
Windows Server 2016

Product
The name of the base system (platform): Microsoft Windows
Developers: Microsoft
Last Release Date: 2017/08/11


2022

Updates caused domain controller failures

The latest Windows Server KB5019966 updates released on November Patch Tuesday cause LSASS memory leaks that could cause the domain controller to freeze and restart. This became known on November 28, 2022. Read more here.

Block vulnerable drivers with WDAC

On March 29, 2022, it became known that Microsoft provided Windows users with the ability to block drivers with vulnerabilities using Windows Defender Application Control (WDAC) and the "blacklist" of vulnerable drivers.

This option is part of the Core Isolation security feature set for devices that use virtualization-based security. The feature works on devices running Windows 10, Windows 11, Windows Server 2016 and later with Hypervisor-Protected Code Integrity (HVCI) enabled, as well as systems running Windows 10 in S-mode. Read more here.
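Because the blocklist only takes effect on hosts where HVCI is actually running, the first thing a defender wants is a way to verify that state. The check below is an added example, not Microsoft's code or text from the article; it reads the Win32_DeviceGuard CIM class (present on Windows 10 and Windows Server 2016 and later) and interprets its documented status codes.

```powershell
# Reports whether virtualization-based security (VBS), HVCI and code-integrity
# policy enforcement are actually running on a host.
# Added example; the class and property codes are those of Win32_DeviceGuard.
function Get-VbsProtectionState {
    [CmdletBinding()]
    param(
        # Host to query; defaults to the local machine.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $cimArgs = @{
        Namespace = 'root\Microsoft\Windows\DeviceGuard'
        ClassName = 'Win32_DeviceGuard'
    }
    # Only open a remote CIM session when a different host was asked for.
    if ($ComputerName -ne $env:COMPUTERNAME) { $cimArgs.ComputerName = $ComputerName }
    $dg = Get-CimInstance @cimArgs

    # SecurityServicesRunning is an array of codes: 1 = Credential Guard, 2 = HVCI.
    $running = @($dg.SecurityServicesRunning)

    # Code-integrity enforcement codes; kernel-mode and user-mode properties use the same scale.
    $ciStatus = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

    [pscustomobject]@{
        ComputerName          = $ComputerName
        # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
        VbsRunning            = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardActive = ($running -contains 1)
        HvciActive            = ($running -contains 2)
        KernelCiPolicy        = $ciStatus[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCiPolicy      = $ciStatus[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}

$state = Get-VbsProtectionState
$state | Format-List

# The vulnerable-driver blocklist described above depends on HVCI, so flag hosts where it is off.
if (-not $state.HvciActive) {
    Write-Warning "HVCI is not running on $($state.ComputerName); the prerequisite for the vulnerable-driver blocklist is not met."
}
```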

2019: Windows Server 2016 ranked third in terms of vulnerabilities

In the course of analyzing the statistics of vulnerabilities in various operating systems and software products at the end of 2019, it turned out that Windows Server 2016 was in third place (357 vulnerabilities). Read more here.

2017

Plans to add support for Linux containers

On September 15, 2017, Microsoft announced plans to add container technologies to Windows Server 2016.

According to the vendor, this is intended to make it easier for enterprises to move applications to, or upgrade existing installations of, the system[1].

Build 1709 of the server edition, prepared for participants in the Windows Insiders early testing program, includes the ability to run Linux containers. The final build of Windows Server 2016 is scheduled for release in early October 2017. In September 2017, the product, in the form of Windows Server Insider Build 16237, gained a compatibility layer for running Linux applications, the Windows Subsystem for Linux (WSL). So far, however, WSL runs only interactive console applications and does not support long-running Linux services and background processes.

Microsoft worked to improve the performance of Linux containers in Windows Server as part of the Moby project. The project is intended for system builders who create their infrastructure solutions based on containers. When creating a build, you can use the content library from Docker and select third-party components ("bring your own components", BYOC) packaged in containers. Technically, the project consists of a framework for assembling components into a single self-sufficient container platform, build utilities, and a Moby Origin reference kit, which serves as the open base for the Docker container platform.

Starting beta Subsystem for Linux

On August 11, 2017, Microsoft announced a beta version of the technology for running Linux applications in Windows Server Insider Build 16237. The subsystem allows console applications to run interactively and, as of August 11, 2017, does not support long-running Linux services and background processes.

Windows Subsystem for Linux (WSL) appeared as a beta version during the preparation of the Windows 10 Creators Update. After integrating WSL into the client version of Windows, Microsoft decided to add it to the server edition of the operating system. The first server build with a compatibility layer for running Linux applications was the test build Windows Server Insider Build 16237. WSL runs only interactive console applications and does not yet support long-running Linux services and background processes; for such tasks, the tools for running Linux in Hyper-V containers, which also appeared in Windows Server, are recommended. WSL supports running Node.js, Ruby, Python, Perl, Bash scripts and other Linux tools[2].

Windows Server Insider Build 16237 includes technology that optimizes update delivery: faster and more stable downloading of updates, including through peer-to-peer file sharing with other computers.

Windows Server Insider Build 16237 added new base images, container-optimized base images (Nano Server, 70% more compact, and Server Core, 20% more compact), support for mounting SMB (Server Message Block) volumes, support for shielded Linux virtual machines, protected clusters and encrypted virtual networks. SMBv1, which was exploited in a chain of ransomware attacks, is disabled by default in this build.

Support for data deduplication was added to the Resilient File System (ReFS). To move data more efficiently, the file system was supplemented with the Data Deduplication DataPort API. Storage Spaces Direct, the technology used to pool the internal storage of servers, became compatible with memory modules that combine flash memory and DRAM.

Main functionality

On March 17, 2017, Microsoft published a list of the main features of the released Windows Server 2016.

It provides many functions for creating a private cloud.

Overview of changes to Windows Server 2016.

Windows Server 2016 is part of a private cloud platform that developers call Microsoft Datacenter vNext. It includes System Center 2016 and Windows Azure Pack for cloud management[3].

This platform operates separately from the Azure Stack platform, but the company believes that after the release of Azure Stack, these solutions can complement each other.

Windows Server 2016 has two roles: Windows Server on the host and Windows Server in the guest virtual machine.


Windows Server 2016 on the host

Microsoft adheres to the concept of "Software-defined Datacenter."

In a software-defined data center, you do not need to buy expensive proprietary equipment. Computing (at the virtualization level), networking, and storage - everything can be managed with software such as Windows Server and System Center.

  • Nano Server is a lightweight version of OS on Hyper-V hosts.
  • Increased scaling limit: VM launch is now available with 240 virtual CPUs and 16 TB of RAM.
  • Capabilities for VMs on the Linux platform, previously they were only available for VMs on Windows: Secure Boot, vRSS, Hot-add, resizing virtual disks, improved backup technology and PowerShell DSC.
  • Nested virtualization support - Hyper-V virtual machines can now be run inside other Hyper-V virtual machines. This can be a useful feature for lab scenarios and developers.
  • Production Checkpoints - the type of VM checkpoints (snapshots) that use the Volume Snapshot Service (VSS) within guest VMs to correctly take a snapshot of the application software running within the VM.
  • "Hot" addition of network adapters: in the second generation VM, you can add network adapters without downtime.
  • Change memory configuration without downtime: no longer need to turn off the VM to activate or deactivate dynamic memory.
  • PowerShell Direct allows you to send PowerShell commands directly to the VM.
  • Discrete Device Assignment: A virtual machine gains direct and exclusive access to some PCIe devices (such as GPUs).
  • Hyper-V integration components are now automatically updated through Microsoft Update. For the customer, this means that now you do not need to spend time and resources on updating, since the tenant can perform it himself.
  • Shielded VMs: technology that protects VM data from the fabric administrator. This is a key feature of Windows Server 2016 for service providers and large organizations, unique to Hyper-V.

Shielded VMs

The Shielded VMs solution allows application owners working inside the VM to be sure that service provider administrators or private cloud administrators cannot access confidential information inside the VM. Some customers avoid IaaS providers, fearing that a competitor may bribe the service provider's administrator and ask him to copy the customer's virtual machine to a public resource. If the service provider does not use Windows Server 2016, there is always a risk that a fabric administrator with malicious intent can copy the client's VM to a flash drive (or upload it to OneDrive or a similar service) and hand it to competitors. If this happens, the competitor gains access to all data in this VM, for example, the CRM database with the contacts of all the company's customers. Technically, this is feasible, since:

  • The fabric administrator has administrator (root) rights on the virtualization hosts. This means they can connect to the VM through the console, change the operating system's bootloader, or inject malware using the hypervisor's integration components. With console access to Windows Server or Linux, it is not difficult to change the password of the local administrator or root user and get full access to the VM. Attackers can reset the local administrator password through console access and get secret data from the VM.
  • With access to the VM's virtual disk, any scripts can be injected into the VM. This leads to downtime (1-10 seconds), and the tenant will find that the VM has unexpectedly rebooted. In order not to raise suspicions, the fabric administrator can perform this operation during scheduled maintenance.
  • Even if the VM's virtual disk is encrypted, the fabric administrator can copy the VM and run it outside the trusted environment. A VM with an encrypted disk is still a member of the network, and once the VM is started on an attacker's laptop, it can be attacked through the virtualization layer rather than over the LAN. The service provider's security systems will not detect this, because the VM runs outside the controlled environment. Using VM snapshot technology, the VM can be copied without any downtime, and the VM owner will not notice anything. In addition, the copying process itself is as simple as possible: all that needs to be done is to copy a small VM configuration file and the VM's virtual disk file or files.
  • VM disk encryption usually brings difficulties: for example, TPM functionality cannot be provided inside the VM (in versions before Windows Server 2016). The VM owner has to enter secret keys to unlock the disk and load the OS after each reboot. Encryption also reduces VM performance, since the virtual CPUs are occupied by it.
  • VMs in a private cloud are usually created from templates or images. An attacker can inject a malicious script into the template, and the customer's VM is infected as soon as it is created from that template or image. Such a script can execute once and send the customer's secret data to an external location owned by the attacker.

Shielded VMs is an effective solution for protecting confidential data from these risks. Windows Server 2016 uses a number of technologies to provide comprehensive data security. Shielded VM mode disables some Hyper-V integration components that an attacker could use (PowerShell Direct, console access, the guest file copy integration component). The VM worker process (VMWP) encrypts live migration traffic as well as the runtime state file, saved state, checkpoints and even Hyper-V Replica files.

Host Guardian Service is a separate service owned by another business unit in the organization (not the fabric administrator). It checks the state of the host on which the VM is to be started and determines whether this VM may run on this host. BitLocker encryption using vTPM: a virtual TPM inside the VM is used to encrypt the virtual disk with a key that is securely stored in the TPM. Microsoft Trusted Image Library: the VM owner can be sure that the VM is created from images provided by Microsoft and that these images have not been altered (that is, no malicious script could have been embedded in them). Thus, Shielded VMs gives service provider customers confidence that their confidential data will not be stolen. On the Azure Pack portal the customer can choose to create a VM in normal mode or with the Shielded VMs mechanisms.
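An added example (not from the article or from Microsoft's documentation) that audits the protections just listed from the host side, using the Hyper-V and HgsClient cmdlets that ship with Windows Server 2016; it assumes it is run elevated on the Hyper-V host.

```powershell
# Lists every VM on this Hyper-V host with the Shielded VM protections described above,
# plus whether the host itself is currently able to run shielded VMs.
# Added example: requires the Hyper-V and HgsClient modules of Windows Server 2016.
function Get-ShieldingAudit {
    [CmdletBinding()]
    param()

    # IsHostGuarded reports whether this host can run shielded VMs at all.
    # Mode is 'HostGuardianService' when the host attests to HGS, or 'Local' when a local key
    # protector is used; Local mode is for labs and gives none of the protection against the
    # fabric administrator described above.
    $hgs = Get-HgsClientConfiguration

    foreach ($vm in Get-VM) {
        $sec = Get-VMSecurity -VM $vm
        [pscustomobject]@{
            VMName              = $vm.Name
            Generation          = $vm.Generation   # shielding requires a Generation 2 VM
            Shielded            = $sec.Shielded
            VirtualTpm          = $sec.TpmEnabled
            EncryptStateAndLM   = $sec.EncryptStateAndVmMigrationTraffic
            HostGuarded         = $hgs.IsHostGuarded
            HostAttestationMode = $hgs.Mode
        }
    }
}

$audit = Get-ShieldingAudit
$audit | Format-Table -AutoSize

# A VM that is not shielded is exposed to the copy-and-run-elsewhere scenario described above:
# its virtual disk and saved state can be started on a host outside the guarded fabric.
foreach ($row in @($audit | Where-Object { -not $_.Shielded })) {
    Write-Warning "VM '$($row.VMName)' is not shielded (vTPM: $($row.VirtualTpm), encrypted state/migration: $($row.EncryptStateAndLM))."
}

$hgsConfig = Get-HgsClientConfiguration
if (-not $hgsConfig.IsHostGuarded) {
    Write-Warning 'This host is not a guarded host; shielded VMs cannot be started here.'
} elseif ($hgsConfig.Mode -eq 'Local') {
    Write-Warning 'Host uses a local key protector, not HGS attestation; VM keys are protected only by this host.'
}
```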


The Cluster OS Rolling Upgrade feature lets you upgrade each Hyper-V host from 2012/2012 R2 to 2016 without recreating the cluster. Upgrading a cluster to the latest version of Windows Server has become easier, and the likelihood of downtime has decreased.


Software Defined Network (SDN)

Software-defined Networking (SDN) appeared in Windows Server in version 2012. It allowed fabric administrators to create isolated networks for different tenants (external customers or internal consumers) and manage them without changing the configuration of the network equipment. Tenants could use virtual networks at the hypervisor level instead of VLANs at the network equipment level. This provided the same level of isolation, but with self-service capabilities and without the restrictions inherent in VLANs. SDN allows the network to be managed and extended at the software level without changing the hardware configuration of the network.

Windows Server 2012 used NVGRE as the protocol for encapsulating virtual network traffic in physical network traffic. System Center Virtual Machine Manager (VMM) played the role of the SDN brain and was responsible for distributing the configuration to the various Hyper-V hosts. Windows Server 2012 R2 introduced a multi-tenant gateway based on RRAS, which provided external connectivity with point-to-point VPN and NAT capabilities.

Windows Server 2016 extends SDN with the following features.

  • Windows Server 2016 adds the Network Controller role. The network controller is a highly available SDN smart center. It allows you to manage configuration changes and distribute them to hosts, gateways, and Hyper-V routers. VMM is no longer required for SDN organization. The network controller greatly simplifies SDN deployment and operation. This new architecture is more stable and reliable.
  • VXLAN support: Although NVGRE is still available, SDN in Windows Server 2016 uses the standard VXLAN protocol for virtual network traffic by default. This allows SDN to be integrated with existing traditional network solutions and other SDNs.
  • Software Load Balancer (L4) is a built-in solution for distributing network traffic across the cloud. It allows load balancing of any traffic in virtual networks, supports HTTP and HTTPS probes, and works similarly to Azure Load Balancer. It is an alternative to Microsoft Network Load Balancing (introduced in Windows Server 2003) and to expensive third-party L4 and L7 load balancers. In addition, the NAT functions are moved from the multi-tenant gateway to the load balancer.
  • Switch Embedded Teaming (SET) is NIC teaming technology built into the Hyper-V switch. It is an alternative to the software NIC teaming introduced in Windows Server 2012. SET adds teaming capabilities directly to the Hyper-V switch. RDMA networks no longer have to be kept separate from teamed networks, because SET supports RDMA. And since SET works more closely with the hypervisor, improved performance can be expected.
  • Data Center Firewall.
  • VPN site-to-site via GRE.
  • Optimized network performance: Improved network performance on 25/50/100GbE interfaces with RDMA.

SDN in Windows Server 2016 can run in two modes.

  • SDNv1: the SDN solution used in Windows Server 2012 R2. It allows a quick upgrade from Windows Server 2012 R2 to Windows Server 2016 without changing the network architecture. This mode only provides backward compatibility with the existing capabilities and adds nothing new.
  • SDNv2 - The default SDN solution if you are creating an SDN from scratch in Windows Server 2016. All functions are available only in SDNv2. If you recently upgraded Hyper-V 2012/2012R2 hosts to 2016, the next logical step is to deploy SDN in SDNv2 mode.


Software Defined Storage (SDS)

Data storage is part of the IaaS solution, because VM virtual disks need to be stored in a safe place with the required level of performance. Windows Server 2016 supports traditional storage connected to hosts via Fibre Channel, FCoE or iSCSI. However, customers have been moving from complex and expensive traditional storage systems to Software-defined Storage (SDS). Such systems run on inexpensive server hardware and are managed through software. They provide high-performance, fault-tolerant storage at a lower cost than enterprise storage arrays.

The current SDS implementation offers the following capabilities:

  • Storage Spaces Direct (S2D) was added. It allows you to create reliable and high-performance storage based on local disk drives. There is no need for SAS: SATA SSD, SATA HDD and NVMe SSD are sufficient. S2D requires that some drives on each host be allocated for caching (SATA SSD or NVMe SSD) and others for data storage. S2D supports mirroring, parity and erasure coding. S2D thus acts as a SAN: there is no need to buy expensive FC or FCoE solutions or to configure iSCSI. To increase capacity and performance, hosts with local drives are added to the cluster. You can reach 1 million IOPS, and even 5 million IOPS is not the limit.
  • Storage Spaces (classic, not S2D) now works efficiently without preconfiguration.
  • Windows Server Health will help you diagnose SDS problems and find the root cause of performance problems.
  • Storage QoS Policies allow fabric administrators to centrally manage storage QoS rules. IOPS limits migrate with VMs when they are moved to another host, and customers can easily apply these policies to the entire private cloud environment.
  • Storage Replica is a built-in storage replication solution. It operates at the block level using the SMB protocol. Customers can now replicate storage data from one data center to another. Synchronous and asynchronous replication modes are supported. Storage Replica can be used to replicate VM disks, as an alternative to Hyper-V Replica, if synchronous VM replication is needed or if asynchronous replication is needed, but with a delay of several seconds (instead of minutes, in the case of Hyper-V Replica). Storage Replica supports SMB 3.0 capabilities such as Multi-path, RDMA, automatic failover, etc. Storage Replica can be used for Stretched Clusters, that is, failover clusters that are stretched over multiple sites.


Hyperconverged Solutions

Hyper-converged architecture is a hardware-based approach that combines computing, network, and storage resources into one layer.

With SDS and SDN features, Windows Server 2016 enables you to create hyperconverged solutions for the private cloud:

  • RDMA-based SDN over Ethernet (25/50/100GbE), much faster than traditional FC/FCoE-based SANs;
  • Storage Spaces Direct (S2D) storage based on local SATA drives.


Windows Server 2016 on the guest VM

Nano Server is an additional type of installation for Windows Server 2016. Nano Server does not have a graphical user interface - it is controlled remotely.

This version of Windows Server 2016 installs faster, runs fewer background processes, requires fewer updates, and so on. Nano Server in Windows Server 2016 is suitable for the following scenarios:

  • Hyper-V host;
  • a server for starting containers;
  • Scale-out File Server;
  • IIS Web Server
  • Microservice Application Platform.

The fewer processes that are running, the fewer opportunities for attack and fewer vulnerabilities in the OS security system.


Containers

Windows Server 2016 supports container technology on the Docker container management platform.

There are two types of containers available in Windows Server 2016:

  • Windows Server containers;
  • Hyper-V containers.

Windows Server containers are similar to Linux containers. They isolate applications running on the same host from each other. Each container has its own representation of the host system, including the kernel, processes, file system, registry, and other components. Windows Server containers support user mode and kernel mode.

Hyper-V containers are based on the same container technology, but additionally use the hypervisor to create an extra layer of isolation. Virtualization creates a completely isolated environment for applications running in Hyper-V containers.

The Docker engine runs on top of both Windows Server containers and Hyper-V containers. It provides all the tools needed to develop a containerized application and run it on either type of Windows container, so an application packaged in a container can be launched anywhere.

You can connect to a running container through the command line, but conceptually containers were created for running stateless services. Containers do not have a user interface.


Security

Windows Server 2016 offers many security features.

  • Control Flow Guard is a built-in platform protection feature (an exploit mitigation).
  • Device Guard, if enabled, allows only centrally authorized applications to run. The technology prevents drivers from loading dynamic code and blocks any driver that is not on the list of trusted programs. A computer protected by Device Guard cannot run a suspicious driver that tries to modify code in memory. Device Guard supports User Mode Code Integrity (UMCI), allowing you to create code integrity (CI) policies that define the trusted and authorized components allowed to run on individual servers.
  • Credential Guard is a virtualization-based isolation technology that allows only privileged system software to access sensitive data. Credential Guard blocks the credential theft techniques and tools that are often used in attacks; thanks to it, malware running with administrator rights cannot extract credentials from the OS.
  • Remote Credential Guard prevents credential theft when the end user connects to a system remotely over Remote Desktop (RDP). When a user connects to a remote host's desktop, the Kerberos authentication request is redirected back to the source host. The credentials are thus never transmitted to the remote host, and malicious code executing on that host cannot obtain them.
  • Together with Windows Server 2016, the Windows Defender malware protection module is installed on the computer by default.
  • AD FS in Windows Server 2016 contains a built-in Azure MFA adapter that simplifies the use of Azure Multi-factor Authentication technology. To add this technology to ADFS authentication, you do not need to deploy the local Azure MFA server.
  • Just-in-Time (JIT) Administration - a function that allows you to limit the validity time of administrator rights. The rights request will be sent exactly when they are needed. Then this request will be approved, and the account will receive the rights it needs for the specified period of time. The granted rights and the time of their action will be exactly as long as necessary to complete the task.
  • Just Enough Administration (JEA) is a function that allows you to provide the user account with the required minimum of rights to perform a function. Thanks to it, you do not have to independently grant and revoke administrator rights. The JEA function is often used in combination with JIT.
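As an added example of the JEA model just described (not the article's or Microsoft's own code), the configuration below registers a JEA endpoint on which members of a helpdesk group can restart one service and read service state, and nothing else. The module name, group name, transcript path and service are constructed values.

```powershell
# Registers a Just Enough Administration endpoint. Added example; all names below are constructed.
# Run elevated on the Windows Server 2016 host that should expose the endpoint.
$moduleName = 'ServiceDeskJea'
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$roleDir    = Join-Path $modulePath 'RoleCapabilities'

# Role capability files are discovered from the RoleCapabilities folder of a module on PSModulePath,
# so create a module with an (otherwise empty) manifest to hold them.
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1")

# The role capability is the allowlist: Get-Service in full, and Restart-Service with its -Name
# parameter pinned to one value, so the role cannot be pointed at any other service.
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'SpoolerOperator.psrc') -VisibleCmdlets @(
    'Get-Service',
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
)

# The session configuration binds groups to roles. RestrictedRemoteServer strips the session down to
# a handful of cmdlets plus what the roles expose; RunAsVirtualAccount runs the commands as a temporary
# local administrator that exists only for the session, so the operator never holds admin rights.
$transcripts = 'C:\JeaTranscripts'
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
$pssc = Join-Path $env:TEMP 'ServiceDesk.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{ 'CONTOSO\ServiceDesk' = @{ RoleCapabilities = 'SpoolerOperator' } }

# Validate the file before registering; Register-PSSessionConfiguration restarts WinRM.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid session configuration: $pssc" }
Register-PSSessionConfiguration -Name 'ServiceDesk' -Path $pssc -Force | Out-Null

# Operators connect with:
#   Enter-PSSession -ComputerName <host> -ConfigurationName ServiceDesk
# Inside that session Get-Command shows only the allowed cmdlets, and
# Restart-Service -Name W32Time is rejected by the ValidateSet constraint.
```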

Windows Server 2016, (2017)

RDS 2016

Remote Desktop Services in Windows Server 2016.

  • Connection Broker now supports a large number of end-user connections. RDS 2016 can simultaneously process several thousand connections.
  • RemoteFX now supports Windows Server 2016 inside guest VMs. Previously, this technology worked only with the Windows client OS.
  • RemoteFX now supports OpenGL and OpenCL in addition to Direct3D, and up to 1 GB of video memory, 4K resolution and pen work. This allows users to make even more efficient use of hardware graphics resources.
  • Support for Discrete Device Assignment (DDA): the GPU can now be passed through entirely to the VM. This gives guest VM users control over the video card drivers and GPU settings, as well as access to parallel computing technologies such as CUDA.
  • The RDPv10 protocol with H.264 AVC data compression technology guarantees high quality graphics (4K, 60 frames per second) even with an unstable network connection.
  • Connection Broker can use Azure SQL Database as a base. Azure AD Application Proxy allows you to safely publish an RDS farm to an external network.
  • Remote Credential Guard prevents credential theft when the end user connects to the system remotely over Remote Desktop (RDP).


PowerShell 5.1

Windows PowerShell is the main system for managing Microsoft technologies using the command line. Windows PowerShell source code is open. Linux support is implemented. You can now use Windows principles to manage your Linux environment.

Server Management Tools (SMT) is a web-based management shell hosted in Azure. It can be used to manage, for example, deployed Nano Server or Server Core machines without connecting to them locally. These tools offer the following functionality:

  • View and change the system configuration
  • View performance data for different resources and manage processes and services
  • Manage devices connected to the server
  • View event logs
  • View a list of installed roles and functions
  • Manage and automate recurring tasks using Windows PowerShell.

SMT is a Windows Server 2016 environment management tool and an alternative to the classic Server Manager.


System Center 2016

System Center 2016 can manage Windows Server 2016 features; for example, VMM 2016 is the easiest way to deploy SDN. Because System Center 2012 R2 is not compatible with Windows Server 2016, managing Windows Server 2016 is expected to require an upgrade to System Center 2016. Windows Azure Pack UR10 (and later editions) supports Windows Server 2016.

Developing a Version for ARM Processors

On March 8, 2017, Microsoft announced a version of the Windows Server operating system for hardware based on processors with the ARM architecture. The new project could jeopardize Intel's long-term dominance of the profitable data center chip market, Bloomberg reports.

The new modification of Windows Server is being tested on servers running 10nm Qualcomm Centriq 2400 chips, which include 48 Falkor cores based on ARMv8 and designed primarily for cloud services such as Azure. Microsoft is testing such processors to solve problems in the field of search, storage, machine learning and working with big data, said Jason Zander, corporate vice president of Microsoft Azure.

Qualcomm Centriq 2400 Server Module

Microsoft is developing the Project Olympus platform, which supports the installation of 1U and 2U servers, a universal motherboard, power supplies and up to eight Nvidia computing accelerators based on Pascal graphics solutions. The company plans to build Project Olympus on ARM processors and use such servers in its data centers starting in 2017.

In the future, other companies will be able to install similar solutions thanks to the Open Source approach in the implementation of the project, which also includes Qualcomm, Dell, Hewlett Packard Enterprise, AMD, Samsung Electronics and Intel.

In the 2016 financial report, Intel said the company's processors are used in server hardware, which runs 98% of the world's cloud services.

"We operate in a highly competitive market and take all rivals seriously. We are confident that Xeon processors will continue to deliver the highest performance and lowest cost of ownership for our cloud customers. However, we understand the desire of our customers to evaluate other offers," Intel said.[4]

SUSE Linux support enabled

On January 25, 2017, the latest Community Technology Preview (CTP) of SQL Server vNext added support for SUSE Linux Enterprise Server, in addition to the Linux distributions from Canonical and Red Hat.

In 2016, the company announced that SQL is turning its face to Linux[5].

"This will make SQL Server a consistent data platform for Windows Server and Linux - both for local installations and for the cloud."
Scott Guthrie, Head of Microsoft Cloud and Enterprise

According to the company, the release of SQL Server vNext is scheduled for mid-2017. Potential users can test the Linux version of CTP 1.2 of this DBMS on SUSE servers (a Windows version is also available). As of January 25, 2017, the pre-release version can be tried in development and testing environments, or organizations can apply to join the SQL Server Early Adoption Program for support when deploying SQL Server vNext in production.

2016

Appearance in the public domain

On October 12, 2016, the Windows Server 2016 operating system appeared in the public domain. The RTM (Release to Manufacturing) version can be downloaded through the Microsoft Developer Network (MSDN) and Volume Licensing Service Center (VLSC) services.

In addition, a trial version is available for those who want to try out the product before buying it. The trial is designed for 180 days of testing.

RTM version of Windows Server 2016 appeared in public on October 12, 2016

Windows Server 2016 has several editions: Standard, Essentials, MultiPoint Premium Server, Storage Server, Hyper-V Server and Datacenter. The latter offers additional replication features, a new network protocol with advanced virtualization capabilities, and technology for creating shielded virtual machines whose contents are protected from the host system administrator.

In general, Windows Server 2016 has become more secure than previous Microsoft server operating systems: it has advanced security mechanisms, new functionality to block potential threats, and improved management capabilities. The new OS is also optimized for cloud services and containers.

"This release once again reflects our deep commitment to the hybrid cloud. A long time ago, we began to consider a hybrid cloud to be real for all our corporate customers, even those with the most ambitious cloud plans. Some applications must and will migrate quickly to the public cloud, while others will face technological and regulatory barriers. Regardless of where these applications run now or will be launched in the future, Windows Server 2016 offers a rich and secure platform," Microsoft said in a statement.

Simultaneously with Windows Server 2016, System Center 2016 was released, which simplifies the management of software-defined data centers and the cloud.[6]

Remote Credential Guard

On August 19, 2016, the TechNet blog published information about the Remote Credential Guard feature, which helps prevent credential theft on Windows 10/Windows Server 2016 when users log on to a PC remotely.

While preparing the release of Windows Server 2016 Technical Preview 5, the vendor decided to strengthen credential protection for server and helpdesk scenarios in which Remote Desktop (RDP) is used to log on to a PC remotely.

The company created the Remote Credential Guard feature. It works in Windows RS1 and Windows Server 2016.

Remote Credential Guard Feature View, (2016)


Remote Credential Guard (RCG) keeps the credentials on the client machine: when the user logs on to the remote desktop of the target machine (server or client), the credentials are never present on the target machine and therefore cannot be stolen there.

As a side effect, which Microsoft regarded as positive, Remote Credential Guard implements single sign-on for RDP: the user does not need to enter a username/password pair in the RDP session and can instead use the credentials used to log on to the client machine (be it a smart card or Windows Hello).
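An added example (not from the TechNet post) that applies and verifies the target-side prerequisite for Remote Credential Guard, the LSA value DisableRestrictedAdmin, and shows the matching client-side connection; the host name RDPHOST01 is a placeholder.

```powershell
# Remote Credential Guard target-side enablement and check. Added example; 'RDPHOST01' is a placeholder.
# DisableRestrictedAdmin = 0 under the LSA key enables both Restricted Admin mode and Remote Credential
# Guard support on an RDP target. It must be set on the target itself, running elevated.
function Enable-RemoteCredentialGuardTarget {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-ItemProperty -Path $lsa -Name 'DisableRestrictedAdmin' -PropertyType DWord -Value 0 -Force | Out-Null
}

# Reads the same value from a remote host through the remote registry service, so an administrator
# can inventory which RDP targets will actually accept a /remoteGuard connection.
function Test-RemoteCredentialGuardTarget {
    param([Parameter(Mandatory)][string]$ComputerName)

    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $key   = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $value = $key.GetValue('DisableRestrictedAdmin')   # $null when the value has never been set
        [pscustomobject]@{
            ComputerName = $ComputerName
            # Only an explicit 0 enables the feature; a missing value means it is off.
            RcgEnabled   = ($null -ne $value -and [int]$value -eq 0)
        }
    } finally {
        $base.Close()
    }
}

# Client side: /remoteGuard keeps the user's credentials on the client, and the target's Kerberos
# requests are redirected back to the client, as described above. The client session must be a
# domain logon for which Kerberos can be used.
$target = 'RDPHOST01'
if ((Test-RemoteCredentialGuardTarget -ComputerName $target).RcgEnabled) {
    Start-Process -FilePath 'mstsc.exe' -ArgumentList "/remoteGuard /v:$target"
} else {
    Write-Warning "$target does not have DisableRestrictedAdmin = 0; a /remoteGuard connection to it will fail."
}
```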

IP Address Management (IPAM)

IP Address Management (IPAM) is an integrated set of tools for managing the IP address space, managing multiple DNS and DHCP servers, and auditing DDI (DNS, DHCP, IPAM)[7].

After IPAM was introduced in Windows Server 2012, it was updated, and in Windows Server 2012 R2 it already offered extensive capabilities:

  • role-based access control,
  • DHCP failover management and DHCP policies,
  • PowerShell cmdlets and integration with Virtual Machine Manager for private cloud environments.

IPAM in Windows Server 2016 is enhanced with further critical capabilities:

  • DNS management,
  • support for multiple Active Directory forests,
  • and more.

Summary of changes in Windows Server 2016

DNS management

The ability to manage DNS zones and resource records across multiple DNS servers is a critical requirement for enterprises. IPAM in Windows Server 2016 can now perform all the DNS management tasks for which the user previously had to use DNS Manager. DNS management available in IPAM:

  • Create, delete and modify DNS zones (forward lookup and reverse lookup zones)
  • Create, delete and modify DNS resource records (A, AAAA, CNAME, PTR, MX and the other record types supported by DNS in Windows Server)
  • Create, delete and modify conditional forwarders
  • Configure zone transfer policy and initiate zone transfers

These operations are supported both for Active Directory-integrated DNS and for DNS servers that store zones and records in a file. A DNS zone is typically hosted on more than one DNS server for high availability. When performing an operation such as creating or modifying a DNS record in a zone, IPAM performs it on one of the zone's DNS servers, and the zone synchronization mechanism propagates the new or updated record to all servers hosting the zone. IPAM provides a setting called "preferred server" for the zone: any update operation on that zone is performed by IPAM on the preferred server, which applies the update and replicates it to the other DNS servers.


Integrating DNS data with IP addresses

IPAM records IP addresses in the IPAM database, and in the IPAM interface this inventory is viewed as part of IP address space management. Previously, the list had to be entered manually or imported from a CSV file. In Windows Server 2016, IPAM reads DNS records from the DNS servers, including PTR records, and uses the PTR records to populate and inventory IP addresses. This new feature provides an automated inventory of IP addresses: administrators no longer need to update IP addresses manually or import CSV files if reverse lookup zones with PTR records exist.

Another important feature is a DNS records tab that lists all DNS records associated with a given IP address, including AAAA, PTR, CNAME, MX, NS and other records. This is very useful when CNAME, MX and other record types that are only indirectly related to an IP address are in use.


Access control for DNS management through role-based policy

Role-based access control was first introduced in IPAM in Windows Server 2012 R2. It was required to support DNS delegation and administration scenarios: an administrator should be able to delegate management of a specific zone to a remote administrator while ensuring that he or she has no access to other zones and DNS servers, and, similarly, a mail administrator should only be able to manage MX records. With IPAM 2016, customers can implement such delegation scenarios and grant exactly the access that a user in a specific role needs.


Managing DNS and DHCP servers across multiple Active Directory forests

IPAM in Windows Server 2012 R2 supports DNS and DHCP server management only in the same Active Directory forest, that is, the forest in which IPAM is deployed. However, many enterprise customers have more than one Active Directory forest in their environment, with DNS and DHCP servers in each of them, and they wanted IPAM for Windows Server to manage DNS and DHCP servers in multiple AD forests from a single IPAM console. Windows Server 2016 implements this.

IPAM management view (2016)


PowerShell for role-based access control

IPAM 2016 has new PowerShell cmdlets that allow administrators to set the access scope of IPAM objects. Administrators can set access scopes for IP address objects (IP address space, IP address blocks, IP address subnets, IP address ranges), for DNS objects (DNS servers, DNS zones, DNS conditional forwarders, DNS resource records) and for DHCP objects (DHCP servers, DHCP superscopes and DHCP scopes). This lets administrators automate the assignment of access scopes to IPAM objects with PowerShell scripts.
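The zone delegation scenario described under role-based policy above, automated with the access-scope cmdlets this section mentions, as an added example (not code from the page or from Microsoft). Cmdlet and parameter names are assumed from the IpamServer module; the zone and scope names are constructed placeholders.

```powershell
# Added example: confine a delegated DNS administrator to one zone by placing
# that zone in its own IPAM access scope. Cmdlet/parameter names assumed from
# the IpamServer module; 'contoso.example' and 'ContosoZoneAdmins' are placeholders.
# Run on the IPAM server with an account that holds the IPAM administrator role.

# 1. Create a child access scope under the built-in \Global root.
Add-IpamAccessScope -Name 'ContosoZoneAdmins' -ParentAccessScopePath '\Global'

# 2. Locate the forward lookup zone in the IPAM inventory.
$zone = Get-IpamDnsZone -ZoneName 'contoso.example' -ZoneType Forward

# 3. Assign the zone to the new scope. Zones inherit their DNS server's scope
#    by default, so this explicit assignment is what narrows the delegation:
#    a role bound to \Global\ContosoZoneAdmins reaches this zone and nothing else.
$zone | Set-IpamAccessScope -IpamDnsZone -AccessScopePath '\Global\ContosoZoneAdmins' -PassThru

# 4. Verify that no other zone landed in the delegated scope by accident.
Get-IpamDnsZone -ZoneType Forward |
    Select-Object ZoneName, AccessScopePath |
    Sort-Object AccessScopePath, ZoneName
```

The role itself (for example, one limited to MX record operations) is still defined and bound to the scope in the IPAM console; the cmdlets govern which objects the scope contains.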

Network Virtualization with Windows Server 2016

Just as server hardware is virtualized with software that simulates processors, memory and disks to create virtual machines, network hardware is virtualized to simulate switches, routers, firewalls, gateways and load balancers to create virtual networks. Virtual networks not only provide isolation between workloads or business units, but also let network administrators configure networks and define policies while retaining flexibility over where workloads are deployed and how policies are applied.[8]

The core capability of Hyper-V Network Virtualization is to virtualize the topology of the underlying physical network.

What is the benefit?

  • Security policy can be added or removed on demand through Network Security Groups and applied directly to virtual subnets or individual virtual network adapters.
  • Scalability: grow the capacity available to your workloads by expanding your virtual network and connecting it to Azure.
  • Flexibility to move virtual subnets and their associated workloads between clouds.

Specific functions include the ability to:

  • Isolate different data centers, different departments within an enterprise, or even different services and workloads in their own virtual networks.
  • Integrate with all relevant network functions and policies, such as load balancing and quality of service.
  • Support VXLAN (the default) or NVGRE encapsulation.
  • Bring your own IPv4 subnets and routes from your physical network into the cloud.

All of these network policies can be easily deployed using System Center Virtual Machine Manager (SCVMM), Microsoft Azure Stack, or PowerShell scripts.


Why not just use a VLAN?

Using VLANs for isolation or security can be sufficient for SMB environments where the rate of change is slow. However, this model simply does not fit large enterprises and modern data centers, because it depends on static configuration: every update requires manual configuration changes on multiple devices (servers, switches and so on). As the enterprise or data center grows, managing all the different VLANs and the security policies for each logical network segment becomes ever more cumbersome. Manually updating switch configurations and moving policies around frequently causes errors and, sooner or later, network downtime.

Sometimes it is necessary to connect to physical workloads that cannot be virtualized. In these cases, virtualization gateways route packets between the virtual and physical networks to provide access to your workloads.

Improvements over the network virtualization stack in Windows Server 2012 R2

We received many wishes through customer feedback that helped us improve this solution in Windows Server 2016. These improvements include:

  • A programmable vSwitch based on the new Azure Virtual Filtering Platform (VFP) extension, which processes traffic more efficiently.
  • Fewer physical IP addresses (two per host) required to host virtual networks and encapsulate traffic.
  • Correct Layer 2 Ethernet headers for improved compatibility.
  • Improved troubleshooting with advanced diagnostics.
  • A distributed router that supports user-defined routes.
  • Support for the VXLAN encapsulation mechanism.

The network virtualization technology of Windows Server 2012 R2 (HNVv1 with NVGRE) remains supported in Windows Server 2016, which eases migration to the new operating system. However, inspired by Azure, we offer to our customers.

2015

New Licensing Scheme

In December 2015, Microsoft announced a change in the licensing scheme for its server operating systems. Starting with Windows Server 2016, companies will buy licenses based on the number of computing cores.

Before Windows Server 2016, the cost of Microsoft server platforms depended on the number of processor sockets in the system. One Windows Server 2012 license covers one pair of sockets: even if the server uses a single chip, companies have to buy the minimum package of two sockets' worth of licensing.

Microsoft moves to more expensive Windows Server licensing scheme

In 2016, Microsoft will switch to a new sales model in which one Windows Server 2016 license covers two computing cores. Its cost will be only 1/8 of the price of a two-socket Windows Server 2012 license, but the new scheme sets a licensing minimum of at least 16 cores per system and at least eight cores per processor.

According to Neowin's reviewers, the cost of Windows Server 2016 under the new licensing scheme is unlikely to change for entry-level server users. Owners of high-performance systems may lose out, however: for powerful servers with two to four 10-core processors, the publication calculated, Windows Server 2016 will cost a quarter more than the previous version of the OS.[9]

Microsoft traditionally does not disclose prices for its new operating systems long before release, so license costs for Windows Server 2016 will become known closer to the third quarter of 2016, when the product reaches the mass market.
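The core-based rules above, worked through as an added example (not from the page or from Microsoft) that reproduces the two cases the section states: an unchanged cost for an entry-level 2 x 8-core server and a 25 % increase for two or four 10-core processors. Costs are expressed in units of P, the price of one two-socket Windows Server 2012 license, so a 2016 two-core pack costs P/8.

```powershell
# Added example: compare Windows Server 2016 core-based licensing with the
# 2012 per-socket-pair scheme, in units of P (one 2012 two-socket license).
function Compare-ServerLicenseCost {
    param(
        [Parameter(Mandatory)][int]$Processors,
        [Parameter(Mandatory)][int]$CoresPerProcessor
    )
    # 2016 rules from the text: at least 8 cores per processor and at least
    # 16 per server are licensed regardless of the real count; one pack = 2 cores.
    $licensedCores = [Math]::Max($CoresPerProcessor, 8) * $Processors
    $licensedCores = [Math]::Max($licensedCores, 16)
    $packs2016 = [Math]::Ceiling($licensedCores / 2)
    $cost2016  = $packs2016 / 8.0                      # each pack costs P/8

    # 2012 rule from the text: one license per pair of sockets, minimum one.
    $licenses2012 = [Math]::Max([Math]::Ceiling($Processors / 2), 1)
    $cost2012     = [double]$licenses2012              # each license costs P

    [pscustomobject]@{
        Processors        = $Processors
        CoresPerProcessor = $CoresPerProcessor
        Packs2016         = $packs2016
        Cost2016InP       = $cost2016
        Cost2012InP       = $cost2012
        ChangePercent     = [Math]::Round(($cost2016 / $cost2012 - 1) * 100)
    }
}

# Entry level (2 x 8 cores): 8 packs = 1.0 P, unchanged.
# Two or four 10-core CPUs: 10 or 20 packs = 1.25 P / 2.5 P, i.e. +25 %.
Compare-ServerLicenseCost -Processors 2 -CoresPerProcessor 8
Compare-ServerLicenseCost -Processors 2 -CoresPerProcessor 10
Compare-ServerLicenseCost -Processors 4 -CoresPerProcessor 10
```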

Windows Server 2016 technical release update

On December 8, 2015, Microsoft announced the release of the fourth technical release of the Windows Server 2016 platform, offering users updated functionality for developing applications based on Windows Server and Hyper-V containerization technologies, the lightweight Nano Server installation option of the server OS, and additional software-defined data center features.

Configuration, resiliency, compute and storage functionality has been enhanced, and new features for information security, platform management and monitoring have been added.

Screenshot of the management program window (2015)

Andrey Beshkov, Microsoft's hybrid cloud platform promotion manager in Russia, said:

- We recently introduced Windows Server containers and Docker application containerization for Windows. Since then, we have received a lot of feedback from our customers, which has allowed us to significantly improve the solution. Responding to the needs of users, today we present containers with a number of new features. We hope these improvements will provide developers with additional benefits and make Microsoft's open and user-friendly development platform even more reliable and secure.

According to the company, the Hyper-V containers update gives customers the ability to isolate applications, which raises the level of data security. At the same time, because they support the Docker development model, they retain the format familiar from Windows Server and do not affect how applications are visualized and configured. In addition, developers can now use Nano Server both as a platform for running applications and services and as the operating system for virtualized containers. This provides a more efficient way to work with cloud applications, since it reduces the footprint of the OS and increases system density in cloud environments. Reducing the number of components in Nano Server increases security, reduces the number of updates and shortens the system maintenance window.

What's new in Windows Server 2016

Notes