http://aka.ms/mttsurvey

http://meetup.com/mttsocal

• Technical Community event, designed to bring IT leaders

in the local area together for deep discussions

• An opportunity to network and share with local

Microsoft Services Professionals and other IT

professionals.

• A Microsoft Services presenter delivers a technically-rich

presentation

• These communities now collectively have over 1100

members that have joined one of the local meetup

groups.

• We are constantly expanding to a region near you, your

friends / colleagues…..

GROUP JOIN US!

MTT So-Cal Meetup.com/mttsocal

MTT Charlotte Meetup.com/mttcharlotte

MTT Tempe Meetup.com/mtttempe

MTT Nor-Cal Meetup.com/mttnorcal

MTT Pac West Meetup.com/mttpacwest

MTT Las Vegas Meetup.com/mttlasvegas

MTT Detroit Meetup.com/mttdetroit

http://www.meetup.com/OCSharePointLOCATION: Newport Beach

http://www.meetup.com/socalazureLOCATION: San Diego, Irvine, Playa Vista

http://www.meetup.com/L-A-O-C-Lync-Users-Group/LOCATION : Playa Vista, Irvine

/

http://www.meetup.com/mttsocalLOCATION: San Diego, Irvine , Playa Vista

http://www.meetup.com/San-Diego-NET-Users-Group/LOCATION: Del Mar

http://www.meetup.com/SocalSystemCenterLOCATION: San Diego, Irvine

http://www.meetup.com/SanspugLOCATION: San Diego

http://www.meetup.com/SDSQLUG/LOCATION: San Diego

So-Cal System Center

User Group

So-Cal Area Microsoft Events

Los Angeles Skype For Business

User Group

San Diego SharePoint

User Group (SDSPUG)

So-Cal

Microsoft Tech Talks

Orange County SharePoint

User Group (OCSPUG)

So-Cal Azure

User Group

San Diego SQL Server

User Group

San Diego .NET

User Group

http://www.meetup.com/socalmsevents/LOCATION: So-CAL

http://aka.ms/mttsurvey

• Introduction

• Platform Vision

• Management

• Security

• Storage

• Networking

• Compute

• Identity and Access

• Appendix: Hardware Terminology

TechNet Landing Page: Windows Server 2016

1. PowerShell and DSC

2. Active Directory and Identity

3. Server management tools

4. Remote Desktop Services

5. Software defined storage

1. Software-defined compute

2. Software-defined networking

3. Security

4. Containers

5. Nano Server

MSDN Channel 9 - All Windows Server 2016

MS Virtual Academy - All Windows Server Courses

Ten reasons you’ll love Windows Server 2016 Video Series

Free e-book from MS Press: Introducing Windows Server 2016

Launch Dates

Licensing Model

Editions

Installation Options

Servicing

Supported Upgrade Paths

Windows Server 2016 Launch Dates

Technical Preview: October 2014 through October 2016

Release to Market (RTM): September 26th 2016 at Ignite

General Release (GA) and VLSC: October 12th 2016

First Monthly cumulative update: October 2016

Licensing Model Transformation

Customers run workloads on-premises and in the cloud

• Windows Server 2012 R2 licensing is processor-based

• Azure licensing is core-based

Windows Server 2016 aligned to enable consistency

• Core-based licensing model

• Offers consistent approach across environments

• Enable multi-cloud scenarios

• Improves workload portability

Pricing and Licensing for Windows Server 2016

Editions of Windows Server 2016

Datacenter (unlimited VM and Hyper-V containers)

• Shielded Virtual Machines, software-defined networking,

• Storage Spaces Direct and Storage Replica

Standard (2 VMs or Hyper-V containers)

Essentials (up to 25 users and 50 devices)

MultiPoint Premium (academic licensing)

Storage Server (dedicated OEM storage solutions)

Hyper-V Server (free)

Pricing and Licensing for Windows Server 2016

Deployment Options

Desktop Experience with Full GUI

Server Core

Nano Server (Cannot be installed)

Windows Container (Isolation environment)

Desktop Experience

Full GUI

Server Core

Lower maintenance server environment

Nano

Just enough OS

Container

Long Term Servicing Branch (LTSB) Cadence

Current Branch for Business (CBB) CadenceFor Nano Server (Move at the speed of the Cloud)

There are always two supported Current Branch for Business releases at any given time: CBB & CBB-1.

Monthly security and quality updates not available for CBB-2

Supported Upgrade Paths• Installation

• Migration

• Cluster OS Rolling Upgrade

• License Conversion (Windows Server 2016 Standard to Datacenter)

• Upgrade

• Recommendations for moving to Windows Server 2016

• Windows Server Installation and Upgrade

• Upgrade and conversion options

• Server role upgrade and migration matrix

Platform Vision driven by Executive Feedback, such as• Our Internal IT is hard working, however always behind. Cannot support new

development in timely manner.

• We need to leverage our on-premise data center but also take advantage of the cloud

• IT spent years virtualizing which provided benefits, however developers need new micro-services that are available with PaaS in Cloud. I need this on-premise.

• How do we prevent becoming the next company that is hacked? Security…

Focus - Hybrid Data Center

Most customers now have a mixed On-Premise and Cloud environment

• Traditional Data Center with file, web, db servers.. (limited agility, scales up slowly)

• On-premise private clouds (medium agility, scales up faster)

• Cloud services from a host or public cloud provider such as Azure, Amazon or Google (high agility and scales up fast)

And are moving toward a Hybrid Cloud environment

• A hybrid cloud consists of both on- premise and cloud resources that can be easily moved

• And, that are managed as one…

NIST Definition of Cloud Computing

Azure Stack - Power to control the Datacenter

Cloud

HybridHyper-scale

Enterprise-grade

Cloud-inspired infrastructure[powered by Windows Server, System

Center, and Azure technologies]

Cloud infrastructure

On-premise Datacenter

PowerShell 5.1 (including updates to DSC - Desired State Configuration )

Server Management Tools hosted in Azure

Console Host Update

Azure Stack

Operations Management Suite

PowerShell 5.1 Introduced

Includes new features that extend its use, improve usability, improve control and management of Windows.

• ISE improvements

• Remote PowerShell debugging improvements

• Desired State Configuration (DSC) improvements

• Backward-compatible

PowerShell 5.1

Server Management Tools hosted in Azure

Can be used to manage on-premises infrastructure alongside Azure resources from anywhere.

Gateway server acts as proxy between Azure portal and on-premise resources

• View and change system configuration

• View performance across various resources and manage processes and services

• Manage devices attached to the server.

• View event logs

• View the list of installed roles and features

• Use a PowerShell console to manage and automateIntroducing Server Management Tools

Deploy and Setup Server Management Tools

Console Host Improvements(i.e. DOS command line console)

Updated to include several new editing and marking behaviors

Resize the console window by grabbing an edge with the mouse and dragging

Supports word wrapping

Console windows now can be semi-transparent (to a minimum transparency of 30%).

Use "click-and-drag" selection outside of Quick Edit mode

Control new features through the registry HKCU\Console

What’s New in the Console

Azure Stack for managing Hybrid environmentIn Technical Preview since January 2016 (TP2 released in October 2016)

Azure Stack Key Features

Operations Management Suite (OMS)Operations Management Suite – separate product in the Cloud which can monitor both on-premise and Azure cloud environments. Can connect to SCOM management group.

MS Cloud: OMS

IT Management

Failover Clustering

Hyper-V

Nano Server

Windows Containers

Remote Desktop Services

Cluster Rolling Upgrade (mixed OS Clusters)

Cloud Witness

Active Directory independent Cluster Improvements

Storage Spaces Direct

CSV cache enhancements

Shared Virtual hard disk resizing (no downtime)

Failover Clustering

Cluster Rolling Upgrade (mixed OS)

Cluster Rolling Upgrade

Cloud WitnessUses Azure blob storage in Cloud as witness in quorum for stretch cluster

Recommended configuration

Cloud Witness

Storage Spaces DirectUses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking Speed critical

Active Directory independent Cluster ImprovementsClusters can now be deployed independent of domain topology

• Clusters with all nodes in the same domain…

• Clusters with nodes in different domains…

• Clusters with nodes which are member servers / workgroup (not domain joined)…

Fewer dependencies results in increased availability

• Cluster infrastructure switched over using Certificates

Member Servers

Multi-domainWorkgroup

Domain A Domain B

Workgroup and multi-domain clusters

CSV cache enhancements

Write-through cache for unbuffered IO

Boosts VM performance

Scalability improvements to increase the amount of memory that can be allocated as CSV Cache

Compatible with Tiered Storage Spaces and Deduplication

Shared Virtual hard disk

Shared Virtual hard

VHDX Resize with no downtime

Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery

Guest Clusters can have both host level and guest backups of Shared VHDX

Nano Server

Supported for use as Cluster Notes

Includes only essential Cluster Resources

Present Not Present

IPAddress

NetworkName

DistributedNetworkName

IPv6 Address

ScaleOutFileServer

RLUA

PhysicalDisk

Storage Pool

Task Scheduler

Virtual Machine

Virtual Machine Configuration

VirtualMachineReplicationBroker

File Server

FileShareWitness

GenericApplication

GenericScript

GenericService

Distributed File System

IPv6 Tunnel Address

Microsoft iSNS

MSMQTriggers

MSMQ

DHCP Service

Disjoint IPv4 Address

Disjoint IPv6 Address

DFS Replicated Folder

Distributed Transaction Coordinator

IPv6 Tunnel Address

NatProvider Address

WINS Service

iSCSI Target Server

Increased Scalability and Performance

Management

Diagnostic Improvements

Nested Virtualization

Hyper-V Clustered Role Resiliency Improvements

Hyper-V

Increased Scalability

Increased Performance

• Discrete device assignment of some PCIe hardware devices to VM

• Host Resource Protection on host from VM activity

• Hot add or remove of NICs on Generation 2 VMs

• Hot add or remove of memory on Generation 2 VMs

• RDMA support for NICs bound to Hyper-V virtual switch independent of Switch Embedded Teaming (SET)

• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine

• Storage QoS policies (CSV or SOFS)• Host Resource Protection

• Hot add and remove for network adapters and memory

• RDMA support with switch embedded teaming

• Virtual machine multi queues

Management Improvements

Hyper-V Manager Console Improvements

• Alternate credentials support

• Manage earlier versions

• Updated Management Protocol

Integration Services delivered through Windows Update

Windows PowerShell Direct (uses Hyper-V Sockets)

• Run PowerShell commands in VM from the host directly

• No need to configure network, firewall or remote management

Hyper-V Sockets

• Services using socket-based communication between host and VM

• Available in native code (C/C++)

TechNet:

• Hyper-V Manager Improvements

• Integration Services

• PowerShell Direct

• Hyper-V Sockets

Configuration File VersionsVersion of the VM configuration determines what version of Hyper-V supports it

Server 2016 introduced the .VMCX configuration file format (no longer in XML)

If moving VMs from 2012 R2 to 2016, the config file will need to be upgrade

Virtual Machine GroupsAdded support for groupings of Virtual Machines (2 types)

• VM Collections – Allows executing tasks on a group of VMs

• Management Collections – Allows to nest VM collections

Create with PowerShell New-VMGroup -GroupType

Mobility ImprovementsLive Migration to a host running an earlier version of Windows Server

Virtual Machine Ordering

Production Checkpoints• “Point in time” images of a VM

• Backup technology inside the guest is used to create the checkpoint, instead of using saved states

Connected Standby Compatibility• Always On/Always Connected (AOAC) power model, the Connected Standby power state is now available

Support for Linux• Secure Boot Support

• Hot add and remove of network adapters

• Hyper-V Socket support

TechNet:

• Production Checkpoints

• Connected Standby

• Linux Support

Diagnostic Improvements

Improved Validation times for both Storage and non-Storage tests

Faster

Diagnostics

Additional Validation tests to catch Active Directory configuration issues

Improved Network Name resource logging (link)

Logging

Less noise logged to the cluster log to prevent wrapping

Additional data logged to cluster.log and mini-dump of log level 5

New Memory Dump – Active Dump

Filters out most memory pages allocated to Virtual Machines

Nested Virtualization Support

Ability to run Hyper-V servers inside Hyper-V Virtual machines

Supported for Virtualization Based Security features

Hyper-V Development environments

Run Hyper-V in a Virtual Machine with Nested Virtualization

Resiliency Features for Clustered Hyper-V Role

Site Awareness for stretched clusters

Group nodes and storage based on physical location. Fails over to node in same site and Storage affinity (VMs follow storage)

Node Fairness

Dynamically load balances the VMs on the cluster

VM Compute Resiliency

VMs continue to run even when nodes becomes isolated and are Resiliency to transient failures

Quarantine of unhealthy nodes

Nodes that go in and out of cluster are temporarily placed in “Quarantined” state

Storage Resiliency

On storage failure, the tenant VM session state is preserved. VM moved to “PausedCritical” state

as it waits for the storage to recover. On recovery the session state is restored

TechNet

VM Compute Resiliency

• Site Awareness

• Node Fairness

Overview

Role Support

Driver Support

Application Installation Support

Anti-Malware, Patching and Feature Releases

Management

Image Builder Tool

Third-party Hypervisor Support

Nano Server

OverviewHeadless, 64-bit only and Managed Remotely

Deploy without reboots (deployment to start - 1 to 5 mins)

Secure – less components, small attack surface

Stable – less patching, bigger uptime, when it doubt redeploy

Small – 180mb WIM, 600mb VHDx

Ideal for scenarios such as

• Compute host for Hyper-V VMs and Windows Containers

• Storage cluster host for Scale-Out File Server

• Standalone DNS server

• Web server running IIS

• Born in the cloud apps (Java Runtime, .Net Core,

ASP.Net Core, Note.js, Python, Go, Ruby, Django,

Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc.…)

Role Support• Hyper-V, including container and shielded VM support

• Datacenter Bridging

• Defender

• DNS Server

• Desired State Configuration

• Clustering

• IIS

• Network Performance Diagnostics Service (NPDS)

• System Center Virtual Machine Manager

• Secure Startup

• Scale out File Server, including Storage Replica, MPIO, iSCSI initiator, Data Deduplication

**Roles are Not included in image, separate packages to minimize footprint

Driver Support

Driver installation remains INF-based for Windows Server 2016

• Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath

• Installed drivers to an offline VHD using INF via DISM

• Online driver installation is available using PNPUTIL.EXE

Deploy Nano Server (Section: Adding additional drivers)

Application InstallationMSI’s not supported since built for local installs and may invoke GUI or other non-headless friendly features

Applications must be refactored to be compatible with Nano Server.

Windows Server App (WSA) is the only supported installer available for Nano Server

• Appx installer has been extended to package WSAs

Configuration and Installation are handled separately

• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet

• Group Policy is not supported on Nano Server

Example of application that can be installed on Nano

• Puppet - Works on Nano with some minor changes win32ole, win32-dir

Installing Windows Server Apps on Nano Server

Hands-on Packaging App for Nano Server

Anti-malware, Patching and New Releases

Antimalware options – Windows Defender is built in by default. 3rd party products are not currently supported by Nano Server

Patching – Windows Update is supported. 3rd party products are not supported by Nano Server

New Feature Releases

• Follows Current Branch for Business (CBB) for new features. Patching supports CBB-2. At CBB-3 updates are not available. (Reference: Service Model Details for Windows Server 2016)

• Upgrading to the next CBB requires recreating image. Cannot be upgraded. Releases will be available on the Volume License Center (VLSC).

Licensing Requires Software Assurance.

TechNet: Managing updates in Nano Server – Section Managing Updates

ManagementDomain Join supported

Group Policy Not Supported (LGPO supported)

Use PowerShell DSC instead of Group Policy

No local user interface, manage remotely

• PowerShell and DSC

• Server Manager

• Supports PowerShell core set of cmdlets

• Supports WMI v1 and v2 providers

• MMC Snap-in tools

Recovery Console includes local interface with simple menu to repair network configuration

SCVMM and SCOM Agent supported

Nano Server Image Builder GUI Tool

• GUI-based with many custom settings

• Create USB Key to detect firmware and hardware

• Create bootable USB or ISO for deployment

• Runs on Windows 8/8.1/10

• PowerShell script history

• Requires ADK

Download: http://aka.ms/NanoServerImageBuilder

Blog: Into Nano Server Image Builder

Third-party Hypervisor

Links for installing on VMWare

• TechNet Wiki: Nano Server: Virtualization with VMWare VSphere

• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine

• Cloud base Blog: Nano Server on KVM and ESXi

Note: Be aware when reviewing articles that many of the parameters on New-NanoServerImage changed between each Technical Preview, RTM (9/26/16) and General Release (10/11/16).

Overview

Windows Containers versus Hyper-V Containers

Supported Operating

“Hyper-V Container Host” Requirements

Docker Engine for Windows

Note about Active Directory

Learning Resources

Windows Containers

OverviewWindows containers provide operating system-level virtualization that allows multiple isolated applications to run on a single system

How do containers differ from virtual machines?

• Container: OS Virtualization where each

virtualized app includes the app itself, required

binaries and libraries, and a guest OS

• Virtual Machine: Machine virtualization where

each VM simulates the underlying physical

hardware

Containers Overview

Windows Containers versusShared kernel architecture

Isolation provided through namespace and process isolation technologies

Hyper-V ContainersSeparate kernel architecture.

Isolation provided through Hyper-V

Each container is run inside of a utility VM

Supported Operating System for Container Host

Windows Containers and Hyper-V Containers are Supported on

• Windows Server 2016 Desktop Experience (Datacenter or Standard)

• Window Server 2016 Server Core (Datacenter or Standard)

• Windows Server 2016 Nano Server

• Windows 10 Professional and Enterprise 1607+ (i.e. Anniversary Edition+)

Licensing Note:

• Windows Containers: Unlimited on Standard or Datacenter

• Hyper-V containers: (2) on Standard / (Unlimited) on Datacenter

• Check with MS Account team for other scenarios

Supported Operating System for Container images

Window Server 2016 Server Core (Datacenter or Standard)

Windows Server 2016 Nano Server

• For Windows Containers, the “Container Host” Build must match the “Container Image” Build

• As of 10/31/16 currently 10.0.14393.351 –> KB3197954 Oct 2016 Cumulative Update

• If Update installed on “Container Host”, then all “Container Images” on Host must be updated

• Check MS Support: Windows 10 Update History to determine latest cumulative update

Requirements

“Hyper-V Container Host” RequirementsWindows Server 2016 (core or desktop), Nano Server or Windows 10 Pro or Ent (Anniversary Edition)

Hyper-V Role Enabled

Hyper-V partition(s)

Additional Requirements if “Hyper-V Container host” virtualizedHyper-V Role enabled (i.e. Nested virtualization)

Minimum 4 GB RAM assigned (not dynamic)

Minimum 2 virtual processors assigned

TechNet: Hyper-V Containers

TechNet: System Requirements

Docker engine for WindowsWhile containers are new to Windows, Linux containers have been available since 2008

Docker.exe

Examples:

docker run

docker images

Docker Engine for Windows Server containers developed under the Docker open source project

Docker client uses the same standard Docker client and interface as Linux

Docker Hub is a Collection of open and curated applications

Collaboration with Docker brings Windows Server containers to the Docker ecosystem

Docker Engine

Note about Active Directory“Container Host” must be domain joined

Optional to join Container to domain with Emulated domain join

Group Policy cannot be applied to Containers (eliminates overhead)

Domain credentials are not stored in the container image (data at rest).

Emulated domain join (requires AD 2012+ functional levels of AD)

• Allows services in a container to run with Group managed service accounts (gMSA)

• Allows applications to use Windows Integrated Authentication

LearningCreate free Azure account

In Azure Portal create a Windows Server 2016 VM with the containers feature

Filter on “Container”, select “Windows Server 2016 with Containers..” and follow Wizard

http://www.lybecker.com/blog/2016/08/31/getting-started-with-windows-containers/

References:

MSDN: Container Images Quick Start

MSDN: Deploy Windows Containers

GitHub: Walk Through sample Music Store application with Windows Containers

RemoteFX vGPU

Discrete Device Assignment (DDA)

RDP Graphics Compression (codec)

RD Connection Broker Scale Enhancements

Cloud Optimizations – Azure Active Directory and SQL

Multi-point Services Role

Personal session Desktops, Gen 2 VM Support, and Pen Remoting Support

Remote Desktop Services

RemoteFX vGPUProvides a rich desktop remoting experiencing with Server 2016 Hyper-V and RDS enabling multiple VM’s to share the same physical GPU for graphics acceleration

• OpenGL 4.4 and OpenCL 1.1 API support

• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM

• Up to 4k resolution support

• Windows Server 2016 VM support

• Improved performance

Discrete Device Assignment (DDA) SupportAllows some PCI Express devices to be passed through directly to a guest VM

RDS Can now take advantage of DDA, enabling enhanced graphics performance.

• Full graphics API Support (ex. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)

• Native GPU Driver Support (Intel, AMD, NVIDIA)

• Maximum Performance (1 or more GPUs to 1 VM)

• Multiuser RDSH Support. Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA

Graphics enhancements – Codec investmentsNow implements full-screen AVC 444 mode

• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders

• Reduced bandwidth and better experience at higher resolutions

• Hardware offload support

RDP AVC/H.264 improvements

RD Connection Broker Scale EnhancementsEnhanced to handle highly concurrent logon scenarios (“log on storms”).

• RD Connection Broker was tested to 10k concurrent connections with zero failure rate

RD Connection Broker requires a SQL database

• Previous OS versions a SQL cluster was recommended, requiring 2 VMs

• SQL database is still required however SQL authentication is now supported

• Shared SQL/DB connections, making even smaller scale deployments more cost effective.

RD Connection Broker Performance Improvements

Cloud Optimizations – Azure Active Directory and SQLRDS can utilize Azure services to provide more cost effective solutions.

• Azure AD Application Proxy enables secure remote access to applications. RD Gateway servers are still required. Now they can be published to the Application Proxy service, instead of exposed to the public internet. This reduces attack surface and enhances security.

• Conditional access rules can be created to further define how users must authenticate (require multi-factor authentication, require MFA only when users are not at work, block access when not at work).

• Azure AD Domain Services provides managed domain services (domain join, group policy, LDAP, Kerberos, etc.). A Remote Desktop Services environment using Domain Services eliminates the need to deploy and manage domain controllers.

• Azure SQL Database includes high availability, disaster recovery, and upgrade mechanisms. A RDS environment using Azure SQL Database eliminates the need to deploy and manage VMs for SQL.

Use Azure SQL DB for RD Connection Broker

Multi-point Services RoleNew server role

• Enables low-cost per seat desktop computing

• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer.

• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server

• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles

• Enabling the Multipoint Services role, also installs Remote Desktop Session Host role which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows phone, Android, iOS and Mac OS

MultiPoint Services Role

Other Improvements

Personal session Desktops (New collection type)

Support for Generation 2 virtual machines (Support for RemoteFX and OpenGL)

Pen Remoting Support

Use personal session desktops

Introducing Personal Desktops

Pen Remoting

Resilient File System ReFs

• Now preferred for data volumes (requires UEFI and GPT)

• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements

Data Deduplication

• Integrated support for virtualized backup workloads and support for Nano Server

• Major performance and scalability improvements (64TB volumes and 1TB files)

SMB 3.1.1• Pre-Authentication Integrity

• Encryption Performance Improvements

• Supports rolling cluster upgrades

• SMB hardening improvements for SysVol in Active Directory

Storage Spaces DirectUse standard servers with local storage to build highly available and scalable software-defined storage

Storage ReplicaVolume level software replication between storage of any type

Storage QoSPrevent noise neighbors from impacting high priority workloads with a Storage QoS policy

FS

Microsoft offers an industry leading portfolio for building on-premises clouds. We embrace your choice of storage for your cloud – be it traditional SAN/NAS or the more cost-effective software-defined storage solutions using Storage Spaces Direct and Storage Spaces with shared JBODs.

Storage Resiliency

Clustered Hyper-V Role

• Detects storage failures

• Takes action to mitigate impact

• VM resumes exactly where it left off

• Designed for short transient failures

• > 30 minutes, VM shutdown

VM is running

VM experiences

failure writing to

VHD/VHDX

VM placed in

Paused-Critical

state

Storage becomes

responsive

VM moves back to

running state

Storage Resiliency

Storage Innovation with Storage Space DirectSoftware defined storage using standard servers with local storage

Industry-standard JBOD

Industry-standardx86 servers andSAS connectivity

SSD SSD SSD

Workload servers/cluster Workload servers/cluster

Storage Spaces Direct Storage Spaces Direct

Workload servers/cluster

• Standard servers with local storage (SATA, PCIe, JBOD..)

• Fault tolerance to disk, enclosure, node failures

• Simple and fine grained expansion

Storage Replica

Volume level software replication between storage of any type

Workload agnostic

Synchronous replication

Used by Failover Clusters with Storage Spaces Direct

• Automatic cluster failover for low Recovery time

Azure Site Recovery Storage Replica also available

Storage Replica

DNS Enhancements

DHCP Enhancements

Switch Embedded Teaming (SET)

Hyper-V Virtual Switch Enhancements

Software Defined Networking

DNS Enhancements

DNS Server Policies

Selective Recursion Control

Response Rate Limiting (RRL)

DNS Based Authentication of Named Entities (DANE)

Management of Unknown Record Types

IDNS Service

IPv6 Root Hints

Nano Server Support

TechNet Documentation and Blogs

• What's New in DNS Server in Windows Server 2016

• DNS policy overview

• PowerShell documentation

• Geo-Location Based Traffic Management

• Split-Brain DNS Deployment Using DNS Policies

• Applying Filters on DNS Queries using DNS Policies

• Application Load Balancing using DNS Policies

• Intelligent DNS Responses Based on the Time of Day

• Traffic Management with DNS Policies in Primary-

Secondary Deployment

• Selective Recursion Control Using DNS Policies

• Upward Referral Responses from Authoritative DNS

Servers

• Split-Brain DNS in Active Directory Environment Using

DNS Policies

• Response Rate Limiting in Windows DNS Server

DHCPNetwork Access Protection (NAP)Officially deprecated in Windows Server 2012 R2, but still supported

Windows Server 2016 DHCP Servers

• Will not enforce NAP Policies

• DHCP scopes cannot be NAP-enabled

DHCP DDNS Registration FailuresImproved Event Logging

• Adds new event details as to why DNS registrations might be failing (event id 20317 through 20327)

New Client Retry Behavior

• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations

Switch Embedded Teaming and Converged RDMADoes not require NIC team to converge NICs. There is not a team name.

Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters

Supports RDMA which NIC teaming does not.

Notes:

• All team members must be identical make/model/driver/features

• No Active/Passive teaming

• No 32-port teams available with NIC Teaming (LBFO)

Switch Embedded Teaming

Hyper-V Virtual Switch Enhancements

Virtual Machine Multi-Queue (VMMQ) addedEnables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs

VXLAN Encapsulation Task Offloads Support addedAdded support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing encapsulation)

Datacenter bridging with a Hyper-V Switch support addedUse single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload

Network tracing is streamlined and provides more detailContains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed

Networking

Cloud-scale fundamentals

SDN infrastructure

What’s New in NetworkingSoftware Defined Networking Overview

Hybrid datacenter extension

Network function virtualization

• Data plane based on Azure

• High-throughput, low-latency packet processing [up to 40G]

• Programmable Network controller based on Azure

• Switch Embedded Teaming (SET)

• NVGRE, VXLAN, and OVSDB support

• Port Mirroring

• Software Load balancer that is proven in Azure

• Network Address Translation Capability

• Distributed firewall

• Custom service chaining, including Linux appliances

• Azure ExpressRoute

• Multi-tenant gateways

• RAS Gateway

• User Defined Routing

What’s New in NetworkingNetwork Controller

Distributed Firewall

Software Load Balancer

• Network Controller

Software Load Balancing for SDN

RAS Gateway for SDN

New Focus

Protect the Operating System

Protect Credentials

Protect Virtual Machines

Detect and Respond

Security is its own Silo with a new Focus

Applied “Assume breach” to new Security Designs with the focus to

• Protect

• Detect

• Respond

Control Flow Guard Protects against unknown vulnerabilities by blocking common attack vectors

Configurable Code IntegrityEnsure that only permitted binaries can be executed from the moment the OS is booted

Windows DefenderActively protects from known malware without impacting workloads

Device Guard (Virtualization Based Security)Protect the boot process (more on next slide)

Control Flow Guard

Configurable Code Integrity

Windows Defender

Device Guard (VBS)• Hypervisor protects Kernel and OS

• UEFI Secure Boot protects boot process and firmware from tampering

• UEFI Secure Boot with IOMMU protects against DMA based attacks

• Hypervisor Code Integrity (HVCI) protects code executing in kernel mode

• Other optional Protections

• Secure MOR, HSTI, UEFI NX and SMM Mitigation

• VBS Requirements

• Universal Extensible Firmware Interface

Input-Output Memory Management

Direct Memory Access based attacks

Hypervisor Code Integrity

Credential GuardProtect stored credentials from Pass the Hash attacks

• LSA process talks to a new component called the isolated LSA process which stores and protects secrets. Requires Virtualization Based Security to be enabled

Remote Credential GuardProtect credentials over a Remote Desktop connection

• Credential Guard

Remote Credential Guard

Just In Time Administration Provide privileged access through a workflow that is audited and limited in time

• Secure Bastion Forest

• Shadow security principal (groups) in Bastion Forest

• Time-bound expiration

Just enough Administration

Host Guardian Service

Device Health Attestation

Components of Shielded Virtual Machines

Virtualization Based Security

Prevent infected hosts from accessing Virtual Machines memory and processors

• Device Guard and Credential Guard

Host Guardian Service (more on next slide)

Insure VMs are running on a legitimate host leveraging

• Measured Boot

• Device Health Attestation

BitLocker with vTPM

Encrypt the VM hard drive

Host Guardian Service

Device Health Attestation Service

Evaluates validity of host before allowing VM to start

Two Attestation Modes

• Admin

• TPMTechNet:

• Shielded VMs

• Guarded Fabric

• Attestation Modes

Enhanced Security Logs

New targeted audit events to better detect malicious behavior by providing more detailed information

Windows Server 2016 security auditing reference

Microsoft Advanced Threat Analytics (ATA)Analyze, Learn, Detect and Alert on suspicious activities and abnormal behavior (separate product)

• Takes information from multiple data-sources in your network to learn the behavior of users and other entities and build a behavioral profile.

• Advanced Threat Analytics

• Operations Managment Suite

Operations Management Suite (OMS)Monitor both on-premise and Azure cloud environments in the cloud. Can connect to SCOM (separate product)

Microsoft Passport for Work has been renamed to Windows Hello for Business

Enterprise Mobility End to End

Windows Hello Built-in to the Windows 10 and Windows Server 2016 operating system

Enables logon with a device-specific PIN or Biometrics (Facial recognition, Fingerprints, etc...)

Can be managed with Group Policy

Microsoft Passport Guide

Windows Hello for Business (New name for “Microsoft Passport for Work”)

Associates your Windows Hello device and PIN with an Identity Provider (IDP) such as Active Directory or Azure AD to logon you on seamlessly

Every device will create a unique private and public key set and register in the IDP

Replaces physical and virtual smart cards as well as reusable passwords for logon and access control

Takes advantage of onboard TPM hardware to generate, store and process keys if TPM exists

Microsoft Passport

Schema and Functional Level

Deprecation of FRS and Windows Server 2003 Functional Level

Accurate Time Enhancements

Allow NTLM network authentication when user is restricted to selected devices with “Authentication Policies”

Auto-roll NTLM Secrets for Smartcard Users

Schema Version 70 through 87 New Features• Windows Hello For Business (name change from “Microsoft Passport for Work”)

• ADFS 2016 at 2016 behavior level (FBL)

Windows Server 2016 Forest Functional Level • Privilege Access Management (PAM) Service in Bastion AD Forest (supported not required)

Windows Server 2016 Domain Functional Level • Enable rolling of expiring NTLM secrets

• Allow NTLM authentication when account restricted to selected devices with Authentication Policies

• Active Directory Schema versions

• ADFS 2016 Behavior Level

• Passport Guide (search for schema)

Windows Server 2016 Functional Levels

What’s New for MIM 2016 SP1

Deprecation of FRS• New Forests will only use DFS-R

• Existing Forests: Windows Server 2016 DCs can participate in FRS

• Best Practice to use DFS-R for SysVol Replication for performance, manageability and support

Deprecation of Windows Server 2003 Functional Level• New Forests: Windows Server 2003 Functional Levels not available

• Existing Forests: Windows Server 2016 DCs can be added if schema version updated to 87

• Windows Server 2003 Functional Level will not be supported in future releases

Deprecation of FRS

Deprecation of Windows Server 2003 Functional Levels

Windows 2016 Accurate TimeMaintains a 1ms or better accuracy with UTC on Windows Server 2016 Domain Controllers

Time synchronization accuracy has been improved substantially, while maintaining full backwards NTP compatibility with older Windows OS versions

Under reasonable operating conditions you can maintain a 1ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members.

Improvements• Elimination of rounding errors while calculating time

• More frequent fine tuned adjustments leading to better accuracy

• More accurate time server estimation

• Leading to accuracy within 10’s of micro seconds

Time Improvements in Windows Server 2016

Windows Server 2016 Accurate Time

Allow NTLM network authentication when user is restricted to selected devices with “Authentication Policies”

Requires:

• Windows Server 2016 domain FL

• NTLM Enabled on authentication

policy

Note: First generation of authentication policies blocked NTLM since they could not determine what device it comes from.

Auto-roll NTLM Secrets for Smartcard UsersPurpose: Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets

DC requirements:

• Windows Server 2016 Domain Functional Level

• Enabled on new domains by default. Opt in for existing domains

Device requirements:

• Ability to sign on with a smart card, virtual smart card or Windows Hello for Business (i.e. Passport for Work)

Security and Assurance

Firmware

VT-x (Intel) AMD-V

SLAT

IOMMU Direct Memory Access-based attacks

TPM

Firmware (cont.)UEFI

Secure Boot Trusted Boot ELAM

GPT

HSTI

Secure MOR

NIST guidelines

DriversWindows Hardware Compatibility Program

Network Adapter TechnologiesRSS

vRSS

VMQ

dVMQ

VMMQ

RDMA

SR-IOV

NVGRE VXLAN

DCB

Storage TechnologiesGPT MBR

NTFS ReFS

MPIO

NvMe

SATA