Windows Server 2016 is a cloud-ready operating system that supports an enterprise's current workflows while introducing new technologies that make the move to the cloud smooth when the time is right. What are the main new features and how do they help businesses? This presentation answers those questions.
2. Security / Software-defined Datacenter / Application Platform

Security
• Increasing breach incidents
• Identity is the target of attacks
• Complex to secure virtual environments

Software-defined Datacenter
• Lack of integration between solutions
• Hard to deploy and operate
• Low-footprint server

Application Platform
• No integration between Dev and Ops
• Fast and lightweight OS
• Hard to plan for public cloud
3. The cloud-ready server operating system that delivers new layers of security and Azure-inspired innovation for the applications and infrastructure that power your business.

Built-in Security
• Protection for identity
• Secure the virtualization platform
• Built-in layers of security

Azure-inspired Infrastructure
• Affordable & enterprise ready
• Learnings from the hyper-scale datacenter
• Built-in SDDC capabilities

Hybrid Application Platform
• Support for containers
• Purpose-built OS
• AHUB (Azure Hybrid Use Benefit) eases the transition to cloud
5. Windows Server Installation and Upgrade
• Windows Server Installation and Upgrade
• Server role upgrade and migration matrix for Windows Server 2016
• Upgrade and conversion options for Windows Server 2016
7. Windows Server 2016 editions

Datacenter
• Unlimited Windows Server containers
• Nano Server as deployment option
• Unlimited VMs
• Unlimited Hyper-V containers
• Storage features including Storage Replica & Storage Spaces Direct
• New networking stack
• Shielded VMs and Host Guardian Service
• Users: unlimited, based on CALs

Standard
• 2 VMs
• 2 Hyper-V containers**
• Users: unlimited, based on CALs

Essentials
• 25 users / 50 devices
• No server CALs required
• 1 physical or virtual*
• Must be root of domain

Positioning lines on the slide: "Enterprise class technology to drive any sized business"; "Basic functionality of Windows Server"; "Core functionality of Windows Server".

Windows Storage Server 2016   Workgroup   Standard
Processors                    1           2
RAM                           32 GB       12 TB
SMB connections               250         Unlimited
Max users                     50          Unlimited
Disks                         6           Unlimited

(* and ** refer to footnotes on the original slide that were not preserved in this extraction.)
8. Cumulative Updates and Windows
• Windows Server 2016 uses Cumulative Updates, like Windows 10
• Only the latest Cumulative Update is needed to bring an install to the latest patch level
• Removes the problem of every customer deploying their own untested combination of patches
• Security updates are still delivered on an "as needed" basis
10. Ready for the cloud / Improve IT efficiency & productivity / Safeguard your business

Safeguard your business
• Just in Time & Just Enough Administration
• Windows Defender for malware protection
• Trusted/Secure Boot
• Shielded Virtual Machines
• Host Guardian Service
• Encrypted Virtual Machines and Containers
• Enhanced containers

Improve IT efficiency & productivity
• Stretch clusters
• Rolling cluster OS upgrades
• Storage Spaces Direct
• Storage Replica
• Storage Quality of Service
• Remote Desktop Services

Ready for the cloud
• Azure Backup, Azure Storage, Azure Site Recovery¹
• Azure Active Directory¹
• RSMT (Azure Remote Server Management Tools)¹
• Operations Management Suite¹
12. Voice of the Customer

• Why do I have to reboot because of a patch to a component I never use?
• When a reboot is required, the systems need to be back in service ASAP

• Large images take a long time to install and configure
• Transferring images consumes too much network bandwidth
• Storing images requires too much disk space

• If the OS consumes fewer resources, I can increase my VM density
• Higher VM density lowers my costs and increases my efficiency & margins
13. Nano Server – Just enough OS
Nucleus of next-gen cloud infrastructure and applications

14. Nano Server installation option
• Just enough OS
• Key roles & features
• Full developer experience

Installation options and the workloads they target:
• Nano Server (just enough OS): containers and next-gen applications
• Server Core (lower-maintenance server environment): traditional VM workloads
• Full GUI: specialized workloads, third-party applications, RDS experience
15. Nano Server developer experience
Nano Server has a full developer experience, unlike Server Core. The Windows SDK and Visual Studio 2015 target Nano Server, with a rich design-time experience (project template, full IntelliSense, error squiggles, etc.) and a full remote debugging experience.
16. Nano Server
• Smallest ever footprint: 93 percent lower VHD size
• Very fast deployment and reboots
• Focus on two key scenarios: born-in-the-cloud applications, and the cloud platform itself (Hyper-V and Scale-out File Servers)
• Not installed in the traditional manner
• Enables the new cloud era!
• Managed through familiar and new ways
18. Remotely managing Nano Server

Remote graphical & web tools
• Server Manager
• Azure Portal tools: Task manager, Registry editor, File explorer, Server configuration, Event viewer, Disk manager, Device & driver management, Performance, Users & groups

PowerShell Remoting
• Core PowerShell engine, language, and cmdlets
• Windows Server cmdlets (network, storage, etc.)
• PowerShell DSC
• Remote file transfer
• Remote script authoring & debugging
• PowerShell Web Access

VM and container management
• Hyper-V Manager
• Hyper-V cmdlets
• PowerShell Direct over PSRP
• CimSession support
• Docker
• SCVMM agent & console
• 3rd party agents & consoles

Deployment & monitoring
• DISM online & VHD support
• Unattended setup
• Visual Studio integration
• DSC Local Configuration Manager
• Setup & boot eventing
• SCOM agent
• VSO App Insights
• Azure Op Insights

Partners & frameworks
• Chef integration
• .NET Core and CoreCLR
• ASP.NET 5
• Python, PHP, Ruby, Node.js
• PowerShell Classes
• PS Script Analyzer
• PowerShell Gallery
• PowerShellGet
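The deck lists the tooling but never shows the workflow end to end. The PowerShell below is an added example, not code from the deck or from Microsoft: it builds a Nano Server guest image with the NanoServerImageGenerator module that ships on the Windows Server 2016 media, boots it as a Generation 2 VM, and then manages it only over PowerShell Remoting, since Nano Server has no local logon. The media path, scratch directory, VM switch name, computer name and the workgroup-style TrustedHosts step are assumptions for the lab.

```powershell
# Added example, not code from the original deck.  Assumptions: the WS2016 ISO is
# mounted at D:\, a Hyper-V switch named 'External' exists, and the new host is
# called nano01.  Run in an elevated PowerShell on the Hyper-V host.
$MediaPath = 'D:\'
$BasePath  = 'C:\NanoBase'              # scratch copy of the Nano Server media
$Target    = 'C:\Nano\nano01.vhdx'
$Admin     = Read-Host -AsSecureString -Prompt 'Local Administrator password for nano01'

# The image generator ships on the install media, not with the OS
Import-Module (Join-Path $MediaPath 'NanoServer\NanoServerImageGenerator') -Verbose

# -Containers adds the containers package, -Defender the antimalware package,
# -EnableRemoteManagementPort opens WinRM (TCP 5985) in the guest firewall.
# Nothing else lands on disk, so no unused role ever needs patching or a reboot.
New-NanoServerImage -Edition Standard -DeploymentType Guest `
    -MediaPath $MediaPath -BasePath $BasePath -TargetPath $Target `
    -ComputerName 'nano01' -AdministratorPassword $Admin `
    -Containers -Defender -EnableRemoteManagementPort

# Generation 2 keeps UEFI Secure Boot on for the guest
New-VM -Name nano01 -Generation 2 -MemoryStartupBytes 512MB `
       -VHDPath $Target -SwitchName 'External' | Out-Null
Start-VM -Name nano01

# Workgroup-only shortcut: trust the host name for WinRM.  In a domain, join nano01
# at build time (-DomainName on New-NanoServerImage) and skip this, so Kerberos
# authenticates the host instead of a name you typed.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'nano01' -Concatenate -Force

$cred = Get-Credential -UserName 'nano01\Administrator' -Message 'nano01 credentials'
Invoke-Command -ComputerName nano01 -Credential $cred -ScriptBlock {
    # Listening ports on the fresh image; compare with the "ports open" chart row
    $listening = Get-NetTCPConnection -State Listen |
                 Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Build          = (Get-CimInstance Win32_OperatingSystem).BuildNumber
        ListeningPorts = $listening -join ','
    }
}
```

Everything after `Start-VM` is the same remoting you would use against any Windows host; the difference is that with Nano Server it is the only way in, which is why the deck's "ports open" figure stays small.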
19. Nano Server preliminary results

                   Nano Server   Server Core   Full Server
Critical patches   2             8             23
Reboots            3             6             11
Ports open         11            26            34
VHD size (GB)      0.41          6.5           10.4
Setup time (s)     40            300           1140

(Columns follow the chart's order: Nano Server, Server Core, full Server installation.)
20. • Top Ten: What You Need to Know about Microsoft Nano Server
• Introducing the Nano Server Image Builder
• Install Nano Server
• Manage Nano Server
22. What is a container?
• Traditional virtual machines = hardware virtualization: each VM carries its own kernel and applications on top of the hypervisor.
• Containers = operating system virtualization: containers share the host's kernel.
• Windows Server containers: maximum speed and density.
• Hyper-V containers: isolation plus performance.
24. Windows Server containers
Build: Developers use familiar development tools, such as Visual Studio, to write apps to run within containers. By building modular apps leveraging containers, modules can scale independently and be updated on independent cadences.
Run: Container capabilities are built into Windows Server.
Manage: Deploy and manage containers using PowerShell or Docker.
Resources: Define CPU and memory resources per container, along with storage and network throughput.
Network: Provide NAT or DHCP/static IP for network connectivity.
(Diagram: a three-tier application split into containers A, B and C for the web, app and DB tiers.)
25. Hyper-V containers
Consistency: Hyper-V containers use the same APIs as Windows Server containers, ensuring consistency across management and deployment toolsets.
Compatibility: Hyper-V containers use the exact same images as Windows Server containers.
Strong isolation: Each Hyper-V container has its own dedicated copy of the kernel.
Highly trusted: Built with proven Hyper-V virtualization technology.
Optimized: The virtualization layer and the operating system have been specifically optimized for containers.
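Slides 24 and 25 describe the two container types, their resource controls and NAT networking in words; the following is an added example (not from the deck, and not Microsoft's or Docker's own code) that sets up a Windows Server 2016 host and runs the same image both ways so the difference is visible. The image name is the GA-era Docker Hub name and is an assumption about what your registry serves; the host is assumed to be a fresh, elevated session.

```powershell
# Added example, not code from the original deck.  Run elevated on a fresh
# Windows Server 2016 host.  Image name is an assumption (GA-era Docker Hub name).
Install-WindowsFeature -Name Containers
Install-Module  -Name DockerMsftProvider -Repository PSGallery -Force
Install-Package -Name docker -ProviderName DockerMsftProvider -Force
Restart-Computer -Force     # the Containers feature needs a reboot; continue below afterwards

$Image = 'microsoft/nanoserver'
docker pull $Image

# Windows Server container: shares the host kernel (the host default).  A host
# admin can read this container's memory and files and a kernel bug inside it is
# a bug on the host, so reserve it for code you would already trust on the host.
# CPU/memory limits are enforced by the job object that backs the container.
docker run --rm --isolation=process --cpu-count 1 --memory 512m $Image cmd /c ver

# Hyper-V container: identical image, but the kernel runs inside a utility VM, so
# the container's kernel is not the host's.  Pick this for multi-tenant or
# untrusted workloads; the cost is a slower start and more memory per container.
docker run --rm --isolation=hyperv $Image cmd /c ver

# Default networking is NAT: publish host port 8080 to container port 80, then
# confirm which isolation the running container actually received.
docker run -d --name web --isolation=hyperv -p 8080:80 $Image cmd /c "ping -t localhost > NUL"
docker inspect --format '{{.HostConfig.Isolation}}' web      # prints: hyperv
Get-NetNat | Select-Object Name, InternalIPInterfaceAddressPrefix
docker rm -f web
```

`--isolation` is a per-run decision, not a per-image one, which is what "same images, same APIs" on slide 25 buys you: the build pipeline does not change when a workload moves from a trusted single-tenant host to a shared one.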
28. Where to run containers?
• Azure: Windows Server 2016 image in the Marketplace; only Windows Server containers
• Existing server, physical or VM: install Windows Server 2016; Windows Server and/or Hyper-V containers
• Nested virtualization on Hyper-V: VM on Windows 10 or Windows Server 2016; Windows Server and/or Hyper-V containers
29. Docker integration
Joint strategic investments to drive containers forward.
Docker: an open source engine that automates the deployment of any application as a portable, self-sufficient container that can run almost anywhere.
Partnership: enable the Docker toolset to manage multi-container applications using both Linux and Windows containers, regardless of the hosting environment or cloud provider.
(Diagram: Dockerized app, run anywhere.)
30. • The differences between Windows Containers and Hyper-V Containers in Windows Server 2016
• Windows Containers
• Hyper-V Containers
• Container Host Deployment - Windows Server
• Container host deployment - Nano Server
• Getting Started with Docker for Windows
• Build And Run Your First Docker Windows Server Container
• Docker Engine on Windows
32. Windows Server 2016 Hyper-V scale limits

Capability                                  Windows Server 2012/2012 R2 Standard and Datacenter   Windows Server 2016 Standard and Datacenter   VMware vSphere 6 Enterprise Plus
Physical (host) memory support              Up to 4 TB per physical server                        Up to 24 TB per physical server (6x)          Up to 6 TB per physical server (12 TB for specific OEM certified platforms)
Physical (host) logical processor support   Up to 320 LPs                                         Up to 512 LPs                                 Up to 480 LPs
Virtual machine memory support              Up to 1 TB per VM                                     Up to 12 TB per VM (12x)                      Up to 4 TB per VM
Virtual machine virtual processor support   Up to 64 VPs per VM                                   Up to 240 VPs per VM (3.75x)                  Up to 128 VPs per VM

Source: http://www.vmware.com/pdf/vsphere6/r60/vsphere-60-configuration-maximums.pdf
33. Increase reliability with clusters
• Cluster OS Rolling Upgrades: upgrade your fabric to Windows Server 2016 without downtime to workloads running on Hyper-V virtual machines.
• Mixed-OS mode cluster: provides the ability for Windows Server 2012 R2 cluster nodes to operate with Windows Server 2016 nodes.
• VM resiliency: designed for cloud-scale environments, this helps preserve VM session state in the event of transient storage or network disruptions.
• Fault domain-aware clusters: enhance key operations during the cluster lifecycle such as failover behavior, placement policies, heartbeating between nodes, and quorum behavior.
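The rolling-upgrade and mixed-OS bullets describe a loop (drain, evict, reinstall, rejoin, repeat, then raise the functional level). The PowerShell below is an added example of driving that loop, not from the deck or from Microsoft's documentation; the cluster name `hvclus01` is an assumption, and the OS reinstall itself happens out of band between the two halves.

```powershell
# Added example, not code from the original deck.  Assumes a 2012 R2 Hyper-V
# cluster 'hvclus01' (assumption) managed from a WS2016 box with the Failover
# Clustering RSAT tools installed.
$Cluster = 'hvclus01'

function Get-ClusterUpgradeState {
    param([string]$Cluster)
    # ClusterFunctionalLevel 8 = Windows Server 2012 R2, 9 = Windows Server 2016
    $level = (Get-Cluster -Name $Cluster).ClusterFunctionalLevel
    $nodes = Get-ClusterNode -Cluster $Cluster |
             Select-Object Name, State, MajorVersion, MinorVersion, BuildNumber
    [pscustomobject]@{
        FunctionalLevel = $level
        MixedMode       = ($nodes.BuildNumber | Sort-Object -Unique).Count -gt 1
        Nodes           = $nodes
    }
}

function Start-NodeUpgrade {
    param([string]$Cluster, [string]$Node)
    # -Drain live-migrates every VM off the node, so workloads keep running
    Suspend-ClusterNode -Cluster $Cluster -Name $Node -Drain -Wait | Out-Null
    # Evict; the node is then clean-installed with WS2016 (not an in-place upgrade)
    Remove-ClusterNode -Cluster $Cluster -Name $Node -Force
}

function Complete-NodeUpgrade {
    param([string]$Cluster, [string]$Node)
    # The rejoined 2016 node runs in 2012 R2 compatibility (mixed-OS) mode
    Add-ClusterNode -Cluster $Cluster -Name $Node | Out-Null
    Resume-ClusterNode -Cluster $Cluster -Name $Node -Failback Immediate | Out-Null
}

# One node at a time; the VMs never see more than a live migration
foreach ($n in (Get-ClusterNode -Cluster $Cluster).Name) {
    Start-NodeUpgrade -Cluster $Cluster -Node $n
    Read-Host "Reinstall $n with Windows Server 2016 and the Hyper-V role, then press Enter"
    Complete-NodeUpgrade -Cluster $Cluster -Node $n
}

# Mixed-OS mode is transitional (Microsoft's guidance: finish within about four
# weeks).  Raising the functional level is one-way and only valid once every
# node is on 2016, so check before committing.
$state = Get-ClusterUpgradeState -Cluster $Cluster
if ($state.MixedMode) {
    throw "Cluster still has mixed builds: $($state.Nodes.BuildNumber -join ',')"
}
Update-ClusterFunctionalLevel -Cluster $Cluster -WhatIf
Update-ClusterFunctionalLevel -Cluster $Cluster -Force
Get-ClusterUpgradeState -Cluster $Cluster | Select-Object FunctionalLevel, MixedMode
```

The point of the `MixedMode` check is that `Update-ClusterFunctionalLevel` cannot be undone; a forgotten 2012 R2 node discovered after the level is raised has to be evicted and rebuilt rather than rolled back.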
35. Flexibility: Linux support on Hyper-V
• Broad support: run Red Hat, SUSE, OpenSUSE, CentOS, Ubuntu, Debian and Oracle Linux, with full support.
• Increased utilization: run Windows and Linux side by side, driving up utilization and reducing hardware costs.
• Enhanced networking: highest levels of networking performance in Linux guests with virtual Receive Side Scaling (vRSS) support.
• Storage enhancements: hot-add and online resize of storage for enhanced administration flexibility.
• Better protection: better-than-physical backup support for virtualized Linux guests on Hyper-V.
• Simplified management: single experience for managing, monitoring, and operating the infrastructure.
• PowerShell support: use PowerShell Desired State Configuration to declaratively specify the configuration of Linux servers.
36. Secure Boot support for Linux
• Provides kernel code integrity protections for Linux guest operating systems
• Works with: Ubuntu 14.04 and later; SUSE Linux Enterprise Server 12
37. Network adapter identification
• You can name individual network adapters in the virtual machine settings and see the same name inside the guest operating system
• PowerShell is needed to configure naming
38. PowerShell Direct to guest OS
• You can now run PowerShell in the guest OS directly from the host OS
• No need to configure PowerShell Remoting, or even to have network connectivity
• You still need guest credentials
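Slides 36, 37 and 38 each name one host-side knob (the Linux Secure Boot template, adapter naming, PowerShell Direct) without showing the cmdlets. The PowerShell below is an added example covering all three, not code from the deck or from Microsoft: it enables Secure Boot for a Linux Generation 2 VM with the UEFI CA template, attaches a named adapter, and then uses PowerShell Direct to confirm the guest's view. The VM names `ubuntu01` and `app01`, the switch name and the guest credential are assumptions.

```powershell
# Added example, not code from the original deck.  Assumes two Generation 2 VMs on
# this host: 'ubuntu01' (Linux) and 'app01' (Windows Server 2016).  Run elevated
# on the Hyper-V host.

function Enable-LinuxSecureBoot {
    param([string]$VMName)
    $vm = Get-VM -Name $VMName
    if ($vm.Generation -ne 2) {
        throw "$VMName is Generation $($vm.Generation); Secure Boot needs Generation 2"
    }
    # Linux boots through shim, signed by the Microsoft UEFI CA, not the Windows
    # CA that the default template trusts.  Wrong template = no boot, not a warning.
    Set-VMFirmware -VMName $VMName -EnableSecureBoot On `
                   -SecureBootTemplate MicrosoftUEFICertificateAuthority
    Get-VMFirmware -VMName $VMName | Select-Object VMName, SecureBoot, SecureBootTemplate
}

function Add-NamedAdapter {
    param([string]$VMName, [string]$AdapterName, [string]$SwitchName)
    # -DeviceNaming On exposes the adapter name to the guest as an advanced property,
    # so "Backend" in the VM settings is "Backend" in the guest, not "Ethernet 3".
    Add-VMNetworkAdapter -VMName $VMName -Name $AdapterName -SwitchName $SwitchName -DeviceNaming On
}

function Test-GuestState {
    param([string]$VMName, [pscredential]$Credential)
    # PowerShell Direct: -VMName targets the VMBus, so no guest network, no WinRM
    # listener and no firewall rule are involved.  Guest credentials are still checked.
    Invoke-Command -VMName $VMName -Credential $Credential -ScriptBlock {
        [pscustomobject]@{
            Guest      = $env:COMPUTERNAME
            SecureBoot = Confirm-SecureBootUEFI
            # Display name of the property carrying the host-assigned adapter name (assumption)
            Adapters   = (Get-NetAdapterAdvancedProperty -DisplayName 'Hyper-V Network Adapter Name' |
                          Select-Object -ExpandProperty DisplayValue) -join ','
        }
    }
}

Enable-LinuxSecureBoot -VMName 'ubuntu01'
Add-NamedAdapter -VMName 'app01' -AdapterName 'Backend' -SwitchName 'Private'
$cred = Get-Credential -UserName 'app01\Administrator' -Message 'guest credentials for app01'
Test-GuestState -VMName 'app01' -Credential $cred
```

PowerShell Direct only works against Windows guests with PowerShell installed, so the Linux VM is verified from its own console (or via SSH), not through `Invoke-Command -VMName`. Treat the VMBus path as a privileged one: anyone who is a Hyper-V administrator on the host and holds guest credentials can reach every VM this way regardless of network segmentation, which is exactly the host-admin exposure the shielded VM slides later address.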
39. Hyper-V Manager improvements
• Multiple improvements make it easier to remotely manage and troubleshoot Hyper-V servers:
  • Support for alternate credentials
  • Connecting via IP address
  • Able to manage Windows Server 2012, 2012 R2 and Windows Server 2016 Technical Preview from a single console
  • Connecting via WinRM
40. Hot add/remove
• VM memory
• Network adapters
• VM checkpoints based on VSS (production checkpoints)
• Dynamically identify VMs that are not "playing well" and reduce their resource allocation
41. Built-in security
• Shielded Virtual Machines
• Host Guardian Service
• Secure Boot for Windows & Linux
• Nano Server Hyper-V host
• Virtualization-based Security (VBS)
• Hyper-V containers
• Containers in shielded VMs
• Credential Guard
• Just in Time Administration
• Just Enough Administration
• Control Flow Guard
• Code Integrity
• Windows Defender
• Enhanced threat detection
43. Shielded VMs: Security Assurance Goals
• Encryption of data, both at-rest & in-flight
• Virtual TPM enables the use of disk encryption within a VM (e.g. BitLocker)
• Both Live Migration and VM-state are encrypted
• Admin-lockout
• Host administrators cannot access guest VM secrets (e.g. can’t see disks, video, etc.)
• Host administrators cannot run arbitrary kernel-mode code
• Attestation of health
• VM-workloads can only run on “healthy” hosts
44. A bit more detail
What is it and who's it for? (as a hoster, as a tenant, as an enterprise)

Implementation spotlights
• Hardware-rooted security technologies strictly isolate the VM from host administrators
• A Host Guardian Service that is able to identify legitimate Hyper-V hosts and certify them to run a given shielded VM
• Virtualized Trusted Platform Module (vTPM) support for Generation 2 virtual machines
45. Shielded VMs: a bit more detail
• Requires a Generation 2 VM
• Virtual motherboard exposes UEFI firmware
• Enables Secure Boot in the VM, supports TPM v2.0
• Windows Server 2012, Windows Server 2012 R2 guest VMs supported today
• Windows Server 2008, Windows Server 2008 R2 support under investigation
46. Shielded VMs: what's protected?
• vTPM enables protection for VM data at rest
  • Enables disk encryption within the guest VM (e.g. BitLocker in transparent mode)
  • The TPM 2.0 device has been virtualized
  • vTPM is not backed by a physical TPM, which ensures VM mobility scenarios work
  • A hardened VMWP (VM worker process) hosts the vTPM VDEV for protected VMs
• The hardened VMWP encrypts other VM artifacts
  • Live migration egress traffic is encrypted
  • All other VM state at rest: vTPM state in the VM config file; runtime state file, saved state, snapshot; Hyper-V Replica file
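Slides 43 to 46 state the assurance goals (encryption at rest and in flight, admin lockout, attestation) but not the order of operations on a host. The PowerShell below is an added example of converting an existing Generation 2 VM into a shielded VM on a guarded host; it is not code from the deck or from Microsoft's deployment guide. The HGS address `hgs.relecloud.com`, the guardian names, the VM name `sql01`, plain-HTTP HGS endpoints and the `-AllowUntrustedRoot` flags are lab assumptions.

```powershell
# Added example, not code from the original deck.  Assumptions: an HGS cluster is
# reachable as hgs.relecloud.com over HTTP, this Hyper-V host is already
# registered with it (TPM or AD attestation), and 'sql01' is an existing
# Generation 2 VM on this host.  Run elevated on the guarded host.
$Hgs    = 'hgs.relecloud.com'
$VMName = 'sql01'

# 1. Point the host at HGS and refuse to continue unless attestation passes.
#    "Healthy host" on slide 43 means exactly this check succeeding.
Set-HgsClientConfiguration -AttestationServerUrl   "http://$Hgs/Attestation" `
                           -KeyProtectionServerUrl "http://$Hgs/KeyProtection"
$client = Get-HgsClientConfiguration
if (-not $client.IsHostGuarded) {
    throw "Host is not guarded: $($client.AttestationStatus) / $($client.AttestationSubstatus)"
}

# 2. Key protector = tenant-owned owner guardian + the fabric's HGS guardian.
#    The owner guardian's private key never leaves the tenant; HGS holds only the
#    public half.  A host admin therefore cannot unwrap the VM's keys, which is the
#    "admin lockout" goal in practice.
$owner = Get-HgsGuardian -Name 'TenantOwner' -ErrorAction SilentlyContinue
if (-not $owner) { $owner = New-HgsGuardian -Name 'TenantOwner' -GenerateCertificates }

$meta = Join-Path $env:TEMP 'hgs-metadata.xml'
Invoke-WebRequest -Uri "http://$Hgs/KeyProtection/service/metadata/2014-07/metadata.xml" -OutFile $meta
# -AllowUntrustedRoot only because the lab HGS uses self-signed certificates; drop it in production
$fabric = Import-HgsGuardian -Path $meta -Name 'RelecloudFabric' -AllowUntrustedRoot
$kp     = New-HgsKeyProtector -Owner $owner -Guardian $fabric -AllowUntrustedRoot

# 3. Apply it.  Shielding needs Generation 2 (UEFI + Secure Boot) and the VM off.
$vm = Get-VM -Name $VMName
if ($vm.Generation -ne 2) { throw "$VMName is Generation $($vm.Generation); shielding needs Generation 2" }
if ($vm.State -ne 'Off')  { Stop-VM -Name $VMName -Force }

Set-VMKeyProtector   -VMName $VMName -KeyProtector $kp.RawData
Enable-VMTPM         -VMName $VMName            # vTPM; not bound to the host TPM, so the VM stays mobile
Set-VMSecurityPolicy -VMName $VMName -Shielded $true
Start-VM -Name $VMName

# TpmEnabled and Shielded should both be True; saved state and migration traffic
# are now encrypted by the hardened VMWP as slide 46 describes.
Get-VMSecurity -VMName $VMName | Select-Object TpmEnabled, Shielded, EncryptStateAndVmMigrationTraffic
```

Two caveats a practitioner should keep in mind. First, the vTPM only enables disk encryption; the VHDX is encrypted at rest only once BitLocker is turned on inside the guest against that vTPM. Second, this path shields a VM whose disk was readable by host admins before the conversion, so it does not retroactively protect secrets already on it; for a VM that must be opaque to the fabric from its first boot, provision it from a signed template disk and a tenant-created shielding data file (`Protect-TemplateDisk` and `New-ShieldingDataFile`) instead.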
47. • What's new in Hyper-V on Windows Server 2016
• Cluster operating system rolling upgrade
• Guarded fabric and shielded VMs overview
• Deploying the Host Guardian Service for guarded hosts and shielded VMs
• Configuration scenarios for shielded VMs in a guarded fabric
• A closer look at shielded VMs in Windows Server 2016
• Step by Step – Configuring the Host Guardian Service in Windows Server 2016
49. Stretch cluster and cluster-to-cluster (Site 1 ↔ Site 2)
Storage Replica
• Synchronous replication: storage-agnostic mirroring of data between physical sites with crash-consistent volumes, ensuring zero data loss at the volume level.
• Increased resilience: unlocks new scenarios for metro-distance cluster-to-cluster disaster recovery and stretch failover clusters for automated high availability.
• Complete solution: end-to-end for storage and clustering, including Hyper-V, Storage Replica, Storage Spaces, Cluster, Scale-Out File Server, SMB3, Deduplication, Resilient File System (ReFS), NTFS, and Windows PowerShell.
• Streamlined management: graphical management for individual nodes and clusters through Failover Cluster Manager and Azure Site Recovery.
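The Storage Replica bullets above describe synchronous mirroring as a capability; the PowerShell below is an added example of the simplest form of it, server-to-server replication of one volume, and is not code from the deck or from Microsoft's documentation. The server names, drive letters, log size and result path are assumptions.

```powershell
# Added example, not code from the original deck.  Assumptions: two WS2016
# Datacenter servers sr-srv01 and sr-srv02 in the same domain, each with a data
# volume F: and a separate, faster log volume G:.  Run from a management box
# with the Storage Replica RSAT tools.
$Src = 'sr-srv01'
$Dst = 'sr-srv02'

foreach ($s in $Src, $Dst) {
    Install-WindowsFeature -ComputerName $s -Name Storage-Replica, FS-FileServer `
                           -IncludeManagementTools -Restart
}

# Measure before committing: in synchronous mode every write waits for the
# remote log, so a slow link or log disk shows up as application latency, not
# as a replication warning.
Test-SRTopology -SourceComputerName $Src -SourceVolumeName 'F:' -SourceLogVolumeName 'G:' `
    -DestinationComputerName $Dst -DestinationVolumeName 'F:' -DestinationLogVolumeName 'G:' `
    -DurationInMinutes 30 -ResultPath 'C:\Temp\SR'

New-SRPartnership -SourceComputerName $Src -SourceRGName 'rg01' `
    -SourceVolumeName 'F:' -SourceLogVolumeName 'G:' `
    -DestinationComputerName $Dst -DestinationRGName 'rg02' `
    -DestinationVolumeName 'F:' -DestinationLogVolumeName 'G:' `
    -ReplicationMode Synchronous -LogSizeInBytes 8GB

# The initial block copy runs first; "zero data loss" only holds once the
# destination reports ContinuouslyReplicating.  The destination F: is not
# mountable while it is a replica.
do {
    Start-Sleep -Seconds 30
    $status = (Get-SRGroup -ComputerName $Dst -Name 'rg02').Replicas.ReplicationStatus
} until ($status -eq 'ContinuouslyReplicating')

# Planned failover: reverse direction.  The former source becomes the read-only replica.
Set-SRPartnership -NewSourceComputerName $Dst -SourceRGName 'rg02' `
                  -DestinationComputerName $Src -DestinationRGName 'rg01'
```

Replication rides on SMB3 between the two servers; if the hosts have several interfaces, pin it to the dedicated replication network with `Set-SRNetworkConstraint` so that the mirror traffic does not share a path with, or leak onto, the management network.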
50. Storage Spaces Direct
Software-defined storage for private cloud using industry-standard servers with local storage.

Reliability, scalability, flexibility
• Fault tolerance to disk, enclosure and node failures
• Scale pools to a large number of drives
• Simple and fine-grained expansion
• Fast VM creation and efficient VM snapshots

Use cases
• Hyper-V IaaS storage
• Storage for backup and replication targets
• Hyper-converged (compute and storage together)
• Converged (compute and storage separate)

Cloud design points and management
• Standard servers with local storage
• New device types such as SATA and NVMe SSD
• Prescriptive hardware configurations
• Deploy/manage/monitor with SCVMM, SCOM & PowerShell
51. Converged vs. hyper-converged
• Converged (on-premises disaggregated) solution: compute (virtual machines on Hyper-V hosts) and storage (a Scale-out File Server over Storage Spaces Direct) run on separate clusters connected over SMB3; scale the components separately in this model.
• Hyper-converged: the compute (Hyper-V) and storage (Storage Spaces Direct) components reside on the same cluster, so compute and storage scale simultaneously.
(Diagram: virtual machines on Hyper-V hosts → SMB3 → scale-out file server / storage software; versus virtual machines and storage software on one cluster.)
53. Storage Spaces Direct partner hardware: Lenovo System x3650 M5, HP Apollo 2000 System, Quanta D51PH, Dell PowerEdge R730xd, Cisco UCS C3260 Rack Server, FUJITSU PRIMERGY RX2540 M1, Intel® Server Board S2600WT-based systems
55. • Storage Replica overview
• Stretch Cluster Replication Using Shared Storage
• Server to Server Storage Replication
• Frequently Asked Questions about Storage Replica
• Storage Quality of Service
• Storage Spaces Direct in Windows Server 2016
• Hyper-converged solution using Storage Spaces Direct in Windows Server 2016
• What is Storage Spaces Direct?
57. Hard lessons
• The network is no longer the security perimeter (it hasn't been for some time); identity is the (new) security perimeter.
• Entry: we can't stop this from happening. People will be fooled, bribed, blackmailed, etc.
• Eliminating human error isn't possible: phishing works and will continue to do so.
• Insider attacks are a big problem: anomalous activity monitoring helps in detection; limit access through identity management & isolation.
• Compliance is very important, but compliance and security are not the same thing: compliant != secure.
• Prevention methods aren't always technical or architectural. Many will be operational, and that will impose some level of additional operational friction; security has a price $$$.
58. Windows Server security posture: security isn't a bolt-on
1. Protect: ongoing focus & innovation on preventative measures; block known attacks & known malware
2. Detect: comprehensive monitoring tools to help you spot abnormalities and respond to attacks faster
3. Respond: leading response and recovery technologies plus deep consulting expertise
4. Isolate: isolate OS components & secrets; limit admin privileges; rigorously measure host health
59. What do we need to secure and how?
1. Manage privileged identities: prevent credential theft
2. Secure the OS, host & guest: host integrity and guest integrity
3. Secure virtualization
Each area is addressed across the four pillars: Protect, Detect, Respond, Isolate.
67. • Privileged Access Management for Active Directory Domain Services
• Weekend Scripter: Use PowerShell for JIT Administration and PAM
• Just Enough Administration
• Just Enough Administration, Step by Step
• Windows 10 Device Guard and Credential Guard Demystified
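"Manage privileged identities" and "Just Enough Administration" appear on several slides without a concrete endpoint. The PowerShell below is an added example of a JEA endpoint, not code from the deck or from the linked articles: it lets members of one group restart the DNS service and read zones, under a virtual account, with transcripts, and nothing else. The group name `RELECLOUD\DnsOperators`, the endpoint name, the module path and the transcript directory are assumptions; Just-in-Time elevation through MIM PAM is out of scope here.

```powershell
# Added example, not code from the original deck.  Creates a JEA endpoint 'DnsOps'
# on a DNS server for members of RELECLOUD\DnsOperators (assumption).  Run
# elevated on the DNS server.
$Module = "$env:ProgramFiles\WindowsPowerShell\Modules\DnsOps"
New-Item -ItemType Directory -Path "$Module\RoleCapabilities" -Force | Out-Null
New-ModuleManifest -Path "$Module\DnsOps.psd1"   # role capability files must live inside a module

# Role capability = the allow-list.  Restart-Service is exposed only with
# -Name DNS (ValidateSet), so an operator cannot bounce any other service, and
# no cmdlet that runs arbitrary code (Invoke-Expression, Start-Process, ...) is
# visible at all.
New-PSRoleCapabilityFile -Path "$Module\RoleCapabilities\DnsOperator.psrc" `
    -VisibleCmdlets @(
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } },
        'Get-Service', 'Get-DnsServerZone', 'Get-DnsServerResourceRecord'
    ) `
    -VisibleFunctions 'Clear-DnsOpsCache' `
    -FunctionDefinitions @{
        Name        = 'Clear-DnsOpsCache'
        ScriptBlock = { Clear-DnsServerCache -Force }   # wrapped so -Force is not a choice
    }

# Session configuration.  -RunAsVirtualAccount: the work runs as a temporary
# local admin that exists only for the session, so operators never hold (or can
# steal) a standing admin credential.  Transcripts give the audit trail.
$pssc = "$Module\DnsOps.pssc"
New-PSSessionConfigurationFile -Path $pssc -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'RELECLOUD\DnsOperators' = @{ RoleCapabilities = 'DnsOperator' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Invalid session configuration file: $pssc"
}
Register-PSSessionConfiguration -Name 'DnsOps' -Path $pssc -Force | Out-Null

# What an operator gets (from their workstation):
#   Enter-PSSession -ComputerName dns01 -ConfigurationName DnsOps
#   Get-Command                     # only the allow-listed commands
#   Restart-Service -Name DNS       # allowed
#   Restart-Service -Name Spooler   # rejected: 'Spooler' is not in the ValidateSet
```

The operator's own account stays unprivileged on the box; the privilege lives in the endpoint and is scoped by the role capability, which is the "limit admin privileges" item under Isolate on slide 58 expressed as configuration rather than policy.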