Small-footprint Nano Server
Think of Nano as the even smaller footprint successor to Server Core, which was the solution to a problem no one knew they even had. Today, Nano Server can “solve” a lot of problems people know they have, and perform tasks that many of us need, such as hosting virtual machines, working as a DNS or IIS web server, or running container-deployed apps. Nano has a much smaller footprint, so it uses even fewer resources than Server Core did and can boot much faster than either Core or a full GUI-based Windows can. Microsoft claims that Nano Server will have a 93% smaller VHD size, 92% fewer critical bulletins and 80% fewer required reboots.
Nano is ideal for compute-heavy tasks, or for dedicated purposes such as the aforementioned DNS, IIS, or F&P. It runs only 64-bit code and has no local login, but can be easily managed remotely using WMI and PowerShell. Think of Nano as the way to go when deploying purpose-built systems to support specific tasks, or to provide services to remote locations where you have minimal hardware and even less staff. Nano can run well on both physical hardware and as a guest VM.
Incidentally, there’s a new set of Sysinternals tools for Nano Server. You can download them from the TechNet page for the Sysinternals suite at https://technet.microsoft.com/en-us/sysinternals/bb842062. Since Nano has no GUI, not all the tools will be there, but several of them will work on other systems when run against a Nano server.
Docker containers running on Windows
If you are unfamiliar with Docker, it’s a software containerization platform that makes it easier to deploy the apps and environments you develop. That means that if you have developed an application that has dependencies, you can use Docker to wrap your app with everything it needs to run. Your code, runtimes, tools, libraries, or anything else that your application needs to find on the running operating system in order to work can all be included in the container.
So instead of your customer spending hours just installing prerequisites, they can instead install your Docker based application and start running it. Better yet, Docker runs on both Linux and Windows, ensuring portability of your applications. And since the container is isolated from other applications and the operating system, your applications can run more securely and be less vulnerable to malicious code.
Docker isn’t for everyone, as it’s a way to wrap an application, as opposed to a virtual machine. But if you are in the habit of installing VMs just to support applications, Docker is a way to get the same isolation as you could with VMs, while using much less of the physical resources of the host system.
Even more powerful Hyper-V
Hyper-V has some great new features included. Most of these have to do with either the setup or the maintenance of guest virtual machines. For starters, the integration services are no longer installed by mounting an ISO file as a DVD; they are deployed through Windows Update. But that is just the tip of the iceberg.
Several things that used to require you to shut down a guest before making changes can now be changed on the fly. While a VM is running, you can now add or remove network adapters, and change the amount of memory allocated (add or subtract) even if the VM was not originally set up for dynamic memory allocation.
VMs can now be granted discrete access to devices on the PCIe bus, such as disk controllers, providing for much faster performance. The number of virtual processors a guest can be allocated has increased to 128, and the total amount of memory is now over 4TB.
There’s even nested virtualization, so you can run Hyper-V on a VM that is a guest of a Hyper-V server, which is a guest on a Hyper-V server, which is a guest…you get the idea. I am not sure just how many levels of virtualization you could need or support, but I have seen a CTP4 running four layers with barely any noticeable lag on the final level guest.
There are also improvements to snapshots, the ability to resize even shared virtual disks without having to shut down the guests, and new shielded VMs that can be used to ensure that a guest VM is fully secure, even from the Hyper-V host’s administrators. The full list is worthy of its own blog post, so check out https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/what-s-new-in-hyper-v-on-windows if you want to see even more on this.
PowerShell 5 is here
Windows Server 2016 comes with the Windows Management Framework 5.1, and that includes the latest version of PowerShell. Leveraging the .NET Framework 4.6, PowerShell 5 comes with several new features, including new cmdlets for managing local users and groups, as well as a new Get-ComputerInfo cmdlet which can dump detailed information on the system.
The PS5 improvements include enforcement for using signed modules when loading modules from remote locations, support for containers, CAB files, and EXEs, and better debugging. At last update, the WMF 5.1 shipping with Server 2016 was still listed as a preview version, with 5.0 also included, but we expect it to change to full release after Windows Server 2016 reaches general availability, which was yesterday, on October 12th.
Server footprints get even smaller with Nano
The next evolution of Server Core, Nano Server, is an even more thinned-down version of Windows Server 2016. A Nano Server must be managed remotely and can only run 64-bit applications, but it can be optimized for minimum resources, requires far less patching, restarts very quickly, and can perform a number of specific tasks very well with minimal hardware.
Good uses for Nano Server include IIS, DNS, F&P, application servers, and compute nodes. So if you liked Server Core, you will love Nano; and if you never really understood Server Core, you should give Nano a chance, especially if patching and downtime are challenges in your 24×7 shop.
Improved server management with PowerShell 5.0
Windows Server 2016 comes with PowerShell 5.0, a part of the Windows Management Framework 5.0. There are many improvements in PS5 (you’ll find a complete list in this blog post), including support for developing your own classes, or a new module called PackageManagement, which lets you discover and install software packages on the Internet.
The Workflow debugger now supports command or tab completion, and you can debug nested workflow functions. To enter it in a running script you can now press Ctrl+Break, in both local and remote sessions, and also in a workflow script. And PS5 now runs in Nano server directly, so administration of this lightweight server platform is made even simpler.
Versatile container support for enhanced density
Windows Server 2016 offers two kinds of containers to improve process isolation, performance, security, and scalability. Windows Server Containers can be used to isolate applications with a dedicated process and a namespace, while Hyper-V Containers appear to be entire machines optimized for the application.
Windows Server Containers share a kernel with the host, while Hyper-V Containers have their own kernel, and both enable you to get more out of your physical hardware investments. On top of this, Microsoft announced that all Windows Server 2016 customers will get the Commercially Supported Docker Engine for no additional cost, enabling applications delivered through Docker containers to run on Windows Server on-premises installations or in the cloud, on Azure. Here’s an official announcement on the Docker blog, with many more details.
More secure identity management
WS2016 brings some huge improvements to Active Directory, security, and identity management, such as Privileged Access Management (PAM), which restricts privileged access within an existing Active Directory environment. In this model you have a bastion forest, sometimes called a red forest, where administrative accounts live and which can be heavily isolated to ensure it remains secure. Just-in-Time administration, privileged access request workflows, and improved auditing are all included, and best of all, you don’t have to replace all of your DCs to take advantage of this.
Simplified administrative work
“Just Enough Administration” is a new capability in Windows Server 2016 that enables administrators to delegate anything that can be managed through PowerShell. Do you have a developer who needs to be able to bounce services or restart app pools on a server, but not log on or make any other changes? With JEA you can give him or her exactly those abilities, and nothing more. Of course, you may have to write some PS1s to let them actually do that, but the point is that now you can.
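A minimal JEA endpoint for the scenario above, as an added example that is not code from the original article or from Microsoft: it builds a role capability file and a session configuration, then registers the endpoint. The group `CONTOSO\AppOps`, the user `CONTOSO\dev1`, the module name `AppOpsJEA`, the paths, and the service and app pool names are all assumptions.

```powershell
# Added example. Run elevated on the server being delegated.
# All names below (module, group, user, services, app pool, paths) are assumed.
$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\AppOpsJEA'
$jeaDir = Join-Path $env:ProgramData 'JEAConfiguration'
New-Item -ItemType Directory -Force -Path "$module\RoleCapabilities",
    "$jeaDir\Transcripts" | Out-Null

# Role capability files are discovered inside a valid module on PSModulePath.
New-Item -ItemType File -Force -Path "$module\AppOpsJEA.psm1" | Out-Null
New-ModuleManifest -Path "$module\AppOpsJEA.psd1" -RootModule 'AppOpsJEA.psm1'

# Role: only these cmdlets are visible, and -Name accepts only listed values.
New-PSRoleCapabilityFile -Path "$module\RoleCapabilities\AppOps.psrc" `
    -ModulesToImport 'WebAdministration' `
    -VisibleCmdlets @(
        @{ Name       = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'W3SVC', 'Spooler' } },
        @{ Name       = 'Restart-WebAppPool'
           Parameters = @{ Name = 'Name'; ValidateSet = 'DefaultAppPool' } }
    )

# Session: restricted language and command set, commands run as a temporary
# virtual account rather than the caller, and every session is transcribed.
$pssc = Join-Path $jeaDir 'AppOps.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory "$jeaDir\Transcripts" `
    -RoleDefinitions @{ 'CONTOSO\AppOps' = @{ RoleCapabilities = 'AppOps' } }

# Validate the file, then publish the endpoint (this restarts WinRM).
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Invalid session configuration: $pssc"
}
Register-PSSessionConfiguration -Name 'AppOps' -Path $pssc -Force

# Audit: list exactly what a given user can run through this endpoint.
Get-PSSessionCapability -ConfigurationName 'AppOps' -Username 'CONTOSO\dev1' |
    Select-Object Name, CommandType
```

A member of the assumed group then connects with `Enter-PSSession -ComputerName <server> -ConfigurationName AppOps` and needs no local administrator rights or interactive logon on the server.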
Improved HA remote desktop management
Customers who want to set up highly-available RDS environments, but not go to the trouble and expense of setting up HA SQL, can now use an Azure SQL DB for their Remote Desktop Connection Broker, making it both easier and less expensive to set up a resilient virtual desktop environment.
The RD Connection Broker can now handle massively concurrent connection situations, commonly known as the “log on storm”, and it has been tested to handle more than 10k concurrent connection requests without failures.
Software-defined storage for easier management
Software-defined storage enables you to create HA data storage infrastructures that can easily scale out, without breaking the bank. With software-defined storage, even SMBs can start to take advantage of high availability storage within their existing budgets.
Three new features take center stage: Storage Spaces Direct enables you to combine commodity hardware with availability software, providing performance for virtual machines; Storage Replica replicates data at the volume level in either synchronous or asynchronous modes; and Storage QoS guards against poor performance in a multitenant environment.
Time slips into more accuracy
If you have set up an NTP server on your network, or subscribed to NTP services from an NTP pool, you know how important accurate time can be. Typically, Windows environments were less worried about accurate time, and more concerned with a consensus of time, with a five-minute drift being acceptable.
Now in Windows Server 2016, the new time service can support up to a 1ms accuracy, which should be enough to meet almost all needs – if you need more accuracy than that, you probably own your own atomic clock.
Connection flexibility with software-defined networking
Immensely valuable in a virtualization environment, software-defined networking enables administrators to set up networking in their Hyper-V environment similar to what they can in Azure, including virtual LANs, routing, software firewalls, and more.
You can also do virtual routing and mirroring, so you can enable security devices to view traffic without expensive taps.
There are so many security improvements in Windows Server 2016 that we could do an entire post just on that, which, as a matter of fact, we will in the coming weeks. For now, be aware that WS2016 includes improvements to protect user credentials with Credential Guard and Remote Credential Guard, and to protect the operating system with Code Integrity, with a whole host of improvements with virtual machines, new antimalware capabilities in Windows Defender, and much more.