It came from Redmond: Windows Server 2016 could rattle the competition

A couple of decades ago, Microsoft was the kaiju of network computing. First came MS-DOS, and Windows soon followed. Each simply took over business desktops. Before Novell knew what hit it, Windows was then infused with the DNA of OS/2 and became Windows NT and in turn NT Server. Novell had dominated the early PC networking market, but by the end of the 1990s the company was a shadow of its former self.

Like a special breed of kaiju, Microsoft’s server platform keeps on mutating, incorporating the DNA of its competitors in sometimes strange ways. All the while, Microsoft’s offering has constantly grown in its scope, creating variants of itself in the process. Godzilla often retreats, battered after battle, to regenerate, and the monster has spawned multiple variants (Roland Emmerich’s ‘Zilla is the Microsoft Bob of Godzillas, right?). Windows Server has done the same, coming back again and again to disrupt another server market with a snap of its 80-percent-functionality-for-20-percent-of-cost teeth.

In 2016, it’s happening again. Microsoft Windows Server 2016 picks up where its predecessor (Server 2012 R2) left off three years ago. The last release of Server strove to elevate the status of Microsoft’s server platform. It went from being an also-ran in the movement from on-premises servers to an increasingly virtualized, cloud-based enterprise to being integral to business cloud computing itself. With four different versions (Essentials, Hyper-V Server, Standard, and Datacenter), three different deployment schemes (“Desktop experience,” Core, and Nano), and an ever-expanding collection of optional features, Server 2016 wants to be everything for everyone. It’s a heavyweight virtualization hypervisor! It’s a lithe cloud application container! It’s a high performance storage platform! It’s a hardened security platform!

Though, just as our favorite giant monsters are continually misunderstood by the masses, Windows Server 2016 is not likely to be universally embraced. In many ways Server 2016 is late to the party started by other data center kaiju—Linux has offered container virtualization for years, and VMware already offers virtual storage area networking.

But Server 2016’s take on each of its roles is fairly solid and (relatively) easy to use compared to the alternatives—especially if you’ve already got PowerShell veterans around. Thanks to the battle scars Microsoft took in using Server for its own Azure cloud service, Server 2016 now challenges or exceeds the capabilities of its primary virtualization rivals. In other words, it’s good enough to do most of what people are doing right now at Windows prices. Server 2016 is not going to quickly dislodge any incumbent vendors from existing data centers, but it will give people with a somewhat smaller budget the sort of capabilities that used to cost a whole lot more.

One programming note

There’s no way to fully explore Server 2016 in a single article, so this is not intended as a full review of the platform. Rather, this serves as an extended first look based on technical preview releases. And because Server 2016 builds so heavily on the big shift made by its two most recent predecessors, Server 2012 and Server 2012 R2, I’m not going to dwell on the cosmetics and basic features of the platform. Based on the early look I had, there have been no significant changes in the graphical user interface of Server other than a little Windows 10 desktop remodeling.

Instead, my focus centers on the significant changes under the hood and some of the most important enhancements to existing features. With this goal in mind, I performed two sets of evaluations. The first was in a virtualized lab running on Azure and set up by Microsoft (recognizable in screenshots by the Contoso domain name) to get some familiarity with key new features. The second evaluation was more free-form on my own lab server farm, in which I set up an on-premises network for the fictional Monster Island Incorporated (where all the admins are kaiju) to get a better feel for the overall evolution of the platform and how well it plays with others. In the on-premises test, I ran a mix of Server 2016 hosts across physical and virtualized systems.

There are some aspects of the OS that I could not fully test in time for this review, either because of a lack of support for them in the Technical Preview 5 version of Server 2016 that I used for our first look or because I didn’t have enough time and budget to scale up to a size where the features made sense (as with some of the new software-defined networking features). Ars will be evaluating those features once we have the final release in hand and can properly put it through its paces—both on premises and in the cloud.

Scaling up the beast

To fully enjoy the capabilities of Server 2016—that is, with all the many new things that depend on Microsoft’s latest Hyper-V hypervisor code—you will need a server with an Intel or AMD processor compatible with the x64 instruction set. It must also include support for Second Level Address Translation virtualization (EPT on Intel and Nested Paging Tables on AMD). And while it’s possible to run Server 2016 in its most minimal, GUI-less forms in 512 megabytes of RAM, you’ll need at least 2 gigabytes to boot up the “Desktop Experience.” Additionally, you’ll need a minimum of 32 gigabytes of disk on a SATA or SCSI controller to boot a physical server, plus at least one PCI Express gigabit Ethernet adapter.

Older systems will still run Server 2016 adequately without virtualization. To check, I ran it briefly on Monster Island’s “legacy” Dell PowerEdge 2950, the evil twin of the machine that was Hillary Clinton’s basement e-mail server. But for those looking to scale up, Windows Server 2016 is much beefier than its predecessors (something we didn’t have the hardware budget to test):

                                           Windows Server 2012/2012 R2        Windows Server 2016
                                           Standard and Datacenter            Standard and Datacenter
Physical (host) memory support             Up to 4TB per physical server      Up to 24TB per physical server
Physical (host) logical processor support  Up to 320                          Up to 512

Server Essentials

In nearly all of its forms, Server 2016 follows its predecessors by being ready, willing, and able to plug into Microsoft’s cloud when on premises or hosted elsewhere. That starts with Server Essentials, the small business-focused version of the operating system for networks with 25 or fewer users and a maximum of 50 connected devices.

The Server Essentials “experience” has changed little since it was introduced in the 2012 release. It includes a Remote Desktop Protocol “app” for administrative access to its dashboard and quick integration wizards for a number of Microsoft cloud services:

  • Azure Active Directory Services, a single sign-on extension of local Active Directory domains for integrating with software-as-a-service offerings.
  • The Office 365 collaboration service.
  • Intune mobile device management.
  • Azure Virtual Networks, a way to add Azure cloud server instances to the local network over virtual private tunnels.
  • Azure Recovery backup and disaster recovery service.

For the old-school types, there’s an integration wizard for connecting to an Exchange Server on premises. There’s also the remote access and VPN capability that we explored in the Server 2012 release. And for server stability purposes, you can run Server Essentials within Hyper-V using an installation without the “Essentials Experience” feature as the physical server. Just know you’ll still need to use a (free) Hyper-V hypervisor server if you want to virtualize anything else or set up failover clustering of your Essentials services.

Every other version of Server 2016 can now run the Essentials experience without downgrading its Active Directory licensing. This means you can essentially (so to speak) scale up Essentials to meet your needs while still getting the same plug-and-play integration with Azure cloud services and the same RDP-based remote administration tool, which doesn’t require the full-blown remote administration tools or a System Center 2016 license.

But sorry, there’s no pastel-shaded, user-friendly “wizards” for the best features of the new Server 2016 platform—or, at least most of them. To really get the most of these, you’ll need to leave the warm, fuzzy comfort zone of the Dashboard and dig into PowerShell, group policy settings, and other lower reaches of the Windows Server infrastructure. That’s especially true of the newest member of the Windows Server family, Nano.

Windows Nano Server

Nano Server is the latest evolution of the slimmed-down Windows Server, primed for both containerized cloud deployment and hands-off on-premises services. It’s not so much a separate product per se; think of it as a deployment option. It’s similar to the “Core” server configuration introduced in Server 2012, a version with most of the UI chrome removed except for a single console window. Nano takes Core to its logical conclusion and throws everything non-essential to a server instance overboard to lower its weight. That includes 32-bit application support, support for the .MSI installer format, and all of the UI except for a bare-bones text-menu configuration console.

There are two major upsides to losing all that ballast. For one, there’s a fraction of the potential attack surface available to hack into Nano. The reduced footprint means you can deploy the minimum of what you need to support a specific service or application in a relatively tiny virtual or even physical footprint—saving disk and memory for actual storage and compute needs. And because Nano server images are entirely created by PowerShell commands, you can easily automate the creation and deployment of new servers.

But that minimalist UI can be a dealbreaker for many. All you can really do from the console on a Nano server is fix its network and firewall settings. Everything else requires PowerShell or pushing over software packages and unattended execution instructions in an XML file via a file share (so don’t forget to include the file services module). Much of this process, again, can be automated by scripts and System Center 2016 or other tools, but don’t come expecting a Nano server “wizard” tool to hold your hand through it. And if you’re planning on pushing a Nano server to vSphere or another virtualization platform, that’s going to require a bit more gymnastics with virtual machine and virtual disk conversion tools, as the scripts only create .VHD and .VHDX virtual disk outputs. An attempt to convert a Nano disk image to a vSphere instance did not go very well in my initial testing.

Server 2016 security upgrades

Nano’s reduced attack surface is just the beginning of the security enhancements in Server 2016. There are a number of new ways to help protect against attackers using stolen credentials to gain wider access to server infrastructure—something that has been demonstrated in the real world far too often. There are also new features, called Guarded Hosts and Shielded Virtual Machines, that prevent someone who gains access to a server itself from getting into the virtual machines running on it.

Microsoft rolled out a feature called “Just Enough Administration” (JEA) as part of Windows Management Framework 5.0 earlier this year. JEA uses more finely tuned access controls to grant permission to run specific administrative tasks to individuals. Instead of having to grant someone a broader administrative “role” in Active Directory, JEA grants access to specific tasks through a PowerShell configuration profile.

This could allow a member of a DevOps team, for example, to diagnose issues with a server instance using a specific set of PowerShell “cmdlets” without giving them full administrative access to the server. As a result, you can significantly trim down the number of full administrative accounts and reduce the possibility of someone’s credentials being snatched and reused to do harm.
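What such a JEA endpoint looks like in practice, as an added example that is not from the article: a role capability file whitelists a handful of cmdlets (with Restart-Service pinned to one service), a session configuration maps an AD group to that role and runs it under a throwaway virtual account, and the endpoint is registered on the server. The group name CONTOSO\DevOps, the module name DevOpsDiag and the Spooler service are assumed for illustration.

```powershell
# Added example (not the article's or Microsoft's code). Assumed names:
# AD group CONTOSO\DevOps, module DevOpsDiag, service Spooler, server01.
# Run as an administrator on the Server 2016 host being delegated.

# 1. A role capability file must live in a RoleCapabilities folder of a
#    module on $env:PSModulePath, so create a minimal module to hold it.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DevOpsDiag'
New-Item -Path (Join-Path $modulePath 'RoleCapabilities') -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'DevOpsDiag.psd1')

# 2. The role capability: only these cmdlets are visible inside the session.
#    Restart-Service is allowed, but its -Name parameter may only be 'Spooler',
#    so the delegated user cannot bounce arbitrary services.
New-PSRoleCapabilityFile -Path (Join-Path $modulePath 'RoleCapabilities\DevOpsDiag.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        'Get-Process',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
        @{ Name = 'Get-WinEvent';    Parameters = @{ Name = 'LogName' }, @{ Name = 'MaxEvents' } }
    )

# 3. The session configuration: a restricted remoting session that runs as a
#    temporary virtual account (local admin on this host only, no domain
#    credential to steal), records a transcript of everything typed, and maps
#    the DevOps group to the role defined above.
$transcripts = 'C:\JEATranscripts'
New-Item -Path $transcripts -ItemType Directory -Force | Out-Null
$pssc = Join-Path $env:TEMP 'DevOpsDiag.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{ 'CONTOSO\DevOps' = @{ RoleCapabilities = 'DevOpsDiag' } }

# 4. Register the endpoint (this restarts the WinRM service).
Register-PSSessionConfiguration -Name DevOpsDiag -Path $pssc -Force

# 5. A DevOps member connects to the named endpoint rather than the default one.
#    Inside the session, Get-Command shows only the whitelisted cmdlets, and
#    the user holds no administrative rights anywhere else.
#    Enter-PSSession -ComputerName server01 -ConfigurationName DevOpsDiag
```

The transcript directory and the 4104/JEA event log entries give you a per-session audit trail of what the delegated account actually ran, which is the detection side of trimming full-admin accounts.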

JEA is in addition to the “Just in Time Admin” capability introduced to Server 2012 R2, which allows for the creation of time-based administrative rights granted through a workflow for a specific task. Server 2016 also picks up Credential Guard, the technology originally deployed with Windows 10 Enterprise. It’s a virtualization-based security feature leveraging Hyper-V that partitions credential management from the rest of the operating system to help guard against credential theft.

Hardening is also available for Server 2016 on physical and virtual machines. Device Guard, also introduced in Windows 10 Enterprise, uses Hyper-V running in a layer below the operating system as a buffer between the OS and the hardware. A set of policies configurable through the Windows group policy editor can be used to add code integrity checks on both kernel-level and user-level software, too. That’s enforced by the hypervisor layer, allowing only trusted code to execute on the system right down to the boot loader. Device Guard’s Code Integrity policy setting can also be set to allow applications that would normally be blocked to run in an “audit mode,” which creates an event log detailing their activities.
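The audit-mode workflow just described, as an added example that is not from the article: build a code integrity policy from a known-good reference machine, flag it as audit-only so unapproved binaries are logged instead of blocked, convert it to the binary form the policy engine loads, and then read back the would-have-been-blocked events. The working directory C:\CIPolicy is assumed.

```powershell
# Added example (not the article's or Microsoft's code). Assumes a clean
# reference build of Server 2016 and a working directory of C:\CIPolicy.
# Run as an administrator; the scan of C:\ takes a while.

$work = 'C:\CIPolicy'
New-Item -Path $work -ItemType Directory -Force | Out-Null
$xml = Join-Path $work 'AuditPolicy.xml'

# Scan the installed software and allow binaries by signing publisher.
# -UserPEs covers user-mode executables as well as kernel drivers;
# -Fallback Hash pins any unsigned file to its hash instead of skipping it.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $xml -UserPEs -ScanPath 'C:\'

# Rule option 3 is "Enabled:Audit Mode": violations are written to the
# CodeIntegrity event log but execution is not prevented.
Set-RuleOption -FilePath $xml -Option 3

# Convert the XML rules into the signed-policy binary format. Deploying it is
# done by pointing the "Deploy Code Integrity Policy" setting under
# Computer Configuration > Administrative Templates > System > Device Guard
# at this file (or copying it to the default SIPolicy.p7b location) and rebooting.
$bin = Join-Path $work 'SIPolicy.p7b'
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin

# After the server has run its normal workload for a while, list what the
# policy would have blocked. Event ID 3076 is the audit-mode entry; 3077 is
# the enforced-mode block you would see after switching the option off.
function Get-CIAuditHits {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
}
Get-CIAuditHits
```

Anything that shows up in the 3076 list is either software that needs a rule added to the policy or something that should not have been running; only once that list is clean does it make sense to remove option 3 and enforce.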

The Host Guardian Service, a server “role” for machines hosting Hyper-V guests, provides another level of protection. It essentially acts as a software-based Trusted Platform Module (TPM) for “Shielded” virtual machines. Once you’ve created shielded VMs on a guarded host, their BitLocker-encrypted virtual disks can’t be mounted or read by anyone with access to the server they’re hosted on.

Of course, this sort of hardening is only required for VMs because they’re running on a general-purpose operating system, and you can encrypt the virtual disks of VMs running on vSphere already with its “virtual SAN” feature. But these capabilities at least bring Server 2016 and Hyper-V into a sort of security parity with VMware.

Scaling up Hyper-V

As long as we’re talking about the “v” word, this is as good a time as any to talk about the major and minor changes Microsoft has made to virtualization on Windows Server—both in terms of “traditional” virtual machines and with the introduction of application containers in Server 2016. Virtualization has become the focal point of a trend in data storage called “hyperconverged storage,” a trend that’s likely making some salespeople at certain storage area networking vendors cry in their cocktails.

Hyper-V’s strongest selling point has always been its relative ease-of-use for small deployments of virtual machines compared to platforms like VMware’s. That advantage has declined considerably over the past few years, as vSphere has offered better and simpler management tools for small deployments. vSphere 6’s Web-based management, when combined with the latest VMware Remote Console, is nearly on par with Hyper-V Manager in terms of simplicity of use (although, in my experience, it’s still prone to crashing).

VMware has likewise used vSphere / ESXi’s relatively thin profile—and the fact that it doesn’t require a Windows Server license—as a dig against Hyper-V. With Hyper-V available in a free version since Server 2012 and with the extra-thin provisioning possible for Hyper-V through the Nano server deployment scheme, it’s a bit of a wash. The Windows Server license issue is a bit of a strawman if you’re going to be running Windows Server for file and compute services anyway.

The Hyper-V platform has come a long way since its introduction with Server 2008. Back then, VMware was king (and it still is, by most counts, at least in terms of licenses deployed outside Microsoft), and Hyper-V was a clunky, heavy first swing at bringing virtualization to Microsoft’s platform. With the latest release, Hyper-V has caught up with VMware’s vSphere in many ways and actually surpassed it in some others.

[Source: Ars Technica]

Saheli