• Technical Community event, designed to bring IT leaders
in the local area together for deep discussions
• An opportunity to network and share with local
Microsoft Services Professionals and other IT
• A Microsoft Services presenter delivers a technically-rich
• These communities now collectively have over 1100
members that have joined one of the local meetup
• We are constantly expanding to a region near you, your
friends / colleagues…
MTT So-Cal
MTT Charlotte
MTT Tempe
MTT Nor-Cal
MTT Pac West
MTT Las Vegas
MTT Detroit
So-Cal Area Microsoft Events
So-Cal Azure
User Group
LOCATION: San Diego, Irvine, Playa Vista
Orange County SharePoint
User Group (OCSPUG)
LOCATION: Newport Beach
San Diego SharePoint
User Group (SDSPUG)
Microsoft Tech Talks
So-Cal System Center
User Group
Los Angeles Skype For Business
User Group
San Diego SQL Server
User Group
San Diego .NET
User Group
LOCATION: San Diego, Irvine, Playa Vista
LOCATION: San Diego, Irvine
LOCATION: Playa Vista, Irvine
Platform Vision
Identity and Access
Appendix: Hardware Terminology
Free e-book from MS Press: Introducing Windows Server 2016
Ten reasons you’ll love Windows Server 2016 Video Series
PowerShell and DSC
Active Directory and Identity
Server management tools
Remote Desktop Services
Software defined storage
Software-defined compute
Software-defined networking
Nano Server
MSDN Channel 9 - All Windows Server 2016
MS Virtual Academy - All Windows Server Courses
TechNet Landing Page: Windows Server 2016
Launch Dates
Licensing Model
Installation Options
Supported Upgrade Paths
Windows Server 2016 Launch Dates
Technical Preview: October 2014 through October 2016
Release to Market (RTM): September 26th 2016 at Ignite
General Release (GA) and VLSC: October 12th 2016
First Monthly cumulative update: October 2016
Licensing Model Transformation
Customers run workloads on-premises and in the cloud
• Windows Server 2012 R2 licensing is processor-based
• Azure licensing is core-based
Windows Server 2016 aligned to enable consistency
• Core-based licensing model
• Offers consistent approach across environments
• Enable multi-cloud scenarios
• Improves workload portability
Pricing and Licensing for Windows Server 2016
Editions of Windows Server 2016
Datacenter (unlimited VM and Hyper-V containers)
• Shielded Virtual Machines, software-defined networking,
• Storage Spaces Direct and Storage Replica
Standard (2 VMs or Hyper-V containers)
Essentials (up to 25 users and 50 devices)
MultiPoint Premium (academic licensing)
Storage Server (dedicated OEM storage solutions)
Hyper-V Server (free)
Pricing and Licensing for Windows Server 2016
Deployment Options
Desktop Experience with Full GUI
Server Core
Nano Server (Cannot be installed)
Windows Container (Isolation environment)
enough OS
Server Core
Lower maintenance server
Desktop Experience
Full GUI
Long Term Servicing Branch (LTSB) Cadence
Current Branch for Business (CBB) Cadence
For Nano Server (Move at the speed of the Cloud)
There are always two supported Current Branch for Business releases at any given time:
CBB & CBB-1.
Monthly security and quality updates not available for CBB-2
Supported Upgrade Paths
Cluster OS Rolling Upgrade
License Conversion (Windows Server 2016 Standard to Datacenter)
Recommendations for moving to Windows Server 2016
Windows Server Installation and Upgrade
Upgrade and conversion options
Server role upgrade and migration matrix
Platform Vision driven by Executive Feedback, such as
• Our Internal IT is hard working, however always behind. Cannot support new
development in a timely manner.
• We need to leverage our on-premise data center but also take advantage of the cloud
• IT spent years virtualizing which provided benefits, however developers need new
micro-services that are available with PaaS in Cloud. I need this on-premise.
• How do we prevent becoming the next company that is hacked? Security…
Focus - Hybrid Data Center
Most customers now have a mixed On-Premise and Cloud environment
Traditional Data Center with file, web, db servers… (limited agility, scales up slowly)
On-premise private clouds (medium agility, scales up faster)
Cloud services from a host or public cloud provider such as Azure, Amazon or Google (high agility and
scales up fast)
And are moving toward a Hybrid Cloud environment
A hybrid cloud consists of both on-premise and cloud resources that can be easily moved
• And, that are managed as one…
NIST Definition of Cloud Computing
Azure Stack - Power to control the Datacenter
Cloud-inspired infrastructure
[powered by Windows Server, System
Center, and Azure technologies]
On-premise Datacenter
Cloud infrastructure
PowerShell 5.1 (including updates to DSC - Desired State Configuration )
Server Management Tools hosted in Azure
Console Host Update
Azure Stack
Operations Management Suite
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, improve control and
management of Windows.
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Server Management Tools
hosted in Azure
Can be used to manage on-premises infrastructure alongside
Azure resources from anywhere.
Gateway server acts as a proxy between the Azure portal and on-premises resources
• View and change system configuration
• View performance across various resources and manage
processes and services
• Manage devices attached to the server.
• View event logs
• View the list of installed roles and features
• Use a PowerShell console to manage and automate
Introducing Server Management Tools
Deploy and Setup Server Management Tools
Console Host Improvements
(i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%).
Use "click-and-drag" selection outside of Quick Edit mode
Control new features through the registry HKCU\Console
What’s New in the Console
Azure Stack Key Features
Azure Stack for managing Hybrid environment
In Technical Preview since January 2016 (TP2 released in October 2016)
Operations Management Suite (OMS)
Operations Management Suite – separate product in the Cloud which can monitor both
on-premise and Azure cloud environments. Can connect to SCOM management group.
MS Cloud: OMS
IT Management
Failover Clustering
Nano Server
Windows Containers
Remote Desktop Services
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica
(discussed in Storage section). Note: networking speed is critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies results in increased availability
• Cluster infrastructure switched over using Certificates
Member Servers
Domain A
Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Nano Server
Supported for use as Cluster Nodes
Includes only essential Cluster
• IPv6 Address
• Storage Pool
• Task Scheduler
• Virtual Machine
• Virtual Machine Configuration
Not Present
• File Server
• Distributed File System
• IPv6 Tunnel Address
• Microsoft iSNS
• DHCP Service
• Disjoint IPv4 Address
• Disjoint IPv6 Address
• DFS Replicated Folder
• Distributed Transaction Coordinator
• NatProvider Address
• WINS Service
• iSCSI Target Server
Increased Scalability and Performance
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Increased Scalability
Increased Performance
Discrete device assignment of some PCIe hardware devices to VM
Host Resource Protection on host from VM activity
Hot add or remove of NICs on Generation 2 VMs
Hot add or remove of memory on Generation 2 VMs
RDMA support for NICs bound to Hyper-V virtual switch independent of Switch Embedded Teaming (SET)
Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
Storage QoS policies (CSV or SOFS)
Host Resource Protection
Hot add and remove for network adapters and memory
RDMA support with switch embedded teaming
Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network, firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the .VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows to nest VM collections
Create with PowerShell New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Production Checkpoints
“Point in time” images of a VM
Backup technology inside the guest is used to create the checkpoint, instead of using saved states
Connected Standby Compatibility
With the Always On/Always Connected (AOAC) power model, the Connected Standby power state is now available
Support for Linux
Secure Boot Support
Hot add and remove of network adapters
Hyper-V Socket support
• Production Checkpoints
• Connected Standby
• Linux Support
Diagnostic Improvements
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging
Improved Validation times for both Storage and non-Storage tests
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual Machines
Supported for Virtualization Based Security features
Hyper-V Development environments
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to a node in the same site; Storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when a node becomes isolated; resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in “Quarantined” state
Storage Resiliency
On storage failure, the tenant VM session state is preserved. The VM is moved to the “PausedCritical” state
as it waits for the storage to recover. On recovery the session state is restored
VM Compute
• Site Awareness
• Node Fairness
Role Support
Driver Support
Application Installation Support
Anti-Malware, Patching and Feature Releases
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Headless, 64-bit only and Managed Remotely
Deploy without reboots (deployment to start: 1 to 5 mins)
Secure – fewer components, smaller attack surface
Stable – less patching, longer uptime; when in doubt, redeploy
Small – 180 MB WIM, 600 MB VHDX
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born in the cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django,
Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc.)
Role Support
Hyper-V, including container and shielded VM support
Datacenter Bridging
DNS Server
Desired State Configuration
Network Performance Diagnostics Service (NPDS)
System Center Virtual Machine Manager
Secure Startup
Scale out File Server, including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
** Roles are not included in the image; they are separate packages, to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers into an offline VHD from INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
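The three driver paths listed above, in the order the deck gives them, as one script. This is an added example, not code from the deck or from Microsoft's own documentation; the media drive D:\, the driver folder C:\Drivers, the INF file name, the working paths under C:\Nano* and the computer name NANO01 are placeholders assumed for the example.

```powershell
# Added example (not from the deck). Assumed: Windows Server 2016 media at D:\,
# vendor INF drivers under C:\Drivers, working folders under C:\Nano*. Run from
# an elevated PowerShell on a Windows 10 / Windows Server 2016 admin workstation.

# The image generator module ships on the installation media.
Import-Module 'D:\NanoServer\NanoServerImageGenerator\NanoServerImageGenerator.psd1'

# 1. Build-time injection: -DriverPath points at a folder of INF-based drivers;
#    everything found there (recursively) is injected into the new image.
New-NanoServerImage -DeploymentType Host -Edition Datacenter `
    -MediaPath 'D:\' -BasePath 'C:\NanoBase' `
    -TargetPath 'C:\NanoImages\nano01.vhdx' -ComputerName 'NANO01' `
    -DriverPath 'C:\Drivers' `
    -AdministratorPassword (Read-Host -AsSecureString 'Local Administrator password')

# 2. Offline injection into an existing VHDX with the DISM cmdlets: mount the
#    image, add the INF, verify it is listed, then commit (or discard on error).
$mount = 'C:\NanoMount'
New-Item -ItemType Directory -Path $mount -Force | Out-Null
Mount-WindowsImage -ImagePath 'C:\NanoImages\nano01.vhdx' -Index 1 -Path $mount
$committed = $false
try {
    # -ForceUnsigned is deliberately left off: unsigned kernel-mode code on a
    # headless host defeats the small-attack-surface point of Nano Server.
    Add-WindowsDriver -Path $mount -Driver 'C:\Drivers\nic\vendor-nic.inf'   # placeholder INF
    Get-WindowsDriver -Path $mount |
        Where-Object { $_.Driver -like 'oem*.inf' } |
        Select-Object Driver, OriginalFileName, ProviderName, Version
    $committed = $true
}
finally {
    if ($committed) { Dismount-WindowsImage -Path $mount -Save }
    else            { Dismount-WindowsImage -Path $mount -Discard }
}

# 3. Online installation on a running Nano Server uses pnputil from a remote
#    PowerShell session (Nano has no local GUI); copy the INF to the server first:
#    Invoke-Command -ComputerName NANO01 -ScriptBlock { pnputil.exe -i -a C:\Drivers\nic\vendor-nic.inf }
```

Step 2 reads the driver list back before committing so a driver that DISM silently rejected is noticed; a failed add discards the mount instead of saving a half-modified image.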
Application Installation
MSIs are not supported since they are built for local installs and may invoke a GUI or other non-headless-friendly features
Applications must be refactored to be compatible with Nano Server.
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes (win32ole, win32-dir)
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default. 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported. 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB-2. At CBB-3 updates
are not available. (Reference: Service Model Details for Windows Server 2016)
Upgrading to the next CBB requires recreating the image; it cannot be upgraded in place. Releases will be available on
the Volume License Center (VLSC).
Licensing Requires Software Assurance.
TechNet: Managing updates in Nano Server – Section Managing Updates
Domain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface, manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes a local interface with a simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom
• Create USB Key to detect
firmware and hardware
• Create bootable USB or ISO
for deployment
• Runs on Windows 8/8.1/10
• PowerShell script history
• Requires ADK
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server: Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Note: Be aware when reviewing articles that many of the parameters of New-NanoServerImage changed between each Technical Preview, RTM (9/26/16) and General
Release (10/11/16).
Windows Containers versus Hyper-V Containers
Supported Operating
“Hyper-V Container Host” Requirements
Docker Engine for Windows
Note about Active Directory
Learning Resources
Windows Containers
Windows containers provide operating system-level virtualization that allows multiple isolated applications to run on a single system
How do containers differ from virtual machines?
• Container: OS Virtualization where each
virtualized app includes the app itself, required
binaries and libraries, and a guest OS
• Virtual Machine: Machine virtualization where
each VM simulates the underlying physical
Containers Overview
Windows Containers versus Hyper-V Containers
Shared kernel architecture
Isolation provided through namespace and process
isolation technologies
Separate kernel architecture.
Isolation provided through Hyper-V
Each container is run inside of a utility VM
Supported Operating System for Container Host
Windows Containers and Hyper-V Containers are Supported on
• Windows Server 2016 Desktop Experience (Datacenter or Standard)
• Windows Server 2016 Server Core (Datacenter or Standard)
• Windows Server 2016 Nano Server
• Windows 10 Professional and Enterprise 1607+ (i.e. Anniversary Edition+)
Licensing Note:
• Windows Containers:
Unlimited on Standard or Datacenter
• Hyper-V containers:
(2) on Standard / (Unlimited) on Datacenter
• Check with MS Account team for other scenarios
Supported Operating System for Container images
Windows Server 2016 Server Core (Datacenter or Standard)
Windows Server 2016 Nano Server
For Windows Containers, the “Container Host” Build must match the “Container Image” Build
As of 10/31/16 currently 10.0.14393.351 –> KB3197954 Oct 2016 Cumulative Update
If Update installed on “Container Host”, then all “Container Images” on Host must be updated
Check MS Support: Windows 10 Update History to determine latest cumulative update
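A check for the host/image build rule stated above: it compares the container host's full OS version (major.minor.build.revision, where the revision is the part a monthly cumulative update such as the one cited above bumps) with the OsVersion recorded in every local Windows container image. This is an added example, not code from the deck or from Docker or Microsoft; it assumes Docker Engine for Windows is installed and `docker` is on PATH, and the function names are the example's own.

```powershell
# Added example (not from the deck). Reads the host's full version from the
# registry and compares it with the OsVersion of each local Windows image.
function Get-HostOsVersion {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # UBR is the revision number the monthly cumulative update changes.
    '{0}.{1}.{2}.{3}' -f $cv.CurrentMajorVersionNumber, $cv.CurrentMinorVersionNumber,
                          $cv.CurrentBuildNumber, $cv.UBR
}

function Test-ContainerImageBuild {
    $hostVersion = Get-HostOsVersion
    foreach ($id in (docker images -q | Sort-Object -Unique)) {
        # Linux images are not bound by this rule; only Windows images are checked.
        if ((docker inspect --format '{{.Os}}' $id) -ne 'windows') { continue }
        $imageVersion = docker inspect --format '{{.OsVersion}}' $id
        [pscustomobject]@{
            Image        = (docker inspect --format '{{join .RepoTags ","}}' $id)
            ImageVersion = $imageVersion
            HostVersion  = $hostVersion
            Match        = ($imageVersion -eq $hostVersion)
        }
    }
}

$report = Test-ContainerImageBuild
$report | Format-Table -AutoSize

# Anything that does not match must be re-pulled (or rebuilt on a current base
# image) before Windows Server containers from it are started on this host.
$stale = @($report | Where-Object { -not $_.Match })
if ($stale.Count -gt 0) {
    Write-Warning ('{0} image(s) do not match host build {1}; update them before use.' -f `
        $stale.Count, $report[0].HostVersion)
}
```

Run it after each cumulative update on the host: a non-zero warning count is the concrete form of the "all Container Images on Host must be updated" rule above.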
“Hyper-V Container Host” Requirements
Windows Server 2016 (core or desktop), Nano Server or Windows 10 Pro or Ent (Anniversary Edition)
Hyper-V Role Enabled
Hyper-V partition(s)
Additional Requirements if “Hyper-V
Container host” virtualized
Hyper-V Role enabled (i.e. Nested virtualization)
Minimum 4 GB RAM assigned (not dynamic)
Minimum 2 virtual processors assigned
TechNet: Hyper-V Containers
TechNet: System Requirements
Docker engine for Windows
While containers are new to Windows, Linux containers have been available since 2008
Docker Engine for Windows Server containers developed under the Docker open source project
docker run
docker images
Docker client uses the same standard Docker client and interface as Linux
Docker Hub is a collection of open and curated applications
Collaboration with Docker brings Windows Server containers to the Docker ecosystem
Docker Engine
Note about Active Directory
“Container Host” must be domain joined
Optional to join Container to domain with Emulated domain join
Group Policy cannot be applied to Containers (eliminates overhead)
Domain credentials are not stored in the container image (data at rest).
Emulated domain join (requires Windows Server 2012+ AD functional levels)
• Allows services in a container to run with group Managed Service Accounts (gMSA)
• Allows applications to use Windows Integrated Authentication
Create free Azure account
In Azure Portal create a Windows Server 2016 VM with the containers feature
Filter on “Container”, select “Windows Server 2016 with Containers..” and follow Wizard
MSDN: Container Images Quick Start
MSDN: Deploy Windows Containers
GitHub: Walk Through sample Music Store application with Windows Containers
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support, and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling
multiple VMs to share the same physical GPU for graphics acceleration
OpenGL 4.4 and OpenCL 1.1 API support
Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
Up to 4k resolution support
Windows Server 2016 VM support
Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance.
• Full graphics API Support (ex. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support. Multiple sessions can utilize the graphics card assigned to the
Graphics enhancements – Codec investments
Now implements full-screen AVC 444 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios (“log on storms”).
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required however SQL authentication is now supported
• Shared SQL/DB connections, making even smaller scale deployments more cost
RD Connection Broker Performance Improvements
Cloud Optimizations – Azure Active Directory and SQL
RDS can utilize Azure services to provide more cost effective solutions.
Azure AD Application Proxy enables secure remote access to applications. RD Gateway servers are still
required. Now they can be published to the Application Proxy service, instead of exposed to the public
internet. This reduces attack surface and enhances security.
Conditional access rules can be created to further define how users must authenticate (require multifactor authentication, require MFA only when users are not at work, block access when not at work).
Azure AD Domain Services provides managed domain services (domain join, group policy, LDAP,
Kerberos, etc.). A Remote Desktop Services environment using Domain Services eliminates the need to
deploy and manage domain controllers.
Azure SQL Database includes high availability, disaster recovery, and upgrade mechanisms. An RDS
environment using Azure SQL Database eliminates the need to deploy and manage VMs for SQL.
Use Azure SQL DB for RD Connection Broker
Multi-point Services Role
New server role
Enables low-cost per seat desktop computing
Allows multiple users, each with their own independent Windows experience, to simultaneously share one
The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
Enabling the MultiPoint Services role also installs the Remote Desktop Session Host role, which allows users to
connect remotely with devices of their choice by using Remote Desktop applications available on
Windows, Windows phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops (New collection type)
Support for Generation 2 virtual machines (Support for RemoteFX and OpenGL)
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Resilient File System (ReFS)
Now preferred for data volumes (requires UEFI and GPT)
Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
Data Deduplication
Integrated support for virtualized backup workloads and support for Nano Server
Major performance and scalability improvements (64TB volumes and 1TB files)
SMB 3.1.1
Pre-Authentication Integrity
Encryption Performance Improvements
Supports rolling cluster upgrades
SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Storage Replica
Volume level software replication between storage of any type
Storage QoS
Prevent noisy neighbors from impacting high priority workloads with a Storage QoS policy
Microsoft offers an industry leading portfolio for building on-premises clouds. We embrace your choice
of storage for your cloud – be it traditional SAN/NAS or the more cost-effective software-defined
storage solutions using Storage Spaces Direct and Storage Spaces with shared JBODs.
Storage Resiliency
Clustered Hyper-V Role
• Detects storage failures
• Takes action to mitigate impact
• VM resumes exactly where it left off
• Designed for short transient failures
• > 30 minutes, VM shutdown
[Diagram: VM is running; VM experiences failure writing to storage; VM placed in PausedCritical state; storage recovers; VM moves back to running state]
Storage Resiliency
Storage Innovation with Storage Space Direct
Software defined storage using standard servers with local storage
[Diagram: workload servers/clusters on x86 servers with SAS connectivity to industry-standard JBOD]
Storage Spaces Direct
Storage Spaces Direct
• Standard servers with local storage (SATA, PCIe, JBOD..)
• Fault tolerance to disk, enclosure, node failures
• Simple and fine grained expansion
Storage Replica
Volume level software replication between storage of any type
Workload agnostic
Synchronous replication
Used by Failover Clusters with Storage Spaces Direct
• Automatic cluster failover for low Recovery time
Azure Site Recovery Storage Replica also available
Storage Replica
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named
Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS
• Split-Brain DNS in Active Directory Environment Using
DNS Policies
• Response Rate Limiting in Windows DNS Server
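Two of the policy features listed above (Selective Recursion Control and Response Rate Limiting) configured in a defensive order on a Windows Server 2016 DNS server. This is an added example, not code from the deck or from the TechNet articles it links; the subnet 10.0.0.0/8 and the scope, subnet and policy names are assumptions for the example.

```powershell
# Added example (not from the deck).
#  1. Selective recursion control: recursion only for an assumed internal
#     subnet; every other client gets answers only from zones hosted here, so
#     the server cannot be used as an open resolver.
#  2. Response Rate Limiting in LogOnly mode first, so would-be drops appear in
#     the DNS server analytic/audit log before any response is withheld.
# Run elevated on the DNS server.
Import-Module DnsServer

# The default recursion scope '.' applies when no policy matches: recursion off there.
Set-DnsServerRecursionScope -Name '.' -EnableRecursion $false

# A second scope that does recurse, and a client-subnet object to key the policy on.
Add-DnsServerRecursionScope -Name 'InternalRecursion' -EnableRecursion $true
Add-DnsServerClientSubnet   -Name 'CorpNet' -IPv4Subnet '10.0.0.0/8'   # assumed internal range

# Policy: queries from CorpNet are resolved in the recursing scope; all others
# fall through to '.' and receive authoritative answers only.
Add-DnsServerQueryResolutionPolicy -Name 'RecurseOnlyForCorpNet' -Action ALLOW `
    -ApplyOnRecursion -RecursionScope 'InternalRecursion' -ClientSubnet 'EQ,CorpNet'

# RRL: observe first. Change -Mode to Enable once the logged volume looks right.
Set-DnsServerResponseRateLimiting -Mode LogOnly -ResponsesPerSec 5 -ErrorsPerSec 5 `
    -WindowInSec 5 -Force

# Show what is now in effect.
Get-DnsServerRecursionScope        | Format-Table Name, EnableRecursion
Get-DnsServerQueryResolutionPolicy | Format-Table Name, ProcessingOrder, IsEnabled, Action
Get-DnsServerResponseRateLimiting  | Format-List Mode, ResponsesPerSec, ErrorsPerSec, WindowInSec
```

The order matters: disabling recursion on the default scope before adding the allow policy means there is no window in which the server recurses for everyone.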
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2, but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP Policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event id 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for
DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require an LBFO NIC team to converge NICs; there is no team name.
Groups between one and eight physical Ethernet network adapters into one or more software-based virtual
network adapters
Supports RDMA, which NIC teaming does not.
• All team members must be identical make/model/driver/features
• No Active/Passive teaming
• No 32-port teams (unlike NIC Teaming (LBFO))
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE
(Network Virtualization using Generic Routing encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch,
including any forwarding extensions installed
What’s New in Networking
Software Defined Networking Overview
Data plane based on Azure
High-throughput, low-latency packet processing [up to 40G]
SDN infrastructure
Network controller based on Azure
Switch Embedded Teaming (SET)
OVSDB support
Port Mirroring
Network function
Hybrid datacenter
Software Load balancer that is proven in Azure
Azure ExpressRoute
Network Address Translation Capability
Multi-tenant gateways
RAS Gateway
Distributed firewall
User Defined Routing
Custom service chaining, including Linux appliances
What’s New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
New Focus
Protect the Operating System
Protect Credentials
Protect Virtual Machines
Detect and Respond
Security is its own Silo with a new Focus
Applied “Assume breach” to new Security Designs with the focus to
• Protect
• Detect
• Respond
Control Flow Guard
Protects against unknown vulnerabilities by blocking common attack vectors
Configurable Code Integrity
Ensure that only permitted binaries can be executed from the moment the OS is booted
Windows Defender
Actively protects from known malware without impacting
Device Guard (Virtualization Based Security)
Protect the boot process (more on next slide)
Control Flow Guard
Configurable Code Integrity
Windows Defender
Device Guard (VBS)
• Hypervisor protects Kernel and OS
• UEFI Secure Boot protects boot process and
firmware from tampering
• UEFI Secure Boot with IOMMU protects against
DMA based attacks
• Hypervisor Code Integrity (HVCI) protects code
executing in kernel mode
• Other optional Protections
• Secure MOR, HSTI, UEFI NX and SMM Mitigation
• VBS Requirements
• Unified Extensible Firmware Interface
Input-Output Memory Management
Direct Memory Access based attacks
Hypervisor Code Integrity
Credential Guard
Protect stored credentials from Pass the Hash attacks
• The LSA process talks to a new component called the isolated LSA process, which stores and protects secrets. Requires Virtualization Based Security to be enabled
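A status check for the Device Guard (VBS) and Credential Guard material above: it reads the documented Win32_DeviceGuard WMI class and decodes its numeric codes so an operator can see whether VBS is actually running, whether Credential Guard and HVCI are running rather than merely configured, and which platform properties (Secure Boot, IOMMU/DMA protection, Secure MOR, UEFI NX, SMM mitigation) the firmware exposes. This is an added example, not code from the deck or from Microsoft; the function name is the example's own, and it needs only the in-box CIM cmdlets on Windows Server 2016 or Windows 10.

```powershell
# Added example (not from the deck). Decodes Win32_DeviceGuard into readable state.
function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # Code tables as documented for the Win32_DeviceGuard class.
    $vbsState = @{ 0 = 'Disabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
    $service  = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor Code Integrity (HVCI)' }
    $platform = @{ 1 = 'Base virtualization support'; 2 = 'Secure Boot';
                   3 = 'DMA protection (IOMMU)';       4 = 'Secure MOR';
                   5 = 'UEFI NX protections';          6 = 'SMM security mitigations' }

    # Map an array of codes to names (an empty or null array yields an empty list).
    $decode = { param($codes, $table) @($codes | ForEach-Object { $table[[int]$_] }) }

    [pscustomobject]@{
        VbsStatus              = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured     = & $decode $dg.SecurityServicesConfigured $service
        ServicesRunning        = & $decode $dg.SecurityServicesRunning    $service
        CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)
        PlatformAvailable      = & $decode $dg.AvailableSecurityProperties $platform
        PlatformRequired       = & $decode $dg.RequiredSecurityProperties  $platform
    }
}

$status = Get-VbsStatus
$status | Format-List

# The two states a defender cares about. "Enabled but not running" usually means
# a VBS requirement (UEFI, Secure Boot, IOMMU, hypervisor) is missing on this host.
if ($status.VbsStatus -ne 'Running') {
    Write-Warning "VBS is '$($status.VbsStatus)'; Credential Guard and HVCI cannot protect this host."
}
elseif (-not $status.CredentialGuardRunning) {
    Write-Warning 'VBS is running but Credential Guard is not; LSA secrets are not isolated.'
}
```

Compare PlatformRequired against PlatformAvailable when VBS refuses to start: a required property that is absent from the available list names the missing firmware or hardware feature.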
Remote Credential Guard
Protect credentials over a Remote Desktop
• Credential Guard
Remote Credential Guard
Just enough Administration
Just In Time Administration
Provide privileged access through a workflow that is audited and limited in time
• Secure Bastion Forest
• Shadow security principal (groups) in Bastion Forest
• Time-bound expiration
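The "Just enough Administration" heading above has no body in the deck, so here is a minimal Just Enough Administration (JEA) endpoint that shows the limited-and-audited half of the privileged-access story (the time-bound bastion-forest part belongs to MIM/PAM and is not shown). This is an added example, not code from the deck or from Microsoft; the group CONTOSO\DnsOperators, the module and endpoint names, and the C:\JEA paths are assumptions for the example.

```powershell
# Added example (not from the deck). Members of the assumed CONTOSO\DnsOperators
# group get a remote session in which only the listed cmdlets exist,
# Restart-Service can only target the DNS service, the session runs as a
# throw-away virtual account (no standing admin account, no operator credential
# left on the server), and every session is transcribed for audit.
$moduleName = 'DnsOperatorJea'
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
$configDir  = 'C:\JEA'
New-Item -ItemType Directory -Path $rcPath, "$configDir\Transcripts" -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1") -Description 'JEA role capabilities'

# 1. Role capability (.psrc): the allow-list. Anything not listed is invisible in
#    the session; the ValidateSet pins the one parameter that could do damage.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'DnsOperator.psrc') `
    -Description 'Restart DNS and read its log, nothing else' `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name';    ValidateSet = 'DNS' } },
        @{ Name = 'Get-WinEvent';    Parameters = @{ Name = 'LogName'; ValidateSet = 'DNS Server' } }
    )

# 2. Session configuration (.pssc): which group maps to which role, the identity
#    the session runs under, and where transcripts go.
$pssc = Join-Path $configDir 'DnsOperator.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory "$configDir\Transcripts" `
    -RoleDefinitions @{ 'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsOperator' } }

# 3. Validate, then register the endpoint (this restarts WinRM).
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid session configuration: $pssc" }
Register-PSSessionConfiguration -Name 'DnsOperator' -Path $pssc -Force | Out-Null

# An operator then connects with:
#   Enter-PSSession -ComputerName dns01 -ConfigurationName DnsOperator
# and Get-Command inside that session lists only the cmdlets allowed above.
```

The role capability lives under a module folder on PSModulePath because JEA resolves the RoleCapabilities name 'DnsOperator' by searching those folders; the transcript directory should be on a volume the operators cannot write to outside the session.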
Components of Shielded Virtual Machines
Virtualization Based Security
Prevent infected hosts from accessing Virtual Machines' memory and processors
• Device Guard and Credential Guard
Host Guardian Service (more on next slide)
Ensure VMs are running on a legitimate host, leveraging
• Measured Boot
• Device Health Attestation
BitLocker with vTPM
Encrypt the VM hard drive
Host Guardian Service
Device Health Attestation
Host Guardian Service
Device Health Attestation
Evaluates validity of host before allowing VM to start
Two Attestation Modes
• Admin
• Shielded VMs
• Guarded Fabric
• Attestation Modes
Enhanced Security Logs
New targeted audit events to better detect malicious behavior by providing more detailed information
Windows Server 2016 security auditing reference
Microsoft Advanced Threat Analytics (ATA)
Analyze, Learn, Detect and Alert on suspicious activities and abnormal behavior (separate product)
• Takes information from multiple data sources in your network to learn the behavior of users and
other entities and build a behavioral profile.
Operations Management Suite (OMS)
Monitor both on-premise and Azure cloud environments in
the cloud. Can connect to SCOM (separate product)
• Advanced Threat Analytics
• Operations Managment Suite
Microsoft Passport for Work has been renamed to Windows Hello for Business
Enterprise Mobility End to End
Windows Hello
Built in to the Windows 10 and Windows Server
2016 operating systems
Enables logon with a device-specific PIN or
biometrics (facial recognition, fingerprint, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Windows Hello for Business
(New name for "Microsoft Passport for Work")
Associates your Windows Hello device and PIN with an identity provider (IDP) such as Active
Directory or Azure AD to log you on seamlessly
Every device creates a unique public/private key pair and registers the public key with the IDP;
the private key never leaves the device
Replaces physical and virtual smart cards as well as reusable passwords for logon and access
Takes advantage of onboard TPM hardware to generate, store and protect keys if a TPM is present
Microsoft Passport
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with
“Authentication Policies”
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87 New Features
Windows Hello For Business (name change from “Microsoft Passport for Work”)
AD FS 2016 at the 2016 farm behavior level (FBL)
Windows Server 2016 Forest Functional Level
Privileged Access Management (PAM) service in a bastion AD forest (supported, not required)
Windows Server 2016 Domain Functional Level
Enable rolling of expiring NTLM secrets
Allow NTLM authentication when account restricted to selected devices with Authentication Policies
• Active Directory Schema versions
• ADFS 2016 Behavior Level
• Passport Guide (search for schema)
Windows Server 2016 Functional Levels
What’s New for MIM 2016 SP1
Deprecation of FRS
New forests will only use DFS-R
Existing forests: Windows Server 2016 DCs can still participate in FRS replication
Best practice: use DFS-R for SYSVOL replication for performance, manageability and support
Deprecation of Windows Server 2003 Functional Level
New forests: Windows Server 2003 functional levels not available
Existing forests: Windows Server 2016 DCs can be added once the schema is updated to version 87
Windows Server 2003 functional level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
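Added example (not from the deck): the SYSVOL migration from FRS to DFS-R that the "best practice" bullet above refers to, driven with dfsrmig.exe one global state at a time and waiting until every DC has reached each state. The domain name is an assumption; the state numbers and the dfsrmig switches are the tool's documented ones.

```powershell
# Added example, not from the deck. Run elevated on the PDC emulator as a Domain Admin.
Import-Module ActiveDirectory
$domain = Get-ADDomain -Identity 'contoso.com'   # assumed domain

# Prerequisites: domain functional level >= Windows Server 2008, and not already migrated
if ($domain.DomainMode -lt 'Windows2008Domain') {
    throw "dfsrmig needs Windows Server 2008 domain functional level or higher (current: $($domain.DomainMode))"
}
$state = (dfsrmig.exe /getglobalstate) -join "`n"
if ($state -match "'Eliminated'") { 'SYSVOL is already replicated by DFS-R'; return }

function Wait-DfsrMigState {
    # Sets the global state, then polls until every DC reports it. The wait is bounded by
    # AD replication latency, so do not advance to the next state before this returns.
    param([int]$State, [string]$Name)
    dfsrmig.exe /setglobalstate $State | Out-Null
    do {
        Start-Sleep -Seconds 60
        $out = (dfsrmig.exe /getmigrationstate) -join "`n"
        "$Name : waiting for all DCs`n$out"
    } until ($out -match 'migrated successfully')
}

# 1 Prepared  : DFS-R builds SYSVOL_DFSR alongside the FRS copy      (reversible with /setglobalstate 0)
# 2 Redirected: the SYSVOL share is now served from SYSVOL_DFSR,
#               FRS still replicates the old folder                   (reversible)
# 3 Eliminated: FRS replication of SYSVOL stopped and its state removed (irreversible)
Wait-DfsrMigState -State 1 -Name 'Prepared'
Wait-DfsrMigState -State 2 -Name 'Redirected'
Wait-DfsrMigState -State 3 -Name 'Eliminated'

# Verify: SYSVOL share served from the DFS-R folder, FRS service no longer needed
Get-SmbShare -Name SYSVOL | Select-Object Name, Path
Get-Service -Name ntfrs -ErrorAction SilentlyContinue | Select-Object Name, Status
```

The Prepared and Redirected states exist so you can roll back after checking that SYSVOL_DFSR is complete on every DC; only the Eliminated step removes the FRS copy, which is why the example waits for full convergence before each advance.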
Windows Server 2016 Accurate Time
Maintains 1 ms or better accuracy with respect to UTC on Windows Server 2016 domain controllers
Time synchronization accuracy has been improved substantially while maintaining full
backward NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain 1 ms accuracy with respect to
UTC, or better, for Windows Server 2016 and Windows 10 (1607) domain members
Elimination of rounding errors while calculating time
More frequent, finer-grained adjustments leading to better accuracy
More accurate time-server estimation
Leading to accuracy within tens of microseconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted
to selected devices with "Authentication Policies"
• Windows Server 2016 domain functional level
• NTLM network authentication allowed in the authentication policy
Note: The first generation of authentication policies blocked NTLM because they could not
determine which device the request came from.
Auto-roll NTLM Secrets for Smart Card Users
Purpose: Automatically roll NTLM secrets for Windows Hello or smart card only users to
invalidate old NTLM secrets
DC requirements:
• Windows Server 2016 domain functional level
• Enabled on new domains by default. Opt in for existing domains
Device requirements:
• Ability to sign on with a smart card, virtual smart card or Windows Hello for Business (formerly
Passport for Work)
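Added example (not from the deck) covering both of the NTLM changes above: the domain-level opt-in that rolls NTLM secrets for smart-card-only accounts, and an authentication policy that pins a user to a set of devices while still allowing NTLM network authentication. The domain, user, group, computer and policy names are assumptions; the attribute name, the SDDL form and the authentication-policy parameters (including the NTLM switch added with the 2016 ActiveDirectory module) are the documented ones.

```powershell
# Added example, not from the deck. Names are assumptions.
Import-Module ActiveDirectory
$domain = Get-ADDomain -Identity 'contoso.com'
if ($domain.DomainMode -lt 'Windows2016Domain') {
    throw "Both features need Windows Server 2016 domain functional level (current: $($domain.DomainMode))"
}

# --- 1. Auto-roll NTLM secrets for smart-card-only users (existing domains must opt in) ---
Set-ADObject -Identity $domain.DistinguishedName `
    -Replace @{ 'msDS-ExpirePasswordsOnSmartCardOnlyAccounts' = $true }
# Only accounts flagged "Smart card is required for interactive logon" get their NTLM secret
# rolled; a user who still types a password keeps a stable NTLM hash.
Set-ADUser -Identity 'alice' -SmartcardLogonRequired $true
Get-ADObject -Identity $domain.DistinguishedName -Properties 'msDS-ExpirePasswordsOnSmartCardOnlyAccounts' |
    Select-Object -ExpandProperty 'msDS-ExpirePasswordsOnSmartCardOnlyAccounts'

# --- 2. Authentication policy: TGTs only from PAW devices, NTLM network auth still allowed ---
# The device restriction is evaluated from the armored AS-REQ, so clients and KDCs need the
# "Kerberos client/KDC support for claims, compound authentication and Kerberos armoring"
# policies enabled. Pre-2016 policies had to block NTLM entirely because an NTLM request
# carries no device identity; 2016 lets you re-allow it for legacy applications.
$pawGroupSid = (Get-ADGroup -Identity 'PAW-Devices').SID.Value
$allowedFrom = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID($pawGroupSid)}))"
New-ADAuthenticationPolicy -Name 'Tier0-Admins' -Enforce `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $allowedFrom `
    -UserAllowedNTLMNetworkAuthentication
Set-ADUser -Identity 'alice' -AuthenticationPolicy 'Tier0-Admins'

# Review the effective policy
Get-ADAuthenticationPolicy -Identity 'Tier0-Admins' -Properties * |
    Select-Object Name, Enforce, UserTGTLifetimeMins, UserAllowedToAuthenticateFrom,
                  UserAllowedNTLMNetworkAuthentication
```

Note the trade-off the second half makes explicit: allowing NTLM re-opens the very path (a reusable hash usable from any device) that the device restriction closes for Kerberos, which is why the first half matters. With the NTLM secret rolled on every smart-card logon, a stolen hash has a short useful life even where NTLM must remain enabled.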
Security and Assurance
Appendix (hardware terminology): VT-x (Intel); Direct Memory Access-based attacks;
Firmware (cont.); Secure Boot / Trusted Boot; Secure MOR; NIST guidelines;
Windows Hardware Compatibility Program; Network Adapter Technologies; Storage Technologies