At the Ignite conference in September, Microsoft released an evaluation version for IT professionals to get a look at what the RTM or “Release to Manufacturing” version of Windows Server 2016 will look like. The final version was generally released on October 12th.
Like many Microsoft releases, Windows Server 2016 brought a lot of new and expanded features to the flagship server OS software. However, keep in mind another important reason to begin planning for your deployment of Server 2016: staying current.
Out with the old … In with the new
As you probably know, extended support for Server 2003 has ended, and with it comes the end of patches and security updates. I’m sure we all have a few 2003 servers left that are running legacy applications or non-production workloads. While these servers should definitely be addressed, let’s also talk about Server 2008 and 2008 R2.
Server 2008 and 2008 R2 make up a huge portion of current production servers in small and midsize offices and even data center operations. Extended support for 2008 and 2008 R2 ends at the start of the year 2020 and, while this might seem like a long way off, it’s only 3 years away.
Consider the fact that you may still have some 2003 servers running, and it’s 2016. Certainly, if any 2003 servers still linger, or you are starting to plan for migrations off of 2008 and 2008 R2, Windows Server 2016 should be your target.
In order to help you make the decision to switch, let’s look at 3 areas and explore their new features in the latest release of the Windows Server OS: Remote Desktop Services, Nano Server, and Security.
Remote Desktop Services
Microsoft delivered a major and much-needed shift in Remote Desktop Services deployments and features with RDS 2012. The new version models the existing methodology but brings enhancements to the table in terms of graphics, scaling, and cloud integration.
More and more applications are being delivered via RDS (Remote Desktop Services) and some of them require more intensive graphics processing than, say, Microsoft Office or a typical accounting software package. RDS 2016 makes improvements to application compatibility by introducing support for OpenGL—a major standard—in addition to DirectX.
Direct Device Assignment or DDA is also being introduced, which allows the mapping of a physical graphics card in the host server to specific or multiple user sessions. This increases performance and gives administrators flexibility in managing resources.
In terms of scale, the Remote Desktop Connection Broker—responsible for processing the initial logon to the RDS farm and directing users to session hosts—has been optimized.
For cloud deployments, the connection broker high availability database can now be hosted in Azure SQL DB. This means it will no longer require a dedicated SQL server just to provide high availability for this RDS role. Azure SQL DB takes about 1-2 minutes to set up as opposed to the lengthy setup of a traditional SQL server.
This is a great example of how you can leverage RDS features while scaling down your overall deployment. On the flip side, if you are working within a large organization and experiencing the dreaded slow logon storms at 8 or 9 AM every morning, you’ll be glad to know that the Remote Desktop Connection Broker role is now much more efficient in handling these, requiring fewer instances to accommodate the increases in traffic.
RDS 2016 was developed for integration into the cloud and Microsoft Azure. As previously mentioned, the Connection Broker role now supports Azure SQL DB for high availability. New tiers of Azure Virtual Machines will also be introduced, which include graphics cards to take advantage of OpenGL support and to help increase application compatibility when delivered via RDS in the cloud.
Azure Active Directory is also making big strides, and the introduction of Azure AD Directory Services will also support RDS 2016 deployments. This means that you will no longer need to spin up a dedicated VM to act as the domain controller. Instead, you can now leverage Azure AD Directory Services as a service to provide your directory service and domain controller services. It’s another VM you don’t need to deploy!
One final feature is the Azure App Proxy support for RDS 2016 deployments. The App Proxy protects your RDS 2016 farm, acting as a reverse proxy. What does this mean? It means the App Proxy will remove any external connections from your RDS 2016 farm. This increases security by limiting your attack surface. All incoming connections from the public internet pass through the App Proxy first and then to your RDS 2016 farm. This feature simplifies administration and troubleshooting and allows you to keep all of your critical RDS servers within an internal firewall.
Nano Server … what IS that?
A cool-sounding name with an equally cool feature set. You can think of a Nano Server as a smaller, lighter and faster server operating system, purpose-built for our cloud-based world. With more and more servers and VMs being deployed in every organization and in the cloud, the time has come to move away from every single server deployment containing a huge feature set of which only a tiny portion is actually used.
Enter the Nano Server, which you can think of as an enhancement to, and upgrade of, the last generation’s (Server 2008/2012) Server Core deployments.
Nano Server has no shell, no local graphical user interface (although it does support remote GUIs), no graphics support, no 32-bit support, and no Remote Desktop.
So why would you want Nano Server?
I’m glad you asked. For starters, it’s a whopping 25 times smaller in storage usage as compared to a regular server OS installation. Additionally, it requires 90% fewer critical updates to be applied, a quarter of the number of reboots, and has about 1/3 of the normal amount of ports open, reducing your attack surface.
Another perk: it takes about 40 seconds to spin up a Nano Server; compare that to the 19 minutes on average that it takes to install a full-blown server with a desktop.
With the introduction of Nano Server, some of the previous challenges with Server Core have been overcome. First, it’s incredibly easy to add normal Windows Server roles to a Nano Server, in particular roles like Hyper-V and IIS.
It’s also easy to deploy Nano Servers via PowerShell and even easier to manage them, thanks to new PowerShell commands and the ability to quickly copy files to a Nano Server over PowerShell remoting.
Developers will love Nano Server because it’s lightweight and they can add any development package to their Nano Server, straight from a repository on the web, much like you can on a Unix or Linux server.
Microsoft thinks that Nano Server is the future of the data center, and I’m inclined to agree.
We’ve all come to expect security enhancements with each new release. There are more threats to our infrastructure and intellectual property today than ever before. Many companies are dealing with attacks from traditional hackers, as well as state-sponsored actors, yet very few have the desire or means to increase spending on IT security.
There are a number of new security measures that Server 2016 introduces, and a number of them focus on identity. Time and again there are major breaches caused by compromised credentials and credentials obtained via phishing schemes.
Just Enough Administrator
One of the new identity-based security features being introduced is Just Enough Administrator (JEA). JEA can be thought of as Role-Based Access Control (RBAC) for anything you can do or manage on a Windows Server with PowerShell. The example that is commonly used revolves around the security issues of allowing an IT employee to manage DNS (typically on a domain controller), but not allowing them to carry out any other actions on the domain controller server, such as creating or modifying user accounts.
With JEA, you can assign a non-admin user the permissions to administer DNS (or Hyper-V, or Active Directory, or DHCP, etc.) without the need to actually make the user an administrator or to generate and share any new passwords or credentials. Moreover, the assigned employee can only interact and administer the specified service (DNS in this case), and even if they try to run other administrative commands against other services on the server or in the domain, they will be denied access.
This type of Role Based Access has long existed in Exchange and recently has made its debut in Azure, so it makes sense that Microsoft would extend this powerful functionality to Windows Server.
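The DNS scenario described above can be expressed as a JEA endpoint. The following is an added example, not code from the original article or from Microsoft; the module name `ContosoJEA`, the group `CONTOSO\DnsOperators` and the endpoint name `DnsOperators` are assumptions chosen for illustration.

```powershell
# Added example. Assumed names: ContosoJEA, CONTOSO\DnsOperators, DnsOperators.
# Run from an elevated PowerShell 5.x session on the server that hosts DNS.
$module  = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ContosoJEA'
$roleDir = Join-Path $module 'RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $module 'ContosoJEA.psd1')

# Role capability: the complete list of commands a connected operator can see.
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'DnsOperator.psrc') `
    -ModulesToImport 'DnsServer' `
    -VisibleCmdlets @(
        'Get-DnsServerZone',
        'Get-DnsServerResourceRecord',
        'Add-DnsServerResourceRecordA',
        'Remove-DnsServerResourceRecord',
        'Clear-DnsServerCache',
        # Restart-Service is exposed for the DNS service only.
        @{ Name       = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } }
    )

# Session configuration: maps the group to the role and runs the allowed
# commands under a temporary virtual account, so no admin password is shared.
# On a domain controller that virtual account is a member of Domain Admins,
# which makes the visible-command list above the real security boundary.
$jeaDir      = Join-Path $env:ProgramData 'JEAConfiguration'
$transcripts = Join-Path $jeaDir 'Transcripts'
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
$pssc = Join-Path $jeaDir 'DnsOperators.pssc'

New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{
        'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsOperator' }
    }

# Validate the file before registering the endpoint.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Session configuration file failed validation: $pssc"
}
Register-PSSessionConfiguration -Name 'DnsOperators' -Path $pssc -Force
```

A member of the group connects with `Enter-PSSession -ComputerName <server> -ConfigurationName DnsOperators`; commands outside the role, such as account-management cmdlets, are not visible in that session. Every session is recorded in the transcript directory, which gives you an audit trail to review.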
Of course, there are still those pesky pieces of malware and ransomware floating around all over the internet, so let’s look at a key addition to Server 2016 which covers a major gap left open in Server 2012: Windows Defender.
By now we all know Windows Defender as Microsoft’s built-in antivirus and anti-malware software and service. In Windows Server 2012, there was no Defender. There was also no supported way to install its predecessor, Security Essentials. Instead, customers were forced to purchase third-party AV software to protect their Server 2012 deployments, and this led to a massive number of servers being left vulnerable and unprotected.
With Server 2016, Windows Defender comes pre-loaded and enabled. Unless you require the advanced protection of a specific workload, Windows Defender fits the bill perfectly, and at no additional cost.
How to get Windows Server 2016
Please contact us using the form below to purchase licensing for Windows Server 2016, or find out if you are already entitled to an upgrade.
Microsoft has, of course, changed the licensing model a bit for Server 2016, and our consultants can help simplify your licensing and deployment scenarios.
For a full and up-to-date list of what’s new in Server 2016, please visit the Microsoft TechNet article: