First look at Windows Server 2016: 'Cloud for the masses'? We'll be the judge of that

Containers, security and better hypervisor – but not much for small biz peeps


A better Hyper-V

Microsoft's hypervisor has a mixed reputation. Veteran VMware admins tend to dismiss it, as Microsoft has played catch-up with features, and VMware's tools are generally nicer to use than System Center's Virtual Machine Manager. On the other hand, Hyper-V is free with the operating system, its technology has evolved rapidly, and it integrates tightly with Windows as you would expect.

Hyper-V in Server 2016 scales better than its predecessors

You can never trust what a vendor says about its competition, but Microsoft's Hyper-V limits slide (above) is worth a glance if only to see the comparison with limits in Windows Server 2012 R2. You can now configure up to 12TB RAM in a VM, for example, up from 1TB, and up to 240 virtual processors, up from 64. Hyper-V hosts support up to 24TB RAM, up from 4TB. The thinking is clear: running virtual systems should not compromise the specification.

Nano Server can be used as a Hyper-V host, reducing the OS overhead and improving security. With Nano Server, no interactive logon is supported, only PowerShell or other remote administration tools.

What else is new? Microsoft lists more than 40 new features, of which perhaps the biggest is nested virtualisation, which is important for Hyper-V containers (see below) and for offering Hyper-V hosts on Azure or other public clouds.

Another important feature is the virtual TPM (Trusted Platform Module), which enables features such as BitLocker encryption and Credential Guard (which isolates credentials within a system-protected VM) to run inside a VM.

You can now resize virtual drives at runtime, resize the memory, and hot add/remove virtual network cards. Rolling Cluster Upgrades mean that you can upgrade a Windows Server 2012 R2 cluster running Hyper-V to Server 2016 without service interruption.

New security features

In its pitch for Server 2016, Microsoft makes play of the fact that virtualisation can be a vulnerability, in that an attacker who gets access to a VM host can easily interfere with or steal data from VMs. Therefore Server 2016 introduces Shielded VMs. Setting this up requires both Windows Server Datacenter edition and a separate server running a Host Guardian Service, which protects security keys and checks whether a VM is allowed to run on the hardware on which it is installed.

A Host Guardian Service is required to verify whether a Shielded VM can run

The ability to use the Hyper-V admin tools to connect to a VM's virtual display is regarded as a security weakness, so this is blocked for Shielded VMs. This raises the question of how you fix Shielded VMs that will not boot. Microsoft has a solution which involves running the broken VM within another Shielded VM. The problem illustrates though that the decision to run Shielded VMs is not one to take lightly. If something goes catastrophically wrong, it could be near-impossible to recover.

Another issue with Shielded VMs is that the system requirements and admin overhead will limit adoption. It is not just a matter of checking a box, "Make this a Shielded VM."

Windows Server 2016 also introduces a feature called Just Enough Administration (JEA), which means administrators can log on for administrative tasks with temporary accounts that are restricted to predefined roles. It is a hard thing to get right, as early reports indicate, but must be a step forward from domain administrators logging on to perhaps malware-infected desktops to fix a problem, for example. Windows Credential Guard, introduced in Windows 10, is also designed to thwart malicious software running in this hazardous scenario.
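As an added illustration of the JEA model described above (example code, not the article's own and not Microsoft's), the following PowerShell builds a role capability that exposes only a couple of service cmdlets, maps a domain group to that role, runs each session under a transient virtual account rather than the operator's own credentials, and records a transcript of everything typed. The module name, the group `CONTOSO\ServiceOperators`, the restriction to the `Spooler` service and the transcript path are assumptions chosen for the example.

```powershell
# Added example of a Just Enough Administration (JEA) endpoint.
# Module name, group name, service name and transcript path are assumptions,
# not values taken from the article. Run as a local administrator on the host.

$ModuleName = 'JeaServiceOps'
$ModulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$ModuleName"
$RoleDir    = Join-Path $ModulePath 'RoleCapabilities'
New-Item -Path $RoleDir -ItemType Directory -Force | Out-Null

# A manifest makes the module (and therefore its role capabilities) discoverable.
New-ModuleManifest -Path (Join-Path $ModulePath "$ModuleName.psd1")

# Role capability: what an operator in this role may actually run.
# Restart-Service is exposed, but only with -Name Spooler; every other cmdlet
# on the box is invisible inside the session.
$roleParams = @{
    Path                = Join-Path $RoleDir 'ServiceOperator.psrc'
    Author              = 'Example'
    Description         = 'Inspect services and restart the print spooler only'
    VisibleCmdlets      = @(
        'Get-Service',
        @{ Name = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
    )
    VisibleFunctions    = 'Get-ServiceLog'
    FunctionDefinitions = @{
        Name        = 'Get-ServiceLog'
        ScriptBlock = {
            # Read-only helper: recent Service Control Manager events.
            Get-WinEvent -LogName System -MaxEvents 50 |
                Where-Object { $_.ProviderName -eq 'Service Control Manager' }
        }
    }
}
New-PSRoleCapabilityFile @roleParams

# Session configuration: who gets which role, and how the session runs.
# RunAsVirtualAccount gives the session a temporary local account that exists
# only for its lifetime, so the operator's domain credentials never land on
# the host. TranscriptDirectory keeps an audit trail for the SOC.
$sessionParams = @{
    Path                = Join-Path $env:TEMP 'ServiceOps.pssc'
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = 'C:\ProgramData\JEATranscripts'
    RoleDefinitions     = @{
        'CONTOSO\ServiceOperators' = @{ RoleCapabilities = 'ServiceOperator' }
    }
}
New-PSSessionConfigurationFile @sessionParams

# Validate the file before registering it; returns $true when it parses cleanly.
if (-not (Test-PSSessionConfigurationFile -Path $sessionParams.Path)) {
    throw 'Session configuration file is invalid'
}
Register-PSSessionConfiguration -Name 'ServiceOps' -Path $sessionParams.Path -Force

# Verification from the operator's side: list what the constrained endpoint
# exposes. Only the role's cmdlets plus a few session built-ins should appear.
Invoke-Command -ComputerName localhost -ConfigurationName 'ServiceOps' -ScriptBlock {
    Get-Command | Select-Object -ExpandProperty Name
}
```

The two files do different jobs: the `.psrc` role capability defines the allow-list of commands and parameter values, while the `.pssc` session configuration binds groups to roles and controls the run-as identity and logging. Keeping them separate is what lets one endpoint serve several roles, and the transcript directory is where to look when an operator's session needs to be reconstructed after the fact.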

Microsoft's Identity Manager Privileged Access Manager enables another feature, which the company calls Just in Time Administration: administrative privileges are granted temporarily rather than held permanently.

Making such features available is only the first step. Wide adoption will only come when they are made easy to configure and use.

Storage and networking

Windows Server 2012 introduced Storage Spaces, which lets you create a pool of resilient storage on SAS disks connected to a server cluster without the expense of a traditional SAN (Storage Area Network). Storage Spaces Direct cuts out a couple of pieces by letting you use direct-attached SAS, SATA or SSD drives in a cluster that can also host VMs.

Software Defined Networking is improved in Server 2016 with the addition of a Network Controller server role for managing Hyper-V virtual switches, load balancers, firewall rules and virtual gateways. There is also support for the VXLAN (Virtual Extensible Local Area Network) standard, which was created by VMware, Arista Networks and Cisco and is widely used.

Storage Spaces Direct uses directly-attached drives


Biting the hand that feeds IT © 1998–2021