Review: Microsoft has released Windows Server 2016, complete with container support and a brand new Nano Server edition.
What is the essence of Windows Server 2016? First, a quick look at the context. Server 2016 follows the same pattern as previous releases, in that it follows a new release of the Windows desktop operating system, in this case Windows 10, and brings it to the server. Server 2016 is based on the same kernel as Windows 10 Anniversary, and if you type ver at the command prompt, you get the same thing: Microsoft Windows [Version 10.0.14393].
This means Server 2016 has the Windows 10 Anniversary Start menu, if you install it with the Desktop Experience, though thankfully there is no sign of Cortana.
Second, Microsoft’s primary direction in Server 2016 is to support cloud deployment, whether public or private. There is also attention paid to security, but that goes without saying. Jeffrey Snover, Chief Architect for Windows Server and Azure Stack, told tech journalists:
Windows Server 2016 takes a lot of the innovation we got from Azure, a lot of the cloud innovation, and we’re mainstreaming it. Just as in Windows NT we took a scenario that only the princes and high priests of technology could do and we made that available for the masses, we think we’re doing the same thing for the cloud today.
Windows Server 2016 is supposedly “cloud for the masses”. This is evident in the two biggest areas of change. One is the Hyper-V hypervisor, which is greatly improved in this release. The second is support for Containers and Nano Server, a new cut-down edition of Server, which I bracket together since they have the same goal: support for cloud-native applications.
That said, "cloud for the masses" means something different than "server for the masses" 20 years ago. Whereas a business of any size can run a server, you have to be of significant size before contemplating running your own private cloud. A couple of Azure Stack boxes located in two separate data centers should do it; one is not enough since it lacks geographic resiliency. That will not come cheap, judging by the boxes from Dell and HPE on display at Microsoft's Ignite event in Atlanta last month. Yes, you can run Azure Stack on a single server, but that is only intended for proof-of-concept testing.
An Azure Stack solution on display at Microsoft's Ignite event
In this instance then, the masses are either those large organisations with the capability and inclination to run their own cloud, or the rest of us who are cloud consumers. One of the former is, of course, Microsoft itself, and undoubtedly the features of Server 2016 are driven in part by the company's desire to improve Azure and Office 365.
The further implication is that there is not much new in Server 2016 for small-scale users. Snover talks about "snowflake servers", by which he means the traditional approach to server deployment where you install once and carefully nurture and maintain the result. "If you want to have these ... snowflake servers, Windows 2016 is awesome for that," says Snover, but what he really means is that it is just as good (or bad) as before. The innovation is elsewhere.
A better Hyper-V
Microsoft's hypervisor has a mixed reputation. Veteran VMware admins tend to dismiss it, as Microsoft has played catch-up with features, and VMware's tools are generally nicer to use than System Center's Virtual Machine Manager. On the other hand, Hyper-V is free with the operating system, its technology has evolved rapidly, and it integrates tightly with Windows as you would expect.
You can never trust what a vendor says about its competition, but Microsoft's Hyper-V limits slide (above) is worth a glance if only to see the comparison with limits in Windows Server 2012 R2. You can now configure up to 12TB RAM in a VM, for example, up from 1TB, and up to 240 virtual processors, up from 64. Hyper-V hosts support up to 24TB RAM, up from 4TB. The thinking is clear: running virtual systems should not compromise the specification.
Nano Server can be used as a Hyper-V host, reducing the OS overhead and improving security. With Nano Server, no interactive logon is supported, only PowerShell or other remote administration tools.
What else is new? Microsoft lists more than 40 new features, of which perhaps the biggest is nested virtualisation, which is important for Hyper-V containers (see below) and for offering Hyper-V hosts on Azure or other public clouds.
Another important feature is the virtual TPM (Trusted Platform Module), which enables features such as BitLocker encryption and Credential Guard (which stores credentials within a system-protected VM) within a VM.
You can now resize virtual drives at runtime, resize the memory, and hot add/remove virtual network cards. Rolling Cluster Upgrades mean that you can upgrade a Windows Server 2012 R2 cluster running Hyper-V to Server 2016 without service interruption.
New security features
In its pitch for Server 2016, Microsoft makes play of the fact that virtualisation can be a vulnerability, in that an attacker who gets access to a VM host can easily interfere with or steal data from VMs. Therefore Server 2016 introduces Shielded VMs. Setting this up requires both Windows Server Datacenter edition and a separate server running a Host Guardian Service, which protects security keys and checks whether a VM is allowed to run on the hardware on which it is installed.
A Host Guardian Service is required to verify whether a Shielded VM can run
The ability to use the Hyper-V admin tools to connect to a VM's virtual display is regarded as a security weakness, so this is blocked for Shielded VMs. This raises the question of how you fix Shielded VMs that will not boot. Microsoft has a solution which involves running the broken VM within another Shielded VM. The problem illustrates though that the decision to run Shielded VMs is not one to take lightly. If something goes catastrophically wrong, it could be near-impossible to recover.
Another issue with Shielded VMs is that the system requirements and admin overhead will limit adoption. It is not just a matter of checking a box, "Make this a Shielded VM."
Windows Server 2016 also introduces a feature called Just Enough Administration (JEA), which means administrators can log on for administrative tasks with temporary accounts that are restricted to predefined roles. It is a hard thing to get right, as early reports indicate, but must be a step forward from domain administrators logging on to perhaps malware-infected desktops to fix a problem, for example. Windows Credential Guard, introduced in Windows 10, is also designed to thwart malicious software running in this hazardous scenario.
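What "temporary accounts restricted to predefined roles" looks like in practice, as an added example that is not from the original review or from Microsoft: a minimal JEA endpoint built with the standard PowerShell 5.1 cmdlets. The module name JeaDemo, the endpoint name DnsOps, the group CONTOSO\DnsOperators, the user CONTOSO\alice and all paths are assumptions chosen for illustration.

```powershell
# Added example: minimal JEA endpoint. Run elevated on the server being managed.
# Module, endpoint, group, user and path names below are hypothetical.
$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JeaDemo'
$roles  = Join-Path $module 'RoleCapabilities'
$state  = Join-Path $env:ProgramData 'JeaDemo'
$logs   = Join-Path $state 'Transcripts'
New-Item -ItemType Directory -Path $roles, $logs -Force | Out-Null

# Role capability files are only discovered inside a module's RoleCapabilities folder.
New-ModuleManifest -Path (Join-Path $module 'JeaDemo.psd1')

# The role: the only commands visible in the session, with argument limits.
New-PSRoleCapabilityFile -Path (Join-Path $roles 'DnsOperator.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        # Restart-Service is allowed, but only for the DNS service.
        @{ Name = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } }
    ) `
    -VisibleExternalCommands 'C:\Windows\System32\ipconfig.exe'

# The session: no full language, no default cmdlets beyond a small safe set,
# commands run as a per-session virtual account, and every session is transcribed.
$pssc = Join-Path $state 'DnsOps.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $logs `
    -RoleDefinitions @{ 'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsOperator' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw 'Session configuration file failed validation'
}

# Registering the endpoint restarts WinRM, so existing remote sessions drop.
Register-PSSessionConfiguration -Name 'DnsOps' -Path $pssc -Force

# Audit step: list exactly what a given user would be able to run.
Get-PSSessionCapability -ConfigurationName 'DnsOps' -Username 'CONTOSO\alice'
```

An operator then connects with Enter-PSSession -ComputerName <server> -ConfigurationName DnsOps using an ordinary, non-administrative account. The virtual account is a local administrator by default, so the role file is the real privilege boundary and any cmdlet exposed there should be checked for ways to run arbitrary code.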
Microsoft's Identity Manager Privileged Access Manager enables another feature, which the company calls Just in Time Administration, temporarily granting administrative privileges.
Making such features available is only the first step. Wide adoption will only come when they are made easy to configure and use.
Storage and networking
Windows Server 2012 introduced Storage Spaces, which lets you create a pool of resilient storage on SAS disks connected to a server cluster without the expense of a traditional SAN (Storage Area Network). Storage Spaces Direct cuts out a couple of pieces by letting you use direct-attached SAS, SATA or SSD drives on a cluster which you can use to host VMs.
Software Defined Networking is improved in Server 2016 with the addition of a Network Controller server role for managing Hyper-V virtual switches, load balancers, firewall rules and virtual gateways. There is also support for the VXLAN (Virtual Extensible Local Area Network) standard, which was created by VMware, Arista Networks and Cisco and is widely used.
Storage Spaces Direct uses directly-attached drives
Docker comes to Windows Server
Container support in Windows Server is the far-reaching new feature in Windows Server 2016. Two years in the making, it required new primitives in the Windows kernel, according to Azure CTO Mark Russinovich. Microsoft has also contributed to the Docker engine, for container management, so that this runs on Windows.
Windows containers come in two flavours. Server containers are lightweight and do not consume a Windows license. Hyper-V containers are strongly isolated using virtualisation, have their own copy of the Windows kernel, and do consume a license when run on Standard edition. They are managed in the same way though. You pull down a container image from a repository (public or private), modify it as needed, and deploy it. Containers share operating system resources but for the application behave like a dedicated instance of the operating system.
A Docker container running on Windows Server 2016
For this review, I got up and running with a Docker container on Server 2016, though even the release version of Server 2016 required patching before it would work. It was still evident that this is a fantastic way to deploy an application, or an application split into microservices, since it is lightweight, amenable to automation, and lets you create exactly the right environment.
Using Nano Server as the base image is ideal for containers since it further reduces the OS overhead. You could go further and argue that only Nano Server is suitable as the base image for a Windows Server container; containers built on Server Core tend to be much larger. The introduction of Nano Server was a necessity, not just a bright idea.
The downside is that Nano Server is only a subset of Windows; it runs IIS but not the full .NET Framework, only the cross-platform version called .NET Core. Not many applications are currently compatible with Nano Server.
Docker images based on Nano Server can be small
Docker on Windows is in its infancy and it will take time for Windows admins and developers to adjust. The situation today is confusing since Docker is well established on Linux and almost all the documentation and examples refer to Linux. Microsoft also needs to extend tools like Visual Studio with Docker deployment options.
The technology is compelling though, as well as being one feature of Windows Server that is useful on any scale of installation.
Setup and editions
The default Windows Server 2016 setup is without a GUI
How many editions of Windows Server 2016 are there? It is difficult to give a straight answer. First, there is Standard and Datacenter, differentiated mainly by licensing. Standard includes licenses for just two VMs or Hyper-V Containers running Windows Server, whereas Datacenter is licensed for unlimited VMs. In addition, Datacenter is required for a few new features, including Storage Spaces Direct, Storage Replica, Shielded Virtual Machines, and advanced networking. Standard starts at $882 for a 16-core license (the minimum), whereas Datacenter starts at $6,155.
Nano Server is also an edition of Windows Server, but you do not buy it directly. It is licensed as a feature of Windows Server for which you need Software Assurance, not just a basic license. Microsoft says this is because Nano Server is only available under the Current Branch for Business servicing model, which means continual updates.
There is also Windows Hyper-V Server, which is a free version licensed only for use as a Hyper-V host, and Windows Server Essentials, for small businesses with up to 25 users and 50 devices, for which no CALs (Client Access Licenses) are required. Essentials costs $501, though cheaper OEM deals may be available. The OEM-only Windows Server Foundation has been discontinued.
There are a couple of other specialist editions, Windows Storage Server which you can only get bundled with a storage appliance, and Multipoint Premium Server, mainly designed for remote desktops in education.
Both Standard and Datacenter install by default without a GUI, the installation option called Server Core.
Microsoft's biggest release yet?
At a pre-launch press briefing, Snover assured the assembled journos that Server 2016 is Microsoft's biggest release yet. Whether or not that is true depends how closely your needs match with those which Microsoft is addressing. The security enhancements are valuable, but arduous to configure, which means only large organisations are likely to benefit. In a data centre context, there is a lot to like, including Storage Spaces Direct, improved software-defined networking, and most significantly, container support and Hyper-V enhancements. Smaller businesses will not find much that applies to them, other than the fact that container support really is a big deal, and "just deploy this container" will be an attractive option for many kinds of application deployment, once the ecosystem around it matures. ®