Review: Microsoft Windows Server 2016 steps up security, cloud support
The new OS bakes in advanced features for security and software-defined networking
Today, Microsoft announced the release to manufacturing of Windows Server 2016. In this piece, I'll comb through the product and offer my thoughts on this new operating system.
Design goals
The Windows Server team at Microsoft says customers tell it they are being pulled in a few different directions. First, everyone is worried about getting hacked. Last week, Yahoo confirmed 500 million accounts were hacked by what it calls "state-sponsored" attackers. This breach includes names, dates of birth, and both encrypted and unencrypted security challenge questions. Super.
Second, shadow IT is a huge problem, one that the cloud has arguably made worse. If you as an IT department don't deliver a quality solution quickly, your business users will just go whip out a credit card and sign up for Dropbox or some other service and go around you. Of course, IT is still responsible for data security and sovereignty, so how does that work with all of the responsibility and very little of the control?
Third, the hybrid cloud has arrived as organizations embrace other companies' data centers for at least a portion of their production workloads. Thus, IT needs tools and operating systems that make it easy to leverage the cloud when necessary, but that also bring resources online in-house when it makes sense or when, for compliance reasons, you don't have any other choice.
All of those pillars are addressed in some way in Windows Server 2016. Security was a big focus, and a large part of this review will focus on breach-resistance features and security improvements to the underlying operating system. Shadow IT is somewhat addressed, with container support for DevOps shops to be able to get up and running quickly with agile-style application solutions. (I personally think the container story has been lavished with far too much attention, so I won't mention much about it here in this review.) The hybrid cloud is a drum Microsoft has been beating for years, and there are some key cloud improvements in the OS, particularly around networking, which I'll talk about in depth here.
Pumped-up specs
We'll start with the raw numbers. To be quite frank, Windows Server 2016 supports some jaw-dropping maximum specifications, which seem outlandish as I write this in 2016 but in four years we will all laugh at how naïve we were about what seemed like large amounts of memory and processor capacity:
- Up to 24TB physical memory per server (compared to 4TB in 2012)
- Up to 512 logical processors (320 in 2012)
- Up to 12TB of virtual machine memory (1TB in 2012)
- Up to 240 virtual processors per VM (64 in 2012)
Interestingly, Microsoft tells me that these specific maximums are being driven by Azure's internal needs more than by any sort of external customer demand or feature-gap closure between Windows Server and other operating systems. Azure is growing at a scale where Microsoft's biggest problem is not building out data centers or getting network capacity, but actually obtaining chips for servers. So these upper-end limits are primarily due to using Windows Server to run the public cloud service.
Real innovation: Nano Server
Perhaps the most innovative feature of Windows Server 2016 is the Nano Server installation option. Nano Server is essentially a complete refactoring of the Windows code base to eliminate a ton of dependencies, user-land elements and attack surface. The result, aimed at servers in cloud scenarios and other limited-purpose areas, is "just enough operating system."
What is Nano Server accomplishing?
Why did Nano Server come about? One of the primary design goals was to cut down on reboots. Every patch Tuesday event seems to come with attendant required reboots. Put simply, reboots impact your business for a couple of reasons. First, in an ideal world, reboots would not be required. But reboots also take a long time; some application servers take on the order of 10 minutes to shut down, configure updates, reboot, and then bring up Windows after another patch configuration session. These 10 minutes can have a huge impact on your business.
Another design goal was to massively reduce the size of Windows itself. You know that installing Windows Server 2012 R2 is a multi-gigabyte affair. Having a bunch of these in virtual machines is nice from a portability perspective, but the bigger the images get, the more difficult usability and management become. Larger images take a long time to install and configure, they take too much network bandwidth to move from place to place, and images take too much disk space.
If we were able to get smaller OS images, it follows that we would then be able to achieve a higher VM density. Higher density lowers costs and increases margins, which is a great place for IT to be in this day and age.
Keeping all of this in mind, the Windows Server team went through a major refactoring of Windows, tearing out server roles and optional features, removing essentially the entire user interface, killing 32-bit application compatibility, and nipping and tucking elsewhere. The result is an OS that provides for higher-density applications with a vastly reduced attack surface and far fewer servicing headaches.
Supported roles and functions
What did you lose in terms of functionality with Nano Server? Well, aside from the GUI, you have fewer supported workloads. At RTM, Nano Server will support:
- Running Hyper-V virtual machines as a host
- Scale Out File Servers
- Clustering
- Internet Information Services, Microsoft’s web server
- DNS
- Windows Defender
- TPM SIL for enhanced hardware-based security
- PowerShell desired state configuration
- .NET Core, a powerful but lightweight application framework
- ASP.NET Core, a reduced instruction set for running web applications on top of IIS
Notably, Nano Server does come with full Windows driver support, so regular .INF files and .SYS files will install just fine to support new hardware. You also get agents for System Center Virtual Machine Manager and Operations Manager, so while you cannot log in and really manage Nano Server locally, you can accomplish most of what you need to do remotely.
Managing Nano Server
If you have been following Microsoft's strategic direction at all, the lack of a GUI in Nano Server will not surprise you. The company's vision of servers is that they are not treated as princesses: If one misbehaves, you just kill it and rebuild it remotely. You do not log in via a GUI and try to point and click your way into a repair.
The primary management interface for Nano Server is PowerShell, via PowerShell remoting. If you log in to a Nano Server locally at the console, you will essentially get a text-based screen that lets you recover from serious networking errors that make the server disappear from the wire -- you can reset an adapter, change IPs and fix a few other things that can bork remote management. Other than that, management is exclusively via whatever centralized remote tools you have in your environment, whether that's System Center, anything WMI-based, PowerShell or something else.
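As an added illustration of the remoting-only workflow described above (this is example code written for this review, not Microsoft's own tooling), the following PowerShell session opens a persistent remoting connection to a Nano Server, runs a quick health check on it, and copies a file into the session. The host name, the credential prompt, the file names and the assumption that the host is not domain-joined (which is why TrustedHosts is touched at all) are illustrative assumptions; the cmdlets themselves are standard Windows PowerShell 5.x cmdlets.

```powershell
# Added example (not from the review): manage a Nano Server host remotely over
# PowerShell remoting (WinRM). The host name, credential and file paths below
# are assumptions for illustration only.

$nano = 'nano01.example.internal'   # assumed Nano Server host name

# Only needed when the Nano Server is not domain-joined, so Kerberos cannot
# authenticate the remote end. Add the single host rather than '*': a wildcard
# makes this workstation willing to send admin credentials to any machine.
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $nano -Concatenate -Force

# Prompt for the local Administrator credential set when the image was built.
$cred = Get-Credential -UserName "$nano\Administrator" -Message 'Nano Server admin'

# One persistent session, reused for every call instead of re-authenticating.
$session = New-PSSession -ComputerName $nano -Credential $cred

# Everything in the script block runs on the Nano Server; only results return.
Invoke-Command -Session $session -ScriptBlock {
    # Last boot time shows whether a patch-driven reboot actually happened.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        LastBoot = $os.LastBootUpTime
        Edition  = $PSVersionTable.PSEdition   # reports 'Core' on Nano Server
        Defender = (Get-Service -Name WinDefend -ErrorAction SilentlyContinue).Status
        Stopped  = (Get-Service | Where-Object Status -eq 'Stopped' | Measure-Object).Count
    }
}

# Push a file through the existing session (PowerShell 5.0+), for example a
# Desired State Configuration document; the destination folder is assumed to exist.
Copy-Item -Path .\WebServer.mof -Destination 'C:\Deploy\' -ToSession $session

Remove-PSSession $session
```

In a domain environment the TrustedHosts step is unnecessary and Kerberos authenticates both ends; for a workgroup host reached across an untrusted network, add -UseSSL to New-PSSession so the WinRM listener is certificate-authenticated rather than relying on the TrustedHosts entry alone.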
One new Nano Server feature that was not in the technical previews is the Server Management Tools suite, which is a web-based remote management application offered up via Microsoft Azure. To deploy it, you need to install a virtual machine that acts as a gateway between your network and the Azure app. The web-based console will interact over the network with this gateway, which will then carry out your management instructions locally on the network.
The Server Management Tools suite includes graphical replacements for local-only tools like Task Manager, Device Manager, other local configuration tools, commonly used Microsoft Management Console (MMC) snap-ins, the Registry Editor, the Windows Firewall and more. It works based on WMI and PowerShell and thus can manage not only Nano Server but also Windows Server Core, Server with Desktop Experience, and will even go back to Windows Server 2012 and 2012 R2. The Server Management Tools suite is in public preview and will be officially released later this year.