Windows Server 2019: New Features and Upgrade Art Hogarth Premier Field Engineer
Instructor Introduction • Art Hogarth • Active Directory/Platforms • Experience: • 20+ years IT Experience • 7+ years Management • 2.5 years at Microsoft • Hobbies • Riding my Motorcycle • BBQ/Smoking Meat • Building Legos
After this session you will be able to: • Identify new and improved features in Windows Server • Identify the support lifecycle of each version • Understand what we mean by Hybrid in Server 2019 • Recognize the improvements to security • Comprehend what the Application Platform consists of • Grasp how Server 2019 can help with hyper-converged infrastructure
Releases • Referred to simply as Windows Server • Versions of Windows Server are released on two separate release channels • Long Term Servicing Channel (LTSC) • Semi-Annual Channel (SAC) • Detailed overview on the next slides TechNet Blog: Finding Windows Server on VLSC
Windows Server LTSC & SAC: Two channels for maximum flexibility (timeline figure) • LTSC releases: Windows Server 2016, Windows Server 2019, Windows Server N+1 LTSC • SAC releases: 1609, 1703*, 1709, 1803, 1809, 19xx, 19xx, 20xx, 20xx (each marked "Innovation", feeding the next LTSC)
Windows Server Release Channels (Long-Term Servicing Channel vs Semi-Annual Channel) • Recommended scenarios: LTSC for general purpose file servers, first and third-party workloads, traditional apps, and other infrastructure roles; SAC for containerized applications, container hosts, and application scenarios benefiting from faster innovation • New release: LTSC every 2–3 years; SAC every 6 months • Supported for: LTSC 5 years of Mainstream support + 5 years of Extended support; SAC 18 months of support • Editions: LTSC all available Windows Server editions; SAC Standard and Datacenter • Who can use: LTSC all customers through all channels; SAC Software Assurance and Cloud customers only • Installation options: LTSC Server Core and Server with Desktop Experience; SAC Server Core and Nano Server container image
Servicing Windows Update (stand-alone): This option is only available for servers that are connected to the Internet and have Windows Update enabled. Windows Server Update Services (WSUS) provides extensive control over Windows 10 and Windows Server updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready. System Center Configuration Manager provides the greatest control over servicing. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times. • Both the Long-Term Servicing Channel and the Semi-Annual Channel releases will be supported with security updates and non-security updates. • The difference is the length of time that the release is supported • https://docs.microsoft.com/en-us/windows-server/get-started-19/servicing-channels-19 Windows Server 2019 Tech Community: Servicing Update Changes
Windows Server 2019 Licensing • Scenarios • Minimum of 8 core licenses per processor • Minimum of 16 core licenses required for each server • Licenses available in 2-core packs or 16-packs
Windows Server 2019 Licensing * Windows Storage Server will be retired; the 2016 version will be the last version offered Windows Server 2016 Storage Server end of distribution has been extended to December 31, 2019 *Essentials Role removed; only available as a standalone SKU
Installation Options • Which option is best for you? • Windows Server Core • Recommended choice and used for Azure infrastructure • Headless, lightweight and ideally suited for large datacenters and clouds • Smaller attack surface, so more secure • Easy to manage remotely with Windows Admin Center (WAC) • Features on Demand (FoD) resolves most compatibility issues • https://docs.microsoft.com/en-us/windows-server/get-started-19/install-fod-19 • Windows Server with Desktop Experience • Use for applications that will not work on Windows Server Core • Use in RDS deployment scenarios • Server Core: lower-maintenance server environment; Desktop Experience: full GUI Cloud Blog: Server Core versus Server with Desktop
In-place Upgrades • Improved: Support of In-place upgrades • LTSC In-place upgrades are supported from N-2 LTSC • New! Microsoft is performing more testing and repairing any issues found to make the in-place upgrade a more viable option in Windows Server 2019 • Supports Windows Server 2012 to Windows Server 2016 • Supports Windows Server 2012 R2 to Windows Server 2019 • SAC In-place upgrades are planned to be supported from N-2 starting with Windows Server, version 1809 • Earlier versions may require a clean install • In-place upgrades are not supported • From SAC to LTSC and vice versa • Azure VMs: KB4014997 Windows Server 2019 TechNet Blog: Windows Server v1709 FAQ
Server Lifecycle • Windows Server product (Mainstream Support End Date, Extended Support End Date): • Server 2008 R2 SP1: 1/13/2015, 1/14/2020 • Server 2012/2012 R2: 10/9/2018, 10/10/2023 • Server 2016: 1/11/2022, 1/12/2027 • Server 2019: 1/9/2024, 1/9/2029
Lifecycle • New: Options for Windows Server 2008 • Extended support ends January 14th, 2020 • Migrate Windows Server 2008 and 2008 R2 VMs to Azure VMs and get free extended security updates for three years after the deadline • In addition, SQL Server 2008 and 2008 R2 in Azure VMs will also get free extended security updates for three years after the deadline • Can't meet the deadline or migrate to Azure? Then buy Extended Security Updates for 3 more years Announced July 2018 MS Docs: Get three years extended support
Windows Server 2019 The Key Pillars • HYBRID CLOUD: Easy to connect to Azure Stack; Easy to integrate Azure services; Leverage Azure services without disruption • SECURITY: Windows Defender Advanced Threat Protection (ATP) embedded; Preventative protection, zero-day exploits and attack detection; Access to deep kernels and memory sessions • APPLICATION PLATFORM: Core base container image offering; Modernize existing applications into containers; More choices for container deployments • HYPER-CONVERGED PLATFORM: HCI solution will have added scalability, reliability and performance; HCI deployment to be added to Windows Admin Center; Simplified management and day-by-day activities
Hybrid: Over the last few years • Pre-2016 • Azure Active Directory • Azure AD Connect • Azure Site Recovery • On-premises DR to Azure • Move VMware, AWS, Hyper-V and physical servers to Azure • Leverage SAN capabilities • Azure Backup • Advanced Threat Protection • StorSimple (physical) • 2016 • Azure AD Domain Services • Azure Security Center • Azure Site Recovery • Encryption at Rest • StorSimple (virtual) • 2017 • Azure Monitor • Azure Backup of Windows System State • Azure Site Recovery • Managed disk support • Deployment Planner • 2018 • Hybrid Cloud Print (Feb) • Azure File Sync (July)
New and Enhanced Features • New: Windows Admin Center • New: Connect to Azure backup, file sync, and disaster recovery • New: Storage Migration Service • Hybrid • Datacenter
Microsoft: End-to-end hybrid infrastructure • Hybrid Datacenter • Hybrid Cloud • WSSD/Windows Server • Azure Stack • On-premises
Azure AD Connect • Enables a hybrid identity • Connects on-premises Active Directory Domain Services (AD DS) with Azure Active Directory (AAD), providing users with a single identity to access on-premises and cloud services • Capabilities • Synchronization of users, groups, devices and other objects • Filtering options to limit which objects are synchronized • Password Hash Synchronization option • Extend AAD Conditional Access features to on-premises AD DS • Write-back options available for some objects • Integrates with federation infrastructures, like AD FS and PingFederate, to address complex deployments MS Docs: Integrate your on-premises directories w/ AAD
Windows Admin Center • Azure Integration in Windows Admin Center • Ongoing development in place to allow Windows Admin Center to manage Azure features for Hybrid Scenarios • Easy, graphical registration process built in to the product • Allows authentication and services integration • More services coming over time • Can be automated with PowerShell as well MS Docs: Configure Azure Integration with WAC
Management with Windows Admin Center Simplified – Integrated – Secure – Cloud-ready Windows Server 2019 2016, 2012 R2, 2012 Windows Server Core, SAC, 2019, 2016, 2012 R2, 2012 Windows 10 Client
Flexible deployment options (figure) • Deployment modes: Windows 10 desktop, Dedicated gateway server, Managed node, High availability • Platforms listed for running Windows Admin Center: Windows 10, Windows Server 2019, Windows Server version 1803, Windows Server version 1709, Windows Server 2016 • Platforms listed as managed: Windows Server 2019, Windows Server version 1803, Windows Server version 1709, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2
Azure Backup Secure on-premises Backups with Azure Backup Azure Backup provides a secure location for backups that grows as needed Available Now Azure: Secure your backups
Azure File Sync • Centralize file replication services in Azure • Windows Server 2012 R2, 2016, and 2019 support Azure File Sync • Builds on Azure Files • Transform your on-premises Windows file servers into fast caches of data • Simplify backup and restore, and quickly recover in a disaster • Simplify your life with cloud-based services • Free up on-premises storage with cloud tiering MS Docs: aka.ms/afs Video: Windows Server Summit (In Keynote at 22:30) Available Now
Storage Migration Service • Various “Data Box” solutions that allow you to copy your local data to Azure. • 40 TB – USB/SATA • 100 TB - 1x1/10 Gbps RJ45, 2x10 Gbps SFP+ interface • 800 TB - 1x1/10 Gbps RJ45, 4x40 Gbps QSFP+ interface MS Docs: aka.ms/afs Video: Windows Server Summit (In Keynote at 22:30) Available Now
Windows Server Security Posture • 1. Protect: Ongoing focus & innovation on preventative measures; block known attacks & known malware • 2. Detect: Comprehensive monitoring tools to help you spot abnormalities and respond to attacks faster • 3. Respond: Leading response and recovery technologies plus deep consulting expertise • 4. Isolate: Isolate OS components & secrets; limit admin privileges; rigorously measure host health • Security isn't a bolt-on; it's an architectural principle!
Security Protecting the OS: Over the last two years • Windows Server 2016 • Virtualization-Based Security • Device Guard • UEFI Secure Boot and DMA protections • Virtualization-based code integrity (HVCI) • Application Control (Configurable Code Integrity) • Credential Guard • Remote Credential Guard • Control Flow Guard • Windows Server version 1709 • No new features • Windows Server version 1803 • Device Guard • Improved Application Control with built-in code integrity • Windows Server 2019 • Windows Defender ATP built in to the OS • Exploit Guard • Kernel Control Flow Guard • Virtualization-based security memory enclaves • Device Guard; System Guard Monitor
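The 2016-era protections listed above (Secure Boot, VBS, HVCI, Credential Guard) are commonly configured by policy but silently fail to start when a boot or hardware prerequisite is missing. The script below is an added example, not part of the deck, that reports configured-versus-running state for these features on one host using the Win32_DeviceGuard WMI class and Confirm-SecureBootUEFI; the status codes follow Microsoft's published class definition (VirtualizationBasedSecurityStatus 0/1/2; SecurityServices 1 = Credential Guard, 2 = HVCI), and the function name is my own.

```powershell
# Added example (not from the slide deck): read-only audit of which VBS-based
# protections are configured and which are actually running on this host.
# Assumes Windows Server 2016 or later; status codes per the Win32_DeviceGuard docs.

function Get-VbsPostureReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines, so treat that as "off".
    $secureBoot = try { [bool](Confirm-SecureBootUEFI) } catch { $false }

    $vbs = $(switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Disabled' }
        1       { 'EnabledNotRunning' }   # policy set, prerequisite missing: the gap to chase
        2       { 'Running' }
        default { "Unknown($_)" }
    })

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        SecureBoot                = $secureBoot
        VbsStatus                 = $vbs
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning    -contains 1)
        HvciConfigured            = [bool]($dg.SecurityServicesConfigured -contains 2)
        HvciRunning               = [bool]($dg.SecurityServicesRunning    -contains 2)
    }
}

# Single host:
Get-VbsPostureReport | Format-List

# Fleet view: run the same function on a list of servers (names are placeholders)
# and surface only hosts where something is configured but not running.
$servers = 'srv01', 'srv02'   # placeholder computer names
Invoke-Command -ComputerName $servers -ScriptBlock ${function:Get-VbsPostureReport} |
    Where-Object { ($_.CredentialGuardConfigured -and -not $_.CredentialGuardRunning) -or
                   ($_.HvciConfigured -and -not $_.HvciRunning) } |
    Format-Table ComputerName, SecureBoot, VbsStatus, CredentialGuardRunning, HvciRunning
```

The useful signal is the Configured/Running mismatch: a host that reports Credential Guard configured but not running usually lacks UEFI, Secure Boot, or a hypervisor-capable CPU setting, and will not get the protection the policy implies.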
New and Enhanced Features • New: Security - VSM Enclaves • New: Integrated security services • New: Exploit Guard • Enhanced: Shielded Virtual Machines • Security
Windows Defender ATP Exploit Guard • New: Windows Defender ATP Exploit Guard • New set of host-intrusion prevention capabilities • Attack Surface Reduction (ASR): A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking suspicious malicious files (for example, Office files), scripts, lateral movement, ransomware behavior, and email-based threats • Network protection: Protects the endpoint against web-based threats by blocking any outbound process on the device to untrusted hosts/IP addresses through Windows Defender SmartScreen. • Controlled folder access: Protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders • Exploit protection: A set of mitigations for vulnerability exploits (replacing EMET) that can be easily configured Attack Surface Reduction (ASR) Network protection Controlled folder access Exploit protection Windows Server 2019 MS Docs: Windows Server 2019 Preview 17623
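The four Exploit Guard components on this slide are configured with the Defender cmdlets, and each supports an audit mode that logs what would have been blocked without blocking it. The block below is an added example, not from the deck, that stages all four in audit mode and then reads the configuration and audit events back. The two ASR rule IDs are the published identifiers for "Block all Office applications from creating child processes" and "Block executable content from email client and webmail" and should be verified against the MS Docs ASR rule list before use; the protected folder path and the server placeholders are assumptions.

```powershell
# Added example (not from the slide deck): stage Exploit Guard in audit mode on
# Windows Server 2019, then verify settings and collect audit events.
# Run elevated. Rule GUIDs: verify against the MS Docs ASR reference.

$asrRules = @(
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A',  # Block Office apps from creating child processes
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'   # Block executable content from email/webmail
)

# 1. Attack Surface Reduction: AuditMode writes event 1122 instead of blocking (1121).
Set-MpPreference -AttackSurfaceReductionRules_Ids $asrRules `
                 -AttackSurfaceReductionRules_Actions AuditMode, AuditMode

# 2. Network protection (SmartScreen-backed outbound blocking) in audit (event 1126).
Set-MpPreference -EnableNetworkProtection AuditMode

# 3. Controlled folder access in audit (event 1124), plus one extra folder to protect.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance\Shares'   # placeholder path

# 4. Exploit protection (EMET replacement): system-wide DEP and ASLR mitigations.
Set-ProcessMitigation -System -Enable DEP, BottomUp, HighEntropy

# Read back what is actually applied. ASR IDs and actions come back as parallel arrays.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                          $pref.AttackSurfaceReductionRules_Actions[$i]
}
'NetworkProtection={0}  ControlledFolderAccess={1}' -f `
    $pref.EnableNetworkProtection, $pref.EnableControlledFolderAccess

# Audit events land in the Defender operational log; review these for a week
# before switching the actions from AuditMode to Enabled.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1122, 1124, 1126
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Moving from AuditMode to Enabled is the same Set-MpPreference call with the action changed; keeping the rule list in a variable makes the two calls identical apart from that one word, which keeps the blocking rollout matched to what was audited.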
Shielded Virtual Machines • Concept of Shielded Virtual Machines introduced in Windows Server 2016 • Hyper-V Generation 2 virtual machines are protected using • UEFI Secure Boot • Virtual TPM (vTPM) • BitLocker-encrypted virtual hard drives • Host Guardian Service to ensure virtual machines are running on a legitimate Hyper-V host • Supports Windows Server 2012 (and later) • Supports Linux OS including Ubuntu 14.04+, SUSE Linux Enterprise Server 12+, Red Hat Enterprise Linux 7.0+, CentOS 7.0 and later (Figure: shielded VM layers: Data, Workload and OS inside the virtual machine; Compute, Storage, Network and Hypervisor in the fabric) MS Docs: Guarded Fabric and Shielded VMs MS Docs: Device Health Attestation Windows Server 2016
Protect Identity: Over the last two years Windows Server 2016 Windows Hello for Business Just Enough Administration Just In Time Administration Windows Server 2016 Forest and Domain Functional Level AD DS Schema Version 87 Kerberos improvements NTLM improvements for Authentication Policies and Smart Cards • Windows Server version 1803 • AD DS Schema Version 88 added with new O365 attribute • Windows Server • 2019 • FRS and Windows Server 2003 Functional levels no longer supported • Role-based access control (JEA) in WAC – New! • AD DS ESE Version Store Improvements • Windows Hello Security Keys (FIDO 2.0)
Identity IS the new Perimeter • Enterprise datacenters are becoming a virtual concept • Most companies' intranets now extend into the cloud, working around carefully constructed firewalls and VPNs • The network is no longer the security perimeter • Identity is the common denominator, however it is now located in the cloud • This requires a different approach for securing the perimeter using new features introduced in • Azure Active Directory • Active Directory Domain Services (on-premises) • Windows Hello for Business • Just in Time Administration (i.e. Privileged Access Management) • Just Enough Administration • AD Integrated DNS MS Docs: Reference link
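Just Enough Administration, named on the two preceding slides, is the concrete mechanism for "limit admin privileges": a constrained PowerShell endpoint that exposes only the cmdlets a role needs, runs them under a throwaway virtual account, and transcribes everything. The block below is an added example, not from the deck, that builds such an endpoint for a DNS operator role; the module name, group name, endpoint name and transcript path are placeholders.

```powershell
# Added example (not from the slide deck): a JEA endpoint that lets members of a
# DNS operators group read DNS records and restart only the DNS service.
# Run elevated on the DNS server. Names below are placeholders.

$moduleName = 'JEA-DnsOps'                                        # placeholder module name
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$group      = 'CONTOSO\DNS-Operators'                             # placeholder AD group
$transcripts = 'C:\JEA-Transcripts'                               # placeholder transcript dir

# JEA discovers role capabilities from <module>\RoleCapabilities\*.psrc
New-Item -ItemType Directory -Path "$modulePath\RoleCapabilities" -Force | Out-Null
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
New-ModuleManifest -Path "$modulePath\$moduleName.psd1"

# Role capability: allow-list the cmdlets, and pin Restart-Service -Name to 'DNS'
# so the role cannot be widened into "restart any service".
New-PSRoleCapabilityFile -Path "$modulePath\RoleCapabilities\DnsOperator.psrc" `
    -VisibleCmdlets @(
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } },
        'Get-DnsServerResourceRecord',
        'Get-DnsServerZone'
    ) `
    -Description 'Read DNS records and restart the DNS service only'

# Session configuration: no-language restricted session, virtual account (no standing
# admin credential to steal), per-session transcripts for the Detect/Respond side.
New-PSSessionConfigurationFile -Path "$modulePath\DnsOps.pssc" `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{ $group = @{ RoleCapabilities = 'DnsOperator' } }

Register-PSSessionConfiguration -Name 'DnsOps' -Path "$modulePath\DnsOps.pssc" -Force

# Verify from an account that is a member of $group: the command surface should be
# the three allowed cmdlets plus the handful RestrictedRemoteServer always provides.
$s = New-PSSession -ComputerName localhost -ConfigurationName DnsOps
Invoke-Command -Session $s -ScriptBlock { Get-Command } |
    Select-Object Name, CommandType | Format-Table
Remove-PSSession $s
```

Operators then connect with `Enter-PSSession -ComputerName <dns server> -ConfigurationName DnsOps`; the ValidateSet on the Name parameter is what turns "restart services" into "restart the DNS service", which is the least-privilege point the slide makes.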
What is DevOps? • "DevOps is the union of people, process, and products to enable continuous delivery of value to your end users." Donovan Brown, Microsoft DevOps Manager (@DonovanBrown) • People. Process. Products. • Continuous Delivery cycle: Plan & Track, Develop, Build & Test, Deploy, Operate, Monitor & Learn
Containers: Over the last two years Windows Server 2016 Initial launch of containers Process and Hyper-V isolation Docker EE Basic Included at no additional cost • Windows Server version 1709 • Optimized container images for Nano Server and Server Core • Platform level support for Linux containers • Windows Subsystem for Linux • Networking enhancements for overlays and SDN • Windows Server version 1803 • Server Core image Optimizations • Native command line tools – curl.exe, tar.exe and SSH • Enhancements to the Windows Subsystem for Linux • Networking enhancements for greater density and quicker endpoint creation • Improved network security with Calico • Open source storage plugins for Kubernetes • Platform functionality required for Kubernetes conformance • Windows Server • 2019 • Server Core image Optimizations • Improved compatibility for apps running in containers • Enhanced Group Managed Service Account support • Platform functionality for Kubernetes and Microsoft Service Fabric • Container Performance and density improvements • Platform and open source work on CNI networking plugins such as Calico and Flannel • Enhancements to the Windows Subsystem for Linux
New and Enhanced Features • Enhanced: Unlimited Windows Containers • Enhanced: Hyper-V Windows Server Containers • New: Server Core and Nano container optimization, container security, Linux containers and Kubernetes support • New: Red Hat OCP Kubernetes support • Enhanced: Support for 1st party (2019 wave) and 3rd party apps • Application Platform
Server Core • Server Core Container Image • Image size reduced by 50% in version 1709, another 30% in version 1803, and down to 1.5 GB in Windows Server 2019 • Unused optional features removed (can be added as needed); list removed from version 1803: • AD Certificate Services • AuthManager, Bitlocker • BITS, CCFFilter, Containers • CoreFileServer • DataCenterBridging • Dedup-Core • DeviceHealthAttestationService • DFSN and DFSR • DirectoryServices • DiskIo-QoS • EnhancedStorage • FailoverCluster • File-Services • FileServerVSSAgent • FRS-Infrastructure, FSRM • HardenedFabricEncryptionTask • HostGuardian • IdentityServer-SecurityTokenService • IPAM, iSCSI, iSNS Service • Licensing, LightweightServer • Hyper-V, Group Policy • Windows-FCI-Client-Package • Windows-Subsystem-Linux • MSRDC-Infrastructure • MultipathIo, NetworkController • NDES • NetworkLoadBalancingFullServer • NetworkVirtualization • NFS Client and Server • OnlineRevocationServices • P2P-PnrpOnly, PeerDist • Printing, QWAVE • RasRoutingProtocols • Remote-Desktop-Services • RemoteAccess, ResumeKeyFilter • RightsManagementServices-Role • SBMgr-UI • ServerCore-Drivers • RSAT • ServerMediaFoundation • ServerMigration • SessionDirectory • SetupAndBootEventCollection • ShieldedVMToolsAdminPack • SMB1Protocol-Server • SmbDirect • SMBHashGeneration • SmbWitness • SNMP • SoftwareLoadBalancer • Storage-Replica-AdminPack • Storage-Replica • Tpm-PSH-Cmdlets • UpdateServices-Database • UpdateServices-Services • UpdateServices-WidDatabase • UpdateServices • VmHostAgent • VolumeActivation-Full-Role • Web-Application-Proxy • WebAccess • WebEnrollmentServices • Windows-Defender • WindowsServerBackup • WindowsStorageManagementService • WINSRuntime • WMISnmpProvider • WorkFolders-Server • WSS-Product-Package • Application compatibility improvements in each release • Boot and run-time performance improved in each release Windows Server, version 1709 and 1803
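The Installation Options slide says Features on Demand resolves most Server Core compatibility issues, and the slide above says removed optional features "can be added as needed". The block below is an added example, not from the deck, showing both on a Server Core host: checking for and installing the App Compatibility FoD from a local source, and listing features whose payload has been removed so they can be re-added from installation media. The FoD capability name is the one published in the MS Docs page linked on the Installation Options slide; the drive letters are assumptions.

```powershell
# Added example (not from the slide deck): Features on Demand and removed-feature
# handling on Windows Server Core. Run elevated. Drive letters are placeholders.

$fodName   = 'ServerCore.AppCompatibility~~~~0.0.1.0'   # FoD name per MS Docs; verify for your build
$fodSource = 'E:\'                                       # placeholder: mounted FoD ISO
$wimSource = 'wim:E:\sources\install.wim:2'              # placeholder: install media, image index 2

function Test-AppCompatFod {
    # Returns $true when the App Compatibility FoD is installed.
    (Get-WindowsCapability -Online -Name $fodName).State -eq 'Installed'
}

if (Test-AppCompatFod) {
    'App Compatibility FoD already installed'
} else {
    # -LimitAccess keeps DISM off Windows Update so an isolated server only pulls
    # payload from the source you control; a reboot is required afterwards.
    Add-WindowsCapability -Online -Name $fodName -Source $fodSource -LimitAccess
    'FoD staged; reboot required'
}

# Features whose binaries were removed from this image: InstallState 'Removed' means
# Install-WindowsFeature needs -Source pointed at installation media.
$removed = Get-WindowsFeature | Where-Object InstallState -eq 'Removed'
$removed | Select-Object Name, DisplayName | Format-Table -AutoSize

# Example of adding one such feature back from media (uncomment to run):
# Install-WindowsFeature -Name $removed[0].Name -Source $wimSource
```

Checking InstallState before installing avoids the common Server Core failure where the role install reports "source files could not be found" because the payload was stripped from the image.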
Nano Server • Nano Server Container Image • Image size reduced by over 80% in version 1709, and as of version 1803, image is below 100 MB • Optimized for .NET Core 2.0 • PowerShell Core, .NET Core and WMI no longer included by default in the container image Windows Server, version 1709 and 1803
Linux Containers for Windows (LCOW) • Linux containers with Hyper-V isolation run each Linux container (LCOW) in an optimized Linux VM • With just enough OS to run containers • Each LCOW has its own kernel and its own VM sandbox • They're also managed by Docker on Windows directly • LCOW is a work in progress and is under active development. Track ongoing progress in the Moby project on GitHub • Not all features are available (Figure: Windows container host with a Hyper-V isolated container: Docker client, Docker daemon and HCS on the NT kernel; Windows process containers alongside an LCOW with its own Linux kernel, reached via gRPC, all above the hypervisor) Windows Server, version 1709 (or later) MS Docs: Linux Containers on Windows
Kubernetes Open-source platform designed to automate deploying, scaling and operating application containers Deploy your applications quickly and predictably Scale your applications on the fly Limit hardware usage to required resources only Roll out new features seamlessly
Red Hat OpenShift • Enables build and deployment automation as well as continuous integration and continuous delivery for container systems built on Kubernetes • It is an open source container management platform which sits on top of the Kubernetes container orchestration system and the container runtime • Red Hat OpenShift for Windows will enable managing Windows Server 2019 nodes and containers in a mixed Linux and Windows Red Hat OpenShift deployment