Windows Server: New Features in Version 1709
In this Ask the Admin, I’ll provide a summary of the new features in the latest version of Windows Server.
Without much of a splash, Microsoft announced the availability of Windows Server version 1709 in September, the first version which comes in the new Semi-Annual Channel. It was made available for download October 17th. As with the initial release of Windows Server 2016, most of the new features in this version are either related to building cloud infrastructure or for DevOps. So, if your interests don’t fall into either of those two categories, there’s not much to see here. The possible exception is Project Honolulu, which will eventually replace Server Manager and other Microsoft Management Consoles (MMCs).
Semi-Annual and Long-Term Servicing Channels
Beginning with this release of Windows Server, there are two channels customers can choose from: Semi-Annual (SAC) and Long-Term Servicing (LTSC). SAC is available for Software Assurance and Azure (cloud hosted) customers and we will see a new version released twice yearly, in spring and fall. Each new version will be supported for 18 months. LTSC versions of Windows Server will be released every 2 to 3 years with 5 years of mainstream support and 5 years of extended support.
If you’re deploying Windows Server container images, Nano Server is 80 percent smaller in this release. Server Core hasn’t been forgotten and is 60 percent smaller. Microsoft has also added Hyper-V isolation compatibility for Linux containers. And while we’re on the subject of Nano, you’ve probably already heard that in this release Nano is only supported as a container image. But Server Core can be used for container images or as an infrastructure host.
Storage class memory is a type of memory made from flash-based NAND with a capacity comparable to storage but with performance close to DRAM. In Windows Server version 1709, Microsoft has added storage-class memory support for virtual machines. Additionally, containers can now access persistent data volumes on cluster shared volumes (CSVs), including CSVs located on Storage Spaces Direct. Furthermore, SMB global mapping lets SMB file shares be mapped to a drive letter inside containers.
Because VMs are just files on a disk, if they somehow escape your environment, they could be started on any virtual host. The Host Guardian Service (HGS) addresses this by providing attestation and key protection in a guarded fabric, so shielded VMs can only be powered on, and migrated, on trusted (guarded) Hyper-V hosts. In this release, HGS can be run in a shielded VM, as opposed to requiring a 3-node physical cluster. Finally, if you’re using software-defined networking, encryption can be quickly turned on to encrypt network segments.
The SMB1 client and server are not installed by default in this version. SMB2 guest authentication is also turned off by default. To further boost security, new options for securing SMB1 and SMB2 have been added, such as the option to disable oplocks in SMB2 (and later) for legacy applications and require signing or encryption on a per-connection basis from clients.
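The SMB defaults described in this section, together with the container global mapping mentioned in the storage section above, can be audited and applied from PowerShell. The following is an added example, not code from the article; the host names, share names, drive letters and credential are constructed placeholders, and the LeasingMode, RequireIntegrity/RequirePrivacy and global-mapping options need version 1709 or later.

```powershell
# Added example (not from the article): audit the SMB defaults described above and
# apply the per-share, per-connection and container-mapping options that 1709 adds.
# Run in an elevated session on the file/container host; share, host and credential
# names are constructed placeholders.

# 1. Audit: SMB1 should be absent and SMB2 guest logons off (both defaults in 1709).
$smb1Feature = Get-WindowsFeature -Name FS-SMB1
$serverCfg   = Get-SmbServerConfiguration
$clientCfg   = Get-SmbClientConfiguration
[pscustomobject]@{
    SMB1FeatureInstalled     = $smb1Feature.Installed
    SMB1ProtocolEnabled      = $serverCfg.EnableSMB1Protocol
    ServerRequiresSigning    = $serverCfg.RequireSecuritySignature
    ServerEncryptsAllShares  = $serverCfg.EncryptData
    ClientGuestLogonsAllowed = $clientCfg.EnableInsecureGuestLogons
    ClientRequiresSigning    = $clientCfg.RequireSecuritySignature
} | Format-List

# 2. Remediate anything the audit reports as weak.
if ($smb1Feature.Installed) { Uninstall-WindowsFeature -Name FS-SMB1 }
Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -RequireSecuritySignature $true -Force

# 3. Per share: require encryption on a sensitive share; disable oplocks/leases
#    (LeasingMode None, 1709+) only on a share for a legacy app that breaks with
#    SMB2 oplocks, because it also disables client-side caching.
Set-SmbShare -Name 'Finance'   -EncryptData $true -Force
Set-SmbShare -Name 'LegacyApp' -LeasingMode None  -Force

# 4. Per connection (1709 client): refuse the mapping unless the server signs
#    (integrity) and encrypts (privacy) it, regardless of the share's own setting.
New-SmbMapping -LocalPath 'S:' -RemotePath '\\fs01.corp.example\Finance' `
    -RequireIntegrity $true -RequirePrivacy $true
Get-SmbConnection -ServerName 'fs01.corp.example' |
    Select-Object ServerName, ShareName, Dialect, Encrypted   # expect Dialect 3.x, Encrypted True

# 5. Container host (1709): a global mapping exposes the share to every container on
#    the host as a drive letter, which can then be passed to docker run -v.
$cred = Get-Credential -Message 'Account the container host uses for the share'
New-SmbGlobalMapping -LocalPath 'G:' -RemotePath '\\fs01.corp.example\AppData' `
    -Credential $cred -RequirePrivacy $true
```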
The big change in storage is that data deduplication now works on volumes formatted with ReFS. A new API also allows developers to utilize the knowledge from data deduplication to optimize how data is moved between volumes, servers, and clusters.
Remote Desktop Services (RDS)
RDS now integrates with Azure Active Directory so that organizations can use conditional access policies, multi-factor authentication, and other Azure AD features without deploying on-premises Active Directory. One interesting feature Microsoft is working on that isn’t part of this release is an HTML5 experience that doesn’t require the installation of a plug-in or ActiveX control to access an RDS session from the browser. Hopefully, we’ll see that in the next Semi-Annual Channel release.
As well as a host of changes to the networking stack, support for Docker’s routing mesh has been added. Swarm mode is Docker’s built-in orchestration solution, and with the routing mesh, endpoints can access a service on any node in a swarm on one port.
The PowerShell Test-NetConnection cmdlet has been improved to give detailed information about route and source address selection. The Dead Gateway Detection (DGD) algorithm has also been given an upgrade to intermittently re-probe the network to check for updates to gateway status.
Several new features have been added to the built-in Windows 10 VPN client. Pre-Logon Infrastructure Tunnels can now be set to establish automatically, before a user logs on to their device, using the Device Tunnel (pre-logon) feature in the VPN profile. This is especially useful when managing remote computers. For this to work, you must additionally set the VPN to dynamically register the IP addresses that are assigned to the VPN interface with your DNS server. Pre-Logon Gateways can also be set, and when combined with traffic filters, they let you determine which intranet systems are accessible via the tunnel.
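The device tunnel configuration described above, with DNS registration, a pre-logon gateway route and a traffic filter, is expressed in VPNv2 ProfileXML and deployed through the MDM bridge WMI provider. This is an added example, not from the article; the VPN server name, routes, ports and address ranges are constructed placeholders.

```powershell
# Added example (not from the article): a Windows 10 1709 device tunnel ("pre-logon
# infrastructure tunnel") defined in VPNv2 ProfileXML and deployed via the MDM bridge.
# Device tunnels require IKEv2 with machine-certificate authentication and must be
# created in the SYSTEM context (e.g. psexec -s powershell.exe), since they come up
# before any user logs on. Server, routes and filter values are constructed placeholders.

$profileName = 'Corp-DeviceTunnel'
$profileXml  = @"
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.corp.example</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication><MachineMethod>Certificate</MachineMethod></Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <!-- Pre-logon gateway: only the management subnet is routed into the tunnel -->
  <Route><Address>10.10.0.0</Address><PrefixSize>24</PrefixSize></Route>
  <DeviceTunnel>true</DeviceTunnel>
  <AlwaysOn>true</AlwaysOn>
  <!-- Register the tunnel IP in DNS so admins can reach the device by name -->
  <RegisterDNS>true</RegisterDNS>
  <!-- Traffic filter: limit the tunnel to RDP and WinRM towards the management subnet -->
  <TrafficFilter>
    <Protocol>6</Protocol>
    <RemotePortRanges>3389,5985</RemotePortRanges>
    <RemoteAddressRanges>10.10.0.1-10.10.0.254</RemoteAddressRanges>
  </TrafficFilter>
</VPNProfile>
"@

# The CSP stores ProfileXML as a string property, so the XML must be entity-escaped.
$namespace = 'root\cimv2\mdm\dmmap'
$instance  = New-Object Microsoft.Management.Infrastructure.CimInstance 'MDM_VPNv2_01', $namespace
foreach ($prop in @(
    [Microsoft.Management.Infrastructure.CimProperty]::Create('ParentID',   './Vendor/MSFT/VPNv2', 'String', 'Key'),
    [Microsoft.Management.Infrastructure.CimProperty]::Create('InstanceID', $profileName,          'String', 'Key'),
    [Microsoft.Management.Infrastructure.CimProperty]::Create('ProfileXML',
        [System.Security.SecurityElement]::Escape($profileXml), 'String', 'Property'))) {
    $instance.CimInstanceProperties.Add($prop)
}
(New-CimSession).CreateInstance($namespace, $instance) | Out-Null

# Verify the profile exists; once it connects, the device should also resolve in DNS.
Get-VpnConnection -AllUserConnection | Where-Object Name -eq $profileName |
    Select-Object Name, TunnelType, ConnectionStatus
```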
Last but not least, Project Honolulu is a new web-based management system for Windows Server that aims to provide a simplified, integrated, secure, and extensible interface for managing Windows Server, Windows 10 devices, clusters, and Storage Spaces Direct.
Servers and services are managed through a Honolulu gateway that can be installed on Windows Server 2016 or Windows 10. Remote PowerShell and WMI over WinRM do the heavy lifting in the background and Honolulu is designed to work with no dependency on Azure. I’ll be looking at Project Honolulu in a more detailed article soon on Petri.
In this article, I outlined the most interesting new features in Windows Server version 1709. For a complete list, you can read the details here on Microsoft’s website.