Tuesday, January 30, 2018

Windows Server 2016 New features and Interview Questions

Windows Server 2016 includes a large collection of new features such as Containers, Nano Server, Shielded VM’s and many more. If you’re applying for a job that requires knowledge of Microsoft’s latest tech then I strongly recommend reading about Dockers and Containers, particularly if you're involved in deployments, development or DevOps. Nano Server is another addition to the trimmed down OS types, providing a minimal footprint with high resource capacity.

 Hyper-V on Windows Server 2016:

# Compatible with Connected Standby (new):When the Hyper-V role is installed on a computer that uses the Always On/Always Connected (AOAC) power model, the Connected Standby power state is now available.

# Discrete device assignment (new): This feature lets you give a virtual machine direct and exclusive access to some PCIe hardware devices. Using a device in this way bypasses the Hyper-V virtualization stack, which results in faster access.

 # Encryption support for the operating system disk in generation 1 virtual machines (new)
You can now protect the operating system disk using BitLocker drive encryption in generation 1 virtual machines. A new feature, key storage, creates a small, dedicated drive to store the system drive’s BitLocker key. This is done instead of using a virtual Trusted Platform Module (TPM), which is available only in generation 2 virtual machines. To decrypt the disk and start the virtual machine, the Hyper-V host must either be part of an authorized guarded fabric or have the private key from one of the virtual machine's guardians. Key storage requires a version 8 virtual machine.

#Host resource protection (new): This feature helps prevent a virtual machine from using more than its share of system resources by looking for excessive levels of activity. Use Windows PowerShell to turn it on or off. To turn it on, run this command:
Set-VMProcessor TestVM -EnableHostResourceProtection $true 

# You can now add or remove a network adapter while the virtual machine is running, without incurring downtime. This works for generation 2 virtual machines that run either Windows or Linux operating systems.


You can also adjust the amount of memory assigned to a virtual machine while it's running, even if you haven't enabled Dynamic Memory. This works for both generation 1 and generation 2 virtual machines, running Windows Server 2016 or Windows 10.


# Linux Secure Boot (new) Linux operating systems running on generation 2 virtual machines can now boot with the Secure Boot option enabled. Ubuntu 14.04 and later, SUSE Linux Enterprise Server 12 and later, Red Hat Enterprise Linux 7.0 and later, and CentOS 7.0 and later are enabled for Secure Boot on hosts that run Windows Server 2016

# More memory and processors for generation 2 virtual machines and Hyper-V hosts


# Nested virtualization (new) This feature lets you use a virtual machine as a Hyper-V host and create virtual machines within that virtualized host. This can be especially useful for development and test environments.

#Shared virtual hard disks (updated): You can now resize shared virtual hard disks (.vhdx files) used for guest clustering, without downtime. Shared virtual hard disks can be grown or shrunk while the virtual machine is online. Guest clusters can now also protect shared virtual hard disks by using Hyper-V Replica for disaster recovery.

#Shielded virtual machines (new):Shielded virtual machines use several features to make it harder for Hyper-V administrators and malware on the host to inspect, tamper with, or steal data from the state of a shielded virtual machine. Data and state is encrypted, Hyper-V administrators can't see the video output and disks, and the virtual machines can be restricted to run only on known, healthy hosts, as determined by a Host Guardian Server.



Windows Containers

Windows Containers allow many isolated applications to run on one computer system. They're fast to build and are highly scalable and portable. Two types of container runtime are available, each with a different degree of application isolation. Windows Server Containers use namespace and process isolation. Hyper-V Containers use a light-weight virtual machine for each container.
Key features include:
  • Support for web sites and applications using HTTPS
  • Nano server can host both Windows Server and Hyper-V Containers
  • Ability to manage data through container shared folders
  • Ability to restrict container resources

Nano Server

Windows Server 2016 offers a new installation option: Nano Server. Nano Server is a remotely administered server operating system optimized for private clouds and datacenters. It is similar to Windows Server in Server Core mode, but significantly smaller, has no local logon capability, and only supports 64-bit applications, tools, and agents. It takes up far less disk space, sets up significantly faster, and requires far fewer updates and restarts than Windows Server. When it does restart, it restarts much faster. The Nano Server installation option is available for Standard and Datacenter editions of Windows Server 2016. 


Nano Server is ideal for a number of scenarios:
  • As a "compute" host for Hyper-V virtual machines, either in clusters or not
  • As a storage host for Scale-Out File Server.
  • As a DNS server
  • As a web server running Internet Information Services (IIS)
  • As a host for applications that are developed using cloud application patterns and run in a container or virtual machine guest operating system

    Security and Assurance

    Includes security solutions and features for the IT professional to deploy in your datacenter and cloud environment. For information about security in Windows Server 2016 generally, see Security and Assurance


    Just Enough Administration : Just Enough Administration in Windows Server 2016 is security technology that enables delegated administration for anything that can be managed with Windows PowerShell. Capabilities include support for running under a network identity, connecting over PowerShell Direct, securely copying files to or from JEA endpoints, and configuring the PowerShell console to launch in a JEA context by default. 
     
    Credential Guard: Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. 
     
    Remote Credential Guard: Credential Guard includes support for RDP sessions so that the user credentials remain on the client side and are not exposed on the server side. This also provides Single Sign On for Remote Desktop. 

    Device Guard (Code Integrity): Device Guard provides kernel mode code integrity (KMCI) and user mode code integrity (UMCI) by creating policies that specify what code can run on the server. 
     
    Windows Defender:  Windows Server Antimalware is installed and enabled by default in Windows Server 2016, but the user interface for Windows Server Antimalware is not installed. However, Windows Server Antimalware will update antimalware definitions and protect the computer without the user interface. If you need the user interface for Windows Server Antimalware, you can install it after the operating system installation by using the Add Roles and Features Wizard.

    Control Flow Guard: Control Flow Guard (CFG) is a platform security feature that was created to combat memory corruption vulnerabilities. 

There are a lot more features but the above are the main one which you may focus for now then build your kowledge on more features as you go.


Here are some question for knowledge test:

Dynamic memory is a great feature that allows you to manage the amount of memory that Hyper-V virtual machines consume. How would you identify the memory a virtual machine consumes when Dynamic Memory is not enabled?

 Answer:
View the amount of RAM listed under Static in the Memory page of the virtual machine

Comments:
When dynamic memory is not enabled, the virtual machine is given a static amount of RAM. This value is located under the Static section of the Memory page of the virtual machine settings.


Virtual Network Manager (available from the Hyper-V Manager snap-in) offers three types of virtual networks that you can use to define various networking topologies for virtual machines and the virtualization server.

Which type of virtual network is isolated from all external network traffic on the virtualization server, as well any network traffic between the management operating system and the external network.


Answer:Private virtual network

Comments:
Private virtual network is useful when you need to create an isolated networking environment, such as an isolated test domain. 


You are trying to create a Nano Server on a physical computer. You have copied the NanoServerImageGenerator folder from the ISO to create a VHD that will run Nano Server on a physical computer using the pre-installed device drivers.

When you try and run Import-Module .\NanoServerImageGenerator it doesn’t work. What did you forget to run?


Answer:
Set-ExecutionPolicy

Comments:
You might have to adjust the Windows PowerShell execution policy. Set-ExecutionPolicy RemoteSigned should work well.

Nano Server is distributed on the physical media, where you will find a NanoServer folder; this contains a .wim image and a subfolder called Packages. It is these package files that you use to add server roles and features to the VHD image, which you then boot to.

You want to create a VHD that will run Nano Server on a physical computer, using the pre-installed device drivers. You have copied the VHD to the physical computer and want to configure it to boot from this new VHD. What command should you use?


Answer:bcdboot

Comments:
The BCDboot tool is a command-line tool that enables you to manage system partition files. You can use it to set up Windows to boot to a virtual hard disk.

 You want to prevent a virtual machine from using more than its share of system resources by looking for excessive levels of activity. This will help prevent a virtual machine's excessive activity from degrading the performance of the host or other virtual machines.

Which PowerShell paramter should you use with Set-VMProcessor?


 Answer:
-EnableHostResourceProtection

Comments:
EnableHostResourceProtection specifies whether to enable host resource protection. When monitoring detects a virtual machine with excessive activity, the virtual machine is given fewer resources. This monitoring and enforcement is off by default.

You want to capture the state, data, and hardware configuration of a running virtual machine. Which checkpoint can be very useful if you need to recreate a specific state or condition of a running virtual machine so that you can troubleshoot a problem?
Answer:
Standard

Comments:
Standard checkpoints capture the state, data, and hardware configuration of a running virtual machine and are intended for use in development and test scenarios.

 You have created a new data volume using the following docker command:

docker run -it -v c:\new-data-volume windowsservercore cmd

New data volumes are stored on the host under 'c:\ProgramData\Docker\volumes'. Where will this data volume be accessible in the running container?

Answer:
c:\new-data-volume 


Faysal Hasan - is a IT System Engineer has with a passion for security. He worked in information technology service delivery for more than 7 years. He received his Bachelor in IT from Southern Cross University, Australia and has earned numerous technical certifications throughout his career. He is currently working as the System Engineer in Enterprise Operations looking after technology infrastructure for Victoria Police.

0 comments:

Post a Comment

Twitter Facebook Favorites More