Posts

Windows Server 2019

Windows Server 2019 and what we need to do now: Migrate and Upgrade!

IT pros around the world were happy to hear that Windows Server 2019 is now generally available and since there have been some changes to the release. This is a huge milestone, and I would like to offer congratulations to the Microsoft team for launching the latest release of this amazing platform as a big highlight of Microsoft Ignite.

As important as this new operating system is now, there is an important subtle point that I think needs to be raised now (and don’t worry – Veeam can help). This is the fact that both SQL Server 2008 R2 and Windows Server 2008 R2 will soon have extended support ending. This can be a significant topic to tackle as many organizations have applications deployed on these systems.

What is the right thing to do today to prepare for leveraging Windows Server 2019? I’m convinced there is no single answer on the best way to address these systems; rather the right approach is to identify options that are suitable for each workload. This may also match some questions you may have. Should I move the workload to Azure? How do I safely upgrade my domain functional level? Should I use Azure SQL? Should I take physical Windows Server 2008 R2 systems and virtualize them or move to Azure? Should I migrate to the latest Hyper-V platform? What do I do if I don’t have the source code? These are all indeed natural questions to have now.

These are questions we need to ask today to move to Windows Server 2019, but how do we get there without any surprises? Let me re-introduce you to the Veeam DataLab. This technology was first launched by Veeam in 2010 and has evolved in every release and update since. Today, this technology is just what many organizations need to safely perform tests in an isolated environment to ensure that there are no surprises in production. The figure below shows a data lab:

windows 2008 eol

Let’s deconstruct this a bit first. An application group is an application you care about — and it can include multiple VMs. The proxy appliance isolates the DataLab from the production network yet reproduces the IP space in the private network without interference via a masquerade IP address. With this configuration, the DataLab allows Veeam users to test changes to systems without risk to production. This can include upgrading to Windows Server 2019, changing database versions, and more. Over the next weeks and month or so, I’ll be writing a more comprehensive document in whitepaper format that will take you through the process of setting up a DataLab and doing specific task-like upgrading to Windows Server 2019 or a newer version of SQL Server as well as migrating to Azure.

Another key technology where Veeam can help is the ability to restore Veeam backups to Microsoft Azure. This technology has been available for a long while and is now built into Veeam Backup & Replication. This is a great way to get workloads into Azure with ease starting from a Veeam backup. Additionally, you can easily test other changes to Windows and SQL Server with this process — put it into an Azure test environment to test the migration process, connectivity and more. If that’s a success, repeat the process as part of a planned migration to Azure. This cloud mobility technique is very powerful and is shown below for Azure:

Windows 2008 EOL

Why Azure?

This is because Microsoft announced that Extended Security Updates will be available for FREE in Azure for Windows server 2008 R2 for an additional three years after the end of the support deadline. Customers can rehost these workloads to Azure with no application code changes, giving them more time to plan for their future upgrades. Read more here.

What also is great about moving workloads to Azure is that this applies to almost anything that Veeam can back up. Windows Servers, Linux Agents, vSphere VMs, Hyper-V VMs and more!

Migrating to the latest platforms are a great way to stay in a supported configuration for critical applications in the data center. The difference is being able to do the migration without any surprises and with complete confidence. This is where Veeam’s DataLabs and Veeam Recovery to Microsoft Azure can work in conjunction to provide you a seamless experience in migrating to the latest SQL and Windows Server platforms.

Have you started testing Windows Server 2019? How many Windows Server 2008 R2 and SQL Server 2008 systems do you have? Let’s get DataLabbing!

Active Directory

Three Active Directory Automation Scripting Tips Using PowerShell

Active Directory is one of the most common products I see being automated. After all, it’s the perfect candidate. How many times do new users have to be created, group memberships changed, or new computers added? Employees are coming and going all the time, and the actions to perform these tasks are the same—every time.

Microsoft® has an Active Directory (AD) PowerShell module that allows anyone to manage AD objects and write scripts to tie various tasks together. However, with PowerShell expertise, we can create scripts that go past just finding users and groups. We can automate any task you can think of in AD.

Find All Effective Members of a Group

AD has a great feature that allows you to add groups to other groups. This cuts down on the number of repeated group assignments you have to make, and makes AD much cleaner. However, when navigating to a group in the AD Graphical User Interface (GUI), you can only see the members in that immediate group. You may see others, but you’ll have to look at the members of those groups over and over again.

It can become a pain when you want to see all of the affected user accounts, but we can solve that using a PowerShell code and a recursive function.

To find members of a group with PowerShell, use the Get-AdGroupMember cmdlet. This command returns all members in just that group. However, a property on each of those members is an AD attribute indicating if it’s a user, a group, etc. That way, we know what kind of object it is. Knowing this, we can build code to look at each of those members, check to see if they’re a group, and if so, run Get-AdGroupMember again. If not, we return the member.

We need to use a recursive function—a function that calls itself, forcing it to find user accounts nested deep inside of various groups. By using a recursive function like this, a user can be nested ten groups deep, and we’ll still find it.

An example of how this can be done is below. This function can be called via Get-NestedGroupMember -Group MyGroup.

function Get-NestedGroupMember {
[CmdletBinding()]
param (
[Parameter(Mandatory)]
[string]$Group
)

## Find all members in the group specified
$members = Get-ADGroupMember -Identity $Group
foreach ($member in $members) {
## If any member in that group is another group just call this function again
if ($member.objectClass -eq 'group') {
Get-NestedGroupMember -Group $member.Name
} else { ## otherwise, just output the non-group object (probably a user account)
$member.Name
}
}
}
Easily Find Inactive Group Policy Objects

The next tip is finding inactive Group Policy Objects (GPOs). Especially in large organizations, GPOs can get out of hand and run wild unless controlled. Sometimes there ends up being dozens of GPOs created that aren’t doing anything at all. Rather than picking these out one at a time via the GUI, we can build a simple script to find them all in one shot.

There are two ways to define an inactive GPO. This GPO could have all of its settings disabled, or it could not be linked to an organizational unit. We can create a script to find both of these types. First, we’ll pull all of the GPOs in the environment:

$allGpos = Get-Gpo -All

Once we have them all, we can then filter those GPOs by the ones that have all settings disabled:

$disabledGpos = $allGpos | Where-Object { $_.GpoStatus -eq 'AllSettingsDisabled' }
foreach ($oGpo in $disabledGpos) {
[pscustomobject]@{
Name = $oGpo.DisplayName
Status = 'Disabled'
}
}

Next, we can find all GPOs that aren’t linked to an organizational unit. This is a little trickier, but nothing we can’t handle using the code below:

## Create an empty array
$unlinkedGpos = @()
foreach ($oGpo in $allGpos) {
## Gather up all settings in the GPO
[xml]$oGpoReport = Get-GPOReport -Guid $oGpo.ID -ReportType xml;
## Only return the GPOs that don't have a LinksTo property meaning they aren't linked to an OU
if ('LinksTo' -notin $oGpoReport.GPO.PSObject.Properties.Name) {
[pscustomobject]@{
Name = $oGpo.DisplayName
Status = 'Unlinked'
}
}
}

This script will return a list of GPOs that look like this:

Name Status
---- ------
GPO1 Unlinked
GPO2 Disabled
GPO3 Disabled
Find How Long Ago a User Reset Their Password

For my last tip, let’s figure out how long ago a user’s password was set. More specifically, let’s write a small script that will allow us to find only those users that have had their password set within a configurable amount of days.

This small script uses the Get-AdUser command and filters the users returned using the Where-Object command. In this example, we’re looking at the passwordlastset attribute for each user that is greater than 30 days ago.

$daysOld = 30
$today = Get-Date
Get-AdUser -Filter { enabled -eq $true } -Properties passwordlastset | Where-Object 
{ $_.passwordlastset -gt $today.AddDays(-$daysOld) }
Summary

We’ve just skimmed the surface on what’s possible when automating with PowerShell and Active Directory. By leveraging Microsoft’s Active Directory module and stringing together commands with PowerShell, we’re able to come up with some interesting scripts.

 

Windows 7

Windows 7 EOL timebomb identified

Latest figures reveal Microsoft is still struggling to shift people off Windows 7. Will it be the XP End of Life drama all over again?

The number of people still using Windows 7 could lead to a problem when it eventually goes out of support, with even the well-received Windows 10 failing to convince a majority of users to upgrade.

Hospitals, and the police in particular have been slow to give up Windows XP, despite it being out of support and hence vulnerable to new forms of attack.

The latest Netmarketshare figures from Net Applications reveal the picture two years on from the launch of Microsoft Windows 10.

here are the latest month on month figures:

Windows 7: 48.43 (-0.48), Windows 10: 27.99 (+0.36), Windows XP, 6.07 (-0.03), Windows 8.x: 7.42 (-0.35), Mac OS 13 Beta: 0.02 (no change), Mac OS 12 (stable): 3.59 (+0.07), Mac OS 11: 1.09 (-0.08), Mac OS (older): 1.24.

Bottom line: Windows 90.37 percent of the market. Mac has 5.94 and Linux has taken a jump to 3.37 (0.84).

The only event of note – it has been quiet, as relatively few devices are released over the summer – is that there are now the same percentage of people using Windows 8.1 as there are Windows XP – 6.07.

So how is Windows 10 is actually doing? At launch, Microsoft stated it was aiming for 2 billion machines in its first two years. The fact it hasn’t achieved that even allowing for IoT and XBox devices, as well as a host of other new form factors, is obvious, but it was a big goal in the first place.

When the first figures came out, a few days after launch, Windows 10 was already sitting at 0.39 percent, thanks to the early adopters program. A year later, it sat at 22.99, as the free upgrade offer finished.

Microsoft would have had egg on their faces, had they extended the offer, but nevertheless, progress since has been slow. Today’s 27.99 means that just a five percent shift has moved to Windows 10 since the end of the freebie.

When you consider all the devices that Windows 10 is on besides desktops, that’s a pretty unhealthy figure. The last public figure that Terry Myerson gave was 500,000 devices. That’s just not good enough, and whatever Microsoft’s notoriously oily marketing people tell you, it remains a long way from where the company would hope to be.

Microsoft has actually increased its market share overall – It was 90.37 percent for August, up from 88.74 two years ago. But it’s actually down a tiny fragment on this time last year, where it was at 90.39.

So where is all this coming from? Well we can’t look to Windows 8.x which now has less than half the users of two years ago (from 15.86 to 7.42). And XP has dropped by a similar figure (from 13.09 to 6.07).

The issue is Windows 7. People and more especially businesses are still refusing to give it up. It has lost its market share – down from 60.75 in August 2015 to 48.43 percent in August 2017. But again – it’s actually UP on this time last year, where it was at 47.25.

So Microsoft’s increase market share seems to be down to the continuing success of an eight-year old operating system that has been superseded twice. In other words, come 2020, we’re going to have the XP debacle all over again.

And it’s not just Windows. Mac OS has actually fragmented in the past two years. The number of people of Mac OS has dropped from 7.66 to 5.85. Linux on the other hand continues to bloom in its own tiny way, going from 1.68 to 3.37.

There’s no question that the last two years have seen a tremendous change in the market – not least of all, the variety of form factors and new players such as Chrome OS, which isn’t included here for logistical reasons.

But the key problem remains, if Microsoft can’t shift people off Windows 7, without annoying them in the process, then we’re setting ourselves up for another End of Life timebomb.

Windows Server 2016

Now available: Windows Server 2016 Security Guide!

Windows Server 2016 includes major security innovations that can help protect privileged identity, make it harder for attackers to breach your servers, and detect attacks so that you can respond faster. This is powerful technology, and all that’s missing is guidance on how to best deploy and use Windows Server 2016 to protect your server workloads.

Microsoft have recently released their Windows Server 2016 Security Guide.

This paper includes general guidance for helping secure servers in your environment as well as specific pointers on how you can utilize new security features in Windows Server 2016. We are committed to continue our effort to provide you with the right security solutions so that you can better protect, detect and respond to threats in your datacenter and private cloud.

MSP

The Evolving Role of the Managed Service Provider

Nearly every enterprise has at least one relationship with a managed service provider today and it’s very likely that relationship has evolved over the years. Get ready, it’s changing again and very much to the advantage of the enterprise.

Managed services has its origins in the beginning of the tech market when companies would turn to a reseller to not only integrate but manage the finished solution. Reselling begot hosting in the late 1990s as the Internet began to crossover from government system to the foundation of our lives, as it exists today. Hosters played two key roles: granting individuals and companies access to the Internet and renting server rack space so corporate applications (mostly web sites) could have a point of presence (POP) on the Internet.

This business evolved from rack hoster to rentable IT admins, who took on the tasks of managing the hardware, OS and increasingly the middleware and applications that ran on those servers. The hosting market was a lucrative and relatively well protected space until cloud computing came along. With the introduction of Software as a Service, applications could now be delivered and managed directly by the software provider themselves. Salesforce led this new market disruption in typical innovator fashion by targeting smaller firms, with lower enterprise-grade expectations and line of business budgets. By the time SaaS started penetrating the enterprise market, its multi-tenant, highly scalable deployment model and new pay-per-user business model was hard for hosters to match and the fight was on.

Public cloud platforms added to the competitive threat by extending the SaaS basics to hosted applications. Now both application outsourcing and the core business of hosting were under threat. A surface examination of these developments might lead you to conclude that the days of the managed service provider were looking pretty gloomy but that’s actually far from the case. It’s simply another evolutionary point in the business life-cycle. While the volume of traditional hosting and application outsourcing opportunities diminish as more applications shift to SaaS or cloud platforms, we aren’t making a binary shift and nor are we getting a free ride from a management and monitoring perspective. Look a little deeper and you’ll find that a large percent of corporate workloads don’t easily fit onto cloud platforms, can’t be cleanly replaced by SaaS and won’t go through such a binary change. In fact the definition of an application is shifting and, for most businesses, already have.

Take, for example, the common business process of eCommerce. Is that a single application? For most companies, absolutely not. It’s a workflow that blends together multiple applications including ERP, CRM, commerce, machine learning, mobile and web, content management and many other elements. And if your company has been around more than 10 years it’s highly likely you have some pretty customized elements in that mix. And it’s a workflow we are constantly refining to stay competitive, improve customer satisfaction with and adapt as end users shift from web-centric to device-centric. So given the changes we are seeing in applications and the shift to cloud that is taking place, what is the end result – a highly blended mix where certain elements are shifted to SaaS, others moved to cloud platforms and others that can’t make the move but must continue as part of the mix.

According to Gartner, Inc., by 2018, more than 40% of enterprises will have implemented hybrid data centers, up from 10% in 2015. Given that we need to accelerate the evolution of this blended model to keep pace both competitively and with our ever-changing customers, what’s the best use of your limited development and IT staff resources? You will pick up some bandwidth as the management of SaaS apps shifts to the SaaS provider and of the infrastructure below the elements you can shift to cloud platforms. But the integration, evolution, security and need for more agile UX improvements all remain. And whether you put your applications on hyper-scale public clouds like Azure or on more localized offerings such as those provided by most MSPs, you still have to manage the Cloud Handshake.

Looking at your task list and cross-correlating this with your IT staff bandwidth, you’ll likely draw the conclusion that managing the Cloud Handshake falls low on the priority list. And this is exactly where the managed service provider can add the most value. And exactly where their business models are evolving. As pointed out in this white paper from Hosting.com, the future of the managed service provider is in managing the blended IT environment. The reality is that your deployment portfolio is evolving to a mix of in-house, hosted, SaaS and multiple cloud platforms. And managing this mix isn’t your core competency and shouldn’t be your priority. MSPs are evolving their business models towards managing this mix so you can focus on the things that are unique to your business.

 

Keyboard shortcuts

Windows 10 Tip: keyboard shortcuts to help you work faster

Did you know there’s a world of keyboard shortcuts available to you with Windows 10?

You can check out the full list of keyboard shortcuts here, but here are six to help you get started working faster and smarter:

Minimize all your open windows with Windows key + M

Keyboard Shortcuts

Snap one window to exactly half of your screen with Windows key + either of the side arrow keys, and magically snap a second window side-by-side for easy multitasking.

Keyboard Shortcuts

Need one more window? Press Windows key + the “up” arrow to snap a third.

Open Cortana* in listening (voice-command) mode with Windows key + Shift + C

Keyboard Shortcuts

Open Settings with Windows Key + I

Keyboard Shortcuts

Open the first item you have pinned on the Taskbar with Windows Key + T, then use arrow keys to move between other pinned apps

Keyboard Shortcuts

Open the Action Center to view your notifications with Windows Key + A

Keyboard Shortcuts

 

Head over here for a full list of keyboard shortcuts,

 

malware attack

Microsoft networking protocol at the core of recent global malware attacks

The company is going to kill off SMB1 at long last, but you shouldn’t wait to disable it

Another day, another global malware attack made possible by a Microsoft security hole. Once again, attackers used hacking tools developed by the U.S. National Security Agency (NSA), which were stolen and subsequently released by a group called Shadow Brokers.

This time around, though, the late-June attack apparently wasn’t ransomware with which the attackers hoped to make a killing. Instead, as The New York Times noted, it was likely an attack by Russia on Ukraine on the eve of a holiday celebrating the Ukrainian constitution, which was written after Ukraine broke away from Russia. According to the Times, the attack froze “computers in Ukrainian hospitals, supermarkets, and even the systems for radiation monitoring at the old Chernobyl nuclear plant.” After that, it spread worldwide. The rest of the world was nothing more than collateral damage.

The NSA bears a lot of responsibility for this latest attack because it develops these kinds of hacking tools and frequently doesn’t tell software makers about the security holes they exploit. Microsoft is one of many companies that have beseeched the NSA not to hoard these kinds of exploits. Brad Smith, Microsoft’s president and chief legal officer, has called on the NSA “to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits” and stop stockpiling them.

Smith is right. But once again, a global malware attack exploited a serious insecurity in Windows, this time a nearly 30-year-old networking protocol called SMB1 that even Microsoft acknowledges should no longer be used by anyone, anywhere, at any time.

First, a history lesson. The original SMB (Server Message Block) networking protocol was designed at IBM for DOS-based computers nearly 30 years ago. Microsoft combined it with its LAN Manager networking product around 1990, added features to the protocol in its Windows for Workgroups product in 1992, and continued using it in later versions of Windows, up to and including Windows 10.

Clearly, a networking protocol designed originally for DOS-based computers, then combined with a nearly 30-year-old networking system, is not suitable for security in an internet-connected world. And to its credit, Microsoft recognizes that and is planning to kill it. But a lot of software and enterprises use the protocol, and so Microsoft hasn’t yet been able to do it in.

Microsoft engineers hate the protocol. Consider what Ned Pyle, principal program manager in the Microsoft Windows Server High Availability and Storage group, had to say about it in a prescient blog in September 2016:

“Stop using SMB1. Stop using SMB1. STOP USING SMB1!… The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80’s, it was designed for a world that no longer exists. A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed though modern eyes.”

Back in 2013, Microsoft announced it would eventually kill SMB1, saying the protocol was “planned for potential removal in subsequent releases.” That time is almost here. This fall, when the Windows 10 Fall Creators Update is released, the protocol will finally be removed from Windows.

But enterprises shouldn’t wait for then. They should remove the protocol right away, just as Pyle recommends. Before doing that, they would do well to read the SMB Security Best Practices document, put out by US-CERT, which is run by the U.S. Department of Homeland Security. It suggests disabling SMB1, and then “blocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.”

As for how to disable SMB1, turn to a useful Microsoft article, “How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server.” Note that Microsoft recommends keeping SMB2 and SMB3 active, and only deactivating them for temporary troubleshooting.

An even better source for killing SMB1 is the TechNet article “Disable SMB v1 in Managed Environments with Group Policy.” It is the most up-to-date article available and more comprehensive than others.

Turning off SMB1 will do more than protect your enterprise against next global malware infection. It will also help keep your company safer against hackers who specifically target it and not the entire world.


This article was reposted from : www.computerworld.com

Windows Server 2016

Windows Server 2016 docs are now on docs.microsoft.com

Microsoft have recently announced that their IT pro technical documentation for Windows Server 2016 and Windows 10 and Windows 10 Mobile is now available at docs.microsoft.com.

docs.microsoft.com

Why move to docs.microsoft.com?

Well here microsoft promise:

“a crisp new responsive design that looks fantastic on your phone, tablet, and PC. But, more importantly, you’ll see new ways to engage with Microsoft and contribute to the larger IT pro community. From the ground up, docs.microsoft.com that offers:

  • A more modern, community-oriented experience that’s open to your direct contribution and feedback.
  • Improved content discoverability and navigation, getting you to the content you need – fast.
  • In article Comments and inline feedback.
  • Downloadable PDF versions of key IT pro content collections and scenarios. To see this in action, browse to the recently released Performance Tuning Guidelines for Windows Server 2016 articles, and click Download PDF.
  • Active and ongoing site improvements, including new features, based on your direct feedback. Check out the November 2016 platform update post to see the latest features on docs.microsoft.com.”

How to contribute to IT pro content

Microsoft recognize that customers are eager to share best practices, optimizations, and samples with the larger IT pro community. Docs.microsoft.com makes contribution easy.

Community contributions are open for your contribution. Learn more about editing an existing IT pro article.

Windows 10

Microsoft to revamp its documentation for security patches

Microsoft has eliminated individual patches from every Windows version, and Security Bulletins will go away soon, replaced by a spreadsheet with tools

With the old method of patching now completely gone—October’s releases eliminated individual patches from every Windows version—Microsoft has announced that the documentation to accompany those patches is in for a significant change. Most notable, Security Bulletins will disappear, replaced by a lengthy list of patches and tools for slicing and dicing those lists.

Security Bulletins go back to June 1998, when Microsoft first released MS98-001. That and all subsequent bulletins referred to specific patches described in Knowledge Base articles. The KB articles, in turn, have detailed descriptions of the patches and lists of files changed by each patch. The Security Bulletins serve as an overview of all the KB patches associated with a specific security problem. Some Security Bulletins list dozens of KB patches, each for a specific version of Windows.

Starting in January, we’ll have two lists—or, more accurately, two ways of viewing a master table.

Keep in mind that we’re only talking about security patches and the security part of the Windows 10 cumulative updates. Nonsecurity patches and Win7/8.1 monthly rollups are outside of this discussion.

To see where this is going and to understand why it’s vastly superior to the Security Bulletin approach, look at the lists for November 8, this month’s Patch Tuesday. The main Windows Update list

shows page after page of security bulletins, identified by MS16-xxx numbers, and those numbers have become ambiguous. See, for example, MS16-142 on that list, which covers both the Security-only update for Win7, KB 3197867, and the Monthly rollup for Win7, KB 3197868. The MS16-142 Security Bulletin itself runs on for many pages.

Now flip over to the Security Updates Guide. In the filter box type windows 7 and press Enter. You see four security patches (screenshot below): IE11 and Windows, both 32- and 64-bit. They’re all associated with KB 3197867.security-update-100692728-large

In the Software Update Summary, searching for “windows 7” yields only one entry, for the applicable KB number (screenshot below).

software-update-summary-100692730-large

Here’s why the tools are important. On this month’s Patch Tuesday, we received 14 Security Bulletins. Those Security Bulletins actually contain 55 different patches for different KB numbers; the Security Bulletin artifice groups those patches together in various ways. The 55 different security patches actually contain 175 separate fixes, when you break them out by the intended platform.

There’s a whole lotta patchin’ goin’ on.

Starting this month, you can look at the patches either individually (in the Security Updates Guide) or by platform (in the Software Update Summary), or you can plow through those Security Bulletins and try to find the patches that concern you. Starting in January, per the Microsoft Security Response Center, the Security Bulletins are going away.

Of course, the devil’s in the implementation details, but all in all this seems to me like a reasonable response to what has become an untenable situation.


This is a repost from http://www.infoworld.com/

Windows Server 2016: 5 Things You Need to Know

On October 12th, Microsoft released their latest server operating system – Windows Server 2016. To ensure your success, we’ve gathered a list of the top 5 things you need to know.

We’ve been preparing for Windows Server 2016 for the past couple months, and even attended Microsoft Ignite a few weeks ago, to make sure we’re up to date on all the latest and greatest news.

While TechNet has already published a “What’s New in Windows Server 2016” article, at ConnectWise we want to take you a bit deeper and call out a few things technology solution providers like you should be aware of.

Patching

Windows Server 2016 continues Microsoft’s move to deployment rings. Windows 10 introduced 6 deployment ring options spread across 3 phases (also known as servicing branches):

Insider – 1 ring
Current Branch (CB) – 2 rings
Current Branch for Business (CBB) – 3 rings
Then, enterprise customers wanted an even slower option, so a special edition of Windows 10 was released called Windows 10 Enterprise Long-Term Servicing Branch (LTSB) – which essentially added a fourth phase / seventh deployment ring.

With Windows Server 2016, the installation option you choose will determine which servicing branch you default to. Server 2016 with Desktop Experience and Core will both default to the LTSB, which is great for reducing problems in a production environment. Just be aware that the LTSB won’t include certain things, like Edge browser.

Nano

There’s been a ton of hype about the Nano Server option. But before you start spinning them up in production, you should know that Nano Servers don’t use the LTSB (see above). Instead, they default to the CBB, which means more frequent patches (CBB is Phase 3. LTSB is Phase 4).

Given some recently reported issues with the Windows 10 Anniversary Update, we’ll let you decide whether this is a good idea or not for your business and clients. Also, it’s important to note that Nano Servers requires Microsoft Software Assurance.

Licensing

Speaking of Software Assurance, you may have noticed that Microsoft is changing how they license certain editions of Windows Server 2016.

Back in 2013, Microsoft introduced core-based licensing because processors weren’t a precise enough measure (since each processor can have a varying number of cores). Though, you could still get Datacenter and Standard editions under the processor-based licensing model.

Starting with Server 2016, processor-based licensing is no longer available for Datacenter and Standard edition. If you were lucky enough to renew your Software Assurance agreement recently, this won’t apply to you until renewal.

Even then, during renewal, you’ll get 16 core licenses for each applicable on-premise processor license and 8 core licenses for each service provider processor license.

Containers

On the plus side, if you opt for Datacenter or Standard under the core-based licensing model, you’ll now be able to use one of the most talked about features of Server 2016 – containers!

For anyone that’s not familiar with containers, Microsoft considers them “the next evolution of virtualization” and they come in two flavors:

Windows Server containers
Hyper-V containers
With either of the core-based editions for Server 2016, you can run unlimited Windows Server containers by sharing the host kernel. If that’s a security concern for you or your clients, then you’ll want to use Hyper-V containers to isolate the host’s kernel from each container.

Just know that unlike Windows Server containers, you can only run 2 Hyper-V containers on each Standard edition server. If you want unlimited Hyper-V containers, you’ll need Datacenter edition. But whichever choice you make, both types of container can work with Docker.

Windows Defender

When upgrading to Windows Server 2016 from a prior version with antivirus installed, you may run into problems. That’s because the upgrade process installs and enables Windows Defender by default.

Luckily, whether the user interface is enabled or not (which seems to depend on edition), there’s a quick PowerShell command you can run to disable Windows Defender entirely:

Uninstall-WindowsFeature -Name Windows-Server-Antimalware

(Bonus) Modern Lifecycle Policy

While not directly related to Windows Server 2016, here’s a bonus that partners should be aware of: Microsoft has announced their new Modern Lifecycle Policy. For now, this policy only applies to four Microsoft products:

System Center Configuration Manager (current branch)
.NET core
NET
Entity Framework core

The new policy essentially says that Microsoft will only support the current version and once they announce End of Life for a product, you have 12 months before support ends.

Given the heavy push to Microsoft’s new serving model for Windows 10 and now Server 2016, it’s a safe bet that the list of products this policy applies to will grow.

When it comes to the release of Windows Server 2016, there’s a lot to digest (known issues, PowerShell 5.0, WMF 5.1, Just Enough Administration, IIS 10).

Given the number of clients you support that may ask about upgrading older systems or virtualizing, we’re sure you’ll have plenty of opportunity to learn more… but before your clients ask, we wanted you be aware of some of the business and technical nuances.


This post was provided by one of our service providers ConnectWise.