



















































Windows_Server_2016_Technical_Feature_Comparison_DETAILED
© 2016 Microsoft Corporation. All rights reserved. This document is for informational purposes only. Microsoft makes no warranties express or implied, with respect to the information presented here.
How to use this comparison guide
Windows Server 2016 – The cloud-ready operating system
Windows Server 2016 editions
Azure Hybrid Use Benefit
Security
Identity
Compute
Storage
Networking
Virtualization
High availability
Management and automation
Remote Desktop Services (RDS)
Application development
This feature comparison guide compares selected features of Microsoft Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016. Its goal is to help customers understand the differences between the version they are running today and the latest version available from Microsoft.
The comparison table includes comments about each feature, as well as notation about how well each feature is supported in each release. The legend for this notation is given in the table below.
Level of feature support
Feature name
Not Supported
Partially Supported
Fully Supported
Feature description
Windows Server 2016 is the cloud-ready operating system that delivers new layers of security and Azure-inspired innovation for the applications and infrastructure that power your business. Increase security and reduce business risk with multiple layers of protection built into the operating system. Evolve your datacenter to save money and gain flexibility with software-defined datacenter technologies inspired by Microsoft Azure. Innovate faster with an application platform optimized for the applications you run today as well as the cloud-native apps of tomorrow.
Built-in security
Windows Server 2016 includes built-in breach resistance to help thwart attacks on your systems and meet compliance goals. Even if someone finds a way into your environment, the layers of security built into Windows Server 2016 limit the damage they can cause and help detect suspicious activity.
Software-defined infrastructure
Datacenter operations are struggling to reduce costs while handling more data traffic. New applications stretch the operational fabric and create infrastructure backlogs that can slow business. Windows Server 2016 delivers a more flexible and cost-efficient operating system for datacenters, using software-defined compute, storage, and network virtualization features inspired by Azure.
Resilient compute
Run your datacenter with a highly automated, resilient, virtualized server operating system.
For the Standard and Datacenter editions, there are three installation options:
When you are ready to transition workloads to the public cloud, you can leverage your existing investment in Windows Server. The Azure Hybrid Use Benefit lets you bring your on-premises Windows Server license with Software Assurance to Azure. Rather than paying the full price for a new Windows Server virtual machine, you will only pay the base compute rate. More information can be found at http://azure.microsoft.com/en-us/pricing/hybrid-use-benefit/.
Windows Server 2016 delivers layers of protection that help address emerging threats and meet your compliance needs, making Windows Server 2016 an active participant in your security defenses. These include the new Shielded Virtual Machine feature that protects VMs from attacks and compromised administrators in the underlying fabric, extensive threat resistance components built into the Windows Server 2016 operating system and enhanced auditing events that will help security systems detect malicious activity.
Shielded Virtual Machines
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
Shielded Virtual Machines and Guarded Fabric help provide hosting service providers and private cloud operators the ability to offer their tenants a hosted environment where protection of tenant virtual machine data is strengthened against threats from compromised storage, network and host administrators, and malware. For example: If you are running your domain controllers or sensitive SQL databases as a virtual machine, you would want to shield them from fabric attacks.
A Shielded Virtual Machine is a generation 2 VM (supports Windows Server 2012 and later) that has a virtual TPM, is encrypted using BitLocker and can only run on healthy and approved hosts in the fabric. You can configure to run a Shielded Virtual Machine on any Hyper-V host. For the highest levels of assurance, the host hardware requires TPM 2.0 (or later) and UEFI 2.3.1 (or later).
Credential Guard
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
Credential Guard helps prevent pass-the-hash attacks by utilizing virtualization-based security to isolate credential artifacts from administrators. Credential Guard offers better protection against advanced persistent threats by protecting credentials on the system from being stolen by a compromised administrator or malware.
Credential Guard can also be enabled on Remote Desktop Services servers and Virtual Desktop Infrastructure so that the credentials for users connecting to their sessions are protected.
Remote Credential Guard
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. If the target device is compromised, your credentials are not exposed because both credentials and credential derivatives are never sent to the target device.
Device Guard
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
Device Guard uses Virtualization Based Security to ensure that only allowed binaries can be run on the system. If the app or driver isn’t trusted, it can’t run.
Device Guard can also help protect Remote Desktop Services to lock down what applications can run within the user sessions.
AppLocker
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies. AppLocker and Device Guard can be used in tandem to provide a wide set of software restriction policies that meets your operational needs.
Privileged Access: Just Enough Administration
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
Administrators should only be able to perform their role and nothing more. For example: A file server administrator can restart services, but should not be able to browse the data on the server.
Just Enough Administration (JEA) provides a role-based access platform through PowerShell. It allows specific users to perform specific administrative tasks on servers without giving them administrator rights.
JEA is built into Windows Server 2016 and you can also use WMF 5.0 to take advantage of JEA on Windows Server 2008 R2 and higher.
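The file server case above can be expressed as a JEA endpoint that permits restarting named services and exposes no file system access. This is an added example, not configuration from the guide; the group `CONTOSO\FileServerOperators`, the user `CONTOSO\alice`, the module and endpoint names, and the service names are assumptions.

```powershell
# Added example (not from the guide). Run in an elevated session on the server.
# Assumed names: CONTOSO\FileServerOperators, CONTOSO\alice, FileServerJEA,
# FileServerOperator, and the services LanmanServer and DFSR.

$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\FileServerJEA'
$jeaDir = Join-Path $env:ProgramData 'JEA'
New-Item -ItemType Directory -Force -Path "$module\RoleCapabilities", "$jeaDir\Transcripts" |
    Out-Null
New-ModuleManifest -Path "$module\FileServerJEA.psd1"   # makes the folder a discoverable module

# Role capability: the only commands this role exposes. No provider is made
# visible, so there is no FileSystem drive to browse from inside the session.
New-PSRoleCapabilityFile -Path "$module\RoleCapabilities\FileServerOperator.psrc" -VisibleCmdlets @(
    'Get-Service',
    @{ Name       = 'Restart-Service'
       Parameters = @{ Name = 'Name'; ValidateSet = 'LanmanServer', 'DFSR' }, @{ Name = 'Force' } }
)

# Session configuration: RestrictedRemoteServer gives a NoLanguage session with a
# minimal default command set. Commands run as a temporary virtual account, so the
# connecting user never holds administrator rights on the server.
$pssc = Join-Path $jeaDir 'FileServerOperator.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory "$jeaDir\Transcripts" `
    -RoleDefinitions @{ 'CONTOSO\FileServerOperators' = @{ RoleCapabilities = 'FileServerOperator' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Invalid session configuration: $pssc"
}
Register-PSSessionConfiguration -Name 'FileServerOperator' -Path $pssc -Force

# Verification: list exactly what a member of the group would be able to run.
Get-PSSessionCapability -ConfigurationName 'FileServerOperator' -Username 'CONTOSO\alice' |
    Select-Object Name, CommandType
```

Operators then connect with `Enter-PSSession -ComputerName <server> -ConfigurationName FileServerOperator`, and each session is recorded in the transcript directory.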
Privileged Access: Just-in-Time Administration
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
The concept of Just-in-Time Administration helps transform administration privileges from perpetual administration to time-based administration. When a user needs to be an administrator, they go through a workflow that is fully audited and provides them with administration privilege for a limited time by adding them to a time-based security group and automatically removing them after that period of time has passed.
The deployment of Just-in-Time Administration includes creating an isolated administration forest, where the controlled administrator accounts will be managed.
Virtualization Based Security
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
Virtualization Based Security (VBS) is a new protected environment that provides isolation from the running operating system so that secrets and control can be protected from compromised administrators or malware. VBS is used by Device Guard to protect kernel code, Credential Guard for credential isolation and Shielded VMs for the virtual TPM implementation.
Virtual TPM: Trusted Platform Module
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
Implemented in Windows Server 2016 Hyper-V, a Generation 2 virtual machine (Windows Server 2012 and later) can now have its own Virtual TPM so that it can use it as a secure crypto-processor chip. The virtual TPM is a new synthetic device that provides TPM 2.0 functionality.
Virtual TPM does not require a physical TPM to be available on the Hyper-V host, and its state is tied to the VM itself rather than the physical host it was first created on so that it can move with the VM. VMs with a virtual TPM can run on a guarded fabric.
The Shielded VM functionality uses the Virtual TPM for BitLocker encryption.
Client machines running on Virtual Desktop Infrastructure can now use a vTPM as well.
BitLocker encryption
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
Windows BitLocker drive encryption provides better data protection for your computer, by encrypting all data stored on the Windows operating system volume and/or data drives.
SMB 3.1.1 security improvements
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
Security improvements to SMB 3.1.1 include pre-authentication integrity and SMB encryption improvements.
Pre-authentication integrity provides improved protection from a man-in-the-middle attacker tampering with SMB’s connection establishment and authentication messages. Pre-Auth integrity verifies all the “negotiate” and “session setup” exchanges used by SMB with a strong cryptographic hash (SHA-512). If your client and your server establish an SMB 3.1.1 session, you can be sure that no one has tampered with the connection and session properties.
SMB 3.1.1 offers a mechanism to negotiate the crypto algorithm per connection, with options for AES-128-CCM and AES-128-GCM.
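The sketch below shows why a changed negotiate message prevents an SMB 3.1.1 session from being established: both ends chain SHA-512 over the messages they saw and feed the result into signing-key derivation. It is an added example, not code from the guide; the key-derivation step follows the public MS-SMB2 specification rather than anything stated on this page, and the message bytes and session key are constructed placeholders.

```powershell
# Added illustration. The "messages" are constructed placeholder byte strings,
# not real SMB2 packets; only the chaining and key-derivation logic is the point.

function Get-PreauthHash {
    # The chain starts as 64 zero bytes; each message is absorbed in wire order:
    #   H = SHA-512(H || message)
    param([byte[][]]$Messages)
    [byte[]]$hash = New-Object byte[] 64
    $sha = [System.Security.Cryptography.SHA512]::Create()
    try {
        foreach ($message in $Messages) {
            $hash = $sha.ComputeHash([byte[]]($hash + $message))
        }
    } finally { $sha.Dispose() }
    return ,$hash
}

function Get-SmbSigningKey {
    # SP 800-108 counter-mode KDF with HMAC-SHA256, one block, 128-bit output:
    #   HMAC(SessionKey, 00000001 || Label || 00 || Context || 00000080)
    # For dialect 3.1.1 the Context is the pre-authentication hash.
    param([byte[]]$SessionKey, [byte[]]$PreauthHash)
    $label = [System.Text.Encoding]::ASCII.GetBytes("SMBSigningKey`0")
    [byte[]]$kdfInput = [byte[]]@(0, 0, 0, 1) + $label + [byte[]]@(0) +
                        $PreauthHash + [byte[]]@(0, 0, 0, 128)
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($SessionKey)
    try { return ,([byte[]]($hmac.ComputeHash($kdfInput)[0..15])) }
    finally { $hmac.Dispose() }
}

$ascii = [System.Text.Encoding]::ASCII
# Constructed stand-ins for the messages both ends hash before keys are derived.
$negotiateRequest  = $ascii.GetBytes('NEGOTIATE-REQ dialects=3.0,3.1.1 ciphers=AES-128-GCM,AES-128-CCM')
$negotiateResponse = $ascii.GetBytes('NEGOTIATE-RSP dialect=3.1.1 cipher=AES-128-GCM')
$sessionSetupReq   = $ascii.GetBytes('SESSION-SETUP-REQ <auth token>')
# The same request as the server would see it if it had been altered in transit.
$alteredRequest    = $ascii.GetBytes('NEGOTIATE-REQ dialects=3.0,3.1.1 ciphers=AES-128-CCM')

[byte[]]$sessionKey = 1..16   # constructed; the real key comes out of authentication

$clientHash = Get-PreauthHash -Messages @($negotiateRequest, $negotiateResponse, $sessionSetupReq)
$serverHash = Get-PreauthHash -Messages @($alteredRequest,   $negotiateResponse, $sessionSetupReq)

$clientKey = [System.BitConverter]::ToString(
    (Get-SmbSigningKey -SessionKey $sessionKey -PreauthHash $clientHash))
$serverKey = [System.BitConverter]::ToString(
    (Get-SmbSigningKey -SessionKey $sessionKey -PreauthHash $serverHash))

"Client signing key: $clientKey"
"Server signing key: $serverKey"
if ($clientKey -ne $serverKey) {
    # The server signs its final session setup response with its key; the client
    # verifies with a different key, the check fails, and the session is dropped.
    'Keys differ: the signed session setup response would not verify.'
}
```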
PowerShell 5.1 security features
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
There are several new security features included in PowerShell 5.1. These include: Script block logging, Antimalware Integration, Constrained PowerShell and transcript logging.
PowerShell 5.1 is also available for install on previous operating systems starting from Windows Server 2008 R2 and on.
Identity is the new control plane to secure access to on-premises and cloud resources. It centralizes your ability to control user and administrative privileges, both of which are very important when it comes to protecting your data and applications from malicious attack. At the same time, our users are more mobile than ever, and need access to computing resources from anywhere.
Active Directory Domain Services
Active Directory Domain Services (AD DS) stores directory data and manages communication between users and domains, including user logon processes, authentication, and directory searches. An Active Directory domain controller is a server that is running AD DS.
New domain services capabilities
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
New in Windows Server 2016:
Active Directory Federation Services
Active Directory Federation Services (AD FS) is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet. The service builds on the extensive AD FS capabilities available in the Windows Server 2012 R2 timeframe. Key enhancements to AD FS in Windows Server 2016, including better sign-on experiences, smoother upgrade and management processes, conditional access, and a wider array of strong authentication options, are described in the topics that follow.
Better sign-on to Azure AD and Office 365
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
One of the most common usage scenarios for AD FS continues to be providing sign-on to Office 365 and other Azure AD based applications using your on-premises Active Directory credentials.
AD FS extends hybrid identity by providing support for authentication based on any LDAP v3 compliant directory, not just Active Directory. This allows you to enable sign in to AD FS resources from:
Support for LDAP v3 directories is done by modeling each LDAP directory as a “local” claim that providers trust. This enables the following admin capabilities:
Improved sign-on experience
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
AD FS now allows for customization of the sign-on experience. This is especially applicable to organizations that host applications for a number of different customers or brands. With Windows Server 2016, you can customize not only the messages, but images, logo and web theme per application. Additionally, you can create new, custom web themes and apply these per relying party.
Users on Windows 10 devices and computers will be able to access applications without having to provide additional credentials, just based on their desktop login, even over the extranet.
Strong authentication options
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
AD FS in Windows Server 2016 provides more ways to authenticate different types of identities and devices. In addition to the traditional Active Directory based logon options (and new LDAP directory support), you can now configure device authentication or Azure MFA as either primary or secondary authentication methods.
Using either the device or Azure Multi-Factor Authentication (MFA) methods, you can create a way for managed, compliant, or domain-joined devices to authenticate without the need to supply a password, even from the extranet. In addition to seamless single sign-on based on desktop login, Windows 10 users can sign on to AD FS applications based on Microsoft Passport credentials, for a more secure and seamless way of authenticating both users and devices.
Seamless sign-on from Windows 10 and Microsoft Passport
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD, as well as stronger and more seamless Microsoft Passport based authentication. This provides the following benefits after being connected to Azure AD:
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS.
Developer focus
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
AD FS for Windows Server 2016 builds upon the OAuth protocol support to enable the most current and industry standard-based authentication flows among web apps, web APIs, browser and native client-based apps. In Windows Server 2016, the following additional protocols and features are supported:
Registering modern applications has also become simpler using AD FS in Windows Server 2016. Now instead of using PowerShell to create a client object, modeling the web API as an RP, and creating all of the authorization rules, you can use the new Application Group wizard.
Active Directory Lightweight Directory Services (AD LDS)
AD LDS is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled applications, without the dependencies that are required for Active Directory Domain Services (AD DS). AD LDS provides much of the same functionality as AD DS, but it does not require the deployment of domains or domain controllers.
Active Directory Lightweight Directory Services
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
There are no significant enhancements to AD LDS in Windows Server 2016.
Existing capabilities that continue to be offered in AD LDS include:
Web Application Proxy
The Web Application Proxy is a Windows Server service that allows for secure publishing of internal resources to users on the Internet.
Web Application Proxy
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
Web Application Proxy supports new features including pre-authentication support with AD FS for HTTP Basic applications such as Exchange Active Sync. Additionally, certificate authentication is now supported.
The following new features build on the existing application publishing capabilities found in the Web Application Proxy:
Pre-authentication for HTTP basic application publishing: HTTP Basic is the authorization protocol used by many protocols, including ActiveSync, to connect rich clients, including smartphones, with your Exchange mailbox. Web Application Proxy traditionally interacts with AD FS using redirections, which are not supported on ActiveSync clients.
This new version of Web Application Proxy provides support to publish an app using HTTP basic by enabling the HTTP app to receive a non-claims relying party trust for the application to the Federation Service. For more information on HTTP basic publishing, see Publishing Applications using AD FS Pre-authentication.
Nano Server OS capabilities
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
Nano Server is available in Windows Server 2016 for:
Nano Server supports the following included optional roles and features:
All supported optional roles and features can be installed either offline, by injecting them into a Nano Server image, or online, when Nano Server is running. To enable the fastest possible time from instantiating a new Nano Server instance to the point where a role or feature is up and running, the recommended approach is to inject the role or feature into the offline Nano Server image. The Nano Server roles and features are not included in the image; instead, they are separate packages in order to minimize the footprint when Nano Server is deployed. Any roles and features not used are not in the image or consuming disk space.
Nano Server is not listed in Setup. Instead, there is a Nano Server folder on the media with a Nano Server WIM file and a packages folder. Included with Nano Server is a PowerShell module that can be used to create and configure a Nano Server image, including adding drivers, roles, and features to a Nano Server image.
Nano Server can join an Active Directory domain, but does not support Group Policy. To apply policy at scale, Nano Server supports DSC.
Nano Server does not have a local user interface; all management of Nano Server must be done remotely using PowerShell, MMC snap-ins, the new web-based Server management tools, or other remote management tools. Nano Server includes PowerShell Core and a set of cmdlets as well as WMIv1 and WMIv2 providers for remote management and automation. The exception to no local user interface is the Nano Server Recovery Console. If keyboard and video access (locally, vmconnect, or BMC) is available, there is a text mode logon that provides a simple menu to repair the network configuration. This is provided so that if the network is misconfigured remotely and the remote management tools can no longer connect, the network can be repaired instead of redeploying.
Nano Server Hyper-V
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
The Windows Server 2016 Hyper-V role can be installed on a Nano Server; this is a key Nano Server role, shrinking the OS footprint and minimizing reboots required when Hyper-V is used to run virtualization hosts. Nano Server can be clustered, including Hyper-V failover clusters.
Hyper-V works the same on Nano Server as it does in Windows Server 2016, aside from a few caveats:
Nano Server Storage Server
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
Nano Server can run the Windows file server role, which works the same as it does on a full deployment of Windows Server 2016. The same management restrictions apply – all management must be performed remotely through PowerShell or management consoles.
Nano Server can also use Multi-Path IO for disk throughput and redundancy, and the file server role can also be joined to a failover cluster in Nano Server. In addition, there is full iSCSI support and Windows Server 2016 data deduplication can be used to conserve disk space. The combination of these features makes Nano Server an excellent candidate for use as a scale-out file server cluster, which can back a Hyper-V private cloud using a low-footprint, lower-maintenance OS.
Nano Server also supports the new Storage Server capabilities introduced in Windows Server 2016, such as Storage Replica. For more details on these, see the Storage Server section below.
IIS on Nano Server
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
A subset of IIS 10.0 is supported on Nano Server in Windows Server 2016 with support for ASP.NET Core.
Linux Secure Boot
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
Linux operating systems running on generation 2 virtual machines can now boot with the Secure Boot option enabled.
Supported Linux versions include: Ubuntu 14.04 and later, SUSE Linux Enterprise Server 12 and later, Red Hat Enterprise Linux 7.0 and later, and CentOS 7.0 and later.
PowerShell Desired State Configuration for Linux
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
PowerShell Desired State Configuration (DSC) enables you to declaratively specify the configuration of your server, and PowerShell DSC will “make it so.” Originally released for Windows, PowerShell DSC is now available for your Linux servers, using the same declarative syntax.
PowerShell on Linux and Mac OS X
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
See the Management and Automation section for details on this exciting new capability for Linux and Mac OS X.
Hot add and remove for network adapters
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
You can now add or remove a network adapter while the virtual machine is running, without incurring downtime. This works for generation 2 virtual machines that run either Windows or Linux operating systems.
Manual hot add and remove memory
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
You can now add or remove memory assigned to a virtual machine while the virtual machine is running, without incurring downtime. The “add” or “remove” operation is performed by an IT administrator, and is separate from “Dynamic Memory” functionality, where Hyper-V automatically adds or removes memory from guests in order to meet varying memory demand over time. Manual hot add and remove works for virtual machines that run either Windows or Linux operating systems.
Discrete Device Assignment
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
You can now map some PCI Express devices attached to the Hyper-V host directly into the address space of a Windows or Linux guest. Applications and libraries running in user space in the guest can directly access the device. For example, Discrete Device Assignment (DDA) can be used to map a physical GPU into a Linux guest so that a High Performance Computing (HPC) application can use it for high-speed computation.
SR-IOV support for Linux Guests
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
SR-IOV is now available for Linux guests, just as it is available for Windows guests. When using physical NICs in the Hyper-V host that are SR-IOV capable, Linux guests can directly access NIC functions in order to achieve higher performance. As with Windows guests, Linux guests in a Hyper-V cluster can be live-migrated when using SR-IOV, and will automatically fall back to a normal network path if the target Hyper-V host does not have equivalent SR-IOV capability.
Hyper-V Socket support for Linux
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
Hyper-V Sockets provides a secure, general purpose communication channel between Hyper-V host and guest operating systems. Hyper-V Sockets communicates over the VMBus and therefore doesn’t require network connectivity between the guest and the Hyper-V host. Applications communicating over Hyper-V Sockets use standard “sockets” as the programming model, and appear in the Windows and Linux operating systems as a new socket address family type.
Microsoft offers an industry leading portfolio for building on-premises clouds. We embrace your choice of storage for your cloud – be it traditional SAN/NAS or the more cost-effective software-defined storage solutions using Storage Spaces Direct and Storage Spaces with shared JBODs. In Windows Server 2016, we support hyper-converged infrastructure with Storage Spaces Direct. The Microsoft hyper-converged solution offers the following advantages: