Windows Server 2012 R2 Jumpstart

Presentation transcript:

Windows Server 2012 R2 Jumpstart
Windows Server Management Marketing, 4/19/2017
Break
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Virtualization Storage Storage Networking Identity and Access

Networking Scale Multitenant Cost

What is Software Defined Networking?
Enables software to dynamically manage the network by:
Enabling integrated policies that span physical and virtual networks.
Abstracting workloads from the physical network.
Controlling datacenter traffic flow.

Hyper‑V Network Virtualization
Policy settings (Customer Address -> Provider Address):
Blue Corp: 10.1.1.1 -> 192.168.1.10, 10.1.1.2 -> 192.168.1.12
Yellow Corp: 10.1.1.1 -> 192.168.1.11, 10.1.1.2 -> 192.168.1.13
Customer address spaces: in both Blue Corp and Yellow Corp, SQL is 10.1.1.1 and Web is 10.1.1.2.
Diagram: Hyper‑V Host 1 and Hyper‑V Host 2 on the datacenter network, hosting the SQL and Web VMs of both tenants.
How IP address rewrite works:
Maps each Customer Address (CA) to a unique Provider Address (PA).
Sends information in regular TCP/IP packets on the wire.
Benefits:
Requires no upgrade of network adapters, switches, or network appliances.
Can be deployed today without sacrificing performance.

Hyper-V Network Virtualization
Tenants with overlapping IP address ranges share the same physical network.
Policies enforced at host level using PowerShell or System Center Virtual Machine Manager.
DHCP servers can be part of the virtualized network to enable locally assigned IP addresses.
Supports guest clustering.
Diagram: in the CUSTOMER ADDRESS SPACE, Blue and Orange each see SQL Server and Web at 10.1.1.1 and 10.1.1.2. What's really happening in the PROVIDER ADDRESS SPACE (PA), 192.168.n.n: 10.1.1.1 -> 192.168.1.10 and 10.1.1.2 -> 192.168.2.12, across Hyper-V 1 and Hyper-V 2.

Network Virtualization Packet Flow: Blue1 sending to Blue2 (VSID 5001)
Where is 10.10.10.11?
Blue1 (10.10.10.10) sends ARP Packet to locate 10.10.10.11 (Blue2).
Hyper-V Switch broadcasts ARP on VSID 5001.
Hyper-V Switch then broadcasts ARP to the rest of the network, but it is intercepted by the NV Filter. Note: ARP is not broadcast on the physical network.
NV Filter checks its Policy Table and responds with Blue2 MAC.
NV Filter sends ARP Response back into Hyper-V Switch and on to Blue1.
Diagram: on each host, the Hyper-V Switch (VSID ACL Enforcement) sits above Network Virtualization (IP Virtualization, Policy Enforcement, Routing). ARP TABLE: 10.10.10.11 -> 34:29:af:c7:d9:12. Provider addresses: 192.168.2.10 (MACPA1), 192.168.5.12 (MACPA2).

Network Virtualization Packet Flow: Blue1 sending to Blue2 (VSID 5001)
Blue1 starts to construct its packet for Blue2 and sends it to the Hyper-V Switch. Packet: MACB1 -> MACB2, 10.10.10.10 -> 10.10.10.11.
Hyper-V Switch attaches the VSID (5001).
NV Filter checks to see if Blue1 is allowed to contact Blue2, then constructs GRE Packet and sends it across the physical network. GRE Packet: MACP1 -> MACP2, 192.168.2.10 -> 192.168.5.12, GRE 5001, MACB1 -> MACB2, 10.10.10.10 -> 10.10.10.11.
On receiving host, opposite process takes place: NV Filter strips GRE, pulls out the VSID information, passes packet to Hyper-V Switch, where VSID is removed and packet is sent to Blue2 VM.
Diagram: on each host, the Hyper-V Switch (VSID ACL Enforcement) sits above Network Virtualization (IP Virtualization, Policy Enforcement, Routing). Provider addresses: 192.168.2.10 (MACPA1), 192.168.5.12 (MACPA2).
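The ARP and packet-flow slides above, modelled as an added Python example (not code from the presentation or from Microsoft). It assumes the standard NVGRE header layout (GRE key = 24-bit VSID plus 8-bit FlowID, protocol type 0x6558); Blue1's MAC, the VSID 6001 tenant and the receive-side policy check are constructed for illustration.

```python
import ipaddress
import struct

GRE_KEY_PRESENT = 0x2000  # GRE flags word: K bit set, C and S clear, version 0
ETHERTYPE_TEB = 0x6558    # Transparent Ethernet Bridging: GRE payload is an Ethernet frame
IPPROTO_GRE = 47

# Policy table: (VSID, customer address) -> (VM MAC, provider address of its host).
# The Blue addresses, both PAs and Blue2's MAC come from the slides; Blue1's MAC
# and the whole VSID 6001 tenant are constructed for this example.
POLICY = {
    (5001, "10.10.10.10"): ("34:29:af:c7:d9:11", "192.168.2.10"),  # Blue1
    (5001, "10.10.10.11"): ("34:29:af:c7:d9:12", "192.168.5.12"),  # Blue2
    (6001, "10.10.10.11"): ("00:15:5d:00:00:21", "192.168.5.12"),  # other tenant, same CA
}


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def arp_lookup(vsid, target_ca):
    """NV Filter answers ARP from its policy table; nothing reaches the physical network."""
    entry = POLICY.get((vsid, target_ca))
    return entry[0] if entry else None


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encapsulate(vsid, src_ca, dst_ca, payload, flow_id=0):
    """Send path: policy check, then outer IPv4 (PA -> PA) + GRE key + inner frame."""
    if not 0 <= vsid < 1 << 24:
        raise ValueError("VSID must fit in 24 bits")
    src, dst = POLICY.get((vsid, src_ca)), POLICY.get((vsid, dst_ca))
    if src is None or dst is None:
        raise PermissionError("no policy entry for this pair in VSID %d" % vsid)
    inner = mac_bytes(dst[0]) + mac_bytes(src[0]) + struct.pack("!H", 0x0800) + payload
    gre = struct.pack("!HHI", GRE_KEY_PRESENT, ETHERTYPE_TEB, (vsid << 8) | (flow_id & 0xFF))
    body = gre + inner
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, IPPROTO_GRE, 0,
                         ipaddress.IPv4Address(src[1]).packed,
                         ipaddress.IPv4Address(dst[1]).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + body  # outer Ethernet header (MACP1 -> MACP2) is left to the NIC


def decapsulate(packet, local_pa):
    """Receive path: strip outer IPv4 and GRE, recover the VSID, deliver only on a policy match."""
    if len(packet) < 20:
        raise ValueError("truncated outer header")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE or len(packet) < ihl + 8 + 14:
        raise ValueError("not an NVGRE packet")
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    outer_dst = str(ipaddress.IPv4Address(packet[16:20]))
    flags, proto, key = struct.unpack("!HHI", packet[ihl:ihl + 8])
    if flags != GRE_KEY_PRESENT or proto != ETHERTYPE_TEB:
        raise ValueError("not an NVGRE packet")
    vsid = key >> 8  # upper 24 bits; the low 8 bits are the FlowID
    inner = packet[ihl + 8:]
    dst_mac, src_mac = inner[0:6], inner[6:12]
    dst_ca, src_known = None, False
    for (v, ca), (mac, pa) in POLICY.items():
        if v != vsid:
            continue  # entries of other tenants are never consulted
        if mac_bytes(mac) == dst_mac and pa == local_pa:
            dst_ca = ca
        if mac_bytes(mac) == src_mac and pa == outer_src:
            src_known = True
    if outer_dst != local_pa or dst_ca is None or not src_known:
        return None  # drop: VSID, inner MACs and outer PAs do not agree with policy
    return vsid, dst_ca, inner[14:]
```

NVGRE itself carries no authentication, so the VSID in the GRE key only isolates tenants if every host checks it against policy on receive, as `decapsulate` does here.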

Multi-tenant VPN Gateway
Challenges:
Hoster wants to provide isolated networks for tenant VMs with integral S2S VPN and NAT.
Enterprises have virtualized networks split across different datacenters, or virtualized networks (NVGRE aware) communicating to physical networks (NVGRE unaware).
Solution: Multi-tenant VPN gateway in Windows Server 2012 R2 Preview
Integral multitenant edge gateway for seamless connectivity.
Guest clustering for high availability.
BGP for dynamic routes update.
Encaps/Decaps NVGRE packets.
Multitenant aware NAT for Internet access.
Diagram: Bridge Between VM Networks & Physical Networks. Contoso and Fabrikam sites (DNS, SQL, DC, SPS) connect by VPN over the Internet to the Multi-tenant VPN Gateway host, which fronts the Hyper-V hosts of the Datacenter Network Virtualization Fabric.

NIC Teaming
Provides network fault tolerance and continuous availability when network adapters fail by teaming multiple network interfaces.
Supports all vendors in-box.
Facilitates local or remote management through Windows PowerShell or UI.
Enables teams of up to 32 network adapters.
Aggregates bandwidth from multiple network adapters.
Includes multiple modes: switch dependent and independent.
Diagram: Operating system, Virtual adapters, Team network adapter. NIC Teaming: 8 x 1Gb NICs – 8Gb throughput.

Network fault tolerance with SMB Multichannel
Automatic detection and use of multiple network connections between SMB client and server.
Helps server applications be resilient to network failure.
Transparent Failover with recovery of network failure if another connection is unavailable.
Improved throughput:
Bandwidth aggregation through NIC Teaming.
Multiple nodes/CPUs for network processing with RSS-capable network adapters.
Automatic configuration with very little administrative overhead.
Diagram: File copy between SMB client and SMB server across the network, each with multiple NICs.

Improved network performance through SMB Direct (RDMA)
Higher performance through offloading of network I/O processing onto network adapter.
Higher throughput with low latency and ability to take advantage of high-speed networks (such as InfiniBand and iWARP).
Remote storage at the speed of direct storage.
Transfer rate of around 50 Gbps on a single NIC port.
Compatible with SMB Multichannel for load balancing and failover.
Diagram: With RDMA versus Without RDMA. File Client and File Server stacks: Application, App Buffer, SMB Client / SMB Server, SMB Buffer, Transport Protocol Driver, OS Buffer, NIC Driver, Driver Buffer, rNIC / NIC, Adapter Buffer; links labelled iWARP and InfiniBand.

Dynamic Virtual Machine Queue
Increased efficiency of network processing on Hyper-V hosts.
Without VMQ: Hyper-V Virtual Switch is responsible for routing & sorting packets for VMs. This leads to increased CPU processing, all focused on CPU0.
With VMQ: Physical NIC creates virtual network queues for each VM to reduce host CPU.
With Dynamic VMQ: Processor cores dynamically allocated for a better spread of network traffic processing.
Diagram: three Hyper‑V Hosts (Without VMQ, With VMQ, With DVMQ), each showing CPU0, CPU1, CPU2, CPU3.

Single Root I/O Virtualization (SR-IOV)
VM traffic bypasses virtual switch and performs I/O directly to NIC.
Ideal for high I/O workloads that do not require port policies, QoS, or network virtualization enforced at the end host virtual switch.
Most 10Gbps and in-box NICs SR-IOV capable.
Benefits:
Maximizes use of host system processors and memory.
Reduces host CPU overhead for processing network traffic (by up to 50%).
Reduces network latency (by up to 50%).
Provides higher network throughput (by up to 30%).
Full support for Live Migration.
Diagram: Traffic flow from the Virtual Machine (VM Network Stack, Synthetic NIC, Virtual Function) through the Host (Hyper‑V Extensible Switch) to the SR-IOV NIC with its VFs.

Highly Available DHCP Service
Automatic DHCP failover based on DHCP failover IETF spec.
Provides multi-site IP address continuity to clients by helping eliminate single points of failure.
Provides in-box support for failover, without the need for clustering.
Uses a failover setup consisting of two servers located across different geographic locations.
Includes active/active or active/passive behavior.
Simple provisioning and configuration of DHCP server using PowerShell.
Diagrams: Hot standby DHCP failover in a hub-and-spoke deployment. Load-sharing DHCP failover in a single site with a single subnet.

IP Address Management (IPAM)
Manages virtual address space in addition to physical address space.
Imports and exports network configurations automatically through plugin for System Center Virtual Machine Manager.
Enables synchronization of Active Directory Sites and subnets information with IPAM.
Supports large scale enterprise deployments.
Uses SQL Server to store IP address information.
Lets admins define user roles, access scope and access policy through role-based access control.
Diagram:
Users: Network Administrator, Fabric Administrator, System Administrator, Forensics Investigator.
Components: IPAM Client (Win 8.1), WCF; VMM Server (SC 2012 R2), PS/WS Man, Integration Plugin; MS SQL Server (SQL 2008 R2, SQL 2012); IPAM Server (WS 2012 R2) with Role Based Access Control.
Security Groups: IPAM Administrator, IPAM ASM Administrator, IPAM MSM Administrator, IPAM Users, IPAM Audit Administrator.
Data collection tasks: Server Discovery, Server Configuration, Address Utilization, Event Collection, Server Availability, Server Monitoring, Address Expiry.
Managed servers: DHCP Server (WS2012), DNS Server (WS08 R2 & SPs), DC Server (WS2012), NPS Server (WS2012).

Virtualization Storage Storage Networking Identity and Access

Enabling IT to empower users
Users can enroll devices for access to the Company Portal for easy access to corporate applications.
IT can publish Desktop Virtualization (VDI) for access to centralized resources.
Users can work from anywhere on their device with access to their corporate resources.
IT can publish access to resources with the Web Application Proxy based on device awareness and the user's identity.
IT can provide seamless corporate access with DirectAccess and automatic VPN connections.
Users can register devices for single sign-on and access to corporate data with Workplace Join.
Diagram: RD Gateway, Session host, VDI, Web Application Proxy, Web Apps, Files, LOB Apps, Remote Access, Active Directory.

Effective working with Remote Access
An automatic VPN connection provides automated starting of the VPN when a user launches an application that requires access to corporate resources.
Traditional VPNs are user-initiated and provide on-demand connectivity to corporate resources.
With DirectAccess, a user's PC is automatically connected whenever an Internet connection is present.
Diagram labels: VPN: Cannot originate admin connection from intranet. DirectAccess: Can originate admin connection from intranet; Connection to intranet is always active. Firewall in front of Web Apps, Session host, LOB Apps, Files, VDI.

Remote Access Solutions User-based Computer-based PPTP L2TP SSTP Direct Access

What does Direct Access do?
Connects you to your Corporate Office no matter where you are: if you have Internet, you have corporate network access.
No visible VPN client.

How does it do it?
Combines multiple networking technologies: IPSEC, IPv6, IPHTTPS, NAT64/DNS64.
Domain member configuration.
Tunnels.
Kerberos proxy or Certificates.

Direct Access Improvements
Deploy without internal IPv6 connectivity.
PKI deployment is not needed (Windows 8 or higher).
New Kerberos Proxy and IP-HTTPS improvements.
Support for External NAT for DA Edge.

Direct Access client flow
Client attempts to locate Network Location Service server: DNS query for DirectAccess-NLS.corp.domain.com.
If NLS not found, assume Direct Access required: HTTP probe to check for availability.
Resolve external DA name with external DNS: IPv4 (A) DNS query for da.domain.com.
Establish IPSEC tunnel to DA endpoint: connect to external IP address of the Direct Access Server, validate certificates.
Authenticate client computer: either using Kerberos or certificate-based authentication.

Expanded domain join capabilities
Not Joined: User provided devices are “unknown” and IT has no control. Partial access may be provided to corporate information.
Workplace Joined: Registered devices are “known” and device authentication allows IT to provide conditional access to corporate information.
Domain Joined: Domain joined computers are under the full control of IT and can be provided with complete access to corporate information.
Diagram labels: Browser session single sign-on, Seamless 2-Factor Auth for web apps, Enterprise apps single sign-on, Desktop Single Sign-On.

Registering and Enrolling Devices
Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications.
Data from Windows Intune is synced with Configuration Manager, which provides unified management across both on-premises and in the cloud.
Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.
IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user's identity. Multi-factor authentication can be used through Windows Azure Active Authentication.
As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device.
Diagram: Active Authentication, Active Directory, Web Application Proxy, ADFS.

Publish access to resources with the Web Application Proxy
Use conditional access for granular control over how and where the application can be accessed.
Users can access corporate applications and data wherever they are.
Active Directory provides the central repository of user identity as well as the device registration information.
IT can use the Web Application Proxy to authenticate users and devices with multi-factor authentication.
Published applications: AD Integrated, Restful OAuth apps, Office Forms Based Access, Claims & Kerberos web apps. Reverse proxy pass through, e.g. NTLM & Basic based apps.
Diagram: Devices, Web Application Proxy, ADFS, Active Directory, Apps & Data.

Make corporate data available to users with Work Folders
Active Directory discoverability provides users Work Folders location.
IT can configure a File Server to provide Work Folder sync shares for each user to store data that syncs to their devices, including integration with Rights Management.
IT can selectively wipe the corporate data from Windows 8.1 clients.
Users can sync their work data to their devices.
Users can register their devices to be able to sync data when IT enforces conditional access.
IT can publish access directly through a reverse proxy, or conditional access can be enforced via device registration through the Web Application Proxy.
Diagram: Devices, Domain joined devices, Reverse Proxy, Web Application Proxy, Access Policy, Active Directory, File Services, Apps & Data.

Get started: Download Windows Server 2012 R2. Learn and Expand. Act.

Extra Content
Dynamic Access Control: granting permissions by means of a central policy. Two important elements:
1 The classification of files
2 Creating claims
Certifications for Windows Server 2012 R2: MCSA (and Upgrade), MCSE Server Infrastructure, MCSE Desktop Infrastructure

Protect data with Dynamic Access Control
Automatically identify and classify data based on content. Classification applies as files are created or modified.
File classification, access policies and automated Rights Management work against client distributed data through Work Folders.
Centrally manage access control and audit policies from Windows Server Active Directory.
Integration with Active Directory Rights Management Services provides automated encryption of documents.
Central access and audit policies can be applied across multiple file servers, with near real-time classification and processing of new and modified documents.
Diagram: File Services, Active Directory.

1 Data Classification

Data classification – identifying data
Manual Classification. Classify data based on location inheritance. Classify data automatically.
Classify your documents using resource properties stored in Active Directory.
Automatically classify documents based on document content.

1 Data Classification 2 Central Access Policy

Expression based access control
Expression based access conditions: Manage fewer security groups by using conditional expressions.
Compound Identity: Flexible access control lists based on document classification and multiple identities.
Central Access Policy: Centralized access control lists using Central Access Policies.

How Access Check Works
Diagram: Share Security Descriptor (Share Permissions). File/Folder Security Descriptor (Central Access Policy Reference, NTFS Permissions). Active Directory (cached in local Registry): Cached Central Access Policy Definition with its Cached Central Access Rules.
Access Control Decision:
Access Check – Share permissions if applicable
Access Check – File permissions
Access Check – Every matching Central Access Rule in Central Access Policy
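The three-stage access control decision above, together with the expression-based conditions from the previous slide, as an added Python model (not code from the presentation or from Windows). It assumes allow-only entries and treats the result as the intersection of all stages; the users, device claims, groups and the Finance rule are constructed sample data.

```python
READ, WRITE = "read", "write"


def acl_rights(acl, user):
    """Union of rights from entries whose group the user is in (deny entries are not modelled)."""
    rights = set()
    for group, granted in acl.items():
        if group in user["groups"]:
            rights |= granted
    return rights


def rule_rights(rule, user, device, resource):
    """Rights left by one central access rule, or None when the rule does not target the resource."""
    if not rule["target"](resource):
        return None
    rights = set()
    for condition, granted in rule["entries"]:
        if condition(user, device, resource):
            rights |= granted
    return rights


def access_check(user, device, resource, share_acl, ntfs_acl, policy, via_share=True):
    """Share permissions (if applicable) AND file permissions AND every matching rule."""
    effective = acl_rights(ntfs_acl, user)
    if via_share:  # the share check is skipped for local access
        effective &= acl_rights(share_acl, user)
    for rule in policy:
        limit = rule_rights(rule, user, device, resource)
        if limit is not None:  # only rules whose target matches can restrict
            effective &= limit
    return effective


# Constructed sample data: one share, one NTFS ACL, one central access rule.
SHARE_ACL = {"Authenticated Users": {READ, WRITE}}
NTFS_ACL = {"Staff": {READ, WRITE}}
FINANCE_RULE = {
    # Target resource condition: the rule applies only to files classified Finance.
    "target": lambda res: res.get("Department") == "Finance",
    "entries": [
        # Compound identity: user claim and device claim together give read/write.
        (lambda u, d, r: u["Department"] == r["Department"] and d["Managed"], {READ, WRITE}),
        # User claim alone gives read only.
        (lambda u, d, r: u["Department"] == r["Department"], {READ}),
    ],
}
CENTRAL_ACCESS_POLICY = [FINANCE_RULE]

ALICE = {"groups": {"Authenticated Users", "Staff"}, "Department": "Finance"}
BOB = {"groups": {"Authenticated Users", "Staff"}, "Department": "Sales"}
MANAGED_PC = {"Managed": True}
BYOD_TABLET = {"Managed": False}
LEDGER = {"Department": "Finance"}
LUNCH_MENU = {"Department": "Facilities"}
```

Because every stage can only remove rights, a Central Access Policy tightens access without anyone touching the share or NTFS permissions: Bob keeps his NTFS read/write on unclassified files but gets nothing on Finance files.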

MCSA: Windows Server 2012
EXAM 410 + EXAM 411 + EXAM 412 = MCSA: Windows Server 2012
EXAM 410: Installing and Configuring Windows Server 2012 (5), MOC 20410
EXAM 411: Administering Windows Server 2012 (5), MOC 20411
EXAM 412: Configuring Advanced Windows Server 2012 Services (5), MOC 20412
Find a Learning Partner

MCSE: Server Infrastructure (* Requires recertification)
Windows Server 2012 + EXAM 413 + EXAM 414 = MCSE: Server Infrastructure
EXAM 413: Designing and Implementing a Server Infrastructure (5), MOC 20413
EXAM 414: Implementing an Advanced Server Infrastructure (5), MOC 20414
Find a Learning Partner

MCSE: Desktop Infrastructure (* Requires recertification)
Windows Server 2012 + EXAM 415 + EXAM 416 = MCSE: Desktop Infrastructure
EXAM 415: Implementing a Desktop Infrastructure (5), MOC 20415
EXAM 416: Implementing Desktop Application Environments (5), MOC 20416
Find a Learning Partner

Upgrade paths
Any of the following certifications qualify: MCSA: Windows Server 2008*, MCITP: Virtualization Administrator, MCITP: Enterprise Messaging Administrator, MCITP: Lync Server Administrator, MCITP: SharePoint Administrator, MCITP: Enterprise Desktop Administrator
417: Upgrading Your Skills to MCSA Windows Server 2012
Either or Both:
413 (Designing and Implementing a Server Infrastructure) + 414 (Implementing an Advanced Server Infrastructure) = Server Infrastructure
415 (Implementing a Desktop Infrastructure) + 416 (Implementing Desktop Application Environments) = Desktop Infrastructure