Saturday, 23 September 2017

Microsoft Windows Server 2016 Containers

Windows Server 2016 is Microsoft's server operating system that follows Windows Server 2012 R2. It has several new features and improvements over the previous server releases.
One of the important new features in Windows Server 2016 is containers. A container provides an isolated environment for an application: you can deploy many containers on a single physical or virtual machine, and each one presents a complete operating environment to the application installed in it. The application runs without affecting the rest of the operating system (OS), and the OS (and the other containers) cannot interfere with the application. In other words, containers isolate the application from the OS it runs on.

Two types of containers are there in Windows Server 2016:

1. Windows Server Container: These containers share the OS kernel with the host on which they are deployed and with every other container on that host. The application is isolated using process and namespace isolation, so the kernel is the trust boundary: a kernel vulnerability reachable from inside one container affects the host and all the other containers.

2. Hyper-V Container: The host kernel is not shared with a Hyper-V container. Each one runs inside a small, highly optimised utility virtual machine with its own kernel, so the isolation boundary is the hypervisor rather than the kernel.

Deployment Scenarios:

Windows Server Container

Windows Server Containers are suited to applications that can share a trust boundary, because they also share the host kernel. Containers have no GUI, so they are ideal for stateless web applications that do not need one.
They are also useful in a test environment where you need to deploy an application many times without changing the underlying infrastructure. For example, you can build an image with IIS installed and your websites configured; developers can then deploy the application from that image repeatedly while the infrastructure underneath stays the same.

Hyper-V Container
Hyper-V Containers are used to run applications that do not share a trust boundary on the same host. For example, public clouds such as Azure are multi-tenant: customers can supply their own code to extend a service offering, and that code must not be able to interfere with the service or reach other customers' data. Hyper-V isolation gives each tenant its own kernel, so a kernel-level compromise stays inside that tenant's utility VM.
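The difference between the two isolation modes can be seen from the host. The following is an added example, not code from the original post: it starts one container of each type with Docker on a Windows Server 2016 host and then checks whether the processes inside each container are visible to the host kernel. It assumes the Containers feature, Docker and the Hyper-V role are installed, and that the image tag below (an assumption) matches the host build.

```powershell
# Added example, not code from the original post. Assumes a Windows Server 2016 host
# with the Containers feature and Docker installed, the Hyper-V role present (needed for
# --isolation=hyperv), and that the image tag below matches the host build (assumed tag).
$Image = 'mcr.microsoft.com/windows/servercore:ltsc2016'

function Start-IsolatedContainer {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('process', 'hyperv')][string]$Isolation
    )
    # Keep the container alive with a long-running process so it can be inspected.
    docker run -d --name $Name --isolation=$Isolation $Image cmd /c "ping -t localhost" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "docker run failed for $Name" }
    # The engine records which isolation mode it actually used.
    docker inspect --format '{{.HostConfig.Isolation}}' $Name
}

function Get-ContainerHostVisibility {
    param([Parameter(Mandatory)][string]$Name)
    # docker top lists the processes inside the container. For a process-isolated
    # container those PIDs are host PIDs (shared kernel); for a Hyper-V container they
    # belong to the utility VM's kernel and mean nothing to the host. That difference is
    # the observable consequence of the two trust boundaries described above.
    $rows = docker top $Name 2>$null | Select-Object -Skip 1
    foreach ($row in $rows) {
        if ($row -match '^(\S+)\s+(\d+)') {
            $procName = $Matches[1]
            $procId   = [int]$Matches[2]
            $onHost   = $null -ne (Get-Process -Id $procId -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                Container     = $Name
                Process       = $procName
                PID           = $procId
                VisibleOnHost = $onHost
            }
        }
    }
}

Start-IsolatedContainer -Name 'shared-kernel' -Isolation process
Start-IsolatedContainer -Name 'own-kernel'    -Isolation hyperv
Get-ContainerHostVisibility -Name 'shared-kernel'   # shares the host kernel
Get-ContainerHostVisibility -Name 'own-kernel'      # runs on its own kernel
docker rm -f shared-kernel own-kernel | Out-Null
```

For the process-isolated container the host can resolve every PID that `docker top` reports, which is exactly why a kernel bug inside it is a host problem; for the Hyper-V container the PIDs belong to another kernel and the host has nothing to look up. The same `--isolation` switch is how you pick the trust boundary per container rather than per host.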



Friday, 7 April 2017

New Features in Windows Server 2016

Hello folks! Microsoft is back with a new server OS after Windows Server 2012 R2: Windows Server 2016. Before you plan to upgrade your servers to 2016 you need to know what new features you are going to get. In this post we will have an overview of the new features in Windows Server 2016, and later we will discuss them in more detail.

What are the New Features in Windows Server 2016?

The following features and feature improvements were introduced in Windows Server 2016:

1. Nano Server: Nano Server is not a new edition but a new installation option of Windows Server 2016. It has no local GUI and no local command prompt (only a minimal recovery console); everything is managed remotely through PowerShell remoting, WMI or Server Manager. That gives it a much smaller footprint and attack surface, which makes it suitable for roles such as Hyper-V hosts and Scale-Out File Servers.

2. Containers: A container isolates an application from the operating system. The application runs inside the container without affecting the rest of the system, and the rest of the system cannot affect the application. There are two types: Windows Server containers and Hyper-V containers.

3. Docker: Docker is usually associated with Linux, but Windows Server 2016 supports the Docker engine and CLI for managing both Windows Server containers and Hyper-V containers.

4. Rolling upgrades for Hyper-V and storage clusters: If your failover cluster is running Windows Server 2012 R2, you can add Windows Server 2016 nodes to it. The cluster keeps running in Windows Server 2012 R2 mode until all nodes have been upgraded, after which you raise the cluster functional level.

5. Hot add and hot remove of virtual memory and network adapters: In Hyper-V on Windows Server 2016 you can add or remove memory and network adapters while the virtual machine is running (network adapters on Generation 2 VMs).

6. Nested virtualization: In earlier versions of Hyper-V you could not run a virtual machine inside a virtual machine. In Hyper-V on Windows Server 2016 you can expose the virtualization extensions to a VM and run Hyper-V inside it, with its own VMs or Hyper-V containers.

7. PowerShell Direct: PowerShell is the tool for automation and remote management, but managing VMs remotely normally means the guest needs network connectivity, a WinRM listener and matching firewall rules. PowerShell Direct runs commands in the guest over the VMBus channel between host and VM, so the guest's network configuration and firewall settings do not matter. It is not an authentication bypass: you still need valid credentials for the guest OS and must be a Hyper-V administrator on the host, which also means any host administrator can reach every unshielded guest this way.

8. Shielded virtual machines: Windows Server 2016 adds the Host Guardian Service role. Together with Hyper-V it enables shielded VMs, whose virtual disks are encrypted with BitLocker (backed by a virtual TPM) and which only run on hosts that have attested to the Host Guardian Service. This protects the VM from a compromised fabric administrator or host, not just from unauthorised users. Shielded VMs can be created with System Center Virtual Machine Manager or the Windows Azure Pack portal, and existing VMs can be converted to shielded VMs.

9. Storage Spaces Direct: Storage Spaces was introduced in Windows Server 2012. Storage Spaces Direct extends the software-defined storage stack so that industry-standard servers with local-attached drives can form highly available, highly scalable software-defined storage.
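To make the PowerShell Direct point concrete, here is an added example (not code from the original post) that opens a session to a guest over VMBus, shows from inside the guest that its network and firewall state are irrelevant, copies a file over the same channel, and then reads the logon evidence the guest still records. It assumes a Windows Server 2016 host, a running Windows Server 2016 or Windows 10 guest named AppServer01, a local administrator inside that guest, and a file at C:\tools\baseline.ps1 on the host; all of those names are assumptions.

```powershell
# Added example, not code from the original post. Assumes a Windows Server 2016 Hyper-V
# host, a running Windows Server 2016 or Windows 10 guest named 'AppServer01' (assumed),
# a local administrator account inside that guest, and a script at C:\tools\baseline.ps1
# on the host (assumed path). You must be in Hyper-V Administrators (or Administrators)
# on the host: that host-side membership plus the guest credential is the whole access check.
$VmName    = 'AppServer01'
$GuestCred = Get-Credential -Message "Local administrator inside $VmName"

$vm = Get-VM -Name $VmName
if ($vm.State -ne 'Running') { Start-VM -VM $vm; Start-Sleep -Seconds 30 }

# The session rides the VMBus between host and guest: no IP address, no WinRM listener
# and no firewall rule in the guest is involved.
$session = New-PSSession -VMName $VmName -Credential $GuestCred

# Show the guest's network state from inside, to make the point that it is irrelevant.
Invoke-Command -Session $session -ScriptBlock {
    [pscustomobject]@{
        Guest        = $env:COMPUTERNAME
        WinRMService = (Get-Service -Name WinRM).Status
        FirewallOn   = (Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'True' }).Name -join ','
        AdaptersUp   = (Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }).Count
    }
}

# File transfer over the same channel, useful when the guest deliberately has no network.
Copy-Item -Path 'C:\tools\baseline.ps1' -Destination 'C:\Temp\' -ToSession $session

# The guest still performs a real logon for the supplied credential, so the usual
# Security log evidence exists (4624 with the target user and logon type) and should be
# monitored like any other remote access.
Invoke-Command -Session $session -ScriptBlock {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5 |
        Select-Object TimeCreated,
            @{ n = 'User';      e = { $_.Properties[5].Value } },
            @{ n = 'LogonType'; e = { $_.Properties[8].Value } }
}

Remove-PSSession -Session $session
```

The design point for a defender: the path bypasses the network, not the credential check, so the host's Hyper-V Administrators group is effectively a logon right on every guest. Shielded VMs (feature 8) close this channel, which is the right answer for guests whose host administrators are not trusted.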

Tuesday, 26 January 2016

How To Reset Administrator Password In Windows 10

Hi, can't remember your Administrator password and don't have a password reset disk?
Don't worry, here is a way to reset the Administrator password without a reset disk or any third-party tool. It works by replacing the Accessibility helper (Utility Manager) that the logon screen can launch with a command prompt; that prompt runs as SYSTEM before anyone has logged on.

To reset the Administrator password you only need the Windows product DVD (or USB installation media) to boot from.


  1. Boot from the Windows DVD and, once Setup has loaded, press SHIFT+F10.
  2. A command prompt opens. Run the following commands to determine your OS volume:
  3. diskpart
  4. list vol
  5. Note which drive letter is assigned to the OS volume, then type exit to leave diskpart. In my case it is D: (in the setup environment C: is usually the small system partition and the OS volume gets a different letter).
  6. D:
  7. cd windows\system32\
  8. ren utilman.exe utilman_old.exe
  9. copy cmd.exe utilman.exe
  10. Reboot the computer. On the logon screen click the Accessibility (Ease of Access) button; instead of Utility Manager it launches cmd.exe, running as SYSTEM.
  11. In that command prompt run the following, replacing UserName with the name of the Administrator account whose password you want to reset:
  12. net user UserName *
  13. Enter the new password and confirm it.
  14. Put the original file back so the logon screen no longer launches a shell: cd windows\system32
  15. del utilman.exe
  16. ren utilman_old.exe utilman.exe
  17. exit
  If step 15 fails with "Access is denied", it is because utilman.exe is the running command prompt you are typing in and Windows will not delete an executable that is in use; boot from the DVD again and run steps 14 to 16 from there.
So we are done with the password reset. Now you can login using the new password.

Note: This also works on earlier operating systems such as Windows 8 and Windows 7. It only works because anyone who can boot the machine from their own media can write to the OS volume: if the volume is protected with BitLocker, or the firmware enforces the boot order with a password, the files cannot be renamed and the trick fails. From the defender's side that is the lesson: physical access is administrative access unless full-disk encryption and a firmware password are in place.
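The same trick that resets a forgotten password is also how someone with brief physical access leaves themselves a SYSTEM shell on the logon screen, so it is worth knowing how to check for it. The following is an added example, not code from the original post: it inspects the logon-screen accessibility binaries in System32 and reports the signs that one of them is really a copy of cmd.exe. The post only covers utilman.exe; the other file names are included because the same swap works on them (a generalisation, not something the post states).

```powershell
# Added example, not code from the original post. It is the defender's check for the
# swap described above: has utilman.exe (or one of the other logon-screen accessibility
# helpers, to which the same trick applies; the post only covers utilman.exe) been
# replaced by a copy of cmd.exe? Run from an elevated 64-bit PowerShell on the machine.

function Test-AccessibilityBinaries {
    param([string]$System32 = "$env:SystemRoot\System32")

    $targets = 'utilman.exe', 'sethc.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe'
    $cmdHash = (Get-FileHash -LiteralPath (Join-Path $System32 'cmd.exe') -Algorithm SHA256).Hash

    foreach ($name in $targets) {
        $path = Join-Path $System32 $name
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $base = [IO.Path]::GetFileNameWithoutExtension($name)
        $item = Get-Item -LiteralPath $path
        $findings = @()

        # 1. The file is byte-for-byte cmd.exe.
        if ((Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -eq $cmdHash) {
            $findings += 'identical to cmd.exe'
        }
        # 2. The PE version resource still says what the file originally was.
        $orig = $item.VersionInfo.OriginalFilename
        if ($orig -and $orig -notlike "$base*") { $findings += "OriginalFilename is '$orig'" }
        # 3. A signature check alone is NOT enough: a renamed cmd.exe is still a validly
        #    catalog-signed Microsoft binary. This only catches non-Microsoft replacements.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.Status -ne 'Valid') { $findings += "signature status $($sig.Status)" }
        # 4. Genuine System32 binaries are owned by TrustedInstaller; a file written from
        #    boot media or an admin shell usually is not.
        $owner = (Get-Acl -LiteralPath $path).Owner
        if ($owner -ne 'NT SERVICE\TrustedInstaller') { $findings += "owner is $owner" }
        # 5. Leftover renamed original, e.g. utilman_old.exe from the procedure above.
        $leftovers = Get-ChildItem -LiteralPath $System32 -Filter "${base}_*.exe" -ErrorAction SilentlyContinue
        if ($leftovers) { $findings += "renamed copies present: $($leftovers.Name -join ', ')" }

        [pscustomobject]@{
            File       = $name
            Suspicious = ($findings.Count -gt 0)
            Findings   = ($findings -join '; ')
        }
    }
}

Test-AccessibilityBinaries | Format-Table -AutoSize
```

Run it as part of a build or incident checklist; a clean machine reports Suspicious = False for every file. The hash and OriginalFilename checks are the ones that actually catch the cmd.exe swap, which is why the code does not rely on Get-AuthenticodeSignature alone.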


Sunday, 3 January 2016

New Features In Windows 10

Windows 10 is the latest operating system from Microsoft. It has many new features over Windows 7 and many enhancements over Windows 8.1. How different you find Windows 10 depends on which operating system you upgraded from.

So let's have a look on those improvements.

1. Start Screen and Start menu:

The Start screen of Windows 10 is a combination of the Windows 7 and Windows 8 Start experiences. The tile-based Start screen from Windows 8 makes it touch-friendly, while the traditional Start menu from Windows 7 makes it friendlier on non-touch devices such as desktops.

2. Auto-triggered VPN:

In earlier versions of Windows, if you needed to access your company's intranet you had to establish a VPN connection manually. In Windows 10, if an app requires a connection to your company's intranet, Windows can trigger the VPN connection automatically.

3. Windows Hello:

Windows Hello supports a number of biometric sign-in methods such as fingerprint scanners and face recognition. Face recognition requires a supported infrared camera, so that no one can sign in to your device with a photograph of you.

4. Cortana:

Cortana is a personal digital assistant that you can control with voice commands. Using Cortana you can search your documents, installed apps and the Internet. It is the same kind of feature you have on smartphones.

5. Multiple Desktop: 

This feature lets you have multiple desktop views on a single machine, even without multiple monitors. For example, if you are sharing your screen in an online meeting or video call and don't want to show all of your apps, you can keep them on another desktop. If you are familiar with Ubuntu you will recognise this feature.

6. Continuum:

Hybrid devices on the market today work like a tablet when the keyboard is detached and like a laptop when it is connected. Windows 10 comes with a feature called Continuum that detects which mode the device is in, tablet or laptop, and changes the environment accordingly; for example, the Start screen goes full screen with bigger tiles when tablet mode is detected. Users can also switch between the modes manually from the Action Center.

7. Action Center:

Starting with Windows 8, the Action Center was consolidated with more of the options you previously reached through Control Panel. Windows 10 continues that consolidation with more options and notifications.

8. Microsoft Edge:

Windows 10 has a new, faster and lighter web browser, Microsoft Edge. It is designed for touch-enabled devices and has many new features that we will discuss in coming posts.

9. Continuous Updates:

Earlier, Microsoft released new versions of the operating system periodically, for example Windows 8 after Windows 7. Microsoft now plans to deliver Windows 10 as continuous, smaller updates.

10. Snap Assist:

In Windows 10 you can drag apps to snap them and split the screen into four parts; in Windows 8.1 you could only split it into two.




Thursday, 11 June 2015

Offloaded Data Transfer (ODX)

Overview:

Offloaded Data Transfer (ODX) is a transparent fast file-movement feature introduced in Windows Server 2012. It lets ODX-capable storage arrays bypass the host computer and move data directly within or between compatible storage devices.

Key scenario of using ODX:

In a traditional host-based file transfer, when a host needs to copy or move a file on a SAN, the Windows OS reads the data into its own buffers, sends it across the network to the destination server, and the destination server writes it back to the storage.

Now consider a Hyper-V host with multi-terabyte VHDX files that you need to move from one disk to another, from one cluster to another, or from one storage array to another. Using the traditional host-based mechanism this takes a very long time.

With ODX in Windows Server 2012 you can bypass this long route and have the VHDX transferred directly within or between compatible storage devices.

How ODX works:

ODX uses a token-based mechanism for reading and writing data within or between compatible storage arrays. Instead of passing the data itself through the host and across the network, the host asks the source array for a token that represents the data (an offload read) and then hands that token to the destination (an offload write); the actual data movement happens inside, or between, the storage arrays. The token is opaque to the host and is only valid for a limited time.
ODX is used automatically for moves and copies made with command-line tools such as copy, xcopy and robocopy, or even with drag and drop.

Fig: How ODX works


Benefit of using ODX:

  • Because ODX bypasses the host and moves the data within or between the storage devices, it reduces host resource utilisation such as CPU, memory and network bandwidth.
  • It lets the SAN move and copy files much faster.

Limitations:
  • Works with NTFS but not with ReFS or FAT.
  • Doesn't support encrypted, deduplicated or compressed files.
  • Files smaller than 256 KB are transferred the traditional way.
  • Storage Spaces and dynamic disks are not supported.
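Because ODX falls back silently to a normal host-based copy when any of these limits is hit, it helps to be able to check a file before a large migration. The following is an added example, not code from the original post: it tests a file against the limitations above and shows the registry switch Microsoft documents for turning ODX off host-wide. The sample path is an assumption and the function expects a local drive-letter path.

```powershell
# Added example, not code from the original post. Checks whether a given file would be
# eligible for ODX on this host according to the limitations listed above, and shows the
# registry switch Microsoft documents for turning ODX off host-wide. Run elevated for the
# registry write; the sample path at the end is an assumption.

function Get-OdxRegistryState {
    # FilterSupportedFeaturesMode: absent or 0 = ODX enabled, 1 = ODX disabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $v = (Get-ItemProperty -Path $key -Name FilterSupportedFeaturesMode -ErrorAction SilentlyContinue).FilterSupportedFeaturesMode
    if ($null -eq $v -or $v -eq 0) { 'Enabled' } else { 'Disabled' }
}

function Set-OdxRegistryState {
    param([Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State)
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $value = if ($State -eq 'Disabled') { 1 } else { 0 }
    Set-ItemProperty -Path $key -Name FilterSupportedFeaturesMode -Value $value -Type DWord
}

function Test-OdxEligible {
    param([Parameter(Mandatory)][string]$Path)   # local path with a drive letter
    $item    = Get-Item -LiteralPath $Path
    $reasons = @()

    # Volume-level limits: NTFS only; Storage Spaces virtual disks report BusType 'Spaces'.
    $letter = [IO.Path]::GetPathRoot($item.FullName).TrimEnd(':\')
    $vol    = Get-Volume -DriveLetter $letter
    if ($vol.FileSystem -ne 'NTFS') { $reasons += "volume is $($vol.FileSystem), ODX needs NTFS" }
    $disk = Get-Partition -DriveLetter $letter | Get-Disk
    if ($disk.BusType -eq 'Spaces') { $reasons += 'volume is on Storage Spaces' }

    # File-level limits from the post: size, compression, encryption, deduplication.
    $attr = $item.Attributes
    if ($item.Length -lt 256KB) { $reasons += "file is $($item.Length) bytes, below 256 KB" }
    if ($attr.HasFlag([IO.FileAttributes]::Compressed)) { $reasons += 'file is NTFS-compressed' }
    if ($attr.HasFlag([IO.FileAttributes]::Encrypted))  { $reasons += 'file is EFS-encrypted' }
    # Deduplication rewrites files as reparse points; ODX falls back to a normal copy.
    if ($attr.HasFlag([IO.FileAttributes]::ReparsePoint)) { $reasons += 'file is a reparse point (e.g. deduplicated)' }
    if ((Get-OdxRegistryState) -eq 'Disabled') { $reasons += 'ODX is disabled in the registry' }

    [pscustomobject]@{
        Path     = $item.FullName
        Eligible = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

Get-OdxRegistryState
Test-OdxEligible -Path 'D:\VMs\web01.vhdx'   # assumed path
```

Disabling ODX with Set-OdxRegistryState is the documented workaround when an array or a filter driver misbehaves; it is host-wide, so record it as a change rather than leaving it as a surprise for the next migration.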



Tuesday, 2 June 2015

Loopback Processing

Before we jump into loopback processing, let's understand the Group Policy processing order. Group Policy objects (GPOs) can be linked to a site, a domain or an OU, and they are processed in this order:

  1. Local policy
  2. Site
  3. Domain
  4. OU
The GPO processed last wins, so its settings are the final ones applied to the user. This default order can be changed with options such as Block Inheritance and Enforced, but it is recommended to use them as little as possible to keep your configuration simple. Whenever a user logs on to any computer in the domain, it doesn't matter where the computer object sits in Active Directory or which GPOs are linked to the site or OU containing the computer: the user settings that apply are those from the GPOs linked to the site, domain and OU where the user object resides.

Let’s understand the loopback processing and the scenario to use it.

What is Loopback Processing and when to use Loopback Processing?

Take a conference room where you want a common wallpaper for every user who logs on. As we have seen, the user settings from the GPOs linked to the user's location apply regardless of where the computer object is, so a GPO linked to the conference room computers' OU would not change the wallpaper on its own. Loopback processing solves this.

Loopback processing is a computer configuration setting that provides a consistent user experience across all computers regardless of the GPOs linked to the user’s Site or OU.

How to configure loopback processing ?

The loopback setting ("Configure user Group Policy loopback processing mode") is located under Computer Configuration/Administrative Templates/System/Group Policy in the Group Policy Management Editor (GPME).

Loopback processing works in two modes:
  1. Merge
  2. Replace
Merge Mode: In merge mode the user settings from the GPOs that apply to the user's location are processed first, and then the user settings from the GPOs that apply to the computer's location are processed on top of them. Both sets apply; where they conflict, the user settings from the computer's GPOs win because they are processed last.


Replace Mode: In replace mode the user settings from the GPOs linked to the user's location are not processed at all; only the user settings from the GPOs linked to the computer's location apply. Any user-side restrictions that normally reach the user through their own OU are therefore dropped and must be present in the computer-side GPOs if they are still wanted.

Back to our scenario: to get a common wallpaper on all conference room computers, create an OU, move the conference room computer objects into it, and link a GPO to that OU that enables loopback processing and carries the wallpaper setting under User Configuration. The computer's location then decides which user settings apply.
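The same scenario built with the GroupPolicy module, as an added example that is not code from the original post. It creates the OU and GPO, sets loopback to Replace, puts the wallpaper setting in the GPO's User Configuration half, links it to the computers' OU and reads the result back. The OU name, GPO name and wallpaper path are assumptions.

```powershell
# Added example, not code from the original post. Run on a management host with the
# GroupPolicy and ActiveDirectory modules (RSAT). The OU name, GPO name and wallpaper
# path are assumptions; adjust them for your domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$OuName    = 'ConferenceRoomPCs'                 # assumed
$GpoName   = 'ConfRoom-Loopback-Wallpaper'       # assumed
$Wallpaper = '\\fileserver\share\confroom.jpg'   # assumed path
$DomainDn  = (Get-ADDomain).DistinguishedName
$OuDn      = "OU=$OuName,$DomainDn"

# 1. OU for the conference room computer objects.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$OuName)" -SearchBase $DomainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn
}

# 2. GPO with the loopback setting. "Configure user Group Policy loopback processing
#    mode" is stored as UserPolicyMode: 1 = Merge, 2 = Replace.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Loopback (Replace) + common wallpaper' }
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 3. The user-side setting every user should get on these machines. This is the registry
#    location the "Desktop Wallpaper" user policy writes; because it is under HKCU it lives
#    in the User Configuration half of the GPO and only reaches users because loopback is on.
$wpKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $GpoName -Key $wpKey -ValueName 'Wallpaper'      -Type String -Value $Wallpaper | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $wpKey -ValueName 'WallpaperStyle' -Type String -Value '2'        | Out-Null

# 4. Link it to the computers' OU, not to the users' OU.
$linked = (Get-GPInheritance -Target $OuDn).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null }

# 5. Read back what the GPO now carries.
Get-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' |
    Select-Object ValueName, Value
Get-GPRegistryValue -Name $GpoName -Key $wpKey | Select-Object ValueName, Value
```

After moving the computer objects into the OU (Move-ADObject) and running gpupdate on one of them, `gpresult /r /scope computer` on that machine should show the GPO under the computer's applied policies. Replace mode was chosen because a shared conference room machine should not carry any individual user's settings; the cost is that user-side restrictions normally delivered through the users' own OUs no longer apply there, so anything you still want enforced (screen-saver lock, removable media rules) has to be repeated in this GPO.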

Tuesday, 19 May 2015

Protected User Group

User accounts identify users on servers and client workstations, and the process of verifying that identity is authentication. When a user logs on to a standalone or workgroup computer the identity is verified against the local SAM database; when a domain user logs on to a domain-joined computer, a domain controller authenticates them. Several authentication protocols can be used, such as NTLM, Kerberos and the Credential Security Support Provider (CredSSP). When a user is authenticated by a DC, the credentials are cached on the local machine so the user can log on later without contacting a DC.

Although every user account matters from a security point of view, some accounts are more sensitive than others. To secure those highly sensitive accounts we have options such as Fine-Grained Password Policies and Group Policy settings that restrict interactive logon. But these options do not stop the account from authenticating with weaker protocols such as NTLM and CredSSP, and they cannot stop Kerberos from using weaker encryption types during pre-authentication.

To address this, Microsoft introduced the Protected Users group in Windows Server 2012 R2. It is a global security group whose membership, rather than any configurable policy, triggers a fixed set of protections. Those protections are non-configurable and apply on devices running Windows Server 2012 R2 and Windows 8.1, and on domain controllers in domains whose PDC emulator runs Windows Server 2012 R2.

Protected Users is generally used for Domain Admin and Enterprise Admin accounts. It can be used for standard users too, but it imposes the same restrictions on them, so test in a lab before adding accounts. Service accounts and computer accounts should not be members: services and computers that authenticate with NTLM or rely on delegation will break.
When a member of Protected Users logs on to a Windows Server 2012 R2 host or a Windows 8.1 client, the following restrictions apply:
  • The account cannot authenticate using NTLM, Digest Authentication, or CredSSP. On Windows 8.1 devices the password is not cached, so anything that relies on one of these Security Support Providers (SSPs) will fail to authenticate to the domain when the account is in Protected Users.
  • Kerberos will not use the weaker DES or RC4 encryption types in pre-authentication, so the domain must support at least AES, and the account must have AES keys (its password must have been set after the domain started supporting AES).
  • The account cannot be delegated with Kerberos constrained or unconstrained delegation. Connections through systems that depended on delegating the user's identity will fail once the user is in Protected Users.
  • The Kerberos TGT lifetime defaults to four hours and is not renewable, so the user must authenticate again after four hours. The lifetime can be changed with Authentication Policies and Silos in the Active Directory Administrative Center.

Detecting members of Protected User Group:

To check if you have the Protected Users group in your domain, log in to Windows Server 2012 R2 as a domain administrator:
·         Open Server Manager from the Start screen
·         Select Active Directory Users and Computers from the Tools
·         In the left pane, expand your domain and click Users.
If Protected Users is present in the domain, you should see it on the right. By default it has no members, but users can be added to Protected Users as you would add them to any AD group.


To list the members of Protected Users with PowerShell (note that the (admincount=1) filter sometimes suggested for this lists accounts protected by AdminSDHolder, which is a different mechanism, not the members of this group):

Get-ADGroupMember -Identity "Protected Users" | Select-Object Name, SamAccountName

Prerequisites:

·  To have the Protected Users security group at all, the Active Directory schema needs to be extended to Windows Server 2012 R2 (adprep /forestprep).
·  For the group to be created and replicated, the Domain Controller holding the Primary Domain Controller emulator (PDCe) FSMO role needs to run Windows Server 2012 R2.
·  Users need to sign in on Windows 8.1 (or later) devices or Windows Server 2012 R2 (or later) servers, and authenticate to a Domain Controller running at least Windows Server 2012 R2, to get the client-side protections.
·  For the domain-controller-side protections, the domain needs to run at the Windows Server 2012 R2 domain functional level.
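Putting the restrictions above into an onboarding check, as an added example that is not code from the original post: it finds the group by its well-known RID rather than by name, lists current members, refuses to add an account that the restrictions would obviously break (SPNs, delegation), and pulls the dedicated Protected Users event channels that Microsoft documents for troubleshooting. The account name is an assumption.

```powershell
# Added example, not code from the original post. Run with the ActiveDirectory module
# (RSAT) as a domain administrator. The account name at the end is an assumption; the
# event channel names are the ones Microsoft documents for Protected Users.
Import-Module ActiveDirectory

function Get-ProtectedUsersGroup {
    # Protected Users has the well-known RID 525, so look it up by SID rather than by
    # display name. Failing here means the schema / PDC emulator prerequisites are not met.
    $domainSid = (Get-ADDomain).DomainSID.Value
    Get-ADGroup -Identity "$domainSid-525"
}

function Get-ProtectedUsersMembers {
    Get-ADGroupMember -Identity (Get-ProtectedUsersGroup) -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet |
        Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet
}

function Test-ProtectedUsersCandidate {
    # Pre-flight before adding an account: flags the things the restrictions above break.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties servicePrincipalName,
         TrustedForDelegation, 'msDS-AllowedToDelegateTo', PasswordLastSet
    $warnings = @()
    if ($u.servicePrincipalName.Count -gt 0) {
        $warnings += 'has SPNs: looks like a service account, which should not be a Protected User'
    }
    if ($u.TrustedForDelegation -or $u.'msDS-AllowedToDelegateTo'.Count -gt 0) {
        $warnings += 'has delegation configured: delegation is refused for Protected Users'
    }
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet   # must post-date AES support in the domain, else reset it
        Safe            = ($warnings.Count -eq 0)
        Warnings        = ($warnings -join '; ')
    }
}

function Add-ProtectedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $check = Test-ProtectedUsersCandidate -SamAccountName $SamAccountName
    if (-not $check.Safe) { throw "Refusing to add ${SamAccountName}: $($check.Warnings)" }
    Add-ADGroupMember -Identity (Get-ProtectedUsersGroup) -Members $SamAccountName
}

function Get-ProtectedUserEvents {
    # Protected Users activity is logged in dedicated channels that are off by default
    # (enable with: wevtutil sl <channel> /e:true). Point -ComputerName at a DC for the
    # DomainController channel.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 50)
    $channels = 'Microsoft-Windows-Authentication/ProtectedUser-Client',
                'Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController'
    foreach ($c in $channels) {
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = $c } `
            -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, MachineName, Message
    }
}

Get-ProtectedUsersMembers
Test-ProtectedUsersCandidate -SamAccountName 'jdoe.admin'   # assumed account
```

The SID lookup matters in multi-language forests where the display name is localised. The candidate check is deliberately conservative: an account that fails it may still be a fine Protected User after its SPNs or delegation are removed, but adding it first and finding out from helpdesk tickets is the failure mode the post warns about.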