Bigger, fiddly to manage: The second coming of Windows Server 2012
Microsoft's R2 unit automates but frustrates
Review New Windows client, new Windows server seems to be the pattern; and October 18, 2013 saw the release of Windows Server 2012 R2 as well as Windows 8.1. The R2 release is a paid-for upgrade, but uses the same CALs (Client Access Licenses) as Server 2012, mitigating the cost of transition.
Microsoft calls Server 2012 a Cloud OS, by which it means an operating system optimized to run private, public or hybrid clouds, where “hybrid” means some servers on your own premises or data centre, and some in Microsoft’s public cloud, called Azure.
The further implication is that Microsoft has concentrated its efforts on virtualisation, meaning not only the Hyper-V hypervisor, but also software-defined networking that abstracts virtual networks from physical networks, and virtualised storage that abstracts virtual drives from physical disks. Another strong focus is automation, driven by PowerShell support throughout the product, on top of which come management tools such as System Center’s Virtual Machine Manager and Orchestrator, and Azure’s browser-based portal.
Abstraction and automation reduce the number of people who have to wrestle with the details of Windows Server – the things that give system administrators headaches, such as DCOM activation errors, Service Principal Names, mysterious errors in the event log, certificate permissions, the labyrinthine Windows security model, group policy errors and the like.
These issues are no less likely in Server 2012 R2 than in previous versions, as I discovered when setting up one of the new features, Workplace Join, which registers mobile devices in Active Directory, on my own test network. “An attempt to fetch the password of a group managed service account failed,” declared my event log, along with other problems that took me some time to resolve.
Now compare that to the experience of logging into the Azure portal, selecting a web app from the gallery, and clicking through the wizard. It is delightful by comparison; and the more operations that can be moved to selecting from templates, galleries and scripts, the more users will enjoy using Windows Server. Virtualisation also increases the likelihood that you can solve a problem by zapping an instance and creating a new one, rather than trying to fix it. Microsoft’s push towards automation and self-service portals is the right direction, though someone still has to deal with low-level configuration.
Photo caption: Scroll past the sparse default Start menu for the complete smorgasbord
System Center 2012 R2 is a simultaneous release and is a key part of Microsoft’s overall server story. The Windows Azure Pack, also new, optionally brings the excellent Azure portal for cloud management and deployment to System Center; it is an awkward transition for existing System Center deployments but an improved experience for users and brings much-needed consistency between Azure and on-premises tools.
The list of what’s new in Server 2012 R2 is extensive. Of course it also has the Windows 8.1 Start menu changes. Hit the new Start button and you are offered just a few tiles, with a down arrow that takes you to a more complete list of built-in applications, with a right-click option to “Pin to Start”.
In practice, most admins will simply stay in the desktop environment, or use remote access. The Server Manager has a handy Tools menu that lists administrative utilities, though it is little changed from the 2012 version. You configure Windows Server by adding roles and features, where a role is a major piece like Active Directory or Web Server, and a feature a lesser piece like BitLocker drive encryption or Message Queuing. It is sometimes a struggle to remember whether a certain thing is a role, a feature, or a feature of a role; but you can usually find what you want.
The Hyper-V question is not so much whether it has caught up with VMware, but whether it is good enough that the advantages of being built into Windows and integrating smoothly with System Center and the Windows client outweigh any advantages of a third-party hypervisor. That moment came with Windows Server 2012. Hyper-V was a solid hypervisor from its first release, and the 2012 edition brought features like Hyper-V Replica, which adds resilience by replicating a VM on another server at predefined intervals, commoditising what was once an enterprise-level feature. Another key feature is dynamic memory, allowing the system to vary the available RAM in a VM on demand.
R2 is a modest update by comparison, but Replica is enhanced with configurable replication intervals, down to 30 seconds, and can be extended to three VMs, for example one locally and one remote.
There is also support for live resize of virtual hard drives, faster live migration of VMs between hosts thanks to new data transfer options, and live export of a VM. If you have a problem with a production machine, you can do a live export and test various solutions in a lab environment, minimising downtime. Another new feature is shared virtual drives, provided they are in the latest VHDX format and located on a Cluster Shared Volume or Scale Out File Server, enabling failover clustering in VMs.
Blink my hurting eyes, behold Linux
Linux integration is improved with dynamic memory and backup from the host, provided the latest integration services are in the kernel.
Finally, the most forward-looking new feature is Generation 2 VMs. Why emulate legacy hardware, the argument goes, if you are going to run a modern operating system? Generation 2 VMs have no emulated IDE controller, PCI bus, legacy BIOS or legacy network cards. Instead, they have a UEFI BIOS, enabling Secure Boot, plus virtual SCSI, VMBus and synthetic network controllers, which means optimisation for the Hyper-V environment. Only Windows Server 2012 or higher, or 64-bit Windows 8 or higher, is supported as a guest operating system.
PowerShell, Microsoft’s scripting and automation engine, is becoming the primary tool for managing and configuring Windows Server. Walking through Microsoft’s example deployments you dip between GUI tools and PowerShell commands. Some things can only be configured through PowerShell and that is by design. Server 2012 R2 introduces PowerShell 4.0, which has a ton of bug-fixes and minor improvements, and one big new feature, Desired State Configuration (DSC).
The idea of DSC is that you can define the state of a Windows Server instance in code, using configuration blocks to specify what is installed and how to define, say, registry key entries. You can also create files, run setup routines, add and remove Windows features, and so on. A DSC script is idempotent, which means it can safely be run multiple times.
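An added example, not from the article, of what such a configuration block looks like in PowerShell 4.0 DSC syntax: it installs one feature, removes another, sets a registry value and writes a marker file. The ExampleCorp registry key, the C:\Baseline and C:\DSC paths and the node name are assumptions for illustration.

```powershell
# Added example, not from the article. The ExampleCorp key and the
# C:\Baseline / C:\DSC paths are constructed placeholders.
Configuration ServerBaseline {
    param([string[]]$NodeName = 'localhost')

    Node $NodeName {
        # "What is installed": ensure the Web Server role is present ...
        WindowsFeature WebServer {
            Name   = 'Web-Server'
            Ensure = 'Present'
        }
        # ... and that a client tool with no place on a server is absent
        WindowsFeature TelnetClient {
            Name   = 'Telnet-Client'
            Ensure = 'Absent'
        }
        # A registry value the baseline requires (constructed key)
        Registry BaselineVersion {
            Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Baseline'
            ValueName = 'Version'
            ValueData = '1.0'
            ValueType = 'String'
            Ensure    = 'Present'
        }
        # A directory and a marker file with fixed contents
        File BaselineDir {
            DestinationPath = 'C:\Baseline'
            Type            = 'Directory'
            Ensure          = 'Present'
        }
        File BaselineMarker {
            DestinationPath = 'C:\Baseline\applied.txt'
            Contents        = 'ServerBaseline 1.0'
            Type            = 'File'
            Ensure          = 'Present'
            DependsOn       = '[File]BaselineDir'
        }
    }
}

# Compile the configuration into a MOF document, then apply it.
ServerBaseline -OutputPath 'C:\DSC\ServerBaseline'
Start-DscConfiguration -Path 'C:\DSC\ServerBaseline' -Wait -Verbose

# Idempotent: applying it again changes nothing that is already compliant,
# and Test-DscConfiguration returns True while the node matches the MOF.
Start-DscConfiguration -Path 'C:\DSC\ServerBaseline' -Wait -Verbose
Test-DscConfiguration
```

Running Test-DscConfiguration on a schedule is a cheap drift check: a False result means someone or something has changed the node away from its declared state.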
Defining the state of a server in code has huge potential. You can imagine, for example, applications that have all their deployment requirements coded and versioned in the same way as the rest of their code. DSC depends on providers though, and these are limited to essential Windows features for now.
Opscode, the company behind a configuration automation tool called Chef, is working on using DSC to improve Chef support for Windows.
DSC is promising but needs more providers, third-party support and example scripts to realise its potential.
Bring your own device
If virtualisation is the number-one effort in Server 2012 R2, then support for Bring Your Own Device (BYOD) must be number two. The goal looks something like this. Users can register their PC or gadget for workplace use, giving them access to a company portal for installation of corporate apps. Company documents are available in work folders on the device, and they also have access to Windows desktops and applications via Remote Desktop Protocol (RDP).
Single sign-on avoids repeated authentication, but multi-factor authentication is supported where needed. Documents may be encrypted. If the user leaves the company, or the device is stolen, selective remote wipe removes corporate apps and data. Administrators manage everything through System Center Configuration Manager.
Sounds good, but there are a lot of moving parts here, some of which do not yet work smoothly or are not quite done. The pieces include Windows Intune, which is a cloud service for mobile device management; Active Directory supplemented by Active Directory Federation Services (ADFS); Windows Server file services; Remote Desktop Services; Information Rights Management; and System Center to provide an integrated management console.
New in Server 2012 R2 is Workplace Join, also called Device Registration, which allows users to register devices in Active Directory. This installs a certificate on the device and enables single sign-on via ADFS. Windows (including Windows RT for Microsoft’s ARM-based tablets) and iOS devices are supported, with Android support to follow. New in System Center 2012 R2 is the ability for Configuration Manager to link to Intune to provide a single management console for PCs and devices.
Work Folders, which publishes a user document folder so that a synchronised copy appears on their PC and device, is also a new feature. Currently only Windows 8.1 clients are supported, including Windows RT, but support is promised for other platforms. Work Folders is a new feature of File and Storage Services in Windows Server, and can be accessed remotely without a VPN.
Microsoft handed press attendees at a Server 2012 R2 workshop Windows RT devices running the released-to-manufacturers version of Windows 8.1 RT, allowing hacks to try out the kit. After successfully turning on Workplace Join and Device Management, you can run the Company Portal app. You run the app and a login dialog appears. You enter your username, then, rather than letting you enter a password, the app redirects you to a second login where you have to enter your username all over again, following which sometimes the company portal eventually appears, and sometimes you get an error and have to try again.
Work Folders raises the question of why Microsoft has introduced yet another technology for file sync, joining offline files (a feature of Windows Server for years) and SkyDrive Pro, which works with SharePoint and is an evolution of Ray Ozzie’s Groove, not to mention the consumer SkyDrive or abandoned technologies like Live Mesh. The advantage of Work Folders is forthcoming device support and, I suppose, the fact that it does not need SharePoint.
RDP on devices, on the other hand, works well, even over the internet, probably because it is based on mature technology.
Acts of backroom bravery
Buying into Microsoft’s entire device management stack today looks brave, especially with Android support still mostly not yet available, beyond ActiveSync. Some parts work fine, but for others wait and see seems the right approach for now.
Server 2012 introduced Storage Spaces, which let you create pools of resilient storage from JBOD (“Just a bunch of drives”), on which you create virtual drives that can be thinly provisioned, meaning that the virtual drives are bigger than the underlying storage. The idea is that you add more drives as the space fills. It is a great feature, making sense of storage without the expense and vendor lock-in of a SAN (Storage Area Network).
New in the R2 release is tiered storage spaces. You can have a mix of solid state (SSD) and conventional drives and Windows Server will automatically place the most frequently accessed blocks on the fast SSDs. You can also pin files to a tier. A snag with tiered virtual disks is that they do not support thin provisioning.
Tiered storage supports a write-back cache. This can greatly improve disk write speed, by writing temporarily to the SSD tier, then moving the blocks later to the conventional drives. Microsoft MVP Aidan Finn, with Ireland’s MicroWarehouse, measured an 11.44-fold improvement in IO operations per second (IOPS) using tiered storage.
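An added example, not from the article, of building the pool, tiers and tiered virtual disk described above with the Server 2012 R2 storage cmdlets. Pool, tier and disk names, the tier sizes, the cache size and the pinned file path are assumptions for illustration.

```powershell
# Added example, not from the article. Names, sizes and paths are assumed.
# Pool every eligible disk (JBOD with no existing partitions).
$disks  = Get-PhysicalDisk -CanPool $true
$subsys = (Get-StorageSubSystem | Select-Object -First 1).FriendlyName
New-StoragePool -FriendlyName 'Pool1' -StorageSubSystemFriendlyName $subsys `
    -PhysicalDisks $disks

# Two tiers; Windows places hot blocks by media type (SSD vs HDD).
$ssd = New-StorageTier -StoragePoolFriendlyName 'Pool1' -FriendlyName 'SSDTier' -MediaType SSD
$hdd = New-StorageTier -StoragePoolFriendlyName 'Pool1' -FriendlyName 'HDDTier' -MediaType HDD

# A mirrored, tiered virtual disk with a 1 GB write-back cache on the SSD tier.
# The snag from the text: tiered disks must be fixed-provisioned, so
# -ProvisioningType Thin is not accepted together with -StorageTiers.
New-VirtualDisk -StoragePoolFriendlyName 'Pool1' -FriendlyName 'TieredSpace' `
    -StorageTiers @($ssd, $hdd) -StorageTierSizes @(100GB, 1TB) `
    -ResiliencySettingName Mirror -ProvisioningType Fixed -WriteCacheSize 1GB

# Initialise, partition and format it as volume E:
Get-VirtualDisk -FriendlyName 'TieredSpace' | Get-Disk |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter E -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Tiered' -Confirm:$false

# Pin a hot file to the SSD tier; the move happens at the next tier optimisation.
Set-FileStorageTier -FilePath 'E:\VMs\sql01.vhdx' -DesiredStorageTier $ssd
Optimize-Volume -DriveLetter E -TierOptimize
```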
Data deduplication, introduced in Server 2012, now supports running VDI (Virtual Desktop Infrastructure) instances in Remote Desktop Services. This requires virtual hard drives stored on Server 2012 R2 and accessed using SMB (Server Message Block). Space saving can be dramatic, and performance may actually increase thanks to caching of frequently accessed data.
It is easy to see the direction of Windows Server storage. In combination with Windows Azure, administrators will be able to set up in effect infinite storage, with tiers ranging from fast SSD to slow cloud-based storage, transparent to the user.
Small businesses still screwed
The last version of Microsoft’s Small Business Server (SBS) was SBS 2011, based on Server 2008 R2. It included Exchange, SharePoint and Software Update Services, forming a one-box solution for businesses with up to 75 users. A single SBS CAL covered both Windows and Exchange. In the Server 2012 wave, Microsoft scrapped SBS, replacing it with Windows Server Essentials, which does not require CALs but is limited to 25 users. Essentials does not include Exchange but does integrate with Office 365.
The disappearance of SBS means small businesses that want to stay on Microsoft’s platform have to migrate to Office 365, or else move from SBS to a multi-server installation. Essentials can work with on-premises Exchange, but migrating to Essentials plus Exchange means a second server running the Standard edition, which means Windows CALs, Exchange CALs, Remote Desktop Services CALs, and a more complex setup.
There is no change of heart with Essentials 2012 R2, but it is a little more flexible. Essentials R2 includes a Hyper-V licence so that you can install it as a VM, which is now recommended. You can now expand beyond 25 users by installing Essentials as a role on the Standard or Datacenter edition, though CALs then apply.
There is deeper integration with Office 365, including the ability to create user groups and Office 365 distribution groups. Mobile device management via ActiveSync is built in if you have Office 365. Finally, client PC backup, which is one of the best features of Essentials, is improved to support full system restore over the network.
Embracing the hybrid cloud
There are plenty of solid improvements in Windows Server 2012 R2 – I’ve only succeeded in scratching the surface here. Microsoft’s USP is hybrid cloud, and in this space it has made rapid progress thanks to infrastructure-as-a-service in Azure, excellent work in ADFS, now coming into its own as a way of managing authentication both on-premises and for cloud applications, and virtual networking, which lets organisations scale out to Azure while keeping their existing subnets intact.
Hyper-V’s rapid evolution means that virtualisation is now deeply embedded into the Windows platform, something which just a few years ago seemed a distant possibility. Management tools for Azure and System Center are becoming more consistent with the introduction of the Windows Azure Pack. If you do not want to trust Microsoft with your data, hosting providers can provide much of the same. Microsoft’s claims for “Cloud OS” are now plausible.
On the device side Microsoft is still scrambling to keep pace, and the complex device management story is now the weakest aspect of Microsoft’s server platform.
Another downside is that if you have to tangle with Windows administration in detail it is still not much fun, as complex and sometimes bewildering as ever. Then again, the strategy of automation and virtualisation means that working with Windows Server is simplified for most users.
If you want hybrid cloud – and the evidence is that most enterprises do – Microsoft’s server platform is a strong choice and the R2 release wave a solid upgrade. ®