In the first post of this series I highlighted that with Windows Server 2016 there are some feature differences between the Standard and the Enterprise Editions that might get lost in some of the messaging. In this series of posts I’m going to be highlighting the feature set of Windows Server 2016 Standard, drawing on a few different resources, the primary one being the Windows Server 2016 Technical Preview 5 Feature Comparison. As mentioned in the first post of the series, these will focus on what’s new from a Windows Server 2012 R2 perspective, rather than a Windows Server 2008 R2 or Windows Server 2012 perspective. I will focus on those later if needed.
Following on from the previous post in the series, which was on Compute, today’s topic is Networking, and below you will find the information from the Feature Comparison Guide. Networking is one of the areas where Windows Server 2016 Datacenter has additional capabilities that aren’t included with Windows Server 2016 Standard edition, the primary one being the centralised Network Controller capabilities.
Please note that these are subject to change and are based on Windows Server 2016 Technical Preview 5. If any adjustments need to be made, please leave a comment.
Networking is a foundational part of the platform, and Windows Server 2016 provides new and improved technologies.
Virtual Machine Multi-Queue (VMMQ)
Physical NICs that support VMMQ (Virtual Machine Multi-Queue) can offload some of the network traffic processing from virtual RSS into a traffic queue on the physical NIC itself. VMMQ is VMQ integrated with vRSS in the hardware. Ultimately, this means virtual machines can sustain a greater networking traffic load by distributing the processing across multiple cores on the host and multiple cores in the virtual machine. vRSS continues to run on top of VMMQ to distribute the work across the logical processors. The number of hardware queues VMMQ uses for a particular VM’s traffic has no relationship to the number of RSS queues inside that VM.
Encapsulation Task Offloads (NVGRE, VXLAN)
Either NVGRE or VXLAN can be used to create a tenant overlay virtual network by encapsulating the tenant’s traffic transmitted between Hyper-V VMs. Encapsulation can be an expensive CPU operation for the Hyper-V host, so the ability to offload these operations to a physical network adapter increases throughput and decreases host CPU load. The ability to offload these encapsulation operations for NVGRE has been available since Windows Server 2012 R2. Support for VXLAN encapsulation task offloads has been added in Windows Server 2016. This feature is developed in partnership with our NIC vendors who have a supporting driver.
There is support for hardware compatible with Data Center Bridging (DCB). DCB makes it possible to use a single ultra-high-bandwidth NIC while providing QoS and isolation services to support the multitenant workloads expected in private cloud deployments. New in Windows Server 2016 is the ability to use Network QoS (DCB) with a Hyper-V switch.
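The following PowerShell is an added example (not from the original post or the Feature Comparison guide) of how the three hardware features above are checked and enabled on a host. The adapter name "pNIC1" and the VM name "Tenant01" are assumptions; substitute your own. The cmdlets are the in-box NetAdapter, Hyper-V and DcbQoS modules; VMMQ and encapsulation offload only take effect when the NIC driver advertises support, which is why the example queries before it enables.

```powershell
# Added example, not code from the original post. Assumed names:
# physical adapter "pNIC1" backing the Hyper-V switch, VM "Tenant01".
$Nic = "pNIC1"

# 1. Inspect what the adapter can offload before relying on it.
Get-NetAdapterRss -Name $Nic | Format-List Name, Enabled, NumberOfReceiveQueues
Get-NetAdapterEncapsulatedPacketTaskOffload -Name $Nic

# Enable NVGRE/VXLAN encapsulation task offload (no-op if unsupported).
Enable-NetAdapterEncapsulatedPacketTaskOffload -Name $Nic

# 2. VMMQ on the VM's vNIC: hardware queues on the host, vRSS in the guest
#    spreads the queues across the VM's logical processors.
Set-VMNetworkAdapter -VMName "Tenant01" -VmmqEnabled $true -VrssEnabled $true

# 3. DCB / Network QoS on the converged adapter.
Install-WindowsFeature -Name Data-Center-Bridging

# Classify SMB Direct (TCP 445) as 802.1p priority 3 and enable
# priority flow control on that class only, so lossless storage traffic
# cannot starve or be starved by tenant traffic on the same link.
New-NetQosPolicy -Name "SMB" -NetDirectPortMatchCondition 445 -PriorityValue8021Action 3
Enable-NetQosFlowControl -Priority 3
Disable-NetQosFlowControl -Priority 0,1,2,4,5,6,7

# ETS: guarantee priority 3 at least 50% of link bandwidth under congestion.
New-NetQosTrafficClass -Name "SMB" -Priority 3 -BandwidthPercentage 50 -Algorithm ETS

# The host is authoritative for its QoS settings; do not accept DCBX
# configuration pushed down by the upstream switch.
Set-NetQosDcbxSetting -Willing $false

# Bind the DCB configuration to the adapter and show the result.
Enable-NetAdapterQos -Name $Nic
Get-NetAdapterQos -Name $Nic
```

Run it in an elevated PowerShell on the Hyper-V host. The `Disable-NetQosFlowControl` line is deliberate: leaving PFC on for every priority lets any traffic class pause the link, which defeats the isolation the page describes.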
Core Network Infrastructure Services
There are a number of enhancements to the core networking services of DNS and IP Address Management in Windows Server 2016. The key new capability is DNS Server policies, which allow you to provide policy-based answers to DNS clients based on factors like client network location, time of day, or health-based global load balancing.
Domain Name System (DNS) is one of the industry-standard suite of protocols that comprise TCP/IP, and together the DNS Client and DNS Server provide name resolution (computer name to IP address mapping) services to computers and users. The following are new and updated features of DNS for Windows Server 2016:
- DNS Policies: You can now configure DNS policies to specify how a DNS server responds to DNS queries. DNS responses can be based on client IP address (location), time of day, and several other parameters, enabling location-aware DNS, traffic management, load balancing, split-brain DNS, and other scenarios. These policies allow you to perform sophisticated name resolution, pointing DNS clients to alternate service locations using a more flexible decision-making policy. The policies can be useful in these situations:
  - Application high availability. DNS clients are redirected to the healthiest endpoint for a given application.
  - Traffic management. DNS clients are redirected to the closest datacenter.
  - Split-brain DNS. DNS records are split into different zone scopes, and DNS clients receive a response based on whether they are internal or external clients.
  - Filtering. DNS queries from a list of malicious IP addresses or FQDNs are blocked.
  - Forensics. Malicious DNS clients are redirected to a sinkhole instead of the computer they are trying to reach.
  - Time-of-day based redirection. DNS clients can be redirected to datacenters based on the time of day.
- Response Rate Limiting: You can now enable response rate limiting on your DNS servers. By doing this, you avoid the possibility of malicious systems using your DNS servers to initiate a denial of service attack on a target.
- DNS-based Authentication of Named Entities (DANE): You can now use TLSA (Transport Layer Security Authentication) records to tell DNS clients which CA they should expect to have issued the certificate for your domain name. DANE prevents man-in-the-middle attacks where someone corrupts the DNS cache to point to their own website and presents a certificate they obtained from a different CA.
- Unknown record support: You can now add records which are not explicitly supported by the Windows DNS server using the unknown record functionality.
- IPv6 root hints: You can use the native IPv6 root hints support to perform internet name resolution using the IPv6 root servers.
- Windows PowerShell Support: New Windows PowerShell cmdlets are available for DNS Server. The new cmdlets allow for management of the new DNS server capabilities and some more granular management of existing DNS Server features.
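The following PowerShell is an added example, not code from the original post or the Feature Comparison guide, that puts the DNS Policies, Response Rate Limiting and DANE items above together on one Windows Server 2016 DNS server using the DnsServer module cmdlets. The zone name "contoso.example", the internal range 10.0.0.0/8, the blocked range 203.0.113.0/24, the record addresses and the TLSA hash are all constructed values; replace them with your own.

```powershell
# Added example, not from the original post. All names and addresses are
# constructed: zone "contoso.example", internal clients in 10.0.0.0/8,
# a blocked source range 203.0.113.0/24. Run on the DNS server itself.
$Zone = "contoso.example"

# --- Split-brain DNS with zone scopes ---------------------------------
# Define which client addresses count as "internal".
Add-DnsServerClientSubnet -Name "InternalClients" -IPv4Subnet "10.0.0.0/8"

# A second scope of the same zone carries the internal view of the records.
Add-DnsServerZoneScope -ZoneName $Zone -Name "Internal"

# Default scope: public address. Internal scope: private address.
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name "www" -IPv4Address "198.51.100.10"
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name "www" -IPv4Address "10.20.30.40" -ZoneScope "Internal"

# Zone-level policy: internal clients are answered from the Internal
# scope; every other client falls through to the default scope.
Add-DnsServerQueryResolutionPolicy -Name "SplitBrainInternal" -Action ALLOW `
    -ClientSubnet "EQ,InternalClients" -ZoneScope "Internal,1" -ZoneName $Zone

# --- Filtering: drop queries from a known-bad source range ------------
Add-DnsServerClientSubnet -Name "BlockedSources" -IPv4Subnet "203.0.113.0/24"
# Server-level policy. IGNORE drops the query with no response at all;
# DENY would return a refusal, which still costs an outbound packet.
Add-DnsServerQueryResolutionPolicy -Name "DropBlockedSources" -Action IGNORE `
    -ClientSubnet "EQ,BlockedSources"

# --- Response Rate Limiting -------------------------------------------
# Limit identical responses and errors per second per client subnet so the
# server cannot be used to amplify a reflected flood. LogOnly mode records
# what would be dropped; switch to Enable once the logs look sane.
Set-DnsServerResponseRateLimiting -ResponsesPerSec 5 -ErrorsPerSec 5 -WindowInSec 5 -Mode LogOnly -Force
Get-DnsServerResponseRateLimiting

# --- DANE: publish a TLSA record for the HTTPS endpoint ---------------
# _443._tcp.www.<zone> pins the end-entity certificate by the SHA-256 of
# its SubjectPublicKeyInfo (usage 3 / DANE-EE). The hash is a placeholder;
# compute the real value from the server certificate. Validating clients
# only honour TLSA when the zone is DNSSEC-signed.
$SpkiHash = "0" * 64   # PLACEHOLDER: 64 hex characters of SHA-256
Add-DnsServerResourceRecord -ZoneName $Zone -Name "_443._tcp.www" -TLSA `
    -CertificateUsage DomainIssuedCertificate -Selector SubjectPublicKeyInfo `
    -MatchingType Sha256Hash -CertificateAssociationData $SpkiHash

# --- Verify -----------------------------------------------------------
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone   # zone-level policies
Get-DnsServerQueryResolutionPolicy                   # server-level policies
Get-DnsServerResourceRecord -ZoneName $Zone -Name "www" -ZoneScope "Internal"
```

Policies are evaluated in processing order, so if you add further zone-level policies, check the `ProcessingOrder` column in the `Get-DnsServerQueryResolutionPolicy` output to confirm the split-brain rule is still matched first. For a first rollout of RRL, `-Mode LogOnly` is the safer choice because an over-tight limit silently drops legitimate answers.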
Along with the new Windows Server 2016 capabilities, the previous enhancements from DNS Server in Windows Server 2012 R2 are still available, including expanded logging and diagnostics, zone-level statistics, DNSSEC support, and dynamically-ordered DNS forwarder lists.
DNS Client Service Binding Improvement for Multi-Homed Systems
In Windows Server 2016 (and Windows 10), the DNS Client service offers enhanced support for computers with more than one network interface. For multi-homed computers, DNS resolution is optimized in the following ways:
- When a DNS server that is configured on a specific interface is used to resolve a DNS query, the DNS Client service will bind to this interface before sending the DNS query. By binding to a specific interface, the DNS client can clearly specify the interface where name resolution occurs, enabling applications to optimize communications with the DNS client over this network interface.
- If the DNS server that is used is designated by a Group Policy setting from the Name Resolution Policy Table (NRPT), the DNS Client service does not bind to a specific interface.
IPAM: Enhanced IP Address Management
In addition to the capabilities of the IP Address Management feature of Windows Server that were introduced in Windows Server 2012 R2, there are a number of Windows Server 2016 enhancements. These include:
- Handling very small subnets. IPv4 /32 subnets and IPv6 /128 subnets are now supported. These are becoming more common for point-to-point links between switches or switch loopback addresses.
- PowerShell cmdlets to find free address ranges and subnets. New PowerShell cmdlets are added to help find free IP address subnets or ranges in an IP address block or subnet respectively.
- Enhanced DNS service management. New DNS management features are added allowing administration of a wider range of DNS elements, including resource records, zones, and conditional forwarders. The role-based access control feature has been enhanced to support delegation of granular DNS operations.
- Multiple Active Directory Forest support. Now IPAM can manage DNS and DHCP in non-local forests, provided a two-way trust is in place.
- PowerShell support for role-based access control. The IPAM PowerShell manageability has been extended to allow for configuration of access scopes against IPAM elements.
- Integrated DNS, DHCP, and IP Address Management. Several new experiences and integrated lifecycle management operations are enabled, such as visualizing all DNS resource records that pertain to an IP address, automated inventory of IP addresses based on DNS resource records, and creating or deleting related DNS and DHCP objects from the IP address pivot.
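As an added example (not from the original post), the PowerShell below exercises two of the IPAM items above: the new free-subnet and free-range search cmdlets, and registering a /32 loopback as a subnet. It assumes an IPAM server that already has the private IPv4 block 10.0.0.0/8 and a subnet 10.10.0.0/16 provisioned; those addresses and the loopback 10.255.0.1/32 are constructed values.

```powershell
# Added example, not from the original post. Assumes the IpamServer module
# and a provisioned private block 10.0.0.0/8 containing subnet 10.10.0.0/16
# (constructed values). Run on the IPAM server or a management workstation
# with the IPAM client feature installed.

# Locate the block, then ask IPAM for the next two unused /24 subnets in it.
$Block = Get-IpamBlock -AddressFamily IPv4 -AddressCategory Private `
    -StartIPAddress 10.0.0.0 -EndIPAddress 10.255.255.255
Find-IpamFreeSubnet -InputObject $Block -NumberOfSubnets 2 -PrefixLength 24

# Locate an existing subnet and ask for a free run of 16 consecutive
# addresses inside it (for example, for a new DHCP scope).
$Subnet = Get-IpamSubnet -AddressFamily IPv4 -AddressCategory Private -NetworkId "10.10.0.0/16"
Find-IpamFreeRange -InputObject $Subnet -NumberOfAddresses 16

# /32 is now a valid subnet size: track a switch loopback so it shows up in
# inventory and cannot be handed out again elsewhere.
Add-IpamSubnet -Name "sw01-loopback" -NetworkId "10.255.0.1/32" -NetworkType NonVirtualized

# Confirm the loopback was recorded.
Get-IpamSubnet -AddressFamily IPv4 -AddressCategory Private -NetworkId "10.255.0.1/32"
```

Feeding the `Find-Ipam*` results straight into `Add-IpamSubnet` or a DHCP scope is how you avoid the overlapping-allocation mistakes that IPAM exists to catch; the search is done against IPAM's inventory, so anything not recorded in IPAM (including ranges configured by hand on devices) is invisible to it.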