
Step by Step Guide to Building Your Own Nano Server with Windows Server 2016 Technical

Windows Server 2016 TP4 introduced two new major virtualization features: Nano Server and Windows Containers. This how-to focuses on setting up a new Windows Nano Server in your lab environment.

What is Windows Nano Server?

Nano Server is a headless version of Windows Server designed to improve security and reliability by minimizing the attack surface of the operating system and reducing resource overhead. Microsoft states that Nano Server will have:
  • 93% smaller VHD size
  • 92% fewer critical bulletins
  • 80% fewer required reboots
Although Microsoft first introduced Server Core with Windows Server 2008, this is their smallest and most secure installation option to date. The reduced hardware requirements can be visualized in the following diagram:


Why is Nano Server Important to my Organization?

Although all organizations can benefit from the improved virtualization and security features of Windows Nano Server, here is a brief list of 5 points to consider for your organization:
  • Improved Security: With a reduced attack surface and no Internet Explorer or GUI to exploit, Nano Server is the most secure installation option for Windows servers. By default, there are only 12 ports opened on a Nano Server compared to 34 ports on a full Windows GUI Server install.
  • Lowered Total Cost of Ownership (TCO): Because Nano Server creates very little overhead, companies will not need to dedicate as many resources to server patching and maintenance. As a direct result of the improved security, organizations that must comply with PCI, SOX, or HIPAA will see significant returns in the reduced amount of time spent patching vulnerabilities.
  • Fast Boot Times: The boot IO of Nano Server is around 150 MB. In my lab, I’m seeing boot times of around 5-10 seconds.
  • Fewer Reboots Required: Microsoft is estimating that Nano Server will only require 3 reboots a year for security patching, and is working diligently to get that number down to 2 reboots per year. Fewer reboots means less interruption to services and less after-hours work for your employees.
  • Smaller Server Image: Nano Server is 20x smaller than the full GUI installation of Windows Server. This will reduce the amount of space consumed on your expensive SAN storage by the operating system.
Server Roles
Below is a list of server roles currently supported on Windows Nano Server.
Containerization also allows Nano Server to scale rapidly. This video demonstrates Nano Server running 1,000 VMs on an 8 processor server with 1TB of RAM: https://channel9.msdn.com/Blogs/Regular-IT-Guy/Quick-Nano-Server-Scale-Demo

So let’s get started building our own Nano server!
Pre-Requisites

First, you’ll need to download an evaluation copy of Windows Server 2016 TP 4 using your MSDN subscription, or available here:

https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-technical-preview

We’ll cover both physical and virtual installations for the server, so you’ll need access to both platforms for this lab. To deploy on a physical server, you’ll need to download the Microsoft USB Download tool, available here: http://wudt.codeplex.com/

You’ll also need a separate instance of Server 2016 TP4 running to use the management consoles to access and manage the Nano Server.
Step 1 – Mount the ISO

After you finish downloading the Windows Server 2016 TP4 ISO, you’ll need to double click the file to mount it in File Explorer. In our lab, this is mounted as drive letter E:.



Step 2 – Build the Nano Server VHD or VHDX file
Nano Server is not a default installation option when you boot from the Windows Server 2016 TP4 ISO, so we’ll need to create a bootable VHD(X) file to use. In this lab, we will be creating a VHDX volume which requires UEFI or a second generation Hyper-V VM. We will also auto join the Nano server to an Active Directory domain during the VHDX creation process.
Create a bootable VHDX for a Physical Server with the Hyper-V Role Installed

Open a PowerShell admin command prompt, navigate to C:\Temp (or any directory where you’d like to build your VHDX image) and run the following script. (Be sure to modify the Domain and Server name/filepath to fit your needs.)

# Local Administrator password for the image (lab value; replace it)
$adminPass = ConvertTo-SecureString "SecurePassword!2015" -AsPlainText -Force
$Domain = 'YourDomain.com'
# Load the image generator module from the mounted ISO
Import-Module 'E:\NanoServer\NanoServerImageGenerator.psm1'
# -OEMDrivers: drivers for physical hardware; -Compute: Hyper-V role
New-NanoServerImage -MediaPath 'E:\' `
    -BasePath .\Base -TargetPath .\Nano-01.vhdx -ComputerName NANO-01 `
    -OEMDrivers -Storage -Defender -Compute -Clustering -Containers -EnableRemoteManagementPort `
    -AdministratorPassword $adminPass -DomainName $Domain #-ReuseDomainNode
Create a bootable VHDX for a Virtual Server with the Hyper-V Role Installed

Creating a VHDX for a virtual server is the same as a physical server, except we will include guest drivers instead of the OEM drivers package.

Open a PowerShell admin command prompt, navigate to C:\Temp (or any directory where you’d like to build your VHDX image) and run the following script. (Be sure to modify the Domain and Server name to fit your needs.)

# Local Administrator password for the image (lab value; replace it)
$adminPass = ConvertTo-SecureString "SecurePassword!2015" -AsPlainText -Force
$Domain = 'YourDomain.com'
# Load the image generator module from the mounted ISO
Import-Module 'E:\NanoServer\NanoServerImageGenerator.psm1'
# -GuestDrivers: Hyper-V guest drivers instead of the OEM driver package
New-NanoServerImage -MediaPath 'E:\' `
    -BasePath .\Base -TargetPath .\Nano-01.vhdx -ComputerName NANO-01 `
    -GuestDrivers -Storage -Defender -Compute -Clustering -Containers -EnableRemoteManagementPort `
    -AdministratorPassword $adminPass -DomainName $Domain #-ReuseDomainNode
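The build scripts above keep the administrator password as a literal in the script. The following is an added example, not part of the original post, that builds the same virtual-server image while prompting for the password and records a hash of the finished VHDX so the copy made in Step 3 can be verified. It assumes the ISO is mounted as E: and reuses the post's names (NANO-01, Nano-01.vhdx, YourDomain.com); for a physical server, swap -GuestDrivers for -OEMDrivers.

```powershell
# Added example: same image build as above, without a password in the script.
# Assumptions: ISO mounted as E:, run from the build directory (e.g. C:\Temp).
$ErrorActionPreference = 'Stop'

$mediaPath  = 'E:\'
$modulePath = Join-Path $mediaPath 'NanoServer\NanoServerImageGenerator.psm1'
$targetPath = Join-Path $PWD.Path 'Nano-01.vhdx'

if (-not (Test-Path $modulePath)) {
    throw "Image generator module not found at $modulePath; is the ISO mounted?"
}

# Prompt instead of ConvertTo-SecureString -AsPlainText, so the password is
# never written to the script file or the command history.
$adminPass = Read-Host -AsSecureString -Prompt 'Administrator password for NANO-01'

Import-Module $modulePath
New-NanoServerImage -MediaPath $mediaPath `
    -BasePath .\Base -TargetPath $targetPath -ComputerName 'NANO-01' `
    -GuestDrivers -Storage -Defender -Compute -Clustering -Containers `
    -EnableRemoteManagementPort `
    -AdministratorPassword $adminPass -DomainName 'YourDomain.com'

# Record the hash of the finished image.
$built = Get-FileHash -Path $targetPath -Algorithm SHA256
$built | Select-Object Algorithm, Hash, Path | Format-List

# After copying the file in Step 3 (USB drive or Hyper-V repository),
# compare the copy against the recorded hash, for example:
#   (Get-FileHash 'D:\Nano-01.vhdx' -Algorithm SHA256).Hash -eq $built.Hash
```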
Step 3a – Deploy Nano Server as the Native Boot Option on a Physical Server
First, we’ll need a bootable USB drive. Follow the instructions here to create a bootable drive using the Windows Server 2016 TP4 ISO that you already have downloaded: https://www.microsoft.com/en-us/download/windows-usb-dvd-download-tool
Next, copy the Nano-01.vhdx file that you created in Step 2 to the root of your USB drive.
Boot your server from the USB drive and select the Repair your computer option from the boot menu:
Complete the following steps to erase all data from the hard drive and boot from your VHDX file. This portion assumes that your USB drive is letter D:.
diskpart
select disk 0
clean
create partition primary size=300
format quick fs=FAT32
assign letter=s
active
create partition primary
format quick fs=ntfs
assign letter=C
exit
copy D:\Nano-01.vhdx C:\
diskpart
select vdisk file=C:\Nano-01.vhdx
attach vdisk
list volume
select volume <volume_number_of_attached_VHD>
assign letter=E
exit
cd E:\windows\system32
bcdboot E:\windows /s S:

* You may also need to identify the hidden virtual system drive and configure the boot options on this volume as well:

diskpart
list volume
select volume <Volume with no drive letter>
assign letter=q
exit
bcdboot E:\windows /s Q:
Reboot and remove USB drive

Congratulations! You now have a bootable Windows Nano Server!
Step 3b – Deploy Nano Server as a Virtual Machine

Creating a virtual machine and booting from it is considerably easier.
Copy your Nano-01.vhdx file to your VHD repository on your Hyper-V server
Create a new Gen2 VM and select it to boot from the VHDX file you created
Step 4 – Managing Your Nano Server

One of the main security benefits of Windows Nano Server is that there is no windowed GUI. This means all management must be done via PowerShell or Remote Server Administration Tools.

This requires some initial setup on the Nano Server from the console. First you’ll need to log in using your domain credentials:



Next, you’ll have the option to configure a static IP address or enable Windows Firewall rules. For ease of management, I recommend enabling the SMB rules as well as the WinRM related rules.

Once your Nano Server is configured to allow remote access, you can log into your Windows Server 2016 TP4 server with the full desktop experience and use the Hyper-V MMC to connect to your new Nano Server for management. Just right click the Hyper-V Manager icon and select Connect to Server:



Then enter the server name and click OK:

Now you have access to configure your Hyper-V server to your needs!

Note: if you’re using a static IP address to create a virtual switch on the same interface as your management network, you may need to reconfigure the static IP via PowerShell from another Server 2016 TP4 server after the vSwitch is created. For instance:

Enter-PSSession <ServerName>
netsh interface ip show interfaces
netsh interface ip set address "connection name" static 192.168.0.101 255.255.255.0 192.168.0.1
netsh interface ip set dns "connection name" static 10.0.0.1 primary
netsh interface ip add dns "connection name" addr=10.0.0.2 index=2
Exit-PSSession
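After enabling the SMB and WinRM firewall rules in Step 4, it is worth confirming what the server actually exposes. The following is an added example, not part of the original post, run from the management server. It assumes the host name NANO-01, a domain account with administrative rights on it, and that the Get-NetTCPConnection and Get-NetFirewallRule cmdlets are present in the Nano Server image.

```powershell
# Added example: review the remote-management exposure of the Nano Server.
# Assumptions: host name NANO-01; NetTCPIP and NetSecurity cmdlets exist on it.
$nano = 'NANO-01'

# 1. Probe from the network side: SMB, WinRM over HTTP/HTTPS, and RDP.
$probe = foreach ($port in 445, 5985, 5986, 3389) {
    $result = Test-NetConnection -ComputerName $nano -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $port; Reachable = $result.TcpTestSucceeded }
}
$probe | Format-Table -AutoSize

# 2. Confirm the WinRM service answers (throws if it does not).
Test-WSMan -ComputerName $nano | Out-Null

# 3. Ask the server itself what is listening and which inbound rules are on.
$report = Invoke-Command -ComputerName $nano -ScriptBlock {
    $listening = Get-NetTCPConnection -State Listen |
        Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True |
        Select-Object DisplayGroup, DisplayName
    [pscustomobject]@{ ListeningPorts = $listening; InboundRules = $rules }
}

"Listening TCP ports ($($report.ListeningPorts.Count)): $($report.ListeningPorts -join ', ')"
$report.InboundRules | Sort-Object DisplayGroup, DisplayName | Format-Table -AutoSize
```

Saving this output right after the build gives a baseline to compare against once roles are added or further rule groups are enabled.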
Conclusions

While Windows Nano Server is a huge leap forward in security and server management, one of the main drawbacks that I ran into was a lack of iSCSI support. This means that I could not use shared storage on my Nano cluster to maintain high availability. This feature is expected to be released as part of Windows Server 2016 RTM, so we’ll have to wait patiently until then.