
Feature Comparison

Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2

Published: March 24th, 2014

Introduction

General Features Overview

© 2014 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

This feature comparison guide compares the selected features of Microsoft Windows Server 2008 R2, Microsoft Windows Server 2012, and Microsoft Windows Server 2012 R2. The “General Features Overview” section compares a wider range of features across all three releases. The comparison table in this section includes comments in regard to each release, as well as notation about how well each feature is supported. The legend for this notation is given in the table below.

Level of Feature Support

Feature is supported

Feature is only partially supported

Feature is not supported


This section compares the major features of Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.


Identity and Access

DirectAccess

Unified server role that combines three networking services—DirectAccess, routing, and remote access—into one unified server role with remote access.1

Single point of configuration and management for remote access server deployment with a new unified server role for DirectAccess, and Routing and Remote Access service (RRAS).

Dynamic Access Control

Centralized control and auditing access to file servers with claims-based access and File Classification.2

Ability to restrict access to sensitive files regardless of user actions through file security policy at the domain level, which is enforced across virtually all file servers in Windows Server 2012 R2 with File Classification, access control policies, and audit policies.

Windows Store app network isolation

Ability to set and enforce network boundaries to prevent compromised applications from accessing restricted networks.

Customizable firewall rules for Windows Store apps in addition to firewall rules that can be created for programs and services.3

Windows PowerShell cmdlets for Windows Firewall

Extensive cmdlets for configuring and managing Windows Firewall.

Fully configurable and manageable Windows Firewall, Internet Protocol security (IPsec), and related features with a more powerful and scriptable Windows PowerShell.3

Network Access Protection (NAP)

A client health policy creation, enforcement, and remediation technology to help system administrators establish and automatically enforce health policies, which can include software requirements, security update requirements, and other settings.4

Domain Name System Security Extensions (DNSSEC)

Support for online signing and automated key management as part of the update process for DNSSEC support in the authoritative functions of Domain Name System (DNS) servers.5

Extensible Authentication Protocol (EAP)

Architectural framework that provides extensibility for the authentication methods of commonly used protected network access technologies, such as Institute of Electrical and Electronics Engineers (IEEE) 802.1X-based wireless access, IEEE 802.1X-based wired access, and Point-to-Point Protocol (PPP) connections such as VPN.6

802.1X Authenticated Wired Access

Updated IEEE 802.1X Authenticated Wired Service for IEEE 802.3 Ethernet network clients.

EAP-Tunneled Transport Layer Security (EAP-TTLS) added to the list of network authentication methods included by default.7

Enable users with non-domain joined computers and devices running Windows 8.1 and Windows Server 2012 R2 to bring their own devices to their organization and enjoy the advantages of password-based credential reuse. This means that users need to provide their credentials the first time they connect to their organization’s network, and then they can connect to the resources they want to without being prompted repeatedly for their credentials because the credentials are stored on the local computer for reuse.

For security reasons, when the user’s computer or device disconnects from the network, the stored credentials are discarded.8

Read-only domain controller (RODC)

Domain controller that hosts read-only partitions of a database in Active Directory.

Ability to deploy RODC via Windows PowerShell and to virtual machines.9

Kerberos constrained delegation across domains

Administrative permission needed only for the back-end service account.

Back-end permitted to authorize which front-end service accounts can impersonate users against their resources.10

Flexible Authentication Secure Tunneling (FAST)

Protected channel between domain-joined client and domain controller with FAST.10

Access controls in Active Directory Lightweight Directory Services (AD LDS)

Authentication of users requesting access to the directory.

Use of security descriptors, called access control lists (ACLs), on directory objects to determine which objects an authenticated user has access to.11

Identity component updates Updated

Updated identity components include:12

• Service Principal Name (SPN) and User Principal Name (UPN) uniqueness

• Winlogon Automatic Restart Sign-On (ARSO)

• Trusted Platform Module (TPM) Key Attestation

• Certification authority (CA) Backup and Restore Windows PowerShell cmdlets

• Command line process auditing

• Credential Protection and Domain Authentication Controls

Directory Services

Active Directory Domain Services (AD DS)

Virtualized domain controller cloning

Ability to create replicas of virtualized domain controllers through cloning of existing ones.

Virtualization-safe technologies and rapid deployment of virtual domain controllers through cloning.13

Virtualization supported

Virtual domain controllers hosted on hypervisor platforms that expose an identifier called VM-Generation ID (hypervisor-agnostic mechanism). The identifier can detect and employ necessary safety measures to protect the sanctity of the AD DS environment if a virtual machine is rolled back in time by an unsupported mechanism (such as the application of a virtual machine snapshot).13

Active Directory Domain Services claims in Active Directory Federation Services (AD FS)

Ability to populate Security Assertion Markup Language (SAML) tokens with user- and device-claims taken directly from the Kerberos ticket through AD FS (v2.1).14

Off-premises domain join

Domain-join computers over the Internet for domains enabled for DirectAccess.15

Fine-grained password policy

Simplified management of password-setting objects (PSOs) through Active Directory Administrative Center.15

Database mounting tool

Improved recovery processes with the ability to compare data as it exists in the snapshots or backups that are taken at different times, enabling better decision-making about what data to restore after data loss.16

Active Directory-Based Activation (AD BA)

Simplified configuring of the distribution and management of volume software licenses, with the Volume Activation Services server role, Key Management Service (KMS), and activation based in Active Directory.15


Windows PowerShell History Viewer

Ability to view Windows PowerShell cmdlets as they run.

Ability to display the equivalent Windows PowerShell cmdlets in the History Viewer of Windows PowerShell with Active Directory Administrative Center.15

Active Directory Recycle Bin

Recovery of accidentally deleted objects from backups of AD DS taken by Windows Server Backup with Active Directory domains.15

Active Directory object not physically removed from the database immediately.

Active Directory Domain Services integration

Ability to create cluster computer objects in targeted organizational units or by default in the same organizational unit as the cluster nodes.17

Domain and Forest Functional Levels New

Provides two new functional levels: Forest Functional Level (FFL) and Domain Functional Level (DFL). DFL enables support for protected users, authentication policies, and authentication isolation. FFL and DFL levels are set by default on new domain and new forest creation but can be lowered using Windows PowerShell.18

Lightweight Directory Access Protocol (LDAP) query optimizer changes Updated

The LDAP query optimizer algorithm was reevaluated and further optimized. The result is improved LDAP search efficiency and shorter LDAP search times for complex queries.18

Active Directory Replication throughput improvement Updated

For Active Directory replication, the remote procedure calls (RPC) transmit buffer has been increased to a maximum throughput of around 600 Mbps by changing the RPC send buffer size from 8 KB to 256 KB. This change allows the TCP window size to grow beyond 8 KB, reducing the number of network round trips.18

Active Directory Lightweight Directory Services (AD LDS)

Server Core installations for Active Directory Lightweight Directory Services

Role support for Server Core installations.19

Backup and restore for Active Directory Lightweight Directory Services

Ability to back up and restore databases to an existing AD LDS instance.20

Multiple directory service instances on a single server

Ability to concurrently run multiple instances of AD LDS on a single computer with an independently managed schema for each AD LDS instance.21 22

Active Directory Rights Management Services (AD RMS)

Active Directory Rights Management Services as a server role

Available as a server role with several new features not available in previous versions.23

Persistent protection

Protection of content on the go with AD RMS.

Ability to specify who can open, modify, print, or manage content.

Rights stay with content—even when it is transferred outside the organization.

Usage policy templates

Ability to create a usage policy template and apply it to content, eliminating the need to recreate usage rights settings for comprehensive file protection.


Software development kit for Active Directory Rights Management Services

Compatible with rights-enabled applications.

Self-enrollment of the Active Directory Rights Management Services cluster

Enrollment via local computer to help eliminate the need to connect to Microsoft Enrollment Service through a server self-enrollment certificate.24

Integration with Active Directory Federation Services (AD FS)

Integration of AD RMS and AD FS to enable the leveraging of existing federated relationships for collaboration with external partners.2423

Windows PowerShell for deploying Active Directory Rights Management Services

Support for more secure and flexible remote server deployment of AD RMS using PowerShell.2526

Enhancements in Active Directory Rights Management Services and SQL Server requirements

Improved support for remote deployment of AD RMS and Microsoft SQL Server.2725

AD RMS installer account must have system administration permissions in the SQL Server installation.

SQL Server Browser service must be running to locate available SQL instances.

Active Directory Federation Services (AD FS)

Single Sign-On (SSO) and seamless second factor authentication across company applications New

With Workplace Join, information workers can join their personal devices with their company to access company resources and services.28

Provides seamless second factor authentication and SSO to workplace resources and applications.

The Device Registration Service (DRS), included with the Active Directory Federation Role in Windows Server 2012 R2, provisions a device object in Active Directory and sets a certificate on the consumer device to represent device identity.

Web Application Proxy New

Provides the reverse proxy functionality for web applications inside the corporate network so that users on virtually any device can access them from outside the corporate network.

Pre-authenticates access to web applications using AD FS, and also functions as an AD FS proxy.

Multi-factor access control New

Access control in AD FS is implemented with authorization claim rules. Issues permit or deny claims that will determine whether or not a user or a group of users will be allowed to access resources secured with AD FS.

Enhances user, device, location, and authentication data using a greater variety of authorization claim types or rules.

Multi-factor authentication New

Requires users to provide more than one form of authentication when connecting to published applications and services. For example, using one-time passwords or smart cards.

Integration with Microsoft Office SharePoint Server

AD FS can be used to facilitate an out-of-the-box SSO solution for Microsoft SharePoint.29


Integration with Active Directory Rights Management Services

AD FS can integrate with AD RMS to support the sharing of rights-protected content between organizations, helping eliminate the need for AD RMS to be deployed in both organizations.

Integration with Dynamic Access Control scenarios

AD FS can be used with user and device claims that are issued using Active Directory Domain Services (AD DS) for various DAC scenarios.14

Ability of AD FS to consume AD DS claims included in Kerberos tickets as a result of domain authentication.

Improved installation experience with Server Manager

Installation of AD FS server role with Server Manager.24

Automatic listing and installing of virtually all services that AD FS depends on during the AD FS server role installation with Server Manager and its configuration wizard when AD FS server role is installed.

Windows PowerShell cmdlet tools

New cmdlets for installing the AD FS server role and for initial configuration of the federation server and federation server proxy in addition to the management capabilities based in PowerShell that are provided in AD FS 2.0.24

Active Directory Certificate Services (AD CS)

Certification authorities (CAs)

Management of CAs, certificate revocation, and certificate enrollment30; root and subordinate CAs; and enterprise and stand-alone CAs.

Web enrollment

Enrollment mechanism for organizations that need to issue and renew certificates for users and computers that are not joined to the domain or not connected directly to the network, and for users of non-Microsoft operating systems.3132

Microsoft Online Responder Service

Ability to configure and manage Online Certificate Status Protocol (OCSP) validation and revocation checking in networks based on Microsoft Windows.33

Network Device Enrollment Service (NDES)

Microsoft implementation of the Simple Certificate Enrollment Protocol (SCEP), a communication protocol that makes it possible for the software running on network devices such as routers and switches, which cannot otherwise be authenticated on the network, to enroll for X.509 certificates from a certification authority.34

Certificate Enrollment Policy Web Service

AD CS role service for obtaining certificate enrollment policy information for humans and computers.35

Certificate Enrollment Web Service

Certificate enrollment with HTTPS protocol for users and computers.35

Integration with Server Manager

Integration of AD CS server role and its role services into Server Manager.36

Deployment and management capabilities of Windows PowerShell

Ability to configure or remove configurations for virtually all AD CS role services with the AD CS Deployment PowerShell cmdlets.37

Active Directory Certificate Services role services on Server Core

Ability to install and run virtually all AD CS role services on Server Core installations of Windows Server 2012 or the Minimal Server Interface installation options.36


Automatic renewal of certificates for non-domain joined computers

Builds on Certificate Enrollment Web Services by adding the ability to automatically renew certificates for computers that are part of untrusted Active Directory Domain Services (AD DS) domains or not joined to a domain.36

Enforcement of certificate renewal with same key

Increased security with AD CS that requires certificate renewal with the same key, enabling the same assurance level of the original key to be maintained throughout its life cycle.36

Support for internationalized domain names (IDNs)

Support for IDNs that contain characters that cannot be represented in ASCII with AD CS.36

Increased security with default on certification authorities role service

Enforcement of enhanced security by CA role service in the requests sent to it.

Encryption required for packets requesting a certificate.36

Policy module support for the Network Device Enrollment Service New

Using a policy module with the Network Device Enrollment Service provides enhanced security so that users and devices can request certificates from the Internet.38

Trusted Platform Module (TPM) key attestation New

Allows the CA to verify that the private key is protected by a hardware-based TPM.38

Windows PowerShell for Certificate Services New

New Windows PowerShell cmdlets are available for backup and restore.38


Virtualization and Virtual Desktop Infrastructure (VDI)

Shared virtual hard disk New

Enables clustering of virtual machines by using shared virtual hard disk (VHDX) files.39

Ability to host on Cluster Shared Volume (CSV) or on Server Message Block (SMB)-based Scale-Out File Server file shares.

Resize virtual hard disk Updated

Ability to expand or shrink the size of a virtual hard disk while the virtual machine is still running.39

Ability to perform maintenance on the virtual hard disk without temporarily shutting down the virtual machine.

Only available for VHDX files that are attached to a SCSI controller.

Storage Quality of Service New

Ability to manage storage throughput for virtual hard disks that are accessed by virtual machines.39

Ability to specify the maximum and minimum I/O loads in terms of I/O operations per second (IOPS) for each virtual hard disk in a virtual machine.

Ability to ensure that the storage throughput of one virtual hard disk does not impact the performance of another virtual hard disk on the same host.

Hyper-V Live Migration over SMB New

Ability to perform a live migration of virtual machines by using SMB 3.0 as a transport. This enables taking advantage of key SMB features, such as SMB Direct and SMB Multichannel, by providing high speed migration with low CPU utilization.46

Live Migration with compression Updated

Ability to first compress the memory content of the virtual machine that is being migrated and then copy it to the destination server over a TCP/IP connection. This is the default setting in Hyper-V in Windows Server 2012 R2.

Live Migration Remote Direct Memory Access (RDMA) Updated

Ability to perform faster live migration between Hyper-V hosts by establishing an efficient memory-to-memory transfer of data using RDMA.

Server Message Block Direct (SMB Direct) over RDMA is a technology that, given the hardware (NICs) supporting it, can establish an efficient memory-to-memory transfer of data.

In Windows Server 2012, the main advantage of this approach was faster file services but in Windows Server 2012 R2, it is used to send live migration data between the Hyper-V hosts.

Cross-version live migration Updated

Ability to support migrating Hyper-V virtual machines in Windows Server 2012 to Hyper-V in Windows Server 2012 R2.39

Moving a virtual machine to a down-level server running Hyper-V is not supported.

Virtual machine generation New

Ability to determine the virtual hardware and functionality that is presented to the virtual machine.

Two supported virtual machine generations include:39

• Generation 1: Provides the same virtual hardware to the virtual machine as in the previous versions of Hyper-V.

• Generation 2: Provides the following new functionality on a virtual machine:

– Secure Boot (enabled by default)

– Boot from a SCSI virtual hard disk

– Boot from a SCSI virtual DVD

– Pre-Boot Execution Environment (PXE) boot by using a standard network adapter

– Unified Extensible Firmware Interface (UEFI) firmware support

Integration services Updated

Ability to copy files to the virtual machine while the virtual machine is running without using a network connection.39

Export Updated

Ability to export a virtual machine or a virtual machine checkpoint while the virtual machine is running without any downtime.39

Failover Clustering and Hyper-V Updated

Helps protect the virtual network adapter and virtual machine storage.39

Ability to detect physical storage failures on storage devices that are not managed by Windows Failover Clustering (SMB 3.0 file shares).

Enhanced session mode New

Ability to redirect local resources in a Virtual Machine Connection session.39

Enhances the interactive session experience by providing a functionality that is similar to a remote desktop connection while interacting with a virtual machine.

Management Updated

Ability to manage Hyper-V in Windows Server 2012 from a computer running Windows Server 2012 R2 or Windows 8.1.39

Linux support Updated

Enables backup support for Linux virtual machines.39

Enables dynamic memory support for Linux guest operating systems.


Automatic Virtual Machine Activation New

Ability to install virtual machines on a computer where Windows Server 2012 R2 is properly activated without having to manage product keys for each individual virtual machine, even in disconnected environments.39

Ability to bind the virtual machine activation to the licensed virtualization server and activate the virtual machine when it starts.

Enables real-time reporting on usage and historical data on the license state of the virtual machine.

Shared virtual hard disk (for guest clusters) New

Ability to use .vhdx files as shared storage in a guest cluster.40

Virtual machine drain on shutdown New

Enables a Hyper-V host to automatically live migrate running virtual machines if the computer is shut down.40

Virtual machine network health detection New

Enables a Hyper-V host to automatically live migrate virtual machines if a network disconnection occurs on a protected virtual network.40

Optimized CSV placement policies Updated

Ability to distribute CSV ownership evenly across the failover cluster nodes.40

Increased CSV resiliency Updated

Enables multiple Server service instances per cluster node.40

Enables CSV monitoring of the Server service that provides greater resiliency.

CSV cache allocation Updated

Ability to increase the amount of RAM that can be allocated as CSV cache.40

CSV diagnosability Updated

Ability to view the state of a CSV on a per node basis and the reason for I/O redirection.40

Enables optimizing cluster configuration by easily determining the state of a CSV.

CSV interoperability Updated

Adds CSV support for the following Windows Server 2012 R2 features:40

• Resilient File System (ReFS)

• Deduplication

• Parity storage spaces

• Tiered storage spaces

• Storage Spaces write-back caching

Deploy an Active Directory-detached cluster New

Ability to deploy a failover cluster with less dependency on Active Directory Domain Services.40

Uses Kerberos authentication for intra-cluster communication.

Dynamic witness New

Dynamically adjusts the witness vote based on the number of voting nodes in the current cluster membership.40

Quorum user interface improvements Updated

Ability to easily view the assigned quorum vote and the current quorum vote for each node in Failover Cluster Manager.40

Force quorum resiliency New

Enables automatic recovery in the case of a partitioned failover cluster.40

Tie breaker for 50% node split New

Enables one side of a cluster to continue to run in the case of a cluster split where neither side would normally have quorum.40

Configure the Global Update Manager mode New

Helps the cluster to continue to function if there is a delay with one or more nodes.40

Cluster node health detection Updated

Increases the resiliency to temporary network failures for virtual machines that are running on a Hyper-V cluster.40

Turn off IPsec encryption for inter-node cluster communication New

Helps prevent a cluster from being affected by high-latency Group Policy updates.40

Ability to turn off Internet Protocol security (IPsec) encryption for inter-node cluster communication such as the cluster heartbeat.

Cluster dashboard New

Provides a convenient way to check the health of all managed failover clusters in Failover Cluster Manager.40

Shared-nothing live migration

Ability to migrate virtual machines among Hyper-V hosts on different clusters or servers with no storage sharing using Ethernet connection only—with virtually no downtime.41

Live storage migration

Ability to move virtual hard disks that are attached to a running virtual machine.42

Ability to transfer virtual hard disks to a new location for upgrading or migrating storage, performing back-end storage maintenance, or redistributing the storage load.

Ability to add storage to either a stand-alone computer or to a Hyper-V cluster, and then move virtual machines to the new storage while the virtual machines continue to run.

A new wizard in Hyper-V Manager or new Hyper-V cmdlets for Windows PowerShell can be used to perform this task.

Live Snapshot Merging

Ability to merge snapshots back into the virtual machine while it continues to run (Hyper-V Live Merge).42

Non-Uniform Memory Access (NUMA) support

NUMA support inside virtual machines.42

Ability to project NUMA topology onto virtual machines, guest operating systems, and applications that can make intelligent NUMA decisions.

Dynamic Memory Run-time Configuration

Ability to make configuration changes to dynamic memory (increasing maximum memory or decreasing minimum memory) when a virtual machine is running.43

Reduces downtime and increases agility to respond to requirement changes.

VHDX

Support for VHDX file format with Hyper-V.42

VHDX support for up to 64 terabytes of storage.

Protection from corruption due to power failures by logging updates to the VHDX metadata structures.

Prevention of performance degradation on large-sector physical disks through optimizing structure alignment.

Hyper-V Resource Metering

Tracks and reports amount of data transferred per IP address or virtual machine.42

Allows customers to create cost-effective and usage-based billing solutions.

Virtual Fibre Channel

Fibre Channel ports within the guest operating system.42

Ability to connect to Fibre Channel directly from within virtual machines.

Hyper-V Replica Updated

Ability to replicate virtual machines among storage systems, clusters, and datacenters between two sites to provide business continuity and failure recovery.

Ability to configure extended replication in Windows Server 2012 R2. In this case, the Replica server forwards information about the changes that occur on the primary virtual machines to a third server (the extended Replica server). The frequency of replication, which previously was a fixed value, is now configurable for 30 seconds, 5 minutes, and 15 minutes.

Access to recovery points in Windows Server 2012 R2 has changed from 15 hours to 24 hours.44

Simultaneous live migrations

Ability to migrate several virtual machines at the same time with support for simultaneous live migrations.42

Live migrations not limited to a cluster.

Virtual machines can be migrated across cluster boundaries and between stand-alone servers that are not part of a cluster.

Hyper-V host and workload support

Ability to configure up to 320 logical processors on hardware, 4 terabytes of physical memory, 64 virtual processors, and up to 1 terabyte of memory on a virtual machine.42

Support for up to 64 nodes and 8,000 virtual machines in a cluster.

Dynamic memory, startup memory, and minimum memory

Hyper-V can reclaim the unused memory from virtual machines with a minimum memory value lower than their startup value.42

Hyper-V Smart Paging

Bridges the gap between the minimum and startup memory if a virtual machine is configured with a lower minimum memory than its startup memory (Hyper-V needs additional memory to restart it).42

Quality of Service (QoS) minimum bandwidth

Hyper-V uses minimum bandwidth to assign specific bandwidth for each type of traffic and to ensure fair sharing during congestion.42

Incremental backup

Hyper-V supports incremental backup (backing up only the differences) of virtual hard disks while the virtual machine is running.

Windows Server 2008 R2 provides support for full backups only.42

Clustering

New support for guest clustering via Fibre Channel, new live migration enhancements, massive scale, encrypted cluster volumes, CSV 2.0, Hyper-V application monitoring, virtual machine failover prioritization, inbox live migration queuing, affinity (and anti-affinity) virtual machine rules, and File Server transparent failover.42

Application monitoring

Ability to monitor health of key services provided by virtual machines.

Higher availability for workloads not supporting clustering with automatic correction (like restarting a virtual machine or moving it to a different server).42

Storage

Work Folders New

Provides a consistent way for users to access their work files from their PCs and devices.

Ability to maintain control over corporate data by storing files on centrally managed file servers, and optionally specifying user device policies such as encryption and lock-screen passwords.

Ability to deploy Work Folders with the existing deployments of Folder Redirection, Offline Files, and home folders. Work Folders stores user files in a folder on the server called a sync share.45

Automatic rebalancing of Scale-Out File Server clients New

Improves scalability and manageability for Scale-Out File Servers. Server message block (SMB) client connections are tracked per file share (instead of per server), and clients are then redirected to the cluster node with the best access to the volume used by the file share. This improves efficiency by reducing redirection traffic between file server nodes. Clients are redirected following an initial connection and when cluster storage is reconfigured.46

Improved performance of SMB Direct (SMB over RDMA) Updated

Improves performance for small I/O workloads by increasing efficiency when hosting workloads with small I/Os, such as an online transaction processing (OLTP) database in a virtual machine. These improvements are evident when using higher speed network interfaces, such as 40 Gbps Ethernet and 56 Gbps InfiniBand.46

Improved SMB event messages Updated

SMB events now contain more detailed and helpful information. This makes troubleshooting easier and reduces the need to capture network traces or enable more detailed diagnostic event logging. By default, the most relevant event channels are turned on, so as to instantly capture all of the essential information. In addition, some events now include details on configuration and troubleshooting solutions.46

Improved SMB bandwidth management New

Ability to configure SMB bandwidth limits to control different SMB traffic types.

There are three SMB traffic types: default, live migration, and virtual machine.46

Support for multiple SMB instances on a Scale-Out File Server New

Provides an additional instance on each cluster node in Scale-Out File Servers specifically for Cluster Shared Volume (CSV) traffic. A default instance can handle incoming traffic from SMB clients that are accessing regular file shares, while another instance only handles inter-node CSV traffic. This feature improves the scalability and reliability of the traffic between CSV nodes.46

Storage Spaces

Ability to leverage commodity storage into virtual storage pools, which can then be provisioned as Storage Spaces.

Virtualized drives that can be formatted and accessed just like a physical drive, which can also be dynamically resized with the addition of more physical drives to the storage pool.47

New features in Storage Spaces include storage tiers, write-back cache, parity space support for failover clusters, dual parity, and the ability to automatically rebuild storage spaces from storage pool free space.

Storage tiers New

Automatically moves frequently accessed data to faster (solid-state drive) storage and infrequently accessed data to slower (hard disk) storage.48

Write-back cache New

Buffers small random writes to solid-state drives, reducing the latency of writes.48

Parity space support for failover clusters New

Ability to create parity spaces on failover clusters.48

Dual parity New

Stores two copies of the parity information on a parity space, which helps protect against two simultaneous physical disk failures and optimizes storage efficiency.48

Automatically rebuild storage spaces from storage pool free space New

Decreases the time to rebuild a storage space after a physical disk failure by using the spare capacity in the pool instead of a single hot spare.48

Resilient File System (ReFS) Updated

Maximizes data availability and online operations despite errors that would historically cause data loss or downtime.

In Windows Server 2012 R2, ReFS49 automatically corrects the corruption on parity spaces. When corruption of ReFS metadata occurs, subfolders and their associated files are automatically recovered. ReFS is now available to use on Windows 8.1. ReFS includes a new registry entry, RefsDisableLastAccessUpdate, which is the equivalent of the previous NtfsDisableLastAccessUpdate registry entry. New storage cmdlets, Get-FileIntegrity and Set-FileIntegrity, are available to manage integrity and disk scrubbing policies.

Data deduplication Updated

Involves finding and removing duplication within data without compromising its fidelity or integrity. The goal is to store more data in less space by segmenting files into small variable-sized chunks (32–128 KB), identifying duplicate chunks, and maintaining a single copy of each chunk.

In Windows Server 2012 R2, data deduplication can be installed on a scale-out file share and used to optimize live virtual hard disks for Virtual Desktop Infrastructure (VDI) workloads.50

Use the new Expand-DedupFile cmdlet in Windows PowerShell to expand optimized files on a specified path on the original path if needed for compatibility with applications, performance, or other requirements.

Distributed File System (DFS) Replication Updated

A role service in the File and Storage Services role that enables efficient replication of folders (including those referred to by a DFS namespace path) across multiple servers and sites.

Uses a compression algorithm known as remote differential compression (RDC).

RDC detects changes to the data in a file and enables DFS Replication to replicate only the changed file blocks instead of the entire file.

DFS includes many new functionalities:51

• DFS Replication using Windows PowerShell module and methods based on Windows Management Infrastructure (WMI)
• Database cloning for initial sync
• Rebuilding of corrupt databases
• Disabling of cross-file RDC between servers
• File staging tuning and preserved file restoration

DFS Replication also includes updated functionalities such as unexpected shutdown database recovery improvements, and membership disabling.

iSCSI virtual disk enhancements New

Includes a redesigned data persistence layer that is based on a new version of the virtual hard disk format called VHDX (VHD 2.0).52

Provides data corruption protection during power failures and optimizes structural alignments of dynamic and differencing disks to prevent performance degradation on new, large-sector physical disks.

iSCSI manageability enhancements Updated

Uses the SMI-S provider in Windows Server 2012 R2 with System Center Virtual Machine Manager (VMM) to manage iSCSI Target Server in a hosted or private cloud.52

The new Windows PowerShell cmdlets for iSCSI Target Server enable the exporting and importing of configuration files, and provide the ability to disable remote management when iSCSI Target Server is deployed in a dedicated Windows-based appliance scenario (for example, Windows Storage Server).

iSCSI improved optimization to allow disk-level caching Updated

Ability to set the disk cache bypass flag on a hosting disk I/O, through Force Unit Access (FUA), only when the issuing initiator explicitly requests it. This change can potentially improve performance.52

iSCSI scalability limits Updated

Increases the maximum number of sessions per target server to 544, and increases the maximum number of logical units per target server to 256.52

iSCSI local mount functionality Updated

Deprecates the local mount functionality for snapshots. As a workaround, it enables use of the local iSCSI initiator on the target server computer (this is also called the loopback initiator) to access the exported snapshots.52

Other File System improvements: thin provisioning, trim, and Chkdsk

Thin Provisioning: Offers just-in-time allocations (also known as thin provisioning).

Identification of thinly provisioned virtual disks.53

Trim: Ability to reclaim storage that is no longer needed (also known as trim).

Chkdsk: Ability to run in seconds to fix corrupted data. No offline time when used with CSV. Disk scanning process separated from repair process. Online scanning with volumes and offline repairs.54

Clustered Shared Volume Updated

Storage system for scale-out file servers, which can provide optimized availability and scalable file-based (such as SMB) server application storage.

In Windows Server 2012 R2, a disk or storage space for a CSV volume must be a basic disk that is partitioned with NTFS or ReFS. Offers distributed CSV ownership, increased resiliency through availability of the Server service, greater flexibility in the amount of physical memory that you can allocate to CSV cache, better diagnosability, and enhanced interoperability that includes support for ReFS and deduplication.55

SMB Direct (RDMA) and SMB Multichannel

Load balanced failover connections to remote file servers that not only fail over when connections are lost, but also evaluate the condition of available connections to route traffic away from congested links.

Support for network adapters that have Remote Direct Memory Access (RDMA) and can function at full speed with low latency, while using very little CPU.56

Offloaded Data Transfer (ODX)

Used with offload-capable SAN storage hardware to enable a storage device to perform a file copy operation without the main processor of the host actually reading the content from one storage place and writing it to another.57

SMB for workloads

Ability of remote file server shares to be used as storage for workloads such as Hyper-V and SQL Server 2012.56

Network File System (NFS) support

File-sharing solution for enterprises with a mixed Windows and UNIX environment.

Ability to reliably store and run VMware ESX virtual infrastructures with file system support on Windows Server 2012, while using the advanced high availability of Windows.58

Management (Server Manager and PowerShell)

Single point of access to management snap-ins for virtually all the installed roles.

Snap-in for managing Storage Spaces along with storage that can be managed through PowerShell.

Web and App Plat

Internet Information Services (IIS) enhancements

Multitenant high-density websites

Hosting-friendly web server platform with FTP Logon Attempt Restriction and improved site density, centralized SSL certificate support, and server name indication.

Increased Internet Information Services (IIS) scalability with SSL scalability, centralized SSL certificate support, and NUMA-aware scalability.

Server Name Indication (SNI)

Binding a more secure site required a unique network endpoint using an IP address and a port in the previous versions of Windows Server, which often meant having a dedicated IP address for each secure site because site owners wanted their secure sites to be running on a standard SSL port.

Support for increased density of secure sites for greater scalability of sites.

Centralized SSL certificate management

Central storage of SSL certificates on a file share to simplify certificate management and lower the total cost of ownership.

Rapid addition of servers to the web farm to help eliminate the need to individually configure SSL.

NUMA-aware scalability

Ability to scale up web servers beyond 32 processors and use next-generation hardware.

IIS CPU Throttling

Ability to set maximum CPU consumption for individual IIS 8.0 application pools, helping every application get ample processor time.

Ability to create sandbox for each tenant and ensure that no single tenant consumes virtually all of a web server’s processing power.

FTP Service

FTP publishing on a web server.

FTP Logon Attempt Restrictions

Protection against brute force attacks with automatic detection of attacks in progress and blocking of future requests from the same address.

Ability to modify the number of times FTP will allow users to attempt unsuccessfully to log in within a specified time period before denying access to the IP address.

Application initialization

Ability to proactively start ASP.NET applications with IIS 8.0.

Applications available virtually all of the time.

Initialization of ASP.NET applications before users need it.

Returns static pages to users instead of making users wait on a blank browser page.

Dynamic IP restrictions

Dynamic filters to automatically block potentially harmful IP addresses with IIS 8.0.

WebSocket Protocol

Encrypted, real-time, bidirectional communications between client and server.

ASP.NET Support (2.0, 3.0, 3.5, and 4.5)

Multiple ASP.NET applications with different .NET Framework versions to run simultaneously with Windows Server 2012 R2 with IIS 8.0.

ASP.NET 3.5 and 4.5 Application Management

Graphical and command-line management tools to manage both ASP.NET 3.5 and ASP.NET 4.5 applications with IIS 8.0 in Windows Server 2012 R2.

Multiple language support

Support for programming languages, such as .NET, PHP, Node.js, and Python.

Enhanced support for PHP and MySQL through IIS extensions.

ASP.NET 4.5 integration and support for latest HTML5 standards.

Hybrid applications platform (on-premises and cloud)

Cross-premises application platform

Integration of applications between on-premises environments and the cloud (including Windows Azure).

Application and programming symmetry

Shared development model with Windows Server 2012 R2 and Windows Azure.

Common development platform and tools

Common development environment for .NET developers to build cloud and on-premises applications.

Application-layer connectivity and messaging

Access to on-premises applications through a cloud-based application.

Networking

Windows Server Gateway New

A virtual machine-based software router that allows cloud service providers (CSPs) and enterprises to enable datacenter and cloud network traffic routing between virtual and physical networks, including the Internet.59

Routes network traffic between the physical network and virtual machine network resources, regardless of where the resources are located.

Virtual Receive-side scaling New

Enables a network adapter to distribute its network processing load across multiple virtual processors in multicore virtual machines.60

Multitenant site-to-site VPN gateway New

Enables hosters to deploy multitenant site-to-site gateways to provide cross-premises connectivity from networks at tenant sites to virtual networks dedicated per tenant in the hoster’s network.61

A single gateway instance is capable of serving multiple tenants with overlapping IP address spaces, maximizing efficiency for the hoster as compared to deploying a separate gateway instance per tenant.

Multitenant Remote Access VPN Gateway New

Enables hosters to allow transparent VPN access to virtual machines replicated in the cloud even after a failure when the entire site of the tenant goes down.61

Border Gateway Protocol (BGP) New

Enables dynamic distribution and learning of routes by site-to-site (S2S) interfaces of Routing and Remote Access (RRAS).61

Role-based access control New

Ability to customize the types of operations and access permissions for users and groups of users on specific objects.62

Virtual address space management New

IP Address Management (IPAM) streamlines the management of physical and virtual IP address space in System Center Virtual Machine Manager.62

Enhanced Dynamic Host Configuration Protocol (DHCP) server management Updated

DHCP server management with IPAM is greatly enhanced in Windows Server 2012 R2, including multiple new operations for DHCP scope and DHCP servers, and views for the following objects:62 DHCP failover, DHCP policies, DHCP superscopes, DHCP filters, and DHCP reservations.

External database support New

In addition to Windows Internal Database (WID), IPAM also optionally supports the use of a Microsoft SQL database that enables additional scalability, disaster recovery, and reporting scenarios.62

Upgrade and migration support New

If IPAM is installed on Windows Server 2012, then data can be maintained and migrated when one needs to upgrade to Windows Server 2012 R2.62

Enhanced Windows PowerShell support for IPAM Updated

Windows PowerShell support for IPAM is greatly enhanced to provide extensibility, integration, and automation support.62

Hyper-V Virtual Switch

Extended Port Access Control Lists (ACLs) Updated

Allows enterprises and CSPs to configure the Hyper-V Virtual Switch Extended Port ACLs to provide firewall protection and enforce security policies for the tenant virtual machines in their datacenters.63

ACLs now include the socket port number.

Ability to configure stateful rules that are unidirectional and provide a timeout parameter.

Dynamic Load Balancing of Network Traffic New

Ability to continuously and automatically move traffic streams from network adapter to network adapter within the NIC team to share the traffic load as equitably as possible.63

Hyper-V Network Virtualization (HNV) coexists with third-party forwarding extensions for the Hyper-V Virtual Switch New

Ability to forward packets for either the virtual machine customer address space or the physical address space because switch extensions now coexist seamlessly with Network Virtualization, which uses Network Virtualization Generic Routing Encapsulation (NVGRE).

Ability to perform hybrid forwarding where the network traffic, which is NVGRE encapsulated, is forwarded by the HNV module within the switch, while all non-NVGRE network traffic is forwarded by the third-party forwarding extensions that the user has installed.63

Traffic bottlenecks to virtual machines are reduced with vRSS New

Virtual RSS (vRSS) is supported on the virtual machine network path that allows virtual machines to sustain a greater networking traffic load by distributing the processing across multiple cores on the host and multiple cores on the virtual machine.63

Network tracing is streamlined and provides more detail Updated

Network traces contain switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, and any forwarding extensions the user has installed are easier to use and read.63

Inbox HNV Gateway New

A multitenant gateway that performs site-to-site (VPN), NAT, and forwarding functions.64

System Center 2012 R2 Virtual Machine Manager can be used to fully manage the HNV gateway.

Supports guest clustering for high availability.

Includes BGP for dynamic routes update.

HNV interoperability with Hyper-V Virtual Switch Extensions Updated

The HNV module was moved inside the virtual switch so that extensions can see both the provider (physical address) and virtual (customer address) IP address spaces.64

Implements hybrid forwarding.

HNV VM Network Diagnostics Updated

Enhanced ping.exe (ping -p) to allow pinging to and from provider addresses.64

Two new Windows PowerShell cmdlets (Test-VMNetworkAdapter and Select-NetVirtualizationNextHop) that enable diagnostics of HNV policy and the Customer Address space.

Added the ability for Message Analyzer to decode NVGRE packets.

HNV Architecture Updated

Improved interoperability with switch extensions.64

The HNV filter moved from being an NDIS lightweight filter (LWF) to being part of the Hyper-V virtual switch.

Dynamic IP Address Learning New

Enables high availability scenarios for both virtual machines on a virtual machine network and the HNV gateway.64

Ability to run DHCP, DNS, and Active Directory in virtual machine networks.

HNV and Windows NIC Teaming Updated

Integrates HNV and Windows NIC Teaming to allow multiple network adapters to be placed into a team for the purposes of bandwidth aggregation and/or traffic failover to maintain connectivity in the event of a network component failure.64

NVGRE Encapsulated Task Offload Updated

Ability to offload tasks to a network adapter that has the appropriate task offload capabilities.64

Enhanced zone level statistics Updated

Zone level statistics are available for different resource record types, zone transfers, and dynamic updates.65

Enhanced DNSSEC support Updated

DNSSEC key management and support for signed file-backed zones are improved.65

Enhanced Windows PowerShell support for DNS Updated

New Windows PowerShell parameters are available for DNS Server.65

DNS registration enhancements New

Ability to use DHCP policies to configure conditions based on the fully qualified domain name (FQDN) of DHCP clients, and to register workgroup computers using a guest DNS suffix.66

DNS PTR registration options New

Enables DNS registration of address (A) and pointer (PTR) records, or just enables registration of A records.66

Windows PowerShell for DHCP server Updated

New Windows PowerShell cmdlets are available to perform tasks such as creating DHCP security groups, setting DNS credentials, managing superscopes, and managing multicast scopes.66

DHCP server failover New

Ability to deploy two DHCP servers for the high availability of DHCP services to clients, including replicating lease information between them.

DHCP servers can be deployed in a non-clustered failover configuration that includes multi-subnet support.67

Dynamic Virtual Machine Queue (VMQ)

Enables a host’s network adapter to pass Direct Memory Access (DMA) packets directly into individual virtual machine memory stacks.

VMQ assigned to each virtual machine device buffer to avoid needless packet copies and route lookups in the virtual switch.68

Quality of Service (QoS)

QoS for Hyper-V and other enhancements.

Hyper-V uses the minimum bandwidth to assign specific bandwidth for each type of traffic and to help ensure fair sharing during congestion.

Support for hardware compatible with Data Center Bridging (DCB), which makes it possible to use a single ultra-high bandwidth NIC, and provides QoS and isolation services to support multitenant workloads expected on private cloud deployments.69

BranchCache

Improved performance, availability, and scalability.

New features include:

• Support for offices of nearly any size
• Single Group Policy object (GPO) for nearly all offices
• Automatic configuration of client computers through Group Policy
• Integration with Windows file server
• Use of highly optimized file chunking system for intelligent splitting of files so that users can download only the changed part of the content
• Cache encryption
• Cache preloading
• PowerShell support
• New Group Policies70

Internet Protocol version 6 (IPv6)

Improved management of IPv6 addresses, better connectivity to Internet using IPv6 addresses, and NAT64/DNS64 protocol translation for DirectAccess clients.71

Low latency workload technologies

New capabilities and features for managing latency, such as NIC Teaming.72

Network Load Balancing

Distributes traffic across several servers by using the TCP/IP networking protocol.

Additional features for failover clustering in comparison to Windows Server 2008 R2, including support for scale-out file servers, CAU, virtual machine application monitoring, and iSCSI Software Target integration.73

Multitenant security and isolation

Fully isolated network layer of the datacenter with server virtualization through programmatically managed and extensible capabilities that help users connect virtual machines to physical networks with policy enforcement for enhanced security and isolation.74

Private virtual local area network (PVLAN)

Ability to isolate virtual machines from each other—for example, virtual machines cannot contact other virtual machines over the network—while still maintaining external network connectivity for nearly all virtual machines.

Management and Automation

Graphic User Interface as Server Role

Ability to deploy the GUI as a role in Windows Server 2012 using PowerShell 3.0.

Enables servers to easily remove the full GUI and move to either Server Core or Minimal Installation Shell (PowerShell, Server Manager, and MMC support).

Servers can move among Server Core, Minimal Installation Shell, and full GUI using PowerShell commands when required.

Server Manager

Single point of access to manage snap-ins for virtually all installed roles.

Ability to manage a server's identity and system information, display server status, identify problems with server role configuration, and manage virtually all roles installed on the server.

Multi-server management

Management of multiple servers via roles, services, or customized management groups.

Single view for administrators to view events, roles, services, and other important information for virtually all managed servers.75

Role and feature deployment to remote servers and offline hard disks

The Server Manager console and Windows PowerShell cmdlets for Server Manager allow the installation of roles and features to local or remote servers, or offline virtual hard disks.

Ability to install multiple roles and features on a single remote server or offline VHD in a single Add Roles and Features Wizard or Windows PowerShell session.

Integrated console

Integrated console for IT departments to manage multiple server platforms—whether physical or virtual—more effectively, helping lower IT operational costs (such as file storage management, Remote Desktop Services, and IP address management).

Windows PowerShell 4.0 New

Windows PowerShell 4.0 includes several significant features that extend its use, improve its usability, and enable easier and more comprehensive control and management of Windows-based environments.

Windows PowerShell Desired State Configuration (DSC) enables the deployment and management of configuration data for software services and the environment in which these services run.

Windows PowerShell 4.0 features include:

• Backward-compatible
• Includes simplified, consistent syntax across all cmdlets
• Simplified scripting through Windows PowerShell ISE
• Comprehensive management with more than 3000 cmdlets in over 100 modules

Windows PowerShell Disconnected Sessions

Ability to create a session on a remote computer, start a command or job, disconnect from the session, shut down a computer, and then reconnect to the session from a different computer later to check job status or get results.76

Windows PowerShell Workflow Updated

Support has been added for a new PipelineVariable common parameter in the context of iterative pipelines.76

Parameter binding has been significantly enhanced to work outside of tab completion scenarios, such as with commands that do not exist in the current runspace.

Support for custom container activities has been added to Windows PowerShell Workflow.

After a crash, Windows PowerShell Workflow automatically reconnects to managed nodes.

Ability to throttle Foreach -Parallel activity statements by using the ThrottleLimit property.

The ErrorAction common parameter has a new valid value, Suspend, which is exclusively for workflows.

A workflow endpoint now automatically closes if there are no active sessions, no in-progress jobs, and no pending jobs.

Windows PowerShell Web Access Updated

Ability to disconnect from and reconnect to existing sessions in the web-based Windows PowerShell Web Access console.76

Default parameters can be displayed on the sign-in page.

Ability to remotely manage authorization rules for Windows PowerShell Web Access.

Ability to have multiple Windows PowerShell Web Access sessions in a single browser session by using a new browser tab for each session.

Windows PowerShell Web Services (Management OData IIS Extension) Updated

Easily exposes Windows PowerShell cmdlets through an OData-based web service that is running in Web Server (IIS).76

Ability to define the API version in an endpoint, as well as enforce the usage of a specific API version.

References
