Nano Server future and Windows Server servicing channels

Nano Server has been presenting as an ideal Windows Server option for general infrastructure roles including Hyper-V and Storage since the RTM release. It’s been changed. Nano Server won’t be supported as an image for infrastructure-related roles deployed on physical/virtual machines and can be used only as container image.  So, now we need to step back and use Server Core again for roles like Hyper-V or Storage Spaces Direct.

It was confirmed yesterday by Erin Chapple, General Manager of Windows Server:

This next release will focus on making Nano Server the very best container image possible. From these changes, customers will now see the Nano Server images shrink in size by more than 50 percent, further decreasing startup times and improving container density. As part of this effort to focus on containers, we will be removing the functionality for infrastructure-related roles. Instead of using Nano Server for these scenarios, we recommend deploying the Server Core installation option, which includes all the roles and features you would need.

There are also some changes in the servicing model for Windows Server and System Center. There will be two primary release channels available to Windows Server customers, the Long-term Servicing Channel, and the new Semi-annual Channel in order to align with similar release and servicing models for Windows 10 and Office 365 ProPlus

In Long-term Servicing model, where a new major version of Windows Server is released every 2-3 years, users are entitled to 5 years of mainstream support, 5 years of extended support, and optionally 6 more years with Premium Assurance. This channel is appropriate for systems that require a longer servicing option and functional stability.

The new Semi-annual channel for Windows Server, Server Core and System Center will have new releases available twice a year, in spring and fall. Each release in this channel will be supported for 18 months from the initial release. Most of the features introduced in the Semi-annual Channel will be rolled up into the next Long-term Servicing Channel release of Windows Server. The editions, functionality, and supporting content might vary from release to release depending on customer feedback.

The Semi-annual Channel will be available to volume-licensed customers with Software Assurance, as well as via the Azure Marketplace or other cloud/hosting service providers and loyalty programs such as MSDN.

Both the Long-term Servicing Channel and the Semi-annual Channel releases will be supported with security updates and non-security updates distributed by servicing tools like WU, WSUS or SCCM

windows server servicing models

Windows Server has also become a member of Windows Insider Program. Pre-release builds of Windows Server will be available for download via the Windows Insider Program and the Windows Insider Program for Business. To join this program follow these steps

How easy is it to track Group Policy changes using the event log?

Group Policy Objects contain the settings to control almost everything in Active Directory; including Sites, Domains, Organizational Units, Users, Groups, Computers and other objects. In large enterprises, multiple administrators manage objects centrally through the Group Policy Management Console (GPMC) from different computers in the domain. Often, users complain that their system settings have been changed without their knowledge.

Group Policy Auditing with Windows

Occasionally the IT team is responsible for these changes; however, it is possible that someone with the right to make changes in the Group Policy Management Console has altered settings for which there was no authorization. Changes in Group Policy Objects like these, that can often remain unknown to others, can create accountability issues. It is therefore very important to audit these changes to know who did what change, when and from which location

GPO Auditing is possible with Windows 2000 Server; however, it was always a bit noisy and did not provide granular levels of detail. In the latest versions of Windows Server, Microsoft introduced advanced auditing where users can granularly determine what to audit and what not to audit, thus creating a manageable number of logs.

Group Policy is used to perform numerous tasks; including configuring auditing and deciding what users can or cannot access. It is therefore necessary to monitor Group Policy changes. But how? Here, you will see the steps to enable Group Policy auditing in Active Directory.

How to enable auditing of Group Policy Objects

A Group Policy Object is stored in two parts – Group Policy Templates (defines the GPO template) and Group Policy Containers (an object in Active Directory pointing to GPO template). Group Policy Templates are stored in %sysroot%SYSVOL folder. The auditing of SYSVOL folder, Group Policy Container Objects and DS Objects has to be enabled in order to enable the Group Policy Objects.

How to enable auditing of DS objects

Perform the following steps to enable auditing of Directory Service Objects:

  1. Launch Group Policy Management Console (GPMC) from the “Administrative Tools” in the “Start Menu”.
  2. Go to Forest -> Domains -> Domain Controllers.

  3. Right click “Default Domain Controllers Policy”, and click on “Edit” to access “Group Policy Management Editor” (GPMC Editor).

  4. The GPMC Editor window opens up, in the editor window navigate to “Computer Configuration” -> “Policies” -> “Windows Settings” -> “Security Settings” -> “Advanced Audit Policy Configuration” -> “Audit Policies”.

  5. Select “DS Access” in the Audit Policies. The following policies will be displayed in it.

I. Audit Directory Service Access

II. Audit Directory Service Changes

III. Audit Directory Service Replication

IV. Audit Detailed Directory Service Replication

  1. One by one, double-click these policies, and enable their auditing for both “Success and “Failure”.
  • Do the same steps to enable the auditing of “Object Access” -> “Audit File System” in “Advanced Audit Policy Configuration”.

  • Continue reading “How easy is it to track Group Policy changes using the event log?”