It’s been about a year since Microsoft first announced plans to deliver Nano Server, a new SKU of Windows Server that is essentially a highly stripped-down version of the OS, optimized for cloud/data center environments and container/micro-service workloads. What does that mean? It means that in the future world of cloud-based Windows Server, applications will increasingly be composed of micro-services, or small units of application functionality, that work in concert to deliver applications. And in that world, a big fat OS with a GUI, the full .NET stack and all the features of a modern Windows Server OS is not really needed, and in fact is less desirable from both a security (think: fewer features, less attack surface) and a manageability/complexity perspective.
Managing and Configuring Nano Server without Group Policy
Given what I’ve just described, you can imagine that the management and configuration of Nano Server is going to be significantly different. For example, you will not be able to Remote Desktop (RDP) to a Nano Server. All management will happen remotely, using normal remote GUI tools or, preferably, command-line solutions like PowerShell. And, most importantly for our discussions, Nano Server will have NO GROUP POLICY PLUMBING. This is the first time a Windows OS will not ship with support for Group Policy since 2000! That’s a big deal. What that means is that Nano Server will simply not be configurable at all (domain or locally) via GP. See this article for more information about this, but the bottom line is that there are no Group Policy “Guts” in Nano Server (Nano’s “interface” shown below).
So, how does one configure a Nano Server? Well, you have a couple of options. If you need to configure basic security hardening, Microsoft has provided a PowerShell module that essentially takes the raw GP-based setting files and applies those to Nano Server. For the broader configuration scenarios, we have Desired State Configuration (DSC) support within Nano, with almost full-fidelity support for DSC features in the full version of Windows Server. If you ever needed a reason to dig into DSC, then Nano Server’s exclusive support of it, and lack of support for GP, may be the push you need.
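To make the DSC route concrete, here is an added example (not from the original post and not Microsoft's module) that pushes three registry-backed security settings, of the kind a GPO would normally deliver, to a Nano Server from a management workstation and then checks for drift. The configuration name `NanoBaseline`, the host name `nano01` and the choice of settings are assumptions for illustration; it also assumes DSC is present on the Nano image and WinRM is reachable.

```powershell
# Added example. 'NanoBaseline' and 'nano01' are placeholder names, and the
# three settings are illustrative picks, not a complete hardening baseline.
Configuration NanoBaseline {
    param([string[]]$NodeName = 'nano01')

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        # GP equivalent: "Network security: LAN Manager authentication level"
        # 5 = send NTLMv2 responses only, refuse LM and NTLM
        Registry LmCompatibilityLevel {
            Ensure    = 'Present'
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
            ValueName = 'LmCompatibilityLevel'
            ValueType = 'Dword'
            ValueData = '5'
        }

        # GP equivalent: "Microsoft network server: Digitally sign
        # communications (always)"
        Registry SmbServerSigning {
            Ensure    = 'Present'
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'RequireSecuritySignature'
            ValueType = 'Dword'
            ValueData = '1'
        }

        # Turn off the SMBv1 server component
        Registry SmbV1Server {
            Ensure    = 'Present'
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'SMB1'
            ValueType = 'Dword'
            ValueData = '0'
        }
    }
}

# Compile to a MOF on the management workstation (there is no RDP to the node)
NanoBaseline -OutputPath .\NanoBaseline | Out-Null

# Push the configuration over a CIM (WinRM) session
$session = New-CimSession -ComputerName 'nano01' -Credential (Get-Credential)
Start-DscConfiguration -Path .\NanoBaseline -CimSession $session -Wait -Verbose

# Drift check: list any resource that no longer matches the declared state
Test-DscConfiguration -CimSession $session -Detailed |
    Select-Object InDesiredState, ResourcesNotInDesiredState
```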
Keep in mind that Nano’s lack of GP support may not affect many of you in the short term, but over the long haul, as more workloads migrate to the cloud and to Nano, you may encounter this limitation more frequently. It’s good to know that you have an alternative, in DSC PowerShell, to configure these Nano workloads in the future.
Darren