HPE Reference Configuration: Exchange 2016, SharePoint 2016, Skype for Business 2015, Windows Server 2016 on HPE DL380 Gen10 Reference Architecture


Post on 17-Jun-2020


Contents

• Executive summary

• Solution overview

– New features in HPE Gen10 servers

• Solution components

– Server hardware

– Application software

• Summary

• Resources and additional links


Executive summary

This Reference Configuration discusses the new features in the HPE Gen10 server portfolio, which provide performance improvements and security enhancements and optimize efficiency across Unified Communications and Collaboration (UC&C) application workloads such as Microsoft® Exchange Server 2016, Microsoft SharePoint Server 2016, and Microsoft Skype for Business Server 2015. While the whole family of servers has gained these new features, this paper provides examples featuring the HPE ProLiant DL380 Gen10, which is ideal for a wide range of UC&C application deployments.

In this era of digital transformation, businesses have to be more agile to adapt quickly to changing requirements and capture new opportunities. Businesses need to reduce operational cost while increasing productivity and efficiency and ensuring that IT operations are not compromised. Cloud computing technology is viewed as a way to meet this new demand on IT infrastructure. The cloud can offer the benefits of on-demand, pay-as-you-go IT resource availability to help your organization respond quickly to business needs while avoiding capital outlays and costly overprovisioning. However, cloud computing technology provides less control over infrastructure. Security, privacy, compliance, latency issues, and localization are some of the concerns with cloud computing technology, and cost factors may not be low in all cases. Hybrid IT, which combines the right mix of traditional IT, private cloud, and public cloud, provides better agility to meet business and IT goals.

HPE ProLiant Gen10 servers provide a new generation of compute experience, and accelerate businesses' IT infrastructure through the world of Hybrid IT. Based on the Intel® Xeon® Processor Scalable Family, Gen10 servers help businesses adapt to rapidly changing application workload requirements and improve performance with technologies such as Intelligent System Tuning and HPE Scalable Persistent Memory. HPE Gen10 servers provide unique security features down to the silicon layer, with the HPE Secure Compute Lifecycle offering best-in-class innovations in firmware protection, malware detection, and firmware recovery. With new innovations around iLO (HPE Integrated Lights-Out) 5, increases in internal server storage capacity and more efficient server management, HPE Gen10 servers create remarkable new value for business solutions of all sizes.

Target audience: This white paper is intended for system architects, Chief Information Officers (CIO), decision makers, IT support staff and project managers involved in planning and deploying unified communications and collaboration applications on the new HPE Gen10 server platform, notably on HPE ProLiant DL380 Gen10 servers. A working knowledge of Microsoft Exchange Server 2016, SharePoint Server 2016 and Skype for Business Server 2015 along with virtualization technologies is recommended.

Document purpose: The purpose of this document is to provide an overview of new features of HPE Gen10 servers and how those features can enhance solutions for Microsoft Exchange Server 2016, Microsoft SharePoint Server 2016 and Microsoft Skype for Business Server 2015 environments. A configuration example is provided for each Microsoft UC&C application with details about the factors to be considered while designing the solution.

Solution overview

This Reference Configuration is the first in a series of projects providing examples of HPE best practices when deploying Microsoft Exchange, SharePoint and Skype for Business applications on HPE ProLiant DL380 Gen10 servers for customers, channel partners, Pointnext, and other skilled HPE solution implementers. Follow-on projects are planned that are designed to evaluate solutions that demonstrate concepts and design decisions made while sizing a Unified Communications and Collaboration (UC&C) infrastructure running on Gen10 platforms. These projects are intended to deliver Reference Architecture papers that will include example data from functional and performance testing of Gen10 features that are relevant to the specific UC&C applications and workloads.

HPE provides the most secure industry standard servers with unmatched threat protection through hardware root of trust, extensive standards compliance, and supply chain attack detection. HPE industry standard servers provide the ability to recover firmware and operating systems after a denial of service attempt or the detection of compromised code.

HPE’s innovation with ProLiant DL380 Gen10 servers has resulted in expanded hardware features and functionality as well as a unified management experience, allowing our customers to rapidly build stable and secure Unified Communications and Collaboration (UC&C) infrastructure solutions. HPE’s new hardware design and simplified deployment experience, combined with testing and industry certification, help our customers implement a solid foundation.

HPE ProLiant Gen10 servers and options enable new features in the areas of compute, storage, network and security to ensure that customer experience is maintained at a high level which meets their business requirements. Simplification of ProLiant management tools provides customers with ease in properly deploying their server infrastructure and provides administrators and users with a reliable and consistent experience throughout the life cycle of the products.


New features in HPE Gen10 servers

The following sections describe significant new features provided in HPE Gen10 servers. The Microsoft UC&C application portfolio benefits from these new features in terms of infrastructure security, ease of management and deployment, leveraging workload profiles and increased compute and in-server storage capacity. The specific benefits for each UC&C application are discussed in detail in the “Application software” section of this white paper.

Secure compute life cycle

HPE Gen10 servers create a completely hardened infrastructure by offering a robust security solution that spans the server and includes networking, storage, racks, and rack options such as PDUs, thus providing a complete secure compute life cycle. The following sections highlight the server, networking and storage security features available in HPE Gen10 servers.

HPE server security features

HPE introduced the silicon root of trust with its new HPE Gen10 servers. This technology allows the firmware to be scanned and monitored through a series of integrity checks that initiate from an immutable link embedded in silicon. Furthermore, HPE has engineered the Gen10 servers with the ability to recover to a known good state in the unlikely event that firmware becomes compromised in some way.

HPE’s silicon root of trust designs security directly into the powerful Integrated Lights-Out (iLO 5) server management controller, creating an immutable fingerprint in the silicon, preventing servers from booting up unless the firmware matches the fingerprint. Because HPE has total control of its own custom-made silicon chip and the server-essential firmware, it is the only vendor in the industry that can offer this advantage and help to prevent, detect and recover from cyber-attacks. The new silicon root of trust protection includes state-of-the-art encryption and breach detection technologies and is complemented by HPE supply chain security and HPE Pointnext security assessment and protection services. HPE Gen10 servers that include the iLO 5 controller are ProLiant, BladeSystem c-Class, Apollo, and Synergy series servers.

Figure 1. HPE Gen10 Silicon Root of Trust validates the iLO 5 firmware and UEFI during the system boot process

The silicon root of trust provides the secure start to the HPE Gen10 server boot process. When the system boots, iLO 5 hardware validates and checks the integrity of its own firmware and then allows it to be executed, as shown in Figure 1. If iLO 5 finds that its own firmware has been compromised, it will load its authenticated firmware from an integrated backup, with the method and automation level dependent on the specific iLO license. Once the iLO 5 hardware validates and boots its own firmware, it then validates the system BIOS. Because the silicon root of trust is inextricably tied into iLO 5 hardware, every validated signature throughout the boot process can be trusted. If iLO 5 finds that the system BIOS has been compromised, iLO 5 will try to recover it from a backup copy. The customer will be alerted if the backup copy is compromised, and it can be manually recovered to authenticate the firmware with an iLO Standard license. To use the option to automatically recover to authentic firmware, an iLO Advanced Premium Security Edition license is needed. For details refer to hpe.com/us/en/product-catalog/detail/pip.hpe-ilo-advanced-premium-security-edition.1010025876.html.
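The validation order and recovery decisions described above can be modelled in a few lines. This is an added illustration, not HPE code or part of the original paper: SHA-256 digests stand in for the signature checks, the `auto_recover` flag stands in for the license-dependent automatic recovery option, and halting the boot when recovery must be done manually is an assumption of the model.

```python
import hashlib
from dataclasses import dataclass


def fingerprint(image: bytes) -> str:
    """SHA-256 digest, used here as a stand-in for signature validation."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class Stage:
    name: str
    active: bytes    # image that would be executed
    backup: bytes    # integrated backup copy
    expected: str    # reference value held by the already-trusted previous stage


def validate_stage(stage: Stage, auto_recover: bool, log: list) -> str:
    """Return 'ok', 'recovered' or 'halt'; an unvalidated image is never run."""
    if fingerprint(stage.active) == stage.expected:
        log.append(f"{stage.name}: active image valid")
        return "ok"
    log.append(f"{stage.name}: active image failed validation")
    # The backup is validated against the same reference before it is used.
    if fingerprint(stage.backup) != stage.expected:
        log.append(f"{stage.name}: ALERT backup copy also failed validation")
        return "halt"
    if not auto_recover:
        # Assumption of this model: without automatic recovery the boot stops.
        log.append(f"{stage.name}: valid backup present, manual recovery required")
        return "halt"
    stage.active = stage.backup
    log.append(f"{stage.name}: restored from backup")
    return "recovered"


def boot(chain: list, auto_recover: bool):
    """Validate stages in order; a stage is checked only after the one before it is trusted."""
    log = []
    for stage in chain:
        if validate_stage(stage, auto_recover, log) == "halt":
            return False, log
    return True, log


def sample_chain(bios_active: bytes = b"bios-v1", bios_backup: bytes = b"bios-v1"):
    """Constructed sample: short byte strings stand in for real firmware images."""
    good_ilo, good_bios = b"ilo-fw-v1", b"bios-v1"
    return [
        Stage("iLO firmware", good_ilo, good_ilo, fingerprint(good_ilo)),
        Stage("system BIOS", bios_active, bios_backup, fingerprint(good_bios)),
    ]


if __name__ == "__main__":
    cases = [
        ("clean boot", sample_chain(), False),
        ("tampered BIOS, automatic recovery", sample_chain(b"bios-tampered"), True),
        ("tampered BIOS, manual recovery", sample_chain(b"bios-tampered"), False),
        ("BIOS and backup tampered", sample_chain(b"bad-1", b"bad-2"), True),
    ]
    for label, chain, auto in cases:
        booted, log = boot(chain, auto)
        print(f"{label}: booted={booted}")
        for entry in log:
            print("   ", entry)
```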

HPE Gen10 servers comply with multiple security standards and encryption protocols, including Federal Information Processing Standard (FIPS) Publication 140-2, the National Institute of Standards and Technology (NIST) 800-147b, the payment card industry data security standard (PCI DSS), and Common Criteria.


HPE Gen10 servers support the following additional physical security options:

• Trusted Platform Module (TPM) 1.2 and 2.0

Trusted Platform Modules are computer chips that securely store passwords, certificates, or encryption keys, which are used to authenticate the platform and validate software. HPE supports TPM 1.2 and 2.0. TPM 1.2 works with any Linux® OS, Microsoft Windows Server® 2012, and Windows Server 2012 R2. TPM 2.0 works with any Linux OS and Microsoft Windows Server 2016.

• Chassis intrusion detection

Select HPE Gen10 servers include an option for a chassis intrusion detection switch, which detects if the chassis hood is opened or closed at any time after installation at the factory. A battery-operated switch is monitored by iLO 5 management processors, and with any change (if the hood is opened or closed) a log entry noting the intrusion is created and can be configured for various alerting mechanisms (Remote Syslog, SNMP, alertmail, etc.).

HPE Gen10 networking and storage security features

HPE Gen10 network adapters include numerous security features and capabilities, depending on the network adapter vendor and family series. Root of trust (in hardware or firmware) enables a chain of trust for authenticating updates to firmware via signature validation and thus blocks installation of rogue, compromised or corrupted firmware. UEFI Secure Boot safeguards the system and ensures that no compromised drivers are executed on system startup. The HPE network adapters support packet inspection, which is software programmable using a system-on-chip (SoC) implementation and is useful for blocking or rate-limiting packets based on packet headers and contents, and potentially stopping Distributed Denial of Service (DDoS) attacks. A filter engine is configured through a pseudo-microcode instruction set to selectively accept, reject, or rate-limit packets based on packet headers and packet contents. The device-level firewall blocks unmanaged access to memory or storage and ensures that only authorized agents can access on-device firmware and configuration data. The sanitization capability ensures that secure user data and configuration data is erased and irretrievable so that the adapters can be safely redeployed or disposed of. The audit logs capture firmware changes. Depending on vendor and family series, different network adapters support the features shown in Table 1.

Table 1. Gen10 security capability by network adapter product series

Security Capability 1Gb/10Gb Standard Series 10Gb Advanced Series 25Gb Performance Series

Root of Trust - Hardware Select Adapters Select Adapters

Root of Trust - Firmware Select Adapters

Hardware Authentication X Select Adapters Select Adapters

Signed Firmware

UEFI Secure Boot

Audit logs Select Adapters

Sanitization/Secure User Data Erase X Select Adapters

Device-Level Firewall Mix of Support

In Table 1, cells indicating a mix of support vary from one vendor to another. Please check the individual adapter QuickSpecs for specific features: hpe.com/us/en/product-catalog/servers/server-adapters.hits-12.html

HPE SSDs and HDDs include digitally signed firmware that prevents unauthorized and malicious attacks on data, ensuring that drive firmware is authentic and comes from a trusted source. HPE SSDs offer Sanitize Block Erase while HPE HDDs use Sanitize Overwrite, both of which meet the requirements of the “NIST Guidelines for Media Sanitization”, NIST 800-88r1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf). These algorithms allow customers to erase data when a drive has reached end of life.


High speed memory capacity with persistence

There are two classes of persistent memory in the HPE Gen10 persistent memory portfolio, which differ in capacity.

• HPE Scalable Persistent Memory

HPE Scalable Persistent Memory is an integrated storage solution that runs at memory speed with terabyte scale capacity. It unlocks new levels of compute performance with built-in persistence.

Key features:

– DRAM-level performance for the fastest performing persistent memory

– Flexible capacity points with capacity up to 1TB per server

– Complete solution using DRAM for application performance, flash tier for persistence, and backup power for moving data from DRAM to Flash

• HPE Persistent Memory NVDIMM

The HPE Gen10 servers introduce 16GB NVDIMMs with an updated speed of 2666 MT/s. These use a DIMM form factor but combine DRAM with a controller chip and NAND flash chips. Power is routed from the HPE Smart Storage battery. While the server is powered off, data is saved in the NAND flash memory of each NVDIMM-N. When the server is powered on, each NVDIMM-N restores data from its NAND flash memory to its DRAM. This persistent memory solution is ideal for smaller database storage bottlenecks, write caching solutions like Windows® Storage Spaces volumes and any workload constrained by a storage bottleneck.

Intelligent System Tuning

Starting with Gen10 servers using Intel Xeon Scalable Processors and iLO 5, HPE has introduced a new server tuning technology to improve performance. Whenever a processor changes its operating frequency, jitter is introduced. There can be several reasons for a processor to dynamically change its frequency during runtime; some of which may be software driven while some may be processor driven. Jitter induced by processor frequency changes introduces latency that can impact a workload. Jitter smoothing technology is designed to reduce latency by limiting the causes for frequency changes and can be used to tune for best performance in workloads that are traditionally sensitive to latency, as well as in workloads that are impacted by excessive amounts of frequency shifting.

Processor Jitter Control allows the customer to remove or reduce the jitter caused by opportunistic frequency management resulting in better latency response and higher throughput performance. This feature is hosted by platform firmware within HPE ProLiant Gen10 servers. It allows the user to tune servers to reduce or remove processor jitter either automatically or manually. It has three modes and can be configured via the RBSU (ROM Based Setup Utility) or via the RESTful interface. Jitter Control can be disabled, or configured for auto-tuned or manual-tuned mode.

New level of compute

HPE Gen10 servers are based on the Intel Xeon Processor Scalable Family and follow the processor classes defined by Intel: Bronze (3100 series), Silver (4100 series), Gold (5100 series/6100 series), and Platinum (8100 series). The performance and reliability level increases from the Bronze to the Platinum series. The Bronze series is more suitable for SMB workloads, while the Platinum series is more suitable for in-memory analytics, virtualization, and container workloads.

HPE Gen10 servers also introduce a new memory architecture with 6 channels per processor with 2 DIMMs per Channel (DPC), delivering more data bandwidth and more PCI bandwidth.


Storage options for Gen10 servers

HPE Gen10 servers now include three classes in the HPE Smart Array controller family: S-Class which provides Software RAID, E-Class which provides RAID on Chip and HBA modes, and P-Class which provides RAID on Chip with on-controller cache.

Smart Array controllers in Gen10 follow a new naming convention in which the model number indicates the capabilities provided by the card, to help in procuring the correct controller for your needs. Figure 2 shows the summary of features available in each class of controller card.

Figure 2. HPE Gen10 Smart Array portfolio

One of the new features of the Smart Array controllers is their ability to simultaneously present drives as a traditional array controller using on-controller caching, while presenting other drives attached to the same controller in HBA mode and bypassing the cache. HPE provides Smart Array controller-based encryption and self-encrypting drives. HPE encryption keys can be stored local to the array controller or managed by an Encryption Secure Key Manager (ESKM).

Increase in server storage density

HPE Gen10 servers provide a substantial increase in internal server storage density with LFF and SFF drives which can benefit collaboration and database workloads. A software defined storage solution will benefit from this increase in internal server storage. A DL380 Gen10 server supports a maximum of 24+6 SFF drives (with optional rear SFF drive cages) or 12+4+3 LFF drives with 2 SFF drives (with optional mid-tray and rear LFF drive cage, plus 2 SFF SSD rear). There is substantially greater NVMe capacity for write intensive workloads needing advanced caching/tiering. Each DL380 Gen10 server supports a maximum of 20 NVMe PCIe SSD drives.

New server management features

The following features are new enhancements in the HPE Gen10 server portfolio.

New HTTP/HTTPS boot process

The HTTP/HTTPS boot process is a new standard driven by HPE and Intel, and targeted to replace PXE boot. This new technology addresses the shortcomings of PXE, such as TFTP timeouts, UDP packet loss, and security issues such as a rogue DHCP server pointing to malicious PXE boot image servers. It uses HTTP/HTTPS instead of TFTP and provides more security through TLS certificate management via the RESTful API, UEFI shell, and RBSU.


HPE Gen10 server workload profiles

The Gen10 server workload profiles optimize performance and power requirements for specific workloads. Workload profiles are a configuration option to deploy BIOS settings based on the application workload that a customer intends to run on the server. The customer has the opportunity to select from a list of workload profiles and relevant performance settings are configured accordingly. By default, the workload profile is set to “General Power Efficient Compute”, which provides common performance and power settings suitable for the majority of application workloads. Workload profiles help customers leverage the significant capabilities of HPE’s performance engineering team to quickly optimize performance for their workload.

iLO 5

The following are some of the new features introduced in iLO 5, in addition to the security features which are discussed in the section “HPE server security features”.

• iLO 5 Service Port

The iLO Service Port is a dedicated USB port for iLO. It provides the ability to plug in your laptop via a USB-Ethernet dongle for troubleshooting, health information, logs, remote console, and virtual media. The customer can connect a USB Key to download the Active Health System Logs.

• Agentless management

When you use the Agentless Management configuration, the management software (SNMP) operates within the iLO firmware instead of the host OS. This configuration frees memory and processor resources on the host OS for use by server applications. The iLO monitors all key internal subsystems, and can send SNMP alerts directly to a central management server, even with no host OS installed.

• Run scheduled or on-demand firmware verification scans and configure recovery actions to implement when an issue is detected.

• iLO Amplifier Pack

The iLO Amplifier Pack is an advanced server inventory, and firmware and driver update solution that enables rapid discovery, detailed inventory reporting, and firmware and driver updates by leveraging iLO advanced functionality.

• Firmware update technology

All the firmware is securely updated via the iLO management network using iLO authentication and authorization. The iLO checks digital signatures and integrity of all firmware.

Economic control

HPE Gen10 servers combine the economics and benefits of a cloud platform with the security and control benefits available on-premises. They combine the ability to consume hardware as business demand increases with the security and controls available on HPE Gen10 technology, providing the customer a better way to provision the hardware. HPE provides a variety of investment models for the customer, as follows:

• HPE Flexible Capacity

This is based on paying only for what you use. It aligns costs with monthly usage via advanced metering. This assists in minimizing overprovisioning.

• HPE Capacity Care Service for mid-size companies

This can be added to any Gen10 system order. This provides regular usage tracking and reports, and provides quarterly consultation to make sure that the IT consumption is based on customer needs, as well as planning for the future.

Solution components

Server hardware

The HPE ProLiant DL380 Gen10 2U server family provides configurations that offer optimal combinations for Microsoft Exchange, SharePoint and Skype for Business, with high performance, reliability, ease of deployment and management. The design ideas in this Reference Configuration are based on a building block approach using HPE ProLiant DL380 Gen10 servers. The HPE ProLiant DL380 Gen10 servers are available in both large form factor (LFF) (Figure 3) and small form factor (SFF) (Figure 4) drive configurations. See hpe.com/servers for information on the HPE ProLiant DL380 Gen10 server.


Figure 3. HPE ProLiant DL380 Gen10 LFF server

Figure 4. HPE ProLiant DL380 Gen10 SFF server

The HPE ProLiant DL380 Gen10 server comprises:

• Rack mount 2U form factor

• 1 or 2 Intel Xeon Processor Scalable Family processors with 4-28 cores at 3.6 GHz maximum, depending on model

• HPE DDR4 SmartMemory with 12 DIMM slots per processor, 6 channels per processor, 2 DIMMs per channel, supporting up to 2666 MT/s.

• Modular chassis with greater drive capacity and flexibility than previous generations. Supports up to 20 NVMe drives. It has additional boot/drive/rear cage options: SATA M.2; dual uFF SSD (2x M.2 cartridges)

• Standard HPE Smart Array S100i along with choice of HPE Smart Array models depending on your needs. It also supports a variety of Smart HBA controllers

• Supports the most recent versions of Windows Server 2012 R2, Windows Server 2016, VMware® ESXi 6.0 U3, VMware ESXi 6.5 and U1

• Security features, such as iLO 5 (Security Root of Trust), Chassis Intrusion Detection, TPM 2.0, and digitally signed firmware

• Embedded management, including HPE iLO 5, Smart Update Manager (SUM), RESTful Interface Tool, UEFI, and Intelligent Provisioning


Application software

The following sections describe how the new features of HPE Gen10 servers benefit UC&C applications.

Microsoft Exchange Server 2016

This Reference Configuration is designed using HPE ProLiant DL380 Gen10 servers and Microsoft Exchange Server 2016, in a building block approach, with a multi-copy database design leveraging Exchange Database Availability Groups (DAGs).

The DAG provides high availability with multiple copies in both a primary data center location, and a secondary data center or disaster recovery (DR) location. This design provides two copies of each database in each site. The database copies provide the ability to withstand failures due to either logical corruption in an Exchange database, the failure of one or more disk drives, a single server failure within the active site, or the complete outage of the servers in the primary data center or site (failover across sites). The user distribution can be either active or passive across the two sites.

This design is based on a specific number of servers per DAG which determines the number of users that can be hosted on a single server in a failover scenario. For example, 4 servers are sized with 3,526 users with 34GB mailboxes per server pair in normal operations, and 16 servers in the DAG can run up to 2,760 users per server in normal operations (with smaller mailboxes due to the increased user count). The number of servers per DAG is a flexible design decision that customers can make, and Microsoft best practices regarding deployment designs have been published in The Exchange 2016 Preferred Architecture (PA). Using DAGs provides the following benefits:

• Includes both high availability within the data center, and site resilience between data centers

• Supports multiple copies of each database, thereby allowing for quick activation with clients shifted to other database copies

• Reduces the cost of the messaging infrastructure

• Increases Exchange system availability by optimizing around failure domains and reducing complexity

Figure 5 is an architecture diagram showing Exchange Database Availability Groups (DAGs).

Figure 5. Simplified architecture diagram showing Exchange Database Availability Groups (DAGs)


HPE Gen10 advantages for Exchange Server 2016

Table 2 highlights the Gen10 features relevant to Exchange Server 2016.

Table 2. HPE Gen10 feature advantages for Exchange Server 2016

HPE Gen10 server feature: HPE Gen10 server workload profiles

Advantages for Exchange Server 2016: Exchange Server infrastructure can benefit from HPE Gen10 server workload profiles for simple performance optimization:

• Workload profile – Custom

• Power Regulator – OS Control mode

These can significantly benefit performance by allowing the operating system to manage power, and use the “High performance” power plan in Windows.

HPE Gen10 server feature: Internal storage: Higher capacity and increased HDD drive count

Advantages for Exchange Server 2016: Increases the user mailbox size

HPE Gen10 server feature: HPE Smart Array Gen10 delivers up to 65% better performance over previous generation controllers

Advantages for Exchange Server 2016: It gives the storage subsystem additional headroom to support the per-mailbox IOPS requirement and improves Exchange server storage performance

HPE Gen10 server feature: Security: Trusted Platform Module 2.0 providing security at the operating system layer (secure data encryption and decryption)

Advantages for Exchange Server 2016: Pairing the drive to the server helps prevent the encrypted drive from being read if inserted in a different server and helps prevent unauthorized access to data storage.

Microsoft SharePoint Server 2016

Microsoft SharePoint Server is a solution from Microsoft designed to support a range of business processes relating to collaborative work and document management.

SharePoint Server 2016 introduced the concept of MinRole where each SharePoint Server 2016 server in the farm can be configured as a specific optimized role in the environment, with each role prescriptively defining the services that run on each server. This results in simplified deployments assisting the SharePoint Server 2016 farm administrator to design the SharePoint Server 2016 environment as per required functionality. SharePoint Server 2016 Feature Pack 1 (FP1) enhances the concept of MinRole for smaller farm topologies using the concept of Shared Roles by combining dedicated roles together. Two new server roles were introduced in FP1 as “Front-end with Distributed Cache” and “Application with Search”.

There are a total of eight possible dedicated or shared MinRole server roles available as defined in Table 3.

Table 3. SharePoint Server 2016 FP1 MinRole definitions

| Server Role | Description |
|---|---|
| Dedicated Roles | |
| Front-end | Service applications, services, and components that serve user requests belong on Front-end web servers. These servers are optimized for low latency. |
| Application | Service applications, services, and components that serve backend requests (such as background jobs or search crawl requests) belong on Application servers. These servers are optimized for high throughput. |
| Distributed cache | Service applications, services, and components that are required for a distributed cache belong on Distributed Cache servers. |
| Search | Service applications, services, and components that are required for searching belong on Search servers. |
| Custom | Custom service applications, services, and components that do not integrate with MinRole belong on Custom servers. The farm administrator has full control over which service instances can run on servers assigned to the Custom role. MinRole does not control which service instances are provisioned on this role. |
| Single-server farm | Service applications, services, and components required for a single machine farm belong on a Single-server farm. A Single-server farm is meant for development, testing, and very limited production use. A SharePoint farm with the Single-server farm role cannot have more than one SharePoint server in the farm. |
| Shared Roles (for smaller deployments) | |
| Front End With Distributed Cache | Shared role that combines the Front-end and Distributed Cache roles on the same server. |
| Application with Search | Shared role that combines the Application and Search roles on the same server. |


A SharePoint Server 2016 environment built upon dedicated MinRole topology requires at least four servers for the key roles: Front-end, Search, Application, and Distributed Cache, with a minimum of two of each role server required for HA redundancy purposes. SharePoint Server 2016 FP1 reduces this requirement for small farm HA deployments with two servers each for Front-end with Distributed Cache, and for Application with Search. If we also consider the 2-node SQL AlwaysOn cluster, a fully deployed HA MinRole topology would therefore require at least 10 servers or VMs for SharePoint Server 2016, whereas only 6 servers or VMs are required for SharePoint Server 2016 FP1.

Microsoft recommends MinRole topologies depending on the specific farm purpose, as defined in Table 4.

Table 4. Recommended MinRole topologies

| Server role | Required for content farm? | Required for shared services farm? | Required for search farm? |
|---|---|---|---|
| Front-end | Yes | No | No |
| Application | Yes | Yes | No |
| Distributed cache | Yes | Yes | No |
| Search | Yes, if hosting Search | Yes, if hosting Search | Yes |
| Custom | Optional | Optional | Optional |

Microsoft SharePoint HA features

Figure 6 shows an example of a highly available SharePoint farm configuration leveraging at least two of each SharePoint MinRole server and SQL Servers. It provides a separation of various SharePoint service roles onto separate VMs, thus maximizing efficiency and allowing for precise VM tuning matching each role. A single VMware vSphere host cluster is also used to define a reasonably sized failure domain for the farm VMs, and to provide role redundancy across the two physical host servers. The design also leverages the built-in SharePoint Application Role Balancing Service to apportion the service load across multiple role VMs. This design, with deliberate over-sizing, also handles the unlikely event of a VM failure whereby the surviving VMs can handle the total load; or the deliberate event of taking down a VM or host for periodic maintenance while continuing to provide the service to users.

Figure 6. SharePoint/SQL MinRole VM design


HPE Gen10 advantages for Microsoft SharePoint 2016

Table 5 provides details about the benefits gained by Microsoft SharePoint Server 2016 from HPE Gen10 features.

Table 5. HPE Gen10 feature advantage for SharePoint Server 2016

| HPE Gen10 server features | Advantages for SharePoint Server 2016 |
|---|---|
| HPE Gen10 server workload profiles | SharePoint Server infrastructure is best installed in a virtualized environment. Select the HPE Gen10 server workload profile to use one of the Virtualization optimized modes: • Virtualization – Power Efficient • Virtualization – Max Performance. These can significantly benefit performance since the host servers will be hosting various virtual machines including a potentially high CPU workload for some roles. |
| Internal storage: • Higher capacity and increased HDD drive count | SharePoint 2016 design can leverage internal storage coupled with a software defined virtual storage solution (e.g., VSA or vSAN) to provide a cluster-wide storage pool as part of a virtualization stack. |
| New security features: • Silicon Root of Trust • Chassis intrusion detection • Trusted Platform Module (TPM) 1.2 and 2.0 | These new security features introduced in HPE Gen10 servers will create a secure compute life cycle for the physical infrastructure in which the SharePoint servers are deployed. This will result in significant reduction in downtime which could occur because of cyber security attacks on the server firmware. TPM modules along with Windows features like BitLocker Drive Encryption will assist during the OS initialization process to ensure the OS startup is not compromised. |
| HPE Gen10 servers provide robust security solutions in networking with Network Interface Card (NIC) security. Features (depending on vendor and family series) include capabilities such as a root of trust (in hardware or firmware), sanitization capabilities for secure erase of data, device-level firewalls, packet inspection, and hardware authentication capabilities | NIC security features: • Blocking installation of rogue, compromised, or corrupted firmware • Blocking unmanaged access to memory or storage • Renders user and configuration data on the NIC irretrievable so that NICs can be safely redeployed or disposed • Ensures that only authorized agents can access on-device firmware and configuration data. Network adapters based on vendor and family series may also support packet inspection, which can block malicious traffic and potentially stop DDoS attacks. |
| HPE Gen10 Intelligent System Tuning | Intelligent System Tuning will achieve higher levels of performance, efficiency, and control in your server environment. |
| Economic control | A Microsoft SharePoint Server 2016 virtualized environment can be implemented in a pay as you use model. Initially the customer can implement SharePoint infrastructure with “Custom Role” and then scale out the environment with additional role VMs in a high availability model as needed. |
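
Tables 2 and 5 rely on the TPM and BitLocker to tie an encrypted drive to its server and to protect OS startup; that only holds if the volume key is actually sealed to the TPM. The following is an added example, not part of the HPE paper, showing one way to check this on a deployed Windows Server 2016 host. The function names New-Finding and Test-TpmBitLockerBinding are hypothetical, and the script assumes an elevated PowerShell session.

```powershell
# Added example (not from the HPE paper): audit TPM state and BitLocker key binding.
# Assumes an elevated session on the server being checked.

function New-Finding {
    param([string]$Check, [string]$Target, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Target = $Target; Pass = $Pass; Detail = $Detail }
}

function Test-TpmBitLockerBinding {
    $hostName = $env:COMPUTERNAME

    # The TPM must be present and provisioned before BitLocker can seal keys to it.
    $tpm = Get-Tpm
    New-Finding 'TPM present and ready' $hostName ($tpm.TpmPresent -and $tpm.TpmReady) `
        "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"

    # Win32_Tpm.SpecVersion is a comma-separated string; the first field is the TPM family.
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec = if ($wmiTpm) { ($wmiTpm.SpecVersion -split ',')[0].Trim() } else { 'unknown' }
    New-Finding 'TPM specification 2.0' $hostName ($spec -eq '2.0') "SpecVersion=$spec"

    # On Windows Server the BitLocker cmdlets exist only once the feature is installed.
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        New-Finding 'BitLocker feature installed' $hostName $false 'Get-BitLockerVolume not found'
        return
    }

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType } |
            Where-Object { $_ })

        New-Finding 'BitLocker protection on' $vol.MountPoint `
            ([string]$vol.ProtectionStatus -eq 'On') `
            "VolumeStatus=$($vol.VolumeStatus) Method=$($vol.EncryptionMethod)"

        if ([string]$vol.VolumeType -eq 'OperatingSystem') {
            # Only a TPM-based protector ties the volume key to this server's TPM.
            $tpmBound = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
            New-Finding 'OS volume key sealed to TPM' $vol.MountPoint $tpmBound `
                "Protectors=$($types -join ',')"
        }
        else {
            # Data volumes inherit the binding when auto-unlock keeps their key on the OS volume.
            New-Finding 'Data volume auto-unlock enabled' $vol.MountPoint `
                ([bool]$vol.AutoUnlockEnabled) "Protectors=$($types -join ',')"
        }

        # A recovery password unlocks the volume on any machine, so list it for escrow review.
        if ($types -contains 'RecoveryPassword') {
            New-Finding 'Recovery password present (check escrow)' $vol.MountPoint $true `
                'Unlocks the volume outside this server; store it securely'
        }
    }
}

# Show failed checks first.
Test-TpmBitLockerBinding | Sort-Object Pass | Format-Table -AutoSize -Wrap
```

A volume that reports protection on but has no TPM-based protector is encrypted yet not paired to the server, which is the gap this check is meant to surface.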

Microsoft Skype for Business Server 2015

Unified communication and collaboration is rapidly becoming a key pillar in improving business efficiency. Microsoft Skype for Business (SfB) is part of the unified communication and collaboration offering from Microsoft. Skype for Business Server 2015 provides users with collaboration and meeting features integrated with Microsoft Office products that use SfB desktop, web and mobile clients.

There are three deployment choices for implementing Skype for Business Server 2015 as listed below:

• Skype for Business Server 2015 on-premises deployment involves installing Skype for Business Server 2015 in the organization’s data center or a third-party data center. This type of deployment provides options for customization, third-party integration and adherence to compliance, legal and regulatory requirements. For more detail, visit: https://technet.microsoft.com/en-us/library/gg398616.aspx. To deploy Skype for Business Server 2015 on-premises using HPE hardware and technology expertise, visit HPE Reference Architecture for Microsoft Skype for Business Server 2015 for 5,000 users using HPE Network Optimizer SDN Application

• Skype for Business Online is part of a “Software as a Service (SaaS)” offering from Microsoft commonly referred to as Office 365 (O365). Skype for Business Online provides most (but not all) of the functionality of the Skype for Business Server 2015 (on-premises) deployment on a per-user, per month subscription model without having to deploy Skype for Business Server 2015 on-premises. This offering can offer a lower TCO, 99.9% service uptime SLA, and features not available in on-premises deployments, such as large meeting support for more than 250 participants, etc. For more details, visit: https://products.office.com/en-us/business/microsoft-office-365-frequently-asked-questions.


• Skype for Business Hybrid enables administrators to deploy a portion of their Skype for Business environment on-premises for technical and business reasons, and leverage the benefits of the Skype for Business Online offering for part of the users. This type of deployment provides the maximum number of features for real-time communication and collaboration. For more details, visit: https://products.office.com/en-us/skype-for-business/server-hybrid

For more information on choosing the deployment model that fits your organization's needs, visit HPE Reference Configuration for Microsoft Skype for Business Server 2015 Hybrid design considerations.

Skype for Business Server 2015 is supported in both physical and virtual deployments on-premises, with two basic topologies:

• Skype for Business Server 2015 Standard edition on-premises deployment for up to 2,500 active users

• Skype for Business Server 2015 Enterprise edition on-premises deployment for 5,000 active users and above

These are shown in Figure 7.

Figure 7. Skype for Business Server 2015 topologies


HPE Gen10 advantages for SfB Server 2015

The HPE Reference Architecture for Microsoft Skype for Business, Standard edition, 2500 users – virtual and physical deployment use cases paper provides use cases for both Skype for Business Server 2015 physical server deployment and Skype for Business Server 2015 virtual machine (Hyper-V). The key in any SfB deployment is provisioning the network to guarantee a maximum end-to-end delay (latency) of 150 milliseconds under peak load. With our experience at HPE we have found that the HPE ProLiant DL380 and DL360 series are the optimal platforms to run a physical deployment of SfB Server 2015, and the HPE ProLiant DL560 series is a more dense and scalable server which makes it more suitable as a virtualization platform.

Table 6. HPE Gen10 feature advantage for Skype for Business Server 2016

| HPE Gen10 business feature | HPE Gen10 server features | SfB Server 2015 feature and functionality |
|---|---|---|
| Agility to deliver business results | HPE Intelligent System Tuning is a new set of revolutionary capabilities that make it easier to manage your on-premises infrastructure by delivering higher levels of performance, agility, and control to your server environment. | SfB Server 2015 Physical server topology and Hypervisors that run the SfB servers as virtual machines will benefit from HPE Intelligent System Tuning capabilities such as dynamically configure server resources to match specific workloads and achieve higher levels of performance, efficiency, and control in your server environment |
| | HPE Gen10 servers come with support for Intel Xeon Scalable 8100 series, Intel Xeon Scalable 6100 series, Intel Xeon Scalable 5100 series, Intel Xeon Scalable 4100 series, Intel Xeon Scalable 3100 series, that scale from 4 to up to 28 cores to meet the growth in demand for compute. Intel Advanced Vector Extensions 512 (AVX-512), new instruction set extensions, to accelerate performance for your most demanding computational tasks. Extended GPU support is also available. | Almost All SfB features will benefit from the increased performance with Intel Xeon Processor Scalable family however the major impact will be felt by the following roles and features of SfB Server 2015: Conferencing Audio/Video or Web require taking input from more than two users and processing a unified Audio/Video or Web experience. Server side processing (MCU) will benefit from the new Intel Xeon Processor Scalable family. |
| | HPE DDR4 SmartMemory support in the HPE Gen10 servers offers increased data transfer rates and energy efficiency compared to DDR3. | Almost all SfB features will benefit from the increased performance with DDR4 RAM support however the major impact will be felt by the following roles and features of SfB Server 2015: Enterprise Voice call processing will be faster on the server side. SfB Persistent Chat / Compliance & Monitoring / Archiving database that run the backend SfB Backend SQL database will also benefit from the increased data transfer rate with DDR4. |
| Security to protect your digital assets | HPE is the first company to develop “silicon root of trust” – a unique link between the custom HPE silicon and the HPE Integrated Lights-Out (iLO 5) firmware to ensure servers do not execute compromised firmware code. | All Physical SfB servers will benefit from the increased security of “silicon root of trust”, so will underlying hypervisors that run the SfB servers as virtual machines. |
| | HPE Gen10 servers include an option for a chassis intrusion detection switch, which detects if the chassis hood is opened or closed at any time after installation at the factory. | All Physical SfB servers will benefit from the increased security, so will underlying hypervisors that run the SfB servers as virtual machines. |
| | Depending on the vendor and family series, the NIC security features include capabilities such as a root of trust (in hardware or firmware) to enable secure boot, sanitization capabilities for secure erase of data, device-level firewalls, packet inspection, and hardware authentication capabilities. | All Physical SfB servers will benefit from the increased security, so will underlying hypervisors that run the SfB servers as virtual machines. |
| | Support for Trusted Platform Module 2.0 providing security at the operating system layer. Intel AES New Instructions (Intel AES-NI) are a set of instructions in the Intel Xeon Processor Scalable family that enable fast and secure data encryption and decryption. | All Physical SfB servers will benefit from the increased security, so will underlying hypervisors that run the SfB servers as virtual machines with Host Guardian features in Windows Server 2016 and BitLocker drive encryption capabilities. |
| Economic control for your bottom line | HPE Flexible Capacity, a pay-per-use on-premises IT infrastructure solution, enables the agility and economics of a public-cloud experience with the control and performance benefits of on-premises IT. You can set up IT capacity, pay monthly based on what you use, and easily scale up or down without a capital outlay or a lengthy IT procurement process. | Provides a scalable application deployment platform for SfB Server 2015. |


Summary

HPE Gen10 servers provide a new generation of computing experience, offering the first industry standard servers to include silicon root of trust that provides integrity checks to ensure that the server boot process is completely secure and authenticated within the hardware itself before initializing the UEFI and the OS. HPE Gen10 servers offer additional physical platform security in the form of Trusted Platform Module (TPM) and chassis intrusion detection. They offer a robust security solution in networking and storage options, racks, and rack options such as PDUs. HPE Gen10 servers help businesses to remain agile with technologies like Intelligent System Tuning, HPE Gen10 server workload profiles, and HPE Scalable Persistent Memory. HPE Gen10 servers are based on the Intel Xeon Processor Scalable Family and provide increased in-server storage density over previous server generations.

Microsoft UC&C application workloads, such as Microsoft Exchange Server 2016, Microsoft SharePoint Server 2016, and Microsoft Skype for Business Server 2015, will benefit from these new enhancements in the HPE Gen10 server portfolio with optimized performance, secure compute life cycle and increase in efficiency.


© Copyright 2017 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Microsoft, Windows Server, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Intel and Xeon are trademarks of Intel Corporation in the U.S. and other countries. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

a00022804enw, August 2017

Resources and additional links

HPE Gen10 server portfolio hpe.com/us/en/servers/gen10-servers.html

HPE ProLiant DL380 Gen10 servers hpe.com/servers/dl380

HPE Reference Architectures hpe.com/info/ra

HPE Servers hpe.com/servers

HPE Storage hpe.com/storage

HPE Networking hpe.com/networking

HPE Pointnext hpe.com/us/en/services/consulting.html

HPE Solutions for Microsoft Collaboration hpe.com/info/Collaboration-RA

HPE Sizers hpe.com/info/sizers
