Windows Server 2022 is here!
There aren't many new features, and not all of the ones there are work with traditional Windows Server, says Paul Schnackenburg, our hands-on reviewer.
Windows Server 2022 was quietly released to general availability in mid-August and then officially launched on September 1. It is now available.
Microsoft marked the launch with a virtual Windows Server Summit: a two-hour livestream with multiple presenters covering different aspects of the new features, plus on-demand video content. This is a far cry from the excitement a new version of Windows Server would have generated a few years back. As someone who was there at the beginning, I can still smell the thick printed manuals for Windows NT Server 3.51, which I read cover to cover as I set up my first server.
There are many great features, and it is a good idea to migrate.
I covered the preview back in April ("Windows Server 2022 Is Coming!"), and most of that information still applies to the GA release.
This review focuses on three areas: Secured-core Server, SMB over QUIC, and Storage Migration Service, with honorable mentions for security, networking, and Hyper-V. I will also analyze where each feature brings real-world benefits and where it is more marketing spin.
Secured-core Server
Microsoft is extending the Secured-core technology already found in newer PCs to servers to protect against firmware attacks. This matters because firmware attacks are increasing, and a strong guarantee that the hardware underneath the OS is trustworthy is crucial. Secured-core Servers from the major server manufacturers ship with a Trusted Platform Module (TPM 2.0) chip, BitLocker, and Virtualization Based Security (VBS) enabled right out of the box. The six building blocks are:
Trusted Platform Module (TPM 2.0)
Secure Boot
Virtualization Based Security (VBS)
Hypervisor-protected Code Integrity (HVCI)
Boot DMA Protection
System Guard
Each of these components contributes to a trusted hardware platform. The TPM securely stores BitLocker keys and other secrets. VBS uses hardware virtualization (a small Hyper-V-protected environment, not an entire VM) to isolate credentials from credential-theft attacks such as Mimikatz. Secure Boot verifies the signatures on boot software (the UEFI firmware, the OS loader, and any EFI applications).
HVCI is built on top of VBS. It protects the Control Flow Guard (CFG) bitmap from modification and checks that device drivers are signed with valid Extended Validation (EV) certificates. CFG is an integral part of Windows that stops malicious programs from corrupting the memory of benign apps. System Guard takes advantage of these lower-level features to validate the boot chain using Static Root of Trust for Measurement (SRTM), Dynamic Root of Trust for Measurement (DRTM), and System Management Mode (SMM) protection.
These are great additions to a server OS. But ask yourself: how many physical servers will you have in your data center in 2022? These protections only work on new Secured-core servers (or on an existing server that has a TPM 2.0 chip and whose vendor has verified firmware and drivers). Perhaps you have a Hyper-V cluster and Domain Controllers, maybe even a large SQL Server. If your DCs are virtualized and you run your Windows VMs on VMware, Secured-core Server won't benefit you. While some of these features are available (and many already were) for Hyper-V VMs or Azure IaaS VMs, they are not as secure as a Secured-core server.
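To see which of the building blocks above a given host actually has running, here is an added example (my own script, not from the article or from Microsoft) that reads the in-box Win32_DeviceGuard class, TPM, Secure Boot and BitLocker state on a Windows Server 2022 host. The numeric codes are the ones Microsoft documents for Win32_DeviceGuard; run it in an elevated session.

```powershell
# Added example: summarise the Secured-core building blocks on this host.
function Test-SecuredCoreReadiness {
    # Win32_DeviceGuard reports VBS and the services built on it (HVCI, System Guard).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    # Code tables documented for Win32_DeviceGuard
    $svcNames  = @{ 1 = 'CredentialGuard'; 2 = 'HVCI'; 3 = 'SystemGuardSecureLaunch'; 4 = 'SmmFirmwareMeasurement' }
    $propNames = @{ 1 = 'VBSBase'; 2 = 'SecureBoot'; 3 = 'DmaProtection'; 4 = 'SecureMemoryOverwrite';
                    5 = 'UefiCodeReadOnly'; 6 = 'SmmMitigations'; 7 = 'ModeBasedExecControl'; 8 = 'ApicVirtualization' }

    $running = @($dg.SecurityServicesRunning     | ForEach-Object { $svcNames[[int]$_] })
    $avail   = @($dg.AvailableSecurityProperties | ForEach-Object { $propNames[[int]$_] })

    # Confirm-SecureBootUEFI throws on legacy-BIOS boxes; treat that as "not enabled".
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

    $tpm = Get-Tpm
    # BitLocker cmdlets need the BitLocker feature; report Unknown if they are absent.
    try { $bl = (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus } catch { $bl = 'Unknown' }

    [PSCustomObject]@{
        TpmPresentAndReady   = ($tpm.TpmPresent -and $tpm.TpmReady)
        SecureBoot           = $secureBoot
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = configured not running, 2 = running
        VbsRunning           = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning          = ($running -contains 'HVCI')
        CredentialGuard      = ($running -contains 'CredentialGuard')
        SystemGuardLaunch    = ($running -contains 'SystemGuardSecureLaunch')
        DmaProtectionAvail   = ($avail -contains 'DmaProtection')
        SystemDriveBitLocker = $bl
    }
}

Test-SecuredCoreReadiness | Format-List
```

A host that is not a Secured-core server will typically show VBS configured but HVCI or System Guard not running, which is exactly the gap the paragraph above describes for virtualised DCs.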
Server Message Block
SMB got a lot of attention in Windows Server 2022. Traffic can now be encrypted with AES-256-GCM and AES-256-CCM, and GMAC acceleration is also supported.
SMB compression can now be enabled at the client, the server, the share, or for individual file copies (Robocopy). It reduces network bandwidth usage significantly, at the cost of slightly more CPU.
[Image: SMB 3 signing and encryption settings]
Traffic can also be encrypted when you use Remote Direct Memory Access (RDMA) via SMB Direct, for example to give Hyper-V nodes fast, direct access to storage. You can also control encryption between cluster nodes and for inbound/outbound traffic.
These features only work when both ends are Windows Server 2022. The encryption features, for instance, negotiate what each end supports and otherwise fall back to unencrypted traffic, so to get the highest level of protection you must upgrade ALL clients and servers.
[Image: SMB share compression and encryption settings]
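The settings shown in the screenshots can be applied from PowerShell. The following is an added example (mine, not the article's) for a Windows Server 2022 file server: it limits negotiation to the AES-256 ciphers, requires signing and encryption server-wide, refuses unencrypted fallback, and enables compression on one share. The share name "Data" is an assumption; run it elevated.

```powershell
# Added example: harden SMB on a Windows Server 2022 file server and report the result.
function Set-Smb2022Hardening {
    param([string]$ShareName = 'Data')   # assumed share name

    # Offer only the AES-256 ciphers. Clients that cannot negotiate them (pre-2022
    # servers, pre-Windows 11 clients) are refused rather than silently downgraded,
    # which is the "upgrade ALL clients/servers" point made above.
    Set-SmbServerConfiguration -EncryptionCiphers 'AES_256_GCM,AES_256_CCM' -Force

    # Server-wide: sign everything, encrypt everything, and reject unencrypted
    # access instead of falling back when a peer lacks encryption support.
    Set-SmbServerConfiguration -RequireSecuritySignature $true `
                               -EncryptData $true `
                               -RejectUnencryptedAccess $true -Force

    # Per-share: encryption plus the new Server 2022 compression flag.
    Set-SmbShare -Name $ShareName -EncryptData $true -CompressData $true -Force

    # Return the effective settings so the change can be verified and logged.
    $srv = Get-SmbServerConfiguration
    [PSCustomObject]@{
        Ciphers                 = $srv.EncryptionCiphers
        RequireSigning          = $srv.RequireSecuritySignature
        EncryptData             = $srv.EncryptData
        RejectUnencryptedAccess = $srv.RejectUnencryptedAccess
        ShareEncrypted          = (Get-SmbShare -Name $ShareName).EncryptData
        ShareCompressed         = (Get-SmbShare -Name $ShareName).CompressData
    }
}

Set-Smb2022Hardening -ShareName 'Data'
```

For one-off copies, Robocopy on Server 2022 has a /COMPRESS switch that requests the same SMB compression for that job only.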
SMB over QUIC
This feature is my favorite in Windows Server 2022 and has the best real-world application. It is SMB over UDP with all traffic protected by TLS 1.3, which lets you securely share files with remote users without a VPN. It is only available if you connect from Windows 11 (but that upgrade is free, as long as you have the necessary hardware).
Windows Server 2022 comes in the Standard and Datacenter editions (with Desktop Experience or Core), plus a new edition called Datacenter: Azure Edition, and only this new edition supports SMB over QUIC. As the name suggests, Azure Edition runs in Azure, OR on Azure Stack HCI. That is confusing, because the name suggests it only runs in Azure, but it doesn't: you can run it on-premises. Azure Stack HCI is a version of Windows Server you run on your own hardware as a Hyper-Converged Infrastructure, with storage pooled across the nodes using Storage Spaces Direct (S2D). It is a subscription version of Windows Server, billed monthly, that receives regular updates.
So SMB over QUIC can only be used on a new file server that you have installed in Azure or on Azure Stack HCI in your datacenter, and only when you connect to it from a Windows 11 client. It is disappointing that Windows Server 2022 Standard/Datacenter does not offer SMB over QUIC. Microsoft does provide support for SMB over QUIC, but it is currently in preview.
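As an added illustration of the server/client pairing just described (my example, not the article's), this is the minimal setup on a Datacenter: Azure Edition file server and a Windows 11 client. The name fs1.contoso.com, the share "Data" and the thumbprint are placeholders; it assumes a TLS server certificate with that name as a SAN is already in the machine store and trusted by the client, and that UDP 443 is reachable from the Internet.

```powershell
# Added example: publish a share over SMB over QUIC and map it without a VPN.

# --- On the file server (Windows Server 2022 Datacenter: Azure Edition, elevated) ---
$Fqdn       = 'fs1.contoso.com'               # placeholder public name
$Thumbprint = 'PLACEHOLDER_CERT_THUMBPRINT'   # placeholder, certificate in Cert:\LocalMachine\My

# Bind the TLS 1.3 certificate to the name clients will use; QUIC listens on UDP 443,
# so TCP 445 can stay closed at the edge.
New-SmbServerCertificateMapping -Name $Fqdn -Thumbprint $Thumbprint -StoreName My

# Verify the mapping and that the QUIC listener is switched on.
Get-SmbServerCertificateMapping
Get-SmbServerConfiguration | Select-Object EnableSMBQUIC

# --- On the Windows 11 client ---
# Force the QUIC transport; if it is not offered the mapping fails rather than
# silently using TCP 445, which is the behaviour you want for a server on the Internet.
New-SmbMapping -RemotePath "\\$Fqdn\Data" -TransportType QUIC
Get-SmbMapping -RemotePath "\\$Fqdn\Data"
```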
Storage Migration Service
This feature, spearheaded by Ned Pyle at Microsoft, has been in Windows for a few releases. It lets you migrate file servers seamlessly from older OS versions to newer ones: you point it at an existing file server as the source and a new server as the destination. If you have many servers to migrate, a Storage Migration Service orchestrator server can coordinate migrations between multiple sources and multiple destinations. It copies the data to the new destination server and, once the two are in sync, you cut over to the new one. Everything is migrated; users will not notice any change to server names, share names, or permissions. The service supports Linux Samba servers and NetApp file servers, and it continues to support Windows file servers, including clustered ones.