Windows Server 2022 is here! – Virtualization review



“Overall, there aren’t really a lot of new features, and what there is, isn’t all available for your traditional on-premises Windows server,” says our hands-on review expert, Paul Schnackenburg.

Quietly made generally available in mid-August, then officially launched on September 1, Windows Server 2022 is here.

Microsoft recently hosted a Windows Server Summit to kick it off, with a two-hour livestream in which different presenters covered different aspects of the new features, plus video-on-demand content. Compare that to the great fanfare that would have accompanied a new version of Windows Server just a few years ago. For someone who was there at the beginning (I still remember the smell of the thick manuals printed for Windows NT Server 3.51, which I devoured from start to finish when setting up my first server), I can't help thinking that Windows Server is quietly fading into the background.

However, there are some very useful features and there are certainly reasons to migrate (though fewer than in the past), so let's dig in.

I looked at the preview in April ("Windows Server 2022 Is Coming!"), and most of the information here is from the GA version.

The three main areas are Secured-core server, SMB over QUIC, and Storage Migration Service, with additional honorable mentions for security, networking, and Hyper-V. I will also give my own analysis of where each feature brings real benefit and where it is mostly marketing.

Secured-core server
As the name suggests, Microsoft is using technology built into newer PC devices to protect against firmware attacks and expanding it to the server platform. This is timely as firmware attacks are on the increase and it is important to have a strong guarantee that the underlying hardware is secure.

Secured-core servers from the leading server manufacturers will ship with a Trusted Platform Module (TPM) 2.0, BitLocker and Virtualization Based Security (VBS) enabled right out of the box. The protection is made up of six areas:

  1. Hypervisor-protected Code Integrity (HVCI)

  2. Boot DMA protection

  3. System Guard

  4. Secure Boot

  5. VBS

  6. TPM 2.0

Each of them contributes to a trusted hardware platform: the TPM stores BitLocker keys and other secrets securely; VBS uses hardware virtualization (not a fully separate virtual machine, just an area of memory isolated using Hyper-V) to stop credential theft attacks (Mimikatz and the like); and Secure Boot verifies the signatures on the boot software (the operating system itself, UEFI and all EFI applications).

HVCI relies on VBS to protect the Control Flow Guard (CFG) bitmap from modification and checks that device drivers are signed with EV certificates. CFG is the part of Windows that stops malicious applications from corrupting the memory of benign applications. System Guard builds on these lower-level features and validates the entire boot chain using the static root of trust for measurement (SRTM), the dynamic root of trust for measurement (DRTM) and System Management Mode (SMM) protection.

Secured-core server extension in Windows Admin Center

There is no doubt that these are welcome additions to a server operating system, BUT ask yourself how many of the servers you are going to be running in your data center in 2022 and beyond are going to be physical servers. All of these protections are only available on new servers that are Secured-core (or an existing server with a TPM 2.0 chip where the vendor provides verified firmware drivers). So you might be running a Hyper-V cluster, maybe domain controllers, and maybe a very large SQL server or two. But if you are running virtualized domain controllers, or Windows virtual machines on VMware, Secured-core server will bring you little or no benefit. That's not to say that some of these features won't be (and some already are) available to VMs running on Hyper-V, or as IaaS VMs in Azure, but they aren't as fully protected as Secured-core servers.
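Before trusting a vendor's "Secured-core" sticker, it is worth reading the state of each building block back from the operating system. The script below is an added example, not part of the article or of Microsoft's tooling; it uses the standard Win32_DeviceGuard and Win32_Tpm WMI classes and the Confirm-SecureBootUEFI and Get-BitLockerVolume cmdlets, and the numeric codes in the comments are the documented Win32_DeviceGuard values (treat them as an assumption to verify against the class documentation for your build). Run it in an elevated PowerShell session on the server.

```powershell
# Added example (not from the article): report the status of the Secured-core
# building blocks on a Windows Server 2022 host. Run elevated.

function Get-SecuredCoreStatus {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard reports VBS and the services running on top of it.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI,
    #                          3 = System Guard Secure Launch (DRTM), 4 = SMM firmware measurement.
    # AvailableSecurityProperties: 3 = DMA protection (documented codes, assumed here).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # Secure Boot state comes from UEFI; the cmdlet throws on a legacy BIOS box.
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false }

    # TPM spec version, e.g. "2.0, 0, 1.38" on a TPM 2.0 part.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm

    # BitLocker protection on the OS volume.
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive

    [pscustomobject]@{
        VbsRunning            = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        Hvci                  = ($dg.SecurityServicesRunning -contains 2)
        CredentialGuard       = ($dg.SecurityServicesRunning -contains 1)
        SystemGuardSecureLaunch = ($dg.SecurityServicesRunning -contains 3)
        SmmFirmwareMeasurement  = ($dg.SecurityServicesRunning -contains 4)
        DmaProtectionAvailable  = ($dg.AvailableSecurityProperties -contains 3)
        SecureBoot            = $secureBoot
        Tpm20                 = ($null -ne $tpm -and $tpm.SpecVersion -like '2.0*')
        BitLockerOsVolume     = ($osVol.ProtectionStatus -eq 'On')
    }
}

# Anything reported as False is a gap in the chain described above and a
# candidate for a configuration-drift alert on a host that is supposed to be
# Secured-core.
Get-SecuredCoreStatus | Format-List
```

On a Hyper-V or VMware guest most of these will read False, which is exactly the point made above: the guest sees a virtual TPM and virtual firmware at best, so the host's Secured-core status is what actually protects it.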

Server Message Block
SMB in Windows Server 2022 received a lot of love. You can now use AES-256-GCM and AES-256-CCM encryption for traffic, and signing now supports GMAC acceleration.

Even cooler, SMB compression can now be enabled on the server, on the client, on a share, or even for an individual file copy (using Robocopy), which, at the cost of slightly higher processor usage, significantly reduces the network bandwidth used.

SMB 3 signing and encryption settings

If you use Remote Direct Memory Access (RDMA) to speed up your Hyper-V nodes' access to Storage Spaces Direct, for example using SMB Direct, you can now encrypt this traffic. Additionally, you now have granular control over encryption between nodes in a cluster as well as over inbound/outbound traffic to the cluster.

Note that all of these features are only available between Windows Server 2022 nodes or when communicating with Windows 11 clients. The encryption features, for example, negotiate what each end supports and fall back to unencrypted traffic, so to really make sure all traffic is protected at the highest level, you need to upgrade ALL servers and clients.
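The settings discussed in this section are all exposed through the SmbShare PowerShell module. The script below is an added example, not from the article; the share name and path are placeholders, and it assumes a Windows Server 2022 file server (the -EncryptionCiphers parameter and the per-share -CompressData switch are new in this release and do not exist on older servers). Because negotiation silently settles on whatever the older end supports, the script also shows how to make the server refuse unencrypted access rather than fall back, and how to read the negotiated result per connection.

```powershell
# Added example (not from the article): apply and verify Windows Server 2022
# SMB signing, encryption and compression settings. Run elevated on the server.

$ShareName = 'Data'            # placeholder
$SharePath = 'D:\Shares\Data'  # placeholder

# 1. Server-wide: require signing, encrypt every session, refuse clients that
#    cannot encrypt (instead of negotiating down to plaintext), and prefer the
#    new AES-256 ciphers. Order in -EncryptionCiphers is the preference order.
Set-SmbServerConfiguration -RequireSecuritySignature $true `
                           -EncryptData $true `
                           -RejectUnencryptedAccess $true `
                           -EncryptionCiphers 'AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM' `
                           -Force

# 2. Per-share: create the share if needed, then turn on encryption and
#    compression for this share only.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -FullAccess 'BUILTIN\Administrators' | Out-Null
}
Set-SmbShare -Name $ShareName -EncryptData $true -CompressData $true -Force

# 3. Read back what is actually in force, for a compliance report.
function Get-SmbHardeningReport {
    param([Parameter(Mandatory)][string]$Name)
    $cfg   = Get-SmbServerConfiguration
    $share = Get-SmbShare -Name $Name
    [pscustomobject]@{
        RequireSigning      = $cfg.RequireSecuritySignature
        EncryptAllSessions  = $cfg.EncryptData
        RejectUnencrypted   = $cfg.RejectUnencryptedAccess
        CipherPreference    = $cfg.EncryptionCiphers
        ShareEncrypted      = $share.EncryptData
        ShareCompressed     = $share.CompressData
    }
}
Get-SmbHardeningReport -Name $ShareName | Format-List

# 4. On a client (Windows 11 / Server 2022) the negotiated result per
#    connection is visible here; a Signed/Encrypted of False against an
#    older peer is the fallback the section above warns about.
#    Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Signed, Encrypted
#
#    A single Robocopy run can request compression for just that copy:
#    robocopy "\\<server>\Data" "C:\Backup\Data" /E /COMPRESS
```

-RejectUnencryptedAccess is the setting that turns the "negotiate down" behaviour into a hard failure; test it on a pilot share first, because any pre-SMB 3 client (or an appliance speaking SMB 2) will lose access the moment it is applied.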

SMB share compression and encryption settings

SMB over QUIC
For me this is the most important feature of Windows Server 2022, and the one with the most real-world application. Basically, this is SMB over UDP, with all traffic protected by TLS 1.3, allowing you to securely deliver file shares to remote users without a VPN. Again, it's only available when connecting from Windows 11 (but at least that upgrade is free, as long as your client device has the required hardware).

The additional catch here is the server edition. Windows Server 2022 is available in the same Standard and Datacenter (Desktop/Core) editions we are used to, plus a new one, Datacenter: Azure Edition. This new edition is the only one that supports SMB over QUIC. Azure Edition runs only in Azure, as the name suggests, OR on Azure Stack HCI. That name itself is very confusing because it implies that it runs in Azure (it doesn't, you run it on-premises) and that it has something to do with Azure Stack Hub (it doesn't; Hub is an integrated system that you buy from a vendor and that runs the same software as Azure, only a few versions behind). Azure Stack HCI is a version of Windows Server that you run on your own hardware with hyperconverged infrastructure (HCI), so that storage is shared between nodes using Storage Spaces Direct (S2D). This version of Windows Server is a subscription that you pay for monthly, and in return it receives regular updates.

The bottom line: SMB over QUIC is only available on a new file server that you run in Azure or on Azure Stack HCI in your datacenter, and only if you are connecting from a Windows 11 client. Particularly disappointing is the artificial limitation of not offering SMB over QUIC in Windows Server 2022 Standard/Datacenter. It should be noted that SMB over QUIC is currently in preview, but it is supported by Microsoft.
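To make the "no VPN" claim concrete, the following added example (not from the article) shows the two halves of the setup: binding a TLS certificate to the public name on a Windows Server 2022 Datacenter: Azure Edition file server with New-SmbServerCertificateMapping, and mapping the share from a Windows 11 client with the QUIC transport. The host name, thumbprint, share and group are placeholders, and it assumes the certificate is already in the machine store with the Server Authentication EKU and the public host name in its subject alternative names.

```powershell
# Added example (not from the article): publish a share over SMB over QUIC
# and connect to it. The first part runs on the Azure Edition file server,
# the second on a Windows 11 client. All names below are placeholders.

# --- Server side (Windows Server 2022 Datacenter: Azure Edition) ---
$ServerFqdn = 'fsedge.example.com'        # placeholder: public name clients will use
$Thumbprint = '<thumbprint-of-tls-cert>'  # placeholder: cert in LocalMachine\My

# Bind the certificate to the name. This is what enables the QUIC listener on
# UDP/443 with TLS 1.3; existing TCP/445 shares are not changed by it.
New-SmbServerCertificateMapping -Name $ServerFqdn -Thumbprint $Thumbprint -StoreName My

# Confirm the mapping took.
Get-SmbServerCertificateMapping | Format-List Name, Thumbprint, StoreName

# The share itself is an ordinary SMB share; nothing QUIC-specific is needed.
New-SmbShare -Name 'Docs' -Path 'D:\Shares\Docs' -FullAccess 'EXAMPLE\DocsUsers'

# --- Client side (Windows 11) ---
# -TransportType QUIC forces UDP/443 + TLS 1.3 instead of TCP/445, so the
# mapping works from outside the corporate network without a VPN. The client
# validates the server certificate against its trusted roots, so a private CA
# must be trusted on the client first.
New-SmbMapping -LocalPath 'Z:' -RemotePath '\\fsedge.example.com\Docs' -TransportType QUIC

# Equivalent at a command prompt:
#   net use Z: \\fsedge.example.com\Docs /TRANSPORT:QUIC

# Check the mapping is in place.
Get-SmbMapping -LocalPath 'Z:'
```

From a defender's point of view the interesting property is that only UDP/443 needs to be reachable from the internet and nothing listens on TCP/445 externally; leave 445 blocked at the edge and treat the certificate mapping as the thing to monitor, since whoever controls it controls which name the server answers to.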

Storage Migration Service
Led by Ned Pyle at Microsoft, this feature has been in Windows for a few versions now, allowing a seamless migration of file servers from legacy operating system versions to more modern ones. You point a destination server at an existing file server (or, if you have a fleet, you can have a Storage Migration Service server that orchestrates migrations from multiple sources to multiple destination servers); it copies the data until both are in sync, and then you can cut over to the new server seamlessly. Server names, share names, permissions, everything is migrated, and your users will notice very little impact. The service now supports Linux Samba servers and NetApp file shares, and continues to support Windows file servers, including clustered ones.
