Windows Server Articles - Altaro DOJO | Hyper-V (https://www.altaro.com/hyper-v)
Hyper-V guides, how-tos, tips, and expert advice for system admins and IT professionals

What’s New in System Center 2022?
https://www.altaro.com/hyper-v/system-center-2022/ (Fri, 11 Mar 2022)

System Center 2022 brings compatibility with Windows Server 2022, Azure Stack HCI and some polish, but not a lot of innovation.


Launched in “early preview” in November 2021, the next version of System Center is going to be released in the first quarter of 2022.

In this article, we’ll look at what’s new in each of the main components (Virtual Machine Manager, Operations Manager and Data Protection Manager) and make some predictions around the finished product.

Virtual Machine Manager 2022

If you have a medium to large deployment of Hyper-V clusters, VMM is a must for management. Somewhat equivalent to vCenter in the VMware world, this is the server product that lets you manage templates for VMs, including templates with multiple VMs (called a service) and other artefacts, as well as automated deployments. VMM also manages your Software Defined Networking (SDN) stack and your backend storage (SANs and S2D). Notably, it also manages VMware virtualization hosts and clusters and can integrate with Azure for light VM management.

SC Virtual Machine Manager 2022 Installation


There are a few new features in this version but the running theme throughout System Center 2022 (unless there’s a surprise reveal at GA) is that this is mostly about finishing little details and ensuring compatibility with current platforms. VMM 2022 runs on Windows Server 2022 and can manage Windows Server 2022 hosts.

On the networking side, the SDN stack gets support for dual-stack IPv4 and IPv6. You’ll need to be using the SDN v2 stack, but that’s where any new features have appeared since System Center 2016. In case you’re not familiar: up to System Center 2012 R2 / Windows Server 2012 R2, Microsoft built their own network virtualization stack and protocol, but in 2016 they offered VXLAN from VMware as an alternative. They also switched to an Azure-inspired architecture where a set of Network Controller VMs running on your cluster manages all the virtualized networks. There are also Software Load Balancer VMs managing incoming network traffic, plus a Gateway providing connectivity from a virtualized network to the wider world. The dual-stack support covers all of these components, including site-to-site VPN (IPsec, GRE tunnels and L3 tunnels), so if your datacenter is adopting IPv6, VMM is all ready to go. Note that you’ll need to provide both IPv4 and IPv6 address pools when setting this up.

VMM Logical Network with IPv4 and IPv6 subnets


The other big-ticket item is support for Azure Stack HCI (versions 20H2 and 21H2) and Windows Server 2022. Note that VMM 2019 Update Release 3 (UR3) already provides support for Azure Stack HCI 20H2. If you missed our Windows Server 2022 webinar and haven’t heard of Azure Stack HCI, realize that it’s got very little to do with Azure. This is a special version of Windows Server and Hyper-V that you cluster on top of Storage Spaces Direct (S2D), which you can then manage from Azure. The benefit of Azure Stack HCI is that all the latest features in Windows Server (and Hyper-V) are released for it (unlike “normal” Windows Server); the downside is that you pay a subscription fee per core, per month, for it.

You can add existing Azure Stack HCI clusters, and you can also create new ones from within VMM. You can manage the entire VM lifecycle, set up VLAN-based networks, deploy/manage the SDN controller and manage storage, including creation of virtual disks and cluster shared volumes (CSVs) and application of storage QoS. There are new PowerShell cmdlets to handle Azure Stack HCI (for example, Register-SCAzStackHCI).

Note that disaggregated Azure Stack HCI clusters (for Scale Out File Server, SOFS) aren’t supported, nor is Live Migration from an Azure Stack HCI cluster to a Windows Server cluster (although quick migration should work).

I installed the “early preview” on a Windows Server 2022 VM, and it works as advertised, with no visual differences from VMM 2019.

Operations Manager

Apart from VMM, I think SCOM is probably the strongest part of System Center. This venerable product keeps an eye on everything in your virtualized datacenter. Using Dell/HP/Lenovo servers? Just install the free management pack and you’ll get hardware monitoring, down to individual fans in your servers. The same goes for your networking and storage gear. Properly configured, SCOM provides visibility into your entire datacenter stack, from physical hardware to user-facing application code.

There are two new RBAC roles. Read-only Administrator does what it says on the tin, including report viewing. The Delegated Administrator profile doesn’t include report viewing, but you can customize exactly what it should be able to do by adding one or more of:

  • Agent management
  • Account management
  • Connector Management
  • Global settings
  • Management pack authoring
  • Notification management
  • Operator permissions
  • Reporting permissions

If you have disabled NTLM in your organization, SCOM 2016/2019 reporting services are impacted; 2022 has a new authentication type (Windows Negotiate) that fixes this issue.

An interesting twist is the ability to choose the alert closure behavior. In 2019 you can’t close an alert when the underlying monitor is unhealthy; now you can choose to be able to close the alert and reset the monitor health, which lets you bulk-close alerts. This brings back the behavior from earlier versions of SCOM. Alternatively, you can choose to stay with the 2019 behavior.

There are improvements to the upgrade process: registry key settings and the custom install location of the Monitoring Agent are maintained when going from SCOM 2019 to 2022.

Alerts can now be sent to Teams channels, instead of Skype for Business.

SCOM can also monitor Azure Stack HCI deployments using a new Management Pack (MP), which is actually a grouping of current Management Packs (BaseOS, Cluster, Hyper-V, SDN and Storage).

There are also some other minor fixes, such as running the SCOM database on SQL Always On (no post-configuration changes required), SHA-256 certificates for the Linux agent, the FQDN source of alerts now being shown when tuning Management Packs, and the ability to view the alert source for active alerts. Newer Linux distros such as Ubuntu 20, Debian 10 and Oracle Linux 8 are also now supported for monitoring.

The dependency on the LocalSystem account on Management Servers has been removed, and just like the other System Center components, SCOM 2022 runs on Windows Server 2022.

Data Protection Manager

Apart from running on Windows Server 2022, there are a few improvements in DPM. The main one (depending on your restore scenarios) is removing the requirement for file catalogue metadata for individual file and folder restores, instead using an iSCSI-based approach that improves backup and restore times.

If you’re using DPM to protect VMware vCenter, you can now restore VMs in parallel; the default is up to 8 VMs simultaneously, but you can raise that limit with a simple registry change. Speaking of vCenter, VMware 7.0, 6.7 and 6.5 are supported, and you can now separate the VDDK logs that relate to VMware operations from the rest of the DPM logs and store them in a user-defined file.

Another “big” improvement is raising the maximum data storage for a DPM server from 120 TB to 300 TB. As before, it’s recommended to have tiered storage with a small amount of SSD cache and the rest hard-drive-based, and to use the ReFS file system.

Should you be Excited?

It seems that System Center Orchestrator will come in a 64-bit version, although the bits weren’t part of the Early Preview, nor was System Center Service Manager 2022.

Overall, for me there’s nothing we’ve covered in this article that’s a “must-have” to entice me to upgrade, but if I’m upgrading to Windows Server 2022 anyway, or considering Azure Stack HCI, it’s a natural step.

I often express it like this – System Center is on life support. Microsoft isn’t looking to gain more market share against other datacenter management suites, they’re simply keeping System Center up to date and able to manage the latest OSs so that if you’re already a customer – you have a comfortable upgrade path. All System Center products also incorporate various levels of Azure/Microsoft 365 integration to tick the box of being “hybrid” and helping enterprises in their journey to the cloud.

The 40 Most Critical Windows Server 2022 Questions Answered
https://www.altaro.com/hyper-v/windows-server-2022-faq/ (Fri, 29 Oct 2021)

Two Microsoft MVPs answer the burning community WS2022 queries. Azure Edition, Essentials, Azure Stack HCI, Hyper-V Server. All is revealed!


It’s that time again! A new version of Windows Server is upon us and as usual, we produced a comprehensive webinar for system admins that covers all of the “What’s New?” questions that go along with a new release of Windows Server.

In Windows Server 2022, we’ve seen a number of enhancements in security, SMB, and hybrid cloud capabilities, along with a new edition referred to as “Azure Edition”. On top of that, we have an entirely new deployment methodology in Azure Stack HCI, which, while not Windows Server 2022 directly, shares the underlying features and capabilities and is now a huge source of focus for Microsoft moving forward.

To help you get up to speed on this release, we recommend you watch the webinar on-demand, along with a follow-up video with discussions on some of the more in-depth questions asked during the webinar. Finally, at the bottom of this article, you’ll find a list of questions asked during the webinar with their associated answers!

Watch the webinar What’s New in Windows Server 2022

Note: we’ve had several questions for more information on how the KDC proxy service works along with SMB over QUIC. This particular topic warrants its own article, which we’ll be working on in the near future so stay tuned for that!

Windows Server 2022 Frequently Asked Questions

What is “Azure Edition” exactly and how do I purchase it? I’m seeing Datacenter and Standard edition only.

Azure Edition is a version of Windows Server 2022 that is designed to run as a VM within Microsoft Azure or on top of Azure Stack HCI on-prem. You can obtain it from the Azure Marketplace. For on-prem deployment, see the next question.

How do I obtain Windows Server 2022 Azure Edition to run on-prem?

This is still unclear, and we’re still waiting for guidance from Microsoft on how this will work exactly. In the meantime, it’s best to run the Azure Edition of Windows Server 2022 in Azure.

For Windows Server 2022 Essentials, does 1 CPU with 10 cores mean 20 “threads” per license?

Up to 10 cores and 1 VM on single-socket servers. Windows Server Essentials is available through OEM server hardware partners. Microsoft counts physical cores for licensing on SQL and Windows Standard/Datacenter, so I’m going to say this is physical cores. (And this isn’t a “real” Essentials; see the later question on that.)

Could XCP-ng be used as an alternative to the Free Hyper-V Server SKU?

While I don’t have any direct experience with the tool mentioned, at first glance it looks like a viable alternative, especially if you have experience with Xen hypervisors.

Is TPM 2.0 required to run Windows Server 2022?

TPM 2.0 is required for Secured-core server; it isn’t listed as a requirement for the general server (though it’s a good idea to have).

Is it required to keep Azure Stack HCI clusters “online” at all times?

Yes, Azure Stack HCI needs to contact Azure every 30 days for licensing purposes. If the check doesn’t happen, the cluster goes into a reduced functionality mode.

Is RDS a supporting role with Windows Server 2022 Essentials?

Yes, RDSH is one of the available roles, just like in previous versions of Windows Server.

Can you license Windows Server 2022 with 2012 R2 User CALs?

No, you must purchase CALs that match the version of Windows Server you’re running. In this case, Windows Server 2022.

Do you get any virtualization rights with Windows Server 2022 Essentials?

Yes, you have the rights to run a single VM with Windows Server 2022 Essentials Edition.

Is there an upgrade path from Windows Server 2012 R2 to Windows Server 2022?

Normally only two version differences of Windows Server are supported for an in-place upgrade, so you’d be looking at a fresh install and a migration in this case.

You talked about some CLI tools in the webinar for migration purposes. Those are PowerShell tools, correct?

Yes.

The maximum memory supported by Windows Server 2022 is 48TB? Why so much?

The increases in memory capacity are often driven by large memory-intensive workloads such as SQL or SAP. Plus, when you look at the length of support for Windows Server 2022, who knows how much memory we’ll need in 10 years.

Any chance that TLS 1.3 will be backported to Windows Server 2012 R2?

This is unlikely, but we suspect there is a high chance for Windows Server 2016/2019.

Will SMB over QUIC support Azure AD joined devices in the future?

Maybe, but nothing definitive has been mentioned thus far to our knowledge.

So, in order to get SMB over QUIC on-prem, I have to buy new hardware that is Azure Stack HCI compliant and pay per month for the license, only to run a single Server 2022 file server in order to get that feature?

As it stands right now, yes. Additionally, you’ll have to migrate your files to that server as well. That said, you’d be able to run additional workloads on that Azure Stack HCI cluster. Your other alternative is to run that VM in Azure.

Where else can I run the Azure Edition of Windows Server 2022 besides Azure Stack HCI?

You can also run this edition from a VM in Azure.

What are the minimum system requirements for Windows Server 2022?

A 64-bit CPU, 2 GB RAM for Server with Desktop Experience (512 MB for Server Core), and 32 GB of disk space, as an absolute minimum.

You talked about Windows Server 2022 Essentials in the webinar, is TRUE Windows Server Essentials back?

As mentioned, it’s not really an Essentials, just a cheaper Standard with some limitations on size and number of users/clients.

How does Azure Stack HCI stack up against vSphere with VSAN?

It’s generally cheaper and offers more cloud-based integrations. From a performance perspective, it’s all dependent on the chosen hardware.

Does “Azure Edition” Mean it will only run in Azure?

No, you still have the usual Standard and Datacenter Editions, plus you’ll have the option of running “Azure Edition” in an on-prem Azure Stack HCI cluster if desired.

When do you think Windows Server 2022 will be ready for a production 2-node cluster?

Looks pretty ready right now! The version is GA, so ready to go! =)

In the Essentials edition of Windows Server 2022, does “10 cores” mean physical cores or logical cores?

From what we know so far, this is in reference to physical cores.

Are there any changes to shielded VMs in Windows Server 2022 Hyper-V?

There are no changes here. In fact, Microsoft will not be developing this feature further at this point and will be leveraging Azure Stack HCI and Azure services to fill this need moving forward. Check out this post from Microsoft for more info.

Any changes to the max number of vCPU per VM in Hyper-V in Windows Server 2022?

The defined vCPU max for VMs on Windows Server 2022 is 240 vCPUs for Gen2 VMs.

Is there any new information you can share regarding Storage Spaces Direct in Windows Server 2022?

One big enhancement is the adjustable storage repair speed. This is not to mention the enhancements specifically for SMB, which is leveraged heavily by S2D.

I would love to hear more about SMB over QUIC, where can I see it in action?

We did a webinar on Enhancements in Windows Server Storage earlier this year. In that webinar, Didier Van Hoye does an excellent demo of SMB over QUIC in action. That webinar can be watched here.

From a resource perspective, is consumption about the same as previous versions of Windows Server?

From the testing we’ve done, it looks to be about the same as Windows Server 2019.

Do I need to re-deploy Windows Admin Center in order to manage Windows Server 2022?

Not at all. You should be able to connect to Windows Server 2022 just like any other server!

Was there any mention of What’s new in Group Policy in this webinar or any talk about GPO support for Azure Objects?

No. We didn’t cover GPO as not much has changed. There has also been no mention of Azure objects coming to GPO preferences, from what we know today.

With Windows Server 2022 Essentials Edition, is it like Small Business Server is Back?

Nope, there are no Small Business Server features in Essentials. The only difference is in sizing and pricing.

When will the desktop experience be removed from Windows Server?

We don’t see this happening anytime soon. Many admins still love the GUI.

Are there any improvements in Windows Server 2022 in terms of Migration? FSMO roles for example?

No improvements here from what we’ve seen thus far.

Storage Spaces Direct has been available in Windows Server 2019 standard edition. So, for Windows Server 2022, did S2D really move to Datacenter Only?

A clarification here: “Storage Spaces” is in Standard, while “Storage Spaces Direct” is only in Datacenter Edition in Windows Server 2016/2019/2022: https://docs.microsoft.com/en-us/windows-server/storage/storage-spaces/storage-spaces-direct-overview

Will there be a Free Hyper-V Server 2022?

No. While the free SKU called “Hyper-V Server 2019” will no longer be getting feature updates, it will be officially supported for a number of years yet; you’ll want to move to an alternative solution by the end of that period. The new strategic direction for Microsoft on-prem is Azure Stack HCI, and that is their suggested replacement for Hyper-V Server. That said, the Azure Stack HCI solution (as many have noted) is sadly not free.

What are the major differences and changes in Windows Server 2022 in terms of how we pitch it to a customer?

Good question here! The big selling points for customers would be the security enhancements and the ease of management from the cloud with hybrid cloud deployments. Additionally, features like hotpatching and SMB over QUIC could be strong features to mention as well.

Does Azure Stack differ a lot from the old Azure Pack in terms of the roles you need to deploy for it to work? Azure Pack required many, many resources just to get it up and running. Is this feasible on a 2- or 3-node cluster for small/medium-sized businesses?

Yes, Azure Stack HCI installation is greatly improved over Azure Pack. It’s very wizard-driven, and assuming you’ve done your homework on deployment best practices and you’re using supported hardware, the deployment should be fairly straightforward. Very feasible for a small organization with properly vetted hardware.

So no changes if you are already buying server licenses correct?

As far as we know today, correct.

Does Azure Edition run on Premises?

Yes, it can be run on Azure Stack HCI on-prem.

Does Windows Admin Center basically replace Failover Cluster Manager?

Yes, it’s the best place to manage most Windows Server features, including failover clusters. That said, Failover Cluster Manager and the other MMC snap-ins will continue to be around for some time.


That wraps us up! If you asked a question that you don’t see here, or if you have any new questions that you’d like to get an answer on, use the questions form below this article and we’ll be sure to get an answer to you.

That all said, what are your thoughts on Windows Server 2022 so far? Let us know in the comments section below! We’d love to hear your input!

Windows Server 2022 has Very Interesting Security Features
https://www.altaro.com/hyper-v/windows-server-2022-security/ (Fri, 22 Oct 2021)

New Windows Server 2022 security features and enhancements make it the most secure Windows Server to date, in addition to a few surprises.


Each release of the Windows Server operating system represents a milestone of new technologies, capabilities, and features that help organizations solve the present technology challenges facing businesses. Windows Server 2022 is a milestone release of Windows Server. It combines powerful features across the board to allow companies to implement both on-premises technologies and easily extend their infrastructure with a hybrid configuration, with resources housed in Azure.

Arguably, one of the most critical challenges facing most businesses today is security. Windows Server 2022 represents the most advanced Windows Server operating system in terms of security features and advancements. This overview will look at the Windows Server 2022 security features and enhancements that help advance your organization’s security to the next level.

Overview of Windows Server 2022 Security Features

There are many great new Windows Server 2022 security features to note. Windows Server 2022 introduces new concepts and features, building on previous improvements with Windows Server 2019 hybrid features and security innovations. Note the following overview of new security features:

    1. Secured-core server
    2. Simplified configuration tools
    3. Secure connectivity
    4. Hybrid management tools
    5. Windows Server 2022 Azure Edition hotpatching

Let’s examine each of these enhancements with Windows Server 2022 and see how they bring security features forward to help meet the current threat landscape and help businesses seamlessly control and secure both on-premises and cloud resources.

Secured-core server

Microsoft first introduced the Secured-core offering in the PC world. With the apparent benefits on the client side, this technology has now been brought to Windows Server. So what is the Secured-core technology included in Windows Server 2022?

Secured-Core security technology is built upon three different pillars that Microsoft uses to make up the Secured-Core platform. These include:

    • Simplified security
    • Advanced protection
    • Preventative defense

What does Secured-Core mean from the Windows Server 2022 perspective?

Simplified Security

Microsoft requires certain OEM specifications and capabilities for validation as a Secured-core offering. What does this include? It includes a validated set of hardware, firmware, and drivers that satisfy the security requirements. Therefore, when organizations purchase a Windows Server 2022 server certified as a Secured-core offering, they can be confident it is certified against the standards outlined by Microsoft for the included components and software.

Advanced protection

Modern threats include very advanced attack techniques. Secured-core includes advanced protection made up of both hardware and software solutions to counter these threats. These include:

    • Hardware Trusted Platform Module 2.0 – provides a secure hardware store for sensitive information such as cryptographic keys and data. It also holds a “fingerprint” of sorts for the boot components; if the fingerprint of the boot components changes, tampering can be identified. It also bolsters the protection provided by BitLocker.
    • Protected Firmware – firmware has become an increasingly common target for malware and ransomware. Secured-core provides capabilities such as Dynamic Root of Trust for Measurement (DRTM) and DMA protection.
    • Virtualization-based Security (VBS) – Secured-core supports the implementation of VBS and Hypervisor-protected Code Integrity (HVCI). Using VBS, customers can also use technologies such as Credential Guard, which helps protect against stolen credentials.

Preventative defense

Today’s security solutions must be proactive and not reactive to stay ahead of modern threats and techniques used by hackers. The capabilities provided by the Secured-Core offering in Windows Server 2022 dramatically increase the tools IT admins and SecOps have to defend against the modern threat landscape.

A fully implemented Secured-core deployment in Windows Server 2022 has the following specific features enabled. If you use Windows Admin Center to view the Secured-core components (as we will see below), it shows these checks for the deployment:

    • HVCI
    • Boot DMA Protection
    • System Guard
    • Secure Boot
    • VBS
    • TPM 2.0

Let’s consider these in more detail.

HVCI

Hypervisor-protected Code Integrity (HVCI) works in tandem with Virtualization-based Security (VBS) to protect Windows Server and client operating systems from drivers that are bad, malicious, or otherwise insecure, as well as from malicious system files. Specifically, it helps prevent tampering with Control Flow Guard (CFG) and ensures valid certificates for security-related processes such as Credential Guard.

Boot DMA Protection

Boot DMA Protection helps to protect Windows Server and client operating systems from drive-by Direct-Memory Access attacks. These attacks can occur using PCI hotplug devices connected to externally accessible PCIe ports and internal PCIe ports.

A successful drive-by DMA attack can lead to sensitive information being disclosed, or even to malware injection leading to bypassing the lock screen or remote control of the node. With Boot DMA Protection enabled, Windows can block external peripherals from starting and performing DMA unless their drivers support memory isolation.

System Guard

System Guard is part of the Microsoft Windows Defender solution. As the name implies, System Guard guards the system and maintains the integrity of the system during the boot process. In addition, it works to validate that system integrity has not changed through local and remote attestation.

System Guard helps to defend end-user PCs against the types of rootkits and bootkits that commonly affected Windows 7 systems. With Windows 7, malicious software could start before Windows started, which allowed it to run with the highest privileges. With modern hardware and operating systems such as Windows Server 2022, System Guard protects against these kinds of bootkits and prevents any unauthorized firmware or software from launching before the Windows bootloader.


Windows Defender System Guard Overview

Secure Boot

Secure Boot is not a Microsoft solution or technology. Instead, the PC industry developed it to help make sure a device boots only with software validated and trusted by the OEM hardware vendor. By checking the signature of each piece of boot software, including UEFI firmware drivers, Secure Boot makes sure the signatures are valid and authorized. It helps to validate that the software has not been tampered with by an attacker.

Virtualization-based Security (VBS)

As part of the Secured-Core components, Windows Server 2022 contains Virtualization-based Security (VBS). With Virtualization-based Security (VBS), hardware virtualization is used to create a specialized secure region of memory isolated from the operating system. Windows can access the secure virtual mode for security-related tasks. It includes increasing OS protection from vulnerabilities and preventing malicious code that attempts to defeat protective mechanisms.

As mentioned earlier, HVCI makes use of VBS to strengthen code integrity enforcement. VBS makes use of the Windows Hyper-V hypervisor for the virtual secure mode used to enforce restrictions to protect crucial system and OS resources. An example includes authenticated user credentials by way of the Credential Guard solution that makes use of VBS.

TPM 2.0

The Trusted Platform Module is a hardware technology designed for security-related functions. The TPM chip contains a crypto-processor that allows generating, storing, and limiting the use of cryptographic keys. It generally includes features that make it tamper-resistant, so that malicious software cannot tamper with the security-enabled functions of the TPM chip. TPM 2.0 supports many new hash algorithms and security features compared to the TPM 1.2 standard. Windows Server 2022 can take full advantage of the features and capabilities found in the TPM 2.0 module.
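As an added example (not code from the article or from Microsoft), the following PowerShell reports the six Secured-core checks above from built-in sources on the host being audited: the Win32_DeviceGuard CIM class for VBS, HVCI and System Guard, Confirm-SecureBootUEFI for Secure Boot, and the Win32_Tpm CIM class for the TPM spec version. The numeric meanings of the DeviceGuard enumerations are taken from Microsoft's documentation of that class; the script assumes it runs elevated on a Windows Server 2022 host. Boot DMA Protection has no dedicated cmdlet, so the script reports whether the platform advertises DMA protection (AvailableSecurityProperties value 3), which is a capability check rather than proof that the boot policy is active; confirm that one in the Windows Admin Center dashboard or msinfo32. The Enable-HVCI helper writes the registry values Microsoft documents for turning on VBS and HVCI; a reboot is required afterwards.

```powershell
# Added example, not from the article: audit the Secured-core checks that
# Windows Admin Center displays, using only built-in PowerShell/CIM sources.
# Run elevated on the Windows Server 2022 host being audited.
# Assumed enumeration meanings (from the Win32_DeviceGuard documentation):
#   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled not running, 2 = running
#   SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch
#   AvailableSecurityProperties: 2 = Secure Boot, 3 = DMA protection

function Get-SecuredCoreStatus {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    $vbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $hvciRunning = ($dg.SecurityServicesRunning -contains 2)
    $sysGuard    = ($dg.SecurityServicesRunning -contains 3)
    $dmaAvail    = ($dg.AvailableSecurityProperties -contains 3)

    # Confirm-SecureBootUEFI throws on legacy-BIOS systems; treat that as "not enabled".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false }

    # Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.59"; no instance = no TPM.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpm20 = ($null -ne $tpm) -and ($tpm.SpecVersion -like '2.0*')

    [PSCustomObject]@{
        ComputerName           = $env:COMPUTERNAME
        HVCI                   = $hvciRunning
        BootDMAProtectionAvail = $dmaAvail   # platform capability only, not the boot policy state
        SystemGuard            = $sysGuard
        SecureBoot             = $secureBoot
        VBS                    = $vbsRunning
        TPM20                  = $tpm20
    }
}

# Turn on VBS and HVCI through the documented registry values. Reboot afterwards.
function Enable-HVCI {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvci = Join-Path $root 'Scenarios\HypervisorEnforcedCodeIntegrity'
    New-Item -Path $hvci -Force | Out-Null
    Set-ItemProperty -Path $root -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $hvci -Name Enabled -Value 1 -Type DWord
    Write-Warning 'HVCI enabled in the registry; restart the server to apply.'
}

# Usage: print the report and call out anything that is not enabled.
$status = Get-SecuredCoreStatus
$status | Format-List
$missing = $status.PSObject.Properties |
    Where-Object { $_.Name -ne 'ComputerName' -and -not $_.Value }
if ($missing) {
    Write-Warning ('Not fully Secured-core: ' + ($missing.Name -join ', '))
}
```

Run the report before and after changing a setting in Windows Admin Center to see the corresponding value flip; HVCI and VBS only report as running after the reboot that the dashboard prompts for. Because the script reads the same CIM data the dashboard does, it is a convenient way to collect Secured-core status from many hosts with Invoke-Command and feed it to a compliance report.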

Simplified Configuration Tools

Microsoft has been feverishly working on a new tool since Windows Server 2019 for server configuration and management. This new tool is Windows Admin Center, which is the way forward for managing Microsoft Windows Server. It replaces the old Server Manager console, even though Server Manager is still in Windows Server 2022.

A tough challenge with security is ensuring that configurations are implemented correctly and consistently. When configuration tooling is difficult to use, or requires many different tools and dashboards to implement the various parts of a configuration, it can lead to implementation gaps. Any gap in security or insecure configuration leading to vulnerabilities is a serious issue.

Windows Admin Center provides a single-pane-of-glass interface that businesses can use to implement Windows Server configurations across the board, including the Security dashboard. This capability has been missing in legacy tools and consoles such as Server Manager found in Windows Server 2019. In addition, the new Windows Admin Center complements the implementation of Secured-core security configurations by giving visibility to them in the Windows Admin Center UI.

As a note, the Secured-core dashboard in Windows Server 2022 is still in Preview release at the time of this writing. To access the Secured-core functionality in Windows Admin Center, you need to enable the Insider Preview “feed” in Windows Admin Center. To add the Insider Preview feed so you can get the latest Insider Preview extensions available in Windows Admin Center, navigate to Settings using the settings cog in the upper right-hand corner. Click the Extensions > Feeds tab, then click Add and enter the feed URL: https://aka.ms/wac-insiders-feed

Adding the Insider Preview feed for Windows Admin Center

After adding the Insider Preview feed in Windows Admin Center, you will see a new, higher-versioned Security extension. At the time of writing, the version installed was 0.23.0.

Installing the Insider Preview Security Extension

After installing the Insider Preview Security extension, IT admins will have access to a new tab on the Security dashboard, called Secured-Core.

It provides strong visual cues on which features are enabled, not configured, or not supported.

Viewing Secured-Core configuration using Windows Admin Center

Microsoft has built in the capability to enable and disable the Secured-core features from the Windows Admin Center dashboard. This makes the Secured-core features easy to configure and audit. Notice below that the HVCI feature has been enabled from the Windows Admin Center dashboard, and the Windows Server 2022 server is now prompting for a reboot.

Enabling and Disabling Secured-Core features from Windows Admin Center
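The checks behind that dashboard can be run from PowerShell as well. The following is an added example, not code from the article or from Windows Admin Center: it reads the same TPM, Secure Boot, VBS/HVCI and BitLocker state the Secured-Core tab displays, and Enable-Hvci (a hypothetical function name) flips the same registry switch the dashboard uses, which likewise takes effect only after a reboot. It assumes a UEFI host running Windows Server 2022 and an elevated session.

```powershell
# Added example, not code from the article. Audits the Secured-Core building
# blocks shown on the Windows Admin Center Secured-Core tab and enables HVCI the
# way the dashboard does (a registry switch that takes effect after a reboot).
# Assumes a Windows Server 2022 host with UEFI firmware; run elevated.

function Get-SecuredCoreStatus {
    [CmdletBinding()]
    param()

    # TPM details come from Win32_Tpm; SpecVersion looks like "2.0, 0, 1.38".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue

    # Confirm-SecureBootUEFI throws on legacy BIOS boot, so treat that as unsupported.
    $secureBoot = 'NotSupported'
    try {
        $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch { }

    # Win32_DeviceGuard reports virtualization-based security. SecurityServicesRunning
    # codes: 1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $running    = @($dg.SecurityServicesRunning)
    $configured = @($dg.SecurityServicesConfigured)

    # Mirrors the dashboard's states: enabled, configured but waiting for a reboot,
    # supported but not configured, or not supported on this hardware.
    $state = {
        param($code)
        if ($running -contains $code)                        { 'Enabled' }
        elseif ($configured -contains $code)                 { 'ConfiguredPendingReboot' }
        elseif ($dg.VirtualizationBasedSecurityStatus -eq 2) { 'NotConfigured' }
        else                                                 { 'NotSupported' }
    }

    # BitLocker cmdlets exist only when the BitLocker feature is installed.
    $osVolume = $null
    try { $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop } catch { }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        TpmPresent       = [bool]$tpm
        TpmSpecVersion   = if ($tpm) { ([string]$tpm.SpecVersion -split ',')[0].Trim() } else { $null }
        SecureBoot       = $secureBoot
        VbsRunning       = ($dg.VirtualizationBasedSecurityStatus -eq 2)   # 2 = running
        Hvci             = & $state 2
        CredentialGuard  = & $state 1
        SystemGuard      = & $state 3
        OsDriveBitLocker = if ($osVolume) { [string]$osVolume.ProtectionStatus } else { 'Unknown' }
    }
}

function Enable-Hvci {
    # Same switch the dashboard flips: Enabled=1 under the HVCI scenario key.
    # As with the dashboard, the server then needs a reboot before HVCI enforces.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    if ($PSCmdlet.ShouldProcess($key, 'Set Enabled=1')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'Enabled' -Value 1 -Type DWord
        Write-Warning 'HVCI is configured; it starts enforcing after the next reboot.'
    }
}

Get-SecuredCoreStatus | Format-List
# Enable-Hvci -WhatIf    # preview the registry change without applying it
```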

The Security dashboard also gives visibility to and allows configuration of the Virus & threat protection configuration and scans leveraging Windows Defender. You can also view Protection history for events and default actions.

Configuring Virus & threat protection with Windows Admin Center

Secure Connectivity

An area that has been dramatically improved with Windows Server 2022 is secure connectivity. What improvements have been made in terms of connectivity with Windows Server 2022? Let’s consider the following:

    • Secure protocols by default
    • Secure DNS
    • Server Message Block (SMB) improvements

Secure protocols by default

When it comes to connectivity protocols, some protocols are more secure than others. Therefore, when hardening for security, insecure protocols need to be disabled, and businesses must make sure they are using the latest and most secure protocols for network transmissions.

Windows Server 2022 takes the heavy lifting out of this effort. It enables TLS 1.3, the most secure version of the protocol behind HTTPS, by default. TLS 1.3 helps protect the data of clients connecting to the server and eliminates obsolete and insecure cryptographic algorithms. In addition, following the latest standards, it encrypts as much of the handshake as possible.

Secure DNS

Windows Server 2022 improves DNS security by supporting DNS-over-HTTPS (DoH), which carries DNS queries inside an encrypted HTTPS connection instead of sending them in cleartext. It dramatically enhances DNS security by keeping DNS queries private. In addition, it helps to prevent malicious eavesdropping on traffic and manipulation of DNS data.

Server Message Block (SMB) improvements

Server Message Block (SMB) is at the heart of Windows Server file copies. Windows Server 2022 provides the latest and most significant improvements to the SMB protocol. Windows Server 2022 now supports encrypting SMB traffic with the latest cryptographic suites, including AES-256-GCM and AES-256-CCM. In addition, Windows Server 2022 will automatically negotiate the highest possible encryption suite when clients support the higher level of encrypted communications. These settings can also be configured using Group Policy.

Another interesting security improvement with SMB encryption is SMB East-West encryption of storage communications for Cluster Shared Volumes (CSVs). Using Storage Spaces Direct (S2D), you can encrypt or sign east-west intra-cluster communications for security purposes.

A new feature is SMB over QUIC, an enhancement of SMB 3.1.1 in Windows Server 2022 Datacenter: Azure Edition. It allows using the QUIC protocol instead of TCP. In addition, using SMB over QUIC with TLS 1.3 eliminates the need for VPN to access file servers over SMB when using Windows.
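The SMB encryption settings described above can be applied and audited from PowerShell as well as Group Policy. The following is an added example, not the article's code: Set-SmbEncryptionBaseline and Test-SmbEncryptionBaseline are hypothetical function names, and the example assumes the -EncryptionCiphers parameter that Set-SmbServerConfiguration gained in Windows Server 2022.

```powershell
# Added example, not from the article. Applies the SMB encryption posture the
# article describes and reads the effective configuration back for auditing.
# Assumes Windows Server 2022, where Set-SmbServerConfiguration gained -EncryptionCiphers.

function Set-SmbEncryptionBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Preference order: the server negotiates the first cipher the client also
        # supports, so AES-256 wins and AES-128 remains only for clients that cannot do better.
        [string]$Ciphers = 'AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM',
        # $true refuses clients that cannot encrypt (pre-SMB 3.0) rather than serving them in cleartext.
        [bool]$RejectUnencrypted = $true
    )

    $props  = 'EncryptData', 'RejectUnencryptedAccess', 'EncryptionCiphers'
    $before = Get-SmbServerConfiguration | Select-Object $props

    if ($PSCmdlet.ShouldProcess('SMB server', "EncryptData=True RejectUnencryptedAccess=$RejectUnencrypted Ciphers=$Ciphers")) {
        Set-SmbServerConfiguration -EncryptData $true `
                                   -RejectUnencryptedAccess $RejectUnencrypted `
                                   -EncryptionCiphers $Ciphers -Force
    }

    [pscustomobject]@{
        Before = $before
        After  = Get-SmbServerConfiguration | Select-Object $props
    }
}

function Test-SmbEncryptionBaseline {
    # One row per check, so the output can feed a compliance report or a monitoring job.
    $cfg   = Get-SmbServerConfiguration
    $first = ([string]$cfg.EncryptionCiphers -split ',')[0].Trim()

    @(
        [pscustomobject]@{ Check = 'EncryptData';             Pass = [bool]$cfg.EncryptData;             Value = $cfg.EncryptData }
        [pscustomobject]@{ Check = 'RejectUnencryptedAccess'; Pass = [bool]$cfg.RejectUnencryptedAccess; Value = $cfg.RejectUnencryptedAccess }
        [pscustomobject]@{ Check = 'AES-256 preferred';       Pass = ($first -like 'AES_256_*');         Value = $cfg.EncryptionCiphers }
    )
}

Set-SmbEncryptionBaseline -WhatIf      # dry run; drop -WhatIf to apply
Test-SmbEncryptionBaseline | Format-Table -AutoSize
```

Requiring encryption locks out clients that only speak SMB 1 or 2, so run the test first and review which clients connect before setting RejectUnencryptedAccess on a production file server.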

Hybrid Management Tools

Microsoft has built a solid set of hybrid features into the Windows Server platform, starting with Windows Server 2016 and moving forward. Windows Server 2019 greatly improved on the native hybrid features built into the operating system. Windows Server 2022 takes hybrid capabilities to the next level. Why is hybrid management crucial for today’s businesses and, particularly, their security initiatives?

Most businesses today are using infrastructure that is housed both on-premises and in the cloud. This infrastructure layout is known as a hybrid configuration. As many organizations are required to keep a subset of infrastructure locally housed in their own physical on-premises data centers for compliance and other reasons, the hybrid world of infrastructure is no doubt here to stay for the foreseeable future.

As infrastructure spans between on-premises data centers and cloud environments such as Microsoft Azure, it becomes even more critical for businesses to focus on security between the two. Historically, it has been challenging to standardize security and management tools between on-premises and cloud environments as each has its specific tooling, processes, dashboards, configuration possibilities, etc.

With Microsoft Azure and modern Windows Server operating systems such as Windows Server 2022, Microsoft has created a solution to help remedy management disparities between the cloud and on-premises Windows Server instances. Azure Arc is a Microsoft Azure solution that allows the onboarding of on-premises Windows Servers into the management plane of your Microsoft Azure account, bringing on-premises resources under the purview of Azure Resource Manager (ARM).

Specifically, Azure Arc provides simplified management across the many environments maintained by organizations today, including Windows, Linux, SQL Server, and even Kubernetes clusters across data centers and geographic locations. So what can you do with Azure Arc?

    • Provide centralized management of resources, both in Azure and on-premises
    • Gain centralized visibility in the Azure portal of both Azure and on-premises resources
    • Apply compliance and governance standards across all environments in a standardized way
    • Provide access delegation to resources using the role-based access control (RBAC) features in Azure
    • Gain organization and inventory benefits as you can house objects from Azure or on-premises locations into management groups, subscriptions, resource groups, in addition to using tagging

Azure Arc dashboard in the Azure portal

Azure Security Center is another offering from Microsoft, centred around security, that helps unify infrastructure security management and provide a consistent set of tools and security policies, regardless of whether resources exist in Azure or on-premises. It is built seamlessly into Windows Admin Center. In addition, you can sign in to Azure and onboard into the service directly from the tool.

Launching the Azure Security Center dashboard from Windows Admin Center

It helps businesses carry out the following Windows Server 2022 security-related tasks:

    • Manage organization security policy and compliance
    • Perform continuous assessments
    • Build network maps
    • Configure best practices and recommended controls
    • Protect against threats

Azure Security Center provides a consistent view of the security of on-premises and cloud workloads

Another great feature extended to Windows Server 2022 is the Azure hybrid center available directly from Windows Admin Center. With Azure hybrid services, IT admins can:

    • Protect virtual machines
    • Extend on-premises storage capacity and compute resources in Azure
    • Simplify network connectivity
    • Centralize monitoring, governance, configuration, and security

Available hybrid services with Windows Server 2022 and Microsoft Azure

Connecting your on-premises Windows Server 2022 server to the Azure hybrid center is as easy as registering your Windows Admin Center gateway server and signing in to your Azure portal.

Azure hybrid center available from Windows Admin Center

Windows Server 2022 Azure Edition Hotpatching

Microsoft has introduced a new patching technology that is part of the Azure Automanage platform in Microsoft Azure. It works with the “Azure Edition” of Windows Server products. Hotpatch is supported in Windows Server 2022: Azure Edition and is a new way of installing Windows updates in Windows Server Azure Edition virtual machines that does not require a reboot after installation.

The hotpatching feature drastically reduces maintenance windows and the downtime associated with the typical installation of Windows Updates in Windows Server. Hotpatch first establishes a baseline of the Windows Update Latest Cumulative Update. Hotpatches are then periodically released and contain updates that don’t require a reboot. Planned baselines are released on a regular cadence interval with hotpatch releases in between. In addition, unplanned baselines are released in case of emergency security patches and if the patch can’t be released in a hotpatch.

Customers making use of Windows Server 2022: Azure Edition in their Azure environment can take advantage of the latest enhancements and implementations of the hotpatch feature using Azure Automanage.

The Future of Windows Server Security

There are a large number of new features contained in Windows Server 2022. It represents the latest capabilities and features provided by Microsoft for the Windows Server platform. In addition, many enhancements are security-related and help customers with their cybersecurity posture, both on-premises and in the cloud.

As shown, Microsoft has worked hard to provide better tools for managing Windows Server 2022. For example, Windows Admin Center provides a single-pane-of-glass tool that perfectly complements the new features and capabilities in Windows Server 2022. While many of the dashboards are still in preview, it helps to see the direction Microsoft is headed with an all-inclusive solution to standardize management of both on-premises and cloud resources seamlessly.

The Secured-Core functionality made possible by Windows Server 2022 and the Windows Admin Center management console allows customers to easily provide the core security fundamentals to their Windows Server environment powered by Windows Server 2022. Windows Server 2022 also provides the latest standards and implementations of secure protocols such as TLS 1.3 and SMB encryption.

In addition, using Windows Admin Center provides the gateway to integrating on-premises Windows Server installations with Azure. There are strong hybrid integration capabilities found in Windows Admin Center. It allows integrating your on-premises Windows Server 2022 installations into Azure with only a few clicks and signing in to your Azure account. All of these features make Windows Server 2022 the most secure Windows Server operating system released to date.

Network Prioritization for Modern Windows Failover Clusters
https://www.altaro.com/hyper-v/network-prioritization-failover-clusters/
Thu, 09 Sep 2021 15:21:46 +0000

Most clusters work perfectly well without tuning network parameters, but not all. This article shows how to leverage the advanced controls.

In the depths of Windows Server Failover Clustering (WSFC), where the graphical interface cannot reach, network traffic shaping tools await the brave administrator. Most clusters work perfectly well without tuning network parameters, but not all. If you have low-speed networking hardware or extremely tight bandwidth requirements, then prioritization might help. This article shows how to leverage these advanced controls.

If you have spent any time researching cluster network prioritization, then you likely noticed that most material dates back about a decade. This topic concerned us when networking was more primitive and unteamed gigabit connections pervaded our datacenters. Several superior alternatives have arisen in the meantime that require less overall effort. You may not gain anything meaningful from network prioritization and you might set traps for yourself or others in the future.

Network Speed Enhancements in Windows

Windows Server versions beyond 2008 R2 provide network adapter teaming solutions. Additionally, 2012 added SMB multichannel which automatically works for all inter-node communications. These tools alone, with no special configuration, cover the bulk of network balancing problems that you can address at the host.

Speed Enhancements in Networking Hardware

For demanding loads, you have hardware-based solutions. Higher-end network adapters have significant speed-enhancing features, particularly RDMA (remote direct memory access), which comes on InfiniBand, RoCE, and iWarp. If that’s not enough, you can buy much faster hardware than 10 gigabit. These solutions solve QoS problems by providing so much bandwidth and reduced latency that contention effectively does not occur.

Software QoS Solutions

You can also configure software QoS for Windows Server and for Hyper-V virtual machines. This has similar challenges to cluster network prioritization, which we’ll discuss in the next section. Sticking with the QoS topic, networking hardware offers its own solutions. Unlike the other techniques in this article, QoS within the network extends beyond the hosts and shapes traffic as it moves between systems. Furthermore, Windows Server can directly interact with the 802.1p QoS standard that your hardware uses.

Drawbacks of WSFC Network Prioritization

Research the above options before you start down the path of cluster network shaping. This solution has a few problems that you need to know about:

    • It only works for networking traffic that Windows Server Failover Clustering understands. Virtual machine traffic does not benefit.
    • The use of cluster network shaping is non-obvious. It appears nowhere in any GUI or standard report. You must clearly document your configuration and ensure that anyone troubleshooting or reconfiguring knows about it.
    • WSFC network prioritization has no effect outside the cluster, which can make it even more limited than software-only QoS solutions.
    • WSFC network prioritization knows nothing about true QoS solutions and vice versa. Combining this technology with others leads to unknown and potentially unpredictable behavior.
    • The most likely answer that you will receive if you ask anyone for help and support will be: “Revert network prioritization to automatic and try again.” I do not know of any problems other than the obvious (poor tuning that inappropriately restricts traffic), but I have not seen everything.

Essentially, if you still have all-gigabit hardware and QoS solutions that do not shape traffic the way you want, then WSFC network prioritization might serve as a solution. Otherwise, it will probably only provide value in edge cases that I haven’t thought of yet.

Cluster Networking Characteristics

While many of the technologies mentioned in the previous section have reduced the importance of distinct cluster networks, you still need to configure and use them properly. This section outlines what you need to configure and use for a healthy cluster.

Cluster Network Redundancy

At its core, cluster networking depends on redundancy to reduce single-point-of-failure risks. The multiple-network layout described here is a holdover from the days of unteamed adapters and pre-multichannel SMB. However, even those newer technologies cannot fully ensure the redundancy that clustering desires, nor will everyone have sufficient hardware to use them.

WSFC networks operate solely at layer 3. That means that a cluster defines networks by IP addresses and subnet masks. It does not know anything about layer 2 or layer 1. That means that it cannot understand teaming or physical network connections. In classical builds, one network card has one IP address and belongs to one Ethernet network, which might give the impression that network clustering knows more than it actually does.

When the cluster service on a host starts up or detects a network configuration change, it looks at all IP addresses and their subnet masks. It segregates distinct subnets into “cluster networks”. If one host contains multiple IP addresses in the same cluster network, then WSFC chooses one and ignores the rest. It then compares its list of cluster networks and IP addresses against the other nodes. This discovery has four possible outcomes per discovered network:

    • The cluster finds at least one IP address on every node that belongs to the discovered network and all are reachable in a mesh. The cluster creates a cluster network to match if a known network does not already exist. It marks this network as “Up”. If a node has multiple addresses in the same network, the cluster chooses one and ignores the rest.
    • The cluster finds an IP address on at least one, but not all nodes, that belong to the discovered network and all are reachable in a mesh. The cluster will treat this network just as it would in the first case. This allows you to design clusters with complex networking that contain disparate networks without getting an error. It also means that you can forget to assign one or more IP addresses without getting an error. Check network membership.
    • The cluster finds an IP address on one or more nodes, but the mesh connections between them do not fully work. If the mesh pattern fails between detected addresses, the cluster marks the network as “partitioned”. This only means that the layer 3 communications failed. You usually cannot tell from this tool alone where the problem lies.
    • The cluster fails to detect any members of a previously discovered network. Removing all the members of a network will cause WSFC to remove it from the configuration.

You can view your networks and their status in Failover Cluster Manager on the Networks tab:

In the lower part of the screen, switch to the Network Connections tab where you can see the IP addresses chosen on each node and their status within the cluster. In a two-node cluster like this one, any unreachable network member means that it marks all as unreachable. In a three+ node cluster, it might be able to detect individual node(s) as having trouble.
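The same membership information is available from PowerShell, which makes the “forgot to assign an address” case above easy to catch. The following is an added example rather than code from the article; Get-ClusterNetworkMembership is a hypothetical function name, and it assumes the FailoverClusters module run on a node or in a first-hop remote session.

```powershell
# Added example, not from the article. Reproduces the Network Connections view
# and flags nodes that have no address in a cluster network, a gap the cluster
# tolerates silently. Assumes the FailoverClusters module on a node or first-hop session.

function Get-ClusterNetworkMembership {
    [CmdletBinding()]
    param([string]$Cluster = '.')

    $nodes      = @(Get-ClusterNode -Cluster $Cluster | ForEach-Object Name)
    $interfaces = @(Get-ClusterNetworkInterface -Cluster $Cluster)

    foreach ($net in Get-ClusterNetwork -Cluster $Cluster) {
        # Node and Network stringify to their names, so [string] works whether the
        # module hands them back as objects or as plain strings.
        $members = @($interfaces | Where-Object { [string]$_.Network -eq $net.Name })
        $present = @($members | ForEach-Object { [string]$_.Node })
        $missing = @($nodes | Where-Object { $present -notcontains $_ })
        $down    = @($members | Where-Object { [string]$_.State -ne 'Up' })

        [pscustomobject]@{
            Network        = $net.Name
            Subnet         = '{0}/{1}' -f $net.Address, $net.AddressMask
            State          = [string]$net.State      # Up, Partitioned, Down, Unavailable
            Role           = [string]$net.Role       # None, Cluster, ClusterAndClient
            NodesPresent   = $present -join ','
            NodesMissing   = $missing -join ','      # no error from the cluster, but no redundancy either
            InterfacesDown = @($down | ForEach-Object { '{0}:{1}' -f [string]$_.Node, $_.Address }) -join ','
        }
    }
}

# Anything in NodesMissing or InterfacesDown deserves a look before relying on that network.
Get-ClusterNetworkMembership |
    Where-Object { $_.NodesMissing -or $_.InterfacesDown -or $_.State -ne 'Up' } |
    Format-Table -AutoSize
```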

Cluster Network Connections

This article will not go into troubleshooting these problems. Understand two things:

    • Cluster networking understands only layer 3 (TCP/IP).
    • Cluster networking understands only cluster traffic. It works for internode communications and clustered roles with IP addresses known by the clustering service.

If you do not fully understand either of these points, stop here and perform the necessary background research. For the first, we have some introductory networking articles. I will call out some of the specific implications in the next section. For the second point, I mostly want you to know that nothing that we do here will directly impact Hyper-V virtual machine traffic. In a cluster that runs only Hyper-V virtual machines, networks marked as “Cluster Only” and “Cluster and Client” have no functional difference.

Cluster Network Roles and Uses

In pre-2012 clusters, we recommended four network roles. Depending on your hardware and configuration, you should employ at least two for complete redundancy. This section covers the different roles and concepts that you can use for optimal configuration.

Management Cluster Network

If you create only one cluster network, this will be it. It holds the endpoints of each node’s so-called “management” traffic. This network has a great deal of misunderstanding surrounding it. Even the typical “management” name fits only by usage convention. Traditionally, the IP endpoint that holds a node’s DNS name also marks its membership in this network. As a result, traffic inbound meant for the node, not a cluster role, goes to this address.

The cluster will also use the management network for its own internode purposes, although, by default, it will use all other networks marked for cluster traffic first.

Absolutely nothing except convention prevents you from creating a network, excluding cluster traffic, and using that for management. I would not consider this an efficient use of resources in most cases, but I could envision some use cases.

Cluster Communications Network

You can specify one or more networks specifically to carry cluster traffic. While some documentation suggests, or outright states, otherwise, this encompasses all types of internode traffic. Three general functions fall into this category:

    • Node heartbeat
    • Cluster configuration synchronization
    • Cluster Shared Volume traffic

The most common error made with this network comes from the widespread belief that CSV traffic has some distinction from other cluster traffic that allows you to separate it onto a network away from the other cluster communication functions. It does not.

Cluster Application Networks

The relationship between clustered objects and cluster networks leads to a great deal of confusion, exacerbated by unclear documentation and third-party articles based on misunderstandings. To help clear it up, understand that while the cluster understands networking for some applications, it does not understand it for all. Applications within a cluster fall into three tiers:

    • Per-role cluster IP address. You will see this for roles that fully integrate with clustering, such as SQL Server. Check the properties of the role within Failover Cluster Manager. If you see an IP address, the cluster knows about it.
    • Client network binding. When you mark a network with the “Cluster and Client” role, the cluster can utilize it for hosting simple roles, such as scripts.
    • No cluster awareness. A cluster can host roles for which it does not control or comprehend the network configuration. Chief among these, we find virtual machines. The cluster knows nothing of virtual machine networking.

We will revisit that final point further on along with network prioritization.

Live Migration Network

The Live Migration cluster network represents something of an anomaly. It does not belong to a role and you can exclude it from carrying cluster traffic, but you control it from the cluster and it only “works” between cluster nodes.

You configure the networks that will carry internode Live Migration traffic from the Network tree item in Failover Cluster Manager:

Cluster Live Migration Network

As with any other IP endpoint, nodes can use their members of Live Migration networks for any non-cluster purpose.

Non-Cluster Communications

Everything not covered above falls outside the control of the cluster service. Individual nodes can operate their own services and functions separate from the cluster. Due to common confusion, I want to call out three well-known items that fall into this category:

    • Virtual machine traffic
    • Storage traffic (host-to-storage connections, not internode CSV traffic)
    • Host-level backup traffic

The cluster knows nothing of the Hyper-V virtual switch. Furthermore, the virtual switch behaves as a layer 2 device and WSFC networking only operates at layer 3.

In fair weather, each node controls its own I/O. If a node has a problem connecting to storage and that storage is configured in one or more CSVs, then the cluster can redirect CSV traffic across the network via a node that can reach the CSV. However, the cluster classifies that traffic under the general “cluster” type.

I do not know of any backup tool that utilizes the cluster service to perform its duty. Therefore, each node handles its own backup traffic.

Once you understand what traffic the cluster cannot control, you next must understand that cluster network prioritization only impacts it indirectly and partially. The reasons will become more obvious as we investigate the implementation.

How to Discover and Interpret Cluster Network Prioritization

Before configuring anything, look at the decisions that the cluster made. Open a PowerShell prompt, either in a remote session to a node or directly on a node’s console, and run:

    Get-ClusterNetwork | ft Name,AutoMetric,Metric,Role

This will output something like the following:

Cluster Network Prioritization

The “Name” and “Role” columns mean the same thing as you see in Failover Cluster Manager. “AutoMetric” means that the cluster has decided how to prioritize the network’s traffic. “Metric” means the currently assigned metric, whether automatic or not. Lower numbered networks receive higher priority.

To reiterate, these priorities only apply to cluster traffic. In other words, when the cluster wants to send data to another node, it starts at the lowest numbered network and works its way upward until it finds a suitable path.

Consider the real-world implications of the configuration in the screenshot above. The cluster has marked the “Management” network with the highest priority that can carry cluster traffic. The “Cluster” network has the lowest priority. The displayed cluster runs only Hyper-V virtual machines and stores them on an SMB target. It has no CSVs. Therefore, cluster traffic will consist only of heartbeat and configuration traffic. I have used Failover Cluster Manager as shown in a preceding section to prioritize Live Migration to the “Live Migration” network and set the Cluster and Management networks to allow Live Migration as second and third priorities, respectively. Therefore:

    • Internode traffic besides Live Migration will use the Cluster network if it is available, then the Live Migration, and as a last resort, the Management network.
    • Internode Live Migrations will prefer the Live Migration network, then the Cluster network, then the Management network.
    • Because cluster and Live Migration traffic use the Management network as a last resort, they should leave it wide open for my backup and other traffic. Due to isolation, non-cluster traffic does not have any access to the Cluster or Live Migration networks.
    • None of the preceding traffic types can operate on either Storage network.

The cluster automatically made the same choices that I would have, so I do not see any need to change any metrics. It does not make these decisions randomly, though. “Cluster only” networks receive higher priority than “Cluster and client” networks. Networks marked “None” appear in the list because they must, but the cluster will not use them. As for the ordering of networks with the same classification, I have not gathered sufficient data to make an authoritative statement. However, I always give my “Cluster” networks a lower IP range than my “Live Migration” networks (ex: 192.168.150.0/24 for the “Cluster” network and 192.168.160.0/24 for the “Live Migration” network), and my clusters always sort them in that order. But, “L” comes after “C” alphabetically, so maybe that’s why. Or, perhaps I’m just really lucky.

I want to summarize the information before I show how to make changes.

Key Points of Cluster Network Prioritization

We covered a lot of information to get to this point, and some of it might conflict with material or understanding that you picked up elsewhere. Let’s compress it to a few succinct points:

    • Cluster network prioritization is not a quality-of-service function. When the cluster service wants to send data to another node, it uses this hierarchy to decide how to do that. That’s it. That’s the whole feature.
    • The cluster service uses SMB to perform its functions, meaning that SMB multichannel can make this prioritization irrelevant.
    • In the absence of redirected CSV traffic, a cluster moves so little data that this prioritization does not accomplish much.
    • Cluster network prioritization does not “see” network adapters, virtual switches, or non-cluster traffic. It only recognizes IP addresses and only cares about the ones that carry cluster traffic.
    • You can only use cluster network prioritization to shape non-cluster traffic via process of elimination as discussed in the real-world example. Due to the low traffic needs of typical cluster traffic, you may never see a benefit.

How to Set Cluster Network Prioritization

Hopefully, you read everything above and realized that you probably don’t need to know how to do this. That said, a promise is a promise, and I will deliver.

The supported way to manually configure cluster network priority is through PowerShell. You can also use the registry, although I won’t directly tell you how because you can wreck it that way and I’m not sure that I could help you to put it back. I think you can also use the deprecated cluster CLI, but I never learned how myself and it’s deprecated.

Unfortunately, even though PowerShell is the only supported way, the PowerShell module for Failover Clustering remains surprisingly primitive. Much like PowerShell 2.0-era snap-ins, it usually requires you to acquire an object and manipulate it. It implements very few verbs beyond “Get-”, and the ones that it has do not expose much functionality. Furthermore, the module implements the extremely rare “packet privacy” setting, which means that you must carry out most of its functions directly on a node’s console or in a first-hop remote session. I believe that the underlying CIM API exposed by the cluster service imposes the packet privacy restriction, not PowerShell. I do not know what problem packet privacy solves that makes it worth the potential administrative frustration. Just know that it exists and how to satisfy it.

So, with all of the caveats out of the way, let’s change something. Again, I will work with the network list as displayed earlier:

Let’s imagine that my manager does not trust the auto-metric to keep the “Cluster” network at first priority and wants me to force it. To do that, I must manually give the “Cluster” network a metric lower than anything that the cluster might pick for itself. As you can see, the cluster uses very high numbers, so I can hit that target easily.

First, acquire an object that represents the “Cluster” network:

    $ClusterNetwork = Get-ClusterNetwork -Name 'Cluster'

Second, modify the acquired object’s “Metric” value:

    $ClusterNetwork.Metric = 42

Third, verify:

    Get-ClusterNetwork | ft Name, AutoMetric, Metric

You should see something like the following:

I performed the object acquisition and parameter setting in two discrete steps for clarity. If you only want to modify the metric property, then you do not need to keep the object and can perform it all on one line. I will demonstrate this by reverting to the auto-metric setting:

    (Get-ClusterNetwork -Name 'Cluster').AutoMetric = $true

By using Get-ClusterNetwork to place the object into the $ClusterNetwork variable in the first demonstration, I could continue on to make other changes without reacquiring the object. In the second demonstration, I lose the object immediately after changing its setting and would need to acquire it again to make further changes. Also, I find the second form harder to read and understand. It might perform marginally faster, but it would cost more time to prove it than it could ever be worth.

Changes to the cluster network priority take effect immediately.
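Putting the discovery and the change together, the following is an added example (not the article’s code; the function names are hypothetical). It lists the order the cluster will try networks in, both for cluster traffic and for Live Migration, pins one network to first place with a metric derived from the current values instead of a fixed 42, and hands control back to the auto-metric. It assumes the FailoverClusters module run on a node or in a first-hop remote session, as the packet-privacy requirement demands, and that Live Migration order is held in the MigrationNetworkOrder parameter of the “Virtual Machine” resource type.

```powershell
# Added example, not from the article. Shows the order the cluster will try
# networks in for cluster traffic (Metric) and for Live Migration (the
# MigrationNetworkOrder parameter on the "Virtual Machine" resource type, a
# semicolon-separated list of network IDs), pins a network to first place with a
# metric derived from the current values, and reverts to the auto-metric.
# Assumes the FailoverClusters module on a node or in a first-hop remote session.

function Get-ClusterNetworkPriority {
    [CmdletBinding()]
    param([string]$Cluster = '.')

    $nets = @(Get-ClusterNetwork -Cluster $Cluster)

    # The Virtual Machine resource type only exists once Hyper-V is clustered.
    $lmOrder = @()
    $vmType = Get-ClusterResourceType -Cluster $Cluster -Name 'Virtual Machine' -ErrorAction SilentlyContinue
    if ($vmType) {
        $raw     = (Get-ClusterParameter -InputObject $vmType -Name 'MigrationNetworkOrder').Value
        $lmOrder = @([string]$raw -split ';' | ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ })
    }

    # Only networks with a Role other than None take part in cluster-traffic ordering.
    $usable = @($nets | Where-Object { [string]$_.Role -ne 'None' } | Sort-Object Metric | ForEach-Object Name)

    foreach ($n in ($nets | Sort-Object Metric)) {
        $clusterRank = [array]::IndexOf($usable, $n.Name)
        $lmRank      = [array]::IndexOf($lmOrder, ([string]$n.Id).ToLower())
        [pscustomobject]@{
            Name               = $n.Name
            Role               = [string]$n.Role
            AutoMetric         = $n.AutoMetric
            Metric             = $n.Metric
            ClusterTrafficRank = if ($clusterRank -ge 0) { $clusterRank + 1 } else { 'unused' }
            LiveMigrationRank  = if ($lmRank -ge 0) { $lmRank + 1 } else { 'excluded' }
        }
    }
}

function Set-ClusterNetworkFirst {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Cluster = '.'
    )

    $nets   = @(Get-ClusterNetwork -Cluster $Cluster)
    $target = $nets | Where-Object { $_.Name -eq $Name }
    if (-not $target) { throw "No cluster network named '$Name'." }
    if ([string]$target.Role -eq 'None') { throw "'$Name' carries no cluster traffic, so its metric has no effect." }

    # Go below every other usable network instead of guessing a constant. The
    # auto-metric picks very large numbers, so there is normally plenty of room.
    $floor  = ($nets | Where-Object { $_.Name -ne $Name -and [string]$_.Role -ne 'None' } |
               Measure-Object -Property Metric -Minimum).Minimum
    $metric = if ($null -eq $floor) { 1000 } else { [int]$floor - 1000 }
    if ($metric -lt 1) { $metric = [int]$floor - 1 }
    if ($metric -lt 1) { throw "Another network already uses metric $floor; nothing lower is available." }

    if ($PSCmdlet.ShouldProcess($Name, "Metric=$metric (AutoMetric becomes False)")) {
        $target.Metric = $metric      # assigning Metric switches AutoMetric off for this network
    }
    Get-ClusterNetworkPriority -Cluster $Cluster
}

function Reset-ClusterNetworkMetric {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Cluster = '.'
    )
    if ($PSCmdlet.ShouldProcess($Name, 'AutoMetric=True')) {
        (Get-ClusterNetwork -Cluster $Cluster -Name $Name).AutoMetric = $true   # effective immediately
    }
    Get-ClusterNetworkPriority -Cluster $Cluster
}

Get-ClusterNetworkPriority | Format-Table -AutoSize
# Set-ClusterNetworkFirst -Name 'Cluster' -WhatIf    # preview the metric it would assign
```

Because the chosen metric is not recorded anywhere visible in the GUI, keep the output of Get-ClusterNetworkPriority with the cluster documentation so the next person troubleshooting knows a manual metric is in play.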

Going Forward with Cluster Network Prioritization

Ordinarily, I would wrap up the article with some real-world ideas to get you going. Really, I don’t have any for this one except, don’t. You probably have a better way to solve whatever problem you face than this. Hopefully, this article mainly serves as an explanation of how newer features have made this one obsolete and that much of the existing material gets a lot of points wrong. If you have clusters configured under the patterns from 2008 R2 and earlier, review them to see if you can successfully employ the auto-metric setting. Happy balancing!

What’s New in Windows Server 2022
https://www.altaro.com/hyper-v/windows-server-2022/
Thu, 29 Apr 2021 08:27:45 +0000

At the 2021 Ignite conference, Microsoft announced the preview of Windows Server 2022. Here's what's new and how it compares to Windows Server 2019.

The post What’s New in Windows Server 2022 appeared first on Altaro DOJO | Hyper-V.

At the recent Ignite 2021 conference, Microsoft announced the preview of the next version of Windows Server, Windows Server 2022. This is not huge news, as we can already follow the direction Windows Server is heading through the Semi-Annual Channel (SAC) releases that come out twice a year. However, there are some interesting features of note, and in this article we’ll take a look at them.

Security in Windows Server 2022

It’s no secret that most businesses worldwide are struggling with IT security. As organizations and society become more and more reliant on digital systems, there are just too many avenues for increasingly sophisticated attackers to find a way in. Compromising systems before they start up, through bootkits or rootkits, is becoming more popular, and building on the work Microsoft has done for Secured-core PCs, Windows Server 2022 brings Secured-core Servers.

Secured-core Servers

If you haven’t heard of Secured-core, think of marrying a Trusted Platform Module (TPM) 2.0 chip for securely storing secrets, Bitlocker for full volume drive encryption and Virtualization Based Security (VBS) to protect credentials while the system is running. In other words, all the optional Microsoft security features that you could turn on for a normal PC, but all enabled out of the box. First out of the gate was the Surface Pro X (which I’m writing this article on), but Secured-core PCs are also available from Lenovo, Dell, Panasonic, HP and others.

For servers this means that when you purchase a system with this label the OEM will have provided secure firmware and drivers and also will have enabled all these security features out of the box. You can also check on the status of your servers, plus enable security features using the new add-in for Windows Admin Center (WAC).

Secured-core features in Windows Admin Center

Note that Secured-core servers lay the foundation for the forthcoming generation of processors from Intel, AMD and Qualcomm that will include the Pluton security processor, built on security features first seen in the Xbox One. TPM has been very successful over the last 10 years as the first broadly available hardware security root of trust, but because it is a separate chip, advanced attacks leverage the connection between the TPM chip and the main CPU to gain access to secure information or tamper with the data. Because Pluton is built into the processor itself, it will mitigate this vector.

Let’s look at each of the Secured-core features in detail.

Trusted Platform Module

TPM provides storage for security information such as Bitlocker keys, while Secure Boot checks the signatures of all boot software (UEFI firmware, EFI applications and the OS itself) to ensure that none of it has been subverted by a rootkit.

Virtualization-based Security

Virtualization-based Security (VBS) uses hardware virtualization (based on Hyper-V technology, but don’t think of this as a separate VM, just an isolated part of the memory space in the OS) to stop attacks against credentials (Pass-the-Hash or Mimikatz, for example). VBS is also the platform for Hypervisor-Enforced Code Integrity (HVCI), which protects the Control Flow Guard (CFG) bitmap from modification, provides a valid certificate for Credential Guard and checks that device drivers have an EV certificate.

Control Flow and System Guard

Control Flow Guard is a way that Windows protects against malicious applications corrupting memory of legitimate applications.

System Guard is the umbrella term for taking the above technologies and providing these security guarantees for Windows: protect the integrity of the system as it starts up and validate this through local and remote attestation. It uses Static Root of Trust for Measurement (SRTM), Dynamic Root of Trust for Measurement (DRTM) and System Management Mode (SMM) protection to achieve this.

Memory Protection

Boot Direct Memory Access (DMA) protection is part of Kernel DMA Protection which can stop attacks against Bitlocker and other security technologies that rely on storing secrets in memory while the system is running. Plug a drive with malicious software into a port that supports DMA mapping for fast transfers and hey presto – it just read your Bitlocker key, with DMA protection this isn’t possible.
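The TPM, Secure Boot, VBS/HVCI and DMA protection features described in the sections above can all be queried from the OS, which is useful for checking whether a server that carries the Secured-core label actually has them active. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes an elevated session on a UEFI-booted Windows Server 2019 or 2022 host, and the numeric codes in the comments follow Microsoft's published documentation of the Win32_DeviceGuard WMI class.

```powershell
# Added example: summarise Secured-core related state on a Windows Server host.
# Assumes an elevated PowerShell session on a UEFI-booted Windows Server 2019/2022 host.

function Get-SecuredCoreStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # AvailableSecurityProperties codes: 1 hypervisor support, 2 Secure Boot, 3 DMA protection,
    # 4 secure memory overwrite, 5 UEFI code read-only, 6 NX protections, 7 SMM mitigations,
    # 8 mode-based execution control
    $available = @($dg.AvailableSecurityProperties)
    # SecurityServicesRunning codes: 1 Credential Guard, 2 HVCI,
    # 3 System Guard Secure Launch, 4 SMM firmware measurement
    $running = @($dg.SecurityServicesRunning)

    # Confirm-SecureBootUEFI throws on a legacy BIOS boot; treat that as "not enabled".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    $tpm = Get-Tpm

    [pscustomobject]@{
        TpmPresent             = $tpm.TpmPresent
        TpmReady               = $tpm.TpmReady
        SecureBootEnabled      = $secureBoot
        # VirtualizationBasedSecurityStatus: 0 not enabled, 1 enabled but not running, 2 running
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning            = ($running -contains 2)
        CredentialGuardRunning = ($running -contains 1)
        SecureLaunchRunning    = ($running -contains 3)
        SmmProtectionRunning   = ($running -contains 4)
        DmaProtectionAvailable = ($available -contains 3)
    }
}

$status = Get-SecuredCoreStatus
$status | Format-List

# Report which baseline features this host is still missing.
$baseline = 'TpmReady', 'SecureBootEnabled', 'VbsRunning', 'HvciRunning',
            'CredentialGuardRunning', 'DmaProtectionAvailable'
$missing = $baseline | Where-Object { -not $status.$_ }
if ($missing) { Write-Warning ('Not active on this host: ' + ($missing -join ', ')) }
else          { Write-Output 'All checked Secured-core features are active.' }
```

Run it on a fresh OEM Secured-core server and on an older system you are evaluating; the warning line is the quick way to see which features the hardware or firmware cannot provide, as opposed to features that are simply switched off and can be enabled through Windows Admin Center.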

Other security enhancements

Windows Server 2022 will have the latest version of Transport Layer Security, TLS 1.3, enabled by default, but TLS 1.3 will also be made available on earlier Windows Server versions.

When managing lots of Windows or Hyper-V containers across a server farm, the preferred approach is to give them an identity in Active Directory using group Managed Service Accounts (gMSA) but today that requires you to domain-join the container host – in 2022 this won’t be necessary. And if you’re encrypting your SMB (file server) traffic you can now use AES-256 encryption.
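The AES-256 SMB encryption mentioned above is configured through the SMB cmdlets rather than through the share GUI. The following is an added example, not from the article; it assumes an elevated session on Windows Server 2022, because the -EncryptionCiphers parameter on Set-SmbServerConfiguration and Set-SmbClientConfiguration first appears in that release (earlier versions only offer the on/off EncryptData switch).

```powershell
# Added example: require SMB encryption and prefer AES-256-GCM on a Windows Server 2022 file server.
# Assumes an elevated PowerShell session on Windows Server 2022.

# Cipher list in negotiation-preference order: AES-256 variants first, AES-128 as fallback.
$preferred = 'AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM'

# Server role: encrypt every share and refuse clients that cannot encrypt (SMB 1 and SMB 2.x).
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Confirm:$false
Set-SmbServerConfiguration -EncryptionCiphers $preferred -Confirm:$false

# Client role on the same host, so its own outbound SMB connections also prefer AES-256.
Set-SmbClientConfiguration -EncryptionCiphers $preferred -Confirm:$false

# Verify the resulting configuration.
Get-SmbServerConfiguration | Select-Object EncryptData, RejectUnencryptedAccess, EncryptionCiphers
Get-SmbClientConfiguration | Select-Object EncryptionCiphers

# Per-share alternative when server-wide encryption is too disruptive for legacy clients.
# 'Finance' is a placeholder share name.
# Set-SmbShare -Name 'Finance' -EncryptData $true -Confirm:$false
```

Turning on EncryptData server-wide is the stronger setting, but it will lock out SMB 1 and SMB 2.x clients that cannot negotiate encryption, so check Get-SmbSession for old dialects before enforcing it on a busy file server.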

Windows Server 2022 Scalability

Another headline in the preview announcement is the increase in scalability, a physical server can now have 48 TB of RAM, 64 sockets with 2048 Logical Processors (cores, or Hyperthreaded cores). While these figures are incredible (VMware vSphere 7 update 1 supports 24 TB and 768 CPUs per host) they matter to exactly 0.000001% of Windows Server customers. And mostly that customer is Microsoft itself, where in Azure the benefit of humongous machines is the ability to provide gigantic VMs for SAP and other huge database workloads for enterprises with very deep pockets.

On the other end of the spectrum, the Server Core container image for Windows Server 2022 is 1 GB / 20% smaller than in previous versions, shaving start-up and transfer times for containers running the Windows Server 2022 container image.

Windows Server 2022 build 20303.120329

Other Enhancements in Windows Server 2022

Windows Server 2022 will also bring (in the right context, details are scant at the moment) another feature that’s been forged in the fire of Azure’s hosts – reboot-less patching. Here patches are applied to a running OS without requiring a restart, improving uptime.

If you’re running a mix of Windows and Linux containers in Kubernetes you can use Calico to manage networking across the entire cluster. If you’re running globally distributed applications, managing time zones in containers has been difficult (it’s based on the host’s time-zone, making it difficult to move containers around), virtualized time zones in Windows Server 2022 will take care of this.

Speaking of Linux, Microsoft is aiming to bring the improved boot security to Linux as well, just as they’re doing in Azure.

Windows Server 2022 and the Hybrid World

Most of the presentation at Ignite on Windows Server 2022 was taken up by talking about features around, not in, the product itself, such as the ones recently released in GA 2103 version of Windows Admin Center. Windows Admin Center can now be run in the Azure portal, can automatically update your extensions, supports outbound proxy configuration, lets you pop out tools into separate browser windows, brings a revamped Event Viewer UI (first update since 1993 believe it or not) and lets you reassign virtual switches when moving a VM from one host or cluster to another. WAC also supports HTTP/2 which equals faster performance.

Windows Server 2022 will also be a first-class citizen in Azure and will power Azure Stack HCI and can be managed by Azure Arc. When it’s available in Azure you can use Automanage to ease your administrative burden in running VMs but like so many features mentioned in the announcement, none of these are unique to Windows Server 2022.

A one-year-old Dell system without full support for Secured-core Servers

In case you weren’t aware, Microsoft actually releases two versions of Windows Server per year, the Semi-Annual Channel (SAC). These versions are only supported for 18 months after they’ve been released, are only available to Software Assurance customers and only come in the Server Core flavor. Nevertheless, they point the way to where Windows Server is heading and Windows Server 2022 will be the next Long Term Servicing Channel (LTSC) release, with five-year mainstream and five-year extended support.

Windows Server 2022 Networking Improvements

Fortunately, the 100 level session at Ignite isn’t the only source of information for what’s new in the Windows Server 2022 preview, this blog article from August 2020 provides some more technical details.

MsQuic is probably the enhancement that’s going to impact IT Pros the most in the future. It’s Microsoft’s implementation of the QUIC protocol (open sourced) which will power the HTTP/3 implementation as well as provide improvements in SMB file transfers. The most interesting part for SMB is that it’ll be possible to set up file shares to be accessed securely over the internet with no VPN required. Read about it and watch Ned Pyle’s video for more info.

UDP will get a speed boost as well, similar to TCP offload, from NICs that support UDP Segmentation Offload (USO). TCP will benefit from support for TCP HyStart++ while packet capturing will see deeper into TCP/IP using PktMon.

Adding features in Windows Server 2022

Hyper-V networking isn’t left out in the cold, Receive Segment Coalescing (RSC) was introduced in Server 2019 and brings packets together to be processed as one larger segment in the virtual switch, lowering CPU load. In 2019 the traffic is re-segmented as it’s transferred to the VMBus, whereas in Server 2022 it’ll remain coalesced all the way to the application.

Containers and Kubernetes will benefit from Direct Server Return where request and response traffic can use different paths.

Hyper-V Enhancements in Windows Server 2022

Managing which VMs should be kept on the same host and which should be kept apart (virtualized Domain Controllers, for instance) has been possible for a few versions using affinity/anti-affinity rules. However, those rules weren’t site aware; for stretched clusters, there are now PowerShell cmdlets to configure site-aware rules, along with better overall management of affinity and anti-affinity through rules.
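As an added example of the rule-based affinity management described above (not code from the article, which does not name the cmdlets), the following uses the cluster affinity rule cmdlets that the FailoverClusters module gained in Windows Server 2022 to keep two virtualized domain controllers on different nodes. It assumes a Windows Server 2022 cluster with clustered VM roles named DC01 and DC02, both constructed names.

```powershell
# Added example: keep two virtualized DCs apart with a Windows Server 2022 cluster affinity rule.
# Assumes the FailoverClusters module on a Server 2022 cluster and VM roles 'DC01' and 'DC02'
# (constructed names).
Import-Module FailoverClusters

function New-VmAntiAffinityRule {
    param(
        [Parameter(Mandatory)][string]$RuleName,
        [Parameter(Mandatory)][string[]]$VmRoles,
        # DifferentNode keeps members off the same node; DifferentFaultDomain also keeps them
        # in different sites or racks, which is what a stretched cluster usually wants.
        [ValidateSet('DifferentNode', 'DifferentFaultDomain')]
        [string]$RuleType = 'DifferentNode'
    )

    # Create the rule once; re-running the function only (re)adds members.
    if (-not (Get-ClusterAffinityRule -Name $RuleName -ErrorAction SilentlyContinue)) {
        New-ClusterAffinityRule -Name $RuleName -RuleType $RuleType | Out-Null
    }
    Add-ClusterGroupToAffinityRule -Name $RuleName -Groups $VmRoles

    Get-ClusterAffinityRule -Name $RuleName | Select-Object Name, RuleType, Enabled, Groups
}

New-VmAntiAffinityRule -RuleName 'DC-DifferentNode' -VmRoles 'DC01', 'DC02'

# Confirm the placement the rule is supposed to guarantee: OwnerNode should differ.
Get-ClusterGroup -Name 'DC01', 'DC02' | Select-Object Name, State, OwnerNode
```

For a stretched cluster, pass -RuleType DifferentFaultDomain so the two DCs end up in different sites rather than merely on different nodes of the same site.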

In Failover Clusters, if you wanted to use Bitlocker on the nodes they all had to be in the same domain, now you can use local encrypted storage for key safekeeping in workgroup / cross-domain clusters.

Comparing Windows Server 2019 and 2022

Feature                                         Windows Server 2019   Windows Server 2022
Max host memory                                 24 TB                 48 TB
Max logical CPUs (cores / hyperthreaded cores)  512                   2048
Max VM memory                                   12 TB                 ?? (24 TB)*
Max virtual CPUs in a VM                        240                   ?? (960)*
Secured-core servers                            -                     V
AES 256-bit encryption for SMB traffic          -                     V
20% smaller Windows Server containers           -                     V
TLS 1.3 enabled by default                      -                     V
Virtualized time zones for containers           -                     V
MsQuic (no VPN for on-prem file share access)   -                     V
Bitlocker local key storage                     -                     V


*Microsoft hasn’t published scalability figures for VMs in Windows Server 2022 yet, which makes sense, as testing and optimizing performance happens late in an operating system’s development. However, if the scalability increases on bare metal carry over to VMs, the amount of supported memory should double and the number of virtual CPUs should quadruple.

Conclusion

As you can tell from the screenshot above, the preview version doesn’t have any visible details distinguishing it from Windows Server 2019 (or 2016). However, it looks like there are some exciting features under the hood, both for Hyper-V and networking and my suspicion is that there will be more news coming throughout 2021 as we head for a release late in the year.

If you want to be part of the journey, sign up to be a Windows Server Insider, download the preview and join the community.

The Best Virtual Machine for Windows 10
https://www.altaro.com/hyper-v/best-vm-windows-10/
Fri, 09 Apr 2021 09:11:33 +0000

Which hypervisor provides the best virtual machine for Windows 10 and other operating systems? Let's compare and find the answer.

The post The Best Virtual Machine for Windows 10 appeared first on Altaro DOJO | Hyper-V.

Undoubtedly, one of the most significant advancements in computing in the past two decades or so has been server and client virtualization, which raises questions such as what the best virtual machine for Windows 10 is. Virtualization has unlocked the true potential of modern hardware platforms. It has allowed a paradigm shift in the data center for organizations that can now run much denser, more efficient environments than ever before.

Many different hypervisors and solutions are available, from paid enterprise data center hypervisors to freely available desktop and server virtualization products, all of which let you take advantage of the efficiencies and capabilities provided by virtualization. Microsoft’s Windows 10 operating system is arguably one of the most popular OSes to be virtualized. In this guide, we will look at the best virtual machine solutions for Windows 10 and see what platforms are available to run Microsoft’s most popular OS inside a virtual machine.

What is Virtualization?

As mentioned, virtualization has been a revolutionary technology that allows organizations to use physical server hardware in ways that were not possible before. With traditional servers and workstations, you have one operating system bound to one set of physical hardware. In traditional data centers, this means you have one copy of the Windows Server operating system or Linux operating system installed on the underlying physical hardware.

The traditional way of installing operating systems on physical hardware is very limiting. It highlights many challenges with the conventional approach to operating systems installed on a single physical hardware set. For one, your operating system and any services, resources, and other critical data residing on it are subject to any hardware failures and other issues with the underlying physical hardware.

Virtualization allows effectively abstracting this traditional 1-to-1 relationship so that many operating system “instances” can run on top of the same set of physical hardware simultaneously. The operating system instances run in what are known as virtual machines. This layer of abstraction now means that multiple virtualized hosts can run in a clustered manner so that an operating system is resilient to a particular virtualization host failure. The operating system instance can move to a different host if a virtualization host fails. What makes these capabilities possible?

Hypervisor

The many capabilities and abstractions provided by virtualization are made possible by a hypervisor. A hypervisor is software, also called a virtual machine monitor, that creates and runs virtual machines. It isolates the virtual machines from one another and from the physical resources, serving as an abstraction layer between each guest operating system and the underlying physical hardware.

The hypervisor aggregates physical hardware resources, such as CPU, memory, and storage, into resource pools. It allows effectively providing resources for many different virtual machines on the same set of physical hardware. Hypervisors include the following components:

  • Process scheduler
  • Memory manager
  • I/O stack for input/output operations
  • Device drivers
  • Security layer
  • Network stack

The hypervisor uses the above components and others not listed to provide resources to virtual machines. You may wonder how a hypervisor can provide resources such as compute cycles to many different virtual machines using the same hardware. This capability is possible through the hypervisor’s scheduling of physical resources such as the CPU. You can think of the hypervisor as the manager of the CPU’s time that schedules out the processing of requests coming from the various virtual machines. The hypervisor scheduler can schedule time with the CPU so that all requests from the different virtual machines are processed efficiently.

Type 1 vs. Type 2 hypervisor

When choosing the best virtual machine solution for Windows 10, or for any other guest, you will select either a Type 1 or a Type 2 hypervisor. What is the difference? Each has different characteristics to note. To begin with, let’s take a look at the Type 1 hypervisor for running a Windows 10 virtual machine.

A Type 1 hypervisor is also known as a bare-metal hypervisor, because the hypervisor software is installed directly on top of the physical server hardware. Since the Type 1 hypervisor has no software or other operating system between it and the underlying physical hardware, it can achieve excellent performance. The hypervisor itself becomes the operating system. Since the hypervisor is the operating system installed on the physical hardware, it is not intended for any purpose other than running virtual machines. The Type 1 hypervisor is the primary type of hypervisor used to run virtual machine workloads in the enterprise data center.

Type 2 hypervisors run on top of the operating system of the physical host machine. For this reason, they are known as hosted hypervisors. This means Type 2 hypervisors have a layer of software between them and the underlying physical hardware: the host operating system, such as Windows 10, Windows Server or Linux.

Type 2 hypervisors’ performance is not as good as that of Type 1 hypervisors, since there is a software layer between them and the physical hardware. However, a Type 2 hypervisor can simply be used as an application installed on the host operating system. This means the hypervisor does not monopolize the physical host; you can use the host for purposes other than running virtual machines.

The best virtual machine for Windows 10

As we have already covered, the hypervisor plays a crucial role in virtualization technology’s capabilities and functionality. There are many different hypervisor solutions on the market today, some paid products and others free. In this guide comparing the features of the available hypervisors, we will consider the best virtual machine solution for Windows 10 and for other VM workloads you may have. Let’s look at the following hypervisors:

  1. VirtualBox
  2. VMware Workstation Pro and Workstation Player
  3. VMware ESXi
  4. Microsoft Hyper-V
  5. VMware Fusion Pro and Fusion Player

How does each of the available hypervisors compare in terms of price, features, compatibility and other aspects? Are you wondering how to set up a Windows 10 virtual machine? Let’s take a look at these solutions and answer the question: what is the best virtual machine for Windows 10?

VirtualBox

VirtualBox is an extremely well-known x86 and AMD64/Intel64 virtualization solution widely used, from the enterprise data center to the home user and enthusiast alike, for running Windows 10 virtual machines. It is a Type 2 hypervisor that runs across a wide range of platforms, including:

  • Windows
  • Linux
  • macOS
  • Solaris

It also supports many guest operating systems, ranging from legacy OSes to the latest versions of Windows, Linux, Solaris, OpenSolaris, OS/2 and OpenBSD. This makes it an excellent platform for experimenting, testing, learning and running workloads for various use cases, including Windows 10 guests. For those keenly interested in virtualizing Windows, VirtualBox supports one of the widest arrays of Windows versions available, including legacy Windows operating systems back to Windows 3.1.

Virtualizing Windows 10 with Oracle VirtualBox

In particular, VirtualBox runs Windows 10 VMs very well and provides many settings and features that allow a seamless and pleasant experience with the Windows 10 OS across its various flavors. One of VirtualBox’s “features” that stands out is that it is an open-source program that is free. You pay no license fees or any other fees to use it and run Windows 10 virtual machines. Some may be a bit concerned about VirtualBox’s open-source nature regarding support and any issues that may arise. However, VirtualBox has a healthy following and is a community-supported product, with support from VirtualBox gurus on the forums helping to troubleshoot Windows 10 VMs and other environments.

VirtualBox is easy to run and requires little to no previous experience with other hypervisors to get up and running with a Windows 10 VM. The software interface is intuitive and features a very “point and click” oriented approach to running your Windows 10 VMs. While you can certainly accept the program’s defaults, it also offers many extra “nerd knobs” you can tweak to your liking.

One feature of VirtualBox that may especially appeal to Windows 10 users is seamless mode. With seamless mode, you can display windows found in a virtual machine side by side with the windows shown on your host. After seamless mode is enabled, VirtualBox suppresses the display of your guest’s desktop background. This makes the guest’s windows appear seamlessly next to host windows, giving the feel of the guest application running natively on the host. This greatly improves the Windows 10 virtual machine experience.

VirtualBox provides a robust set of network management features that allow customizing networking and connectivity as needed. For Windows 10 VMs, VirtualBox certainly does not disappoint with the networking features made possible by the VirtualBox Host Network Manager. Using the Host Network Manager, you can create new virtual networks configured manually or automatically. You can also configure your host networks with DHCP so that guests on a particular host network segment receive their IP configuration automatically.

VirtualBox Host Network Manager

Below, we enable the DHCP server on a new Host-only network segment configured using the Host Network Manager in VirtualBox. You can configure the DHCP server IP address ranges assigned to Windows 10 guests.

Configuring the Host Network Manager DHCP server

The flexibility offered by VirtualBox allows configuring your Windows 10 VMs and others for various connectivity use cases, test scenarios, lab environments, etc. It is nice to see that VirtualBox provides a robust feature set for Windows 10 VM networking. Networking support is arguably one of the most important functional capabilities to look for in a hypervisor.

What about nested virtualization? Nested virtualization allows you to run a hypervisor inside another hypervisor. Why is this important? Suppose you want to use Hyper-V inside a Windows 10 test VM that you have running inside a hypervisor such as VirtualBox. Nested virtualization means you can install and test Hyper-V on that Windows 10 virtual machine running inside VirtualBox. VirtualBox supports this by enabling nested virtualization at the VM level.

Nested virtualization exposes the physical processor’s virtualization extensions on your virtualization host to a virtual machine running on it. With VirtualBox, you can enable nested virtualization using either the GUI or the command line.

Enabling nested virtualization on a Windows 10 VM running in VirtualBox

From the command-line in VirtualBox, you can enable nested virtualization using the following commands:

    VBoxManage.exe list vms
    VBoxManage.exe modifyvm "<your VM>" --nested-hw-virt on

Using the VirtualBox command line to enable nested virtualization

Another point to mention with VirtualBox is Oracle has provided several pre-built VirtualBox VMs readily available for download. For the most part, the VMs cater to developers who want quick access to developer VMs running Oracle. These are Linux boxes that come preinstalled with developer tools to interact with Oracle and other solutions.

VMware Workstation Pro and Workstation Player

VMware Workstation has long been a standard in desktop virtualization in the enterprise and for power users. It is a Type 2 hypervisor that provides the “Cadillac” of feature sets, offering users robust capabilities to run Windows 10 VMs and many other types of workloads, including containers. What features does VMware Workstation provide for creating and running Windows 10 virtual machines?

VMware Workstation Pro provides an excellent desktop virtualization platform

  • Ability to run VMs, containers, and Kubernetes clusters on a single workstation
  • Work with a wide range of operating systems and technologies
  • It offers a robust set of nested virtualization features
  • Interact with and even manage VMware vSphere environments
  • Provide secure, isolated environments for development, testing, and other use cases

VMs, Containers, and Kubernetes

With VMware Workstation, you can run multiple Windows 10 instances, OCI containers and Kubernetes clusters on the same Windows or Linux host running VMware Workstation. You can create fully segmented and isolated networks with network condition simulation. The platform provides a “Swiss Army knife” solution that is an excellent choice for developers, solutions architects, application testing and demonstrating product functionality.

Work with a wide range of operating systems and technologies

VMware Workstation provides the ability to work with a wide range of operating systems, including the latest versions of Windows 10. You can also work with OCI containers and Kubernetes clusters using kind and Minikube.

Robust set of nested virtualization features

VMware Workstation is known for its abilities in the realm of nested virtualization. You can easily configure and provision an entire lab containing Windows 10 workstations, Hyper-V hosts, and nested virtual machines running Windows 10 with the Hyper-V role installed.

Interact with and manage VMware vSphere environments

One of the great features you get with VMware Workstation is the ability to interact with and manage VMware vSphere environments. If you have an existing enterprise VMware vSphere environment, you can use the VMware Workstation GUI to add and manage vSphere. This includes configuring and powering on and off virtual machines in vSphere, as well as creating and managing locally housed Windows 10 and other VMs in VMware Workstation.

Secure, isolated environments

Many choose to use VMware Workstation running on their Windows 10 host to run a Windows 10 VM used for another purpose such as a browsing VM, development, cybersecurity forensics, network management, etc. With the snapshot and other features provided by VMware Workstation, it allows quickly rolling your Windows 10 VM back to a known good state at any point.

VMware Workstation provides a robust feature set that connects your virtual machines to fit your environment needs from a networking perspective. By default, VMware Workstation creates the following networks in the Virtual Network Editor. These include a bridged network, Host-only, and NAT. As with VirtualBox, you can tweak the DHCP Settings.

Virtual Network Editor with VMware Workstation

After clicking the DHCP Settings button, you can configure the DHCP Settings with all the expected settings, including starting and ending address and lease time settings.

Customizing the virtual network DHCP settings in VMware Workstation

A really interesting ability that VMware Workstation provides is network condition simulation, which lets you simulate network conditions including latency, packet loss and even the bandwidth of your connection. Network condition simulation is a convenient tool to have for troubleshooting, development and other purposes.

Having the ability in your Windows 10 development workstation or other VM to simulate network conditions is a great way to develop applications or test processes and services over very slow links or other adverse network conditions. Network condition simulation is a feature not found in VirtualBox. However, VMware Workstation is a paid product. You can install and use VMware Workstation for a 30-day trial period.

As mentioned earlier, nested virtualization is something that VMware Workstation does exceptionally well. Many in the community house their entire virtualization home lab on VMware Workstation running on either a workstation-class machine or a powerful laptop. This means you can set up your entire virtualization lab, featuring nested hypervisors such as ESXi running child VMs with Windows client operating systems like Windows 10.

Configuring hardware virtualization in VMware Workstation for nested virtualization

VMware Workstation Player is a free version of VMware’s desktop virtualization platform that provides the ability to have both a graphical and command-line interface for running a single VM. It is meant for use cases where a single VM is needed to create a secure, isolated sandbox on a PC. It is commonly used in education environments as a free and easy way to learn more about IT and computer systems in general.

VMware ESXi

VMware’s enterprise hypervisor is arguably the most well-known hypervisor in the enterprise environment today. VMware has a long history in the world of virtualization. They pioneered the virtualization movement back in the early 2000s and have revolutionized the virtualization industry ever since. In its current form, the ESXi hypervisor represents many years in development and touts some of the most cutting-edge features compared to any other hypervisor available on the market.

VMware ESXi is a Type 1, bare-metal hypervisor that provides a complete set of features and capabilities needed in enterprise data centers. It is both a free product from VMware and a licensed software solution purchased with support and additional licensed features we will cover below.

Specifically, VMware markets the free edition of VMware ESXi as vSphere Hypervisor. You can easily download vSphere Hypervisor by signing up for a (free) VMware account and requesting the free ESXi hypervisor. If you have a dedicated physical host that you plan on using for virtualization learning and practice, and to create Windows 10 and other guest VMs in a dedicated fashion, this is a great option.

Downloading VMware vSphere Hypervisor 7.0

VMware touts the vSphere ESXi hypervisor as the “world’s smallest and most robust architecture.” There are a few limitations to note with VMware ESXi free. The restrictions for the free vSphere Hypervisor include the following:

  • Virtual machines are limited to 8 vCPUs
  • No VMware Support
  • No vSphere Storage APIs are exposed
  • No management using vCenter Server

The free version of ESXi functions essentially as a dedicated workstation or laptop running your Windows 10 and other virtual machines. Keep in mind that even though it is a Type 1 bare-metal hypervisor, you will not be able to do any high-availability or resource scheduling across multiple nodes; those enterprise features require a vCenter Server in the mix. That said, if you are looking for the best hypervisor on which to run a Windows 10 virtual machine, VMware ESXi is arguably the “cream of the crop”.

Now, as mentioned, there are limitations with the free version of the ESXi hypervisor. However, if you want to have all of the enterprise features and capabilities for your Windows 10 and other workloads, you can step up to the paid version of VMware ESXi. With the latest licensed version of VMware vSphere ESXi 7.0 Update 1, you can now create virtual machines with a whopping 24 TB of memory and 768 vCPUs. What other enterprise features do you get with the paid version of vSphere ESXi?

  • VMware High Availability (HA)
  • VMware Distributed Resource Scheduler (DRS)

VMware High Availability (HA)

Let’s say you need to create a production-critical Windows 10 virtual machine and want to ensure it can withstand the failure of a hypervisor host. With the paid version of VMware ESXi and vCenter Server in the mix, you can configure a vSphere cluster, in which multiple hosts share a pool of resources. If a single host fails, VMware High Availability (HA) kicks in and the virtual machine is restarted on a healthy host remaining in the cluster.

Distributed Resource Scheduler (DRS)

DRS is a tremendously powerful feature found in the enterprise version of vSphere. With DRS, resource usage is automatically balanced across the hosts in the vSphere cluster: virtual machines are vMotioned between hosts depending on which host best satisfies the “happy VM” equation.

In terms of networking capabilities, in both the free and paid versions of ESXi you get the vSphere Standard Switch (VSS), which provides robust networking out of the box. VSS features include VLAN trunking, the ability to create isolated switches, failover behavior, basic security policies, and so on. Those with an Enterprise Plus license of vSphere or a vSAN license also have access to the vSphere Distributed Switch (vDS). The vDS provides the most powerful and fully-featured virtual switch capabilities: with it, you can automate and streamline your virtual networking configuration and centralize its management in vCenter Server.

Viewing virtual networks configured for an ESXi host

VMware ESXi also supports nested virtualization, that is, running virtual machines that are themselves hypervisors with their own child VMs. Nested virtualization in ESXi is configured per VM with the Hardware Virtualization setting “Expose hardware-assisted virtualization to the guest OS”. Note that this setting is also available and configurable in the free version of ESXi.

Configuring the hardware virtualization setting for nested virtualization

Any way you slice it, VMware ESXi is an excellent hypervisor with world-class features, used to host millions of workloads across myriad data centers, both public and private. In its free form it is still powerful, but has limits to note. Licensing for vSphere ESXi and vCenter Server is not cheap, so the free ESXi may well provide all the functionality and features you need.

Microsoft Hyper-V

Microsoft has been playing catch-up with VMware in enterprise virtualization for several years, working hard to advance Hyper-V with the features and functionality that enterprise customers have longed for. With Windows Server 2019, Microsoft Hyper-V has become a fully-featured, enterprise-class hypervisor that is genuinely ready for enterprise workloads.

Like VMware vSphere, Microsoft Hyper-V comes in a free and a paid version. Hyper-V Server is the free version: a Type 1 hypervisor delivered as a special-purpose operating system that is essentially Windows Server Core with the Hyper-V role installed by default. When you install Hyper-V Server, you customize and configure it through the sconfig utility, a menu-driven text interface. Afterward, you can manage the Hyper-V host with Hyper-V Manager on a management workstation or with Windows Admin Center.

Compared with a full Windows Server installation with the Hyper-V role added, Hyper-V Server has licensing limitations. It includes no guest licenses, whereas Windows Server Standard includes 2 VM instances and Windows Server Datacenter includes unlimited VMs. Hyper-V Server is a great platform, especially for running Linux virtual machines; Windows guest VMs are limited only by licensing. Note that this is a consideration with any hypervisor platform other than Windows Server 2019 with the Hyper-V role installed.

Create a virtual machine in Windows 10

There is yet another Hyper-V hypervisor to consider when you want to run Windows 10 or other virtual machines: the Hyper-V Windows feature in Windows 10, which you can use to create a Windows 10 virtual machine on a Windows 10 host.

Hyper-V Windows feature for Windows 10

When you install the Hyper-V Windows feature, the Hyper-V hypervisor is instantiated beneath the Windows 10 operating system at boot, so the host OS itself runs on top of the hypervisor. This is why Hyper-V is still considered a Type 1 hypervisor, despite appearing to run on top of the host operating system.

Microsoft makes a few things easier with Hyper-V on Windows 10, such as creating a Default Switch for network connectivity, which is not the case with Windows Server Hyper-V. Windows 10 Hyper-V also gives you the “Quick Create” wizard for easily creating virtual machines. Functionally, think of Windows 10 Hyper-V as the equivalent of VMware Workstation and VirtualBox.

With the quick installation of the Hyper-V feature in Windows 10, you can easily create a virtual machine. Note that to install the Hyper-V feature and create virtual machines in Windows 10, you must be running Windows 10 Pro, Enterprise, or Education edition.
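As an added example (not from the original article), the following PowerShell, run from an elevated prompt on Windows 10, checks the edition and hardware prerequisites just described, enables the Hyper-V feature, and then creates a Generation 2 Windows 10 VM on the Default Switch with Secure Boot and a virtual TPM turned on. The VM name, disk path and ISO path are assumed values.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# prompt on Windows 10. Checks the edition and hardware prerequisites the article
# mentions, enables the Hyper-V feature, then creates a Generation 2 Windows 10 VM
# on the Default Switch with Secure Boot and a virtual TPM turned on.
# $VmName, $VhdPath and $IsoPath are assumed values; adjust them for your machine.

function Test-HyperVPrerequisite {
    # Returns $true when this Windows 10 install can host Hyper-V.
    $props = 'WindowsEditionId', 'HyperVisorPresent',
             'HyperVRequirementVirtualizationFirmwareEnabled',
             'HyperVRequirementSecondLevelAddressTranslation',
             'HyperVRequirementVMMonitorModeExtensions'
    $info = Get-ComputerInfo -Property $props

    # Hyper-V is only offered on Pro, Enterprise and Education editions.
    $editionOk = $info.WindowsEditionId -match '^(Professional|Enterprise|Education)'
    if (-not $editionOk) {
        Write-Warning "Edition '$($info.WindowsEditionId)' does not include Hyper-V."
        return $false
    }

    # If a hypervisor is already running, the requirement fields are not evaluated.
    if ($info.HyperVisorPresent) { return $true }

    $hwOk = $info.HyperVRequirementVirtualizationFirmwareEnabled -and
            $info.HyperVRequirementSecondLevelAddressTranslation -and
            $info.HyperVRequirementVMMonitorModeExtensions
    if (-not $hwOk) {
        Write-Warning 'Enable VT-x/AMD-V and SLAT in firmware before installing Hyper-V.'
    }
    return [bool]$hwOk
}

if (-not (Test-HyperVPrerequisite)) { return }

# Enable the feature if needed. A reboot is required before the hypervisor loads
# beneath Windows, so stop here and re-run the script afterwards.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V
if ($feature.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart
    Write-Warning 'Hyper-V has been enabled. Reboot, then run this script again.'
    return
}

$VmName  = 'Win10-Lab'                         # assumed VM name
$VhdPath = "C:\Hyper-V\$VmName\$VmName.vhdx"   # assumed disk path
$IsoPath = 'C:\ISOs\Windows10.iso'             # assumed path to a Windows 10 install ISO
New-Item -ItemType Directory -Force -Path (Split-Path $VhdPath) | Out-Null

# Generation 2 gives UEFI, Secure Boot and vTPM support. Dynamic memory keeps the
# lab VM from pinning 8 GB of host RAM while idle.
New-VM -Name $VmName -Generation 2 -MemoryStartupBytes 4GB `
       -NewVHDPath $VhdPath -NewVHDSizeBytes 64GB -SwitchName 'Default Switch' | Out-Null
Set-VMProcessor -VMName $VmName -Count 2
Set-VMMemory -VMName $VmName -DynamicMemoryEnabled $true -MinimumBytes 2GB -MaximumBytes 8GB

# Make Secure Boot explicit with the Windows template and add a vTPM so the guest
# can use BitLocker and virtualization-based security once installed.
Set-VMFirmware -VMName $VmName -EnableSecureBoot On -SecureBootTemplate 'MicrosoftWindows'
Set-VMKeyProtector -VMName $VmName -NewLocalKeyProtector
Enable-VMTPM -VMName $VmName

# Attach the install media, boot from it first, and start the VM.
$dvd = Add-VMDvdDrive -VMName $VmName -Path $IsoPath -Passthru
Set-VMFirmware -VMName $VmName -FirstBootDevice $dvd
Start-VM -Name $VmName
Get-VM -Name $VmName | Select-Object Name, State, Generation, MemoryAssigned
```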

VMware Fusion Pro and Fusion Player

The VMware Fusion Pro and Fusion Player products are the macOS equivalents of VMware Workstation Pro and Workstation Player for Windows and Linux, and share the same basic features mentioned above, including support for running VMs, containers and Kubernetes clusters and for interacting with VMware vSphere. With VMware Fusion Pro and Fusion Player, you can run Windows 10 on top of macOS and even run additional copies of macOS on your Mac. Here is more information about VMware Fusion Pro and Fusion Player.

To properly protect your Hyper-V virtual machines, use Altaro VM Backup to securely back up and replicate your virtual machines. We work hard perpetually to give our customers confidence in their Hyper-V backup strategy.


To keep up to date with the latest Hyper-V best practices, become a member of the Altaro DOJO | Hyper-V now (it’s free).

Concluding Thoughts

Choosing the best virtual machine platform for Windows 10 depends on your needs and use case, and on which operating system you want to use for the host. If you want to use virtualized Windows 10 instances from time to time but do not need VMs running constantly, the Type 2 hypervisors mentioned, such as VirtualBox, VMware Workstation, and VMware Fusion, may be excellent choices; Windows 10 Hyper-V, which is a Type 1 hypervisor, can also serve this purpose. However, if you want to run Windows 10 VMs continuously, consider VMware vSphere ESXi or Microsoft Hyper-V.

Key Takeaways from Microsoft Ignite 2021
https://www.altaro.com/hyper-v/mvp-takeaways-microsoft-ignite/
Fri, 05 Mar 2021 08:02:40 +0000

Microsoft Ignite 2021 was packed with announcements, so we gathered 3 MVPs for a discussion on the main reveals that emerged from the event.

The post Key Takeaways from Microsoft Ignite 2021 appeared first on Altaro DOJO | Hyper-V.


Microsoft Ignite this week marked another 6-month period of rapid development and transformation in the industry from Microsoft. While COVID has changed the makeup of the event into a collection of virtual experiences, the pace of innovation and the implications for the market are as strong as ever.

In this article, I’ve listed some of the key items revealed during the event and I’ve also included a reaction video with myself and two other Microsoft MVPs, Didier Van Hoye, and Eric Siron. Let’s start with the reaction video, followed by my list of favourite reveals below that.

Enjoy!

3 Microsoft MVPs React to Microsoft Ignite – March 2021

Key Announcements from Microsoft Ignite – March 2021

The announcements from this Microsoft Ignite spanned many technology areas, and while the below is by no means a comprehensive list, these are some of the key announcements impacting IT Pros.

Let’s take a look.

Note: we’ll be blogging more in-depth about many of the products and features listed below in the coming months.

Microsoft Mesh

If anything stole the show it was Microsoft Mesh. While not specifically applicable to IT Pros, Mesh encompasses so many use cases and potential applications that IT Pros are quite likely to find themselves supporting this infrastructure in some way/shape/form in the future. Whether it is to collaborate, remotely assist in equipment repair, or to create digital meeting spaces like that shown below, Mesh has the potential to disrupt (and improve) all facets of life on the planet. If you haven’t watched the Ignite keynote, I highly recommend it. Microsoft feels so strongly about Mesh that they gave at least half the time of the keynote presentation to it. It’s certainly worth the watch.

Windows Server 2022

While it didn’t receive much fanfare during the course of the event, Windows Server 2022 was quietly announced. While that’s not news to those folks that are part of the Windows Server Insider Preview, it still has wider implications for the IT Pro community. Microsoft is still committed to creating and supporting feature-rich and quality services for on-prem. Some of the key enhancements for Windows Server 2022 are focused on three key areas:

  • Security
  • Hybrid Cloud Integration with Azure
  • Containerized Applications

Some of the more exciting announcements in these areas include Secured-core Server, which delivers an end-to-end secured server by requiring hardware and software vendors to follow the OS’s security best practices. Also mentioned was support for on-prem Windows Server in Azure Automanage. The big point there is that with Azure Automanage and Windows Server you can now do rebootless patching of managed machines, which is something IT Pros have been asking about for decades!

There are many more, but these are two of my favourites mentioned at the event.

Windows Admin Center Version 2103

Windows Admin Center is the new way to manage Windows Server, and while it may not be a complete replacement for the old RSAT tools yet, it’s certainly close. This new release of Windows Admin Center brings a lot of new and enhanced functionality. This includes:

If you’re interested in trying the new version of Windows Admin Center, you can do so here.

Enhancements to Microsoft Teams

With our current socially distant world, it’s no surprise to see Microsoft Teams continue to get a lot of attention from the dev teams at Microsoft. In addition to the multitude of features coming with Microsoft Viva, a number of additional features for Teams were showcased at Ignite. This includes:

  • Enhancements in collaborating with external people and groups
  • New Gallery Views and Presenter Views
  • Certified Teams Hardware
  • End to End Encryption for Teams Calls
  • Webinar enhancements and support for up to 1000 attendees
  • And more!

IT Pros will need to be aware of these enhancements in the coming months so they can enable and support them for their end-users and customers moving forward.

For the full list of Teams enhancements announced during the Ignite Event, you can go here.

Wrap-Up

While this is by no means an exhaustive list, these are some of the key features I feel like IT Pros will be interested in. Microsoft is always innovating and I feel like this Ignite had a bit more substance than the previous one back in September. We saw a pretty even distribution of enhancements across the entire stack this time and I fully agree with the Microsoft messaging that this Ignite includes a little something new for everyone!

That all said, if there is a feature that was announced that you’d like to hear about in a deep-dive blog article or video, be sure to let us know in the comments section below this article!

Windows Server 2019 Essentials vs Standard
https://www.altaro.com/hyper-v/windows-server-2019/
Thu, 03 Dec 2020 21:28:23 +0000

Windows Server 2019 Essentials provides capabilities for small to medium-sized businesses. How does it compare to Windows Server 2019 Standard? Let's see.

The post Windows Server 2019 Essentials vs Standard appeared first on Altaro DOJO | Hyper-V.


Microsoft Windows Server 2019 is one of the most powerful and fully-featured Windows Server operating systems released by Microsoft to date. It is highly capable and provides organizations with many great features for use on-premises, in cloud environments, and in hybrid cloud configurations.

Microsoft has provided three editions of the Windows Server 2019 operating system that offer different features and functionality. We want to focus on two of them to compare features, functionality, and use cases. What are the differences between Windows Server 2019 Essentials and Standard?

Additionally, Microsoft has strong cloud and hybrid cloud initiatives with current and future products, such as Windows Server. Many of the use cases that existed with the introduction of Windows Server Essentials are now solved by many of the cloud SaaS and cloud IaaS solutions offered in Microsoft Azure. How is Microsoft positioning Windows Server editions such as Windows Server Essentials with these offerings?

History of Windows Server Essentials

Before focusing on the intended use case of Windows Server 2019 Essentials, let’s take a look at the history of Windows Server Essentials. Where did it originate? What are its roots? The path to Windows Server Essentials began some twenty years ago with a product called Windows Small Business Server. Microsoft recognized an unmet need among small to mid-sized businesses.

Before a server product aimed at them existed, small business environments often used a Windows client machine in the office to share files with employees. That was less than ideal and lacked the enterprise-class controls and resilience of a proper server environment.

Microsoft recognized this need for small to mid-sized businesses to deliver resources in a streamlined, efficient, and cost-effective way. So, Windows Small Business Server (SBS) was born. With Windows Small Business Server, Microsoft bundled together the most needed and desirable services for SMB environments. It combined application, network, and communication services into a single, tightly integrated solution that empowered SMBs with the capabilities they needed. What were the various features of Windows Small Business Server at the time?

With the release of Small Business Server 2003, Microsoft introduced the Remote Web Workplace, an all-in-one solution providing remote access as well as email. Both the Standard and Premium editions of Windows Small Business Server provided Microsoft Exchange Server, Internet Information Services (IIS), Windows SharePoint Services, and the Microsoft Office Outlook 2003 email client. SBS 2003 also included additional infrastructure components such as Routing and Remote Access (RRAS), Windows Server Update Services (WSUS), and Microsoft Fax Server.

Microsoft Small Business Server (SBS) 2003 also included Microsoft SQL Server, Microsoft Security and Acceleration Server, and Microsoft Office FrontPage 2003. As you can tell, Windows Small Business Server was the quintessential “LAN in a Can” that provided everything a small to mid-sized business needed. It was an excellent product for anyone who wanted to serve anywhere from 25 to 50 employees using various devices.

Microsoft Windows Small Business Server
Microsoft Windows Small Business Server provided everything an SMB needed for productivity management

In looking at Windows Small Business Server, you get a good idea of the historical background of Windows Server Essentials and its use case.

Windows Server 2016 Essentials

As the predecessor to Windows Server 2019 Essentials, Windows Server 2016 Essentials was the release in which Microsoft started to step up its game in integrating Windows Server Essentials with the Azure cloud. What are the features of Windows Server 2016 Essentials?

  • Support for up to 25 users and 50 devices
  • Integration with Azure Site Recovery Services
  • Integration with Azure Virtual network
  • Larger deployment support
    • Supports multiple domains
    • Multiple domain controllers
    • Designate a specific domain controller

Early Windows Small Business Server (SBS) editions offered heavily “wizardized” help for setting up the first SBS server. Similarly, Windows Server 2016 Essentials edition provides an initial “Configure Windows Server Essentials” wizard that steps you through configuring the server in the environment.

Configure Windows Server 2016 Essentials

When you first install Windows Server 2016 Essentials edition, the Configure Windows Server Essentials wizard begins at first login. It steps you through the Essentials server’s initial configuration, including setting up the date and time, domain, user accounts, update settings, and others. Below are screenshots of the initial Configure Windows Server Essentials wizard.

Windows Server 2016 configure Windows Server Essentials wizard

Configuring the date and time in Windows Server 2016 Essentials setup wizard

Configure the domain settings

Create a network administrator account

Configure the Windows Update settings in the Windows Server Essentials configuration wizard

Configuration of Windows Server 2016 Essentials completes successfully

One of the robust features included with Windows Server 2016 Essentials is the Windows Server Essentials Dashboard, installed as part of the Windows Server Essentials Experience role (which the Configure Windows Server Essentials wizard installs). It provides a single management dashboard for configuring the Windows Server 2016 Essentials setup, services, and other integrations. A few of the tasks you can complete using the Windows Server Essentials Dashboard include:

  • Finish setting up your server
  • Access and perform everyday administrative tasks
  • View and act on server alerts
  • Set up and change server settings
  • Access or search for Help topics on the web
  • Access Community resources on the web
  • Manage user accounts
  • Manage devices and backups
  • Manage access and settings for server folders and hard drives
  • View and manage add-in applications
  • Integrate with Microsoft online services

After running the initial configuration wizard with Windows Server 2016 Essentials, a Windows Server Essentials Dashboard shortcut is conveniently placed on the desktop. The tabs at the top of the dashboard allow managing and configuring your server’s main settings, including users, devices, Windows Server storage, and applications.

Windows Server 2016 Essentials Dashboard

Using the Windows Server Essentials Dashboard, you can configure various service integrations in the environment. It includes integration with Microsoft Exchange Server. If you use an on-premises Microsoft Exchange Server to manage email for your organization, the Windows Server Essentials Dashboard setup allows easy integration with Microsoft Exchange Server. As a note, Windows Server 2016 Essentials does not install Exchange Server but instead allows integrating with it.

Windows Server 2019 Essentials

Windows Server 2019 Essentials Edition is the successor to Windows Server 2016 Essentials edition and carries on the design for small businesses’ needs. Windows Server 2019 Essentials retains many of Windows Server 2016 Essentials’ features and capabilities and adds various cloud features and interoperability. With these points noted, what are the key elements of Windows Server 2019 Essentials?

  • It is available as a single license that includes Client Access Licenses (CAL) for up to 25 users/50 devices
    • Note: unlike Standard and Datacenter edition, you do not need to buy Client Access Licenses (CALs) for Essentials edition
  • It offers a very compelling price point compared to other Windows Server editions
  • It runs native file and print services
  • Manageable with Windows Admin Center (WAC)

Azure specific features to note:

Much like Windows Server 2016 Essentials, Windows Server 2019 Essentials contains the following key Azure integration features:

  • Integration with Azure Site Recovery Services
  • Easily extend the connection from on-premises Windows Server 2019 Essentials server to Azure with Azure Virtual Network
  • Windows Server 2019 Essentials now supports installation of Azure Active Directory Connect (AAD Connect)

Features removed

Alongside the feature parity with Windows Server 2016 Essentials, some features have also been removed. The one that many have called the “death knell” for Windows Server Essentials is the removal of the Windows Server Essentials Experience role in Windows Server 2019 Essentials. As shown above for Windows Server 2016 Essentials, this role has historically been a core component of the Essentials product line, installed during the initial configuration of the server. Part of the Windows Server Essentials Experience role is the Administrative Dashboard detailed above, a core feature of the role. Its removal means that all management and configuration of Windows Server 2019 Essentials’ various functionality must be completed manually.

The Windows Server Essentials Administrative Dashboard has historically been seen as one of the installation’s primary benefits aside from cost. The Administrative Dashboard simplifies the tasks you perform to manage the Windows Server Essentials network and server configuration. Especially in SMB environments lacking dedicated IT staff trained to take care of on-premises infrastructure, removing the dashboard will require more expertise. Now, settings will require manual configuration.

Below is a screenshot of a Windows Server 2019 Essentials server after a clean installation. As you can see, there is no option in the Add Roles and Features Wizard for the Windows Server Essentials Experience role.

Windows Server 2019 Essentials server after installation

In comparison, the same Add Roles and Features Wizard in Windows Server 2016 Essentials has the Windows Server Essentials Experience role installed.

Windows Server 2016 Essentials after installation and initial configuration

Interestingly, despite the cut-down nature of Windows Server 2019 Essentials, Microsoft has committed to LTSC support for Windows Server Essentials. Customers currently using Windows Server 2016 Essentials will be supported according to the LTSC timeline. When is the end-of-life (EOL) for Windows Server 2016 (1607)? As listed among the current Windows Server versions in Microsoft’s servicing documentation, mainstream support ends 01/11/2022, with the option for extended support until 01/11/2027.

Windows Server release                                                                      | Version | OS Build                | Availability | Mainstream support end date | Extended support end date
------------------------------------------------------------------------------------------- | ------- | ----------------------- | ------------ | --------------------------- | -------------------------
Windows Server, version 20H2 (Semi-Annual Channel) (Datacenter Core, Standard Core)         | 20H2    | 19042.508.200927-1902   | 10/20/2020   | 05/10/2022                  | Review note
Windows Server, version 2004 (Semi-Annual Channel) (Datacenter Core, Standard Core)         | 2004    | 19041.264.200508-2205   | 05/27/2020   | 12/14/2021                  | Review note
Windows Server, version 1909 (Semi-Annual Channel) (Datacenter Core, Standard Core)         | 1909    | 18363.418.191007-0143   | 11/12/2019   | 05/11/2021                  | Review note
Windows Server, version 1903 (Semi-Annual Channel) (Datacenter Core, Standard Core)         | 1903    | 18362.30.190401-1528    | 05/21/2019   | 12/08/2020                  | Review note
Windows Server 2019 (Long-Term Servicing Channel) (Datacenter, Essentials, Standard)        | 1809    | 17763.107.1010129-1455  | 11/13/2018   | 01/09/2024                  | 01/09/2029
Windows Server, version 1809 (Semi-Annual Channel) (Datacenter Core, Standard Core)         | 1809    | 17763.107.1010129-1455  | 11/13/2018   | 11/10/2020                  | Review note
Windows Server 2016 (Long-Term Servicing Channel)                                           | 1607    | 14393.0                 | 10/15/2016   | 01/11/2022                  | 01/11/2027


Hacks for Windows Server 2019 Essentials Role and Administrative Dashboard

It is worth noting that steps have been posted on the Internet showing how to copy the required files from a working Windows Server 2016 Essentials server to a Windows Server 2019 Essentials server and get the Windows Server Essentials Experience Administrative Dashboard working in Windows Server 2019.

The Administrative Dashboard is a .NET application preinstalled with Windows Server 2016 Essentials. Copying the required files and registry entries and installing the prerequisite roles and features in Windows Server 2019 allows the Administrative Dashboard to run in Windows Server 2019 Essentials.

It is worth noting that Microsoft does not support the process of doing this in any way. This may be an option for those desperate to retain the same level of Essentials functionality in Windows Server 2019 Essentials edition.

Windows Server 2019 Essentials – the last Windows Essentials?

It has been speculated, even hinted at, that Windows Server 2019 Essentials will be the last Windows Server Essentials edition released. With the release of Windows Server 2022, it is no longer speculation, as there is no SKU for a Windows Server 2022 Essentials edition. More information about Windows Server 2022 is available in the following articles:

The reason is that Microsoft sees the future for SMBs in the cloud, specifically the Microsoft 365 cloud. Instead of deploying a Windows Server Essentials installation on-premises, Microsoft is heavily encouraging customers to use the Microsoft 365 Software-as-a-Service (SaaS) environment.

Microsoft’s reasoning here is that customers will benefit more from the solutions, services, and capabilities of the Microsoft 365 cloud SaaS offering than relying on the capabilities of an on-premises Windows Server Essentials installation.

This also explains the rationale for allowing AAD Connect to be installed. Azure Active Directory Connect lets organizations synchronize their on-premises directory to the Microsoft 365 cloud, so users can log in to their Microsoft 365 environment with the same password they use for their on-premises Active Directory credentials. Here Microsoft is facilitating integration with Microsoft 365 to coax SMBs and other organizations toward its cloud SaaS offering instead of on-premises resources backed by Windows Server Essentials installations.

The new model for Microsoft moving forward is a hybrid approach with the management and control plane existing in Microsoft Azure. Legacy on-premises technologies will either be phased out or continue to exist on-premises with configuration and management enabled from the Azure portal. As a case in point, Microsoft’s Azure Stack HCI offering is an on-premises technology delivering an environment to house on-premises virtualized workloads with software-defined storage and networking. However, licensing and deploying Azure Stack HCI is accomplished from the Azure Portal.

Additionally, the Arc-enabled solutions from Microsoft allow companies to onboard on-premises technologies such as Windows Server, virtual machines, SQL Servers, and other technologies into Azure for management, monitoring, and applying policies and governance. Even with on-premises technologies for the SMB, Azure Arc-enabled services provide many benefits and allow taking advantage of additional features and solutions enabled by Azure. 

Note Microsoft’s statement regarding what they refer to as the modern small business solution:

“Over the years since Windows Server 2016 Essentials was released, we have been working hard on the next solution for large and small businesses alike: Microsoft 365. We highly recommend Microsoft 365 for small business customers as a replacement for all versions of Windows Server Essentials. Microsoft 365 is a modern solution for file sharing and collaboration and includes Microsoft 365, Windows 10, and Enterprise Mobility + Security.

Evolve your business further with Microsoft 365 Business, which includes even more Office features, like email and calendaring, file storage in the cloud, data protection, and more. Microsoft 365 Business will help your small business achieve new levels of productivity.”

The writing is on the wall for Windows Server Essentials. Microsoft 365 is the modern solution that fills the need for SMBs looking for an all-in-one solution to do everything for them, similar to Windows Server Essentials. As many organizations are shifting to a much more distributed work layout, the anywhere, any device capabilities afforded by cloud SaaS environments become very appealing. Realistically, Microsoft 365 Business provides many more features for SMB organizations.

These include:

  • Chat, calls, and online meetings – Provides the ability to host online meetings and calls, share files, and collaborate in real time by way of Microsoft Teams
  • Cloud storage – Provides the ability to access files remotely, from anywhere
  • Office apps and services – A Microsoft 365 Business subscription allows SMB organizations to have access to Word, Excel, and PowerPoint files within Microsoft Teams
  • Email and calendaring – While Windows Server Essentials does not include Exchange Server, only an integration with it, Microsoft 365 provides powerful Exchange Online email for end-users
  • Modern cybersecurity features – protects against viruses, malware, phishing emails, ransomware, and other cybersecurity threats
  • Protect against data leaks – Protect business-critical data
  • Mobile Device Management – Allows managing mobile devices across the landscape of your employees
  • Identity and Access Management – Manage identity across your entire environment

Windows Server 2019 Standard

For environments that grow beyond the 25 users/50 devices limit found in both Windows Server 2016 and 2019 Essentials, Windows Server 2019 Standard is the recommended edition. Given the inherent limitations of Essentials Edition, Standard Edition may also be the more viable choice for SMB and enterprise organizations that want a resilient, fully-featured Active Directory Domain environment and need to support more users.

In environments where multiple domain controllers are needed, and organizations want to build their AD infrastructure on-premises, the Windows Server 2019 Essentials SKU will not be sufficient.

Windows Server 2019 Standard Edition

Windows Server 2019 Standard Edition provides the features and capabilities for organizations with more than 25 users and 50 devices. With Windows Server 2019 Standard Edition, you get additional roles and features not found in Windows Server 2019 Essentials Edition. These include:

  • Device Health Attestation – This is a new feature introduced with Windows Server 2016 to run the DHA service as a server role. It provides a secure way to attest to the security integrity of hardware running in your environment using the new role and without any additional infrastructure in the environment.
  • Host Guardian Service – This is a new service responsible for ensuring that Hyper-V hosts in the fabric are known to the hoster or enterprise and running trusted software
  • Network Virtualization – Microsoft’s network virtualization platform
  • Storage Migration Service – Uses a new Storage Migration Proxy Service to seamlessly migrate data from legacy file servers running in the environment.
  • Storage Migration Proxy – A component of the storage migration service
  • Storage Replica – Replicate storage between two Windows Servers
  • System Data Archiver – Collect and archive Windows system data
  • System Insights – Provides predictive analytics capabilities that analyze Windows System data.
  • VM Shielding Tools for Fabric Management – Part of the shielded VMs and Fabric Management components.

With Windows Server 2019 Standard Edition, SMBs are responsible for client access licenses (CALs); they are NOT included automatically with Windows Server 2019 licensing. Additionally, the Standard Edition SKU is licensed on a core-based model, so if you are virtualizing servers, the proper licensing requirements must be followed when running multiple instances of Windows Server 2019 Standard Edition in VMs.

Windows Server 2019 Essentials vs. Standard

Note the following comparison chart of features found in each edition and how these compare. When it comes to choosing Windows Server 2019 Essentials vs. Standard, it will depend on the number of users/devices needed and the features needed.

Feature | Windows Server 2019 Essentials | Windows Server 2019 Standard
--- | --- | ---
Limited in users and devices | Yes (25 users/50 devices) | No
Runs file and print services | Yes | Yes
Offers IIS web server functionality | Yes | Yes
Cost-effective for SMB | Yes (more cost-effective than Standard when running under 25 users/50 devices, since no CALs are required) | No (less cost-effective than Essentials when Hyper-V and advanced features are not needed and no more than 25 users/50 devices are required; if additional features or more users/devices are required, organizations must choose Standard Edition)
Manageable using Windows Admin Center | Yes | Yes
Contains Azure integrations | Yes | Yes
Device Health Attestation | No | Yes
Hyper-V and advanced features | No | Yes
Network Virtualization | No | Yes
Storage Migration and Replica | No | Yes
System Insights | No | Yes
Shielded VMs | No | Yes
Additional roles and features | No | Yes

Windows Server 2019 Datacenter

There is another edition of Windows Server 2019 to mention. Windows Server 2019 Datacenter Edition is the top-level Windows Server edition that provides all enterprise features for organizations. This Windows Server edition is especially beneficial in heavily virtualized environments looking to run many instances of Windows Server as production workloads.

With Windows Server Datacenter Edition, you can run an unlimited number of Windows Server virtual machines and containers by purchasing a single Windows Server 2019 Datacenter license. However, depending on the number of Hyper-V VMs an organization needs to run, it may still be less costly to purchase individual Windows Server 2019 Standard licenses instead of a single Windows Server 2019 Datacenter license as it is typically 7-8 times more expensive. The break-even point for most organizations where it becomes cost-effective to buy a Windows Server 2019 Datacenter license is around 12-14 VMs.

Windows Server 2019 Evaluation

You can download and install Windows Server 2019 Essentials, Standard, and Datacenter by downloading Windows Server 2019 evaluation copies from the Microsoft Evaluation Center. The Windows Server 2019 evaluation download provides a 180-day license.

Evaluation copies of Windows Server 2019 are beneficial for lab environments, testing Windows Server 2019 roles and features, standing up proof of concept environments, and even studying for Windows Server 2019 certification exams.

Windows Server 2019 evaluation copies can also be a great tool to better understand the version of Windows Server 2019 needed for various roles and features. After understanding which editions of Windows Server 2019 support various features and functionality, customers can use a Windows Server 2019 licensing calculator provided by Microsoft to understand pricing.


Concluding Thoughts

Windows Server 2019 Essentials comes from a long line of unique Windows Server versions created for the particular use case of small to medium-sized businesses. It provides basic office connectivity features for environments supporting 25 users/50 devices without purchasing client access licenses (CALs). While Windows Server 2016 retained the Windows Server Essentials Experience role and the Windows Essentials Administrative Dashboard, Windows Server 2019 Essentials has this functionality removed. With this and other changes, Microsoft has shown that Windows Server 2019 Essentials will undoubtedly be the last Windows Server Essentials version that is released.

With the reduced functionality and features provided by Windows Server 2019 Essentials, many SMBs may stick with Windows Server 2016 Essentials and look to transition to either Windows Server 2019 Standard Edition or migrate all resources to the cloud.

Microsoft strongly encourages SMB organizations that use Windows Server Essentials in their environment to consider migrating their business-critical resources to Microsoft 365. Microsoft notes that Microsoft 365 is the modern solution for small to medium-sized businesses looking to meet the needs of end-users sharing files, accessing email, collaborating, and other tasks and features needed in SMB environments. In most ways, Microsoft 365 provides superior features for SMBs.

For organizations needing to support more than 25 users/50 devices on-premises, Windows Server 2019 Standard Edition provides capabilities beyond those included in Windows Server 2019 Essentials Edition. With Windows Server 2019 Standard Edition, customers must purchase CALs for users. For the top-level features and functionality in the enterprise and highly dense virtualization initiatives, Windows Server 2019 Datacenter allows running unlimited virtual machines and containers.

What are your thoughts? Do you see a continued need for Windows Server 2019 Essentials? Do you have any “from the trenches” type of stories regarding this version of Windows Server? Let us know in the comments section below!

Thanks for reading!

How to Use Storage Migration Service for Windows Server and Azure
https://www.altaro.com/hyper-v/storage-migration-windows-server-azure/
Thu, 03 Sep 2020 16:31:45 +0000

This article reviews the scenarios, features, requirements, and best practices for using Storage Migration Service for Windows Server and Azure.


Storage migration projects are often one of the most daunting tasks that IT administrators face. These projects are risky due to potential data loss or misconfiguring identity permissions. Migrations are unrewarding, as end-users rarely notice a difference, but perhaps more challenging is that many migration tools are of substandard quality with a limited support matrix. In the past, migration was a lower priority initiative by Microsoft, but things are changing with the Storage Migration Service (SMS).

About a decade ago, I worked for Windows Server as an engineer and designed several of their migration technologies, even earning a patent. However, these projects were often rushed, had features cut and used a limited test matrix. This surprised a lot of people since migration should be viewed as an important tool for bringing users to the latest versions. But from the business perspective, a Windows Server to Windows Server migration was generally a one-time operation by already-paying customers. It made more sense to invest engineering resources in building new features and bringing new customers to the platform. If an existing customer had a subpar migration experience, although not ideal, it was acceptable. Migrating customers from a different platform (like VMware or AWS) is different and has always been treated as a high priority by the company as it generates new revenue.

However, Microsoft has recently (Windows Server 1809) released a first-class Windows Server to Windows Server (or to Azure VMs or Azure Stack) migration solution. Storage Migration Service (SMS) provides a new storage migration technology which is managed using Windows Admin Center (WAC) or Remote Server Administration Tools (RSAT). This GUI-based utility is straightforward and allows file servers (including their data, shares, permissions and associated metadata) to be migrated from older versions of Windows Server to Windows Server 2019 servers and clusters. SMS supports most Windows Server versions and various Linux distributions running Samba. After the migration, the identity of the file server can also be migrated so that users and applications do not lose access.

This article will review the scenarios, features, requirements and best practices for using Storage Migration Service. It includes the latest updates released in 1903 (May 2019) and 1909 (November 2019).

How Storage Migration Service Works

Storage Migration Service is fairly straightforward and follows other migration processes. First, you need to open a few firewall ports as described in the Security Requirements section of this article. Next, you will install Storage Migration Service in Windows Admin Center and open this tool.

To start the migration, you will select your source servers which will be inventoried and display a list of volumes and folders. You will select the storage that you wish to copy and specify some other settings. Next, you can pick the destination servers and volumes, and map them to the source volumes.

You are also given the option of migrating the entire file server, including the server's identity and network settings, or just the shares and their data. It is possible to use this technology as a basic asynchronous file replication solution. The data will then be copied from the source volumes to the destination volumes using the SMB protocol. The copy operations may run directly between the pair of servers or may be routed through an intermediary Orchestrator server which manages the migration operation.

If the identity of the file server is also migrated, users will be able to connect to their storage once Active Directory and DNS records throughout the infrastructure are updated. There may be slight disruptions in service, but all of their files and settings should be retained. The old servers will enter a maintenance state and not be available to users, and they can be repurposed.


Figure 1 – Storage Migration Service Overview

Note that a step-by-step guide for using the Storage Migration Service can be found in Microsoft’s official documentation.

Planning for Storage Migration Service

This section provides an overview of different considerations based on the hardware and software requirements for the various migration servers. Processing the migration can be resource-intensive, so it is recommended that the Orchestrator and any destination server have at least 2 GB of memory, 2 (v)CPUs and 2 cores. Conventional infrastructure enhancements will also speed up the process, such as providing a dedicated high-bandwidth network and using fast storage disks.

To make the migration faster, you can use hardware which has been optimized for SMB traffic. This can include using multiple NICs which support Remote Direct Memory Access (RDMA), SMB3 multichannel, Receive Side Scaling (RSS) and NIC teaming. On the server, you can try to maximize the memory and QPI speed, disable C-State, and enable NUMA.

Windows Server as a Source Server

The source server hosting the original storage must use one of the following versions of Windows Server:

  • Windows Server, Semi-Annual Channel
  • Windows Server 2019, 2016, 2012 / R2, 2008 / R2, 2003 / R2
  • Windows Small Business Server 2011, 2008, 2003 R2
  • Windows Server 2012 / R2, 2016, 2019 Essentials
  • Windows Storage Server 2016, 2012 / R2, 2008 / R2

Migration from Failover Clusters running Windows Server 2012 / R2, Windows Server 2016 and Windows Server 2019 is also supported.

Linux Servers using Samba as a Source Server

Storage Migration Service makes it easy to migrate from legacy Linux servers using Samba. Samba is a suite of programs for Linux and UNIX which provides file server interoperability with Windows Server. It allows file shares to be managed as if they were running on Windows by providing compatibility with the SMB/CIFS protocol. It supports Active Directory, but when migrating from a Linux server you will enter additional Linux and Samba credentials, including a private key or SSH password.

Samba 4.8, 4.7, 4.3, 4.2, and 3.6 are supported on the following Linux distributions:

  • CentOS 7
  • Debian GNU/Linux 8
  • RedHat Enterprise Linux 7.6
  • SUSE Linux Enterprise Server (SLES) 11 SP4
  • Ubuntu 16.04 LTS, 12.04.5 LTS

Windows Server as a Destination Server

It is generally recommended to migrate to the latest version of Windows Server (currently WS19), as this operating system will be supported for longer and has performance optimizations for SMB file transfers. With SMS, using Windows Server 2019 as the destination server actually runs about twice as fast as older versions of Windows Server as it can function as both the Orchestrator Server and destination. This is because data can be directly transferred to the destination, rather than routing through another intermediary Orchestrator server. However, Windows Server 2016 and Windows Server 2012 R2 are also supported.

Failover Clusters

Windows Server Failover Clusters are supported as source and destination servers, provided that they are running Windows Server 2012 / R2, Windows Server 2016 or Windows Server 2019. It is possible to migrate storage between two clusters, from a standalone server/VM to a cluster, or from a cluster to a standalone server/VM. Failover clusters are also supported for consolidating multiple standalone hosts onto a single cluster by having each migrated file server become a clustered file server workload.

Microsoft Azure Stack

Microsoft Azure Stack can be used as a destination server, with the storage being migrated to VMs running on Azure Stack. Azure Stack is deployed as a failover cluster, so it can also be used for consolidating multiple standalone hosts onto a single piece of hardware.

Microsoft Azure

Storage Migration Services can migrate storage, identity and network settings to a file server running inside a Microsoft Azure Virtual Machine (VM). Simply deploy your Azure Active Directory-connected file server and access it like you would any on-premises file server.

Azure File Sync Integration

Azure File Sync is a technology which optimizes how an on-premises file server syncs its data with Microsoft Azure. It allows Windows Server to function as a local cache of the Azure file share. It integrates with Storage Migration Service and can optimize performance after the migration.

Active Directory Considerations

Storage Migration Service requires that both the source and destination server are within the same Active Directory domain. All of the source servers, destination servers and any Orchestrator Server must have a migration account with administrative access to all systems. If you use migration credentials, the domains must be within the same AD Forest. Any Linux servers running Samba are also required to be managed within the same domain.

When using Windows Server Essentials or Windows Small Business Server you likely have your domain controller (DC) on the source server. For this reason, you likely will not be able to migrate the identity settings as the DC must remain online throughout the process. You can still inventory and transfer files from these servers. If you have two or more domain controllers this should not be an issue, and you can promote the domain controller on the source server after the cutover.

Workgroup migration is not supported.

Installing Storage Migration Service

The Storage Migration Service feature will appear in your Windows Admin Center feed. SMS can also be installed using PowerShell. Installing the Storage Migration Service feature on the management server will make it function as the Orchestrator Server. Install Storage Migration Service Proxy on your destination host(s) to maximize performance, as this enables them to copy data directly from the source servers. You can optionally install the Storage Migration Service Tools if you are using an independent management server.


Figure 2 – Installing the Storage Migration Service Features

Storage Migration Service (Orchestrator Server)

This feature is installed on the primary server running the migration, known as the Orchestrator Server. This server manages the migration process. It can run on any server or VM that is part of the same domain. The Orchestrator Server can run directly on the Windows Server 2019 destination server or an independent server. It is a good practice to always copy the migration events and logs from this server to track the migration progress.


Figure 3 – Installing Storage Migration Service through Windows Admin Center

Storage Migration Service Proxy

The Storage Migration Service Proxy is a role installed by Server Manager. This can be installed on the Windows Server 2019 destination server in order to double the transfer speed as this allows the source and destination server to copy data directly between each other. Without the proxy, the files need to be first copied to the Orchestrator server then they are copied again to the destination server. This takes twice as long as the Orchestrator server acts as a bottleneck. Installing SMS on any Windows Server 2019 host will automatically open the necessary firewall ports.

Storage Migration Service Tools

These are the management tools which can be installed in Windows Admin Center or Remote Server Administration Tools (RSAT).

Configuring Firewall Settings

When installing the Storage Migration Service Proxy, the proper firewall settings will be configured. The source and destination servers must have the following firewall rules enabled for inbound traffic:

  • File and Printer Sharing (SMB-In)
  • NetLogon Service (NP-In)
  • Windows Management Instrumentation (DCOM-In)
  • Windows Management Instrumentation (WMI-In)

The Orchestrator Server must have the inbound File and Printer Sharing (SMB-In) firewall rule enabled.
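To check the install and firewall steps above from a shell rather than clicking through each server, here is an added PowerShell example (not code from the original article or from Microsoft). The rule display names are the ones listed above; the Windows feature names 'SMS' and 'SMS-Proxy' are assumptions and should be confirmed with Get-WindowsFeature -Name *SMS* before use.

```powershell
# Added example: install the SMS role for a server and verify/enable only the inbound
# firewall rules that role needs. Display names are taken from the article's list.

$RequiredRules = @{
    # Source and destination servers need all four inbound rules.
    'SourceOrDestination' = @(
        'File and Printer Sharing (SMB-In)',
        'Netlogon Service (NP-In)',
        'Windows Management Instrumentation (DCOM-In)',
        'Windows Management Instrumentation (WMI-In)'
    )
    # The Orchestrator only needs SMB inbound.
    'Orchestrator' = @('File and Printer Sharing (SMB-In)')
}

function Install-SmsRole {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Orchestrator', 'Proxy')]
        [string]$Role
    )
    # ASSUMPTION: 'SMS' (Orchestrator) and 'SMS-Proxy' (destination proxy) are the
    # feature names; confirm with Get-WindowsFeature -Name *SMS* on your build.
    $feature = if ($Role -eq 'Orchestrator') { 'SMS' } else { 'SMS-Proxy' }
    Install-WindowsFeature -Name $feature -IncludeManagementTools
}

function Test-SmsFirewallRules {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SourceOrDestination', 'Orchestrator')]
        [string]$Role,

        # Enable any disabled required rule instead of only reporting it.
        [switch]$Fix
    )

    foreach ($name in $RequiredRules[$Role]) {
        # One display name can exist once per profile (Domain/Private/Public); check each object.
        $rules = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $rules) {
            [pscustomobject]@{ Rule = $name; Profile = 'n/a'; Enabled = $false; Status = 'Missing' }
            continue
        }
        foreach ($rule in $rules) {
            $status = 'OK'
            if ($rule.Enabled -ne 'True') {
                if ($Fix) {
                    # Turn on just this built-in rule; nothing broader is opened.
                    Enable-NetFirewallRule -Name $rule.Name
                    $status = 'Enabled now'
                } else {
                    $status = 'Disabled'
                }
            }
            [pscustomobject]@{
                Rule    = $rule.DisplayName
                Profile = $rule.Profile
                Enabled = ($status -ne 'Disabled')
                Status  = $status
            }
        }
    }
}

# Usage on a Windows Server 2019 destination that will also act as proxy:
#   Install-SmsRole -Role Proxy
#   Test-SmsFirewallRules -Role SourceOrDestination -Fix | Format-Table -AutoSize
# Usage on a separate Orchestrator (report only):
#   Test-SmsFirewallRules -Role Orchestrator | Format-Table -AutoSize
```

Any row still showing Disabled or Missing after a run with -Fix points at a rule removed or renamed by Group Policy, which is where to look before the Validate step fails.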

Inventory Storage Volumes

One of the first steps performed by Storage Migration Services is to inventory the storage which is selected for migration. This will list details about each of the components which will be copied, including the volumes, shares, configuration settings and network adapters. This information will also be retained in the migration reports.


Figure 4 – Storage Migration Service will Scan a Server to Inventory its Volumes

Map Source and Destination Servers and Volumes

During the migration, you will get to match each volume on the source server with a volume on the destination server. After selecting your source server(s), SMS will scan them and present a list of volumes. You can select any or all of the drives you wish to migrate, and you will map each to a volume on the destination server which has enough capacity. You must also migrate between the same file system type (NTFS to NTFS or ReFS to ReFS).


Figure 5 – Mapping Source and Destinations Servers using Storage Migration Service

Consolidate File Servers on a Failover Cluster

Many administrators want to use Storage Migration Service as a consolidation tool, allowing them to merge several older file servers onto a single destination file server. This scenario is only supported by migrating each legacy file server to a clustered file server. This is permitted because a failover cluster can run multiple file servers as a native cluster workload or as virtualized file servers inside VMs.

Migration Using Storage Migration Service

This section provides details about what happens during the migration.

Validate Migration Settings

Once the source and destination servers are mapped, click Validate. This will run several tests to verify that a unique destination exists, its proxy is registered, the SMB connection is healthy, and that the credentials work with administrative privileges.


Figure 6 – Validate Migration Settings

Migrate Data

Once the transfer begins, data will be copied from each volume on the source server to its mapped volume on the destination server. If there is any data already in a share on the destination server, this existing content will be backed up as a safety measure before the first migration. This initial backup only happens the first time, not on subsequent runs. If the storage migration is repeated, any identical folders and files will not be copied, to avoid duplication.

Migrate Storage Settings

The following settings (if available) are migrated to the destination server.

  • Availability Type
  • CA Timeout
  • Caching Mode
  • Concurrent User Limit
  • Continuously Available
  • Description
  • Encrypt Data
  • Folder Enumeration Mode (aka Access-Based Enumeration or ABE)
  • Identity Remoting
  • Infrastructure
  • Leasing Mode
  • Name
  • Path
  • Scoped
  • Scope Name
  • Security Descriptor
  • Shadow Copy
  • Share State
  • Share Type
  • SMB Instance
  • Special
  • Temporary

One important component which is not copied during migration is Previous Versions made with the Volume Shadow Copy Service (VSS). Only the current version of the file will be migrated.

Migrate Local Users and Groups

During the migration, you are given the option to copy the account settings for local users and groups. This allows current users to be able to reconnect to the file server without any additional configuration, which would be ideal if the server identity is also migrated. If you decide to migrate the local users and groups, you will be given the option to keep these accounts the same or force them to be reset with a more secure password. You would not select this option if you plan on keeping your existing file servers in production as there would be duplicate and conflicting file servers in your infrastructure.

If you are running the migration to set up or seed a DFS Replication server, you must skip migrating the local users and groups.

Skip Critical Files and Folders

Since the migration process happens on a running operating system, it is important that any critical files or folder which are in use are protected. Storage Migration Service will skip these files and folders and add a warning to the log.

The following files and folders will automatically be skipped:

  • Windows files, including: Windows, Program Files, Program Files (x86), Program Data, Users
  • System files, including: pagefile.sys, hiberfil.sys, swapfile.sys, winpepge.sys, config.sys, bootsect.bak, bootmgr, bootnxt
  • Computer-specific files, including: $Recycle.bin, Recycler, Recycled, System Volume Information, $UpgDrv$, $SysReset, $Windows.~BT, $Windows.~LS, Windows.old, boot, Recovery, Documents and Settings
  • Any files or folders on the source server that conflict with reserved folders on the destination server.

Multi-Threaded Migration

SMS allows multiple copy jobs to run simultaneously as it uses a multi-threaded engine. By default, SMS will copy 8 files at a time within a job. This can be changed from 1 file to 128 simultaneous files by editing the FileTransferThreadCount registry setting under HKEY_LOCAL_MACHINE\Software\Microsoft\SMSProxy. It is best not to set this higher unless you have hardware enhanced for SMB, as it increases processing overhead, and network bandwidth or disk speed are usually the limiting factors.

View Post-Migration Information

It is a good practice to keep track of your SMS migration errors, transfers and jobs. There are a few different ways in which you can track this information with Storage Migration Service.

Error Log

Any files or folders which cannot be transferred will be noted as warnings in the Error Log, such as those being used by the running operating system. This error log will also describe any other types of warnings and errors.

Transfer Log

To keep track of all of the migrations download the Transfer Log as a CSV (spreadsheet) file. Every time you run the migration this information will be overwritten. You may want to create an automated task in Task Scheduler which copies this file every time the Storage Migration Service has completed so this information is always captured.
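The Task Scheduler idea above, written out as an added PowerShell example (not code from the original article): each downloaded Transfer Log CSV is copied aside under a timestamped name with a SHA-256 hash, so the migration record survives the next run and can later be checked for alteration. The download path, archive folder, script path and hourly schedule are assumptions; change them to match where Windows Admin Center saves the log.

```powershell
# Added example: retain every SMS Transfer Log export with a tamper-evident hash list.

$TransferLogPath = 'C:\SMS-Exports\TransferLog.csv'   # ASSUMPTION: where the CSV is downloaded
$ArchiveRoot     = 'D:\SMS-Archive'                    # ASSUMPTION: retained audit location

function Save-SmsTransferLog {
    [CmdletBinding()]
    param(
        [string]$Source  = $TransferLogPath,
        [string]$Archive = $ArchiveRoot
    )
    if (-not (Test-Path $Source)) { return $null }   # nothing downloaded since the last run

    New-Item -ItemType Directory -Path $Archive -Force | Out-Null

    # Name the copy after the export's own last-write time, so an unchanged CSV is not archived twice.
    $stamp = (Get-Item $Source).LastWriteTimeUtc.ToString('yyyyMMdd-HHmmss') + 'Z'
    $dest  = Join-Path $Archive "TransferLog-$stamp.csv"
    if (Test-Path $dest) { return Get-Item $dest }   # already archived

    Copy-Item -Path $Source -Destination $dest

    # Append the hash to a running list; re-hash with Get-FileHash later to detect changes.
    $hash = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
    "$hash  $(Split-Path $dest -Leaf)" | Add-Content -Path (Join-Path $Archive 'SHA256SUMS.txt')
    Get-Item $dest
}

function Register-SmsTransferLogTask {
    # Registers a scheduled task that runs this script hourly as SYSTEM.
    # ASSUMPTION: this file is saved at $ScriptPath on the Orchestrator Server.
    param([string]$ScriptPath = 'C:\Scripts\Save-SmsTransferLog.ps1')

    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).Date `
                     -RepetitionInterval (New-TimeSpan -Hours 1)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'SMS-ArchiveTransferLog' -Action $action `
        -Trigger $trigger -Principal $principal -Force
}

# When executed as the scheduled script (not dot-sourced into a session), archive immediately.
if ($MyInvocation.InvocationName -ne '.') { Save-SmsTransferLog | Out-Null }
```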

Jobs Log

There is a log which tracks all of the SMS jobs; however, this is generally not needed by the admin, so it is hidden. You can find it under C:\ProgramData\Microsoft\StorageMigrationService. If you are migrating a large number of files, you may want to delete this database to reduce the space it takes up on disk. Additional information can be found in Microsoft’s official documentation.

Migrate & Cut Over the Identity of the File Servers

Once the data has been copied to your destination server you have the option to migrate the file server itself. This allows users to continue to access their files on the new hardware with minimal disruption. After completing the migration, select the Cut Over to the New Servers option and enter your Active Directory credentials. You can rename the server, but most likely you will keep the same file server name. If you do not copy the identity, users will keep accessing their files on the source server.

Migrate Network Adapter & IP Address Identity

When you migrate the File Server identity you will be given the option to map each of the network adapters from the source server to network adapters on the destination server. This will allow you to move the IP address during the cutover, whether it uses a static IP address or DHCP address. If you use a static IP address, make sure that the subnets on the source and destination server are also identical. You can also skip the network migration.


Figure 7 – Configuring the Network Migration for a Cutover

Migrate & Cut Over a Failover Cluster

If you are migrating to a failover cluster, you may also need to provide credentials which allow you to remove a cluster from the domain and rename it. This is required any time a cluster node is renamed.

Antivirus Considerations

Make sure that the antivirus versions and settings are the same on the source and destination server, particularly the included and excluded folders for scanning. You may need to temporarily disable antivirus scans during the migration to ensure that files are not locked while being scanned.

Summary

Storage migration projects can be overwhelming. But if you plan on using Storage Migration Service for Windows Server and Azure, I hope the scenarios, features, requirements and best practices described here will prove useful. As always, if you have any questions or concerns, let me know in the comments below.

How to Quickly Recover and Restore Windows Server Hyper-V Backups
https://www.altaro.com/hyper-v/recover-restore-windows-server/
Thu, 20 Aug 2020 12:28:20 +0000

This article explains the best practices for how to recover data from a backup and bring your services back online as fast as possible.


Perhaps the only thing worse than having a disaster strike your datacenter is the stress of recovering your data and services as quickly as possible. Most businesses need to operate 24 hours a day and any service outage will upset customers and your business will lose money. According to a 2016 study by the Ponemon Institute, the average datacenter outage costs enterprises over $750,000 and lasts about 85 minutes, losing the businesses roughly $9,000 per minute. While your organization may be operating at a smaller scale, any service downtime or data loss is going to hurt your reputation and may even jeopardize your career. This blog is going to give you the best practices for how to recover your data from a backup and bring your services online as fast as possible.

Automation to Decrease your Recovery Time Objective (RTO)

Automation is key when it comes to decreasing your Recovery Time Objective (RTO) and minimizing your downtime. Any time you have a manual step in the process, it is going to create a bottleneck. If the outage is caused by a natural disaster, relying on human intervention is particularly risky as the datacenter may be inaccessible or remote connections may not be available. As you learn about the best practice of detection, alerting, recovery, startup, and verification, consider how you could implement each of these steps in a fully-automated fashion.

Detect Outages Faster

The first way to optimize your recovery speed is to detect the outage as quickly as possible. If you have an enterprise monitoring solution like System Center Operations Manager (SCOM), it will continually check the health of your application and its infrastructure, looking for errors or other problems. Even if you have developed an in-house application and do not have access to enterprise tools, you can use Windows Task Manager to set up tasks that automatically check system health by scanning event logs and then trigger recovery actions. There are also many free monitoring tools, such as Uptime Robot, which alert you any time your website goes offline.

Initiate the Recovery Process

Once the administrators have been alerted, immediately begin the recovery process. Meanwhile, run a secondary health check on the system to make sure that you did not receive a false alert. This is a great background task to run continually during the recovery process, so that something like a cluster failover or a transient network failure does not force your system into restarting when it is actually healthy. If the outage was indeed a false positive, have a task prepared which will terminate the recovery process so that it does not interfere with the now-healthy system.

Select the Optimal Backup

If you restore your service and determine that there was data loss, you will need to decide whether to accept that loss or attempt to recover from the last good backup, which can cause further downtime during the restoration. Make sure you can automatically determine whether you need to restore a full backup, or whether a differencing backup is sufficient to give you a faster recovery time. By comparing the timestamp of the outage to the timestamp on your backup(s), you can determine which option will minimize the impact on your business. This can be done with a simple PowerShell script, but make sure that you know how to get this information from your backup provider and pass it into your script.
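The timestamp comparison described above, as an added example that is not part of the original post: the function picks the most recent restore point completed before the outage, resolves a differential back to the full backup it depends on, and reports how much data must be restored and how much is lost. The restore-point list is constructed sample data; the `Id`, `Type`, `Completed`, `BaseId` and `SizeBytes` fields are assumed names that a real script would fill from the backup product's API.

```powershell
# Added example (not Altaro's code): choose the restore point for a given outage time.
function Select-RestorePoint {
    param(
        [Parameter(Mandatory)][datetime]$OutageTime,
        [Parameter(Mandatory)][object[]]$RestorePoints
    )
    # Only points that completed before the outage are candidates; anything newer
    # may already contain the fault that caused the outage.
    $candidates = $RestorePoints | Where-Object { $_.Completed -lt $OutageTime }
    if (-not $candidates) { throw "No restore point completed before $OutageTime" }
    $latest = $candidates | Sort-Object Completed -Descending | Select-Object -First 1

    # A differential is only usable together with its base full backup; refuse
    # rather than silently restore a chain with a missing link.
    if ($latest.Type -eq 'Differential') {
        $base = $RestorePoints | Where-Object { $_.Id -eq $latest.BaseId -and $_.Type -eq 'Full' }
        if (-not $base) { throw "Base full backup '$($latest.BaseId)' for '$($latest.Id)' is missing" }
        $chain = @($base, $latest)
    } else {
        $chain = @($latest)
    }

    [pscustomobject]@{
        RestoreChain    = $chain.Id                                   # restore in this order
        BytesToRestore  = ($chain | Measure-Object SizeBytes -Sum).Sum # drives the RTO estimate
        DataLossMinutes = [int]($OutageTime - $latest.Completed).TotalMinutes
    }
}

# Constructed sample data: one nightly full plus hourly differentials (assumed field names).
$points = @(
    [pscustomobject]@{ Id='F1'; Type='Full';         Completed=[datetime]'2020-08-19T01:00'; BaseId=$null; SizeBytes=400GB }
    [pscustomobject]@{ Id='D1'; Type='Differential'; Completed=[datetime]'2020-08-19T13:00'; BaseId='F1';  SizeBytes=12GB }
    [pscustomobject]@{ Id='D2'; Type='Differential'; Completed=[datetime]'2020-08-19T14:00'; BaseId='F1';  SizeBytes=15GB }
)
# For an outage at 14:30 this selects F1 + D2 (415 GB to restore, 30 minutes of data loss).
Select-RestorePoint -OutageTime ([datetime]'2020-08-19T14:30') -RestorePoints $points
```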

Prioritize Backup Network Traffic

Once you have identified the best backup, you then need to copy it to your production system as fast as possible. A lot of organizations deprioritize their backup network since it is only used a few times a day or week. This may be acceptable during the backup process, but the network needs to be optimized during recovery. If you do need to restore a backup, consider running a script that will prioritize this traffic, such as by changing the quality of service (QoS) settings or disabling other traffic which uses that same network.

Provision Fast Disks for Recovery

Next, consider the storage media to which the backup is copied before the restoration happens. Try to use your fastest SSD disks to maximize the speed at which the backup is restored. If you decided to back up your data to a tape drive, you will likely have high copy speeds during restoration. However, tape drives usually require manual intervention to find and mount that drive, which should generally be avoided if you want a fully automated process. You can learn more about the tradeoffs of using tape drives and other media here.

Restart Services and Applications

Once your backup has been restored, you need to restart the services and applications. If you are restoring to a virtual machine (VM), you can optimize its startup time by maximizing the memory which is allocated to it during startup and operation. You can also configure VM prioritization to ensure that this critical VM starts first in case it is competing with other VMs to launch on a host which has recently crashed. Enable QoS on your virtual network adapters to ensure that traffic flows through to the guest operating system as quickly as possible, which will speed up the time to restore a backup within the VM and also help clients reconnect faster. Whether you are running this application within a VM or on bare metal, you can also use Task Manager to raise the priority of the important processes.
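The VM-side settings above (automatic start, startup memory, cluster priority and vNIC QoS) as one added PowerShell function that is not part of the original post. It assumes the Hyper-V module and, on a cluster, the FailoverClusters module are present, that the cluster role carries the same name as the VM, and that the virtual switch was created with `-MinimumBandwidthMode Weight`; `SQL-PROD-01` is a placeholder VM name.

```powershell
# Added example (not Altaro's code): prepare a critical VM to come up first after a host
# or cluster failure. Run it before the outage; the memory change needs the VM powered off.
function Set-RecoveryVmPriority {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [long]$StartupBytes = 16GB,   # memory the VM boots with; raise it for the restore window
        [int]$BandwidthWeight = 100   # 1..100, highest weight wins when the switch is contended
    )
    # 1. Start automatically, with no delay, whenever the host comes back up.
    Set-VM -Name $VMName -AutomaticStartAction Start -AutomaticStartDelay 0

    # 2. Enough startup memory to restore data inside the guest quickly (VM must be off).
    Set-VMMemory -VMName $VMName -StartupBytes $StartupBytes

    # 3. On a failover cluster the role priority decides start order after a crash (3000 = High).
    if (Get-Command Get-ClusterGroup -ErrorAction SilentlyContinue) {
        $group = Get-ClusterGroup -Name $VMName -ErrorAction SilentlyContinue   # assumes group name == VM name
        if ($group) { $group | Set-ClusterGroup -Priority 3000 }
    }

    # 4. vNIC QoS: a minimum bandwidth weight only takes effect on a Weight-mode switch,
    #    so check the switch first instead of silently applying a setting that does nothing.
    foreach ($nic in Get-VMNetworkAdapter -VMName $VMName) {
        $switch = Get-VMSwitch -Name $nic.SwitchName -ErrorAction SilentlyContinue
        if ($switch -and $switch.BandwidthReservationMode -eq 'Weight') {
            $nic | Set-VMNetworkAdapter -MinimumBandwidthWeight $BandwidthWeight
        } else {
            Write-Warning "$VMName/$($nic.Name): switch '$($nic.SwitchName)' is not in Weight mode; QoS weight not applied"
        }
    }

    # Return the resulting state so the recovery runbook can log and verify it.
    Get-VM -Name $VMName | Select-Object Name, AutomaticStartAction, AutomaticStartDelay, MemoryStartup
}

Set-RecoveryVmPriority -VMName 'SQL-PROD-01'   # placeholder VM name
```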

Verify that the Recovery Worked

Now verify that your backup was restored correctly and your application is functioning as expected by running some quick test cases. If you feel confident that those tests worked, then you can allow users to reconnect. If those tests fail, then work backward through the workflow to try to determine the bottleneck, or simply roll back to the next “good” backup and try the process again.

Regularly Test Backup and Recovery

Any time you need to restore from a backup, it will be a frustrating experience, which is why testing throughout your application development lifecycle is critical. Any single point of failure can cause your backup or recovery to fail, which is why this needs to be part of your regular business operations. Once your systems have been restored, always make sure your IT department does a thorough investigation into what caused the outage, what worked well in the recovery, and what areas could be improved. Review the time each step took to complete and ask yourself whether any of these should be optimized. It is also good practice to write up a formal report which can be saved and referred to in the future, even if you have moved on to a different company.

Top backup software providers like Altaro can help you throughout the process by offering backup solutions for Hyper-V, Azure, O365 and PCs, with the Altaro API interface which can be used for backup automation.

No matter how well you can prepare your datacenter, disasters can happen, so make sure that you have done all you can to try to recover your data – so that you can save your company!