Chapter 1

An Overview of Windows Server 2019

IN THIS CHAPTER

  • Getting an overview of the features new to Windows Server 2019
  • Making sense of the Windows Server 2019 editions
  • Looking at the different Windows Server 2019 user experiences
  • Recognizing the benefits of Server Manager
  • Working with the Windows Admin Center

Windows Server 2019 is the latest version of Microsoft’s flagship server operating system. This chapter has something for everyone. If you’re already familiar with Windows Server, I discuss the new features that Windows Server 2019 brings to the table. If you haven’t worked with Microsoft Server operating systems much before, you’ll appreciate the information on the editions and user experiences that you can use, depending on your needs.

Extra! Extra! Read All About It! Seeing What’s New in Windows Server 2019

With each new version of Windows Server, Microsoft introduces new and innovative technologies to improve administration or add needed functionality. Here are some of the new features in Windows Server 2019:

  • App Compatibility Feature on Demand (FoD) for Server Core: The App Compatibility FoD package includes a set of binaries that improve compatibility for applications that require some of the graphical tools that haven’t historically been available with Server Core. To use these capabilities, you need to install the FoD package from Microsoft; it’s available as an optional package download from the Microsoft Evaluation Downloads page (www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2019) in the form of an ISO image file. Just search for Windows Server Core Features on Demand, and ensure that you download the same version of FoD as the version of Server Core that you’re going to install or you’ve already installed. All you need to do is copy the ISO image file to the local storage on the server or to a shared storage location. Then you can use PowerShell to mount the ISO with the Mount-DiskImage command. This will give you the ability to use Internet Explorer 11, Event Viewer, Performance Monitor, Resource Monitor, Device Manager, Microsoft Management Console (MMC), File Explorer, Windows PowerShell ISE, and Failover Cluster Manager, and it will add support for SQL Server Management Studio.
  • Improvements to clustering: Several improvements have been made to clustering in Windows Server 2019:
    • Cluster Sets is a new technology that allows you to group multiple clusters. These clusters may just be compute or storage, or they may be hyperconverged (both storage and compute) clusters. This allows the movement of virtual machines (VMs) across different clusters, which, in turn, allows you to do maintenance tasks with little to no impact to the uptime of the VMs. To use the Cluster Sets feature, you create a VM and point it to a unified namespace (a name that is shared and provides access across multiple storage systems) for the cluster set. From there, the VM will be assigned to a cluster, and the cluster will assign it to a specific node.
    • File Share Witness is a file share that can be used to reach quorum in a clustering scenario. It received two enhancements in Windows Server 2019. The first enhancement enables the Failover Cluster Manager to block the creation of a file share witness if Distributed File System (DFS) is being used. An error message will also be displayed letting you know that this is not supported because it can cause stability issues in your cluster if your file share witness is put on a DFS share.

      The second enhancement to File Share Witness enables you to use a file share witness in scenarios that were not previously supported — for example, when you have poor Internet connections to remote locations, when you don't have shared drives, when you don’t have a domain controller connection (for instance in a demilitarized zone [DMZ]), or in a workgroup or cross-domain cluster where there is no Active Directory–based cluster name.

      Technical stuff: The DMZ is the area where you’ll typically locate public-facing systems like web servers. It’s essentially a lower-trust network being exposed to an untrusted network, like the Internet.

    • Moving clusters between domains no longer results in the cluster being destroyed. Two new PowerShell cmdlets were created that allow you to move a cluster from one domain to another domain.
    • Failover Clustering will no longer use NT LAN Manager (NTLM) for authentication. Instead, you’ll use Kerberos and certificates to manage authentication on your failover clusters.
  • Improvements to containers: You may be aware that containers were added in Windows Server 2016. The underlying technology used on Windows Server for containers is Docker. (To learn more about containers and Docker, turn to Book 8.)

    New container capabilities have been added in Windows Server 2019:

    • You can use group managed service accounts (gMSA) to access network resources. The container’s host name doesn’t need to be the same as the gMSA. You can use the gMSA on both Windows and Hyper-V isolated containers.
    • Applications that have specific communications needs such as support for Serial Peripheral Interface (SPI), Inter-Integrated Circuit (I2C), general-purpose input/output (GPIO), and universal asynchronous receiver-transmitter/communication (UART/COM) port can now be containerized. Host Device Access allows you to assign a simple bus to Windows Server containers. This is especially useful for Internet of Things (IoT) devices like sensors and other peripheral devices.
    • A third container image has been created that resolves application programming interface (API) dependencies that were not available in Server Core.
    • You can now deploy Kubernetes on Windows Server 2019. The master node still needs to be on Linux, but you can configure worker nodes to run on Windows Server. If you’re in a Windows-centric shop and you’re trying to automate processes, or you’re just looking for a container orchestration solution, Kubernetes is a great one to go with. You can find lots of great resources on Kubernetes if it’s something you’re interested in. Because it’s such a large topic, I don’t cover it in this book.
  • Congestion control: Windows Server 2019 includes Low Extra Delay Background Transport (LEDBAT), a network congestion control provider. As the name suggests, LEDBAT can find available network bandwidth for running updates and other network-intensive jobs. When the network is not in use, it can consume all the bandwidth. When the network is in use, it gives up bandwidth for your users and applications so that they don’t experience network delays.
  • Security enhancements: There are three enhancements made to security in Windows Server 2019, expanding on work done in Windows Server 2016 when Windows Defender was officially introduced to the server operating system. These enhancements are as follows:
    • Windows Defender Advanced Threat Protection (ATP): Provides visibility to attack activities that target memory and kernel-level areas, as well as the ability to respond to compromised systems. It also aids in forensics investigations and can be used to collect data about the system remotely.
    • Windows Defender ATP Exploit Guard: ATP Exploit Guard has similar capabilities to Host Intrusion Prevention Systems (HIPS). It’s designed to protect systems from multiple methods of attack, as well as block suspicious behavior that is often seen in compromises involving malware. The exploit protection capability replaces the older Enhanced Mitigation Experience Toolkit (EMET) that was previously offered by Microsoft.
    • Windows Defender Application Control: This feature was actually released in Windows Server 2016, but customer feedback provided to Microsoft conveyed that it was difficult to deploy. The version that ships with Windows Server 2019 comes with default policies built in to address some of the hardships that organizations faced. Microsoft applications are allowed to run by default, and executables that are known to be able to bypass code integrity checks are blocked.
  • Software-defined networking (SDN) enhancements: There were several improvements within the area of SDN:
    • One of the great improvements in security was made by introducing the Encrypted Networks feature, which provides end-to-end encryption and is configured on a per-subnet basis.
    • High-performance gateways allow for the network throughput to be increased up to six times. This is really great for hybrid scenarios where some systems are on-premises and others are in Azure.
    • Access control lists were introduced for the SDN fabric and can be applied automatically. This can improve the security of your SDN.
    • Your Hyper-V hosts can now generate firewall logs in the appropriate format for Azure Network Watcher.
    • IPv6 support was added, including all the security features available with the traditional IPv4 SDN.
    • Virtual network peering was introduced, to give you a method to allow separate virtual networks to communicate.
  • Shielded VMs: The concept of the shielded VM was introduced in Windows Server 2016. If you want to learn more about shielded VMs, turn to Book 7. Some cool new features available with Windows Server 2019 include the following:
    • The ability to run shielded VMs on systems that have intermittent connectivity to the Host Guardian Service (HGS)
    • The ability to enable VMConnect enhanced session mode and PowerShell Direct to aid in troubleshooting efforts
    • Support for shielded VMs running Linux operating systems
  • Improvements in storage: Storage Spaces Direct (S2D) was introduced in Windows Server 2016 Datacenter edition. This was a great step in the direction of hyperconverged architectures. It allows for locally attached storage to be leveraged to create highly available and easily scalable software-defined storage. If you want to learn more about this feature and other storage-related topics, check out Book 2, Chapter 2.

    Some of the new features added in Windows Server 2019 include the following:

    • New PowerShell cmdlets: These cmdlets simplify volume management and the retrieval of performance history when using Storage Spaces Direct.
    • Storage Migration Service: Storage Migration Service allows you to inventory existing servers for their data, security, and network settings, and then migrates those settings to a new modern server using Server Message Block (SMB). This is a huge win for you if you have some old file servers hanging around still because it simplifies the migration to a newer and more supported operating system. The new system takes over the identity of the old server — your users won’t even know anything happened!
    • Improvements to Storage Replica: Storage Replica was initially released in Windows Server 2016 Datacenter edition and allows for synchronous and asynchronous block replication between servers and/or clusters. With Windows Server 2019, Storage Replica has been made available in the Standard edition as well as the Datacenter edition.

      Warning: The Standard edition version of Storage Replica does have a few limitations that don’t exist in the Datacenter version. You’ll need to see if these limitations will impact your use case; if they will, be sure to install the Datacenter edition.

  • System Insights: System Insights is a new feature in Windows Server 2019. It utilizes machine learning to analyze performance data and other metrics on each server. This feature can be especially beneficial if you need to do capacity forecasting for compute, storage, and networking needs. System Insights can be managed through PowerShell or through the newer version of Windows Admin Center.
  • Windows Admin Center: Windows Admin Center can be used to centrally manage your servers, from viewing performance statistics, reviewing logs, and performing configuration tasks to setting up recovery for your local server to Azure by utilizing Azure Site Recovery. Windows Admin Center can now connect to Server 2008 R2, though with limited functionality. Server 2012, 2012 R2, 2016, Windows 10, and of course Windows Server 2019 are fully supported. The tool is browser-based and is designed to complement existing tools, but not necessarily replace them.
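The App Compatibility FoD procedure from the first item in the list above (copy the ISO, mount it with Mount-DiskImage, install from it), as an added example that is not from the book. The ISO path is a hypothetical location, and the capability name is taken from Microsoft's documentation rather than from this chapter.

```powershell
# Added example, not from the book. $IsoPath is a hypothetical location;
# point it at wherever you copied the Features on Demand ISO.
$IsoPath        = 'C:\Install\ServerCore_FoD.iso'
$CapabilityName = 'ServerCore.AppCompatibility~~~~0.0.1.0'   # name per Microsoft's documentation

# The FoD applies to Server Core only; stop on a Desktop Experience install.
$installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
if ($installType -ne 'Server Core') {
    throw "InstallationType is '$installType'; the App Compatibility FoD is for Server Core."
}

if (-not (Test-Path -LiteralPath $IsoPath)) { throw "ISO not found: $IsoPath" }

# Record the image hash so every server is built from the same vetted ISO.
$hash = (Get-FileHash -LiteralPath $IsoPath -Algorithm SHA256).Hash
Write-Output "FoD ISO SHA256: $hash"

$image = Mount-DiskImage -ImagePath $IsoPath -PassThru
try {
    $letter = ($image | Get-Volume).DriveLetter
    if (-not $letter) { throw 'The mounted ISO did not receive a drive letter.' }
    $source = "${letter}:\"

    # -LimitAccess stops DISM from contacting Windows Update, so only the ISO is used.
    $cap = Get-WindowsCapability -Online -Name $CapabilityName -Source $source -LimitAccess
    if ($cap.State -eq 'Installed') {
        Write-Output 'App Compatibility FoD is already installed.'
    }
    else {
        $result = Add-WindowsCapability -Online -Name $CapabilityName -Source $source -LimitAccess
        if ($result.RestartNeeded) {
            Write-Output 'Installed. Restart the server to finish (Restart-Computer).'
        }
    }
}
finally {
    # Always unmount, even if the install failed.
    Dismount-DiskImage -ImagePath $IsoPath | Out-Null
}
```

Every tool the FoD adds is extra code on a Server Core host, so install it only on servers whose applications need it.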

Deciding Which Windows Server 2019 Edition Is Right for You

Windows Server 2019 comes in three editions: Essentials, Standard, and Datacenter. In the following sections, I walk you through each edition so you can determine which one is right for you.

Essentials

Windows Server 2019 Essentials is tailored for small businesses of 25 users or fewer. It operates from a single license that is good for up to 25 users and 50 devices. Although Essentials has been extremely popular with small businesses because of its lower cost, there are rumors on the Microsoft blogs that the 2019 version of Essentials may be the last. This is due in part to the low cost of cloud services, which make for a very viable alternative for small businesses that don’t want the additional cost of having to support physical hardware.

Note: You won’t see Essentials called out in this book specifically. However, many of the topics I cover in this book can be applied to Essentials.

Standard

The Standard edition is ideal for environments with little to no virtualization or when used as a guest operating system. Features in the Standard edition include the following:

  • Up to two Hyper-V containers and unlimited Windows containers
  • HGS and Nano Server support
  • Storage Replica (with some limitations)

Datacenter

The Datacenter edition has the same features as Standard and some additional features:

  • Unlimited Hyper-V containers in addition to the unlimited Windows containers
  • Storage Replica (full version) and Storage Spaces Direct
  • Shielded VM support

Walking the Walk: Windows Server 2019 User Experiences

Windows Server 2019 has two user experiences to choose from. What you use will depend on the workload you want to support, as well as organizational requirements. In this section, I explain the Desktop Experience and the Server Core experience, as well as some pros and cons of each.

Desktop Experience

Desktop Experience is what you would consider to be the standard graphical user interface (GUI) that you may have used in previous versions of the Windows Server operating systems. It allows you to interact with the system with buttons and menus rather than through the command line. Server with Desktop Experience can be managed through Group Policy if attached to an Active Directory domain, and workgroup (non-domain) servers can be managed via local Group Policy.

Tip: Desktop Experience tends to be the easier form of server installation and administration for beginning system administrators, but I highly recommend that you don’t rely on the GUI (shown in Figure 1-1). Become a PowerShell ninja instead! PowerShell is a very versatile language and can be used on a variety of systems, including some of the newer versions of Linux.

Screen capture of the Desktop with a Start button at the bottom left and Recycle Bin at the top left.

FIGURE 1-1: Server with Desktop Experience.

Server Core

Server Core (shown in Figure 1-2) provides a much simpler interface if you connect to the console. You’re greeted by a somewhat familiar-looking command window that prompts you for your username and password. After you’ve logged in, you get the traditional C:\ prompt. You can run the traditional command-line commands from this console. Alternatively, by typing powershell.exe, you can launch a PowerShell window. Initial configuration is done with the sconfig utility, though it could be done through a PowerShell script or PowerShell Desired State Configuration (DSC). Server Core can be managed through Group Policy if attached to an Active Directory domain, or through local Group Policy on workgroup (non-domain) servers.

Screen capture of the Command Prompt window depicting Server Core.

FIGURE 1-2: Server Core.

Nano

Nano provides an even simpler interface and a much more limited console, which is referred to as the Recovery Console. It isn’t available through the regular installer on the disc; instead, you have to “build” the image from files available on the disc. Nano has a much smaller footprint, in both disk and compute needs, than Desktop Experience or Server Core. Because it has a smaller overall footprint, the attack surface is also reduced. Windows Server Nano 2019 is available only as a container base operating system image, and can only be run as a container on a container host.

Note: You won’t really see Nano discussed in depth anywhere in this book because you’re far more likely to encounter the Desktop Experience or Server Core installations of Windows Server 2019.

Nano can’t be managed through Group Policy. You need to use PowerShell DSC instead if you want to manage Nano at scale. You may be asking why you would even use Nano when it’s such a limited version of the operating system. If you need to run container workloads that use .NET, Nano is an excellent candidate because it has been optimized to run .NET Core applications.

Seeing What Server Manager Has to Offer

When you first install Windows Server 2019 and you log in, the first screen that you’re greeted with is Server Manager (see Figure 1-3). This screen gives you a central area to do all the configuration tasks you need to do on your server. It presents a handy menu to manage all the roles and features installed on your server as well.

Screen capture of the Server Manager window depicting all the configuration tasks.

FIGURE 1-3: Server Manager.

Server Manager allows you to manage remote servers, not just the local server. The remote servers need to be added to Server Manager before they can be managed, and some firewall ports may need to be opened to allow full functionality. After remote servers are added, you can run PowerShell against them and perform basic management tasks like shutting down, connecting via Remote Desktop Protocol (RDP), and so on. You can manage up to 100 remote servers with Server Manager. This number may be lower depending on what you’re running on the managed servers. If you’re running large workloads, then you may not be able to manage as many.

Remember: Server Manager can be used to manage the same operating system it’s installed on, as well as operating systems that are older than what is installed. It can’t manage the operating system on a server that is running a newer version of the operating system. For example, a server running Server Manager on Server 2012 R2 can’t manage a server running Windows Server 2016.

Figure 1-4 shows some of the options available through the Server Manager menu. You may notice that Remote Desktop Connection is grayed out. This is because I was logged on to the server that is in the window.

Screen capture depicting a drop-down menu with some of the options available through the Server Manager menu.

FIGURE 1-4: Managing servers with Server Manager.

Here’s a list of some of the more commonly used features of Server Manager:

  • Managing local and remote servers
  • Managing roles and features on servers (To install or remove roles and features, the target system must be running at least Server 2012)
  • Starting management tools like Windows PowerShell and MMC snap-ins
  • Reviewing events, performance data, and results from the Best Practices Analyzer

Windows Admin Center: Your New Best Friend

Windows Admin Center is a newer server management tool from Microsoft. Microsoft has been investing heavily in Windows Admin Center, and it shows. You can use it to manage your on-premises systems, as well as your systems in Azure. Windows Admin Center is accessible through your browser and allows you to perform nearly all your administrative tasks through the same interface. Best of all, it’s free! You just need to pay for the license of the operating system it’s running on.

Admin Center has been optimized to administer Windows Server 2019, although it can manage older server operating systems as well. Server 2012 and newer versions feature full support for all functionality, while some limited functionality is provided for Windows Server 2008 R2.

By default, Windows Admin Center uses TCP port 6516, so you need to allow this through your server firewalls depending on how your network is architected. To access the Windows Admin Center Dashboard, you need the hostname of the system that Admin Center is installed on. In Figure 1-5, notice that the address is localhost:6516. That’s because I’ve installed it on a Windows 10 client in Desktop mode. Desktop mode is typically used by a single system administrator, as opposed to Gateway mode, which is available for a larger number of staff.

Screen capture depicting Internet Explorer browser at localhost:6516 page with all connected devices on the All Connections page.

FIGURE 1-5: You can see all your connected devices on the All Connections page.

The first screen (refer to Figure 1-5) shows your connected devices.

If you click one of the devices in the list, you get a management view specific to that device. For Figure 1-6, I clicked on server2019-dc. You see an overview of the system as well as some management options. On the left side of the screen, there are many more options you can work from.

Screen capture depicting Internet Explorer browser with server2019-dc and an overview of the system as well as some management options.

FIGURE 1-6: The Overview page shows, well, an overview of the device you clicked.

Installation of Windows Admin Center is simple. You download the Microsoft Installer (MSI) package from the Microsoft Windows Admin Center website (www.microsoft.com/en-us/cloud-platform/windows-admin-center). Before you install it, you need to decide if you’re simply going to install it on your desktop client or if you want to install it on a server. My recommendation would be to use your desktop if you’re just trying it out or if you manage only a few servers. If you’re going to use Windows Admin Center in all its glory, install it on a server so that all your administrators can get to it. They’ll thank you!

You can install Windows Admin Center on Windows 10 (it needs to have the Fall Anniversary Update 1709) or Windows Server 2016 or newer. To manage older servers — including 2008 R2, 2012, and 2012 R2 — you need to install Windows Management Framework 5.1 on each of those servers.

When you install Windows Admin Center on Windows 10, it’s installed in Desktop mode, which means that you access it using https://localhost:6516. When Windows Admin Center is installed on a server, it installs in Gateway mode, which can be accessed with the server name in the URL (for example, https://servername).

Technical stuff: You can’t install Windows Admin Center onto a domain controller. This would be a bad idea anyway! Because Windows Admin Center exposes its services via a web page, it provides a point of attack that would not normally be there.
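Because Windows Admin Center is a web-facing management surface, the firewall opening mentioned earlier is better scoped to the administrators' network than left open to every source. The script below is an added example, not from the book: it refuses to run on a domain controller, allows the port only from a management subnet, and lists any other enabled rule that still opens the port to everyone. The subnet and rule name are hypothetical, and the port defaults to the 6516 stated in this chapter; pass the port chosen during your installation if it differs.

```powershell
# Added example, not from the book. Run elevated on the server that will host
# Windows Admin Center in Gateway mode.
param(
    [int]$Port = 6516,                              # default port stated in the chapter
    [string[]]$AdminSubnets = @('10.10.50.0/24')    # hypothetical management subnet
)

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    throw 'This host is a domain controller; use a member server for Windows Admin Center.'
}

# Create the scoped rule, or bring an existing one back to the intended scope.
$ruleName = 'Windows Admin Center (admin subnets only)'   # hypothetical rule name
if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -DisplayName $ruleName -Protocol TCP -LocalPort $Port `
        -RemoteAddress $AdminSubnets
}
else {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Port -RemoteAddress $AdminSubnets -Profile Domain |
        Out-Null
}

# Allow rules are additive: one broad rule on the same port cancels the scoping
# above, so list every enabled inbound allow rule that opens $Port to any source.
$broad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        $addrFilter = $_ | Get-NetFirewallAddressFilter
        $portFilter.Protocol -eq 'TCP' -and
        $portFilter.LocalPort -contains "$Port" -and
        $addrFilter.RemoteAddress -contains 'Any'
    }

if ($broad) {
    Write-Warning "Rules that open TCP $Port to any source:"
    $broad | Select-Object DisplayName, Profile | Format-Table -AutoSize
}
else {
    Write-Output "TCP $Port is reachable only from: $($AdminSubnets -join ', ')"
}
```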

Some of the coolest features of Windows Admin Center include the following:

  • Centralized server management
  • Integration with Azure so you can manage on-premises and cloud resources from the same console
  • Cluster management tools built into Windows Admin Center
  • Showscript, which allows you to see the PowerShell scripts that are being run to do your administrative work

Remember: The only browsers currently supported are Microsoft Edge and Google Chrome. Firefox hasn’t been tested, but most of the functionality should work as expected.