Windows Server 2019 rolls up a number of incremental updates that Microsoft introduced over the past three years and packs in many new features as well, especially in areas of security, administration, storage and integration with Microsoft’s Azure cloud.
Microsoft had been on a four-year release cycle (Windows Server 2008, 2012, 2016), so Windows Server 2019 breaks that pattern. There are three versions: Standard, Datacenter, and a minimalist Nano edition designed specifically for containers. There are two channel options: with Long-Term Service Channel (LTSC), customers don’t get feature upgrades beyond security fixes; with the Semi-Annual Channel model, updates are issued every six months.
Here are some of the key features of Windows Server 2019:
Security: Windows Server 2019 goes to far greater lengths than ever before to prevent attacks. Windows Defender is included by default and has new features designed to plug security holes and make administration easier. Although Defender won’t stop a trigger-happy email recipient from opening an attachment harboring a zero-day threat, Windows Advanced Threat Protection adds another layer of security designed to protect against several kinds of malware behaviors, including a method of “bolting down” folder access to prevent ransomware-like mass file encryption.
It’s also easier in Windows Server 2019 to build-out a certificate authority (CA) infrastructure that issues digital certificates for authentication purposes. This makes it possible to get closer to the tenets of the Zero Trust model, which enforces strict authentication and access control. CA certificates are easily managed, as are updates to expired certificates.
Management: The control plane for systems administration offers a more understandable and approachable UI and admin UX. These and other management components take some of the sting out of managing large Windows systems, as well as heterogeneous Windows/Linux environments. Microsoft now provides a Windows Admin Center (WAC) app, usable in networks where Microsoft Active Directory is employed. This single pane of glass console manages a wide variety of Microsoft operating systems instances. We found it especially useful in dealing with Windows 2019 Server Core, which has no UI, and for distributed operations such as branch and multi-site administration.
The WAC app allows software-defined networks to be instantiated, managed, and secured/encrypted where appropriately configured certificate authority (CA) infrastructure exists. Our largest complaint regarding WAC is lack of UI/UX density, as in multiple servers on screen simultaneously, or a spread of monitors permitting major asset monitoring/comparisons, and reconfiguration during crisis times.
A small detail that delighted us was a simple change: Window Server 2019 offers a soft reboot capability. For anyone who sits for hours in front of HPE or Lenovo servers, this can be a savings of perhaps days of time, compared to full reboots.
Resilient File System (ReFS): The ReFS can correct files against a stored checksum and enable de-duplication, a new feature in Windows Server 2019. We found ReFS trivial to setup, as long as Microsoft Hyper-V is also installed. Our testing showed that it can save space in situations where there are sub-directories full of identical files.
Clustering: Windows Server 2019 clustering capabilities have advanced. A failover cluster of pairs (think of transaction processors, key servers, certificate storage, database servers), can now be connected via USB drive where the drive is attached to a network switch. In the past, a failover cluster required three machines.
Routing and Remote Access Server (RRAS) Always-OnVPN: Microsoft turned on Always-OnVPN (AOVPN) in Windows Server 2019, which can be an upgrade for users of Microsoft’s previous VPN methodology, called DirectAccess. The RRAS service plays the role as a proxy authenticator to accept or reject VPN connectivity requests. We found the choices of encryption are limited and there aren’t any sockets for plug-in encryption methods from third parties. There are many moving parts to AOVPN, and all must be happy to permit the VPN connection, but once we used the correct Educational Version of Windows 10, it worked well.
Active Directory: The Windows AD model hasn’t changed dramatically in Windows 2019 Server editions, but administering remote sites is now easier. Interesting new features, like AlwaysOnVPN, require a working AD. Joining Windows Server 2019 to an existing network for those with any experience with AD is simple. We built both internal and remote servers from a single pane of glass with Windows Administration Center.
Linux and Containers: Software-defined networks (SDNs) have evolved, as has the use of IPv6 in every component of networking, now as a native and parallel protocol to IPv4. This is important as a component of the scalability needed for networking inside the Microsoft Hyper-V virtualization infrastructure, and the management of Microsoft containers and Linux-based container fleets.
Windows Server 2019 includes access to LinuxKit, a toolkit designed specifically to build Linux subsystems on non-Linux operating systems like Windows Server. Container controls and interaction come via the GRPC link between a Windows and Linux instance living in a Hyper-V virtual machine.
Windows containers are fully baked and run smoothly on the Nano version of Windows Server 2019. In hybrid Windows/Linux networks, Microsoft has employed an egalitarian effort towards readily hosting, even offering, four distinct different versions of Linux distributions. Although Windows 10 has a Windows Linux Subsystem with increasing interchangeability of commands, pipelines, and even a popular shell app, use on Windows Server 2019 still has some limitations. For example, there is no pipeline, API set, or interconnect methodology that takes advantage of Windows support or even Active Directory support possibilities, except along narrow gateways. Overall, however, progress has been made, and it’s possible to perform very good container isolation and orchestration with the Kubernetes tool.
Installing Windows Server 2019
Windows Server 2019 is delivered in ISO image file format for bootable media, Virtual Hard Disk for Hyper-V virtualization, and for Azure spin-up as a virtual machine. Certain older AMD and Intel 64-bit CPUs might not be able to support Windows 2019 Server, and Microsoft offers an app called that enables customers to check.
We installed Windows 2019 Server on five hardware platforms, using a regimen of differing operating system payload sources. We installed on bare metal, using hypervisors (Microsoft’s Hyper-V and VMware 6.6), and on Microsoft’s Azure. There are several techniques to remotely deploy Windows Server, and where we had checked compatibility, a raw installation never failed to find all compatible hardware correctly.
Windows 2019 technically doesn’t need a directory service, and we installed it both with and without Active Directory. We used ISO, VHD, and Azure sources/targets and found that initial installations worked fine, but installing Windows Server on VMware 6.6 had a feature limitation– the biggest one being that it won’t also run Hyper-V. It can be argued that running a hypervisor inside of a hypervisor is overkill. But lack of Hyper-V means that other virtualization-related features are also not possible, such as the Windows Subsystem for Linux, which delivers Linux as a network member and provides a control plane for organizations deploying Linux containers. The administrative PowerShell let us execute simple scripts to install roles and features readily. Happily, features and roles can be uninstalled just as quickly.
Even without Active Directory services, Hyper-V can cover a lot of turf, be a strong hypervisor for both Windows, Linux, and xBSD operating system guests, and can still offer important security components, like Microsoft’s Certificate Service, and other roles traditionally offered for general purpose systems servers. Our non-AD installations and upgrades were uniformly painless.
Installation with Active Directory can be employed on bare metal, hypervisor, or Azure instances. System images can be downloaded from either Microsoft’s trial site, or the Volume Licensing websites. Formatted images can be made through Microsoft’s SYSPREP tool, through Microsoft’s Systems Center Configuration Manager, or other cloning tools.
On Microsoft Azure, new accounts require a small amount of setup. The environment, roles and features are chosen, Azure delivers the result, permitting an Azure Active Directory join, and/or access to new or existing Microsoft Office365 infrastructure. Once the groundwork selections are made in either case, deployment of an Active Directory version on Azure worked easily for us.
Storage migration services are available to take prior Windows Server storage to bare metal servers/VMs, to local Azure Stack infrastructure, or to a synchronized file system between on-premises storage and Azure storage. VM and bare metal instance migrations to Windows 2019 was a breeze. A source, destination, and orchestration server running WAC are linked together (when ports are opened for data flow past firewalls), then one click starts it. The new additions have enhanced speed over former versions, and can also include SAMBA-linked Linux distributions.
Even though many administrators are hesitant to perform in-place upgrades of existing Windows Server versions, our admittedly small sample of five upgrades was flawless and fast. It’s more typical to build new Windows Server versions, then mime new or proposed Windows roles according to infrastructure needs. Building and deploying pre-formed instances of Windows Server with the integral SYSPREP tool is still simple.
Summing it up
Much has been done in Windows Server 2019 to ease the administrative complexity needed to secure Windows-based infrastructure. Windows Defender has been strengthened. Certificate management for encryption from everything from network circuits to VMs has been enhanced. This comes as IT departments face increased compliance and audit needs, and require tighter anti-malware systems integrity. Windows Admin Center arrives to remove some of the complexity and multiple fiefdoms of administration in prior versions. The overall effort seems energetic, more egalitarian and embraces hybrid cloud — if it’s the Azure Hybrid Cloud.
The much-touted olive branches to Linux are pragmatic. As in Windows Server 2016, there is much focus on container methods, including a stronger relationship with Docker, including the ability to obtain Docker advanced container support as a function of the Windows Server 2019 licenses. But we aren’t totally there yet. Windows containers are oranges and Linux instances are watermelons and while both are fruitful, they don’t share an OS kernel and can only be linked at the shoulder, not the all-important brain.
How we tested
We tested Windows 2019 Server Standard and Datacenter instances on five platforms: Lenovo Thinkservers (m3650 with 256-512GB of DRAM, some with integral storage arrays) using Extreme Network Summit-series switches.
We also tested Windows 2019 Server editions on bare metal, VMware ESXi 6.6 as VMs in varying configurations, (using three Lenovo M3650 MS servers having 56CPUs, total NVMe disk of 9T and 512GB of memory), Microsoft Azure Cloud (two test instances), AWS, as laptop VMs using Hyper-V on Windows 10, and on laptops using Oracle Virtual Box.
We deployed Windows Server additionally on an HPE DL580Gen9 server (72CPUs, 256GB, 7T storage) as a bare metal install for Hyper-V and Linux density testing.
We backed up and upgraded two older Lenovo RD630 Thinkservers (24CPUs, 128GB, 2T storage) production servers from Windows 2016 Datacenter edition to Windows 2019 Datacenter edition without difficulties. These servers ran primary site DNS, as well as RRAS gateway services, and domain controller roles.
Various instances from stored VMs were used to test Windows Storage Services migrations, including Windows 2003, Windows 2012 (a production instance), and two virtualized instances of Windows 2016 Datacenter and Ubuntu server 16.04 (as updated). We updated all instances to patch/fix/update sync at the end of September 2019.
Our test clients were Lenovo X1 Carbon running Windows 10 Professional (then Educational), Macbook Air 2012, and Thinkpad Yoga S1 (running bare metal Linux).