What’s New in Windows Server 2019
With each new version of Windows Server, Microsoft introduces new and innovative technologies to improve administration or add needed functionality. Here are some of the new features in Windows Server 2019:
- App Compatibility Feature on Demand (FoD) for Server Core: The App Compatibility FoD package includes a set of binaries that improve compatibility for applications that require some of the graphical tools that haven’t historically been available with Server Core.
To use these capabilities, you need to install the FoD package from Microsoft; it’s available as an optional package download from the Microsoft Evaluation Downloads page in the form of an ISO image file. Just search for Windows Server Core Features on Demand, and ensure that you download the same version of FoD as the version of Server Core that you’re going to install or you’ve already installed. All you need to do is copy the ISO image file to the local storage on the server or to a shared storage location.
Then you can use PowerShell to mount the ISO with the Mount-DiskImage This will give you the ability to use Internet Explorer 11, Event Viewer, Performance Monitor, Resource Monitor, Device Manager, Microsoft Management Console (MMC), File Explorer, Windows PowerShell ISE, and Failover Cluster Manager, and it will add support for SQL Server Management Studio.
- Improvements to clustering: Several improvements have been made in regards to clustering in Windows Server 2019:
- Cluster Sets is a new technology that allow you to group multiple clusters. These clusters may just be compute or storage, or they may be hyperconverged (both storage and compute) clusters. This allows the movement of virtual machines (VMs) across different clusters, which, in turn, allows you to do maintenance tasks with little to no impact to the uptime of the VMs. To use the Cluster Sets feature, you create a VM and point it to a unified namespace (a name that is shared and provides access across multiple storage systems) for the cluster set. From there, the VM will be assigned to a cluster, and the cluster will assign it to a specific node.
- File Share Witness is a file share that can be used to reach quorum in a clustering scenario. It received two enhancements in Windows Server 2019. The first enhancement enables the Failover Cluster Manager to block the creation of a file share witness if Distributed File System (DFS) is being used. An error message will also be displayed letting you know that this is not supported because it can cause stability issues in your cluster if your file share witness is put on a DFS share.
The second enhancement to File Share Witness enables you to use a file share witness in scenarios that were not previously supported — for example, when you have poor Internet connections to remote locations, when you don’t have shared drives, when you don’t have a domain controller connection (for instance in a demilitarized zone [DMZ]), or in a workgroup or cross-domain cluster where there is no Active Directory–based cluster name.
The DMZ is the area where you’ll typically locate public-facing systems like web servers. It’s essentially a lower-trust network being exposed to an untrusted network, like the Internet.
- Moving clusters between domains no longer results in the cluster being destroyed. Two new PowerShell cmdlets were created that allow you to move a cluster from one domain to another domain.
- Failover Clustering will no longer use NT LAN Manager (NTLM) for authentication. Instead, you’ll use Kerberos and certificates to manage authentication on your failover clusters.
- Improvements to containers: You may be aware that containers were added in Windows Server 2016. The underlying technology used on Windows Server for containers is Docker. New container capabilities have been added in Windows Server 2019:
- You can use group managed service accounts (gMSA) to access network resources. The container’s host name doesn’t need to be the same as the gMSA. You can use the gMSA on both Windows and Hyper-V isolated containers.
- Applications that have specific communications needs such as support for Serial Peripheral Interface (SPI), Inter-Integrated Circuit (I2C), general-purpose input/output (GPIO), and universal asynchronous receiver-transmitter/communication (UART/COM) port can now be containerized. Host Device Access allows you to assign a simple bus to Windows Server containers. This is especially useful for Internet of Things (IoT) devices like sensors and other peripheral devices.
- A third container image has been created that resolves application programming interface (API) dependencies that were not available in Server Core.
- You can now deploy Kubernetes on Windows Server 2019. The master node still needs to be on Linux, but you can configure worker nodes to run on Windows Server. If you’re in a Windows-centric shop and you’re trying to automate processes, or you’re just looking for a container orchestration solution, Kubernetes is a great one to go with. You can find lots of great resources on Kubernetes if it’s something you’re interested in.
- Congestion control: Windows Server 2019 includes Low Extra Delay Background Transport (LEDBAT), a network congestion control provider. As the name suggests, LEDBAT can find available network bandwidth for running updates and other network-intensive jobs. When the network is not in use, it can consume all the bandwidth. When the network is in use, it gives up bandwidth for your users and applications so that they don’t experience network delays.
- Security enhancements: There are three enhancements made to security in Windows Server 2019, expanding on work done in Windows Server 2016 when Windows Defender was officially introduced to the server operating system. These enhancements are as follows:
- Windows Defender Advanced Threat Protection (ATP): Provides visibility to attack activities that target memory and kernel-level areas, as well as the ability to respond to compromised systems. It also aids in forensics investigations and can be used to collect data about the system remotely.
- Windows Defender ATP Exploit Guard: ATP Exploit Guard has similar capabilities to Host Intrusion Prevention Systems (HIPS). It’s designed to protect systems from multiple methods of attack, as well as block suspicious behavior that is often seen in compromises involving malware. The exploit protection capability replaces the older Enhanced Mitigation Experience Toolkit (EMET) that was previously offered by Microsoft.
- Windows Defender Application Control: This feature was actually released in Windows Server 2016, but customer feedback provided to Microsoft conveyed that it was difficult to deploy. The version that ships with Windows Server 2019 comes with default policies built in to address some of the hardships that organizations faced. Microsoft applications are allowed to run by default, and executables that are known to be able to bypass code integrity checks are blocked.
- Software-defined networking (SDN) enhancements: There were several improvements within the area of SDN:
- One of the great improvements in security was made by introducing the Encrypted Networks feature, which provides end-to-end encryption and is configured on a per-subnet basis.
- High-performance gateways allow for the network throughput to be increased up to six times. This is really great for hybrid scenarios where some systems are on-premises and others are in Azure.
- Access control lists were introduced for the SDN fabric and can be applied automatically. This can improve the security of your SDN.
- Your Hyper-V hosts can now generate firewall logs in the appropriate format for Azure Network Watcher.
- IPv6 support was added, including all the security features available with the traditional IPv4 SDN.
- Virtual network peering was introduced, to give you a method to allow separate virtual networks to communicate.
- Shielded VMs: The concept of the shielded VM was introduced in Windows Server 2016. Some cool new features available with Windows Server 2019 include the following:
- The ability to run shielded VMs on systems that have intermittent connectivity to the Host Guardian Service (HGS)
- The ability to enable VMConnect enhanced session mode and PowerShell Direct to aid in troubleshooting efforts
- Support for shielded VMs running Linux operating systems
- Improvements in storage: Storage Spaces Direct (S2D) was introduced in Windows Server 2016 Datacenter edition. This was a great step in the direction of hyperconverged architectures. It allows for locally attached storage to be leveraged to create highly available and easily scalable software-defined storage. Some of the new features added in Windows Server 2019 include the following:
- New PowerShell cmdlets: These cmdlets simplify volume management and the retrieval of performance history when using Storage Spaces Direct.
- Storage Migration Service: Storage Migration Service allows you to inventory existing servers for their data, security, and network settings, and then migrates those settings to a new modern server using Server Message Block (SMB). This is a huge win for you if you have some old file servers hanging around still because it simplifies the migration to a newer and more supported operating system. The new system takes over the identity of the old server — your users won’t even know anything happened!
- Improvements to Storage Replica: Storage Replica was initially released in Windows Server 2016 Datacenter edition and allows for synchronous and asynchronous block replication between servers and/or clusters. With Windows Server 2019, Storage Replica has been made available in the Standard edition as well as the Datacenter edition.
The Standard edition version of Storage Replica does have a few limitations that don’t exist in the Datacenter version. You’ll need to see if these limitations will impact your use case; if they will, be sure to install the Datacenter edition.
- System Insights: System Insights is a new feature in Windows Server 2019. It utilizes machine learning to analyze performance data and other metrics on each server. This feature can be especially beneficial if you need to do capacity forecasting for compute, storage, and networking needs. System Insights can be managed through PowerShell or through the newer version of Windows Admin Center.
- Windows Admin Center: Windows Admin Center can be used to centrally manage your servers, from viewing performance statistics, reviewing logs, and performing configuration tasks to setting up recovery for your local server to Azure by utilizing Azure Site Recovery. Windows Admin Center can now connect to Server 2008 R2, though with limited functionality. Server 2012, 2012R2, 2016, Windows 10, and of course Windows Server 2019 are fully supported. The tool is browser-based and is designed to complement existing tools, but not necessarily replace them.