Windows Server 2022 is full of new file services!
Published Sep 01 2021 09:17 AM
Microsoft

Heya folks, Ned here again. As you’ve heard by now, Windows Server 2022 is available and supported for production deployments. This new OS brings many new features around security, storage, networking, web, containers, applications, virtualization, edge, and Azure hybrid.

Today I’ll highlight what we’ve introduced for the single most used scenario in organizations: File Services. Our goal with Windows Server 2022 was to make the same generational leap that we did with Windows Server 2012, where we first introduced SMB 3.0 and its security, scale, and performance options. With Windows Server 2022, we focused on today's world of hybrid cloud computing, mobile and telecommuter edge users, and increasingly congested and untrusted networks. We ended up with a large new catalog of options for your organization to stay productive.

Mount up!

SMB Compression

Windows Server 2022 introduces SMB compression, which shrinks files as they transfer over the network. Compressed files use less bandwidth and take less time to transfer, at the cost of slightly increased CPU usage during transfers. For files with compressible space, the savings can be huge – watch my demo below of copying VHD files!

Narrated demo of SMB compression on YouTube

You configure this feature with Windows Admin Center or PowerShell, and you can set compression on SMB shares, client mapped drives, clients, servers, or even on individual file copies using robocopy. SMB compression is most effective on networks with less bandwidth, such as a client's 1Gbps ethernet or Wi-Fi network. It supports your favorite SMB options like SMB signing, encryption, and multichannel. Windows 11 and Windows Server 2022 both have this new capability.
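As an added example (not code from Ned's post; the cmdlets belong to the built-in SmbShare module, but the server name, share name, drive letter and paths are placeholders I chose), here is how compression is switched on from PowerShell at each layer the paragraph lists, plus a robocopy job that compresses a single copy regardless of share settings. The -RequestCompression parameters on Set-SmbServerConfiguration and Set-SmbClientConfiguration are assumed to be available, which to my knowledge requires a later cumulative update on both Windows 11 and Windows Server 2022.

```powershell
# Added example, not from the post. 'fs1', 'Repository', 'R:' and the
# local paths are placeholders.

# --- File server: request compression on one share ---------------------------
# CompressData tells connecting clients that traffic for this share should be
# compressed. Signing and encryption still apply to the compressed payload.
Set-SmbShare -Name 'Repository' -CompressData $true -Force
Get-SmbShare -Name 'Repository' | Select-Object Name, Path, CompressData

# --- File server: request compression for every share ------------------------
# (assumed to need a post-RTM update of Windows Server 2022)
Set-SmbServerConfiguration -RequestCompression $true -Force

# --- Client: request compression for every connection this machine makes ----
# (assumed to need a post-RTM update of Windows 11)
Set-SmbClientConfiguration -RequestCompression $true -Force

# --- Client: compression for just one mapped drive ---------------------------
New-SmbMapping -LocalPath 'R:' -RemotePath '\\fs1\Repository' -CompressNetworkTraffic $true

# --- One copy job, e.g. the VHD copy from the demo ---------------------------
# /COMPRESS asks for compression on this robocopy session only, so no share
# or client setting has to change for a one-off bulk transfer.
robocopy 'C:\Images' '\\fs1\Repository\Images' *.vhdx /E /MT:8 /R:1 /W:1 /COMPRESS

# --- Opt out again -----------------------------------------------------------
# Either side can refuse compression outright, which is the lever to pull if a
# third-party SMB stack misbehaves once compression is negotiated.
# Set-SmbServerConfiguration -DisableCompression $true -Force
# Set-SmbClientConfiguration -DisableCompression $true -Force
```

Compression is negotiated per SMB 3.1.1 connection, so a client that never requests it (or a server that disables it) simply transfers uncompressed; the share-level CompressData flag is the least invasive place to start for a test.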

This is a game-changing feature in a world where files are bigger than ever on networks that are fuller than ever.

SMB Security

We added a raft of new SMB security features in Windows Server 2022 for use with client-server scenarios as well as failover clustering and high-speed RDMA networking. Security is ever evolving, and besides the new options below, we have additional security features coming retroactively to Windows 11 and Windows Server 2022.

[Image: Windows Admin Center and the SMB settings for encryption and signing]

AES-256

SMB encryption protects your data from being read off the network. Windows Server 2022 now supports AES-256-GCM and AES-256-CCM, in addition to the primary AES-128 encryption used today. This isn’t some implication that AES security is flawed – there are no practical attacks that would allow someone without a key to decrypt AES-128 and none reasonably forecast, despite what the quantum computing marketing folks would have you believe – it’s to ensure that we met mandates like FIPS 197, NSA Suite B Cryptography, and others required by top secret networks. In fact, we still use AES-128 by default for performance reasons and let you opt into 256 bits with group policy and management tools. Windows 11 and Windows Server 2022 have this new capability.

Accelerated signing

SMB signing prevents tampering with data on the network, as well as relay, interception, and spoofing attacks. With Windows Server 2022, we added AES-GMAC acceleration to signing, meaning improved AES-NI hardware offloading provided by CPUs. When two AES-128-GMAC machines are signing SMB and running at least Nehalem processors – i.e., newer than 12 years old – you’ll see the latency of signed SMB really drop and transfer speeds improve, especially on busy processors. For more info on signing, check out Configure SMB Signing with Confidence. Windows 11 and Windows Server 2022 have this new capability.
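As an added example covering both the AES-256 and the signing paragraphs above (not code from the post; the cmdlets are the SmbShare module's, while the share name is a placeholder), here is how a Windows Server 2022 file server opts into the 256-bit ciphers, requires encryption on a sensitive share, enforces signing, and how a client checks what a session actually negotiated. The cipher-list string format follows the EncryptionCiphers parameter added in Windows Server 2022 and Windows 11.

```powershell
# Added example, not from the post. 'Finance' is a placeholder share name.

# --- Encryption: prefer AES-256 --------------------------------------------
# EncryptionCiphers is a negotiation-order list. Out of the box AES-128-GCM
# comes first for performance, as the post explains; putting the 256-bit
# ciphers first is the opt-in. AES-128 stays in the list so older SMB 3.1.1
# clients can still encrypt rather than being refused.
Set-SmbServerConfiguration -EncryptionCiphers 'AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM' -Force
(Get-SmbServerConfiguration).EncryptionCiphers

# Require encryption on one share. Clients that cannot do SMB 3 encryption
# are refused rather than silently falling back to cleartext.
Set-SmbShare -Name 'Finance' -EncryptData $true -Force

# To refuse unencrypted access to every share on this server instead:
# Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

# --- Signing: required on both ends ----------------------------------------
# With SMB 3.1.1 on both sides and AES-NI capable CPUs, the AES-128-GMAC
# acceleration described above is used automatically; there is nothing to
# configure beyond requiring signing. Requiring it on the client as well stops
# a rogue server from negotiating it away.
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# SMB1 has neither encryption nor AES-based signing; keep it off.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# --- Verify from a client after mapping a share -----------------------------
# Dialect should read 3.1.1 and Encrypted/Signed should be True for the
# shares you hardened.
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Encrypted, Signed
```

Note that -RequireSecuritySignature is the same setting the older "Microsoft network server/client: Digitally sign communications (always)" security option writes, so a preference set here will show up there too.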

SMB Direct and RDMA encryption

SMB Direct and RDMA supply high bandwidth, low latency networking fabric for workloads like Storage Spaces Direct, Storage Replica, Hyper-V, Scale-out File Server, and MS SQL server. Windows Server 2022 SMB Direct now supports encryption. Previously, enabling SMB encryption disabled direct data placement; this was intentional, but seriously impacted performance. Now we encrypt data before placement, leading to far less performance degradation while adding AES-128 and AES-256 protected packet privacy. Windows 11 Enterprise, Education, and Pro Workstation, as well as Windows Server 2022, have this new capability.

Failover Cluster East-West security control

Windows Server failover clusters use intra-node communications instances for cluster shared volumes (CSV) and the storage bus layer (SBL). Windows Server 2022 now allows granular control of encrypting intra-node storage communications for those networks beyond the “default” instance of SMB Server. This means that when using clusters and RDMA networks, you can decide to encrypt or sign east-west communications within the cluster itself for higher security, but not necessarily for north-south communications like file copies or Hyper-V Live Migration – and the reverse as well. You can control this with PowerShell currently; there’s more info at Security Settings for Failover Clustering. Windows Server 2022 failover clusters have this new capability.

Storage Migration Service

The Storage Migration Service migrates servers, their storage, and their SMB config from old Windows and Linux to modern Windows Servers and clusters running on-prem or in Azure. You can now also migrate from NetApp FAS arrays running NetApp ONTAP 9 or later. The process is almost identical to migrating from an old Windows Server 2008 or 2012 machine, except that now you point to a NetApp FAS and pick from its running CIFS SVMs, and you can migrate the data into folders on one or more volumes as NetApp storage doesn’t have drive letters.

Furthermore, SMS now integrates with Azure File Sync cloud tiering! AFS cloud tiering allows you to use less storage in your Windows File Server and tier your data into Azure for backups and added ransomware protection.

[Image: Windows Admin Center and the Storage Migration Service enabling AFS sync on each volume]

Applications must be aware of AFS cloud tiering, though; when they copy a large data set and AFS says “hey, this volume is full – please wait for me to dehydrate these old files into Azure,” the app has to pause IO. SMS understands this and you can configure AFS cloud tiering on your destination so that the migration and AFS happen simultaneously. For more info on AFS cloud tiering, see Understand Azure File Sync cloud tiering.

[Image: Windows Admin Center and the Storage Migration Service about to begin a transfer with AFS enabled]

For steps on SMS, see Use Storage Migration Service to migrate a server. Windows Server 2022 and Windows Server 2019 with an update both have this new capability.

Storage and Networking

While not specific to File Services, the Networking, Hyper-V, and local storage teams have been busy adding performance options that SMB and file servers gain on Windows Server 2022. You’ll configure the new standalone storage bus cache feature based on your drive configuration; the networking features are on by default and just work!

TCP & UDP Networking

Windows Server 2022 implements TCP HyStart++ to reduce packet loss during connection start-up - especially helpful in high-speed networks - and RACK to reduce Retransmit Timeouts (RTOs). These features are enabled in the transport stack by default and provide a smoother network data flow with better performance at high speeds. Windows 11 and Windows Server 2022 both have this new capability.

Furthermore, UDP is becoming a more popular protocol carrying more networking traffic. In Windows Server 2022 we added the game changing UDP Segmentation Offload (USO). USO moves much of the work needed to send UDP packets from the CPU to the NIC's specialized hardware. We also added UDP Receive Side Coalescing (UDP RSC) which coalesces packets and reduces CPU usage for UDP processing. “But” you exclaim, “SMB uses TCP and RDMA, what does this matter?” Read on, noble IT Pro, to see why this is important. Windows 11 and Windows Server 2022 both have this new capability.

vSwitch networking

The odds that your file servers are virtualized are extremely high and Windows Server 2022 improves the Hyper-V vSwitch with updated Receive Segment Coalescing (RSC). This allows the hypervisor network to coalesce packets and process as one larger segment. This reduces CPU cycles and segments will remain coalesced across the entire data path until processed by the intended application. This means improved performance in both network traffic from an external host, received by a virtual NIC, as well as from a virtual NIC to another virtual NIC on the same host. Windows Server 2022 has this new capability.

Storage bus cache

Windows failover clusters with Storage Spaces Direct have supported a caching feature for many years and now the option is available for standalone servers using Storage Spaces as the storage bus cache. Storage bus cache can significantly improve read and write performance by tiering smaller fast flash drives above slower but higher capacity drives.

[Image: A diagram of SSD and HDD drives arranged into mirror cache tiers and parity capacity tiers]

SBC can work both as a read cache and a read-write cache, depending on your hardware. It adds performance to a file server without breaking the bank. Windows Server 2022 has this new capability.

SMB over QUIC (preview)

Finally, we come to the next generation of hybrid file services: SMB over QUIC. SMB over QUIC (preview) provides secure and reliable connectivity to edge file servers over untrusted networks like the Internet, and brings an "SMB VPN" to telecommuters, mobile device users, and high security organizations. QUIC is an IETF-standardized protocol with many benefits over TCP, including:

  • All applications using QUIC travel over UDP and, by default, the firewall-friendly port 443
  • TLS 1.3 ensures encryption of all packets and a certificate provides non-repudiation
  • Parallel streams of reliable and unreliable application data
  • Improved congestion control and loss recovery

All SMB traffic, including authentication and authorization, occurs within the tunnel and is never exposed to the underlying network. SMB over QUIC supports Kerberos but even if you decide to use NTLMv2, no challenge or response is exposed to the network.

Here's a demonstration of deploying SMB over QUIC and the user experience:

Narrated demo of SMB over QUIC on YouTube

SMB behaves normally within the QUIC tunnel; as you saw in the demo, the user experience doesn't change. SMB features like multichannel, signing, compression, continuous availability, and directory leasing work normally. Windows 11 and Automanage for Windows Server Services (with Windows Server 2022 Datacenter: Azure Edition Preview) both have this new capability, and it is coming to Azure Files and Android Phones later.
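As an added example (not code from the post or from the demo; the cmdlets are the SmbShare and NetSecurity modules' own, but the server name, share name, drive letter and certificate thumbprint are placeholders I chose), here are the minimum server- and client-side steps that put an SMB share behind the QUIC tunnel described above. It assumes the server already holds a TLS certificate, with the FQDN clients will use as its subject or SAN, in the local machine "My" store.

```powershell
# Added example, not from the post. 'fs1.contoso.com', 'Projects', 'Z:' and
# the thumbprint are placeholders.

# --- Server: Windows Server 2022 Datacenter: Azure Edition ------------------
$serverFqdn = 'fs1.contoso.com'
$thumbprint = '<certificate-thumbprint-placeholder>'

# Bind the certificate to the name clients connect to. QUIC uses it for the
# TLS 1.3 handshake; the server does not accept QUIC connections until a
# mapping exists, and the client rejects a name mismatch, which is what gives
# the "SMB VPN" its server authentication.
New-SmbServerCertificateMapping -Name $serverFqdn -Thumbprint $thumbprint -StoreName My
Get-SmbServerCertificateMapping

# QUIC rides on UDP 443. Open only that port on the edge; TCP 445 stays closed
# to the Internet, so authentication and data never leave the tunnel.
New-NetFirewallRule -DisplayName 'SMB over QUIC (UDP 443 in)' -Direction Inbound `
    -Protocol UDP -LocalPort 443 -Action Allow

# --- Client: Windows 11 -----------------------------------------------------
# Ask for the QUIC transport instead of TCP 445. Everything else (signing,
# compression, multichannel, Kerberos or NTLMv2) works inside the tunnel as
# the post describes.
New-SmbMapping -LocalPath 'Z:' -RemotePath "\\$serverFqdn\Projects" -TransportType QUIC

# Equivalent with net use:
# net use Z: \\fs1.contoso.com\Projects /TRANSPORT:QUIC

# Confirm the mapping is up and which dialect was negotiated (3.1.1 expected).
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Encrypted, Signed
```

Because the client validates the certificate name, use a certificate whose subject or SAN exactly matches what users type in the UNC path; a mismatch surfaces as a connection failure rather than a warning.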

This is another game-changing feature.

Summary

Woo that’s a bunch of new stuff to learn. If you’re looking to get your feet wet, I recommend SMB compression as the quickest place to start, then dig into SMB over QUIC. For more important info on Windows Server 2022 in general:

Don’t forget to add Microsoft Ignite to your calendar for November – there will be tons of Windows Server info. And really don’t forget to register for the free Windows Server Summit on September 16, 2021. I have a presentation with Rick Claus that features great info, discussion, demos, and a special guest! Who could it be?

[Image: Author's very embarrassed dogs wearing Halloween costumes of a viking and cowboy-riding horse]

Until then,

- Ned “So Much Beauty” Pyle

18 Comments

SMB compression:

Don't be shy to add nice pics from WAC 2103.2 and latest File and Share Plugin too. @Ned Pyle 

https://yourwacgateway.tailspintoys.local/servermanager/connections/server/yourfileserver.tailspinto...

WAC Gateway > connect to Server > Files and File Sharing > File Shares

Select a share (non-administrative shares only; x$ shares cause issues) > Edit Share


If anyone thinks these bells and whistles are for enterprise only? Nope, all the good stuff like SMB compression and SMB over QUIC is also functional on the very same OS "cobalt" release 21H2 of Windows 10 and 11.
And it might even be partly backported to Vibranium (2004).

Here is an absolutely practical use case #sarcasm of SMB compression in a Home NAS solution powered by Windows Server 2022 LTSC as SMB target / Windows 11 as a client.

What I am going to do?

- Copying the WinSxS folder and an extracted ZIP of the Intel NIC Driver 26.x package to have a lot of compressible files. This is something everybody does every day, right?


Results:

300 Mbytes/ seconds throughput on a 1 Gbit link for small files isn't that bad is it? I think it was 1 - 20 Mbyte/s with File Explorer.

Small files - NO SMB Compression - File Explorer - Windows 11 > Server 2022 LTSC

(seems not to use it still on Windows 11 - would be great if so)


Small files - SMB Compression - Robocopy - Windows 11 > Server 2022 LTSC


source files:

Win11 WinSXS (of all accessible files without elevation)

Intel Network Driver Package zip extracted

Total: 60.944 files, 7.27 GByte

HW:

Source and target are SSD disks, so the 1 G Ethernet link is the bottleneck. Plenty of RAM and CPU available.

Remember SMB compression is not enabled by default, so you need PowerShell or preferably Windows Admin Center to manage it on the particular network shares or network drives.

robocopy "i:\test\small files" "\\mhv02.tailspintoys.local\Repository\test compress" /s /e /mt:16 /w:1 /r:1 /compress


Fun Fact: deleting the files from a File Share via SMB remotely in Windows Explorer takes a lot longer than copying them to this very File Share via SMB compression, because of the "processed preview" :)


Iron Contributor

Hello Ned,

Congrats for the release, as it seems you are the last Product Team still interested in putting new features into Windows Server from what I saw from the Release Notes.

Some quick questions for you :

- Regarding SMB Security, how do you manage conflicts with similar GPO parameters? (I'm expecting GPO to win, but...)

- Do you plan to update Storage Migration Services to migrate shares and not volumes only?

- Dynamic Access Control GUI is currently only available on the deprecated Active Directory Administrative Center. Any plans to move it to Windows Admin Center?

Thanks

Microsoft

@Alban1999 Thanks!

- Security policy mostly isn't really policy, it's preference - it has only one registry setting and isn't really GP. This is because it's older than GP and comes from NT

- SMS already migrates shares not volumes by default; you have to opt into shares. Maybe I am misunderstanding?

- I have no ownership or knowledge of DAC or its future, sorry. 

"Dynamic Access Control GUI is currently only available on the deprecated Active Directory Administrative Center."

Factually this tool is not deprecated. In fact most still use Active Directory Users and Computers (ADUC). For Server 2022 I have even worked hard to get a long-standing issue from 2012 fixed in ADAC.

Otherwise there will be no changes in GUI tools, neither ADAC or ADUC.

@Alban1999 do you have a Microsoft statement that ADAC is deprecated? 

I would not use DAC as there is no counterpart in Azure at all. 

Iron Contributor

Hello Ned,

Sorry for the delay in the response.

- You're right on security settings, those are preferences not policies. I'm an idiot for forgetting about this.

- My question was really, really badly written (guess that wasn't a good day to write anything).

Here is my use case:

I'm migrating file servers on a regular basis, mostly from 2008 R2/2012 R2 to 2019. Most of those migrations imply merging or dispatching data from/to one/several file shares. I'm still relying on good old robocopy because some options are still not available within file storage services, like copying data without retaining ACLs, for example.

Basically, do you aim to provide similar features between robocopy and SMS in the future?

Microsoft

@Alban1999 no worries & you're definitely not an idiot :) 

So you want to migrate files using SMS but not have the ACL's migrate? I.e. just inherit the destination file system's inherited defaults? Or do you mean you want to move where the files get migrated to so that they aren't a mirrored copy of the source but instead merged together under some new folder structure? 

I want to be sure I understand real clearly here, sorry for endless questions. A diagram might help here too.

Iron Contributor

Looks like option 2 matches my needs. Let me give you one scenario I worked on.

I could describe more similar scenarios but that would be converting your comment section into a KB :p

Case 1: Bob the fat file server.

Bob is ten-ish years old. Bob holds 6+ To of data, including application, user and office data. No one cares for Bob, yet everyone knows that if Bob fails, the company halts.

So I'm moving Bob's data over to newly built file servers. I wish to separate user data, application data, and office data (one file server being dedicated to one type of data only). I build and apply a brand new delegation model (including file directories and permissions) on those new file servers and their new shares. And I check with my customer what to move and where.

If I'm very lucky, I just need to copy the content of one of Bob's shares to a newly created share. If I'm not (and most of the time, I'm not), I need to copy a part of a share (like a single or multiple specific folders) to another share: for example, user data being mixed with application data, the customer wishing to isolate sensitive data to a dedicated share, etc.

In both cases I likely do not wish to copy ACLs because the destination has already been pre-configured: I put my trust in my delegation model.

TL;DR: during most of my file migration scenarios, it is not enough to work on the volume/share level; I frequently need to work on a folder level to be able to reorganize data. Also, it is likely I do not want to retain ACLs because I'm also implementing a new delegation model.

Robocopy is able to do that, not SMS (yet). Thus my question.

By the way, thanks a lot for taking some of your very precious time to gather feedback from us IT pros. This is very, very much appreciated.

Microsoft

Ah yeah. Sorry. We definitely only support the ACL mirror model - in fact we go even further and support local user and groups (with their new SIDs) so that we don't lose access to data or expose it by mistake, something robocopy cannot handle. I think robocopy is going to be your best option, perhaps combined with the ancient-but-still-useable built in 'server migration tool' you'll see listed as a feature. That tool can be run in a "recreate the shares only" mode where you wouldn't have to manually do all the shares over yourself. 

Then you're just left with dealing with cutover manually. We did document what it does so you have kind of a checklist though: How cutover works in Storage Migration Service | Microsoft Docs

Sorry for my bummer answer. I've never had anyone ask for this functionality before. I guess one other thing would be to just run the migration, let it do all the security, and then just blow it away yourself with ICACLs afterwards? Meh... 

Iron Contributor

From experience I can confirm rewriting ACL is hell, and I try to stay away from it - just like local groups-based ACL. I do appreciate you fully support this kind of migration for customers who need it however.

Regarding an ACL-less migration model, maybe create a PowerShell-only option, with a -Confirm switch on top of it? But I know your engineering resources aren't infinite and cannot implement every possible feature... And as you said, some alternate tools are already available. Was worth asking anyway :)

Thanks for your response.

Copper Contributor

Do you think I will get a noticeable performance increase on an RDS server when loading profiles with FSLogix if I compress the SMB share on the file server where the VHDX files are located?

Microsoft

@PP-IT_Systeme I have no idea, please let us know how it goes. :)

Copper Contributor

What about storage server customers.  We have a few customers with Windows Server 2016 storage server deployed.  Is there a storage server version of 2022 planned or is 2016 the last storage server version we're going to get?

Microsoft

Hi. The Storage Server team was disbanded and WS2016 was the last version; there was no 2019 version and there are no future versions planned. 

Copper Contributor

Why isn't compression enabled on Windows Server 2022 shares by default? Are there many (or a few common) likely scenarios where this setting causes risk or undesired results? 

Microsoft

@Brian Murphy Hiya. It definitely has some CPU overhead and we didn't want to impact client perf in a mysterious way without first letting people use the opt-in route. But more importantly: we've found third parties over the years that fail to correctly follow the protocol spec for SMB and break when new capability comes to an existing dialect (even when they're negotiated like this one). The opt-in model gives them some time to catch up on their own bug fixes before we make the broader default change. 

Copper Contributor

Hello everybody!

Has anything changed regarding file (server) permissions from Windows Server 2019 and Windows Server 2022? A shared folder with folder permissions "Read & Execute (this folder only)" allowed the users to see the subfolders directly in the shared drive. However, on a Windows Server 2022 file server, we seem to need "Read & Execute (this folder and subfolders)", or users cannot see the folders contained in the share.

If the share is mapped as O:, then on Windows Server 2022 O:\ appears empty while in Windows Server 2019 you can see the subfolders of O:\.

Thanks if anyone can shed a light on this.

Stefan

Copper Contributor
If anyone thinks these bells and whistles are for enterprise only? 

They'd be right! We locked SMB QUIC behind our least accessible version of windows server that only enterprises ever deploy! You guessed right!

Dear @Gavin Greenwalt yes, SMB over QUIC is integrated in Defender Firewall rules but afaik not usable with WS 2022. Maybe it will be coming in the next release in 1 or 2 years?

currently it is only available in Azure Cloud WS VMs or on-premises on Azure Stack HCI, which grants use rights for WS Datacenter Azure Edition (based on your licensing). 

Apart from SMB over QUIC and Thin Provisioning Storage Pool, which is currently exclusive to Azure Stack HCI 22H2, most of the features Ned brought up (and these aren't even all) are available in the LTSC release.

If you have any questions, I would be happy to help.

Last update: Nov 07 2022 03:41 PM