Chapter 1

Configuring Server Roles and Features

IN THIS CHAPTER

  • Using Server Manager to administer your server
  • Understanding the server roles available in Windows Server 2022
  • Understanding the server features available in Windows Server 2022

Being familiar with Server Manager and knowing how to find the tools that you need will make your life as a system administrator much simpler. From knowing how to access the basic information about your server (like its hostname, IP address, and activation status) to installing new roles and features, Server Manager offers you a central administration point to start from.

This chapter starts with an introduction to Server Manager and shows where to find the tools you need to do your job. Then I explain the roles and features that are available in Windows Server 2022.

Using Server Manager

Server Manager is where you’ll spend a great deal of time with a brand-new server. It launches right after you log in and is a central management area for the server you’re logged into.

When you first log in, Server Manager will launch with the Dashboard selected. The Dashboard has a large tile at the top, called a Quick Start tile, that has typical initial server configuration tasks available as hyperlinks, shown in Figure 1-1. If you want this large tile to go away, you can click Hide in the lower-right corner.

FIGURE 1-1: The Server Manager Dashboard with the Quick Start tile at the top.

Below the Quick Start tile are tiles for all the roles that are installed on the server. With a fresh installation of Windows Server 2022 with no customizations made, you’ll have tiles for File and Storage Services and Local Server. These tiles are very useful because they can tell you very quickly if your server is healthy. If the tile is green and has a little up arrow, that means that the service is up and running properly. If the tile is red and it has a little down arrow, that means that the service either ran into problems or isn’t running. You can click the individual tiles to get more information on the individual roles. For instance, if I click the File and Storage Services role tile, I can see events related to the services running that are supporting this role, shown in Figure 1-2. On the left side are the configuration options for the local server’s storage, including volumes, disks, and pools.

Roles and features

Roles and features allow you to add functionality to your server. A role is something you want to use your server to do. For instance, you may install the Active Directory Domain Services role so that you can make this server a domain controller. A feature is typically used to support a role. In this case, you would also install the management tools for Active Directory Domain Services (you’ll be prompted to install this feature when you select the role). The management tools are a feature.
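Every installed role or feature is code that has to be patched and defended, so it helps to compare what is installed against what the server is meant to do. The following PowerShell is an added example, not from the book; the function name Compare-RoleBaseline, the approved list, and the sample inventory are assumptions made for illustration.

```powershell
# Added example. The baseline list and the sample inventory are constructed;
# replace the baseline with the list that matches this server's purpose.

function Compare-RoleBaseline {
    param(
        # Objects shaped like Get-WindowsFeature output: Name, FeatureType, Installed
        [Parameter(Mandatory)] [object[]] $Inventory,
        # Role and feature names that are expected on this server
        [Parameter(Mandatory)] [string[]] $ApprovedNames
    )

    $installed      = @($Inventory | Where-Object { $_.Installed })
    $installedNames = @($installed | ForEach-Object { $_.Name })

    # Installed but not approved: extra functionality nobody asked for.
    foreach ($item in $installed) {
        if ($ApprovedNames -notcontains $item.Name) {
            [pscustomobject]@{
                Name        = $item.Name
                FeatureType = $item.FeatureType
                Finding     = 'Installed but not in baseline'
            }
        }
    }

    # Approved but missing: for example a role installed without its management tools.
    foreach ($name in $ApprovedNames) {
        if ($installedNames -notcontains $name) {
            [pscustomobject]@{
                Name        = $name
                FeatureType = 'n/a'
                Finding     = 'In baseline but not installed'
            }
        }
    }
}

# Constructed baseline for a domain controller: default storage role plus AD DS and its tools.
$approved = 'FileAndStorage-Services', 'Storage-Services', 'AD-Domain-Services', 'RSAT-AD-Tools'

if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    # On a real server, use the live inventory. A fresh install also reports default
    # features, so expect to extend $approved before the report comes back empty.
    $inventory = Get-WindowsFeature
} else {
    # Constructed sample so the function can be tried on a machine without the cmdlet.
    $inventory = @(
        [pscustomobject]@{ Name = 'FileAndStorage-Services'; FeatureType = 'Role';         Installed = $true  }
        [pscustomobject]@{ Name = 'Storage-Services';        FeatureType = 'Role Service'; Installed = $true  }
        [pscustomobject]@{ Name = 'AD-Domain-Services';      FeatureType = 'Role';         Installed = $true  }
        [pscustomobject]@{ Name = 'RSAT-AD-Tools';           FeatureType = 'Feature';      Installed = $false }
        [pscustomobject]@{ Name = 'Fax';                     FeatureType = 'Role';         Installed = $true  }
        [pscustomobject]@{ Name = 'Web-Server';              FeatureType = 'Role';         Installed = $false }
    )
}

Compare-RoleBaseline -Inventory $inventory -ApprovedNames $approved | Format-Table -AutoSize

# To preview the role-plus-management-tools install without changing the server:
#   Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -WhatIf
```

With the constructed sample, the report lists Fax as installed but not in the baseline and RSAT-AD-Tools as in the baseline but not installed.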

FIGURE 1-2: The File and Storage Services management window.

Diagnostics

Server Manager gives you quick and easy access to many of the diagnostic tools that you may need over your career. To access them, simply click Tools in the top menu, shown in Figure 1-3.

Here are a few of the items in the Tools menu that have helped me over the years:

  • Event Viewer: When I’m troubleshooting an issue, my first stop is almost always the Event Viewer. I start with the System, Application, and Security logs, and then I get into role- and/or component-specific logs if needed.
  • Performance Monitor: Performance Monitor is a very useful tool when you need to be able to measure very specific metrics in relation to performance like central processing unit (CPU) idle time, interrupt time, user time, and so on. It provides hundreds of counters out of the box and can be set to start when a certain criterion or threshold is met. This tool is most useful for troubleshooting issues related to performance like slowness and/or freezing.
  • Resource Monitor: If you just want a quick look at how your system is doing, Resource Monitor is great for that. It has a simple summary screen that gives you information on your CPU, disk, network, and memory usage. This tool focuses on resource utilization and could help troubleshoot issues like low disk space, an overutilized disk, or insufficient network bandwidth.

    FIGURE 1-3: The Tools menu in Server Manager.

  • System Configuration: I use System Configuration when I’m having boot issues. The Boot tab gives me several helpful options, including whether I want to use safe boot, if I want to create a boot log, and if I want to use a very basic video setting.
  • System Information: When you need to know what your hardware specs are or what some of your settings are, this should be your go-to utility. It can even tell you what version of BIOS you’re running and what mode it’s running in.
  • Windows Memory Diagnostic: This is the same memory diagnostic that I cover in Book 1, Chapter 2. You’re simply launching it from the menu rather than typing in the name of the program.
  • Windows PowerShell: PowerShell is always handy. You can query settings and export to a text file if need be.
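The Event Viewer and PowerShell items above combine naturally: the same first-stop triage of the System, Application, and Security logs can be scripted and exported to a text file. This is an added example, not from the book; the 24-hour window, the choice of event ID 4625 (failed logon) for the Security log, and the output path are assumptions.

```powershell
# Added example. Run from an elevated prompt; reading the Security log requires it.
$since   = (Get-Date).AddHours(-24)                  # assumed triage window
$outFile = Join-Path $env:TEMP 'event-triage.txt'    # assumed output location

$report = foreach ($log in 'System', 'Application', 'Security') {
    $filter = @{ LogName = $log; StartTime = $since }
    if ($log -eq 'Security') {
        # Security events are audit records, not errors, so filter on an event ID.
        $filter.Id = 4625        # failed logon
    } else {
        $filter.Level = 1, 2     # 1 = Critical, 2 = Error
    }

    try {
        Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
            Group-Object -Property ProviderName, Id |
            Sort-Object -Property Count -Descending |
            Select-Object -First 10 -Property @{ n = 'Log'; e = { $log } },
                Count,
                @{ n = 'Source, Id'; e = { $_.Name } },
                @{ n = 'Latest'; e = { ($_.Group | Sort-Object TimeCreated -Descending |
                                        Select-Object -First 1).TimeCreated } }
    } catch {
        # Get-WinEvent raises an error when nothing matches; a quiet log is a result, not a failure.
        $note = if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            'no matching events'
        } else {
            $_.Exception.Message   # for example, access denied without elevation
        }
        [pscustomobject]@{ Log = $log; Count = 0; 'Source, Id' = $note; Latest = $null }
    }
}

$report | Format-Table -AutoSize | Out-String -Width 200 | Out-File -FilePath $outFile
Write-Output "Triage summary written to $outFile"
```

Grouping by source and event ID puts the noisiest problems at the top, which is usually where role- or component-specific troubleshooting should start.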

Configuration tasks

The majority of your configuration tasks will be done in the Local Server section in Server Manager. When you click Local Server, you’re presented with a Properties page that displays current server information, shown in Figure 1-4. The great thing about this page is that every setting is a clickable hyperlink. If you click it, you’re taken to where you can configure that individual setting. Pretty cool, right? When you have a freshly built server, it simplifies the configuration process because you can change the hostname and IP address from here, as well as update the server, add it to a domain, even activate the operating system.

FIGURE 1-4: The Server Manager’s Local Server properties screen.

Configure and Manage Storage

I mention earlier that, by default, all Windows Server 2022 systems have the File and Storage Services role installed. This gives you an easy-to-access menu to work with your server’s storage. When you click File and Storage Services in the navigation menu, you’re presented with several options; select Disks. This is where you can bring new disks online, initialize the disks, and create volumes, shown in Figure 1-5.

FIGURE 1-5: Working with disks in the File and Storage Services area of Server Manager.

Understanding Server Roles

As I mention earlier, a role is something that we want the server to do. By installing roles, you make servers useful. Maybe you’re building out an Active Directory infrastructure, or maybe you’re creating a robust virtualization platform. Regardless of what you’re trying to accomplish, you’ll most likely start by installing a role.

Let’s take a look at the roles that are part of Windows Server 2022.

Active Directory Certificate Services

Active Directory Certificate Services (AD CS) is a role that allows you to create a public key infrastructure (PKI) in your organization that will allow you to issue your own internal certificates. This may include certificates for your domain controllers so they can support Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL), or certificates for internal web servers, or even code-signing certificates for scripts that will run on your organization’s systems. You can install certificate authorities (CAs) and provide additional services like Online Certificate Status Protocol (OCSP), which provides lookups for certificate revocation information, and Network Device Enrollment Service (NDES), which allows network devices to enroll for certificates without domain credentials.

AD CS has a lot of moving pieces. If you’re interested in learning more about AD CS, including how to install and configure it, check out Book 5, Chapter 6.

Active Directory Domain Services

Active Directory Domain Services (AD DS) gives you the ability to store information about users and other network objects in a directory service. You can organize these objects in a hierarchical structure with forests, domains, and organizational units (OUs).

Active Directory contains a global catalog, which contains information about every single object in the directory, and is required for successful logon to the domain. With Active Directory, it’s simple to search for and locate specific objects if you know a little information about them.

If you’re interested in AD DS, you can learn more about installing and configuring AD DS in Book 2, Chapter 5.

Active Directory Federation Services

Active Directory Federation Services (AD FS) can provide single sign-on capabilities to organizations that are utilizing AD DS. It allows those with an Active Directory account to use that account on applications that are outside the boundaries of their Active Directory (for example, a web application hosted by a business partner), or applications that don’t rely on Active Directory accounts for authentication at all. By creating a federation (the sharing of identity information), the user can be authenticated via his company’s Active Directory and can then be authenticated to the business partner’s web application with a claim. The business partner simply has to configure their web application to trust the incoming claims.

Active Directory Lightweight Directory Services

Active Directory Lightweight Directory Services (AD LDS) is a Lightweight Directory Access Protocol (LDAP)–based directory service similar to AD DS. It’s designed to be used with directory-enabled applications, and it’s especially handy for an organization that may want to establish a directory of customer accounts, but keep that directory separate from the organization’s AD DS infrastructure.

It can be used as an identity provider with AD FS for both authentication and the generation of claims to web applications that are configured to understand federation.

Active Directory Rights Management Services

Active Directory Rights Management Services (AD RMS) allows businesses to create and enforce policies to protect their data. The rules are created on the AD RMS server but continue to protect documents even if they leave the premises. For example, you can set the policy to allow documents to only be accessible for a brief amount of time, after which the recipient can no longer open them. You can take away the ability to print the document or copy text out of it with copy/paste.

AD RMS is not perfect. It won’t prevent someone from taking a screenshot of the data in a sensitive document (there aren’t many rights management products that can prevent this activity). Plus, the applications on the client side must support RMS. The functionality exists in the Microsoft Office suite of applications, SharePoint, and Exchange Server. You can also make Internet Explorer compatible with an add-on.

Device Health Attestation

The Device Health Attestation role was added in Windows Server 2016. It gives administrators a way to verify that a device is healthy as it boots. It can measure several different settings and is configured with whichever settings the system administrator or network administrator wants to track. This role is often used for systems to validate that they’re safe before they’re allowed to connect through remote access services like DirectAccess or other virtual private network (VPN) services.

The settings Device Health Attestation can validate include the following:

  • Is BitLocker enabled?
  • Is Early Launch Anti-Malware (ELAM) enabled?
  • Is Secure Boot enabled?
  • Is Code Integrity enabled?

Dynamic Host Configuration Protocol

Dynamic Host Configuration Protocol (DHCP) is a system administrator’s best friend for sure. Without DHCP, you had to manually assign an IP address and track which IP addresses were assigned. DHCP automates that process. It can automatically assign IP addresses out to systems on a lease-based system. When the lease has gotten to 50 percent of the configured lease duration time, the client will request that the IP address be renewed. If a system needs to keep the same IP address, you can set a reservation for that IP address. For as long as the system in question has the same network interface card, it will get the same IP address. As an additional bonus, you can set DHCP options for each scope that is defined. These options may tell the systems in the scope where they can find their gateway server, their DNS servers, where an imaging server might reside, and so on.

If you’re interested in finding out more about DHCP, check out Book 2, Chapter 5, where I cover installing DNS and DHCP. Be sure to also check out Book 2, Chapter 6.

Domain Name System

Domain Name System (DNS) is a very useful service that helps map hostnames to IP addresses. It’s because of DNS that you can type www.dummies.com in your web browser, which is really easy to remember, instead of having to remember an IP address like 13.32.254.23. Let’s face it, the human brain remembers words and phrases better than numbers.

DNS can resolve hostnames to IP addresses and also can do reverse lookups, which map IP addresses to hostnames. When dealing with network devices that deal only with IP addresses, this can be extremely useful.

If you’re interested in finding out more about DNS, check out Book 2, Chapter 5, where I cover installing DNS and DHCP. Be sure to also check out Book 2, Chapter 6. In addition, there is a whole section on securing your DNS infrastructure in Book 5, Chapter 7.

Fax Server

The Fax Server role can give a server the ability to act as a fax machine. The server enables users on the network to send and receive fax messages. The server is handling the actual message transmission and requires a fax modem with a connection to a telephone line, as well as a network connection so that it can communicate with your users on the network.

This type of setup is far more efficient than having multiple physical fax machines hanging around the office. The coolest thing about this role is that it can be configured to send faxes to your users by email, and they can send an email or Word document to the server and have it faxed out.

File and Storage Services

The File and Storage Services role has quite a few components that you can install. By default, on a fresh install of Windows Server 2022, the Storage Services component is installed. None of the following components under File and iSCSI Services is installed:

  • File Server: Manages folder shares and lets users access those shares from the network.
  • BranchCache for Network Files: A bandwidth optimization technology that caches the contents of servers at your main site with servers at branch sites.
  • Data Deduplication: Saves disk space by eliminating duplicate data on drives; a single copy is left intact and links are put in place of the file in the other locations.
  • DFS Namespaces: Allows you to use a logical namespace to access groups of shared folders on different servers, but it appears to be a single folder with multiple subfolders to end users.
  • DFS Replication: Synchronizes folders across multiple servers.
  • File Server Resource Manager: Allows you to manage and classify data on your file servers.
  • File Server VSS Agent Service: Allows you to enable volume shadow copies on your system, which will take backup copies (snapshots) of your files and/or volumes even if something is using them.
  • iSCSI Target Server: Services and management tools for iSCSI targets. iSCSI allows you to send SCSI commands for storage over regular TCP/IP networks and enables organizations to have a storage area network (SAN) that is not cost prohibitive.
  • iSCSI Target Storage Provider: Allows applications connected to an iSCSI target to make volume shadow copies of the data on virtual iSCSI disks.
  • Server for NFS: Allows the server to serve files to Unix and Linux systems that use the NFS protocol.
  • Work Folders: Synchronizes files across multiple computers.

Host Guardian Service

This role was introduced for the first time in Windows Server 2016. It manages and releases keys for Hyper-V hosts that are considered trusted (known as guarded hosts). This allows the guarded hosts to power on shielded virtual machines (VMs) and perform live migrations. It uses two services to do its work:

  • Attestation Service: Validates the identity of the hosts that are communicating with it as well as their configuration
  • Key Protection Service: Gives access to the encrypted transport keys that allow the guarded hosts to work with the shielded VMs

If you want to learn more about shielded VMs, check out Book 7, Chapter 2.

Hyper-V

Installing the Hyper-V role installs a hypervisor onto the Windows Server operating system. On Server Standard edition, you’re limited to two VMs; you can run an unlimited number of VMs on Server Datacenter edition. Datacenter edition also includes the ability to work with shielded VMs.

I cover Hyper-V in great detail in Book 7.

Network Controller

Network Controller is a newer role that was introduced in Windows Server 2016. It’s only available in the Datacenter edition, not the Standard edition. Network Controller allows you to configure, monitor, program, and troubleshoot your physical and virtual network infrastructure. To do this work, it can leverage Windows PowerShell or the Representational State Transfer (REST) application programming interface (API) to communicate with the devices. If your organization wants to begin exploring Software-Defined Networking (SDN), this is a great way to start. Being able to use PowerShell to work with the Network Controller could be very powerful, but the REST API will allow you to build integrations with other products, including those that would not understand PowerShell. The communication is done through HTTP/HTTPS, so you don’t have to worry about opening any uncommon network ports to support REST APIs either.

Network Policy and Access Services

Network Policy and Access Services installs the Network Policy Server (NPS). This provides services like RADIUS and offers authentication, authorization, and accounting (AAA). NPS is very commonly used for authentication of network devices and VPN clients.

Note that you can only install this role on Server with Desktop Experience.

If this sparked your curiosity, check out Book 4, Chapter 3, where I cover the installation and configuration of NPS as a RADIUS server.

Print and Document Services

By installing the Print and Document Services role, you can turn your server into a network print server. This centralizes the management of printing, from working with queues to setting your desired default configurations for network printers. These are commonly things like printing in black and white or printing double-sided.

Remote Access

The Remote Access role allows you to do a few different things. It can provide connectivity to your network with DirectAccess and VPNs, and also offers a web application proxy. At its core, Remote Access is designed to be a VPN solution. Routing and Remote Access Service provides a traditional VPN service to support connectivity to your internal network, while DirectAccess offers end users a more seamless experience with VPN-like functionality. Your users will not have to stop or start their VPN connections; with DirectAccess, they’re connected to your organization when they have a good Internet connection. If you install the web application proxy, you can publish HTTP- and HTTPS-based web applications to devices on and off your network. The Routing functionality provides very similar functionality to a traditional router, including network address translation (NAT) and other methods needed to perform routing on an IP network.

Remote Desktop Services

Previously known as Terminal Services, Remote Desktop Services lets users access virtual desktops to run software just as they would if they were on their own desktops. This can be very helpful when you have limited licenses for applications, and the application can be used in this way. It can be especially helpful for client/server-style applications where upgrades can be an overwhelming effort due to configuration changes that need to occur after an upgrade. You can make the changes on each RDS server once, instead of having to do it on hundreds of desktops.

Volume Activation Services

This role creates a Key Management Service (KMS) server, which can manage all the keys for your Windows products and take care of automatic keying and activation for domain-joined systems, servers and clients alike. You can even set requirements like requiring systems to check in with the KMS server every 15 days or the key will no longer be valid. This can help to ensure that laptops find their way back on premises for patches and other things at least every 15 days as well.

Web Services

Web Server installs the Windows-based web server known as Internet Information Services (IIS). IIS can be used to host multiple websites and supports many of the server-side languages you know and love, like PHP and ASP. It also provides support for FTP services. With the Microsoft Web Platform installer, setting up applications like ASP.NET, Microsoft SQL Server, and non-Microsoft applications like WordPress or Joomla is very simple.

Windows Deployment Services

Windows Deployment Services (WDS) makes managing images for servers and desktops very simple. WDS is part Preboot Execution Environment (PXE) server and part Trivial File Transfer Protocol (TFTP) server with a nice, user-friendly graphical user interface (GUI) console to manage it. If you aren’t familiar with PXE, it allows a server with no operating system to boot from the network so that a system administrator can configure it and choose an operating system image for it. TFTP is used to transfer the image over the network. Images are saved as .wim files and can be kept up to date with tools already available on the system. Systems that are imaged by WDS are booted from their network interface card (NIC) and are able to get the settings for the WDS server from DHCP options 66 and 67.

Windows Server Update Services

Windows Server Update Services (WSUS) is exactly what the name implies: a server role that installs software, which allows you to centrally manage security patches and other updates for all your Microsoft products. It scales well and can be deployed as a single server that does it all, or as an upstream server that downloads updates from Microsoft and then makes those updates available to other downstream WSUS servers.

Understanding Server Features

Roles get a lot of attention, but features provide the necessary support for roles and other applications to perform their functions. Features can provide everything from frameworks to support applications to management tools and encryption functionality.

Tip: If you don’t see a feature that you want to use, check whether you’re using Standard or Datacenter. Several features are only available in the Datacenter edition of Windows Server 2022.

.NET 3.5

Provides support for .NET 3.5 and legacy support for .NET 2.0 and .NET 3.0 APIs. APIs allow applications to interact with the operating system or services. This may be required for the application you’re trying to install; vendor documentation will usually be very explicit in telling you what needs to be installed as a prerequisite for the application.

.NET 4.8

Windows Server 2022 ships with the newer .NET 4.8, which is installed by default. This feature can also add support for ASP.NET 4.8 and adds support for WCF Services. Many newer applications are taking advantage of these features. Check with your application vendor to see if it supports .NET 4.8.

Background Intelligent Transfer Service

Background Intelligent Transfer Service (BITS) is used to transfer files between servers and clients and will provide progress information on the status of those transfers. It’s very commonly used by the Windows operating system to download updates.

The cool thing about BITS is that if the connection is for some reason lost, BITS will suspend the transfer. When the connection is back up, BITS will resume the transfer as if nothing happened.

The BITS service is installed by default with the Windows Server 2022 OS, so you don’t need to install this feature unless an application requires the feature to serve its purpose.

BitLocker Drive Encryption

BitLocker Drive Encryption is responsible for encrypting the entire hard drive and its contents on systems where it has been enabled. On modern systems with a TPM 1.2 or later chip, BitLocker ensures that the system has not been tampered with while the system was offline. Assuming the hardware checks out okay, it will boot.

Systems with older TPM chips can still use BitLocker, but it is not as user-friendly. Older TPM chips (pre-1.2) do not check for system integrity like the newer TPM chips do either.

Technical stuff: TPM stands for Trusted Platform Module. It’s a chip on your computer’s motherboard, and it’s what generates the keys that BitLocker uses to provide the full disk encryption. It keeps half of the key, and the other half of the key is stored on disk. This prevents a thief from stealing a BitLocker-encrypted hard drive and booting it in another system.

BitLocker can lock the startup process until the user enters a PIN. This ensures that the user is the authorized user and will prevent data loss from an unencrypted drive if the system is stolen while offline.

BitLocker Network Unlock

The BitLocker Network Unlock feature was introduced in Windows Server 2012. It gives systems the ability to automatically unlock BitLocker if the system is on the corporate network. This can make patch management simpler if a company is using a Wake on LAN technology to wake systems up for patching or software installations.

BitLocker Network Unlock does have some dependencies on DHCP, so make sure that you’re running DHCP in your environment if you want to use it.
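Whether a volume unlocks with the TPM alone, with a startup PIN, or through Network Unlock is recorded in its key protectors, so the choices described in the BitLocker Drive Encryption and BitLocker Network Unlock sections can be audited per volume. This is an added example, not from the book; the function name Get-BitLockerPosture and the sample volumes are assumptions, and the live branch needs the BitLocker feature installed and an elevated prompt.

```powershell
# Added example. Classifies each volume by how it unlocks at startup.

function Get-BitLockerPosture {
    param(
        # Objects shaped like Get-BitLockerVolume output:
        # MountPoint, ProtectionStatus, VolumeStatus, KeyProtector[].KeyProtectorType
        [Parameter(Mandatory)] [object[]] $Volume
    )
    foreach ($v in $Volume) {
        $types = @($v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

        $finding =
            if ([string]$v.ProtectionStatus -ne 'On') {
                'Protection is off: contents are readable if the disk is removed'
            } elseif ($types -contains 'TpmPin') {
                'TPM plus startup PIN'
            } elseif ($types -contains 'TpmNetworkKey') {
                'TPM with Network Unlock: unlocks unattended on the corporate network'
            } elseif ($types -contains 'Tpm') {
                'TPM only: starts without any user input'
            } else {
                'No TPM-based protector'
            }

        [pscustomobject]@{
            MountPoint  = $v.MountPoint
            Status      = [string]$v.VolumeStatus
            Protectors  = ($types -join ', ')
            HasRecovery = ($types -contains 'RecoveryPassword')
            Finding     = $finding
        }
    }
}

if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    # Live data; the cmdlet is only present when the BitLocker feature is installed.
    $volumes = Get-BitLockerVolume
} else {
    # Constructed sample volumes so the function can be tried without the feature.
    $volumes = @(
        [pscustomobject]@{
            MountPoint = 'C:'; ProtectionStatus = 'On'; VolumeStatus = 'FullyEncrypted'
            KeyProtector = @(
                [pscustomobject]@{ KeyProtectorType = 'Tpm' }
                [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
            )
        }
        [pscustomobject]@{
            MountPoint = 'D:'; ProtectionStatus = 'Off'; VolumeStatus = 'FullyDecrypted'
            KeyProtector = @()
        }
    )
}

Get-BitLockerPosture -Volume $volumes | Format-Table -AutoSize -Wrap
```

A volume without a recovery password protector deserves the same attention as one with protection off, because a TPM or firmware change can leave it unrecoverable.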

BranchCache

You may recall from the File and Storage Services role that BranchCache is a bandwidth optimization technology that copies files from main office file servers and caches the content locally at remote (branch) locations. For users at the remote locations, this means that they can access files with decreased latency. This also means that their network traffic is not crossing the network to the main office to retrieve files, which can improve bandwidth utilization significantly.

Turning on the BranchCache feature on a server enables you to turn your server into a hosted cache server or a BranchCache-enabled content server.

Client for NFS

If you have Unix- or Linux-based file servers in your environment that are using the NFS protocol, installing the Client for NFS feature will allow your server to access the NFS shares, so long as the shares allow anonymous access.

Containers

If you want to run Hyper-V Containers or Windows Server Containers, you need to enable this feature. If you want a higher degree of isolation and want to go with Hyper-V containers, you need to enable the Hyper-V role in addition to the Containers feature.

After the Containers feature is installed, you still have more steps to complete before you have a working container host, such as installing Docker and pulling base images. In the Standard edition, you can have unlimited Windows containers, but you can only have two Hyper-V containers. In the Datacenter edition, both Windows containers and Hyper-V containers are unlimited.

Containers are an exciting new technology that was first introduced in Windows Server 2016. For more on containers, check out Book 8.

Data Center Bridging

If your server is going to be used for clustering or for storage, you should consider enabling Data Center Bridging (DCB). DCB allows you to prioritize certain kinds of traffic over others (think of it like a traffic cop). It allows you to utilize your hardware for better bandwidth allocation as well.

Direct Play

Direct Play is a part of the DirectX API and has been deprecated. You must have Desktop Experience enabled to be able to enable the Direct Play feature. You may still run into applications that require the Direct Play API, though this is unlikely to be found on a server because it was traditionally used for gaming.

Enhanced Storage

Enhanced Storage enables support for additional functions that are available when you use Enhanced Storage–compatible devices. These devices have built-in safety features that can require you to authenticate before you can access the data on the drive. This is very commonly used in USB flash drives.

Failover Clustering

Failover Clustering is a feature used to provide high availability to server roles. It’s often used for file servers, Hyper-V hosts, and database applications like Microsoft SQL Server. If a server in a failover cluster fails, services can be moved almost seamlessly to another server in the cluster. Systems in a failover cluster are referred to as nodes. Failover clusters take advantage of shared storage so that all nodes have access to the same data. If a failover event occurs, the transition from node to node can be as seamless as possible, because each node has access to the same storage.

For more on high availability with the Failover Clustering feature, check out Book 7, Chapter 5. There, I discuss Failover Clustering in relation to Hyper-V, but the way it works is pretty similar regardless of which application is using it.

Group Policy Management

Group Policy Management is a Microsoft Management Console (MMC) for managing group policies across your environment. It allows you to create, edit, delete, and assign group policies all the way down to an OU level. It can also be used to enforce a Group Policy Object.

Host Guardian Hyper-V Support

If you want to provision shielded VMs on your Hyper-V hosts, you need to install this feature. It’s available in the Datacenter edition only. This allows the Hyper-V server to communicate with the Host Guardian Service.

I/O Quality of Service

Enabling this feature will allow you to set quality of service settings for your applications, including maximum I/O and bandwidth limitations.

IIS Hostable Web Core

The IIS Hostable Web Core feature allows you to write your own custom applications that can host core IIS functionality on their own. Your application will be able to serve HTTP requests and use its own configuration files (applicationHost.config and web.config) instead of the configuration files used by the traditional full Web Server (IIS) role installation. After the IIS Hostable Web Core is installed, you can open a browser and type http://localhost. This will load the traditional IIS splash screen even though the Web Server role is not installed.

Internet Printing Client

Internet Printing Client allows you to connect to and print to printers on the network or Internet using the Internet Printing Protocol (IPP). It does require that Desktop Experience be installed and, as such, is not available in Server Core.

IP Address Management Server

IP Address Management (IPAM) was a breath of fresh air to network administrators and system administrators who had to manage multiple DNS and DHCP servers. It provides a centralized management pane for both DNS and DHCP and is able to help you locate available IP addresses, available subnets, and so on. Best of all, it supports multiple Active Directory forests, so it really can be a single pane of glass for your organization.

You can read more about IPAM in Book 2, Chapter 6.

LPR Port Monitor

Line Printer Remote (LPR) Port Monitor enables your server to print to a printer that is shared using Line Printer Daemon (LPD). This will typically be a Unix or Linux server being used as a print server.

Management OData IIS Extension

This feature gives you the ability to expose PowerShell cmdlets through an OData-based web service that runs on IIS. OData is a data access protocol that allows you to query and update data. To use this feature, you need to install the Web Server role.

Media Foundation

Media Foundation allows you to work with media files. You can transcode. You can analyze media files. You can even generate thumbnail images for media files. It also offers DirectX Video Acceleration and an enhanced video renderer (EVR). Media Foundation supports many of the codecs, sources, and sinks that you would expect, including AVI, DV, H.264, MP3, and MP4.

Message Queueing

Message Queueing is often used by applications to deliver messages to other applications. It guarantees message delivery and provides routing, security, and messaging based on priority between applications. Applications are able to send and receive messages from the queues. This is very useful when you need the guarantee that the message will get to its end destination, or when an application may not be able to get the message right away because it's busy or offline. If your application requires Message Queueing, your vendor will list it as one of its requirements.

Microsoft Defender Antivirus

This feature is installed by default and was previously known as Windows Defender. It’s a built-in next-generation antivirus solution that’s able to look at files and process behaviors for things that appear malicious. It receives regular updates through signatures, machine learning, and threat research.

Multipath I/O

What happens if your server is connected to its storage through a network switch, and that switch goes down? Your server can’t communicate with its storage any longer. With Multipath I/O, you can allow your server to use multiple paths to your SAN — you could have connections through two separate switches, for instance. If you have connections to two separate switches, your server will still be up and able to access its storage even if one of the switches goes offline. This allows you to build a truly fault-tolerant storage network.

Multipoint Connector

If you’re using Multipoint Services, the Multipoint Connector allows the system to be managed by the Multipoint Manager and the Multipoint Dashboard.

Network Load Balancing

Network Load Balancing (NLB) allows you to spread traffic across multiple servers, which can improve response times because the traffic is evenly distributed. It’s popular with web servers, especially with a stateless application, where the user’s request can be served by a server in the NLB cluster. As load increases, you can simply add more servers to the cluster, and when you need to do maintenance on a particular server, you do so while keeping the other servers in the NLB cluster up. An NLB cluster focuses on reliability and performance, not high availability or fault tolerance.

Network Virtualization

Network Virtualization allows you to create virtual network overlays on the same physical network. If you want to start working with software-defined networking (SDN), this is an important feature to examine. By taking advantage of network virtualization, you can automate the provisioning of networking resources, in addition to other server automation projects you may be working on.

Peer Name Resolution Protocol

Peer Name Resolution Protocol allows applications to register and resolve names on your computer so that other computers on the network can also communicate with these applications. This is especially helpful for systems that are in workgroups, rather than being domain-joined.

Quality Windows Audio Video Experience

Quality Windows Audio Video Experience, also known as qWave, is a networking platform for A/V streaming applications on home IP networks. When it’s installed on a Windows Server OS, it only provides rate of flow and prioritization services.

RAS Connection Manager Administration Kit

The RAS Connection Manager Administration Kit (CMAK) feature serves a very simple purpose: to create profiles for connecting to remote servers and remote networks. This feature is only available in the Desktop Experience.

Remote Assistance

The Remote Assistance feature allows you, as the support person, to offer remote assistance to your end users. You can view and control the user’s desktop from the server. Remote Assistance requires Desktop Experience.

Remote Differential Compression

Remote Differential Compression can help to optimize bandwidth. It’s able to look at a source and destination object and will only transfer the differences between the objects, rather than transfer the object as a whole.

Remote Server Administration Tools

Remote Server Administration Tools (RSAT) is your best friend as a system administrator. Installing the RSAT feature will give you all the snap-ins and command line management tools to manage roles and features. Typically, when you install a role or a feature that has a management tool in RSAT, you’ll be prompted to install the management tool at the same time. Installing RSAT is traditionally reserved for client-side devices to aid in remote administration tasks, so unless you’re going to administer roles and/or features on the server, you shouldn’t install the tools there.

To install RSAT on your client device, you can download the RSAT installation package from the Microsoft website. For Windows 10 client systems that are not on the October 2018 update, you can download RSAT at www.microsoft.com/en-us/download/details.aspx?id=45520. If you’re using Windows 10 and have the October 2018 update, you don’t need to download the RSAT installer. It’s included as a Feature on Demand, which you can install from the operating system directly.

Remember: If you install the role or feature through PowerShell, you have to specify the management tools to get RSAT to install; for example, Install-WindowsFeature -Name Web-Server -IncludeManagementTools.

RPC over HTTP Proxy

This feature is typically used to support VPN clients that need to communicate over HTTP. It relays RPC traffic over HTTP, as the name suggests.

Setup and Boot Event Collection

This feature was first introduced in Windows Server 2016. With this feature enabled, you can set up your server as a collector, which can be used to gather lots of different types of events from other systems as they boot up or as they go through the setup process. You can view the events once they're collected with Event Viewer as you’re used to.

Simple TCP/IP Services

This feature is provided for backwards compatibility and should not be installed unless it’s required. It’s a collection of utilities used on the command line. The utilities respond to telnet requests on specific ports. Quote of the Day, for example, will give you a random quote when you telnet to port 17.

SMB 1.0/CIFS File Sharing Support

If you enable this feature, you’re enabling support for Common Internet File System (CIFS) clients and/or CIFS servers to connect over SMB v1.0, which is an insecure protocol at this point. Only use this feature if absolutely necessary. At this point, it’s a huge security vulnerability and should never be enabled. If you have devices or applications that require SMB v1.0, you need to work with your organization to get those devices and/or applications replaced.
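Before you can get SMB v1.0 devices replaced, you need to know which ones still connect. The following is an added example, not code from the book: it reports whether the feature is installed, whether the SMB server still accepts SMB v1.0, and which clients have used it recently. It assumes an elevated PowerShell session on the server; the function name Get-Smb1Exposure is hypothetical, and the "Client Address:" text it parses from event 3000 is an assumption about the English-language message layout.

```powershell
# Added example, not from the book. Get-Smb1Exposure is a hypothetical name.
function Get-Smb1Exposure {
    [CmdletBinding()]
    param(
        # How many days of SMB1 audit events to review.
        [int]$Days = 7
    )

    # FS-SMB1 is the feature name for "SMB 1.0/CIFS File Sharing Support".
    $feature = Get-WindowsFeature -Name FS-SMB1

    # Server-side settings: is SMB1 accepted, and is SMB1 access being audited?
    $cfg = Get-SmbServerConfiguration

    $clients = @()
    if ($cfg.AuditSmb1Access) {
        # Event ID 3000 is written for each client that connects with SMB1.
        # It is only logged while AuditSmb1Access is enabled.
        $filter = @{
            LogName   = 'Microsoft-Windows-SMBServer/Audit'
            Id        = 3000
            StartTime = (Get-Date).AddDays(-$Days)
        }
        $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

        # Assumption: the message contains a "Client Address: <address>" line.
        $clients = @($events | ForEach-Object {
            if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
        } | Sort-Object -Unique)
    }

    [pscustomobject]@{
        FeatureInstalled  = $feature.Installed
        ServerAcceptsSmb1 = $cfg.EnableSMB1Protocol
        AuditingEnabled   = $cfg.AuditSmb1Access
        DaysReviewed      = $Days
        Smb1Clients       = $clients
        # Only meaningful if auditing was on for the whole review window.
        NoSmb1ClientsSeen = $cfg.AuditSmb1Access -and ($clients.Count -eq 0)
    }
}

# Step 1: turn on SMB1 access auditing and let it run through a normal
# business cycle (month-end jobs, scanners, and so on).
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# Step 2: review what connected.
Get-Smb1Exposure -Days 14 | Format-List

# Step 3: once no clients remain, remove the feature (requires a restart):
# Uninstall-WindowsFeature -Name FS-SMB1 -Restart
```

An empty Smb1Clients list only counts as evidence if auditing was enabled for the entire period you reviewed.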

SMB Bandwidth Limit

The SMB Bandwidth Limit feature allows you to categorize your SMB traffic and limit the amount of traffic you want to allow by category. This is especially helpful when you’re doing live migrations on Hyper-V hosts and you want to limit the amount of bandwidth that the live migrations are able to use so that you don’t negatively impact your other VMs or your end users.

SMTP Server

The SMTP Server in Windows Server 2022 is a basic email server. It can be used as an organization’s main email server so long as the organization is small. Just keep in mind that it’s nowhere near as robust as Exchange Server.

Simple Network Management Protocol Service

Simple Network Management Protocol (SNMP) is used by many organizations to monitor devices for events and status. Enabling the SNMP Service gives you the ability to accept events from other servers and devices.

To configure SNMP after installation, launch the Service Control Manager MMC console (services.msc) and locate the SNMP Service. In the Properties for the service, you can set the community string and which hosts you want to receive SNMP packets from.
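The same two settings can be read back from the registry, which is useful for checking many servers for default community strings or an open accepted-hosts list. This is an added example, not code from the book: it assumes the SNMP Service keeps these settings under its Parameters registry key and that you run it in an elevated session; the function name Get-SnmpServiceExposure is hypothetical.

```powershell
# Added example, not from the book. Get-SnmpServiceExposure is a hypothetical name.
function Get-SnmpServiceExposure {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

    # Rights are stored as a DWORD next to each community name.
    $rightsMap = @{ 1 = 'NONE'; 2 = 'NOTIFY'; 4 = 'READ ONLY'; 8 = 'READ WRITE'; 16 = 'READ CREATE' }

    $service = Get-Service -Name SNMP -ErrorAction SilentlyContinue

    # ValidCommunities: value name = community string, value data = rights.
    $communities = @()
    $key = Get-Item -Path "$base\ValidCommunities" -ErrorAction SilentlyContinue
    if ($key) {
        $communities = @(foreach ($name in $key.GetValueNames()) {
            $rights = [int]$key.GetValue($name)
            [pscustomobject]@{
                Community   = $name
                Rights      = $rightsMap[$rights]
                # Well-known default names are the first thing scanners try.
                DefaultName = $name -in @('public', 'private')
                Writable    = $rights -ge 8
            }
        })
    }

    # PermittedManagers: one value per host allowed to send SNMP packets.
    # No values at all means packets are accepted from any host.
    $managers = @()
    $key = Get-Item -Path "$base\PermittedManagers" -ErrorAction SilentlyContinue
    if ($key) {
        $managers = @(foreach ($name in $key.GetValueNames()) { $key.GetValue($name) })
    }

    [pscustomobject]@{
        ServiceInstalled   = [bool]$service
        ServiceStatus      = if ($service) { $service.Status } else { $null }
        Communities        = $communities
        PermittedManagers  = $managers
        AcceptsFromAnyHost = ($managers.Count -eq 0)
    }
}

$report = Get-SnmpServiceExposure
$report | Format-List ServiceInstalled, ServiceStatus, PermittedManagers, AcceptsFromAnyHost
$report.Communities | Format-Table -AutoSize
```

A server that reports a default community name, write rights, or AcceptsFromAnyHost set to True is worth revisiting in the service's Properties dialog described above.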

Software Load Balancer

This feature provides outbound network address translation (NAT), provides inbound NAT, can load-balance between multiple instances of applications, and can check to make sure that an instance of the application is healthy before sending traffic to it. This is excellent for SDN because you can configure it through PowerShell. It operates at Layer 4 of the OSI model, the Transport Layer.

Storage Migration Service

Storage Migration Service is new to Windows Server 2022. It allows you to painlessly inventory your data and settings on a server and then transfer that data and the configuration settings to a newer server. The new server can then take over the identity of the old server. Applications and users don’t need to change anything on their end.

This is a great new feature! Think of that old Windows Server 2008 system that’s still hanging around because everyone is afraid to touch it. Storage Migration Service is your answer to that old server. You can migrate data from systems as old as Windows Server 2003, but the destination server has to be Windows Server 2012 R2 or newer.

Tip: Using a Windows Server 2022 system as the destination is recommended because you can install the Storage Migration Service Proxy, which can double the transfer performance over older versions of Windows Server.

Storage Migration Service Proxy

When this feature is installed on the destination server, the transfer performance of the Storage Migration Service is almost doubled. This is only available on Windows Server 2022.

Storage Replica

Storage Replica adds the capability to replicate synchronously or asynchronously across servers or clusters. This is great for disaster recovery!

When Storage Replica was first introduced, it was only supported in the Datacenter edition. With Windows Server 2022, Storage Replica was made available in the Standard edition as well, though it does have some limitations when it’s installed on Standard: It can only replicate a single volume, volumes can have only one partner, and volumes can only be a max size of 2TB.

System Data Archiver

This feature is installed by default on Windows Server 2022 and is also new to Windows Server 2022. Its job is pretty simple: It’s responsible for collecting and archiving system data from the server.

System Insights

One of the challenges of being a system administrator is forecasting what your compute and storage needs are. New to Windows Server 2022 is System Insights. This cool new feature includes analytics and machine learning to predict based on usage what your needs may be. It’s a very useful tool when doing capacity forecasting, and can cover compute, storage, and networking needs. No more guesswork!

Telnet Client

The Telnet Client allows you to connect to a Telnet Server using the Telnet protocol.

Warning: Use this carefully! It can be very useful for troubleshooting, but because it sends information in plain text, you don’t want to send usernames or passwords through it.

TFTP Client

The TFTP Client feature allows you to interact with a TFTP server. With this feature installed, you can read from and write to a remote TFTP server. This may be beneficial for network administrators in particular to pull/push images on network equipment.

VM Shielding Tools for Fabric Management

Fabric in this context is referring to a guarded fabric, which provides a more secure infrastructure for shielded VMs to run on.

This feature should be installed on the Fabric Management Server. It includes utilities that can be used by solutions that manage the fabric.

WebDAV Redirector

The WebDAV Redirector allows you to connect to WebDAV sites and access files on the sites through a mapped drive. This is great from a compatibility standpoint because some applications don’t support WebDAV, but they can absolutely understand how to access files on a mapped drive.

Windows Biometric Framework

The Windows Biometric Framework allows you to use fingerprint devices or facial recognition to authenticate to Windows. This includes the Windows Biometric Service, which supports the Windows Biometric Framework API. Client applications are able to leverage the API to take advantage of biometric authentication.

Windows Identity Foundation 3.5

The Windows Identity Foundation 3.5 feature provides a .NET 3.5 framework for building claims-aware applications. You should only use this if for some reason you need to code against .NET 3.5 or .NET 4.0. Windows Identity Foundation is included in .NET 4.5 and is no longer a separate feature that needs to be installed.

Windows Internal Database

The Windows Internal Database is a relational database intended to support Windows roles and features such as AD RMS, WSUS, and Windows System Resource Manager. This is not designed to replace SQL Server. It’s really only intended to support roles and features in the Windows Server operating system.

Windows PowerShell

Windows Server 2022 includes both PowerShell 5.1 and the PowerShell ISE installed by default. In most cases, this is all you need to work with the server with PowerShell. You can also install the older PowerShell 2.0 Engine, PowerShell Web Access, and PowerShell Desired State Configuration (DSC).

PowerShell is such a broad topic that Book 6 is devoted to it.

Windows Process Activation Service

When you install the Windows Process Activation Service, you can provide features you would normally get with IIS and HTTP applications to non-HTTP applications using Windows Communication Foundation (WCF) services. Additionally, IIS 10.0 takes advantage of Windows Process Activation Service to do message-based activations over HTTP.

Windows Search Service

Windows Search Service (WSS) can analyze a set of documents and extract useful information, typically metadata, which can then be queried later on. The process of indexing can be pretty CPU intensive, but the service will throttle itself or even pause indexing if the user experience might be impacted by indexing. By leveraging the indexing, your users will notice a performance improvement when they do a search on your file server.

Windows Server Backup

Windows Server Backup is a built-in backup utility. It can be used to back up and restore data, and can perform full backups, system state backups, volume backups, and specific folder backups. You can even do a bare metal backup, which will allow you to completely restore your system should it need to be rebuilt.

Backups can be saved on a local drive or on a remote server share, and they can be run once or scheduled to run as often as needed.

Windows Server Migration Tools

Microsoft tried to make migrating to a newer version of Windows Server as painless as possible with Windows Server Migration Tools. This feature, when installed, can migrate roles, features, OS settings, and shares. I think that the greatest value of this tool is being able to move roles from several versions of the operating system back. This can be a very scary proposition for some system administrators, but Windows Server Migration Tools really simplifies the process and reduces the risk of things going wrong.

Windows Standards-Based Storage Management

Do you need to discover, manage, and monitor your storage devices? Are the management interfaces using the SMI-S standard? If you answered yes to both questions, then this is the feature for you. Installing this feature will add several Windows Management Instrumentation (WMI) classes and Windows PowerShell cmdlets to the server and will allow you to discover, manage, and monitor compatible devices.

Windows Subsystem for Linux

The Windows Subsystem for Linux (WSL) originally gave you the ability to run a form of an Ubuntu-based bash shell on Windows. It has been enhanced since that early start and now allows you to install a full version of Linux from the Windows Store. It should be noted that WSL does not give you the full graphical Linux experience. It gives you terminal access and was primarily designed with developers in mind.

Windows TIFF IFilter

When the Windows TIFF IFilter is enabled, you can search TIFF files for text using optical character recognition (OCR). The IFilter can be used by the Windows search utility and will allow you to do full text searches of the TIFF files on your systems. It’s worth noting that the text needs to be clear. If the TIFF image is the result of a scan and the scan quality is poor, or includes images, the IFilter may not be able to read the TIFF file as well.

WinRM IIS Extension

Enabling WinRM IIS Extension allows you to manage the server remotely from a client that is using WS-Management (WS-Man), such as PowerShell remoting.

WINS Server

WINS Server maps NetBIOS names to IP addresses. A Windows system could register itself with WINS, and then other systems in the workgroup could query the WINS server for that system’s IP address. This has, for the most part, been replaced by DNS in most organizations.

Wireless LAN Service

If your server needs to connect to a wireless connection, you’ll need to install this feature. Wireless LAN Service allows the server to find wireless network adapters and manages both the wireless connections and wireless profiles.

WoW64 Support

WoW64 Support is installed by default on Windows Server 2022 and allows you to run 32-bit applications on a 64-bit system.

XPS Viewer

The XPS Viewer is installed by default on Windows Server 2022 with Desktop Experience. It allows you to read XPS documents and assign permissions or digitally sign XPS documents as well.
