Mar 24, 2026 · Written by: Netspare Team
Windows Server 2022: AD, IIS, Hyper-V, and File Services in a Small Datacenter
Windows Server 2022 extends the hybrid story with Azure Arc and tighter security baselines, but most SME datacenters still deploy it for Active Directory, DNS, DHCP, file/print, and IIS or reverse-proxy front-ends to .NET services.
Licensing mixes core-based Windows Server licenses with CALs for users/devices; misunderstanding CALs is a common audit pain point. Document counts before you scale replicas.
This guide orients Linux-first engineers: where roles live, how Group Policy still gates security, and why patching windows differ from apt/yum rhythms.
SMB signing and encryption expectations changed as ransomware operators abuse NTLM relay—enforce signing on all domain members and monitor for downgraded clients.
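A concrete way to enforce the signing requirement on a member server and to spot sessions that negotiated an old dialect or no signing. This is an added example, not code from the original post or from Netspare; it assumes an elevated Windows PowerShell session on Windows Server 2022 and that the `Signed` property is present on `Get-SmbSession` output (the script checks for it before use). Domain-wide, the same setting is delivered by the "Microsoft network server: Digitally sign communications (always)" policy; the cmdlets below write the equivalent local values.

```powershell
# Added example (not from the original post): enforce SMB signing locally and
# report sessions that look downgraded. Run elevated on Windows Server 2022.
[CmdletBinding()]
param([switch]$Enforce)

if ($Enforce) {
    # Server side: refuse unsigned sessions. Client side: refuse servers that will not sign.
    # Both map to RequireSecuritySignature under LanmanServer\Parameters and
    # LanmanWorkstation\Parameters. SMB1 is switched off at the same time.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSMB1Protocol $false -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}

# Current policy state, for the change record.
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
[pscustomobject]@{
    ServerRequiresSigning = $srv.RequireSecuritySignature
    ClientRequiresSigning = $cli.RequireSecuritySignature
    SMB1Enabled           = $srv.EnableSMB1Protocol
    EncryptData           = $srv.EncryptData
}

# Sessions on a pre-3.0 dialect or without signing are either a legacy client that
# must be fixed before enforcement or a downgrade worth investigating.
Get-SmbSession | ForEach-Object {
    $dialect = [version]$_.Dialect          # Dialect is a string such as "3.1.1"
    $flags = @()
    if ($dialect -lt [version]'3.0') { $flags += 'OldDialect' }
    # Signed is assumed to exist on Server 2022 session objects; guarded in case it does not.
    if ($_.PSObject.Properties['Signed'] -and -not $_.Signed) { $flags += 'Unsigned' }
    if ($flags.Count -gt 0) {
        [pscustomobject]@{
            Client  = $_.ClientComputerName
            User    = $_.ClientUserName
            Dialect = $_.Dialect
            Issues  = ($flags -join ',')
        }
    }
}
```

Run it without `-Enforce` first and leave it running as a scheduled report for a week; anything that shows up as `OldDialect` or `Unsigned` is the list of devices that will break the day signing becomes mandatory. Enabling `Set-SmbServerConfiguration -AuditSmb1Access $true` additionally writes event 3000 to the `Microsoft-Windows-SMBServer/Audit` log for every SMB1 attempt, which is the cheaper way to find stragglers than packet capture.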
Cluster-aware updating for Hyper-V requires orchestration discipline; live migration must succeed under maintenance windows or VM pause times breach SLA.
AD DS, DNS, and DHCP together
Domain controllers should run DNS integrated with AD for sane SRV records and secure dynamic updates. DHCP on member servers—not on DCs in tiny shops unless you accept the blast radius—keeps failure domains smaller.
Plan at least two DCs for any production domain; single-DC forests are recovery exercises waiting to happen.
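The layout rules in this section reduce to a few checks that can run from any domain-joined admin host. The script below is an added example, not part of the original post or any Netspare tooling; it assumes the ActiveDirectory and DnsServer RSAT modules, an elevated Windows PowerShell 5.1 session (where `Get-Service -ComputerName` is still available), and defaults the DNS server to the local machine.

```powershell
# Added example (not from the original post): verify DC count, DNS placement,
# secure dynamic updates, and DHCP-on-DC for a small AD DS deployment.
param([string]$DnsServer = $env:COMPUTERNAME)

Import-Module ActiveDirectory, DnsServer

$findings = @()

# At least two domain controllers per production domain.
$dcs = @(Get-ADDomainController -Filter *)
if ($dcs.Count -lt 2) {
    $findings += "Only $($dcs.Count) domain controller(s); a single-DC domain has no recovery margin."
}

foreach ($dc in $dcs) {
    # Every DC should run DNS so SRV lookups and secure updates stay local to AD.
    if (-not (Get-Service -ComputerName $dc.HostName -Name DNS -ErrorAction SilentlyContinue)) {
        $findings += "$($dc.HostName) does not run the DNS Server service."
    }
    # DHCP on a DC widens the DC's failure domain; keep it on a member server.
    if (Get-Service -ComputerName $dc.HostName -Name DHCPServer -ErrorAction SilentlyContinue) {
        $findings += "$($dc.HostName) also runs DHCP Server; its failure domain now includes AD."
    }
}

# Primary zones should be AD-integrated and accept only secure dynamic updates,
# otherwise any host on the segment can overwrite records.
Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
    ForEach-Object {
        if (-not $_.IsDsIntegrated) {
            $findings += "Zone $($_.ZoneName) is a file-backed primary, not AD-integrated."
        } elseif ($_.DynamicUpdate -ne 'Secure') {
            $findings += "Zone $($_.ZoneName) allows '$($_.DynamicUpdate)' dynamic updates; set it to Secure."
        }
    }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No findings.' }
```

A zone flagged for `NonsecureAndSecure` updates is fixed with `Set-DnsServerPrimaryZone -Name <zone> -DynamicUpdate Secure`, which only works once the zone is AD-integrated; file-backed primaries first need converting with `ConvertTo-DnsServerPrimaryZone -ReplicationScope Domain`.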
IIS, ASP.NET Core, and reverse proxies
IIS can host ASP.NET Framework apps natively; ASP.NET Core typically uses the ASP.NET Core Module behind IIS or runs behind nginx/HAProxy on Linux while AD stays on Windows.
Centralize TLS certificates in a documented store; Windows Certificate Manager plus automated ACME clients reduce manual MMC work.
Hyper-V positioning
Hyper-V remains viable for on-prem virtualization with clustering and live migration, but many teams pair Windows guests for legacy apps with Linux KVM/VMware for elastic workloads—be explicit about supported guest OS matrix.
Checkpoint/snapshot discipline matters: do not treat checkpoints as backups; VSS-aware backup agents still rule for AD and SQL.
Hardening and patch cadence
- Apply Security Baseline / GPO hardening templates, then test line-of-business apps.
- Use WSUS or patch orchestration; monthly cumulative updates differ from Linux rolling security-only models.
- Disable legacy protocols (SMBv1, old TLS) in lab before production.
- Monitor Defender for Endpoint signals if enrolled; syslog forwarding for hybrid SIEM.
SMB and NTLM hardening
Disable LLMNR and NetBIOS where possible to reduce spoofing surface on flat networks.
Use the Protected Users group for tier-zero accounts to limit credential delegation attack paths.
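The hardening list above and this section name five concrete settings (SMBv1, legacy TLS, LLMNR, NetBIOS over TCP/IP, Protected Users). The script below audits all five and remediates only when `-Remediate` is passed, so it can be dropped into the lab-before-production flow the post recommends. It is an added example, not code from the original post or from Netspare; it assumes an elevated session on a domain-joined Windows Server 2022 member with the ActiveDirectory module, and the `$TierZeroAccounts` default is a constructed placeholder list to be replaced with real privileged sAMAccountNames.

```powershell
# Added example (not from the original post): audit and optionally fix the
# legacy-protocol and credential items from the hardening list.
[CmdletBinding()]
param(
    [switch]$Remediate,
    [string[]]$TierZeroAccounts = @('da-placeholder', 'ea-placeholder')  # constructed placeholders
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. SMBv1: the server feature should be removed, not merely disabled.
$smb1 = Get-WindowsFeature -Name FS-SMB1
if ($smb1.Installed) {
    $findings.Add('SMB1 (FS-SMB1) is installed.')
    if ($Remediate) { Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null }   # reboot required
}

# 2. Legacy TLS, server side: Enabled=0 and DisabledByDefault=1 under SCHANNEL.
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Server"
    $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($enabled -ne 0) {
        $findings.Add("$proto server-side is not explicitly disabled.")
        if ($Remediate) {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
            Set-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -Type DWord
        }
    }
}

# 3. LLMNR is governed by the EnableMulticast policy value (0 = off).
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
if ($llmnr -ne 0) {
    $findings.Add('LLMNR is not disabled (EnableMulticast is not 0).')
    if ($Remediate) {
        New-Item -Path $llmnrKey -Force | Out-Null
        Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
    }
}

# 4. NetBIOS over TCP/IP is per adapter: TcpipNetbiosOptions 2 = disabled.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    if ($_.TcpipNetbiosOptions -ne 2) {
        $findings.Add("NetBIOS over TCP/IP enabled on adapter '$($_.Description)'.")
        if ($Remediate) {
            Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
        }
    }
}

# 5. Tier-zero accounts belong in Protected Users (no NTLM, no delegation, short TGT lifetime).
Import-Module ActiveDirectory
$protected = Get-ADGroupMember -Identity 'Protected Users' | Select-Object -ExpandProperty SamAccountName
foreach ($acct in $TierZeroAccounts) {
    if ($protected -notcontains $acct) {
        $findings.Add("$acct is not a member of Protected Users.")
        if ($Remediate) { Add-ADGroupMember -Identity 'Protected Users' -Members $acct }
    }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No findings.' }
```

Two caveats match the post's "test line-of-business apps first" advice: the SCHANNEL change silently breaks any client that can only speak TLS 1.0/1.1, and Protected Users membership stops NTLM and cached logons for those accounts, so an admin whose only path in relies on NTLM will lock themselves out. Run in audit mode, review the warnings, then remediate in the lab domain before touching production. The registry and NetBIOS settings are better delivered by GPO at scale; the script is the per-host check that the GPO actually landed.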
Hyper-V maintenance orchestration
Validate Quick Migration vs Live Migration support per guest OS; some legacy guests only support save state.
Checkpoint types differ—production checkpoints integrate with VSS; standard checkpoints are not backup substitutes.
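To make the checkpoint rule enforceable rather than aspirational, the following audit lists VMs that still use standard checkpoints, have the VSS integration service turned off, or carry checkpoints older than a threshold. This is an added example, not code from the original post or from Netspare; it assumes it runs on the Hyper-V host with the Hyper-V module loaded, and the seven-day age threshold is a constructed default, not a vendor figure.

```powershell
# Added example (not from the original post): find VMs whose checkpoint
# configuration or lingering checkpoints contradict "checkpoints are not backups".
param([int]$MaxCheckpointAgeDays = 7)   # constructed default

Import-Module Hyper-V

Get-VM | ForEach-Object {
    $vm = $_
    $issues = @()

    # Production checkpoints quiesce the guest through VSS; Standard ones save memory
    # state and are unsafe for AD or SQL consistency. ProductionOnly refuses to fall
    # back to Standard when the guest cannot be quiesced.
    if ($vm.CheckpointType -eq 'Standard') {
        $issues += 'CheckpointType=Standard'
    }

    # The VSS integration service must be on for production checkpoints and for
    # VSS-aware backup agents to quiesce the guest.
    $vss = Get-VMIntegrationService -VM $vm -Name 'VSS'
    if (-not $vss.Enabled) { $issues += 'VSS integration service disabled' }

    # Old checkpoints accumulate differencing disks and slow down the merge that
    # happens during live migration or deletion.
    $cutoff = (Get-Date).AddDays(-$MaxCheckpointAgeDays)
    Get-VMSnapshot -VM $vm | Where-Object { $_.CreationTime -lt $cutoff } | ForEach-Object {
        $issues += "checkpoint '$($_.Name)' from $($_.CreationTime.ToString('yyyy-MM-dd'))"
    }

    if ($issues) {
        [pscustomobject]@{ VM = $vm.Name; State = $vm.State; Issues = ($issues -join '; ') }
    }
}
```

For a VM flagged on type, `Set-VM -VM $vm -CheckpointType ProductionOnly` enforces the VSS path; for a disabled integration service, `Enable-VMIntegrationService -VM $vm -Name 'VSS'`. Old checkpoints are removed with `Remove-VMSnapshot`, but schedule the merge inside a maintenance window, since the resulting disk I/O is exactly what makes live migration miss its pause-time budget.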
Frequently asked questions
Can we run Docker containers on Windows Server instead of Linux?
Is Server Core always the right install?