Post

So My Company Is Switching Half Our Windows Servers To Linux

Posted
By Usman Masood Ashraf
views 8 min read
So My Company Is Switching Half Our Windows Servers To Linux

The transition from Windows toLinux in enterprise infrastructure is accelerating, and for good reason. As a 30-year IT veteran who’s spent decades mastering Windows Server administration, I recently found myself facing a pivotal shift: my company is migrating half our Windows servers to Linux. This isn’t just about cost savings or vendor lock-in—it’s about embracing modern infrastructure practices that align with cloud-native principles, improve security posture, and future-proof our operations. If you’re in a similar position—dabbling in Linux but now expected to own the administration—this guide is for you. We’ll cut through the noise and focus on the practical realities of managing a mixed environment, with actionable steps, real-world examples, and zero fluff. You’ll learn how to approach this transition methodically, avoid common pitfalls, and leverage Linux’s strengths without losing sleep over the learning curve.

Understanding the Topic: Beyond the Headlines

Let’s clarify what this shift actually means. It’s not about replacing every Windows server with a Linux box overnight. It’s about strategically migrating specific workloads—like web servers, databases, or internal tools—where Linux offers tangible advantages. Consider these key points:

  • Why Linux? Linux dominates modern infrastructure for good reason: it’s open-source, highly customizable, and built for scalability. Tools like Docker, Kubernetes, and Prometheus run natively on Linux, making it the backbone of containerized and cloud-native ecosystems. Windows Server, while robust, often requires more licensing overhead and lacks the same level of community-driven innovation for modern workflows.

  • The Mixed Environment Reality: Your environment won’t be “all Linux” overnight. You’ll manage both Windows and Linux systems simultaneously. This demands new skills: understanding Linux file permissions, systemd services, and command-line workflows, while still maintaining Windows-specific knowledge (like Active Directory integration). The goal isn’t to become a Linux expert overnight—it’s to become proficient enough to manage the migrated workloads effectively.

  • The Strategic Shift: Companies aren’t abandoning Windows—they’re using Linux where it shines. For example, a Windows-based CRM might stay on Windows, but the new analytics dashboard backend could run on a Linux container. This hybrid approach reduces risk and allows teams to adopt Linux incrementally. The key is intentionality: identify workloads where Linux delivers clear benefits (e.g., cost efficiency for stateless apps, better container support, or tighter security controls).

  • The Hidden Challenge: The biggest hurdle isn’t technical—it’s cultural. IT teams used to Windows’s GUI-centric management may resist Linux’s command-line paradigm. But this shift is inevitable. According to the Linux Foundation’s 2023 report, 90% of enterprises now use Linux in production, and 75% plan to increase Linux adoption. The transition isn’t a trend—it’s a fundamental reorientation of how infrastructure is built and maintained.

This isn’t just about servers; it’s about rethinking how we think about infrastructure. Linux isn’t a “replacement” for Windows—it’s a different tool for a different job. Understanding this mindset shift is the first step toward mastering the transition.

Prerequisites: What You Need Before You Start

Before touching a single Linux server, ensure you have the foundational elements in place. Skipping this phase leads to frustration and wasted effort. Here’s what you’ll need:

Hardware & OS Requirements:

  • Hardware: Minimum 2 vCPUs, 4GB RAM, and 20GB disk space per server (for basic workloads). For production, scale up: 4+ vCPUs, 8GB+ RAM, and 50GB+ storage. Example: A web server handling 1000 RPM might need 2 vCPUs, 4GB RAM, and 100GB SSD.
  • OS Choices: Stick to LTS (Long-Term Support) distributions for stability. Ubuntu 22.04 LTS, RHEL 9, or Debian 12 are ideal. Avoid bleeding-edge distros for production—stability trumps novelty.
  • Network: Ensure static IP assignments for servers (avoid DHCP in production). Configure firewalls to allow only necessary ports (e.g., 22 for SSH, 80/443 for HTTP/HTTPS). Critical: Block all inbound traffic by default and open only what’s required.

Software & Tools:

  • Essential Tools: Install git for version control, curl/wget for testing, and jq for JSON parsing. Use sudo for administrative tasks (configure sudoers file to avoid password prompts for trusted users).
  • Version Control: Git is non-negotiable. Store all configuration files (e.g., /etc/nginx/nginx.conf) in a Git repository. This enables rollback and audit trails.
  • Access: Secure remote access via SSH keys (not passwords). Generate a key pair with ssh-keygen, then add the public key to ~/.ssh/authorized_keys on the server. Never use root login—create a dedicated user with sudo privileges.
  • Monitoring: Install basic tools like htop, iotop, and netstat before deployment. These are your first line of defense when troubleshooting.

Security & Permissions:

  • User Management: Create a dedicated user for each service (e.g., nginx for web servers). Never run services as root. Example: sudo adduser --system --group --no-create-home nginx.
  • SELinux/AppArmor: Enable and configure these for mandatory access control. On RHEL, use semanage to allow specific ports; on Ubuntu, adjust AppArmor profiles. Example: sudo aa-enforce /etc/apparmor.d/usr.sbin.nginx.
  • Patch Management: Schedule weekly updates via apt-get update && apt-get upgrade (Debian/Ubuntu) or dnf update (RHEL). Automate this with cron or systemd timers.

Prerequisite Checklist:

  • OS installed and updated to LTS version- [ ] SSH key-based access configured
  • Firewall rules set (e.g., ufw allow 22/tcp, ufw allow 80/tcp)
  • Git repository initialized for configs
  • Dedicated service users created (e.g., appuser for app processes)

Installation & Setup: From Zero to ProductionLet’s walk through a real-world example: deploying a lightweight Nginx web server on Ubuntu 22.04 LTS. This is a common first step in Linux migration—replacing a Windows IIS server with a more efficient, scalable solution.

Step 1: Update the System

1

sudo apt update && sudo apt upgrade -y

Why? Always start with the latest security patches. This command fetches package lists and upgrades all installed packages. -y auto-confirms prompts to avoid manual input during automation.

Step 2: Install Nginx

1

sudo apt install -y nginx

Why? apt install handles dependencies automatically. Nginx is lightweight and ideal for static content or reverse proxying. Verify installation with nginx -v (should show version 1.18+).

Step 3: Configure Nginx

Create a custom config file at /etc/nginx/sites-available/myapp:

1
2
3
4
5
6
7
8
9
10
11

server {
    listen 80;
    server_name example.com;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Line-by-Line Breakdown:

  • listen 80;: Listens on standard HTTP port (80).
  • server_name example.com;: Defines the domain this server responds to.
  • proxy_pass http://localhost:3000;: Forwards requests to a local app on port 3000 (e.g., a Node.js backend).
  • proxy_set_header...: Preserves original client IP and headers for logging and debugging.

Enable the site and test:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

sudo ln -s /etc/nginx/sites-available/myapp /etc/nginx/sites-enabled/
sudo nginx -t  # Test config syntax
sudo systemctl reload nginx  # Apply changes without downtime```
*Critical Note:* Always test configurations with `nginx -t` before reloading. A syntax error will break the service.

#### Step 4: Verify the Setup
Check if Nginx is running:
```bash
systemctl status nginx  # Should show "active (running)"
curl -I http://localhost  # Should return HTTP/1.1 200 OK```
*Troubleshooting Tip:* If `curl` fails, check logs: `sudo tail -f /var/log/nginx/error.log`.

#### Step 5: Automate with Systemd
Create a systemd service file for Nginx (though it’s usually managed by the package, this demonstrates the pattern):
```ini
[Unit]
Description=Nginx Web Server
After=network.target

[Service]
Type=forkingWorkerType=simple
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/usr/sbin/nginx -s reload
PIDFile=/var/run/nginx.pid
LimitNOFILE=65535

[Install]
WantedBy=multi-user.target

Why Systemd? It manages service lifecycle (start, stop, restart) and integrates with logging. The ExecStartPre check ensures the config is valid before starting.

Deployment Checklist:

  • Configuration file validated with nginx -t
  • Service enabled to start on boot: sudo systemctl enable nginx
  • Firewall opened for HTTP: sudo ufw allow 80/tcp
  • Initial access test via browser or curl

Common Pitfalls & Fixes:

  • Port Conflict: If another service uses port 80, change listen 80; to listen 8080; and update firewall rules.
  • Permission Errors: Ensure the nginx user owns the web root: sudo chown -R www-data:www-data /var/www.
  • Config Syntax Errors: Always run nginx -t before reloading.

Configuration & Optimization: Hardening and Scaling

Once the basics are running, focus on security and performance. A poorly configured Linux server is a security risk and a performance bottleneck.

Security Hardening: The Non-Negotiables1. Disable Root Login: Edit /etc/ssh/sshd_config and set PermitRootLogin no. Then restart SSH: sudo systemctl restart sshd.

  1. Firewall Rules: Use ufw to block all incoming traffic by default:
    1
2
3

    sudo ufw default deny incoming   sudo ufw allow 22/tcp  # SSH
sudo ufw allow 80/tcp  # HTTP
sudo ufw enable
  2. Fail2Ban for Brute-Force Protection: Install and configure to block repeated failed login attempts:
    1
2
3

    sudo apt install -y fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo systemctl restart fail2ban

    Configuration Example: In jail.local, set bantime = 600 (block for 10 minutes) and findtime = 600 (look for failures in 10 minutes).

Performance Optimization: Tuning for Scale

  • File System Choices: Use XFS for large files (e.g., databases) and ext4 for general use. Format with mkfs.xfs /dev/sdb.
  • Network Tuning: Adjust kernel parameters for high traffic: bash echo "net.core.somaxconn = 65535" | sudo tee -a /etc/sysctl.conf echo "net.ipv4.ip_local_port_range = 1024 65535" | sudo tee -a /etc/sysctl.conf sudo sysctl -p Why? somaxconn increases the queue size for incoming connections; ip_local_port_range expands the range
Open Source, Reddit Guides, Kubernetes
homelab sysadmin how-to tools kubernetes k8s docker containers
This post is licensed under CC BY 4.0 by the author.