Containers, Server 2016

Windows Server 2016 version 1709

Most IT administrators have been waiting for a release and probably another “R2” version of Server 2016 just like the previous Server editions but Microsoft has changed a few things. This version is called 1709 which is a combination of the year 2017 and September (9th month) release. I think they are following the same approach as they did for the System Center products.

Starting with this release, you have two options for receiving Windows Server feature updates:

  • Long-Term Servicing Channel (LTSC): This is business as usual with 5 years of mainstream support and 5 years of extended support. You have the option to upgrade to the next LTSC release every 2-3 years in the same way that has been supported for the last 20 years.
  • Semi-Annual Channel (SAC): This is a Software Assurance benefit and is fully supported in production. The difference is that it is supported for 18 months and there will be a new version every six months. Windows Server, version 1709 runs in Server Core mode. That means there is no graphical user interface, so you manage it remotely.

Other Improvements such as;

  • The Server Core container image has been further optimized for lift-and-shift scenarios where you can migrate existing code bases or applications into containers with minimal changes, and it’s also 60% smaller.
  • The Nano Server container image is nearly 80% smaller.
    • In the Windows Server Semi-Annual Channel, Nano Server as a container base OS image is decreased from 390 MB to 80 MB.
  • Linux containers with Hyper-V isolation

Microsoft introduced a new management tool “Project Honolulu“. It includes next generation tooling with a simplified, integrated, secure, and extensible interface. Project Honolulu includes an intuitive all-new management experience for managing PCs, Windows servers, Failover Clusters, as well as hyper-converged infrastructure based on Storage Spaces Direct, reducing operational costs.

Those running Server 2016 today shouldn’t treat 1709 as a feature update to 2016, officials said. To move from Windows Server 2016 or earlier versions of Windows Server to 1709, users must run a clean install, as no in-place upgrades are supported. Those who want Semi-Annual Channel releases need Software Assurance for their Windows Server licenses or be willing to use the Semi-Annual Channel releases hosted on Azure or other cloud-hosted environments. Windows Server Essentials releases will only be available in LTSC; Standard or Datacenter are the only supported editions in the Semi-Annual Channel.

A few other things to mention; Nano Server is available as a container operating system. This release no longer installs the SMB1 client and server by default. Additionally, the ability to authenticate as a guest in SMB2 and later is off by default. Storage Spaces Direct is not in this release, administrators cannot add servers running 1709 to deployments of Windows Server 2016 where Storage Spaces Direct is being used. Data Deduplication now supports ReFS.

Keep in mind that Windows Server, version 1709 is NOT an update to Windows Server 2016. It’s in the Semi-Annual Channel. Windows Server 2016 is in the Long-Term Servicing Channel. If you need the Desktop Experience, you should stay on the LTSC by sticking with the current Windows Server 2016.



Hyper-V, Server 2012 / R2, Server 2016, Virtualization

Advantages of Generation 2 VMs

Generation 2 VMs use synthetic drivers and software-based devices instead, and provide
advantages that include the following:

  • UEFI boot Instead of using the traditional BIOS, Generation 2 VMs support Secure Boot, using the Universal Extensible Firmware Interface (UEFI), which requires a system to boot from digitally signed drivers and enables them to boot from drives larger than 2 TB, with GUID partition tables. UEFI is fully emulated in VMs, regardless of the firmware in the physical host server.
  • SCSI disks Generation 2 VMs omit the IDE disk controller used by Generation 1 VMs to boot the system and use a high-performance virtual SCSI controller for all disks, enabling the VMs to boot from VHDX files, support up to 64 devices per controller, and perform hot disk adds and removes.
  • PXE boot The native virtual network adapter in Generation 2 VMs supports booting from a network server using the Preboot Execution Environment (PXE). Generation 1 VMs require you to use the legacy network adapter to support PXE booting.
  • SCSI boot Generation 2 VMs can boot from a SCSI device, which Generation 1 VMs cannot. Generation 2 VMs have no IDE or floppy controller support, and therefore cannot boot from these devices.
  • Boot volume size Generation 2 VMs can boot from a volume up to 64 TB in size, while Generation 1 boot volumes are limited to 2 TB.
  • VHDX boot volume resizing In a Generation 2 VM, you can expand or reduce a VHDX boot volume while the VM is running.
  • Software-based peripherals The keyboard, mouse, and videos drivers in a Generation 2 VM are software-based, not emulated, so they are less resource-intensive and provide a more secure environment.
  • Hot network adapters In Generation 2 VMs, you can add and remove virtual network adapters while the VM is running.
  • Enhanced Session Mode Generation 2 VMs support Enhanced Session Mode, which provides Hyper-V Manager and VMConnect connections to the VM with additional capabilities, such as audio, clipboard support, printer access, and USB devices.
  • Shielded virtual machines Generation 2 VMs can be shielded, so that the disk and the system state are encrypted and accessible only by authorized administrators.
  • Storage Spaces Direct Generation 2 VMs running Windows Server 2016 Datacenter Edition support Storage Spaces Direct, which can provide a high-performance, faulttolerant storage solution using local drives



Switching between Core edition and Full GUI in Server 2016

In Windows Server 2016, you can no longer add or remove the GUI elements after the
operating system installation. In addition, there is no Minimal Server Interface option, as in Windows Server 2012 R2. This means that, at installation time, you must choose between a full graphical interface, similar to that of Windows 10, and a command line only. In Windows Server 2012 R2, it was possible to install and configure the server using the full GUI option, and then remove GUI features once the server was up and running. This is no longer possible.

Server 2016

Determine which editions of Server 2016 you need?

Windows Server 2016 is available in multiple editions, with varying prices and features. To select an edition for your server deployment, you should consider the following questions:
What roles and features will you need to run on the server?
How will you obtain licenses for the servers?
Will you be running Windows Server 2016 on virtual or physical machines?

The current trend in server deployment is to use relatively small servers that perform a single task, rather than large servers that perform many tasks. In cloud deployments, whether public, private, or hybrid, it is common to see virtual machines performing one role, such as a web server or a DNS server. It is for this reason that Microsoft introduced the Server Core installation option in Windows Server 2008 and Nano Server in Windows Server 2016, so that virtual machines could function with a smaller resource footprint. Before you choose an installation option, however, you must select the appropriate Windows Server 2016 edition for the server workload you intend to implement. The Windows Server 2016 editions are as follows:

Windows Server 2016 Datacenter The Datacenter edition is intended for large and
powerful servers in a highly virtualized environment. The license allows for an unlim-ited number of operating system environments (OSEs) or Hyper-V containers. The
Datacenter edition also includes additional features not available in the other editions,
such as Storage Spaces Direct, Storage Replica, shielded virtual machines, and a new
networking stack with additional virtualization options.
Windows Server 2016 Standard The Standard edition license allows for two OSEs
and includes the same core set of features as the Datacenter edition. However, it lacks
the new storage and networking features listed in the Datacenter description.
Windows Server 2016 Essentials The Essentials edition includes nearly all the
features in the Standard and Datacenter editions; it does not include the Server Core
installation option. The Essentials edition is also limited to one OSE (physical or virtual)
and a maximum of 25 users and 50 devices. Unlike the Standard and Datacenter
editions, Essential includes a confi guration wizard that installs and confi gures Active
Directory Domain Services and other essential components needed for a single-server
Windows Server 2016 MultiPoint Premium Server Available only through academic
licensing, the Multipoint edition enables multiple users to access a single server
Windows Storage Server 2016 Server Available only through original equipment
manufacturer (OEM) channels, the Storage Server edition is bundled as part of a
dedicated storage hardware solution.
Windows Hyper-V Server 2016 Available at no cost, the Hyper-V Server edition is a
hypervisor-only download, without a graphical interface, that hosts virtual machines as
its only function.

In Windows Server 2012, the Datacenter and Standard editions were functionally identical. The only difference was in the number of Hyper-V virtual machines the license authorized you to create.

In Windows Server 2016, the Datacenter edition includes several new features that
could affect your decision to choose that edition over Standard. The features in the Datacenter edition that are not included in the Standard edition are as follows:
Storage Spaces Direct Enables administrators to use relatively inexpensive drive
arrays to create high-availability storage solutions. Instead of using an expensive array
or controller with built-in storage management intelligence, the intelligence is incorporated into the operating system, enabling the use of inexpensive JBOD (just a bunch of disks) arrays.

Storage Replica Provides storage-agnostic, synchronous or asynchronous volume replication
between local or remote servers, using the Server Message Blocks Version 3 protocol.
Shielded virtual machines Provides VMs with protection from compromised
administrators that have access to the Hyper-V host computer by encrypting the VM
state and its virtual disks.
Network controller Provides a central automation point for network infrastructure
configuration, monitoring, and troubleshooting.
For most organizations, the selection of an edition will be based on cost. The Essentials
edition is inexpensive and easy to deploy, but it is limited in its features. For a small organization, it can be ideal, however.

Hyper-V, Server 2012 / R2, Server 2016, Virtualization

Enabling SR-IOV on VMs

The single root I/O virtualization (SR-IOV) interface is an extension to the PCI Express (PCIe) specification. SR-IOV allows a device, such as a network adapter, to separate access to its resources among various PCIe hardware functions. SR-IOV enables network traffic to bypass the software switch layer of the Hyper-V virtualization stack. Because the VF is assigned to a child partition, the network traffic flows directly between the VF and child partition. As a result, the I/O overhead in the software emulation layer is diminished and achieves network performance that is nearly the same performance as in nonvirtualized environments.

Technically, there are two functions implemented by SR-IOV: physical functions (PFs) and virtual functions (VFs). There are a number of PCI devices available in which the PFs have been implemented, but Microsoft Hyper-V provides SR-IOV support only for networking. In other words, Microsoft Hyper-V provides VFs to allow VMs to communicate to the physical network adapters directly. Since the VMs can communicate directly with the physical network adapters, organizations may benefit from increasing I/O throughput, reducing CPU utilization on Hyper-V hosts for processing network traffic, and reducing network latency by enabling direct communication. Before you can use SR-IOV for a Hyper-V VM, you will need to meet the following prerequisites:

  • The SR-IOV functionality is currently only available to Windows 8 and Windows Server 2012 guests.
  • Hyper-V must be running on a Windows Server 2012 or later operating system.
  • You must have an SR-IOV-capable physical network adapter that implements the PFs and can understand the VFs’ requests coming from the VMs.
  • You must have an external virtual switch that can understand the SR-IOV traffic.
  • The server’s motherboard chipset must also support SR-IOV.

Enabling SR-IOV is a two-step approach. First, you need to create an external switch and enablecSR_IOV or if there is one already created but SR-IOV not enabled, you will need to delete this as this can only be enabled while you are creating the switch. Once the SR-IOV is enabled on the external virtual switch, you can enable SR-IOV on the VMs by checking the “Enable SR-IOV” checkbox found under the “Hardware Acceleration” under Network Adapter settings on the VM’s properties.






Server 2012 / R2, Server 2016

Add Servers to Server Manager

As you add remote servers to Server Manager, some of the servers that you add might require different user account credentials to access or manage them. To specify credentials for a managed server that are different from those you use to log on to the computer on which you are running Server Manager, use the Manage As command after you add a server to Server Manager, which is accessible by right-clicking the entry for a managed server in the Servers tile of a role or group home page. Clicking Manage As opens the Windows Security dialog box, in which you can provide a user name that has access rights on the managed server.

Add and manage servers in workgroups;

 Although adding servers that are in workgroups to Server Manager might be successful, after they are added, the Manageability column of the Servers tile—on a role or group page that includes a workgroup server—can display Credentials not valid errors that occur while trying to connect to or collect data from the remote, workgroup server.

These or similar errors can occur in the following conditions.

  • The managed server is in the same workgroup as the computer that is running Server Manager.
  • The managed server is in a different workgroup from the computer that is running Server Manager.
  • One of the computers is in a workgroup, while the other is in a domain.
  • The computer that is running Server Manager is in a workgroup, and remote, managed servers are on a different subnet.
  • Both computers are in domains, but there is no trust relationship between the two domains.
  • Both computers are in domains, but there is only a one-way trust relationship between the two domains.
  • The server you want to manage has been added by using its IP address.

To add remote workgroup servers to Server Manager

  1. On the computer that is running Server Manager, add the workgroup server name to the TrustedHosts list. This is a requirement of NTLM authentication. To add a computer name to an existing list of trusted hosts, add the Concatenate parameter to the command. For example, to add the Server01 computer to an existing list of trusted hosts, use the following command.

    Set-Item wsman:\localhost\Client\TrustedHosts ServerName -Concatenate -Force


  2. Determine whether the workgroup server that you want to manage is in the same subnet as the computer on which you are running Server Manager.

    If the two computers are in the same subnet, or if the workgroup server’s network profile is set to Private in the Network and Sharing Center, go on to the next step.

    If they are not in the same subnet, or if the workgroup server’s network profile is not set to Private, on the workgroup server, change the inbound Windows Remote Management (HTTP-In) setting in Windows Firewall to explicitly allow connections from remote computers by adding the computer names on the Computers tab of the setting’s Properties dialog box.

  3. To override UAC restrictions on running elevated processes on workgroup computers, create a registry entry called LocalAccountTokenFilterPolicy on the workgroup server by running the following cmdlet.

New-ItemProperty -Name LocalAccountTokenFilterPolicy -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -propertyType DWord -value 1

Server 2016

Remote Access server role in Server 2016

The Remote Access server role is a logical grouping of the following related network access technologies.+

  • Remote Access Service (RAS)
  • Routing
  • Web Application Proxy


  • Routing and Remote Access Services –Users a virtual Private network (VPN) to support connectivity.
  • Direct Access –allow remote and users within an organization secure access to file, document and other resources without the needing a VPN
  • Web Application Proxy –supports end users access to applications from outside of a corporate network by using reverse proxy authentication.

Remote Access Service (RAS) – RAS Gateway

When you install the DirectAccess and VPN (RAS) role service, you are deploying the Remote Access Service Gateway (RAS Gateway). You can deploy the RAS Gateway a single tenant RAS Gateway virtual private network (VPN) server, a multitenant RAS Gateway VPN server, and as a DirectAccess server.

    • RAS Gateway – Single Tenant. By using RAS Gateway, you can deploy VPN connections to provide end users with remote access to your organization’s network and resources. If your clients are running Windows 10, you can deploy Always On VPN, which maintains a persistent connection between clients and your organization network whenever remote computers are connected to the Internet. With RAS Gateway, you can also create a site-to-site VPN connection between two servers at different locations, such as between your primary office and a branch office, and use Network Address Translation (NAT) so that users inside the network can access external resources, such as the Internet. In addition, RAS Gateway supports Border Gateway Protocol (BGP), which provides dynamic routing services when your remote office locations also have edge gateways that support BGP.
    • RAS Gateway – Multitenant. You can deploy RAS Gateway as a multitenant, software-based edge gateway and router when you are using Hyper-V Network Virtualization or you have VM networks deployed with virtual Local Area Networks (VLANs). With the RAS Gateway, Cloud Service Providers (CSPs) and Enterprises can enable datacenter and cloud network traffic routing between virtual and physical networks, including the Internet. With the RAS Gateway, your tenants can use point-so-site VPN connections to access their VM network resources in the datacenter from anywhere. You can also provide tenants with site-to-site VPN connections between their remote sites and your CSP datacenter. In addition, you can configure the RAS Gateway with BGP for dynamic routing, and you can enable Network Address Translation (NAT) to provide Internet access for VMs on VM networks.

    • DirectAccess. DirectAccess enables remote users to securely access shared resources, intranet Web sites, and applications on an internal network without connecting to a VPN. DirectAccess establishes bi-directional connectivity with an internal network every time a DirectAccess-enabled computer is connected to the Internet. Users never have to think about connecting to the internal network, and IT administrators can manage remote computers outside the office, even when the computers are not connected via VPN.


You can use Remote Access to route network traffic between subnets on your Local Area Network. Routing provides support for Network Address Translation (NAT) routers, LAN routers running BGP, Routing Information Protocol (RIP), and multicast-capable routers using Internet Group Management Protocol (IGMP). As a full-featured router, you can deploy RAS on either a server computer or as a virtual machine (VM) on a computer that is running Hyper-V.

To install Remote Access as a LAN router, either use the Add Roles and Features Wizard in Server Manager and select the Remote Access server role and the Routing role service; or type the following command at a Windows PowerShell prompt, and then press ENTER.

Install-RemoteAccess -VpnType RoutingOnly

Web Application Proxy

Web Application Proxy is a Remote Access role service in Windows Server 2016. Web Application Proxy provides reverse proxy functionality for web applications inside your corporate network to allow users on any device to access them from outside the corporate network. Web Application Proxy pre-authenticates access to web applications using Active Directory Federation Services (AD FS), and also functions as an AD FS proxy.+

To install Remote Access as a Web Application Proxy, either use the Add Roles and Features Wizard in Server Manager and select the Remote Access server role and the Web Application Proxy role service; or type the following command at a Windows PowerShell prompt, and then press ENTER.

Install-RemoteAccess -VpnType SstpProxy