Server 2012 / R2, Server 2016

Deploy Storage Spaces on a Stand-Alone Server

To create a storage space, you must first create one or more storage pools. A storage pool is a collection of physical disks. A storage pool enables storage aggregation, elastic capacity expansion, and delegated administration.

From a storage pool, you can create one or more virtual disks. These virtual disks are also referred to as storage spaces. A storage space appears to the Windows operating system as a regular disk from which you can create formatted volumes. When you create a virtual disk through the File and Storage Services user interface, you can configure the resiliency type (simple, mirror, or parity), the provisioning type (thin or fixed), and the size. Through Windows PowerShell, you can set additional parameters such as the number of columns, the interleave value, and which physical disks in the pool to use.

You cannot use a storage space to host the Windows operating system.


Area Requirement
Disk bus types Serial Attached SCSI (SAS)

Serial Advanced Technology Attachment (SATA)

Note: You can also use USB drives. However, we do not recommend that you use USB drives in a server environment.

Note: Storage Spaces does not support iSCSI and Fibre Channel controllers.

Disk configuration Physical disks must be at least 4 GB.

Disks must be blank and not formatted. Do not create volumes.

HBA considerations We recommend that you use simple host bus adapters (HBAs) that do not support RAID functionality. If RAID capable, HBAs must be in non-RAID mode with all RAID functionality disabled. Adapters must not abstract the physical disks, cache data, or obscure any attached devices. This includes enclosure services that are provided by attached just-a-bunch-of-disks (JBOD) devices. Storage Spaces is compatible only with HBAs where you can completely disable all RAID functionality.
JBOD enclosures A JBOD enclosure is optional. For full Storage Spaces functionality if you are using a JBOD enclosure, verify with your storage vendor that the JBOD enclosure supports Storage Spaces.

To determine whether the JBOD enclosure supports enclosure and slot identification, run the following Windows PowerShell cmdlet:

Get-PhysicalDisk | ? {$_.BusType –eq “SAS”} | fc

If the EnclosureNumber and SlotNumber fields contain values, this indicates that the enclosure supports these features.

Step 1: Create a storage pool

New-StoragePool –FriendlyName StoragePool1 –StorageSubsystemFriendlyName “Storage Spaces*” –PhysicalDisks (Get-PhysicalDisk PhysicalDisk1, PhysicalDisk2, PhysicalDisk3, PhysicalDisk4)

Step 2: Create a virtual disk

New-VirtualDisk –StoragePoolFriendlyName StoragePool1 –FriendlyName VirtualDisk1 –ResiliencySettingName Mirror –UseMaximumSize

Step 3: Create a volume

Get-VirtualDisk –FriendlyName VirtualDisk1 | Get-Disk | Initialize-Disk –Passthru | New-Partition –AssignDriveLetter –UseMaximumSize | Format-Volume

Server 2016

DirectAccess and Firewalls and NAT

When the Forefront UAG DirectAccess server is on the IPv4 Internet

Configure packet filters on your Internet firewall to allow the following types of IPv4 traffic for the Forefront UAG DirectAccess server:

  • Protocol 41 inbound and outbound—For DirectAccess clients that use the 6to4 IPv6 transition technology to encapsulate IPv6 packets with an IPv4 header. In the IPv4 header, the Protocol field is set to 41 to indicate an IPv6 packet payload.
  • UDP destination port 3544 inbound and UDP source port 3544 outbound—For DirectAccess clients that use the Teredo IPv6 transition technology to encapsulate IPv6 packets with an IPv4 and UDP header. The Forefront UAG DirectAccess server is listening on UDP port 3544 for traffic from Teredo-based DirectAccess clients.
  • TCP destination port 443 inbound and TCP source port 443 outbound—For DirectAccess clients that use IP-HTTPS to encapsulate IPv6 packets within an IPv4-based HTTPS session. The Forefront UAG DirectAccess server is listening on TCP port 443 for traffic from IP-HTTPS-based DirectAccess clients.

When the Forefront UAG DirectAccess server is on the IPv6 Internet

Configure packet filters on your Internet firewall to allow the following types of IPv6 traffic for the Forefront UAG DirectAccess server:

  • Protocol 50—Forefront UAG DirectAccess on the IPv6 Internet uses IPsec Encapsulating Security Payload (ESP) to protect the packets to and from the Forefront UAG DirectAccess server without the encapsulation headers required for IPv6 transition technologies. In the IPv6 header, the Protocol field is set to 50 to indicate an ESP-protected payload.
  • UDP destination port 500 inbound and UDP source port 500 outbound—Forefront UAG DirectAccess on the IPv6 Internet uses the Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) protocols to negotiate IPsec security settings. The Forefront UAG DirectAccess server is listening on UDP port 500 for incoming IKE and AuthIP traffic.
  • All ICMPv6 traffic inbound and outbound.”
Hyper-V, Server 2012 / R2, Server 2016

Automatic Virtual Machine Activation

Automatic Virtual Machine Activation was a feature that was added in Windows Server 2012 R2 that enables the activation of your VMs without using a KMS server or MAK key without the requirement of  internet connectivity.  As you create new VMs they activate against the host Hyper-v server. This method of activation only lasts 7 days before the VM renews it’s activation.  Ideal for Datacenter hosts as you can also report on this too.

AVMA requires the Hyper-v host to be running Server 2012 R2 or 2016 Datacenter and it must be activated.   The VMs that run on the host must be at least 2012 R2 or above to activate.  VM’s that can be activated using this method include 2012 R2/2016 Datacenter, Standard and Essentials.

AVMA offers several benefits:

* Activate virtual machines in remote locations
* Activate virtual machines with or without an internet connection
* Track virtual machine usage and licenses from the virtualization server, without requiring any access rights on the virtualized systems


There is no true “configuration” for the virtual machine. When prompted for a license key, you simply give it the key that matches the operating system of the virtual machine.

Guest Operating System Key
Windows Server 2012 R2 Essentials K2XGM-NMBT3-2R6Q8-WF2FK-P36R2
Windows Server 2012 R2 Standard DBGBW-NPF86-BJVTX-K3WKJ-MTB6V
Windows Server 2012 R2 Datacenter Y4TGP-NPTV9-HTC2H-7MGQ3-DV4TW
Windows Server 2016 Essentials B4YNW-62DX9-W8V6M-82649-MHBKQ
Windows Server 2016 Standard C3RCX-M6NRP-6CXC9-TW2F2-4RHYD
Windows Server 2016 Datacenter TMJ3Y-NTRTM-FJYXT-T22BY-CWG3J

In order for the VM’s to talk to the host for activation, the Data Exchange option needs to be activated on the Integration Services.  To ensure this is enabled click on the Settings of the VM and ensure the option is selected.


Powershell, Server 2016

How to access a Nano Server

Because Nano Server does not support a local session, it must be accessed remotely.

IP Address of the Nano Server:
1. Start an elevated PowerShell ISE session.
2. Set the Trusted Host. This is a one-time setting for each remote machine. You’re basically telling your development machine to trust the remote Nano Server.
Set-Item WSMan:\LocalHost\Client\TrustedHosts “”
3. Start the session.
Enter the following commands into the PowerShell ISE command line:
$ip = “” 
$s = New-PSSession -ComputerName $ip -Credential ~\Administrator
Enter-PSSession -Session $s

Powershell, Server 2016

Deploy Network Controller using Windows PowerShell

Install-WindowsFeature -Name NetworkController –IncludeManagementTools


New-NetworkControllerNodeObject –Name <string> -Server <String> -FaultDomain <string>-RestInterface <string> [-NodeCertificate <X509Certificate2>]

Install-NetworkControllerCluster –Node <NetworkControllerNode[]> –ClusterAuthentication <ClusterAuthentication> [-ManagementSecurityGroup <string>][-DiagnosticLogLocation <string>][-LogLocationCredential <PSCredential>] [-CredentialEncryptionCertificate <X509Certificate2>][-Credential <PSCredential>][-CertificateThumbprint <String> ] [-UseSSL][-ComputerName <string>]

Install-NetworkController –Node <NetworkControllerNode[]> –ClientAuthentication <ClientAuthentication> [-ClientCertificateThumbprint <string[]>] [-ClientSecurityGroup <string>] -ServerCertificate <X509Certificate2> [-RESTIPAddress <String>] [-RESTName <String>] [-Credential <PSCredential>][-CertificateThumbprint <String> ] [-UseSSL]

Server 2016

Host Guardian Service in Windows Server 2016

The “Host Guardian Service” (HGS) is a new server role introduced in Windows Server 2016. HGS provides Attestation and Key Protection services that enable Hyper-V to run Shielded virtual machines. A Hyper-V host is known as a “guarded host” once the Attestation service affirmatively validates its identity & configuration. Once affirmatively attested, the Key Protection service provides the transport key (TK) needed to unlock & run Shielded VMs.

Shielded VMs protect VM data and state by supporting a virtual TPM (vTPM) device which allows BitLocker encryption of the VM’s disks. This vTPM device is encrypted with a transport key. HGS is a security critical component that protects the TK. In addition, there are significant security enhancements made across multiple components (including Hyper-V) that raise the security assurance levels for Shielded VMs. For more details on terms like Shielded VMs, guarded fabric, guarded hosts, etc.


or with powershell,


After installing the HGS role, you still need to configure the role to make it a fully functional HGS server. All management of HGS is done through Windows PowerShell.


Networking / Infrastructure, Server 2016

Publishing Remote Desktop Gateway through Web Application Proxy

If you want to restrict access to your Remote Access Gateway and add pre-authentication for remote access, you can roll it out through Web Application Proxy. This is a really good way to make sure you have rich pre-authentication for RDG including MFA. Publishing without pre-authentication is also an option and provides a single point of entry into your systems.

How to publish an application in RDG using Web Application Proxy pass-through authentication

  1. Installation will be different depending on whether your RD Web Access (/rdweb) and RD Gateway (rpc) roles are on the same server or on different servers.


  2. If the RD Web Access and RD Gateway roles are hosted on the same RDG server, you can simply publish the root FQDN in Web Application Proxy such as,

    You can also publish the two virtual directories individually e.g. and


  3. If the RD Web Access and the RD Gateway are hosted on separate RDG servers, you have to publish the two virtual directories individually. You can use the same or different external FQDN’s e.g. and


  4. If the External and Internal FQDN’s are different you should disable request header translation on the RDWeb publishing rule. This can be done by running the following PowerShell script on the Web Application Proxy server

    Get-WebApplicationProxyApplication applicationname | Set-WebApplicationProxyApplication -DisableTranslateUrlInRequestHeaders:$true
    If you need to support rich clients such as RemoteApp and Desktop Connections or iOS Remote Desktop connections, these do not support pre-authentication so you have to publish RDG using pass-through authentication.
 To Publish a Web application;
Add-WebApplicationProxyApplication -Name “CompApp”
-ExternalPreauthentication ADFS -ExternalUrl
-ExternalCertificateThumbprint “70DF0AB8434060DC869D37BBAEF770ED5DD0C32B”
-BackendServerUrl http://CompApp:8080/ -ADFSRelyingPartyName “CompAppRP”
to omit external preauthentication;
Add-WebApplicationProxyApplication -Name “CompApp” -BackendServerUrl http://CompApp/ -ExternalUrl
-ExternalPreauthentication “PassThrough” -ExternalCertificateThumbprint “A1A657E1A4F276FCC45613C0F6B3BC91AFC4633C”