Containers, Docker, Hyper-V, Nano Server, Server 2016

Windows Containers on Windows Server 2016

I am running these on Windows 10 Pro and I have got Hyper-V feature enabled. Created a few VMs on this hyper-v host.

Prerequisites: One computer system (physical or virtual) running Windows Server 2016.

Critical updates are needed in order for the Windows Container feature to function. Please install all updates before working through this tutorial.

To install Docker we’ll use the OneGet provider PowerShell module which works with providers to perform the installation, in this case the MicrosoftDockerProvider. The provider enables the containers feature on your machine. You also install Docker which requires a reboot. Docker is required in order to work with Windows containers. It consists of the Docker Engine and the Docker client.+

Fist I have enabled Containers Feature on my server going in to Add Roles and Features



Then run a PowerShell command prompt as an administrator;

First, install the Docker-Microsoft PackageManagement Provider from the PowerShell Gallery.

Install-Module -Name DockerMsftProvider -Repository PSGallery -Force


Secondly you use the PackageManagement PowerShell module to install the latest version of Docker.

Install-Package -Name docker -ProviderName DockerMsftProvider


This indicates we need KB3176936 to be installed on my server. I will use Windows Updates to bring my server up-to-date.



Looks like we are good to carry on, I will run the same command one more time to see if it is going to run…


All good so far. And run Restart-Computer -Force to restart to complete configurations.

Just to check the installed version….


I downloaded a pre-created .NET sample image from the Docker Hub registry and deploy a simple container running a .Net Hello World application.

Use docker run to deploy the .Net container. This will also download the container image which may take a few minutes.

docker run microsoft/dotnet-samples:dotnetapp-nanoserver


I had to start Docker service after my reboot otherwise I get the error in the image..

Start-Service Docker

Once all the downloads completed…..


There you have it.

Hyper-V, Nano Server, Server 2016

Roles and Features for a Nano Server

For Windows Server 2016, Nano Server is distributed on the physical media, where you will find a NanoServer folder; this contains a .wim image and a subfolder called Packages. It is these package files that you use to add server roles and features to the VHD image, which you then boot to.


You can also find and install these packages with the the NanoServerPackage provider of PackageManagement (OneGet) PowerShell module.


This table shows the roles and features that are available in this release of Nano Server, along with the Windows PowerShell options that will install the packages for them. Some packages are installed directly with their own Windows PowerShell switches (such as -Compute); others you install by passing package names to the -Package parameter, which you can combine in a comma-separated list. You can dynamically list available packages using the Get-NanoServerPackage cmdlet.

Role or feature Option
Hyper-V role (including NetQoS) -Compute
Failover Clustering and other components, detailed after this table -Clustering
Basic drivers for a variety of network adapters and storage controllers. This is the same set of drivers included in a Server Core installation of Windows Server 2016. -OEMDrivers
File Server role and other storage components, detailed after this table -Storage
Windows Defender, including a default signature file -Defender
Reverse forwarders for application compatibility, for example common application frameworks such as Ruby, Node.js, etc. Now included by default
DNS Server role -Package Microsoft-NanoServer-DNS-Package
PowerShell Desired State Configuration (DSC) -Package Microsoft-NanoServer-DSC-Package
Internet Information Server (IIS) -Package Microsoft-NanoServer-IIS-Package
Host support for Windows Containers -Containers
System Center Virtual Machine Manager agent -Package Microsoft-NanoServer-SCVMM-Package
-Package Microsoft-NanoServer-SCVMM-Compute-Package
Note: Use the SCVMM Compute package only if you are monitoring Hyper-V. For hyper-converged deployments in VMM, you should also specify the -Storage parameter.
System Center Operations Manager agent Installed separately.
Data Center Bridging (including DCBQoS) -Package Microsoft-NanoServer-DCB-Package
Deploying on a virtual machine -Package Microsoft-NanoServer-Guest-Package
Deploying on a physical machine – Package Microsoft-NanoServer-Host-Package
BitLocker, trusted platform module (TPM), volume encryption, platform identification, cryptography providers, and other functionality related to secure startup -Package Microsoft-NanoServer-SecureStartup-Package
Hyper-V support for Shielded VMs -Package Microsoft-NanoServer-ShieldedVM-Package
Note: This package is only available for the Datacenter edition of Nano Server.
Simple Network Management Protocol (SNMP) agent -Package
Note: Not included with Windows Server 2016 installation media. Available online only.
IPHelper service which provides tunnel connectivity using IPv6 transition technologies (6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS -Package
Note: Not included with Windows Server 2016 installation media. Available online only.

Failover Clustering items installed by the -Clustering parameter

  • Failover Clustering role
  • VM Failover Clustering
  • Storage Spaces Direct (S2D)
  • Storage Quality of Service
  • Volume Replication Clustering
  • SMB Witness Service

File and storage items installed by the -Storage parameter

  • File Server role
  • Data Deduplication
  • Multipath I/O, including a driver for Microsoft Device-Specific Module (MSDSM)
  • ReFS (v1 and v2)
  • iSCSI Initiator (but not iSCSI Target)
  • Storage Replica
  • Storage Management Service with SMI-S support
  • SMB Witness Service
  • Dynamic Volumes
  • Basic Windows storage providers (for Windows Storage Management)


Failover Clustering

Import-PackageProvider NanoServerPackage

find-NanoServerPackage -Name *

install-NanoServerPackage -name Microsoft-NanoServer-FailoverCluster-Package -culture en-us


Import-PackageProvider NanoServerPackage

find-NanoServerPackage -Name *

install-NanoServerPackage -name Microsoft-NanoServer-DNS-Package -culture en-us

Enable-WindowsOptionalFeature -Online -FeatureName DNS-Server-Full-Role


Hyper-V –

Import-PackageProvider NanoServerPackage

find-NanoServerPackage -Name *

install-NanoServerPackage -name Microsoft-NanoServer-Compute-Package -culture en-us


Hyper-V, Nano Server, Server 2016

How to deploy a Nano Server 2016

Nano Server is a remotely administered server operating system optimized for private clouds and datacenters. It is similar to Windows Server in Server Core mode, but significantly smaller, has no local logon capability, and only supports 64-bit applications, tools, and agents. It takes up far less disk space, sets up significantly faster, and requires far fewer updates and restarts than Windows Server. When it does restart, it restarts much faster. The Nano Server installation option is available for Standard and Datacenter editions of Windows Server 2016.

So let’s start, first of all, I have mounted my Server 2016 ISO file on to my desktop and copied the NanoServer folder on to my local drive.

NANO file

We have got a few things here that we will need to create our VHDX file for our VM.


Start Windows PowerShell as an administrator, change directory to the folder where you have placed the NanoServer folder and then import the module with;

Import-Module .\NanoServerImageGenerator -Verbose


As you see from the image you need to change your execution policy to run this command otherwise you will get error message like the one in the image.

Set-ExecutionPolicy RemoteSigned

This will allow us to run all the commandlets for nano server.

Next is to create our VHDX file.

New-NanoServerImage -Edition Standard -DeploymentType Guest -MediaPath <path to root of media> -BasePath .\Base -TargetPath .\NanoServerVM\NanoServerVM.vhd -ComputerName <computer name>





So, this creates a VHDX from an ISO mounted as I:\. When creating the VHDX it will use a folder called Base in the same directory where you ran New-NanoServerImage; it will place the VHDX (called NanoServer1.vhdx) in a folder called NanoServer in the folder from where the command is run. The computer name will be NanoServer1. The resulting VHDX will contain the Standard edition of Windows Server 2016 and will be suitable for Hyper-V virtual machine deployment. If you want a Generation 1 virtual machine, create a VHD image by specifying a .vhd extension for -TargetPath. For a Generation 2 virtual machine, create a VHDX image by specifying a .vhdx extension for -TargetPath. You can also directly generate a WIM file by specifying a .wim extension for -TargetPath.

What we see within our folder;


Our final step is to use our Hyper-V Server to create a VM using thi VHDX file.

From hyper-v manager > create a virtual machine > starts with a wizard > Give a name and use the option “Use an existing virtual hard disk and locate the VHDX file we have just created. And finish the wizard.


You will see the first screen


Use the credentials you use to create this VM, you will be asked to change this password. Log on;

second screen

This is all you get; Configure the Networking and firewall rules for SMB and ICMP traffic ….

You can only manage this server remotely but you need to create a trust. Go to a member server and open up a PowerShell command;

Set-item wsman:\localhost\client\trustedhosts -value [IP address of your nano server]



Then you can run

Enter-PSSession -ComputerName NanoServer1

Hyper-V, Server 2012 / R2, Server 2016, Virtualization

Hyper-V Integration Services

Hyper-V Integration Services allow a virtual machine to communicate with the Hyper-V host. Many of these services are conveniences, such as guest file copy, while others are important to the virtual machine’s ability to function correctly, such as time synchronization. This set of services are sometimes referred to as integration components,


The Integration Services pane lists all integration services available on the Hyper-V host, and whether they’re turned on in the virtual machine. To get the version information for a guest operating system, log on to the guest operating system, open a command prompt, and run this command:

REG QUERY “HKLM\Software\Microsoft\Virtual Machine\Auto” /v IntegrationServicesVersion


Integration services

Name Windows Service Name Linux Daemon Name Description Impact on VM when disabled
Hyper-V Heartbeat Service vmicheartbeat hv_utils Reports that the virtual machine is running correctly. Varies
Hyper-V Guest Shutdown Service vmicshutdown hv_utils Allows the host to trigger virtual machines shutdown. High
Hyper-V Time Synchronization Service vmictimesync hv_utils Synchronizes the virtual machine’s clock with the host computer’s clock. High
Hyper-V Data Exchange Service (KVP) vmickvpexchange hv_kvp_daemon Provides a way to exchange basic metadata b etween the virtual machine and the host. Medium
Hyper-V Volume Shadow Copy Requestor vmicvss hv_vss_daemon Allows Volume Shadow Copy Service to back up the virtual machine with out shutting it down. Varies
Hyper-V Guest Service Interface vmicguestinterface hv_fcopy_daemon Provides an interface for the Hyper-V host to copy files to or from the virtual machine. Low
Hyper-V PowerShell Direct Service vmicvmsession not available Provides a way to manage virtual machine with PowerShell without a network connection. Low

Use Windows PowerShell to turn a integration service on or off

To do this in PowerShell, use Enable-VMIntegrationService and Disable-VMIntegrationService.

Get-VMIntegrationService -VMName “TestVM”

VMName Name Enabled PrimaryStatusDescription SecondaryStatusDescription
—— —- ——- ———————— ————————–
TestVM Guest Service Interface      False OK
TestVM Heartbeat                              True OK                                 OK
TestVM Key-Value Pair Exchange   True OK
TestVM Shutdown                              True OK
TestVM Time Synchronization        True OK
TestVM VSS                                          True OK

                                    Services Overview

Hyper-V Guest Shutdown Service

Windows Service Name: vmicshutdown
Linux Daemon Name: hv_utils
Description: Allows the Hyper-V host to request that the virtual machine shutdown. The host can always force the virtual machine to turn off, but that is like flipping the power switch as opposed to selecting shutdown.
Added In: Windows Server 2012, Windows 8
Impact: High Impact When disabled, the host can’t trigger a friendly shutdown inside the virtual machine. All shutdowns will be a hard power-off wich could cause data loss or data corruption.

Hyper-V Time Synchronization Service

Windows Service Name: vmictimesync
Linux Daemon Name: hv_utils
Description: Synchronizes the virtual machine’s system clock with the system clock of the physical computer.
Added In: Windows Server 2012, Windows 8
Impact: High Impact When disabled, the virtual machine’s clock will drift erratically.

Hyper-V Data Exchange Service (KVP)

Windows Service Name: vmickvpexchange
Linux Daemon Name: hv_kvp_daemon
Description: Provides a mechanism to exchange basic metadata between the virtual machine and the host.
Added In: Windows Server 2012, Windows 8
Impact: When disabled, virtual machines running Windows 8 or Windows Server 2012 or earlier will not receive updates to Hyper-V integration services. Disabling data exchange may also impact some kinds of monitoring and host-side diagnostics.+

The data exchange service (sometimes called KVP) shares small amounts of machine information between virtual machine and the Hyper-V host using key-value pairs (KVP) through the Windows registry. The same mechanism can also be used to share customized data between the virtual machine and the host.

Hyper-V Volume Shadow Copy Requestor

Windows Service Name: vmicvss
Linux Daemon Name: hv_vss_daemon
Description: Allows Volume Shadow Copy Service to back up applications and data on the virtual machine.
Added In: Windows Server 2012, Windows 8
Impact: When disabled, the virtual machine can not be backed up while running (using VSS).+

The Volume Shadow Copy Requestor integration service is required for Volume Shadow Copy Service (VSS). The Volume Shadow Copy Service (VSS) captures and copies images for backup on running systems, particularly servers, without unduly degrading the performance and stability of the services they provide. This integration service makes that possible by coordinating the virtual machine’s workloads with the host’s backup process.

Hyper-V Guest Service Interface

Windows Service Name: vmicguestinterface
Linux Daemon Name: hv_fcopy_daemon
Description: Provides an interface for the Hyper-V host to bidirectionally copy files to or from the virtual machine.
Added In: Windows Server 2012 R2, Windows 8.1
Impact: When disabled, the host can not copy files to and from the guest using Copy-VMFile.

Hyper-V PowerShell Direct Service

Windows Service Name: vmicvmsession
Linux Daemon Name: n/a
Description: Provides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.
Added In: Windows Server TP3, Windows 10
Impact: Disabling this service prevents the host from being able to connect to the virtual machine with PowerShell Direct.

The service name was originally was Hyper-V VM Session Service.
PowerShell Direct is under active development and only available on Windows 10/Windows Server Technical Preview 3 or later hosts/guests.

PowerShell Direct allows PowerShell management inside a virtual machine from the Hyper-V host regardless of any network configuration or remote management settings on either the Hyper-V host or the virtual machine. This makes it easier for Hyper-V Administrators to automate and script management and configuration tasks.

Server 2016

Workgroup and Multi-domain clusters in Windows Server 2016

In Windows Server 2012 R2 and previous versions, a cluster could only be created between member nodes joined to the same domain. Windows Server 2016 breaks down these barriers and introduces the ability to create a Failover Cluster without Active Directory dependencies. Failover Clusters can now therefore be created in the following configurations:

  • Single-domain Clusters: Clusters with all nodes joined to the same domain and

  • Multi-domain Clusters: Clusters with nodes which are members of different domains and Server3.def.local

  • Workgroup Clusters: Clusters with nodes which are member servers / workgroup (not domain joined)

ServerA and ServerB


The prerequisites for Single-domain clusters are unchanged from previous versions of Windows Server.

  • All servers must be running Windows Server 2016.
  • All servers must have the Failover Clustering feature installed.
  • All servers must use logo’d hardware that has been certified and the collection of servers must pass all cluster validation tests.

In addition to the pre-requisites of Single-domain clusters, the following are the pre-requisites for Multi-domain or Workgroup clusters in the Windows Server 2016:

  • To create a new cluster or to add nodes to the cluster, a local account needs to be provisioned on all nodes of the cluster (as well as the node from which the operation is invoked) with the following requirements:
    1. Create a local ‘User’ account on each node in the cluster
    2. The username and password of the account must be the same on all nodes
    3. The account is a member of the local ‘Administrators’ group on each node
    4. When using a non-builtin local administrator account to create the cluster, set the LocalAccountTokenFilterPolicyregistry policy to 1, on all the nodes of the cluster. Builtin administrator accounts include the ‘Administrator’ account. You can set the LocalAccountTokenFilterPolicy registry policy as follows:
    •  On each node of the cluster launch a Microsoft PowerShell shell as an administrator and type:
new-itemproperty -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1
  • The Failover Cluster needs to be created as an Active Directory-Detached Cluster without any associated computer objects. Therefore, the cluster needs to have a Cluster Network Name (also known as administrative access point) of type DNS.
  • Primary DNS Suffix Requirements
    • Each cluster node needs to have a primary DNS suffix.
    • For Multi-domain Clusters: The DNS suffix for all the domains in the cluster, should be present on all cluster nodes…

Note:  Active Directory-detached cluster. Using this deployment method enables you to create a failover cluster without the previously required permissions for creating computer objects in AD DS or the need to request that computer objects are prestaged in AD DS.

When you create an Active Directory-detached cluster, the cluster network name (also known as the administrative access point) and network names for any clustered roles with client access points are registered in Domain Name System (DNS). However, no computer objects are created for the cluster in AD DS. This includes the computer object for the cluster (also known as the cluster name object or CNO) and computer objects for any clustered roles that would typically have client access points in AD DS (also known as virtual computer objects or VCOs).

If you are using PowerShell, when creating the cluster, use the AdministrativeAccessPoint switch to specify a type of DNS so that the cluster does not attempt to create computer objects.

New-Cluster –Name <Cluster Name> -Node <Nodes to Cluster> -AdministrativeAccessPoint DNS



The following table summarizes whether this deployment method is supported for a specific cluster workload.

Cluster Workload Supported/Not Supported More Information
SQL Server Supported We recommend that you use SQL Server Authentication for an Active Directory-detached cluster deployment.
File server Supported, but not recommended Kerberos authentication is the preferred authentication protocol for Server Message Block (SMB) traffic.
Hyper-V Supported, but not recommended Live migration is not supported because it has a dependency on Kerberos authentication.

Quick migration is supported.

Message Queuing (also known as MSMQ) Not supported Message Queuing stores properties in AD DS.

NOTE: An Active Directory-detached cluster uses Kerberos authentication for intracluster communication. However, when authentication against the cluster network name is required, the cluster uses NTLM authentication. Therefore, we do not recommend this deployment method for any scenario that requires Kerberos authentication.

Quorum Configuration

The witness type recommended for Workgroup clusters and Multi-domain clusters is a Cloud Witness or Disk Witness.  File Share Witness (FSW) is not supported with a Workgroup or Multi-domain cluster.


It is recommended that nodes in a cluster have a consistent configuration.  Multi-domain and Workgroup clusters introduce higher risk of configuration drift, when deploying ensure that:

  • The same set of Windows patches are applied to all nodes in the clusters
  • If group policies are rolled out to the cluster nodes, they are not conflicting.

DNS Replication

It should be ensured that the cluster node and network names for Workgroup and Multi-domain clusters are replicated to the DNS servers authoritative for the cluster nodes.


In addition, be aware of the following issues for this type of cluster deployment:

  • BitLocker Drive Encryption is not supported.
  • Cluster-Aware Updating (CAU) in self-updating mode is not supported but remote-updating mode is supported.
  • You cannot copy a clustered role between failover clusters that use different types of administrative access points.

  • You can set the type of administrative access point only when you create the cluster. You cannot change it after the cluster is deployed.
  • If you deploy a highly available file server by using this deployment method, you cannot use Server Manager to manage the file server. Instead, you must use Windows PowerShell or Failover Cluster Manager.

Server 2016

PowerShell Core 6.0

PowerShell Core 6.0 is a new edition of PowerShell that is cross-platform (Windows, macOS, and Linux), open-source, and built for heterogeneous environments and the hybrid cloud.

Windows PowerShell 3.0, 4.0, and 5.1 will continue to be supported on supported versions of Windows and Windows Server. While Windows PowerShell 2.0 is still in support, it has been deprecated, and it’s recommend that workloads be migrated to newer versions of PowerShell.

To install PowerShell on a Windows client or Windows Server (works on Windows 7 SP1, Server 2008 R2, and later), download the MSI package from our GitHub releases page.

The MSI file looks like this – PowerShell-6.0.0.<buildversion>.<os-arch>.msi

Once downloaded, double-click the installer and follow the prompts.




PowerShell Core uses .NET Core 2.0 as its runtime. .NET Core 2.0 enables PowerShell Core to work on multiple platforms (Windows, macOS, and Linux). PowerShell Core also exposes the API set offered by .NET Core 2.0 to be used in PowerShell cmdlets and scripts.

Windows PowerShell used the .NET Framework runtime to host the PowerShell engine. This means that Windows PowerShell exposes the API set offered by .NET Framework.

PowerShell now officially supports macOS and Linux, including:

  • Windows 7, 8.1, and 10
  • Windows Server 2008 R2, 2012 R2, 2016
  • Windows Server Semi-Annual Channel
  • Ubuntu 14.04, 16.04, and 17.04
  • Debian 8.7+, and 9
  • CentOS 7
  • Red Hat Enterprise Linux 7
  • OpenSUSE 42.2
  • Fedora 25, 26
  • macOS 10.12+

The binary name for PowerShell Core has been changed from powershell(.exe) to pwsh(.exe).

PowerShell Core is adopting the Microsoft Modern Lifecycle Policy. This support lifecycle is intended to keep customers up-to-date with the latest versions. The version 6.x branch of PowerShell Core will be updated approximately once every six months. You must update within six months after each new minor version release to continue receiving support.

Containers, Server 2016

Windows Server 2016 version 1709

Most IT administrators have been waiting for a release and probably another “R2” version of Server 2016 just like the previous Server editions but Microsoft has changed a few things. This version is called 1709 which is a combination of the year 2017 and September (9th month) release. I think they are following the same approach as they did for the System Center products.

Starting with this release, you have two options for receiving Windows Server feature updates:

  • Long-Term Servicing Channel (LTSC): This is business as usual with 5 years of mainstream support and 5 years of extended support. You have the option to upgrade to the next LTSC release every 2-3 years in the same way that has been supported for the last 20 years.
  • Semi-Annual Channel (SAC): This is a Software Assurance benefit and is fully supported in production. The difference is that it is supported for 18 months and there will be a new version every six months. Windows Server, version 1709 runs in Server Core mode. That means there is no graphical user interface, so you manage it remotely.

Other Improvements such as;

  • The Server Core container image has been further optimized for lift-and-shift scenarios where you can migrate existing code bases or applications into containers with minimal changes, and it’s also 60% smaller.
  • The Nano Server container image is nearly 80% smaller.
    • In the Windows Server Semi-Annual Channel, Nano Server as a container base OS image is decreased from 390 MB to 80 MB.
  • Linux containers with Hyper-V isolation

Microsoft introduced a new management tool “Project Honolulu“. It includes next generation tooling with a simplified, integrated, secure, and extensible interface. Project Honolulu includes an intuitive all-new management experience for managing PCs, Windows servers, Failover Clusters, as well as hyper-converged infrastructure based on Storage Spaces Direct, reducing operational costs.

Those running Server 2016 today shouldn’t treat 1709 as a feature update to 2016, officials said. To move from Windows Server 2016 or earlier versions of Windows Server to 1709, users must run a clean install, as no in-place upgrades are supported. Those who want Semi-Annual Channel releases need Software Assurance for their Windows Server licenses or be willing to use the Semi-Annual Channel releases hosted on Azure or other cloud-hosted environments. Windows Server Essentials releases will only be available in LTSC; Standard or Datacenter are the only supported editions in the Semi-Annual Channel.

A few other things to mention; Nano Server is available as a container operating system. This release no longer installs the SMB1 client and server by default. Additionally, the ability to authenticate as a guest in SMB2 and later is off by default. Storage Spaces Direct is not in this release, administrators cannot add servers running 1709 to deployments of Windows Server 2016 where Storage Spaces Direct is being used. Data Deduplication now supports ReFS.

Keep in mind that Windows Server, version 1709 is NOT an update to Windows Server 2016. It’s in the Semi-Annual Channel. Windows Server 2016 is in the Long-Term Servicing Channel. If you need the Desktop Experience, you should stay on the LTSC by sticking with the current Windows Server 2016.