Hyper-V, Server 2012 / R2, Server 2016, Virtualization

Enabling SR-IOV on VMs

The single root I/O virtualization (SR-IOV) interface is an extension to the PCI Express (PCIe) specification. SR-IOV allows a device, such as a network adapter, to separate access to its resources among various PCIe hardware functions. SR-IOV enables network traffic to bypass the software switch layer of the Hyper-V virtualization stack. Because the VF is assigned to a child partition, the network traffic flows directly between the VF and child partition. As a result, the I/O overhead in the software emulation layer is diminished and achieves network performance that is nearly the same performance as in nonvirtualized environments.

Technically, there are two functions implemented by SR-IOV: physical functions (PFs) and virtual functions (VFs). There are a number of PCI devices available in which the PFs have been implemented, but Microsoft Hyper-V provides SR-IOV support only for networking. In other words, Microsoft Hyper-V provides VFs to allow VMs to communicate to the physical network adapters directly. Since the VMs can communicate directly with the physical network adapters, organizations may benefit from increasing I/O throughput, reducing CPU utilization on Hyper-V hosts for processing network traffic, and reducing network latency by enabling direct communication. Before you can use SR-IOV for a Hyper-V VM, you will need to meet the following prerequisites:

  • The SR-IOV functionality is currently only available to Windows 8 and Windows Server 2012 guests.
  • Hyper-V must be running on a Windows Server 2012 or later operating system.
  • You must have an SR-IOV-capable physical network adapter that implements the PFs and can understand the VFs’ requests coming from the VMs.
  • You must have an external virtual switch that can understand the SR-IOV traffic.
  • The server’s motherboard chipset must also support SR-IOV.

Enabling SR-IOV is a two-step approach. First, you need to create an external switch and enablecSR_IOV or if there is one already created but SR-IOV not enabled, you will need to delete this as this can only be enabled while you are creating the switch. Once the SR-IOV is enabled on the external virtual switch, you can enable SR-IOV on the VMs by checking the “Enable SR-IOV” checkbox found under the “Hardware Acceleration” under Network Adapter settings on the VM’s properties.






Server 2012 / R2, Server 2016

Add Servers to Server Manager

As you add remote servers to Server Manager, some of the servers that you add might require different user account credentials to access or manage them. To specify credentials for a managed server that are different from those you use to log on to the computer on which you are running Server Manager, use the Manage As command after you add a server to Server Manager, which is accessible by right-clicking the entry for a managed server in the Servers tile of a role or group home page. Clicking Manage As opens the Windows Security dialog box, in which you can provide a user name that has access rights on the managed server.

Add and manage servers in workgroups;

 Although adding servers that are in workgroups to Server Manager might be successful, after they are added, the Manageability column of the Servers tile—on a role or group page that includes a workgroup server—can display Credentials not valid errors that occur while trying to connect to or collect data from the remote, workgroup server.

These or similar errors can occur in the following conditions.

  • The managed server is in the same workgroup as the computer that is running Server Manager.
  • The managed server is in a different workgroup from the computer that is running Server Manager.
  • One of the computers is in a workgroup, while the other is in a domain.
  • The computer that is running Server Manager is in a workgroup, and remote, managed servers are on a different subnet.
  • Both computers are in domains, but there is no trust relationship between the two domains.
  • Both computers are in domains, but there is only a one-way trust relationship between the two domains.
  • The server you want to manage has been added by using its IP address.

To add remote workgroup servers to Server Manager

  1. On the computer that is running Server Manager, add the workgroup server name to the TrustedHosts list. This is a requirement of NTLM authentication. To add a computer name to an existing list of trusted hosts, add the Concatenate parameter to the command. For example, to add the Server01 computer to an existing list of trusted hosts, use the following command.

    Set-Item wsman:\localhost\Client\TrustedHosts ServerName -Concatenate -Force


  2. Determine whether the workgroup server that you want to manage is in the same subnet as the computer on which you are running Server Manager.

    If the two computers are in the same subnet, or if the workgroup server’s network profile is set to Private in the Network and Sharing Center, go on to the next step.

    If they are not in the same subnet, or if the workgroup server’s network profile is not set to Private, on the workgroup server, change the inbound Windows Remote Management (HTTP-In) setting in Windows Firewall to explicitly allow connections from remote computers by adding the computer names on the Computers tab of the setting’s Properties dialog box.

  3. To override UAC restrictions on running elevated processes on workgroup computers, create a registry entry called LocalAccountTokenFilterPolicy on the workgroup server by running the following cmdlet.

New-ItemProperty -Name LocalAccountTokenFilterPolicy -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -propertyType DWord -value 1

Server 2016

Remote Access server role in Server 2016

The Remote Access server role is a logical grouping of the following related network access technologies.+

  • Remote Access Service (RAS)
  • Routing
  • Web Application Proxy


  • Routing and Remote Access Services –Users a virtual Private network (VPN) to support connectivity.
  • Direct Access –allow remote and users within an organization secure access to file, document and other resources without the needing a VPN
  • Web Application Proxy –supports end users access to applications from outside of a corporate network by using reverse proxy authentication.

Remote Access Service (RAS) – RAS Gateway

When you install the DirectAccess and VPN (RAS) role service, you are deploying the Remote Access Service Gateway (RAS Gateway). You can deploy the RAS Gateway a single tenant RAS Gateway virtual private network (VPN) server, a multitenant RAS Gateway VPN server, and as a DirectAccess server.

    • RAS Gateway – Single Tenant. By using RAS Gateway, you can deploy VPN connections to provide end users with remote access to your organization’s network and resources. If your clients are running Windows 10, you can deploy Always On VPN, which maintains a persistent connection between clients and your organization network whenever remote computers are connected to the Internet. With RAS Gateway, you can also create a site-to-site VPN connection between two servers at different locations, such as between your primary office and a branch office, and use Network Address Translation (NAT) so that users inside the network can access external resources, such as the Internet. In addition, RAS Gateway supports Border Gateway Protocol (BGP), which provides dynamic routing services when your remote office locations also have edge gateways that support BGP.
    • RAS Gateway – Multitenant. You can deploy RAS Gateway as a multitenant, software-based edge gateway and router when you are using Hyper-V Network Virtualization or you have VM networks deployed with virtual Local Area Networks (VLANs). With the RAS Gateway, Cloud Service Providers (CSPs) and Enterprises can enable datacenter and cloud network traffic routing between virtual and physical networks, including the Internet. With the RAS Gateway, your tenants can use point-so-site VPN connections to access their VM network resources in the datacenter from anywhere. You can also provide tenants with site-to-site VPN connections between their remote sites and your CSP datacenter. In addition, you can configure the RAS Gateway with BGP for dynamic routing, and you can enable Network Address Translation (NAT) to provide Internet access for VMs on VM networks.

    • DirectAccess. DirectAccess enables remote users to securely access shared resources, intranet Web sites, and applications on an internal network without connecting to a VPN. DirectAccess establishes bi-directional connectivity with an internal network every time a DirectAccess-enabled computer is connected to the Internet. Users never have to think about connecting to the internal network, and IT administrators can manage remote computers outside the office, even when the computers are not connected via VPN.


You can use Remote Access to route network traffic between subnets on your Local Area Network. Routing provides support for Network Address Translation (NAT) routers, LAN routers running BGP, Routing Information Protocol (RIP), and multicast-capable routers using Internet Group Management Protocol (IGMP). As a full-featured router, you can deploy RAS on either a server computer or as a virtual machine (VM) on a computer that is running Hyper-V.

To install Remote Access as a LAN router, either use the Add Roles and Features Wizard in Server Manager and select the Remote Access server role and the Routing role service; or type the following command at a Windows PowerShell prompt, and then press ENTER.

Install-RemoteAccess -VpnType RoutingOnly

Web Application Proxy

Web Application Proxy is a Remote Access role service in Windows Server 2016. Web Application Proxy provides reverse proxy functionality for web applications inside your corporate network to allow users on any device to access them from outside the corporate network. Web Application Proxy pre-authenticates access to web applications using Active Directory Federation Services (AD FS), and also functions as an AD FS proxy.+

To install Remote Access as a Web Application Proxy, either use the Add Roles and Features Wizard in Server Manager and select the Remote Access server role and the Web Application Proxy role service; or type the following command at a Windows PowerShell prompt, and then press ENTER.

Install-RemoteAccess -VpnType SstpProxy  


Server 2012 / R2, Server 2016

Branch Office Direct Printing

Branch Office Direct Printing can reduce Wide Area Network (WAN) usage by printing directly to a print device instead of a server print queue. This feature can be enabled or disabled on a per printer basis and is transparent to the user.

This feature requires a print server running Windows Server 2012 and clients running Windows 8. It is enabled by an administrator using the Print Management Console or Windows PowerShell on the server.

Branch Office Direct Printing requires the following operating systems:

  • Windows Server 2012
  • Windows 8

To Configure Branch Office Direct Printing

  1. Open the Print Management Console and expand Print Servers.

  2. Expand the print server where the print queues are installed and then expand Printers.

  3. Right click the printer that you wish to manage and select Enable Branch Office Direct Printing. Multiple printers can be configured at the same time by highlighting each printer prior to this step.


Set-Printer -name <String> -ComputerName <String> -RenderingMode BranchOffice

Powershell, Server 2016


The Set-WebApplicationProxyApplication cmdlet modifies settings of a web application published through Web Application Proxy. Specify the web application to modify by using its ID. Note that the method of preauthentication cannot be changed. The cmdlet ensures that no other applications are already configured to use any specified ExternalURL or BackendServerURL.

Set-WebApplicationProxyApplication -ID 994A4543-7983-77A3-1E6D-1163E7419AC1 -ExternalUrl https://webapp.abc.com/

[-ClientCertificateAuthenticationBindingMode <String>]
[-BackendServerCertificateValidation <String>]
[-ExternalUrl <String>]
[-ExternalCertificateThumbprint <String>]
[-BackendServerUrl <String>]
[-ADFSUserCertificateStore <String>]
[-PersistentAccessCookieExpirationTimeSec <UInt32>]
[-BackendServerAuthenticationMode <String>]
[-BackendServerAuthenticationSPN <String>]
[-Name <String>]
[-InactiveTransactionsTimeoutSec <UInt32>]
[-ClientCertificatePreauthenticationThumbprint <String>]
[-ID] <Guid>
[-CimSession <CimSession[]>]
[-ThrottleLimit <Int32>]

Server 2016

AD DS 2016 Requirements

Domain controller requirements

  • AD FS requires Domain controllers running Windows Server 2008 or later.
  • At least one Windows Server 2016 domain controller is required for Microsoft Passport for Work.

Domain functional-level requirements

  • All user account domains and the domain to which the AD FS servers are joined must be operating at the domain functional level of Windows Server 2003 or higher.
  • A Windows Server 2008 domain functional level or higher is required for client certificate authentication if the certificate is explicitly mapped to a user’s account in AD DS.

Domain Requirements

  • All AD FS servers must be a joined to an AD DS domain.
  • All AD FS servers within a farm must be deployed in the same domain.

Multi Forest Requirements

  • The domain to which the AD FS servers are joined must trust every domain or forest that contains users authenticating to the AD FS service.
  • The forest, that the AD FS service account is a member of, must trust all user login forests.
  • The AD FS service account must have permissions to read user attributes in every domain that contains users authenticating to the AD FS service.
Server 2016, Hyper-V

Which VMs can be shielded?

The shielding process for existing VMs is only available for VMs that meet the following prerequisites:

  • The guest OS is Windows Server 2012, 2012 R2, 2016, or a semi-annual channel release. Existing Linux VMs cannot be converted to shielded VMs.
  • The VM is a generation 2 VM (UEFI firmware)
  • The VM does not use differencing disks for its OS volume.