40389A ENU TrainerHandBook PDF

MCT USE ONLY. STUDENT USE PROHIBITED


OFFICIAL MICROSOFT LEARNING PRODUCT

40389A
Windows Server® 2016 First Look Clinic

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.

© 2016 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at http://www.microsoft.com/trademarks are trademarks of the
Microsoft group of companies. All other trademarks are property of their respective owners.

Product Number: 40389A

Released: 04/2016
MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE

These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.

BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.

If you comply with these license terms, you have the rights below for each license you acquire.

1. DEFINITIONS.

a. “Authorized Learning Center” means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.

b. “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.

c. “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center’s training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.

d. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of an MPN Member, or (iii) a Microsoft full-time employee.

e. “Licensed Content” means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.

f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.

g. “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.

h. “Microsoft IT Academy Program Member” means an active member of the Microsoft IT Academy
Program.

i. “Microsoft Learning Competency Member” means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.

j. “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.

k. “MPN Member” means an active Microsoft Partner Network program member in good standing.
l. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.

m. “Private Training Session” means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.

n. “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.

o. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers’ use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-
release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.

2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.

2.1 Below are five separate sets of use rights. Only one set of rights applies to you.

a. If you are a Microsoft IT Academy Program Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User who is enrolled in the Authorized Training Session, and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can
access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can
access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training
Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-
Led Courseware will be presented with a copy of this agreement and each End User will agree that
their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement
prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required
to denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.

b. If you are a Microsoft Learning Competency Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Authorized Training Session and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-
Led Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized
Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training
Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is
the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
c. If you are an MPN Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Private Training Session, and only immediately prior to the commencement
of the Private Training Session that is the subject matter of the Microsoft Instructor-Led
Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique
redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending a Private Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training
Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the
subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.

d. If you are an End User:


For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your
personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the
Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the
training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to
three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

e. If you are a Trainer:


i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the
form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized
Training Session or Private Training Session, and install one (1) additional copy on another Personal
Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not
install or use a copy of the Trainer Content on a device you do not own or control. You may also
print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training
Session or Private Training Session.
ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
“customize” refers only to changing the order of slides and content, and/or not using all the slides or
content, it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate its components and install them on different devices.

2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.

2.4 Third Party Notices. The Licensed Content may include third party content that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party content are included
for your information only.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplements the terms described in this agreement.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content’s subject
matter is based on a pre-release version of Microsoft technology (“Pre-release”), then in addition to the
other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.

c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”).
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
• access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
• alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
• modify or create a derivative work of any Licensed Content,
• publicly display, or make the Licensed Content available for others to access or use,
• copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
• work around any technical limitations in the Licensed Content, or
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.

5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.

6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.

7. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.

8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.

9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.

10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.

11. APPLICABLE LAW.


a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.

12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.

13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to
• anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are repeated below; in the original they are provided in French.

DISCLAIMER OF WARRANTY. The Licensed Content covered by a license is provided "as is." Any use of
this Licensed Content is at your sole risk. Microsoft gives no other express warranty. You may have
additional rights under local consumer protection law that this agreement cannot change. Where
permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and
non-infringement are excluded.

LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You can recover from
Microsoft and its suppliers compensation for direct damages only, up to US$5.00. You cannot claim
compensation for any other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
• anything related to the Licensed Content, services or content (including code) on third party
Internet sites or in third party programs; and
• claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the
extent permitted by applicable law.
It also applies even if Microsoft knew or should have known of the possibility of such damage. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other damages,
the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. This agreement does not change your rights under the laws of your country if those
laws do not permit it to do so.

Revised July 2013



Contents
Module 1: What is new in compute?
Module Overview 1-2
Lesson 1: Introducing Windows Server 2016 1-3
Lesson 2: Introducing Nano Server 1-12
Lesson 3: New Features of Hyper-V in Windows Server 2016 1-17
Lesson 4: Introducing Windows Server and Hyper-V Containers 1-30
Lesson 5: Windows Server 2016 Management 1-38
Module Review 1-43

Module 2: What is new in identity?
Module Overview 2-2
Lesson 1: What is new in Active Directory Domain Services (AD DS)? 2-3
Lesson 2: AD FS improvements 2-7
Module Review 2-24

Module 3: What is new in file and storage services?
Module Overview 3-2
Lesson 1: Storage Spaces Direct 3-3
Lesson 2: Storage Replica 3-10
Lesson 3: Storage QoS 3-16
Module Review 3-21

Module 4: What is new in networking?
Module Overview 4-2
Lesson 1: Software Defined Networking 4-3
Lesson 2: Windows Server networking technologies 4-16
Lesson 3: Networking services 4-29
Module Review 4-33



About This Clinic


This section provides a brief description of the clinic—40389A: Windows Server® 2016 First Look Clinic,
including its audience, suggested prerequisites, and clinic objectives.

Clinic Description
Note: This release (A) of the Microsoft Official Courseware (MOC) version of clinic 40389 was
developed on Technical Preview 4 of the Windows Server 2016 operating system.

This Microsoft First Look Clinic introduces IT professionals to the new features and capabilities of Windows
Server 2016. It is designed to provide broad knowledge across a wide array of technologies, focusing on
the identity, compute, and networking pillars. No topic is covered fully, but students will finish the clinic
with an understanding of the new and improved features and capabilities of Windows Server 2016. This
clinic is based on Windows Server 2016 Technical Preview 4, and the technologies are subject to change
in the final release.

Audience

This clinic is intended for IT Professionals who are interested in learning about the new features and
functionality in Windows Server 2016. People who are key influencers and technology decision makers in
an IT organization will also be interested in attending this clinic and will benefit from gaining an early
insight into some of the latest technologies included in Windows Server 2016. In general, early adopters
of a new technology or people looking to gain an early insight into the new functionality in Windows
Server 2016 will benefit from attending this First Look Clinic.

Student Prerequisites
While there are no specific prerequisites for attending the clinic, students will benefit most if they have
experience in the following areas:
• Experience with Windows Server 2012 and Windows Server 2012 R2
• Familiar with Active Directory Domain Services (AD DS)

• Experience in configuring storage in an enterprise


• Experience in managing an enterprise network

• Experience with virtual machines and clustering

Clinic Objectives
After completing this clinic, you will be able to:

• Describe the installation options and editions of Windows Server 2016.

• Describe Nano Server and how to manage it.


• Describe the new features in Hyper-V.

• Describe Windows Server Containers and Hyper-V Containers.

• Describe the new features in management.


• List and describe the new features available for Active Directory Federation Services (AD FS).

• List and describe the new features available for AD DS.

• Describe Storage Spaces Direct.

• Describe Storage Replica.

• Describe Storage Quality of Service (Storage QoS).

• List and describe the Windows Server technologies for Software-Defined Networking.

• List and describe the cloud-scaling features in Windows Server 2016.

• List and describe the other new and improved networking services in Windows Server 2016.

Clinic Outline
This section provides an outline of the clinic:

Module 1. What is new in compute?

In this module, you will explore the new features related to compute in Windows Server 2016
Technical Preview. This module specifically focuses on Nano Server, Hyper-V, Windows Server
Containers, Hyper-V Containers, and management features.

Module 2. What is new in identity?


Windows Server 2016 Technical Preview has many new features in identity to improve the ability
for organizations to help secure Active Directory environments. Additionally, many of the new
features help organizations migrate to cloud-only deployments and hybrid deployments, where
some applications and services are hosted in the cloud while others are hosted in an on-premises
environment. This module introduces you to those improvements.

Module 3. What is new in file and storage services?

Windows Server 2016 Technical Preview brings several new storage capabilities for IT
professionals to design, deploy, and maintain Windows Server storage. This module provides an
overview of some of the new features and improvements in storage.
Module 4. What is new in networking?
Networking improvements in Windows Server 2016 Technical Preview include new features and
enhancements that make flexible workload placement and mobility possible. Organizations need
flexibility, reliability, high levels of performance, and need a focus on applications and workloads.
To meet these needs, Windows Server 2016 provides:

• Enhancements related to reliability, performance, and interoperability of virtual networking


• Improved support for centralized configuration and management across virtual and physical
networks

• New virtualized network functions for transforming the network cloud

• Seamless datacenter extensions for flexible workload placement and mobility


This module covers the new networking features in Windows server 2016.

Clinic Materials
The following materials are included with your kit:

• Clinic Handbook. A succinct classroom-learning guide that provides the critical technical information
in a crisp, tightly focused format, which is essential for your in-class learning experience.

The content contains the following:

o Lessons. Lessons guide you through the learning objectives and provide the key points that are
critical to the success of the in-class learning experience.
o Module Reviews and Takeaways. These sections provide improved on-the-job reference material
to boost knowledge and skills retention.

• Clinic Evaluation. At the end of the clinic, you will have the opportunity to complete an online
evaluation to provide feedback on the clinic, training facility, and instructor.

o To provide additional comments or feedback on the clinic, go to
http://www.microsoft.com/learning/help. To inquire about the Microsoft Certification Program,
send e-mail to mcphelp@microsoft.com.

Module 1
What is new in compute?
Contents:
Module Overview 1-2
Lesson 1: Introducing Windows Server 2016 1-3

Lesson 2: Introducing Nano Server 1-12

Lesson 3: New Features of Hyper-V in Windows Server 2016 1-17


Lesson 4: Introducing Windows Server and Hyper-V Containers 1-30

Lesson 5: Windows Server 2016 Management 1-38

Module Review 1-43



Module Overview

Windows Server 2016 is the latest Microsoft server operating system. It incorporates modern application
development principles such as Microsoft Hyper-V Containers and Nano Server. Also, it turns the
software-defined datacenter into reality—without abandoning what you have today. This module
introduces you to some of the new features of Windows Server 2016 and the improved, modern,
software-defined datacenter capabilities across storage, networking, and compute. This module also
introduces you to the improvements made to the existing features, which are now part of the new
operating system.
In addition, in this module, you can explore the new features related to compute in Windows Server 2016
Technical Preview. This module specifically focuses on Nano Server, Hyper-V, Windows Server Containers,
Hyper-V Containers, and management features.

After completing this module, you will be able to:

• Describe the installation options and editions of Windows Server 2016.

• Describe Nano Server and how to manage it.

• Describe the new features in Hyper-V.


• Describe Windows Server Containers and Hyper-V Containers.

• Describe the new features in management.



Lesson 1
Introducing Windows Server 2016

Windows Server 2016 is the latest in the line of Microsoft Server operating systems. From Hyper-V
Containers to Nano Server, the latest operating system incorporates modern app development principles.
It turns the software-defined datacenter in to reality—without abandoning what you have today. This
lesson introduces you to some of the new features of Windows Server 2016 and the improved, modern,
software-defined datacenter capabilities, across storage, networking and compute. This lesson also
introduces you to the new operating system and some of its improvements.
After completing this lesson, you will be able to:

• Describe the key improvements in Windows Server 2016.

• Compare the different editions of Windows Server 2016.


• Describe some of the deprecated features in Windows Server 2016.

• List the installation options for Windows Server 2016.



Overview of the Microsoft Cloud Platform

Virtualization has enabled your organization to save money by consolidating server workloads and
retiring obsolete hardware. You were able to further reduce the cost of doing business by moving some of
your workloads from your on-premises environment into the cloud (public or service provider–hosted).

Because of these changes, instead of having to deal with a server sprawl in your datacenter, you are now
faced with a virtual machine sprawl. In fact, things can get inconvenient in some situations because it is
easier to configure and start up a new virtual machine than it is to procure and provision a new server
hardware in your environment. Instead of managing only one infrastructure—the one in your
datacenter—you now need to deal with managing resources in the cloud, as well. If you are not careful,
you might end up with two sets of administrative tools that need twice as much time and staff to manage.

With this type of sprawl within the compute resource pool, you might begin to have significant problems
within the other two pillars, networking and storage. In essence, after an enterprise implements
virtualization, how does it keep up with what very quickly becomes cloud scale?

This is where a business of any size needs to begin thinking in terms of the software-defined datacenter
(SDDC).

Virtualization has already brought agility to the compute pillar. New approaches to networking and
storage can bring the same agile concepts to all three pillars. This ultimately enables your environment
to become a true cloud environment that efficiently services the needs of the business, on demand.

The following are the differences between a traditional datacenter and a cloud computing environment:

• Traditional datacenter - limited agility


• Cloud computing - high agility and managed differently

The key to success in a hybrid cloud is to manage your resources as if the cloud were not just an external
entity but also in your datacenter. When this is the case, you can easily move your compute, networking,
and storage resources from your on-premises environment to the cloud, and from the cloud to your on-
premises environment.

The Microsoft Cloud Platform can make all this possible for your business. Microsoft offers a consistent
platform that lets you choose to run workloads depending on where it makes the most sense for your
business: in your datacenter, in a service provider’s datacenter, or in Microsoft Azure.

By using this platform, you can deliver and manage your IT services, both in an on-premises environment
and in the cloud, in a unified way across a wide range of device platforms. With the Microsoft Cloud
Platform, you will be able to do the following:

• Empower enterprise mobility.



• Create your Internet of Things.

• Enable application innovation.

• Unlock insights on any data.

• Transform the datacenter.



Comparing the editions of Windows Server

The licensing of the Windows Server 2016 Standard edition and the Windows Server 2016 Datacenter
edition will be based on physical cores rather than processors (which was the case in the previous
licensing model). Licensing based on cores provides a more consistent licensing metric regardless of
where the solution is deployed, either in an on-premises environment or in a cloud. The Windows Server
2016 licensing model for Standard and Datacenter editions will be Cores + client access license (CAL).

Overview of the Datacenter and Standard editions


• The Datacenter edition. This is needed for highly virtualized private and hybrid cloud environments.
• The Standard edition. This is needed for low density or non-virtualized environments.

Information about the following editions of Windows Server 2016 and Windows Storage Server 2016 will
be available closer to release:
• Windows Storage Server 2016 Workgroup
• Windows Storage Server 2016 Standard

• Windows Server 2016 Essentials

• Hyper-V Server 2016 (free download)


Windows Server 2016 editions

Feature                                            Datacenter Edition   Standard Edition

Core functionality of Windows Server               Yes                  Yes

OSEs (operating system environments)/Hyper-V       Unlimited            2
Containers

Windows Server Containers                          Unlimited            Unlimited

Nano Server                                        Yes                  Yes

New storage features, including Storage Spaces     Yes                  Not included
Direct and Storage Replica

New Shielded Virtual Machines and Host             Yes                  Not included
Guardian Service

New networking stack                               Yes                  Not included

Licensing model                                    Core + CAL           Core + CAL

Additional Reading: For more information about Windows Server licensing, refer to:
http://aka.ms/WinServ2016

Deprecated features

The following features and functionalities have been removed from this release of Windows Server 2016
Technical Preview. Applications, code, or usage that depend on these features will not function in this
release unless you employ an alternate method. This list is subject to change and might not include every
deprecated feature or functionality.

Additional Reading: If you are moving to Windows Server 2016 Technical Preview from a
server release prior to Windows Server 2012 R2 or Windows Server 2012, you should also review
Features Removed or Deprecated in Windows Server 2012 R2 located here http://aka.ms/Dhlj4g,
or Features Removed or Deprecated in Windows Server 2012 located here http://aka.ms/Obzxfp.

File Server
The Share and Storage Management snap-in for Microsoft Management Console is removed. Instead, you
can perform any of the following:
• If the computer you want to manage is running an operating system that is older than Windows
Server 2016 Technical Preview, connect to it with a remote desktop and use the local version of the
Share and Storage Management snap-in.
• On a computer that is running Windows 8.1 or earlier, use the Share and Storage Management snap-
in from Remote Server Administration Tools (RSAT) to view the computer that you want to manage.

• Use Hyper-V on a client computer to run a virtual machine, running Windows 7, Windows 8, or
Windows 8.1 and that has the Share and Storage Management snap-in in RSAT.

The Security Configuration Wizard


The Security Configuration Wizard is removed. Instead, the features are secured by default. If you need to
control specific security settings, you can use either Group Policy or Microsoft Security Compliance
Manager.

Service Quality Metrics


The opt-in components that manage participation in the Customer Experience Improvement Program are
removed.

Configuration tools
• Scregedit.exe is deprecated. If you have scripts that depend on Scregedit.exe, adjust them to use
Reg.exe or Windows PowerShell cmdlets.

• Sconfig.exe is deprecated. Use Windows PowerShell cmdlets instead.

Note: Sconfig.cmd is used to configure basic settings such as network, domain, and firewall
settings.
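The following script is added here as an example and is not part of the handbook. It retargets the three settings that Server Core scripts most often set through scregedit (allowing Remote Desktop, requiring Network Level Authentication for it, and turning on automatic updates) to the Windows PowerShell registry provider, with the Reg.exe form shown in comments for scripts that must stay batch files. The registry paths are the standard ones; the script assumes a Server Core host and an elevated session.

```powershell
# Added example, not code from the clinic handbook. Replaces a deprecated
# scregedit-based configuration script with Set-ItemProperty calls.
# Run elevated on the Server Core host.

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"
$au  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

# scregedit /ar 0 -> allow Remote Desktop connections.
# Reg.exe form: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
#               /v fDenyTSConnections /t REG_DWORD /d 0 /f
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord

# scregedit /cs 1 -> require Network Level Authentication. This is the secure
# choice: the client must authenticate before a session (and its attack
# surface) exists on the server.
# Reg.exe form: reg add "...\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f
Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1 -Type DWord

# Remote Desktop is unreachable if Windows Firewall still blocks TCP 3389.
# Enable the built-in rule group rather than hand-opening the port.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# scregedit /au 4 -> download and install updates automatically.
# Reg.exe form: reg add "...\WindowsUpdate\Auto Update" /v AUOptions /t REG_DWORD /d 4 /f
if (-not (Test-Path $au)) { New-Item -Path $au -Force | Out-Null }
Set-ItemProperty -Path $au -Name AUOptions -Value 4 -Type DWord

# Verify what was actually written. A script should check the resulting
# state, not just trust that the commands above returned without error.
[pscustomobject]@{
    RemoteDesktopEnabled = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
    NlaRequired          = (Get-ItemProperty -Path $rdp).UserAuthentication -eq 1
    AutoUpdateOption     = (Get-ItemProperty -Path $au).AUOptions
}
```

The same settings can be pushed to many hosts through Group Policy, which is the route the handbook recommends in place of the Security Configuration Wizard; the script is for hosts that are not yet domain-joined or for one-off configuration.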

NetCfg custom APIs


Installation of PrintProvider, NetClient, and ISDN by using NetCfg custom APIs is deprecated.

Remote management
WinRM.vbs is deprecated. Instead, use the functionality in the WinRM provider of Windows PowerShell.

SMB 2+ over NetBT


SMB 2+ over NetBT is deprecated. Instead, implement SMB over Transmission Control Protocol (TCP) or
Remote Direct Memory Access (RDMA).

Network Access Protection (NAP) support in Dynamic Host Configuration Protocol (DHCP)
DHCP is an Internet Engineering Task Force (IETF) standard that is designed to reduce the administrative
burden and complexity of configuring hosts on a TCP/IP-based network, such as a private intranet. By
using the DHCP Server service, the process of configuring TCP/IP on DHCP clients is automatic.
NAP is deprecated in Windows Server 2012 R2. In Windows Server 2016 Technical Preview, the DHCP
Server role no longer supports NAP.

NAP support was introduced to the DHCP Server role with Windows Server 2008 and is supported in the
Windows client and server operating systems prior to Windows 10 and Windows Server 2016 Technical
Preview. The following table summarizes support for NAP in Windows Server.

Operating system NAP support

Windows Server 2008 Supported

Windows Server 2008 R2 Supported

Windows Server 2012 Supported

Windows Server 2012 R2 Supported

Windows Server 2016 Technical Preview Not Supported

In a NAP deployment, a DHCP server running an operating system that supports NAP can function as a
NAP enforcement point for the NAP DHCP enforcement method.

In Windows Server 2016 Technical Preview, DHCP servers will not enforce NAP policies, and DHCP scopes
cannot be NAP-enabled. DHCP client computers that are also NAP clients will still send a statement of
health (SoH) with the DHCP request. If the DHCP server is running Windows Server 2016 Technical Preview,
it treats these requests as if no SoH were present and grants a normal DHCP lease. If servers running
Windows Server 2016 Technical Preview are Remote Authentication Dial-In User Service (RADIUS) proxies
that forward authentication requests to a Network Policy Server (NPS) that supports NAP, these NAP
clients will be evaluated as non NAP-capable.

Installation options for Windows Server 2016 Technical Preview

When you install Windows Server 2016 Technical Preview using the Setup wizard, you can choose
between Windows Server 2016 Technical Preview and Windows Server Technical Preview (Server with
Desktop Experience). The Server with Desktop Experience option in the Windows Server 2016 Technical
Preview is equivalent to the Full installation option available in Windows Server 2012 R2 with the
Desktop Experience feature installed. If you do not make a choice in the Setup wizard, Windows Server
2016 Technical Preview is installed by default. This is the Server Core installation option. The Server Core
option reduces the space required on the disk, the potential attack surface, and especially the servicing
requirements, so we recommend that you choose the Server Core installation unless you have a particular
need for the additional user interface elements and graphical management tools that are included in the
Server with Desktop Experience option.

Note: Unlike some previous releases of Windows Server, your choice of Server Core versus
Server with Desktop Experience at the time of installation is not convertible to the other mode.

Desktop experience
If you select this option, the standard user interface and all the tools are installed, including client
experience features that required a separate installation in Windows Server 2012 R2. Server roles and
features are installed with Server Manager or by other methods.

• User interface: a standard graphical user interface (Server Graphical Shell). The Server Graphical
Shell includes the new Windows 10 shell. The specific Windows features installed by default with
this option are User-Interfaces-Infra, Server-GUI-Shell, Server-GUI-Mgmt-Infra,
InkAndHandwritingServices, ServerMediaFoundation, and Desktop Experience.

• Install, configure, and uninstall server roles locally: with Server Manager or with Windows PowerShell
• Install, configure, and uninstall server roles remotely: with Server Manager, Remote Server
Administration Tools (RSAT), or Windows PowerShell

• Microsoft Management Console: installed

Windows Server 2016 Technical Preview


With this installation option, the standard user interface (the Server Graphical Shell) is not installed; you
manage the server by using the command line, Windows PowerShell, or by remote methods.

• User interface: command prompt.



• Install, configure, and uninstall server roles locally: at a command prompt with Windows PowerShell.

• Install, configure, and uninstall server roles remotely: with Server Manager, Remote Server
Administration Tools (RSAT), or Windows PowerShell.
• Microsoft Management Console: not available locally.

• Server roles available:

o Active Directory Certificate Services


o Active Directory Domain Services

o DHCP Server

o Domain Name System (DNS) Server


o File Services (including File Server Resource Manager)

o Active Directory Lightweight Directory Services

o Hyper-V

o Print and Document Services

o Streaming Media Services

o Web Server (including a subset of ASP.NET)

o Windows Server Update Services (WSUS)


o Active Directory Rights Management Services

o Routing and Remote Access Service
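As an added example (not the handbook's own code): from a workstation that has RSAT installed, confirm which installation option a host is running and then install a role on it remotely, which is the everyday workflow for a Server Core host that has no local Microsoft Management Console. The host name is a placeholder; the InstallationType registry value is the standard value that distinguishes the installation options.

```powershell
# Added example, not code from the clinic handbook. Run from a management
# workstation with RSAT; CORE01 is a placeholder host name.
$core = 'CORE01'

# Confirm the installation option before assuming what tools exist on the
# target: 'Server Core', 'Server' (Desktop Experience) or 'Nano Server'.
$installType = Invoke-Command -ComputerName $core -ScriptBlock {
    (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
}
"$core is running installation type: $installType"

# Install the DNS Server role on the remote host. The graphical management
# tools stay on the workstation, where RSAT already provides them.
$result = Install-WindowsFeature -Name DNS -ComputerName $core
"Success: $($result.Success)  Restart needed: $($result.RestartNeeded)"

# Inventory every installed role and feature. On a Server Core host this
# list is the most honest statement of what code is present and exposed.
Get-WindowsFeature -ComputerName $core |
    Where-Object Installed |
    Select-Object Name, DisplayName
```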

Note: You can also install Windows Server Technical Preview as a Nano Server, which is a
remotely administered version of Windows Server that is optimized for hosting in private clouds and
datacenters, and for running applications that are developed by using cloud application patterns. This
installation option is not available from the Setup wizard; you install it by building a virtual
hard disk (VHD).

Nano Server
Windows Server 2016 offers a new installation option called Nano Server. Nano Server is a remotely
administered server operating system optimized for private clouds and datacenters. It is similar to
Windows Server in the Server Core mode, but significantly smaller, has no local sign-in capability, and only
supports 64-bit applications, tools, and agents. It consumes far less disk space, sets up significantly faster,
and requires far fewer updates and fewer and faster restarts than Windows Server.

Nano Server now supports the DNS Server and Microsoft Internet Information Services (IIS) server roles,
Multipath I/O (MPIO), the System Center Virtual Machine Manager (VMM) agent, Microsoft System Center
Operations Manager, Desired State Configuration (DSC) push mode, Data Center Bridging (DCB), Windows
Server Installer, and the Windows Management Instrumentation (WMI) provider for Windows Update. Its
Recovery Console supports editing and repairing the network configuration. A Windows PowerShell module
is now available to simplify building Nano Server images.

Lesson 2
Introducing Nano Server

Nano Server is a remotely administered server operating system optimized for private clouds and
datacenters. It is similar to Windows Server in Server Core mode, but significantly smaller. Nano Server has
no local sign-in capability, and only supports 64-bit applications, tools, and agents. This lesson introduces
you to the capabilities of Nano Server and explains how to manage it.
After completing this lesson, you will be able to:

• Describe the role of Nano Server in a datacenter.


• Describe the various methods available to manage Nano Server.

Overview of Nano Server

Windows Server 2016 Technical Preview offers a new installation option called Nano Server. Nano Server
is a remotely administered server operating system optimized for private clouds and datacenters. It is
similar to Windows Server in the Server Core mode, but significantly smaller, has no local sign-in
capability, and only supports 64-bit applications, tools, and agents. It consumes far less disk space, can be
set up significantly faster, and requires far fewer updates and fewer and faster restarts than Windows
Server.

Nano Server is ideal for the following scenarios:

• As a compute host for Hyper-V virtual machines


• As a storage host for Scale-Out File Server

• As a DNS server

• As a web server running Internet Information Services (IIS)


• As a host for applications that are developed using cloud application patterns and run in a container
or virtual machine guest operating system

Although Nano Server is an installation option like Server Core, you cannot select this option during
Setup. Instead, you must create a virtual hard disk by using Windows PowerShell. You can then attach this
virtual hard disk to a virtual machine to run a virtualized Nano Server in Hyper-V. Alternatively, you
can configure your server computer to start from the .vhd file for a physical Nano Server deployment.

Additional Reading: For more guidance in installing Nano Server, see the Microsoft
TechNet website: http://aka.ms/H3nz2l

The following list shows the server roles and features that you can either install when you deploy Nano
Server or subsequently install by using Windows PowerShell on a previously deployed Nano Server:
• The Hyper-V role.

• Failover Clustering.

• Hyper-V guest drivers for hosting Nano Server as a virtual machine.


• Basic drivers for a variety of network adapters and storage controllers. This is the same set of drivers
included in a Server Core installation of Windows Server 2016.

• The File Server role and other storage components.

• Windows Defender Antimalware, including a default signature file.

• Reverse forwarders for application compatibility—for example, common application frameworks, such
as Ruby and Node.js.

• The DNS Server role.

• Desired State Configuration (DSC)


• IIS.

• Host support for Windows Containers.

• System Center Virtual Machine Manager agent.


• Network Performance Diagnostics Service (NPDS).

• Data Center Bridging.
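The following Windows PowerShell script is an added example, not the handbook's own code. It builds a Nano Server guest image for a clustered file server node with the NanoServerImageGenerator module found in the NanoServer folder of the Technical Preview media, boots it as a Hyper-V virtual machine, and reads back its IP address. Drive letters, paths, the computer name and the virtual switch name are placeholders, and the parameter names follow the TP4 module, which was still changing between previews; confirm them with Get-Help New-NanoServerImage against your own media.

```powershell
# Added example, not code from the clinic handbook. Paths, names and the
# switch name are placeholders; parameter names are those of the TP4 module.
Import-Module 'D:\NanoServer\NanoServerImageGenerator.psm1'

# Nano Server has no local sign-in, so the administrator password is the
# credential that guards the only way in (WinRM). Prompt for it rather than
# embedding it in the script.
$adminPassword = Read-Host -Prompt 'Administrator password' -AsSecureString

# Include only the packages a storage node needs. Every package left out is
# code that is not on the disk and therefore cannot be exploited: this image
# carries no IIS, no DNS Server, no container host and no Hyper-V role.
New-NanoServerImage `
    -MediaPath 'D:\' `
    -BasePath 'C:\Nano\Base' `
    -TargetPath 'C:\Nano\NANO-FS01.vhd' `
    -ComputerName 'NANO-FS01' `
    -GuestDrivers `
    -Storage `
    -Clustering `
    -Defender `
    -AdministratorPassword $adminPassword

# A .vhd target yields an MBR disk for a generation 1 virtual machine; use a
# .vhdx target when you want a generation 2 (UEFI) virtual machine.
New-VM -Name 'NANO-FS01' -Generation 1 -MemoryStartupBytes 1GB `
       -VHDPath 'C:\Nano\NANO-FS01.vhd' -SwitchName 'External' | Start-VM

# The guest drivers report the address back through Hyper-V, which is the
# fastest way to learn it before any remote management tool can connect.
Start-Sleep -Seconds 60
(Get-VMNetworkAdapter -VMName 'NANO-FS01').IPAddresses
```

The -GuestDrivers switch is what makes the image usable inside Hyper-V; for a physical deployment you would instead add the -OEMDrivers switch and boot the hardware from the .vhd file, as the handbook describes.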

Workload scenarios
Nano Server is a deeply refactored version of Windows Server with a small footprint and a remotely
managed installation, optimized for the cloud and a DevOps workflow. It is designed for fewer update
events, faster restarts, better resource utilization, and tighter security. Applying the lessons learned
from building and managing some of the largest hyperscale cloud environments, Nano Server focuses on
two scenarios:

• Born-in-the-cloud applications. Support for multiple programming languages and runtimes, such as
C#, Java, Node.js, and Python, running in containers, virtual machines, or on physical servers.

• The Microsoft Cloud Platform infrastructure. Support for compute clusters running Hyper-V and
storage clusters running Scale-out File Server.

Managing Nano Server

Nano Server is designed to be managed entirely remotely. Although you can sign in locally to use the
recovery console for very basic configuration, you must perform all other management tasks remotely.
Nano Server does not support Terminal Services. However, you have a wide variety of options for
managing Nano Server remotely, including:
• Windows PowerShell

• Windows Management Instrumentation (WMI)

• Windows Remote Management


• Emergency Management Services (EMS)

• Remote Server Management Tools

• Core PowerShell
• Windows PowerShell DSC

• Hyper-V Manager

• Failover Cluster Manager

• Server Manager

• Perfmon, Event Viewer, Disk Manager, Device Manager etc.

To use any remote management tool, you will probably need to know the IP address of the Nano Server.
Some ways of finding out the IP address include:
• Using the Nano Recovery Console (see the Using the Nano Server Recovery Console section of this
topic for details).
• Connecting a serial cable to the computer and using EMS.

• Using the computer name you assigned to the Nano Server while configuring it, you can get the IP
address with ping. For example, ping NanoServer-PC /4.

Using the Nano Server Recovery Console


Nano Server includes a Recovery Console that ensures you can access your Nano Server even if a network
misconfiguration prevents you from connecting to the Nano Server. You can use the Recovery Console to
fix the network configuration issue, and then use your usual remote management tools.

When you start Nano Server in either a virtual machine or on a physical computer that has a monitor and
keyboard attached, you will see a full-screen, text-mode sign in prompt. Sign in to this prompt with an
administrator account to see the computer name and IP address of the Nano Server. You can use the
following keys to navigate in this console:

• Use arrow keys to scroll

• Use TAB to move to any text that starts with >, and then press ENTER to select.

• To go back one screen or page, press ESC. If you are on the home page, pressing ESC will sign you
out.

• Some screens display additional capabilities on the last line of the screen. For example, if you explore
a network adapter, F4 will disable the network adapter.

In Windows Server 2016 Technical Preview, you can use the Recovery Console to view and configure
network adapters, TCP/IP settings, and firewall rules. To join a computer to a domain, you must use
Windows PowerShell Remoting, and use the djoin command.
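The following script is added here as an example rather than taken from the handbook. It makes the first remote contact with a freshly deployed workgroup Nano Server over Windows PowerShell remoting and then performs the offline domain join with djoin that this topic describes; it also serves the Remote management item under Deprecated features, because the WinRM client setting is written through the WSMan: provider that replaces WinRM.vbs. The IP address, credentials, domain name and computer name are placeholders.

```powershell
# Added example, not code from the clinic handbook. Address, domain and
# computer name are placeholders. Run from a domain-joined management
# workstation with PowerShell 5.0 or later.
$nano = '10.0.0.25'   # from the Recovery Console or Get-VMNetworkAdapter

# A workgroup host cannot be authenticated with Kerberos, so the WinRM client
# must be told to trust it for NTLM. Scope TrustedHosts to this one address:
# a '*' entry would let any host you mistype or get redirected to receive
# your credentials. (This is the WSMan: provider that replaces WinRM.vbs.)
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $nano -Concatenate -Force

$cred = Get-Credential -UserName "$nano\Administrator" -Message 'Nano Server administrator'

# First contact: confirm the name and IP configuration the console reported.
Invoke-Command -ComputerName $nano -Credential $cred -ScriptBlock {
    $env:COMPUTERNAME
    Get-NetIPAddress -AddressFamily IPv4 | Select-Object InterfaceAlias, IPAddress
}

# --- Offline domain join ---
# 1. On the domain-joined workstation, pre-create the computer account and
#    save the provisioning blob.
djoin.exe /provision /domain corp.contoso.com /machine NANO-FS01 /savefile .\odjblob

# 2. Copy the blob over the remoting session (file transfer over PowerShell
#    remoting, so no SMB share has to be opened on the Nano Server).
$session = New-PSSession -ComputerName $nano -Credential $cred
Copy-Item -Path .\odjblob -Destination 'C:\odjblob' -ToSession $session

# 3. Apply the blob on the Nano Server and restart it.
Invoke-Command -Session $session -ScriptBlock {
    djoin.exe /requestodj /loadfile C:\odjblob /windowspath C:\Windows /localos
    Restart-Computer -Force
}
Remove-PSSession $session

# The blob contains the machine account password. Delete the local copy once
# it has been applied.
Remove-Item -Path .\odjblob
```

After the restart, the host authenticates with Kerberos, so the TrustedHosts entry is no longer needed and can be removed with Clear-Item on the same WSMan: path.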

Core PowerShell on Nano Server


The main features of Core PowerShell on Nano Server include:
• Built on .NET Core Runtime

o Lean, composable, open source, cross-platform

o CoreCLR + ASP.NET 5 + C# "Roslyn" compiler


• Reduced disk footprint: 55 MB total

o CoreCLR (45 MB) + PowerShell (8 MB) + Modules (2 MB)

• Full language, a subset of features, and a subset of cmdlets


• Windows PowerShell remoting (server-side only)
o Backwards compatible with existing Windows PowerShell remoting clients to PS 2.0

o File transfer over PowerShell remoting

o Remote script authoring and debugging in ISE

• Cmdlets for managing Nano Server components

Additional Reading: For more information on Managing Nano Server by using methods
mentioned in this topic, refer to: http://aka.ms/H3nz2l

Lesson 3
New Features of Hyper-V in Windows Server 2016

You can use the Hyper-V server role in Windows Server to create a virtualized server computing
environment, where you can create and manage virtual machines. You can run multiple operating systems
on one physical computer and isolate the operating systems from each other. By using this technology,
you can improve the efficiency of your computing resources and free your hardware resources. This lesson
describes the new features in Hyper-V in Windows Server 2016.

After completing this lesson, you will be able to:

• Explain some of the new and updated features in Hyper-V.


• Describe some of the security-related features in Hyper-V.

• Explain some of the management-related features in Hyper-V.

• Explain some of the availability-related features in Hyper-V.


• Explain some of the features related to performance and quality in Hyper-V.

Overview of Hyper-V features

Some updates in Hyper-V in Windows Server 2016 include:

• Compatible with Connected Standby. When you install the Hyper-V role on a computer that uses the
Always On/Always Connected (AOAC) power model, the Connected Standby power state is available.

• Discrete device assignment. This feature allows you to give a virtual machine direct and exclusive
access to some PCIe hardware devices. Using a device in this way bypasses the Hyper-V virtualization
stack, which results in faster access.
• Hot add and remove for network adapters and memory. You can now add or remove a network
adapter while the virtual machine is running, without incurring downtime. This works for generation 2
virtual machines that run either Windows or Linux operating systems.
You can also adjust the amount of memory assigned to a virtual machine while it is running, even if you
have not enabled Dynamic Memory. This works for both generation 1 and generation 2 virtual machines.
• Hyper-V Manager improvements:
o Alternate credentials support

o Manage earlier versions

o Updated management
• Integration services delivered through Windows Update. Updates to integration services for Windows
guests are distributed through Windows Update.
• Linux Secure Boot. Linux operating systems running on generation 2 virtual machines can now boot
with the Secure Boot option enabled.

• Nested virtualization. This feature enables you to use a virtual machine as a Hyper-V host and to
create virtual machines within that virtualized host.

Hyper-V relies on hardware virtualization support, such as Intel VT-x and AMD-V, to run virtual machines.
Typically, after Hyper-V is installed, the hypervisor hides this capability from guest virtual machines,
which prevents a guest from running the Hyper-V role or any other hypervisor. Nested virtualization
exposes those hardware virtualization extensions to the guest virtual machine.

• Networking features. – The new networking features include:

o Remote direct memory access (RDMA) and switch embedded teaming (SET).

o Virtual machine multi queues (VMMQ).



o Quality of service (QoS) for software-defined networks.

o Addition and removal of virtual NICs (vNICs) on a virtual machine without downtime.

• Production checkpoints. Production checkpoints allow you to easily create “point in time” images of a
virtual machine, which can be restored later in a way that is completely supported for all production
workloads.

• Rolling Hyper-V Cluster upgrade. You can now add a node running Windows Server 2016 Technical
Preview to a Hyper-V Cluster with nodes running Windows Server 2012 R2.

• Storage QoS. You can now create storage QoS policies on a Scale-Out File Server and assign them to
one or more virtual disks on Hyper-V virtual machines. Storage performance is automatically
readjusted to meet the policies as the storage load fluctuates.

• Shielded virtual machines. Shielded virtual machines use several features to make it harder for
datacenter administrators and malware to inspect, tamper with, or steal data from virtual machines,
and help to protect the state of these virtual machines.

• Virtual machine configuration file format. Virtual machines have a new configuration file format.

• Virtual machine configuration version. The version represents the compatibility of the virtual
machine’s configuration, saved state, and snapshot files with the version of Hyper-V. Virtual machines
with version 5 are compatible with Windows Server 2012 R2 and can run on both Windows Server
2012 R2 and Windows Server 2016 Technical Preview. Virtual machines with version 6 are compatible
with Windows Server 2016 Technical Preview, but will not run in Hyper-V on Windows Server 2012
R2.

• Windows Containers. Windows Containers enable many isolated applications to run on one computer
system. The applications build fast and are highly scalable and portable. Two different types of
container runtime are included with the feature, each with a different degree of application isolation.
Windows Server Containers achieve isolation through namespace and process isolation, while Hyper-V
Containers encapsulate each container in a lightweight virtual machine.

Here are additional features introduced with Windows Containers:

o Nano server can host both Windows Server and Hyper-V Containers.
o Container data management capabilities are enabled with container shared folders.
o Container resource restrictions can be implemented.

• Windows PowerShell Direct. There is now an easy and reliable way to run Windows PowerShell
commands inside a virtual machine from the host operating system. There is no network, firewall
requirement, or special configuration required. It works regardless of your remote management
configuration. To use it, you must run Windows 10 or Windows Server 2016 Technical Preview on the
host and the virtual machine guest operating systems.

Note: In order to use the new Windows Server 2016 features on virtual machines that were
created with Windows Server 2012 R2 and moved or imported to a server that runs Hyper-V on
Windows Server 2016 Technical Preview, you must manually update the virtual machine
configuration version.
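The following is an added example, not code from the course text, showing how the nested virtualization setting described above is applied from a Windows PowerShell session on the host. The virtual machine name LabHost01 is a placeholder, and the fixed 4 GB of memory follows the minimum the course later gives for a virtualized Hyper-V host.

```powershell
# Added example (not from the course text): expose VT-x / AMD-V to a guest so that the
# guest can run the Hyper-V role itself. "LabHost01" is a placeholder VM name.

$vmName = 'LabHost01'

$vm = Get-VM -Name $vmName -ErrorAction Stop

# The processor and memory settings below can only be changed while the VM is off.
# Refuse rather than force a shutdown of a running workload.
if ($vm.State -ne 'Off') {
    throw "Shut down $vmName before changing its virtualization settings."
}

# A nested Hyper-V host cannot use Dynamic Memory; give it a fixed 4 GB.
Set-VMMemory -VMName $vmName -DynamicMemoryEnabled $false -StartupBytes 4GB

# Expose the hardware virtualization extensions that the hypervisor normally hides from
# guests. A guest with this enabled can run its own hypervisor, so only do this for guests
# administered by the same team that runs the host.
Set-VMProcessor -VMName $vmName -ExposeVirtualizationExtensions $true

# Packets from nested VMs leave through the outer VM's adapter carrying other MAC
# addresses, so MAC address spoofing has to be allowed on that adapter.
Get-VMNetworkAdapter -VMName $vmName | Set-VMNetworkAdapter -MacAddressSpoofing On

Start-VM -Name $vmName

# Confirm that the setting took effect.
Get-VMProcessor -VMName $vmName | Select-Object VMName, ExposeVirtualizationExtensions
```

Re-run the last line after any migration: the setting travels with the VM configuration, but the destination host must itself support nested virtualization for the guest's hypervisor to start.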

Security

Hyper-V features that help protect the fabric from the guest include:

• Shielded virtual machines. Data and state are encrypted, Hyper-V administrators cannot see the video
output and disks, and the virtual machines run only on known, healthy hosts, as determined by a
server running the Host Guardian Service.

o Encryption and data at-rest/in-flight protection:
 A virtual Trusted Platform Module (TPM) enables you to use disk encryption (such as BitLocker)
within a virtual machine.
 Both Live Migration traffic and virtual machine state are encrypted.

o Admin-lockout:
 Host administrators cannot access guest virtual machine data. For example,
administrators cannot see disks or video.
 Host administrators cannot run arbitrary kernel-mode code.

o Attestation of health:
 Virtual machine workloads can only run on “healthy” hosts.
 Hardware-trusted attestation (TPM-based).
 Admin-trusted attestation (Active Directory-based):
  Simplified deployment and configuration: set up an Active Directory trust and register a group.
  Authorize a Hyper-V host to run shielded virtual machines by adding it to the Active
Directory group.
  Existing hardware is likely to meet the requirements.
  Scenario enabled: data protection at rest and on the wire.
  Weaker level of assurance: the fabric admin is trusted, there is no hardware-rooted trust or
measured boot, and code integrity is not enforced.

• Linux Secure Boot: Linux operating systems running on generation 2 virtual machines can now boot
with the Secure Boot option enabled. Ubuntu 14.04 and later, SUSE Linux Enterprise Server 12 and
later, Red Hat Enterprise Linux 7.0 and later, and CentOS 7.0 and later are enabled for Secure Boot on
hosts that run Windows Server 2016 Technical Preview. Before you boot the virtual machine for the
first time, you must configure the virtual machine to use the Microsoft UEFI Certificate Authority. You
can do this from Hyper-V Manager, Virtual Machine Manager, or an elevated Windows PowerShell
session.

• Virtual Secure Mode: Virtual Secure Mode provides a container in which critical security components
are isolated. This virtualization helps to protect these key components from malicious compromise.
Virtual Secure Mode-enabled virtual machines prevent infected hosts from accessing physical memory data
and the physical processor. Virtual Secure Mode introduces the concept of Virtual Trust Levels (VTLs),
which consist of Memory Access Protections, Virtual Processor State, and Interrupt Subsystem.

o VTLs: A security mechanism on top of the existing privilege enforcement (ring 0/ring 3).

o Memory Access Protections: A VTL’s memory access protections can only be changed by software
running at a higher VTL.

o Virtual Processor State: Isolation of processor state between VTLs.

o Interrupt Subsystem: Interrupts are managed securely at a particular VTL without risk of a lower
VTL generating unexpected interrupts or masking interrupts.

• Host Resource Isolation. This feature was designed to help prevent a virtual machine from consuming
excessive hardware resources. It dynamically identifies virtual machines that are not “interacting well”
and reduces their resource allocation. Host Resource Isolation looks for patterns of activity that
should not occur within a non-malicious virtual machine. This feature is enabled by default.

• Hyper-V Containers. Although multiple container instances can run concurrently on a host, each
container runs inside of a special virtual machine. This provides kernel-level isolation between each
Hyper-V container and the container host.
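The following is an added example, not code from the course text, that audits the per-VM security settings discussed in this section (Secure Boot, virtual TPM, shielding, encryption of state and migration traffic) and then applies the Microsoft UEFI Certificate Authority template to a Linux generation 2 virtual machine before its first boot. It assumes the Hyper-V module cmdlets of the released Windows Server 2016 (Get-VMFirmware, Get-VMSecurity, Set-VMFirmware); the virtual machine name Ubuntu01 is a placeholder.

```powershell
# Added example (not from the course text): audit firmware and security settings of every
# VM on this host, then enable Secure Boot with the Microsoft UEFI CA template on a Linux VM.
# "Ubuntu01" is a placeholder VM name.

function Get-VMSecurityReport {
    foreach ($vm in Get-VM) {
        $report = [ordered]@{
            Name                   = $vm.Name
            Generation             = $vm.Generation
            SecureBoot             = $null
            SecureBootTemplate     = $null
            TpmEnabled             = $null
            Shielded               = $null
            EncryptStateAndTraffic = $null
        }
        # UEFI firmware settings (and therefore Secure Boot) exist only on generation 2 VMs.
        if ($vm.Generation -eq 2) {
            $fw = Get-VMFirmware -VMName $vm.Name
            $report.SecureBoot         = $fw.SecureBoot
            $report.SecureBootTemplate = $fw.SecureBootTemplate
        }
        $sec = Get-VMSecurity -VMName $vm.Name
        $report.TpmEnabled             = $sec.TpmEnabled
        $report.Shielded               = $sec.Shielded
        $report.EncryptStateAndTraffic = $sec.EncryptStateAndVmMigrationTraffic
        [pscustomobject]$report
    }
}

# Generation 2 VMs that boot without firmware signature checks.
Get-VMSecurityReport |
    Where-Object { $_.Generation -eq 2 -and $_.SecureBoot -ne 'On' } |
    Format-Table -AutoSize

# VMs whose saved state and live-migration traffic would cross the fabric unencrypted.
Get-VMSecurityReport |
    Where-Object { -not $_.EncryptStateAndTraffic } |
    Select-Object Name, Shielded, TpmEnabled, EncryptStateAndTraffic |
    Format-Table -AutoSize

# The Linux distributions listed above are signed by the Microsoft UEFI CA, not by the
# Windows CA that the default template trusts, so the template must be switched before the
# VM's first boot. The VM must be off to change firmware settings.
$vmName = 'Ubuntu01'
if ((Get-VM -Name $vmName).State -ne 'Off') {
    throw "Shut down $vmName before changing firmware settings."
}
Set-VMFirmware -VMName $vmName -EnableSecureBoot On `
    -SecureBootTemplate MicrosoftUEFICertificateAuthority

Get-VMFirmware -VMName $vmName | Select-Object VMName, SecureBoot, SecureBootTemplate
```

The report function is the part worth keeping: run it on a schedule and alert on any generation 2 VM whose Secure Boot flips to Off or whose template changes, since either is a configuration change an attacker with host access would need before booting unsigned code in the guest.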

Managing Hyper-V

Hyper-V Manager improvements include:


• Alternate credentials support. You can now use a different set of credentials in Hyper-V Manager
when you connect to another Windows Server 2016 Technical Preview or Windows 10 remote host.
You can also save these credentials to make it easier to sign in again.

• Manage earlier versions. By using Hyper-V Manager in the Windows Server 2016 Technical Preview
and Windows 10, you can manage computers running Hyper-V on Windows Server 2012, Windows
Server 2012 R2, Windows 8, and Windows 8.1.

• Updated management protocol. Hyper-V Manager has been updated to communicate with remote
Hyper-V hosts using the WS-MAN protocol, which permits CredSSP, Kerberos, or NTLM
authentication. When you use CredSSP to connect to a remote Hyper-V host, you can do a live
migration without enabling constrained delegation in Active Directory Domain Services. The WS-
MAN-based infrastructure also makes it easier to enable a host for remote management. WS-MAN
connects over port 80, which is open by default.

Understanding production checkpoints


Starting with Windows Server 2016 Technical Preview and Windows 10, you can choose between standard
and production checkpoints for each virtual machine.
Production checkpoints are “point-in-time” images of a virtual machine, which you can later restore in a
way that is completely supported for all production workloads. This is achieved by using backup
technology inside the guest to create the checkpoint, instead of using saved state technology. Production
checkpoints are the default for new virtual machines, starting in Windows Server 2016 Technical Preview
and Windows 10.

Standard checkpoints capture the state, data, and hardware configuration of a running virtual machine
and are intended to be used in development and test scenarios. Standard checkpoints can be very useful
if you need to recreate a specific state or condition of a running virtual machine so that you can
troubleshoot a problem.

To switch a virtual machine between production and standard checkpoints, perform the following steps:

1. In Hyper-V Manager, right-click the virtual machine, and then click Settings.

2. Under the Management section, select Checkpoints.

3. Select either production checkpoints or standard checkpoints.



4. If you choose production checkpoints, you can also specify whether the host should take a standard
checkpoint if a production checkpoint cannot be taken. If you clear this check box and a production
checkpoint cannot be taken, then no checkpoint will be taken.

5. If you want to store the checkpoint configuration files in a different location, change it in the
Checkpoint File Location section.

6. Click Apply to apply your changes, and then click OK to close the dialog box.
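The same settings from steps 1 to 6, applied with the Hyper-V module instead of Hyper-V Manager, as an added example that is not part of the course text. The virtual machine name App01 and the checkpoint path are placeholders.

```powershell
# Added example (not from the course text): the checkpoint settings from steps 1-6 applied
# with Set-VM. "App01" and "D:\Checkpoints\App01" are placeholders.
$vmName = 'App01'

# Step 3 + step 4 with the check box selected: production checkpoints, falling back to a
# standard checkpoint when the guest cannot quiesce its applications.
Set-VM -Name $vmName -CheckpointType Production

# Step 4 with the check box cleared: if a production checkpoint cannot be taken, take none.
# Set-VM -Name $vmName -CheckpointType ProductionOnly

# Development/test VM where a capture of running memory state is wanted:
# Set-VM -Name $vmName -CheckpointType Standard

# Step 5: keep the checkpoint configuration files in a different location.
Set-VM -Name $vmName -SnapshotFileLocation 'D:\Checkpoints\App01'

# Review the effective setting across all VMs. A production VM still on Standard writes
# guest memory (including whatever secrets are in it) into the checkpoint files.
Get-VM | Select-Object Name, CheckpointType, SnapshotFileLocation | Format-Table -AutoSize

# Take a checkpoint. With CheckpointType Production the guest's backup technology (VSS on
# Windows) is used, so the image is application-consistent rather than a frozen memory dump.
Checkpoint-VM -Name $vmName -SnapshotName "pre-change $(Get-Date -Format 'yyyyMMdd-HHmm')"
Get-VMSnapshot -VMName $vmName | Select-Object Name, CreationTime, SnapshotType
```

SnapshotType in the last line tells you which kind was actually taken, which matters when Production was configured with fallback and the guest's integration services were not available.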

PowerShell Direct
You can use PowerShell Direct to remotely manage a Windows 10 or Windows Server 2016 Technical
Preview virtual machine from a Windows 10 or Windows Server 2016 Technical Preview Hyper-V host.
PowerShell Direct allows Windows PowerShell management inside a virtual machine regardless of the
network configuration or remote management settings on either the Hyper-V host or the virtual machine.
This makes it easier for Hyper-V administrators to automate and script virtual machine management and
configuration.

There are two ways to run PowerShell Direct:

• Create a PowerShell Direct session by using the PSSession cmdlets.


• Run a script or command with the Invoke-Command cmdlet.

To create a PowerShell Direct session on a virtual machine, you should satisfy the following requirements:

• The virtual machine must be running locally on the host and must be booted.

• You must be signed in to the host computer as a Hyper-V administrator.

• You must supply valid user credentials for the virtual machine.

• The host operating system must run Windows 10, Windows Server 2016 Technical Preview, or later
version.

• The virtual machine must run Windows 10, Windows Server 2016 Technical Preview, or later version.

Additional Reading: For more information on PowerShell Direct, refer to: http://aka.ms/Gfebj4
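Both ways of running PowerShell Direct listed above, with the preflight checks the requirements imply, as an added example that is not part of the course text. The virtual machine name Guest01 is a placeholder, and the credential prompted for is an account inside the guest.

```powershell
# Added example (not from the course text): PowerShell Direct from the Hyper-V host.
# "Guest01" is a placeholder VM name.
$vmName = 'Guest01'

# Preflight: the VM must be local and running. -VMName connects over the VMBus, so the
# guest's network, firewall and WinRM configuration play no part.
$vm = Get-VM -Name $vmName -ErrorAction Stop
if ($vm.State -ne 'Running') {
    throw "$vmName is not running; PowerShell Direct needs a booted guest."
}

# The credential is for an account inside the guest. The host session itself must already
# be a Hyper-V administrator; host privilege alone does not log you into the guest.
$guestCred = Get-Credential -Message "Account inside $vmName"

# 1. One-off command with Invoke-Command -VMName.
Invoke-Command -VMName $vmName -Credential $guestCred -ScriptBlock {
    Get-NetIPAddress -AddressFamily IPv4 | Select-Object InterfaceAlias, IPAddress
}

# 2. Persistent session with the PSSession cmdlets, reused for several steps.
$session = New-PSSession -VMName $vmName -Credential $guestCred
Invoke-Command -Session $session -ScriptBlock {
    Get-Service -Name WinRM, W32Time | Select-Object Name, Status
}
Invoke-Command -Session $session -ScriptBlock {
    # Runs as an ordinary PowerShell session inside the guest, so the guest's own
    # PowerShell logging (module and script block logging) records it like any other.
    Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' -MaxEvents 5 |
        Select-Object TimeCreated, Id
}
Remove-PSSession -Session $session

# Interactive equivalent of the session above:
# Enter-PSSession -VMName $vmName -Credential $guestCred
```

From a monitoring standpoint the last Invoke-Command is the useful observation: because the session executes inside the guest, guest-side PowerShell logging still sees it even though no network connection to the guest was made.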

Integration services delivered through Windows Update


Windows Update distributes the updates to integration services for Windows guests. For service providers
and private cloud hosters, this puts the control of applying updates into the hands of the tenants who
own the virtual machines. Tenants can now update their Windows virtual machines with all updates,
including the integration services, by using a single method.

Additional Reading: For information on integration services for Linux guests, refer to:
http://aka.ms/Y82q8r

Note: The ISO image file vmguest.iso is no longer needed to update integration
components. It isn't included with Hyper-V on Windows Server 2016 Technical Preview.

Additional Reading: For more information on Updating Integration Components over
Windows Update, refer to: http://aka.ms/Wr0z3y

Virtual machine configuration file format


Virtual machines have a new configuration file format, which helps make the reading and writing of
configuration data more efficient. It also reduces the chances of data corruption in case of a storage
failure. The new configuration files use the .vmcx file extension for virtual machine configuration data and
the .vmrs file extension for runtime state data.

Note: A file with the .VMCX file extension is in binary format. Directly editing a file with a
.VMCX or .VMRS file extension isn't supported.

Virtual machine configuration version


When you move or import a virtual machine to a server that runs Hyper-V on Windows Server 2016
Technical Preview from Windows Server 2012 R2, the virtual machine’s configuration is not automatically
updated. This means you can move the virtual machine back to a server that runs Windows Server 2012
R2. But, this also means you cannot use the new features of the virtual machine until you manually update
the version of the virtual machine configuration. Virtual machines with version 6 are compatible with
Windows Server 2016 Technical Preview, but will not run in Hyper-V in Windows Server 2012 R2.

To check the configuration version of the virtual machines running on Hyper-V, from an elevated
Windows PowerShell command prompt, run:

Get-VM * | Format-Table Name, Version
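An added example, not code from the course text, that builds on the command above: it lists the virtual machines still at the Windows Server 2012 R2 configuration version (5.0) and upgrades only those that are shut down. The Technical Preview documented the cmdlet as Update-VmConfigurationVersion, and the released product ships it as Update-VMVersion; the example resolves whichever one the host has.

```powershell
# Added example (not from the course text): find VMs at configuration version 5.0 (Windows
# Server 2012 R2) and upgrade them. The upgrade is one-way: afterwards the VM no longer
# runs on a 2012 R2 host.
$legacy = Get-VM | Where-Object { [version]$_.Version -eq [version]'5.0' }
$legacy | Select-Object Name, State, Version | Format-Table -AutoSize

# Technical Preview name vs. released name of the cmdlet; use whichever is present.
$updateCmd = Get-Command -Name Update-VMVersion, Update-VmConfigurationVersion `
    -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $updateCmd) {
    throw 'No VM version update cmdlet found in the Hyper-V module on this host.'
}

foreach ($vm in $legacy) {
    # The VM must be off. Skip running VMs instead of forcing them down.
    if ($vm.State -ne 'Off') {
        Write-Warning "Skipping $($vm.Name): state is $($vm.State), must be Off."
        continue
    }
    & $updateCmd -Name $vm.Name -Confirm:$false
}

Get-VM | Select-Object Name, Version | Format-Table -AutoSize
```

Keep the first listing as a record before upgrading: once a VM is at the newer version it cannot be moved back to a 2012 R2 host, so the list is what you check against a planned cluster upgrade order.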



Availability

Rolling Hyper-V Cluster upgrade


You can now add a node running Windows Server 2016 Technical Preview to a Hyper-V Cluster with
nodes running Windows Server 2012 R2. The cluster continues to function at a Windows Server 2012 R2
feature level until you upgrade all of the nodes in the cluster. To upgrade the cluster functional level, use
the following Windows PowerShell cmdlet:
Update-ClusterFunctionalLevel

Note: After you update the cluster functional level, you cannot downgrade it back to
Windows Server 2012 R2.

When the Hyper-V Cluster has a mix of both Windows Server 2012 R2 and Windows Server 2016
Technical Preview nodes, you can still move virtual machines between all of the nodes in the Hyper-V
Cluster.
When the cluster functional level is Windows Server 2012 R2, the following applies to the Hyper-V Cluster:

• You should manage the cluster, Hyper-V, and virtual machines from a node running Windows Server
2016 Technical Preview or Windows 10.

• You cannot use new Hyper-V features until all of the nodes run Windows Server 2016 Technical
Preview and you upgrade the cluster functional level.

• The virtual machine configuration version for existing virtual machines is not upgraded. You can only
upgrade the configuration version after you upgrade the cluster functional level.

• Virtual machines that you create will be compatible with Windows Server 2012 R2, virtual machine
configuration level 5.

After you upgrade the cluster functional level to Windows Server 2016 Technical Preview, the following
applies:

• To enable new virtual machine features, you need to manually upgrade the virtual machine
configuration level of the virtual machines by using the Update-VmConfigurationVersion cmdlet.

• You can enable new Hyper-V features.


• You cannot add a node to the Hyper-V Cluster that runs Windows Server 2012 R2.
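An added example, not code from the course text, of the guard a practitioner wants before running Update-ClusterFunctionalLevel, since the note above says the change cannot be reverted: it confirms every cluster node is up and no longer running Windows Server 2012 R2 (build 9600) before raising the level. It assumes it is run from a Windows Server 2016 or Windows 10 management node with the FailoverClusters module and remoting access to every node.

```powershell
# Added example (not from the course text): refuse to raise the cluster functional level while
# any node is still Windows Server 2012 R2 or is not an active member.
$cluster = Get-Cluster
"Current functional level: $($cluster.ClusterFunctionalLevel)"

$nodes = Get-ClusterNode

# Operating system build of every node, read from the node itself.
$osByNode = Invoke-Command -ComputerName $nodes.Name -ScriptBlock {
    Get-CimInstance -ClassName Win32_OperatingSystem |
        Select-Object CSName, Caption, BuildNumber
}
$osByNode | Format-Table CSName, Caption, BuildNumber -AutoSize

# Windows Server 2012 R2 is build 9600; anything at or below that has not been upgraded.
$notUpgraded = $osByNode | Where-Object { [int]$_.BuildNumber -le 9600 }
if ($notUpgraded) {
    Write-Warning ("Still on Windows Server 2012 R2: {0}. Functional level left unchanged." -f
        ($notUpgraded.CSName -join ', '))
    return
}

# Every node must be an active member; a paused or down node is not evaluated by the
# cluster when the level is raised.
$notUp = $nodes | Where-Object { $_.State -ne 'Up' }
if ($notUp) {
    Write-Warning "Nodes not Up: $($notUp.Name -join ', '). Functional level left unchanged."
    return
}

Update-ClusterFunctionalLevel
"New functional level: $((Get-Cluster).ClusterFunctionalLevel)"

# Next step, per VM and deliberately manual (see the bullet above): upgrade the virtual
# machine configuration version of each VM once it can be shut down.
```

ClusterFunctionalLevel is a small integer; the value you see before the upgrade is the one to record, because after Update-ClusterFunctionalLevel succeeds no 2012 R2 node can rejoin and the only way back is rebuilding the cluster.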

Additional Reading: For more information on Cluster Operating System Rolling Upgrade,
refer to: http://aka.ms/Je0xnc

Hyper-V replica
Integrated software-based virtual machine replication

• Virtual machine replication capabilities built into Windows Server 2012 R2 Hyper-V.

• Configurable replication frequencies of 30 seconds, 5 minutes, and 15 minutes.

• Secure replication across a network by using certificates.

• Flexible solution, agnostic of network, server, and storage hardware on either site.

• No need for other virtual machine replication technologies, reducing costs.

• Automatic handling of live migration.


• Simple configuration and management—either through Hyper-V Manager, Windows PowerShell, or
with Azure Site Recovery.

Failover clustering enhancements


• Virtual machine storage resiliency:

o Preserves tenant virtual machine session state in the event of transient storage disruption.

o Enables the virtual machine stack to quickly and intelligently notify on failure of the underlying
block or file based storage infrastructure.

o Enables the virtual machine to be quickly moved to a PausedCritical state.


o Enables the virtual machine to wait for storage to recover and session state to be retained on
recovery.

• Virtual machine Compute Resiliency:


o Provides resiliency to transient failures such as a temporary network outage, or a non-responding
node.

o In the event of node isolation, virtual machines will continue to run, even if a node falls out of
cluster membership.

o This is configurable based on your requirements. The default is set to 4 minutes.

• Node quarantine:

o Unhealthy nodes are quarantined and are no longer allowed to join the cluster.

o This capability prevents unhealthy nodes from negatively affecting other nodes and the overall
cluster.

o Node is quarantined if it unexpectedly leaves the cluster three times within an hour.
o After a node is placed in quarantine, virtual machines are live migrated from the cluster node,
without downtime to the virtual machine.

Guest clustering with shared VHDX


• Flexible and secure:

o Shared VHDX removes need to present the physical underlying storage to a guest operating
system.
o *NEW* Shared VHDX supports online resize.

• Streamlined virtual machine shared storage:

o Shared VHDX files can be presented to multiple virtual machines simultaneously as shared
storage.
o The virtual machine sees a shared virtual Serial Attached SCSI (SAS) disk that it can use for
clustering at the guest operating system and application level.

o Utilizes SCSI-persistent reservations.

o Shared VHDX can reside on a Cluster Shared Volume on block storage, or on server message
block (SMB) file-based storage.

• *NEW* Protected:

o Shared VHDX supports Hyper-V Replica and host-level backup.



Performance and quality

Improvements in memory management


• Static Memory: Startup RAM represents memory that will be allocated regardless of virtual machine
memory demand.

• *NEW* Runtime resize: Administrators can now increase or decrease virtual machine memory without
virtual machine downtime. Memory cannot be decreased below the virtual machine's current demand or
increased beyond the physical memory of the host.

• Dynamic Memory: Enables automatic reallocation of memory between running virtual machines.
Results in increased utilization of resources, improved consolidation ratios, and reliability for restart
operations.

• Runtime resize: With Dynamic Memory enabled, administrators can increase the maximum or
decrease the minimum memory without virtual machine downtime.
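An added example, not code from the course text, of the two runtime resize cases listed above together with a hot add and remove of a network adapter on a running generation 2 virtual machine. The names Web01 and External-Switch are placeholders.

```powershell
# Added example (not from the course text): runtime memory resize plus hot add/remove of a
# network adapter on a running VM. "Web01" and "External-Switch" are placeholders.
$vmName = 'Web01'
$vm  = Get-VM -Name $vmName -ErrorAction Stop
$mem = Get-VMMemory -VMName $vmName
$newSize = 6GB

# Limits stated above: not below current demand, not above host physical memory.
$hostTotal = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
if ($newSize -gt $hostTotal) {
    throw "Requested $($newSize / 1GB) GB exceeds host physical memory."
}
if ($vm.MemoryDemand -and $newSize -lt $vm.MemoryDemand) {
    throw "Requested size is below the VM's current demand of $($vm.MemoryDemand / 1MB) MB."
}

if ($mem.DynamicMemoryEnabled) {
    # With Dynamic Memory, runtime resize raises the Maximum (or lowers the Minimum).
    Set-VMMemory -VMName $vmName -MaximumBytes $newSize
} else {
    # With static memory, the startup amount is the amount the VM has; resize it in place.
    Set-VMMemory -VMName $vmName -StartupBytes $newSize
}
Get-VMMemory -VMName $vmName |
    Select-Object VMName, DynamicMemoryEnabled, Startup, Minimum, Maximum

# Hot add a second adapter, inspect it, then remove it again, all without downtime.
if ($vm.Generation -ne 2) {
    throw 'Hot add/remove of network adapters requires a generation 2 VM.'
}
Add-VMNetworkAdapter -VMName $vmName -SwitchName 'External-Switch' -Name 'Mgmt'
Get-VMNetworkAdapter -VMName $vmName | Select-Object Name, SwitchName, MacAddress, Status
Remove-VMNetworkAdapter -VMName $vmName -Name 'Mgmt'
```

Hot add of an adapter is also a change worth logging on the host: a new adapter on a running VM is a new path into whatever the switch is connected to, and the Hyper-V-VMMS event log records the change.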

Discrete device assignment


Users can now take some of the PCI Express devices in their systems and pass them through directly to a
guest virtual machine. This technology is very similar to the technology used for Single Root I/O
Virtualization (SR-IOV) networking in the past.

Windows Server 2016 will allow NVMe devices to be assigned to guest virtual machines. We still
recommend that these virtual machines only be those that are under control of the same administration
team that manages the host and the hypervisor.

Similarly, graphics processing units (GPUs) are becoming an essential component in virtual machines.
Although what most people really want is to segment a GPU into many sections and let virtual machines
share them, you can use Discrete Device Assignment to pass a whole GPU through to a virtual machine. GPUs
are quite complicated, and a full support statement must come from the GPU vendor.

Other types of devices might work when passed through to a guest virtual machine, such as USB 3.0
controllers, RAID/SAS controllers, and more. But none of these devices will be candidates for official
support from Microsoft at first, and you won't be able to put them into use without overriding warning
messages. Consider these devices to be in the experimental category.
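The pass-through sequence described above, as an added example that is not code from the course text: locate the device's PCI location path on the host, prepare the virtual machine, detach the device from the host partition and assign it to the guest, with the reverse steps at the end. The friendly-name filter, the virtual machine name Gpu01 and the MMIO sizes are placeholders; the -Force on Dismount-VMHostAssignableDevice is the "override warning messages" step the text refers to for devices outside the supported set.

```powershell
# Added example (not from the course text): Discrete Device Assignment of one PCIe device.
# The device filter, "Gpu01" and the MMIO sizes are placeholders.
$vmName = 'Gpu01'

# 1. Find the device on the host and its PCI location path.
$dev = Get-PnpDevice -PresentOnly |
    Where-Object { $_.FriendlyName -like '*PLACEHOLDER-DEVICE-NAME*' } |
    Select-Object -First 1
if (-not $dev) { throw 'Device not found on the host.' }
$locationPath = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
    -KeyName 'DEVPKEY_Device_LocationPaths').Data[0]
"Location path: $locationPath"

# 2. VM prerequisites: device state cannot be saved, so the VM must turn off rather than
#    save on host shutdown, and a large-BAR device such as a GPU needs MMIO space.
if ((Get-VM -Name $vmName).State -ne 'Off') { throw "$vmName must be Off." }
Set-VM -Name $vmName -AutomaticStopAction TurnOff
Set-VM -Name $vmName -GuestControlledCacheTypes $true `
    -LowMemoryMappedIoSpace 1GB -HighMemoryMappedIoSpace 32GB

# 3. Detach the device from the host partition. -Force overrides the warning for devices
#    that are not in the officially supported set.
Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
Dismount-VMHostAssignableDevice -LocationPath $locationPath -Force

# 4. Assign it to the VM and confirm. The guest now drives the hardware directly, bypassing
#    the virtualization stack, which is why the text limits this to VMs run by the host's
#    own administration team.
Add-VMAssignableDevice -LocationPath $locationPath -VMName $vmName
Get-VMAssignableDevice -VMName $vmName

# To give the device back to the host, reverse the steps:
# Remove-VMAssignableDevice -LocationPath $locationPath -VMName $vmName
# Mount-VMHostAssignableDevice -LocationPath $locationPath
# Enable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
```

Get-VMAssignableDevice on every host is also a quick inventory of which guests have direct hardware access, which is worth reviewing whenever a VM changes hands between teams.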

Storage QoS
Storage QoS in Windows Server 2016 Technical Preview enables you to centrally monitor and manage
storage performance for virtual machines by using Hyper-V and the Scale-Out File Server roles. The
feature automatically improves storage resource fairness between multiple virtual machines by using the
same file server cluster, and you can configure specific minimum and maximum performance goals in units
of normalized input/output operations per second (IOPS).

You can use Storage QoS in Windows Server 2016 Technical Preview to accomplish the following:
• Mitigate noisy neighbor issues. By default, Storage QoS ensures that a single virtual machine cannot
consume all storage resources and deprive other virtual machines of storage bandwidth.

• Monitor end-to-end storage performance. After the virtual machines stored on a Scale-Out File
Server start, their performance is monitored. You can view the performance details of all running
virtual machines and the configuration of the Scale-Out File Server cluster from a single location.

• Deploy at high density with confidence. Storage QoS policies define performance minimums and
maximums for virtual machines and ensure that they are met. This provides consistent performance to
virtual machines, even in dense and overprovisioned environments. If policies cannot be met, alerts
are available to track when virtual machines are out of policy or have invalid policies assigned.
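The three uses listed above in one added example that is not code from the course text: a policy that gives a tenant's disks a floor and a ceiling (the noisy-neighbour cap), the per-flow view of what each disk is actually getting, and a check for flows that are out of policy. The policy and virtual machine names are placeholders; the New-StorageQosPolicy and Get-StorageQosFlow calls run on a node of the Scale-Out File Server cluster, while Set-VMHardDiskDrive runs on the Hyper-V host.

```powershell
# Added example (not from the course text): create a Storage QoS policy, assign it to a VM's
# disks, and report on flows. "Tenant-Silver" and "Tenant01" are placeholders.

# On the storage cluster. Dedicated: each VHD assigned this policy gets its own 100-500 IOPS
# envelope. Aggregated would share one envelope across every VHD carrying the policy.
$policy = New-StorageQosPolicy -Name 'Tenant-Silver' `
    -MinimumIops 100 -MaximumIops 500 -PolicyType Dedicated
$policy | Select-Object Name, PolicyId, PolicyType, MinimumIops, MaximumIops

# On the Hyper-V host: attach the policy to every virtual disk of the VM. The ceiling is what
# stops one VM from consuming all storage bandwidth; the floor is what the cluster tries to
# guarantee it.
Get-VMHardDiskDrive -VMName 'Tenant01' |
    Set-VMHardDiskDrive -QoSPolicyID $policy.PolicyId

# Back on the storage cluster: one flow per VHD, with configured limits and observed rate.
Get-StorageQosFlow -InitiatorName 'Tenant01' |
    Select-Object InitiatorName, FilePath, MinimumIops, MaximumIops,
                  InitiatorIOPS, InitiatorLatency, Status |
    Format-Table -AutoSize

# "Deploy at high density with confidence": flows whose minimum cannot be met, or that carry
# a policy ID the cluster no longer knows, are flagged in Status; anything but Ok needs a look.
Get-StorageQosFlow |
    Where-Object { $_.Status -ne 'Ok' } |
    Select-Object InitiatorName, InitiatorNodeName, FilePath, Status |
    Format-Table -AutoSize
```

A VM whose disks carry a policy ID that no longer exists keeps running with no limits at all, so the last query is the one to schedule: a stale or deleted policy silently removes the noisy-neighbour protection the first query put in place.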

Storage QoS requirements


Storage QoS supports two deployment scenarios.

Hyper-V using a Scale-Out File Server


This scenario requires both of the following:
• A storage cluster that is a Scale-Out File Server cluster

• A compute cluster that has at least one server with the Hyper-V role enabled
For Storage QoS, a failover cluster is required on storage servers, but the compute servers are not required
to be in a failover cluster. All servers (used for both storage and compute) must be running Windows
Server Technical Preview.

Hyper-V using Cluster Shared Volumes


This scenario requires both of the following:

• A compute cluster with the Hyper-V role enabled.


• A Hyper-V server using Cluster Shared Volumes (CSV) for storage

A failover cluster is required and all servers must be running the same version of Windows Server 2016
Technical Preview.

Additional Reading: For more information on Storage Quality of Service, refer to:
http://aka.ms/Todxmx

Lesson 4
Introducing Windows Server and Hyper-V Containers

Windows Server and Hyper-V Containers provide application isolation that enables easier app
development, higher scaling, rapid deployment, and operation of applications. This lesson introduces you
to Windows Server and Hyper-V Containers.
After completing this lesson, you will be able to:

• Describe the concept of containers.

• Describe the difference between Windows and Hyper-V Containers.


• Describe the procedure for creating Containers.

• Describe the integration with Docker.

• Identify the Windows Container requirements.



Container fundamentals

Containers provide an isolated and portable operating environment for your apps. From the application’s
perspective, a container appears as an isolated Windows operating system, with its own file system,
devices, and configuration. Windows Server supports two types of containers: Windows Server Containers
and Hyper-V containers. Windows Server Containers achieve isolation through namespace and process
isolation, whereas Hyper-V Containers encapsulate each container in a lightweight virtual machine.
When you begin working with containers you will notice many similarities between a container and a
virtual machine. A container runs an operating system, has a file system and can be accessed over a
network just as if it was a physical or virtual computer system. However, the technology and concepts
behind containers are very different from that of virtual machines.

The following key concepts will be helpful as you begin creating and working with Windows Containers.

Container host
A container host is a physical or virtual computer system configured with the Windows Container feature.
The container host can run one or more Windows Containers.

Container image
As modifications are made to a container's file system or registry, such as with software installation, they
are captured in a sandbox. In many cases you might want to capture this state so that new containers
can be created that inherit these changes. That is the purpose of an image: after the container has
stopped, you can either discard that sandbox or convert it into a new container image. For
example, consider a scenario where you have deployed a container from the Windows Server Core
operating system image. You then install MySQL into this container. Creating a new image from this
container would act as a deployable version of the container. This image would only contain the changes
made (MySQL), but it would work as a layer on top of the container OS image.

Sandbox
After a container has been started, all write actions such as file system modifications, registry
modifications, or software installations are captured in this sandbox layer.

Container OS image
Containers are deployed from images. The container OS image is the first layer in potentially many image
layers that make up a container. This image provides the operating system environment. A container OS
image is immutable, and it cannot be modified.

Container repository
Each time you create a container image, the container image and its dependencies are stored in a local
repository. These images can be reused many times on the container host. The container images can also
be stored in a public or private registry such as DockerHub so that they can be used across many different
container hosts.

Container management technology


You can manage Windows Containers by using both Windows PowerShell and Docker. With either tool
you can create new containers, create container images, and manage the container lifecycle.

Containers for IT professionals


IT Professionals can use containers to provide standardized environments for their development, QA, and
production teams. They no longer have to worry about complex installation and configuration steps. By
using containers, systems administrators can abstract the differences in operating system installations and
the underlying infrastructure.
Containers help admins create an infrastructure that is simpler to update and maintain.

Containers for developers


When you containerize an app, only the app and the components needed to run the app are combined
into an image. Containers are then created from this image as you need them. You can also use an image
as a baseline to create another image, making image creation even faster. Multiple containers can share
the same image, which means containers start very quickly and use fewer resources. For example, you can
use containers to start up lightweight and portable app components – or micro-services – for distributed
apps and quickly scale each service separately.

Windows Server Containers versus Hyper-V Containers

Two types of containers are available in Windows Server 2016 Technical Preview:
• Windows Server Containers. These containers provide application isolation through process and
namespace isolation technology. A Windows Server Container shares a kernel with the container host
and all containers running on the host. Windows Server Containers isolate applications on the same
container host. Each container has its own view of the host system, including the kernel, processes, file
systems, the registry, and other components. In the case of Windows Server Containers, the isolation
boundary sits between user mode and kernel mode.
• Hyper-V Containers. These containers expand on the isolation provided by Windows Server
Containers by running each container in a highly optimized virtual machine. In this configuration, the
kernel of the container host is not shared with the Hyper-V Containers. Hyper-V Containers are based
on a container technology that is rooted in hardware-assisted virtualization. With hardware-assisted
virtualization, Hyper-V Containers' applications are provided a highly isolated environment in which
to operate, where the host operating system cannot be affected in any way by any running container.

Creating Containers

Set up a new Container Host in a new virtual machine


Windows Containers consist of several components such as the Windows Container Host and Container
OS Base Images. We have put together a script that will download and configure these items for you.
Follow these steps to deploy a new Hyper-V Virtual Machine and configure this system as a Windows
Container Host.
Start a Windows PowerShell session as Administrator by right-clicking the Windows PowerShell icon and
selecting Run as Administrator, or by running the following command from any Windows PowerShell
session.

PS C:\> start-process powershell -Verb runAs

Before downloading and running the script, ensure that an external Hyper-V virtual switch has been
created because this script will fail without one.
Run the following command to return a list of external virtual switches. If nothing is returned, create a
new external virtual switch, and then proceed to the next step of this guide.

PS C:\> Get-VMSwitch | where {$_.SwitchType -eq "External"}

Use the following command to download the configuration script. The script can also be manually
downloaded from this location: Configuration Script.

PS C:\> wget -uri https://aka.ms/tp4/New-ContainerHost -OutFile c:\New-ContainerHost.ps1

Run the following command to create and configure the container host. The value passed to -VMName
(testcont in this example) will be the virtual machine name.

PS C:\> powershell.exe -NoProfile c:\New-ContainerHost.ps1 -VMName testcont -WindowsImage ServerDatacenterCore -Hyperv

When the script begins, you will be prompted for a password. This will be the password assigned to the
Administrator account.

Next, you will be asked to read and accept licensing terms.

Before installing and using the Windows Server Technical Preview 4 with Containers virtual machine, you
must:

1. Review the license terms by navigating to this link: http://aka.ms/tp4/containerseula

2. Print and retain a copy of the license terms for your records.

By downloading and using the Windows Server Technical Preview 4 with Containers virtual machine, you
agree to such license terms. Please confirm you have accepted and agree to the license terms.

[N] No [Y] Yes [?] Help (default is "N"):

The script will then begin to download and configure the Windows Container components. This process
might take quite some time because of the large download size of the component. When the process
completes, your virtual machine will be configured and ready for you to create and manage Windows
Containers and Windows Container Images with both Windows PowerShell and Docker.

When the configuration script has completed, sign in to the virtual machine using the password specified
during the configuration process and make sure that the virtual machine has a valid IP address. After
completing these steps, your system should be ready for Windows Containers.
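The procedure above, as an added PowerShell script that is not from the handbook: it finds or creates the external switch, downloads the configuration script, refuses to run it unless its Authenticode signature is valid, and then checks that the new virtual machine has an IPv4 address. The switch name, the adapter selection and the VM name are assumptions, and the signature check assumes the script is signed; if it is not, review the script manually before running it.

```powershell
# Added example (not from the handbook): prepare the Hyper-V host, then run New-ContainerHost.ps1.
# Assumptions: the script URL is the one given in the text; the switch name and VM name are
# placeholders; the downloaded script carries a valid Authenticode signature.
$ScriptUrl  = 'https://aka.ms/tp4/New-ContainerHost'
$ScriptPath = 'C:\New-ContainerHost.ps1'
$VMName     = 'testcont'   # same name as in the handbook command

# Step 1: reuse an existing external switch, or create one bound to the first connected physical NIC.
$switch = Get-VMSwitch | Where-Object { $_.SwitchType -eq 'External' } | Select-Object -First 1
if (-not $switch) {
    $nic = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1
    if (-not $nic) { throw 'No connected physical network adapter found; cannot create an external switch.' }
    $switch = New-VMSwitch -Name 'ContainerExternal' -NetAdapterName $nic.Name -AllowManagementOS $true
}
Write-Host "Using external switch '$($switch.Name)'"

# Step 2: download the configuration script over HTTPS (wget is an alias of Invoke-WebRequest).
Invoke-WebRequest -Uri $ScriptUrl -OutFile $ScriptPath

# Step 3: do not execute a freshly downloaded script blindly; require a valid Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($sig.Status -ne 'Valid') {
    throw "Signature status for $ScriptPath is '$($sig.Status)'; inspect the script before running it."
}
Write-Host "Script signed by: $($sig.SignerCertificate.Subject)"

# Step 4: create the container host VM with the same parameters as the handbook command.
# The script prompts for the Administrator password and for acceptance of the license terms.
& powershell.exe -NoProfile -File $ScriptPath -VMName $VMName -WindowsImage ServerDatacenterCore -Hyperv

# Step 5: confirm the VM exists and has obtained an IPv4 address before signing in.
$vm = Get-VM -Name $VMName
$ip = ($vm | Get-VMNetworkAdapter).IPAddresses | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }
if ($ip) { Write-Host "VM '$VMName' is $($vm.State) with IPv4 address(es): $($ip -join ', ')" }
else     { Write-Warning "VM '$VMName' has no IPv4 address yet; check the switch binding and DHCP." }
```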

Integrating with Docker

Containers are not a new technology. In general, they have existed in Linux for quite some time. Docker is
an open-source engine that has helped containers become more prevalent.
Currently, Docker's open-source runtime builds, ships, and runs containers on Linux operating systems.
Because it is open source, an extensive ecosystem of developers, and now of dockerized applications, has
grown up around it. Docker provides a user-friendly experience to manage the lifecycle of its containers,
facilitating easy adoption.

With the introduction of Windows Server Containers and Hyper-V Containers, Docker becomes even more
useful because you can use it to manage Docker containers on Windows and the traditional Linux
environment. With Docker, you can:

• Create containers.
• Remove containers.

• Browse the Docker Hub to access and download prebuilt images.

Note: Docker is a third-party product and is not preinstalled or available as a feature in
Windows. You must download the installer/binaries and set up the host with the Docker Engine:
https://aka.ms/ContainerTools

Windows Containers requirements

Windows Containers on a physical system


The Windows Container role is only available on Windows Server 2016 Technical Preview 4 (Full and Core)
and Nano Server. If you plan to run Hyper-V Containers, you need to install the Hyper-V role.

Windows Containers on a virtual system


If you plan to run a Windows Container host from a Hyper-V virtual machine, and you also plan to host
Hyper-V Containers, you will need to enable nested virtualization. Nested virtualization has the following
requirements:

• At least 4 GB RAM available for the virtualized Hyper-V host.

• Windows Server 2016 Technical Preview 4, or Windows 10 build 10565 on the host system, and
Windows Server Technical Preview 4 (Full, Core), or Nano Server in the virtual machine.

• A processor with Intel VT-x (this feature is currently only available for Intel processors).

• The Container host virtual machine will also need at least 2 virtual processors.

Supported operating system images


Windows Server Technical Preview 4 is offered with two container OS Images, Windows Server Core and
Nano Server. Not all configurations support both OS images. This table details the supported
configurations.

Host Operating System           Windows Server Container   Hyper-V Container
Windows Server 2016 Full UI     Core OS Image              Nano OS Image
Windows Server 2016 Core        Core OS Image              Nano OS Image
Windows Server 2016 Nano        Nano OS Image              Nano OS Image

Lesson 5
Windows Server 2016 Management

Windows Server 2016 includes improvements that can assist you in troubleshooting computers in your
datacenter and managing your failover clusters. This lesson describes the various improvements included
in Windows Server 2016.
After completing this lesson, you will be able to:

• Describe the Setup and Boot Event Collection feature.

• List the new features in failover clustering.


• Describe the new features of Windows PowerShell 5.0.

Setup and Boot Event Collection overview

Setup and Boot Event Collection is a new feature introduced in Windows Server 2016 Technical Preview.
You can use this feature to designate a collector computer that can gather a variety of important events
that occur on other computers when they boot or go through the setup process. You can then later
analyze the collected events with Event Viewer, Message Analyzer, Wevtutil, or Windows PowerShell
cmdlets.
Previously, it was impossible to monitor these events because the infrastructure needed to collect them
does not exist until a computer is already set up. The kinds of setup and boot events you can monitor
include:
• Loading of kernel modules and drivers

• Enumeration of devices and initialization of their drivers (including “devices” such as CPU type)
• Verification and mounting of file systems

• Starting of executable files

• Starting and completion of system updates

• The points at which the system becomes available for logon, establishes a connection with a domain
controller, completes starting services, and makes network shares available.

The collector computer must be running Windows Server 2016 Technical Preview (it can be in either
Server with Desktop Experience or Server Core mode). The target computer must be running either
Windows 10 or Windows Server 2016 Technical Preview. You can also run this service on a virtual machine
that is hosted on a computer that is not running Windows Server 2016 Technical Preview. The following
combinations of virtualized collector and target computers are known to work.

Virtualization host                     Collector virtual machine   Target virtual machine
Windows 8.1                             yes                         yes
Windows 10                              yes                         yes
Windows Server 2016 Technical Preview   yes                         yes
Windows Server 2012 R2                  yes                         no


Failover clustering improvements

Microsoft has made several key improvements to failover clustering in Windows Server 2016 Technical
Preview, which include:
• Cloud witness using Microsoft Azure

• Shared VHDX improvements

• Improved cluster logs


• Active memory dumps

• Network name diagnostics

• Cluster Operating System Rolling Upgrade

Creating a cloud witness by using Azure


Windows Server 2016 Technical Preview introduces the cloud witness quorum type, a witness that you can
create in the cloud by using Azure. This quorum type takes advantage of the Azure public cloud as the
arbitration (witness) point for the cluster. You can achieve this configuration without the need for an extra
site and you will utilize it mostly in multisite clusters.

The cloud witness acts the same as a file-share witness, using the same basic logic in that it does not
contain a copy of the cluster database and will act as a deciding vote to prevent split brains. Split brains
are multiple nodes running in the same cluster that cannot communicate with one another.

Improved cluster logs


When you generate a cluster log in Windows Server 2016 Technical Preview, it includes additional
information that can be accessed quickly and is broken down into various sections, which reduces the time
you spend looking for information or trying to resolve an issue.

Shared VHDX improvements


Shared VHDX gives guest clusters the shared storage they need without giving them access to storage
infrastructures. While shared VHDX provides an additional option from a shared-disk perspective, it was
not without limitations. Windows Server 2016 Technical Preview includes improvements that address
some of these limitations.

• Expand the drive while it is online. (Note that you can only expand a Shared VHDX drive, and you
cannot shrink one.)
• Back up the Shared VHDX attached to a virtual machine from the host.

• Virtual machines that include a Shared VHDX can now also participate in Hyper-V Replica.

Active Memory Dumps


Windows Server 2016 includes a new dump setting called Active Memory Dump, which captures only the
memory that the host is actually using. If the host is actively using only 5 GB of memory, a 5-GB memory
dump is what will be created instead of a memory dump that contains both the user and kernel mode
memory, which could be over 512 GB.

Network name diagnostics


Windows Server 2016 Technical Preview features improvements related to diagnosing network name
problems. In previous versions, some of the events were at times confusing or not even present, which
created challenges for troubleshooting. Some of the changes are:

• Additional Cluster validation tests.

• In Windows Server 2016 Technical Preview, events are updated to include the specific error.

• Additional checks for network names to prevent problems that might not occur for days or weeks.
Cluster OS Rolling Upgrade

This is a new feature in Windows Server 2016 Technical Preview, which enables an administrator to
upgrade the operating system of the cluster nodes from Windows Server 2012 R2 to Windows Server
2016 Technical Preview without stopping the Hyper-V or the Scale-Out File Server workloads. Using this
feature, the downtime penalties against Service Level Agreements (SLA) can be avoided.

What is new in Windows PowerShell 5.0?

Windows PowerShell 5.0, which is included in Windows Server 2016, includes significant new features that
extend its use, improve its usability, and allow you to control and manage Windows-based environments
more easily and comprehensively. The following list describes some of these features:

• Starting in Windows PowerShell 5.0, you can develop by using classes, by using formal syntax and
semantics that are similar to other object-oriented programming languages.

• Windows PowerShell 5.0 introduces a new, structured information stream that you can use to transmit
structured data between a script and its callers (or hosting environment).

• New modules, new utility cmdlets, and remote management improvements.

• Windows PowerShell language enhancements give you more control in configuring and managing
Windows PowerShell DSC.

• Improvements to Windows PowerShell authoring in ISE, DSC resource authoring and editing in Visual
Studio.

Module Review

Review Question(s)
Question: How do you check the configuration version of the virtual machines running on
Hyper-V?
Question: You want to implement Windows Server Containers, and want to start off with 6
for testing purposes. Which edition of Windows Server 2016 will you need to implement?

Question: Which type of checkpoint is completely supported for all production workloads?

Module 2
What is new in identity?
Contents:
Module Overview 2-2
Lesson 1: What is new in Active Directory Domain Services (AD DS)? 2-3

Lesson 2: AD FS improvements 2-8

Module Review 2-24



Module Overview

Windows Server 2016 Technical Preview has many new features in identity to improve the ability for
organizations to help secure Active Directory environments. Additionally, many of the new features help
organizations migrate to cloud-only deployments and hybrid deployments, where some applications and
services are hosted in the cloud while others are hosted in an on-premises environment. This module
introduces you to those improvements.
After completing this module, you will be able to list and describe:

• The new features available for Active Directory Domain Services (AD DS).

• The new features available for Active Directory Federation Services (AD FS).

Lesson 1
What is new in Active Directory Domain Services (AD DS)?

AD DS includes improvements that help organizations secure their Active Directory environments and
provide better identity management experiences for both corporate and personal devices.

After completing this lesson, you will be able to:

• Describe the new features in Privileged Access Management (PAM).


• Describe the benefits of Microsoft Azure Active Directory (Azure AD) Join.

• Describe Microsoft Passport.

• List the AD DS features that have been removed.



Privileged Access Management

PAM helps mitigate security concerns for Active Directory environments that are caused by credential
theft techniques such as pass-the-hash, spear phishing, and similar types of attacks. It provides a new
administrative access solution that you can configure by using Microsoft Identity Manager (MIM). PAM
introduces:
• A new bastion Active Directory forest provisioned by MIM. The bastion forest has a special PAM trust
with an existing forest. It provides a new Active Directory environment that is known to be free of any
malicious activity, and is isolated from an existing forest for the use of privileged accounts.
• New processes in MIM to request for administrative privileges. Along with these new processes, there
are new workflows that are based on the approval of these requests.

• New shadow security principals (groups) that are provisioned in the bastion forest by MIM in
response to administrative privilege requests. The shadow security principals have an attribute that
references the security identifier (SID) of an administrative group in an existing forest. This allows the
shadow group to access resources in an existing forest without changing any access control lists
(ACLs).
• An expiring links feature, which enables time-bound membership in a shadow group. A user can be
added to the group for just enough time required to perform an administrative task. The time-bound
membership is expressed by a time-to-live (TTL) value that is propagated to a Kerberos ticket lifetime.

• Key Distribution Center (KDC) enhancements that are built in to Active Directory domain controllers.
This helps restrict the Kerberos ticket lifetime to the lowest possible TTL value in cases where a user
has multiple time-bound memberships in administrative groups. For example, if you are added to a
time-bound group A, when you sign in, the Kerberos ticket-granting ticket (TGT) lifetime is equal to
the time remaining for you in group A. If you are also a member of another time-bound group B,
which has a lower TTL than group A, then the TGT lifetime is equal to the time remaining for you in
group B.

• New monitoring capabilities to help you easily identify who requested the access, what access was
granted, and what activities were performed.
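The expiring links and TTL behaviour described above, as an added PowerShell example that is not part of the handbook: it enables the forest-level optional feature, grants a time-bound group membership, and reads the remaining TTL back. The forest name, group and user are placeholders, and MIM is left out so that the underlying AD DS mechanism is visible.

```powershell
# Added example (not from the handbook): time-bound group membership with the AD DS expiring links
# feature that PAM builds on. Assumptions: a lab forest 'corp.example', a group 'Tier0-Operators'
# and a user 'jdoe' (all placeholders); the forest functional level already supports the feature.
# Enabling the optional feature is a one-way change for the forest.
Import-Module ActiveDirectory

$Forest = 'corp.example'
$Group  = 'Tier0-Operators'
$User   = 'jdoe'

# Step 1: expiring links are part of the PAM optional feature; enable it once per forest if needed.
$feature = Get-ADOptionalFeature -Filter { Name -eq 'Privileged Access Management Feature' }
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $Forest -Confirm:$false
}

# Step 2: grant membership for 30 minutes only; the link expires by itself, no cleanup job required.
Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive (New-TimeSpan -Minutes 30)

# Step 3: read the membership back with its remaining TTL. Time-bound members come back as
# '<TTL=<seconds>,<distinguished name>>' strings instead of plain distinguished names.
$members = (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member
foreach ($m in $members) {
    if ($m -match '^<TTL=(\d+),(.+)>$') {
        Write-Host ("{0,-60} expires in {1,5} s" -f $Matches[2], $Matches[1])
    } else {
        Write-Host ("{0,-60} permanent" -f $m)
    }
}

# Step 4: the KDC caps the user's TGT lifetime at the lowest remaining TTL across all time-bound
# groups; in that user's session, 'klist' shows an End Time no later than the shortest TTL.
```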

Azure AD Join

Azure AD Join enhances identity experiences for enterprise, business, and higher education (EDU)
customers with improved capabilities for corporate and personal devices.

Benefits:
• Availability of modern settings on corporate-owned Windows devices. Oxygen Services no longer
require a personal Microsoft account—they now run on users’ existing work accounts to ensure
compliance. Oxygen Services work on PCs that are members of an on-premises AD DS domain, and
PCs and devices that are joined to your Azure AD tenant (cloud domain). These settings include:
o Roaming or personalization, accessibility settings, and credentials

o Backup and Restore

o Access to the Windows Store with work account

o Live tiles and notifications


• Access organizational resources on mobile devices (phones and tablets) that cannot be members of a
Windows domain, whether they are corporate-owned or are part of a Bring Your Own Device (BYOD)
program.
• Use single sign-on (SSO) to sign in to Microsoft Office 365 and other organizational apps, websites,
and resources.

• Add a work account (from an on-premises domain or Azure AD) to a personally-owned device that is
part of a BYOD program, and enjoy SSO to sign in to work resources, via apps and websites. This
helps ensure compliance with new capabilities such as Conditional Account Control and Device
Health attestation.

• Mobile device management (MDM) integration lets you auto-enroll devices to your MDM (Microsoft
Intune or a third-party application) deployment.
• Set up the kiosk mode and shared devices for multiple users in your organization.

• Developer experience lets you build apps that cater to both enterprise and personal contexts with a
shared programing stack.

The imaging option lets you choose between either imaging or allowing your users to configure
corporate-owned devices directly during the first-run experience.

Microsoft Passport

Microsoft Passport is a new key-based authentication approach for organizations and consumers that
goes beyond passwords. This form of authentication uses credentials that are resistant to breach, theft,
and phishing.
The user signs in to the device with biometric or personal identification number (PIN) sign-in information
that is linked to a certificate or an asymmetric key pair. The identity providers (IdPs) validate the user by
mapping the public key of the user to IDLocker and provide the sign-in information through a one-time
password (OTP), PhoneFactor, or a different notification mechanism.

Additional Reading: For more information, refer to Authenticating identities without
passwords through Microsoft Passport: http://aka.ms/authid

Deprecated features

Although file replication service (FRS) and the Windows Server 2003 functional levels were deprecated in
the previous versions of Windows Server, it is important to repeat that the Windows Server 2003
operating system is no longer supported. As a result, you should remove any domain controller that runs
Windows Server 2003 from the domain. Also you should raise the domain and forest functional levels to
Windows Server 2008 or higher to prevent a domain controller that runs an earlier version of Windows
Server from being added to the environment.

At the Windows Server 2008 and higher domain functional levels, Distributed File System (DFS)
Replication is used to replicate the contents of the SYSVOL folder between domain controllers. If you
create a new domain at the Windows Server 2008 domain functional level or higher, DFS Replication is
automatically used to replicate SYSVOL. If you created the domain at a lower functional level, you will
need to migrate from FRS to DFS Replication for SYSVOL. For the migration steps, you can either follow
the procedures on TechNet or you can refer to the streamlined set of steps on the Storage Team File
Cabinet blog.

Windows Server 2016 Technical Preview still supports the Windows Server 2003 domain and forest
functional levels, but organizations should raise the functional level to Windows Server 2008 (or higher if
possible) to ensure SYSVOL replication compatibility and support in the future. In addition, there are many
other benefits and features that are available at higher functional levels. See the following resources for
more information:

Additional Reading: For more information, refer to Understanding Active Directory
Domain Services (AD DS) Functional Levels: http://aka.ms/technetlibuadds
Additional Reading: For more information, refer to Raise the Domain Functional Level:
http://aka.ms/technetlibraise
Additional Reading: For more information, refer to Raise the Forest Functional Level:
http://aka.ms/technetlibraiseforest
Additional Reading: For more information, refer to SYSVOL Replication Migration Guide:
FRS to DFS Replication: http://aka.ms/technetlibsysvol

Lesson 2
AD FS improvements

AD FS is an extension to AD DS and it provides the capability to sign in to a wide variety of applications
including Office 365, cloud-based software as a service (SaaS) applications, and applications on the
corporate network with common credentials.
• For the IT organizations, AD FS enables you to provide authentication and access control to both
modern and legacy applications, on-premises and in the cloud, based on the same set of credentials
and policies. This ensures that you are allowing access to only users, devices, and network locations
that meet your corporate policies.

• For the user, AD FS provides a seamless sign-in experience by using the same, familiar account
credentials.
• For the developer, AD FS provides a simpler method to authenticate users whose identities live in the
organizational directory so that you can focus your effort on the application, not authentication or
identity.
This lesson takes you through what is new in AD FS in Windows Server 2016 Technical Preview.

After completing this lesson, you will be able to:

• Describe what is new in AD FS.

• Explain how AD FS provides a better method to sign in to Azure AD and Office 365.

• Identify the sign-in and authentication improvements in AD FS.

• Explain how AD FS makes farm deployment and management easier.

• Describe the improvements to conditional access.

• Describe how AD FS improves the sign-in experience from Windows 10 and Microsoft Passport.

• List the new protocols for developer support.

• Describe the new features in access control policies.

• Describe how to upgrade AD FS to the Windows Server 2016 farm behavior level.

• Describe the improvements to Web Application Proxy.



What is new in AD FS?

In Windows Server 2016 Technical Preview, the AD FS server role includes the same functionality and
feature set that is available in Windows Server 2012 and Windows Server 2012 R2. It also includes new
features that enable you to configure AD FS to authenticate users stored in non-Active Directory
directories, such as X.500 compliant Lightweight Directory Access Protocol (LDAP) directories and SQL
databases. In many organizations, identity management solutions consist of a combination of AD DS,
Active Directory Lightweight Directory Services and non-Microsoft LDAP directories, and SQL databases.
With the AD FS support for non-Active Directory identity stores, you can benefit from the entire
enterprise-ready AD FS feature set regardless of where your user identities are stored.

Additional Reading: For more information, see http://aka.ms/technetlibconfigadfs

The new version of AD FS in Windows Server 2016 Technical Preview includes additional options that help
you implement easier sign-in methods for a diverse set of users and devices, while keeping the control
over who has access to what and from which device.
Improvements to AD FS in Windows Server 2016 Technical Preview are organized into the following
themes:

• Better method to sign in to Azure AD and Office 365

• Better sign-in experiences

• More options for strong authentication

• Easier deployment and management

• Conditional access

• Seamless sign in from Windows 10 and Microsoft Passport

• Better for developers



AD FS, a better method to sign in to Azure AD and Office 365

One of the most commonly used scenarios for AD FS continues to be providing sign in to Office 365 and
other Azure AD-based applications by using your on-premises Active Directory credentials.
Based on the customer feedback, Microsoft extended the hybrid identity technology by providing support
for authentication based on any LDAP v3-compliant directory, and not just AD DS. This allows users to
sign in to the AD FS resources from:

• Any LDAP v3-compliant directory including AD LDS and third-party directories.

• Untrusted or partially trusted AD DS domains and forests.


You can support LDAP v3 directories by modeling each LDAP directory as a 'local' claims provider trust.
This enables the following administration capabilities:

• Restrict the scope of the directory based on the organizational unit.


• Map individual attributes to AD FS claims, including sign-in ID.

• Map sign-in suffixes to individual LDAP directories.

• Augment claims for users, after authentication, by modifying claim rules.

Additional Reading: For more information, refer to Configure AD FS to authenticate users
stored in LDAP directories: http://aka.ms/technetlibconfigADFSLDAP

Sign-in and authentication improvements in AD FS

Customize the sign-in experience for AD FS applications


From the customer feedback, Microsoft identified that the ability to customize the sign-in experience for
each application would be a great usability improvement, especially for organizations that provide sign-in
methods for applications that represent multiple different companies or brands.
AD FS in Windows Server 2012 R2 provided a common sign-in experience for all relying party
applications, with the ability to customize a subset of text-based content per application. With Windows
Server 2016 Technical Preview, you can customize not only the messages, but also the images, the logo,
and the web theme per application. Additionally, you can create new, custom web themes and apply
these per relying party. This custom web theme can include a logo, an illustration, style sheets, or an
entire onload.js file.

Additional Reading: For more information, refer to Customizing user sign-in for AD FS
relying parties: http://aka.ms/technetlibcustusersign

Seamless sign-in experience from Windows 10


Users of Windows 10 devices and computers will be able to access applications without having to provide
additional credentials, just based on their desktop login, even over the extranet.

Enable new authentication methods and eliminate passwords


AD FS in Windows Server 2016 provides additional methods to authenticate different types of identities
and devices. In addition to the traditional Active Directory-based sign-in options (and new LDAP directory
support), you can now configure device authentication or Azure Multi-Factor Authentication as either the
primary or secondary authentication method.

Using either the device or Azure Multi-Factor Authentication method, you can create a way for managed,
compliant, or domain member devices to authenticate without the need to supply a password, even from
the extranet.

Note: With Windows Server 2016, Microsoft is introducing a built-in Azure Multi-Factor
Authentication-based authentication method. In the current preview, you can enable this feature
only as part of a special opt-in program, so that Microsoft can set up your tenant to support this.

Stronger sign-in from Windows 10


In addition to seamless SSO based on desktop sign-in credentials, Windows 10 users can sign in to AD FS
applications based on their Microsoft Passport credentials. This is a more secure and seamless
authentication method for both users and devices.

Easier deployment and management

Moving from AD FS in Windows Server 2012 R2 to AD FS in Windows Server 2016 is easier

Prior to Windows Server 2016 Technical Preview, migrating to a new version of AD FS required exporting
the configuration from the old farm and importing it to a new, parallel farm.
Now, moving from AD FS in Windows Server 2012 R2 to AD FS on Windows Server 2016 is relatively easy.
To do this, perform the following tasks:

1. Add a new Windows Server 2016 server to a Windows Server 2012 R2 farm. This will ensure that the
farm acts at the Windows Server 2012 R2 farm-behavior level, which is just like a Windows Server
2012 R2 farm.

2. Add additional new Windows Server 2016 servers to the farm.


3. Verify the functionality, and then remove the older servers from the load balancer.
4. Verify that all farm nodes are running Windows Server 2016, and then upgrade the farm behavior
level to 2016. Now you are ready to use the new features.

Additional Reading: For more information on how to upgrade to AD FS in Windows
Server 2016, refer to Walkthrough: Upgrading to AD FS in Windows Server 2016:
http://aka.ms/technetlib605334

Application Policies
Previously you configured custom AD FS policies using claim rules language, which could make it difficult
to implement and maintain more complex policies. AD FS in Windows Server 2016 makes it easier for you
to configure policies by using a wizard. This allows you to avoid writing claim rules even for conditional
access policies.

The new access control policy templates enable the following new scenarios and benefits:

• Templates to simplify the application of similar policies across multiple applications.

• Parameterized policies to support assigning different values for access control (for example, by using
a security group).

• Simpler UI with additional support for many new conditions.

• Conditional predicates (security groups, networks, the device trust level, require Azure MFA).

Additional Reading: For more information, refer to Access Control Policies in AD FS:
http://aka.ms/technetlib126126

Delegated service management


AD FS in Windows Server 2016 introduces the ability to have a separation between server administrators
and AD FS service administrators. This means that there is no longer a requirement for the AD FS service
administrator to be a local server administrator. Instead, you can designate a standard security group.

Audit enhancements
In AD FS in Windows Server 2016, it is much easier to consume and manage audit data. The number of
audits has been reduced from an average of 80 per sign in to 3, and the new audits have been
schematized. These enhancements are enabled by default in the new AD FS for Windows Server 2016
farms.

Additional Reading: For more information, refer to Auditing Enhancements to AD FS in
Windows Server 2016: http://aka.ms/technetlib622082

User certificate authentication over port 443


In AD FS in Windows Server 2012 R2, you could not perform certificate authentication over port 443. This
is because you could not have different bindings for device authentication and user certificate
authentication on the same host.

In AD FS in Windows Server 2016, this has changed. You can now configure user certificate authentication
over the standard port 443. You can do this at the time of creating a farm, or later by using Windows
PowerShell.

Additional Reading: For more information, refer to AD FS support for alternate hostname
binding for certificate authentication: http://aka.ms/technetlib622002

Conditional access improvements in AD FS

AD FS in Windows Server 2016 builds on the previous device registration capabilities by enabling new
scenarios. These include working with Azure AD to require compliant devices, and either restrict or require
multiple factors of authentication, based on management, or compliance status.

Azure AD and Microsoft Intune-based conditional access policies enable scenarios and provide benefits
such as:

• Enable access only from devices that are managed and/or compliant.

• Restrict access to corporate ‘joined’ PCs (including managed devices and domain member PCs).
• Require multi-factor authentication for computers that are not domain members and devices that are
not compliant.

AD FS in Windows Server 2016 can use the computer or device compliance status, so that you can apply
the same policies to your on-premises resources as you do for the cloud.
Compliance is re-evaluated when the device attributes change. This helps you to ensure that policies are
enforced at all times.

Seamless sign-on from Windows 10 and Microsoft Passport

Domain Join in Windows 10 is enhanced to provide integration with Azure AD and support stronger and
more seamless Microsoft Passport-based authentication. This provides the following benefits after
connecting to Azure AD:

• SSO to Azure AD resources from anywhere.

• Strong authentication and convenient sign-in experience with Microsoft Passport and Windows Hello.

AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to
on-premises resources that are protected by AD FS.

Additional Reading: For more information, refer to Windows 10 Sign on – enabling device
authentication with AD FS: http://aka.ms/technetlib593303

AD FS improvements for developers

AD FS in Windows Server 2016 provides improvements for developers. This topic discusses those
improvements.

Enable new protocols for modern authentication

AD FS in Windows Server 2016 builds on the OAuth 2.0 support that was introduced in Windows Server 2012 R2
to enable the current industry standard-based authentication flows among web apps, web APIs, browser-based
apps, and native client-based apps.

Windows Server 2012 R2 supported only the OAuth 2.0 authorization code grant, and only for public clients
(clients that cannot keep a secret, such as native apps). In Windows Server 2016, the following additional
protocols and features are supported:

• OpenID Connect

• Additional OAuth 2.0 grant types:

o Implicit flow (for single-page applications, which cannot hold a client secret)

o Resource owner password credentials (for scripting apps; the client receives and forwards the user's
password, so reserve this grant for trusted legacy clients and prefer the authorization code grant
elsewhere)

• OAuth confidential clients (clients capable of maintaining their own secret, such as apps or services
running on a web server)

• OAuth confidential client authentication methods:

o Symmetric key (shared secret/password)

o Asymmetric keys (the client authenticates with a certificate)

o Integrated Windows authentication

• Support for “on behalf of” flows, in which a web API exchanges the token it received for a token to a
downstream API, as an extension to basic OAuth support

Additional Reading: For more information, refer to Enabling OAuth Confidential Clients
with AD FS 2016: http://aka.ms/technetlib593306
Additional Reading: For more information, refer to Enabling OpenId Connect with AD FS
2016: http://aka.ms/technetlib593305

Configuring application groups for modern authentication


Registering modern applications is simpler in AD FS in Windows Server 2016. Instead of using only Windows
PowerShell, you can use the new Application Group Wizard to create the client object, model the web API as
a relying party, and create the authorization rules in one pass.

You can create an initial application group based on any of the in-built templates, for example Server
application and Web API, and then add additional clients or servers depending on the scenario that you
need.
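The two topics above describe the confidential client support and the application group model. The following added example (not from the handbook) builds an application group entirely in Windows PowerShell, the equivalent of the wizard's Server application and Web API template, and then exercises the shared-secret client authentication method with the client credentials grant against the token endpoint. The farm name, group name, identifiers, URLs and claim rule are assumed values; the cmdlets are the AD FS application group cmdlets.

```powershell
# Added example, not from the handbook. Assumed: farm fs.contoso.com, and
# the group name, identifiers, URLs and claim rule below.
$Fs       = 'https://fs.contoso.com'
$Group    = 'Inventory Service'
$ClientId = 'urn:contoso:inventory-batch'
$ApiId    = 'https://api.contoso.com/inventory'

New-AdfsApplicationGroup -Name $Group -Description 'Batch job that calls the inventory API'

# Confidential client (server application). AD FS generates the secret and
# returns it only in this object: store it in a vault, it cannot be read back.
$Client = Add-AdfsServerApplication -Name 'Inventory batch job' `
              -ApplicationGroupIdentifier $Group -Identifier $ClientId -GenerateClientSecret
$Secret = $Client.ClientSecret

# The protected resource, modelled as a Web API relying party with one claim
# rule and a built-in access control policy template.
$Rules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@
Add-AdfsWebApiApplication -Name 'Inventory API' -ApplicationGroupIdentifier $Group `
    -Identifier $ApiId -IssuanceTransformRules $Rules -AccessControlPolicyName 'Permit everyone'

# Without this grant the token endpoint refuses the client for this resource.
Grant-AdfsApplicationPermission -ClientRoleIdentifier $ClientId `
    -ServerRoleIdentifier $ApiId -ScopeNames 'openid'

# Client credentials grant using the symmetric (shared secret) method. The
# secret travels in the POST body, so this only ever goes over TLS.
$Body = @{
    grant_type    = 'client_credentials'
    client_id     = $ClientId
    client_secret = $Secret
    resource      = $ApiId      # AD FS names the target API with 'resource'
}
$Token = Invoke-RestMethod -Method Post -Uri "$Fs/adfs/oauth2/token" -Body $Body

# Inspect the JWT payload. No signature check is done here; the API itself
# must validate the signature against $Fs/adfs/discovery/keys and check
# iss, aud and exp before trusting any claim.
$Payload = $Token.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
$Payload += '=' * ((4 - $Payload.Length % 4) % 4)
$Claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Payload)) | ConvertFrom-Json
if ($Claims.aud -ne $ApiId) { throw "Token audience is $($Claims.aud), expected $ApiId" }
$Claims | Select-Object iss, aud, appid, exp
```

The audience check at the end is the one the API must repeat on every call: a token minted for another relying party in the same farm carries a valid signature from the same issuer and differs only in aud.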

Access control policies in AD FS

Access control policy templates in AD FS


AD FS now supports access control policy templates. By using access control policy templates, an
administrator can enforce policy settings by assigning a policy template to a group of relying parties.
When the administrator updates the template, the change applies automatically to every relying party that
uses it, without editing each relying party individually.

What are access control policy templates?


The AD FS core pipeline for policy processing has three phases: authentication, authorization, and claim
issuance. Before Windows Server 2016, AD FS administrators had to configure a policy for each of these
phases separately. This required understanding the implications of applying these policies and identifying
whether they depended on one another. Administrators also needed to understand the claim rule language and
author custom rules to enable even simple and common policies (for example, block external access).

Access control policy templates replace this old model, in which administrators configured issuance
authorization rules in the claim rule language. The old Windows PowerShell cmdlets for issuance
authorization rules still work, but the two models are mutually exclusive for a given relying party:
administrators choose either the new model or the old model. The new model lets administrators control
when to grant access, including enforcing multi-factor authentication.

Access control policy templates use a permit model: by default, no one has access, and you must explicitly
grant it. However, this is not an all-or-nothing permit. Administrators can add exceptions to a permit
rule. For example, an administrator might permit access from a specific network by selecting that option
and specifying the IP address range, and then add an exception that denies access from a smaller IP address
range inside it (for example, a guest subnet).

Built-in access control policy templates versus custom access control policy
templates
AD FS includes several built-in access control policy templates. These target some common scenarios that
have the same set of policy requirements, for example the client access policy for Office 365. These
templates cannot be modified.

To provide increased flexibility to address their business needs, administrators can create their own access
policy templates. Administrators can modify these after creation, and changes to the custom policy
template will apply to all the relying parties that are controlled by these policy templates. To add a
custom policy template, click Add Access Control Policy in AD FS management.
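As an added example (not part of the handbook), the following Windows PowerShell finds the relying parties that are still governed by issuance authorization rules and moves one of them to a built-in template, keeping the old rules for rollback. The relying party display name 'Claims App' is an assumption; the template name is one of the built-in templates, and the cmdlets are the AD FS relying party and access control policy cmdlets.

```powershell
# Added example, not from the handbook. Assumed: a relying party named
# 'Claims App'; run on an AD FS node whose farm is at the 2016 behavior level.

# Templates on this farm: the built-in ones such as 'Permit everyone' plus
# any custom templates created through Add Access Control Policy.
Get-AdfsAccessControlPolicy | Select-Object Name, Identifier, Description | Format-Table -Wrap

# Relying parties still on the old model: no template assigned, so access
# is decided by hand-written issuance authorization rules.
$Legacy = Get-AdfsRelyingPartyTrust | Where-Object { -not $_.AccessControlPolicyName }
$Legacy | Select-Object Name, IssuanceAuthorizationRules | Format-List

# Keep the current rules so the change can be reverted, then assign a
# built-in template. Once a template is assigned, the template alone decides
# authorization for this relying party; the two models are not combined.
$Rp    = Get-AdfsRelyingPartyTrust -Name 'Claims App'
$Saved = $Rp.IssuanceAuthorizationRules
Set-AdfsRelyingPartyTrust -TargetName 'Claims App' `
    -AccessControlPolicyName 'Permit everyone and require MFA from extranet access'

# Verify the assignment before testing a sign-in from outside the network.
Get-AdfsRelyingPartyTrust -Name 'Claims App' |
    Select-Object Name, AccessControlPolicyName, IssuanceAuthorizationRules
```

The inventory step is worth running on its own before any migration: a relying party whose rules were hand-authored years ago may carry a permit-all rule nobody remembers, and the template names make the effective policy readable at a glance.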

Additional Reading: For more information, refer to Access Control Policies in AD FS:
http://aka.ms/technetlib126126

Upgrading AD FS to the Windows Server 2016 farm behavior level

New in AD FS for Windows Server 2016 is the farm behavior level (FBL). The FBL is a farm-wide setting that
determines the features that the AD FS farm can use. By default, a Windows Server 2012 R2 AD FS farm
operates at the Windows Server 2012 R2 farm behavior level.

You can add a Windows Server 2016 AD FS server to a Windows Server 2012 R2 farm, and it will operate
at the same farm behavior level as a Windows Server 2012 R2 server. When you have a Windows Server
2016 AD FS server that operates like this, your farm is said to be mixed. However, you will not be able to
take advantage of the new Windows Server 2016 features until the farm behavior level is raised to
Windows Server 2016. With a mixed farm:
• Administrators can add new Windows Server 2016 federation servers to an existing Windows Server
2012 R2 farm. As a result, the farm will be in the mixed mode, and operates at the Windows Server
2012 R2 farm behavior level. To ensure consistent behavior across the farm, you cannot configure or
use new Windows Server 2016 features in this mode.

• After all Windows Server 2012 R2 federation servers have been removed from the mixed mode farm,
the administrator can then raise the farm behavior level from Windows Server 2012 R2 to Windows
Server 2016. Note that in the case of a Windows internal database (WID) farm, one of the new
Windows Server 2016 federation servers must have been promoted to the role of the primary node.
As a result, you can configure and use any new AD FS Windows Server 2016 features.

• With the mixed farm feature, organizations that have deployed AD FS in Windows Server 2012 R2,
and planning to upgrade to Windows Server 2016 will not have to deploy an entirely new farm, and
then export and import the configuration data. Instead, they can add Windows Server 2016 nodes to
an existing farm while it is online, and experience a relatively brief downtime involved during the farm
behavior level raise.

Be aware that while in the mixed farm mode, you cannot configure or use any new features or
functionality that is introduced in AD FS in Windows Server 2016. This means that organizations that want
to test new features cannot do so until the farm behavior level (FBL) is raised. If your organization wants
to test the new features before raising the FBL, you will need to deploy a separate farm to do this.
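One way to carry out the upgrade described above, as an added example (not from the handbook): a WID farm whose Windows Server 2016 node ADFS2016-01.contoso.com (an assumed name) was joined with Add-AdfsFarmNode, after the last Windows Server 2012 R2 node has been removed. The cmdlets are the AD FS 2016 farm cmdlets; the node name and which node each step runs on are assumptions.

```powershell
# Added example, not from the handbook. Assumed: WID farm, 2016 node
# ADFS2016-01.contoso.com already joined, all 2012 R2 nodes removed, run
# elevated by a domain admin who can update the configuration database.
$NewPrimary = 'ADFS2016-01.contoso.com'

# 1. On the Windows Server 2016 node that will own the WID configuration
#    database: promote it to primary (required before the raise in a WID farm).
Set-AdfsSyncProperties -Role PrimaryComputer

# 2. On every other 2016 node: re-point configuration sync at the new primary.
Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $NewPrimary

# 3. From the primary: list the farm nodes and the current level. Any node
#    still at the 2012 R2 level blocks the raise and must be removed first.
$Farm = Get-AdfsFarmInformation
$Farm.FarmNodes | Format-Table FQDN, NodeType, BehaviorLevel -AutoSize
"Current farm behavior level: $($Farm.CurrentFarmBehavior)"   # 1 = 2012 R2, 3 = 2016

# 4. Dry run first, then the raise itself. The raise briefly restarts the
#    service across the farm, so run it in a maintenance window.
Test-AdfsFarmBehaviorLevelRaise
Invoke-AdfsFarmBehaviorLevelRaise

# 5. Confirm the new level and that a 2016-only feature is now available.
(Get-AdfsFarmInformation).CurrentFarmBehavior
(Get-AdfsAccessControlPolicy | Measure-Object).Count
```

Keep a backup of the configuration database (or a snapshot of the primary) before step 4; the raise rewrites the schema, and the only way back to the 2012 R2 level is a restore.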

What is new in Web Application Proxy?

Web Application Proxy provides a reverse proxy functionality for web applications within your corporate
network to allow users on any device to access these web applications from outside the corporate
network. Web Application Proxy preauthenticates the access to web applications by using AD FS, and it
also functions as an AD FS proxy.
The new features and changes listed here are the ones most likely to have the greatest impact as you
work with the Windows Server Technical Preview.

• Preauthentication for HTTP Basic application publishing. HTTP Basic is the authentication scheme
used by many services and apps, such as Exchange ActiveSync, to connect rich clients, such as smartphones,
to a Microsoft Exchange mailbox. Web Application Proxy traditionally interacts with AD FS by using
redirections, which ActiveSync clients do not support. The new version of Web Application Proxy lets you
publish an HTTP Basic app by creating a non-claims-aware relying party trust for the application in the
Federation Service; the proxy validates the client's Basic credentials with AD FS before forwarding the
request. Because the proxy handles the user's password directly in this mode, publish such apps only over
HTTPS.

Additional Reading: For more information, refer to Publishing Applications using AD FS
Preauthentication: http://aka.ms/technetlib765483

• Wildcard domain publishing of applications. To support scenarios such as publishing Microsoft
SharePoint 2013 apps, the external URL for an app can now include a wildcard. This enables you to
publish multiple apps from within a specific domain, for example, https://*.sp-apps.contoso.com, which
simplifies publishing of SharePoint apps. The external certificate must cover the wildcard name.

• HTTP to HTTPS redirection. Web Application Proxy now supports redirecting HTTP requests to HTTPS, so
that users can reach your app even if they neglect to include HTTPS in the URL. The redirect covers only
the initial request; the application itself remains published over HTTPS.

• HTTP publishing. You can now publish HTTP applications by using pass-through preauthentication.

• Publishing of Remote Desktop Gateway apps.

Additional Reading: For more information on RDG in Web Application Proxy, refer to
Publishing Applications with SharePoint, Exchange and RDG: http://aka.ms/technetlib765486

• Improved logging. Web Application Proxy now provides a new debug log for better troubleshooting, and
an improved service log for a complete audit trail and improved error handling.

Additional Reading: For more information on troubleshooting, refer to Troubleshooting
Web Application Proxy: http://aka.ms/technetlib765477

• Administrator console UI improvements.

• Propagation of client IP address to back-end applications.

Note: This content is relevant to the on-premises version of Web Application Proxy.
Additional Reading: To enable secure access to on-premises applications from the
Internet, refer to How to provide secure remote access to on-premises applications:
http://aka.ms/AzureDocADAPGS
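As an added example (not from the handbook), the following Windows PowerShell publishes the two kinds of application described above: an Exchange ActiveSync endpoint with HTTP Basic preauthentication, and a wildcard SharePoint apps domain with HTTP to HTTPS redirection. Host names, relying party names and the certificate thumbprint placeholder are assumptions; the cmdlets are the AD FS and Web Application Proxy cmdlets.

```powershell
# Added example, not from the handbook. Assumed: host names, relying party
# names and the external certificate. Step 1 runs on an AD FS node, steps 2
# and 3 on the Web Application Proxy server.
$ExtCert = '<thumbprint of the external certificate>'   # placeholder, must cover both names

# 1. AD FS: a non-claims-aware relying party trust for the ActiveSync
#    endpoint, permitting every authenticated user.
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name 'Exchange ActiveSync' `
    -Identifier 'https://mail.contoso.com/Microsoft-Server-ActiveSync/' `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# 2a. Proxy: HTTP Basic preauthentication. The proxy takes the Basic
#     credentials from the device, authenticates them with AD FS against the
#     trust above, and only then forwards the request to Exchange.
Add-WebApplicationProxyApplication -Name 'Exchange ActiveSync' `
    -ExternalPreauthentication ADFSforRichClients `
    -ADFSRelyingPartyName 'Exchange ActiveSync' `
    -ExternalUrl 'https://mail.contoso.com/Microsoft-Server-ActiveSync/' `
    -BackendServerUrl 'https://mail.contoso.com/Microsoft-Server-ActiveSync/' `
    -ExternalCertificateThumbprint $ExtCert

# 2b. Proxy: wildcard domain for SharePoint apps, pass-through, with HTTP
#     requests redirected to HTTPS. Pass-through means no AD FS check at the
#     edge, so the SharePoint farm itself must authenticate every request.
Add-WebApplicationProxyApplication -Name 'SharePoint apps' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl 'https://*.sp-apps.contoso.com/' `
    -BackendServerUrl 'https://*.sp-apps.contoso.com/' `
    -ExternalCertificateThumbprint $ExtCert `
    -EnableHTTPRedirect:$true

# 3. Review what is exposed and under which preauthentication mode.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalPreauthentication, ExternalUrl, EnableHTTPRedirect -AutoSize
```

Step 3 is the periodic check a reviewer wants: every entry whose ExternalPreauthentication is PassThrough is reachable from the Internet without AD FS in front of it and should be justified.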

Module Review

Review Question(s)
Question: How would you upgrade an existing Windows Server 2012 R2 AD FS deployment
to Windows Server 2016?

Module 3
What is new in file and storage services?
Contents:
Module Overview 3-2
Lesson 1: Storage Spaces Direct 3-3

Lesson 2: Storage Replica 3-10

Lesson 3: Storage QoS 3-16


Module Review 3-21

Module Overview

Windows Server 2016 Technical Preview brings several new storage capabilities for IT professionals to
design, deploy, and maintain Windows Server storage. This module provides an overview of some of the
new features and improvements in storage.

After completing this module, you will be able to:

• Describe Storage Spaces Direct.


• Describe Storage Replica.

• Describe Storage Quality of Service (Storage QoS).



Lesson 1
Storage Spaces Direct

Windows Server 2016 Technical Preview introduces Storage Spaces Direct. This feature enables building
highly available storage systems with local storage. This lesson provides an overview of Storage Spaces
Direct.
After completing this lesson, you will be able to:

• Describe the new Storage Spaces Direct feature.

• Describe the Storage Spaces Direct deployment scenarios.


• Describe the hardware requirements for Storage Spaces Direct.

Overview of Storage Spaces Direct

Windows Server 2016 Technical Preview introduces Storage Spaces Direct, which enables building highly
available (HA) storage systems with local storage. This is a significant step forward in Windows Server
software-defined storage (SDS) because it simplifies the deployment and management of SDS systems
and also allows the use of new classes of disk devices, such as Serial ATA and NVMe disks that were
previously not possible with clustered Storage Spaces with shared disks.
Storage Spaces Direct integrates with the existing features that constitute the Windows Server
software-defined storage stack, including Scale-Out File Server, Cluster Shared Volume File System (CSVFS),
Storage Spaces, and failover clustering.
The Storage Spaces Direct stack includes the following components:

• Networking hardware. Storage Spaces Direct relies on a network to communicate between hosts. For
production deployments, it is required to have a Remote Direct Memory Access (RDMA)-capable NIC
port (or a pair of NIC ports).

• Storage hardware. The storage system consisting of a minimum of four storage nodes with local
storage. Each storage node can have internal disks, or disks in an external Serial Attached SCSI (SAS)
connected JBOD enclosure. The disk devices can be SATA disks, NVMe disks, or SAS disks.

• Software Storage Bus. Software Storage Bus is the Storage Spaces Direct-specific software component
that spans all the storage nodes and brings together the local storage in each node. This makes all
disks visible to the Storage Spaces layer.

Additional Reading: For more information about Software Storage Bus, refer to Storage
Spaces Direct – Under the hood with the Software Storage Bus: http://aka.ms/N2k6g4

• The storage pool. The storage pool spans the local storage across all the nodes.

• Storage Spaces. Storage Spaces (or virtual disks) provide resiliency to disk or node failures because
data copies are stored on different storage nodes.

• Resilient File System (ReFS). ReFS provides the file system in which the Microsoft Hyper-V virtual
machine files are stored. ReFS is a premier file system for virtualized deployments and includes
optimizations for Storage Spaces such as error detection and automatic correction. In addition, ReFS
provides accelerations for VHD(X) operations such as fixed VHD(X) creation, dynamic VHD(X) growth,
and VHD(X) merge.

• Cluster Shared Volumes. The CSV File System (CSVFS) layer above ReFS brings all the mounted
volumes into a single namespace that is accessible through any node.

• Scale-Out File Server. This is the top layer of the storage stack that provides remote access to the
storage system by using the SMB 3.0 access protocol. The Scale-Out File Server layer is only needed in
disaggregated configurations (where the Storage Spaces Direct system is dedicated to providing
storage services), and is not implemented in hyper-converged configurations (where the virtual
machines are hosted on the same cluster as the Storage Spaces Direct system).

Note: Use Windows PowerShell to deploy and manage Storage Spaces Direct. Do not use
Server Manager or Failover Cluster Manager to manage Storage Spaces Direct.

Examples of cmdlets that you can use to configure Storage Spaces Direct include:
• Test-Cluster. This cmdlet tests the suitability of a hardware configuration before you create a cluster.

• Enable-ClusterStorageSpacesDirect. This cmdlet configures a cluster for the Storage Spaces Direct
feature. It claims the eligible local disks on every node into a single pool and, when the nodes carry
more than one media type, uses the fastest devices (for example NVMe in front of SATA SSDs or HDDs) as
the cache tier.

• Enable-ClusterS2D. This is the short alias for Enable-ClusterStorageSpacesDirect; the two names run
the same cmdlet.

• Optimize-StoragePool. This cmdlet rebalances data across the pool after a disk or storage node is
added or removed.

• Debug-StorageSubsystem. This cmdlet displays any faults that are affecting the Storage Spaces
Direct feature.
To evaluate Storage Spaces Direct in Windows Server 2016 Technical Preview, the simplest deployment is
to use at least four generation 2 Hyper-V virtual machines with at least four data disks per virtual
machine.

Additional Reading: For information on setting up Storage Spaces Direct refer to Storage
Spaces Direct in Windows Server 2016 Technical Preview: http://aka.ms/D5i9go
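As an added example (not from the handbook), the following Windows PowerShell takes four nodes from validation through a first ReFS volume using the cmdlets listed above. Node names, the cluster name and address, the pool name and the volume size are assumptions; the cmdlets are the Failover Clustering and Storage cmdlets.

```powershell
# Added example, not from the handbook. Assumed: four domain-joined nodes,
# the cluster name/address, pool name and volume size below; run from a
# management host that has the Failover Clustering tools installed.
$Nodes   = 'S2D-01', 'S2D-02', 'S2D-03', 'S2D-04'
$Cluster = 'S2D-CL01'

# 1. Validate. The 'Storage Spaces Direct' category checks that the local
#    disks are eligible (supported bus type, no partitions, not already
#    pooled). Read the HTML report before going on; a disk flagged here
#    usually needs Clear-Disk on its node first.
Test-Cluster -Node $Nodes -Include 'Storage Spaces Direct', 'Inventory', 'Network', 'System Configuration'

# 2. Create the cluster with no shared storage; S2D will claim the local disks.
New-Cluster -Name $Cluster -Node $Nodes -NoStorage -StaticAddress '10.0.0.50'

# 3. Enable Storage Spaces Direct (Enable-ClusterS2D is the short alias).
#    Every eligible local disk on every node joins one pool; with several
#    media types present, the fastest (e.g. NVMe) becomes the cache. In a
#    Hyper-V lab the virtual disks report no media type, so a lab typically
#    needs -CacheState Disabled and -SkipEligibilityChecks as well.
Enable-ClusterStorageSpacesDirect -CimSession $Cluster -PoolFriendlyName 'S2D Pool'

# 4. Confirm how the disks were claimed (cache devices show Usage 'Journal').
Get-StoragePool -CimSession $Cluster -FriendlyName 'S2D Pool' | Get-PhysicalDisk |
    Group-Object MediaType, Usage | Format-Table Count, Name -AutoSize

# 5. A mirrored ReFS volume, exposed as a CSV on every node.
New-Volume -CimSession $Cluster -StoragePoolFriendlyName 'S2D Pool' -FriendlyName 'Volume01' `
    -FileSystem CSVFS_ReFS -Size 1TB

# 6. Health: current faults, and a rebalance after any disk or node change.
Get-StorageSubSystem -CimSession $Cluster -FriendlyName '*Cluster*' | Debug-StorageSubSystem
Get-StoragePool -CimSession $Cluster -FriendlyName 'S2D Pool' | Optimize-StoragePool
```

Step 6 is the routine check: Debug-StorageSubSystem returns an empty result on a healthy cluster, and anything it does return (a lost disk, a node out of quorum, a repair in progress) should be resolved before another node or disk is removed.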

Storage Spaces Direct deployment scenarios

There are two targeted deployment scenarios for Windows Server 2016 Technical Preview Storage Spaces
Direct. Both the scenarios provide storage for Hyper-V, specifically focusing on Hyper-V Infrastructure as a
Service (IaaS) for service providers and enterprises.

• Disaggregated. The disaggregated deployment scenario has the Hyper-V servers (compute
component) in a separate cluster from the Storage Spaces Direct servers (storage component). In this
scenario, you configure virtual machines to store their files on the Scale-Out File Server, which is
accessed through the network by using the SMB 3.0 protocol. This allows for scaling Hyper-V clusters
(compute) and Scale Out File Server cluster (storage) independently. For example, if the compute
nodes are nearing capacity for the number of virtual machines that they can host but the storage has
excess capacity (both disk and IOPS), you can add more compute nodes without adding additional
storage nodes.
• Hyper-converged. The hyper-converged deployment scenario has the Hyper-V (compute) and
Storage Spaces Direct (storage) components on the same cluster. Virtual machine files are stored on
the local CSVs, and no Scale-Out File Server is implemented. This allows for scaling Hyper-V
compute clusters and storage together, and removes the requirement of configuring file server access
and permissions. After you configure Storage Spaces Direct and the CSV volumes are available, you
can configure and provision Hyper-V by using the same process and the same tools that you would
use with any other Hyper-V deployment on a failover cluster.

Hardware and configuration

You have three options for evaluating Storage Spaces Direct in Windows Server 2016 Technical Preview 4:

• Hyper-V virtual machines

• Validated server configurations from Microsoft partners

• Existing hardware that meets required hardware and configuration requirements

Note: Microsoft is working closely with its hardware partners to define and validate server
configurations for Storage Spaces Direct. Using these hardware configurations is the best option
for evaluating Storage Spaces Direct because these configurations should work well with Storage
Space Direct and help you experience the full feature set as well as the performance potential.

Hyper-V virtual machines


Using Hyper-V virtual machines is a quick and simple way to get started with Storage Spaces Direct. You
can use it to get a basic understanding of how to set up and manage Storage Spaces Direct. However, you
will not be able to experience all the features or the full performance of Storage Spaces Direct. To
evaluate Storage Spaces Direct, you will need at least four virtual machines, each with at least two data
disks.

Additional Reading: For more information, refer to Clustering and High-Availability:
http://aka.ms/Anviiv

Note: Do not use the processor compatibility option on Hyper-V virtual machines that are used for
Storage Spaces Direct. Processor compatibility masks certain processor capabilities and will prevent
Storage Spaces Direct from being enabled, even if the physical processor supports the required
capabilities.

Validated server configurations from our partners


Microsoft is working closely with our hardware partners to define and validate server configurations for
Storage Spaces Direct. Using these hardware configurations is the best option for evaluating Storage
Spaces Direct because Microsoft is working closely with them to validate that these work well with Storage
Space Direct and you can experience the full feature set as well as the performance potential.

Existing Hardware
Microsoft highly recommends using server configurations from Microsoft partners that are in the process
of being validated, because Microsoft worked with them closely to ensure they function properly and
provide the best overall experience. If it is not possible to use one of these configurations, you can
evaluate Storage Spaces Direct in Windows Server 2016 Technical Preview 4 with your existing hardware if
it meets the required hardware and configuration requirements.

Storage Spaces Direct requires at least four servers that are expected to be of the same configuration,
which means identical CPU and memory configuration and identical network adapter, storage controllers,
and devices. The servers run the same software load and are configured as a Windows Server failover
cluster.
Using at least four servers (up to 16) provides the best storage resiliency and availability, and it satisfies
the requirements for both mirrored configurations with two and three copies of data and for dual parity
with erasure-coded data.

CPU
The servers in a Storage Spaces Direct configuration are generally expected to be a dual-socket CPU
configuration to provide for the best flexibility and equipped with modern CPUs (Intel Xeon Processor E5
v3 Family). The CPU requirements depend on the deployment mode.

In the disaggregated deployment mode (the Scale-Out File Server mode), the CPU is primarily consumed
by storage and network I/O, but is also used by advanced storage operations such as erasure coding, and
so on.

In the hyper-converged deployment mode (virtual machines hosted on the same cluster as Storage
Spaces Direct (S2D)), the CPU will support the virtual machine’s workload and the storage and networking
requirements. This mode will generally require more CPU power, so more cores and faster processors are
needed for more virtual machines to be hosted on the system.

Memory requirements
The recommended minimum memory requirement is 128 GB, which allows for the best memory
performance (balance with the number of memory channels) and provides the memory to be used by the
base operating system and the Software Storage Bus cache in Storage Spaces Direct.
The 128 GB memory supports the disaggregated deployment mode or a hyper-converged deployment
mode with a smaller number of virtual machines. Hyper-converged deployments with larger number of
virtual machines would require additional memory, depending on the number of virtual machines and
how much memory each virtual machines consumes.

Network interface cards


Storage Spaces Direct requires a minimum of one 10 Gigabit Ethernet (GbE) NIC per server.
Most configurations, such as a general purpose hyper-converged configuration, will perform efficiently
and reliably by using 10+ GbE NIC with the RDMA capability. RDMA should be either RDMA over
Converged Ethernet (RoCE) or Internet Wide Area RDMA (iWARP).

If the configuration is primarily for backup or archive type of workloads, (sequential large I/O) it can be a
10GbE NIC without the RDMA capability.

In both cases, a single, dual-ported NIC provides the best performance and resiliency to network
connectivity issues.

Storage Device Connectivity


Storage Spaces Direct supports three storage device attach types: NVMe, SATA, and SAS. NVMe devices
are connected via PCI Express (PCIe). For the SATA and SAS devices, these can be either SSDs or HDDs.

Note: These requirements are current as of Windows Server 2016 Technical Preview 4 and
might change. Always check the latest documentation to ensure that you have the most current
information.
Additional Reading: For more information, refer to Hardware options for evaluating
Storage Spaces Direct in Technical Preview 4: http://aka.ms/Dsxu2c
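The requirements in this topic can be checked before you build a cluster rather than discovered when Enable-ClusterStorageSpacesDirect fails. The following added example (not from the handbook) collects the relevant facts from each candidate node over WinRM and reports deviations from the stated minimums and from each other. Node names are assumptions; the final step applies only when the nodes are Hyper-V virtual machines and is meant to run on the host.

```powershell
# Added example, not from the handbook. Assumed: WinRM reachable on the
# nodes named below; the last step runs on the Hyper-V host when the nodes
# are virtual machines.
$Nodes = 'S2D-01', 'S2D-02', 'S2D-03', 'S2D-04'

$Report = Invoke-Command -ComputerName $Nodes -ScriptBlock {
    $cs   = Get-CimInstance Win32_ComputerSystem
    $cpu  = @(Get-CimInstance Win32_Processor)
    $nics = Get-NetAdapter -Physical | Where-Object Status -eq 'Up'
    [pscustomobject]@{
        Node     = $env:COMPUTERNAME
        Sockets  = $cs.NumberOfProcessors
        Cores    = ($cpu | Measure-Object NumberOfCores -Sum).Sum
        CpuModel = $cpu[0].Name.Trim()
        MemoryGB = [math]::Round($cs.TotalPhysicalMemory / 1GB)
        Nic10GbE = @($nics | Where-Object { $_.Speed -ge 10e9 }).Count
        RdmaNics = @(Get-NetAdapterRdma | Where-Object Enabled).Count
        BusTypes = (@(Get-PhysicalDisk | Where-Object CanPool).BusType | Sort-Object -Unique) -join ','
    }
}
$Report | Format-Table -AutoSize

$Problems = @()
if (@($Report).Count -lt 4) { $Problems += "Only $(@($Report).Count) nodes answered; four are required." }

# Nodes are expected to be identical in CPU, memory, network and storage.
foreach ($p in 'Sockets', 'Cores', 'CpuModel', 'MemoryGB', 'Nic10GbE', 'RdmaNics', 'BusTypes') {
    if (@($Report.$p | Sort-Object -Unique).Count -gt 1) { $Problems += "Nodes differ in $p." }
}

# Per-node minimums from this topic.
foreach ($n in $Report) {
    if ($n.MemoryGB -lt 128) { $Problems += "$($n.Node): $($n.MemoryGB) GB RAM; 128 GB is the recommended minimum." }
    if ($n.Nic10GbE -lt 1)   { $Problems += "$($n.Node): no 10 GbE adapter is up." }
    if ($n.RdmaNics -lt 1)   { $Problems += "$($n.Node): no RDMA adapter; acceptable only for backup/archive workloads." }
    $Bad = $n.BusTypes -split ',' | Where-Object { $_ -and $_ -notin 'NVMe', 'SATA', 'SAS' }
    if ($Bad) { $Problems += "$($n.Node): poolable disks on unsupported bus type(s): $($Bad -join ', ')." }
}

# Hyper-V host only: processor compatibility must be off on S2D guest VMs.
if (Get-Command Get-VMProcessor -ErrorAction SilentlyContinue) {
    Get-VMProcessor -VMName $Nodes -ErrorAction SilentlyContinue |
        Where-Object CompatibilityForMigrationEnabled |
        ForEach-Object { $Problems += "$($_.VMName): processor compatibility is enabled; turn it off with Set-VMProcessor while the VM is off." }
}

if ($Problems) { $Problems | ForEach-Object { Write-Warning $_ } } else { 'All nodes meet the published requirements.' }
```

The "nodes differ" checks matter as much as the minimums: a single node with a different NIC model or a RAID-attached disk is what Test-Cluster and the eligibility checks most often reject later.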

Lesson 2
Storage Replica

Storage Replica is a new feature in Windows Server 2016 Technical Preview that helps you set up storage-
agnostic, block-level, and synchronous replication between clusters or servers for disaster recovery. This
lesson introduces you to Storage Replica and the implementation scenarios.
After completing this lesson, you will be able to:

• Describe Storage Replica.

• Describe the various Storage Replica scenarios.



Overview of Storage Replica

Storage Replica is a new feature in Windows Server 2016 Technical Preview that helps you implement
storage-agnostic, block-level, and synchronous replication between servers or clusters for disaster
recovery. It also helps you to stretch a failover cluster between sites. Synchronous replication enables
mirroring of data in physical sites with crash-consistent volumes to help to achieve zero data loss at the
file-system level. Asynchronous replication allows site extension beyond metropolitan ranges with the
possibility of data loss.

By using Storage Replica, you can do the following:

• Provide a single vendor disaster recovery solution for planned and unplanned outages of mission
critical workloads.

• Use SMB 3.0 transport with proven reliability, scalability, and performance.
• Stretch Windows failover clusters to metropolitan distances.

• Use Microsoft software, such as Hyper-V, Storage Replica, Storage Spaces, Cluster, Scale-Out File
Server, SMB 3.0, Deduplication, and ReFS/NTFS for end-to-end storage and clustering
implementations.
• Help reduce cost and complexity because Storage Replica:

o Is hardware agnostic, with no requirement for a specific storage configuration such as direct-
attached storage (DAS) or storage area network (SAN).

o Allows commodity storage and networking technologies.

o Features ease of management for individual nodes and clusters through the Failover Cluster
Manager graphical user interface (GUI).
o Includes comprehensive, large-scale scripting options through Windows PowerShell.

• Help reduce downtime, and increase reliability and productivity.
• Provide supportability, performance metrics, and diagnostic capabilities.

Note: Storage Replica is not fully implemented in the pre-release version of Windows
Server 2016 and cannot be deployed in a production environment. It is for evaluation purposes
only.

Before implementing Storage Replica, you must consider the following:



• Performance. The Windows Server 2016 Technical Preview version of Storage Replica has not been
fully optimized for performance.

• Network bandwidth and latency with fastest storage. There are physical limitations around
synchronous replication. Because Storage Replica implements an I/O filtering mechanism that uses
logs and requires network round trips, synchronous replication is likely to make application writes
slower. By using low latency, high-bandwidth networks and high-throughput disk subsystems for the
logs, you can minimize performance overhead.
• The destination volume is not accessible while replicating. When you configure replication, the
destination volume dismounts, making it inaccessible to any writes by users. Also you can no longer
see it in File Explorer. Block-level replication technologies do not allow access to the destination
target’s mounted file system in a volume; NTFS and ReFS do not support users writing data to the
volume while blocks change underneath them.

• The Microsoft implementation of asynchronous replication is different than most implementations.


Most industry implementations of asynchronous replication rely on snapshot-based replication, where
periodic differential transfers move to the other node and merge. Storage Replica asynchronous
replication operates just like synchronous replication, except that it removes the requirement for a
serialized synchronous acknowledgment from the destination. This means that Storage Replica
theoretically has a lower recovery point objective (RPO) because it continuously replicates. However,
this also means it relies on internal application consistency guarantees rather than using snapshots to
force consistency in application files. Storage Replica guarantees crash consistency in all replication
modes.

• Storage Replica is not Distributed File System Replication (DFSR). Volume-level block storage
replication is not a good candidate for branch office scenarios. Branch office networks tend to be
highly latent, highly utilized, and use lower bandwidth, which makes synchronous replication
impractical. Branch office often replicates data in a “one-to-many” configuration with read-only
targets, such as for software distribution, and Storage Replica is not capable of this in the first release.
When replicating data from a branch office back to a main office, Storage Replica dismounts the
destination volume to prevent direct access. It is important to note, nevertheless, that many
customers use DFSR as a disaster recovery solution even though it is often impractical for that
scenario—DFSR cannot replicate open files and is designed to minimize bandwidth usage at the
expense of performance, leading to large recovery point deltas. Storage Replica might allow you to
retire DFSR from some of these types of disaster recovery duties.

• Storage Replica is not a backup solution. Some IT environments deploy replication systems as backup
solutions, because of their zero data-loss options when compared to daily backups. Storage Replica
replicates all changes to all blocks of data on the volume, regardless of the change type. If a user
deletes all data from a volume, Storage Replica will replicate the deletion instantly to the other
volume, irrevocably removing the data from both servers. Do not use Storage Replica as a
replacement for a point-in-time backup solution.

• Storage Replica is not Hyper-V Replica or Microsoft SQL Server AlwaysOn Availability Groups. Storage
Replica is a general purpose, storage-agnostic engine. By definition, it cannot tailor its behavior as
ideally as application-level replication. This might lead to specific feature gaps that encourage you to
deploy or remain on specific application replication technologies.

With Windows Server 2016 Technical Preview, you can deploy Storage Replica in the following
configurations:

• Hyper-V stretch cluster

• Cluster-to-cluster
• Server-to-server

• Server-to-self

Additional Reading: For more information, refer to Storage Replica Overview:
http://aka.ms/F5wbcm

Storage Replica scenarios

You can configure Storage Replica to replicate storage among servers and clusters, and clusters in
different datacenters. Storage Replica supports the following three scenarios:

• Stretch cluster. A stretch cluster is a configuration with one Hyper-V cluster that has nodes in two
locations and storage in both the locations. Storage Replica synchronously replicates to keep both
sets of storage mirrored. This allows the cluster to fail over virtual machines immediately from one
location to another.

• Server-to-server. In a server-to-server replication scenario, storage from one server is replicated to
storage on another server. These servers can be in the same datacenter or in different locations. There
are no tools with GUIs to configure server-to-server replication. You must use Windows PowerShell to
configure this.

• Cluster-to-cluster. In a cluster-to-cluster replication scenario, one cluster replicates its storage with
another cluster and its storage. These clusters can be located next to each other or far apart. You
configure and manage cluster-to-cluster replication similar to how you configure and manage
server-to-server replication.

You can also configure server-to-self replication by using four separate volumes on one computer.

Hyper-V stretch cluster requirements:


• Domain-joined servers.
• Physical servers for the stretch cluster Hyper-V scenario. You can use virtual machines for server-to-
server replication and cluster-to-cluster replication.

• Two sets of shared storage that use serial attached SCSI JBODs, Fibre Channel SAN, or iSCSI Target.
• Each storage set must be able to create at least two virtual disks, one for replicated data and one for
logs. The sector size must be the same on all data disks on the physical storage. All the log disks also
need to be of the same sector size, but not necessarily the same size as the data disks.
• At least 1 GbE connection on each file server, preferably 10 GbE, iWARP, or InfiniBand.

• A minimum of 4 GB of RAM on each server with at least two cores.

• Firewall configured to allow Internet Control Message Protocol (ICMP), SMB (port 445, plus 5445 for
SMB Direct), and WS-MAN (port 5985) bidirectional traffic between all nodes.

• The network between the two sets of servers should have at least 1 Gbps throughput (preferably 8
Gbps or higher) and an average of less than or equal to 5 milliseconds (ms) round-trip latency.

• Local administrator permissions on all server nodes.

Server-to-server replica prerequisites:


• Domain-joined servers.

• Two sets of storage that use DAS, serial-attached SCSI JBODs, Fibre Channel SAN, or iSCSI Target.
• Each storage set must have at least two volumes, one for replicated data and one for logs. The sector
size must be the same on all data disks on the physical storage. All the log disks also need to be the
same sector size, but not necessarily the same size as the data disks. The size of the two data volumes
must be the same.

• At least 1 GbE connection on each file server, preferably 10 GbE, iWARP, or InfiniBand.

• A minimum of 4 GB of RAM on each server with at least two cores.

• Firewall configured to allow ICMP, SMB (port 445, plus 5445 for SMB Direct), and WS-MAN (port
5985) bi-directional traffic between all nodes.
• The network between the servers should have at least 1 Gbps throughput (preferably 8 Gbps or
higher) and an average of less than or equal to 5 ms round-trip latency.

• Local administrator permissions on all server nodes.

Cluster-to-cluster prerequisites:
• Domain-joined servers.

• Two sets of shared storage that use Storage Spaces Direct, serial attached SCSI JBODs, Fibre Channel
SAN, or iSCSI Target.

• Each storage set must have at least two volumes, one for replicated data and one for logs. The sector
size must be the same on all data disks on the physical storage. All the log disks also need to be of
the same sector size, but not necessarily the same size as the data disks. The size of the two data
volumes must be the same.

• At least 1 GbE connection on each file server, preferably 10 GbE, iWARP, or InfiniBand.
• A minimum of 4 GB of RAM on each server with at least two cores.
• Firewall configured to allow ICMP, SMB (port 445, plus 5445 for SMB Direct), and WS-MAN (port
5985) bi-directional traffic between all nodes.

• The network between the two sets of servers should have at least 1 Gbps throughput (preferably 8
Gbps or higher) and an average of less than or equal to 5 ms round-trip latency.

• Local administrator permissions on all server nodes.
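The prerequisites above and the server-to-server scenario, which has no GUI, come together in the following Windows PowerShell sequence. This is an added example and not part of the course text or of Microsoft's documentation; the server names SR-SRV01 and SR-SRV02, the drive letters D: (data) and E: (log), the replication group names rg01/rg02 and the report path C:\SRTest are assumptions you would replace. It checks the firewall and latency requirements from both sides, runs the topology validator, creates the partnership, and then confirms replication is running.

```powershell
# Added example, not part of the course text. Assumed names: SR-SRV01 (source), SR-SRV02
# (destination), data volume D: and log volume E: on both servers. Run as a local administrator
# of both nodes from a domain-joined management host with the Storage Replica RSAT tools.
$Source      = 'SR-SRV01'
$Destination = 'SR-SRV02'

# 1. Install the Storage Replica feature and its management tools on both nodes (restart afterwards).
Invoke-Command -ComputerName $Source, $Destination -ScriptBlock {
    Install-WindowsFeature -Name Storage-Replica -IncludeManagementTools
}

# 2. Check the firewall and latency prerequisites from each side. Port 5445 only answers when
#    SMB Direct (RDMA) is in use; a closed 5445 on a plain Ethernet pair is expected, not a failure.
function Test-SRPeer {
    param([string]$From, [string]$To)
    Invoke-Command -ComputerName $From -ScriptBlock {
        param($Peer)
        foreach ($Port in 445, 5445, 5985) {
            $Open = (Test-NetConnection -ComputerName $Peer -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
            '{0} -> {1}:{2} {3}' -f $env:COMPUTERNAME, $Peer, $Port, $(if ($Open) { 'open' } else { 'BLOCKED' })
        }
        # ICMP must be allowed; the requirement is an average round trip of 5 ms or less.
        $Rtt = (Test-Connection -ComputerName $Peer -Count 20 | Measure-Object ResponseTime -Average).Average
        '{0} -> {1} average RTT {2:N1} ms' -f $env:COMPUTERNAME, $Peer, $Rtt
    } -ArgumentList $To
}
Test-SRPeer -From $Source -To $Destination
Test-SRPeer -From $Destination -To $Source

# 3. Let Storage Replica validate the topology itself (matching sector sizes, equal data volume
#    sizes, log throughput) under a representative I/O load. It writes an HTML report to -ResultPath.
Test-SRTopology -SourceComputerName $Source -SourceVolumeName 'D:' -SourceLogVolumeName 'E:' `
    -DestinationComputerName $Destination -DestinationVolumeName 'D:' -DestinationLogVolumeName 'E:' `
    -DurationInMinutes 30 -ResultPath 'C:\SRTest'

# 4. Create the server-to-server partnership. Synchronous mode gives zero data loss within the
#    latency budget above. The destination data volume is dismounted for users while it is a target.
New-SRPartnership -SourceComputerName $Source -SourceRGName 'rg01' -SourceVolumeName 'D:' -SourceLogVolumeName 'E:' `
    -DestinationComputerName $Destination -DestinationRGName 'rg02' -DestinationVolumeName 'D:' -DestinationLogVolumeName 'E:' `
    -ReplicationMode Synchronous -LogSizeInBytes 8GB

# 5. Watch the initial block copy drain and confirm the replica reaches ContinuouslyReplicating.
(Get-SRGroup -ComputerName $Destination).Replicas |
    Select-Object DataVolume, ReplicationStatus, NumOfBytesRemaining
Get-WinEvent -ComputerName $Destination -LogName 'Microsoft-Windows-StorageReplica/Admin' -MaxEvents 10 |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
```

Run the Test-SRTopology step for long enough to capture a real workload; the report tells you whether the log volume can absorb the write rate before you commit to synchronous replication. Because the destination volume is unreadable while it is a replication target, pair this with a point-in-time backup as the previous topic warns.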



Lesson 3
Storage QoS

Storage QoS in Windows Server 2016 Technical Preview provides a way to centrally monitor and manage
storage performance for virtual machines by using the Hyper-V and the Scale-Out File Server roles. This
feature automatically improves storage resource fairness between multiple virtual machines that use
the same file server cluster, and allows specific minimum and maximum performance goals to be
configured in units of normalized IOPS. This lesson introduces you to the new features of Storage QoS.

After completing this lesson, you will be able to:

• Describe the benefits of Storage QoS.


• Describe Storage QoS policies.

Overview of Storage QoS

Storage Quality of Service (Storage QoS) in Windows Server 2016 Technical Preview provides a way to
centrally monitor and manage storage performance for virtual machines by using the Hyper-V and
Scale-Out File Server roles. This feature automatically improves storage resource fairness between
multiple virtual machines that use the same file server cluster, and allows specific minimum and
maximum performance goals to be configured in units of normalized IOPS.
Storage QoS supports two deployment scenarios:

• Hyper-V using a Scale-Out File Server. This scenario requires:
o A storage cluster that is a Scale-Out File Server cluster.
o A compute cluster that has at least one server with the Hyper-V role enabled.

• Hyper-V using Cluster Shared Volumes (CSVs). This scenario requires:
o A compute cluster with the Hyper-V role enabled.
o Hyper-V configured using Cluster Shared Volumes for storage.

Additional Reading: For more information, refer to Expand Storage Quality of Service:
http://aka.ms/Rdnlab

You can now use Storage QoS to centrally monitor end-to-end storage performance and create policies
by using Hyper-V and Scale-Out File Server in Windows Server 2016 Technical Preview.

You can now create Storage QoS policies on a Scale-Out File Server and assign them to one or more
virtual disks on virtual machines running Hyper-V. Storage performance is automatically readjusted to
meet policies as the storage load fluctuates. In this situation:

• Each policy specifies a reserve (minimum) and a limit (maximum) to be applied to a collection of data
flows, such as a virtual hard disk, a single virtual machine, or a group of virtual machines, a service, or
a tenant.

• If multiple virtual hard disks share the same policy, performance is fairly distributed to meet the
demand within the policy minimum and maximum. Therefore, a policy can be used to represent a
virtual machine, multiple virtual machines comprising a service, or all virtual machines owned by a
tenant.

Note: Storage QoS in Windows Server 2016 Technical Preview is turned on by default. This
means that you do not need to install an additional role or feature to start using Storage QoS.

By using Windows PowerShell or Windows Management Instrumentation (WMI), you can perform the
following tasks:

• Create policies on a Scale-Out File Server.

• Enumerate policies available on a Scale-Out File Server.

• Assign a policy to a virtual hard disk on a server running Hyper-V.

• Monitor the performance of each flow and status within the policy.

Storage QoS policies

In Windows Server 2016 Technical Preview, you can now enforce resource fairness or prioritization
depending on the policies that you want to configure for your storage. The core usage of Storage QoS will
be focused around Hyper-V virtual machines deployed on either a Scale-Out File Server or Hyper-V
cluster with Cluster Shared Volumes. A new Policy Manager has been added to the File Server cluster,
which provides the central storage performance monitoring.
Storage QoS will only work effectively if you configure appropriate policies. You can use policies to
control the traffic flow as necessary based on your requirements. You can configure Storage QoS policies
on the Scale-Out File Server. You have a choice of two policy types:
• Single-instance. A single-instance policy applies its minimum and maximum IOPS once, to all the
flows that carry the policy combined. A virtual machine whose only virtual hard disk (VHD/VHDX) is
assigned the policy gets the full allocation. If three virtual hard disks on that virtual machine are
assigned the same single-instance policy, the three share one pool of IOPS, which degrades the
performance of each; the same is true of two virtual machines with a single VHD each that are assigned
the same single-instance policy. To give each drive its own allocation, create separate single-instance
policies and assign one per drive. This aggregation is what makes a single-instance policy the right
fit for capping a whole service or tenant.

• Multi-instance. A multi-instance policy applies its minimum and maximum to each flow individually.
Two virtual machines with a single virtual hard disk (VHD/VHDX) each, both assigned the same
multi-instance policy, each get the full minimum and maximum, and a virtual machine with three virtual
hard disks under that policy gets the allocation once per disk. Use it for a per-disk baseline that
must not be diluted as you add disks or virtual machines to the policy.

Note: In the released version of Windows Server 2016, the PolicyType values were renamed:
SingleInstance became Aggregated and MultiInstance became Dedicated. The behavior is the one
described above.

To create a policy, use the following Windows PowerShell cmdlet:

$GoldVmPolicy = New-StorageQosPolicy -Name Gold -PolicyType MultiInstance -MinimumIops 100 -MaximumIops 500

This stores the new policy object in the variable. Its PolicyId property, a GUID, is what you later use
to bind virtual hard disks to the policy. To display it, use the following syntax:

$GoldVmPolicy.PolicyId
Guid
----
Cd5f6b87-fa15-402b-3545-32c2f456f6e1

The Guid is required for applying this policy to a virtual hard disk. You can do this by using the following
Windows PowerShell cmdlet:

Get-VM -Name GoldSrv* | Get-VMHardDiskDrive | Set-VMHardDiskDrive -QoSPolicyID Cd5f6b87-fa15-402b-3545-32c2f456f6e1

After the policy is applied, you can verify if the policy is active and check if it has the appropriate effect.
You can do this by using the Get-StorageQoSFlow cmdlet.
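The following added example (not part of the course text) puts the policy-type discussion and the three cmdlets above into one runnable sequence. It assumes a Scale-Out File Server cluster node where the Policy Manager runs, a Hyper-V host named HV01, and virtual machines named GoldSrv* and SilverSrv* whose VHDX files live on the file server share; all of those names are assumptions. It creates one policy of each type, binds disks by passing the GUID from the policy object instead of retyping it, and then reads the flows back so the difference between shared and per-disk allocation is visible.

```powershell
# Added example, not part of the course text. Assumed names: a Scale-Out File Server cluster node
# (run the policy cmdlets there), Hyper-V host HV01, virtual machines GoldSrv01/02 and SilverSrv01/02
# whose VHDXs live on the SOFS share.

# 1. Create both policy types so the difference is visible in the flow output afterwards.
#    MultiInstance: every flow (virtual hard disk) carrying the policy gets its own 100..500 IOPS.
#    SingleInstance: all flows carrying the policy share one pool of 50..200 IOPS.
$Gold   = New-StorageQosPolicy -Name Gold   -PolicyType MultiInstance  -MinimumIops 100 -MaximumIops 500
$Silver = New-StorageQosPolicy -Name Silver -PolicyType SingleInstance -MinimumIops 50  -MaximumIops 200
Get-StorageQosPolicy | Format-Table Name, PolicyId, PolicyType, MinimumIops, MaximumIops -AutoSize

# 2. Bind virtual hard disks on the Hyper-V host, passing the GUID from the policy object rather
#    than retyping it. Set-VMHardDiskDrive accepts any GUID; one that matches no policy does not
#    fail here but shows up later as a flow with Status UnknownPolicyId.
Invoke-Command -ComputerName HV01 -ScriptBlock {
    param($GoldId, $SilverId)
    Get-VM -Name 'GoldSrv*'   | Get-VMHardDiskDrive | Set-VMHardDiskDrive -QoSPolicyID $GoldId
    Get-VM -Name 'SilverSrv*' | Get-VMHardDiskDrive | Set-VMHardDiskDrive -QoSPolicyID $SilverId
    # Read back what was applied to each drive.
    Get-VM -Name 'GoldSrv*', 'SilverSrv*' | Get-VMHardDiskDrive |
        Format-Table VMName, Path, QoSPolicyID -AutoSize
} -ArgumentList $Gold.PolicyId, $Silver.PolicyId

# 3. Verify on the file server cluster. Status should be Ok. InsufficientThroughput means the
#    storage cannot honour the minimum; UnknownPolicyId means a drive references a deleted or
#    mistyped policy. Gold flows each show their own limit, Silver flows divide theirs.
Get-StorageQosFlow |
    Where-Object { $_.PolicyId -in $Gold.PolicyId, $Silver.PolicyId } |
    Sort-Object InitiatorName |
    Format-Table InitiatorName, FilePath, PolicyId, Status, InitiatorIOPS, StorageNodeIOPS, StorageNodeLatency -AutoSize

# 4. Per-volume view: IOPS delivered and the sum of reservations the volume has to honour.
Get-StorageQosVolume | Format-Table Mountpoint, IOPS, Latency, Reservation, Limit, Status -AutoSize
```

Check the Status column after the VMs have been under load for a few minutes; the Policy Manager adjusts rate limits on a polling interval, so a fresh binding can report Ok before any enforcement has taken place. A flow stuck in InsufficientThroughput means the reservations on that volume add up to more than the storage can deliver, which is a capacity problem rather than a policy one.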

Additional Reading: For more information, refer to Storage Quality of Service: http://aka.ms/Otsvsa

Module Review

Review Question(s)
Question: You wish to evaluate Storage Spaces Direct in Windows Server 2016 Technical
Preview. What hardware options are available?
Question: What are the three scenarios supported by Storage Replica?

Module 4
What is new in networking?
Contents:
Module Overview 4-2
Lesson 1: Software-Defined Networking 4-3

Lesson 2: Windows Server networking technologies 4-16

Lesson 3: Networking services 4-29


Module Review 4-33

Module Overview

Networking is the foundation of a software-defined datacenter (SDDC) platform. Windows Server 2016
Technical Preview provides new and improved Software-Defined Networking technologies to help you
move to a fully realized SDDC solution for your organization.

When you manage a network as a software-defined resource, you can describe an application’s
infrastructure requirements one time, and then choose where the application runs, either in an on-
premises environment or in the cloud. This consistency means that your applications are now easier to
scale and you can seamlessly run them anywhere with equal confidence around security, performance,
quality of service, and availability.
Networking improvements in Windows Server 2016 Technical Preview include new features and
enhancements that make flexible workload placement and mobility possible. Organizations need
flexibility, reliability, high levels of performance, and need a focus on applications and workloads. To meet
these needs, Windows Server 2016 provides:

• Enhancements related to reliability, performance, and interoperability of virtual networking


• Improved support for centralized configuration and management across virtual and physical networks
• New virtualized network functions for transforming the network cloud

• Seamless datacenter extensions for flexible workload placement and mobility

Windows Server 2016 Technical Preview is an early release of Windows Server 2016, and some of the
features and scenarios in this release are still in development. Do not deploy Windows Server 2016
Technical Preview in a production environment or a lab environment. The features and functionality might
differ in the final product.

After completing this module, you will be able to:

• List and describe the Windows Server technologies for Software-Defined Networking.

• List and describe the cloud-scaling features in Windows Server 2016.

• List and describe the other new and improved networking services in Windows Server 2016.

Lesson 1
Software-Defined Networking

Software-Defined Networking provides a method to centrally configure and manage physical and virtual
network devices such as routers, switches, and gateways in your datacenter.

The term software-defined means that your IT infrastructure is decoupled from its underlying hardware so
that it can be managed and controlled by using a policy. This lesson provides an overview of the benefits
and the uses of Software-Defined Networking, and the Software-Defined Networking technologies
implemented in Windows Server 2016.

After completing this lesson, you will be able to:

• Describe the benefits of Software-Defined Networking.

• List and describe the Software-Defined Networking technologies in Windows Server 2016.

• List and describe the new features in Network Controller.

• List and describe the new features in the Microsoft Hyper-V Virtual Switch.

• List and describe the new features in Network Function Virtualization.


• Describe the software load-balancing features.

Overview of Software-Defined Networking

Software-Defined Networking provides a method to centrally configure and manage physical and virtual
network devices such as routers, switches, and gateways in your datacenter. Virtual network elements such
as the Hyper-V Virtual Switch, Hyper-V Network Virtualization, and Windows Server Gateway are designed
to be the integral elements of your Software-Defined Networking infrastructure. While you can still use
your existing physical switches, routers, and other hardware devices, you can achieve deeper integration
between the virtual network and the physical network if these devices are designed for compatibility with
software-defined networking.
Software-defined networking is possible because the network planes, which are the management, control,
and data planes, are no longer bound to the network devices themselves, but are abstracted for use by
other entities; for example, datacenter management software such as Microsoft System Center.

Software-defined networking allows you to dynamically manage your datacenter network to provide an
automated and centralized way to meet the requirements of your applications and workloads. Software-
defined networking provides the following capabilities:

• The ability to abstract your applications and workloads from the underlying physical network, which is
accomplished by virtualizing the network. Just as with server virtualization by using Hyper-V, the
abstractions are consistent and work with your applications and workloads in a non-disruptive
manner. For example, software-defined networking provides virtual abstractions for your physical
network elements, such as IP addresses, switches, and load balancers.

• The ability to centrally define and control policies that govern both physical and virtual networks,
including the traffic flow between them.

• The ability to implement network policies in a consistent manner at scale, even as you deploy new
workloads or move workloads across virtual or physical networks.

You can use the following to deploy software-defined networks with Windows Server 2016 Technical
Preview:

• Virtual Machine Manager


• Scripts

Additional Reading: For more information on how to deploy a software-defined network
infrastructure by using scripts, refer to http://aka.ms/Oej9ih

Additional Reading: For more information on deploying a Microsoft Software-Defined
Networking (SDN) infrastructure in Windows Server 2016 Technical Preview using System Center
Virtual Machine Manager 2016 Technology Preview 4 (VMM), see http://aka.ms/ymzd00

Software-Defined Networking technologies

There are many technologies that work together to create software-defined networking solutions for
Microsoft, including the following:

Network Controller
The Network Controller provides a centralized, programmable point of automation to manage, configure,
monitor, and troubleshoot virtual and physical network infrastructure in your datacenter.

Hyper-V Network Virtualization
Hyper-V Network Virtualization enables virtualization of customer networks on top of a shared physical
network infrastructure.

Network Function Virtualization
Network functions that are being performed by hardware appliances such as load balancers, firewalls,
routers, and switches are increasingly being virtualized as virtual appliances. Microsoft has virtualized
networks, switches, gateways, network address translations (NATs), load balancers, and firewalls.

Software Load Balancing for Software-Defined Networking
Cloud Service Providers and enterprises that are deploying Software-Defined Networking in Windows
Server 2016 Technical Preview can use software load balancing to evenly distribute tenant and tenant
customer network traffic among virtual network resources. The Windows Server software load balancer
enables multiple servers to host the same workload, providing high availability and scalability.

Datacenter Firewall
Datacenter Firewall is a new service included with Windows Server 2016 Technical Preview. It is a network
layer, 5-tuple (protocol, source and destination port numbers, source and destination IP addresses),
stateful, multitenant firewall. When deployed and offered as a service by the service provider, tenant
administrators can install and configure firewall policies to help protect their virtual networks from
unwanted traffic originating from Internet and intranet networks.

Remote Direct Memory Access (RDMA) and Switch Embedded Teaming (SET)
You can use a converged NIC to combine both RDMA and Ethernet traffic by using a single network
adapter. The converged NIC allows you to use a single network adapter for management, RDMA-enabled
storage, and tenant traffic. This reduces the capital expenditures that are associated with each server in
your datacenter, because you need fewer network adapters to manage different types of traffic per server.

SET is a NIC Teaming solution that is integrated in the Hyper-V Virtual Switch. SET allows the teaming of
up to eight physical NICs into a single SET team, which improves availability and provides failover. In
Windows Server 2016 Technical Preview, you can create SET teams that are restricted to the use of Server
Message Block (SMB) and RDMA.

RAS Gateway Multitenant Border Gateway Protocol (BGP) Router
RAS Gateway is a software-based, multitenant, BGP-capable router in Windows Server 2016 Technical
Preview that is designed for Cloud Service Providers and enterprises that host multiple tenant virtual
networks by using Hyper-V Network Virtualization.

BGP
When configured on a Windows Server 2016 Technical Preview Routing and Remote Access Service
(RRAS) Gateway, BGP provides you with the ability to manage the routing of network traffic between your
tenants’ virtual machine networks and their remote sites. BGP reduces the need for manual route
configuration on routers because it is a dynamic routing protocol, and it automatically learns routes
between sites that are connected by using site-to-site VPN connections.

System Center: Deploy Software-Defined Networks by using Virtual Machine Manager
You can use System Center Virtual Machine Manager to deploy and manage many Software-Defined
Networking components.

Network Controller

Network Controller is a highly available and scalable server role, and provides one application
programming interface (API) that allows Network Controller to communicate with the network, and a
second API that allows you to communicate with Network Controller.

You can deploy Network Controller in both domain and non-domain environments. In domain
environments, Network Controller authenticates users and network devices by using Kerberos; in non-
domain environments, you must deploy certificates for authentication.

Network Controller communicates with network devices, services, and components by using the
Southbound API. With the Southbound API, Network Controller can discover network devices, detect
service configurations, and gather all of the information you need about the network. In addition, the
Southbound API gives Network Controller a pathway to send information to the network infrastructure,
such as the configuration changes that you have made.

The Network Controller Northbound API provides you with the ability to gather network information from
Network Controller and use it to monitor and configure the network. The Network Controller Northbound
API allows you to configure, monitor, troubleshoot, and deploy new devices on the network by using
Windows PowerShell, the Representational State Transfer (REST) API, or a management application with a
graphical user interface, such as Virtual Machine Manager.

Note: The Network Controller Northbound API is implemented as a REST interface.

You can manage your datacenter network with Network Controller by using management applications,
such as Virtual Machine Manager and System Center Operations Manager, because Network Controller
allows you to configure, monitor, program, and troubleshoot the network infrastructure under its control.

By using Windows PowerShell, the REST API, or a management application, you can use Network
Controller to manage the following physical and virtual network infrastructure:

• Hyper-V virtual machines and virtual switches


• Physical network switches

• Physical network routers

• Firewall software
• VPN gateways, including Routing and Remote Access Service multitenant gateways

• Load balancers

If you are deploying Network Controller in a test lab environment, you can run the Network Controller
server role on a single physical server (without using Hyper-V) or on a Hyper-V virtual machine that is
installed on a Hyper-V host.

For high availability in large datacenters, you can deploy a cluster by using either three physical servers
(without Hyper-V) or by using three virtual machines that are installed on three Hyper-V hosts.

Additional Reading: For more information on Network Controller, refer to Network Controller:
http://aka.ms/Hz2mt8

The Hyper-V Virtual Switch

The Hyper-V Virtual Switch is a software-based layer-2 Ethernet network switch that is available in Hyper-
V Manager when you install the Hyper-V server role. The switch includes programmatically managed and
extensible capabilities to connect virtual machines to both virtual networks and the physical network. In
addition, Hyper-V Virtual Switch provides policy enforcement for security, isolation, and service levels.

Note: Hyper-V Virtual Switch only supports Ethernet, and does not support any other wired
local area network (LAN) technologies, such as InfiniBand and Fibre Channel.

The Hyper-V Virtual Switch includes tenant isolation capabilities, traffic shaping, protection against
malicious virtual machines, and simplified troubleshooting. With built-in support for Network Device
Interface Specification (NDIS) filter drivers and Windows Filtering Platform (WFP) callout drivers, the
Hyper-V Virtual Switch enables independent software vendors (ISVs) to create extensible plug-ins, known
as Virtual Switch Extensions, that can provide enhanced networking and security capabilities. Virtual
Switch Extensions that you add to the Hyper-V Virtual Switch are listed in the Virtual Switch Manager
feature of Hyper-V Manager.
Some of the principal features that are included in the Hyper-V Virtual Switch are:

• Address Resolution Protocol (ARP)/Neighbor Discovery (ND) poisoning (spoofing) protection. Helps
protect against a malicious virtual machine that uses ARP spoofing to steal IP addresses from other
virtual machines, and against the equivalent IPv6 attacks that use Neighbor Discovery spoofing.

• DHCP Guard protection. Helps protect against a malicious virtual machine representing itself as a
Dynamic Host Configuration Protocol (DHCP) server for man-in-the-middle attacks.
• Port access control lists (ACLs). Provides traffic filtering based on media access control (MAC) or
Internet Protocol (IP) addresses/ranges, which enables you to set up virtual network isolation.

• Trunk mode to a virtual machine. Enables administrators to set up a specific virtual machine as a
virtual appliance, and then direct traffic from various virtual Local Area Networks (VLANs) to that
virtual machine.

• Network traffic monitoring. Enables administrators to review traffic that is traversing the network
switch.
• Isolated (private) VLAN. Enables administrators to segregate traffic on multiple VLANs, to more easily
establish isolated tenant communities.

The following is a list of capabilities that enhance the Hyper-V Virtual Switch usability:

• Bandwidth limit and burst support. Bandwidth minimum guarantees the amount of bandwidth that is
reserved. Bandwidth maximum limits the amount of bandwidth a virtual machine can consume.

• Explicit Congestion Notification (ECN) marking support. ECN marking, which Data Center TCP (DCTCP)
relies on, enables the physical switch and the operating system to regulate traffic flow so that the
buffer resources of the switch are not flooded, which results in increased traffic throughput.

• Diagnostics. Diagnostics allow easy tracing and monitoring of events and packets through the virtual
switch.
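The switch features listed above are all settable per virtual machine network adapter from Windows PowerShell. The following added example (not part of the course text) hardens a tenant VM's port the way a practitioner would before handing it over, and then reads the configuration back for audit. The VM names Tenant-Web01, Tenant-FW01 and Tenant-IDS01, the VLAN range and the port choices are assumptions; run it on the Hyper-V host.

```powershell
# Added example, not part of the course text. Assumed names: tenant VM 'Tenant-Web01', a virtual
# appliance VM 'Tenant-FW01' that should receive VLANs 100-199 as a trunk, and an IDS VM
# 'Tenant-IDS01' on the same host. Run as administrator on the Hyper-V host.
$VM = 'Tenant-Web01'

# 1. Port-level guards. DHCP Guard drops DHCP server messages sent by the VM, Router Guard drops
#    router advertisements and redirects from it (the IPv6 ND attack surface), and disabling MAC
#    spoofing stops the VM from sourcing frames with any MAC address other than its own.
Set-VMNetworkAdapter -VMName $VM -DhcpGuard On -RouterGuard On -MacAddressSpoofing Off

# 2. Extended port ACLs, evaluated highest Weight first. Stateful allows create the return path,
#    so each direction can end in a default deny without breaking the VM's own connections.
Add-VMNetworkAdapterExtendedAcl -VMName $VM -Action Allow -Direction Inbound  -LocalPort 443 -Protocol TCP -Weight 100 -Stateful $true
Add-VMNetworkAdapterExtendedAcl -VMName $VM -Action Allow -Direction Inbound  -Protocol ICMPv4 -Weight 90
Add-VMNetworkAdapterExtendedAcl -VMName $VM -Action Deny  -Direction Inbound  -Weight 1
Add-VMNetworkAdapterExtendedAcl -VMName $VM -Action Allow -Direction Outbound -RemotePort 443 -Protocol TCP -Weight 100 -Stateful $true
Add-VMNetworkAdapterExtendedAcl -VMName $VM -Action Allow -Direction Outbound -RemotePort 53  -Protocol UDP -Weight 90  -Stateful $true
Add-VMNetworkAdapterExtendedAcl -VMName $VM -Action Deny  -Direction Outbound -Weight 1

# 3. Bandwidth cap (bits per second) so one tenant cannot saturate the uplink. A minimum
#    reservation (-MinimumBandwidthAbsolute) also needs the switch created in Absolute mode.
Set-VMNetworkAdapter -VMName $VM -MaximumBandwidth 1GB

# 4. Trunk mode for the virtual appliance, and port mirroring so the IDS sees the web VM's traffic.
Set-VMNetworkAdapterVlan -VMName 'Tenant-FW01' -Trunk -AllowedVlanIdList '100-199' -NativeVlanId 1
Set-VMNetworkAdapter -VMName $VM -PortMirroring Source
Set-VMNetworkAdapter -VMName 'Tenant-IDS01' -PortMirroring Destination

# 5. Read the effective configuration back; this is what a compliance check should compare.
Get-VMNetworkAdapter -VMName $VM |
    Format-List VMName, SwitchName, DhcpGuard, RouterGuard, MacAddressSpoofing, PortMirroringMode, BandwidthSetting
Get-VMNetworkAdapterExtendedAcl -VMName $VM | Sort-Object Weight -Descending |
    Format-Table Direction, Action, Protocol, LocalPort, RemotePort, Weight, Stateful -AutoSize
```

Keep the default-deny rules at the lowest weight and add specific allows above them; because extended ACLs are evaluated from the highest weight down, a later broad allow with a high weight silently defeats the policy. Port mirroring copies every frame the web VM sends and receives to the IDS adapter, so size that VM's NIC for the combined load.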

Network Function Virtualization

In today’s software-defined datacenters, hardware appliances such as load balancers, firewalls, routers,
and switches are increasingly being deployed as virtual appliances to perform network functions. Network
function virtualization is a natural progression of server virtualization and network virtualization. Virtual
appliances are quickly emerging and creating a brand new market. They continue to generate interest
and gain momentum in both virtualization platforms and cloud services. The following network function
virtualization technologies are available in Windows Server 2016 Technical Preview:

• Software load balancer and NAT. The north-south and east-west layer 4 load balancer and NAT
enhance throughput by supporting Direct Server Return, with which the return network traffic can
bypass the load-balancing multiplexer.

• Datacenter firewall. This distributed firewall provides granular ACLs, enabling you to apply firewall
policies at the virtual machine interface level or at the subnet level.
• RAS Gateway Multitenant BGP Router. You can use RAS Gateway to route traffic between virtual
networks and physical networks; specifically, you can deploy site-to-site IPsec or Generic Routing
Encapsulation (GRE) VPN gateways and forwarding gateways. Gateway pools and M+N redundancy of
gateways are supported, and BGP provides dynamic routing between networks for all gateway
scenarios (site-to-site, GRE, and forwarding).
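The Datacenter Firewall introduced earlier in this lesson and listed again above is driven entirely through Network Controller's Northbound API: an access control list of 5-tuple rules is created as a resource and then attached to a virtual subnet or a network interface. The following added example (not part of the course text or of Microsoft's SDN deployment scripts) builds a web-tier policy with logging enabled. The controller URI nc.contoso.local, the virtual network Tenant1-VNet with subnet Web on 10.0.1.0/24, and the resource IDs are all assumptions; it needs the NetworkController PowerShell module and a domain account the controller trusts.

```powershell
# Added example, not part of the course text or of Microsoft's SDN deployment scripts. Assumed:
# Network Controller REST endpoint https://nc.contoso.local (domain environment, so Kerberos is
# used), an existing virtual network 'Tenant1-VNet' with subnet 'Web' (10.0.1.0/24).
$Uri = 'https://nc.contoso.local'

# Build one ACL rule object. Rules match on the 5-tuple; the lowest Priority value is evaluated first.
function New-DcFwRule {
    param(
        [string]$Id, [string]$Type, [string]$Action, [string]$Protocol,
        [string]$SrcPrefix, [string]$SrcPorts, [string]$DstPrefix, [string]$DstPorts, [int]$Priority
    )
    $Rule = New-Object Microsoft.Windows.NetworkController.AclRule
    $Rule.ResourceId = $Id
    $Rule.Properties = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $Rule.Properties.Type                     = $Type       # Inbound | Outbound
    $Rule.Properties.Action                   = $Action     # Allow | Deny
    $Rule.Properties.Protocol                 = $Protocol   # TCP | UDP | All
    $Rule.Properties.SourceAddressPrefix      = $SrcPrefix
    $Rule.Properties.SourcePortRange          = $SrcPorts
    $Rule.Properties.DestinationAddressPrefix = $DstPrefix
    $Rule.Properties.DestinationPortRange     = $DstPorts
    $Rule.Properties.Priority                 = "$Priority"
    $Rule.Properties.Logging                  = 'Enabled'   # record hits for detection and forensics
    return $Rule
}

# Web tier policy: HTTPS from anywhere, anything from inside the subnet, everything else dropped.
$AclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$AclProps.AclRules = @(
    (New-DcFwRule -Id 'AllowHttpsIn'  -Type Inbound  -Action Allow -Protocol TCP -SrcPrefix '*'           -SrcPorts '0-65535' -DstPrefix '*' -DstPorts '443'     -Priority 110),
    (New-DcFwRule -Id 'AllowSubnetIn' -Type Inbound  -Action Allow -Protocol All -SrcPrefix '10.0.1.0/24' -SrcPorts '0-65535' -DstPrefix '*' -DstPorts '0-65535' -Priority 120),
    (New-DcFwRule -Id 'DenyAllIn'     -Type Inbound  -Action Deny  -Protocol All -SrcPrefix '*'           -SrcPorts '0-65535' -DstPrefix '*' -DstPorts '0-65535' -Priority 65000),
    (New-DcFwRule -Id 'AllowAllOut'   -Type Outbound -Action Allow -Protocol All -SrcPrefix '*'           -SrcPorts '0-65535' -DstPrefix '*' -DstPorts '0-65535' -Priority 110)
)
$Acl = New-NetworkControllerAccessControlList -ConnectionUri $Uri -ResourceId 'Tenant1-Web-ACL' -Properties $AclProps -Force

# Attach the ACL to the subnet so every VM network interface in it inherits the policy.
$Subnet = Get-NetworkControllerVirtualSubnet -ConnectionUri $Uri -VirtualNetworkId 'Tenant1-VNet' -ResourceId 'Web'
$Subnet.Properties.AccessControlList = $Acl
New-NetworkControllerVirtualSubnet -ConnectionUri $Uri -VirtualNetworkId 'Tenant1-VNet' -ResourceId 'Web' -Properties $Subnet.Properties -Force

# The cmdlets wrap the Northbound REST API; the same resource can be read back directly.
(Invoke-RestMethod -Uri "$Uri/networking/v1/accessControlLists/Tenant1-Web-ACL" -UseDefaultCredentials).properties.aclRules |
    Select-Object resourceId -ExpandProperty properties |
    Format-Table resourceId, type, action, protocol, sourceAddressPrefix, destinationPortRange, priority -AutoSize
```

Because the firewall is distributed and enforced at the virtual switch port of every host, the policy follows a VM when it is live-migrated; there is nothing to reconfigure on the destination host. The explicit DenyAllIn rule at the lowest precedence is what turns the list into an allowlist, and Logging on each rule is what gives the SOC visibility into blocked east-west traffic.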

Microsoft included a standalone gateway as a virtual appliance, starting with Windows Server 2012 R2.
With Windows Server 2016 Technical Preview, Microsoft continues to expand and invest in the network
function virtualization market.
A virtual appliance is dynamic and easy to change because it is a pre-built, customized virtual machine. It
can consist of one or more virtual machines packaged, updated, and maintained as a unit. Together with
Software-Defined Networking, you get the agility and flexibility needed in today’s cloud-based
infrastructure. For example:

• Software-Defined Networking presents the network as a pooled and dynamic resource.

• Software-Defined Networking facilitates tenant isolation.

• Software-Defined Networking maximizes scale and performance.

• Virtual appliances enable seamless capacity expansion and workload mobility.

• Virtual appliances minimize operational complexity.

• Virtual appliances let customers easily acquire, deploy, and manage pre-integrated solutions:
o Customers can easily move the virtual appliance anywhere in the cloud.
o Customers can scale virtual appliances up or down dynamically based on demand.

Note: For more information on Network Function Virtualization, refer to http://aka.ms/Ll2u05

Software load balancing overview

Cloud Service Providers and enterprises that are deploying Software-Defined Networking in Windows
Server 2016 Technical Preview can use software load balancing to evenly distribute tenant and tenant
customer network traffic among virtual network resources. Windows Server software load balancer
enables multiple servers to host the same workload, providing high availability and scalability.
Windows Server SLB includes the following capabilities:

• Layer 4 (L4) load balancing services for “north-south” and “east-west” TCP/UDP traffic.

• Public and internal network traffic load balancing.


• Supports dynamic IP addresses on VLANs and on virtual networks that you create by using Hyper-V
Network Virtualization.

• Health probe support.


• Ready for cloud scale, including scale-out capability and scale-up capability, for multiplexers and host
agents.

Using Windows Server SLB, you can scale out your load balancing capabilities by using SLB virtual
machines on the same Hyper-V compute servers that you use for your other virtual machine workloads.
Because of this, SLB supports the rapid creation and deletion of load balancing endpoints that are
required for CSP operations. In addition, Windows Server SLB supports tens of gigabits per second of
throughput per cluster, provides a simple provisioning model, and is easy to scale out and in.

When you have a service that requires software load balancing, Network Controller is notified of the
request and provisions the Software Load Balancing multiplexers (MUXes) that front the service. You can
have several multiplexers in an environment. Each multiplexer advertises the virtual IP addresses (VIPs)
it serves to the physical network over BGP, so the routers forward traffic for a VIP to a multiplexer.
The multiplexer accepts connections and forwards them to the virtual machines backing the service.
Because the VIP is announced through BGP and that announcement is controlled by Network Controller,
if a multiplexer fails, Network Controller recovers by starting a new multiplexer and reannouncing the
routes through BGP.

Types of IP addresses:

• Virtual IP Address (VIP). The external connections will route to this IP.

• Dynamic IP Address (DIP). This is the set of IPs on the virtual machines backing the service.

Additional Reading: For more information on Software Load Balancing, see http://aka.ms/Do4don

Lesson 2
Windows Server networking technologies

Network functions that are being performed by hardware appliances are increasingly being virtualized as
virtual appliances. This lesson provides an overview of some of the more prominent Hyper-V Network
Virtualization functionality that is new or changed in Windows Server 2016 Technical Preview.
After completing this lesson, you will be able to:

• Describe the new features in Hyper-V Network Virtualization.

• Describe the new features in RAS Gateway.


• Describe the new features in NIC Teaming.

• Describe the benefits of Packet Direct.

• Describe SET.
• Describe the uses and benefits of Network Monitoring.

Hyper-V Network Virtualization

Introduced in Windows Server 2012, Hyper-V Network Virtualization enables virtualization of customer
networks on top of a shared physical network infrastructure. With minimal changes necessary on the
physical network fabric, HNV gives service providers the agility to deploy and migrate the tenant
workloads anywhere across the three clouds: the service provider cloud, the private cloud, or the
Microsoft Azure public cloud.

Programmable Hyper-V switch


HNV is a fundamental building block of the updated Software-Defined Networking solution from
Microsoft, and is fully integrated into the Software-Defined Networking stack.
The new Network Controller from Microsoft pushes the HNV policies down to a Host Agent running on
each host by using the Open vSwitch Database Management Protocol (OVSDB) as the SouthBound
Interface (SBI). The Host Agent stores this policy by using a customization of the VTEP schema and
programs complex flow rules into a performant flow engine in the Hyper-V switch.

The flow engine inside the Hyper-V switch is the same as the engine used in Microsoft Azure, which has
been implemented at hyper-scale in the Azure public cloud. Additionally, the entire Software-Defined
Networking stack up through the Network Controller, and Network Resource Provider is consistent with
Azure, thus bringing the power of the Azure public cloud to the Microsoft enterprise and hosting service
provider customers. The Hyper-V switch supports both stateless and stateful flow rules based on simple
match-action semantics.

VXLAN encapsulation support


The Virtual eXtensible Local Area Network (VXLAN - RFC 7348) protocol has been widely adopted in the
market place, with support from vendors such as Cisco Systems, Brocade, Dell, Hewlett-Packard, and
others. HNV also now supports this encapsulation scheme by using MAC distribution mode through
Network Controller to program mappings for tenant overlay network IP addresses (Customer Address –
CA) to the physical underlay network IP addresses (Provider Address – PA). Both NVGRE and VXLAN task
offloads are supported for improved performance through third-party drivers.

Software Load Balancer interoperability


Windows Server 2016 Technical Preview includes a software load balancer with full support for virtual
network traffic and seamless interaction with HNV. The SLB is implemented through the performant flow
engine in the data plane v-Switch and controlled by the Network Controller for Virtual IP (VIP)/Dynamic IP
(DIP) mappings.

Compliant IEEE Ethernet headers


HNV implements correct L2 Ethernet headers to ensure interoperability with third-party virtual and
physical appliances that depend on industry-standard protocols. Microsoft ensures that all transmitted
packets have compliant values in all fields to ensure this interoperability. In addition, support for Jumbo
Frames (MTU > 1780) in the physical L2 network will be required to account for packet overhead
introduced by encapsulation protocols (NVGRE and VXLAN) while ensuring guest virtual machines
attached to an HNV virtual network maintain a 1514 MTU.

RAS Gateway

RAS Gateway is a software-based, multitenant, Border Gateway Protocol (BGP) capable router in Windows
Server 2016 Technical Preview that is designed for Cloud Service Providers (CSPs) and Enterprises that
host multiple tenant virtual networks using Hyper-V Network Virtualization.
In Windows Server 2016 Technical Preview, RAS Gateway routes network traffic between the physical
network and virtual machine network resources, regardless of where the resources are located. You can
use RAS Gateway to route network traffic between physical and virtual networks at the same physical
location or at many different physical locations over the Internet.

RAS Gateway features


The following are the RAS Gateway features in Windows Server 2016 Technical Preview. You can deploy
RAS Gateway in high availability pools that use all of these features at the same time:

• Site-to-site VPN. This RAS Gateway feature allows you to connect two networks at different physical
locations across the Internet by using a site-to-site VPN connection. For CSPs that host many tenants
in their datacenter, RAS Gateway provides a multitenant gateway solution that allows your tenants to
access and manage their resources over site-to-site VPN connections from remote sites, and that
allows network traffic flow between virtual resources in your datacenter and their physical network.

• Point-to-site VPN. This RAS Gateway feature allows organization employees or administrators to
connect to your organization's network from remote locations. For multitenant deployments, tenant
network administrators can use point-to-site VPN connections to access virtual network resources at
the CSP datacenter.

• GRE tunneling. GRE-based tunnels enable connectivity between tenant virtual networks and external
networks. Because the GRE protocol is lightweight and is supported on most network devices, it is a
practical choice for tunneling where encryption of the data is not required; GRE itself provides no
confidentiality or integrity protection, so use a site-to-site VPN where those are needed. GRE support
in site-to-site tunnels solves the problem of forwarding between tenant virtual networks and tenant
external networks through a multitenant gateway.
• Dynamic routing with BGP. BGP reduces the need for manual route configuration on routers because
it is a dynamic routing protocol, and automatically learns routes between sites that are connected by
using site-to-site VPN connections. If your organization has multiple sites that are connected by using
BGP-enabled routers such as RAS Gateway, BGP allows the routers to automatically calculate and use
valid routes to each other in the event of network disruption or failure. For more information, see RFC
4271.

• NAT. NAT allows you to share a connection to the public Internet through a single interface with a
single public IP address. The computers on the private network use private, non-routable addresses.

NAT maps the private addresses to the public address. The RAS Gateway feature allows employees of
an organization with single tenant deployments to access Internet resources from behind the
gateway. For CSPs, this feature allows applications that are running on tenant virtual machines to
access the Internet. For example, a tenant virtual machine that is configured as a web server can
contact external financial resources to process credit card transactions.

NIC Teaming

NIC Teaming allows you to group between one and thirty-two physical Ethernet network adapters into
one or more software-based virtual network adapters. These virtual network adapters provide fast
performance and fault tolerance in the event of a network adapter failure.
To group network adapters by using NIC Teaming, you must first install them all in the same physical host
computer.

Note: A NIC team that contains only one network adapter cannot provide load balancing
or failover; however, with one network adapter you can still use NIC Teaming to separate
network traffic by VLAN.

When you configure network adapters into a NIC team, they are connected into the NIC Teaming solution
common core, which then presents one or more virtual adapters (also called team NICs [tNICs] or team
interfaces) to the operating system. Windows Server 2016 Technical Preview supports up to 32 team
interfaces per team. There are a variety of algorithms that distribute outbound traffic (load) between the
NICs.

You can use any Ethernet NIC that has passed the Windows Hardware Quality Labs (WHQL) tests in a NIC
team in Windows Server 2016 Technical Preview.

You cannot place the following NICs in a NIC team:


• Hyper-V virtual network adapters that are Hyper-V Virtual Switch ports exposed as NICs in the host
partition.

Note: Hyper-V virtual NICs (vNICs) that are exposed in the host partition must not be
placed in a team. Teaming of vNICs inside the host partition is not supported in any
configuration or combination. Attempts to team vNICs might cause a complete loss of
communication if network failures occur.

• The kernel debug network adapter.

• NICs that are being used for network boot.

• NICs that use technologies other than Ethernet, such as wireless wide area network (WWAN),
WLAN/Wi-Fi, Bluetooth, and Infiniband, including Internet Protocol over Infiniband NICs.
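The following added example (not part of the original handbook) builds a team with the NetLbfo cmdlets and first checks the candidate adapters against the exclusions listed above. The adapter names NIC1 and NIC2, the team name, and the VLAN ID are assumptions.

```powershell
# Added example, not from the handbook: build an LBFO NIC team after checking the candidate
# adapters against the exclusions listed above. Adapter and team names are assumptions.
$Candidates = 'NIC1', 'NIC2'

# Host vNICs (Hyper-V Virtual Switch ports exposed to the host partition) must never be teamed.
$HostVNics = Get-NetAdapter |
    Where-Object { $_.InterfaceDescription -like 'Hyper-V Virtual Ethernet Adapter*' } |
    Select-Object -ExpandProperty Name

$Members = foreach ($Name in $Candidates) {
    $Nic = Get-NetAdapter -Name $Name -ErrorAction Stop
    if ($HostVNics -contains $Name) {
        throw "$Name is a Hyper-V host vNIC; teaming it is not supported in any configuration"
    }
    # Only Ethernet (802.3) media may be teamed; Wi-Fi, WWAN, Bluetooth and InfiniBand are excluded.
    if ($Nic.PhysicalMediaType -ne '802.3') {
        throw "$Name is not an Ethernet adapter (media type $($Nic.PhysicalMediaType))"
    }
    $Name
}
# Not visible through Get-NetAdapter: the kernel debug NIC (see 'bcdedit /dbgsettings') and any
# adapter used for network boot; confirm neither is in $Members before continuing.

# Switch Independent mode needs no configuration on the physical switch; Dynamic is the
# load-balancing algorithm Microsoft recommends for most workloads.
New-NetLbfoTeam -Name 'Team1' -TeamMembers $Members `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic -Confirm:$false

# A second team interface that carries only VLAN 10 traffic (traffic separation by VLAN).
Add-NetLbfoTeamNic -Team 'Team1' -VlanID 10 -Name 'Team1-VLAN10' -Confirm:$false

# Verify: every member should be Active; a Failed member reports the link-level reason.
Get-NetLbfoTeamMember -Team 'Team1' |
    Format-Table Name, AdministrativeMode, OperationalStatus, FailureReason
Get-NetLbfoTeamNic -Team 'Team1' | Format-Table Name, VlanID, Primary, Default
```

Run the script in an elevated Windows PowerShell session on the host. The two `throw` checks stop the script before a team is created, because a team that contains a host vNIC can fail completely under the very link failures it is supposed to survive.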

Additional Reading: For more information, refer to NIC Teaming in Virtual
Machines: http://aka.ms/Az2gjr

NIC Teaming Compatibility


NIC Teaming is compatible with all networking technologies in Windows Server 2016 Technical Preview,
except for the following:

• Single-root I/O virtualization (SR-IOV). For SR-IOV, data is delivered directly to the NIC without
passing it through the networking stack (in the host operating system in the case of virtualization).
Therefore, it is not possible for the NIC team to inspect or redirect the data to another path in the
team.
• Native host Quality of Service (QoS). When QoS policies are set on a native or host system and those
policies invoke minimum bandwidth limitations, the overall throughput for a NIC team will be less
than it would be without the bandwidth policies in place.

• TCP Chimney. TCP Chimney is not supported with NIC Teaming because TCP Chimney offloads the
entire networking stack directly to the NIC.

• 802.1X Authentication. 802.1X Authentication should not be used with NIC Teaming. Some switches
do not permit the configuration of both 802.1X Authentication and NIC Teaming on the same port.

Additional Reading: For more information on NIC Teaming in virtual machines that are
running on a Hyper-V host, refer to: http://aka.ms/Xtud73

Packet Direct

Packet Direct provides a high-throughput, low-latency packet processing infrastructure.
Packet Direct extends the current NDIS model with an accelerated network I/O path that is optimized for
packet-per-second (pps) rates an order of magnitude higher than what has been seen with the
traditional NDIS I/O model. This is accomplished through:

• Reduced latency.
• Reduced cycles/packet.

• Linear speed up with the use of additional system resources.

Packet Direct exists side-by-side with the traditional model. The new Packet Direct path can be used when
an application prefers it and there are sufficient hardware resources to accommodate it. Packet Direct is
not meant to replace the traditional I/O model and assumes that a client writing to the Packet Direct
interface will have strict partitioning requirements for the underlying resources based on the system
topology. Packet Direct is meant to be the new high-speed data path that will help a Windows system
replace high pps workloads that have been traditionally done in hardware, potentially saving datacenter
owners millions in infrastructure costs.

Packet Direct works by allowing a Packet Direct client to explicitly manage networking traffic from a
network adapter. Packet Direct gives the Packet Direct client the control of the high-performance send
and receive functionality of the NIC through the PacketDirect client interface (PDCI). Internally, the PDCI
send/receive functions are mapped directly to the PDPI. Packet Direct send/receive functions operate on
Packet Direct queues created by the Packet Direct client on Packet Direct capable NICs.

Note: Each network adapter can have one Packet Direct provider and one Packet Direct
client. A system with several Packet Direct capable adapters can therefore have multiple
Packet Direct clients and providers.

PacketDirect Provider Interface (PDPI). The PDPI allows NIC drivers to expose their high-performance send
and receive functionality to the Windows operating system. The functions implemented are a subset of
the complete miniport functionality and are generic to all NICs that implement Packet Direct.

PacketDirect Client Interface (PDCI). The PDCI allows first-party Windows services and applications, such
as the load balancer, NAT, and the virtual machine switch, to speed up their data path by using the
PacketDirect I/O model through Packet Direct clients. This interface is a layer 2 interface

just like the current NDIS send/receive interface. In addition to PDPI access, the main functionality that
PDCI provides is Packet Direct packet buffer allocation/management, a back-channel for injecting packets
back to regular NDIS receive path, and handling of NDIS power/PnP events.

Additional Reading: For more information on PacketDirect, refer to Introduction to the
NDIS PacketDirect Provider Interface: http://aka.ms/D7x57s

Network Monitoring

You can use Network Monitoring to detect changes in network loss, latency, and the availability of devices
in your network topology, and to alert you to network problems as they occur. These alerts provide you
with the ability to rapidly identify, locate, and fix network issues.

The alerts and the information provided with the alerts allow you to:

• Prioritize troubleshooting actions based on issue impact.


• Achieve faster turnaround on reported issues.

• Solve problems before they seriously impact your tenants.

• More successfully maintain network up time for your datacenter network service level agreements
(SLAs).

The Network Monitoring service uses the network object model, provided by the topology service, to
determine the network devices and links that are to be monitored. Physical network monitoring is
performed by using both active network data and element data.

Active network data, such as network loss and latency, is gathered by sending network traffic and
measuring the round-trip time. The Network Monitoring service automatically determines the network
points between which the traffic must be sent, the amount of traffic needed to cover all network
paths, and the loss and latency baseline and deviations from it over a period of time.

Health monitoring
The monitoring system reports the health of both devices and device groups. Health is reported based on
both active and element data. Devices include physical switches and routers. Device groups are
combinations of physical devices that have some significance within the datacenter.

For example, device groups can be racks or subnets or simply host groups. In addition to providing health
information, the monitoring service also reports vital statistics such as network loss, latency, device
CPU/memory usages, link utilization, and packet drops.

Impact analysis
Impact analysis is the process of identifying overlay networks that are affected by the underlying faulty
physical networks. Network Monitoring can identify virtual networks that are affected by any network
failure, including physical network failures, and which are at high risk of losing connectivity. Network
Monitoring uses topology information to determine the virtual network footprint and to report the health
of impacted virtual networks.

For example, if a host loses network connectivity, the system marks all virtual networks on this host and
that are connected to the faulty network as impacted. Similarly, if a rack loses uplink connectivity to the
core network, the system determines the logical network affected and marks all virtual networks in this
rack and that are connected to the affected logical network as impacted.

Network Monitoring integrates with the Operations Manager server to report both health and statistics
data. Health is reported in an aggregated manner making it easy to traverse and understand key issues.

Performance monitoring
Performance monitoring is accomplished with active probing, which measures network loss and latency
within a fault domain/rack, between fault domains/racks, and from fault domains/racks to external
addresses. Active probing identifies all parallel paths between any two end nodes, and includes all of the
paths in its tests.

By using active probing, Network Monitoring learns the baseline threshold for loss and latency for every
link that it monitors.

Statistics collection and aggregation


Network Monitoring collects statistics about your network and aggregates them into an easy to
understand format so that you are always aware of your network health status.
Network Monitoring gathers statistics for physical and virtual network devices and interfaces, including
the following:

• Switches, routers, and their interfaces


• Fault domains/racks

• Hosts
• Host interfaces

• Hyper-V virtual switches

• Hyper-V virtual switch ports

Fault localization
The Network Monitoring service attempts to localize devices that are causing network loss and latency, by
using advanced algorithms to identify both network paths and devices in the paths that are causing
performance degradation.

Network Monitoring uses fault localization to identify the network location of a device or interface that
has failed. Fault localization reduces the number of alerts that are raised in circumstances where a single
failure causes lack of connectivity for many other devices, which in turn could cause a cascade of
additional alerts.

Network Controller
Network Monitoring is a feature of Network Controller in Windows Server 2016 Technical Preview; you
must deploy Network Controller to use Network Monitoring.

To use Network Monitoring, it is recommended that you install the Network Controller Network
Monitoring Management Pack in Operations Manager, which provides a graphical Network Monitoring
interface. You can also interact with Network Monitoring by using the REST APIs or Windows PowerShell.

Additional Reading: For more information, refer to Deploying Network Controller using
Windows PowerShell: http://aka.ms/U2mjt5

SET

SET is an alternative NIC Teaming solution that is integrated into the Hyper-V Virtual Switch, for use in
environments that include Hyper-V and the Software-Defined Networking stack in Windows Server 2016
Technical Preview. SET allows you to group between one and eight physical Ethernet network adapters into
one or more software-based virtual network adapters. These virtual network adapters provide fast
performance and fault tolerance in the event of a network adapter failure. SET member network adapters
must all be installed in the same physical Hyper-V host.
In Windows Server 2016 Technical Preview, you can create SET teams that are restricted to the use of SMB
and RDMA. In addition, you can use SET teams to distribute network traffic for Hyper-V Network
Virtualization.

Note: The use of SET is only supported in the Hyper-V Virtual Switch in Windows Server
2016 Technical Preview. You cannot deploy SET in Windows Server 2012 R2.

In addition, you can connect your teamed NICs to the same physical switch or to different physical
switches. If you connect NICs to different switches, both switches must be on the same subnet.

Because SET is integrated into the Hyper-V Virtual Switch, you cannot use SET inside a virtual machine.
You can, however use NIC Teaming within virtual machines.

In addition, SET architecture does not expose team interfaces. Instead, you must configure Hyper-V Virtual
Switch ports.

Additional Reading: For more information, see NIC Teaming in Virtual Machines (VMs):
http://aka.ms/Pbon43

SET modes and settings


Unlike NIC Teaming, when you create a SET team, you cannot configure a team name. In addition, using a
standby adapter is supported in NIC Teaming, but it is not supported in SET. When you deploy SET, all
network adapters are active and none are in the standby mode.

Another key difference between NIC Teaming and SET is that NIC Teaming provides the choice of three
different teaming modes, whereas SET supports only the Switch Independent mode. With the Switch
Independent mode, the switch or switches to which the SET team members are connected are unaware of
the presence of the SET team and do not determine how to distribute network traffic to SET team
members. Instead, the SET team distributes inbound network traffic across the SET team members.

When you create a new SET team, you must configure the following team properties.
• Member adapters

• Load-balancing mode

Member adapters
When you create a SET team, you must specify up to eight identical network adapters that are bound to
the Hyper-V Virtual Switch as SET team member adapters.

Load-balancing options
Hyper-V Port
Virtual machines are connected to a port on the Hyper-V Virtual Switch. When you use the Hyper-V Port
mode for SET teams, the Hyper-V Virtual Switch port and the associated MAC address are used to divide
the network traffic between SET team members.

Dynamic
This load-balancing mode provides the following advantages:
• Outbound loads are distributed based on a hash of the TCP ports and IP addresses. Dynamic mode
also re-balances loads in real time so that a given outbound flow can move back and forth between
SET team members.

• Inbound loads are distributed in the same way as in the Hyper-V port mode.
The outbound loads in this mode are dynamically balanced based on the concept of flowlets. Just as
human speech has natural breaks at the end of words and sentences, TCP flows (TCP communication
streams) also have naturally occurring breaks. The portion of a TCP flow between two such breaks is
referred to as a flowlet.

RDMA and SET


RDMA is a networking technology that provides high-throughput, low-latency communication that
minimizes CPU usage. The RDMA protocol enables removal of data copy operations and enables
reduction in latencies by allowing a local application to read or write data on a remote computer's
memory with minimal demands on memory bus bandwidth and CPU processing overhead, while
preserving memory protection semantics.

In versions of Windows Server prior to Windows Server 2016 Technical Preview, it was not possible to
configure RDMA on network adapters that were bound to a NIC team or to a Hyper-V Virtual Switch. In
Windows Server 2016 Technical Preview, you can enable RDMA on network adapters that are bound to a
Hyper-V Virtual Switch, with or without SET.
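The following added example (not part of the original handbook) creates a Hyper-V Virtual Switch with Switch Embedded Teaming, selects the load-balancing mode described above, and enables RDMA on host vNICs for SMB traffic. The adapter names NIC1 and NIC2, the switch name SETswitch, and the vNIC names SMB1 and SMB2 are assumptions; the two adapters are assumed to be identical and RDMA capable.

```powershell
# Added example, not from the handbook: a Hyper-V Virtual Switch with Switch Embedded Teaming
# over two RDMA-capable NICs, plus RDMA-enabled host vNICs for SMB. Adapter, switch and vNIC
# names are assumptions.
$Members = 'NIC1', 'NIC2'

# SET lives inside the Hyper-V Virtual Switch: -EnableEmbeddedTeaming creates the team.
# There is no team name, no standby member, and the teaming mode is always Switch Independent.
New-VMSwitch -Name 'SETswitch' -NetAdapterName $Members `
    -EnableEmbeddedTeaming $true -AllowManagementOS $false

# Hyper-V Port spreads traffic by switch port/MAC; Dynamic hashes TCP ports and IP addresses
# for outbound traffic and rebalances flowlets in real time.
Set-VMSwitchTeam -Name 'SETswitch' -LoadBalancingAlgorithm Dynamic

# SET exposes no team interfaces, so create host vNICs on the switch instead. Pin each SMB vNIC
# to one physical member so RDMA traffic is not redistributed by the team.
for ($i = 0; $i -lt $Members.Count; $i++) {
    $vNic = "SMB$($i + 1)"
    Add-VMNetworkAdapter -ManagementOS -SwitchName 'SETswitch' -Name $vNic
    Set-VMNetworkAdapterTeamMapping -ManagementOS -VMNetworkAdapterName $vNic `
        -PhysicalNetAdapterName $Members[$i]
    # The host sees the vNIC as "vEthernet (<name>)"; RDMA on it is new in Windows Server 2016.
    Enable-NetAdapterRdma -Name "vEthernet ($vNic)"
}

# Verify the team settings and the RDMA state of the host vNICs.
Get-VMSwitchTeam -Name 'SETswitch' |
    Format-List NetAdapterInterfaceDescription, TeamingMode, LoadBalancingAlgorithm
Get-NetAdapterRdma | Format-Table Name, Enabled
```

Because SET has no standby adapters, `Get-VMSwitchTeam` should list both members and `Get-NetAdapterRdma` should show `Enabled` as True for both SMB vNICs; a False value usually means the physical adapter or its driver does not support RDMA.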

Lesson 3
Networking services

Networking improvements include the new features and enhancements that make flexible workload
placement and mobility possible. Organizations need flexibility, reliability, high levels of performance, and
a focus on applications and workloads. To meet these needs, Windows Server 2016 delivers enhancements
in the reliability, performance, and interoperability of virtual networking; improved support for centralized
configuration and management across virtual and physical networks; new virtualized network functions
for transforming the network cloud; and seamless datacenter extensions for flexible workload placement
and mobility.

Some of these improvements have been in the networking services. This lesson provides an overview of
some of those networking services.

After completing this lesson, you will be able to:


• Describe the new features in Domain Name System (DNS).

• Describe the new and improved features of IP Address Management (IPAM).



What is new in DNS?

Windows Server 2016 introduces new and improved features in the DNS server role, including:
• DNS policies. The DNS policies specify how a DNS server responds to queries. You can configure
policies to allow responses specific to a client IP address, the time of the day, and other parameters.

• Response rate limiting. When enabled, this feature helps prevent malicious users from using your DNS
servers as amplifiers or reflectors in denial-of-service attacks.
• DNS-based authentication of named entities (DANE). You can use TLSA (Transport Layer Security
Authentication) records to publish which certification authority (CA), or which certificate, your
domain names use for TLS. This helps prevent man-in-the-middle attacks in which malicious users corrupt a
DNS cache to redirect clients to their own website, possibly presenting a valid certificate issued by a
different CA. Because the TLSA record itself travels over DNS, it provides this protection only when the
zone is signed with DNSSEC and the client validates the answer. RFC 6394 and RFC 6698 describe DANE.
• Unknown record support. DNS in previous versions of Windows Server required every record to be of a
type that the server explicitly supported. The DNS server role in Windows Server 2016 can store and
serve record types that it does not explicitly support, by using the unknown record functionality.

• IPv6 root hints. Windows Server 2016 now has both the native IP version 4 (IPv4) and IP version 6
(IPv6) root hints to support Internet name resolution. The root hints are in the
C:\Windows\system32\dns\cache.dns file.

• Windows PowerShell support. New Windows PowerShell cmdlets are available in Windows Server
2016, and they facilitate administration of the new DNS features.
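The following added example (not part of the original handbook) uses the Windows Server 2016 DnsServer cmdlets to configure the first three features above: a DNS policy that answers by client subnet, response rate limiting, and a TLSA record. The zone contoso.com, the subnet and addresses, the scope and policy names, and the TLSA hash value are assumptions; the hash is a placeholder and must be computed from the real certificate.

```powershell
# Added example, not from the handbook: a DNS policy, response rate limiting and a TLSA record on
# a Windows Server 2016 DNS server. The zone, subnet, addresses and the TLSA hash are assumptions.
$Zone = 'contoso.com'

# 1. DNS policy: clients in 10.10.0.0/16 receive the answer held in a dedicated zone scope;
#    everyone else gets the record in the default scope.
Add-DnsServerClientSubnet -Name 'BranchSubnet' -IPv4Subnet '10.10.0.0/16'
Add-DnsServerZoneScope -ZoneName $Zone -Name 'BranchScope'
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name 'www' -IPv4Address '192.0.2.20'
Add-DnsServerResourceRecord -ZoneName $Zone -ZoneScope 'BranchScope' -A -Name 'www' -IPv4Address '10.10.5.20'
Add-DnsServerQueryResolutionPolicy -Name 'BranchPolicy' -Action ALLOW `
    -ClientSubnet 'eq,BranchSubnet' -ZoneScope 'BranchScope,1' -ZoneName $Zone

# 2. Response rate limiting: cap identical responses per client subnet so the server cannot be
#    used as a reflector in amplification attacks. Run in LogOnly mode first to spot false positives.
Set-DnsServerResponseRateLimiting -Mode LogOnly -ResponsesPerSec 5 -ErrorsPerSec 5 -WindowInSec 5 -Force
# After reviewing the logged drops, switch to enforcement:
Set-DnsServerResponseRateLimiting -Mode Enable -Force
Get-DnsServerResponseRateLimiting

# 3. DANE: publish a TLSA record for https://www.contoso.com that pins the SHA-256 hash of the
#    server certificate's SubjectPublicKeyInfo. The hash below is a placeholder; compute it
#    from the real certificate. Sign the zone with DNSSEC, otherwise a forged DNS answer can
#    replace this record as easily as it can replace the A record.
$SpkiSha256 = '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
Add-DnsServerResourceRecord -ZoneName $Zone -Name '_443._tcp.www' -TLSA `
    -CertificateUsage DomainIssuedCertificate -Selector SubjectPublicKeyInfo `
    -MatchingType Sha256Hash -CertificateAssociationData $SpkiSha256
Get-DnsServerResourceRecord -ZoneName $Zone -Name '_443._tcp.www'
```

Test the policy with `Resolve-DnsName www.contoso.com -Server <dns server>` from a client inside and a client outside 10.10.0.0/16; each should see a different address. The `,1` in `-ZoneScope` is the weight, which matters only when a policy lists several scopes.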

Additional Reading: For more information on new and improved functionality in DNS,
refer to http://aka.ms/Xadz1j

IPAM

IPAM is an integrated suite of tools that enable end-to-end planning, deploying, managing, and
monitoring of your IP address infrastructure, with a rich user experience. IPAM automatically discovers IP
address infrastructure servers and DNS servers on your network and enables you to manage them from a
central interface.
The following features improve the IPAM address management capabilities:

• IPAM in Windows Server 2016 Technical Preview now supports /31, /32, and /128 subnets. For
example, a two-address subnet (/31 IPv4) might be required for a point-to-point link between
switches. Also, some switches might require single loopback addresses (/32 for IPv4 and /128 for
IPv6).

• The Find-IpamFreeSubnet cmdlet. This new Windows PowerShell cmdlet returns subnets available
for allocation, given an IP block, prefix length, and number of requested subnets. If the number of
available subnets is less than the number of requested subnets, the available subnets are returned
with a warning indicating that the number available is less than the number requested.
• The Find-IpamFreeRange cmdlet. This new Windows PowerShell cmdlet returns the available IP
address ranges given an IP subnet, the number of addresses needed in the range, and the number of
ranges requested. It searches for a contiguous run of unallocated IP addresses that matches the
number of requested addresses. The process is repeated until the requested number of ranges is
found, or until no more address ranges are available.

• Enhanced DNS service management. IPAM in Windows Server 2016 Technical Preview now supports
discovery of file-based, domain-joined DNS servers in an Active Directory forest in which IPAM is
running.
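The following added example (not part of the original handbook) shows the three address management additions above together: it asks Find-IpamFreeSubnet for two /24 subnets from a managed block, records them, adds the new /31 and /32 prefix sizes, and uses Find-IpamFreeRange inside one of the new subnets. The block boundaries (10.20.0.0/16) and the subnet names are assumptions, and the returned subnet objects are assumed to expose a NetworkId property like the output of Get-IpamSubnet.

```powershell
# Added example, not from the handbook: allocate subnets and a point-to-point /31 from an IPAM
# block with the cmdlets new in Windows Server 2016. The block boundaries and names are assumptions,
# and the NetworkId property on the returned subnets is assumed to match Get-IpamSubnet output.
Import-Module IpamServer

# The parent block must already exist in IPAM (create it with Add-IpamBlock if it does not).
$Block = Get-IpamBlock -AddressFamily IPv4 -StartIPAddress 10.20.0.0 -EndIPAddress 10.20.255.255

# Two free /24 subnets. If fewer are free, IPAM returns what it has and warns rather than failing,
# so check the count before relying on the result.
$Free = @(Find-IpamFreeSubnet -InputObject $Block -PrefixLength 24 -NumberOfSubnets 2)
if ($Free.Count -lt 2) { Write-Warning "Only $($Free.Count) free /24 subnet(s) in the block" }

# Record the allocation so the next Find-IpamFreeSubnet does not hand out the same prefixes.
foreach ($s in $Free) {
    Add-IpamSubnet -Name "Tenant-$($s.NetworkId)" -NetworkId $s.NetworkId
}

# New in 2016: /31 (two-address) subnets for point-to-point links and /32 loopbacks.
Add-IpamSubnet -Name 'P2P-Core1-Core2' -NetworkId '10.20.255.0/31'
Add-IpamSubnet -Name 'Loopback-Core1'  -NetworkId '10.20.255.254/32'

# Find a contiguous run of ten unallocated addresses inside the first new subnet.
$Subnet = Get-IpamSubnet -NetworkId $Free[0].NetworkId
Find-IpamFreeRange -InputObject $Subnet -NumberOfAddresses 10 -NumberOfRanges 1

# Verify that the small prefixes are now tracked.
Get-IpamSubnet -AddressFamily IPv4 | Where-Object { $_.PrefixLength -ge 31 } |
    Format-Table Name, NetworkId, PrefixLength
```

Run this on the IPAM server, or from a management workstation with the IPAM client feature installed, using an account that holds an IPAM administrator role.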

The following DNS management functions have also been added, including the ability to configure properties
of resource records and DNS zones:
• Integrated DNS, DHCP, and IP address (DDI) management. When you view an IP address in the IP
address inventory, you have the option in the Details View to see all the DNS resource records
associated with the IP address.

• As part of DNS resource record collection, IPAM collects the PTR records for the DNS reverse lookup
zones. For every reverse lookup zone that is mapped to an IP address range, IPAM creates IP address
records in the mapped range for all the PTR records that belong to that zone. If the IP address already
exists, the PTR record is simply associated with that IP address. IP addresses are not created
automatically if the reverse lookup zone is not mapped to any IP address range. When a PTR record is
created in a reverse lookup zone through IPAM, the IP address

inventory is updated in the same way as described above. During subsequent collection, because the
IP address will already exist in the system, the PTR record will simply be mapped with that IP address.

• Multiple Active Directory forest support. In Windows Server 2012 R2, IPAM was able to discover and
manage DNS and DHCP servers belonging to the same Active Directory forest as the IPAM server.
Now you can manage DNS and DHCP servers belonging to a different Active Directory forest when it
has a two-way trust relationship with the forest where the IPAM server is installed. You can go to the
Configure Server Discovery dialog box and add the domains from the other trusted forests that you
want to manage. After the servers are discovered, the management experience is the same as for the
servers that belong to the same forest where IPAM is installed.

• Windows PowerShell support for role-based access control. You can now use Windows PowerShell to
configure role-based access control. You can use Windows PowerShell commands to retrieve DNS and
DHCP objects in IPAM and change their access scopes. Because of this, you can write Windows PowerShell
scripts to assign access scopes to the many new objects.

Module Review

Review Question(s)
Question: Which highly available and scalable Software-Defined Networking technology
enables you to monitor and configure a network?
Question: Which feature provides a high-speed data path that will help a Windows system
replace high pps workloads that have been traditionally done in hardware, potentially saving
datacenter owners millions in infrastructure costs?

Question: Which NIC Teaming solution that is integrated in the Hyper-V Virtual Switch
allows you to group between one to eight physical Ethernet network adapters into one or
more software-based virtual network adapters?

Clinic Evaluation

Your evaluation of this clinic will help Microsoft understand the quality of your learning experience.

Please work with your training provider to access the clinic evaluation form.

Microsoft will keep your answers to this survey private and confidential and will use your responses to
improve your future learning experience. Your open and honest feedback is valuable and appreciated.
