Windows Server 2016 Expert

Key Features

Nano Server

Nano Server was Windows Server 2016's minimal-footprint deployment option (~400 MB disk). No GUI, no WoW64, no MSI support. Management via PowerShell remoting and WMI only.

# Build Nano Server image (from WS2016 ISO)
Import-Module D:\NanoServer\NanoServerImageGenerator\NanoServerImageGenerator.psm1

New-NanoServerImage `
    -MediaPath D:\ -BasePath C:\NanoBase `
    -TargetPath C:\NanoServer\NanoVM.vhdx `
    -DeploymentType Guest -Edition Datacenter `
    -ComputerName NANO01 `
    -Packages Microsoft-NanoServer-IIS-Package, Microsoft-NanoServer-DNS-Package `
    -EnableRemoteManagementPort

Critical: In Windows Server 2019, Nano Server was demoted to a container base image only. It no longer functions as a host OS. Migrate Nano Server deployments before adopting 2019+.

Windows Containers (First Native Support)

Two isolation modes:

• Windows Server Containers: shared host kernel, high-density for trusted workloads
• Hyper-V Containers: dedicated lightweight VM kernel per container, tenant isolation

# Install container support
Install-WindowsFeature -Name Containers -Restart

# Install Docker Engine (2016 method)
Install-Module -Name DockerMsftProvider -Repository PSGallery -Force
Install-Package -Name docker -ProviderName DockerMsftProvider
Restart-Computer -Force

# Pull 2016 base images
docker pull microsoft/windowsservercore:ltsc2016
docker pull microsoft/nanoserver:sac2016

# Run with Hyper-V isolation
docker run -it --isolation=hyperv microsoft/windowsservercore cmd

Container host and image OS versions must match for process-isolated containers. Hyper-V isolation relaxes this requirement. Networking modes: nat (default), transparent, overlay (Swarm), l2bridge/l2tunnel (SDN).

Shielded VMs and Host Guardian Service

Shielded VMs protect Hyper-V guests from compromised fabric admins. The VHDX is BitLocker-encrypted and starts only on attested hosts. Datacenter edition only.

# HGS server setup
Install-WindowsFeature -Name HostGuardianServiceRole -IncludeManagementTools
Install-HgsServer -HgsDomainName 'bastion.local' -SafeModeAdministratorPassword (Read-Host -AsSecureString)
Initialize-HgsAttestation -TpmTrustedAttestation

# Check VBS and shielding status
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard |
    Select-Object VirtualizationBasedSecurityStatus, SecurityServicesRunning

Attestation modes: TPM-trusted (highest security), Admin-trusted (deprecated), Host Key. Requires Generation 2 VMs with UEFI Secure Boot. HGS should run on dedicated hardware in a separate AD forest.

Storage Spaces Direct (S2D)

Software-defined hyperconverged storage using local disks across cluster nodes. Datacenter edition only; minimum 4 nodes for production.

# Prerequisites on all nodes
Install-WindowsFeature -Name Hyper-V, Failover-Clustering, Data-Center-Bridging `
    -IncludeManagementTools -Restart

# Create cluster, then enable S2D
New-Cluster -Name S2DCluster -Node Node1,Node2,Node3,Node4 -NoStorage
Enable-ClusterStorageSpacesDirect -CimSession S2DCluster

# Create a two-way mirror volume
New-Volume -StoragePoolFriendlyName 'S2D on S2DCluster' `
    -FriendlyName VM-Vol-01 -FileSystem CSVFS_ReFS `
    -ResiliencySettingName Mirror -Size 2TB

Cache tier: NVMe/SSD auto-assigned as write-back cache. Capacity tier: HDD or slower SSD. ReFS is the recommended file system (CSVFS_ReFS). ReFS deduplication is NOT supported on 2016 (added in 2019).

Storage Replica

Block-level, synchronous or asynchronous replication. Datacenter edition only in 2016 (Standard gains limited SR in 2019).

Install-WindowsFeature -Name Storage-Replica -IncludeManagementTools -Restart

# Test prerequisites
Test-SRTopology -SourceComputerName SRV-A -SourceVolumeName E: -SourceLogVolumeName F: `
    -DestinationComputerName SRV-B -DestinationVolumeName E: -DestinationLogVolumeName F: `
    -DurationInMinutes 30 -ResultPath C:\SRTest

# Create replication partnership
New-SRPartnership -SourceComputerName SRV-A -SourceRGName SRV-A-RG `
    -SourceVolumeName E: -SourceLogVolumeName F: `
    -DestinationComputerName SRV-B -DestinationRGName SRV-B-RG `
    -DestinationVolumeName E: -DestinationLogVolumeName F: `
    -LogSizeMinimum 8GB -ReplicationMode Synchronous

Destination volume is inaccessible during replication. Log volume should be on fast storage (SSD/NVMe). Synchronous mode suitable for <5ms RTT links.

Credential Guard and Device Guard

VBS features using Hyper-V to isolate credentials and enforce code integrity.

# Check Credential Guard status
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard |
    Select-Object VirtualizationBasedSecurityStatus, SecurityServicesRunning, SecurityServicesConfigured
# SecurityServicesRunning: 1=Credential Guard, 2=HVCI

# Enable via GPO: Computer Config > Admin Templates > System > Device Guard
# "Turn On Virtualization Based Security" = Enabled
# "Credential Guard Configuration" = Enabled with UEFI lock

Credential Guard blocks pass-the-hash/pass-the-ticket attacks. HVCI (Device Guard) prevents unsigned kernel drivers. Test HVCI compatibility before rollout -- third-party drivers frequently fail validation.

Just Enough Administration (JEA)

Constrained PowerShell remoting endpoints for delegated administration without full admin rights.

# Create role capability file
New-PSRoleCapabilityFile -Path 'C:\Program Files\WindowsPowerShell\Modules\JEADns\RoleCapabilities\DnsAdmin.psrc'

# Create session configuration
New-PSSessionConfigurationFile -Path C:\JEA\DnsEndpoint.pssc `
    -SessionType RestrictedRemoteServer `
    -RoleDefinitions @{ 'CONTOSO\DnsAdmins' = @{ RoleCapabilities = 'DnsAdmin' } } `
    -TranscriptDirectory C:\JEA\Transcripts

# Register the endpoint
Register-PSSessionConfiguration -Name DnsAdmin -Path C:\JEA\DnsEndpoint.pssc -Force

Nested Virtualization

Run Hyper-V inside a Hyper-V VM. Intel VT-x/EPT required (AMD NOT supported in 2016).

# On Hyper-V host (VM must be OFF)
Set-VMProcessor -VMName NestedVM -ExposeVirtualizationExtensions $true
Set-VMNetworkAdapter -VMName NestedVM -MacAddressSpoofing On
Set-VMMemory -VMName NestedVM -DynamicMemoryEnabled $false -StartupBytes 8GB

Not for production workloads. Dynamic memory conflicts with Hyper-V role inside guest.

Version Boundaries

• This agent covers Windows Server 2016 (build 14393)
• Nano Server is a host OS option (demoted to container-only in 2019)
• Nested virtualization: Intel only (AMD support added in 2022)
• S2D and Storage Replica: Datacenter only
• No Storage Migration Service (added in 2019)
• No Windows Admin Center built-in (added in 2019)
• No system-level predictive analytics (System Insights added in 2019)
• Docker is the container runtime (containerd default in 2025)

Common Pitfalls

1. Deploying Nano Server for long-term use -- Nano Server as a host OS is deprecated after 2016. Plan migration to Server Core + containers.
2. Mixed disk types in S2D cache tier -- Causes unpredictable performance. Use identical media type within each tier.
3. Attempting SR on Standard edition -- Storage Replica is Datacenter-only in 2016. Standard gains limited SR in 2019.
4. HVCI breaking third-party drivers -- Test in audit mode before enforcement. Many older drivers fail HVCI validation.
5. Enabling Credential Guard with UEFI lock without testing recovery -- Requires physical access to disable. Plan hardware recovery first.
6. S2D with fewer than 4 nodes -- 2-node mirror is supported for ROBO but parity requires 4+ nodes.
7. Admin-trusted attestation for Shielded VMs -- Weak security. Use TPM-trusted attestation in production.

Migration from Windows Server 2016

When upgrading from 2016:

1. Identify Nano Server deployments and plan migration to Server Core
2. Test container image compatibility (ltsc2016 images work under Hyper-V isolation on newer hosts)
3. Verify driver HVCI compatibility if enabling VBS on new version
4. S2D clusters: use Cluster OS Rolling Upgrade (one version at a time)
5. Storage Replica partnerships: can be maintained during in-place upgrade

Reference Files

Load these for deep knowledge:

• ../references/architecture.md -- Storage engine, boot process, registry, networking
• ../references/diagnostics.md -- Event logs, performance counters, BSOD analysis
• ../references/best-practices.md -- Hardening, patching, backup, Group Policy
• ../references/editions.md -- Edition features, licensing, upgrade paths