In this article we have selected some of the new features available in Windows Server 2016 with the aim of analysing them and evaluating their impact in a real world scenario.

As we’ve mentioned in the previous issue, this new release is conceived as an improvement of the previous versions, rather than a brand new system. Ne features can be grouped into three ares: Virtualization and Containers, Security and Storage.


The main news in terms of Hyper-V is nested virtualization. With the new Windows Server 2016, Hyper-V hosts can be virtualized (ie a VM with Hyper-V running on it): this approach is often used in testing environments and situations where one wants to create multi-tenant environments without costs related to physical hardware. Now VMs’ hardware hot-add (disks, network cards, controllers, etc..) is supported: this operation was previously available upon powering off machines and restarting them with a subsequent downtime.

hot add

A new feature that is introduced with this version is the Host Guardian role, which we discussed in the previous issue. Host Guardian allows to regulate granularly levels and access permissions of Hyper-V administrators on virtual machines running on an host or cluster. Server 2016 also steps towards the Linux world: one of the main problems when creating a Linux VM was the lack of drivers certified for Secure Boot in Windows, which would lead to a “Failed Secure Boot Verification” error when starting the virtual machine; it could be solved by disabling the Secure Boot feature. This new release of Windows Server fixes the problem including such drivers.


Containers are an actual topic, however given their nature are restricted to the UNIX/Linux world, as they are semi-isolated instances of the operating system, they’ve been first developed in open source environments. Thanks to the collaboration between Microsoft and the Docker development team that lasted 2 years, Windows Server 2016 finally addressed the problem offering two different containers deployment modes. The first one is about the so-called Windows Server Container, ie containers with shared resources with the server and suitable to non-critic situations in terms of security and with a low impact on resources. The second type is called Hyper-V Container and is about instances completely isolated between them and the server itself: they are more suitable to security critical applications but require a larger resources overhead.

The integration between the Docker engine and the new operating system is such that the containers execution feature is also available in Windows 10 starting with the Anniversary Update.
Moreover, the “docker run” command maintains the same syntax used in the Linux world; to make a practical example, the isolation mode is indicated with the command:

docker run --isolation=hyperv ……

Always keep in mind that Hyper-V containers are not virtual machines, therefore they aren’t manageable with the classic tools of the Microsoft hypervisor.


On a side note, an interesting news of Server 2016 is the Nano Server installation: this installation mode can reduce up to 92% the dimension of the operating system, naturally excluding (among the other things) the graphical interface. In addition to a lower impact on computational resources, the bare-metal installation and the capability of installing only the required roles help to reduce the number of reboots and periodical updates, with a positive impact on uptime. Nano Server is conceived to be managed remotely, making it an optimal choice of installation for an Hyper-V host.


Resilient File System (ReFS) is the new file system introduced with Windows Server 2012 and 2012 R2 (and thus Windows 8.1), which finally comes to a stable version in Server 2016. ReFS is conceived to manage data and guarantee integrity and resilience to faults also in case of big data sets and regardless of the underlying hardware structures. Key points of ReFS are integrity, availability, scalability and proactive correction of errors.

In terms of integrity, ReFS leverages the presence of mirror environments or parity information to individuate and fix automatically errors on data, and also making specific PowerShell cmdlet available to check the integrity state. Availability is guaranteed by a new approach to the fixing of corrupted data, which now doesn’t require anymore the unmounting of the volume to be fixed, instead they are now isolated and restored online. The constant growth of the dimension of volumes and data sets, which now is in the order of Petabytes, also in consumer habits is a constant: ReFS is planned to work properly and maintain high performance levels also when data dimensions grow. Proactive correction of data is performed thanks to a data integrity scanner, aka cleaning tool, which periodically analyzes the volume identifying and fixing errors in an autonomous way, if possible.

ReFS can also work together with Storage Spaces Direct (S2D), a new feature of the operating system that shows the interest of Microsoft towards the Software Defined Storage area. As explained in the previous article, S2D (and other advanced features) is only available with the Datacenter version of Server 2016, also because it requires at least two nodes with two SSD and four additional disks each to be implemented. The peculiarity of this system is the capability of leveraging hosts with integrated storage (SATA, SAS or NVMe) and not ad-hoc external solutions to realize a secure, scalable and high performance system. In its most extended configuration, S2D can work with 16 nodes and 400 drives with a total capacity in the range of Petabytes, also supporting disks hot add. Communication between nodes requires hardware capable of supporting 10GbE networks with remote-direct memory access (RDMA).

Security and Active Directory

Windows Server 2016 introduces the AD Federation Services version 4 (ADFS v4) role which allows to control single accesses and multi-platform Single Sign On (SSO), also between Cloud-based, SaaS and within the same business network applications, like Office 365 and Azure. Specifically there are three new password-less access modes, thought to minimize the risk of data breach due to stolen or sniffed passwords.

Azure Multi-factor Authentication (MFA): the primary authentication mode implies the use of a OTP code (One Time Password) generated with the Azure Authenticator App combined with the username. Moreover, the implementation of the Cloud MFA service with the Azure app doesn’t require a dedicated, on-premises server. Password-less access from compatible devices: this way specific devices can be authorized with a check on their actual state, with a check request and the re-introduction of credentials should the state of the device change.

Access with Microsoft Password: Windows 10 introduced the Windows Hello and Microsoft Passport for Work features, which instead of usernames and passwords leverage credentials secured by gestures (like typing a sequence on the screen) and face and fingerprint recognition, which is now supported by most top-tier smartphones.
New features of ADFS v4 are several, and in addition to the aforementioned we’d like to cite the support to LDAP v3, pre-configured templates for policies and a simplified migration from AD FS in Server 2012 R2 to AD FS Server 2016.


About the Author

Lorenzo Bedin

Lorenzo graduated in Telecommunication Engineering and works as freelance IT consultant, after a period of training as systems analyst. Currently he provides hardware solutions, virtualized infrastructures and websites.

banner eng

fb icon evo twitter icon evo

Word of the Day

The term Edge Computing refers, when used in the cloud-based infrastructure sphere, the set of devices and technologies that allows...


The acronym SoC (System on Chip) describes particular integrated circuit that contain a whole system inside a single physical chip:...


The acronym PtP (Point-to-Point) indicates point-to-point radio links realized with wireless technologies. Differently, PtMP links connects a single source to...


Hold Down Timer is a technique used by network routers. When a node receives notification that another router is offline...


In the field of Information Technology, the term piggybacking refers to situations where an unauthorized third party gains access to...

Read also the others...

Download of the Day


Netcat is a command line tool that can be used in both Linux and Windows environments, capable of...



Fiddler is a proxy server that can run locally to allow application debugging and control of data in...


Adapter Watch

Adapter Watch is a tool that shows a complete and detailed report about network cards. Download it here.


DNS DataView

DNS DataView is a graphical-interface software to perform DNS lookup queries from your PC using system-defined DNS, or...


SolarWinds Traceroute NG

SolarWinds Traceroute NG is a command line tool to perform advanced traceroute in Windows environment, compared to the...

All Download...

Issues Archive

  •  GURU advisor: issue 21 - May 2019

    GURU advisor: issue 21 - May 2019

  • GURU advisor: issue 20 - December 2018

    GURU advisor: issue 20 - December 2018

  • GURU advisor: issue 19 - July 2018

    GURU advisor: issue 19 - July 2018

  • GURU advisor: issue 18 - April 2018

    GURU advisor: issue 18 - April 2018

  • GURU advisor: issue 17 - January 2018

    GURU advisor: issue 17 - January 2018

  • GURU advisor: issue 16 - october 2017

    GURU advisor: issue 16 - october 2017

  • GURU advisor: issue 15 - July 2017

    GURU advisor: issue 15 - July 2017

  • GURU advisor: issue 14 - May 2017

    GURU advisor: issue 14 - May 2017

  • 1
  • 2
  • 3
  • BYOD: your devices for your firm

    The quick evolution of informatics and technologies, together with the crisis that mined financial mines, has brought to a tendency inversion: users that prefer to work with their own devices as they’re often more advanced and modern than those the companies would provide. Read More
  • A switch for datacenters: Quanta LB4M

    You don’t always have to invest thousands of euros to build an enterprise-level networking: here’s our test of the Quanta LB4M switch Read More
  • Mobile World Congress in Barcelona

    GURU advisor will be at the Mobile World Congress in Barcelona from February 22nd to 25th 2016!

    MWC is one of the biggest conventions about the worldwide mobile market, we'll be present for the whole event and we'll keep you posted with news and previews from the congress.

    Read More
  • 1