How to Set Up Windows Server 2019 Network Controller

Network Controller is a Software Defined Networking (SDN) component available in Windows Server 2019 Datacenter edition that provides a centralized, programmable point of automation for virtual and physical network infrastructure management. Network Controller manages Hyper-V virtual networks, software load balancers, RAS Gateways, and Network Security Groups. It exposes a REST API for network automation and integrates with System Center VMM or PowerShell for management. This guide covers deploying Network Controller and performing basic network management tasks.

Network Controller Architecture

Network Controller consists of three layers. The Southbound API communicates with network devices using protocols like OpenFlow, NetConf, and WMI. The Network Controller application layer manages network policies and state. The Northbound API (REST over HTTPS) lets management applications, PowerShell, and orchestration tools like System Center VMM configure the network. Network Controller can be deployed as a single VM for lab environments or as a highly available cluster of three or more VMs for production.

Prerequisites and Infrastructure Requirements

# Network Controller requires Windows Server 2019 Datacenter edition
# Verify edition on target servers
Get-WindowsEdition -Online | Select-Object Edition

# Required features for Network Controller nodes
Install-WindowsFeature -Name NetworkController -IncludeManagementTools
Install-WindowsFeature -Name RSAT-NetworkController

# All Network Controller VMs must be domain-joined and have valid certificates
# Network Controller uses these certificates to secure the Northbound REST API

# Generate a self-signed certificate for lab (use PKI for production)
$cert = New-SelfSignedCertificate `
  -Type Custom `
  -KeySpec KeyExchange `
  -Subject "CN=NetworkController.domain.local" `
  -KeyExportPolicy Exportable `
  -HashAlgorithm sha256 `
  -KeyLength 2048 `
  -CertStoreLocation "Cert:\LocalMachine\My" `
  -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2")

Write-Output "Certificate thumbprint: $($cert.Thumbprint)"
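
The deployment steps below pick the certificate out of the machine store with a wildcard subject filter, which can match more than one certificate or the wrong one. The following check is an added example, not part of the original guide or of the NetworkController module; the function name Test-NcRestCertificate and the 30-day validity threshold are assumptions.

```powershell
# Hypothetical helper: vet a certificate before using it for -NodeCertificate / -ServerCertificate
function Test-NcRestCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $RestName,  # FQDN clients put in the REST URI
        [int] $MinDaysValid = 30                    # assumed renewal threshold
    )
    $problems = @(); $warnings = @()

    # The subject CN must equal the REST name exactly, not merely contain a keyword
    if ($Certificate.GetNameInfo('SimpleName', $false) -ne $RestName) {
        $problems += "Subject CN is not '$RestName'"
    }
    if (-not $Certificate.HasPrivateKey) { $problems += 'No private key in this store' }

    $now = Get-Date
    if ($Certificate.NotBefore -gt $now) { $problems += 'Not yet valid' }
    if ($Certificate.NotAfter -lt $now.AddDays($MinDaysValid)) {
        $problems += "Expires within $MinDaysValid days ($($Certificate.NotAfter))"
    }

    # Both EKUs requested by the -TextExtension value above must be present
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }
    foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
        if ($eku -notcontains $oid) { $problems += "Missing EKU $oid" }
    }

    # Key strength and signature hash, matching the -KeyLength / -HashAlgorithm used above
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if ($rsa -and $rsa.KeySize -lt 2048) { $problems += "RSA key is $($rsa.KeySize) bits" }
    if ($Certificate.SignatureAlgorithm.FriendlyName -match 'sha1|md5') {
        $problems += "Weak signature algorithm $($Certificate.SignatureAlgorithm.FriendlyName)"
    }
    if ($Certificate.Subject -eq $Certificate.Issuer) { $warnings += 'Self-signed: lab use only' }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Usable     = ($problems.Count -eq 0)
        Problems   = $problems
        Warnings   = $warnings
    }
}

# Evaluate every certificate the wildcard filter would match; exactly one should be usable
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*NetworkController*' } |
    ForEach-Object { Test-NcRestCertificate -Certificate $_ -RestName 'NetworkController.domain.local' }
```

If more than one row comes back, select the certificate by the thumbprint printed above rather than by the subject filter.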

Deploying a Single-Node Network Controller (Lab)

# Install the Network Controller role on the designated VM
Install-WindowsFeature -Name NetworkController -IncludeManagementTools

# Describe the node and the cluster settings (single node for lab)
# Node objects are created with New-NetworkControllerNodeObject from the NetworkController module
$clusterParams = @{
    ClusterAuthentication   = "Kerberos"
    ManagementSecurityGroup = "DOMAIN\NC-Admins"
    Node = @(
        New-NetworkControllerNodeObject `
            -Name "NC-Node1" `
            -Server "NC-Node1.domain.local" `
            -FaultDomain "fd:/rack1" `
            -RestInterface "Ethernet" `
            -NodeCertificate (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*NetworkController*" })
    )
}

Install-NetworkControllerCluster @clusterParams `
  -Credential (Get-Credential -Message "Enter NC service account credentials") `
  -Force

Deploying a Three-Node Network Controller Cluster (Production)

# Deploy a highly available three-node Network Controller cluster
# Each node sits in its own fault domain so a single rack failure cannot take down the cluster
$nodes = @(
    New-NetworkControllerNodeObject -Name "NC-Node1" -Server "NC-Node1.domain.local" `
        -FaultDomain "fd:/rack1" -RestInterface "Ethernet"
    New-NetworkControllerNodeObject -Name "NC-Node2" -Server "NC-Node2.domain.local" `
        -FaultDomain "fd:/rack2" -RestInterface "Ethernet"
    New-NetworkControllerNodeObject -Name "NC-Node3" -Server "NC-Node3.domain.local" `
        -FaultDomain "fd:/rack3" -RestInterface "Ethernet"
)

Install-NetworkControllerCluster `
  -Node $nodes `
  -ClusterAuthentication Kerberos `
  -ManagementSecurityGroup "DOMAIN\NC-Admins" `
  -Credential (Get-Credential) `
  -Force

# Install the Network Controller application on the cluster
Install-NetworkController `
  -Node $nodes `
  -ClientAuthentication Kerberos `
  -ClientSecurityGroup "DOMAIN\NC-Clients" `
  -ServerCertificate (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*NetworkController*" }) `
  -RestIPAddress "192.168.1.30/24" `
  -Credential (Get-Credential)

Verifying Network Controller Deployment

# Check Network Controller cluster status
Get-NetworkControllerCluster

# Verify the REST endpoint is accessible
# -Credential and -UseDefaultCredentials cannot be combined; with Kerberos client
# authentication, run this as an account in the client security group
$uri = "https://networkcontroller.domain.local"
$headers = @{ "Accept" = "application/json" }
Invoke-RestMethod -Uri "$uri/networking/v1/logicalnetworks" `
  -Method Get `
  -Headers $headers `
  -UseDefaultCredentials

# Get all managed servers registered with Network Controller
Get-NetworkControllerServer -ConnectionUri "https://networkcontroller.domain.local"

Registering Hyper-V Hosts with Network Controller

$uri = "https://networkcontroller.domain.local"

# Register a Hyper-V host with Network Controller
$serverProperties = New-Object Microsoft.Windows.NetworkController.ServerProperties
# Each connection describes how Network Controller reaches the host's management address
$connection = New-Object Microsoft.Windows.NetworkController.Connection
$connection.ManagementAddresses = @("192.168.1.10")
$connection.CredentialType = "UsernamePassword"
$serverProperties.Connections = @($connection)

New-NetworkControllerServer `
  -ConnectionUri $uri `
  -Properties $serverProperties `
  -ResourceId "HyperV-Host-01" `
  -PassInnerException

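# Create a logical network for tenant use
$logNetProperties = New-Object Microsoft.Windows.NetworkController.LogicalNetworkProperties

# Subnets are LogicalSubnet objects; the subnet ResourceId below is an example name
$subnet = New-Object Microsoft.Windows.NetworkController.LogicalSubnet
$subnet.ResourceId = "TenantNet01-Subnet1"
$subnet.Properties = New-Object Microsoft.Windows.NetworkController.LogicalSubnetProperties
$subnet.Properties.AddressPrefix = "192.168.100.0/24"
$subnet.Properties.DefaultGateways = @("192.168.100.1")
$subnet.Properties.VlanID = 100
$logNetProperties.Subnets = @($subnet)

New-NetworkControllerLogicalNetwork -ConnectionUri $uri -ResourceId "TenantNet01" -Properties $logNetProperties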

Network Controller is the foundation of a full SDN deployment and is typically deployed as part of a larger SDN infrastructure that includes Software Load Balancer and RAS Gateway components. For organizations new to SDN, start with a lab deployment using the SDN Express deployment scripts provided in the WindowsServerDocs GitHub repository, which automate much of the multi-component deployment process. Network Controller fundamentally changes how you manage networking, so ensure your team has adequate SDN training before deploying in production.