How to Set Up Windows Server 2016 Network Controller
Network Controller is a software-defined networking (SDN) management component introduced in Windows Server 2016 Datacenter edition. It provides a centralized, programmable point of automation for configuring, monitoring, and troubleshooting virtual and physical network infrastructure in a datacenter. Network Controller communicates with network devices using southbound APIs (such as OVSDB for physical switches) and exposes northbound REST APIs that management applications use to configure the network. This tutorial covers deploying and configuring a Network Controller cluster on Windows Server 2016.
Network Controller Architecture
Network Controller is deployed as a cluster of one or more Windows Server 2016 virtual machines or physical servers. In production, a three-node cluster provides high availability. Network Controller manages several SDN components including Hyper-V Network Virtualization (HNV) for multi-tenant virtual networks, Software Load Balancer (SLB) for north-south and east-west load balancing, RAS Gateway for VPN and routing, and network policies for quality of service and access control lists. All configuration is performed through REST API calls, PowerShell, or System Center VMM.
Prerequisites for Network Controller
Network Controller requires Windows Server 2016 Datacenter edition. All Network Controller nodes must be members of the same Active Directory domain. Kerberos or X.509 certificate authentication must be configured for communication between the Network Controller and management clients. Physical hosts running Hyper-V must have the SDN Hyper-V Host Agent installed. A dedicated management network, separate from tenant networks, is strongly recommended for Network Controller communication. Sufficient compute resources are required: at minimum 4 vCPUs and 4 GB RAM per Network Controller VM.
Installing the Network Controller Role
Install the Network Controller role on each node that will be part of the cluster. On each node, run in an elevated PowerShell window:
Install-WindowsFeature -Name NetworkController -IncludeManagementTools
Verify the installation on each node:
Get-WindowsFeature -Name NetworkController
Configuring Network Controller Certificates
Network Controller nodes communicate using certificates. For a test environment, create a self-signed certificate on each node. Replace Node01 with the actual hostname:
$cert = New-SelfSignedCertificate -DnsName "NC_Node01" -CertStoreLocation "Cert:\LocalMachine\My"
Export the certificate for use during cluster configuration:
$certPassword = ConvertTo-SecureString -String "P@ssw0rd123" -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath "C:\Certs\NC_Node01.pfx" -Password $certPassword
In production environments, use certificates issued by your organizational Certificate Authority instead of self-signed certificates.
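The following pre-flight check is an added example, not part of the original tutorial. It confirms that the node certificate has a private key, is inside its validity window, and carries the Server Authentication and Client Authentication EKUs that Network Controller certificates need, then exports it with a prompted password instead of one embedded in the script. The helper name Test-NcNodeCertificate and the 30-day margin are assumptions.

```powershell
# Added example. Test-NcNodeCertificate is a hypothetical helper, not a built-in cmdlet.
function Test-NcNodeCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$MinDaysValid = 30   # assumed renewal margin
    )
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID
    $clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID

    # Collect EKU OIDs from the Enhanced Key Usage extension, if present
    $ekuExt = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Build the chain with the default chain policy
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($Certificate)

    $now = Get-Date
    [pscustomobject]@{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        HasPrivateKey = $Certificate.HasPrivateKey
        ValidForDays  = [int]($Certificate.NotAfter - $now).TotalDays
        InValidity    = ($now -ge $Certificate.NotBefore) -and ($now.AddDays($MinDaysValid) -le $Certificate.NotAfter)
        HasServerAuth = $ekus -contains $serverAuth
        HasClientAuth = $ekus -contains $clientAuth
        SelfSigned    = $Certificate.Subject -eq $Certificate.Issuer
        ChainTrusted  = $chainOk
    }
}

# The subject filter can match more than one certificate; take the newest one
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object Subject -like "*NC_Node01*" |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$report = Test-NcNodeCertificate -Certificate $cert
$report | Format-List

if ($report.HasPrivateKey -and $report.InValidity -and $report.HasServerAuth -and $report.HasClientAuth) {
    # Prompt for the PFX password so it is not stored in the script or command history
    $pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
    Export-PfxCertificate -Cert $cert -FilePath "C:\Certs\NC_Node01.pfx" -Password $pfxPassword
} else {
    Write-Warning "Certificate $($cert.Thumbprint) failed a pre-flight check; not exporting."
}
```

A self-signed test certificate reports SelfSigned as True and ChainTrusted as False until it is added to the trusted roots of the machine running the check.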
Creating the Network Controller Cluster
Create the Network Controller node and cluster configuration on the first node. Install the node configuration:
# Build the node object; -FaultDomain takes an fd:/ hierarchy ("rack1" is a placeholder)
$node = New-NetworkControllerNodeObject -Name "Node01" -Server "NC_Node01" -FaultDomain "fd:/rack1/Node01" -RestInterface "Ethernet1"
# Certificate used to encrypt credentials stored by Network Controller
$ncCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Subject -like "*NC_Node01*"
Install-NetworkControllerCluster -Node $node -ClusterAuthentication Kerberos -CredentialEncryptionCertificate $ncCert
After the cluster is created, install the Network Controller application to configure the REST endpoint:
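Install-NetworkController -Node (Get-NetworkControllerNode) -ClientAuthentication Kerberos -ServerCertificate (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Subject -like "*NC_Node01*") -RestIpAddress "192.168.10.50/24"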
Verifying Network Controller Deployment
Verify that the Network Controller cluster is running and healthy:
Get-NetworkControllerNode
Check the health of the Network Controller application:
Get-NetworkController
Test connectivity to the Network Controller REST API endpoint using a simple REST query:
$headers = @{Accept="application/json"}
Invoke-WebRequest -Uri "https://192.168.10.50/networking/v1/networks" -Headers $headers -UseDefaultCredentials
Installing the Hyper-V Host SDN Agent
Each Hyper-V host managed by Network Controller must have the NetworkControllerSdnDiagnostics and Hyper-V-PowerShell features installed. Install the SDN host agent module on each Hyper-V host:
Install-WindowsFeature -Name NetworkController -IncludeAllSubFeature
Install-Module -Name SdnDiagnostics -Force
Configure the host agent to communicate with Network Controller by providing the REST endpoint:
Set-NetworkControllerOnHost -ConnectionUri "https://192.168.10.50" -Credential (Get-Credential)
Creating a Virtual Network via Network Controller
Create a tenant virtual network through the Network Controller REST API using PowerShell. Define the virtual network properties and post them to the API. First define the virtual network resource object:
$vnet = New-Object Microsoft.Windows.NetworkController.VirtualNetwork
$vnet.ResourceId = "Tenant1_VNet"
$vnet.Properties = New-Object Microsoft.Windows.NetworkController.VirtualNetworkProperties
$vnet.Properties.AddressSpace = New-Object Microsoft.Windows.NetworkController.AddressSpace
$vnet.Properties.AddressSpace.AddressPrefixes = @("10.100.0.0/16")
Submit the virtual network to Network Controller:
New-NetworkControllerVirtualNetwork -ConnectionUri "https://192.168.10.50" -ResourceId "Tenant1_VNet" -Properties $vnet.Properties -Force
Monitoring Network Controller
Monitor Network Controller health and managed resources using PowerShell and the built-in diagnostic tools:
Get-NetworkControllerNode | Select-Object Name, Status, FaultDomain
To view all virtual networks managed by Network Controller:
Get-NetworkControllerVirtualNetwork -ConnectionUri "https://192.168.10.50"
Best Practices for Network Controller
Deploy Network Controller as a three-node cluster for high availability in production environments. Use certificates issued by a trusted Certificate Authority rather than self-signed certificates to simplify trust configuration. Dedicate a separate management network for Network Controller communication to isolate management traffic from tenant traffic. Back up the Network Controller database regularly using the Export-NetworkControllerConfiguration cmdlet. Monitor Network Controller event logs under Applications and Services Logs > Microsoft > Windows > NetworkController for warnings and errors. Plan IP address space carefully before deploying Network Controller to avoid renumbering after deployment. Integrate Network Controller with System Center VMM for a unified management experience across compute, storage, and networking.
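The event log monitoring recommended above can be scripted. This added example (not part of the original tutorial) summarizes critical, error, and warning events from the Network Controller channels over the last 24 hours. The function name Get-NcEventSummary is hypothetical, and the channel-name pattern is an assumption derived from the Event Viewer path given above.

```powershell
# Added example. The channel-name pattern is an assumption based on the
# "Microsoft > Windows > NetworkController" path in Event Viewer.
function Get-NcEventSummary {
    param(
        [int]$Hours = 24,
        [string]$LogPattern = 'Microsoft-Windows-NetworkController*'
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Discover matching channels that actually contain records
    $logs = Get-WinEvent -ListLog $LogPattern -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 }

    # Level 1 = Critical, 2 = Error, 3 = Warning
    $events = foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{
            LogName   = $log.LogName
            Level     = 1, 2, 3
            StartTime = $since
        } -ErrorAction SilentlyContinue
    }

    # One row per (channel, event ID, level) with a count and the latest occurrence
    $events | Group-Object LogName, Id, LevelDisplayName | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            Count   = $_.Count
            LogName = $latest.LogName
            Id      = $latest.Id
            Level   = $latest.LevelDisplayName
            Latest  = $latest.TimeCreated
            Message = ($latest.Message -split "`r?`n")[0]
        }
    } | Sort-Object Count -Descending
}

Get-NcEventSummary -Hours 24 | Format-Table -AutoSize -Wrap
```

Run it on each Network Controller node; an empty result means no matching channel held events at those levels in the window.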
Network Controller on Windows Server 2016 is the foundation of a software-defined datacenter, enabling automated, policy-driven network provisioning and management that dramatically reduces the operational complexity and cost of managing large-scale virtualized network infrastructure.