How to Set Up Windows Server 2016 Software Defined Networking Controller

The Network Controller is the cornerstone of the Software Defined Networking (SDN) solution in Windows Server 2016. It provides a centralised, programmable point of automation for managing, configuring, monitoring, and troubleshooting virtual and physical network infrastructure in your datacenter. Rather than configuring each network device individually, the Network Controller exposes a RESTful API through which you can define network policies that are automatically applied across the entire fabric.

This tutorial walks through the complete process of deploying the Windows Server 2016 Network Controller — from preparing the environment to verifying the deployment and connecting the first managed component.

Network Controller Architecture

The Network Controller operates as a cluster of one or more server VMs or physical machines. For high availability, Microsoft recommends deploying three or more nodes in the cluster. The Network Controller has three layers: an Application layer that handles API requests, a Service layer that manages SDN services (routing, load balancing, firewalling), and an Infrastructure layer that communicates with host agents and physical devices. All communication uses HTTPS REST APIs secured with certificates.

Prerequisites

Each Network Controller node must be running Windows Server 2016 Datacenter edition. The servers should be joined to an Active Directory domain. You will need a signed certificate or the ability to use a self-signed certificate for the REST endpoint. Ensure DNS is configured to resolve the Network Controller REST endpoint hostname.

Install the Network Controller feature on each node:

Install-WindowsFeature NetworkController -IncludeManagementTools

Step 1 — Configure the Network Controller Cluster

On the first node, configure the Network Controller node with its REST certificate and credentials. First, create or import the certificate. For testing, create a self-signed certificate:

$cert = New-SelfSignedCertificate `
  -DnsName "nc.contoso.com" `
  -CertStoreLocation "Cert:\LocalMachine\My" `
  -KeyUsageProperty All `
  -KeyUsage CertSign, CRLSign, DigitalSignature

Store the certificate thumbprint in a variable for use in subsequent commands:

$certThumbprint = $cert.Thumbprint
Write-Host "Certificate Thumbprint: $certThumbprint"
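
A pre-flight check for the REST certificate before it is passed to the installation cmdlets, as an added example that is not part of the original tutorial. The helper name Test-NcRestCertificate and the 30-day renewal margin are assumptions; the checks are the general expectations for a TLS server certificate (private key, validity, name match, Server Authentication EKU, trusted chain).

```powershell
# Added example. Test-NcRestCertificate is a hypothetical helper, not a Network Controller cmdlet.
function Test-NcRestCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$RestName,   # name clients use, e.g. nc.contoso.com
        [int]$MinDaysValid = 30                    # assumed renewal margin
    )
    $findings = @()
    $now = Get-Date

    # The node that terminates HTTPS needs the private key, not just the public certificate.
    if (-not $Certificate.HasPrivateKey) { $findings += 'Private key is missing' }
    if ($now -lt $Certificate.NotBefore) { $findings += 'Certificate is not yet valid' }
    if ($Certificate.NotAfter -lt $now.AddDays($MinDaysValid)) { $findings += "Expires within $MinDaysValid days" }

    # The REST name must appear among the DNS names (exact or single-label wildcard match).
    $suffix = if ($RestName.Contains('.')) { $RestName.Substring($RestName.IndexOf('.')) } else { $null }
    $names = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
    $nameOk = $names | Where-Object { $_ -eq $RestName -or ($suffix -and $_ -eq "*$suffix") }
    if (-not $nameOk) { $findings += "No DNS name matches '$RestName' (found: $($names -join ', '))" }

    # If an EKU extension is present it must allow Server Authentication.
    $serverAuth = '1.3.6.1.5.5.7.3.1'
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -notcontains $serverAuth)) {
        $findings += 'EKU does not include Server Authentication'
    }

    # Chain trust as seen from this machine; revocation is skipped so the check runs offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Certificate)) {
        $findings += 'Chain not trusted: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Passed     = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Constructed sample: a throwaway self-signed certificate in the current user's store.
$sample = New-SelfSignedCertificate -DnsName 'nc.contoso.com' -CertStoreLocation 'Cert:\CurrentUser\My'
Test-NcRestCertificate -Certificate $sample -RestName 'nc.contoso.com' | Format-List
Remove-Item "Cert:\CurrentUser\My\$($sample.Thumbprint)"
```

A self-signed certificate is reported as an untrusted chain until it is imported into the Trusted Root store of the machine running the check, which is the same condition every REST client of nc.contoso.com faces.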

Step 2 — Initialise the Network Controller Node

Initialise the first Network Controller node, specifying the server certificate, the REST certificate, and the management credentials:

$NodePki = New-NetworkControllerNodeObject `
  -Name "NC01" `
  -Server "NC01.contoso.com" `
  -FaultDomain "fd:/NC01" `
  -RestInterface "Management"
Install-NetworkControllerCluster `
  -Node $NodePki `
  -ClusterAuthentication Kerberos `
  -EnableUpdates $true `
  -Credential (Get-Credential)

Step 3 — Install the Network Controller Application

With the cluster layer initialised, install the Network Controller application layer, specifying the REST IP address or hostname and the certificate to use for HTTPS:

Install-NetworkController `
  -Node $NodePki `
  -ClientAuthentication Kerberos `
  -RestIpAddress "192.168.100.50/24" `
  -ServerCertificate (Get-Item "Cert:\LocalMachine\My\$certThumbprint") `
  -Credential (Get-Credential)

This step may take several minutes. Upon completion, the Network Controller REST endpoint will be available at the specified IP address.

Step 4 — Verify the Network Controller Deployment

Confirm the Network Controller cluster is operational:

Get-NetworkController
Get-NetworkControllerNode

Test the REST API endpoint:

$uri = "https://nc.contoso.com"
Invoke-WebRequest -Uri "$uri/networking/v1/discover" -UseDefaultCredentials | ConvertFrom-Json

Step 5 — Install the Host Agent on Hyper-V Hosts

Each Hyper-V host that will participate in the SDN fabric needs the Network Controller Host Agent installed. This agent communicates with the Network Controller to apply network policies to VMs. Install the host agent on each Hyper-V server:

Install-WindowsFeature NetworkControllerTools
$cert = Get-Item "Cert:\LocalMachine\My\$certThumbprint"
Install-NetworkControllerOnRas `
  -RestUri "https://nc.contoso.com" `
  -ClientCertificate $cert

Step 6 — Register a Logical Network

With the Network Controller running, register your first logical network via the REST API to confirm end-to-end functionality:

$headers = @{ "Content-Type" = "application/json" }
$body = @{
  properties = @{
    networkVirtualizationEnabled = $false
    subnets = @(@{
      properties = @{
        addressPrefix = "10.10.10.0/24"
        vlanID = 100
      }
    })
  }
} | ConvertTo-Json -Depth 6

Invoke-RestMethod `
  -Uri "https://nc.contoso.com/networking/v1/logicalNetworks/Management" `
  -Method Put `
  -Body $body `
  -Headers $headers `
  -UseDefaultCredentials

Conclusion

Deploying the Windows Server 2016 Network Controller is the foundational step for any SDN implementation. Once in place, it becomes the single pane of glass for configuring virtual networks, load balancers, gateways, and firewall policies across your entire datacenter fabric. Subsequent SDN components — including the Software Load Balancer and RAS Gateway — register with and are managed by the Network Controller, allowing you to build a fully programmable, software-defined network infrastructure.