According to Microsoft, it is possible to run Windows Server 2016 containers on a Windows Server 2019 host as long as Hyper-V isolation is used. We can verify the container is running because it can be built and deployed with docker-compose.
But when trying to run the application, it simply does not run.
1. Tests in the host
   a. Test-ADServiceAccount <our app>
   b. Firewall rules configured for correct traffic support
2. Tests in the container (gMSA related)
   nltest /sc_verify:pj16.loc and klist get krbtgt always fail in this scenario (where the application has gMSA, and Hyper-V is used)
The only scenarios where the application works correctly are when Hyper-V is not used, but in those scenarios the host and the container OS must match, meaning Windows Server 2019 host with Windows Server 2019 container or Windows Server 2016 host with Windows Server 2016 container.
We found this page on the internet, "GitHub - plooploops/windows-containers-AD: Working with AD and Windows Containers", where it looks like a team tried to do the same, but with the same result.
In our scenario we are using Windows Server 2016 10.0.14393 build 1607, which is even older than 1803. We also do not know the corresponding server for the 1709 build.
The question is: Is there any build combination between a Windows Server 2019 host and a Windows Server 2016 container for which gMSA and Hyper-V run correctly, or is it really incompatible, and the only solution for this specific scenario is to match the OS and container version?