Server roles as a container
Many of the concepts described involve applications outside of "core" server roles. It would be remarkably cool to see roles such as AD DS run in a container, similar to a FreeBSD jail. This capability would thus allow for a security architecture that isolates components from one another. By going a step further, policy could be defined at the container level to control ingress/egress, manage file system access, etc. Effectively, the server roles are abstracted from the host OS, much as Device Guard and Credential Guard isolate user space and LSASS processes.