All of us command-line addicts (users of DOS up to version 6.22, Novell 4.11 and Linux shell users) are rejoicing.
Server Core is essentially Windows without Windows. Confused?
Think of this server as running the bare minimum of everything, lowering its attack surface and reducing the list of things that can go wrong. Whilst it does not have PowerShell, the CLI (Command Line Interface) is still very powerful.
This is revolutionizing the way Microsoft is looking at GUI-based administration. This has been a swing in thought since Windows PowerShell and Microsoft Exchange Server 2007, all allowing strong command line management capabilities.
Server Core comes in Standard, Enterprise and Datacenter editions for i386 and x64 platforms and has basically had the GUI cut out (there are some minor exceptions to this generalization).
Whilst I am not using Windows Core server 2008 in a production environment (it is a virtual server for my own educational purposes), I can see and feel its power.
You can compare the differences in the Server versions on Microsoft's site here
Windows Server 2008 Requirements
| Component | Requirement |
| --- | --- |
| Processor | Minimum: 1 GHz (x86 processor) or 1.4 GHz (x64 processor) |
| | Recommended: 2 GHz or faster |
| | Note: An Intel Itanium 2 processor is required for Windows Server 2008 for Itanium-Based Systems |
| Memory | Minimum: 512 MB RAM |
| | Recommended: 2 GB RAM or greater |
| | Optimal: 2 GB RAM (Full installation) or 1 GB RAM (Server Core installation) or more |
| | Maximum (32-bit systems): 4 GB (Standard) or 64 GB (Enterprise and Datacenter) |
| | Maximum (64-bit systems): 32 GB (Standard) or 2 TB (Enterprise, Datacenter, and Itanium-Based Systems) |
| Available Disk Space | Minimum: 10 GB |
| | Recommended: 40 GB or greater |
| | Note: Computers with more than 16 GB of RAM will require more disk space for paging, hibernation, and dump files |
| Drive | DVD-ROM drive |
| Display | Super VGA (800 × 600) or higher resolution monitor |
| Other | Keyboard and Microsoft Mouse or compatible pointing device |
My virtual server is running on a 1.6 GHz laptop with 1 GB RAM. The virtual server is using 512 MB RAM.
Let's run through the installation and setup together.
Installation
The installation was very straightforward. The basic system is imaged to your drive, then it asks for the CD key and region, and then asks you to change the Administrator password.
I opted to not use a CD key (trial mode) and then had to select the Core version I wanted. (Just like Vista, everything is on the DVD. What is installed depends on your CD key.)
You do not get any options to partition the drive. This is due to the imaging technology used for the install. You will end up with one big partition with everything in it.
The Server Core installation option of Windows Server 2008 requires the initial configuration at a command prompt. For the uninitiated, this is the scary part.
Before we start hacking into our installation, here is the base list of benefits of a Server Core installation.
The Server Core installation option of Windows Server 2008 provides:
- Reduced maintenance - Because the Server Core installation option installs only what is required to have a manageable server for the AD DS, AD LDS, DHCP Server, DNS Server, File Services, Print Services, and Streaming Media Services roles, less maintenance is required than on a full installation of Windows Server 2008.
- Reduced attack surface - Because Server Core installations are minimal, there are fewer applications running on the server, which decreases the attack surface.
- Reduced management - Because fewer applications and services are installed on a server running the Server Core installation, there is less to manage.
- Less disk space required - A Server Core installation requires only about 1 gigabyte (GB) of disk space to install and approximately 2 GB for operations after the installation.
- Lower risk of bugs - Reducing the amount of code can help reduce the amount of bugs.
Now that you know what this is all about, you can log in.
Once you have logged in, you are greeted with a floating command prompt. If you close this, you need to use Ctrl+Alt+Del to bring up Task Manager (one of the GUI components) and then run "CMD.EXE" to get back to a command window.
The Server Core installation does not include the traditional full graphical user interface (GUI). Therefore, once you have configured the server, you can only manage it locally at a command prompt, through remote MMCs, or remotely using a Terminal Server connection (still in a CLI when remote).
You will really need to remember your old DOS commands and a few of the new Windows commands (like ipconfig, netsh and Dcpromo). I wanted to poke around a little so I started looking through the directory structure using "Dir /a" to show all files and folders (including the hidden ones).
My first observation: there are hardly any files in C:\Windows. There is an Internet Explorer folder in "Program Files" but except for one DLL file, it is empty. The folder structure is really quite foreign. In reality there is actually very little installed and very little you can do.
I also noticed that a lot of the folder structure was made up of junctions (much like Vista and similar to Linux).
In Windows Vista and Windows Server 2008, the default location of user data has changed. An example of this change is the Documents and Settings directory, which has been moved from %systemdrive%\Documents and Settings to %systemdrive%\Users.
To enable interoperability with legacy applications, junction points are used at the deprecated locations and point to the new locations in Windows Vista and Windows Server 2008.
These junction points have file attributes of FILE_ATTRIBUTE_REPARSE_POINT and FILE_ATTRIBUTE_SYSTEM, and the access control lists (ACLs) must be set to "Everyone Deny Read". Applications must have permissions in order to call out and traverse a specific path. However, enumerating the contents of these junction points is not possible.
There are two categories of directory junctions that can be created by profiles for application compatibility in Windows Vista and Windows Server 2008:
- Per-user junctions - junctions created inside each individual user's profile to provide application compatibility for the old legacy namespace (for example, from C:\Users\<username>\My Documents to C:\Users\<username>\Documents). These junctions will be created by the Profile service when the user's profile itself is created.
- System junctions - all the other junctions created on the system that are not beneath the <username> node. This category includes junctions for Documents and Settings and junctions within the All User, Public, and Default User profiles. These junctions will be created by userenv.dll when invoked from Machine OOBE (Out of Box Experience, an OEM term) on the Windows Vista and Windows Server 2008 computer.
| Directory junction creation location | Destination | Type of junction |
| --- | --- | --- |
| ..\Documents and Settings\ | ..\Users\ | |
| ..\Documents and Settings\<username>\My Documents | ..\Users\<username>\Documents | |
| ..\Documents and Settings\<username>\My Documents\My Music | ..\Users\<username>\Music | |
| ..\Documents and Settings\<username>\My Documents\My Pictures | ..\Users\<username>\Pictures | |
| ..\Documents and Settings\<username>\My Documents\My Videos | ..\Users\<username>\Videos | |
| ..\Documents and Settings\<username>\Cookies\ | ..\Roaming\Microsoft\Windows\Cookies | |
| ..\Documents and Settings\<username>\Recent | ..\Roaming\Microsoft\Windows\Recent | |
| ..\Documents and Settings\<username>\Nethood\ | ..\Roaming\Microsoft\Windows\Network Shortcuts | |
| ..\Documents and Settings\<username>\Printhood\ | ..\Roaming\Microsoft\Windows\Printer Shortcuts | |
| ..\Documents and Settings\<username>\SendTo\ | ..\Roaming\Microsoft\Windows\Send To | |
| ..\Documents and Settings\<username>\StartMenu\ | ..\Roaming\Microsoft\Windows\StartMenu | |
| ..\Documents and Settings\<username>\Templates\ | ..\Roaming\Microsoft\Windows\Templates | |
| ..\Documents and Settings\<username>\Desktop | Covered by the junction at Documents and Settings | |
| ..\Documents and Settings\<username>\Favorites | Covered by the junction at Documents and Settings | |
| ..\Documents and Settings\<username>\Local Settings\Temp | Covered by the junction for the Local Settings folder to Local | |
| | ..\ProgramData | |
| | ..\Users\Public\Desktop | |
| ..\ProgramData\Documents | ..\Users\Public\Documents | |
| ..\ProgramData\Favorites | ..\Users\Public\Favorites | |
| ..\Users\Public\Documents\My Music | ..\Users\Public\Music | |
| ..\Users\Public\Documents\My Pictures | ..\Users\Public\Pictures | |
| ..\Users\Public\Documents\My Videos | ..\Users\Public\Videos | |
| ..\ProgramData\Application Data\ | ..\ProgramData | |
| ..\ProgramData\Start Menu\ | ..\ProgramData\Microsoft\Windows\StartMenu | |
| ..\ProgramData\Templates\ | ..\ProgramData\Microsoft\Windows\Templates | |
| ..\Documents and Settings\Default User | ..\Users\Default | |
| ..\Documents and Settings\Default User\Desktop | ..\Users\Default\Desktop | Default User legacy |
| ..\Documents and Settings\Default User\My Documents | ..\Users\Default\Documents | Default User legacy |
| ..\Documents and Settings\Default User\Favorites | ..\Users\Default\Favorites | Default User legacy |
| ..\Documents and Settings\Default User\My Documents\My Music | ..\Users\Default\Music | Default User legacy |
| ..\Documents and Settings\Default User\My Documents\My Pictures | ..\Users\Default\Pictures | Default User legacy |
| ..\Documents and Settings\Default User\My Documents\My Videos | ..\Users\Default\Videos | Default User legacy |
| ..\Documents and Settings\Default User\Application Data\ | ..\Users\Default\AppData\Roaming | Default User legacy |
| ..\Documents and Settings\Default Users\Start Menu\ | ..\Users\Default\AppData\Roaming\Microsoft\Windows\StartMenu | Default User legacy |
| ..\Documents and Settings\Default User\Templates\ | ..\Users\Default\AppData\Roaming\Microsoft\Windows\Templates | Default User legacy |
| ..\Program Files (Localized name) | ..\Program Files | |
| ..\Program Files\Common Files (Localized Name) | ..\Program Files\Local Files | |
Why do we need Core installations and how can it be used?
A Server Core installation provides a minimal environment for running specific server roles, which reduces the maintenance and management requirements and the attack surface for those server roles.
A server running a Server Core installation supports the following server roles:
- Active Directory Domain Services (AD DS)
- Active Directory Lightweight Directory Services (AD LDS)
- DHCP Server
- DNS Server
- File Services
- Print Services
- Streaming Media Services
- Internet Information Services (IIS)
- Windows Virtualization
To actually work with Core, we need some basic GUI tools. There are not many; however, here is a quick list for you.
- Task Manager
- Notepad
- Time, Date, and Time Zone
- Regional Settings
Everything else is done at the command prompt or by remote management in MMCs.
My first stumbling block was how to set the IP address on this machine. There are no GUI utilities and my use of ipconfig and netsh is limited. I also need to allow RDP through the firewall so that I can remotely administer my virtual server. By default Core servers are hardened and the firewall blocks even ping.
Time to get the initial configuration out of the way and make this server useful.
We can forget the ever trusted ipconfig tool. It is not like the ifconfig in Linux. We need netsh here. At a command prompt, type:
netsh interface ipv4 show interfaces
Look at the number shown in the "Idx" column of the output for your network adapter. If your computer has more than one network adapter, make a note of the number corresponding to the network adapter for which you wish to set a static IP address.
Now, to assign the IP address you want, type the following, where <ID> is the Idx number you noted:
netsh interface ipv4 set address name="<ID>" source=static address=<StaticIP> mask=<SubnetMask> gateway=<DefaultGateway>
In addition, to add DNS servers:
netsh interface ipv4 add dnsserver name="<ID>" address=<DNSIP> index=1
Repeat this last step for each DNS server that you want to set, incrementing the index= number each time. (I am on a closed private network so I did not bother with DNS in my tests.)
Now you can check your settings by using "ipconfig /all" and check that all the addresses are correct.
Don't forget that the server is hardened by default. You can't even ping it yet.
Now is a good time to change the Administrator's password. At the command prompt, type:
net user administrator *
When prompted to enter the password, type the new password for the administrator user account and press ENTER.
When prompted, retype the password and press ENTER.
Next, let's change the computer's name, as the default name is a randomly generated name (unless you configured it through an answer file or OPK).
First let's determine the current name of the server with the hostname or "ipconfig /all" commands. Then type:
netdom renamecomputer <ComputerName> /NewName:<NewComputerName>
Restart the computer by using the shutdown command (this tool has been around since Windows XP/Server 2003, or as a resource kit tool for Windows 2000):
shutdown /r /t 0 or shutdown /s (if you want to shut it down).
You can also log off (type in "logoff") and use the red shutdown button.
After having done all this, it is time to think about remotely administering this machine.
Although Server Core doesn't utilize explorer.exe as its shell and doesn't offer the Computer Properties screen to enable Remote Desktop or select users to remote desktop towards the server, Server Core does offer Remote Desktop. This is not a magical GUI interface to your Core server. You get the same interface as if at the Core server's desktop.
To enable Remote Desktop you can use the SCregEdit.wsf script in the System32 subfolder of your Windows folder. Simply type the following commands:
cd C:\windows\system32
cscript SCregEdit.wsf /AR 0
This command will also automatically create the firewall exception for you. Just like on a full server installation, the firewall is on by default in a Server Core installation and most inbound traffic is blocked at the end of setup.
There are then three scenarios for remote
management via MMC:
Server Role
When a server role is installed, the
appropriate ports are opened to allow the role to function as well as to
allow remote management, so no additional configuration is required. Using
the Remote Server Administration Tools (RSAT) feature on a full server
installation, you can install just the MMC snap-ins for a role and use them
to remotely manage the role on Server Core.
Domain joined
Once domain joined, the firewall profile is
changed to the domain profile which allows remote management. Again, no
additional configuration is required.
Workgroup server
This is the scenario in which you may need to make firewall configuration changes to allow remote management. If you just want all remote management to work you can use:
netsh advfirewall firewall set rule group="remote administration" new enable=yes
The only restriction with RDP is that you're only granted one simultaneous Remote Desktop session (it is the console). Remote Desktop is one of the most commonly used ways to remotely manage Windows Servers nowadays in environments without delegation.
You might prefer to use the Windows Remote Shell. On a server running a Server Core installation, type:
WinRM quickconfig
Press Y to accept the default settings. The WinRM quickconfig setting enables a server running a Server Core installation to accept Windows Remote Shell connections.
On your remote computer, at a command prompt, use "WinRS.exe" to run commands on a server running a Server Core installation.
I don't have a domain here to join (I am testing this on a workgroup); however, if you want to join your existing domain, at a command prompt type:
netdom join <ComputerName> /domain:<DomainName> /userd:<UserName> /passwordD:*
ComputerName is the name of the server that is running the Server Core installation.
DomainName is the name of the domain to join.
UserName is a domain user account with permission to join the domain.
(If you enter * as the password, you will be prompted to enter it on the command prompt window in the next step. You can enter it in the initial command line if you like.)
When prompted to enter the password, type the password for the domain user account specified by UserName.
Restart the computer as explained earlier.
To remove the Core server from the domain use "netdom remove".
As I am in trial mode, I have no intention of activating my server. For you, this is likely important.
To activate the server, at a command prompt type:
slmgr.vbs -ato
If activation is successful, no message will return in the command prompt.
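The network, Remote Desktop, firewall and WinRM steps above each change what the server exposes. The batch script below is an added example, not part of the original article, that reads those settings back at the Server Core command prompt without changing them. It assumes an English-language install (netsh field labels are localized) and that netsh prints Action as the last field of each rule; the temp file name is arbitrary.

```bat
@echo off
rem Added example, not from the original article: read-only audit of what the
rem setup steps above exposed. Run it at the Server Core command prompt.
rem Assumptions: English install; fw-rules.txt is an arbitrary temp file name.
setlocal enabledelayedexpansion
set "RULES=%TEMP%\fw-rules.txt"

echo [1] Firewall state per profile - each profile should report ON
netsh advfirewall show allprofiles state

echo [2] Remote Desktop switch written by SCregEdit.wsf /AR
set "RDP=not set"
for /f "tokens=3" %%v in ('reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections 2^>nul ^| findstr /i "fDenyTSConnections"') do set "RDP=%%v"
if /i "!RDP!"=="0x0" (echo     RDP is ENABLED) else (echo     RDP is disabled or unset: !RDP!)

echo [3] Listeners: RDP on TCP 3389, then any WinRM listeners
netstat -an | findstr /c:":3389 " | findstr /i "LISTENING"
if errorlevel 1 echo     nothing is listening on 3389
rem winrm is itself a .cmd script, so it needs "call" to return here.
call winrm enumerate winrm/config/listener

echo [4] Enabled inbound ALLOW rules: name, group, local port
netsh advfirewall firewall show rule name=all verbose > "%RULES%"
for /f "usebackq tokens=1,* delims=:" %%a in ("%RULES%") do (
    rem Trim the padding netsh puts in front of each value.
    set "V=-"
    for /f "tokens=*" %%t in ("%%b") do set "V=%%t"
    if "%%a"=="Rule Name" (set "NAME=!V!" & set "GRP=-" & set "PORT=-")
    if "%%a"=="Enabled"   set "EN=!V!"
    if "%%a"=="Direction" set "DIR=!V!"
    if "%%a"=="Grouping"  set "GRP=!V!"
    if "%%a"=="LocalPort" set "PORT=!V!"
    rem Action closes a rule block, so decide here whether to report the rule.
    if "%%a"=="Action" if /i "!EN:~0,3!"=="Yes" if /i "!DIR:~0,2!"=="In" if /i "!V:~0,5!"=="Allow" (
        echo     !NAME! ^| !GRP! ^| !PORT!
    )
)
del "%RULES%"
endlocal
```

Run it once before and once after the remote-management steps and compare section [4]; only the rules you meant to enable should be new.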
Ok, so your server is up and running.
What can you do with it?
As mentioned at the start of this page, Server Core comes in Standard,
Enterprise and Datacenter editions for i386 and x64 platforms. Most
companies will probably go for the Standard edition because most of the
differences found in the Enterprise and Datacenter editions of Windows
Server 2008 won't be present in Server Core.
The Enterprise Server Core
will, however, allow you to utilize more processor and memory support,
as well as clustering. Datacenter adds the whole Datacenter hardware
program and 99.999 percent r