Welcome to mickyj.com

   


















     

     

    

    


Windows Core Server 2008

 

All of us Command line addicts (Users of DOS up to version 6.22, Novell 4.11 and Linux shell users) are rejoicing.

Server Core is essentially Windows without Windows. Confused?

Think of this server as running the bare minimum of everything, lowering its attack surface and reducing the list of things that can go wrong. Whilst it does not have PowerShell, the CLI (Command Line Interface) is still very powerful.

This is revolutionizing the way Microsoft is looking at GUI-based administration. This has been a swing in thought since Windows PowerShell and Microsoft Exchange Server 2007, all allowing strong command line management capabilities.

Server Core comes in Standard, Enterprise and Datacenter editions for i386 and x64 platforms and has basically had the GUI cut out (there are some minor exceptions to this generalization).

Whilst I am not using Windows Core server 2008 in a production environment (it is a virtual server for my own educational purposes), I can see and feel its power.

 

You can compare the differences in the Server versions on Microsoft's site here 

 

Windows Server 2008 Requirements

 

Component - Requirement

  • Processor - Minimum: 1 GHz (x86 processor) or 1.4 GHz (x64 processor). Recommended: 2 GHz or faster. Note: An Intel Itanium 2 processor is required for Windows Server 2008 for Itanium-Based Systems.

  • Memory - Minimum: 512 MB RAM. Recommended: 2 GB RAM or greater. Optimal: 2 GB RAM (Full installation) or 1 GB RAM (Server Core installation) or more. Maximum (32-bit systems): 4 GB (Standard) or 64 GB (Enterprise and Datacenter). Maximum (64-bit systems): 32 GB (Standard) or 2 TB (Enterprise, Datacenter, and Itanium-Based Systems).

  • Available Disk Space - Minimum: 10 GB. Recommended: 40 GB or greater. Note: Computers with more than 16 GB of RAM will require more disk space for paging, hibernation, and dump files.

  • Drive - DVD-ROM drive

  • Display - Super VGA (800 × 600) or higher resolution monitor

  • Other - Keyboard and Microsoft Mouse or compatible pointing device

 

My virtual server is running on a 1.6 GHz laptop with 1 GB RAM. The virtual server is using 512 MB RAM.

 

Let's run through the installation and setup together.

 

Installation

The installation was very straightforward. The basic system images to your drive, then it asks for the CD key and region, and then asks you to change the Administrator password.

 

I opted to not use a CD key (trial mode) and then had to select the Core version I wanted. (Just like Vista, everything is on the DVD disk. It depends on your CD key what is installed).

 

You do not get any options to partition the drive. This is due to the imaging technology used for the install. You will end up with one big partition with everything in it.

The Server Core installation option of Windows Server 2008 requires the initial configuration at a command prompt. For the uninitiated, this is the scary part.

Before we start hacking into our installation, here is the base list of benefits of a Server Core installation.

The Server Core installation option of Windows Server 2008 provides:

  • Reduced maintenance - Because the Server Core installation option installs only what is required to have a manageable server for the AD DS, AD LDS, DHCP Server, DNS Server, File Services, Print Services, and Streaming Media Services roles, less maintenance is required than on a full installation of Windows Server 2008.
     
  • Reduced attack surface - Because Server Core installations are minimal, there are fewer applications running on the server, which decreases the attack surface.
     
  • Reduced management - Because fewer applications and services are installed on a server running the Server Core installation, there is less to manage.
     
  • Less disk space required - A Server Core installation requires only about 1 gigabyte (GB) of disk space to install and approximately 2 GB for operations after the installation.
     
  • Lower risk of bugs - Reducing the amount of code can help reduce the amount of bugs.

Now that you know what this is all about, you can log in.

 

Once you have logged in, you are greeted with a floating command prompt. If you close this, you need to use Ctrl+Alt+Del to bring up Task Manager (one of the GUI components) and then run "CMD.EXE" to get back to a command window.

 

 

The Server Core installation does not include the traditional full graphical user interface (GUI). Therefore, once you have configured the server, you can only manage it locally at a command prompt, through remote MMCs, or remotely using a Terminal Server connection (still in a CLI when remote).

You will really need to remember your old DOS commands and a few of the new Windows commands (Like ipconfig, netsh and Dcpromo). I wanted to poke around a little so I started looking through the directory structure using "Dir /a" to show all files and folders (Including the hidden ones).

 

My first observation: there are hardly any files in C:\Windows. There is an Internet Explorer folder in "Program Files" but, except for one DLL file, it is empty. The folder structure is really quite foreign. In reality there is actually very little installed and very little you can do.

 

I also noticed that a lot of the folder structure was made up of Junctions. (Much like Vista and similar to Linux).

 

In Windows Vista and Windows Server 2008, the default location of user data has changed. An example of this change is the Documents and Settings directory, which has been moved from %systemdrive%\Documents and Settings to %systemdrive%\Users.

To enable interoperability with legacy applications, junction points are used at the deprecated locations and point to the new locations in Windows Vista and Windows Server 2008.

These junction points have file attributes of FILE_ATTRIBUTE_REPARSE_POINT and FILE_ATTRIBUTE_SYSTEM, and the access control lists (ACLs) must be set to "Everyone Deny Read". Applications must have permissions in order to call out and traverse a specific path. However, enumerating the contents of these junction points is not possible.

There are two categories of directory junctions that can be created by profiles for application compatibility in Windows Vista and Windows Server 2008:
  • Per-user junctions—junctions created inside each individual user's profile to provide application compatibility for the old legacy namespace (for example, from C:\Users\<username>\My Documents to C:\Users\<username>\Documents). These junctions will be created by the Profile service when the user's profile itself is created.
  • System Junctions—all the other junctions created on the system and are not beneath the <username> node. This category includes junctions for Documents and Settings and junctions within the All User, Public, and Default User profiles. These junctions will be created by userenv.dll when invoked from Machine OOBE (Out of box Experience - An OEM term) on the Windows Vista and Windows Server 2008 computer.

Directory junction creation location | Destination | Type of junction
..\Documents and Settings\ | ..\Users\ | Parent folder
..\Documents and Settings\<username>\My Documents | ..\Users\<username>\Documents | User data legacy folder
..\Documents and Settings\<username>\My Documents\My Music | ..\Users\<username>\Music | User data legacy folder
..\Documents and Settings\<username>\My Documents\My Pictures | ..\Users\<username>\Pictures | User data legacy folder
..\Documents and Settings\<username>\My Documents\My Videos | ..\Users\<username>\Videos | User data legacy folder
..\Documents and Settings\<username>\Cookies\ | ..\Roaming\Microsoft\Windows\Cookies | Per-user OS settings
..\Documents and Settings\<username>\Recent | ..\Roaming\Microsoft\Windows\Recent | Per-user OS settings
..\Documents and Settings\<username>\Nethood\ | ..\Roaming\Microsoft\Windows\Network Shortcuts | Per-user OS settings
..\Documents and Settings\<username>\Printhood\ | ..\Roaming\Microsoft\Windows\Printer Shortcuts | Per-user OS settings
..\Documents and Settings\<username>\SendTo\ | ..\Roaming\Microsoft\Windows\Send To | Per-user OS settings
..\Documents and Settings\<username>\StartMenu\ | ..\Roaming\Microsoft\Windows\StartMenu | Per-user OS settings
..\Documents and Settings\<username>\Templates\ | ..\Roaming\Microsoft\Windows\Templates | Per-user OS settings
..\Documents and Settings\<username>\Desktop | Covered by the junction at Documents and Settings | Legacy profile
..\Documents and Settings\<username>\Favorites | Covered by the junction at Documents and Settings | Legacy profile
..\Documents and Settings\<username>\Local Settings\Temp | Covered by the junction for the Local Settings folder to Local | Legacy profile
..\Users\All Users | ..\ProgramData | All Users legacy
..\ProgramData\Desktop | ..\Users\Public\Desktop | User
..\ProgramData\Documents | ..\Users\Public\Documents | User
..\ProgramData\Favorites | ..\Users\Public\Favorites | User
..\Users\Public\Documents\My Music | ..\Users\Public\Music | User
..\Users\Public\Documents\My Pictures | ..\Users\Public\Pictures | User
..\Users\Public\Documents\My Videos | ..\Users\Public\Videos | User
..\ProgramData\Application Data\ | ..\ProgramData | User
..\ProgramData\Start Menu\ | ..\ProgramData\Microsoft\Windows\StartMenu | User
..\ProgramData\Templates\ | ..\ProgramData\Microsoft\Windows\Templates | User
..\Documents and Settings\Default User | ..\Users\Default | Default User legacy
..\Documents and Settings\Default User\Desktop | ..\Users\Default\Desktop | Default User legacy
..\Documents and Settings\Default User\My Documents | ..\Users\Default\Documents | Default User legacy
..\Documents and Settings\Default User\Favorites | ..\Users\Default\Favorites | Default User legacy
..\Documents and Settings\Default User\My Documents\My Music | ..\Users\Default\Music | Default User legacy
..\Documents and Settings\Default User\My Documents\My Pictures | ..\Users\Default\Pictures | Default User legacy
..\Documents and Settings\Default User\My Documents\My Videos | ..\Users\Default\Videos | Default User legacy
..\Documents and Settings\Default User\Application Data\ | ..\Users\Default\AppData\Roaming | Default User legacy
..\Documents and Settings\Default Users\Start Menu\ | ..\Users\Default\AppData\Roaming\Microsoft\Windows\StartMenu | Default User legacy
..\Documents and Settings\Default User\Templates\ | ..\Users\Default\AppData\Roaming\Microsoft\Windows\Templates | Default User legacy
..\Program Files (Localized name) | ..\Program Files | Program Files
..\Program Files\Common Files (Localized Name) | ..\Program Files\Local Files | Program Files



Why do we need Core installations and how can it be used?

A Server Core installation provides a minimal environment for running specific server roles, which reduces the maintenance and management requirements and the attack surface for those server roles.

 

A server running a Server Core installation supports the following server roles:

  • Active Directory Domain Services (AD DS)
  • Active Directory Lightweight Directory Services (AD LDS)
  • DHCP Server
  • DNS Server
  • File Services
  • Print Services
  • Streaming Media Services
  • Internet Information Services (IIS)
  • Windows Virtualization

To actually work with Core, we need some basic GUI tools. There are not many; here is a quick list for you.

 

Task Manager
Notepad
Time, Date, and Time Zone
Regional Settings

 

Everything else is done at the command prompt or by remote management with MMCs.

 

My first stumbling block was how to set the IP address on this machine. There are no GUI utilities and my use of ipconfig and netsh is limited. I need to also allow RDP through the firewall so that I can remotely administer my Virtual server. By default Core servers are hardened and the firewall blocks even ping.

 

Time to get the initial configuration out of the way and make this server useful.

 

We can forget the ever trusted ipconfig tool. It is not like the ifconfig in Linux. We need netsh here. At a command prompt, type in "netsh interface ipv4 show interfaces"


Look at the number shown in the "Idx" column of the output for your network adapter. If your computer has more than one network adapter, make a note of the number corresponding to the network adapter for which you wish to set a static IP address.

 

Now, to assign the IP address you want, type


netsh interface ipv4 set address name="<ID>" source=static address=<StaticIP> mask=<SubnetMask> gateway=<DefaultGateway>

 

In addition, to add DNS servers:


netsh interface ipv4 add dnsserver name="<ID>" address=<DNSIP> index=1


Repeat this last step for each DNS server that you want to set, incrementing the index= number each time. (I am on a closed private network so I did not bother with DNS in my tests)

Now you can check your settings by using "ipconfig /all" and check that all the addresses are correct.

 
Don't forget that the server is hardened by default. You can't even ping it yet.

 

Now is a good time to change the Administrator's password.

At the command prompt, type "net user administrator *"


When prompted to enter the password, type the new password for the administrator user account and press ENTER.

When prompted, retype the password and press ENTER.
 

Next, let's change the computer's name, as the default name is a randomly generated name (unless you configured it through an answer file or OPK).

 

First, let's determine the current name of the server with the hostname or "ipconfig /all" commands.

Type

"netdom renamecomputer <ComputerName> /NewName:<NewComputerName>"

Restart the computer by using the shutdown command (This tool has been around since Windows XP/Server 2003 or as a resource kit tool for Windows 2000).

Use "shutdown /r /t 0" to restart, or "shutdown /s" if you want to shut it down. You can also log off (type in "logoff") and use the red shutdown button.

 

After having done all this, it is time to think about remotely administering this machine.

 

Although Server Core doesn't use explorer.exe as its shell and doesn't offer the Computer Properties screen to enable Remote Desktop or select the users allowed to connect, Server Core does offer Remote Desktop. This is not a magical GUI interface to your Core server. You get the same interface as if you were at the Core server's desktop.

 

To enable Remote Desktop you can use the SCregEdit.wsf script in the System32 subfolder of your Windows folder. Simply type the following commands:

cd C:\windows\system32
cscript SCregEdit.wsf /AR 0



This command will also automatically create the Firewall exception for you.

Just like on a full server installation, the firewall is on by default in a Server Core installation and most inbound traffic is blocked at the end of setup.
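
The steps above collected into one batch file, as an added example that is not part of the original page: it stops at the first failed step and checks the Remote Desktop setting before the rename and restart. The adapter index, addresses and computer name are constructed placeholders, and it assumes netsh, cscript and netdom report failure through a nonzero errorlevel.

```batch
@echo off
setlocal
rem Added example: initial Server Core setup using the commands from this page.
rem Every value below is a constructed placeholder; replace it before use.
set IFIDX=2
set IP=192.168.10.20
set MASK=255.255.255.0
set GW=192.168.10.1
set DNS1=192.168.10.5
set DNS2=192.168.10.6
set NEWNAME=CORE01

rem 1. Static IPv4 address on the adapter whose Idx was noted from
rem    "netsh interface ipv4 show interfaces".
netsh interface ipv4 set address name="%IFIDX%" source=static address=%IP% mask=%MASK% gateway=%GW%
if errorlevel 1 goto :fail

rem 2. DNS servers, incrementing index= for each one.
netsh interface ipv4 add dnsserver name="%IFIDX%" address=%DNS1% index=1
if errorlevel 1 goto :fail
netsh interface ipv4 add dnsserver name="%IFIDX%" address=%DNS2% index=2
if errorlevel 1 goto :fail

rem 3. Administrator password. The * makes net user prompt for it, so the
rem    password is never stored in this file or echoed on the command line.
net user administrator *
if errorlevel 1 goto :fail

rem 4. Enable Remote Desktop with the script shipped in System32.
cscript //nologo %windir%\system32\SCregEdit.wsf /AR 0
if errorlevel 1 goto :fail

rem 5. Verify before restarting: addresses, the registry value that controls
rem    Remote Desktop (0x0 means connections are allowed), the firewall rule
rem    for inbound RDP, and whether anything is listening on port 3389.
ipconfig /all
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections | find "0x0" >nul
if errorlevel 1 (echo Remote Desktop is still disabled & goto :fail)
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"
netstat -an | find ":3389"

rem 6. Rename last, because it only takes effect after a restart.
rem    netdom asks for confirmation before it renames the computer.
netdom renamecomputer %COMPUTERNAME% /NewName:%NEWNAME%
if errorlevel 1 goto :fail
shutdown /r /t 0
goto :eof

:fail
echo Step failed with errorlevel %errorlevel%; stopping before any further change.
exit /b 1
```

Check the "Enabled:" field in the firewall rule output from step 5 before relying on remote access; if the rule is not enabled, the server will reboot unreachable over RDP.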

 

There are then three scenarios for remote management via MMC:

Server Role

When a server role is installed, the appropriate ports are opened to allow the role to function as well as to allow remote management, so no additional configuration is required. Using the Remote Server Administration Tools (RSAT) feature on a full server installation, you can install just the MMC snap-ins for a role and use them to remotely manage the role on Server Core.
 

Domain joined

Once domain joined, the firewall profile is changed to the domain profile which allows remote management. Again, no additional configuration is required.
 

Workgroup server

This is the scenario in which you may need to make firewall configuration changes to allow remote management. If you just want all remote management to work you can use:
 

netsh advfirewall firewall set rule group="remote administration" new enable=yes
 

The only restriction with RDP is that you're only granted one simultaneous Remote Desktop session (it is the console). Remote Desktop is one of the most commonly used ways to remotely manage Windows Servers nowadays in environments without delegation.

You might prefer to use the Windows Remote Shell. On a server running a Server Core installation, type "WinRM quickconfig" and press Y to accept the default settings.

The WinRM quickconfig setting enables a server running a Server Core installation to accept Windows Remote Shell connections.

On your remote computer, at a command prompt, use "WinRS.exe" to run commands on a server running a Server Core installation.

I don't have a domain here to join (I am testing this on a workgroup); however, if you want to join your existing domain, at a command prompt type

"netdom join <ComputerName> /domain:<DomainName> /userd:<UserName> /passwordD:*"

  • ComputerName is the name of the server that is running the Server Core installation.

  • DomainName is the name of the domain to join.

  • UserName is a domain user account with permission to join the domain.


  • (If you enter * as the password, you will be prompted to enter it on the command prompt window in the next step. You can enter it in the initial command line if you like).

    When prompted to enter the password, type the password for the domain user account specified by UserName.

    Restart the computer as explained earlier.

    To remove the core server from the domain use "netdom remove"

    As I am in trial mode, I have no intention of activating my server. For you, this is likely important.

    To activate the server
    At a command prompt, type "slmgr.vbs -ato"
    If activation is successful, no message will return in the command prompt.

    Ok, so your server is up and running. What can you do with it?

    As mentioned at the start of this page, Server Core comes in Standard, Enterprise and Datacenter editions for i386 and x64 platforms. Most companies will probably go for the Standard edition because most of the differences found in the Enterprise and Datacenter editions of Windows Server 2008 won't be present in Server Core.

    The Enterprise Server Core will, however, allow you to utilize more processor and memory support, as well as clustering. Datacenter adds the whole Datacenter hardware program and 99.999 percent reliability.

    As most of my clients and my expertise is in Small Businesses, Standard is the only version I will likely look at.

    Across the various versions you have the ability to run as

    • Active Directory Domain Services (AD DS)
    • Active Directory Lightweight Directory Services (AD LDS)
    • DHCP Server
    • DNS Server
    • File Services
    • Print Services
    • Streaming Media Services
    • Internet Information Services (IIS)
    • Windows Virtualization

    To list the available server roles and features (And those already configured), type "oclist".

    To install the Active Directory Domain Services role type
    "dcpromo /unattend:<unattendfile>"

    This command installs the Active Directory Domain Services role and promotes the server to a domain controller by using the settings in the unattend file (which you need to manually create).

    To install the AD LDS role type "start /w ocsetup DirectoryServices-ADAM-ServerCore"

    (Using /w prevents the command prompt from returning until the installation completes)
    The start command opens the new process in a new Command line interface. Ocsetup is doing the real work here.

    This can be uninstalled with

    "start /w ocsetup DirectoryServices-ADAM-ServerCore /uninstall"

    (Using /uninstall basically uninstalls the role for each role listed here)

    To install the DHCP Server role type "start /w ocsetup DHCPServerCore"

    (Using /w prevents the command prompt from returning until the installation completes)

    You can configure a DHCP scope at the command prompt by using netsh, or by remotely using the DHCP snap-in from Windows Server 2008. If the DHCP server is installed in an Active Directory domain, you must authorize it in Active Directory.

    To configure this service to start use "sc config dhcpserver start= auto" and to start it right now use "net start dhcpserver"

    Uninstall it using "start /w ocsetup DHCPServerCore /uninstall"

    To install DNS use "start /w ocsetup DNS-Server-Core-Role" and to uninstall "start /w ocsetup DNS-Server-Core-Role /uninstall".

    Configure a DNS zone at the command prompt by typing "dnscmd" or by remotely using the DNS MMC snap-in.

    Installing File Services role and features is a little more involved as there are many parts.

    • Replication service:  "start /w ocsetup FRS-Infrastructure"
    • Distributed File System service: "start /w ocsetup DFSN-Server"
    • Distributed File System Replication: "start /w ocsetup DFSR-Infrastructure-ServerEdition"
    • Services for Network File System (NFS): "start /w ocsetup ServerForNFS-Base" and "start /w ocsetup ClientForNFS-Base"

    Uninstallation follows the same pattern as previously listed.

    Installing Print Services role and features is as simple as "start /w ocsetup Printing-ServerCore-Role" and "start /w ocsetup Printing-LPDPrintService".

    The Streaming Media Services has a slightly more involved installation method. Whilst you can simply run "start /w ocsetup MediaServer" like the other roles, you first need to do some preparation.

    As you cannot browse the web from the Core server, use another PC to download the required role file from Microsoft (KB 934518).

    Copy the file "installerfilename.msi" to your Server Core installation and run it.

    Now install it with "start /w ocsetup MediaServer" and then on a remote computer, use the Streaming Media Services MMC snap-in to remotely configure Streaming Media Services.

    Adding a printer to your new slender server

    Determine the IP address or host name of the printer you want to connect to.

    On a remote computer running Windows Vista or Windows Server 2008, open the Print Management console and add the server running the Server Core installation.

    Expand the entry for the print server running a Server Core installation, right-click Drivers, and then click Add Driver. The Add Printer Driver Wizard starts.

    Complete the wizard to install the printer driver for your printer.

    In the Print Management console, right-click Printers and then click Add Printer. The Network Printer Installation Wizard starts.

    Click Add a TCP/IP or Web Services printer by IP address or hostname and then click Next.

    Enter the printer's host name or IP address (the port name will be the same by default), and then click Next.

    Make any necessary changes to the printer name, contact information, or sharing status, and then click Next.

    Issues with Server Core installation and upgrading from previous versions

    As Server Core is a special installation of Windows Server 2008, there are the following limitations:

    • There is no way to upgrade from a previous version of the Windows Server operating system to a Server Core installation. Only a clean installation is supported. (Who would want this anyway, you would be introducing security flaws)
       
    • There is no way to upgrade from a full installation of Windows Server 2008 to a Server Core installation. Only a clean installation is supported. (More of a downgrade really)
       
    • There is no way to upgrade from a Server Core installation to a full installation of Windows Server 2008. If you need the Windows user interface or a server role that is not supported in a Server Core installation, you will need to install a full installation of Windows Server 2008.

     

     

     

     

     

        

     


     

     

     

     

                                                                 This page was written and designed by Michael Jenkin 2011 ©