All of us Command line addicts (Users
of DOS up to version 6.22, Novell 4.11 and Linux shell users) are
rejoicing.
Server Core is essentially Windows without Windows. Confused?
Think of this server as running the bare minimum of everything, lowering its attack surface and reducing the list of things that can go wrong. Whilst it does not have PowerShell, the CLI (Command Line Interface) is still very powerful.
This is
revolutionizing the way Microsoft is looking at GUI-based
administration. This has been a swing in thought since Windows
PowerShell and Microsoft Exchange Server
2007, all allowing strong command line management capabilities.
Server
Core comes in Standard, Enterprise and Datacenter editions for i386 and
x64 platforms and has basically had the GUI cut out (there are some
minor exceptions to this generalization).
Whilst I am not using Windows Core server 2008 in a production environment (it is a virtual server for my own educational purposes), I can see and feel its power.
You can
compare the differences in the Server versions on Microsoft's site
here
Windows Server 2008 Requirements
| Component | Requirement |
|---|---|
| Processor | Minimum: 1 GHz (x86 processor) or 1.4 GHz (x64 processor) |
| | Recommended: 2 GHz or faster |
| | Note: An Intel Itanium 2 processor is required for Windows Server 2008 for Itanium-Based Systems |
| Memory | Minimum: 512 MB RAM |
| | Recommended: 2 GB RAM or greater |
| | Optimal: 2 GB RAM (Full installation) or 1 GB RAM (Server Core installation) or more |
| | Maximum (32-bit systems): 4 GB (Standard) or 64 GB (Enterprise and Datacenter) |
| | Maximum (64-bit systems): 32 GB (Standard) or 2 TB (Enterprise, Datacenter, and Itanium-Based Systems) |
| Available Disk Space | Minimum: 10 GB |
| | Recommended: 40 GB or greater |
| | Note: Computers with more than 16 GB of RAM will require more disk space for paging, hibernation, and dump files |
| Drive | DVD-ROM drive |
| Display | Super VGA (800 × 600) or higher resolution monitor |
| Other | Keyboard and Microsoft Mouse or compatible pointing device |
My virtual server is running on a 1.6 GHz laptop with 1 GB RAM. The virtual server is using 512 MB RAM.
Let's run through the installation and setup together.
Installation
The installation was very straightforward. The basic system images to your drive, then it asks for the CD key and region, and then asks you to change the Administrator password.
I opted to not use a CD key (trial mode) and then had to select the Core version I wanted. (Just like Vista, everything is on the DVD disk. It depends on your CD key what is installed.)
You do not get any options to partition the drive. This
is due to the imaging technology used for the install. You will end up with
one big partition with everything in it.
The Server Core installation
option of Windows Server 2008 requires the initial configuration at a
command prompt. For the uninitiated, this is the scary part.
Before we start hacking into our installation, here is the base list of benefits of a Server Core installation.
The Server Core installation option of Windows Server 2008 provides:
- Reduced maintenance - Because the Server Core installation option installs only what is required to have a manageable server for the AD DS, AD LDS, DHCP Server, DNS Server, File Services, Print Services, and Streaming Media Services roles, less maintenance is required than on a full installation of Windows Server 2008.
- Reduced attack surface - Because Server Core installations are minimal, there are fewer applications running on the server, which decreases the attack surface.
- Reduced management - Because fewer applications and services are installed on a server running the Server Core installation, there is less to manage.
- Less disk space required - A Server Core installation requires only about 1 gigabyte (GB) of disk space to install and approximately 2 GB for operations after the installation.
- Lower risk of bugs - Reducing the amount of code can help reduce the number of bugs.
Now that you know what this is all about, you can log in.
Once you have logged in, you are greeted with a floating command prompt. If you close this, you need to use Ctrl+Alt+Del to bring up Task Manager (one of the GUI components) and then run "CMD.EXE" to get back to a command window.

The Server Core installation does not include the traditional full graphical user interface (GUI). Therefore, once you have configured the server, you can only manage it locally at a command prompt, through remote MMCs, or remotely using a Terminal Server connection (still in a CLI when remote).
You will really need to remember your old DOS commands and a few of the new Windows commands (like ipconfig, netsh and dcpromo). I wanted to poke around a little so I started looking through the directory structure using "dir /a" to show all files and folders (including the hidden ones).
My first
observation, there are hardly any files in
C:\Windows. There is an Internet Explorer folder in "Program Files" but
except for one Dll file, it is empty. The folder structure is really quite
foreign. In reality there is actually very little installed and very little
you can do.
I also noticed
that a lot of the folder structure was made up of Junctions. (Much like
Vista and similar to Linux).
In Windows Vista and Windows Server 2008, the default location of user data has changed. An example of this change is the Documents and Settings directory, which has been moved from %systemdrive%\Documents and Settings to %systemdrive%\Users.
To enable interoperability with legacy applications, junction points are used at the deprecated locations and point to the new locations in Windows Vista and Windows Server 2008.
These junction points have file attributes of FILE_ATTRIBUTE_REPARSE_POINT and FILE_ATTRIBUTE_SYSTEM, and the access control lists (ACLs) must be set to "Everyone Deny Read". Applications must have permissions in order to call out and traverse a specific path. However, enumerating the contents of these junction points is not possible.
There are two categories of directory junctions that can be created by profiles for application compatibility in Windows Vista and Windows Server 2008:
- Per-user junctions: junctions created inside each individual user's profile to provide application compatibility for the old legacy namespace (for example, from C:\Users\<username>\My Documents to C:\Users\<username>\Documents). These junctions will be created by the Profile service when the user's profile itself is created.
- System Junctions: all the other junctions created on the system and are not beneath the <username> node. This category includes junctions for Documents and Settings and junctions within the All User, Public, and Default User profiles. These junctions will be created by userenv.dll when invoked from Machine OOBE (Out of box Experience - An OEM term) on the Windows Vista and Windows Server 2008 computer.
| Directory junction creation location | Destination | Type of junction |
|---|---|---|
| ..\Documents and Settings\ | ..\Users\ | |
| ..\Documents and Settings\<username>\My Documents | ..\Users\<username>\Documents | |
| ..\Documents and Settings\<username>\My Documents\My Music | ..\Users\<username>\Music | |
| ..\Documents and Settings\<username>\My Documents\My Pictures | ..\Users\<username>\Pictures | |
| ..\Documents and Settings\<username>\My Documents\My Videos | ..\Users\<username>\Videos | |
| ..\Documents and Settings\<username>\Cookies\ | ..\Roaming\Microsoft\Windows\Cookies | |
| ..\Documents and Settings\<username>\Recent | ..\Roaming\Microsoft\Windows\Recent | |
| ..\Documents and Settings\<username>\Nethood\ | ..\Roaming\Microsoft\Windows\Network Shortcuts | |
| ..\Documents and Settings\<username>\Printhood\ | ..\Roaming\Microsoft\Windows\Printer Shortcuts | |
| ..\Documents and Settings\<username>\SendTo\ | ..\Roaming\Microsoft\Windows\Send To | |
| ..\Documents and Settings\<username>\StartMenu\ | ..\Roaming\Microsoft\Windows\StartMenu | |
| ..\Documents and Settings\<username>\Templates\ | ..\Roaming\Microsoft\Windows\Templates | |
| ..\Documents and Settings\<username>\Desktop | Covered by the junction at Documents and Settings | |
| ..\Documents and Settings\<username>\Favorites | Covered by the junction at Documents and Settings | |
| ..\Documents and Settings\<username>\Local Settings\Temp | Covered by the junction for the Local Settings folder to Local | |
| | ..\ProgramData | |
| | ..\Users\Public\Desktop | |
| ..\ProgramData\Documents | ..\Users\Public\Documents | |
| ..\ProgramData\Favorites | ..\Users\Public\Favorites | |
| ..\Users\Public\Documents\My Music | ..\Users\Public\Music | |
| ..\Users\Public\Documents\My Pictures | ..\Users\Public\Pictures | |
| ..\Users\Public\Documents\My Videos | ..\Users\Public\Videos | |
| ..\ProgramData\Application Data\ | ..\ProgramData | |
| ..\ProgramData\Start Menu\ | ..\ProgramData\Microsoft\Windows\StartMenu | |
| ..\ProgramData\Templates\ | ..\ProgramData\Microsoft\Windows\Templates | |
| ..\Documents and Settings\Default User | ..\Users\Default | |
| ..\Documents and Settings\Default User\Desktop | ..\Users\Default\Desktop | Default User legacy |
| ..\Documents and Settings\Default User\My Documents | ..\Users\Default\Documents | Default User legacy |
| ..\Documents and Settings\Default User\Favorites | ..\Users\Default\Favorites | Default User legacy |
| ..\Documents and Settings\Default User\My Documents\My Music | ..\Users\Default\Music | Default User legacy |
| ..\Documents and Settings\Default User\My Documents\My Pictures | ..\Users\Default\Pictures | Default User legacy |
| ..\Documents and Settings\Default User\My Documents\My Videos | ..\Users\Default\Videos | Default User legacy |
| ..\Documents and Settings\Default User\Application Data\ | ..\Users\Default\AppData\Roaming | Default User legacy |
| ..\Documents and Settings\Default Users\Start Menu\ | ..\Users\Default\AppData\Roaming\Microsoft\Windows\StartMenu | Default User legacy |
| ..\Documents and Settings\Default User\Templates\ | ..\Users\Default\AppData\Roaming\Microsoft\Windows\Templates | Default User legacy |
| ..\Program Files (Localized name) | ..\Program Files | |
| ..\Program Files\Common Files (Localized Name) | ..\Program Files\Local Files | |
Why do we need Core installations and how can it be used?
A Server Core installation provides a
minimal environment for running specific server roles, which reduces the
maintenance and management requirements and the attack surface for those
server roles.
A server running a Server Core installation
supports the following server roles:
- Active Directory Domain Services (AD DS)
- Active Directory Lightweight Directory Services
(AD LDS)
- DHCP Server
- DNS Server
- File Services
- Print Services
- Streaming Media Services
- Internet Information Services (IIS)
- Windows Virtualization
To actually work with Core, we need some basic GUI tools. There are not many; however, here is a quick list for you.
- Task Manager
- Notepad
- Time, Date, and Time Zone
- Regional Settings
Everything else is done at the command prompt or by remote management in MMCs.
My first stumbling block was how to set the
IP address on this machine. There are no GUI utilities and my use of
ipconfig and netsh is limited. I need to also allow RDP through the firewall
so that I can remotely administer my Virtual server. By default Core servers
are hardened and the firewall blocks even ping.
Time to get the initial configuration out
of the way and make this server useful.
We can forget the ever trusted ipconfig tool. It is not like the ifconfig in Linux. We need netsh here. At a command prompt, type:
netsh interface ipv4 show interfaces
Look at the number shown in the "Idx" column of the output for your network adapter. If your computer has more than one network adapter, make a note of the number corresponding to the network adapter for which you wish to set a static IP address.
Now, to assign the IP address you want, type:
netsh interface ipv4 set address name="<ID>" source=static address=<StaticIP> mask=<SubnetMask> gateway=<DefaultGateway>
In addition, to add DNS servers:
netsh interface ipv4 add dnsserver name="<ID>" address=<DNSIP> index=1
Repeat this last step for each DNS server that you want to set, incrementing the index= number each time. (I am on a closed private network so I did not bother with DNS in my tests.)
Now you can check your settings by using "ipconfig /all" and check that all the addresses are correct.
Don't forget that the server is hardened by default. You can't even ping it
yet.
Now is a good time to change the Administrator's password.
At the command prompt, type:
net user administrator *
When prompted to enter the password, type the new password for the administrator user account and press ENTER.
When prompted, retype the password and press ENTER.
Next, let's change the computer's name, as the default name is a randomly generated name (unless you configured it through an answer file or OPK).
First, let's determine the current name of the server with the hostname or "ipconfig /all" commands.
Type:
netdom renamecomputer <ComputerName> /NewName:<NewComputerName>
Restart the computer by using the shutdown command (this tool has been around since Windows XP/Server 2003, or as a resource kit tool for Windows 2000):
shutdown /r /t 0
or, if you want to shut it down:
shutdown /s
You can also log off (type in "logoff") and use the red shutdown button.
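The static IP, DNS, password and rename steps above, collected into one batch file that stops at the first failed step. This is an added example, not part of the original article; the file name corecfg.cmd and the argument order are assumptions, while the commands are the ones shown above.

```batch
@echo off
rem Added example, not from the original article.
rem Usage (every value is a placeholder you supply):
rem   corecfg.cmd Idx StaticIP SubnetMask DefaultGateway NewName [DNS1 DNS2 ...]
rem Idx is the number from "netsh interface ipv4 show interfaces".
setlocal

if "%~5"=="" (
    echo Usage: %~nx0 Idx StaticIP SubnetMask DefaultGateway NewName [DNS ...]
    exit /b 2
)
set "IDX=%~1"
set "IP=%~2"
set "MASK=%~3"
set "GW=%~4"
set "NEWNAME=%~5"

echo Setting static address on interface %IDX% ...
netsh interface ipv4 set address name="%IDX%" source=static address=%IP% mask=%MASK% gateway=%GW%
if errorlevel 1 goto :fail

rem Any remaining arguments are DNS servers; index= goes up by one for each.
set /a N=0
:dnsloop
shift
if "%~5"=="" goto :dnsdone
set /a N+=1
echo Adding DNS server %~5 at index %N% ...
netsh interface ipv4 add dnsserver name="%IDX%" address=%~5 index=%N%
if errorlevel 1 goto :fail
goto :dnsloop
:dnsdone

rem Show the result so the addresses can be checked by eye.
ipconfig /all

rem "*" makes net user prompt for the password, so it never appears
rem on the command line or in this file.
net user administrator *
if errorlevel 1 goto :fail

rem netdom asks for confirmation before it renames the computer.
netdom renamecomputer %COMPUTERNAME% /NewName:%NEWNAME%
if errorlevel 1 goto :fail

echo Done. Restart to apply the new name: shutdown /r /t 0
exit /b 0

:fail
echo A step failed. Fix it before continuing; later steps were not run.
exit /b 1
```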
After having done all this, it is time to
think about remotely administering this machine.
Although Server Core doesn't utilize explorer.exe as its shell and doesn't offer the Computer Properties screen to enable Remote Desktop or select the users allowed to connect to the server by Remote Desktop, Server Core does offer Remote Desktop.
This is not a magical GUI interface to your Core server. You get the same interface as if at the Core server's desktop.
To enable Remote Desktop you can use the
SCregEdit.wsf script in the System32 subfolder of your Windows folder.
Simply type the following commands:
cd C:\windows\system32
cscript SCregEdit.wsf /AR 0
This command will also automatically create the Firewall exception for you.
Just like on a full server installation, the firewall is on by default in a
Server Core installation and most inbound traffic is blocked at the end of
setup.
There are then three scenarios for remote
management via MMC:
Server Role
When a server role is installed, the
appropriate ports are opened to allow the role to function as well as to
allow remote management, so no additional configuration is required. Using
the Remote Server Administration Tools (RSAT) feature on a full server
installation, you can install just the MMC snap-ins for a role and use them
to remotely manage the role on Server Core.
Domain joined
Once domain joined, the firewall profile is
changed to the domain profile which allows remote management. Again, no
additional configuration is required.
Workgroup server
This is the scenario in which you may need to make firewall configuration changes to allow remote management. If you just want all remote management to work you can use:
netsh advfirewall firewall set rule group="remote administration" new enable=yes
The only restriction with RDP is that you're only granted one simultaneous Remote Desktop session (it is the console). Remote Desktop is one of the most commonly used ways to remotely manage Windows Servers nowadays in environments without delegation.
You might prefer to use the Windows Remote Shell. On a server running a Server Core installation, type "WinRM quickconfig"
Click Y to accept the default settings.
The WinRM quickconfig setting enables a server running a Server Core
installation to accept Windows Remote Shell connections.
On your remote computer, at a command prompt, use "WinRS.exe" to
run commands on a server running a Server Core installation.
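To see what the remote-management steps above have actually opened on the server, the following read-only batch file is an added example (not part of the original article). It assumes an English-language installation, because it filters netsh output on labels such as "Rule Name:", and it reads the standard Terminal Server registry value fDenyTSConnections, which this page does not name.

```batch
@echo off
rem Added example, not from the original article. Read-only: it changes nothing.
setlocal
set "TSKEY=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"

echo === Remote Desktop ===
rem fDenyTSConnections = 0x0 means RDP connections are accepted.
set "DENY="
for /f "tokens=3" %%v in ('reg query "%TSKEY%" /v fDenyTSConnections 2^>nul ^| findstr /i "fDenyTSConnections"') do set "DENY=%%v"
if /i "%DENY%"=="0x0" (
    echo RDP connections: ALLOWED
) else (
    echo RDP connections: denied or value not set [%DENY%]
)
rem The same setting as reported by the script that was used to change it.
cscript //nologo "%windir%\system32\SCregEdit.wsf" /AR /v

echo.
echo === Firewall state per profile ===
netsh advfirewall show allprofiles state

echo.
echo === Inbound firewall rules: name, enabled, group, local port ===
netsh advfirewall firewall show rule name=all dir=in | findstr /i /c:"Rule Name:" /c:"Enabled:" /c:"Grouping:" /c:"LocalPort:"

echo.
echo === WinRM listeners created by "WinRM quickconfig" ===
rem winrm is itself a .cmd file, so "call" is needed to return here.
call winrm enumerate winrm/config/listener

echo.
echo === Listening TCP ports and owning process IDs ===
netstat -ano -p tcp | findstr /i "LISTENING"
```

Run it before and after enabling the "remote administration" rule group and compare the two outputs to see exactly which rules and ports the change turned on.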
I don't have a domain here to join (I am testing this on a workgroup); however, if you want to join your existing domain, at a command prompt type:
netdom join <ComputerName> /domain:<DomainName> /userd:<UserName> /passwordD:*
ComputerName is the name of the server that is running the Server Core
installation.
DomainName is the name of the domain to join.
UserName is a domain user account with permission to join the domain.
(If you enter * as the password, you will be prompted to enter it on the
command prompt window in the next step. You can enter it in the initial
command line if you like).
When prompted to enter the password, type the password for the domain
user account specified by UserName.
Restart the computer as explained earlier.
To remove the core server from the domain use "netdom remove"
As I am in trial mode, I have no
intention of activating my server. For you, this is likely important.
To activate the server, at a command prompt type "slmgr.vbs -ato"
If activation is successful, no message will return in the command
prompt.
Ok, so your server is up and running.
What can you do with it?
As mentioned at the start of this page, Server Core comes in Standard,
Enterprise and Datacenter editions for i386 and x64 platforms. Most
companies will probably go for the Standard edition because most of the
differences found in the Enterprise and Datacenter editions of Windows
Server 2008 won't be present in Server Core.
The Enterprise Server Core
will, however, allow you to utilize more processor and memory support,
as well as clustering. Datacenter adds the whole Datacenter hardware
program and 99.999 percent reliability.
As most of my clients and my
expertise is in Small Businesses, Standard is the only version I will
likely look at.
Across the various versions you have
the ability to run as
- Active Directory Domain Services (AD DS)
- Active Directory Lightweight Directory Services
(AD LDS)
- DHCP Server
- DNS Server
- File Services
- Print Services
- Streaming Media Services
- Internet Information Services (IIS)
- Windows Virtualization
To list the available server roles and features (and those already configured), type "oclist".
To install the Active Directory Domain Services role, type "dcpromo /unattend:<unattendfile>"
This command installs the Active Directory Domain Services role and promotes the server to a domain controller by using the settings in the unattend file (which you need to manually create).
To install the AD LDS role, type "start /w ocsetup DirectoryServices-ADAM-ServerCore"
(Using /w prevents the command prompt from returning until the installation completes.)
The start command opens the new process in a new command line interface. Ocsetup is doing the real work here.
This can be uninstalled with "start /w ocsetup DirectoryServices-ADAM-ServerCore /uninstall"
(Using /uninstall basically uninstalls the role for each role listed here.)
To install the DHCP Server role, type "start /w ocsetup DHCPServerCore"
(Using /w prevents the command prompt from returning until the installation completes.)
You can configure a DHCP scope at the command prompt by using netsh, or by remotely using the DHCP snap-in from Windows Server 2008. If the DHCP server is installed in an Active Directory domain, you must authorize it in Active Directory.
To configure this service to start automatically use "sc config dhcpserver start= auto" and to start it right now use "net start dhcpserver"
Uninstall it using "start /w ocsetup DHCPServerCore /uninstall"
To install DNS use "start /w ocsetup DNS-Server-Core-Role" and to uninstall "start /w ocsetup DNS-Server-Core-Role /uninstall".
Configure a DNS zone at the command prompt by typing "dnscmd" or by remotely using the DNS MMC snap-in.
Installing File Services role and features is a little more involved as there are many parts.
- Replication service: "start /w ocsetup FRS-Infrastructure"
- Distributed File System service: "start /w ocsetup DFSN-Server"
- Distributed File System Replication: "start /w ocsetup DFSR-Infrastructure-ServerEdition"
- Services for Network File System (NFS): "start /w ocsetup ServerForNFS-Base" and "start /w ocsetup ClientForNFS-Base"
Uninstallation follows the same pattern as previously listed.
Installing Print Services role and features is as simple as "start /w ocsetup Printing-ServerCore-Role" and "start /w ocsetup Printing-LPDPrintService".
The Streaming Media Services has a slightly more involved installation method. Whilst you can simply run "start /w ocsetup MediaServer" like the other roles, you first need to do some preparation.
As you cannot surf from the Core server, download the required role file using another PC from Microsoft (KB 934518).
Copy the file "installerfilename.msi" to your Server Core installation and run it.
Now install it with "start /w ocsetup MediaServer" and then on a remote computer, use the Streaming Media Services MMC snap-in to remotely configure Streaming Media Services.
Adding a printer to your new slender server
Determine the IP address or host name of the
printer you want to connect to.
On a remote computer running Windows Vista or Windows Server 2008, open
the Print Management console and add the server running the Server Core
installation.
Expand the entry for the print server running a Server Core
installation, right-click Drivers, and then click Add Driver. The Add
Printer Driver Wizard starts.
Complete the wizard to install the printer driver for your printer.
In the Print Management console, right-click Printers and then click Add
Printer. The Network Printer Installation Wizard starts.
Click Add a TCP/IP or Web Services printer by IP address or hostname and
then click Next.
Enter the printer's host name or IP address (the port name will be the
same by default), and then click Next.
Make any necessary changes to the printer name, contact information, or
sharing status, and then click Next.
Issues with Server Core installation and upgrading from previous versions
As Server Core is a special installation of Windows Server 2008, there are the following limitations:
- There is no way to upgrade from a
previous version of the Windows Server operating system to a Server
Core installation. Only a clean installation is supported. (Who
would want this anyway, you would be introducing security flaws)
- There is no way to upgrade from a
full installation of Windows Server 2008 to a Server Core
installation. Only a clean installation is supported. (More of a
downgrade really)
- There is no way to upgrade from a
Server Core installation to a full installation of Windows Server
2008. If you need the Windows user interface or a server role that
is not supported in a Server Core installation, you will need to
install a full installation of Windows Server 2008.