INF307 Server Core: Running a Minimal Server
Andrew Mason
Program Manager
Agenda
• Today’s Challenges
• Server Core Overview and Benefits
• Server Core Architecture
• Server Core Installation and Initial Configuration
• Adding Server Roles
• Administering Server Core
• Demo
Today’s Challenges
• Windows® Server™ is frequently deployed to support a single role or a fixed workload
• In this scenario, administrators are required to deploy and service all of Windows Server
• These non-value-add features (with respect to a fixed-workload server) present a servicing and security burden
• Administrators think of servers in terms of server roles
Today’s Challenges (continued)
• Value Proposition
• Reduce the attack and servicing surface area for certain server roles by installing only what is required and what administrators use
• Servers optimized by role are easier to service and manage
• Fewer patches
• Server management lifecycle oriented around roles
• IT Staff can specialize on their role(s)
• Increased reliability and security
• Less installed and less running
Server Core Overview
• Server Core is:
• A minimal installation option for Longhorn Server
• Included with Standard, Enterprise, and Datacenter
• Available for x86 and x64
Server Core Overview (continued)
• Server Core
• Provides minimal server OS functionality
• Boots and operates stand-alone in headless scenarios
• Low surface area server for targeted roles
• Includes
• A set of server roles
• DHCP, File, AD, DNS, and WINS
• The following optional features:
• Failover Clustering, Subsystem for UNIX-based applications, Backup, Multipath IO, Removable Storage Management, Bitlocker Drive Encryption, SNMP, Telnet Client
• Command Line interface, no GUI Shell
Server Core Desktop
Benefits of Server Core
• Fewer Patches
• Server Core reduces # of patches by ~60%
• Based on all Windows 2000 patches
• Servicing burden is reduced by removing components that are most often serviced
• More Secure, Reliable and Less Management
• Removal of non-value add legacy & client components from server
Server Core Architecture
• Server Core: Security, TCP/IP, File Systems, RPC, plus other Core Server Sub-Systems
• Server Core Server Roles: DNS, DHCP, File, AD, WINS
• Server: with .NetFx, Shell, Tools, etc. (GUI, CLR, Shell, IE, Media, OE, etc.)
• Server, Server Roles (for example only): TS, IAS, Web Server, SharePoint, etc.
Server Core
• Core Subsystems: Security (Logon scenarios), Networking (TCP/IP), File Systems, RPC, Winlogon, necessary dependencies
• Resolved category dependencies: HAL, Kernel, VGA, Logon, etc.
• HW Support components: Disk, Net card, etc.
• Infrastructure features: Command shell, Domain join, Event Log, Perf counter infra., WS-Management, WMI infrastructure, Licensing service, WFP, HTTP support, IPSec
• “Thin” Management tools (local and remote): Configure IP address, Join a domain, Create users, etc.
• Server roles: DHCP server role, DNS server role, File server role, Domain Controller role, WINS server role
Deploying Server Core
• There is a screen in Setup to select either:
• Server with the shell and all Server Roles
• Server Core with Command Prompt and supported roles
• Server Core initial configuration can be done either
• Manually using the command line tools
• Using an unattend file
Unattended Install
• Same unattend and options as Vista and Server
• Can set options that otherwise require editing the registry on Server Core
• Display Resolution and Color Depth
<settings pass="oobeSystem">
<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86">
<Display>
<HorizontalResolution>1024</HorizontalResolution>
<VerticalResolution>768</VerticalResolution>
<ColorDepth>16</ColorDepth>
</Display>
</component>
</settings>
Unattended Install (cont)
• To enable Terminal Services remote admin mode
• In the <settings pass="specialize"> section add:
<component name="Microsoft-Windows-TerminalServices-LocalSessionManager" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86">
<fDenyTSConnections>false</fDenyTSConnections>
</component>
• To enable support for pre-Vista/Longhorn Terminal Services clients
• In the <settings pass="specialize"> section add:
<component name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86">
<UserAuthentication>0</UserAuthentication>
</component>
Selecting Server Core in Unattend
• After the </InstallTo> section, add the appropriate <InstallFrom> section
• Server Core:
<InstallFrom>
<MetaData>
<Key>/IMAGE/Name</Key>
<Value>Windows Longhorn Server Core</Value>
</MetaData>
</InstallFrom>
• Server
<InstallFrom>
<MetaData>
<Key>/IMAGE/Name</Key>
<Value>Windows Longhorn Server</Value>
</MetaData>
</InstallFrom>
No Server Core Upgrades
• Only a clean install is supported
• Cannot upgrade from a previous version of Windows Server
• Cannot upgrade from Server Core to Windows Server "Longhorn"
• If you need the Explorer Shell or a Server Role that is not supported on Server Core, you will need to reinstall
• Cannot upgrade from Windows Server "Longhorn" to Server Core
Server Core Initial Configuration
• Set Administrator Password
• CTRL+ALT+DEL and click Change password
• net user administrator *
• Activate
• Slmgr.vbs -ato
• Configure Static IP Address (if required)
• Netsh interface ipv4
• show interfaces
• set address name="ID" source=static address=StaticIP mask=SubnetMask gateway=DefaultGateway
• add dnsserver name="ID" address=DNSIP index=1
• Join a domain (if required)
• Netdom
Adding Server Roles
• Command line only, no Server Manager
• Start /w Ocsetup RolePackage
• DHCP = DHCPServerCore
• DNS = DNS-Server-Core-Role
• File = File-Server-Core-Role
• File Replication service = FRS-Infrastructure
• Distributed File System service = DFSN-Server
• Distributed File System Replication = DFSR-Infrastructure-ServerEdition
• Network File System = ServerForNFS-Base
• Single Instance Store = SIS
• Active Directory
• Dcpromo /unattend:Unattendfile
• Dcpromo now installs Active Directory
• Ocsetup not supported for Active Directory
Adding Optional Features
• Start /w ocsetup OptionalFeaturePackage
• Failover Cluster = FailoverCluster-Core
• Network Load Balancing = NetworkLoadBalancingHeadlessServer
• Subsystem for UNIX-based applications = SUA
• Multipath IO = Microsoft-Windows-MultipathIO
• Removable Storage Management = Microsoft-Windows-RemovableStorageManagementCore
• Bitlocker Drive Encryption = BitLocker
• Backup = WindowsServerBackup
• Simple Network Management Protocol (SNMP) = SNMP-SC
• Telnet Client = TelnetClient
Uninstalling Roles and Features
• Start /w Ocsetup Package /uninstall
• Except for Active Directory
• You must use DCPromo and demote
• This will also remove the Active Directory binaries
• No Remote GUI for installing or uninstalling roles and features
Managing Server Core
• CMD for local command execution
• Terminal Server using CMD
• WS-Management and Windows Remote Shell for remote command execution
• WMI
• Task Scheduler for scheduling jobs and tasks
• Event Logging and Event Forwarding
• RPC and DCOM for remote MMC support
• SNMP
Managing with Windows Remote Shell
• Windows Remote Management (WinRM)
• WS-Management - secure firewall friendly mgmt protocol
• WinRM.exe configures the server side
• Can also be configured using GPO or unattend install
• Windows Remote Shell (WinRS)
• Must configure WinRM first
• WinRS.exe remotely execute commands
• Requires Windows Vista or Longhorn Server
• Only command line tools or scripts without UI can be executed
• Prompts are problematic, full interactive mode not supported
• For example, “press any key”
Configuring WinRM on Server Core
• The Server side of WS-Management
• From the command line
• WinRM quickconfig
• Through an unattend file
• In the <settings pass="specialize"> section add:
<component name="Microsoft-Windows-Web-Services-for-Management-Core" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86">
<ConfigureWindowsRemoteManagement>true</ConfigureWindowsRemoteManagement>
</component>
Using WinRS
• The Client side of WS-Management
• WinRS -r:<remote endpoint> command
• Remote endpoint can be
• -r:https://myserver.com
• -r:myserver
• -r:http://127.0.0.1
• -r:http://169.51.2.101:80
• For example
• Winrs -r:myserver dir c:\windows\system32\*.dll
• WinRS -? for help
WinRS examples
• Turn on Terminal Services remote admin
• winrs -r:myserver cscript \windows\system32\scregedit.wsf /ar 0
• Allow pre-Vista/Longhorn TS clients
• winrs -r:myserver cscript \windows\system32\scregedit.wsf /cs 0
• Join a domain
• winrs -r:myserver netdom add myserver /domain:testdomain /userd:administrator /passwordd:<password>
• Add domain admin to local admins
• winrs -r:myserver net localgroup administrators testdomain\administrator /add
SCRegEdit.wsf
• Not all tasks can be performed from the command line or remotely
• SCRegEdit.wsf is included in Server Core to:
• Configure the pagefile
• Enable automatic updates
• Set the time zone
• Enable error reporting
• Enable Terminal Server Remote Admin Mode
• Enable remote IPSec Monitor management
• Configure DNS SRV record weight and priority
• Located in \Windows\System32
Hardware on Server Core
• Plug and Play is included in Server Core
• If you add hardware with an inbox driver, PnP will “silently” install the driver
• If the driver is not included, but you have a PnP driver for the hardware
• Copy the driver files to the Server Core box
• Execute: Pnputil -i -a driverinf
• To list installed drivers
• sc query type= driver
• To remove a driver
• sc delete service_name
Control Panel in Server Core?
• Limited functionality for specific scenarios
• Time zone, to change
• Control timedate.cpl
• Keyboards and/or language, to change
• Control intl.cpl
Notepad in Server Core
• Included, but with limitations
• On the File menu, only Exit works
• Help does not work
• To work with files:
• Notepad <filename>, make change, exit, and when prompted click save
• No “Save As”, need to rename the file before opening and making changes
• Copy, Paste, Find, Replace, etc all work
Restarting CMD.EXE
• If you close the command prompt window
• Locally, you can either:
• Press ctrl-alt-del, click Start Task Manager, click File, click Run, and enter cmd.exe
• Log off and back on again
• In a Terminal Services session:
• You can use the Terminal Services MMC snapin to remotely logoff
• You can use the Terminal Services command line tools remotely:
• query session /server:<servername>
• logoff <session_id> /server:<servername>
Limitations of Server Core
• No support for Managed Code
• No balloon notifications, such as for activation
• Password expiration is now a balloon notification, so it will not appear on Server Core
• Runonce is not supported on Server Core
Server Core Development
• Server Core is not an application platform
• Server Core does support development of Management tools, utilities, and agents
• Remote Management tools should not require changes
• Need to use one of the protocols supported in Server core, such as RPC
Server Core Development (cont)
• Management agents may require changes to work on Server Core
• Agents cannot have shell or gui dependencies
• Agents cannot use managed code
• Test your agents on Server Core
• Beta SDK includes a list of APIs supported in Server Core
Demo
• Server Core
• Server Role on Server Core
Server Core Feedback and Questions
• Newsgroups
• http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=582&SiteID=17
• Server Core Blog
• http://blogs.technet.com/server_core/default.aspx
• “Command-line reference A-Z” in Help is very helpful
• Online at: http://go.microsoft.com/fwlink/?LinkId=20331
Ask The Experts: Get Your Questions Answered
You can find me at the Microsoft Ask the Experts area, located in the Exhibition Hall:
Wednesday 15 November Lunch
Thursday 16 November 10:15 – 10:45
Thursday 17 November 14.45 – 15.45
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.