Satisfy Your Technical Curiosity. Server Core: Running a Minimal Server. David Lowe, Senior Product Manager, Windows Server

Upload: andrew-robbins

Post on 18-Jan-2016


TRANSCRIPT

Page 1

Satisfy Your Technical Curiosity

Server Core: Running a Minimal Server

David Lowe, Senior Product Manager

Windows Server

Page 2

Microsoft Confidential

Today’s Challenges

Server Core Overview and Benefits

Server Core Architecture

Server Core Installation and Initial Configuration

Adding Server Roles

Administering Server Core

Page 3

Windows® Server™ is frequently deployed to support a single role or a fixed workload

In this scenario, administrators are required to deploy and service all of Windows Server

The features that add no value for a fixed-workload server present a servicing and security burden

Administrators think of servers in terms of server roles

Page 4

Value Proposition

Reduce the attack and servicing surface area for certain server roles by installing only what is required and what administrators use

Servers optimized by role are easier to service and manage

Fewer patches

Server management lifecycle oriented around roles

IT staff can specialize on their role(s)

Increased reliability and security

Less installed and less running

Page 5

Server Core is:

A minimal installation option for Longhorn Server

Included with Standard, Enterprise, and Datacenter

Available for x86 and x64

Page 6

Server Core

Provides minimal server OS functionality

Low surface area server for targeted roles

Includes

A set of server roles:

DHCP, File, AD, AD LDS, Media Services, DNS, and Windows Virtualization Services

The following optional features:

WINS, Failover Clustering, Subsystem for UNIX-based applications, Backup, Multipath IO, Removable Storage Management, BitLocker Drive Encryption, SNMP, Telnet Client

Command Line interface, no GUI Shell


Page 8

Fewer Patches

Server Core reduces # of patches by ~60%

Based on all Windows 2000 patches

Servicing burden is reduced by removing components that are most often serviced

More Secure, Reliable and Less Management

Removal of non-value add legacy & client components from server

Page 9

[Diagram: Server Core and Server layers]

Server Core: Security, TCP/IP, File Systems, RPC, plus other Core Server Sub-Systems

Server Core Server Roles: DNS, DHCP, File, AD, AD LDS, Media Server, WVS

Server, with .NetFx, Shell, Tools, etc.: GUI, CLR, Shell, IE, Media, OE, etc.

Server, Server Roles (for example only): TS, IAS, Web Server, SharePoint, etc.

Page 10

[Diagram: Server Core components]

Core Subsystems: Security (Logon scenarios), Networking (TCP/IP), File Systems, RPC, Winlogon, Necessary dependencies

Resolved category dependencies: HAL, Kernel, VGA, Logon, etc.

HW Support components: Disk, Net card, etc.

Infrastructure features: Command shell, Domain join, Event Log, Perf counter infra., WS-Management, WMI infrastructure, Licensing service, WFP, HTTP support, IPSec

"Thin" Management tools (Local and remote): Configure IP address, Join a domain, Create users, etc.

Server Roles and Optional Features: DHCP server role, DNS server role, File server role, Domain Controller role, WINS server role

Page 11

There is a screen in Setup to select either:

Server with the shell and all Server Roles

Server Core with Command Prompt and supported roles

Server Core initial configuration can be done either

Manually using the command line tools

Using an unattend file

Page 12

Same unattend and options as Vista and Server

Can set options that otherwise require editing the registry on Server Core

Display Resolution and Color Depth

<settings pass="oobeSystem">
  <component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86">
    <Display>
      <HorizontalResolution>1024</HorizontalResolution>
      <VerticalResolution>768</VerticalResolution>
      <ColorDepth>16</ColorDepth>
    </Display>
  </component>
</settings>

Page 13

To enable Terminal Services remote admin mode

In the <settings pass="specialize"> section add:

<component name="Microsoft-Windows-TerminalServices-LocalSessionManager" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86">
  <fDenyTSConnections>false</fDenyTSConnections>
</component>

To enable support for pre-Vista/Longhorn Terminal Services clients

In the <settings pass="specialize"> section add:

<component name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86">
  <UserAuthentication>0</UserAuthentication>
</component>

Page 14

After the </InstallTo> section, add the appropriate <InstallFrom> section

Server Core:

<InstallFrom>
  <MetaData>
    <Key>/IMAGE/Name</Key>
    <Value>Windows Longhorn Server Core</Value>
  </MetaData>
</InstallFrom>

Server:

<InstallFrom>
  <MetaData>
    <Key>/IMAGE/Name</Key>
    <Value>Windows Longhorn Server</Value>
  </MetaData>
</InstallFrom>

Page 15

Only a clean install is supported

Cannot upgrade from a previous version of Windows Server

Cannot upgrade from Server Core to Windows Server "Longhorn"

If you need the Explorer Shell or a Server Role that is not supported on Server Core, you will need to reinstall

Cannot upgrade from Windows Server "Longhorn" to Server Core

Page 16

Set Administrator Password

CTRL+ALT+DEL and click Change password

net user administrator *

Activate

Slmgr.vbs -ato

Configure Static IP Address (if required)

Netsh interface ipv4

show interfaces

set address name="ID" source=static address=StaticIP mask=SubnetMask gateway=DefaultGateway

add dnsserver name="ID" address=DNSIP index=1

Join a domain (if required)

Netdom

Page 17

Command line only, no Server Manager

Start /w Ocsetup RolePackage

DHCP = DHCPServerCore

DNS = DNS-Server-Core-Role

File = File-Server-Core-Role

File Replication service = FRS-Infrastructure

Distributed File System service = DFSN-Server

Distributed File System Replication = DFSR-Infrastructure-ServerEdition

Network File System = ServerForNFS-Base

Media Server = MediaServer

Active Directory

Dcpromo /unattend:Unattendfile

Dcpromo now installs Active Directory

Ocsetup not supported for Active Directory

Page 18

Start /w ocsetup OptionalFeaturePackage

Failover Cluster = FailoverCluster-Core

Network Load Balancing = NetworkLoadBalancingHeadlessServer

Subsystem for UNIX-based applications = SUA

Multipath IO = Microsoft-Windows-MultipathIO

Removable Storage Management = Microsoft-Windows-RemovableStorageManagementCore

Bitlocker Drive Encryption = BitLocker

Backup = WindowsServerBackup

Simple Network Management Protocol (SNMP) = SNMP-SC

Telnet Client = TelnetClient

WINS = WINS-SC

Page 19

Start /w Ocsetup Package /uninstall

Except for Active Directory

You must use DCPromo and demote

This will also remove the Active Directory binaries

No Remote GUI for installing or uninstalling roles and features

Page 20

Server Core only command line tool

Lists the Server Role and Optional Feature package names for use with OCSetup

Lists whether the packages are installed or not

Page 21

CMD for local command execution

Terminal Server using CMD

WS-Management and Windows Remote Shell for remote command execution

WMI

Task Scheduler for scheduling jobs and tasks

Event Logging and Event Forwarding

RPC and DCOM for remote MMC support

SNMP

No Managed Code so no PowerShell support

Page 22

Windows Remote Management (WinRM)

WS-Management - secure firewall friendly mgmt protocol

Windows Remote Shell (WinRS)

Remotely execute command line tools and scripts

Requires Windows Vista or Longhorn Server

Only command line tools or scripts without UI can be executed

Prompts are problematic, full interactive mode not supported

For example, “press any key”

Page 23

The Server side of WS-Management

Can be configured

From the command line: WinRM quickconfig

Through an unattend file, by adding the following in the <settings pass="specialize"> section:

<component name="Microsoft-Windows-Web-Services-for-Management-Core" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86">

  <ConfigureWindowsRemoteManagement>true</ConfigureWindowsRemoteManagement>

  </component>

Through GPO
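
The unattend settings on pages 13 and 23 each open a remote-management path, so an answer file is worth checking before it is used for a build. The Python script below is an added example, not part of the original presentation: it parses an unattend file, with or without an XML namespace, and reports which of those settings are switched on. The function names and the sample file are constructed for illustration; the component and element names are the ones on the slides.

```python
import xml.etree.ElementTree as ET

# (component name, element name) -> (enabling value, meaning), as shown on the slides.
REMOTE_ACCESS_SETTINGS = {
    ("Microsoft-Windows-TerminalServices-LocalSessionManager", "fDenyTSConnections"):
        ("false", "Terminal Services remote admin mode enabled"),
    ("Microsoft-Windows-TerminalServices-RDP-WinStationExtensions", "UserAuthentication"):
        ("0", "pre-Vista/Longhorn Terminal Services clients allowed"),
    ("Microsoft-Windows-Web-Services-for-Management-Core", "ConfigureWindowsRemoteManagement"):
        ("true", "Windows Remote Management (WS-Management) configured"),
}

def local(tag):
    """Drop an XML namespace prefix: '{urn:...}settings' -> 'settings'."""
    return tag.rsplit("}", 1)[-1]

def audit_unattend(xml_text):
    """Return (pass, component, element, value, meaning) per enabled setting."""
    findings = []
    for settings in ET.fromstring(xml_text).iter():
        if local(settings.tag) != "settings":
            continue
        for comp in settings:
            if local(comp.tag) != "component":
                continue
            for elem in comp.iter():
                key = (comp.get("name"), local(elem.tag))
                if key not in REMOTE_ACCESS_SETTINGS:
                    continue
                enabling, meaning = REMOTE_ACCESS_SETTINGS[key]
                value = (elem.text or "").strip()
                # Assumption: 'True'/'TRUE' should be reported like 'true'.
                if value.lower() == enabling:
                    findings.append((settings.get("pass"), *key, value, meaning))
    return findings

# Constructed sample: slide fragments wrapped in an <unattend> root, with
# WinRM deliberately left off so only two settings should be reported.
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-TerminalServices-LocalSessionManager">
      <fDenyTSConnections>false</fDenyTSConnections>
    </component>
    <component name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions">
      <UserAuthentication>0</UserAuthentication>
    </component>
    <component name="Microsoft-Windows-Web-Services-for-Management-Core">
      <ConfigureWindowsRemoteManagement>false</ConfigureWindowsRemoteManagement>
    </component>
  </settings>
</unattend>"""

if __name__ == "__main__":
    for finding in audit_unattend(SAMPLE):
        print(finding)
```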

Page 24

The Client side of WS-Management

WinRS -r:<remote endpoint> command

Remote endpoint can be

-r:https://myserver.com

-r:myserver

-r:http://127.0.0.1

-r:http://169.51.2.101:80

For example

Winrs -r:myserver dir c:\windows\system32\*.dll

WinRS -? for help

Page 25

Turn on Terminal Services remote admin

winrs -r:myserver cscript \windows\system32\scregedit.wsf /ar 0

Allow pre-Vista/Longhorn TS clients

winrs -r:myserver cscript \windows\system32\scregedit.wsf /cs 0

Join a domain

winrs -r:myserver netdom add myserver /domain:testdomain /userd:administrator /passwordd:<password>

Add domain admin to local admins

winrs -r:myserver net localgroup administrators testdomain\administrator /add

Page 26

Not all tasks can be performed from the command line or remotely

SCRegEdit.wsf is included in Server Core to:

Enable automatic updates

Enable Terminal Server Remote Admin Mode

Enable remote IPSec Monitor management

Configure DNS SRV record weight and priority

New /cli switch that lists common command line tools and switches

Located in \Windows\System32

Page 27

Plug and Play is included in Server Core

If you add hardware with an inbox driver, PnP will "silently" install the driver

If the driver is not included, but you have a PnP driver for the hardware

Copy the driver files to the Server Core box

Execute: Pnputil -i -a driverinf

To list installed drivers

sc query type= driver

To remove a driver

sc delete service_name

Page 28

Limited functionality for specific scenarios

Time zone, to change

Control timedate.cpl

Keyboards and/or language, to change

Control intl.cpl

Page 29

Included, but with limitations

Help does not work

An app compat shim was added in IDS-1, which allows

Open, Save, and Save As to all work now

These use the Win95 version of the common dialog

Copy, Paste, Find, Replace, etc all work

Page 30

If you close the command prompt window

Locally, you can either:

Press ctrl-alt-del, click Start Task Manager, click File, click Run, and enter cmd.exe

Log off and back on again

In a Terminal Services session:

You can use the Terminal Services MMC snap-in to remotely log off

You can use the Terminal Services command line tools remotely:

query session /server:<servername>

logoff <session_id> /server:<servername>

Page 31

No support for Managed Code

No PowerShell in Longhorn

No balloon notifications, such as for activation

Password expiration is now a balloon notification, so it will not appear on Server Core

Runonce is not supported on Server Core

Page 32

Server Core is not an application platform

Server Core does support management tools, utilities, and agents

Remote Management tools should not require changes

Need to use one of the protocols supported in Server core, such as RPC

Page 33

Management agents may require changes to work on Server Core

Agents cannot have shell or GUI dependencies

Agents cannot use managed code

Test your agents on Server Core

Beta SDK includes a list of APIs supported in Server Core

Page 34

Newsgroups

http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=582&SiteID=17

Server Core Blog

http://blogs.technet.com/server_core/default.aspx

“Command-line reference A-Z” in Help is very helpful

Online at: http://go.microsoft.com/fwlink/?LinkId=20331

Page 35

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.