Server Core:Running A Minimal ServerJeff AlexanderIT Pro EvangelistMicrosoft Australia

SVR306

Agenda

Today’s ChallengesServer Core Overview and BenefitsServer Core ArchitectureServer Core Installation and Initial ConfigurationAdding Server RolesAdministering Server Core

Today’s Challenges

Windows Server is frequently deployed to support a single role or a fixed workload

In this scenario, administrators are required to deploy and service all of Windows ServerThese non-value add features (wrt fixed workload server) present a servicing and security burden

Administrators think of servers in terms of server roles

Today’s Challenges (cont.)

Value PropositionReduce the attack and servicing surface area for certain server roles by only installing what is required and administrators useServers optimized by role are easier to service and manage

Fewer patchesServer management lifecycle oriented around rolesIT Staff can specialize on their role(s)

Increased reliability and securityLess installed and less running

Server Core Overview

Server Core is:A minimal installation option for Windows Server 2008Included in the general purpose Windows Server 2008 SKUsAvailable for x86 and x64

Server Core Overview (cont.)

Server CoreProvides minimal server OS functionalityLow surface area server for targeted roles

In Beta 3, Server Core includesA set of server roles

DHCP, File, Print, AD, AD LDS, Media Services, and DNS

The following optional features:WINS, Failover Clustering, Subsystem for UNIX-based applications, Backup, Multipath IO, Removable Storage Management, Bitlocker Drive Encryption, SNMP, Telnet Client, QoS

Command Line interface, no GUI Shell

Server Core Introduction

demo

Benefits of Server Core

Fewer PatchesServer Core reduces # of patches by ~60%

Based on all Windows 2000 patches

Servicing burden is reduced by removing components that are most often serviced

More Secure, Reliable and Less Management

Removal of non-value add legacy & client components from server

Server Core: Smaller Footprint

demo

Windows Server Core

Minimal installation optionLow surface area Command line interfaceLimited set of server roles

Server Core Server Roles

Server CoreSecurity, TCP/IP, File Systems, RPC,plus other Core Server Sub-Systems

DNS DHCP FileAD

ServerWith WinFx, Shell, Tools,

etc.

TS IASWebServer

SharePoint Etc..

Server, Server Roles (for example only)

GUI, CLR, Shell, IE, Media, OE, etc.

AD LDS

IIS 7 WSV

Server Core

Core Subsystems

Security (Logon scenarios) Networking (TCP/IP)File SystemsRPCWinlogonNecessary dependencies

Resolved category dependenciesHALKernelVGALogonetc.

HW Support componentsDiskNet cardetc.

DHCP server role

Infrastructure features

Command shellDomain joinEvent LogPerf counter infra.WS-ManagementWMI infrastructureLicensing serviceWFPHTTP supportIPSec

“Thin” Management tools (Local and remote)Configure IP addressJoin a domainCreate usersetc.

DNS server role

File server role

Domain Controller

role

WINS server roleServer Roles Optional Features

Deploying Server Core

There is a screen in Setup to select either:

Server with the shell and all Server RolesServer Core with Command Prompt and supported roles

Server Core initial configuration can be

done eitherManually using the command line toolsUsing an unattend file

Unattended Install

Same unattend and options as Vista and ServerCan set options that otherwise require editing the registry on Server Core

Display Resolution and Color Depth<settings pass="oobeSystem">

<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86">

<Display><HorizontalResolution>1024</

HorizontalResolution><VerticalResolution>768</VerticalResolution><ColorDepth>16</ColorDepth>

</Display></component>

</settings>

Selecting Server Core in Unattend

After the </InstallTo> section, add the appropriate <InstallFrom> sectionServer Core:<InstallFrom>

<MetaData><Key>/IMAGE/Name</Key><Value>Windows Longhorn Server Core</Value>

</MetaData></InstallFrom>

Server<InstallFrom>

<MetaData><Key>/IMAGE/Name</Key><Value>Windows Longhorn Server</Value>

</MetaData></InstallFrom>

No Server Core Upgrades

Only a clean install is supportedCannot upgrade from a previous version of Windows ServerCannot upgrade from Server Core to full Server with the GUI shellCannot upgrade from full Server with the GUI shell to Server Core

Server Core Initial Configuration

Set Administrator PasswordCTRL+ALT+DEL and click Change passwordnet user administrator *

ActivateSlmgr.vbs –ato

Configure Static IP Address (if required)

Netsh interface ipv4show interfacesset address name="ID" source=static address=StaticIP mask=SubnetMask gateway=DefaultGateway add dnsserver name="ID" address=DNSIP index=1

Join a domain (if required)Netdom

Server Core: Initial Configuration

demo

Adding Server Roles

Command line only, no Server Manager Start /w Ocsetup RolePackage

DHCP = DHCPServerCore DNS = DNS-Server-Core-Role File = File-Server-Core-Role File Replication service = FRS-InfrastructureDistributed File System service = DFSN-ServerDistributed File System Replication = DFSR-Infrastructure-ServerEditionNetwork File System = ServerForNFS-BaseMedia Server = MediaServer

Active DirectoryDcpromo /unattend:UnattendfileDcpromo now installs Active DirectoryOcsetup not supported for Active Directory

Server Core: Managing Server Roles

demo

IIS 7 On Server CoreNot included:

Management Service and GUI ToolsASP.NET supportPowerShell cmdlets

Can be managed remotely using IIS PowerShell cmdlets or managed codeSame installation granularity as on Server installations

Top level packages are:

IIS-WebServerManagementTools IIS-IIS6ManagementCompatibility IIS-ManagementScriptingToolsWAS-WindowsActivationService WAS-ProcessModel

IIS-WebServerRole IIS-FTPPublishingService IIS-FTPServer IIS-WebServer IIS-ApplicationDevelopment IIS-CommonHttpFeatures IIS-HealthAndDiagnostics IIS-Performance IIS-Security

Server Core: Installing IIS 7.0 Role

demo

Adding Optional Features

Start /w ocsetup OptionalFeaturePackage

Failover Cluster = FailoverCluster-CoreNetwork Load Balancing = NetworkLoadBalancingHeadlessServerSubsystem for UNIX-bases applications = SUAMultipath IO = Microsoft-Windows-MultipathIORemovable Storage Management = Microsoft-Windows-RemovableStorageManagementCoreBitlocker Drive Encryption = BitLockerBackup = WindowsServerBackupSimple Network Management Protocol (SNMP) = SNMP-SCTelnet Client = TelnetClientWINS = WINS-SC

Server Core: Managing Features

demo

Uninstalling Roles and Features

Start /w Ocsetup Package /uninstallExcept for Active Directory

You must use DCPromo and demoteThis will also remove the Active Directory binaries

No Remote GUI for installing or uninstalling roles and features

OCList.exe

Server Core only command line toolLists the Server Role and Optional Feature package names for use with OCSetupLists whether the packages are installed or not

Managing Server CoreCMD for local command execution Terminal Server using CMDWS-Management and Windows Remote Shell for remote command execution WMI

Can use WMI based PowerShell scripts and cmdlets remotely

Task Scheduler for scheduling jobs and tasksEvent Logging and Event ForwardingRPC and DCOM for remote MMC supportSNMPScripting host

SCRegEdit.wsf

Not all tasks can be performed from the command line or remotelySCRegEdit.wsf is included in Server Core to:

Enable automatic updatesEnable Terminal Server Remote Admin ModeEnable remote IPSec Monitor managementConfigure DNS SRV record weight and priority

/cli switch that lists common command line tools and switchesLocated in \Windows\System32

Managing with Windows Remote Shell

Windows Remote Management (WinRM)

WS-Management - secure firewall friendly

mgmt protocolWindows Remote Shell (WinRS)

Requires Windows Vista or Windows Server 2008Only command line tools or scripts without UI can be executed Prompts are problematic, full interactive mode not supported

For example, “press any key”

Configuring WinRM on Server CoreThe Server side of WS-Management

From the command lineWinRM quickconfig

Through an unattend fileIn the <settings pass=“specialize”> section add:<component name=“Microsoft-Windows-Web-

Services-for-Management-Core” publicKeyToken=“31bf3856ad364e35” language=“neutral” versionScope=“nonSxS” processorArchitecture=“x86”> 

<ConfigureWindowsRemoteManagement>true</ConfigureWindowsRemoteManagement>

  </component>

Can also be configured using Group Policy

Using WinRS

The Client side of WS-ManagementWinRS –r:<remote endpoint> command

Remote endpoint can be-r:https://myserver.com-r:myserver-r:http://127.0.0.1-r:http://169.51.2.101:80

For exampleWinrs –r:myserver dir c:\windows\system32\*.dll

WinRS Examples

Turn on Terminal Services remote adminwinrs -r:myserver cscript \windows\system32\scregedit.wsf /ar 0

Allow pre-Vista/Longhorn TS clientswinrs -r:myserver cscript \windows\system32\scregedit.wsf /cs 0

Join a domainwinrs -r:myserver netdom add myserver /domain:testdomain /userd:administrator /passwordd:<password>

Add domain admin to local adminswinrs -r:myserver net localgroup administrators testdomain\administrator /add

Server Core: Remote Management

demo

Hardware on Server Core

Plug and Play is included in Server Core

If you add hardware with an inbox driver, PnP will “silently” install the driver

If the driver is not included, but you have a PnP driver for the hardware

Copy the driver files to the Server Core boxPnputil –i –a driverinf

To list installed driverssc query type= driver

To remove a driversc delete service_name

Control Panel in Server Core?

Limited functionality for specific scenariosTime zone, to change

Control timedate.cplKeyboards and/or language, to change

Control intl.cpl

Notepad and Regedit

NotepadHas the following limitations

Help does not workOpen, Save and Save As work in Beta 3

Copy, Paste, Find, Replace, etc all workRegedit

Help does not work

Restarting CMD.EXE

If you close the command prompt windowLocally, you can either:

Press ctrl-alt-del, click Start Task Manager, click File, click Run, and enter cmd.exeLog off and back on again

In a Terminal Services session:You can use the Terminal Services MMC snapin to remotely logoffYou can use the Terminal Serivces command line tools remotely:

query session /server:<servername>logoff <session_id> /server:<servername>

Limitations of Server Core

No support for Managed CodeNo balloon notifications, such as for activation

Password expiration is now a balloon notification, so it will not appear on Server Core

Runonce is not supported on Server Core

Mgmt Tools on Server Core

Server Core is not an application platformServer Core does support development of Management tools, utilities, and agents

Remote Management tools should not require changes

Need to use one of the protocols supported in Server core, such as RPC

Mgmt Tools on Server Core (cont)

Management agents may require changes to work on Server Core

Agents cannot have shell or gui dependenciesAgents cannot use managed codeTest your agents on Server CoreBeta SDK includes a list of APIs supported in Server Core

Server Core: Additional Tools

demo

Server Core ResourcesStep by Step Guide

Online athttp://technet2.microsoft.com/windowsserver/longhorn/en/library/bab0f1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=true

Download in Word Document in the Download Centerhttp://download.microsoft.com/

Newsgroupshttp://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=582&SiteID=17

Server Core Bloghttp://blogs.technet.com/server_core/default.aspx

Emailsrvcfdbk@microsoft.com

“Command-line reference A-Z” in Help is very helpful

Online at: http://go.microsoft.com/fwlink/?LinkId=20331

ResourcesTechnical Communities, Webcasts, Blogs, Chats & User Groupshttp://www.microsoft.com/communities/default.mspx

Microsoft Developer Network (MSDN) & TechNet http://microsoft.com/msdn http://microsoft.com/technet

Trial Software and Virtual Labshttp://www.microsoft.com/technet/downloads/trials/default.mspx

Microsoft Learning and Certificationhttp://www.microsoft.com/learning/default.mspx

Evaluation Forms

Questions?

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after

the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.