TRANSCRIPT
Satisfy Your Technical Curiosity
Server Core: Running a Minimal Server
David Lowe, Senior Product Manager
Windows Server
Microsoft Confidential
Today’s Challenges
Server Core Overview and Benefits
Server Core Architecture
Server Core Installation and Initial Configuration
Adding Server Roles
Administering Server Core
Windows Server is frequently deployed to support a single role or a fixed workload
In this scenario, administrators are required to deploy and service all of Windows Server
These non-value-add features (with respect to a fixed-workload server) present a servicing and security burden
Administrators think of servers in terms of server roles
Value Proposition
Reduce the attack and servicing surface area for certain server roles by only installing what is required and what administrators use
Servers optimized by role are easier to service and manage
  Fewer patches
  Server management lifecycle oriented around roles
  IT staff can specialize on their role(s)
Increased reliability and security
  Less installed and less running
Server Core is:
  A minimal installation option for Longhorn Server
  Included with Standard, Enterprise, and Datacenter
  Available for x86 and x64
Server Core provides minimal server OS functionality
Low surface area server for targeted roles
Includes:
  A set of server roles: DHCP, File, AD, AD LDS, Media Services, DNS, and Windows Virtualization Services
  The following optional features: WINS, Failover Clustering, Subsystem for UNIX-based applications, Backup, Multipath I/O, Removable Storage Management, BitLocker Drive Encryption, SNMP, Telnet Client
Command line interface, no GUI shell
Fewer Patches
Server Core reduces the number of patches by ~60% (based on all Windows 2000 patches)
Servicing burden is reduced by removing the components that are most often serviced
More Secure, Reliable and Less Management
Removal of non-value-add legacy and client components from the server
Server Core Server Roles (layer diagram)
Server Core layer: Security, TCP/IP, File Systems, RPC, plus other core server sub-systems
Roles hosted on Server Core: DNS, DHCP, File, AD, AD LDS, Media Server, WVS
Full Server adds: .NetFx, Shell, Tools, GUI, CLR, IE, Media, OE, etc.
Roles that need the full Server (for example only): TS, IAS, Web Server, SharePoint, etc.
Server Core (component diagram)
Core Subsystems: Security (logon scenarios), Networking (TCP/IP), File Systems, RPC, Winlogon, necessary dependencies
Resolved category dependencies: HAL, Kernel, VGA, Logon, etc.
HW support components: Disk, Net card, etc.
Infrastructure features: Command shell, Domain join, Event Log, Perf counter infrastructure, WS-Management, WMI infrastructure, Licensing service, WFP, HTTP support, IPsec
"Thin" management tools (local and remote): configure IP address, join a domain, create users, etc.
Server Roles: DHCP server role, DNS server role, File server role, Domain Controller role
Optional Features: WINS server
There is a screen in Setup to select either:
Server with the shell and all Server Roles
Server Core with Command Prompt and supported roles
Server Core initial configuration can be done either
Manually using the command line tools
Using an unattend file
Same unattend and options as Vista and Server
Can set options that otherwise require editing the registry on Server Core
Display resolution and color depth:
<settings pass="oobeSystem">
  <component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86">
    <Display>
      <HorizontalResolution>1024</HorizontalResolution>
      <VerticalResolution>768</VerticalResolution>
      <ColorDepth>16</ColorDepth>
    </Display>
  </component>
</settings>
To enable Terminal Services remote admin mode, in the <settings pass="specialize"> section add:
<component name="Microsoft-Windows-TerminalServices-LocalSessionManager" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86">
  <fDenyTSConnections>false</fDenyTSConnections>
</component>
To enable support for pre-Vista/Longhorn Terminal Services clients, in the <settings pass="specialize"> section add:
<component name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86">
  <UserAuthentication>0</UserAuthentication>
</component>
Caveat: UserAuthentication 0 turns off Network Level Authentication, so any client can establish an RDP session and reach the logon screen before it has authenticated. Leave it at 1 unless pre-Vista clients genuinely have to connect.
After the </InstallTo> section, add the appropriate <InstallFrom> section
Server Core:
<InstallFrom>
  <MetaData>
    <Key>/IMAGE/Name</Key>
    <Value>Windows Longhorn Server Core</Value>
  </MetaData>
</InstallFrom>
Server:
<InstallFrom>
  <MetaData>
    <Key>/IMAGE/Name</Key>
    <Value>Windows Longhorn Server</Value>
  </MetaData>
</InstallFrom>
Only a clean install is supported
Cannot upgrade from a previous version of Windows Server
Cannot upgrade from Server Core to Windows Server "Longhorn"
If you need the Explorer shell or a server role that is not supported on Server Core, you will need to reinstall
Cannot upgrade from Windows Server "Longhorn" to Server Core
Set Administrator password: CTRL+ALT+DEL and click Change password, or: net user administrator *
Activate: slmgr.vbs -ato
Configure static IP address (if required): netsh interface ipv4
  show interfaces
  set address name="ID" source=static address=StaticIP mask=SubnetMask gateway=DefaultGateway
  add dnsserver name="ID" address=DNSIP index=1
Join a domain (if required): netdom
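The four initial-configuration steps above, as one console script. This is an added example, not material from the deck: the interface name, addresses, domain name and DNS server are hypothetical placeholders. It keeps both passwords off the command line (net user and netdom both accept * to prompt, which is fine at the local console) and checks that the DC locator record resolves before attempting the join, since a join with broken DNS fails late and unhelpfully.

```batch
@echo off
rem Added example (not from the original deck): first-boot configuration of a
rem Server Core box, typed at the local console. Hypothetical values:
rem interface "Local Area Connection", 10.0.0.20/24, gateway 10.0.0.1,
rem DNS server 10.0.0.10, domain corp.example.
setlocal

set IFNAME=Local Area Connection
set IPADDR=10.0.0.20
set MASK=255.255.255.0
set GATEWAY=10.0.0.1
set DNSIP=10.0.0.10
set DOMAIN=corp.example

rem 1. Local Administrator password. "*" makes net user prompt instead of
rem    putting the password on the command line (and into any console log).
net user administrator *
if errorlevel 1 goto :fail

rem 2. Activate. Slmgr is a WSH script; cscript keeps its output on the console.
cscript //nologo %SystemRoot%\system32\slmgr.vbs -ato

rem 3. Static addressing. "show interfaces" lists names and indexes; the
rem    set/add lines replace the DHCP-assigned settings on the chosen interface.
netsh interface ipv4 show interfaces
netsh interface ipv4 set address name="%IFNAME%" source=static address=%IPADDR% mask=%MASK% gateway=%GATEWAY%
if errorlevel 1 goto :fail
netsh interface ipv4 add dnsserver name="%IFNAME%" address=%DNSIP% index=1
if errorlevel 1 goto :fail
netsh interface ipv4 show addresses name="%IFNAME%"

rem 4. Confirm the domain's DC locator record resolves through the DNS server
rem    just configured. nslookup reports "can't find" when it does not.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %DNSIP% 2>&1 | findstr /i /c:"can't find" >nul
if not errorlevel 1 (
    echo DC locator record for %DOMAIN% not found via %DNSIP%. Fix DNS before joining.
    goto :fail
)

rem 5. Join. /passwordd:* prompts for the password; /reboot:10 restarts after the join.
netdom join %COMPUTERNAME% /domain:%DOMAIN% /userd:administrator /passwordd:* /reboot:10
if errorlevel 1 goto :fail
endlocal
exit /b 0

:fail
echo Initial configuration step failed; fix the error above and rerun.
endlocal
exit /b 1
```

The script stops at the first failing step rather than continuing, because a half-applied network configuration on a box with no GUI is harder to diagnose than a clean stop. Run it a second time after correcting the failing value; every step is idempotent except the join.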
Command line only, no Server Manager
Start /w Ocsetup RolePackage
  DHCP = DHCPServerCore
  DNS = DNS-Server-Core-Role
  File = File-Server-Core-Role
  File Replication service = FRS-Infrastructure
  Distributed File System service = DFSN-Server
  Distributed File System Replication = DFSR-Infrastructure-ServerEdition
  Network File System = ServerForNFS-Base
  Media Server = MediaServer
Package names are case sensitive; copy them exactly as listed
Active Directory: Dcpromo /unattend:Unattendfile
  Dcpromo now installs Active Directory
  Ocsetup not supported for Active Directory
Start /w ocsetup OptionalFeaturePackage
  Failover Cluster = FailoverCluster-Core
  Network Load Balancing = NetworkLoadBalancingHeadlessServer
  Subsystem for UNIX-based applications = SUA
  Multipath I/O = Microsoft-Windows-MultipathIO
  Removable Storage Management = Microsoft-Windows-RemovableStorageManagementCore
  BitLocker Drive Encryption = BitLocker
  Backup = WindowsServerBackup
  Simple Network Management Protocol (SNMP) = SNMP-SC
  Telnet Client = TelnetClient
  WINS = WINS-SC
Start /w Ocsetup Package /uninstall
Except for Active Directory: you must use Dcpromo and demote; this will also remove the Active Directory binaries
No remote GUI for installing or uninstalling roles and features
Server Core-only command line tool
Lists the Server Role and Optional Feature package names for use with OCSetup
Lists whether the packages are installed or not
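An install-and-verify loop for the role and feature packages listed on the previous slides, as an added example that is not from the deck. It assumes the package-listing tool described above is oclist.exe, the name Windows Server 2008 Server Core ships it under (the deck itself does not name it), and that oclist prints one line per package reading "Installed:Name" or "Not Installed:Name". The packages chosen are a hypothetical example; ocsetup exit code 3010 is the Windows "success, reboot required" code.

```batch
@echo off
rem Added example (not from the deck): install a role and an optional feature
rem with ocsetup, then verify with the package-listing tool. Assumed: that tool
rem is oclist.exe (the deck does not name it) and it prints one line per
rem package of the form "Installed:Name" or "Not Installed:Name". Package
rem names are case sensitive for ocsetup, so they are copied exactly as
rem listed. The package choice is hypothetical.
setlocal enabledelayedexpansion

set PACKAGES=DNS-Server-Core-Role SNMP-SC
set REBOOT=0

for %%P in (%PACKAGES%) do (
    rem Already installed? Match "Installed:Name" but drop "Not Installed:Name".
    oclist | findstr /i /c:"Installed:%%P" | findstr /v /i /c:"Not Installed" >nul
    if !errorlevel! equ 0 (
        echo %%P is already installed.
    ) else (
        echo Installing %%P ...
        rem start /w makes cmd wait for ocsetup. Without it ocsetup returns
        rem at once and the errorlevel says nothing about the install.
        start /w ocsetup %%P
        if !errorlevel! equ 3010 (
            echo %%P installed, reboot required.
            set REBOOT=1
        ) else if !errorlevel! neq 0 (
            echo ocsetup failed for %%P with code !errorlevel!. Compare the name with the oclist output, case included.
            exit /b 1
        ) else (
            echo %%P installed.
        )
    )
)

rem Re-read the package list so the report reflects the box, not the script.
echo Current state of requested packages:
for %%P in (%PACKAGES%) do (oclist | findstr /i /c:":%%P")

if %REBOOT% equ 1 echo Reboot needed: shutdown /r /t 0 when convenient.
endlocal
exit /b 0
```

Uninstalling is the same call with /uninstall appended to the ocsetup line; the verification step is unchanged, which is the reason for re-reading oclist rather than trusting the exit code alone.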
CMD for local command execution
Terminal Server using CMD
WS-Management and Windows Remote Shell for remote command execution
WMI
Task Scheduler for scheduling jobs and tasks
Event Logging and Event Forwarding
RPC and DCOM for remote MMC support
SNMP
No Managed Code so no PowerShell support
Windows Remote Management (WinRM): WS-Management, a secure, firewall-friendly management protocol
Windows Remote Shell (WinRS): remotely execute command line tools and scripts
Requires Windows Vista or Longhorn Server
Only command line tools or scripts without UI can be executed
Prompts are problematic; full interactive mode is not supported
For example, "press any key"
The server side of WS-Management
Can be configured:
From the command line: WinRM quickconfig (this creates an HTTP listener and the matching firewall exception; add an HTTPS listener separately if the box will be managed from outside the domain)
Through an unattend file, by adding the following in the <settings pass="specialize"> section:
<component name="Microsoft-Windows-Web-Services-for-Management-Core" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86">
  <ConfigureWindowsRemoteManagement>true</ConfigureWindowsRemoteManagement>
</component>
Through GPO
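The Terminal Services fragments from the earlier unattend slides and the WinRM fragment above, assembled into one specialize pass so a Server Core image comes up remotely manageable at first boot. This is an added example, not an unattend file from the deck; it assumes an x86 image as the deck's fragments do. The one deliberate difference from the slides is UserAuthentication, left at 1 so Network Level Authentication stays required.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the deck): specialize pass that enables Remote
     Desktop for administration and WinRM. Assumed: x86 image. UserAuthentication
     stays 1 so Network Level Authentication is required; set 0 only if pre-Vista
     TS clients must connect, accepting that the server then authenticates the
     user after the RDP session has already been established. -->
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-TerminalServices-LocalSessionManager"
               processorArchitecture="x86" publicKeyToken="31bf3856ad364e35"
               language="neutral" versionScope="nonSxS">
      <fDenyTSConnections>false</fDenyTSConnections>
    </component>
    <component name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions"
               processorArchitecture="x86" publicKeyToken="31bf3856ad364e35"
               language="neutral" versionScope="nonSxS">
      <UserAuthentication>1</UserAuthentication>
    </component>
    <component name="Microsoft-Windows-Web-Services-for-Management-Core"
               processorArchitecture="x86" publicKeyToken="31bf3856ad364e35"
               language="neutral" versionScope="nonSxS">
      <ConfigureWindowsRemoteManagement>true</ConfigureWindowsRemoteManagement>
    </component>
  </settings>
</unattend>
```

For an x64 image change the three processorArchitecture attributes to amd64. After first boot, confirm the result from the console with cscript scregedit.wsf /ar /v and /cs /v rather than assuming the pass applied.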
The client side of WS-Management
WinRS -r:<remote endpoint> command
Remote endpoint can be:
  -r:https://myserver.com
  -r:myserver
  -r:http://127.0.0.1
  -r:http://169.51.2.101:80
For example: winrs -r:myserver dir c:\windows\system32\*.dll
WinRS -? for help
Prefer a host name (so Kerberos can be used inside the domain) or the https: form. An endpoint given only by IP address cannot use Kerberos; over http: it falls back to NTLM, and a client outside the domain then has to be configured to trust that host explicitly.
Turn on Terminal Services remote admin: winrs -r:myserver cscript \windows\system32\scregedit.wsf /ar 0
Allow pre-Vista/Longhorn TS clients: winrs -r:myserver cscript \windows\system32\scregedit.wsf /cs 0
  Caveat: /cs 0 turns off Network Level Authentication; skip it unless such clients are required
Join a domain: winrs -r:myserver netdom join myserver /domain:testdomain /userd:administrator /passwordd:<password>
  (netdom join performs the join; netdom add only pre-creates the computer account in the domain)
  Caveat: the password is on the command line on both the client and the server, and so visible in process listings and any command logging
Add domain admin to local admins: winrs -r:myserver net localgroup administrators testdomain\administrator /add
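The remote version of the initial configuration, driven over WinRS from a Vista or Longhorn admin workstation and reading each setting back after changing it. This is an added example, not from the deck. The server name SC01, the domain testdomain and the presence of an HTTPS WinRM listener on the server are assumptions. Because WinRS cannot service prompts, both passwords end up on a command line; the script reads them at run time rather than embedding them, which is the best available on this platform.

```batch
@echo off
rem Added example (not from the deck): push the initial settings to a Server
rem Core box over WinRS from a Vista/Longhorn admin workstation, reading each
rem setting back after changing it. Hypothetical: server SC01 with an HTTPS
rem WinRM listener, domain testdomain. Passwords are read at run time rather
rem than hard-coded, but WinRS still puts them on a command line (local for
rem -p:, local and remote for /passwordd:). set /p echoes what is typed.
setlocal
set SERVER=SC01
set /p LOCALPW="Local administrator password for %SERVER%: "
set RS=winrs -r:https://%SERVER% -u:%SERVER%\administrator -p:%LOCALPW%
set SCE=cscript //nologo \windows\system32\scregedit.wsf

rem 1. Prove the listener answers before changing anything.
%RS% hostname
if errorlevel 1 (
    echo No WinRM response from %SERVER%. Run "winrm quickconfig" at its console first.
    exit /b 1
)

rem 2. Remote Desktop for administration: set it, then read it back with /v.
%RS% %SCE% /ar 0
%RS% %SCE% /ar /v

rem 3. Pre-Vista client support is left alone: "/cs 0" switches Network Level
rem    Authentication off. Only display the current value.
%RS% %SCE% /cs /v

rem 4. Join the domain and reboot after 30 seconds. "netdom join" is the verb
rem    that joins; "netdom add" only pre-creates the computer account.
set /p JOINPW="Password for testdomain\administrator: "
%RS% netdom join %SERVER% /domain:testdomain /userd:administrator /passwordd:%JOINPW% /reboot:30
set JOINPW=
set LOCALPW=

echo After the reboot, grant and verify local admin rights for the domain admin:
echo   winrs -r:https://%SERVER% net localgroup administrators testdomain\administrator /add
echo   winrs -r:https://%SERVER% net localgroup administrators
endlocal
```

The last two commands are printed rather than run because the box is rebooting; once it is back and the workstation is domain-joined, they run under the caller's Kerberos credentials with no -u: or -p: needed.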
Not all tasks can be performed from the command line or remotely
SCRegEdit.wsf is included in Server Core to:
Enable automatic updates
Enable Terminal Server Remote Admin Mode
Enable remote IPSec Monitor management
Configure DNS SRV record weight and priority
New /cli switch that lists common command line tools and switches
Located in \Windows\System32
Plug and Play is included in Server Core
If you add hardware with an inbox driver, PnP will "silently" install the driver
If the driver is not included, but you have a PnP driver for the hardware:
  Copy the driver files to the Server Core box
  Execute: pnputil -i -a <driver>.inf
To list installed drivers: sc query type= driver
To remove a driver: sc delete service_name
Limited functionality for specific scenarios
Time zone, to change: control timedate.cpl
Keyboards and/or language, to change: control intl.cpl
Included, but with limitations: Help does not work
An app compat shim was added in IDS-1, which allows Open, Save, and Save As to all work now
These use the Win95 version of the common dialog
Copy, Paste, Find, Replace, etc. all work
If you close the command prompt window
Locally, you can either:
  Press ctrl-alt-del, click Start Task Manager, click File, click Run, and enter cmd.exe
  Log off and back on again
In a Terminal Services session:
  You can use the Terminal Services MMC snap-in to remotely log off
  You can use the Terminal Services command line tools remotely:
    query session /server:<servername>
    logoff <session_id> /server:<servername>
No support for managed code, so no PowerShell in Longhorn
No balloon notifications, such as for activation
Password expiration is now a balloon notification, so it will not appear on Server Core
Runonce is not supported on Server Core
Server Core is not an application platform
Server Core does support management tools, utilities, and agents
Remote Management tools should not require changes
Need to use one of the protocols supported in Server core, such as RPC
Management agents may require changes to work on Server Core
Agents cannot have shell or gui dependencies
Agents cannot use managed code
Test your agents on Server Core
Beta SDK includes a list of APIs supported in Server Core
Newsgroups: http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=582&SiteID=17
Server Core Blog: http://blogs.technet.com/server_core/default.aspx
"Command-line reference A-Z" in Help is very helpful
Online at: http://go.microsoft.com/fwlink/?LinkId=20331
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.