Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Server Core’ Category

(2010-07-29) Windows Server Core Configurator

Posted by Jorge on 2010-07-29

With Windows Server 2008, Microsoft introduced Server Core into the Windows Server operating system, which is a new installation option. Summarized: Windows Server WITH a GUI is Full Server and Windows Server WITHOUT a GUI is Server Core. You could also call it "Windows without Windows" or "Windows Command Prompt".

Server Core has limited support for GUIs. Because of that a lot of the stuff locally must be done through Command Line Tools already in the operating system or third-party (free) tools. A non-exhaustive list of command line tools in Server Core can be found here.

Server Core is the perfect Windows Server option with the lowest attack surface you can imagine. Lots of the baggage that Full Server has is not available. If it is not available there’s not much left to attack.

Although perfect in terms of security, admins may not feel that well because they do not always know all the required command line utilities with their options to do something on the server.

A while ago, the Server Core Configurator was born which allowed an admin to use a GUI to do stuff locally on Server Core. The story about that tool can be found here. Unfortunately that tool is not available anymore to download. So, what are the options now?

On codeplex you will find two versions of Windows Server Core Configurator. Version 1.1 can be used on Windows Server 2008 Server Core (x86 and x64) and on Windows Server 2008 R2 Server Core (x64 only) because it is based upon VB Script. Version 2.0 can only be used on Windows Server 2008 R2 Server Core (x64 only) because it leverages PowerShell. The required features are "NetFx-ServerCore Feature" and "PowerShell" and both are only available on the Server Core version of Windows Server 2008 R2. As soon as you start version 2.0 it checks for the required features. If those are not installed, then those will be installed. If you are using Server Core on Windows Server 2008 R2, I really suggest you use version 2.0 of the Windows Server Core Configurator. The GUI is amazing!

Have a look at some screenshots for both versions.

"Windows Server Core Configurator Version 1.1"


"Windows Server Core Configurator Version 2.0"


Isn’t this just COOL?!

* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
############### Jorge’s Quest For Knowledge #############
######### ########


Posted in Server Core, Tooling/Scripting, Windows Server | Leave a Comment »

(2008-03-26) A New Gang In Town – Server Core (W2K8)

Posted by Jorge on 2008-03-26

You probably already know it by now. If you don’t, where the heck have you been lately? Windows Server 2008 provides two installation options. The first is Windows Server WITH a GUI (Full Server) and the second one is Windows Server WITHOUT a GUI (Server Core). Although it only shows a command prompt after logon, it supports very limited GUI functionality (e.g. NOTEPAD, REGEDIT, etc.). It could however be called "Windows without Windows".

So, if you want to manage Server Core locally your knowledge of command line utilities must be quite good. If you want manage it remotely, you can use MMCs and WinRS. To summarize, these are notes I made once during beta test. Enjoy!

REMARK: Make sure you go to the end of this post as it contains a reference to another very interesting post!

Windows Server Core Characteristics:

  • Minimal server installation for running specific server roles
  • Reduces servicing, management and hardware requirements and attack surface!!!
    • No Windows/Internet Explorer
    • No .NET Framework
    • No Powershell
    • No features or whatever depending on the features listed above this one like for example notifications and balloons
  • Disk space required for a normal server: approx. (min.) 7-8 GB
  • Disk space required for a server core server: approx. (min.) 2-3 GB
  • Supported server roles (OCLIST.EXE): IIS (without ASP.NET), Print Server, Hyper-V, ADDS, ADLDS, DHCP Server, DNS, File Server (incl. NTFRS, DFS-R and DFS)
    REMARK: available roles may depend on Server Edition (standard, enterprise, datacenter, web)
  • Supported server features (OCLIST.EXE): Bitlocker, Clustering, NLB, Subsystem for UNIX apps, Windows Server Backup, Multipath IO, Removable Storage Management, SNMP, WINS (why the heck is this a feature and not a role?)
  • Install and Upgrade:
    • Not possible to upgrade from whatever windows version to server core
    • Manual install and after the server still needs to be configured (initial configuration tasks)
    • Unattended install using a UNATTEND.XML file where it is possible to configure the "initial configuration tasks" and other settings (e.g. enabling TS, configuring screen resolution, enabling and configuring WinRM/WinRS) during unattended install.
      • UNATTEND.XML file can be created with the "Windows System Image Manager"
      • Boot using WinPE and execute SETUP /unattend:<path>unattend.xml
      • Place UNATTEND.XML in a default location (e.g. floppy)
  • Can be managed through
    • Locally and remotely via the Command Prompt (tools and scripts)
    • Remotely via Terminal Server –> admin mode must be enabled first!
    • Remotely via Windows Remote Shell –> remote management must be enabled first!
    • Remotely via MMC –> watch out for the firewall on the server which is enabled by default!

Command Line Utilities:

  • Command Line Reference
    (This setting displays a list of common tasks and how to perform them from the command line)
  • Viewing installed roles/features
  • Install/Uninstall component (roles/features)
    (To get a list of component names use OCLIST and copy the name into the command line. The name of the components is CASE-SENSITIVE!!!)
    • Start /W OCSETUP <component>
    • Start /W OCSETUP <component> /Uninstall
    • To install AD either one of the following IS required:
      • DCPROMO /UNATTEND:<answer file>
      • DCPROMO /ANSWER:<answer file>
      • DCPROMO /UNATTEND /OPTION1:<value1> /OPTION2:<value2> /OPTION1:<value3> /OPTION1:<value3> …..
  • Managing Registry
    • REG.EXE
  • Creating notes/text files
    • EDIT.EXE
  • Disk/partition management:
  • Performance Related Stuff
    • tracerpt.exe
    • typeperf.exe
  • Managing Power Related Options
  • Managing Auditing on the local server
  • Network management (incl. firewall):
  • Service and driver management:
  • Backup and Restore
  • Windows Management Interface (for all kinds of things to manage)
    • WMIC.EXE
    • NET.EXE USER …
  • To change the time zone:
  • To change international settings:
  • To manage other CUSTOM CPLs (when available)
  • Shutdown/reboot/restart server
  • Manage Activation
  • Manage Automatic Updates
  • Allow Remote Administration Connections
  • Allow connections from previous versions of Windows
  • IP Security (IPSEC) Monitor – allow remote management
  • Windows Remote Management/Shell
  • Applying a patch
    • Wusa.exe <patchname>.msu [/quiet] [/norestart]
  • Managing the Event Viewer
    • wecutil.exe
    • eventcreate.exe
    • wevtutil.exe
  • Managing CA & Certificates stuff
  • File Server Management (role may need to be installed first):
  • DNS Management:
    • DNSCMD.EXE (
    • DNS SRV priority – changes the priority for DNS SRV records (only useful on Domain Controllers)
    • DNS SRV weight – changes the weight for DNS SRV records (only useful on Domain Controllers)
  • DHCP Management:
  • AD Management
    • dsadd.EXE
    • dsget.EXE
    • dsmod.EXE
    • dsmove.EXE
    • dsquery.EXE
    • dsrm.EXE
    • dcgpofix.exe
    • dfsrmig.exe
    • redircmp.exe
    • redirusr.exe
    • gpfixup.exe
    • rendom.exe
  • AD LDS Management
    • adaminstall.exe
    • adamuninstall.exe
    • adamsync.exe

More information about Server Core:

As you can see a lot of command line utilities. And this is not the complete list that is available. Besides that a lot of people were used to configure a Window Server through some GUI, but with Server Core you may need to use command line utilities like specified above. For some admins that can be a pain, especially if they are not used to use command line utilities. Like I said before in a previous blogpost, some people are crazy enough to create kick a$$ tooling for people to use that is even free to use. Regarding Server Core tooling, Guy Teverovsky, also a Windows Server –Directory Services MVP created a GUI that allows the configuration of basic stuff on a Server Core. Now how cool is that?!?!?! Trust me, it is damn cool!

That tool (Server Core – CoreConfigurator) has the following features:

  • Product Activation
  • Configuration of display resolution
  • Clock and time zone configuration
  • Remote Desktop configuration
  • Management of local user accounts (creation, deletion, group membership, passwords)
  • Firewall configuration
  • WinRM configuration
  • IP configuration
  • Computer name and domain/workgroup membership
  • Installation of Server Core features/roles

Enough blablabla, this Server Core tool can be found here.

* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
############### Jorge’s Quest For Knowledge #############
######### ########

Posted in Server Core, Tooling/Scripting, Windows Server | 3 Comments »

%d bloggers like this: