Windows Server 2008’s Server Core edition is a stripped-down version of the OS—a kind of Windows lite that you control from the command line rather than from a GUI. What are the benefits of such a configuration? Server Core’s footprint is about 3MB, considerably less than a full installation of Windows Server. Of course, 3MB is just to host the OS and any server roles—it doesn’t include additional data, such as Active Directory (AD) databases, that you might need for a particular server role. Server Core installs only the necessary components for any of its supported server roles. This reduces the attack surface of the OS, improves its security, and makes it easier to maintain and manage (albeit with a reduced armory of tools). New technologies in Server 2008, notably BitLocker and the read-only domain controller (RODC) functionality, can be used in combination with Server Core to provide even better security.
Are the benefits of reduced resource utilization and improved security offset by a server that some might consider hard to set up and administer? A look at the installation process and some basic configuration commands will help you get Server Core running and connected to your network so that you can begin to answer that question for yourself.
Installation and Setup
Installing Server Core is essentially the same as installing the full version of Server 2008; you simply need to select the Server Core entry instead of the Server option in the installation program (as Figure 1 shows). Not only is Server Core installation extremely simple, but, as you might expect, it is also much faster than installing the full edition of the server.
After installation has finished, you’re asked to press the usual key sequence of Ctrl+Alt+Del to open the logon dialog box. It might be a little disconcerting to then be presented with the option of logging on as Other User. Only one user is enabled by default in Server Core, and that’s the administrator. Initially, no password is defined for the administrator account; you must set it the first time you log on. To do so:
- Click Other User.
- In the dialog box shown in Figure 2, enter administrator as the username in the upper box, and leave the lower (password) box empty. Click the arrow to the right of the boxes.
- Enter a password.
To log off, simply type logoff at the command prompt.
Give Server Core an IP Address and Host Name
You can assign a static IP address and DNS server to a network adapter by using the netsh command, the same way you would with the full version of Server 2008. To assign an IP address, use a command like
netsh interface ipv4 add address name="Local Area Connection" address=192.168.1.100 mask=255.255.255.0 gateway=192.168.1.11
where 192.168.1.100 is the IP address, 255.255.255.0 is the subnet mask, and 192.168.1.11 is the gateway address. Of course, you should enter the full command without line breaks on the command line.
To assign a DNS server, type
netsh interface ipv4 set dnsserver name="Local Area Connection" source=static address=192.168.1.101
where 192.168.1.101 is the DNS server’s IP address.
Rename and Activate the
If you want to rename the server, you first need to determine the name that was automatically assigned during the installation process. Type hostname at the command prompt to return the server’s name, then issue the following two commands to change the name and reboot the server:
Once Server Core is connected to the Internet, you can activate the server by running the following command:
Enable Remote Desktop
Probably the two most crucial remote tools that you’ll want to use with Server Core for administration initially are Remote Desktop and the Microsoft Management Console (MMC) Windows Firewall with Advanced Security snap-in. First, I’ll show you how to enable and use Remote Desktop, then I’ll address accessing Server Core remotely with MMC and the Windows Firewall with Advanced Security snap-in.
Although it’s possible to make a Telnet connection to Server Core, Remote Desktop is the preferred method because it provides encryption, network level authentication, and other conveniences such as cut and paste. But don’t get too excited—Remote Desktop won’t give you a full-fledged Windows Desktop from which you can administer the server. You’ll just see a command prompt as you would from the console.
Because there’s no command-line tool or MMC snap-in from which you can enable Remote Desktop on Server Core, you’ll need to run the scregedit.wsf script that’s provided as part of Server Core. Scregedit contains various functions that are the only means of performing some tasks such as setting the size of the page file, enabling Terminal Services, and product activation. To run scregedit on Server Core, use the command
scregedit.wsf /AR 0
If you want to access Server Core by using Remote Desktop from a Windows OS other than Vista, replace the /AR 0 switch with /CS 0. To see the full list of scregedit’s possibilities, type the command
Authenticate to Server Core with MMC
During the initial configuration, or if Server Core will be a standalone server, you might need to authenticate to it from a remote machine by using pass-through authentication. Some, but not all, MMC snap-ins let you specify a username and password when you’re connecting to a remote computer.
The easiest way to get access remotely with MMC is to create a local user on Server Core that has the same username and password as the remote account that you’re using to run MMC. This way, authentication will happen transparently. The new user also needs to be an administrator on Server Core to gain unrestricted access. You can create a user and add the username to the administrators group by entering the following commands:
net user <username> * /add
net localgroup administrators <username> /add
If you join Server Core to a domain, you should delete this account and use a domain-based user for authentication. Whether Server Core is a member of a domain or a standalone server, you should consider configuring Windows Firewall with Advanced Security to restrict which machines can connect remotely to Server Core.
To enable the Windows Firewall with Advanced Security snap-in on any machine used for administration to access a given Server Core box, log on to Server Core as an administrator and type the command
netsh advfirewall set publicprofile settings remotemanagement enable
To access other remote administration tools, such as the MMC Event Viewer snap-in, run the following command on Server Core to permit access through Windows Firewall:
netsh firewall set service remoteadmin enable
After you’ve made these basic changes to Windows Firewall on Server Core, you can use the Windows Firewall with Advanced Security snap-in from a remote computer for all further configuration of Server Core’s firewall. You could additionally modify the firewall rules to allow access to Server Core from specific administration workstations only, if desired. To do so, you change the scope of the predefined inbound rules for Windows Firewall Remote Management, Remote Desktop, and Remote Administration by setting a list of remote IP addresses that are permitted to access Server Core. Figure 3 shows setting the scope of a Windows Firewall Remote Management rule.
Firewall rules are associated with one of three network profiles: Domain, Private, or Public. (Server Core uses the Public network profile out of the box.) To determine which profile is currently active, click the Windows Firewall with Advanced Security node directly below Console Root in the MMC window. You’ll see an overview of the firewall’s settings in the central pane, including information about the active profile. If you change the scope for a rule that’s associated with a profile that’s not currently active, the changes won’t be effective.
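The scope change described above can also be made from the Server Core console with netsh instead of the remote snap-in. The batch file below is an added example, not part of the original article; the rule group names are the ones the article mentions, and the addresses in ADMIN_HOSTS are constructed placeholders for your administration workstations.

```batch
@echo off
rem Added example (not from the original article).
rem Limits the predefined remote-administration rule groups to a fixed
rem list of administration workstations.
setlocal

rem Constructed placeholder addresses: replace with your own admin hosts.
rem Include the machine you are connected from, or run this at the console,
rem otherwise the new scope will cut off your own session.
set "ADMIN_HOSTS=192.168.1.50,192.168.1.51"

rem Show which profile is active (Server Core starts on the Public profile).
netsh advfirewall show currentprofile

rem No profile= filter is given, so every inbound rule in each group is
rem scoped whichever profile it belongs to. That way the restriction
rem still applies if the active profile later changes (for example,
rem after a domain join).
for %%G in ("Windows Firewall Remote Management" "Remote Desktop" "Remote Administration") do (
    netsh advfirewall firewall set rule group=%%G dir=in new remoteip=%ADMIN_HOSTS%
    if errorlevel 1 echo WARNING: no rules updated for group %%~G
)

rem Verify: list each inbound rule with its group and permitted remote addresses.
netsh advfirewall firewall show rule name=all dir=in | findstr /i /c:"Rule Name" /c:"Grouping" /c:"RemoteIP"

endlocal
```

Setting remoteip=any on the same groups restores the default scope.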
For more information about configuring Windows Firewall with Advanced Security, see the Security Pro VIP article “Windows Firewall Shows New Maturity in Vista,” April 5, 2007 (InstantDoc ID 95099). The configuration process is similar in Server 2008 and Vista.
Access the File
The easiest way to get access to Server Core’s file system is to use Windows Explorer on an administration workstation and map drives to the root administrative shares that are enabled by default on Server Core (e.g., c$ and d$). You can connect to these shares only with an account that has administrator privileges on Server Core, and you must enable remoteadmin by using netsh, as shown earlier. The File Server role is installed by default to provide access to these administrative shares, but you can also install features such as File Replication Service (FRS).
To map a network drive to an administrative share on Server Core from a remote machine, use a command similar to the following:
net use z: \\192.168.1.100\c$
Join Server Core to an AD
You can use the netdom command to join Server Core to an existing AD domain, as follows:
Install Server Roles and
Server Core supports the server roles Active Directory Domain Services, Active Directory Lightweight Directory Services (AD LDS), DHCP Server, DNS Server, File Services, Print Server, Streaming Media Services, and Web Server (IIS), among others. For a full list of server roles and other supported features, go to www.microsoft.com/windowsserver2008/servercore.mspx.
With the exception of the Active Directory Domain Services role, you install server roles and features by using the ocsetup command. To list the server roles and features currently installed, run the oclist command. The syntax for ocsetup is the same for both roles and features. The ocsetup command-line tool is case sensitive, but you can get the correct capitalization for a server role or feature from the output of the oclist command (which Figure 4 shows). The following command installs Windows Backup:
start /w ocsetup
Using the /w switch with the start command gives the user an indication of when ocsetup has finished installing the new role or feature by preventing further input at the command prompt until installation is complete. It also stops the user from running another command while ocsetup is running.
To promote Server Core to a DC, you need to generate an unattended .txt file on a full version of Server 2008 and then run dcpromo as shown below on Server Core:
Other Ways to Administer
As if these weren’t enough ways to administer Server Core remotely, you can make use of Windows Remote Shell (WinRS) in Vista. The WinRS client passes commands to a WinRS listener on Server Core, which in turn passes the commands to a prompt, captures the output, and passes it back to the WinRS client. To configure WinRS on Server Core, run the following command:
This command will prompt you to perform a couple of WinRS configuration steps.
Below is an example of a command being run against Server Core remotely by using WinRS. You should note that this command line is for a machine that’s a DC or domain member:
The one big disadvantage of WinRS is that it can’t run commands interactively.
You can also use administration tools such as the Windows Management Instrumentation command line (WMIC) and PowerShell by means of WMI calls to manage Server Core. Unfortunately, Server Core doesn’t support PowerShell directly at the time of writing (as of Server Core RC0) because PowerShell relies on the .NET Framework. Hopefully, both will be supported in a future release.
You can activate automatic updating on Server Core by using scregedit to modify the registry and then restarting the Windows Update service, as follows:
scregedit.wsf /au 4
net stop wuauserv
net start wuauserv
As of Server Core RC0, scregedit with the /au 4 switch sets the time for checking updates to the default of 3 a.m. In Server 2008, /au 4 also reboots the server automatically if the updates require it. You can disable automatic updating by using the /au 1 switch and then restarting the Windows Update service. To check the value set for /au, use the /au and /v switches in sequence.
To force an immediate check for updates, you can use the wuauclt command as follows:
Run Antivirus and Other
Windows Installer is supported on Server Core, so you can use the msiexec command to install antivirus and other third-party applications if required. (And who wants to run a server without proper antivirus and backup software these days?) Before you deploy any such solution, though, you should check that it’s officially supported on Server Core by contacting the vendor.
You can run at least two Windows-based applications from the console: notepad and regedit. These are useful tools, but I found it a little odd to be able to run regedit but not dcpromo, with its simple GUI.
Potential Not Yet Fully
One of the biggest potential uses for Server Core—as a Web server—is unlikely to be realized with the current incarnation of the product due to its lack of support for the .NET Framework. Other uses, although limited, could be practical in situations that don’t require frequent changes to server configuration, such as an RODC. Given the trend towards virtualization, Server Core and the hypervisor feature in Server 2008 (a software virtualization layer that sits between the hardware and the OS) together could prove to be one of the “must have” features of the next generation Windows Server.
The lack of a GUI in Server Core needn’t be a disadvantage. Once the basic configuration has been completed, most other settings can be either pushed out automatically by using Group Policy if the server is part of a domain or by using MMC snap-ins on a remote machine. PowerShell is noticeable by its absence, considering it’s Microsoft’s latest solution for managing Windows from the command line. It’s slated for inclusion in future versions of the product.
Despite some of the shortcomings of Server Core, the ability to run Windows with a significantly reduced footprint has the potential to give substantial improvements in security, capacity for virtualization, and performance.