
SESSION: #SVR308

Managing Server Core without Breaking a Sweat!


Freddie Louwrens
Systems Consultant
Stratbits Consulting

The goal of a Server Core installation is to get it on the network and make it remotely manageable.

75 Minutes of What?
How Core was born
Why Core?
Installation scenarios
Initial configuration
Local Management
Remote Management

How do you Secure Core Server?

Windows Server 2008/R2 Server Core


[Diagram: Server Core architecture. Base layer: Security, TCP/IP, File Systems, RPC, plus Core Server Sub System. Other blocks: Hyper-V, AD, Print, PS, DHCP, AD LDS, .NET 2.0, Cert Srv, DNS, IIS, .NET 3/3.5, WOW64, File, Media, ASP.NET. Separate block: GUI, Shell, IE, Mail etc.]

How Core Was Born


Customer feedback
Removal of requirements
Four initial roles
Focus areas
Side benefits

Why Core?
Footprint
Attack surface
Management
Patching

The Real Reasons for Smaller Footprint

16KB @ $ 495

Footprint
Windows Server 2008 R2 Core
  HD ~3.0 GB
  RAM 512 MB for install (runs on 64!)
Windows Server 2008 R2
  HD ~7.0 GB
  RAM 512 MB for install

"The memory footprint in RAM for Server Core has been reduced to less than 100MB, compared to roughly 130MB for Windows Server 2008 and 244MB for Windows Server 2003, which didn't have a Server Core install option."
(Ward Ralston, http://www.windowsitpro.com/article/virtualization/why-you-need-windows-server-2008-r2.aspx)


Footprint Disk Usage


[Chart: Disk space / MB for 2008 Standard x64, 2008 Standard x64 CORE, 2008 Standard x86 and 2008 Standard x86 CORE. Bar values on the slide: 8710, 5720, 2520, 1440.]


Reducing Disk Usage


pkgmgr /up:<package to remove>
Remove all packages you won't need
Reboot
23 packages can be removed, gain ~200 MB


Patches
"Over time, the number of reboots for patching or security updates is significantly reduced for a Server Core installation of which the benefits are obvious. In some cases, customers can see up to a 60% reduction in patch requirements and the number of reboots on a monthly basis."
(David B Cross, http://blogs.technet.com/b/windowsserver/archive/2010/05/07/server-core-best-practice-for-applications-onwindows-server.aspx)


Patches
[Chart: # of Patches for Windows Server 2008 R2, Windows Server 2008 R2 Core, Windows Server 2008 R2 (critical) and Windows Server 2008 R2 Core (critical). Series: Apply All, Necessary. Source: Microsoft bulletins / Andrew Mason]


Installation

Manual installation
Automated deployment
Template


Is it Core?
Separate SKU
0C  Datacenter (core installation)
27  Server Datacenter without Hyper-V (core installation)
0E  Server Enterprise (core installation)
29  Server Enterprise without Hyper-V (core installation)
2A  Microsoft Hyper-V Server
0D  Server Standard (core installation)
28  Server Standard without Hyper-V (core installation)
1D  Web Server (core installation)


Demo
Is It Core?

Is it Core?
WMI / WMIC / PowerShell
WMI: Select OperatingSystemSKU from Win32_OperatingSystem
WMIC: OS get operatingsystemsku
PowerShell: Get-WmiObject -Query "Select OperatingSystemSKU from Win32_OperatingSystem"
14 (decimal) = 0E (hex) = Enterprise Core

Convert to HEX
Complete table of available SKUs: http://msdn.microsoft.com/en-us/library/ms724358.aspx
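
The check described on this slide (query OperatingSystemSKU, convert it to hex, compare against the core SKU list), wrapped so it can be run against several servers at once. This is an added example, not code from the session; the function name Get-ServerCoreStatus is hypothetical, and remote targets are assumed to be reachable over WMI.

```powershell
# Added example, not from the session. The hex codes are the eight core SKUs
# listed on the "Is it Core?" slide.
$CoreSkus = @{
    '0C' = 'Datacenter (core installation)'
    '27' = 'Server Datacenter without Hyper-V (core installation)'
    '0E' = 'Server Enterprise (core installation)'
    '29' = 'Server Enterprise without Hyper-V (core installation)'
    '2A' = 'Microsoft Hyper-V Server'
    '0D' = 'Server Standard (core installation)'
    '28' = 'Server Standard without Hyper-V (core installation)'
    '1D' = 'Web Server (core installation)'
}

function Get-ServerCoreStatus {
    # Hypothetical helper: defaults to the local machine when no names are given.
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($computer in $ComputerName) {
        $row = New-Object PSObject -Property @{
            Computer = $computer; SkuDecimal = $null; SkuHex = $null
            IsCore = $null; Edition = $null; Error = $null
        }
        try {
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
            $row.SkuDecimal = [int]$os.OperatingSystemSKU
            # WMI returns the SKU in decimal; the slide's table is in hex.
            $row.SkuHex = '{0:X2}' -f $row.SkuDecimal
            $row.IsCore = $CoreSkus.ContainsKey($row.SkuHex)
            if ($row.IsCore) {
                $row.Edition = $CoreSkus[$row.SkuHex]
            } else {
                $row.Edition = 'Not in the core SKU list'
            }
        } catch {
            # Unreachable or access-denied hosts are reported, not silently skipped.
            $row.Error = $_.Exception.Message
        }
        $row | Select-Object Computer, SkuDecimal, SkuHex, IsCore, Edition, Error
    }
}

Get-ServerCoreStatus | Format-Table -AutoSize
```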


Demo:
Initial Configuration

Configuring Server 2008 Core Commands


netsh interface ipv4 set address name="<ID>" source=static address=<StaticIP> mask=<SubnetMask> gateway=<DefaultGateway>
netsh interface ipv4 add dnsserver name="<ID>" address=<DNSIP> index=1
netdom renamecomputer <ComputerName> /NewName:<NewComputerName>
netdom join <ComputerName> /domain:<DomainName> /userd:<UserName> /password:*
slmgr.vbs -ato
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
start /w ocsetup <Role or Feature>


Sconfig
Pros
  Developed by Microsoft
  Actively maintained
  Included
Cons


Core Configurator
Pros
  Developed by a team
  Actively maintained
  Shotgun interface
Cons

Download: http://coreconfig.codeplex.com/

Core Configuration Console R2


Cons
Pros
  Standard commands
  Free
  No installation / features needed
  Easily extended

Download: http://ccc.codeplex.com or http://www.nullsession.com


Smart-X Core Configurator


Pros
  Shotgun interface
  Developed by company
Cons

Download: http://www.smart-x.com


CMD
Pros
  Included
  Well documented
  Support
Cons


PowerShell / VBScript / WMI


PowerShell
VBScript
WMI
Remote support
Reusable


PowerShell
Add .Net Framework
Add PowerShell
Configure


PowerShell
C:\>Dism /online /enable-feature /featurename:NetFx2-ServerCore
C:\>Dism /online /enable-feature /featurename:NetFx2-ServerCore-WOW64
C:\>Dism /online /enable-feature /featurename:MicrosoftWindowsPowerShell
C:\>Dism /online /enable-feature /featurename:ServerManager-PSH-Cmdlets
C:\>C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
PS C:\> import-module ServerManager
PS C:\> import-module ActiveDirectory
PS C:\> set-executionpolicy remotesigned (unrestricted)
PS C:\> enable-psremoting


Local Management of Roles


Specific commands for roles
Active Directory
DSADD, DSGET + more
New-ADUser
New-ADGroup
Etc...

DNS
DNSCMD

Network Configuration / Firewall / DHCP


NETSH


Demo
Local Management

Firewall Configuration
Locally
NETSH

Remote
Group Policy
MMC / Server Manager


Remote Management of Roles


Firewall configuration
Server Manager
Remote Server Administration Tools / MMC


Demo
Remote Management

Conclusion
Learning curve
Security
Management


2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Resources

www.msteched.com/Australia
Sessions On-Demand & Community

www.microsoft.com/australia/learning
Microsoft Certification & Training Resources

http://technet.microsoft.com/en-au
Resources for IT Professionals

http://msdn.microsoft.com/en-au

Resources for Developers


Appendix

Demo Steps/Commands used during Session SRV308


1. Systeminfo
2. Determine OS version
   a) Wmic
   b) Os get name
   c) Os get operatingsystemsku
   d) Or using powershell: get-wmiobject -query "select operatingsystemsku from win32_operatingsystem"


Code Used During Demo


Basic Server Configuration
3. SConfig
   a) Join Domain & Configure ComputerName
   b) Set IP Address & DNS
   c) Firewall

Check and Installing Roles and Features
3. Dism /online /get-features /format:table
4. Dism /online /enable-feature /featurename:CertificateServices
5. Dism /online /enable-feature /featurename:NetFx2-ServerCore
6. Dism /online /enable-feature /featurename:NetFx2-ServerCore-WOW64
7. Dism /online /enable-feature /featurename:NetFx3-ServerCore
   Requirement for ActiveDirectory Powershell


Code Used During Demo


Install PowerShell and do some basic PowerShell commands
1. Dism /online /Get-features | find "PowerShell"
2. Dism /online /enable-feature /featurename:MicrosoftWindowsPowerShell
3. C:\windows\system32\windowspowershell\v1.0\powershell.exe
4. Get-service | Where-Object {$_.Status -eq "running"}


Code Used During Demo


DCPromo Server
5. DCPROMO /unattend:C:\Demofiles\unattend.txt
6. Dism /online /enable-feature /featurename:ServerManager-PSH-Cmdlets /featurename:BestPractices-PSH-Cmdlets
7. Dism /online /enable-feature /featurename:ActiveDirectory-PowerShell
8. Shutdown /r /t 0
9. Add users to AD using new powershell cmdlets
10. Import-Module ActiveDirectory
11. New-ADUser
    a) New-aduser bob
12. Bulk import of users and setting the password of each user using
    Import-CSV C:\demofiles\users1.csv | New-ADUser -AccountPassword (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -PassThru -Enabled $true
13. New-ADGroup
    a) New-ADGroup -Name TechEdDemo -SamAccountName TechEdDemo -GroupScope Global -GroupCategory Security -PassThru
14. Add-ADGroupMember -Identity TechedDemo -Members Lance,Cadel
15. New-ADOrg
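
The bulk import in step 12 gives every imported account the same known password, which is fine for a demo but not for a production directory. The added example below (not part of the session's demo code) performs the same import with a unique random password per account and a forced change at first logon; the function names and the CSV layout (Name and SamAccountName columns) are assumptions.

```powershell
# Added example, not from the session. Assumes the ActiveDirectory module enabled in
# step 7 and a CSV with Name and SamAccountName columns (assumed layout).
Import-Module ActiveDirectory

$rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider

function Get-RandomIndex([int]$Max) {
    # Index in [0, Max) from the OS CSPRNG; modulo bias is negligible for small Max.
    $buf = New-Object byte[] 4
    $rng.GetBytes($buf)
    [int]([BitConverter]::ToUInt32($buf, 0) % $Max)
}

function New-RandomPassword([int]$Length = 16) {
    # Look-alike characters (l/1, O/0, I) are left out to make hand-over less error-prone.
    $sets = 'abcdefghijkmnpqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!#%+-=?@'
    $all  = -join $sets
    # One character from every class so a complexity policy is met, then fill up.
    $chars = @($sets | ForEach-Object { $_[(Get-RandomIndex $_.Length)] })
    while ($chars.Count -lt $Length) { $chars += $all[(Get-RandomIndex $all.Length)] }
    # Shuffle so the guaranteed characters are not always in the first four positions.
    -join ($chars | Sort-Object { Get-RandomIndex 1000000 })
}

function Import-AdUsersFromCsv {
    param([Parameter(Mandatory = $true)][string]$CsvPath)
    Import-Csv $CsvPath | ForEach-Object {
        $plain  = New-RandomPassword
        $secure = ConvertTo-SecureString $plain -AsPlainText -Force
        New-ADUser -Name $_.Name -SamAccountName $_.SamAccountName `
            -AccountPassword $secure -ChangePasswordAtLogon $true -Enabled $true
        # Return the initial password to the operator only; deliver it out of band.
        New-Object PSObject -Property @{
            SamAccountName = $_.SamAccountName; InitialPassword = $plain
        }
    }
}

# Usage, with the CSV path from the demo steps:
# Import-AdUsersFromCsv -CsvPath C:\demofiles\users1.csv
```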

Code Used During Demo


Running Best Practices
1. Import-Module BestPractices
2. Import-Module ServerManager
3. Get-WindowsFeature | Where {$_.BestPracticesModelID -ne $null}
4. Invoke-BPAModel -BestPracticesModelID Microsoft/Windows/DNSServer
5. Get-BPAModel | Get-BPAResult

