28 November 2012

Windows Server 2012 Core Management step by step

One of the barriers to entry for Windows Server 2008 R2 Core was the fact that managing it was a technical difficulty.  With Server 2012 things are much simpler.  I will take you through installing and adding management functionality.  Right up to the point where you are actually running the full GUI version

Lab Setup
My management machine is Windows Server Standard Full GUI with Hyper-V role enable
The test machine is a virtual machine on this host.
For the sake of keeping script and install paths simple i have built and have left the install ISO attached ot the virtual machines as it's D drive

Getting Up and Running
During the initial installation phase you will notice that the "Server Core Installation" is now the default.  Once the installation finishes and you set the password and log in your are presented with a single command shell.

Step 1 the "sconfig" utility
The easiest way to get your machine added to the network and the domain is to use sconfig from the command prompt.  Below is a screenshot of the sconfig utility.  It present a simple text base interface to perform the essential configuration. Such as joining the domain, changing the computer name, configure network interface.

By default you will notice that "Configure Remote Management" is enabled.  This is important as we will use this later.  Once the server is joined to the domain it can be managed remotely  without further need to interact with the machine directly.

Step 2 Server Manager
From the management server with the full gui or from a Windows 8 with the Remote Server Administration Tools (RSAT) installed you can perform most administrative tasks.  RSAT Download
The following steps are all performed on the management server

  • Open the server Manager
  • Form the Dashboard select option  3 "Add other servers to manage"
  • Specify the server's name and click find now
  • Select the server and click the  > button to add it to the servers list
  • Once added you can select All servers form server manager

You will now see the core machine listed
The status by default will be "Online - Performance counters not started"

  • Right Click the server and select computer management

This will fail and present you with the following error

To resolve this we will use some PowerShell commands to remotely set the firewall rules.

  • Right Click the server and select Windows PowerShell

The shell that opens is a remote shell on the windows Core machine.

Execute the follow commands

  • Enable-NetFirewallRule -displaygroup  "Remote Service Management"
  • Enable-NetFirewallRule -displaygroup  “Remote Event Log Management”
  • Enable-NetFirewallRule -displaygroup "COM+ Remote Administration"
  • Enable-NetFirewallRule -displaygroup "COM+ Network Access"
* Note * At this point the COM+ Rules may not be present. But as you will see it might come in handy later

Or you can string them all together
  • Enable-NetFirewallRule -displaygroup  "Remote Service Management",“Remote Event Log Management”,"COM+ Remote Administration","COM+ Network Access"

If you attempt to use computer management now it will succeed.
  • At this point you can also Right click the server and select "Start Performance Counters"
This will now change the server status to Online

Step 3 Adding and Removing Roles and Features
Since we will be adding and removing features it is a good idea to have a look at the Windows features in PowerShell  form time to time.


This will give you the list off all the installed and available Roles and Features

If you look at the Web Server role you will set that it is marked as Available.  This means that we can simply add the roles and features through the Server Manager GUI on our "Management Server"

If however you select a Role or feature that is indicated as Removed you will have to specify installation media to use.

For a list of what is available in the different versions check out http://fixmyitsystem.com/2012/11/attack-surface-comparison-for-server.html

Step 4 Converting Core to full GUI
Ideally all your servers should be core, but sometimes you will need roles and features or simply functionality that is only available in the GUI.  As an example you may have a software installer that cannot be installed or configured from the command-line.

To convert from Core to the full GUI you need to add two features.  You can do this from your management server's Add roles and Features.

  • Select Role-Based or feature based installation
  • Select the server form the list
  • Select Features
  • Select User Interfaces and Infrastructure
  • --> Graphical Management Tool and Infrastructure
  • --> Server Graphical Shell

The next screen will warn you that you need to specify an alternate source path.  Click on the "Specify Alternate Source Path Link

At this point thing get  "a little tricky"  you don't simply specify the ISO location but you have to specify the installation image location.  The installation image is a WIM file and the various installation flavours "See the first Image" are indexes in the image.

To get the info about this you can PowerShell it   Get-windowsimage –imagepath d:\sources\install.wim

The result is as follows

  • Index 1 =  Windows Server 2012 SERVERSTANDARDCORE
  • Index 2 =  Windows Server 2012 SERVERSTANDARD
  • Index 3 = Windows Server 2012 SERVERDATACENTERCORE
  • Index 4 = Windows Server 2012 SERVERDATACENTER

Roles and Features can inly be installed form an image that contains them so in this case you cannot choose the core version.  Therefore the path you need to specify is:


Once the installation and reboot is complete you will now have the GUI tools available to you.   Adding these components above has also converted your Core install to Full GUI install.

Step 5 Convert Full GUI back to Core
If you check out the available feature with the Get-WindowsFeature PowerShell Command you will see that it now matches the server with GUI

You may need to have the full GUI to perform initial tasks such as install application and configure them.  But ultimately you want to keep your attack and patching surface as small as possible.  It is possible to reverse the steps we performed above to essentially take a Full GUI server back down to a Core server.

This process happens completely in PowerShell

  • Uninstall-WindowsFeature Server-Gui-Shell -Remove
  • Uninstall-WindowsFeature Server-Gui-Mgmt-Infra -Restart

There are few options here though.  If you know that you will ocassionally need the GUI you can un-install the GUI but leave the install files available.  To do this you un-install the GUI but you do not -Remove the files.

  • Uninstall-WindowsFeature Server-Gui-Shell
  • Uninstall-WindowsFeature Server-Gui-Mgmt-Infra -Restart
Step 6 The in-between-er (Min GUI)

Another permutation here is a step between Core and Full.  It is called Min GUI or Minimal Server Interface In this configuration you have the Server Manager but you do not have the following:
  • Internet Explorer
  • Windows Explorer
  • Desktop
  • Start Screen
To get from Full GUI to Min Gui you execute the following
  • Uninstall-WindowsFeature Server-Gui-Shell -Remove
To get from CORE to Min Gui you execute the following
  • Install-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell –Restart –Source c:\mountdir\windows\winsxs
It is easy to move between the different levels of GUI available to the operating system.  It is of course always best to have as little as possible, but sometimes it is not always practical.  This article show how you can start in one place and end in another.  All it take are a few commands...

No comments:

Post a Comment