WELCOME TO
TECH | IMMERSION
Track: Getting your Server Core Up and Running
Presenter: Brian McCann
Global Platforms Engineer
Agenda
o Server Core 2008 R2 Updates
o Essential commands to get your server online
o Best Practices
o Advanced commands and tools for managing Server Core
What We Won’t Cover
o Marketing Slides
o Installation of the OS
Server Core Additions in R2
o .NET Framework in Server Core
– Subset of .NET 2.0
– Subset of .NET 3.0
• Windows Communication Framework (WCF)
• Windows Workflow Framework (WF)
– Subset of .NET 3.5
• WF additions from 3.5
• LINQ
o Subset of ASP.NET support for IIS
o PowerShell
– Server Manager cmdlets
– Best Practice Analyzer (BPA) cmdlets
Server Core Additions in R2 (cont)
o File Server Resource Manager (FSRM)
o Certificate Server
o WoW64 as an optional feature
– If running all 64-bit, no need to have WoW64 installed
– Installed by default
– If removed from the image, reduces disk footprint by ~150MB
o New command line add/remove tool (dism.exe)
Server Core Footprint
Windows Server 2008 R2 Core: HD ~3.0 GB, RAM 512 MB for install
Windows Server 2008 R2: HD ~7.0 GB, RAM 512 MB for install
“The memory footprint in RAM for Server Core has been reduced to less than 100MB, compared to roughly 130MB for Windows Server 2008 and 244MB for Windows Server 2003, which didn’t have a Server Core install option.” (Ward Ralston, http://www.windowsitpro.com/article/virtualization/why-you-need-windows-server-2008-r2.aspx)
Server 2008 R2 Server Core Architecture
[Diagram: layered architecture]
o Server Core: Security, TCP/IP, File Systems, RPC, plus other Core Server Sub-Systems
o Server Core Server Roles and Optional Features: DNS, DHCP, File, AD, ADLDS, Media Server, IIS, Hyper-V, Print, Cert Server, ASP.NET, PS, .NET 3/3.5, .NET 2.0, WoW64
o Server, with .NetFx, Shell, Tools, etc.: GUI, Shell, IE, Media, Mail, Etc.
o Server, Server Roles (for example only): TS, ADFS, WDS, Etc…
.NET Framework Architecture
[Diagram: CLR 2.0, CLR 3.0 Additions, CLR 3.5 Additions, ASP.NET, WPF, WCF, WF, LINQ]
.NET Framework in Server Core
[Diagram: the same components (CLR 2.0, CLR 3.0 Additions, CLR 3.5 Additions, ASP.NET, WPF, WCF, WF, LINQ) as they apply to Server Core]
Patching
“Over time, the number of reboots for patching or security updates is significantly reduced for a Server Core installation of which the benefits are obvious. In some cases, customers can see up to a 60% reduction in patch requirements and the number of reboots on a monthly basis.”
(David B Cross, http://blogs.technet.com/b/windowsserver/archive/2010/05/07/server-core-best-practice-for-applications-on-windows-server.aspx)
Patching Server Core
                            WS08 R2 Server Core Reduction    Critical Only
All applicable patches
  All roles                 39%                              51%
  Months without reboots    10                               10
Necessary patches only
  All roles                 41%                              58%
  Months without reboots    10                               10
Necessary patches are: Where binary is in Server Core, but vulnerability isn’t exploitable – Called out as such in the Security Bulletins (e.g. MS08-052):
5 Essential Tasks
Set static IP address 192.168.0.1
Secure the Administrator
Join existing domain
Activate the server
Configure the firewall
Set static IP address: Netsh to the rescue
Netsh int ipv4 set address "Local Area Connection" static 10.1.1.5 255.255.255.0 10.1.1.1
Netsh int ipv4 add dnsserver name="local area connection" address=4.2.2.2 index=1
Netsh int ipv4 add winsservers name="local area connection" address=10.10.10.10 index=1
Secure the Administrator
1. Rename the Administrator account
wmic UserAccount where Name="Administrator" call Rename Name="Admin"
2. Now update the password
Net user <UserName> * [/domain]
Join existing domain
netdom join ComputerName /domain:DomainName /userd:UserName /passwordd:*
* Yes, /passwordd:* needs to have that second d at the end of it.
Activate the server
1. Local method – Slmgr.vbs /ato
2. Remote method – slmgr.vbs ServerName UserName password /ato
Configure the firewall
Disable – netsh firewall set opmode disable
Or
Netsh advfirewall firewall set rule group="remote administration" new enable=yes
o Event Viewer - Windows Firewall Rule Group - Remote Event Log Management
o Services - Windows Firewall Rule Group - Remote Services Management
o Shared Folders - Windows Firewall Rule Group - File and Printer Sharing
o Task Scheduler - Windows Firewall Rule Group - Remote Scheduled Tasks Management
o Disk Management - Windows Firewall Rule Group - Remote Volume Management
o Windows Firewall with Advanced Security - Windows Firewall Rule Group - Windows Firewall Remote Management
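As an added example (not part of the original deck), the PowerShell function below enables only the rule groups for the snap-ins you intend to use, leaving the firewall on. The tool-to-group pairs are copied from the list above; the function name, the -Preview switch and the sample selection are assumptions.

```powershell
# Added example (not from the original deck). Pairs are copied from the list above;
# netsh matches group names exactly, so a name that matches no rule is reported.
$GroupForTool = @{
    'Event Viewer'    = 'Remote Event Log Management'
    'Services'        = 'Remote Services Management'
    'Shared Folders'  = 'File and Printer Sharing'
    'Task Scheduler'  = 'Remote Scheduled Tasks Management'
    'Disk Management' = 'Remote Volume Management'
    'Windows Firewall with Advanced Security' = 'Windows Firewall Remote Management'
}

function Enable-RemoteToolRuleGroup {
    param(
        [string[]]$Tool,      # snap-ins you will actually use against this server
        [switch]$Preview      # print the netsh commands instead of running them
    )
    foreach ($t in $Tool) {
        if (-not $GroupForTool.ContainsKey($t)) {
            Write-Warning "No rule group listed for '$t'; nothing changed."
            continue
        }
        $group = $GroupForTool[$t]
        if ($Preview) {
            "netsh advfirewall firewall set rule group=`"$group`" new enable=yes"
            continue
        }
        # Each array element is passed to netsh as one argument.
        $netshArgs = 'advfirewall', 'firewall', 'set', 'rule', "group=$group", 'new', 'enable=yes'
        $output = & netsh $netshArgs 2>&1
        New-Object PSObject -Property @{
            Tool    = $t
            Group   = $group
            Enabled = ($LASTEXITCODE -eq 0)   # netsh exits non-zero when the command fails
            Detail  = ($output | Out-String).Trim()
        }
    }
}

# Hypothetical selection: this server is managed only through Event Viewer and Services.
Enable-RemoteToolRuleGroup -Tool 'Event Viewer', 'Services' -Preview
```

Drop -Preview to apply the change; any row with Enabled set to False names a group that netsh could not enable on that build.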
Now What???
o Turn on Remote Desktop
– Toggle Remote Desktop on and off:
Cscript \windows\system32\scregedit.wsf /ar 0
o Adding Roles and Features…
Deployment Image Servicing and Management (dism.exe)
o New Command Line Tool to Add/Remove Roles and Features
– Shows install status
– Better error reporting than Ocsetup
o Allows multiple features to be installed from a single command line
– Dism /online /enable-feature /featurename:MicrosoftWindowsPowerShell /featurename:ServerManager-PSH-Cmdlets
o Included in client and server
o Works online and with images
Finding Installed Roles and Features
o Dism /online /get-features
– Equivalent of Oclist
– No dependency hierarchy
o Shows if a package is
– Enabled
– Disabled
– Reboot pending
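As an added example (not part of the original deck), the PowerShell below turns the "Feature Name" / "State" text printed by Dism /online /get-features into objects and lists every feature that is not disabled and not in an expected baseline. The function name, the baseline and the sample output are constructed for illustration; the feature names are ones that appear in this deck plus IIS-WebServerRole.

```powershell
# Added example (not from the original deck).
# Parses "Feature Name : X" followed by "State : Y" pairs into objects.
function ConvertFrom-DismFeatureList {
    param([string[]]$Line)
    $name = $null
    foreach ($l in $Line) {
        if ($l -match '^\s*Feature Name\s*:\s*(\S+)') {
            $name = $Matches[1]
        }
        elseif ($name -and $l -match '^\s*State\s*:\s*(.+?)\s*$') {
            New-Object PSObject -Property @{ Feature = $name; State = $Matches[1] }
            $name = $null
        }
    }
}

# Hypothetical baseline: the features this particular server is expected to run.
$Baseline = 'MicrosoftWindowsPowerShell', 'NetFx2-ServerCore', 'ServerManager-PSH-Cmdlets'

# Constructed sample output, so the example also runs away from the server.
$Sample = @'
Feature Name : NetFx2-ServerCore
State : Enabled

Feature Name : MicrosoftWindowsPowerShell
State : Enabled

Feature Name : ServerCore-WOW64
State : Enabled

Feature Name : IIS-WebServerRole
State : Disabled

Feature Name : NetFx3-ServerCore
State : Enable Pending
'@ -split '\r?\n'

# On the server itself, replace $Sample with: (& dism /online /get-features)
$features = ConvertFrom-DismFeatureList $Sample

# Anything enabled (or pending) that the baseline does not list is extra footprint to review.
$features |
    Where-Object { $_.State -ne 'Disabled' -and $Baseline -notcontains $_.Feature } |
    Select-Object Feature, State
```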
Best Practices
o There is help
– Sconfig
– Core Configurator
– Core Configurator Console R2
– Smart-X Core Configurator
– Custom BuildScript
o Apply Policy to just Server Core
Sconfig
Pros
o Developed by Microsoft
o Actively maintained
o Part of the OS
Cons
o Not all roles
Core Configurator
Pros
o Actively maintained
o GUI
o Shotgun interface
Download:
http://coreconfig.codeplex.com
Cons
o Must install
o Needs .Net / PowerShell
Core Configuration Console R2
Pros
o Standard commands
o Free
o No installation / features needed
o Easily extended
Download:
http://ccc.codeplex.com
Cons
o No support
o Privately developed
o Not all roles supported
Smart-X Core Configurator
Pros
o Shotgun interface
o GUI
Download:
http://www.smart-x.com
Cons
o Needs install
o Not free
Use the Power of Group Policy
SELECT OperatingSystemSKU FROM Win32_OperatingSystem WHERE
OperatingSystemSKU = 12 OR OperatingSystemSKU = 39 OR
OperatingSystemSKU = 14 OR OperatingSystemSKU = 41 OR
OperatingSystemSKU = 13 OR OperatingSystemSKU = 40 OR
OperatingSystemSKU = 29
Which Core is it?
Separate SKUs to help identify them (the values below are hexadecimal; the WMI filter above uses their decimal equivalents)
o 0C Datacenter (core installation)
o 27 Server Datacenter without Hyper-V (core installation)
o 0E Server Enterprise (core installation)
o 29 Server Enterprise without Hyper-V (core installation)
o 0D Server Standard (core installation)
o 28 Server Standard without Hyper-V (core installation)
o 1D Web Server (core installation)
wmic os get operatingsystemsku
(gwmi win32_operatingsystem).operatingsystemsku
o Name and time on cmd line…
– prompt [%computername%]$s[$t]$s$p$g
– HKLM\System\CurrentControlSet\Control\Session Manager\Environment
o Replace Task Manager
– Use Process Explorer
Advanced Commands & Tools
Reducing the Footprint
o Can remove roles and features from the Server Core image
– One-way process; once removed, it is gone unless you reinstall
o Largest footprint savings
– .Net Support ~500MB
– IME Support ~200MB
– WoW64 Support ~150MB
Removing Packages
o Change to \windows\servicing\packages
o Dir *coreedition*.mum /w
o Copy file name up to extension
– For example: Microsoft-Windows-ServerEnterpriseCoreEdition~31bf3856ad364e35~amd64~~6.1.7100.0
o Dism /online /get-features /packagename:<core edition package>
o Dism /online /disable-feature /packagename:<core edition package> /featurename:<name_from_previous_step_to_remove>
Thank You
Backup
.NET Framework 2.0 in Server Core
o Subset of .NET 2 on Server Core
– .NET functionality aligns with functionality in Server Core
– Not installed by default
o To install
– Dism /online /enable-feature /featurename:NetFx2-ServerCore
– If 32-bit support is needed:
• Dism /online /enable-feature /featurename:NetFx2-ServerCore-WOW64
.NET Framework 3 in Server Core
o .NET 3 functionality
– No WPF in Server Core
o .NET 3.5 functionality
– LINQ
o .NET 3 and 3.5 functionality is installed with a single package
– Dism /online /enable-feature /featurename:NetFx3-ServerCore
– If 32-bit support is needed:
• Dism /online /enable-feature /featurename:NetFx3-ServerCore-WOW64
.NET Namespaces not in Server Core
o System.Data.Design
o System.Deployment.Application
o System.Diagnostics.Design
o System.Media
o System.Messaging.*
o System.Speech.*
o System.Web.UI.Design.*
– Design time support is unavailable, runtime support for expression builders is supported
o System.Windows.*
o UIAutomationClientsideProviders
o Microsoft.Aspnet.Snapin
o Microsoft.Ink
o Microsoft.ManagementConsole.*
o Microsoft.StylusInput.*
o Microsoft.VisualBasic.Compatibility.VB6
o Microsoft.Windows.Themes
o Microsoft.WindowsCE.Forms
o Microsoft.WindowsMobile.DirectX.*
o System.ComponentModel.Design.*
IIS Additions to Server Core in R2
o IIS-ASPNET – Enables hosting of ASP.NET applications
o IIS-NetFxExtensibility – Enables hosting of .NET framework managed module extensions
o IIS-ManagementService – Allows remote management via the Web server Management Console
o IIS-PowerShellProvider – IIS PowerShell cmdlets
o IIS-FTPExtensibility – Supports FTP feature extensions, such as custom providers
o IIS-WebDAV – WebDAV extension module
o WCF-HTTP-Activation – Process activation via HTTP support
ASP.NET
o Included with IIS
o Same package as full Server: IIS-ASPNET
o Limitations
– System.Web.Mail classes will fail because CDOSYS
• Use System.Net.Mail instead
– Web Application Tool (WAT) not available
Remotely Managing IIS on Server Core
o Install the IIS Management Service
– Dism /online /enable-feature /featurename:IIS-ManagementService
o Enable Remote Management
– Set EnableRemoteManagement to 1 under HKLM\Software\Microsoft\WebManagement\Server
o Start the Management Service
– Net start wmsvc
PowerShell in Server Core
o Full Command Line PowerShell
o Scripts and cmdlets are limited like any other code or script
o Installing PowerShell
– Dism /online /enable-feature /featurename:MicrosoftWindowsPowerShell
– If 32-bit support is needed:
• Dism /online /enable-feature /featurename:NetFx2-ServerCore-WOW64
• Dism /online /enable-feature /featurename:MicrosoftWindowsPowerShell-WOW64
WOW64 in Server Core R2
o Installed by default
o Dism /online /disable-feature /featurename:ServerCore-WOW64
o Required for and must be installed for
– Active Directory
– Active Directory Lightweight Directory Services
Potential Issues with WoW64
o Installers Requiring WoW64
– When an MSI requires WoW64, it will return:
• Error 1719. The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
o Applications Requiring WoW64
– When trying to run a 32-bit application, you will receive the following error:
• The subsystem needed to support the image type is not present.