Initial Configuration
The initial steps you'll need to perform on a Server Core installation will depend somewhat on your intended use of the installation, but we think that the following ones are the most obvious:
- Set a fixed IP address.
- Change the server name to match your internal standards.
- Join the server to a domain.
- Change the default resolution of the console.
- Enable remote management through Windows Firewall.
- Enable remote desktop.
- Activate the server.
We'll walk through these steps for you, and leave you with a couple of basic scripts that you can modify to automate these tasks for your environment. Table 9-1 contains the settings we'll be using during this install scenario.
Table 9-1 Settings for Initial Server Core Configuration (Example)
Set IP Address
To set the IP address for the server, you need to use the netsh command-line tool. Follow these steps to configure TCP/IP:
From the command window, use netsh to get the "name" (index number) of the network card.
netsh interface ipv4 show interfaces
The result will be something like the following:
C:\Users\administrator>netsh interface ipv4 show interfaces

Idx  Met   MTU          State        Name
---  ---   -----        -----------  -------------------
  2   10   1500         connected    Local Area Connection
  1   50   4294967295   connected    Loopback Pseudo-Interface 1
The Idx value for your real network card (2, in this case) will be used as the name value in future commands for netsh.
Now, using the Idx value from step 2, run the following netsh command:
netsh interface ipv4 set address name="<Idx>" source=static address=<IP Address> mask=<netmask> gateway=<IP Address of default gateway>
Note The netsh lines above, and in examples below, are actually one long command line, but we had to break them (and indent subsequent lines) because of the limitations of the printed page. And it's not just netsh that is a problem—most of the commands you end up having to use with Server Core are long and will be artificially broken in this chapter.
Next, specify the DNS server for the adapter, using netsh again:
netsh interface ipv4 add dnsserver name="<Idx>" address=<IP Address of DNS Server> index=1
For secondary DNS servers, repeat the command in step 4, increasing the index value by one each time.
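The Idx selection and the two netsh commands above, as an added example (not from the book or its companion CD): a Python pre-flight helper, intended for an administrative workstation, that reads pasted `show interfaces` output, picks the single connected non-loopback adapter, checks that the gateway lies inside the subnet, and returns the command lines. The function names and the sample output, which adds a second, disconnected adapter, are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: output in the format shown above, with a second,
# disconnected adapter added to exercise the selection logic.
SAMPLE = """\
Idx  Met   MTU          State        Name
---  ---   -----        -----------  -------------------
  2   10   1500         connected    Local Area Connection
  3   20   1500         disconnected Local Area Connection 2
  1   50   4294967295   connected    Loopback Pseudo-Interface 1
"""

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")

def parse_interfaces(text):
    """Return (idx, state, name) for every data row of the netsh table."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(4), m.group(5)))
    return rows

def pick_idx(text):
    """Idx of the single connected, non-loopback adapter; never guess."""
    live = [i for i, state, name in parse_interfaces(text)
            if state == "connected" and "loopback" not in name.lower()]
    if len(live) != 1:
        raise ValueError(f"expected exactly one connected NIC, found {live}")
    return live[0]

def build_commands(text, ip, mask, gateway, dns_servers):
    """Validate the addressing, then return the netsh lines from the steps."""
    idx = pick_idx(text)
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    if ipaddress.ip_address(gateway) not in net:
        raise ValueError(f"gateway {gateway} is outside {net}")
    cmds = [f'netsh interface ipv4 set address name="{idx}" source=static '
            f'address={ip} mask={mask} gateway={gateway}']
    for n, dns in enumerate(dns_servers, start=1):
        ipaddress.ip_address(dns)  # raises ValueError on a malformed address
        cmds.append(f'netsh interface ipv4 add dnsserver name="{idx}" '
                    f'address={dns} index={n}')
    return cmds

if __name__ == "__main__":
    print("\n".join(build_commands(SAMPLE, "192.168.51.4", "255.255.255.0",
                                   "192.168.51.1", ["192.168.51.2"])))
```

A mistyped gateway or mask on a headless Server Core box usually means a trip to the console, so the helper raises instead of emitting commands when the values do not agree.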
Renaming the Server and Joining to a Domain
The next step in initial configuration is assigning the name of the server and joining it to a domain. During initial installation of Windows Server 2008, an automatically generated name is assigned to the server and the server is placed in the WORKGROUP workgroup. You'll want to change this to align the computer name with your corporate naming policy and join the server to the correct domain and Organizational Unit. Our naming policy here has three parts: the model of server, the functional role, and a number reflecting its IP address. Thus the Server Core computer we're building in this chapter is named hp350-core-04: it's a Hewlett Packard ML 350 G5 server, it is running Server Core, and the final octet of its IP address is four. Your server naming convention will undoubtedly be different, but the important thing is to be consistent. Our domain for this book is example.local.
To change the name of the server and join it to the example.local domain, follow these steps:
From the command prompt, use the netdom command to change the name of the server:
netdom renamecomputer %COMPUTERNAME% /newname:<newname>
After you change the name, you must reboot the server.
shutdown /t 0 /r
After the server restarts, log on to the Administrator account.
Use the netdom command again to join the domain.
netdom join %COMPUTERNAME% /DOMAIN:<domainname> /userd:<domain admin account> /password:*
You'll be prompted for the password for the domain administrative account you used. Enter the password. When the domain join has succeeded, you'll again need to reboot the server.
shutdown /t 0 /r
After the server restarts, log back on to a domain administrator's account. (You'll need to click Change User because the server will default to the local administrator account.)
Under the Hood Scripting Initial Configuration
If you set up more than one or two Server Core computers, you'll quickly get tired of doing all this interactively from the command prompt. We know we did. You have the choice of either using an unattend.xml file to set options during the install or using simple scripts to automate the process. Both work, and both have their adherents, but we tend to use scripts after the fact. You can modify the following three scripts (which you'll also find on the companion CD) for your environment to automate the initial TCP/IP, server name, and domain join steps. The first script sets the IP address, sets the DNS server, and changes the server name.
@echo off
REM filename: initsetup1.cmd
REM
REM initial setup for a Server 2008 Server Core installation.
REM command file 1 of 3
REM
REM Created: 4 September, 2007
REM ModHist: 5/9/07 - switched to variables (cpr)
REM
REM Copyright 2007 Charlie Russel and Sharon Crawford. All rights reserved.
REM You may freely use this script in your own environment, modifying it
REM to meet your needs. But you may not re-publish it without permission.
REM first, set a fixed IP address. You'll need to know the index number
REM of the interface you're setting, but in a default Server Core install,
REM with only a single NIC, the index should be 2. To find the index,
REM you can run:
REM netsh interface ipv4 show interfaces
REM
SETLOCAL
REM Change the values below to match your needs
SET IPADD=192.168.51.4
SET IPMASK=255.255.255.0
SET IPGW=192.168.51.1
SET DNS1=192.168.51.2
SET NEWNAME=hp350-core-04
netsh interface ipv4 set address name="2" source=static address=%IPADD% mask=%IPMASK% gateway=%IPGW%
REM Next, set DNS to point to DNS server for example.local.
REM 192.168.51.2 in this case
netsh interface ipv4 add dnsserver name="2" address=%DNS1% index=1
REM Now, we need to change the computer name. After we're done, the server
REM must be restarted, and we can continue with the next batch of commands.
REM we use the /force command here to avoid prompts
netdom renamecomputer %COMPUTERNAME% /newname:%NEWNAME% /force
@echo If everything looks OK, then it's time to reboot
pause
REM now, shutdown and reboot. No need to wait.
shutdown /t 0 /r
The second script we use is to actually join the server to the domain.
@echo off
REM Filename: initsetup2.cmd
REM
REM initial setup for a Server 2008 Server Core installation.
REM command file 2 of 3
REM
REM Created: 4 September, 2007
REM ModHist:
REM
REM Copyright 2007 Charlie Russel and Sharon Crawford. All rights reserved.
REM You may freely use this script in your own environment, modifying it
REM to meet your needs. But you may not re-publish it without permission.
SETLOCAL
SET DOMAIN=example.local
SET DOMADMIN=Administrator
REM Join the domain using the netdom join command. Prompts for password
REM of domain administrator account set above
netdom join %COMPUTERNAME% /DOMAIN:%DOMAIN% /userd:%DOMADMIN% /password:*
REM now, shutdown and reboot. No need to wait, and that's all we can do
REM at this time
shutdown /t 0 /r
Finally, use the third script to enable remote management and activate the server.
@echo off
REM initsetup3.cmd
REM
REM initial setup for a Server 2008 Server Core installation.
REM command file 3 of 3
REM
REM Created: 4 September, 2007
REM ModHist:
REM
REM Copyright 2007 Charlie Russel and Sharon Crawford. All rights reserved.
REM You may freely use this script in your own environment, modifying it
REM to meet your needs. But you may not re-publish it without permission.
REM Use netsh to enable remote management through the firewall for the
REM domain profile. This is the minimum to allow using remote MMCs to work
REM from other computers in the domain.
netsh advfirewall set domainprofile settings remotemanagement enable
REM allow remote administration group
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
REM Allow remote desktop
REM (also works with group="Remote Desktop" instead of name=)
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=yes
REM Enable Remote Desktop for Administration, and allow
REM downlevel clients to connect
cscript %windir%\system32\scregedit.wsf /AR 0
cscript %windir%\system32\scregedit.wsf /CS 0
REM Now, run the activation script
REM No output means it worked
Slmgr.vbs -ato
Setting Desktop Display Resolution
To set the display resolution for the Server Core desktop, you need to manually edit the registry. We'd give you a script to do it, but it is dependent on correctly identifying the specific GUID for your display adapter. Not something we want to automate. So, to change the resolution on your Server Core desktop, follow these steps:
Open regedit.
Navigate to HKLM\System\CurrentControlSet\Control\Video.
One or more GUIDs is listed under Video. Select the one that corresponds to your video card. Hint: They each have a device description under the 0000 key that can sometimes help.
Under the GUID for your video card select the 0000 key, and add a DWORD DefaultSettings.XResolution. Edit the value to the X axis resolution you want. For a width of 1024 pixels, use 400 hexadecimal, as shown in Figure 9-3.
Figure 9-3 Editing the display resolution value for the X axis
Add a DWORD DefaultSettings.YResolution. For height of 768 pixels, use 300 hexadecimal.
Note In some cases, these keys will already exist. If they do, you can simply change their value as necessary.
Exit the registry editor and log off using the following:
shutdown /l
Once you log back on, the new display settings will take effect.
Enabling Remote Management
To allow access to the familiar graphical administration tools, you need to enable them to work through Windows Firewall. This requires another set of netsh commands. Use the following steps to enable remote administration and Remote Desktop:
From the command prompt, use the netsh command to enable remote management:
netsh advfirewall set domainprofile settings remotemanagement enable
Now, enable the Remote Administration group of firewall rules.
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
Finally, life is easier when you can connect using remote desktop, so let's enable that, too:
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=yes
You should now be able to do additional management using familiar graphical tools from another server but connecting to the Server Core computer.
Activating the Server
The final step in basic configuration of the Server Core computer is to activate it. This requires using a Visual Basic script, which is provided. Use the following command:
Slmgr.vbs -ato
Note All the basic initial setup commands for Server Core are included in the three scripts described in the Under The Hood sidebar, and are also available on the CD that comes with the book.
Installing Roles
Windows Server 2008 Core doesn't support all the possible roles and features of the full graphical Windows Server, but it does support the most important infrastructure roles. We think one of the most compelling scenarios for Server Core is as a remote site server to enable basic functionality at a remote site where there isn't anyone on site to administer it. By combining the DHCP Server, DNS Server, File Services, and Print Services roles with a read-only Active Directory Domain Services role, you have a "branch office in a box" solution—just add a remote access device such as a VPN router and you're in business.
The File Services role is added by default as part of the base Server Core installation, but you can add additional role services to support additional functionality.
The command used to install a role in Server Core is Ocsetup.exe. The exact same command is used to uninstall a role, but with the /uninstall command-line parameter. The full syntax for Ocsetup is:
Ocsetup </?|/h|/help>
Ocsetup <component> [/uninstall][/passive][/unattendfile:<file>] [/quiet]
[/log:<file>][/norestart][/x:<parameters>]
The important thing to remember about Ocsetup is that it is quite unforgiving. It is case-sensitive, and even a slight mistake in the case of the component name will cause the command to fail.
A script to install the roles for this solution, except the domain controller role, would look like this:
@REM filename: SetupBranch.cmd
@REM
@REM Setup file to install roles for a branch office server
@REM
@REM Created: 5 September, 2007
@REM ModHist:
@REM
@REM Copyright 2007 Charlie Russel and Sharon Crawford. All rights reserved
@REM You may freely use this script in your own environment,
@REM modifying it to meet your needs.
@REM But you may not re-publish it without permission.
@REM Using "start /w" with ocsetup forces ocsetup to wait until it
@REM completes before going on to the next task.
@REM Install DNS and DHCP
@echo Installing DNS and DHCP roles...
start /w ocsetup DNS-Server-Core-Role
start /w ocsetup DHCPServerCore
@REM Now, install File Role Services
@echo Now installing File Role Services...
start /w ocsetup FRS-Infrastructure
start /w ocsetup DFSN-Server
start /w ocsetup DFSR-Infrastructure-ServerEdition
@REM Uncomment these two lines to add NFS support
@REM start /w ocsetup ServerForNFS-Base
@REM start /w ocsetup ClientForNFS-Base
@REM Install Print Server Role
@echo Installing Print Server Role
start /w ocsetup Printing-ServerCore-Role
@REM Uncomment next for LPD support
@REM start /w ocsetup Printing-LPDPrintService
Note You can't include the DCPromo command in the script above because installing the Print Server role requires a reboot, which locks out DCPromo.
You cannot use DCPromo interactively to create a domain controller–you must create an unattend.txt file to use with it. The basic minimum unattend.txt file is:
[DCInstall]
InstallDNS = Yes
ConfirmGC = yes
CriticalReplicationOnly = No
RebootOnCompletion = No
ReplicationSourceDC = hp350-dc-02.example.local
ParentDomainDNSName = example.local
ReplicaOrNewDomain = ReadOnlyReplica
ReplicaDomainDNSName = example.local
SiteName=Default-First-Site-Name
SafeModeAdminPassword = <passwd>
UserDomain = example
UserName = Administrator
Password = <passwd>
Important The password fields must be correct, and will be automatically stripped from the file for security reasons. For Server Core, you must specify a ReplicationSourceDC value. You should set ReplicaOrNewDomain to the value shown here—ReadOnlyReplica—to create a read-only domain controller.
To install the read-only Domain Controller role, follow these steps:
Use Notepad or your favorite ASCII text editor (we use GVim, which works quite well in Server Core) to create an unattend.txt file with the necessary settings for the domain you will be joining. The specific filename of the unattend file is not important because you specify it on the command line.
Change to the directory that contains the unattend file. If the server has any pending restarts, you must complete them before promoting the server to domain controller.
Run DCPromo with the following syntax:
Dcpromo /unattend:<unattendfilename>
If there are no errors in the unattend file, DCPromo will proceed and promote the server to be a read-only domain controller, as shown in Figure 9-4.
Figure 9-4 Use DCPromo to create a read-only domain controller with an unattend file.
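A check for the answer file used in the steps above, as an added example (not from the book or its companion CD): a Python audit that runs in two modes. Before promotion it confirms the settings the Important note calls out; after promotion it confirms that neither password field still holds a value on disk. The function name, the finding messages and the sample file contents are constructed for illustration.

```python
import configparser

# Constructed sample: the answer file from the text as it might look before
# promotion, with placeholder secrets still present.
SAMPLE = """\
[DCInstall]
InstallDNS = Yes
ReplicationSourceDC = hp350-dc-02.example.local
ReplicaOrNewDomain = ReadOnlyReplica
ReplicaDomainDNSName = example.local
SafeModeAdminPassword = <passwd>
UserDomain = example
UserName = Administrator
Password = <passwd>
"""

SECRET_KEYS = ("safemodeadminpassword", "password")

def audit_unattend(text, promoted=False):
    """Findings for a DCPromo answer file, before or after promotion."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("DCInstall"):
        return ["missing [DCInstall] section"]
    sec = cp["DCInstall"]  # configparser lower-cases option names
    findings = []
    if promoted:
        # Post-run: a secret that survived on disk is the finding.
        for key in SECRET_KEYS:
            if sec.get(key, "").strip():
                findings.append(f"{key} still holds a value after promotion")
        return findings
    # Pre-flight: the settings the text says Server Core requires.
    if not sec.get("replicationsourcedc", "").strip():
        findings.append("ReplicationSourceDC is required on Server Core")
    if sec.get("replicaornewdomain", "").strip().lower() != "readonlyreplica":
        findings.append("ReplicaOrNewDomain is not ReadOnlyReplica")
    for key in SECRET_KEYS:
        if not sec.get(key, "").strip():
            findings.append(f"{key} is empty before promotion")
    return findings

if __name__ == "__main__":
    print(audit_unattend(SAMPLE))
    print(audit_unattend(SAMPLE, promoted=True))
```

The post-promotion mode accepts either a removed line or an emptied value, since the text does not say which form the stripping takes.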
Listing Roles
The Oclist.exe command provides a complete list of the available Server Core roles, role services, and features, as well as their current state. Use
Oclist
to get the exact, case-sensitive list of the features and roles you want to install.
© Microsoft. All Rights Reserved.