Special Coverage: Windows Server 2008
Configuring Roles with Server Manager
At a Glance:
- The difference between roles and features
- What you can do with Server Manager
- Working with wizards
- Managing roles and features from the command line
One of the themes that seems to permeate Windows Server 2008 is that less is more. I don't mean the idea of needlessly cutting out features. Rather, it is the strategy of simplifying and clarifying roles and tools so that you can install exactly what you need—and nothing more. Server Manager is an important part of this concept in Windows Server® 2008.
There are two aspects to this. First is the crucially important concept of server roles and features, which are the building blocks of Windows Server 2008. Second is the Server Manager tool itself. This tool not only replaces several tools used in Windows Server 2003, but also brings much more functionality into one place so that busy administrators, like you, can get more done more quickly and easily.
Roles and Features
If you've been reading about Windows Server 2008, you've probably come across some terms that you haven't heard used in the context of Windows® before, such as "workloads" and "roles". I'll start by explaining what these terms mean to IT professionals.
At the beginning of the development cycle for Windows Server 2008, we spent a lot of time trying to find out exactly how our users use our server products. (This effort continues, by the way.) In general, we found that people deploy our servers to do specific things. This might not sound like rocket science, but it was a big eye-opener for some of us to learn that people don't buy our servers just to have a server. More importantly, they don't deploy servers to accomplish myriad tasks. Rather, they want a server to do something specific. Of course, there are exceptions, but in most cases, a server is provisioned to perform a particular function.
In response to these revelations, we grouped the "particular things" into broad classifications, called workloads. For example, there is a database workload and an application server workload. Since workloads are broad and sometimes a bit nebulous, we created subcategories within the workloads called roles. A role is a single, very specific thing that a server is expected to do. Think about how you (and the users in your organization) refer to servers on your network. If you're like most users, you probably think of them as the file server, the domain controller, the print server, the Web server, and so on. Since this is how people tend to think about servers, Windows Server 2008 takes the same approach for dealing with roles.
Broadly, there are three main categories of roles in Windows Server 2008: Identity and Access Management (those roles branded as part of Active Directory®), Infrastructure (this includes file servers, print servers, DNS, and so on), and Application (such as the Web Server role and Terminal Services).
There will be about 17 server roles shipping with Windows Server 2008 (these include roles such as Active Directory Certificate Services, Network Policy and Access Services, and Windows Server Virtualization). And additional roles, such as the Streaming Media Services role, will likely be available for download.
Each role really deserves its own article. Some of them are discussed more thoroughly in this issue of TechNet Magazine, some have already been covered, and some are still yet to come. You should explore each of them, starting with the information available at technet2.microsoft.com/windowsserver2008/en/servermanager/default.mspx.
As you start deploying Windows Server 2008, you need to choose which roles are installed on each server. This role-based deployment is an important concept for effectively using Windows Server 2008 and being agile when deploying your resources.
The list of roles doesn't include things like BitLocker™ Drive Encryption and Network Load Balancing (NLB). That is because these are features and, although desirable, they are not things that users buy a system specifically to do. Roles, on the other hand, do represent the tasks that systems are bought to perform. For example, users don't buy servers in order to implement load balancing. They do, however, buy servers in order to serve a Web site. And while NLB may be an essential aspect of, say, a Web server, it's not the purpose for which the server exists.
Rather than have all of the features of the Server installed and active, an administrator chooses which features need to be installed. (The list of features included with Windows Server 2008 is shown in Figure 1.) By including only the roles and features that are needed, stability and security are improved. You don't have to worry about resources being consumed by features or roles that are not installed. And you don't have to worry about troubleshooting features or securing roles that are not installed.
Figure 1 Features included with Windows Server 2008
|Microsoft .NET Framework 3.0 Features|
|BitLocker Drive Encryption|
|BITS Server Extensions|
|Connection Manager Administration Kit|
|Group Policy Management|
|Internet Printing Client|
|Internet Storage Name Server (iSNS)|
|LPR Port Monitor|
|Peer Name Resolution Protocol|
|Quality Windows Audio Video Experience (qWave)|
|Remote Server Administration Tools|
|Removable Storage Manager|
|RPC Over HTTP Proxy|
|Services for NFS|
|Storage Manager for SANs|
|Simple TCP/IP Services|
|Subsystem for UNIX-based Applications|
|Trivial File Transfer Protocol (TFTP) Client|
|Network Load Balancing|
|Windows Server Backup|
|Windows System Resource Manager|
|Windows Internet Naming Service (WINS) Server|
|Wireless LAN Service|
|Windows Internal Database|
|Windows Process Activation Service|
The epitome of this concept is the Server Core installation option. Server Core is beyond the scope of this article, but you can see the logical extension of taking unused roles and features and not even copying them to the hard disk or making them available. One key difference between a normal installation and a Server Core installation is that a normal installation includes the resources required to install additional roles at any time, and it supports all the roles. Server Core, however, does not even have a GUI for its shell, and it only supports a limited number of roles.
The new Server Manager console in Windows Server 2008 makes it easier to manage and secure multiple server roles in an enterprise. Essentially an expanded Microsoft® Management Console (MMC), Server Manager lets you view and manage virtually all of the information and tools that affect your server's productivity. It provides a single source for managing a server's identity and system information, displaying server status, identifying problems with server role configuration, and managing all the roles installed on the server. (Note that it also replaces several features included with Windows Server 2003, such as Manage Your Server, Configure Your Server, and Add or Remove Windows Components.)
In some cases, Server Manager can also reduce the need for the administrator to run the Security Configuration Wizard (SCW) before deploying servers. Server Manager will configure your server so that any installed roles are functional—for example, automatically configuring the Windows firewall. However, in cases where roles have been added and then removed, or when you want to have more control over exact security settings, SCW is still a valuable tool. For more information, see Jesper Johansson's Security Watch column, "Using SCW on Windows Server 2008," in this issue (microsoft.com/technet/technetmag/issues/2008/03).
When working on Windows Server 2008, we took a hard look at how we expected administrators to perform tasks. We found ways in which tools and wizards made it easier to do your job, and we found cases in which there was too much jumping around from tool to tool. We set an important design goal for Windows Server 2008 in general—and Server Manager in particular—to make server administration more efficient by letting administrators perform many types of tasks all in a single place. As a result, with Server Manager, you can:
- View and make changes to server roles and features installed on the server.
- Perform management tasks that pertain to the server, such as starting or stopping services and managing local user accounts.
- Perform management tasks that pertain to the roles installed on the server.
- Check the server status, identify critical events, and analyze configuration issues.
- Install or remove roles, role services, and features using a GUI or command line.
The Server Manager Console presents a lot of information and functionality packed into a small space. Figure 2 shows the Server Manager Console on the File Services role node. The main window of the console contains four collapsible sections: Server Summary, Roles Summary, Features Summary, and Resources and Support.
Figure 2 Server Manager Console showing the File Services Role
The Server Summary section includes two subsections, Computer Information and Security Information. The Computer Information subsection displays the computer name, domain, local administrator account name, network connections, and the product ID of the operating system. You can also use commands here to edit this information. The Security Information subsection displays whether Windows automatic updating and Windows Firewall are enabled, as well as whether the Windows Internet Explorer® Enhanced Security Configuration is turned on (either for administrators or other users). Similarly, there are commands available to edit these settings and to view all of the advanced options.
The Roles Summary section contains a table that indicates which roles are installed on the server. The commands in this section allow you to add or remove roles or go to a more detailed console through which you can manage a specific role.
The Features Summary section provides a table that shows which features are installed on the server. Here, as expected, you can add and remove features.
Finally, the Resources and Support section indicates whether the server participates in the Customer Experience Improvement Program and Windows Error Reporting and allows you to configure the server's participation in feedback programs. You can also quickly locate additional related help and research topics available in the Windows Server TechCenters and Technical Libraries.
Each installed role has its own home page within Server Manager. For each of these role home pages, the Resources and Support section offers a menu of recommended configurations or scenarios in which the role or parts of the role work. Each recommended configuration links to a help checklist that guides you through the tasks you need to perform to create the best experience for the given role.
One particularly nice thing about Server Manager is that it bubbles up important information and commands, putting them right where you need them. When, for example, you are looking at the File Services role home page, you immediately see any events related to that role, without having to launch Event Viewer and construct a filter.
However, some roles can generate hundreds of events, so you can also make custom filters right from the role home page. You can choose Filter Events on the side menu and further narrow down the events being displayed. This dialog doesn't provide all of the filtering options available in the event log viewer, but it does allow you to quickly focus only on the events related to this particular role and not worry about filtering out the others.
Likewise, you can see the status of system services (services required by this role, but part of the overall system) and role services (services specific to this role). For some roles, you can choose which parts of a role are available and different sets of role services will be installed. Directly from the role home page, you can start and stop services, as well as specify which services should be monitored as system services for the role.
Working with Wizards
A well-designed wizard can save you time and help prevent errors, especially when dealing with tasks that are performed only occasionally. Previous versions of Windows Server required you to use Configure Your Server, Manage Your Server, and Add or Remove Windows Components to change components installed on your server. Dependency checks were limited, and Add or Remove Windows Components required that installation of one role be complete before you could add another role.
Now, using Server Manager wizards, you can install or remove multiple roles, role services, and features in a single session. But more importantly, dependency checks are performed as you progress through the Server Manager wizards, ensuring that all the necessary roles and role services are installed. And roles are configured with default recommended security settings—you can, however, use the Security Configuration Wizard to modify security settings. You can actually have your server completely ready for deployment after a single session in one of the Server Manager wizards.
Server Manager contains a number of wizards, including the Add Roles Wizard, Add Role Services Wizard, Add Features Wizard, Remove Roles Wizard, Remove Role Services Wizard, and Remove Features Wizard.
The Add Roles Wizard, which, as you might have guessed, is used to add roles to the server, automatically checks for dependencies between roles and verifies that all required roles and role services are installed for each selected role. For some roles, such as Terminal Services and Active Directory Certificate Services, the Add Roles Wizard also provides configuration pages that allow the user to specify how the role should be configured as part of the installation process. Figure 3 shows the Select Server Roles page of the Add Roles Wizard.
Figure 3 Using the Add Roles Wizard to select server roles
Most roles are composed of multiple subelements, which Server Manager refers to as role services. Once a complex role is installed, you can use the Add Role Services Wizard to add role services to the role.
Similar to the Add Roles Wizard, the Add Features Wizard allows you to install features. You can add one or more features to the system in a single session.
The Remove Roles Wizard, as its name implies, lets you remove roles from a server. The wizard automatically checks for dependencies to ensure that any roles or role services needed for roles not being removed will remain installed. You can also remove role services from an installed role, using the Remove Role Services Wizard. Meanwhile, the Remove Features Wizard lets you remove features from the system.
The Command Line
I sometimes meet an IT pro who simply loathes wizards. While few are so vehement in their opinion, many IT pros do like the option to use a command line. It can be more convenient, enabling simple repeatability and scripting. Server Manager offers a command-line tool, ServerManagerCmd.exe, which is notably easier than the earlier ocsetup and pkgmgr tools. You can use ServerManagerCmd.exe to install and remove roles, role services, and features. And you use simple parameters to display a list of all roles, role services, and features—indicating both those that are installed and those that are available for installation.
Conveniently, this command line enables you to perform unattended installation and removal of roles, role services, and features. You can also use the command line to install or remove a single role, role service, or feature in a command instance, or you can use an XML answer file with the Server Manager command to add or remove multiple roles, role services, and features in a single command instance. And you can view logs of operations, and run queries to display lists of roles, role services, and features that have been installed and those that are available to be installed.
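An added example (not from the original article) of the query capability described above: it parses `ServerManagerCmd.exe -query` output and reports installed roles and features that fall outside an approved baseline, so the install-only-what-you-need approach can be checked after deployment. The sample output, its assumed `[X] Name  [Id]` layout, the `$approved` list, and the `Get-InstalledItem` helper are assumptions for illustration; PowerShell 2.0 or later is assumed.

```powershell
# Constructed sample of `ServerManagerCmd.exe -query` text output (assumed layout,
# not captured from a real server). On a live system use instead:
#   $queryOutput = & ServerManagerCmd.exe -query
$queryOutput = @'
----- Roles -----
[ ] Active Directory Certificate Services  [AD-Certificate]
[X] File Services  [File-Services]
    [X] File Server  [FS-FileServer]
    [ ] Distributed File System  [FS-DFS]
[X] Web Server (IIS)  [Web-Server]
----- Features -----
[ ] BitLocker Drive Encryption  [BitLocker]
[X] Simple TCP/IP Services  [Simple-TCPIP]
[X] Trivial File Transfer Protocol (TFTP) Client  [TFTP-Client]
'@ -split "`r?`n"

# Hypothetical baseline: the only identifiers this file server is approved to run.
$approved = @('File-Services', 'FS-FileServer')

function Get-InstalledItem {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # "[X]" marks an installed item; the trailing "[Id]" is its command-line identifier.
        if ($line -match '^\s*\[X\]\s+(.+?)\s+\[([^\]]+)\]\s*$') {
            New-Object PSObject -Property @{ Name = $Matches[1]; Id = $Matches[2] }
        }
    }
}

$installed   = @(Get-InstalledItem -Lines $queryOutput)
$installedId = @($installed | ForEach-Object { $_.Id })
$unexpected  = @($installed | Where-Object { $approved -notcontains $_.Id })
$missing     = @($approved  | Where-Object { $installedId -notcontains $_ })

foreach ($item in $unexpected) {
    'UNEXPECTED {0,-14} {1}' -f $item.Id, $item.Name
    # -whatIf previews the removal and its dependencies without changing the server.
    '  preview: ServerManagerCmd.exe -remove {0} -whatIf' -f $item.Id
}
foreach ($id in $missing) { 'MISSING    {0}' -f $id }
'{0} installed, {1} unexpected, {2} missing' -f $installed.Count, $unexpected.Count, $missing.Count
```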
A highlight of this command-line tool is the -whatif parameter, which lets you see exactly what changes would be made to your server if the specified role were installed. For instance, Figure 4 shows the results of running the following command:
Obviously, you can save this output to a file for further analysis.
Figure 4 Using the -whatif parameter to see what changes would be made to the server
For a more in-depth look at the details and syntax of ServerManagerCmd.exe, see the "Server Manager Technical Overview Appendix" available at go.microsoft.com/fwlink/?LinkId=107113.
I'd like to thank Gaby Kaplan for her contribution to this article.
Byron Hynes is an Enterprise Technology Strategist in the Enterprise and Partner Group at Microsoft. He has previously worked in the Windows Server division, and as a consultant and trainer. You can reach him at email@example.com.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.