Happy Fun Time with Windows Server 2008 Server Core–Part I

So, remember the first time you installed a “Server Core” installation of Windows Server?  You were all excited about this whole new paradigm for a Windows server.  Smaller disk footprint!  Smaller attack surface!  Smaller RAM requirements! It all seemed so sexy and sleek, and you were going to run your shit from the command line with the big dawgz!


And then you log in for the first time, and you see this:

[Screenshot: CoreDesktop]

If you’re anything like me, this is the moment where cold, harsh reality begins to set in as you realize exactly how much you don’t know about the Windows command shell.  Sure, you know how to mkdir and rmdir and chkdsk and ipconfig and xcopy.  There was that one time you configured your domain controller to sync with an Internet time source, using w32somethingorother and some ancient instructions you dug up from the bowels of TechNet…but you start tallying up the list of your typical post-install tasks and realize that you have no earthly idea if it’s possible to set the time zone from the command line.  Or set a DNS server and subnet mask on the network interface.  Or configure Windows Updates.  Or change the power settings.  Or enable remote desktop.  Or any of a million other little things you probably do almost without thinking.

And now you feel like this:


If you’re working with Windows Server 2008 R2 (as I do in my production environment), your learning curve is considerably more forgiving thanks to the inclusion of the sconfig utility, as well as the availability of pseudo-GUIs like Core Configurator (which sort of seems like cheating on the whole “server core” concept, but hey, sometimes you just need to get it done).  However, the MCITP Server Administrator and Enterprise Administrator exams currently cover Windows Server 2008 pre-R2.  Pre-R2 Server Core doesn’t have sconfig, and while I think you can still find the old version of Core Configurator that ran on 2008, that won’t help you on the MCITP exams.  You have to do it the old-fashioned way.  And by “it”, I mean “everything”.

This is actually sort of good, though, as it forces you to learn various forms of command-line trickery that you know – deep down in your cold, black sysadmin heart – that you should have made yourself learn years ago.  You’ve grown fat and lazy while indolently clicking around some crappy MMC console.  But no more!  Of course, it’s easier to see the benefit of being forced to do this stuff “the hard way” when you’re studying for a certification exam and working with a test environment rather than dealing with the time pressures of a production environment.  Also, even after you’ve accepted that real men do it on the command line, there is still the sucktacular fact that you can’t install PowerShell on Server 2008 Core prior to R2 (or you can, but it’s not native).  Speaking of rolling with the big dawgz, PowerShell is where it’s at…but that’s another post altogether.

What I want to do here is provide a list of instructions for performing common post-installation tasks on a Windows Server 2008 Server Core machine.  None of this is information that you can’t find elsewhere, but hopefully I’m performing some helpful service by pulling it all together in one place.  As always, please feel free to point out any significant omissions or egregious errors in comments.

My Setup

In order to practice for my MCITP exams, I have partitioned my home computer (an HP Pavilion with a Core 2 Duo processor and 8 GB of RAM) into a dual-boot machine with Windows Server 2008 R2 Core with the beta of SP1 on the second partition.  Only the Hyper-V and AD-DS roles are enabled, and this machine serves as a virtualization host for my “Contoso” network (thus far consisting of SERVER01 running the full Windows Server 2008 Enterprise and acting as the DNS server and first DC, and SERVER02 running the Server Core install of Windows Server 2008 Enterprise). I made the Hyper-V host a DC in a new domain so I could join a partition on my laptop to that domain and manage/interact with the virtual machines from that laptop.  In my experience, trying to configure remote management for Hyper-V across domains or without a domain is just a huge pain in the ass, and I’m not all that worried about security or best practices in my test environment.

If I were only going to work with these VMs while sitting at my home computer, there would be no need for a domain for the host – its only purpose is to easily enable trust between the host and my laptop – and it’s probably worth pointing out that installing any other role besides Hyper-V on a virtualization host is most definitely not recommended (and possibly not supported?) by Microsoft.  Don’t do this in your production environment.  Let the Hyper-V host be just that, and put the rest of the workloads in virtual machines.

Incidentally, I installed the beta of SP1 on the Hyper-V host because it enables dynamic memory, which makes it possible to cram a lot more virtual machines onto a given box – especially in a test environment where you don’t need to worry about performance under production workloads.

For the rest of this article, I’m assuming that you managed to install the thing and log in, and that if you’re working with a VM, you went ahead and installed the integration components (for Hyper-V) or tools (if you’re using VMware Workstation).

Anyway, back to this whole situation:


First Things First

At the ripe old age of 36, I no longer have the eagle-sharp eyes of my callow youth, and while I don’t mind working from the command line, working from a tiny, ugly, squinty command line rendered in raster fonts blows goats.

Do yourself a favor and tweak those settings!  First of all, you want to change the display resolution to something larger than a post-it note.  On a Server Core this takes a little digging in the registry, but if you even know what Server Core is, I’m going to assume that you know how to work regedit.

Invoke regedit and navigate to HKLM\System\CurrentControlSet\Control\Video.  Under that, you’ll see one or more GUIDs:

[Screenshot: GUIDS]

They each have a subkey called 0000, but only one will have a sub-subkey under 0000 called VolatileSettings.  In the 0000 subkey of that one (and NOT in the VolatileSettings sub-subkey) create or alter the following keys (I’ve always had to create them):

Name                         Type          Binary Value (NOT Hex)
DefaultSettings.XResolution  DWORD 32-bit  x-resolution (e.g. 1440)
DefaultSettings.YResolution  DWORD 32-bit  y-resolution (e.g. 900)

Now close regedit and log out (by typing logoff at the prompt…don’t laugh, I had to look it up).  The new resolution will take effect when you log out, and then you can log back in.
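The same registry change done from the prompt instead of regedit, as an added example that is not from the original post: it walks the GUID keys under Control\Video, picks the one whose 0000 subkey has a VolatileSettings child, and writes the two DWORDs with reg.exe.  The 1440×900 values are the ones used above; change them to suit your display.

```batch
@echo off
rem Added example, not from the original post: set the Server Core display
rem resolution with reg.exe instead of clicking through regedit.
rem Assumed resolution values; change XRES/YRES for your monitor.
setlocal
set XRES=1440
set YRES=900
set VIDEO=HKLM\SYSTEM\CurrentControlSet\Control\Video

rem "reg query" on the Video key prints one full key path per GUID subkey.
rem Keep the GUID whose 0000 subkey has a VolatileSettings child; the
rem query on the others fails, so the && branch never runs for them.
for /f "delims=" %%K in ('reg query "%VIDEO%"') do (
    reg query "%%K\0000\VolatileSettings" >nul 2>&1 && set "TARGET=%%K\0000"
)
if not defined TARGET (
    echo Could not find a GUID key with a 0000\VolatileSettings subkey.
    exit /b 1
)

echo Writing %XRES%x%YRES% to %TARGET%
rem /t REG_DWORD with a decimal /d value; /f overwrites without prompting.
reg add "%TARGET%" /v DefaultSettings.XResolution /t REG_DWORD /d %XRES% /f
reg add "%TARGET%" /v DefaultSettings.YResolution /t REG_DWORD /d %YRES% /f

rem Show what was written, then remind the reader the change needs a logoff.
reg query "%TARGET%" /v DefaultSettings.XResolution
reg query "%TARGET%" /v DefaultSettings.YResolution
echo Done. Type logoff and log back in for the new resolution to take effect.
endlocal
```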

Now that you have some room on the desktop, let’s pretty up that command shell window by right-clicking on the bar at the top of the command prompt window and selecting “Properties”.  On the Options tab, check “Quick Edit Mode”.  On the Font tab, select Lucida Console and set the size to 16.  The settings on the layout tab determine the size of the command shell window, so what’s “ideal” depends on the display resolution as well as the font size you’ve selected.  I’ve set my display to 1440×900 and the font to 16, so I’ll set the layout to a width of 110 and a height of 50.  I set the buffer height to 3000 just to make sure I don’t lose anything that I might want to look at later. On the Colors tab, I usually set the Screen Text color to bright green, which seems easier on the eyeballs than the default gray.

Ah, that’s better:

[Screenshot: Tweaked]

One of these days I’m going to see if I can install the Consolas font on Server Core, because that’s the least-hideous fixed-width font around IMHO, but for now, anything but skeezy old raster fonts will do.

Time & Date

First, a word of advice that’s not strictly about Server Core: If you’re working with a Hyper-V virtual machine and you intend to make that VM a domain controller, it’s important to turn off the “Time Synchronization” integration service:

[Screenshot: IntegrationServices]

This is a best practice for domain-joined VMs in any case, but it’s especially important if the Hyper-V host belongs to the domain in which you’re going to make the VM a domain controller.  The subject of configuring network time in a Windows domain is beyond the scope of this discussion, but I’ll just say this: If you don’t turn off the Time Sync integration in a virtualized DC scenario, it will override whatever time configuration you apply to the virtual DC.  The guest DC will be getting its time from the host integration services, and the host – being a member of the domain in which the guest is a DC – will in turn be getting its time from the guest, so the time-lag between them will start to compound.  Because the guest is a domain controller, your entire domain’s time will begin to diverge from external time.  A lot.  And because Kerberos (among other things) requires some reasonable facsimile of accurate network time, stuff will eventually start to break.

Not that I ever made this horrible mistake in my production environment or anything.  Because that would be crazy.   Ahem.

So anyway, back to Server Core.  This one is pretty easy because it’s not strictly true that Core has no GUI.  There are, in fact, several control panel apps in SC; you just have to launch them from the command line.  That means you have to know their names, of course, but with everybody having Google in their pocket, that shouldn’t really be a problem.

For example, here’s timedate.cpl:

[Screenshot: TimeDateCpl]

That was easy!  Moving right along…

Networking Configuration:

This stuff involves using ye olde netsh.exe, the Network Shell tool that has been included in Windows NT operating systems since Windows 2000.  Netsh has a sort of internal namespace consisting of a number of nested “contexts” for executing commands for different sorts of things.  I’m not going to pretend that I know even most of them, but I do know how to configure your basic IPv4 settings for a network adapter:

First, you need to know the name of the adapter you’re going to be working with.  Normally, that’s “Local Area Connection”, but if you’ve moved a virtual machine between hosts or changed the virtual networks associated with its adapter, it may be something like “Local Area Connection 3”, so you might want to check:

netsh interface show interface

I know, it sounds retarded.  What you’re doing is invoking netsh, entering the “interface” context, issuing a “show” command in that context and specifying that “show” should return a list of interfaces (because in the interface context, “show” can also return the credentials used to connect to an interface).  It should return a list of network interfaces on the system:

[Screenshot: netshShow]

So now I know the name of the interface is “Local Area Connection 2”, so the command to set the IPv4 address to 10.0.0.12 is as follows:

netsh interface ipv4 set address name="Local Area Connection 2" source=static address=10.0.0.12 mask=255.255.255.0 gateway=10.0.0.1

Pretty straightforward. What you get back is…nothing.  But you can verify that the settings were applied by typing ipconfig

[Screenshot: IPSettingsApplied]

Next up, we need to configure the DNS settings. We’ll also do this with the Network Shell, like so:

netsh interface ipv4 set dns name="Local Area Connection 2" source=static address=10.0.0.1 primary

This command won’t return anything either, but you can verify that it worked with ipconfig /all

[Screenshot: IpconfigAll]

If you want to replace the loopback address with a real secondary DNS server, you can use the same command, but with the new address and replacing “primary” with “secondary”.  [UPDATE: Wrongola!  I’ll have to get back to you on how to do that.] I should probably note that if you’re going to make this machine a DNS server when you promote it as a DC, you should configure it to point to itself for DNS name resolution – but if you’re making a DC in an existing domain, you can’t do this until after you’ve joined the machine to that existing domain as a member server, because the computer will need working name resolution to locate a domain controller when it joins the domain.  On the other hand, if you’re going to promote this SC as the first DC in a new domain, you can go ahead and set it to point to itself for DNS resolution right now.

Incidentally, you could use the following commands to use DHCP for both IP and DNS settings:

netsh interface ipv4 set address name="Local Area Connection 2" source=dhcp

netsh interface ipv4 set dns name="Local Area Connection 2" source=dhcp

…although in my home network and my production environment, I manually assign IP addresses to servers and network hardware from a range that I have excluded from my DHCP address pool.
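The whole networking section as one script, added here as an example and not part of the original post: it reads the adapter name out of netsh interface show interface rather than off the screen, then applies the same static address and DNS commands used above.  The 10.0.0.0/24 values are the post’s; the secondary DNS address 10.0.0.2 is constructed, and the add dnsserver subcommand used for it is my assumption (the post does not cover adding a secondary server).

```batch
@echo off
rem Added example, not from the original post: static IPv4 + DNS on Server
rem Core without first reading the adapter name from the screen.
rem Assumed values: the post's 10.0.0.0/24 addressing; 10.0.0.2 as a
rem constructed secondary DNS server.
setlocal
set IPADDR=10.0.0.12
set MASK=255.255.255.0
set GATEWAY=10.0.0.1
set DNS1=10.0.0.1
set DNS2=10.0.0.2

rem "netsh interface show interface" prints one line per adapter, e.g.
rem   Admin State    State          Type             Interface Name
rem   Enabled        Connected      Dedicated        Local Area Connection 2
rem Tokens 1-3 are single words; "*" collects the rest as the name, which
rem may contain spaces. The header and dashed lines never have "Connected"
rem as their second token, so they fall through. Keep the first match.
for /f "tokens=1,2,3,*" %%A in ('netsh interface show interface') do (
    if /i "%%B"=="Connected" if not defined IFNAME set "IFNAME=%%D"
)
if not defined IFNAME (
    echo No connected interface found; check netsh interface show interface.
    exit /b 1
)
echo Configuring "%IFNAME%"

rem Same two commands as in the post, with the discovered adapter name.
netsh interface ipv4 set address name="%IFNAME%" source=static address=%IPADDR% mask=%MASK% gateway=%GATEWAY%
netsh interface ipv4 set dns name="%IFNAME%" source=static address=%DNS1% primary

rem Secondary DNS server (assumption: add dnsserver with index=2 appends
rem a second entry to the list rather than replacing the primary).
netsh interface ipv4 add dnsserver name="%IFNAME%" address=%DNS2% index=2

rem netsh prints nothing on success, so pull the result out of ipconfig.
ipconfig /all | findstr /i "IPv4 Subnet Gateway DNS"
endlocal
```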

Computer Name & Domain:

To change the computer’s name and join a domain, we’re going to use netdom.exe, which is not quite as hoary as netsh.exe but has been around since Windows 2003/Windows XP.  Its primary purpose is to manage domain and trust relationships.

To change the computer’s name, you need to know its current name.  To do that, type hostname and press Enter.  This will return (surprise!) the hostname of the local system.  Now on to Netdom:

netdom renamecomputer %computername% /newname:YourNewComputerName

…where %computername% is the current host name and YourNewComputerName is the desired host name.  You’ll get a warning notifying you that some services (like Certificate Services) require the computer name to remain fixed, and asking you if you want to proceed.  You’ll have to press Y for yes or N for no.  Say Y, and you’ll get a notice that you need to restart the computer to complete the operation:

[Screenshot: NetDomRename]

To do that, use the shutdown command I’ve added to the last command prompt above.  If you’re not familiar with shutdown, the /r parameter indicates a restart and the /t parameter sets the time the user will have before the shutdown begins.  You can also use an /f parameter to force a shutdown or restart.

Now, assuming that you already have a domain to join, let’s join it!  If you haven’t promoted a DC and created a domain yet, skip ahead to the next part about promoting a SC as the first DC in a new domain.

To join a domain, you’ll use Netdom.exe again:

netdom join %computername% /domain:yourdomain.com

…where yourdomain.com is, naturally, the DNS name of your domain.  In my test network, it’s contoso.com.  Naturally, you’ll need to restart.  Use the same shutdown command as above.

Making your Server Core a Domain Controller

So there are two possible scenarios here.  The first is one in which you have already promoted some other computer as the first domain controller in a new domain, so you now have an existing domain in which your Server Core machine can become a domain controller.  This would be the domain you joined above.  The second is one in which your Server Core will become the first DC in a new domain.  In either case, we’ll use dcpromo.exe.  But unfortunately, the UI you may be familiar with from using dcpromo on full-install servers is not available on server core.  Instead, dcpromo is a command-line tool that accepts parameters in place of the information you’d otherwise fill in on the GUI forms.  Let’s start with the first scenario, using my contoso.com domain.

Joining an Existing Domain

First (and assuming you want your DC to also be an AD-integrated DNS server), use Ocsetup to install the binaries for the DNS server role:

start /w ocsetup DNS-Server-Core-Role

Note that server role names are case-sensitive for ocsetup.  “dns-server-core-role” will fail.  This tool also doesn’t give you any feedback on what happened, so you’ll need to type oclist to verify that the DNS-Server-Core-Role has been installed.

Speaking of the DNS server role, I’m assuming you know that AD requires DNS.  Dcpromo does a pretty good job of automatically handling DNS setup for you (both from the command line and through the GUI).  The default DNS-related actions depend on the operation you’re specifying.  If you’re promoting the first DC in a new forest, the DNS role is installed by default. If you’re promoting into a new tree, a new child domain, or creating a replica DC in an existing domain, dcpromo checks to see if an existing DNS infrastructure can be detected.  If so, the DNS server role will be installed by default.  If dcpromo can’t detect an existing DNS infrastructure while promoting into an existing forest (as I presume would happen if you use BIND or some other non-Windows, non-AD-integrated DNS server), it will not automatically install the role by default.  You can manually specify what dcpromo should do about DNS with the /installDNS parameter.

I highly recommend that you let dcpromo install and configure DNS on your Server Core. If you hate yourself, you can use the dnscmd.exe command-line to manually configure your DNS server.

Dcpromo can accept a wide variety of parameters (more than I’ve listed here) that correspond to the options you see in the “Advanced Mode” of the dcpromo GUI.  You can also store all the parameters in a text file and just use dcpromo /unattend:<path to text file>.  In a production environment, this is an easy way to create a standard DC configuration and quickly provision new DCs.  You can find instructions and the whole list of available parameters here.

We’re just going to type the few parameters that we need on the command line, however.  Note that for parameters omitted, the default values are accepted.  Here we go:

dcpromo /unattend /replicaOrNewDomain:replica /replicaDomainDnsName:contoso.com
/confirmGC:Yes /UserName:CONTOSO\Administrator /Password:*
/safeModeAdminPassword:P@ssw0rd48

Most of these parameters are probably fairly self-explanatory to anyone experienced with the GUI version of dcpromo.  By specifying “replica”, we mean that this DC will be a multimaster-replication partner (aka domain controller) entering into an existing domain, and that domain is contoso.com.  The /confirmGC parameter allows us to specify whether or not the new DC will be a Global Catalog server in the domain.  In a single-domain forest, there’s no real need to give much thought to this – every DC can be a GC.  In a more complex environment you’d need to give some thought to placement of GCs, but there’s plenty of information out there about that topic.  Putting “*” for the /Password parameter will cause a password prompt to be presented when the command starts executing.  The /safeModeAdminPassword parameter allows us to specify a password for Directory Services Restore Mode.  If you’re lucky you’ll never need this, but in a production environment you should definitely set a strong DSRM password and record it somewhere safe.

After you hit Enter, the first thing dcpromo does is check for the presence of the binaries that constitute the AD Directory Services role.  When it doesn’t find them, it installs them. Incidentally, you should always let dcpromo install the AD DS role on a Server Core machine, rather than using Ocsetup.exe to install the role before kicking off dcpromo.  This is different from a standard Windows Server installation, where you use Server Manager to add the AD DS role before starting dcpromo.

Next, you’ll be prompted for the password for the user name you specified in the /UserName parameter:

[Screenshot: DcPromo]

Once you enter it, the promotion begins.  If you installed the DNS-Server-Core-Role, the DNS service will automatically be configured and the relevant zone(s) imported from an existing DC/DNS server.

Unlike a lot of command-line tools, dcpromo is pretty verbose about what it’s trying to do and what the results are.

[Screenshot: DcPromoVerbose]

It will automatically reboot the machine to complete the promotion, however, so read it while you can!

Creating a New Domain

If you’re promoting the Server Core as the first DC in a new domain (and presumably a new forest, unless you’ve got a very fancy multi-domain test environment), you’ll use the same dcpromo syntax with a few differences in the parameters:

dcpromo /unattend /autoConfigDNS=Yes /domainNetBiosName=CONTOSO
/newDomainDnsName=contoso.com /replicaOrNewDomain=domain /newDomain=forest
/forestLevel=3 /domainLevel=3 /safeModeAdminPassword=P@ssword1234

Note that the /forestLevel and /domainLevel parameters are for specifying the forest and domain functional levels, respectively.  The possible values are:

  • 0 = Windows 2000 Server native mode
  • 2 = Windows Server 2003
  • 3 = Windows Server 2008

What happened to 1?  I don’t know.  1 is dead to us.
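The new-forest command above, written out as the kind of answer file the earlier section mentions for dcpromo /unattend:<path to text file>.  This is an added example, not from the original post: the [DCInstall] keys mirror the command-line parameters one for one (the replica scenario’s parameters map into the same section the same way), the file path and the DSRM password are placeholders, and the database/log/SYSVOL paths are simply the Server 2008 defaults spelled out so they can be changed deliberately.

```ini
; Added example, not from the original post: answer file for
;   dcpromo /unattend:C:\newforest.txt      (path is a placeholder)
; Keys correspond to the /parameters used on the command line above.
[DCInstall]
; New domain in a new forest (same as /replicaOrNewDomain=domain /newDomain=forest)
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=contoso.com
DomainNetbiosName=CONTOSO
; Functional levels: 0 = Windows 2000 native, 2 = Windows Server 2003, 3 = Windows Server 2008
ForestLevel=3
DomainLevel=3
; Let dcpromo install and configure the DNS server role itself
InstallDNS=Yes
; Server 2008 defaults, listed so a non-default disk layout is a conscious choice
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
; Directory Services Restore Mode password: set a strong one and record it somewhere safe
SafeModeAdminPassword=<STRONG-DSRM-PASSWORD-PLACEHOLDER>
; Reboot automatically once promotion finishes
RebootOnCompletion=Yes
```

Because the file carries the DSRM password in clear text, delete it (or at least lock down its ACL) as soon as the promotion has completed.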

Anyway, congratulations, Mr. or Ms. Badass – you just promoted a domain controller from the command line!  Hopefully by now you’re feeling more like this:


…and less like this:


In my next post, we’ll talk about configuring Windows Update, working with the firewall, configuring the SC for remote management, and a few other odds and ends.

Adding fields to your Outlook contacts

A friend of mine wrote to ask how you can add custom fields or attributes to your Outlook 2007 contacts.  I’d never tried to do that before, so I fired up Ye Olde Virtual PC to find out (I’m running the Office 2010 technical preview on my laptop, and Outlook is considerably different).

Turns out it’s actually pretty simple and yet still remarkably obscure and confusing in that magical way that only Outlook can be!  As with most tasks in Office, there’s probably more than one way to do this.  Here’s what I did:

Open Outlook, go to Contacts and select the “Phone List” view from the list of views on the left-hand navigation pane. 

Click View > Current View > Customize Current View…

[Screenshot: Capture]

Which gets you this:

[Screenshot: Capture2]

Click the “Fields” button and you’ll see this:

[Screenshot: Capture3]

Click “New Field…” to get this:

[Screenshot: Capture4]

Here you can define your custom field with a name (Favorite Color in my example), a data type (like text, numbers, currency, etc.), and a format.  Do your thing and then click OK three times.  You’ll be back in the Phone List view of your contacts.  Scroll all the way to the right and you’ll see your new field as the last column.

The nifty thing about the Phone List view is that it’s sort of like an Excel spreadsheet.  You can edit your contacts directly without needing to “open” them one by one, which is handy when you’ve added a field that you may want to fill in for all of your contacts (like adding everyone’s favorite color).

If you open an individual contact, you can see your custom fields by using the “Show” area on the “Contact” tab of the Ribbon:

[Screenshot: IndividualContact]

Click the “All Fields” button and select “User-defined fields in folder” from the Select From menu.

[Screenshot: Capture7]

One caveat is that your custom field is only added to a specific contacts folder.  Most home users of Outlook only have one contacts folder, and don’t really even think of it as such (because Outlook does such a great job of partially obscuring the underlying structure of your data).  However, it is possible to have multiple contacts folders, and in that instance, you’d have to add your custom fields to each folder separately.

Boo.

This showed up in my inbox the other day:


The TechNet Magazine Team would like to thank you, our valued reader, for the loyalty and trust you have placed in TechNet Magazine. It is a distinct pleasure to deliver content that we consistently hear makes your jobs easier and has helped you grow in your IT careers.

The November 2009 issue of TechNet Magazine will be its last in printed form. However, we are very excited about what the future holds. Be assured the magazine will continue to thrive on the Web.

As a TechNet Plus Subscriber, you have received a printed copy of TechNet Magazine and moving forward you will still have access to all of its great content, as the magazine will retain its place as a key part of the TechNet online community. Many of the features and columns you have enjoyed over the years will continue to be published online. We’ll be enriching the online magazine in many ways, including more frequent posting of articles, more videos in an enhanced video player, and more direct communication with our readers, enabling you to make comments on articles and to submit your own tips and best practices. Check www.technetmagazine.com in the coming months as these features become available.

Boo.  I like print magazines.  What will I read in the bathroom now?