Windows Server Core: Installing ADDS Role

Windows Server Core is a great option for your domain controllers.  Generally speaking, domain controllers should not be doing anything else and are rarely logged into interactively anyway.  However, promoting a machine to a domain controller from the command line is not as intuitive as it should be.

This article is also very helpful if you want to script the promotion of your domain controllers.

DCPROMO.exe

Just like on a full server install, dcpromo.exe is still used to promote a machine to a domain controller.  One of the nice features of dcpromo.exe is that if the Active Directory Domain Services (ADDS) role is not installed, dcpromo.exe will add that role to your server for you.

However if you would like to install the ADDS and DNS roles before you begin the promotion process the command lines would be:

dism /online /enable-feature /featurename:NetFx2-ServerCore

dism /online /enable-feature /featurename:NetFx3-ServerCore

dism /online /enable-feature /featurename:DirectoryServices-DomainController-ServerFoundation

dism /online /enable-feature /featurename:DNS-Server-Core-Role

The full command argument options of dcpromo.exe can be found at the Microsoft TechNet documentation site.

The common arguments used in either a new domain or existing domain scenario are:

unattend Specifies that wizard will not be used (required on core). Can also specify a file location with answers required for promotion to domain controller.
replicaOrNewDomain Specifies whether to add a domain controller to a domain or configure a new domain:
Replica – Add to existing domain (used if not specified)
ReadOnlyReplica – Add as RODC to existing domain
Domain – Create new domain
safeModeAdminPassword The password for the Directory Services Restore Mode account.

Creating a new Forest

The bare minimum command to create a new forest is:

dcpromo.exe /unattend /replicaOrNewDomain:domain /newDomain:forest /newDomainDnsName:serk.local /domainNetbiosName:SERK /safeModeAdminPassword:<Password for Directory Services Restore Mode>

Remember that when you create a new Forest you are really creating a new Root level Domain so a lot of the commands will be referencing domain creation.

The common parameters used when creating a new forest are:

newDomain Specifies if you are creating a new forest, new child domain, or new tree:
Tree – Creates a new tree
Child – Creates a new child domain
Forest – Creates a new forest
newDomainDnsName Specifies the DNS name of the new domain.
domainNetbiosName Specifies the Netbios name of the new domain.
domainLevel (optional) Specifies the domain level to set this new domain to:
0 – Windows 2000 (used if not specified)
2 – Windows 2003
3 – Windows 2008
4 – Windows 2008 R2
forestLevel (optional) Specifies the forest level to set this new forest to:
0 – Windows 2000 (used on Windows 2008 if not specified)
2 – Windows 2003 (used on Windows 2008 R2 if not specified)
3 – Windows 2008
4 – Windows 2008 R2

Creating a new Domain in an existing Forest

The bare minimum command to create a new domain in an existing forest is:

dcpromo.exe /unattend /replicaOrNewDomain:domain /newDomain:child /newDomainDnsName:child.serk.local /parentDomainDNSName:serk.local /domainNetbiosName:CHILD-SERK /childName:child /userDomain:serk.local /username:administrator /password:* /safeModeAdminPassword:<Password for Directory Services Restore Mode>

The bare minimum command to create a new tree in an existing forest is:

dcpromo.exe /unattend /replicaOrNewDomain:domain /newDomain:tree /newDomainDnsName:tree.local /parentDomainDNSName:serk.local /domainNetbiosName:TREE /userDomain:serk.local /username:administrator /password:* /safeModeAdminPassword:<Password for Directory Services Restore Mode>

The common parameters used when creating a new domain in an existing forest are:

newDomain Specifies if you are creating a new forest, new child domain, or new tree:
Tree – Creates a new tree
Child – Creates a new child domain
Forest – Creates a new forest
newDomainDnsName Specifies the DNS name of the new domain.
parentDomainDNSName Specifies the parent domain's DNS name.
domainNetbiosName Specifies the Netbios name of the new domain.
childName Specifies the single-label DNS name of this child domain.  For example you would specify child if the child domain was child.serk.local.
username Username of account to create domain in forest with.  Must be an enterprise admin account.
userDomain Domain of account specified in the /username parameter.
password Password of account specified in the /username parameter.  You can either specify the plain text password, or a * which will cause you to be prompted at run-time.
domainLevel (optional) Specifies the domain level to set this new domain to:
0 – Windows 2000 (used if not specified)
2 – Windows 2003
3 – Windows 2008
4 – Windows 2008 R2

Adding a Domain Controller to an Existing Domain

The bare minimum command to add a domain controller to an existing domain is:

dcpromo.exe /unattend /replicaOrNewDomain:replica /replicaDomainDNSName:serk.local /userDomain:serk.local /username:administrator /password:* /safeModeAdminPassword:<Password for Directory Services Restore Mode>

The common parameters used when adding a domain controller to a domain are:

replicaDomainDNSName If joining an existing domain then specifies the DNS name of the existing domain.
username Username of account to join domain with.  Must be a domain admin account.
userDomain Domain of account specified in the /username parameter.
password Password of account specified in the /username parameter.  You can either specify the plain text password, or a * which will cause you to be prompted at run-time.
ConfirmGc (optional) Specifies whether the new domain controller should be a Global Catalog server:
Yes – Sets the new DC to be a GC.
No – Does not set the new DC to be a GC. (Used if not specified)
replicationSourceDC (optional) The FQDN of the domain controller to replicate the domain information from during promotion.  If you do not specify a replication source an existing domain controller will be automatically chosen.
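
Once promotion is scripted, any /password or /safeModeAdminPassword value typed as plain text stays readable wherever that command line is stored. The PowerShell check below is an added example, not part of the original post: it flags dcpromo lines that carry a literal password instead of *. The sample lines, the Example-Passw0rd value and the function name Find-DcpromoLiteralPassword are constructed for illustration.

```powershell
# Added example: flag dcpromo command lines that embed a literal password.
# Sample lines are constructed; 'Example-Passw0rd' is not a real credential.
# To scan a real script (hypothetical file name):
#   Find-DcpromoLiteralPassword -Line (Get-Content .\promote-dc.cmd)
$sample = @(
    'dcpromo.exe /unattend /replicaOrNewDomain:replica /replicaDomainDNSName:serk.local /userDomain:serk.local /username:administrator /password:* /safeModeAdminPassword:Example-Passw0rd',
    'dcpromo.exe /unattend /replicaOrNewDomain:replica /replicaDomainDNSName:serk.local /userDomain:serk.local /username:administrator /password:Example-Passw0rd /safeModeAdminPassword:<Password for Directory Services Restore Mode>',
    'dism /online /enable-feature /featurename:DNS-Server-Core-Role'
)

function Find-DcpromoLiteralPassword {
    param([string[]]$Line)

    # Value may be quoted, a <placeholder>, or a bare token.
    $pattern = '(?i)/(password|safeModeAdminPassword):("[^"]*"|<[^>]*>|\S+)'
    $lineNumber = 0
    foreach ($text in $Line) {
        $lineNumber++
        # Only inspect lines that invoke dcpromo.
        if ($text -notmatch '\bdcpromo(\.exe)?\b') { continue }
        foreach ($m in [regex]::Matches($text, $pattern)) {
            $value = $m.Groups[2].Value.Trim('"')
            # '*' means "prompt at run time"; <...> is a documentation placeholder.
            if ($value -eq '*' -or $value -match '^<.*>$') { continue }
            # Report where the secret is, never the secret itself.
            New-Object PSObject -Property @{
                LineNumber = $lineNumber
                Parameter  = $m.Groups[1].Value
                Finding    = 'literal password on command line'
            }
        }
    }
}

Find-DcpromoLiteralPassword -Line $sample |
    Select-Object LineNumber, Parameter, Finding |
    Format-Table -AutoSize
```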

Windows Server Core: Installing Roles & Features

Once you have joined your Windows Server 2008 R2 machine to the domain you are ready to install roles and features.  Normally you would do this through Server Manager, but in Core there is no GUI so there is no Server Manager.

Roles and Features Available to Install

To get a list of roles and features available to install you can run the command:

dism.exe /online /get-features

dism.exe is the Deployment Image Servicing and Management Tool.  This command is available on all editions of Win7 and Windows Server 2008 R2.

/online tells dism to work on the currently active installation of Windows.  You can also point it to a stored image even if it is not currently running.

/get-features tells dism to get a list of available features and their current status.  The output of this command on my system (truncated to just a few lines) is:

Deployment Image Servicing and Management tool
Version: 6.1.7600.16385

Image Version: 6.1.7600.16385

Features listing for package : Microsoft-Windows-ServerCore-Package~31bf3856ad364e35~amd64~~6.1.7600.16385

Feature Name : NetworkLoadBalancingHeadlessServer
State : Enabled

Feature Name : SUACore
State : Disabled

After the basic header information it shows us each feature and its current state.  The first two features are “NetworkLoadBalancingHeadlessServer”, which is installed, and “SUACore”, which is not installed.

The list of roles and features available are at the bottom of this post along with any relevant notes next to them.
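
Because a Core install is chosen partly to keep the installed footprint small, the /get-features output is worth checking against a per-role baseline. The PowerShell below is an added example, not from the original post: it parses the Feature Name / State pairs shown above and reports drift. The sample lines, the baseline and both function names are assumptions made for illustration.

```powershell
# Added example: audit enabled features against a role baseline.
# $sample is constructed in the output format shown above; on a live server use:
#   $sample = dism.exe /online /get-features
$sample = @(
    'Feature Name : NetworkLoadBalancingHeadlessServer',
    'State : Enabled',
    '',
    'Feature Name : SUACore',
    'State : Disabled',
    '',
    'Feature Name : DirectoryServices-DomainController-ServerFoundation',
    'State : Enabled',
    '',
    'Feature Name : DNS-Server-Core-Role',
    'State : Enabled'
)

# Assumed baseline for a domain controller: the four features the ADDS post
# enables before promotion, plus PowerShell itself (needed to run this script).
$baseline = @(
    'NetFx2-ServerCore', 'NetFx3-ServerCore', 'MicrosoftWindowsPowerShell',
    'DirectoryServices-DomainController-ServerFoundation', 'DNS-Server-Core-Role'
)

function ConvertFrom-DismFeatureList {
    param([string[]]$Line)
    $name = $null
    foreach ($text in $Line) {
        if ($text -match '^\s*Feature Name\s*:\s*(\S+)\s*$') {
            $name = $matches[1]
        }
        elseif ($name -and $text -match '^\s*State\s*:\s*(.+?)\s*$') {
            New-Object PSObject -Property @{ Name = $name; State = $matches[1] }
            $name = $null
        }
    }
}

function Compare-FeatureBaseline {
    param($Feature, [string[]]$Baseline)
    # 'Enabled' and a pending enable both count as present.
    $enabled = @($Feature | Where-Object { $_.State -match '^Enable' } | ForEach-Object { $_.Name })
    foreach ($n in $enabled) {
        if ($Baseline -notcontains $n) { New-Object PSObject -Property @{ Name = $n; Finding = 'enabled, not in baseline' } }
    }
    foreach ($n in $Baseline) {
        if ($enabled -notcontains $n) { New-Object PSObject -Property @{ Name = $n; Finding = 'in baseline, not enabled' } }
    }
}

$features = ConvertFrom-DismFeatureList -Line $sample
Compare-FeatureBaseline -Feature $features -Baseline $baseline |
    Select-Object Name, Finding | Format-Table -AutoSize
```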

Installing a Role or Feature

To install a role or feature we use the command:

dism /online /enable-feature /featurename:<Name of Feature>

To install the .Net Framework 2.0 we would use the command:

dism /online /enable-feature /featurename:NetFx2-ServerCore

Available Roles and Features in Windows Server 2008 R2 Core

 

NetworkLoadBalancingHeadlessServer Allows the server to be a member of a Windows Load Balancing cluster
SUACore Subsystem for UNIX
SUACore-WOW64 Subsystem for UNIX
WindowsServerBackup
WindowsServerBackupCommandlet
MultipathIo
DNS-Server-Core-Role
FRS-Infrastructure
BitLocker
BitLocker-RemoteAdminTool Ability to remotely administrate BitLocker on the server
DirectoryServices-DomainController-ServerFoundation Active Directory
DirectoryServices-ADAM-ServerCore Active Directory Lightweight Directory Services (better known as ADAM)
ActiveDirectory-PowerShell Active Directory Powershell Cmdlets
IIS-WebServerRole
IIS-WebServer
IIS-CommonHttpFeatures
IIS-StaticContent
IIS-DefaultDocument
IIS-DirectoryBrowsing
IIS-HttpErrors
IIS-HttpRedirect
IIS-WebDAV
IIS-ApplicationDevelopment
IIS-NetFxExtensibility
IIS-ASPNET
IIS-ASP
IIS-CGI
IIS-ISAPIExtensions
IIS-ISAPIFilter
IIS-ServerSideIncludes
IIS-HealthAndDiagnostics
IIS-HttpLogging
IIS-LoggingLibraries
IIS-RequestMonitor
IIS-HttpTracing
IIS-CustomLogging
IIS-ODBCLogging
IIS-Security
IIS-BasicAuthentication
IIS-WindowsAuthentication
IIS-DigestAuthentication
IIS-ClientCertificateMappingAuthentication
IIS-IISCertificateMappingAuthentication
IIS-URLAuthorization
IIS-RequestFiltering
IIS-IPSecurity
IIS-Performance
IIS-HttpCompressionStatic
IIS-HttpCompressionDynamic
IIS-WebServerManagementTools
IIS-ManagementScriptingTools
IIS-ManagementService
IIS-IIS6ManagementCompatibility
IIS-Metabase
IIS-WMICompatibility
IIS-LegacyScripts
IIS-FTPServer
IIS-FTPSvc
IIS-FTPExtensibility
WAS-WindowsActivationService
WAS-ProcessModel
WAS-NetFxEnvironment
WAS-ConfigurationAPI
IIS-HostableWebCore
ClientForNFS-Base
ServerForNFS-Base
DFSR-Infrastructure-ServerEdition
DHCPServerCore
SNMP-SC
DFSN-Server
TelnetClient
WINS-SC
Printing-ServerCore-Role
Printing-LPDPrintService
Printing-ServerCore-Role-WOW64
ServerCore-EA-IME
ServerCore-EA-IME-WOW64
QWAVE QoS Support for audio and video
NetFx2-ServerCore .Net 2.0 Framework
NetFx2-ServerCore-WOW64 .Net 2.0 Framework for x86
NetFx3-ServerCore .Net 3.5 Framework
WCF-HTTP-Activation
WCF-NonHTTP-Activation
NetFx3-ServerCore-WOW64 .Net 3.5 Framework for x86
MicrosoftWindowsPowerShell
MicrosoftWindowsPowerShell-WOW64
ServerManager-PSH-Cmdlets Powershell Cmdlets for Server Manager
BestPractices-PSH-Cmdlets Powershell Cmdlets for Best Practices Analyzer
PeerDist Branch Cache
Microsoft-Hyper-V
VmHostAgent VDI Agent
CertificateServices Active Directory Certificate Services
SMBHashGeneration Branch Cache
ServerMigration
ServerCore-WOW64
FSRM-Infrastructure-Core
CoreFileServer
LightweightServer
Microsoft-Windows-Web-Services-for-Management-IIS-Extension
FailoverCluster-Core Windows Failover Clustering
FailoverCluster-Core-WOW64

Windows Server Core: SConfig

One of the big challenges with installing Windows Server Core is that after the installation you are presented with this:

[Screenshot: Server Core CLI]

Even if you are comfortable on the Windows command line, let’s be honest here: most of us (pretty close to all of us) would be hard pressed to even set an IP address.  With PowerShell becoming very popular among IT Pros, the CLI skills of the average Windows Administrator are improving, but PowerShell was not available on Core until R2 was released.

In my environments I try to do as much server configuration by group policy as possible so that helps a lot with manual configuration of settings.  However when using Windows Server 2008 Core you are going to have to input some fairly complex commands to get an IP address set and the server joined to the domain.  In R2 though Microsoft has included a tool called SConfig to simplify those initial configuration tasks.  When you run the command it calls itself Server Configuration, but I choose to let the “S” stand for Simple Configuration.

[Screenshot: sconfig.exe Main Screen]

As you can see the basic commands you need to get your server up and running are here for you.  Generally speaking I simply run command #2 to set the computer name, command #8 to set the IP settings, and command #1 to join the server to the domain.

After that point I like to let Group Policy take over to provide a central point for configuration settings.  If you are not in an Active Directory environment I would recommend scripting out your settings to provide consistency and easy documentation.

Windows Server Core: Overview

Beginning with Windows Server 2008, Microsoft offered the option to install the operating system without large parts of the graphical user interface (GUI).  This means when you log on to the server all you get is a command line prompt.  There is no Windows Explorer, no Start menu and no Internet Explorer, among others.  You want to set the IP address?  Use the command line.  Want to reboot?  Use the command line.  Want to . . . ?  Well, you get the idea.

Advantages

System Resources: Server Core uses less disk space and less memory.  In short there is less running and less installed.  The full installation of Windows Server 2008 R2 is approximately 7.5 GB, while in Core it is approximately 3 GB.  The disk space savings is not a serious advantage in my mind unless we are looking at a virtual server environment where you would have dozens or hundreds of these machines using a shared resource (the physical machine's storage). A default installation of Windows Server 2008 R2 (no 3rd party apps, no roles installed, etc.) consumes 385 MB of memory after a reboot.  The same setup as a Core install uses 255 MB.  That is a 34% decrease in memory usage.  Multiply that by 100 virtual machines in a VMware or Hyper-V farm and that is a serious resource savings.

Security: Since there is simply less installed, there is less to patch and less to attack.  The removal of Internet Explorer alone can reduce the number of patches you install significantly.  A component not installed by Core cannot be exploited, which will provide significant security enhancements.

Raises Required Skill Level of IT Pro: Managing a Server Core system can be significantly harder if you are not comfortable in a command line environment.  Some readers might think this should be in the Disadvantages section.  However, I see it as an opportunity in two ways. First, it sets a minimum skill level for any IT Pro working on the system.  I find Server Core is a great way to keep less experienced administrators away from your critical machines. Second, it forces you to work smarter.  Windows administrators are plagued with never learning how to do something from the command line (and therefore never being able to script it, automate it, etc.) because the GUI tool will get the job done faster than you can learn what the command syntax is.  Once you put yourself in an environment where you do not have a choice, you quickly start to grow as a Windows Administrator.  Starting with Windows Server 2008 R2 the .Net Framework is available on Core, and this means that PowerShell is available.  The best way for Windows administrators to jump start their careers and make significant gains in their productivity is to learn how to use PowerShell to manage their servers.

Disadvantages

Limited Roles Available: The roles available on Core are limited.  In Windows Server 2008 R2 Core the roles available are:

  • Active Directory Certificate Services
  • Active Directory Domain Services
  • Active Directory Lightweight Directory Services (aka ADAM)
  • BranchCache Hosted Cache
  • DHCP Server
  • DNS Server
  • File Services
  • Hyper-V
  • Media Services
  • Print Services
  • Web Server (IIS)
    • Note: In Windows Server 2008 the .Net Framework is not available so that means no ASP.net sites.  In R2 the framework is available.

If you are looking to run a role that is not on the list above you will not be able to use core.  Some common examples are Terminal Services, WSUS, Windows Deployment Services and any other not on the list above.

.Net Framework: As noted in the above section, the .Net Framework is not available on Core until R2.  The most notable places this is an issue are if you want to run ASP.net sites or if you want to use PowerShell.  Both of these are pretty painful because Core makes a great OS for a web server farm and PowerShell makes a great command line interface to manage an OS from. However, unless you have licensing issues preventing you from upgrading, there is no reason not to move to R2.  Think of R2 as a really good service pack.  It is an incremental upgrade so it’s already heavily tested, it has a good track record already, and it provides a lot of polish that Windows Server 2008 was missing (such as the .Net Framework on Core). As long as I am encouraging you to upgrade to R2, take note that it is only available in x64, so if you have REALLY old hardware you will not be able to run R2.  Also watch out for some 3rd party apps which have not updated their products to officially support R2.  For example VMware (ESX, Workstation, etc.) has to be upgraded to a certain version to officially support R2 (although I have seen it work on versions that support Windows Server 2008).

3rd Party Applications: Some third party applications simply do not work without a GUI.  Make sure that your anti-virus, backup agents, monitoring agents, inventory agents, etc will install and allow you to do any management you need to do within core.  One piece of software that is notorious for keeping people off of core is network card management software.  If you want to (for example) team a pair of network cards using the Intel or Broadcom software last I heard those do not work on core.

Conclusion

Windows Server Core in the right situations is a great operating system.  Keep an eye on this blog over the next few weeks as I will be publishing some details on how to manage the core operating system.