Performing Initial Configuration of a Windows Server Core Server

In Chapter 5, “Managing Server Roles,” we saw how to perform the initial configuration of a Windows Server 2008 server using the Initial Configuration Tasks screen. Of course, many of these initial configuration tasks can also be performed using an unattend.xml answer file during an unattended installation.

The Windows server core installation option of Windows Server 2008 can also have its initial configuration done in two ways: from the command line after a manual install, or by doing an unattended installation. In this chapter, we’re going to look only at the first method (using the command line after a manual install). For more information on unattended installation of Windows Server 2008, see Chapter 13, “Deploying Windows Server 2008.”

Performing Initial Configuration from the Command Line

Some of the initial configuration tasks you will want to perform on a Windows server core server include the following:

• Set a password for the Administrator account.

• Set the date, time, and time zone.

• Configure networking, which might mean assigning a static IP address, subnet mask, and default gateway (unless DHCP is being used) and pointing the DNS settings to a domain controller.

• Changing the server’s name and joining the domain.

Other initial configuration tasks can include activating your server, enabling Automatic Updates, downloading and installing any available software updates, enabling Windows Error Reporting and the Customer Experience Improvement Program, and so on.

Let’s see how to perform some of these tasks.

Changing the Administrator Password

There are two ways you can change the Administrator password on a Windows server core server:

• Press CTRL+ALT+DEL, click Change Password, and enter your old and new password.

• Type net user administrator * at the command prompt, and enter your new password twice.

Setting Date, Time, and Time Zone

To set the time zone for your server, type control timedate.cpl at the command prompt. This opens the same Date And Time applet that can be opened from Control Panel in the full installation of Windows Server 2008:

The reason for using a Control Panel applet to do these tasks is simply that it’s easier for admins to do it this way than to try and do it from the command line. And because it’s a task that is likely to be performed only occasionally (even just once), and because there are no dependencies between the Date And Time applet and other system components that have been removed from the Windows server core installation option, the product team decided to leave this in as one of the few GUI tools still available in the Windows server core installation option of Windows Server 2008. Of course, you can also specify these settings in an unattend.xml answer file if you’re performing an unattended installation of your server. And by the way, control.exe by itself doesn’t work on a Windows server core installation. Only the two included .cpls work.

Before we go further, let’s briefly hear from one of our experts on the Windows Server 2008 product team at Microsoft concerning configuring the Windows server core installation option of Windows Server 2008:

From the Experts: Shell-less vs. GUI-less

If you have been working with a Windows server core installation, you might have noticed that there is some GUI support in a Windows server core installation of Windows Server 2008. To be completely accurate, the GUI of a Windows server core server is shell-less, not entirely GUI-less. There are several low-level GUI DLLs that are included because of current dependencies, such as gdi32.dll and shlwapi.dll. In a future release we hope to be able to remove the dependencies and also remove these files. However, including them does provide some advantages for making a Windows server core server easier to manage using the current tools.

In Beta 1, we didn’t include any text editor. Although you could remotely connect to a Windows server core server to view logs, edit scripts, and so on, we heard lots of feedback that there should be an on-the-box text editor. Therefore, we added Notepad. However, because of the reduced environment the Windows server core installation option provides, not all of Notepad is functional-for example, help doesn’t work.

In addition, the Windows server core installation option also includes two control panels, which you can access using the following commands:

• Control timedate.cpl

• Control intl.cpl

  Timedate.cpl lets you set the time zone for your server, while intl.cpl lets you change your keyboard for different layouts.

  –Andrew Mason

  Program Manager, Windows Server

Configuring Networking

Now let’s configure networking for our server. First let’s run ipconfig /all and see the server’s current networking settings:

C:\Windows\System32>ipconfig /all Windows IP Configuration    Host Name . . . . . . . . . . . . : LH-3TBCQ4I1ONRA    Primary Dns Suffix  . . . . . . . :     Node Type . . . . . . . . . . . . : Hybrid    IP Routing Enabled. . . . . . . . : No    WINS Proxy Enabled. . . . . . . . : No  Ethernet adapter Local Area Connection:    Connection-specific DNS Suffix  . :     Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adapter (Emulated)    Physical Address. . . . . . . . . : 00-03-FF-27-88-8C    DHCP Enabled. . . . . . . . . . . : Yes    Autoconfiguration Enabled . . . . : Yes    Link-local IPv6 Address . . . . . : fe80::c25:d049:5b0c:1585%2(Preferred)     Autoconfiguration IPv4 Address. . : 169.254.21.133(Preferred)     Subnet Mask . . . . . . . . . . . : 255.255.0.0    Default Gateway . . . . . . . . . :     DHCPv6 IAID . . . . . . . . . . . : 67109887    DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1    fec0:0:0:ffff::2%1    fec0:0:0:ffff::3%1    NetBIOS over Tcpip. . . . . . . . : Enabled  Tunnel adapter Local Area Connection*:    Connection-specific DNS Suffix  . :     Description . . . . . . . . . . . : isatap.{}    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0    DHCP Enabled. . . . . . . . . . . : No    Autoconfiguration Enabled . . . . : Yes    Link-local IPv6 Address . . . . . : fe80::5efe:169.254.21.133%3(Preferred)     Default Gateway . . . . . . . . . :     DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1    fec0:0:0:ffff::2%1    fec0:0:0:ffff::3%1    NetBIOS over Tcpip. . . . . . . . : Disabled

Note that ipconfig /all displays two network interfaces on the machine: a physical interface (NIC) and an ISATAP tunneling interface. Before we can use netsh.exe to modify network settings, we need to know which interface we need to configure. To determine this, we’ll use the netsh interface ipv4 show interfaces command as follows:

C:\Windows\System32>netsh interface ipv4 show interfaces  

Idx	Met	MTU	State	Name
-----	-----	-----	------	-----
2	20	1500	connected	Local Area Connection
1	50	4294967295	connected	Loopback Pseudo-Interface 1

Open table as spreadsheet

From this, we can see that our physical interface Local Area Connection has index number 2 (first column). Let’s use this information to set the TCP/IP configuration for this interface. Here’s what we want the settings to be:

• IP address: 172.16.11.162

• Subnet mask: 255.255.255.0

• Default gateway: 172.16.11.1

• Primary DNS server: 172.16.11.161

• Secondary DNS server: none

To do this, we can use two netsh.exe commands as follows:

C:\Windows\System32>netsh interface ipv4 set address name="2" source=static  address=172.16.11.162 mask=255.255.255.0 gateway=172.16.11.1  C:\Windows\System32>netsh interface ipv4 add dnsserver name="2" address= 172.16.11.161 index=1

Now let’s run ipconfig /all again and check the result:

C:\Windows\System32>ipconfig /all Windows IP Configuration    Host Name . . . . . . . . . . . . : LH-3TBCQ4I1ONRA    Primary Dns Suffix  . . . . . . . :     Node Type . . . . . . . . . . . . : Hybrid    IP Routing Enabled. . . . . . . . : No    WINS Proxy Enabled. . . . . . . . : No  Ethernet adapter Local Area Connection:    Connection-specific DNS Suffix  . :     Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adapter (Emulated)    Physical Address. . . . . . . . . : 00-03-FF-27-88-8C    DHCP Enabled. . . . . . . . . . . : No    Autoconfiguration Enabled . . . . : Yes    Link-local IPv6 Address . . . . . : fe80::c25:d049:5b0c:1585%2(Preferred)     IPv4 Address. . . . . . . . . . . : 172.16.11.162(Preferred)     Subnet Mask . . . . . . . . . . . : 255.255.255.0    Default Gateway . . . . . . . . . : 172.16.11.1    DNS Servers . . . . . . . . . . . : 172.16.11.161    NetBIOS over Tcpip. . . . . . . . : Enabled  Tunnel adapter Local Area Connection*:    Connection-specific DNS Suffix  . :     Description . . . . . . . . . . . : isatap.{}    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0    DHCP Enabled. . . . . . . . . . . : No    Autoconfiguration Enabled . . . . : Yes    Link-local IPv6 Address . . . . . : fe80::5efe:172.16.11.162%3(Preferred)     Default Gateway . . . . . . . . . :     DNS Servers . . . . . . . . . . . : 172.16.11.161    NetBIOS over Tcpip. . . . . . . . : Disabled

So far, so good. Let’s move on.

Changing the Server’s Name

Next let’s change the name of our server. When you install a Windows server core server manually from media, the server is assigned a randomly generated name. We want to change that, and we can use netdom.exe to do this. First let’s see what the current name is, and then let’s change it to DNSSRV because we’re planning on using this particular machine as a DNS server on our network:

C:\Windows\System32>hostname LH-3TBCQ4I1ONRA  C:\Windows\System32>netdom renamecomputer %computername% /NewName:DNSSRV  This operation will rename the computer LH-3TBCQ4I1ONRA to DNSSRV.  Certain services, such as the Certificate Authority, rely on a fixed machine name. If any services of this type are running on LH-3TBCQ4I1ONRA,then a computer name  change would have an adverse impact.  Do you want to proceed (Y or N)? y The computer needs to be restarted in order to complete the operation.  The command completed successfully.

We can restart the server using the shutdown /r /t 0 command. Once the machine is restarted, typing hostname shows that the server’s name has been successfully changed:

C:\Windows\System32>hostname DNSSRV 

Joining a Domain

Now let’s join our server to our domain. We’ll use netdom.exe again to do this, and we’re going to join our server to a domain named contoso.com. Here’s how we do this:

C:\Windows\System32>netdom join DNSSRV /domain:CONTOSO /userd:Administrator /  passwordd:* Type the password associated with the domain user:  The computer needs to be restarted in order to complete the operation.  The command completed successfully.

Again, we’ll use shutdown /r /t 0 to restart the machine. Once it’s restarted, we’ll log on as a domain admin this time and use netdom.exe again to verify that our server has established a secure channel to the domain controller.

Activating the Server

To activate our server, we can use a built-in script named slmgr.vbs found in the %windir%\System32 directory. (This script is also in Windows Vista and in full installations of Windows Server 2008, and it can be run remotely from those platforms to activate a Windows server core installation.) Typing cscript slmgr.vbs /? shows the available syntax for this command:

C:\Windows\System32>cscript slmgr.vbs /? Windows Software Licensing Management ToolUsage: slmgr.vbs [MachineName [User Password]] [<Option>]         MachineName:    Name of remote machine (default is local machine)         User:           Account with required privilege on remote machine         Password:       password for the previous account  Global Options:  -ipk <Product Key>    Install product key (replaces existing key)  -upk     Uninstall product key  -ato     Activate Windows -dli [Activation ID | All]    Display license information (default: current license)  -dlv [Activation ID | All]    Display detailed license information (default: current license)  -xpr     Expiration date for current license state  Advanced Options:  -cpky     Clear product key from the registry (prevents disclosure attacks)  -ilc <License file>    Install license  -rilc     Re-install system license files  -rearm     Reset the licensing status of the machine  -dti     Display Installation ID for offline activation  -atp <Confirmation ID>    Activate product with user-provided Confirmation ID

Let’s first use the –xpr option to display the expiration date for the current license state:

C:\Windows\system32>cscript slmgr.vbs -xpr Microsoft (R) Windows Script Host Version 5.7 Copyright (C) Microsoft Corporation. All rights reserved. Initial grace period ends 3/31/2007 1:13:00 AM 

Now let’s use –dli to display more info concerning the server’s current license state:

C:\Windows\system32>cscript slmgr.vbs -dli Microsoft (R) Windows Script Host Version 5.7 Copyright (C) Microsoft Corporation. All rights reserved.  Name: Windows(TM) Server 2008, ServerEnterpriseCore edition Description: Windows Operating System - Windows Server 2008, RETAIL channel  Partial Product Key: XHKDR License Status: Initial grace period Time remaining: 14533 minute(s) (10 day(s))

Now let’s activate the server using the –ato option:

C:\Windows\system32>cscript slmgr.vbs -ato Microsoft (R) Windows Script Host Version 5.7 Copyright (C) Microsoft Corporation. All rights reserved. Activating Windows(TM) Server 2008, ServerEnterpriseCore edition     () ... Product activated successfully.

Finally, let’s try the –xpr and –dli options again and see the result:

C:\Windows\system32>cscript slmgr.vbs -xpr Microsoft (R) Windows Script Host Version 5.7 Copyright (C) Microsoft Corporation. All rights reserved. The machine is permanently activated.  C:\Windows\system32>cscript slmgr.vbs -dli Microsoft (R) Windows Script Host Version 5.7 Copyright (C) Microsoft Corporation. All rights reserved. Name: Windows(TM) Server code name “Longhorn”, ServerEnterpriseCore edition Description: Windows Operating System - Server code name “Longhorn”, RETAIL channel Partial Product Key: XHKDR License Status: Licensed

Enabling Automatic Updates

To enable Automatic Updates on our server, we’ll use another built-in script named scregedit.wsf. This script is unique to the Windows server core installation option of Windows Server 2008, and it’s one of the few binaries on a Windows server core server that is not found on a full installation of Windows Server 2008. To view the syntax of this script, type cscript scregedit.wsf /? at the command prompt:

C:\Windows\System32>cscript scregedit.wsf /? Microsoft (R) Windows Script Host Version 5.7 Copyright (C) Microsoft Corporation. All rights reserved.  Automatic Updates - Manage Automatic Windows Updates  These settings can be used to configure how Automatic Updates are applied to the Windows system. It includes the ability to disable automatic updates and to set the installation schedule.  /AU [/v][value]    /v  View the current Automatic Update settings    value  value you want to set to.    Options:    4 - Enable Automatic Updates     1 - Disable Automatic Updates   Windows Error Reporting Settings Windows can send descriptions of problems on this server to Microsoft. If you  choose to automatically send generic information about a problem, Microsoft will use the information to start working on a solution.  This setting might be overridden by the following Group Policy:   Key : Software\Policies\Microsoft\Windows\Windows Error Reporting\Consent,    Value : DefaultConsent  /ER [/v][value]    /v  View the current Windows Error Reporting settings    value  value you want to set to.  Opt-in Settings:    2 - Automatically send summary reports (Recommended)    3 - Automatically send detailed reports    1 - Disable Windows Error Reporting  For more information on what data information is collected, go to  http://go.microsoft.com/fwlink/?linkid=50163  Terminal Service - Allow Remote Administration ConnectionsThis allows administrators to connect remotely for administration purposes.  /AR [/v][value]    /v  View the Remote Terminal Service Connection setting    value  (0 = enabled, 1 = disabled)  Terminal Service - Allow connections from previous versions of Windows  This setting configures CredSSP based user authentication for Terminal Service connections  /CS  [/v][value]    /v  View the Terminal Service CredSSP setting    value  (0 = allow previous versions, 1 = require CredSSP)  IP Security (IPSEC) Monitor - allow remote management This setting configures the server to allow the IP Security (IPSEC) Monitor to be  able to remotely manage IPSEC.  /IM [/v][value]    /v  View the IPSEC Monitor setting    value  (0 = do not allow, 1 = allow remote management)  DNS SRV priority - changes the priority for DNS SRV recordsThis setting configures the priority for DNS SRV records and is only useful on Domain Controllers. For more information on this setting, search TechNet for LdapSrvPriority  /DP [/v][value]    /v  View the DNS SRV priority setting    value  (value from 0 through 65535. The recommended value is 200.)  DNS SRV weight - changes the weight for DNS SRV recordsThis setting configures the weight for DNS SRV records and is useful only on Domain Controllers. For more information on this setting, search TechNet for LdapSrvWeight  /DW [/v][value]    /v  View the DNS SRV weight setting    value  (value from 0 through 65535. The recommended value is 50.)  Command Line Reference This setting displays a list of common tasks and how to perform them from the command line.  /CLI 

First let’s see what the current setting for Automatic Updates is on the machine:

C:\Windows\system32>cscript scregedit.wsf /au /v Microsoft (R) Windows Script Host Version 5.7 Copyright (C) Microsoft Corporation. All rights reserved.  SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update AUOptions Value not set.

Looks like Automatic Updates is not yet configured, so let’s enable it:

C:\Windows\system32>cscript scregedit.wsf /au 4 Microsoft (R) Windows Script Host Version 5.7 Copyright (C) Microsoft Corporation. All rights reserved.  Registry has been updated.

Now let’s verify by using our previous command:

C:\Windows\system32>cscript scregedit.wsf /au /v Microsoft (R) Windows Script Host Version 5.7 Copyright (C) Microsoft Corporation. All rights reserved.  SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update AUOptions  View registry setting.4

Note that on a Windows server core server you can configure Automatic Updates only to download and install updates automatically. You can’t configure it to download updates and prompt you to install them later.

There are other initial configuration tasks we could do, but let’s move on. Actually, let’s hear first from one of our experts concerning a configuration task that’s not easy to do from the command line:

From the Experts: Configuring Display Resolution

Although there is no tool on a Windows server core server to allow you to change your display resolution, you can configure this by using an unattend file. However, it is possible to change the display resolution so that you can run at a higher resolution than what you might have ended up with at the end of setup. Doing this requires editing the registry; however, if you pick a resolution your video card or monitor cannot display, you might have to reinstall-although you should still be able to boot and remotely modify the settings in the registry.

To do this, you need to open regedit.exe and navigate to the following location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video

Under this will be a list of GUIDs, and you need to determine which one corresponds to your video card/driver. You might have to experiment to determine the right one. Under the GUID, you can set

\0000\DefaultSettings.Xresolution

\0000\DefaultSettings.Yresolution

to the resolution you would like to use. If these don’t exist, you can create them. You must log off and log back on again for the change to take effect. Be careful doing this because if you specify an unsupported display resolution, you might need to reinstall your machine or remotely connect to the registry from another computer to change it, and remotely reboot.

–Andrew Mason

Program Manager, Windows Server