Showing posts with label Server Core. Show all posts

Thursday, 22 January 2009

Windows 2008 initial settings

This blog post is mostly for myself to easily cut and paste from here, but it may be useful to some others. I find myself continually installing and reinstalling Windows 2008 servers for Exchange 2008 dev environments these days. So I have begun to write a batch file I cut and paste each time, edit a few parameters, save as SVRCFG.cmd and then double click. This saves me a few minutes of manually typing everything out each time. Multiply this by an average 8 servers per environment and it soon adds up. Nothing here is rocket science, just nice simple command line administration in a batch file.

powercfg /hibernate off
netsh firewall set opmode DISABLE
netdom renamecomputer %computername% /newname:ET01 /force
netsh int ipv4 set address name=10 source=static address=192.168.0.15 mask=255.255.255.0 gateway=192.168.0.254
netsh int ipv4 add dnsserver name=10 address=192.168.0.1
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions /t REG_DWORD /d "3" /f
servermanagercmd -install Powershell
Shutdown -r -t 2


Things to check:
Change the server name
Change the IP address
Check the network card's Idx number or "name"

Tuesday, 18 November 2008

Want to really remotely manage Windows 2008, Server Core?

Following my last post - I wanted to track down when the Administrator password for my domain was changed. Realising that Windows 2008, Server Core would not have a GUI for the Event Log, I assumed the easiest way to access the Security event logs of my Domain Controller would be to use another Windows 2008 server (Standard), open Event Viewer and remotely connect to my Windows 2008, Server Core Domain Controller. However, I was presented with the error message;

"Event Viewer cannot connect to computer DC01. The error reported is: The RPC server is unavailable"

My first thoughts were whether this was related to another Server Core feature or whether my POC network had issues due to being neglected for so long after being moved to a different ESX host. It turns out that the Windows Firewall in Windows 2008 Server Core is not configured to allow remote management. The following commands needed to be run on all my Windows 2008, Server Core Domain Controllers;

Netsh advfirewall firewall set rule group="Windows Firewall Remote Management" new enable=yes

Netsh advfirewall firewall set rule group="remote administration" new enable=yes


Some Links
Using the Netsh Advfirewall Command-Line Tool

Netsh Commands for Windows Firewall with Advanced Security

There are other Firewall Rule Groups available (taken from Technet)

Event Viewer = "Remote Event Log Management"
Services = "Remote Services Management"
Shared Folders = "File and Printer Sharing"
Task Scheduler = "Remote Scheduled Tasks Management"
Reliability and Performance = "Performance Logs and Alerts" and "File and Printer Sharing"
Disk Management = "Remote Volume Management"
Windows Firewall with Advanced Security = "Windows Firewall Remote Management"

To allow only specific MMC snap-ins to connect, at a command prompt, type:

Netsh advfirewall firewall set rule group="%Rule Group%" new enable=yes
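A variant of the SVRCFG.cmd script from the 22 January 2009 post that leaves Windows Firewall enabled and opens only named rule groups from the list above. It is an added example, not the author's script; the server name, interface index and addresses are the sample values from that script, and the two rule groups chosen are an assumption.

```batch
@echo off
rem Added example, not the author's SVRCFG.cmd. NEWNAME, IDX and the addresses
rem are the sample values from that script; the rule groups are an assumed pick.
setlocal
set NEWNAME=ET01
set IDX=10
set IP=192.168.0.15
set SM=255.255.255.0
set DG=192.168.0.254
set DNS=192.168.0.1

powercfg /hibernate off

rem Keep the firewall on in every profile (replaces "set opmode DISABLE").
netsh advfirewall set allprofiles state on || goto :fail

rem Enable only the rule groups for the snap-ins that will manage this server.
for %%G in ("Remote Event Log Management" "Remote Services Management") do (
    netsh advfirewall firewall set rule group=%%G new enable=yes || goto :fail
)

netdom renamecomputer %computername% /newname:%NEWNAME% /force || goto :fail
netsh int ipv4 set address name=%IDX% source=static address=%IP% mask=%SM% gateway=%DG% || goto :fail
netsh int ipv4 add dnsserver name=%IDX% address=%DNS% || goto :fail
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions /t REG_DWORD /d "3" /f
servermanagercmd -install Powershell

rem Print the profile state so the console output shows the firewall is still on.
netsh advfirewall show allprofiles state
shutdown -r -t 2
exit /b 0

:fail
echo Step failed with errorlevel %errorlevel%; not rebooting.
exit /b 1
```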

Q: How secure is your Windows 2008 Active Directory?

A: Only as secure as the physical access to any one of your Domain Controllers. If I have physical access to any of your Domain Controllers I will have administrative access to your domain within 10 minutes.

After several weeks of being away from my Hosted Exchange project (it got extended again!) I was back to work on it this week. Whilst I was away I was asked if the Development team could move my Proof of Concept environment to a different ESX host. Of course I had no issue with this as it was not being used whilst I was away. When I attempted to log on today I found that the administrative password I had set was no longer working. I always set the same password for all my development passwords (there is no real requirement for them to be secure) so I know I had not just forgotten it. The team that moved my VMs had no knowledge of the change of password. With it being a POC environment, I had no reason to create other administrative users in the Domain either.

I now have a scenario where I have a dozen servers configured with HMC4.5 and Exchange 2007 that I cannot access. It would take a week or so to reproduce this environment again, so I set about trying to hack the Domain Administrator password. ERD Commander and LockSmith allow you to reset the password on most new Windows Operating Systems. I have in the past tried this on a Windows 2003 Domain Controller to see what would happen and it did allow me to change the Domain's Administrator Active Directory password! As my first port of call I tried this boot disk and tool to see if it would work with a Windows 2008, Server Core Domain Controller. And guess what? It does! This has saved me a lot of work.

I guess this is not really new news, but it is relevant that it also works with Windows 2008 Domain Controllers. So - better make sure that Server Room door is always locked - eh?

Thursday, 24 July 2008

Windows 2008, Server Core - DCPromo

To make a Windows 2008, Server Core a Domain Controller you need to run DCPromo and link it to an unattend.txt file. I am sure it is probably possible to accomplish this in one command line, but that would be a lot of switches to write!
One of the items in this unattend.txt file is the Safe Mode admin password. I thought this was a little dodgy as a large amount of folk will accidentally leave that unattend.txt file on the computer and therefore accidentally leave the password accessible in plain text. But it seems MS were thinking the same thing as I discovered when I copied contents to use on another server and realised the password was gone. DCPromo actually removes the password value in the text file as soon as it is run.
Here is a copy of my unattend.txt for my new Forest –

[DCINSTALL]
InstallDNS=Yes
NewDomain=Forest
NewDomainDNSName=BGibson.Internal
DomainNetBiosName=BGibson
ReplicaOrNewDomain=Domain
ForestLevel=3
DomainLevel=3
DatabasePath="D:\NTDS"
LogPath="E:\Logs"
SYSVOLPath="F:\Sysvol"
RebootOnCompletion=Yes
SafeModeAdminPassword=P@ssword1
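A check for answer files that were copied or never run through DCPromo and so still hold a credential, as an added example that is not part of the original post. The script layout and the choice to scan every .txt file under a root folder are assumptions; the two key names are the ones used in the answer files on this page.

```batch
@echo off
rem Added example, not from the original post. Reports answer files that still
rem hold a value for SafeModeAdminPassword or Password.
rem Usage: pass the folder to scan as the first argument (defaults to the
rem current directory). Exit code 1 means at least one file needs cleaning up.
setlocal
set "ROOT=%~1"
if not defined ROOT set "ROOT=%CD%"
set HITS=0

for /r "%ROOT%" %%F in (*.txt) do call :check "%%F"

echo %HITS% file(s) with a credential value still present.
if %HITS% gtr 0 exit /b 1
exit /b 0

:check
rem "=." requires at least one character after the equals sign, so a line whose
rem value DCPromo has already removed ("SafeModeAdminPassword=") is not reported.
rem Output is sent to nul so the secret itself is never echoed or logged.
findstr /i /r /c:"^ *SafeModeAdminPassword *=." /c:"^ *Password *=." "%~1" >nul 2>&1
if errorlevel 1 goto :eof
echo [!] "%~1" still contains a password value
set /a HITS+=1
goto :eof
```

A masked value such as a row of asterisks is also reported, since the script cannot tell a placeholder from a real secret.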


Funny errors

To create my first unattend.txt file I plagiarised someone else’s file from the internet. It originally had RebootOnSuccess as one of the switches. Windows 2008 very helpfully gave me some advice: “Warning: RebootOnSuccess is deprecated, although it is still supported. Consider using RebootOnCompletion instead.” I thought this was quite amusing, suggesting the syntax I was using was deprecated.

Not so funny error

Now that I have one Domain Controller up and running, I went to my next Windows 2008, Server Core machine and tried to promote it to be a replica Domain Controller. Unfortunately I immediately received this error message: “The wizard cannot access the list of domains in the forest. The error is: Access is denied.”

After doing some research I became convinced it had to be DNS related. Back to the first Domain Controller and type NSLookup. Immediately got an error as it was trying to connect to ::1 first. Using similar syntax to my last post for adding DNS Servers, I removed this IPV6 reference: netsh int ipv6 delete dnsserver name=2 address=::1. Now when I run NSLookup it connects to its own DNS server as expected. DCPromo of the replica Domain Controller now completes successfully. Here is the unattend.txt I used;

[DCInstall]
InstallDNS=Yes
RebootOnCompletion=Yes
ReplicaDomainDNSName=HostedExchange.Internal
ReplicaOrNewDomain=replica
ReplicationSourceDC=HE-DC01.HostedExchange.Internal
SafeModeAdminPassword=**********
UserDomain=HostedExchange.Internal
UserName=administrator
Password=************
CreateDNSDelegation=No

Windows 2008, Server Core - First Installation

Windows 2008 Server Core

Today I performed my first installation of Windows 2008 Server Core....into a VMWare environment. As this is completely new to me I will probably blog about a lot of simple RTFM tasks to start with as I get used to going back to the command line.

Speed

First thing I noticed was how incredibly quick it was. The Operating System installation took a matter of minutes, not the normal hour or so I have come to expect with Windows Server 2003. I guess this is down to the fact the Core platform installs only the necessary components and not all the normal bloatware that comes with Operating Systems to date. In fact I was so impressed with the time I deleted my VMWare image and started again so I could time how long it took. (Sad I know). It took only 6 minutes to complete the installation.
So after being impressed with the speed of installation, when I log on it takes 3 minutes “Preparing your desktop”. WHAT DESKTOP!? Surely the whole point of Server Core is there isn’t one, just the lonesome CMD.exe?

VMWare Tools


Okay, first thing you want to do once you have installed an OS into VMWare is install VMWare Tools. Challenge number 1 – Server Core does not have a GUI, so therefore the nice GUI installation of , , does not exist. So, I click VM > Install VMWare Tools, which of course appears to do nothing – except it has loaded the VMWare Tools ISO...Back to the command line and change my directory to D:\ and type MSIExec /i "VMWare Tools.msi" /passive. Hey presto, I have the VMWare Tools installation wizard.
Of course the install is not going to be that easy, I immediately receive two errors; Error loading tpvmmon.dll & Error loading printui.dll, The specified module could not be found. I click to both as this is my only option. After a reboot it seems that VMWare Tools are more or less installed, despite both the errors. However, I also installed VMWare Tools on my ESX environment, this produced no errors and installed seamlessly.


Display settings and Power Management

By default the screen resolution is not great (does it need to be for a CMD line only interface?), but more annoying is the fact it has the automatic screensaver/power management turned on so it forces you to log on again after a period of inactivity. After a bit of RTFM, I found you have to change this all in Regedit.

ScreenSaver settings:
HKCU\Control Panel\Desktop\


Resolution:
HKLM\System\CurrentControlSet\Control\Video\GUID\0000\DefaultSettings.XResolution
HKLM\System\CurrentControlSet\Control\Video\GUID\0000\DefaultSettings.YResolution

To determine which GUID it is, look in each of them at the Device Description. For me it was the GUID associated with VMWare SVGA II. Make sure you remember to change the Base to decimal too!

Simple Tasks

Next issue was how do you achieve the things you take for granted with a GUI?

Reboot the server: Shutdown -r (Use shutdown /? to get all the other related tasks)
Set the IP Address:
· Get the interface IDX Number: netsh int ipv4 show int
· Set IP Address: netsh int ipv4 set address name=%IDX% source=static address=%IP% mask=%SM% gateway=%DG%
· Set DNS Server: netsh int ipv4 add dnsserver name=%IDX% address=%DNS%