Remote Management in Windows Server 2008 Server Core
Server Core can be managed remotely using a variety of approaches, including using Remote Desktop or TS Remote App, using Microsoft Management Console (MMC) snap-ins and the Remote Server Administration Tools (RSAT), using Windows Remote Shell (WinRS), using Group Policy, and, to some extent, using Windows PowerShell. This chapter examines each of these remote administration methods and demonstrates how to set them up and use them to manage Server Core.
Using Remote Desktop
You can use Remote Desktop (also known as Terminal Services for Administration) to administer a Server Core installation remotely in exactly the same way you would administer it from the local console of the server. By default, Remote Desktop is disabled on Server Core, so before you can use Remote Desktop to manage a Server Core installation remotely, you must first enable Remote Desktop on the server. This can be done in several ways, as the next sections illustrate.
Enabling Remote Desktop Using Scregedit.wsf
You can use the Scregedit.wsf script to enable Remote Desktop on your Server Core installation by logging on locally to your server and doing the following:
C:\Users\Administrator> cscript %windir%\system32\scregedit.wsf /ar 0 Microsoft (R) Windows Script Host Version 5.7 Copyright (C) Microsoft Corporation. All rights reserved. Registry has been updated.
To verify that the registry change has been made, do this:
C:\Users\Administrator>cscript %windir%\system32\scregedit.wsf /ar /v Microsoft (R) Windows Script Host Version 5.7 Copyright (C) Microsoft Corporation. All rights reserved. System\CurrentControlSet\Control\Terminal Server fDenyTSConnections View registry setting. 0
A value of 0 for the fDenyTSConnections registry value means that Remote Desktop is enabled on the system, while a value of 1 means that Remote Desktop is disabled. If you later decide you want to disable Remote Desktop on your Server Core installation, type cscript %windir%\system32\scregedit.wsf /ar 1 at a command prompt.
Enabling Remote Desktop using Scregedit.wsf also automatically enables the Remote Desktop rule group in Windows Firewall.
Enabling Remote Desktop Using an Answer File
You can use an answer file to enable Remote Desktop during an unattended install of Server Core. You do this as follows:
Add the following component to the specialize configuration pass of your answer file:
In the Properties pane, click the box to the right of the fDenyTSConnections setting; a drop-down arrow appears. Click the drop-down arrow and select False, as shown here.
Add the following component to the oobeSystem configuration pass of your answer file:
In the Properties pane, type C:\Windows\system32\netsh advfirewall firewall set rule group="Remote Desktop” new enable=yes in the box beside CommandLine and type 1 (or another number if you are running multiple FirstLogonCommands) in the box beside Order.
Using Scregedit.wsf to Require Network Level Authentication for Remote Desktop
By default, when Remote Desktop is enabled on Server Core, computers running versions of Microsoft Windows earlier than Windows Vista are allowed to connect. You can use the Scregedit.wsf script to prevent computers running versions earlier than Windows Vista from connecting to Server Core using Remote Desktop by logging on locally to your server and doing the following:
C:\Users\Administrator>cscript %windir%\system32\scregedit.wsf /cs 1 Microsoft (R) Windows Script Host Version 5.7 Copyright (C) Microsoft Corporation. All rights reserved. Registry has been updated.
Doing this increases the security of your Server Core installation by requiring that the client you are using to administer Server Core uses Network Level Authentication. For more information, see the section “Configuring Remote Desktop to Require Network Level Authentication,” in Chapter 3.
Using an Answer File to Require Network Level Authentication for Remote Desktop
You can use an answer file to require that Network Level Authentication be used for Remote Desktop connections. You do this as follows:
Add the following component to the specialize configuration pass of your answer file:
In the Properties pane, click the box to the right of the UserAuthentication setting and type 1 to require Network Level Authentication, as shown here.
You can also configure the SecurityLayer setting to specify how your server and Remote Desktop clients authenticate each other prior to a Remote Desktop connection being established. The possible values for this setting are shown in Table 6-1.
Table 6-1. The SecurityLayer Setting Values
Remote Desktop Protocol (RDP) is used by the server and the client for authentication prior to a Remote Desktop connection being established. Use this setting if you are working in a heterogeneous network environment.
The server and the client negotiate the method for authentication prior to a Remote Desktop connection being established (this is the default value). Use this setting if all your client computers are running Windows.
Transport Layer Security (TLS) is used by the server and the client for authentication prior to a Remote Desktop connection being established. Use this setting for maximum security.
Using Remote Desktop to Administer Server Core
To use Remote Desktop to administer a Server Core installation, log on to a computer running Windows Vista or Windows Server 2008 and do the following:
Press the Windows key+R to open the Run text box.
Type mstsc and press Enter to open Remote Desktop Connection.
Type the name, either NetBIOS or Fully Qualified Domain Name (FQDN), or the Internet Protocol (IP) address of your Server Core installation in the Computer text box.
Click Options and type the name of a user account that has administrative privileges on the Server Core installation. Be sure to type this user name in the form servername \ username (if the server belongs to a workgroup) ordomainname \username (if the server belongs to a domain), as shown here.
Click Connect. When the Windows Security dialog box appears, type the password for the user account you are using to administer Server Core, as shown here.
Select Remember My Credentials if you want Credential Manager to save the credentials for this user.
Click OK. After a few moments, Remote Desktop Connection should connect to your remote Server Core installation (as shown here), and you then can administer your server using the same methods described in Chapter 5.
When you are finished administering your server, type logoff to end the Terminal Services session with the remote server.
Using TS Remote App for Publishing Cmd to Administer Server Core
You don’t have to use the full version of Remote Desktop to administer Server Core remotely. Instead, you can use Terminal Services RemoteApp to publish the Server Core command interpreter (Cmd) so that it can be started on another computer. That way, the command prompt running on Server Core programs can be accessed remotely using Terminal Services and appear as if it is running on your local administrator workstation. TS RemoteApp programs run side by side with local programs and can be maximized or minimized just as local programs can be.
To use TS Remote App to publish Cmd running on Server Core, do the following:
On the Server Core installation you want to manage, enable Remote Desktop using one of the methods described earlier in this chapter. Then enable the Remote Administration rule group in Windows Firewall by typing the following command:
netsh advfirewall firewall set rule group="Remote Administration” new enable=yes
Now install the Terminal Server role service of the Terminal Services role on a computer running Windows Server 2008. Alternatively, you can install the Terminal Server Tools component of RSAT on a computer running Windows Server 2008, which you can then use as a Terminal Services management station.
On your terminal server (or on your Terminal Services management station), click Start, Administrative Tools, Terminal Services, and finally TS RemoteApp Manager to open the TS RemoteApp console on your terminal server.
Click Connect To Computer in the right Actions pane to open a Select Computer dialog box. Select the Another Computer option and type or browse to the name of your Server Core computer. Click OK. Your TS RemoteApp Manager console is now connected to the Server Core computer.
In the Actions pane, click Add RemoteApp Programs, Next, and Browse to open the Choose A Program dialog box. Browse the local file system of the Server Core computer using the connection to the C$ administrative share on that computer until you find and select the C$\Windows\System32\Cmd.exe file. Click Open, Next, and finally Finish.
In the RemoteApp Programs list, right-click Cmd.exe and select Create .rdp File from the drop-down menu to start the RemoteApp Wizard. Click Next twice and then click Finish. The folder C:\Program Files\Packaged Programs opens on your Server Core computer, displaying the .rdp file for Cmd.
Double-click the .rdp file and click Connect. The Windows Security dialog box appears. Type credentials that have administrative privileges on the remote Server Core installation and then click OK.
Click Run to run Cmd.exe on the remote Server Core installation and display the remote command interpreter as a command-prompt window on your desktop. You can also copy the .rdp file to any computer using the RDC 6.0 client or later and use it to connect to your Server Core installation and open the command prompt on the Server Core computer.
Managing Terminal Services on Server Core
You can use the following two MMC snap-ins for remotely managing Terminal Services (Remote Desktop for Administration) on Server Core:
Terminal Services Manager
Terminal Services Configuration
You can use these snap-ins on a Full installation of Windows Server 2008 that has the Terminal Services role installed, or you can use them on a computer running Windows Vista or Windows Server 2008 that has the RSAT installed.
You can also manage Terminal Services (Remote Desktop for Administration) from the command prompt on a Server Core installation. Table 6-2 lists the commands that you can use to manage Terminal Services locally on Server Core.
Table 6-2. Commands Available for Locally Managing Terminal Services on Server Core
Enables or disables logons to a terminal server
Logs a user off a session and deletes the session
Sends a message to a user or group of users
Displays information about processes running on a terminal server
Displays information about sessions on a terminal server
Displays information about user sessions on a terminal server
Connects to another existing terminal server session
Disconnects a client from a terminal server session
Ends a process
Shuts down a terminal server
For example, to display all Terminal Services sessions on a Server Core installation named SEA-SC2, do this:
C:\Users\tallen>query session /server:SEA-SC2 SESSIONNAME USERNAME ID STATE TYPE DEVICE services 0 Disc console tallen 1 Active rdp-tcp#0 Administrator 2 Active rdpwd rdp-tcp 65536 Listen
The output of the Query Session command shows that administrator Tony Allen (email@example.com) is logged on locally to the Server Core installation, while the default Administrator account (either a built-in local or a domain account) is logged on remotely using a Remote Desktop session.
To log the remote Administrator off of the Server Core installation forcibly, log off session 2 as follows:
C:\Users\tallen>logoff 2 /server:SEA-SC2
Verify the result:
C:\Users\tallen>query session /server:SEA-SC2 SESSIONNAME USERNAME ID STATE TYPE DEVICE services 0 Disc console tallen 1 Active rdp-tcp 65536 Listen