Remote Management in Windows Server 2008 Server Core

  • 9/17/2008

Using WinRS

You can use WinRS to administer a Server Core installation remotely from the command line. WinRS is a command-line tool included in both Windows Vista and the Full installation of Windows Server 2008, which relies on Windows Remote Management (WinRM) to execute remote commands, especially for headless servers. WinRM is Microsoft’s implementation of the WS-Management protocol, a standard Simple Object Access Protocol (SOAP)–based, firewall-friendly protocol that enables hardware and operating systems from different vendors to interoperate. You can think of WinRM as the server side and WinRS the client side of WS-Management.

Configuring WinRM on Server Core

To enable WinRM on a Server Core installation, you need to run a configuration command that creates a “listener” that can respond to WinRS commands issued from other computers. The configuration command also opens an exception for WinRM in Windows Firewall. To enable WinRM, do the following:

C:\Users\tallen>winrm quickconfig
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:

Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP
on this machine.
Enable the WinRM firewall exception.

Make these changes [y/n]? y

WinRM has been updated for remote management.

Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP
on this machine.
WinRM firewall exception enabled.

Using WinRS to Administer Server Core in a Domain

The basic syntax for WinRS commands is as follows:

winrs –r:target command

where target is the name (NetBIOS or FQDN) of the Server Core installation that has had WinRM enabled on it, and command is any command string that you want to execute on the Server Core installation. For example, to use WinRS to enable Remote Desktop remotely on a Server Core installation named SEA-SC2, type the following command on any computer running Windows Vista or on a Full installation of Windows Server 2008:

winrs –r:SEA-SC2 cscript %WINDIR%\system32\scregedit.wsf /ar 0

When you type this command on a computer running Windows Vista, for example, the command is executed remotely on the targeted Server Core installation and the command output is piped back to the command shell on your computer running Windows Vista:

C:\Users\Administrator>winrs -r:SEA-SC2 cscript %windir%
\system32\scregedit.wsf /ar 0
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Registry has been updated.

You can do anything using WinRS that you can do at the local command prompt on Server Core. For example, you can perform the initial configuration of your Server Core installation, install and uninstall roles and features on your server, and perform other tasks.

Using WinRS to Administer Server Core in a Workgroup

You can use WinRS to administer a Server Core installation that belongs to a workgroup. Before you can do this, however, you must add the name of your computer to the TrustedHosts table of WinRM on your Server Core installation. For example, to enable a computer running Windows Vista named SEA-DESK155 to execute commands remotely on your Server Core installation using WinRM, type the following on your Server Core computer:

C:\Users\Administrator>winrm set winrm/config/client @{TrustedHosts=
"SEA-DESK155"}
Client
    NetworkDelayms = 5000
    URLPrefix = wsman
    AllowUnencrypted = false
    Auth
        Basic = false
        Digest = true
        Kerberos = true
        Negotiate = true
        Certificate = true
    DefaultPorts
        HTTP = 80
        HTTPS = 443
    TrustedHosts = SEA-DESK155

Requirements for Using WinRS

To use WinRS to administer a Server Core installation remotely, each of the following must be true:

  • Your local computer must be running either Windows Vista or a Full installation of Windows Server 2008.

  • You must enable a WinRM listener on the Server Core installation, and you must open the WinRM exception in Windows Firewall on the Server Core installation; the Winrm quickconfig command can be used to do this.

  • You must execute your WinRS commands using administrator credentials on the Server Core installation. If you are not currently logged on to your computer using such credentials, you can use the Net use command to connect to the Server Core computer using such credentials. For example, to connect to a Server Core installation named SEA_SC2 using the credentials of administrator Tony Allen (tallen@contoso.com), type net use \\SEA-SC2\IPC$ /u:CONTOSO\ tallen at a command prompt. Type Tony’s password when prompted to do so, and then you can execute commands remotely on the Server Core installation using WinRS.

  • Commands or scripts that are executed using WinRS must have no user interface dependencies. This means that you cannot execute commands that prompt you to Press Any Key when they are typed at the local console or require any other interactive response.

Configuring WinRM and WinRS Using Group Policy

You can use Group Policy to configure security for both WinRM and WinRS. The relevant policy settings are found in the following locations:

  • Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)

  • Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Shell