Remote Management in Windows Server 2008 Server Core

  • 9/17/2008

Using MMC Snap-ins and RSAT

You can use Microsoft Management Console (MMC) snap-ins to administer a Server Core installation remotely from a Full installation of Windows Server 2008. You can also install RSAT on either Windows Vista or a Full installation of Windows Server 2008 and use these tools to administer Server Core. The advantage of using RSAT is that it gives you the full complement of MMC consoles; by comparison, on a Full installation of Windows Server 2008, you may be missing some consoles because of certain roles and features not being installed on your server. Using MMC snap-ins or RSAT allows you to administer a Server Core installation the same way that you administer a Full installation—without the need of learning the syntax of many command-line utilities.

Using MMC Consoles to Administer Server Core in a Domain

When you install a server role on a Server Core installation, the appropriate firewall ports needed to manage that role remotely using MMC snap-ins are opened automatically. This means that when you type start /w ocsetup DNS-Server-Core-Role at a command prompt on a Server Core installation, the command installs the DNS Server role and enables the Windows Management Instrumentation (WMI) and DNS Service rule groups to allow the DNS snap-in running on another computer to connect to Server Core.

For example, to use the DNS console found under Administrative Tools on a domain controller named FULL161 to administer a Server Core DNS server named SEA-SC2, perform the following steps:

  1. On the domain controller, click Start, Administrative Tools, and then DNS to open the DNS Manager console.

  2. Right-click the root node of the console and select Connect To DNS Server.

  3. In the Connect To DNS Server dialog box, select The Following Computer and type SEA-SC2 in the text box. Click OK.

  4. The DNS Manager console connects to DNS server SEA-SC2. Expand the console tree to display the configuration of DNS server SEA-SC2, as shown here.

    httpatomoreillycomsourcemspimages416951.jpg

Changing the Focus of an MMC Console

Most (but not all) MMC consoles found under Administrative Tools can have their focus changed to administer a different computer than the local one on which they are being used. Examples of consoles that can have their focus changed include Active Directory Users And Computers, Computer Management, DHCP, DNS, and Event Viewer. Examples of consoles whose focus cannot be changed include Server Manager, Windows Firewall With Advanced Security, and Windows Server Backup.

Using MMC Snap-ins to Administer Server Core

You can also add MMC snap-ins to a new MMC console to administer Server Core remotely. For example, to use the Windows Firewall With Advanced Security snap-in to manage the firewall remotely on a Server Core installation named SEA-SC2, do the following:

  1. Press the Windows key+R, type mmc, and click OK to open an empty MMC console.

  2. Click File, and then click Add/Remove Snap-in. Scroll down the list of snap-ins and double-click Windows Firewall With Advanced Security to select it. When the Select Computer dialog box appears, choose Another Computer and type SEA-SC2 in the text box, as shown here.

    httpatomoreillycomsourcemspimages416953.jpg
  3. Click Finish, and then click OK to add the snap-in to the console. Expand the console tree to view the configuration of Windows Firewall on your Server Core installation.

Some MMC snap-ins require that you also open ports in the firewall on Server Core to use these snap-ins to administer Server Core remotely. For example, for the previous procedure to work, you must first enable the Windows Firewall Remote Management rule group in the firewall on your Server Core installation. This can be done by typing the following command at your Server Core command prompt:

netsh advfirewall firewall set rule group="Windows Firewall Remote Management” new enable=yes

Table 6-3 lists some of the more commonly used MMC snap-ins and the firewall rule group that must be enabled to use these snap-ins to manage Server Core remotely. The general syntax for enabling a rule group in Windows Firewall is as follows:

netsh advfirewall firewall set rule group=”Name of rule group" new enable=yes

Table 6-3. Rule Groups You Must Enable in Windows Firewall to Allow Remote Management by an MMC Snap-in

MMC Snap-in

Rule Group

Event Viewer

Remote Event Log Management

Services

Remote Service Management

Shared Folders

File And Printer Sharing

Task Scheduler

Remote Scheduled Tasks Management

Reliability And Performance

Performance Logs And Alerts

File And Printer Sharing

Windows Firewall With Advanced Security

Windows Firewall Remote Management

Some MMC snap-ins require further configuration of your Server Core installation before you can use them to administer your server. The following sections describe several of these snap-ins and the additional configuration that they require on the server before they will work remotely against it.

Using the Device Manager Snap-in

To allow the Device Manager snap-in to administer Server Core remotely, perform the following steps:

  1. On your Server Core computer, enable the Remote Administration rule group in Windows Firewall.

  2. On a Full installation of Windows Server 2008, open a new MMC console by pressing the Windows key+R, typing mmc, and clicking OK.

  3. Click File, and then Add/Remove Snap-in to open the Add Or Remove Snap-ins dialog box.

  4. Double-click Group Policy Object Editor to display the Group Policy Wizard.

  5. Click Browse, select Another Computer, and type or browse to the name of your Server Core computer. Then click OK, Finish, and finally OK again. The Group Policy Object Editor is now connected to your Server Core computer.

  6. Browse the console tree to find and enable the following policy setting:

    Computer Configuration\Policies\Administrative Templates\System\Device Installation\Allow Remote Access To The PnP Interface.

  7. Close the Group Policy Object Editor. Then, on your Server Core computer, type shutdown –r –t 0 at the command prompt to restart the server.

Using the Disk Management Snap-in

To allow the Disk Management snap-in to administer Server Core remotely, perform the following steps:

  1. Enable the Remote Volume Management rule group in Windows Firewall on your Server Core installation.

  2. Start the Virtual Disk Service (VDS) by typing sc start vds at the command prompt. You can also type sc config vds start= auto to configure the service to start automatically each time the computer boots.

Using the IP Security Policy Management Snap-in

To allow the IP Security Policies snap-in to administer Server Core remotely, type the following command at the command prompt of your Server Core installation:

cscript %windir%\system32\scregedit /im 1

Using the Reliability And Performance Snap-in

No additional configuration is needed to use the Reliability And Performance snap-in, but it can monitor only performance data, not reliability data, on a remote Server Core installation.

Enabling Any MMC Snap-in to Administer Server Core

You can allow any MMC snap-in to administer Server Core remotely by enabling the Remote Administration rule group in Windows Firewall on your Server Core installation. To do this, type the following command:

netsh advfirewall firewall set rule group="Remote Administration” new enable=yes

As described in the section “Using MMC Consoles to Administer Server Core in a Domain,” earlier in this chapter, some snap-ins require additional configuration to get them to work properly for remotely administering Server Core.

Using MMC Snap-ins to Administer Server Core in a Workgroup

To use MMC snap-ins to administer a Server Core installation that belongs to a work-group, you need to perform the following actions on your Server Core installation:

  1. Enable the required rule groups in Windows Firewall (see the previous section for details).

  2. Use Cmdkey to specify different credentials for MMC connections.

For example, to use the Services snap-in on a computer running Windows Vista to administer the services on a Server Core installation named SEA-SC1 that belongs to a workgroup, perform the following steps:

  1. On your Server Core installation, type the following command to enable the Remote Service Management rule group in Windows Firewall:

    netsh advfirewall firewall set rule group="Remote Service Management” new enable=yes

  2. Open a command prompt on your computer running Windows Vista and type the following command:

    cmdkey /add:SEA-SC1 /user:Administrator /pass:Pa$$w0rd

    In this command, the local Administrator account on SEA-SC1 has the password Pa$$w0rd.

  3. Open the Services console under Administrative Tools (or add the Services snap-in to an empty MMC console), right-click the root node, and select Connect To Another Computer. Type SEA-SC1 in the dialog box and then click OK.

You can now manage services remotely on your stand-alone Server Core installation from either a stand-alone or domain-joined computer running Windows Vista or Windows Server 2008.

Using RSAT to Administer Server Core in a Domain

Windows Server 2003 included the Administration Tools Pack (Adminpak.msi), which provided server management tools that allowed administrators to manage Windows 2000 Server and Windows Server 2003 family servers remotely. The Administration Tools Pack could be installed on workstations running Windows XP to provide administrators with a full set of MMC consoles on their workstations for administering servers across their network.

With Windows Server 2008, however, the Administration Tools Pack has been replaced with the Remote Server Administration Tools (RSAT), which enables administrators to manage Windows Server 2008 roles and features remotely from a computer running Windows Vista with Service Pack 1 (SP1). RSAT is included as an optional feature on all editions of Windows Server 2008, and versions of RSAT for installing on 32-bit and 64-bit versions of Windows Vista SP1 Business, Enterprise, and Ultimate editions are available for download from the Microsoft Download Center at http://www.microsoft.com/downloads/. For detailed information concerning the downloadable version of RSAT and the administrative tools it includes, see http://support.microsoft.com/kb/941314.

Using RSAT on either Windows Vista or a Full installation of Windows Server 2008, you can administer roles and features remotely on a Server Core installation the same way that you would administer them on a Full installation of Windows Server 2008.

Installing RSAT on a Full Installation of Windows Server 2008

To install RSAT on a Full installation of Windows Server 2008, perform the following steps:

  1. Start the Add Features Wizard from either Server Manager or Initial Configuration Tasks.

  2. Expand the Remote Server Administration Tools check box and select the check boxes under it for the specific role and feature administration tools that you want to install on your server. Alternatively, you can select the Remote Server Administration Tools check box to install all the role and feature administration tools on your server.

Installing RSAT on Windows Vista SP1

To install RSAT on Windows Vista with Service Pack 1, perform the following steps:

  1. Download the appropriate Windows Installer (.msi) package (either 32-bit or 64-bit) by using the links found at http://support.microsoft.com/kb/941314.

  2. Double-click the downloaded Windows Update Standalone Installer package (Windows6.0-KB941314-x86.msu or Windows6.0-KB941314-x64.msu) to start the Setup wizard. Follow the prompts to complete the installation.

  3. Open Control Panel and click Programs.

  4. Under Programs And Features, click Turn Windows Features On Or Off. Respond to the User Account Control prompt as required.

  5. In the Windows Features dialog box, scroll down and expand the Remote Server Administration Tools check box, then select the check boxes under it to install the remote administration snap-ins and tools that you want to install. You can also install all role and feature administration tools by selecting the Remote Server Administration Tools check box. Click OK when finished.

  6. Configure your Start menu to display the Administration Tools shortcut by right-clicking Start and clicking Properties. Then on the Start Menu tab, click Customize, scroll down to System Administrative Tools, and select Display On The All Programs Menu And The Start Menu. Click OK when finished.

Using RSAT to Administer Server Core Remotely in a Domain

You can use the RSAT tools to administer roles and features remotely on a Server Core installation that belongs to the same domain as your management workstation. As described in the section “Using MMC Snap-ins to Administer Server Core,” earlier in this chapter, you may need to configure Windows Firewall on your remote Server Core installation for some RSAT tools to be able to connect.

For example, to use RSAT on a computer running Windows Vista in the contoso.com domain to manage the DNS Server role on a Server Core installation named SEA-SC2 that belongs to the same domain, follow these steps:

  1. On your Server Core installation, begin by enabling the necessary rule groups in Windows Firewall to allow remote administration of roles and features on the server. To allow remote administration of all roles and features on the server, type the following command:

    netsh advfirewall firewall set rule group="Remote Administration” new enable=yes

    As described in the section “Using MMC Consoles to Administer Server Core in a Domain,” earlier in this chapter, some snap-ins require additional configuration to get them to work properly for remotely administering Server Core.

  2. Click Start, Administrative Tools, and then DNS to open the DNS Manager console. Before the console opens, a Connect To DNS Server dialog box appears. Select the The Following Computer option, type SEA-SC1, and click OK. DNS Manager opens and lets you remotely manage your Server Core DNS server.

Using RSAT to Administer Server Core Remotely in a Workgroup

You can use the RSAT tools to administer roles and features remotely on a Server Core installation that belongs to a workgroup. As described in the section “Using MMC Snap-ins to Administer Server Core,” earlier in this chapter, you may need to configure Windows Firewall on your remote Server Core installation for some RSAT tools to be able to connect.

For example, to use RSAT on a computer running Windows Vista to manage the DNS Server role on a stand-alone Server Core installation named SEA-SC1, do this:

  1. On your Server Core installation, begin by enabling the necessary rule groups in Windows Firewall to allow remote administration of roles and features on the server. To allow remote administration of all roles and features on the server, type the following command:

    netsh advfirewall firewall set rule group="Remote Administration” new enable=yes

    As described in the section “Using MMC Consoles to Administer Server Core in a Domain,” earlier in this chapter, some snap-ins require additional configuration to get them to work properly for remotely administering Server Core.

  2. Open a command prompt on your Windows Vista computer and type the following command:

    cmdkey /add:SEA-SC1 /user:Administrator /pass:Pa$$w0rd

    In the previous command, the local Administrator account on SEA-SC1 has the password Pa$$w0rd.

  3. Click Start, Administrative Tools, and then DNS to open the DNS Manager console. Before the console opens, a Connect To DNS Server dialog box appears. Select the The Following Computer option, type SEA-SC1, and click OK. DNS Manager opens and lets you remotely manage your Server Core DNS server.