Network Administrator Knowledgebase:

April, 2008

Apr 27 2008   3:35PM GMT

Configuring the Firewall on Server Core for Remote Management



Posted by: Michael Khanin
Microsoft Windows

On all Windows 2008 editions, the firewall is on by default. This is true for Server Core as well. Many IT pros love the new Windows 2008 Server Core edition but, frankly speaking, managing it from a command line is not so easy for many administrators. Yes, we can manage Windows 2008 Core remotely, but we have to configure the firewall on the Core box. There are three scenarios for remote management via MMC:

  1. Server Roles – when a server role is installed, the appropriate ports are opened to allow the role to function as well as to allow remote management, so no additional configuration is required. Using the Remote Server Administration Tools (RSAT) feature on a full server installation, we can install just the MMC snap-ins for a role and use them to remotely manage the role on Server Core.
  2. Domain joined – Once domain joined, the firewall profile is changed to the domain profile which allows remote management. Again, no additional configuration is required.
  3. Workgroup server – This is the scenario (the most popular one when IT pros demonstrate or test the new Windows 2008) in which we may need to make firewall configuration changes to allow remote management. If we want all remote management to work, we can use:

Netsh advfirewall firewall set rule group="remote administration" new enable=yes

However, there may be situations where we only want to allow certain MMCs to connect for remote administration. Not every MMC snap-in has a firewall group; here are those that do:

| MMC Snap-in | Rule Group |
| --- | --- |
| Event Viewer | Remote Event Log Management |
| Services | Remote Service Management |
| Shared Folders | File and Printer Sharing |
| Task Scheduler | Remote Scheduled Tasks Management |
| Reliability and Performance | “Performance Logs and Alerts” and “File and Printer Sharing” |
| Disk Management | Remote Volume Management |
| Windows Firewall with Advanced Security | Windows Firewall Remote Management |

On the Server Core box we can enable these by running:

Netsh advfirewall firewall set rule group="<rule group>" new enable=yes

Where <rule group> is the name in the above table.

Not every MMC snap-in has a rule group to allow it access through the firewall.
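
As an added example (not part of the original post), the batch file below enables only the rule groups for the snap-ins that are actually needed, instead of the whole "remote administration" group, and then lists the resulting rules for review. The choice of Event Viewer and Services is an assumption; the group names come from the table above.

```bat
@echo off
rem Added example, not from the original post.
rem Enables only the listed firewall rule groups on a workgroup Server Core box.
rem Assumption: only Event Viewer and Services need remote access; edit the
rem list in the for loop to match the snap-ins you use.
setlocal
set FAILED=0

rem Show which firewall profile is currently active.
netsh advfirewall show currentprofile

rem %%G keeps its surrounding quotes, so group names with spaces are passed intact.
for %%G in ("Remote Event Log Management" "Remote Service Management") do (
    netsh advfirewall firewall set rule group=%%G new enable=yes >nul
    if errorlevel 1 (
        echo FAILED: could not enable rule group %%G
        set FAILED=1
    ) else (
        echo OK: enabled rule group %%G
    )
)

rem List name, state and direction of every rule so the result can be reviewed.
rem The field names below are those of an English-language installation.
netsh advfirewall firewall show rule name=all | findstr /i /c:"Rule Name:" /c:"Enabled:" /c:"Direction:"

if %FAILED%==1 exit /b 1
exit /b 0
```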

MMC Snap-ins that Require Additional Configuration
In addition to allowing the MMC snap-ins through the firewall, the following MMC snap-ins require additional configuration:

  • Device Manager
    To allow Device Manager to connect, you must first enable the “Allow remote access to the PnP interface” policy

    1. On a Windows Vista or full Server installation, start the Group Policy Object MMC snap-in
    2. Connect to the Server Core installation
    3. Navigate to Computer Configuration\Administrative Templates\Device Installation
    4. Enable “Allow remote access to the PnP interface”
    5. Restart the Server Core installation
  • Disk Management
    You must first start the Virtual Disk Service (VDS) on the Server Core installation
  • IPSec Mgmt
    On the Server Core installation you must first enable remote management of IPSec. This can be done using the scregedit.wsf script:

Cscript \windows\system32\scregedit.wsf /im 1

Apr 25 2008   10:27PM GMT

What is already installed on Windows 2008 Core



Posted by: Michael Khanin
Microsoft Windows

By running Oclist on Windows 2008 Server Core, we can get full information about what is installed and what is not installed on the server.
The full list is very long and not comfortable to read. If you don’t want to include all of the many “Not Installed” options in the output of Oclist, run:

Oclist | find "  Installed"


Apr 25 2008   10:03PM GMT

How to figure out what OS Edition is running on Server 2008?



Posted by: Michael Khanin
Microsoft Windows

We can do this via WMI.
The command line is:

wmic path win32_operatingsystem get OperatingSystemSKU /value

The value should be converted to hex and then mapped to the list at:
http://msdn2.microsoft.com/en-us/library/ms724358.aspx


Apr 25 2008   5:06PM GMT

Running Windows 2008 Server core under VMware



Posted by: Michael Khanin
Microsoft Windows, Virtualization

VMware Tools is one of the first pieces of software that I install on any OS running under VMware. The most important benefit is the VMware enhanced video and mouse drivers. On VMware ESX, VMware Tools must be installed to get the NIC working. Installing VMware Tools on Windows 2008 Server Core is a bit tricky. As you may remember, Server Core is a command-line-only version of Windows Server 2008. VMware Tools is a GUI installation, so this is not an option for Server Core. Today we have a few workarounds :)

Solution 1

  • Log into your Windows Server 2008 Server Core VM with an admin account
  • From the VMware Workstation console, click the VM menu, then Install VMware Tools. This will mount the VMware Tools disk (windows.iso file) in the virtual CD-ROM drive.
  • Switch to drive D: (or whatever drive is your CD drive)
  • Type Setup and press Enter
  • Click Install at the VMware informational message. VMware Tools setup will begin.
  • Click Next to install
  • Click Next to perform a Typical setup
  • Click Install to begin the installation
  • When you see the status stall, open Task Manager (Ctrl-Alt-Ins, then Start Task Manager)
  • Click the Applications tab, select the RUNDLL process and choose End Task
  • Close Task Manager and click OK to any error messages. Setup will continue as normal.
  • Click Finish and click Yes to restart the server
  • When Windows Server 2008 Server Core starts up, it will be in 640×480 resolution. As a quick solution, read my “CoreConfigurator - Graphic Management Tool for Windows Server 2008 Core” post, which explains how to configure the resolution in Windows 2008 Server Core :).

Solution 2

  • As a first step, on Server Core we need to mount the VMware Tools ISO by selecting the “Install VMware Tools” option.
  • From a command line, run the following command:

    msiexec /i "d:\VMware Tools.msi" /qn

Solution 3
This solution is specifically for VMware ESX Server. The workaround is to transfer VMware Tools (contained in a file called windows.iso) from your ESX server to a local drive. Use Virtual Center to mount the windows.iso file as a CD-ROM drive in the Windows 2008 Server Core VM. The exact location of the driver inside the windows.iso file is: \Program Files\VMWare\VMWare Tools\Drivers\VMXNet\w2k. The command used to install the drivers is:

C:\Windows\System32> pnputil -i -a vmxnet.inf

You should get the following message:

Microsoft PnP Utility
Processing inf : vmxnet.inf
Successfully installed the driver on a device on the system.
Driver package added successfully.
Published name : oem2.inf

The next step is to set “Hardware Acceleration” for the display adapter to “Full”. For that, you have to use the registry.
Launch the Registry Editor from the command prompt by typing “regedit”. Then navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{81E0A29D-B654-4848-9421-BEA1C8A6F938}\0000

The long number is a GUID and it will be different on your system. You should find the Acceleration.Level value in the 0000 folder. To be sure that you’ve found the correct key, check that the same location contains a “Device Description” value set to “VMware SVGA II”. You have to set the Acceleration.Level value to 0.

Exit from registry and reboot your server.
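
The same registry change can be made without regedit. This batch file is an added example, not part of the original post: it finds the key or keys under Control\Video that hold the data “VMware SVGA II” and sets Acceleration.Level to 0 there. The REG_DWORD type is an assumption, since the post does not state the value type; a reboot is still required afterwards.

```bat
@echo off
rem Added example, not from the original post.
rem Finds the video adapter key(s) whose data contains "VMware SVGA II"
rem and sets Acceleration.Level to 0 there, as described in the text.
rem Assumption: Acceleration.Level is a REG_DWORD value.
setlocal
set "VIDEO=HKLM\SYSTEM\CurrentControlSet\Control\Video"
set FOUND=0

rem reg query /s /f ... /d searches value data recursively; findstr keeps only
rem the key-path lines of the output (they start with the hive name).
for /f "delims=" %%K in ('reg query "%VIDEO%" /s /f "VMware SVGA II" /d ^| findstr /b /i "HKEY_LOCAL_MACHINE"') do (
    echo Setting Acceleration.Level=0 under %%K
    reg add "%%K" /v Acceleration.Level /t REG_DWORD /d 0 /f
    set FOUND=1
)

if %FOUND%==0 echo No value with data "VMware SVGA II" found under %VIDEO%
```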

The END :).


Apr 20 2008   7:31PM GMT

CoreConfigurator - Graphic Management Tool for Windows Server 2008 Core



Posted by: Michael Khanin
Microsoft Windows, Networking, Windows Security

The default way to manage Windows Server 2008 Core is the command line. Yes, the main power of Windows Server Core becomes available with this approach, but sometimes it’s not so user friendly. This is why I’ve been asked so many times whether anything more graphical exists :). Yes, one of the first recommendations for working with and managing Windows 2008 Server Core is to use MMC from a remote machine, but MMC cannot do everything. Of course, for the remote tools to work, they must be allowed through the Server Core firewall, and for many people that is more difficult than editing the registry. :) Therefore, I would like to have a simple graphical tool for configuring the local system. Developing such an interface is complicated by the fact that Server Core has a limited set of graphics APIs, which is why the beautiful MMC doesn’t work on it.

So, since Microsoft has not provided such a utility, somebody else did. Look at the CoreConfigurator utility developed by Guy Teverovsky, an MVP from Israel.

This is what it can do:

  • Product Activation
  • Configuration of display resolution
  • Clock and time zone configuration
  • Remote Desktop configuration
  • Management of local user accounts (creation, deletion, group membership, passwords)
  • Firewall configuration
  • WinRM configuration
  • IP configuration
  • Computer name and domain/workgroup membership
  • Installation of Server Core features/roles

To set up this utility, use the MSI package and then run the CoreConfigurator.exe file. The following interface will appear.

By the way, it is not necessary to install CoreConfigurator; we can simply copy its files onto the system. The result will be the same. The video settings look like this:

The “Show window content while dragging” setting may markedly improve the display of window objects if you work with the server over a terminal connection. Please note that the setting affects only the current user. As the picture shows, to change the time zone the developer did not reinvent the wheel and simply calls the standard timedate.cpl.

Remote Desktop Options look like this:

All would be good, but in this version you still have to allow RDP connections in the firewall manually using netsh. Hopefully, in the next version this will be fixed. Management of local users and groups is done through the following windows.

Installation of roles and features has become more visual:

At the moment, the firewall management functionality is very limited, but at least it already incorporates all the rules necessary for remote management.

Configuring your network interfaces looks fairly familiar.

Setting the activation key and activating the OS is also very simple, and all of this is done via the GUI :)

In addition, let me show the WinRM interface and the interface for renaming the computer and joining it to a domain:

Understandably, CoreConfigurator is not officially supported by Microsoft. Many IT professionals will probably have doubts about whether to trust the author of the software. As usual, the choice of whether or not to install this utility on your server is up to you. :)


Apr 20 2008   4:29PM GMT

PowerShell - The Next Step for System Administrator



Posted by: Michael Khanin
Microsoft Windows

I’ve just come back from Seattle, where I attended the Global MVP Summit 2008.
Microsoft spoke about new technologies, about new products, about plans and visions.

I attended many sessions, and I’d like to say what I see as being of the highest importance.

If you are a Network or Systems Administrator dealing with a Windows environment, you SHOULD start learning and using PowerShell (if you are not already doing so :)). Absolutely every new program or system from Microsoft supports PowerShell; I remember just one exception, Windows 2008 Core. We cannot install and use PowerShell on a Windows 2008 Core box, but we can manage and control Windows 2008 Core by using PowerShell on other Windows 2008, Vista or even Windows XP machines.

I’ll try to speak more about PowerShell, and I’ll show how PowerShell can serve us in our daily work. If you want to write a script and are considering doing it in PowerShell, VB or a simple batch file, I suggest doing it in PowerShell. I’ll try to assist you as much as I can.


Apr 18 2008   1:00AM GMT

2008 MVP Global Summit



Posted by: Michael Khanin
Microsoft Windows

At this time I am in Seattle, at the MVP Summit 2008. Soon I’m going back home. I had a lot of good sessions about Windows 2008, Exchange, SharePoint, PowerShell and much more. I will write a detailed report about the new Microsoft stuff a bit later. It’s not going to be a report with many details, as a lot of the information at this Summit is under NDA, but I’ll try to publish as much as I can. So, keep checking for new posts ;)


Apr 9 2008   7:42PM GMT

How to Create File for a Desired File Size



Posted by: Michael Khanin
Microsoft Windows

From time to time I need some temp files of varying sizes. In a Linux environment that is not a problem. And in a Windows environment it’s not a problem anymore :).
I’ve used “dd for windows”, which can be downloaded from its official web site. I’ve created a very simple script, mkef.bat. Here is the syntax for using mkef.bat:

mkef.bat <filename> <size>

And now the content of mkef.bat:

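@echo off
rem Usage: mkef.bat <filename> <size>; both arguments are required
if {%1}=={} @Echo Please use the following syntax: mkef.bat filename size &goto :EOF
if {%2}=={} @Echo Please use the following syntax: mkef.bat filename size &goto :EOF
rem Write <size> blocks of 1024 zero bytes to <filename> using dd for windows
dd if=/dev/zero of=%1 bs=1024 count=%2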


Apr 7 2008   3:58PM GMT

On a long-awaited package, Windows XP SP3



Posted by: Michael Khanin
Microsoft Windows

Build 5511 from April 4, 2008 will likely be the last beta build, and this build has already been distributed to internal testers. If all goes smoothly, by the end of next week Microsoft will release the final RTM build of SP3 for Microsoft Windows XP.


Apr 7 2008   3:57PM GMT

Windows 2003 Loses Network Connections



Posted by: Michael Khanin
Microsoft Windows, Networking

If you have a server running Windows 2003, one day you may find your server disconnected from the network :).

That’s exactly what happened to me. A simple reboot, and the server lost network connectivity.
The event log was full of system errors like:

Event ID: 12291, SAM failed to start the TCP/IP or SPX/IPX listening thread

Event ID: 4292, The IPSec driver has entered Block mode. IPSec will
discard all inbound and outbound TCP/IP network traffic that is not permitted
by boot-time IPSec Policy exemptions. User Action: To restore full unsecured
TCP/IP connectivity, disable the IPSec services, and then restart the
computer. For detailed troubleshooting information, review the events in the
Security event log.

Event ID: 7023, The IPSEC Services service terminated with the following
error: The endpoint mapper database entry could not be created.

When you check the MS Knowledge Base for those errors, you will find the following articles; the most popular are these:

http://support.microsoft.com/kb/930220
http://support.microsoft.com/kb/912023
http://support.microsoft.com/default.aspx?scid=kb;en-us;870910

BTW, apparently it’s not caused by SP1. So, if you have implemented all the WORKAROUNDs mentioned in those articles and the server is still disconnected from the network, try a VERY simple solution :): change RPC to start with localsystem instead of network service. Of course, remember to reboot your server :).