If you have a Windows Server 2008 installation of the Server Core, you might run into a few nasty surprises when it comes time to administer the nuts and bolts of the configuration.
The reliance on GUI tools causes some pain from an administration perspective, and when you come to administer the machine remotely you might find some surprises in store.
Common Error Messages
A common error message (when trying to access Device Manager remotely) is:
Unable to access the computer “ComputerName” Make sure that this computer is on the network, has remote administration enabled, and is running the “Plug and Play” and “Remote registry” services.
The error was: Access Denied
Another common error message, when trying to view the server’s Event Log:
Event Viewer cannot connect to computer “ComputerName”. The error reported is: The RPC server is unavailable
..or how about the Disk Management view?
Disk Management could not start Virtual Disk Service (VDS) on “ComputerName”. This can happen if the remote computer does not support VDS, or if a connection cannot be established because it was blocked by Windows Firewall.
Fixing these errors requires some changes to the Server Core installation's configuration.
Configuring Remote Administration – Firewall Rules
You’ll need local Administrator rights and, if the machine is on a domain, a domain account (but not necessarily Domain Administrator rights). You can also be a member of the Network Operators group, provided you have been delegated permission to run netsh advfirewall commands.
To set the firewall rules, you’ll need shell access to the remote system. Once at the command prompt, you can issue the following netsh commands to allow remote access through the server firewall.
To enable remote firewall administration:
Netsh advfirewall firewall set rule group="Windows Firewall Remote Management" new enable=yes
To enable remote administration:
Netsh advfirewall firewall set rule group="remote administration" new enable=yes
To allow remote management via specific MMC snap-ins, run the following command:
Netsh advfirewall firewall set rule group="<rulegroup>" new enable=yes
So, for example, to enable Remote Volume Management:
Netsh advfirewall firewall set rule group="Remote Volume Management" new enable=yes
Additional Configuration
Now, we’re not exactly out of the woods yet. Believe it or not, there are some extra settings for some remote access. In addition to allowing the MMC snap-ins through the firewall, the following MMC snap-ins require additional configuration:
Device Manager
To allow Device Manager to connect, you must first enable the “Allow remote access to the PnP interface” policy:
1. On another machine, open an MMC console (the easiest way is Start->Run->mmc <enter>) and start the Group Policy Object MMC snap-in (you might need to add it)
2. Connect to the Server Core installation
3. Navigate to Computer Configuration\Administrative Templates\System\Device Installation
4. Enable “Allow remote access to the PnP interface”
5. Restart the Server Core installation
Disk Management
You must first start the Virtual Disk Service (VDS) on the Server Core installation.
IPSec Mgmt
On the Server Core installation you must first enable remote management of IPSec. This can be done using the scregedit.wsf script:
Cscript \windows\system32\scregedit.wsf /im 1
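The firewall, VDS and IPSec steps above collected into one batch file, as an added example that is not part of the original post. The list of rule groups is an assumption ("Remote Event Log Management" is the built-in group for the Event Viewer snap-in); keep only the groups for the snap-ins you actually use.

```batch
@echo off
rem Added example, not from the original post. Run from an elevated prompt
rem on the Server Core installation.
setlocal

rem Assumption: these are the rule groups you need. Keep only the ones for
rem the snap-ins you actually use, so nothing extra is opened.
for %%G in (
    "Windows Firewall Remote Management"
    "Remote Event Log Management"
    "Remote Volume Management"
) do (
    echo Enabling firewall rule group %%~G
    netsh advfirewall firewall set rule group=%%G new enable=yes
    if errorlevel 1 echo   FAILED for %%~G - check the group name
)

rem Disk Management: the Virtual Disk Service must be running.
sc query vds | find "RUNNING" >nul
if errorlevel 1 net start vds
rem Optional (an addition to the post): start VDS at boot as well.
rem sc config vds start= auto

rem IPSec snap-in: enable remote management, as in the post.
cscript //nologo %SystemRoot%\system32\scregedit.wsf /im 1

rem Device Manager is not handled here: it needs the Group Policy setting
rem "Allow remote access to the PnP interface" and a restart.

rem Show the result so the change can be checked and recorded.
sc query vds | find "STATE"
netsh advfirewall firewall show rule name=all | findstr /c:"Rule Name:" /c:"Enabled:" /c:"Grouping:"
endlocal
```

The final listing prints every firewall rule with its state and group, which makes it easy to confirm that only the intended groups were opened.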
Driver Installation
While we’re discussing it – driver installation is a little tricky too on Windows Server Core. To install, you’ll need to get shell access (RDP works well) and then you’ll need to copy the drivers somewhere (preferably onto the system).