Enabling remote administration of a Windows Server Core installation

If you have a Windows Server 2008 installation of the Server Core, you might run into a few nasty surprises when it comes time to administer the nuts and bolts of the configuration. 

The reliance on GUI tools causes some pain from an administration perspective, and when you come to remotely administer the machine you might fund some surprises in store.

Common Error Messages

A common error message (when trying to access Device Manager remotely) is:

Unable to access the computerComputerName” Make sure that this computer is on the network, has remote administration enabled, and is running the “Plug and Play” and “Remote registry” services.

The error was: Access Denied

Another common error message, when trying to view the server’s Event Log:

Event Viewer cannot connect to computer “ComputerName”. The error reported is: The RPC server is unavailable

..or how about the Disk Management view?

Disk Management could not start Virtual Disk Service (DS) on “ComputerName”. This can happen if the remote computer does not support VDS, or if a connection cannot be established because it was blocked by Windows Firewall.

Which requires some changes to the Core installation configuration. 

Configuring Remote Administration – Firewall Rules

You’ll need local Administration rights and if the machine is on a Domain, you’ll need a domain account (but not necessarily Domain Administration rights).  You can also be a member of the Network Operators group, provided you have delegated permission to run netsh advfirewall commands.

To set the firewall rules, you’ll need shell access to the remote system.  Once at the command prompt, you can issue the following netsh commands to allow remote access through the server firewall.

To enable remote firewall administration:

Netsh advfirewall firewall set rule group=”Windows Firewall Remote Management” new enable =yes

To enable remote administration:

Netsh advfirewall firewall set rule group=”remote administration” new enable=yes

To allow remote management via specific MMC snap-ins, run the following command:

Netsh advfirewall firewall set rule group=”<rulegroup>” new enable=yes

So, for example, to enable Remote Volume Management:

Netsh advfirewall firewall set rule group=”Remote Volume Management” new enable=yes

Additional Configuration

Now, we’re not exactly out of the woods yet.  Believe it or not, there are some extra settings for some remote access.  In addition to allowing the MMC snap-ins through the firewall, the following MMC snap-ins require additional configuration:

Device Manager

To allow Device Manager to connect, you must first enable the “Allow remote access to the PnP interface” policy

1. On another machine open an MMC console (easiest way is Start->Run->mmc <enter>), start the Group Policy Object MMC snap-in (you might need to add it)

2. Connect to the Server Core installation

3. Navigate to Computer Configuration\Administrative Templates\System\Device Installation

4. Enable “Allow remote access to the PnP interface”

5. Restart the Server Core installation

Disk Management

You must first start the Virtual Disk Service (VDS) on the Server Core installation

IPSec Mgmt

On the Server Core installation you must first enable remote management of IPSec. This can be done using the scregedit.wsf script:

Cscript \windows\system32\scregedit.wsf /im 1

Driver Installation

While we’re discussing it – driver installation is a little tricky too on Windows Server Core.  To install, you’ll need to get shell access (RDP works well) and then you’ll need to copy the drivers somewhere (preferably onto the system).

  • Navigate to the folder containing the INF files, and type in this command:
  • pnputil -i -a C:\Drivers\LAN\filename.inf – where filename.inf is the name of the file containing the driver
  • If you’re not sure which file it is, you can use a wildcard, like this: pnputil.exe -i -a C:\Drivers\LAN\*.inf – this will install all INF files.
  • You can also do pnputil /? to see all the options
  • References:


    Leave a comment

    Your email address will not be published.

    This site uses Akismet to reduce spam. Learn how your comment data is processed.