Windows Server 2008R2 Server Core Installation & Setup Notes

After setting up a W2K8R2 “Server Core” Hyper-V host recently, I thought it a good idea to jot down some notes as to how to navigate the command prompt (mostly) so it can be configured – a flashback to the days of MS-DOS in some ways ;)

NOTE: All of the following commands are on 1 line, annotated with C-style comment before.

// Rename the computer to SERVER1 
netdom renamecomputer %computername% /newname:SERVER1

// Join domain DOM1 using user account DOMUSER1 (prompt for password)
netdom join %computername% /domain:DOM1 /userdd:DOMUSER1 /passwordd:*

// Graceful shutdown & restart with no delay
shutdown /r /t 0

// Add DOM1\DOMUSER1 to the local Administrators group
net localgroup Administrators /add DOM1\DOMUSER1

// Allow remote admin connections through the firewall
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

// Enable Remote Desktop connections
cscript c:\windows\system32\scregedit.wsf /ar 0

// Enable WinRS (Windows Remote Shell) connections
winrm quickconfig

// NOTE: All ocsetup (Optional Component Setup) commands are case sensitive
// Install Hyper-V role
start /w ocsetup Microsoft-Hyper-V

// Install BitLocker feature
start /w ocsetup BitLocker

// Install the Server Core flavour of the .NET Framework (required for PowerShell)
start /w ocsetup NetFx2-ServerCore

// Install the PowerShell feature
start /w ocsetup MicrosoftWindowsPowerShell

// Enable TPM (required for BitLocker, requires confirmation from the BIOS)
manage-bde -tpm –t

// Encrypt drive C: with BitLocker using a randomly-generated password
manage-bde -on C: –recoverypassword

// View the current status of BitLocker encryption
manage-bde -status

Post-install, most of the management you want to do will actually be remote (either using a GUI, or PowerShell scripts), so as long as the firewall is allowing the right type of traffic and the security policies allow it then there should be no problems…

// Allow Device Manager access remotely (note this is read-only, device installation should be done using pnputil.exe locally)
> Run MMC.EXE
> Click File > Add/Remove Snap-in…
> Select Group Policy Object Editor, click Add, click Browse
> Select Another computer, enter the name of the Server Core server, click OK, click Finish
> Click OK
> Drill down to Computer Configuration > Administrative Templates > System > Device Installation
> Enable the policy “Allow remote access to the Plug and Play interface”, click OK

// Open a Windows Remote Shell (WinRS) command prompt on SERVER1
winrs –r:SERVER1 cmd

// Use the Computer Management UI remotely (this is not unique to Server Core and is fairly commonly done)
> Launch COMPMGMT.MSC
> Right-click “Computer Management (Local) ”, click “Connect to another computer… ”
> Enter the name of the Server Core server, click OK

Many of the MMC snap-ins that allow connections to remote machines do so either directly, as with Computer Management, or if the snap-in is loaded into a clean MMC.EXE process, as with the Group Policy Object Editor.

Bear in mind that the snap-in is loaded on the machine where MMC.EXE is running so in the case of policy editing, for example, you need to ensure that you are using the OS/SP level matches or exceeds that of the remote machine being managed.
If the client machine (running the MMC) is using “version 1” snap-ins then it won’t be aware of any “version 2” features of which the remote machine is capable.

If you find yourself with many different MMC windows for managing a server remotely, consider creating your own .MSC file for that server with all the commonly-used snap-ins loaded and configured to point to the server (a kind of custom Server Manager to suit your needs).

Other management consoles are designed to allow connections to multiple servers, such as the Hyper-V Manager where you can simply right-click “Hyper-V Manager” and “Connect to Server… ” to add a server to the list.