New in Windows Server 2019: Server Core app compatibility feature on demand

Microsoft has released Windows Server 2019, so it’s time to look at Microsoft’s latest and greatest.
One of the most exciting features Microsoft added to Windows Server 2019 is the ability to add additional app compatibility to Server Core installations.

 

About App Compatibility on Server Core

One of the biggest challenges with embracing Server Core as an administrator is that not many software vendors have specifically written their products for Server Core installations of Windows Server, or have tested their products on Server Core installations of Windows Server. As you might expect, just like desktop software, these products are tested on Windows Server installations with the Desktop Experience (formerly known as Full Installations), with administrative privileges.
Unfortunately, the challenge isn’t limited to software packages or agents. In the past, this resulted in cases where Server Core wasn’t installed on HP-branded servers, simply because the tools to team the built-in networking adapters were only available as graphical tools. They couldn’t be used…

Windows Server’s ability to temporarily run with the Desktop Experience to install and configure parts of the Operating System, software packages and agents, has eased the process of embracing Server Core. In the end, though, the conclusion from many admins was that it was not worth their time to go this route, because when they removed the GUI layers, eventually things still broke.

 

App Compatibility on Windows Server 2019

In Windows Server 2019, GUI layers can’t be removed. You could do this in Server Core installations of Windows Server 2012 and Windows Server 2012 R2. However, since Windows Server 2016 you can no longer do this. It is expected to remain this way for long-term servicing branch/channel (LTSB/LTSC) versions of Windows Server. The choice between Server Core installation and Windows Server with the Desktop Experience is to be made during installation and will remain this way until reinstallation of Windows Server or decommissioning of the server.

App Compatibility Feature on Demand (FoD)

To ease this pain, and to improve the adoption of Server Core installations of Windows Server for good reasons, Microsoft introduces the Server Core App Compatibility Feature on Demand in Windows Server 2019. This feature significantly improves the app compatibility of Windows Server Core installations by including a subset of binaries and components from Windows Server with the Desktop Experience, without adding the Windows Server Desktop Experience graphical user interface (GUI) itself.

Specifically, the App Compatibility feature adds:

  • Microsoft Management Console (mmc.exe)
  • Event Viewer (Eventvwr.msc)
  • Performance Monitor (PerfMon.exe)
  • Resource Monitor (Resmon.exe)
  • Device Manager (Devmgmt.msc)
  • File Explorer (Explorer.exe)
  • Windows PowerShell ISE (Powershell_ISE.exe)
  • Failover Cluster Manager (CluAdmin.msc)

 

This way, the functionality and compatibility of Server Core is increased, while keeping it as lean as possible.

As you can see, many of the tips and tricks that were provided on working with Server Core revolve around absent tools that can now (temporarily) be added.

 

Getting started with the App Compatibility Feature on Demand

This optional feature on demand is available on a separate ISO and can be added to Windows Server Core installations and images only, using DISM.exe.

Download the ISO

First, download the Windows Server 2019 Features on Demand ISO image file, which is available on the Microsoft Evaluation Center. For MSDN subscribers and current Microsoft volume licensing customers, the Features on Demand (FoD) image file is also available in their respective download centers.

This download is called en_windows_server_2019_features_on_demand_x64_dvd_c6194375.iso and weighs 335 MB.

Add the App Compatibility feature

Sign in to the Server Core installation with local administrator rights, mount the ISO file or insert it as removable media, and execute the following command:

dism.exe /Online /Add-Capability /CapabilityName:"ServerCore.AppCompatibility~~~~0.0.1.0" /Source:E: /LimitAccess

After the command completes, restart the Server Core installation.
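The same steps as a script, as an added example that is not part of the original post: it refuses to run on anything other than a Server Core installation, checks the ISO against a SHA-256 value you supply, and uses the Add-WindowsCapability cmdlet in place of dism.exe. The ISO path and the expected hash are parameters you fill in; the page does not publish a hash for the ISO.

```powershell
#Requires -RunAsAdministrator
# Added example. $IsoPath and $ExpectedSha256 are placeholders supplied by the
# caller; take the hash from the download center you got the ISO from.
param(
    [Parameter(Mandatory)] [string] $IsoPath,
    [Parameter(Mandatory)] [string] $ExpectedSha256
)

$ErrorActionPreference = 'Stop'
$capability = 'ServerCore.AppCompatibility~~~~0.0.1.0'
$isoFullPath = (Resolve-Path -Path $IsoPath).Path

# 1. The capability can be added to Server Core installations only.
$installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
if ($installType -ne 'Server Core') {
    throw "InstallationType is '$installType'; this feature is for Server Core only."
}

# 2. Nothing to do when the capability is already present.
if ((Get-WindowsCapability -Online -Name $capability).State -eq 'Installed') {
    Write-Output "$capability is already installed."
    return
}

# 3. Binaries from this ISO end up in the operating system, so verify the
#    file before mounting it (string comparison is case-insensitive).
$actualSha256 = (Get-FileHash -Path $isoFullPath -Algorithm SHA256).Hash
if ($actualSha256 -ne $ExpectedSha256) {
    throw "SHA-256 mismatch for $isoFullPath (got $actualSha256)."
}

# 4. Mount the ISO, add the capability from it, and always dismount again.
#    -LimitAccess keeps the servicing stack from contacting Windows Update.
$image = Mount-DiskImage -ImagePath $isoFullPath -PassThru
try {
    $drive  = ($image | Get-Volume).DriveLetter
    $result = Add-WindowsCapability -Online -Name $capability -Source "${drive}:\" -LimitAccess
}
finally {
    Dismount-DiskImage -ImagePath $isoFullPath | Out-Null
}

# 5. Report the resulting state; the restart itself is left to the admin.
$state = (Get-WindowsCapability -Online -Name $capability).State
Write-Output "Capability state: $state. Restart needed: $($result.RestartNeeded)"
```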

Exchange Server 2019 is coming to Server Core

Last week, the Microsoft Exchange Product Group announced the release of the Exchange Server 2019 public preview! They also lifted the veil on some of the new features/capabilities etc. of this new major build of Exchange Server. To say that I’m excited about this release is an understatement… I feel this Exchange Server version is groundbreaking due to one of its new features, touted by the team as making Exchange Server 2019 the safest Exchange Server yet.

 

Of course, you’ll think I drank too much of the Kool-Aid and simply bought the same line the team has been marketing for the last couple of years for many Microsoft products, including Windows. This time it’s different. This time, it’s not really an Exchange Server feature, but more a platform support feature:

Exchange Server 2019 is coming to Server Core.

 

Yes!

It will finally be possible to install Exchange Server 2019 on Server Core installations of Windows Server 2016 and Windows Server 2019. The Product Group mentions that they consider this the best deployment option. It means there isn’t really a need for a desktop experience. However, it remains an option.

Preview

Exchange Server 2019 and Windows Server 2019 are still in preview, but you can download the Windows Server Insider Preview here (after signup) and the Exchange Server 2019 Preview here. As both versions are still in preview, anything in the above text might still change before either of these products reaches Release to Manufacturing (RTM)…

Remote Desktop Connection Broker and Remote Desktop Virtualization Host will no longer be available on Server Core installations

Reading through the Features removed or planned for replacement starting with Windows Server, version 1803, something caught my eye:

Remote Desktop Connection Broker and Remote Desktop Virtualization Host in a Server Core installation

Most Remote Desktop Services deployments have these roles co-located with the Remote Desktop Session Host (RDSH), which requires Server with Desktop Experience; to be consistent with RDSH we’re changing these roles to also require Server with Desktop Experience. We’re no longer developing these RDS roles for use in a Server Core installation. If you need to deploy these roles as part of your Remote Desktop infrastructure, you can install them on Windows Server 2016 with Desktop Experience.

 

To be honest, I was dumbfounded by this message, but I guess Microsoft knows what they’re doing.

 

Remote Desktop Services Architecture

Looking at Microsoft’s Remote Desktop Services architecture, several roles exist:

  • Remote Desktop Gateway (RD Gateway, RDGW)
    The Remote Desktop Gateway (RD Gateway) component enables people on their client devices on the public Internet to securely access Windows desktops and applications.
  • Remote Desktop Web Access (RD Web)
    The Remote Desktop Web Access (RD Web Access) component allows the tenant’s employees to have a single website where they can authenticate and then access Windows desktops and applications.
  • Remote Desktop Connection Broker (RDCB)
    Remote Desktop Connection Broker (RD Connection Broker) manages incoming remote desktop connections to the servers in Remote Desktop Session Host (RD Session Host) server farms, known as collections.
  • Remote Desktop Licensing Server (RDLS)
    Each Remote Desktop Services environment includes a Remote Desktop Licensing server to allow users to connect to the Remote Desktop Session Host (RD Session Host) servers that host the desktops and applications. The licensing server may be configured in “per user” mode or in “per device” mode.
  • Remote Desktop Session Host (RDSH)
    The Remote Desktop Session Host (RD Session Host) component provides people with session-based desktops and RemoteApp programs.
  • Remote Desktop Virtualization Host (RDVH)
    In contrast to a Remote Desktop Session Host, that offers session virtualization by allowing multiple people to log on interactively to a Windows Server installation, a Remote Desktop Virtualization host (RDVH) offers desktop virtualization where people log onto their own virtualized Windows instance, running on top of a hyper-virtualization platform. This platform is the Remote Desktop Virtualization Host.

In this architecture, typically, multiple Remote Desktop Session Hosts perform the heavy lifting: actually running the applications and/or offering Windows desktops. One (virtual) machine runs the Remote Desktop Connection Broker (RDCB) and Remote Desktop Licensing Server (RDLS), so people land on the right Remote Desktop Session Host (RDSH) when they are properly licensed. Another (virtual) machine, running the Remote Desktop Gateway (RD Gateway, RDGW) and Remote Desktop Web Access (RD Web) roles, offers outside connections to the infrastructure. All components can be made highly available. The infrastructure requires Active Directory Domain Services or Azure AD Domain Services, as well as a Microsoft SQL Server or Azure SQL database (in highly available scenarios).

Many variants of the above best practices architecture exist, but all of them avoid placing any of the RDS infrastructure role services (RD Gateway, RD Web, RD Connection Broker or RD Licensing) on Remote Desktop Session Hosts or Remote Desktop Virtualization Hosts.

 

… in real life, though…

Now, when you read closely, Microsoft states that organizations are not following its guidance. Instead, they install the Remote Desktop Connection Broker (RDCB) on one or more of the Remote Desktop Session Hosts.

This has led to the decision to remove the two features from Server Core installations in the following Windows Server releases:

  1. Semi-Annual Channel (SAC) releases: Windows Server, version 1803, and beyond
  2. Long-term Servicing Channel (LTSC) releases: Windows Server 2019, and beyond

Looking at the list of available roles and features for Server Core installations, the Remote Desktop Licensing Server is the only Remote Desktop Services (RDS) role still viable to run on Server Core installations in the near future.

 

Install Windows Server with Desktop Experience

Starting with Windows Server, version 1803 and Windows Server 2019, when you want to run any of the below Remote Desktop Services role services, install a Windows Server with Desktop Experience, instead of a Server Core installation of Windows Server:

  • Remote Desktop Gateway (RD Gateway)
  • Remote Desktop Web Access (RD Web)
  • Remote Desktop Connection Broker (RDCB) *
  • Remote Desktop Session Host (RDSH)
  • Remote Desktop Virtualization Host (RDVH) *
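To find the servers this change affects before an upgrade, the check below is an added example (not from the original post). It flags role services from the list above that sit on a Server Core installation, and also flags infrastructure role services co-located with a session or virtualization host, which the architecture section advises against. The function name and the sample inventory are constructed for illustration.

```powershell
# Added example; Test-RdsPlacement and the sample inventory are illustrative.
function Test-RdsPlacement {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $InstallationType,   # 'Server Core' or 'Server'
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $InstalledFeatures
    )

    # Role services the page lists as needing Desktop Experience
    # from Windows Server, version 1803 and Windows Server 2019 onwards.
    $needsDesktop = 'RDS-Gateway', 'RDS-Web-Access', 'RDS-Connection-Broker',
                    'RDS-RD-Server', 'RDS-Virtualization'
    # Infrastructure role services versus the hosts that run user workloads.
    $infraRoles = 'RDS-Gateway', 'RDS-Web-Access', 'RDS-Connection-Broker', 'RDS-Licensing'
    $hostRoles  = 'RDS-RD-Server', 'RDS-Virtualization'

    $findings = @()

    if ($InstallationType -eq 'Server Core') {
        foreach ($feature in $InstalledFeatures) {
            if ($feature -in $needsDesktop) {
                $findings += [pscustomobject]@{
                    Computer = $ComputerName
                    Issue    = 'NeedsDesktopExperience'
                    Detail   = $feature
                }
            }
        }
    }

    $hostsHere = @($InstalledFeatures | Where-Object { $_ -in $hostRoles })
    $infraHere = @($InstalledFeatures | Where-Object { $_ -in $infraRoles })
    if ($hostsHere.Count -gt 0 -and $infraHere.Count -gt 0) {
        $findings += [pscustomobject]@{
            Computer = $ComputerName
            Issue    = 'CoLocatedRoles'
            Detail   = "$($infraHere -join ', ') on the same machine as $($hostsHere -join ', ')"
        }
    }

    $findings
}

# Constructed sample inventory. On a live server, collect the same data with:
#   (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
#   (Get-WindowsFeature -Name 'RDS-*' | Where-Object Installed).Name
$inventory = @(
    @{ ComputerName = 'RDCB01'; InstallationType = 'Server Core'
       InstalledFeatures = @('RDS-Connection-Broker', 'RDS-Licensing') }
    @{ ComputerName = 'RDSH01'; InstallationType = 'Server'
       InstalledFeatures = @('RDS-RD-Server', 'RDS-Connection-Broker') }
    @{ ComputerName = 'RDLS01'; InstallationType = 'Server Core'
       InstalledFeatures = @('RDS-Licensing') }
)

foreach ($server in $inventory) {
    Test-RdsPlacement @server
}
```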

 

Concluding

Thanks to people not following Microsoft’s best practices architecture, we’re now getting screwed out of Server Core for two more RDS Infrastructure roles… or is there something else at play?

 

Windows Admin Center is here

Ever since the first incarnations of Server Core in Windows Server, people have looked at ways to manage ‘Windows Server without GUI’ with a GUI. Today, the newest method of managing Windows Server, dubbed ‘Windows Admin Center’ was released and it promises an entirely new way to manage Windows Server, both ‘Installations with a GUI’ and ‘Server Core installations’.

Let’s take a look!

 

Our strange obsession…

Quoting ‘Graphical is for women’ doesn’t even begin covering admins’ strange obsession with graphical management tools to manage all aspects of Windows Server. We’ve seen tools like CoreConfigurator pop up early on in the Server Core lifecycle, but being capitalized on by Smart-X. We also saw other tools, and I even provided instructions on how to run hvconfig on Server Core installations, before sconfig came to Server Core installations.

However, the industry has mostly moved on. Drivers and other tools no longer rely on having a GUI present to allow installation or configuration. Even Microsoft’s own Remote Server Administration Tools (RSAT) have moved on, although some notable exceptions apply, like AD FS Management and driver management.

 

Windows Admin Center

Microsoft now offers a brand new toolset, that has been available for the last year as private previews and public previews, codenamed Project Honolulu: the Windows Admin Center.

In contrast to other tools out there, Windows Admin Center offers its experience in full HTML5, so it’s usable in any of the popular browsers admins use today. Windows Admin Center is locally deployed and can be used to manage servers, clusters, hyper-converged infrastructure, and Windows 10 PCs. It comes at no additional cost beyond Windows and is ready to use in production.

Download Windows Admin Center now.

 

Concluding

You could use any 3rd party tool to remotely manage your Server Core installations, but wouldn’t you rather use this free tool from Microsoft?

Windows Server 2016 no longer offers to add or remove GUI Layers

In a surprising move, Microsoft decided to remove a feature, that from a security point of view was perhaps the most useful feature in Windows Server.

Let’s look at the recent history of Windows Server:

 

Windows Server 2008 (R2)

Windows Server 2008 and Windows Server 2008 R2 were the first two versions of Windows Server that offered the ability to install the Operating System (OS) as Server Core installations. These optimized installations of Windows Server offered more security (due to a smaller attack surface), less resource use and more agility.

Even though Windows Server 2008 Server Core headed for a dead-end street in some scenarios, some organizations opted to install their Windows Servers as Server Core installs.

 

Windows Server 2012 (R2)

To allow even greater agility, but also to get the installation ‘just right’ using the Graphical User Interface (GUI), Microsoft offered to add and remove GUI layers in Windows Server 2012 and Windows Server 2012 R2. This way, system admins can switch from Full Installations (even with the Desktop Experience feature turned on) to Server Core Installations. We’ve discussed it here, roughly five years ago.

We saw an uptick in the adoption of Server Core due to this opportunity and believe it made the life of admins easier, even though they would not fully benefit as much as they would with a Server Core Installation from the get-go.

 

Windows Server 2016

Now, in Windows Server 2016, Microsoft no longer offers to add and remove GUI layers.

Admittedly, many of the Server Core benefits have become moot points with Windows Server 2016: The newly added security measures in Windows Server add a lot. This removes most of the urgency of removing the GUI, although you can’t install Internet Explorer from Windows Server 2016…

Also, many of the (graphical) tools we needed in Windows Servers to configure the Windows Server installation just right also have grown up and now offer command-line, if not PowerShell support. There’s less and less need to install Windows Server as a Full Installation to configure it.

 

I guess time will tell if Microsoft has made a wise decision by removing the ability to add and remove GUI layers…

Three things to consider when switching the GUI in Windows Server

Windows Server 2012 and Windows Server 2012 R2 allow you to switch the Graphical User Interface (GUI) on and off. It’s easy, and already the topic of a previous blogpost.

Note:
The ability to switch GUIs in Windows Server has been removed in Windows Server 2016.

I’ve already shown you how to actually switch between these three GUI modes (with a choice between dism.exe and PowerShell), but what I haven’t pointed out yet are the things you need to consider when you actually switch between GUI modes:

 

1. Only update in your desired GUI mode

One of the benefits of running a Server Core installation is a smaller attack surface, compared to a Full installation. The larger attack surface of a Full installation results in a higher number of vulnerabilities and a higher frequency of updates for the Operating System.

Another benefit of Server Core is a smaller disk footprint, compared to a Full installation. This benefit becomes partly undone when we start installing updates for a Full installation, that we no longer need when we run the server as a Server Core installation most of the time. To this date, there is no way or tool to determine which updates are no longer needed or to actually uninstall these in a simple way.

 

2. Take notice of the support matrix of your agents and add-ons

Even the server running your easiest of tasks needs to adhere to your information security strategy. This results in the installation of many agents and add-ons. Backup, anti-malware and UPS all need their respective software. When your environment also features System Center, you will need software like the Server App-V agent and the System Center Configuration Manager agent.

Even though the Server Core team communicated a whole lot within Microsoft, it’s not plausible to assume every product team took notice of the ability for administrators to switch between GUIs. So, the problems with Microsoft software may already be big, but the bigger question is which software producers have also got the message? Did your anti-malware supplier get it?

Two ways to make sure you’ll be in the clear while switching GUIs, are:

  1. Consult the support matrix from the suppliers of your agents and add-ons
  2. Test your configuration

The best choice, however, remains to install agents and add-ons (remotely) with the Server installation in the desired GUI.

 

3. Take notice of the support matrix of your server applications

The SQL Server team has actively communicated that SQL Server 2012 and up support installation on Server Core. They are one of the product teams outside the Windows Server group to get onboard with Server Core. Other Microsoft Server products, like Exchange Server and Skype for Business Server, have not communicated plans in that direction.

Even though the Server Core team communicated a whole lot within Microsoft, not every product displays a warning at installation, warning you not to switch the GUI after installing the product. Many non-Microsoft products also might not contain the warning, at least in the early period after their releases.

PowerShell versions you can expect and get on Server Core Installations

Windows PowerShell and Server Manager are the preferred ways to manage Server Core installations of Windows Server. This works great at later builds of Windows Server, but it wasn’t all Hallelujah from the start of Server Core.

 

Built-in versions of PowerShell

The following versions of Windows PowerShell are available by default to Server Core installations, per version of Windows Server:

Windows Server 2008

Server Core installations of Windows Server 2008 do not offer Windows PowerShell due to a lack of .NET Framework.

Windows Server 2008 R2

Server Core installations of Windows Server 2008 R2, by default, offer Windows PowerShell 2.0.

Windows Server 2012

Server Core installations of Windows Server 2012, by default, offer Windows PowerShell 3.0.

Windows Server 2012 R2

Server Core installations of Windows Server 2012 R2, by default, offer Windows PowerShell 4.0.

 

Upgradeable versions of PowerShell

When you’d like a newer version of Windows PowerShell on a Server Core installation, you can upgrade it.

Windows Server 2008

Server Core installations of Windows Server 2008 do not offer Windows PowerShell, nor upgrades to Windows PowerShell.

There is no supported way to get Windows PowerShell on these systems.

Windows Server 2008 R2

Server Core installations of Windows Server 2008 R2 can be upgraded to:

  • Windows PowerShell 3.0
    (as part of Windows Management Framework 3.0)
  • Windows PowerShell 4.0
    (as part of Windows Management Framework 4.0)

The Windows Management Framework is a group of several management-related tools, like PowerShell, BITS and the WinRM service.

Windows Server 2012

Server Core installations of Windows Server 2012 can be upgraded to Windows PowerShell 4.0.

The Windows Management Framework is a group of several management-related tools, like PowerShell, BITS and the WinRM service.

Windows Server 2012 R2

There is no upgrade for Windows PowerShell available yet, beyond Windows PowerShell 4.0.

About Codename “Tuva”

While discussing Server Core and Nano Server with Aleksandar Nikolic, an old friend and a Microsoft MVP for roughly as long as I have, he shared an interesting tidbit on Nano Server with me.

About Nano Server

Windows Server 2016 offers a new installation option: Nano Server. It is a remotely managed option similar to Windows Server in Server Core mode, but significantly smaller, has no local logon capability, and only supports 64-bit applications, tools, and agents. It takes up far less disk space, sets up significantly faster, and requires far fewer updates and restarts than Windows Server with the full desktop experience.

See Getting Started with Nano Server for full details.

Apparently, Nano Server’s codename within Microsoft was ‘Tuva’.

About Tuva

Tuva is a region and is a federal subject of Russia according to Wikipedia.
Tuva was an independent state between the World Wars; between 1921 and 1944 Tuva constituted a sovereign, independent nation, under the name of Tannu Tuva, officially, the Tuvan People’s Republic, or the People’s Republic of Tannu Tuva. The independence of Tannu Tuva, however, was recognized only by its neighbours: the Soviet Union and Mongolia.

Tyva voluntarily became a part of The Soviet Union in 1944 and was part of Russia the shortest of all republics in the USSR.

Verifying the codename

Now, of course, you are curious how to verify the above information.
With the command below you can check the Nano Server codename:

Get-CimInstance win32_operatingsystem | Select caption

 

Concluding

Congratulations, you’ve wasted a minute of your time to learn up on a little known fact of Nano Server, that will make you a more interesting person for small talk.

You’re welcome. 🙂

Making NanoServerImageGenerator.psm1 more useful on a daily basis

I’ve been playing around with Nano Server these couple of days, but grew a bit tired of needing to import the NanoServerImageGenerator.psm1 Windows PowerShell Module at the beginning of every Windows PowerShell session.

Now, you might say I’m a bit too tidy, because I properly close any session I don’t need for the next two minutes. Additionally, the fact that Windows PowerShell Cmdlets from the built-in Windows PowerShell Modules automatically load, doesn’t help me in using the Windows PowerShell Cmdlets from the NanoServerImageGenerator.psm1 Windows PowerShell Module. Yes, I’m that spoiled. 😉

So, I decided to copy the PowerShell Module to the PowerShell Modules folder to get access to its functions without even importing it in the session, effectively adding it to the collection of built-in Windows PowerShell Modules. Using your Windows Server 2016 Installation Media, copy it with these three example PowerShell one-liners in an elevated PowerShell window:

New-Item "C:\Program Files\WindowsPowerShell\Modules\NanoServerImageGenerator" -Type Directory

Copy-Item "X:\NanoServer\NanoServerImageGenerator.psm1" -Destination "C:\Program Files\WindowsPowerShell\Modules\NanoServerImageGenerator\NanoServerImageGenerator.psm1" -Force

New-ModuleManifest -Path "C:\Program Files\WindowsPowerShell\Modules\NanoServerImageGenerator\NanoServerImageGenerator.psd1" -RootModule NanoServerImageGenerator.psm1

Now, on this system, I can build the Nano Server images I’d want, without running into the otherwise inevitable ‘is not recognized as the name of a cmdlet, function, script file, or operable program’ errors for the Windows PowerShell Cmdlets in the NanoServerImageGenerator Windows PowerShell Module.
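A module in this folder loads automatically in every PowerShell session on the machine, so it pays to check the file before it goes in. The script below is an added example, not part of the original post: it wraps the three one-liners above with an Authenticode check on the source file and a hash comparison after the copy. The -AllowUnsigned switch is a hypothetical escape hatch, since the page does not say whether the file on the media is signed.

```powershell
#Requires -RunAsAdministrator
# Added example. X: is the installation media drive, as in the one-liners above.
# -AllowUnsigned is an illustrative switch for media whose module is not signed.
param(
    [string] $Source = 'X:\NanoServer\NanoServerImageGenerator.psm1',
    [switch] $AllowUnsigned
)

$ErrorActionPreference = 'Stop'
$moduleDir = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\NanoServerImageGenerator'
$target    = Join-Path $moduleDir 'NanoServerImageGenerator.psm1'
$manifest  = Join-Path $moduleDir 'NanoServerImageGenerator.psd1'

# 1. Check the signature of the file that is about to become auto-loaded code.
$signature = Get-AuthenticodeSignature -FilePath $Source
if ($signature.Status -ne 'Valid' -and -not $AllowUnsigned) {
    throw "Signature status of $Source is '$($signature.Status)'. Re-run with -AllowUnsigned to accept it."
}
Write-Output "Signature status: $($signature.Status)"

# 2. Create the module folder and copy the module into it.
New-Item -Path $moduleDir -ItemType Directory -Force | Out-Null
Copy-Item -Path $Source -Destination $target -Force

# 3. Confirm that the installed copy is byte-for-byte the file that was checked.
$sourceHash = (Get-FileHash -Path $Source -Algorithm SHA256).Hash
$targetHash = (Get-FileHash -Path $target -Algorithm SHA256).Hash
if ($sourceHash -ne $targetHash) {
    Remove-Item -Path $target -Force
    throw "Copied module does not match the source file; removed $target."
}

# 4. Write the manifest, same call as in the post.
New-ModuleManifest -Path $manifest -RootModule 'NanoServerImageGenerator.psm1'

# 5. Show what a new session will pick up from this folder.
Get-Module -ListAvailable -Name NanoServerImageGenerator |
    Select-Object Name, Version, ModuleBase
Write-Output "Installed module SHA-256: $targetHash"
```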

Available Windows PowerShell Cmdlets in NanoServerImageGenerator.psm1 in Windows Server 2016 Technical Preview 4

I’ve been playing around with Nano Server these couple of days and have been extensively using the NanoServerImageGenerator Windows PowerShell Module that shipped with the Installation Media for Windows Server 2016 Technical Preview 4 as the NanoServerImageGenerator.psm1 file in the NanoServer folder.

You might be wondering which Windows PowerShell Cmdlets are available through this Windows PowerShell Module, so here is the list:

  1. Edit-NanoServerImage
  2. Get-NanoServerPackages
  3. New-NanoServerImage

 

Edit-NanoServerImage

The Edit-NanoServerImage Windows PowerShell Cmdlet can be used to modify a base Nano Server installation image by adding packages and drivers and configuring operating system options.

This cmdlet expects that you ran New-NanoServerImage in advance.
It operates on the image produced by New-NanoServerImage as requested.

Possible operations are: Add packages, add drivers, set computer name, set administrator password, join a domain, enable debug, enable EMS and set static IP address.

 

Get-NanoServerPackages

The Get-NanoServerPackages Windows PowerShell Cmdlet can be used to retrieve the list of available packages from the Windows Server 2016 Technical Preview 4 installation media.

This cmdlet scans the given media and returns a list of packages available to be embedded into the Nano Server image.

 

New-NanoServerImage

The New-NanoServerImage Windows PowerShell Cmdlet can be used to create a base Nano Server installation image.

This cmdlet makes a local copy of the necessary files from the installation media and converts the included WIM Nano Server image into a VHD(X) image. It then makes a copy of the converted VHD(X) image into a user-supplied path. After that, the following operations can be applied:

  • Add packages
  • Add drivers
  • Set computer name
  • Set administrator password
  • Join a domain
  • Enable debug
  • Enable EMS
  • Set static IP address