Best Practices

Upgrade your Windows Server 2012 R2 RTM Server Core Installs

Today, Microsoft has made Windows Server 2012 R2 available to the public.

It’s no longer the fortunate TechNet and MSDN subscribers and Volume Licensing Service Center (VLSC) aficionados who have Windows Server 2012 R2 RTM Server Core bragging rights:

Now everyone and their moms gain access to Microsofts latest and greatest Windows Server product family (and its System Center cousins).

For those of you who have been playing with Windows Server 2012 R2 RTM and Hyper-V Server 2012 R2 RTM since they became available, it’s important to upgrade your Server Core installations from the Release to Manufacturers (RTM) version to the General Availability (GA) version.

For this, you’ll need to download and install these two Windows Server updates:

 

You can easily install these updates through Server Configuration (sconfig.cmd), option 6) Download and Install Updates.

Enjoy! Glimlach

Running into vague errors in Windows Server 2012 Server Core but not in Server with a GUI installations? Here’s one solution

ErrorbuttonThe last couple of months, I ran into a lot of problems on Server Core installations of Windows Server 2012. I used the same installation media as my Server with a GUI installations, but only the Server Core installations were experiencing problems.

Problems I encountered were:

  • Not able to receive an IPv4 address lease from a IPv4 DHCP Server and instead using an APIPA address.
  • Errors when setting the IPv4 address on a Network interface
    (both in sconfig, netsh and with PowerShell)
  • Errors when setting DNS Server addresses on a Network interface
    (both in sconfig, netsh and with PowerShell)
  • Error when allowing remote desktop in sconfig
  • Error when allowing remote firewall management in sconfig
  • Error when allowing the server to be pinged in sconfig
  • “Network location could not be reached” errors
  • “RPC Server unavailable” errors
  • Unable to join an Active Directory domain, while being able to resolve and ping Domain Controllers in the domain, or able to join the domain, but not being able to log on with domain credentials after reboot

I managed to work around some of the errors, but none of my Server Core installations ever made it into full-featured domain members. The problems persisted both in Hyper-V and VMware Workstation-based virtual machines and physical hosts.

Together with my colleague Adnan Hendricks, I troubleshooted the problem and eventually found the Installation Media was at fault. This was the installation media I downloaded from Microsoft TechNet and the Microsoft Volume Licensing Service Center (VLSC) on their first days.

When you download an iso file from Microsoft, you will always be shown a SHA1 checksum for your download. If you find yourself in vague problems (like the ones above) be sure to check the checksum. Download the installation media again, when checksums differ. Instructions and a downloadable program from Microsoft to check the checksums is available through Microsoft KnowledgeBase article 841290.

Tip!

When you download from Microsoft, always compare the checksums after downloading. When you run into problems like the ones above, try to download the installation media again and reinstall the boxes from scratch.

Updating Server Core and switching GUIs

windows_update_icon-120x120Windows Server 2012 offers new capabilities related to Server Core. As I’ve mentioned before, it is now possible to switch the Graphical User Interface (GUI) mode after initial installation. This new capability allows us to configure a Windows Server system to our needs, using the interface we know and love, and then afterwards make it run in Server Core mode for optimum performance and security.

Applicable updates

One of the configuration steps you might want to perform in the Full Graphical Interface (known as ‘Full installation’) is running Windows Update using the familiar Windows Update interface:

WindowsUpdateWinServer2012

This will install all applicable updates to a Windows Server, including updates for the Metro Start Screen and Internet Explorer. However, when you don’t intend to use the server as a Terminal Server and intend to convert it to a ‘MinShell’ or ‘Server Core’ installation, you might think these updates are of no use.

You may opt not to run Windows Update when in Full Installation, and run sconfig.cmd after converting the server to a more optimum GUI mode and install the applicable Windows updates from the command line then. This approach has a downside, though. If you need to switch back to a full installation or ‘MinShell’ installation, the system would be vulnerable immediately after the required reboot.

For instance, if you need to change the binding order of network interface cards (NICs) and convert the box back, because it’s so darn easy in the graphical interface, then, you would miss updates for every component introduced, since the last Service Pack.

So, updating in the Full Installation initially isn’t such a bad idea when you’re getting started with Server Core in Windows Server 2012. I would even recommend it, if you’ve not been using Server Core in Windows Server 2008 or Windows Server 2008 R2.

Disk space penalties

Luckily, when you run Windows Update, the penalty in disk space is minimal.

As you might be aware, since switching GUIs in Windows Server 2012 does not require the installation media, the bits for all three GUI modes are already on the disk.

Under the hood, when you apply Windows updates to Windows Server 2012, you update the files in the Side by Side store in the C:WindowsWinSxS folder, which in turn is linked to the C:WindowsServicingPackages folder.

Switching GUIs and adding/removing Server Roles and Features simply enables and disables hard links to files in the Side by Side store. Updating in Windows Server 2012 involves updating the files in the Side by Side store and, therefore, updates the files in use through these hard links.

This is also the reason why switching GUI modes in Windows Server 2012 doesn’t free up the amounts of disk space we’re used to when comparing Server Core installations to Full installations in Windows Server 2008 and Windows Server 2008 R2. A vanilla Server Core Installation takes up 9 GBs of hard disk space, where a vanilla Full Installation fills up 12 GBs of hard disk space with data.

Freeing up disk space now, more than ever, involves removing the installation files for GUI modes, Server Roles and Server Features. More information on this process is available here. Since this limits the possibilities for the Windows Server installation to perform tasks and provide services in the network, this is not something to take lightly. Of course, when configuring highly customized Windows Server installations you might, if you need security and/or performance and disk space is of the essence.

Concluding

One area of Server Core you don’t have to be concerned with when switching the Graphical User Interface (GUI) in Windows Server 2012 is Windows Updates.

Microsoft has created a delicate balance where new Server Core admins can enjoy updated systems by simply performing maintenance tasks in Full installation mode, while also enabling more seasoned Server Core admins to tweak the box further in terms of used disk space.

3rd Party management applications and Server Core

ProgramMicrosoft introduced the Server Core Installation option in the pre-releases of Windows Server 2008 four years ago. Since that time, many improvements have been made to the manageability of Server Core installations. Also, many dedicated 3rd Party and open source Server Core management applications have been introduced and Server Core admin have adopted these and already existing tools to manage their servers.

Personally, I’m an advocate of using the built-in management capabilities of Windows Server. I feel Microsoft has made big strides in Server Core Management with sconfig and Server Manager Remoting in Windows Server 2008 R2. Realistically though, I still  run into fierce challenges sometimes to configure certain settings.

Sometimes I install an application for these purposes. Temporarily.

There’s a big reason why I won’t install 3rd party local management applications on my Server Core installations. I don’t use Revo Uninstaller and CCleaner on my boxes fulltime. They are part of my Server Core Helper DVD, along with a slew of other tools, but when I’m done with the settings they typically change, these programs are uninstalled.

Here’s why.

  1. Some of the applications I use were never designed or written with Server Core installations in mind. Calling a non-existent API might cause unpredictable behavior in these applications.
  2. Some of the applications have dubious ownership. Although the goal of the program may be to perform an action like removing unused items in Windows (Server Core doesn’t have much of these items, by the way), the goal of the writer or publisher of the application might be completely different. (installing adware, for instance, to gain an income or gathering statistics of usage of Server Core installations to justify the program itself to superiors)
  3. Any 3rd party application increases the attack surface of the installation. Remember, Microsoft uses a non-disclosure policy about vulnerabilities and hotfixes. The application you’ve installed on Server Core might just have a vulnerability that could make an attacker compromise the entire box.
  4. Keeping a Server Core installations with tons of 3rd party applications up to date is hard. Even if you pick applications from software publishers that have a disclosure policy for vulnerabilities, work actively to patch their products and have good reputations, keeping hundreds of their product installations up to date (with their update mechanism) is ad hoc, unreportable and thus unreliable. You lose overview pretty quickly.

A Server Core installation, however, will never be really rid of 3rd party applications. For UPS, anti-malware, backup & restore, reporting, monitoring, asset management and central management agents may still be needed, dependent on the environment.

For these 3rd party agents and applications a policy needs to be in place to keep these agents and applications up to date. Don’t make it harder on yourself than strictly needed and ban loading local management applications on your Server Core installations.