Windows Server 2008

KnowledgeBase: Unable to convert to Server with a GUI from Server Core on an upgraded Windows Server 2012 machine

Microsoft has released KnowledgeBase article 2775484, which describes a situation where you’re unable to convert an upgraded Windows Server 2012 Full Installation to Server Core and back.

The situation

You upgrade a full installation of Windows Server 2008 x64 or Windows Server 2008 R2 to Windows Server 2012 and choose the option “Server with a GUI”.

After the upgrade you convert the Server with a GUI installation to Server Core.
In this scenario, if you try to convert back to Server with a GUI, the operation may fail and roll back to Server Core.

The cause

This problem occurs because three registry entries from Windows Server 2008 or Windows Server 2008 R2 are retained during the upgrade.

These three registry entries exist in

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers

 

And are named:

  • {bc2eeeec-b77a-4a52-b6a4-dffb1b1370cb}
  • {57e0b31d-de8c-4181-bcd1-f70e880b49fc}
  • {8c9dd1ad-e6e5-4b07-b455-684a9d879900}

The resolution

To be able to convert the Windows Server 2012 installation, these registry keys need to be removed.

You can perform these actions with RegEdit.exe, but, alternatively, you can start NotePad, paste the following three commands, save the file as a .bat file and then run it from an elevated command prompt:

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{bc2eeeec-b77a-4a52-b6a4-dffb1b1370cb}

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{57e0b31d-de8c-4181-bcd1-f70e880b49fc}

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{8c9dd1ad-e6e5-4b07-b455-684a9d879900}

 

After you restart the machine you will be able to convert the machine to a “Server with a GUI”.
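The same cleanup as an added PowerShell example (not from the KnowledgeBase article or the original post): it reports which of the three keys are present, exports each one to a .reg file and only then deletes it. The backup folder C:\RegBackup is an assumption; run the script elevated, and pass -WhatIf to audit without changing anything.

```powershell
# Added example: audit, back up and remove the three stale WINEVT publisher keys.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$BackupDir = 'C:\RegBackup'   # assumption: any writable local folder
)

$base  = 'SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers'
$guids = '{bc2eeeec-b77a-4a52-b6a4-dffb1b1370cb}',
         '{57e0b31d-de8c-4181-bcd1-f70e880b49fc}',
         '{8c9dd1ad-e6e5-4b07-b455-684a9d879900}'

if (-not (Test-Path -LiteralPath $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

foreach ($guid in $guids) {
    $psPath = "HKLM:\$base\$guid"
    if (-not (Test-Path -LiteralPath $psPath)) {
        Write-Output "absent : $guid"
        continue
    }
    # The key's default value normally holds the event publisher's name.
    $name = (Get-Item -LiteralPath $psPath).GetValue('')
    Write-Output "present: $guid ($name)"

    if ($PSCmdlet.ShouldProcess($psPath, 'Export and delete')) {
        $file = Join-Path $BackupDir ($guid.Trim('{}') + '.reg')
        & reg.exe export "HKLM\$base\$guid" $file /y | Out-Null
        # Never delete a key whose backup could not be written.
        if ($LASTEXITCODE -ne 0) { throw "Export of $guid failed; key left in place." }
        Remove-Item -LiteralPath $psPath -Recurse
        Write-Output "removed: $guid (backup: $file)"
    }
}
```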

3rd Party management applications and Server Core

Microsoft introduced the Server Core Installation option in the pre-releases of Windows Server 2008 four years ago. Since that time, many improvements have been made to the manageability of Server Core installations. Also, many dedicated 3rd Party and open source Server Core management applications have been introduced and Server Core admins have adopted these and already existing tools to manage their servers.

Personally, I’m an advocate of using the built-in management capabilities of Windows Server. I feel Microsoft has made big strides in Server Core Management with sconfig and Server Manager Remoting in Windows Server 2008 R2. Realistically though, I still run into fierce challenges sometimes to configure certain settings.

Sometimes I install an application for these purposes. Temporarily.

There’s a big reason why I won’t install 3rd party local management applications on my Server Core installations. I don’t use Revo Uninstaller and CCleaner on my boxes fulltime. They are part of my Server Core Helper DVD, along with a slew of other tools, but when I’m done with the settings they typically change, these programs are uninstalled.

Here’s why.

  1. Some of the applications I use were never designed or written with Server Core installations in mind. Calling a non-existent API might cause unpredictable behavior in these applications.
  2. Some of the applications have dubious ownership. Although the goal of the program may be to perform an action like removing unused items in Windows (Server Core doesn’t have much of these items, by the way), the goal of the writer or publisher of the application might be completely different. (installing adware, for instance, to gain an income or gathering statistics of usage of Server Core installations to justify the program itself to superiors)
  3. Any 3rd party application increases the attack surface of the installation. Remember, Microsoft uses a non-disclosure policy about vulnerabilities and hotfixes. The application you’ve installed on Server Core might just have a vulnerability that could make an attacker compromise the entire box.
  4. Keeping Server Core installations with tons of 3rd party applications up to date is hard. Even if you pick applications from software publishers that have a disclosure policy for vulnerabilities, work actively to patch their products and have good reputations, keeping hundreds of their product installations up to date (with their update mechanism) is ad hoc, unreportable and thus unreliable. You lose overview pretty quickly.

A Server Core installation, however, will never really be rid of 3rd party applications. Agents for UPS, anti-malware, backup & restore, reporting, monitoring, asset management and central management may still be needed, depending on the environment.

For these 3rd party agents and applications a policy needs to be in place to keep these agents and applications up to date. Don’t make it harder on yourself than strictly needed and ban loading local management applications on your Server Core installations.

Fun with FSMO roles and Functional Levels on Server Core Domain Controllers

Sometimes, in an environment with all Server Core Domain Controllers, it is hard to migrate your Active Directory Domain Controllers from Server Core installations of Windows Server 2008 to Server Core installations of Windows Server 2008 R2.

Steps

The steps to migrate Server Core Domain Controllers on Windows Server 2008 to Windows Server 2008 R2 through Transitioning, are:

  1. Perform a system state back-up of the Windows Server 2008 Server Core Domain Controllers
  2. Run adprep.exe or adprep32.exe from the Windows Server 2008 R2 installation media (depending on the processor architecture of the Windows Server 2008 Server Core Domain Controllers, i.e. x86 or x64)
  3. Install Windows Server 2008 R2 Server Core on servers and promote them to Domain Controllers for your existing domain, using dcpromo.exe 
  4. Check the dcpromo.log and dcpromoui.log files and the event viewer to search for possible problems
  5. Take care of FSMO roles and Global Catalog placement
  6. Demote your Windows Server 2008 Server Core Domain Controllers
  7. Raise the Domain Functional Level and Forest Functional Level

For more information on these steps, read this blog post.

While many steps in the process can be performed like one would on Full installations of these Operating Systems, other steps may be performed using the Remote Server Administration Tools (RSAT). Two steps in particular, though, prove to be cumbersome when performed through the Remote Server Administration Tools. It turns out these steps are actually fun to perform in PowerShell on your Server Core Domain Controllers. These are step 5 and step 7.

    

Manage FSMO roles

To transfer a Flexible Single Master Operations (FSMO) role on a Windows Server 2008 R2 Server Core Domain Controller, run one of these PowerShell one-liners:

Tip!
Don’t forget to run Import-Module ActiveDirectory before running any of the below commands…

  • For the Schema Master FSMO role:

    Move-ADDirectoryServerOperationMasterRole -Identity FullyQualifiedDomainNameOfTheDC -OperationMasterRole SchemaMaster 

        

  • For the Domain Naming Master FSMO role:

    Move-ADDirectoryServerOperationMasterRole -Identity FullyQualifiedDomainNameOfTheDC -OperationMasterRole DomainNamingMaster 

        

  • For the Primary Domain Controller (PDC) emulator FSMO role:

    Move-ADDirectoryServerOperationMasterRole -Identity FullyQualifiedDomainNameOfTheDC -OperationMasterRole PDCEmulator 

        

  • For the RID Pool Master FSMO role:

    Move-ADDirectoryServerOperationMasterRole -Identity FullyQualifiedDomainNameOfTheDC -OperationMasterRole RIDMaster 

        

  • For the Infrastructure Master FSMO role:

    Move-ADDirectoryServerOperationMasterRole -Identity FullyQualifiedDomainNameOfTheDC -OperationMasterRole InfrastructureMaster

        

    To transfer all FSMO roles, obviously perform all five one-liners.
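An added example (not from the original post) that records the current role holders, transfers all five roles in one call and then verifies the result. The target name dc02.domain.tld and the helper function Get-FsmoHolders are hypothetical.

```powershell
# Added example: show current FSMO holders, transfer all five, then verify.
Import-Module ActiveDirectory

$target = 'dc02.domain.tld'   # hypothetical target DC (placeholder FQDN)

# Hypothetical helper: collects the forest-wide and domain-wide role holders.
function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    New-Object PSObject -Property @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

'Before:'
Get-FsmoHolders | Format-List

# -OperationMasterRole accepts several roles in one call; the cmdlet still
# asks for confirmation per role, which is left enabled on purpose.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# Verify instead of assuming: list every role that did not end up on the target.
$after  = Get-FsmoHolders
$missed = $after.PSObject.Properties | Where-Object { $_.Value -ne $target }
if ($missed) {
    $missed | ForEach-Object { Write-Warning "$($_.Name) is still held by $($_.Value)" }
} else {
    "All five roles are now held by $target"
}
```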

    Manage Functional Levels

    In Windows Server 2008 R2, with the new Active Directory PowerShell cmdlets, two new exciting Active Directory PowerShell commands emerged:

    1. Set-ADDomainMode
    2. Set-ADForestMode

    These two commands can be used to raise the Domain Functional Level and the Forest Functional Level, respectively. Not only are they able to raise the level, they are also able to roll back the functional level raise (unless one of the Optional Features has been enabled).

    To raise the Domain Functional Level to Windows Server 2008 R2, run the following command, after all the Domain Controllers in your domain run Windows Server 2008 R2:

    Set-ADDomainMode -Identity domain.tld -DomainMode Windows2008R2Domain

    To raise the Forest Functional Level to Windows Server 2008 R2, run the following command, after all the domains in the forest have been raised to Windows Server 2008 R2:

    Set-ADForestMode -Identity domain.tld -ForestMode Windows2008R2Forest
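An added example (not from the original post) that enforces the two preconditions stated above before raising either level: every Domain Controller must run Windows Server 2008 R2, and every domain in the forest must already be at the Windows Server 2008 R2 domain level. domain.tld is the same placeholder as in the commands above.

```powershell
# Added example: raise functional levels only when every DC and domain qualifies.
Import-Module ActiveDirectory

$domainName = 'domain.tld'     # placeholder, as in the commands above
$required   = [version]'6.1'   # Windows Server 2008 R2 reports version 6.1

# OperatingSystemVersion looks like "6.1 (7601)"; compare the part before the space.
$dcs    = Get-ADDomainController -Filter * -Server $domainName
$tooOld = $dcs | Where-Object {
    $v = ($_.OperatingSystemVersion -split ' ')[0]
    [version]$v -lt $required
}
if ($tooOld) {
    $tooOld | ForEach-Object { Write-Warning "$($_.HostName) runs $($_.OperatingSystem)" }
    throw 'Not all Domain Controllers run Windows Server 2008 R2; domain mode left unchanged.'
}

"Current domain mode: $((Get-ADDomain -Identity $domainName).DomainMode)"
Set-ADDomainMode -Identity $domainName -DomainMode Windows2008R2Domain

# The forest level requires every domain in the forest at Windows2008R2Domain.
$forest  = Get-ADForest -Server $domainName
$lagging = $forest.Domains | Where-Object {
    (Get-ADDomain -Identity $_ -Server $_).DomainMode -lt 'Windows2008R2Domain'
}
if ($lagging) {
    Write-Warning "Forest mode left at $($forest.ForestMode); lagging domains: $($lagging -join ', ')"
} else {
    Set-ADForestMode -Identity $forest.Name -ForestMode Windows2008R2Forest
}
```

If the domain mode change has not yet replicated to the Domain Controller that answers the second query, the script reports the domain as lagging and leaves the forest level alone; rerun it after replication.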

Some Server Core Domain Controllers heading for a dead end street

    You know, in terms of deploying servers in a smart way, so you can actually utilize them for as long as their economical lifecycle in a supported fashion without a need to reinstall them, I’ve made a stupid decision in advising IT Pros to deploy Server Core Domain Controllers in the last two years.

    The problem, you see, is the product team responsible for Active Directory has made a design choice to leave the old world of RPC behind and to introduce a new way to manage Domain Controllers: using the Active Directory web service.

    Windows Server 2008 R2 is the first Windows Server product featuring this new service, which besides the server component of the web service, also unlocks the usage of a whole load of other goodies like Active Directory PowerShell cmdlets and the Active Directory Administrative Center (ADAC). (when used from a Windows 7 or Windows Server 2008 R2-based management box)

    While the decision was made a while ago, only now do I realize the impact, now that Microsoft released the Active Directory Management Gateway Service (Active Directory Web Service for Windows Server 2003 and Windows Server 2008) and both Jorge and Tomasz blogged about it. This Stand-alone Update Package basically adds the Active Directory Web Services service to Domain Controllers, running:

    • Windows Server 2003 with Service Pack 2
    • Windows Server 2003 R2 with Service Pack 2
    • Windows Server 2008
    • Windows Server 2008 with Service Pack 2

       

    Except there’s one problem: .Net Framework 3.5 with Service Pack 1 (SP1) is required. Whoops! That’s not exactly available on Server Core installations of Windows Server 2008 in a supported fashion.

    As a consequence, Windows Server 2008-based Server Core Domain Controllers cannot be used in combination with the Active Directory PowerShell cmdlets and the Active Directory Administrative Center (ADAC).

    Note:
    Windows Server 2008 R2-based Server Core Domain Controllers, however, can be managed using the Active Directory PowerShell cmdlets and the Active Directory Administrative Center (ADAC). One of the new features of Server Core installations in Windows Server 2008 R2 is the availability of the .Net Framework.

     

    Actually, when you try to install the Active Directory Management Gateway Service on a Windows Server 2008-based Server Core Domain Controller, a check is performed upon your system.

    [Screenshot: Error_SC_ADWGS]

    Server Core installations fail the check. The result is an error stating “The update does not apply to your system” as shown above on an x64 Server Core installation of Windows Server 2008 (OperatingSKU 13). This box was set up as a Domain Controller and configured with the Primary Domain Controller emulator (PDCe) FSMO role (DomainRole 5).

        

    Concluding

    When running an environment with Windows Server 2008-based Server Core Domain Controllers, a requirement to use the Active Directory PowerShell cmdlets or Active Directory Administrative Center (ADAC) implies the need to reinstall the Windows Server 2008-based Server Core Domain Controllers as Full installations or the need to upgrade the Windows Server 2008-based Server Core Domain Controllers to Windows Server 2008 R2-based Server Core Domain Controllers.
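An added example (not from the original post) that inventories which Domain Controllers fall into this dead end, using the same two WMI values quoted above (OperatingSystemSKU and DomainRole). It enumerates Domain Controllers through System.DirectoryServices, so it does not itself depend on the Active Directory web service; it assumes remote WMI is allowed through each Domain Controller's firewall, and the output property AdwsBlocked is a name chosen for this sketch.

```powershell
# Added example: find Windows Server 2008 Server Core DCs, which cannot take the
# Active Directory Management Gateway Service. Run from a domain-joined management box.
$coreSkus = 12, 13, 14, 39, 40, 41   # Server Core editions (13 = Standard, as on this page)

$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
foreach ($dc in $dcs) {
    try {
        $os = Get-WmiObject Win32_OperatingSystem -ComputerName $dc.Name -ErrorAction Stop
        $cs = Get-WmiObject Win32_ComputerSystem  -ComputerName $dc.Name -ErrorAction Stop
    } catch {
        # An unreachable DC is reported, not silently skipped.
        Write-Warning "$($dc.Name): WMI query failed ($($_.Exception.Message))"
        continue
    }
    $isCore = $coreSkus -contains $os.OperatingSystemSKU
    $is2008 = $os.Version -like '6.0.*'          # 6.0 = Windows Server 2008 (non-R2)
    New-Object PSObject -Property @{
        Name        = $dc.Name
        Version     = $os.Version
        Sku         = $os.OperatingSystemSKU
        DomainRole  = $cs.DomainRole             # 4 = backup DC, 5 = primary DC (PDCe)
        AdwsBlocked = ($isCore -and $is2008)     # hypothetical property name
    }
}
```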

    Further reading

    Download Details: Active Directory Management Gateway Service 
    What does the Active Directory Management Gateway Service do?  
    What’s New in AD DS: Active Directory Web Services   
    The Active Directory Management Gateway Service is now available 
    Active Directory Management Gateway Service for Windows Server 2003 and 2008 
    Manage YOUR Windows 2003/2008 DCs USING AD POWERSHELL !   
    The Active Directory Management Gateway Service is now Available for Windows Server 2008 and Windows Server 2003 
    Active Directory Management Gateway Service 
    Have you successfully installed Active Directory Management Gateway Service on 2008? 
    Active Directory Management Gateway Service is RTW 
    Q. What is Active Directory Management Gateway Service (ADMGS)?   
    What is Active Directory Management Gateway Service (ADMGS)? 
    Active Directory Gateway WebService is available for ‘legacy’ OSes