Making NanoServerImageGenerator.psm1 more useful on a daily basis

I’ve been playing around with Nano Server these couple of days, but grew a bit tired of needing to import the NanoServerImageGenerator.psm1 Windows PowerShell Module at the beginning of every Windows PowerShell session.

Now, you might say I’m a bit too tidy, because I properly close any session I don’t need for the next two minutes. Additionally, the fact that Windows PowerShell Cmdlets from the built-in Windows PowerShell Modules automatically load, doesn’t help me in using the Windows PowerShell Cmdlets from the NanoServerImageGenerator.psm1 Windows PowerShell Module. Yes, I’m that spoiled. 😉

So, I decided to copy the PowerShell Module to the PowerShell Modules folder to get access to its functions without even importing it in the session, effectively adding it to the collection of built-in Windows PowerShell Modules. Using your Windows Server 2016 Installation Media, copy it with these three example PowerShell one-liners in an elevated PowerShell window:

New-Item "C:\Program Files\WindowsPowerShell\Modules\NanoServerImageGenerator" -Type Directory

Copy-Item "X:\NanoServer\NanoServerImageGenerator.psm1" -Destination "C:\Program Files\WindowsPowerShell\Modules\NanoServerImageGenerator\NanoServerImageGenerator.psm1" -Force

New-ModuleManifest -Path "C:\Program Files\WindowsPowerShell\Modules\NanoServerImageGenerator\NanoServerImageGenerator.psd1" -RootModule NanoServerImageGenerator.psm1

Now, on this system, I can build the Nano Server images I’d want, without running into the otherwise inevitable “is not recognized as the name of a cmdlet, function, script file, or operable program” errors for the Windows PowerShell Cmdlets in the NanoServerImageGenerator Windows PowerShell Module.
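The same three steps as one function, added here as an example (it is not part of the NanoServerImageGenerator module or of the original one-liners). Because anything under this Modules folder auto-loads for every user on the system, it also records the SHA-256 hash of the file, confirms the copy matches it and reports the Authenticode status; the function name Install-NanoServerImageGenerator and the X:\ default are assumptions.

```powershell
#Requires -RunAsAdministrator
function Install-NanoServerImageGenerator {
    [CmdletBinding()]
    param(
        # Root of the mounted installation media (assumed drive letter)
        [string]$MediaRoot = 'X:\'
    )
    $name    = 'NanoServerImageGenerator'
    $source  = Join-Path $MediaRoot "NanoServer\$name.psm1"
    $target  = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$name"
    $psm1    = Join-Path $target "$name.psm1"

    if (-not (Test-Path -LiteralPath $source -PathType Leaf)) {
        throw "Module not found on media: $source"
    }

    # Record what is about to land in a machine-wide, auto-loading location
    $sourceHash = (Get-FileHash -LiteralPath $source -Algorithm SHA256).Hash
    $signature  = Get-AuthenticodeSignature -LiteralPath $source

    New-Item -Path $target -ItemType Directory -Force | Out-Null
    Copy-Item -LiteralPath $source -Destination $psm1 -Force

    # Refuse to leave a copy behind that differs from the file on the media
    $copyHash = (Get-FileHash -LiteralPath $psm1 -Algorithm SHA256).Hash
    if ($copyHash -ne $sourceHash) {
        Remove-Item -LiteralPath $psm1 -Force
        throw "Hash mismatch after copy: expected $sourceHash, got $copyHash"
    }

    New-ModuleManifest -Path (Join-Path $target "$name.psd1") -RootModule "$name.psm1"

    # Summary to keep with your build notes
    [pscustomobject]@{
        Module           = $name
        Sha256           = $sourceHash
        SignatureStatus  = $signature.Status
        ExportedCommands = (Get-Command -Module $name).Name
    }
}

Install-NanoServerImageGenerator -MediaRoot 'X:\'
```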

Available Windows PowerShell Cmdlets in NanoServerImageGenerator.psm1 in Windows Server 2016 Technical Preview 4

I’ve been playing around with Nano Server these couple of days and have been extensively using the NanoServerImageGenerator Windows PowerShell Module that shipped with the Installation Media for Windows Server 2016 Technical Preview 4 as the file NanoServerImageGenerator.psm1 in the NanoServer folder.

You might be wondering which Windows PowerShell Cmdlets are available through this Windows PowerShell Module, so here is the list:

  1. Edit-NanoServerImage
  2. Get-NanoServerPackages
  3. New-NanoServerImage

 

Edit-NanoServerImage

The Edit-NanoServerImage Windows PowerShell Cmdlet can be used to modify a base Nano Server installation image, adding packages and drivers and configuring operating system options.

This cmdlet expects that you ran New-NanoServerImage in advance.
It operates on the image produced by New-NanoServerImage as requested.

Possible operations are: Add packages, add drivers, set computer name, set administrator password, join a domain, enable debug, enable EMS and set static IP address.

 

Get-NanoServerPackages

The Get-NanoServerPackages Windows PowerShell Cmdlet can be used to retrieve the list of available packages from the Windows Server 2016 Technical Preview 4 installation media.

This cmdlet scans the given media and returns a list of packages available to be embedded into the Nano Server image.

 

New-NanoServerImage

The New-NanoServerImage Windows PowerShell Cmdlet can be used to create a base Nano Server installation image.

This cmdlet makes a local copy of the necessary files from the installation media and converts the included WIM Nano Server image into a VHD(X) image. It then makes a copy of the converted VHD(X) image into a user-supplied path. After that, the following operations can be applied:

  • Add packages
  • Add drivers
  • Set computer name
  • Set administrator password
  • Join a domain
  • Enable debug
  • Enable EMS
  • Set static IP address

 

Available packages for Nano Server in Windows Server 2016 Technical Preview 4

As described in my blogpost on the differences between Server Core and Nano Server, I stipulated that Nano Server is intended for fabric purposes; to provide the best platform for Microsoft’s cloud platform, like hypervisor hosts, scale-out file servers and such.

This also becomes clear from the packages available in the fourth Technical Preview of Windows Server 2016.

When looking at the contents of the Packages subfolder of the NanoServer folder on the Windows Server 2016 TP4 installation media, the following packages are available:

  • Microsoft-NanoServer-Compute-Package
  • Microsoft-NanoServer-Containers-Package
  • Microsoft-NanoServer-DCB-Package
  • Microsoft-NanoServer-DNS-Package
  • Microsoft-NanoServer-DSC-Package
  • Microsoft-NanoServer-Defender-Package
  • Microsoft-NanoServer-FailoverCluster-Package
  • Microsoft-NanoServer-Guest-Package
  • Microsoft-NanoServer-IIS-Package
  • Microsoft-NanoServer-NPDS-Package
  • Microsoft-NanoServer-OEM-Drivers-Package
  • Microsoft-NanoServer-Storage-Package
  • Microsoft-OneCore-ReverseForwarders-Package
  • Microsoft-Windows-Server-SCVMM-Compute-Package
  • Microsoft-Windows-Server-SCVMM-Package

 

All the above packages are available as .cab files.

The packages can be added to your NanoServer installation image using the New-NanoServerImage PowerShell Cmdlet from the NanoServerImageGenerator.psm1 PowerShell Module in the NanoServer folder on the Windows Server 2016 TP4 installation media.

How is Nano Server different from Server Core?

I get this question a lot:

How is Nano Server different from Server Core?

Obviously, both configuration options for Microsoft’s upcoming Windows Server 2016 release share similarities. In other areas, they are different:

 

Nano Server is a refactoring

Where Server Core installations of Windows Server, since Windows Server 2008, can be seen as skimmed down versions of Windows Server (a normal Windows Server with bits thrown out), Nano Server is a complete refactoring of the Operating System.

 

Nano Server is a revolution, not an evolution

Where the goal with Server Core was to provide less attack surface and require fewer reboots, the goal with Nano Server is to provide the best platform for Microsoft’s cloud platform, like hypervisor hosts, scale-out file servers and such.

Of course, Nano Server does provide a smaller disk footprint (-93%), does require fewer critical security bulletins (-92%) and does require fewer reboots (-80%), but its aim is to provide the fabric for Azure and Azure Stack.

 

Nano Server is introduced in Windows Server 2016

Where Server Core has been available since Windows Server 2008, Nano Server will be introduced with Windows Server 2016. Surprisingly, Nano Server will be made available in roughly the same way Server Core was made available in its first reincarnation on Windows Server 2008: There’s no way to switch from Nano Server to a full-blown or Server Core version of Windows Server 2016.

Nano Server is not installed in a traditional way

A main difference between installing Server Core in Windows Server 2008 and Nano Server in Windows Server 2016, though, is that a Nano Server installation is not achieved through the traditional Windows Server Installation Wizard. There are only two options in the Windows Server 2016 Installation Wizard:

  1. Windows Server 2016 with Desktop Experience
  2. Windows Server 2016

Where the second option corresponds to a Server Core-like installation.

Instead, Nano Server installations originate from the NanoServer folder on the Windows Server 2016 Installation Media. A new Nano Server VHD image can be built from the PowerShell Module in this folder using the New-NanoServerImage PowerShell Cmdlet.

 

Nano Server is headless

Where Server Core installations offered a management infrastructure, Nano Server is basically headless. Yes, you can log onto it, but it will return an experience that is best described as DOS with the ability to fix networking.

But, you can use Server Manager remotely, as you probably already would have done with Server Core installations of Windows Server 2012 R2, and you can Remote PowerShell into it, which should give you all the configuration goodness you need.

Guess who’s back?

A little while ago, I wrote about Benjamin Herila.

Two months ago, however, Ned Pyle gave an answer to a Server Core-related question. His advice was to contact Andrew Mason. I laughed out loud, but Ned was more up to date with current affairs than I was at that point.

After two years at Amazon, Andrew Mason decided to return to Microsoft.

 

I met Andrew at IT/DEV Connections in Las Vegas last week.

About Andrew Mason

It was a fun reunion. Andrew told me he rejoined Microsoft because the company and its strategies are still close to his heart. Bear in mind; Andrew has worked for Microsoft for many years before he plunged into his Amazon adventure…

Andrew is now working as a Principal Program Manager, focusing on Nano, this time around. He’s still very driven on untangling spaghetti code, and still very passionate about making Windows lean and mean.

His team is not a big team, but neither was his Original Server Core team back in the days. Andrew is a people-person and from his stories, most of his work is to make Program Managers from other teams make their teams deliver on the promises of lean and mean Windows. Yes, that’s called ‘Nano Server‘, these days, but don’t expect a finish line for these initiatives any time soon.

Personal note

Personally, I feel that Andrew is a great asset to Microsoft. It would be a waste if Microsoft would decide to let him go, but Andrew assured me that he won’t be leaving himself, any time soon.

My Server Core April Fools’ Day Prank

We are rapidly closing in on April 1st and, as a Server Core aficionado, I can’t resist playing a practical joke on my colleagues managing our Server Core installations. Inspired by the Scripting Guy blogpost yesterday, I’ll disable all network adapters using the following PowerShell one-liner:

Get-NetAdapter | Disable-NetAdapter -Confirm:$false

I’ll be running these commands via remote block execution pointing to a couple of Server Core installations offering non-vital and redundant services. Since we have monitoring, it’ll be interesting to see in what manner and timeframe my colleagues will be able to solve the riddle of their servers falling off the network. Luckily, it’s been a while since anything happened to these hosts, but that is to be expected when you go Server Core.

Some Active Directory Domain Controllers, that second DHCP server, perhaps that second issuing Certification Authority, but certainly the Windows Server Update Services (WSUS) Server will see some action in one week’s time. *evilgrin*

Server Core installations now benefit from Windows Defender, too.

While I write this, Windows Server 2012 R2 is Microsoft’s latest and greatest Windows Server version.

I planned on writing a blogpost on all the new features, specific to Server Core, but decided that this one blogpost would suffice…

  

Server Core vs. Full Installations

Don’t get me wrong, though. Server Core installations offer tons of new features and I really advise you to check it out.

The point is, however, that, these days, Server Core installations aren’t that special anymore. Most of the Server Roles and Features are available for both Full installations and Server Core installations. Also, since Windows Server 2012, you can switch between Server Core and Full (and minimum shell) after installation, making for a really interesting story when admins don’t run Server Core installations.

 

Windows Defender

Which brings me to the one feature specific for Server Core installations in Windows Server 2012 R2. According to the What’s Changed in Security Technologies in Windows 8.1 page on Microsoft TechNet:

In Windows Server 2012 R2 and Windows 8.1, Windows Defender is available on Server Core installation options (without the user interface), and it is enabled by default.

Windows Defender is primarily intended for consumer and unmanaged PC scenarios, and most large organizations will want to use an enterprise antimalware solution such as System Center 2012 Endpoint Protection, which also includes support for ELAM.

  

Concluding

With Windows Defender built into Server Core installations, these installations are now more malware resistant from day 1.

Of course, when you decide to implement an anti-malware solution, like Microsoft’s System Center 2012 Endpoint Protection, the malware scanning part of Windows Defender will be disabled, until such time you uninstall the anti-malware solution (properly).

How to disable Password complexity on Server Core installations

I feel Microsoft is doing a great job when it comes to the default security of their products. I’m not the only one, as Microsoft’s attitude towards security and user-friendliness has even earned it kudos in the keynote of the Australian Linux Conf last week for its default SecureBoot implementations on OEM hardware.

However, many people struggle with the default password requirements in Windows Server. While it’s pretty easy to change the password requirements in Server with a GUI installations, it’s not that straightforward on Server Core installations. So, here’s a detailed how-to:

    • First, perform your Server Core installation and provide a complex password for the built-in Administrator account, when you’re prompted to do so after the initial installation. This password must meet the following requirements:
      1. Passwords cannot contain the user’s account name or parts of the user’s full name that exceed two consecutive characters.
      2. Passwords must be at least six characters in length.
      3. Passwords must contain characters from three of the following four categories:
        1. English uppercase characters (A through Z).
        2. English lowercase characters (a through z).
        3. Base 10 digits (0 through 9).
        4. Non-alphabetic characters (for example, !, $, #, %)
    • Now, while logged on as this user, open a command prompt.
    • Type the following command:

secedit.exe /export /cfg C:\secconfig.cfg


    • This will dump the security configuration settings of the local computer to the file C:\secconfig.cfg.
    • Open Notepad by typing Notepad.exe on the command prompt. In Notepad, use the Open… command from the File menu or Ctrl+O to open C:\secconfig.cfg. In the Open window, click on This PC in the left pane and then select Local Disk (C:). In the bottom right corner change the selection criteria from Text documents (*.txt) to All Files.


Now, select secconfig.cfg, double-click it or click Open.

    • In secconfig.cfg we’re going to need to change the value for PasswordComplexity from 1 to 0. Scroll down, until you get to the line that reads PasswordComplexity = 1. Change the 1 to 0. Of course, you can also use Ctrl+F to find it. When you’re really lazy (like I am), you can also deploy a straight Ctrl+H to replace PasswordComplexity = 1 with PasswordComplexity = 0.

Tip!
When you also dislike the passwords of accounts expiring, you can also configure that here. Looking to enable the guest account? Go ahead.

    • When done, use the Save command from the File menu to save the new settings to the file. Next, close Notepad by either clicking on the red tab in the top right corner of the application or by pressing Alt+F4.
    • To load the edited file as your new security configuration, use the following command:

secedit.exe /configure /db %windir%\securitynew.sdb /cfg C:\secconfig.cfg /areas SECURITYPOLICY


    • The new Security configuration will apply to all password changes and new passwords. So, you can change the password for the built-in administrator to whatever you like:

net user .\administrator Z


In the example above, we’ve given the password ‘Z’ to the administrator. 🙂
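To find hosts where this how-to (or the Tip about expiry and the guest account) has been applied, the same secedit export can be checked against a baseline. The function below is an added example, not part of the original post; the name Test-SecurityPolicyExport, the thresholds and the sample file contents are assumptions constructed for illustration.

```powershell
function Test-SecurityPolicyExport {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)

    # Collect key = value pairs from the [System Access] section only
    $settings  = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'System Access')
        } elseif ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
            $settings[$Matches[1]] = $Matches[2]
        }
    }

    # Thresholds are assumptions for this example; align them with your own baseline
    $checks = @(
        @{ Key = 'PasswordComplexity';    Bad = { param($v) [int]$v -eq 0 };  Finding = 'Complexity requirement disabled' }
        @{ Key = 'MinimumPasswordLength'; Bad = { param($v) [int]$v -lt 8 };  Finding = 'Minimum length below 8' }
        @{ Key = 'MaximumPasswordAge';    Bad = { param($v) [int]$v -eq -1 }; Finding = 'Passwords never expire' }
        @{ Key = 'LockoutBadCount';       Bad = { param($v) [int]$v -eq 0 };  Finding = 'Account lockout disabled' }
        @{ Key = 'EnableGuestAccount';    Bad = { param($v) [int]$v -eq 1 };  Finding = 'Guest account enabled' }
    )
    foreach ($check in $checks) {
        $key = $check.Key
        if ($settings.ContainsKey($key) -and (& $check.Bad $settings[$key])) {
            [pscustomobject]@{ Setting = $key; Value = $settings[$key]; Finding = $check.Finding }
        }
    }
}

# Constructed sample: what C:\secconfig.cfg could look like after the edits above
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
EnableAdminAccount = 1
EnableGuestAccount = 1
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Test-SecurityPolicyExport -Lines $sample | Format-Table -AutoSize

# On a live system, from an elevated prompt:
#   secedit.exe /export /cfg "$env:TEMP\secpol.cfg" /areas SECURITYPOLICY | Out-Null
#   Test-SecurityPolicyExport -Lines (Get-Content "$env:TEMP\secpol.cfg")
```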

 

Further reading

Windows Web Server 2008 R2 Server Core local password complexity
HOWTO: Disable complex password policy on Hyper-V Server 2008?
Disable complexity password on Windows 2008 Server Core

Statistics on 2013

As an avid Server Core fan, I thought you might be interested in the topics that were most read on this blog in 2013…

So here goes:

  1. How to install a Server Core R2 Domain Controller
  2. How to disable the Windows firewall on Server Core installations of Windows Server 2012 and Hyper-V Server 2012 
  3. Switching between the four GUI layers in Windows Server 2012 with PowerShell one-liners
  4. Switching between GUI modes in Windows Server 8 
  5. KnowledgeBase: Errors connecting to Windows Server 2008 R2 or Windows Server 2012 Device Manager remotely 
  6. Fun with FSMO roles and functional levels on Server Core Domain Controllers 
  7. Get your Server Core Freak on! 
  8. Updating Server Core and Switching GUIs
  9. What would you choose? Flexibility vs. Disk space 
  10. Running into vague errors in Windows Server 2012 Server Core but not in Server with a GUI installation? Here’s one solution 

See you in 2014!

Upgrade your Windows Server 2012 R2 RTM Server Core Installs

Today, Microsoft has made Windows Server 2012 R2 available to the public.

It’s no longer the fortunate TechNet and MSDN subscribers and Volume Licensing Service Center (VLSC) aficionados who have Windows Server 2012 R2 RTM Server Core bragging rights:

Now everyone and their moms gain access to Microsoft’s latest and greatest Windows Server product family (and its System Center cousins).

For those of you who have been playing with Windows Server 2012 R2 RTM and Hyper-V Server 2012 R2 RTM since they became available, it’s important to upgrade your Server Core installations from the Release to Manufacturers (RTM) version to the General Availability (GA) version.

For this, you’ll need to download and install these two Windows Server updates:

 

You can easily install these updates through Server Configuration (sconfig.cmd), option 6) Download and Install Updates.

Enjoy! 🙂