Remote Desktop Connection Broker and Remote Desktop Virtualization Host will no longer be available on Server Core installations

Reading through the Features removed or planned for replacement starting with Windows Server, version 1803, something caught my eye:

Remote Desktop Connection Broker and Remote Desktop Virtualization Host in a Server Core installation

Most Remote Desktop Services deployments have these roles co-located with the Remote Desktop Session Host (RDSH), which requires Server with Desktop Experience; to be consistent with RDSH we’re changing these roles to also require Server with Desktop Experience. We’re no longer developing these RDS roles for use in a Server Core installation. If you need to deploy these roles as part of your Remote Desktop infrastructure, you can install them on Windows Server 2016 with Desktop Experience.

 

To be honest, I was dumbfounded by this message, but I guess Microsoft knows what they’re doing.

 

Remote Desktop Services Architecture

Looking at Microsoft’s Remote Desktop Services architecture, several roles exist:

  • Remote Desktop Gateway (RD Gateway, RDGW)
    The Remote Desktop Gateway (RD Gateway) component enables people on their client devices on the public Internet to securely access Windows desktops and applications.
  • Remote Desktop Web Access (RD Web)
    The Remote Desktop Web Access (RD Web Access) component allows the tenant’s employees to have a single website where they can authenticate and then access Windows desktops and applications.
  • Remote Desktop Connection Broker (RDCB)
    Remote Desktop Connection Broker (RD Connection Broker) manages incoming remote desktop connections to the servers in Remote Desktop Session Host (RD Session Host) server farms, known as collections.
  • Remote Desktop Licensing Server (RDLS)
    Each Remote Desktop Services environment includes a Remote Desktop Licensing server to allow users to connect to the Remote Desktop Session Host (RD Session Host) servers that host the desktops and applications. The licensing server may be configured in “per user” mode or in “per device” mode.
  • Remote Desktop Session Host (RDSH)
    The Remote Desktop Session Host (RD Session Host) component provides people with session-based desktops and RemoteApp programs.
  • Remote Desktop Virtualization Host (RDVH)
    In contrast to a Remote Desktop Session Host, which offers session virtualization by allowing multiple people to log on interactively to a Windows Server installation, a Remote Desktop Virtualization Host (RDVH) offers desktop virtualization where people log onto their own virtualized Windows instance, running on top of a hyper-virtualization platform. This platform is the Remote Desktop Virtualization Host.

In this architecture, typically, multiple Remote Desktop Session Hosts perform the heavy lifting: actually running the applications and/or offering Windows desktops. One (virtual) machine runs the Remote Desktop Connection Broker (RDCB) and Remote Desktop Licensing Server (RDLS), so people land on the right Remote Desktop Session Host (RDSH) when they are properly licensed. Another (virtual) machine, running the Remote Desktop Gateway (RD Gateway, RDGW) and Remote Desktop Web Access (RD Web) roles, offers outside connections to the infrastructure. All components can be made highly available. The infrastructure requires Active Directory Domain Services or Azure AD Domain Services, as well as a Microsoft SQL Server or Azure SQL database (in highly available scenarios).

Many variants of the above best practices architecture exist, but all of them avoid placing any of the RDS infrastructure role services (RD Gateway, RD Web, RD Connection Broker or RD Licensing) on Remote Desktop Session Hosts or Remote Desktop Virtualization Hosts.

 

… in the real life, though…

Now, when you read closely, Microsoft states that organizations are not following its guidance. Instead, they install the Remote Desktop Connection Broker (RDCB) on one or more of the Remote Desktop Session Hosts.

This has led to the decision to remove the two features from Server Core installations in the following Windows Server releases:

  1. Semi-Annual Channel (SAC) releases: Windows Server, version 1803, and beyond
  2. Long-term Servicing Channel (LTSC) releases: Windows Server 2019, and beyond

Looking at the list of available roles and features for Server Core installations, the Remote Desktop Licensing Server is the only Remote Desktop Services (RDS) role still viable to run on Server Core installations in the near future.

 

Install Windows Server with Desktop Experience

Starting with Windows Server, version 1803 and Windows Server 2019, when you want to run any of the below Remote Desktop Services role services, install a Windows Server with Desktop Experience, instead of a Server Core installation of Windows Server:

  • Remote Desktop Gateway (RD Gateway)
  • Remote Desktop Web Access (RD Web)
  • Remote Desktop Connection Broker (RDCB) *
  • Remote Desktop Session Host (RDSH)
  • Remote Desktop Virtualization Host (RDVH) *
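
To find out which of your existing servers are affected before you plan an upgrade, you can inventory them. The function below is an added example, not part of the original post; the function and property names are made up for illustration, while the feature names are the ones Get-WindowsFeature reports for these role services. Run it locally or through Invoke-Command.

```powershell
# Added example (not from the original post).
# RDS role services the post lists as needing Desktop Experience from
# Windows Server, version 1803 and Windows Server 2019 onward.
$rolesNeedingDesktop = @{
    'RDS-Gateway'           = 'Remote Desktop Gateway'
    'RDS-Web-Access'        = 'Remote Desktop Web Access'
    'RDS-Connection-Broker' = 'Remote Desktop Connection Broker'
    'RDS-RD-Server'         = 'Remote Desktop Session Host'
    'RDS-Virtualization'    = 'Remote Desktop Virtualization Host'
}

function Get-RdsServerCoreExposure {
    [CmdletBinding()]
    param()

    # InstallationType reads 'Server Core' on Server Core installations and
    # 'Server' on installations with Desktop Experience / a full GUI.
    $currentVersion = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $isServerCore   = $currentVersion.InstallationType -eq 'Server Core'

    # Only role services that are actually installed on this server matter.
    $installed = Get-WindowsFeature -Name @($rolesNeedingDesktop.Keys) |
        Where-Object { $_.Installed }

    foreach ($feature in $installed) {
        [pscustomobject]@{
            ComputerName           = $env:COMPUTERNAME
            ProductName            = $currentVersion.ProductName
            InstallationType       = $currentVersion.InstallationType
            Feature                = $feature.Name
            RoleService            = $rolesNeedingDesktop[$feature.Name]
            # True means: this role service sits on Server Core today and
            # has to move to a Desktop Experience installation.
            NeedsDesktopExperience = $isServerCore
        }
    }
}

# Report only the role services that have to move.
Get-RdsServerCoreExposure |
    Where-Object { $_.NeedsDesktopExperience } |
    Format-Table -AutoSize
```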

 

Concluding

Thanks to people not following Microsoft’s best practices architecture, we’re now getting screwed out of Server Core for two more RDS Infrastructure roles… or is there something else at play?

 

Windows Admin Center is here

Ever since the first incarnations of Server Core in Windows Server, people have looked at ways to manage ‘Windows Server without GUI’ with a GUI. Today, the newest method of managing Windows Server, dubbed ‘Windows Admin Center’, was released, and it promises an entirely new way to manage Windows Server, both ‘Installations with a GUI’ and ‘Server Core installations’.

Let’s take a look!

 

Our strange obsession…

Quoting ‘Graphical is for women’ doesn’t even begin to cover admins’ strange obsession with graphical management tools to manage all aspects of Windows Server. We’ve seen tools like CoreConfigurator pop up early on in the Server Core lifecycle, only to be capitalized on by Smart-X. We also saw other tools, and I even provided instructions on how to run hvconfig on Server Core installations, before sconfig came to Server Core installations.

However, the industry has mostly moved on. Drivers and other tools no longer rely on having a GUI present to allow installation or configuration. Even Microsoft’s own Remote Server Administration Tools (RSAT) have moved on, although some notable exceptions apply, like AD FS Management and driver management.

 

Windows Admin Center

Microsoft now offers a brand new toolset, that has been available for the last year as private previews and public previews, codenamed Project Honolulu: the Windows Admin Center.

In contrast to other tools out there, Windows Admin Center offers its experience in full HTML5, so it’s usable in any of the popular browsers admins use today. Windows Admin Center is locally deployed and can be used to manage servers, clusters, hyper-converged infrastructure, and Windows 10 PCs. It comes at no additional cost beyond Windows and is ready to use in production.

Download Windows Admin Center now.

 

Concluding

You could use any 3rd party tool to remotely manage your Server Core installations, but wouldn’t you rather use this free tool from Microsoft?

Windows Server 2016 no longer offers to add or remove GUI Layers

In a surprising move, Microsoft decided to remove a feature that, from a security point of view, was perhaps the most useful feature in Windows Server.

Let’s look at the recent history of Windows Server:

 

Windows Server 2008 (R2)

Windows Server 2008 and Windows Server 2008 R2 were the first two versions of Windows Server that offered the ability to install the Operating System (OS) as Server Core installations. These optimized installations of Windows Server offered more security (due to a smaller attack surface), less resource use and more agility.

Even though Windows Server 2008 Server Core headed for a dead-end street in some scenarios, some organizations opted to install their Windows Servers as Server Core installs.

 

Windows Server 2012 (R2)

To allow even greater agility, but also to get the installation ‘just right’ using the Graphical User Interface (GUI), Microsoft offered to add and remove GUI layers in Windows Server 2012 and Windows Server 2012 R2. This way, system admins can switch from Full Installations (even with the Desktop Experience feature turned on) to Server Core Installations. We’ve discussed it here, roughly five years ago.

We saw an uptick in the adoption of Server Core due to this opportunity and believe it made the life of admins easier, even though they would not fully benefit as much as they would with a Server Core Installation from the get-go.

 

Windows Server 2016

Now, in Windows Server 2016, Microsoft no longer offers to add and remove GUI layers.

Admittedly, many of the Server Core benefits have become moot points with Windows Server 2016: The newly added security measures in Windows Server add a lot. This removes most of the urgency of removing the GUI, although you can’t install Internet Explorer from Windows Server 2016…

Also, many of the (graphical) tools we needed in Windows Servers to configure the Windows Server installation just right also have grown up and now offer command-line, if not PowerShell support. There’s less and less need to install Windows Server as a Full Installation to configure it.

 

I guess time will tell if Microsoft has made a wise decision by removing the ability to add and remove GUI layers…

Three things to consider when switching the GUI in Windows Server

Windows Server 2012 and Windows Server 2012 R2 allow you to switch the Graphical User Interface (GUI) on and off. It’s easy, and already the topic of a previous blogpost.

Note:
The ability to switch GUIs in Windows Server has been removed in Windows Server 2016.

I’ve already shown you how to actually switch between these three GUI modes (with a choice between dism.exe and PowerShell), but what I haven’t pointed out yet are the things you need to consider when you actually switch between GUI modes:

 

1. Only update in your desired GUI mode

One of the benefits of running a Server Core installation is a smaller attack surface, compared to a Full installation. The larger attack surface of a Full installation results in a higher number of vulnerabilities and a higher frequency of updates for the Operating System.

Another benefit of Server Core is a smaller disk footprint, compared to a Full installation. This benefit becomes partly undone when we start installing updates for a Full installation, that we no longer need when we run the server as a Server Core installation most of the time. To this date, there is no way or tool to determine which updates are no longer needed or to actually uninstall these in a simple way.

 

2. Take notice of the support matrix of your agents and add-ons

Even the server running your easiest of tasks needs to adhere to your information security strategy. This results in the installation of many agents and add-ons. Backup, anti-malware and UPS all need their respective software. When your environment also features System Center, you will need software like the Server App-V agent and the System Center Configuration Manager agent.

Even though the Server Core team communicated a whole lot within Microsoft, it’s not plausible to assume every product team took notice of the ability for administrators to switch between GUIs. So, the problems with Microsoft software may already be big, but the bigger question is which software producers have also got the message? Did your anti-malware supplier get it?

Two ways to make sure you’ll be in the clear while switching GUIs, are:

  1. Consult the support matrix from the suppliers of your agents and add-ons
  2. Test your configuration

The best choice, however, remains to install agents and add-ons (remotely) with the Server installation in the desired GUI.

 

3. Take notice of the support matrix of your server applications

The SQL Server team has actively communicated that SQL Server 2012 and up support installation on Server Core. They are one of the product teams outside the Windows Server group to get onboard with Server Core. Other Microsoft Server products, like Exchange Server and Skype for Business Server, have not communicated plans in that direction.

Even though the Server Core team communicated a whole lot within Microsoft, not every product displays a warning at installation, warning you not to switch the GUI after installing the product. Many non-Microsoft products also might not contain the warning, at least in the early period after their releases.

PowerShell versions you can expect and get on Server Core Installations

Windows PowerShell and Server Manager are the preferred ways to manage Server Core installations of Windows Server. This works great in later builds of Windows Server, but it wasn’t all Hallelujah from the start of Server Core.

 

Built-in versions of PowerShell

The following versions of Windows PowerShell are available by default to Server Core installations, per version of Windows Server:

Windows Server 2008

Server Core installations of Windows Server 2008 do not offer Windows PowerShell due to a lack of .NET Framework.

Windows Server 2008 R2

Server Core installations of Windows Server 2008 R2, by default, offer Windows PowerShell 2.0.

Windows Server 2012

Server Core installations of Windows Server 2012, by default, offer Windows PowerShell 3.0.

Windows Server 2012 R2

Server Core installations of Windows Server 2012 R2, by default, offer Windows PowerShell 4.0.

 

Upgradeable versions of PowerShell

When you’d like a newer version of Windows PowerShell on a Server Core installation, you can upgrade it.

Windows Server 2008

Server Core installations of Windows Server 2008 do not offer Windows PowerShell, nor upgrades to Windows PowerShell.

There is no supported way to get Windows PowerShell on these systems.

Windows Server 2008 R2

Server Core installations of Windows Server 2008 R2 can be upgraded to:

  • Windows PowerShell 3.0
    (as part of Windows Management Framework 3.0)
  • Windows PowerShell 4.0
    (as part of Windows Management Framework 4.0)

The Windows Management Framework is a group of several management-related tools, like PowerShell, BITS and the WinRM service.

Windows Server 2012

Server Core installations of Windows Server 2012 can be upgraded to Windows PowerShell 4.0.

The Windows Management Framework is a group of several management-related tools, like PowerShell, BITS and the WinRM service.

Windows Server 2012 R2

There is no upgrade for Windows PowerShell available yet, beyond Windows PowerShell 4.0.

About Codename “Tuva”

While discussing Server Core and Nano Server with Aleksandar Nikolic, an old friend and a Microsoft MVP for roughly as long as I have, he shared an interesting tidbit on Nano Server with me.

About Nano Server

Windows Server 2016 offers a new installation option: Nano Server. It is a remotely managed option similar to Windows Server in Server Core mode, but significantly smaller, has no local logon capability, and only supports 64-bit applications, tools, and agents. It takes up far less disk space, sets up significantly faster, and requires far fewer updates and restarts than Windows Server with the full desktop experience.

See Getting Started with Nano Server for full details.

Apparently, Nano Server’s codename within Microsoft was ‘Tuva’.

About Tuva

Tuva is a region and is a federal subject of Russia according to Wikipedia.
Tuva was an independent state between the World Wars; between 1921 and 1944 Tuva constituted a sovereign, independent nation, under the name of Tannu Tuva, officially, the Tuvan People’s Republic, or the People’s Republic of Tannu Tuva. The independence of Tannu Tuva, however, was recognized only by its neighbours: the Soviet Union and Mongolia.

Tyva voluntarily became a part of The Soviet Union in 1944 and was part of Russia the shortest of all republics in the USSR.

Verifying the codename

Now, of course, you are curious how to verify the above information.
With the command below you can check the Nano Server codename:

Get-CimInstance win32_operatingsystem | Select caption

 

Concluding

Congratulations, you’ve wasted a minute of your time to learn up on a little known fact of Nano Server, that will make you a more interesting person for small talk.

You’re welcome. 🙂

Making NanoServerImageGenerator.psm1 more useful on a daily basis

I’ve been playing around with Nano Server these couple of days, but grew a bit tired of needing to import the NanoServerImageGenerator.psm1 Windows PowerShell Module at the beginning of every Windows PowerShell session.

Now, you might say I’m a bit too tidy, because I properly close any session I don’t need for the next two minutes. Additionally, the fact that Windows PowerShell Cmdlets from the built-in Windows PowerShell Modules automatically load, doesn’t help me in using the Windows PowerShell Cmdlets from the NanoServerImageGenerator.psm1 Windows PowerShell Module. Yes, I’m that spoiled. 😉

So, I decided to copy the PowerShell Module to the PowerShell Modules folder to get access to its functions without even importing it in the session, effectively adding it to the collection of built-in Windows PowerShell Modules. Using your Windows Server 2016 Installation Media, copy it with these three example PowerShell one-liners in an elevated PowerShell window:

New-Item "C:\Program Files\WindowsPowerShell\Modules\NanoServerImageGenerator" -ItemType Directory

Copy-Item "X:\NanoServer\NanoServerImageGenerator.psm1" -Destination "C:\Program Files\WindowsPowerShell\Modules\NanoServerImageGenerator\NanoServerImageGenerator.psm1" -Force

New-ModuleManifest -Path "C:\Program Files\WindowsPowerShell\Modules\NanoServerImageGenerator\NanoServerImageGenerator.psd1" -RootModule NanoServerImageGenerator.psm1

Now, on this system, I can build the Nano Server images I’d want, without running into the otherwise inevitable ‘is not recognized as the name of a cmdlet, function, script file, or operable program’ errors for the Windows PowerShell Cmdlets in the NanoServerImageGenerator Windows PowerShell Module.
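
Everything under C:\Program Files\WindowsPowerShell\Modules is auto-loaded into every PowerShell session on the machine, elevated ones included, so it pays to check the file before promoting it. The script below is an added example, not part of the original post: it performs the same three steps, but first checks the Authenticode signature and then confirms the copy matches the source. It assumes X: is the mounted installation media, that the module file on your media is signed, and that Get-FileHash is available (Windows PowerShell 4.0 or later).

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post.
# X: is the mounted Windows Server 2016 installation media, as in the post.
$source    = 'X:\NanoServer\NanoServerImageGenerator.psm1'
$moduleDir = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\NanoServerImageGenerator'
$target    = Join-Path $moduleDir 'NanoServerImageGenerator.psm1'
$manifest  = Join-Path $moduleDir 'NanoServerImageGenerator.psd1'

# Assumption: the module on the media carries a valid Authenticode signature.
# Any other status (NotSigned, HashMismatch, ...) stops the install.
$signature = Get-AuthenticodeSignature -FilePath $source
if ($signature.Status -ne 'Valid') {
    throw ('Refusing to install {0}: signature status is {1}' -f $source, $signature.Status)
}

# Record the hash of the file that was just verified.
$before = (Get-FileHash -Path $source -Algorithm SHA256).Hash

New-Item -Path $moduleDir -ItemType Directory -Force | Out-Null
Copy-Item -Path $source -Destination $target -Force

# The copy in the auto-load path must be byte-identical to the verified source.
$after = (Get-FileHash -Path $target -Algorithm SHA256).Hash
if ($after -ne $before) {
    Remove-Item -Path $target -Force
    throw 'Copied module does not match the verified source file.'
}

New-ModuleManifest -Path $manifest -RootModule 'NanoServerImageGenerator.psm1'

# Summarize who signed the module, what was installed and what it exports.
[pscustomobject]@{
    Signer   = $signature.SignerCertificate.Subject
    SHA256   = $after
    Commands = (Get-Command -Module NanoServerImageGenerator).Name -join ', '
}
```

Keeping the recorded SHA256 value lets you re-run Get-FileHash against the installed copy later and spot changes to a file that every administrative session loads.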

Available Windows PowerShell Cmdlets in NanoServerImageGenerator.psm1 in Windows Server 2016 Technical Preview 4

I’ve been playing around with Nano Server these couple of days and have been extensively using the NanoServerImageGenerator Windows PowerShell Module that shipped with the Installation Media for Windows Server 2016 Technical Preview 4 as the file NanoServerImageGenerator.psm1 in the NanoServer folder.

You might be wondering which Windows PowerShell Cmdlets are available through this Windows PowerShell Module, so here is the list:

  1. Edit-NanoServerImage
  2. Get-NanoServerPackages
  3. New-NanoServerImage

 

Edit-NanoServerImage

The Edit-NanoServerImage Windows PowerShell Cmdlet can be used to modify a base Nano Server installation image by adding packages and drivers and configuring operating system options.

This cmdlet expects that you ran New-NanoServerImage in advance.
It operates on the image produced by New-NanoServerImage as requested.

Possible operations are: Add packages, add drivers, set computer name, set administrator password, join a domain, enable debug, enable EMS and set static IP address.

 

Get-NanoServerPackages

The Get-NanoServerPackages Windows PowerShell Cmdlet can be used to retrieve the list of available packages from the Windows Server 2016 Technical Preview 4 installation media.

This cmdlet scans the given media and returns a list of packages available to be embedded into the Nano Server image.

 

New-NanoServerImage

The New-NanoServerImage Windows PowerShell Cmdlet can be used to create a base Nano Server installation image.

This cmdlet makes a local copy of the necessary files from the installation media and converts the included WIM Nano Server image into a VHD(X) image. It then makes a copy of the converted VHD(X) image into a user-supplied path. After that, the following operations can be applied:

  • Add packages
  • Add drivers
  • Set computer name
  • Set administrator password
  • Join a domain
  • Enable debug
  • Enable EMS
  • Set static IP address

 

Available packages for Nano Server in Windows Server 2016 Technical Preview 4

As described in my blogpost on the differences between Server Core and Nano Server, I stipulated that Nano Server is intended for fabric purposes; to provide the best platform for Microsoft’s cloud platform, like hypervisor hosts, scale-out file servers and such.

This also becomes clear from the packages available in the fourth Technical Preview of Windows Server 2016.

When looking at the contents of the Packages subfolder of the NanoServer folder on the Windows Server 2016 TP4 installation media, the following packages are available:

  • Microsoft-NanoServer-Compute-Package
  • Microsoft-NanoServer-Containers-Package
  • Microsoft-NanoServer-DCB-Package
  • Microsoft-NanoServer-DNS-Package
  • Microsoft-NanoServer-DSC-Package
  • Microsoft-NanoServer-Defender-Package
  • Microsoft-NanoServer-FailoverCluster-Package
  • Microsoft-NanoServer-Guest-Package
  • Microsoft-NanoServer-IIS-Package
  • Microsoft-NanoServer-NPDS-Package
  • Microsoft-NanoServer-OEM-Drivers-Package
  • Microsoft-NanoServer-Storage-Package
  • Microsoft-OneCore-ReverseForwarders-Package
  • Microsoft-Windows-Server-SCVMM-Compute-Package
  • Microsoft-Windows-Server-SCVMM-Package

 

All the above packages are available as .cab files.

The packages can be added to your NanoServer installation image using the New-NanoServerImage PowerShell Cmdlet from the NanoServerImageGenerator.psm1 PowerShell Module in the NanoServer folder on the Windows Server 2016 TP4 installation media.

How is Nano Server different from Server Core?

I get this question a lot:

How is Nano Server different from Server Core?

Obviously, both configuration options for Microsoft’s upcoming Windows Server 2016 release share similarities. In other areas, they are different:

 

Nano Server is a refactoring

Where Server Core installations of Windows Server, since Windows Server 2008, can be seen as skimmed down versions of Windows Server (a normal Windows Server with bits thrown out), Nano Server is a complete refactoring of the Operating System.

 

Nano Server is a revolution, not an evolution

Where the goal with Server Core was to provide less attack surface and require fewer reboots, the goal with Nano Server is to provide the best platform for Microsoft’s cloud platform, like hypervisor hosts, scale-out file servers and such.

Of course, Nano Server does provide a smaller disk footprint (-93%), does require fewer critical security bulletins (-92%) and does require fewer reboots (-80%), but its aim is to provide the fabric for Azure and Azure Stack.

 

Nano Server is introduced in Windows Server 2016

Where Server Core is available since Windows Server 2008, Nano Server will be introduced with Windows Server 2016. Surprisingly, Nano Server will be made available in roughly the same way Server Core was made available in its first reincarnation on Windows Server 2008: There’s no way to switch from Nano Server to a full-blown or Server Core version of Windows Server 2016.

Nano Server is not installed in a traditional way

A main difference between installing Server Core in Windows Server 2008 and Nano Server in Windows Server 2016, though, is that a Nano Server installation is not achieved through the traditional Windows Server Installation Wizard. There are only two options in the Windows Server 2016 Installation Wizard:

  1. Windows Server 2016 with Desktop Experience
  2. Windows Server 2016

Where the second option corresponds to a Server Core-like installation.

Instead, Nano Server installations originate from the NanoServer folder on the Windows Server 2016 Installation Media. A new Nano Server VHD image can be built from the PowerShell Module in this folder using the New-NanoServerImage PowerShell Cmdlet.

 

Nano Server is headless

Where Server Core installations offered a management infrastructure, Nano Server is basically headless. Yes, you can log onto it, but it will return an experience that is best described as DOS with the ability to fix networking.

But, you can use Server Manager remotely, as you probably already would have done with Server Core installations of Windows Server 2012 R2, and you can Remote PowerShell into it, which should give you all the configuration goodness you need.