Archive for the 'Server Core' Category

PowerShell on Server Core

[UPDATE] The instructions below are for Windows Server 2008, which does not have PowerShell or .NET support for Server Core. Windows Server 2008 R2, released later, has native support for these, so you can simply follow these Microsoft instructions to enable PowerShell there: http://support.microsoft.com/kb/976736

Below are step-by-step instructions for installing Windows PowerShell on Windows Server 2008 in Server Core mode.

Note that these are in no way official or supported by Microsoft. Microsoft is working on an official version of .NET and PowerShell for Server Core installations, so eventually you will be able to get this fully supported. Until then, below are the instructions you can use at your own risk, etc., etc.

Quick Introduction

Windows Server 2008 has a command-line installation option – Server Core – which significantly reduces the attack surface and patch requirements by virtue of not having Explorer and other UI components that are not needed in a datacenter.

The problem is that it only ships with the traditional cmd.exe and not PowerShell. To make things worse, neither PowerShell nor .NET as they are today can be installed on such systems.

Below are the steps you can take to create packages of these tools which can be installed. Basically the whole procedure consists of just four main steps:

  1. Installing Visual C++ Redistributable Packages (required for .NET).
  2. Installing .NET 2.0 SP1
  3. Installing PowerShell.
  4. Jumping around the computer and shouting “I’ve got it!”

So let’s get started!

1. Visual C++ Redistributable Packages

This is the easiest one. All you need to do is download the packages you need:

After that, copy these files to your Server Core computer (e.g. using Robocopy) and simply run them there.

If your Server Core is 32-bit – just run vcredist_x86.exe.
If it is 64-bit, you need to install both x86 and x64 versions (vcredist_x86.exe and vcredist_x64.exe).

2. .NET Framework

This is the trickiest part. PowerShell needs .NET 2.0, and .NET 2.0 is supposed to be a component of Windows Server 2008, so we have to get a package of the framework that can be installed on such a system. To accomplish that we will:

  1. Download .NET Framework 3.5.
  2. Unpack the setup to get access to the .NET 2.0 Service Pack 1 installation files.
  3. Download and install the Orca MSI editor.
  4. Use Orca to remove the Windows version check.
  5. Run the updated MSI.

2.1. Download .NET: Go to Microsoft’s web site and download the full redistributable package of .NET 3.5.

2.2. Unpack the file:
a. Create a folder c:\deploy
b. Save the downloaded .NET framework package to this folder.
c. Download the wonderful deploy.cmd script which Artem has posted and put it into the same folder.
d. Run the script.

After the script executes, the C:\Deploy\AIP folder will have both NetFx20_x64 and NetFx20_x86 folders with .NET 2.0 framework files you need.

2.3. Install Orca:

This is great, but unfortunately you cannot just install the files because the MSIs specifically check the Windows version. So now we need to disable this check. To do this we will use Microsoft’s Orca MSI editor.

Note: This all needs to be done on a regular, not Server Core, machine. We will copy the results of our Orca operations to the Core box later on.

If you don’t have Orca, follow these steps to download it:
a. Download the Windows SDK for Windows Server 2008 and .NET Framework 3.5 installer.
b. Run the installer and deselect everything except Win32 Developer Tools (this will make sure that you only download the few megs you need.)

[Image: Downloading Orca]

c. After the installation completes, go to C:\Program Files\Microsoft SDKs\Windows\v6.1\Bin and install Orca.msi.

2.4. Tweak the setup:

Now it’s time to do some patching.
a. Start Orca and open the MSI you need (C:\Deploy\AIP\NetFx20_x86\NetFx20a_x86.msi for 32-bit version or C:\Deploy\AIP\NetFx20_x64\NetFx20a_x64.msi for x64).
b. Click Component.
c. In x86 locate: Regtlib.exe_Tool_____X86.3643236F_FC70_11D3_A536_0090278A1BB8
In x64 locate that one and Regtlib.exe_Tool_____A64.3643236F_FC70_11D3_A536_0090278A1BB8
d. Change the Condition from (VersionNT < 600) or Version9X to just VersionNT or Version9X.

[Image: Allow .NET 2.0 Framework to get installed on Windows Server 2008]

e. Save changes (either to that same MSI or a transform file.)
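
A check for step 2.4, added here and not part of the original post: it reads the Component table of the untouched MSI and of the copy saved from Orca through the Windows Installer COM object, and lists every row whose Condition differs, so you can confirm that nothing other than the Regtlib rows changed. It assumes the edit was saved into the MSI itself rather than a transform; both file paths and the function names are hypothetical.

```powershell
# Added example, not from the original post. Both paths are assumptions:
# $original is a hypothetical untouched backup, $edited is the copy saved from Orca.
$original = 'C:\Deploy\Original\NetFx20a_x86.msi'
$edited   = 'C:\Deploy\AIP\NetFx20_x86\NetFx20a_x86.msi'

function Invoke-Com($Object, $Name, $Kind, $Arguments) {
    # Windows Installer COM objects are late-bound, so call them through reflection.
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $Arguments)
}

function Get-MsiComponentCondition($Path) {
    # OpenDatabase resolves relative paths against the process directory, so pass a full path.
    $full = (Resolve-Path $Path).Path
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db   = Invoke-Com $installer 'OpenDatabase' 'InvokeMethod' @($full, 0)   # 0 = read-only
    $view = Invoke-Com $db 'OpenView' 'InvokeMethod' @('SELECT `Component`, `Condition` FROM `Component`')
    Invoke-Com $view 'Execute' 'InvokeMethod' $null | Out-Null
    $rows = @{}
    while ($null -ne ($record = Invoke-Com $view 'Fetch' 'InvokeMethod' $null)) {
        $name = Invoke-Com $record 'StringData' 'GetProperty' @(1)
        $rows[$name] = Invoke-Com $record 'StringData' 'GetProperty' @(2)
    }
    Invoke-Com $view 'Close' 'InvokeMethod' $null | Out-Null
    return $rows
}

function Compare-MsiComponentCondition($Before, $After) {
    $old = Get-MsiComponentCondition $Before
    $new = Get-MsiComponentCondition $After
    # Walk the union of component names so added or removed rows are reported too.
    foreach ($name in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
        if ($old[$name] -cne $new[$name]) {
            "{0}`n  was: {1}`n  now: {2}" -f $name, $old[$name], $new[$name]
        }
    }
}

if ((Test-Path $original) -and (Test-Path $edited)) {
    Compare-MsiComponentCondition $original $edited
} else {
    Write-Warning 'Set $original and $edited to your own MSI paths first.'
}
```

Close Orca before running it so the edited file is not locked. Following step 2.4, the x86 package should list one changed component and the x64 package two.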

2.5. Install .NET

Copy the files (the whole folder) to your core machine and start the MSI via this command line (note that you need to use msiexec in order to pass the vsextui=1 parameter):

If you saved a transform file and are running the 64-bit version, you will probably run:
%SystemRoot%\system32\msiexec.exe /package "NetFx20_x64\NetFx20a_x64.msi" vsextui=1 transforms="ServerCore.mst"

On x86 without a transform that would be:

%SystemRoot%\system32\msiexec.exe /package "NetFx20_x86\NetFx20a_x86.msi" vsextui=1

That’s it. Now we have .NET installed and can go to the final step – PowerShell installation!

3. Windows PowerShell

There is no PowerShell v1 setup for Windows 2008 (again, because it is supposed to be a component) but you can actually download and install the CTP (note: this is pre-beta code – not for production use). PowerShell v2 CTP2 is available from Microsoft’s downloads page.

Download the version you need, copy the MSI over to the Server Core box and simply run it.

4. Enjoy!

Now you can start PowerShell!

Just run:
c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

And you will see the prompt change to: PS C:>

That’s it. Now you are among the first geeks in the Universe to have PowerShell on Server Core!

[Image: PowerShell v2 running on Windows Server 2008 Server Core]

Acknowledgments: I could only have this all accomplished thanks to the help I got from Alex Kibkalo and a great post by Artem Pronichkin on installing .NET on Server Core.

Longhorn RDP Airlift Slides

Here are the slides I was showing at the Longhorn Airlift AD PowerShell session:

LonghornAirlift_ADPowerShell_PowerGUI_Dmitry_Sotnikov.ppt

Overall the session went well. I was surprised that a big part of the audience was not that familiar with PowerShell as such but everyone seemed pretty interested and I saw people taking notes during the session.

We used Longhorn Beta 3 for the demos and everything went surprisingly well. I even demoed experimental cmdlets for granular password policies.

P.S. In case you get the DVD and listen to the session, or just were there: during the demo I completely forgot to mention that the new-account.ps1 script I was showing while demonstrating the ADSI approach is from Adam Bell. Thanks to Adam for providing that on his blog!

How PowerShell can manage Longhorn Core

It turns out that there actually is a way to manage Longhorn Core with PowerShell.

While I was preparing for my Longhorn Airlift session I kept thinking of Microsoft’s decision to not allow PowerShell on Longhorn Core, and whether there could be any workaround to that. And it turned out that a workaround exists and is actually pretty straightforward.

The answer is… using PowerShell remotely! While this answer is not applicable for managing operating system stuff (processes, services, registry, files and so on), AD cmdlets work just fine when installed on any computer in the network – not necessarily a DC.

By default they would pick some DC in the network and run against it with your current credentials, or you can use Connect-QADService to specify a specific DC and/or credentials. And in either case they work just fine even if your DCs are in the “headless” mode.

So to maximize your security in the Longhorn world:

1. Use Server Core installation option.

2. Use PowerShell to manage your AD.

No PowerShell for Longhorn Core?

Someone just told me that Longhorn Core server role does not support PowerShell so you have to get back to 20th century command-line style and learn all the different command-line styles of all the components.

(Disclaimer: I have not checked this myself so I hope someone comes out and tells me this is all wrong.)

The Server Core role basically allows you to install a minimal version of Longhorn and thus significantly reduce the attack surface and make your deployment more stable, efficient and secure. As there is no graphical user interface, administrators use the command line instead. This makes sense, except that the command line is the same old cmd.exe.

To make it even worse, I was told that you cannot install PowerShell there manually even if you wanted to because PowerShell requires .NET which is not supported on Server Core.

I think this all is a real pity. Server Core and PowerShell were born to be together. I hope this was not an intentional decision but was rather a matter of priorities and having to choose to be able to ship.

Does this mean it’s time to start compiling your SP1 wish-lists?


Legal

The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov
