joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

5/16/2007

Customer Success Story

by @ 1:50 am. Filed under general

The people who use my free utilities and/or read my posts aren’t truly customers since they don’t pay for the goods I supply but I still consider them customers when I think about them or get pinged by them.

Well one “customer” sent me a nice success email today and I wanted to share it with everyone else. Enjoy:

Just thought I’d let you know that I did a network trace to troubleshoot an AD issue for the first time yesterday.  After contemplating what was going wrong for a few minutes, your repeated requests for a trace echoed in my head.  While I’ve done a few traces for other issues in the past, this was my first for AD.  Sure enough, it revealed that Websense, when building a DN, mistakenly assumed that “folder” was a container, so I got cn=username,cn=staff,dc=domain,dc=edu instead of cn=username,OU=staff,dc=domain,dc=edu…it’s always the little things.

Thanks.

Network traces are a GOOD thing. It is amazing how many problems you can quickly and easily troubleshoot if you just get off the couch, take the trace and look at it. You don’t have to be a network protocol guru to get good info from a trace; the parsers built into Wireshark are generally more than enough for at least basic LDAP traffic. RPC traffic, I understand, that stuff is a pain to wade through. An LDAP query though… simple stuff.

I responded and congratulated the customer on the successful operation and he further pointed out issues in the WebSense app that others may find beneficial to hear.

Yeah, you’re more than welcome to post this [I requested permission to post the email on the blog to help others – joe].  If you want to turn it into a list of why Websense is the devil, you can add their request to increase the MaxPageSize, the alleged requirement for a domain admin [1], and the clear text transmission of those credentials, as discovered in the aforementioned trace.

[1] I’m not really sure if they’re saying the user needs to be an admin on the Websense box or on the domain, but in any case, it works with a standard user.  Also note that the password listed there [customer included a screen shot of the websense dialog – joe] IS the actual password, replaced by asterisks.  So, for instance, if their password was P@$$word1 and I change it in AD to P@$$word2, I can go back into this page, delete the last * and type 2 and the password will be updated.  Not sure that’s a real big deal, but it just doesn’t sit well with me 🙂


Blog software updated

by @ 1:37 am. Filed under updates

I have updated the blog server software so if you notice any issues, please let me know!


Wow now that is some turnaround speed…

by @ 1:36 am. Filed under tech

I submitted a bug for Longhorn this last Saturday, Microsoft turned it around two days later and it is listed as fixed. It was an issue I found with LH activation. Gotta love that turnaround speed…

 

Type: Bug
ID: 276936
Status: Closed (Fixed)
Access Restriction: Private
Opened By: jricha34
Blocking Issue: No
Opened: 5/12/2007
Submission Language: English
Resolved: Closed (5/14/2007 10:04:11 AM)


5/13/2007

Survivor Finale – Dreamz (Andria Herd) you have no honor.

by @ 11:40 pm. Filed under rants

You knew this was going to happen when Dreamz said it was the hardest decision he had to make. If he actually had any honor whatsoever, it wouldn’t have been a difficult decision, it wouldn’t even be a decision. You don’t accept a piece of gum in exchange for a promise let alone a Ford F350 unless you intend to fulfill that promise.

 


Happy Mother’s Day

by @ 11:26 pm. Filed under general

Happy Mom’s Day to all the Moms out there!

 

 


5/12/2007

Basic Initial Server Core Tasks

by @ 7:31 pm. Filed under tech

Along with the requests for how is Server Core less resource intensive, there were requests for more info on how to do various things in Server Core that you tend to do right off when setting it up to test. I will admit I am by far not the expert here, lots of other folks have spent a lot more time working on this stuff so I highly recommend using google to go look, but right off, book mark this blog if you haven’t already:

Server Core – http://blogs.technet.com/server_core/default.aspx

 

So let’s assume you don’t use an unattend file to build your server core, you pop in the CD, you enter your license key and select Server Core, what next? All sorts of things, here are some of the things I do, note I don’t guarantee any of this, it isn’t official documentation, it is just stuff that I have worked through or found and work for me.

 

1. The first thing I do is install VMWare Tools. You will click on VM | Install VMWare Tools. Normally you will see an MSI file take off and start the installation process. You likely won’t see that on Server Core, at least I have yet to see it in I don’t know how many installs I have done. So what do you do?

Switch to D: Drive (or whatever drive if your CD/DVD is another drive)

Type “VMWare Tools.msi”

Walk through the prompts and reboot when it asks

2. Next, I recommend increasing screen res if you are going to do much from the VMWare Client. If you plan on doing everything through RDP, go ahead and skip this. I never did this until some recent testing forced me to.

The first step is to find where the heck the key is that you need to modify. Since part of the key will have a randomly generated GUID, this isn’t the most straightforward, but hopefully the method I give here will be easy. It involves searching in the right branch for a specific registry key that only exists (to my knowledge) in the subbranch that you want to work on for this action.

reg query hklm\system\currentcontrolset\control\video /s | findstr /i volatile

That will result in one or more strings like

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\video\{F6E7436E-54D0-482E-87CD-DAB680AF6216}\0000\VolatileSettings

You need all of the reg path info prior to the \VolatileSettings. You can then run the following commands to change your screen res to 1152×864 (what I tend to run in). These values are REG_DWORD, and reg add assumes REG_SZ when /t is omitted, so pass /t REG_DWORD explicitly; /d takes decimal (1152, 864) or 0x-prefixed hex (0x480, 0x360). If you want something else, change the values but be careful, you could dork it up and not get to see your screen on your monitor – remotely modify the machine in that case.

reg add HKLM\system\currentcontrolset\control\video\{F6E7436E-54D0-482E-87CD-DAB680AF6216}\0000 /v DefaultSettings.XResolution /t REG_DWORD /d 1152 /f

reg add HKLM\system\currentcontrolset\control\video\{F6E7436E-54D0-482E-87CD-DAB680AF6216}\0000 /v DefaultSettings.YResolution /t REG_DWORD /d 864 /f

While you are there, you might as well turn on the video hardware acceleration although I haven’t seen it doing much if anything yet… But just in case…

reg add HKLM\system\currentcontrolset\control\video\{F6E7436E-54D0-482E-87CD-DAB680AF6216}\0000 /v Acceleration.Level /t REG_DWORD /d 0 /f

Obviously, starting with Beta 3, you can also use regedit to do this work.

 

3. I recommend changing the window drag format from full window to outline. This is easier… You do need quotes around the registry key though because some bright boy put a space in the name…

reg add "HKCU\Control Panel\Desktop" /v DragFullWindows /d 0 /f

4. For my private lab environments I turn off the screen savers, they annoy me

reg add "HKCU\Control Panel\Desktop" /v ScreenSaveActive /d 0 /f

If you prefer you can just change how long it takes for the screen saver to start. This is in seconds (decimal), here I am setting it to 1 hour. Again, not something I recommend for production.

reg add "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /d 3600 /f

5. Set up CSCRIPT to be your default WSH Script engine. Not sure why it isn’t the default on Server Core…

CSCRIPT //H:CSCRIPT

6. Set up your Server Core so you can RDP into it (including from back level RDP clients)… Assumes you followed Step 5

SCRegEdit.wsf /AR 0 /CS 0

netsh firewall set portopening tcp 3389

If you are a firewall lover and have been playing with netsh in Longhorn you know there is an advfirewall interface available and there are specific rules for RDP called “Remote Desktop (TCP-In)”. You can, if you want, go into advfirewall and enable that rule but you will type far more than using the basic firewall command above and the system is smart enough to know that the above command is enabling the public version of “Remote Desktop (TCP-In)”.

 

7. Rename server (not joined to domain)

netdom renamecomputer %computername% /newname:[insert new name here]

8. Restart computer ASAP

shutdown /g /t 1

9. Log off

logoff

10. Set time/date/timezone

timedate.cpl

11. Pull up task manager

CTRL-SHIFT-ESC

or

taskmgr

12. Check activation status… Assumes you followed Step 5

slmgr -xpr

13. To activate. You don’t have to do this right away, you have a month to play…

slmgr -ato

14. To get a list of some other things you can do

SCRegedit.wsf /cli

 

I could give more but this should be enough to get people moving forward and learning how to do things.

 

  joe


More Server Core Fun Facts…

by @ 7:29 pm. Filed under tech

The response I have gotten from the Server Core posts has been pretty good, tons of emails and several comments posted directly to the blog. Seems people are very interested; that is very good IMO. Some of the emails were asking questions like “We keep hearing it is so much lighter and uses less resources, can you say anything more about that?”

Not really, but I will give it a shot… I just now built a bare bones Server Core guest and a bare bones Full Server guest (both Beta 3) to specifically gather some specs. I loaded the VMWare Tools on the virtuals as well because it annoys me when they aren’t running. Here are the specs:

 

Full Server

Dirs: 22009
Files: 38810
Bytes: 6,359,811,812
Full Reg Dump: 78,976,210 bytes

(From Task Manager – no load)

Physical Memory (MB)
  Total: 510
  Cached: 336
  Free: 6

Kernel Memory (MB)
  Total: 58
  Paged: 38
  Nonpaged: 19

System
  Handles: 7740
  Threads: 403
  Processes: 37
  Page File: 230M / 1509M

 

Server Core

Dirs: 9223
Files: 13022
Bytes: 1,803,802,566
Full Reg Dump: 39,926,858 bytes

(From Task Manager – no load)

Physical Memory (MB)
  Total: 510
  Cached: 185
  Free: 191

Kernel Memory (MB)
  Total: 42
  Paged: 26
  Nonpaged: 16

System
  Handles: 5826
  Threads: 306
  Processes: 28
  Page File: 169M / 1509M

 

Deltas

Dirs: -12786 (58.1% reduction)
Files: -25788 (66.4% reduction)
Bytes: -4556009246 (71.6% reduction)
Full Reg Dump: -39049352 bytes (49.4% reduction)

(From Task Manager – no load)

Physical Memory (MB)
  Total: Same
  Cached: -151 (44.9% reduction)
  Free: +185 (3083.3% increase)

Kernel Memory (MB)
  Total: -16 (27.6% reduction)
  Paged: -12 (31.6% reduction)
  Nonpaged: -3 (15.8% reduction)

System
  Handles: -1914 (24.7% reduction)
  Threads: -97 (24.1% reduction)
  Processes: -9 (24.3% reduction)
  Page File: -61 (26.5% reduction)


Longhorn Server Core Screen Resolution and Dragging Windows

by @ 2:41 am. Filed under tech

Just so I don’t forget what I just worked out.

To change screen resolution on Longhorn Server Core, modify

HKLM\System\CurrentControlSet\Control\Video\[GUID]\0000\DefaultSettings.XResolution

HKLM\System\CurrentControlSet\Control\Video\[GUID]\0000\DefaultSettings.YResolution

On VMWare Server I am finding 1152×864 works out well. The value for [GUID] will depend on the installation. It seems under \Video\ there are usually multiple GUIDs listed; the first one enumerated usually seems to be the one you need to go in and work on. It is easy to tell (so far), because if you expand the \0000\ key, the right one will have a \VolatileSettings\ key under the \0000\ key. Plus it is the only \0000\ key that will have a value under it for Acceleration.Level. I need to write something to do this modification.

 

To change hardware acceleration, change

HKLM\System\CurrentControlSet\Control\Video\[GUID]\0000\Acceleration.Level

to the value 0. The thing is that it doesn’t seem to really change anything. Mouse experience is still shaky.

 

To change the full window dragging (this helps a lot on VMWare), change

HKCU\Control Panel\Desktop\DragFullWindows

to the value 0.
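The script below is an added example written for this page; it is not joe’s code and not from the Server Core team. It does the modification this note says still needs writing and also rolls up the console tweaks from the Basic Initial Server Core Tasks post above: it locates the Video\{GUID}\0000 key by its VolatileSettings subkey (the same reg query / findstr trick), writes the resolution and Acceleration.Level values as REG_DWORD, applies the HKCU drag and screen saver changes, and makes cscript the default script host. The script name corecfg.cmd and the 1152×864 default are assumptions; it expects to be run from an elevated cmd.exe on the Server Core console, and like the manual steps the new resolution takes effect after a log off or reboot.

```batch
@echo off
setlocal EnableDelayedExpansion
REM corecfg.cmd - added example, not from the original post.
REM Usage: corecfg.cmd [xres] [yres]   (defaults: 1152 864)

set "XRES=%~1"
set "YRES=%~2"
if not defined XRES set "XRES=1152"
if not defined YRES set "YRES=864"

REM 1. Find the Video\{GUID}\0000 key that carries a VolatileSettings subkey.
REM    reg query /s prints one full key path per line; keep only the line that
REM    ends in \VolatileSettings and take the first one found.
set "VIDKEY="
for /f "delims=" %%K in ('reg query HKLM\SYSTEM\CurrentControlSet\Control\Video /s 2^>nul ^| findstr /i /r "\\VolatileSettings$"') do (
    if not defined VIDKEY set "VIDKEY=%%K"
)
if not defined VIDKEY (
    echo No Video\{GUID}\0000\VolatileSettings key found - resolution not changed.
    goto :hkcu
)
REM Strip the trailing \VolatileSettings to get the parent ...\{GUID}\0000 key.
set "VIDKEY=!VIDKEY:\VolatileSettings=!"
echo Video key: !VIDKEY!

REM 2. reg add assumes REG_SZ when /t is omitted, so force REG_DWORD here.
REM    /d takes decimal (1152) or 0x-prefixed hex (0x480).
reg add "!VIDKEY!" /v DefaultSettings.XResolution /t REG_DWORD /d %XRES% /f >nul
reg add "!VIDKEY!" /v DefaultSettings.YResolution /t REG_DWORD /d %YRES% /f >nul
reg add "!VIDKEY!" /v Acceleration.Level /t REG_DWORD /d 0 /f >nul
echo Resolution set to %XRES%x%YRES% - takes effect after log off or reboot.

:hkcu
REM 3. Per-user desktop tweaks. These values are REG_SZ, so no /t is needed.
reg add "HKCU\Control Panel\Desktop" /v DragFullWindows /d 0 /f >nul
reg add "HKCU\Control Panel\Desktop" /v ScreenSaveActive /d 0 /f >nul

REM 4. Make cscript the default WSH host so scregedit.wsf and slmgr run
REM    in the console instead of popping wscript dialogs.
cscript //H:CScript //nologo >nul

endlocal
exit /b 0
```

If more than one \VolatileSettings line comes back the script takes the first, which matches what the note above observes; check the echoed key path before trusting it on a box with several display adapters.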

 

   joe


5/11/2007

Longhorn Server Core

by @ 1:01 am. Filed under tech

Have you heard of this thing? Longhorn Server Core that is? Do you know what it is? Do you care? Yes mom, I know you don’t know and you don’t care, you can skip this posting… 🙂

Longhorn Server Core is a new version of Windows Server that looks something like the following image when you log on:

 

This is, of course not what most people are used to seeing and it very likely is going to confuse the hell out of many point and click admins.

For some of us, well a lot of us, this is an extremely exciting development, it represents Microsoft truly trying to embrace security and efficiency in their operating system. The Shell stuff is stripped out as well as just about anything else that isn’t critical to basic operations. This means you can’t use Media Player to play MP3s or use I.E. to web surf… but you know what, you shouldn’t be doing that stuff on servers anyway. Servers are for real work, not screwing around.

Recently though, yesterday in fact, Susan Bradley of SBS fame mentioned on the ActiveDir Org list that at the MVP Summit another MVP said, and I quote:

“I saw this server core product while I was up there… what were they thinking! No one will use that! I told them they were crazy to even build that.”

That scares me and makes me question the sheer number of people we have as MVPs at the moment but that is a whole other story. I will just assume that this MVP was an XBOX MVP or Flight Simulator MVP or an SBS MVP and doesn’t see the sheer beauty and intelligence behind Server Core.

Microsoft kind of looked around at all of the vulnerabilities they had to patch and realized that if they stripped servers down to the core components, something like 80%+ of the patches weren’t needed. I am sort of making that percentage up based on something I heard a couple of years ago when they first announced this but I think it is pretty darn close. So that makes you wonder, how many other things does that protect you against? My answer… a veritable shitload… especially if you combine this lockdown of the number of bins on the box with all of the great security advances made in the Vista/Longhorn source tree. Sure some of the stuff is a pain in the ass and sure it is going to break a lot of programs but man it will be nice to feel relatively safe most of the time. Not living in constant fear of what is coming the second Tuesday of the month. Right now, if you religiously patch your servers, you are generally pretty lucky to have an uptime that exceeds a month. It isn’t that Windows Servers can’t do it, I used to do mad uptimes back in the 90’s on NT4 when the security environment wasn’t nearly so harsh, it is just that you have patches coming from the left, right and center every month and nearly all of the good ones require a reboot. So Server Core should help with this considerably.

Server Core is also a lot less .FAT than full blown Windows. It is Windows after Weight Watchers with a prom coming up and working to fit into that size 2 slinky dress… This is wonderful for virtualization. I shouldn’t need to list the reasoning behind that, exercise left to the class.

Now you have to keep in mind, with this stripped down version of Windows, not everything is going to run the same or possibly even at all on it. Right off, anything requiring IE is going to find a challenge here. Anything needing the .NET framework at least initially will be SOL. I have even seen bitching in various forums about apps that try to use the builtin ZIP functionality of Windows not working on Server Core… That would be because ZIP functionality isn’t core to the Windows OS… So before you think, I will run everything on this, you will need to be testing.

 

So joe, you ask with a coy look and a teasing flip of the hair… Who is going to use this thing?

Obviously I don’t agree with anonymous MVP guy and think it will be used but I also don’t think that everyone is going to go nuts and install it. I think eventually its use will be extremely high but it will take a bit to get there. I expect the initial deployers will be along these lines:

  1. Larger orgs with people who really dig into stuff and tend to understand how it works.
  2. Companies who are deploying crazy ass numbers of WAN sites (even if the overall company is small – company with 3000 people across 2000 branches).
  3. Admins who have multiplatform experience, i.e. Windows isn’t the only thing they ever professionally worked on.
  4. People seriously concerned about security exposure on their servers.
  5. People wanting to play with new cool stuff.
  6. Admins who want to keep certain servers safe from bad/clueless admins.

That last, #6, isn’t one I originally came up with when I posted this list to activedir.org earlier, but I fully concur with it. Thanks to Steve Evans for seeing I missed it and piped up with it.

 

Now who definitely won’t use Server Core? Right off, Admins who know nothing but the GUI and don’t have the ability to learn anything but the GUI. These people, IMO, need to be thinking that they may have a limited existence, certainly in larger orgs. I was also initially thinking SBS (Small Business Server) was straight out as well. But as I think about it more and more, I like Server Core in an SBS environment… My feelings are generally pretty well documented about how I am not a fan of extra services (read security exposure) on Domain Controllers. I mean, I don’t even like AV engines that have auto update capabilities or external interfaces to manage the software. Then you take an SBS server which is basically a Domain Controller with just about every other possible piece of Server Software that can possibly be installed without the box simply cutting its own throat. If you have a patch or something, say a critical DNS patch, that requires a reboot, in general, your whole domain, your file and print, your web server, your DB Apps, your mailboxes, your internet access, you name it, it all goes down because it is all on the same machine. Most people find that unacceptable. I know I do, if a domain goes down completely in a reboot I wonder what my chances are of it coming back up as well as the chances of me getting to some island before getting called back to fix it. It reminds me of the Disaster Recovery Plan I once heard from a guy who ran AD for a very large company… “We depend on the geographically distributed nature of our data centers and if that fails us we hope to be able to restore from a backup (but don’t test them). Plan B is a bag of cheese puffs and a one way ticket to Aruba.”

Err so where was I… Oh yeah, I segued from SBS with a 25 user count to a company approaching 200k users… how *do* I do that? So SBS… I think this would be a great place to run Server Core… You have some cool virtualization coming shortly after Longhorn called the Hypervisor or code name Viridian. Visualize your one physical SBS box running multiple virtuals, like for instance two virtual domain controllers, two virtual file servers, two virtual Exchange Servers, two virtual SQL Servers. Stuff clustered as necessary (AD obviously doesn’t need it) and voila, you now have a single physical server in use for SBS but set up so that rebooting a single server for patching or issues doesn’t lose you the whole darn environment. You will still need to occasionally lose the whole thing but I would expect it to be far less often since it would only have to be if the “Host” or physical box needed it. There could be one control guest server on the machine which was full whiz bang GUI and it would be configured to easily manage all of the various virtual guests on the machine. The SBS team could do some amazing things with this I think.

Ok this is enough for me, I am about ready to fall out of my chair and sleep on the floor.

   joe


5/10/2007

Shavlik and Microsoft says I don’t need to patch my Windows Server 2003 RTM Server for the DNS RPC Vulnerability so I am safe…

by @ 11:00 pm. Filed under tech

Ah no. In fact that is absolutely incorrect to the nth decimal place.

This has been coming up a lot lately and I have been fielding quite a few questions on it.

Plain and simple, if you have a Windows Server 2003 RTM Server and you have not disabled the DNS RPC Management Interface you are in immediate danger of being DOS’ed or being hacked. The code is out there. There is no patch for it for you. I blew up the DNS Service on a Windows Server 2003 RTM box about 15 times in a row today just to authoritatively prove it out. If I had the right offset values, I would be able to execute a remote shell as localsystem.

 

So what are the arguments that make you feel you are safe with Windows Server 2003 RTM?

1. I ran Shavlik and it didn’t say there were any patches needed on my Windows Server 2003 RTM Server. It must be safe!

1A: NO, you aren’t safe. This is very simple, Shavlik doesn’t do a security test of your machine, it does a patch list check. It looks at what MSFT has available for your machine and looks at what is installed on your machine, any delta is highlighted as something that needs to be installed.

 

2. I looked at the Microsoft Security Bulletin and it does not mention Windows Server 2003 RTM in the affected software category. It must be safe!

2A: NO, you aren’t safe… Correct, it isn’t mentioned in the affected software category. That category looks like:

Affected Software:
• Microsoft Windows 2000 Server Service Pack 4 — Download the update
• Microsoft Windows Server 2003 Service Pack 1 and Microsoft Windows Server 2003 Service Pack 2 — Download the update
• Microsoft Windows Server 2003 with SP1 for Itanium-based Systems and Microsoft Windows Server 2003 with SP2 for Itanium-based Systems — Download the update
• Microsoft Windows Server 2003 x64 Edition Service Pack 1 and Microsoft Windows Server 2003 x64 Edition Service Pack 2 — Download the update

However you also need to look at the Non-Affected Software category as well. It looks like:

Non-Affected Software:
• Microsoft Windows 2000 Professional Service Pack 4
• Microsoft Windows XP Service Pack 2
• Microsoft Windows XP Professional x64 Edition and Microsoft Windows XP Professional x64 Edition Service Pack 2
• Windows Vista
• Windows Vista x64 Edition

What don’t you see in the non-affected software list? You don’t see Windows Server 2003 RTM…. It isn’t specified on either list… There is a very simple reason.

 

Both 1 and 2 are related to the fact that Windows Server 2003 RTM went out of support on April 10, 2007. Yes, exactly one month ago. That means you will no longer see any hotfixes for that version of Windows. Period. Your option is to load either Service Pack 1 or Service Pack 2. Service Pack 1 will be supported until April 14, 2009. For a list of all support dates, check out http://support.microsoft.com/gp/lifesupsps#Windows

Something that confuses people is that Windows Server 2003 RTM is unsupported but Windows 2000 Server SP4 is supported. They think, hey Windows 2000 is older, if that is supported, obviously Windows Server 2003 RTM is supported. That isn’t how it works. I am not going to explain Microsoft Software Lifecycle policy but just trust me, it doesn’t work that way.

So if you take anything away from this blog post take these three things….

1. Windows Server 2003 RTM is NOT safe from the DNS Management RPC Interface Exploit.

2. Shavlik doesn’t do a security check, it does a patch check. If a patch doesn’t exist for your version of Windows, you won’t be told you need to patch that issue. Since Windows Server 2003 RTM is no longer supported, you should see no more patches listed as needed for it in Shavlik once you patch up to last month’s patch batch.

3. The Microsoft KBs do not specifically mention Software that is out of support. If you don’t see it, don’t assume that means you aren’t at risk.
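As an added example (not joe’s code and not a Shavlik or Microsoft tool), here is a cmd script that does the check the post argues a patch scanner will not: it reads ProductName and CSDVersion from the registry (CSDVersion is absent on an RTM install), checks whether the DNS Server service is actually running, and reads the DNS RpcProtocol value. The RpcProtocol value name and the meaning of 4 (RPC over LPC only, which disables remote RPC management of DNS) are taken from Microsoft’s published registry workaround for this issue rather than from the post; the script name dnsrpc-check.cmd and the exit codes are assumptions.

```batch
@echo off
setlocal EnableDelayedExpansion
REM dnsrpc-check.cmd - added example, not from the original post.
REM Exit codes (assumed): 0 not exposed, 1 remote DNS RPC on (verify patch),
REM 2 Windows Server 2003 RTM with remote DNS RPC on (no hotfix exists).

set "EXPOSED=0"
set "PRODUCT="
set "SP="

REM 1. Product and service pack. Value lines look like
REM    "    CSDVersion    REG_SZ    Service Pack 2", so tokens=2* gives the data.
for /f "tokens=2*" %%A in ('reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2^>nul ^| findstr /i "ProductName"') do set "PRODUCT=%%B"
for /f "tokens=2*" %%A in ('reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CSDVersion 2^>nul ^| findstr /i "CSDVersion"') do set "SP=%%B"
if not defined SP set "SP=none - RTM"
echo OS: !PRODUCT!   Service pack: !SP!

REM 2. Is the DNS Server service installed and running at all?
sc query DNS 2>nul | findstr /i "RUNNING" >nul
if errorlevel 1 (
    echo DNS Server service not running - DNS RPC interface is not exposed here.
    goto :verdict
)
echo DNS Server service: running

REM 3. Remote RPC management. RpcProtocol = 0x4 restricts the DNS RPC
REM    interface to LPC, i.e. local callers only. Absent means the default,
REM    which allows remote RPC.
set "RPC="
for /f "tokens=3" %%V in ('reg query HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v RpcProtocol 2^>nul ^| findstr /i "RpcProtocol"') do set "RPC=%%V"
if not defined RPC set "RPC=not set - default, remote RPC allowed"
echo DNS RpcProtocol: !RPC!
if /i not "!RPC!"=="0x4" set "EXPOSED=1"

:verdict
set "IS2003="
echo !PRODUCT! | findstr /i /c:"Server 2003" >nul && set "IS2003=1"
if defined IS2003 if "!SP!"=="none - RTM" if "!EXPOSED!"=="1" (
    echo.
    echo RESULT: Windows Server 2003 RTM with remote DNS RPC management enabled.
    echo No hotfix exists for RTM: install SP1 or SP2 plus the DNS update, or set
    echo RpcProtocol to 4 and restart the DNS Server service.
    exit /b 2
)
if "!EXPOSED!"=="1" (
    echo RESULT: remote DNS RPC management is enabled - confirm the DNS update is installed.
    exit /b 1
)
echo RESULT: remote DNS RPC management is off or DNS is not running.
exit /b 0
```

Run it on each DNS server rather than trusting the scanner report; the point of the post is that the scanner answers “is there a patch I can install” while this answers “is the interface reachable on a build nobody patches any more”.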

