Windows 2008 Server Core and Notepad
June 30, 2008 by philipflint
If you want to use Notepad in Server Core, just go ahead. Type Notepad and press return at the command prompt and you get the full GUI version of this tool.
Installing Windows 2008 Active Directory on Server Core (Existing Forest)
June 30, 2008 by philipflint
You can get a nice reference guide of the commands you can easily use to complete most tasks for Windows Server 2008 core from here (just follow the pages through to see all of the commands). But, if all you want to do is get a core DC up and running in an existing Windows 2008 forest then follow this guide. It follows on from my previous post Installing Active Directory on Windows 2008 (New Forest). So, if you’ve followed that, you should already have a DC running in its own forest.
To have a Windows Server Core machine acting as a DC, we first need to install server core and then promote the computer to be a domain controller. The setup screens for installing Server Core are very similar to those for Windows Server and so I have skipped the initial install on the basis that most people will be able to figure this out.
After installing Server Core there are a couple of things we need to do. Change the machine name, assign TCP/IP settings to the network cards etc.
To rename the server we use the netdom utility. The command is
Netdom renamecomputer OldComputerName /newname:NewComputerName
To make life easier, we can tokenise the OldComputerName by passing the command our existing computer name using the %computername% token. So, to change our computer name to “CoreDC” we would use the command
Netdom renamecomputer %computername% /newname:CoreDC
You will be asked to confirm the change as below.

Now the machine has a new name, we need to set its IP address. To do this, we may need to know the name of the interface on the card. This is usually “Local Area Connection”. In a virtualised or multi-card environment then this may not be the correct name. Indeed, there may be some circumstances (though I wouldn’t recommend it for a DC) where you want to have the server sitting in multiple subnets. To do this, we enter the command netsh interface ipv4 show interface to list all the ipv4 enabled interfaces.

To set the IP address for this interface we use the command
netsh interface ipv4 set address name="Local Area Connection" source=static address=10.1.1.2 mask=255.255.255.0 gateway=10.1.1.254 1
swapping the IP address, subnet mask and gateway for appropriate values and the connection name to the correct value found in the previous step. The 1 at the end of the command signifies the metric for this gateway – setting a metric of 1 sets this as the default gateway. As can be seen from the below, you do not receive an acknowledgement.

IPConfig shows that these values have been set.

We can now set our DNS and WINS values. The commands to use are
Netsh interface ipv4 add dns name="Local Area Connection" 10.1.1.1
Netsh interface ipv4 add dns name="Local Area Connection" 10.1.1.3 index=2
The above commands set 10.1.1.1 to be the primary dns server and 10.1.1.3 to be the secondary dns server. This can again be confirmed using IPConfig /all.

Similarly, WINS addresses can also be added and checked.

The server should now be rebooted using shutdown /r /f /t 0 for an immediate reboot.
Once rebooted and logged in, we can check that the server has the new machine name either using IPConfig /all or echo %computername%.

We can now add the computer to the domain, again using the Netdom utility. The command to do this is
Netdom join ComputerName /domain:NameOfDomainToJoin
Again, we can tokenise our computername. My lab has the domain name mydomain.local. Once entered, the command may take several seconds or a minute to complete, just as when you add a computer to the domain via the GUI in Windows 2000/2003. If successful, you will receive a message similar to the below.

We can now reboot the server with the same command as above shutdown /r /f /t 0
Like the GUI version, the AD binaries are not installed. However, unlike the GUI version, the binaries will be automatically installed when we run DCPromo. In the meantime, we may want to install DNS first and we can do this by adding the DNS role to the server using the command line version of Server Manager, OCSetup. To see the list of possible roles that can be installed, enter OCList.

To add the DNS role we can enter the following command
OCSetup DNS-Server-Core-Role
NOTE: This is a case sensitive command – if you mis-enter the command you will receive an error similar to the below.
Running OCList will now show that the DNS Server Core Role is installed

We can now run DCPromo as usual. However, as this is server core, just typing DCPromo merely shows the help file for the command. As we want to promote the server to be a DC in our domain we need to use the /promotion switch. To see the construction of the command we can enter dcpromo /?:Promotion. As this command is quite long you may want to output it to a text file
Dcpromo /?:Promotion > promotion.txt & promotion.txt
This will not only run the command and put its output into a file but also open that file in Notepad – yes, Server Core ships with the GUI version of Notepad! To make the text appear you will have to press any key after running the above command. This is because the help text for the promotion switch requires you to do this to complete.
To promote the server to be a DC in our domain we can enter the command
Dcpromo /unattend /replicaOrnewDomain:replica /replicaDomainDNSName:mydomain.local /ConfirmGC:yes /username:mydomain\administrator /Password:* /safeModeAdminPassword:LetmeIn123
This will run dcpromo, adding our server as a global catalog server to the mydomain.local domain. The Directory Services Restore Mode password will be set to LetmeIn123. We will be asked to enter the domain administrator password when the command is run (by way of the /Password:* switch).

The server will reboot itself as part of the install. Running OCList will now show Active Directory as being installed.

Alternatively, as we are in an existing forest / domain, you can always use the Users and Computers tool on another server to confirm that your Server Core machine is, in fact, a domain controller.
If you want to demote a Core server from being a domain controller, simply enter the command
Dcpromo /unattend /Administratorpassword:MyNewLocalAdminPassword
If you want to add your domain controllers in different ways, I set out below the RTM version of the Promotion help file, which shows the switches to locate the database and sysvol shares on different drives for space and / or performance reasons.
The following is a list of unattend parameters for promotion (default values are enclosed in <>):
/AllowDomainControllerReinstall:{Yes | <No> | NoAndNoPromptEither}
Specifies whether to continue installing this domain controller despite that a domain controller account with the same name is detected. Specify Yes only if you are sure that the account is no longer in use.
/AllowDomainReinstall:{Yes | <No> | NoAndNoPromptEither}
Specifies whether an existing domain is recreated.
/ApplicationPartitionsToReplicate:""
Specifies application partitions to be replicated in the format of "partition1" "partition2". If * is specified, all application partitions will be replicated.
/AutoConfigDNS:{Yes | No} default will be automatically computed based on the environment
Specifies whether Domain Name System (DNS) Server service should be installed.
/ChildName:"child_domain_name"
Specifies the single-label DNS name of the child domain.
/ConfirmGc:{Yes | No}
Specifies whether you want the domain controller to be a global catalog server.
/CreateDNSDelegation:{Yes | No} default will be automatically computed based on the environment
Specifies whether a DNS delegation for this domain should be created in the parent zone.
/CriticalReplicationOnly:{Yes | <No>}
Specifies whether the promotion operation performs only critical replication before reboot, and then continues, skipping the non-critical (and potentially lengthy) portion of replication. The non-critical replication will happen after the role installation has finished and the computer reboots.
/DatabasePath:"path_to_database_files" default is %SYSTEMROOT%\NTDS
Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer that contains the domain database. For example, C:\Windows\NTDS.
/DelegatedAdmin:"name of user or group"
Specifies the name of user or group that will install and administer the read-only domain controller.
/DNSDelegationPassword:{"password" | *}
Specifies the password for the user name (account credentials) to use for creating or removing DNS delegation. Specify * to prompt the user to enter credentials.
/DNSDelegationUserName:"user_name"
Specifies the user name (account credentials) used for creating or removing DNS delegation. If no value is specified, the credentials used for the domain controller installation or removal are used.
/DNSOnNetwork:{<Yes> | No}
Specifies whether DNS service is available on the network. This is used only when the network adapter for this computer is not configured with the name of a DNS server for name resolution. Specifying ‘No’ indicates that DNS server will be installed on this computer for name resolution. Otherwise, the network adapter must be configured with a DNS server name first.
/DomainLevel:{0|2|3}
The domain functional level cannot be lower than the forest functional level. Default will be automatically computed and set to the existing forest functional level or the value set for /ForestLevel
Specifies the domain functional level when creating a new domain. A value of 0 specifies Windows 2000. A value of 2 specifies Windows Server 2003. A value of 3 specifies Windows Server 2008.
/DomainNetBiosName:"domain_NetBIOS_name"
Assigns a network basic input/output system (NetBIOS) name to the new domain.
/ForestLevel:{<0>|2|3}
The default forest functional level when creating a new forest is Windows 2000 (0); do not use this switch when promoting a domain controller in an existing forest
Specifies the forest functional level when creating a new forest. A value of 0 specifies Windows 2000. A value of 2 specifies Windows Server 2003. A value of 3 specifies Windows Server 2008.
/InstallDNS:{Yes | No} default will be automatically computed based on the environment
Specifies whether Domain Name System (DNS) should be installed for the domain. This switch replaces /AutoConfigDNS.
/LogPath:"path_to_log_files" default is %SYSTEMROOT%\NTDS
Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer that contains the domain log files. For example, C:\Windows\Logs.
/NewDomain:{Tree | Child | <Forest>}
Indicates the type of domain that you want to create: a new forest, a new domain tree in an existing forest, or a child of an existing domain.
/NewDomainDNSName:"DNS_name_of_domain"
Specifies the fully qualified domain name for the new domain.
/ParentDomainDNSName:"DNS_name_of_domain"
Specifies the fully qualified domain name of an existing parent domain when installing a child domain.
/Password:{"password" | *}
Specifies the password corresponding to the user name (account credentials) used for the operation. Specify * to prompt the user to enter credentials.
/PasswordReplicationAllowed:{"security_principal" | None}
Specifies the names of user, group, and computer accounts whose passwords can be replicated to this RODC. Specify “None” if you want to keep the value empty. By default, only the Allowed RODC Password Replication Group is allowed, and it is originally created empty.
/PasswordReplicationDenied:{"security_principal" | None}
Specifies the names of users, groups, and computer accounts whose passwords are not to be replicated to this RODC. Specify “None” if you do not want to deny the replication of credentials of any users or computers. By default, Administrators, Server Operators, Backup Operators, Account Operators, and the Denied RODC Password Replication Group are denied. By default, the Denied RODC Password Replication Group includes Cert Publishers, Domain Admins, Enterprise Admins, Enterprise Domain Controllers, Enterprise Read-Only Domain Controllers, Group Policy Creator Owners, the krbtgt account, and Schema Admins.
/RebootOnCompletion:{<Yes> | No}
Specifies whether to restart the computer upon completion, regardless of success.
/RebootOnSuccess:{<Yes> | No | NoAndNoPromptEither}
Specifies whether to restart the computer upon successful completion.
/ReplicaDomainDNSName:"DNS_name_of_domain"
Specifies the fully qualified domain name of the domain in which you want to promote an additional domain controller.
/ReplicaOrNewDomain:{<Replica> | ReadOnlyReplica | Domain}
Specifies whether to install an additional domain controller (writable or RODC), or to create a new domain.
/ReplicationSourceDC:"DNS_name_of_DC"
Indicates the full qualified domain name of the partner domain controller from which you replicate the domain information.
/ReplicationSourcePath:"replication_source_path"
Indicates the location of the installation media that will be used to install a new domain controller.
/SafeModeAdminPassword:"password" default is empty password (it is required that you do not leave this value blank)
Supplies the password for the administrator account when starting the computer in safe mode or a variant of safe mode, such as directory service restore mode.
/SiteName:"site_name"
The default value depends on the type of installation. For a new forest, the default is Default-First-Site-Name. For all other installations, the default is the site that is associated with the subnet that includes the IP address of this server. If no such site exists, the default is the site of the replication source domain controller.
Specifies the name of an existing site where you can place the new domain controller.
/SkipAutoConfigDns
This switch is for expert users who want to skip automatic configuration of DNS, including creation of zones and configuration of client settings, forwarders, and root hints. The switch is only in effect if the DNS Server service is already installed on this server. If you specify this switch, ensure that zones are created and properly configured before you install Active Directory Domain Services (AD DS); otherwise, this domain controller will not operate correctly. If the DNS Server service is not installed on this server, this switch is ignored.
/Syskey:{<none> | system key}
Specifies the system key for the media from which you replicate the data.
/SysVolPath:"path_to_database_file" default is %SYSTEMROOT%\sysvol
Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer. For example, C:\Windows\SYSVOL.
/TransferIMRoleIfNecessary:{Yes | <No>}
Specifies whether to transfer the infrastructure master (IM) role to this DC, in case it is currently hosted on a global catalog (GC) server, and you do not plan to make this DC a GC. Choose Yes to transfer the IM role to this DC in case this is needed; in that case, make sure to specify “/ConfirmGC:No”. Choose No if you want the IM role to remain where it currently is.
/UserDomain:"domain_name"
Specifies the domain name for the user name (account credentials) used for the operation. It also helps to specify the forest where you plan to install the domain controller or create an RODC account. If no value is specified, the domain of the computer will be used.
/UserName:"user_name"
Specifies the user name (account credentials) used for the operation. If no value is specified, the credentials of the current user are used for the operation.
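The replica promotion shown earlier can also be driven from an answer file, which keeps the switch list reviewable, puts the database, logs and SYSVOL on separate drives, and keeps the restore mode password out of the typed command. The batch script below is an added example, not part of the original post or of Microsoft's help text; the answer file path, the D: and E: drive layout and the variable names are assumptions, and the [DCInstall] keys are the switch names listed above without the leading slash.

```batch
@echo off
rem Added example, not from the original post. Assumptions: the answer file
rem path, the D: and E: drive layout and the variable names below.
rem mydomain.local is the lab domain used in the post.
setlocal EnableExtensions EnableDelayedExpansion
set "ANSWER=%TEMP%\dcpromo-replica.txt"

rem Ask for the DSRM password at run time so it is never saved in this script.
rem set /p echoes what is typed, so the screen is cleared straight afterwards.
set "DSRM="
set /p "DSRM=Directory Services Restore Mode password: "
cls
if not defined DSRM (
    echo No DSRM password entered, nothing was changed.
    exit /b 1
)

rem Create the file empty and restrict it to Administrators and SYSTEM
rem before the password is written into it.
type nul > "%ANSWER%"
icacls "%ANSWER%" /inheritance:r /grant:r "*S-1-5-32-544:F" "*S-1-5-18:F" >nul
if errorlevel 1 (
    echo Could not restrict access to the answer file.
    del /f /q "%ANSWER%" 2>nul
    exit /b 1
)

rem Password=* makes dcpromo prompt for the domain administrator password.
rem !DSRM! is expanded late so special characters in the password are kept.
> "%ANSWER%" (
    echo [DCInstall]
    echo ReplicaOrNewDomain=Replica
    echo ReplicaDomainDNSName=mydomain.local
    echo ConfirmGc=Yes
    echo UserDomain=mydomain.local
    echo UserName=administrator
    echo Password=*
    echo DatabasePath=D:\NTDS
    echo LogPath=E:\NTDSLogs
    echo SysVolPath=D:\SYSVOL
    echo SafeModeAdminPassword=!DSRM!
    echo RebootOnCompletion=No
)
set "DSRM="

dcpromo /unattend:"%ANSWER%"
set "RC=%ERRORLEVEL%"

rem RebootOnCompletion=No returns control here, so the answer file can be
rem removed before the restart that finishes the promotion.
del /f /q "%ANSWER%"
echo dcpromo exit code: %RC%
echo Restart the server with: shutdown /r /f /t 0
endlocal & exit /b %RC%
```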
Changing the Screen Resolution in Windows Server 2008 Server Core
June 30, 2008 by philipflint
Once you install Server Core, and especially after installing VMWare tools, you may find that the screen resolution is amended and you only get a reduced screen as below.

As you can see, you don’t get a vast amount of screen estate and can’t scroll the command box. To fix this, you need to amend the registry. Now, while Server 2008 doesn’t contain many GUI based tools, one of them IS the registry editor. To start up regedit, simply type regedit (or regedt32 if you prefer) and press return. The keys you need to modify are
- HKLM\System\CurrentControlSet\Control\Video\{ClassID}\0000\DefaultSettings.XResolution
- HKLM\System\CurrentControlSet\Control\Video\{ClassID}\0000\DefaultSettings.YResolution
The ClassID is a GUID. There is one for each display driver installed on your system. You can tell which one is currently in use as below the 0000 Key you will have another Key called “Volatile Settings”.

So, you need to simply locate the appropriate ClassID for your current driver and, within the Key for that driver, find the DefaultSettings.XResolution and DefaultSettings.YResolution DWord values. You can then change them to appropriate values. When you open one of these values, you will notice that, by default, it is set to Hex.

Click on Decimal to see (and change) the decimal equivalent.

That is, by changing to decimal you can enter X as 1024 and Y as 768 (for example). Indeed, as you are in the registry, you can set ANY values you like, even non-standard ones or values that your card and / or monitor are not capable of displaying. So, choose sensible values (it is a generally non-GUI based O/S after all).
You can now reboot the server (using shutdown /r /f for example) and, after rebooting, you will have your new screen resolution.
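The same change can be made from the command prompt with reg.exe instead of regedit. The script below is an added example, not part of the original post; the script name setres.cmd and the variable names are assumptions, and it picks the driver key the way the post describes, by looking under each ClassID's 0000 key for a subkey whose name contains "Volatile".

```batch
@echo off
rem Added example, not from the original post.
rem Usage (script name is an assumption): setres.cmd 1024 768
setlocal EnableExtensions
set "VIDEO=HKLM\SYSTEM\CurrentControlSet\Control\Video"
set "XRES=%~1"
set "YRES=%~2"

rem Accept only plain decimal numbers for both values.
if not defined YRES goto usage
echo %XRES%| findstr /r /x "[1-9][0-9]*" >nul || goto usage
echo %YRES%| findstr /r /x "[1-9][0-9]*" >nul || goto usage

rem Walk the {ClassID} subkeys and keep the one whose 0000 key has a
rem volatile settings subkey, which marks the display driver in use.
rem If more than one matches, the last one listed is used.
set "TARGET="
for /f "delims=" %%K in ('reg query "%VIDEO%" ^| findstr /l /c:"{"') do (
    reg query "%%K\0000" 2>nul | findstr /i /l /c:"Volatile" >nul && set "TARGET=%%K\0000"
)
if not defined TARGET (
    echo No video key with volatile settings was found under %VIDEO%.
    exit /b 1
)

echo Updating %TARGET%
reg add "%TARGET%" /v DefaultSettings.XResolution /t REG_DWORD /d %XRES% /f >nul || exit /b 1
reg add "%TARGET%" /v DefaultSettings.YResolution /t REG_DWORD /d %YRES% /f >nul || exit /b 1

rem Show what was written. reg query prints DWORD values in hex,
rem so 1024 appears as 0x400 and 768 as 0x300.
reg query "%TARGET%" /v DefaultSettings.XResolution
reg query "%TARGET%" /v DefaultSettings.YResolution
echo Reboot for the change to take effect, for example: shutdown /r /f
exit /b 0

:usage
echo Usage: %~nx0 width height  (decimal values, for example 1024 768)
exit /b 1
```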

Install VMWare Tools on Windows 2008 Server Core
June 30, 2008 by philipflint
Windows 2008 Server Core, for the most part, does not allow GUI tools to run. If you are trying to learn 2008 in a VMWare Workstation environment, this can lead to poor performance due to the lack of VMWare drivers. Clicking on VM | Install VMWare Tools will not get you very far on its own. Instead, you need to undertake a command line installation of the tools.
First, to load the tools in your D: drive (presuming that you only have a C: drive configured for core), click on VM | Install VMWare Tools.
Next, transfer to your d: drive by typing d: and pressing return. Once there, list the contents of the d drive by use of the dir command.

Note that you can see setup.exe. Now, simply type setup and press return. Bizarrely, you will now be in the GUI based setup as normal.

Simply click on next, next, Install to complete the installation.

Hyper-V goes RTM
June 26, 2008 by philipflint
Hyper-V went RTM today. It’s been released as a patch to the version that shipped with Windows 2008 RTM. You can download the patch here.
Programming Windows Firewall
June 25, 2008 by philipflint
Here’s a trick for you for Vista. You can configure the Windows Firewall to allow / disallow incoming or outgoing ports and software. BUT if you just go in to Control Panel you won’t be able to see how to do this. Instead, follow the instructions below.
In Vista, click on Start and search for Firewall.

Note that you see two items – Windows Firewall and Windows Firewall with Advanced Security.
Select Windows Firewall with Advanced Security and Roberts your Mothers Brother.

Mark all Outlook Appointments as Private
June 25, 2008 by philipflint
It sometimes happens that your organisation decides that now would be a good time for everybody to start sharing diaries. However, you may already have a number of appointments set up where you don’t want other people to access the details. To mark all of the appointments in your calendar as private you can run a script that will read every item in your calendar, whether the appointment has occurred in the past or is due to take place in the future, mark the appointment as a private appointment and save that appointment (now marked as private) to your calendar. The script below was written for Outlook 2003.
To do this, open Outlook and press Alt + F11
This will open the visual basic editor

In the General window paste the code below
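' Marks every item in the default Calendar folder as private.
Dim myOlApp As New Outlook.Application
Public myOlItems As Outlook.Items
Public Sub MarkCalendarItemsAsPrivate()
    Dim Appointment As Object
    Set myOlItems = myOlApp.GetNamespace("MAPI").GetDefaultFolder(olFolderCalendar).Items
    For Each Appointment In myOlItems
        ' Set the sensitivity flag and write the change back to the calendar.
        Appointment.Sensitivity = olPrivate
        Appointment.Save
    Next Appointment
End Sub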
Your screen should now look like the below

Return to Outlook and click on Tools | Macro | Macros

With the MarkCalendarItemsAsPrivate item selected click on Run

Wait for about 60 seconds and access your calendar – all of your appointments should now be marked as private. You can now allow access to details of specific meetings but, remember, you will still need to mark all new appointments as private.
Piping Out to the clipboard
June 25, 2008 by philipflint
Installing Active Directory on Windows 2008 (New Forest)
June 25, 2008 by philipflint
To create a new forest on Windows 2008, follow these simple steps.
First, ensure that you have assigned at least a static IP V4 address to the server.
Install the Active Directory role: open Server Manager (Start | Server Manager) and click on Roles.
Click Next to go through the “before you begin” page.
Click on Next until the confirmation screen and then click on “Install”.
This will install the binaries to run Active Directory onto the server. It will not install Active Directory itself. For that, you still need to run DCPromo.
When the binaries are installed, click on close and you will see that the binaries are installed but there is an error (as DCPromo has not been run).
If you click on the “error” you will be taken to the next screen
Click on the link and DCPromo will run – in the alternative, you can just enter dcpromo in the search box or at a command prompt. Click through the first two notification screens and then select to create a new forest. Next, enter a DNS domain for your new forest root domain (the first domain in the forest).
Setup will then check that the DNS and Netbios names are not already in use. Select a forest functional level (select 2008 if you will only be running Windows 2008 domain controllers in this forest).
If you are not running a separate DNS infrastructure (and I recommend that you don’t) then select to install DNS.
If you have not configured static IP addresses on your server then you will receive the error below. It is likely that you will not have configured a static IP V6 address in most environments. If this is the case and you are not using IP V6 then this warning can be ignored (select the Yes option).
As we are installing DNS for the first time, the next error can also be ignored (click on Yes).
Next, select locations for the Active Directory Database, Logs and SYSVOL share. Depending on the size of your organisation you may want to move these items to separate disks on separate spindles to improve performance. If you are planning to use the sysvol share to install software, you may want to move this to a larger volume than the system volume to accommodate all of the installs.
You will then be asked to enter a password for Directory Services Restore Mode. This is not your domain password but is the password that will be used if you boot the domain controller to perform a restore (authoritative or non-authoritative) of Active Directory. This password should be complex and stored somewhere safe. I don’t recommend that you use a ‘standard’ password in the belief that you will remember it, as these do sometimes change, meaning that you will not recall this password when you need it most. I would suggest that, instead, the password is recorded in a secure password database.
You will then be asked to confirm the settings you are about to apply and will be given the opportunity to export these settings if you need to use them later in an answer file (something you shouldn’t do in this case as you wouldn’t normally want to create a new forest with the same domain name - you’d normally want to create another domain controller in this domain or another domain within this forest).
Click on Next and AD will start to install. You can also choose to set the server to reboot upon completion of configuration.
Once completed click on Finish (below).
Upon reboot, you will now have a new forest running Active Directory. As you can see, this is almost exactly the same process as for Windows 2000/2003 with the exception that you need to install the binaries first before you can promote the server to a Domain Controller.
Initial Configuration Tasks on Windows 2008 Lost Pane
June 25, 2008 by philipflint
If you’ve selected “Do not show this window at logon” and then can’t get back to the Initial Configuration Tasks pane in Windows Server 2008, simply click on the Start button, type oobe.exe in the search field and press return.
This command can also be run from a command prompt.











