Monday, February 9, 2009

Installing Windows Server 2008 Core part 2

So not exactly square one but time to repeat a couple of steps including configuring an IP address, changing the computer name, and enabling Remote Desktop. And why does the command prompt disable QuickEdit Mode by default — would anyone complain if Microsoft took it upon themselves to set some reasonable default settings?



Having installed R2, getting PowerShell is easy:

C:\> start /w ocsetup MicrosoftWindowsPowerShell

And starting it:

C:\> windows\system32\windowspowershell\v1.0\powershell.exe

The TechNet blog indicates .Net 2.0 is an optional install on Core. It's required for PowerShell and it is installed along with PowerShell as a prereq if it isn't already installed. And while I'm doing the .Net thing I might as well install 3.0 and 3.5 (note the command prompt, not PowerShell):

C:\> start /w ocsetup NetFx3-ServerCore

Set the date/time/timezone:

C:\> control timedate.cpl

And the international settings:

C:\> control intl.cpl

Allow the Event Viewer MMC snap-in to connect through the Windows Firewall. As an aside, I originally copied the following command from a TechNet webpage and when I ran it I was getting an error Group cannot be specified with other identification conditions. It turns out the quotes used on the webpage were the issue; replacing them with the standard double quotes fixed the problem:

C:\> Netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes

And the same for Services, Windows Firewall with Advanced Security. I would kind of like to know how to restrict the MMC connectivity to particular machines on the local network, something to add to my TODO list. Also note the group name Remote Service Management has Service singular. The sites I've been referencing, including TechNet, all have this as Services plural:

C:\> Netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes

C:\> Netsh advfirewall firewall set rule group="Windows Firewall Remote Management" new enable=yes

After some digging I believe I can now at least restrict MMC connectivity to my local subnet. This obviously isn't a panacaea but does adhere to the principle of defence in depth. Note these commands can't be applied to a rules group but must instead be applied to each individual rule in the group:

C:\> Netsh advfirewall firewall set rule name="Remote Event Log Management (NP-In)" new remoteip=localsubnet

C:\> Netsh advfirewall firewall set rule name="Remote Event Log Management (RPC)" new remoteip=localsubnet

C:\> Netsh advfirewall firewall set rule name="Remote Event Log Management (RPC-EPMAP)" new remoteip=localsubnet

C:\> Netsh advfirewall firewall set rule name="Remote Service Management (NP-In)" new remoteip=localsubnet

C:\> Netsh advfirewall firewall set rule name="Remote Service Management (RPC)" new remoteip=localsubnet

C:\> Netsh advfirewall firewall set rule name="Remote Service Management (RPC-EPMAP)" new remoteip=localsubnet

C:\> Netsh advfirewall firewall set rule name="Windows Firewall Remote Management (RPC)" new remoteip=localsubnet

C:\> Netsh advfirewall firewall set rule name="Windows Firewall Remote Management (RPC-EPMAP)" new remoteip=localsubnet

C:\> Netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip=localsubnet

Managing services remotely from my Vista VM using the Services snap-in doesn't provide an option to specify alternate credentials and as a consequence the connection fails with access denied. The convenient workaround for this is to add an administrative account with the same username and password as my Vista account to Win2K8:

C:\> net user dave letmein /add

C:\> net localgroup Administrators /add dave


So now I have convenient access to view the event log on the server and a familiar interface for managing services. So I might as well take the opportunity to disable DHCP, DNS Client, TCP/IP NetBIOS Helper.

2 comments:

Greg Gonzalez said...

Just ran into the same double-quote issues from the TechNet post. Wondering how many hours it would have taken me to figure this one out, as they look identical inside the shell. Thanks a ton for posting the error and solution!

Unknown said...

I just had the double quote thing happen as well. Thank you for the post on this issue. Thanks.