Using Server Manager

OK, you’ve installed your server, performed the initial configuration tasks, and maybe installed a role or two-such as file server and DHCP server-on your machine as well. Now what? Once you close ICT, another new tool automatically opens-namely, Server Manager (shown in Figure 4-2). I like to think of Server Manager as “Computer Management on steroids,” as it can do everything compmgmt.msc can do plus a whole lot more. (Look at the console tree on the left in this figure and you’ll see why I said this.)

Figure 4-2: Main page of Server Manager

The goal of Server Manager is to provide a straightforward way of installing roles and features on your server so that it can function within your business networking environment. As a tool, Server Manager is primarily targeted toward the IT generalist who works at medium-sized organizations. IT specialists who work at large enterprises might want to use additional tools to configure their newly installed servers, however-for example, by performing some initial configuration tasks during unattended setup by using Windows Deployment Services (WDS) together with unattend.xml answer files. See Chapter 13, “Deploying Windows Server 2008,” for more information on using WDS to deploy Windows Server 2008.

Server Manager also enables you to modify any of the settings you specified previously using the Initial Configuration Tasks screen. For example, in Figure 4-2 you can see that you can enable Remote Desktop by clicking the Configure Remote Desktop link found on the right side of the Server Summary tile. In fact, Server Manager lets you configure additional advanced settings that are not exposed in the ICT screen, such as enabling or disabling the Internet Explorer Enhanced Security Configuration (IE ESC) or running the Security Configuration Wizard (SCW) on your machine.

Managing Server Roles

Let’s dig a bit deeper into Server Manager. Near the bottom of Figure 4-2, you can see that we’ve already installed two roles on our server using the ICT screen. We’ll learn more about the various roles, role services, and features you can install on Windows Server 2008 later in Chapter 5, “Managing Server Roles.” For now, let’s see what we can do with these two roles that have already been installed.

Clicking the Go To Manage Roles link changes the focus from the root node (Server Manager) to the Roles node beneath it. (See Figure 4-3.) This page displays a list of roles installed on the server and the status of each of these roles, including any role services that were installed together with them. (Role services will be explained later in Chapter 5.)

Figure 4-3: Roles page of Server Manager

The status of this page is updated in real time at periodic intervals, and if you look carefully at these figures you’ll see a link at the bottom of each page that says “Configure refresh.” If you click this link, you can specify how often Server Manager refreshes the currently displayed page. By default, the refresh interval is two minutes.

Selecting the node for the File Server role in the console tree (or clicking the Go To File Server link on the Roles page) displays more information about how this role is configured on the machine (as shown in Figure 4-4). Using this page, you can manage the following aspects of your file server:

• View events relevant to this role (by double-clicking on an event to display its details).

• View system services for this role, and stop, start, pause, or resume these services.

• View role services installed for this role, and add or remove role services.

• Get help on how to perform role-related tasks.

  
  Figure 4-4: Main page for File Server role

Note the check mark in the green circle beside File Server Resource Manager (FSRM) under Role Services. This means that FSRM, an optional component or “role service” for the File Server role, has been installed on this server. You probably remember FSRM from Windows Server 2003 R2-it’s a terrific tool for managing file servers and can be used to configure volume and folder quotas, file screens, and reporting. But in Windows Server 2003 R2, you had to launch FSRM as a separate administrative tool-not so in Windows Server 2008. What’s cool about Server Manager is that it is implemented as a managed, user-mode MMC 3.0 snap-in that can host other MMC snap-ins and dynamically show or hide them inline based on whether a particular role or feature has been installed on the server.

What this means here is that we can expand our File Server node, and underneath it you’ll find two other snap-ins-namely, File Server Resource Manager (which we chose to install as an additional role service when we installed the File Server role on our machine) and Shared Folders (which is installed by default whenever you add the file server role to a machine.) And underneath the FSRM node, you’ll find the same subnodes you should already be familiar with in FSRM on Windows Server 2003 R2. (See Figure 4-5.) And anything you can do with FSRM in R2, you do pretty much the same way in Windows Server 2008. For example, to configure an SMTP server for sending notification e-mails when quotas are exceeded, right-click on the File Server Resource Manager node and select Properties. (In addition to hosting the FSRM snap-in within Server Manager, adding the FSRM role service also adds the FSRM console to Administrative Tools.)

Figure 4-5: File Server role showing hosted snap-ins for File Server Resource Manager and Shared Folders

Here are a few more important things to know about Server Manager. First, Server Manager is designed to be a single, all-in-one tool for managing your server. In that light, it replaces both Manage Your Server (for adding roles) and the Add/Remove Windows Components portion of Add Or Remove Programs found on previous versions of Windows Server. In fact, if you go to Control Panel and open Programs And Features (which replaced Add Or Remove Programs in Windows Vista), you’ll see a link called Turn Windows Features On And Off. If you click that link, Server Manager opens and you can use the Roles or Features node to add or remove roles, role services, and features. (See Chapter 5 for how this is done.)

Also, when Server Manager is used to install a role such as File Server on your server, it makes sure that this role is secure by default. (That is, the only components that are installed and ports that are opened are those that are absolutely necessary for that role to function.) In Windows Server 2003 Service Pack 1 or later, you needed to run the Security Configuration Wizard (SCW) to ensure a server role was installed securely. Windows Server 2008 still includes the SCW, but the tool is intended for use by IT specialists working in large enterprises. For medium-sized organizations, however, IT generalists can use Server Manager to install roles securely, and it’s much easier to do than using SCW. In addition, while Server Manager can be used for installing new roles using smart defaults, SCW is mainly designed as a post-deployment tool for creating security policies that can then be applied to multiple servers to harden them by reducing their attack surface. (You can also compare policies created by SCW against the current state of a server for auditing reasons to ensure compliance with your corporate security policy.) Finally, while Server Manager can only be used to add the default Windows roles (or out-of-band roles made available later, as mentioned in the extensibility discussion a bit later), SCW can also be used for securing nondefault roles such as Exchange Server and SQL Server. But the main takeaway for this chapter concerning Server Manager vs. SCW is that when you run Server Manager to install a new role on your server, you don’t need to run SCW afterward to lock down the role, as Server Manager ensures the role is already secure by default.

Server Manager relies upon something called Component Based Servicing (CBS) to discover what roles and services are installed on a machine and to install additional roles or services or remove them. For those of you who might be interested in how this works, there’s a sidebar in the next section that discusses it in more detail. Server Manager is also designed to be extensible. This means when new features become available (such as Windows Server Virtualization, which we talked about in Chapter 3, “Windows Server Virtualization”), you’ll be able to use Server Manager to download these roles from Microsoft and install them on your server.

Server Manager is designed to manage one server only (the local server) and cannot be used to manage multiple servers at once. If you need a tool to manage multiple servers simultaneously, use Microsoft System Center. You can find out more about System Center products and their capabilities at http://www.microsoft.com/systemcenter/, and it will be well worth your time to do so. In addition, the status information displayed by Server Manager is limited to event information and whether role services are running. So if you need more detailed information concerning the status of your servers, again be sure to check out System Center, the next generation of the SMS and MOM platforms.

Unlike using Computer Management, you can’t use Server Manager to remotely connect to another server and manage it. For example, if you right-click on the root node in Server Manager, the context menu that is displayed does not display a Connect To A Different Computer option. However, this is not really a significant limitation of the tool because most admins will simply enable Remote Desktop on their servers and use Terminal Services to remotely manage them. For example, you can create a Remote Desktop Connection on a Windows Vista computer, use it to connect to the console session on a Windows Server 2008 machine, and then run Server Manager within the remote console session. And speaking of Computer Management, guess what happens if you click Start, right-click on Computer, and select Manage? In previous versions of Windows, doing this opened Computer Management-what tool do you think opens if you do this in Windows Server 2008?

Finally, a few more quick points you can make note of:

• Server Manager cannot be used to manage servers running previous versions of the Windows Server operating system.

• Server Manager cannot be installed on Windows Vista or previous versions of Microsoft Windows.

• Server Manager is not available on a Windows server core installation of Windows Server 2008 because the supporting components (.NET Framework 2.0 and MMC 3.0) are not available on that platform.

• You can configure the refresh interval for Server Manager and also whether the tool is automatically opened at logon by configuring the following Group Policy settings:

  • Computer Configuration\Administrative Templates\System\Server Manager\Do Not Open Server Manager Automatically At Logon

  • Computer Configuration\Administrative Templates\System\Server Manager\ Configure The Refresh Interval For Server Manager

The Security Configuration Wizard (SCW) reduces the attack surface of Windows Servers by asking the user a series of questions designed to identify the functional requirements of a server. Functionality not required by the roles the server is performing is then disabled. In addition to being a fundamental security best practice, SCW reduces the number of systems that need to be immediately patched when a vulnerability is exposed. Specifically, SCW:

• Disables unneeded services.

• Creates required firewall rules.

• Removes unneeded firewall rules.

• Allows further address or security restrictions for firewall rules.

• Reduces protocol exposure to server message block (SMB), LanMan, and Lightweight Directory Access Protocol (LDAP).

  SCW guides you through the process of creating, editing, applying, or rolling back a security policy based on the selected roles of the server. The security policies that are created with SCW are XML files that, when applied, configure services, Windows Firewall rules, specific registry values, and audit policy. Those security policies can be applied to an individual machine or can be transformed into a group policy object and then linked to an Organizational Unit in Active Directory.

  With Windows Server 2008 some important improvements have been made to SCW:

• On Windows Server 2003, SCW was an optional component that had to be manually installed by administrators. SCW is now a default component of Windows Server 2008 which means Administrators won’t have to perform extra steps to install or deploy the tool to leverage it.

• Windows Server 2008 will introduce a lot of new and exciting functionality in Windows Firewall. To support that functionality, SCW has been improved to store, process, and apply firewall rules with the same degree of precision that the Windows Firewall does. This was an important requirement since on Windows Server 2008 the Windows Firewall will be on by default.

• The SCW leverages a large XML database that consists of every service, firewall rule and administration option from every feature or component available on Windows Server 2008. This database has been totally reviewed and updated for Windows Server 2008. Existing roles have been updated, new roles have been added to the database, and all firewall rules have been updated to support the new Windows Firewall.

• SCW now validates all XML files in its database files using a set of XSD files that contains the SCW XML schema. This will help administrators or developers extend the SCW database by creating new SCW roles base on their own requirements or applications. Those XSD files are available under the SCW directory.

• All SCW reports have been updated to reflect the changes made to the SCW schema regarding support for the new Window Firewall. Those reports include the Configuration Database report, the Security Policy report and the Analysis report that will compare the current configuration of Windows Server 2008 against an SCW security policy.

  SCW provides an end to end solution to reduce the attack surface of Windows Server 2008 machines by providing a possible configuration of default components, roles, features, and any third-party applications that provide an SCW role.

  SCW is not responsible for installing or removing any roles, features, or third-party applications from Windows Server 2008. Instead, Administrators should use Server Manager if they need to install roles and features, or use the setup provided with any third party application. The installation of roles and features via Server Manager is made based on security best practices.

  While SCW complements well Server Manager, its main value is in the configuration of the core operating system and third-party applications that provide an SCW role. SCW should be used every time the configuration of a default component on Windows Server 2008 needs to be modified or when a third-party application is added or removed. In some specific scenarios, like for remote administration, running SCW after using Server Manager might provide some added value to some specific roles or features. Using SCW after modifying a role or feature through Server Manager is not a requirement, however.

  –Nils Dussart

  Program Manager for the Security Configuration Wizard (SCW), Windows Core Operating System Division

ServerManagerCmd.exe

In addition to the Server Manager user interface, there is also a command-line version of Server Manager called ServerManagerCmd.exe that was first introduced in the IDS_2 build of Windows Server 2008 (that is, the February CTP build). This command-line tool, which is found in the %windir%\system32 folder, can be used to perform the following tasks:

• Display a list of roles and features already installed on a machine.

• Display a list of role services and features that would be installed if you chose to install a given role.

• Add a role or feature to your server using the default settings of that role or feature.

• Add several roles/features at once by providing an XML answer file listing the roles/ features to be installed.

• Remote roles or features from your server. What ServerManagerCmd.exe can’t do includes the following:

• Install a role or feature, and change its default settings.

• Reconfigure a role or feature already installed on the machine.

• Connect to a remote machine, and manage roles/features on that machine.

• Manage roles/features on machines running a Windows server core installation of Windows Server 2008.

• Manage non-OOB roles/features-such as Exchange Server or SQL Server.

Let’s take a look at the servermanagercmd –query command, which displays the list of roles and features currently available on the computer, along with their command-line names (values that should be used to install or remove the role or feature from the command line). When you run this command, something called discovery runs to determine the different roles and features already installed.

After discovery completes (which may take a short period of time), the command generates output displaying installed roles/features in green and marked with “X”.

You can also type servermanagercmd –query results.xml to send the output of this command to an XML file. This is handy if you want to save and programmatically parse the output of this command.

Let’s now learn more about ServerManagerCmd.exe from one of our experts at Microsoft:

Rolling out a new internal application or service within an organization frequently means setting up roles and features on multiple servers. Some of these servers might need to be set up with exactly the same configuration, and others might reside in remote locations that are not readily accessible by full-time IT staff. For these reasons, you might want to write scripts to automate the deployment process from the command line.

One of the tools that can facilitate server deployment from the command line is ServerManagerCmd.exe. This tool is the command-line counterpart to the graphical Server Manager console, which is used to install and configure server roles and features. The graphical and command-line versions of Server Manager are built on the same synchronization platform that determines what roles and features are installed and applies user-specified configurations to the server.

ServerManagerCmd.exe provides a set of command-line switches that enable you to automate many common deployment tasks as follows:

View the List of Installable Roles and Features

You can use the –query command to see a list of roles and features available for installation and find out what’s currently installed. You can also use –query to look up the command-line names of roles and features. These are listed in square brackets [] after the display name.

Install and Uninstall Roles and Features

You can use the –install and –remove commands to install and uninstall roles and features. One issue to be aware of is that ServerManagerCmd.exe enables you only to install and uninstall. Apart from a few notable exceptions for required settings, you cannot specify configuration settings as you can with the graphical Server Manager console. You need to use other role-specific tools, such as MMC snap-ins and command-line utilities, to specify configuration settings after installing roles and features using Server-ManagerCmd.exe.

Run in “What-If” Mode

After you create a script to set up the server with ServerManagerCmd.exe, you might want to check that the script will perform as expected. Or you might want to see what will happen if you type a specific command with ServerManagerCmd.exe. For these scenarios, you can supply the –whatif switch. This switch tells you exactly what would be installed and removed by a command or answer file, based on the current server configuration, without performing the actual operations.

Specify Input Parameters via an Answer File

ServerManagerCmd.exe can operate in an interactive mode, or it can be automated using an answer file. The answer file is specified using the –inputPath <answer.xml> switch, where <answer.xml> is the name of an XML file with the list of input parameters. The schema for creating answer files can be found in the ServerManagerCmd.exe documentation.

Redirect Output to a Results File

It is usually a good practice to keep a history of configuration changes to your servers in case you need to troubleshoot a problem, migrate the settings of an existing server to a new server, or recover from a disaster or failure. To assist with record keeping, you can use the resultPath <results.xml> switch to save the results of an installation or removal to a file, where <results.xml> is the name of the file where you want the output to be saved.

–Dan Harman
Program Manager,
Windows Server, Windows Enterprise Management Division

You’ll learn more about using ServerManagerCmd.exe for adding roles and features in Chapter 5, but for now let’s move on and look at more tools for managing Windows Server 2008.

Remote Server Administration Tools

What if you want to manage our file server running Windows Server 2008 remotely from another machine? We already saw one way you could do this-enable Remote Desktop on the file server, and use Terminal Services to run our management tools remotely on the server. Once we have a Remote Desktop Connection session with the remote server, we can run tools such as Server Manager or File Server Resource Manager as if we were sitting at the remote machine’s console.

In Windows Server 2003, you can also manage remote servers this way. But you can also manage them another way by installing the Windows Server 2003 Administration Tools Pack (Adminpak.msi) on a different Windows Server 2003 machine, or even on an admin workstation running Windows XP Service Pack 2. And once the Tools Pack is installed, you can open any of these tools, connect to your remote server, and manage roles and features on the server (provided the roles and features are installed).

Is there an Adminpak for Windows Server 2008? Well, there’s an equivalent called the Remote Server Administration Tools (RSAT), which you can use to install selected management tools on your server even when the binaries for the roles/features those tools will manage are not installed on your server. In fact, the RSAT does Adminpak one better because Adminpak installs all the administrative tools, whereas the RSAT lets you install only those tools you need. (Actually, you can just install one tool from Adminpak if you want to, though it takes a bit of work to do this-see article 314978 in the Microsoft Knowledge Base for details.)

What features or roles can you manage using the RSAT? As of Beta 3, you can install management tools for the following roles and features using the RSAT:

• Roles

  • Active Directory Domain Services

  • Active Directory Certificate Services

  • Active Directory Lightweight Directory Services

  • Active Directory Rights Management Services

  • DNS Server

  • Fax Server

  • File Server

  • Network Policy and Access Services

  • Print Services

  • Terminal Services

  • Web Server (IIS)

  • Windows Deployment Services

• Features:

  • BitLocker Drive Encryption

  • BITS Server Extensions

  • Failover Clustering

  • Network Load Balancing

  • Simple SAN Management

  • SMTP Server

  • Windows System Resource Management (WSRM)

  • WINS Server

How do you install individual management tools using the RSAT? With Windows Server 2008, it’s easy-just start the Add Feature Wizard, and select the RSAT management tools you want to install, such as the Terminal Services Gateway management tool. (See Figure 4-6. Note that installing some RSAT management tools might require that you also install additional features. For example, if you choose to install the Web Server (IIS) management tool from the RSAT, you must also install the Configuration APIs component of the Windows Process Activation Service [WPAS] feature.)

Figure 4-6: Installing a management tool using the RSAT feature

The actual steps for installing features on Windows Server 2008 are explained in Chapter 5. For now, just note that when you install an RSAT subfeature such as TS Gateway, what this does is add a new shortcut under Administrative Tools called TS Gateway. Then if you click Start, then Administrative Tools, then TS Gateway, the TS Gateway Manager console opens. In the console, you can right-click on the root node, select Connect To TS Gateway Server, and manage a remote Windows Server 2008 terminal server with the TS Gateway role service installed on it without having to enable Remote Desktop on the terminal server.

Finally, the Windows Server 2003 Adminpak can be installed on a Windows XP SP2 workstation, which lets you administer your servers from a workstation. Can the RSAT be installed on a Windows Vista machine so that you can manage your Windows Server 2008 machines from there?

As of Beta 3, the answer is “not yet.” Plans for how RSAT will be made available for Windows Vista are uncertain at this moment, but it’s likely we can expect something that can do this around or shortly after Windows Vista Service Pack 1. We’ll just have to wait and see.