Remotely managing your Server Core using Compmgmt.msc

Remote management of Server Core installations helps you. It prevents you from having to struggle with the command line interface on the console of your Server Core installation, while at the same time benefit from a lot of the new stuff Windows Server 2008 and Server Core have to offer.

About MMC

I feel the best management tools available for Windows Server are Microsoft's own Microsoft Management Console (MMC) Snap-Ins, which have been around since the Windows NT4 Option pack and have been improved in functionality ever since. While the functionality of version 3.0 of the Microsoft Management Console (MMC) framework has increased to embrace Windows Server 2008, there are some pitfalls in remotely managing your Server Core installations using the most common Snap-Ins.

     

Computer Management

The most common remote management scenarios will be based on the Snap-Ins contained in the Computer Management Microsoft Management Console Snap-In (compmgmt.msc) on Windows Vista and Windows Server 2008. These Snap-Ins are:

• System Tools
  • Task Scheduler (taskschd.msc)
  • Event Viewer (eventvwr.msc)
  • Shared Folders (fsmgmt.msc)
  • Local Users and Groups (lusrmgr.msc)
  • Reliability and Performance (perfmon.msc)
  • Device Manager (devmgmt.msc)
• Storage
  • Disk Management (diskmgmt.msc)
• Services and Applications
  • Services (services.msc)
  • WMI Control (wmimgmt.msc)

Most of the Computer Management Tools can be easily accessed on Server Core by simply opening up the firewall to allow Remote Management and redirecting the Computer Management Microsoft Management Console Snap-In (compmgmt.msc) to your Server Core server.

The command to use on the console of your Server Core box should look something like:

netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

This will open up the three rules in the group that allow Remote Management.

    

System Tools

The following five MMC Snap-Ins in the System Tools folder inside the Computer Management Microsoft Management Console Snap-In (compmgmt.msc) are now unlocked:

• Task Scheduler (taskschd.msc)
• Event viewer (more on that below) (eventvwr.msc)
• Shared Folders (fsmgmt.msc)
• Performance Monitor (perfmon.msc)
• Device Manager (devmgmt.msc)

If your situation requires special firewall settings you can specify them using the information in my previous post on configuring the Windows Firewall in Server Core. For instance, this will show you how to allow only the local subnet or an IP range of computers to benefit from the enabled rule.

Reliability Monitor

The firewall rule will enable you to use the System Tools inside the Computer Management Microsoft Management Console Snap-In (compmgmt.msc). There's one exception though: the Reliability Monitor in the Reliability and Performance folder. (perfmon.msc) This tool is not available in Server Core and thus cannot be managed remotely. the Performance Monitor works though.

Event Viewer

A little while ago I wrote a blogpost on handling events in Server Core. Using the Event Viewer Snap-In (eventvwr.msc) is considerably more useful in most scenarios compared to using wevtutil.exe. Event Log Subscriptions and Event Forwarding might prove even more useful. In the mentioned blogpost I explained how to configure WinRM and the Event Viewer MMC Snap-In (eventvwr.msc) in a Windows Vista or Windows Server 2008 box to use these features.

Device Manager

By default the Device Manager (devmgmt.msc) is read-only. You can circumvent this default behavior by enabling remote management of the PnP interface through policies. This policy setting is located underneath Computer Configuration, Administrative Templates, System, Device Installation. It is called Allow remote access to the PnP interface.

You can change this policy by redirecting your Group Policy Editor (gpedit.msc) to your Server Core box (as described here) or using Group Policies within Active Directory. Don't forget to issue the gpupdate command on the console of your Server Core box when you want the policy to take effect promptly.

   

Storage

Disk Management (diskmgmt.msc) is a remote management item requiring a little tinkering. by default it won't work unless both machines are part of the same domain, (take a look at the Logon Considerations below for a workaround) both machines have the Remote Disk Management exception enabled for the Windows Firewall and the box to remotely manage has the Virtual Disk service started. (by default this service is set to start manual on Server Core)

Configuring the Virtual Disk Service

Because the Virtual Disk service is set to start manual on Server Core installations of Windows Server 2008, you need to set the service to start automatically and after that start the service. You can accomplish this using the following two commands from the console of your Server Core box:

sc config vds start=auto
net start vds

Enabling exceptions in the firewalls

Enabling the service is not enough. You need to enable the Remote Disk Management exception on the Server Core machine and the machine you're managing your Server Core from. That's right: both boxes.

Since NetSh is available on Windows Vista, full installations of Windows Server 2008 and Server Core installations of Windows Server 2008 you can simply type the following command on the managing box and the manageable box:

netsh advfirewall firewall set rule group="Remote Volume Management" new enable=yes

 

Now you're ready to begin using the Disk Management portion of the Computer Management MMC Snap-In.

   

Services and Applications

In the context of Server Core management the only two interesting things to mention in the Services and Application folder of Computer Management is the Services MMC Snap-in (services.msc) and the WMI Snap-In (wmimgmt.msc). They work just like the Snap-ins on Full installations of Windows Server 2008.

    

Delegation Considerations

If delegation is used in your scenario you can actually use the Windows Firewall to finely grained control who from where has access to what. The Windows Firewall in Windows Server 2008 actually has a lot of firewall rules (and rule groups) that are extremely useful for delegation.

These rule groups work, without enabling any other rule group to perform specific management tasks:

1. Remote Event Log Management
2. Remote Scheduled Task Management
3. Remote Service Management
4. Windows Firewall Remote Management
5. Performance Logs and Alerts

You can enable each of these groups using the command above. For example, to allow Windows Firewal Remote Management, simply type the following command on the console of your Server Core box:

netsh advfirewall firewall set rule group="Windows Firewall Remote Management" new enable=yes

Delegation can be extremely useful when combined with the Advanced Firewall security . The latter allows you to filter the usage of the open Management firewall rules based on:

• Allow all connections, or only encrypted connections
• Specify specific programs or services the rule applies (not available for built-in rules)
• Specify specific ports or protocols the rule applies (not available for built-in rules)
• Specify which local IP address the rule applies to
• Specify which firewall profile (domain, private, local) the rule applies to
• Specify which type of connections (LAN, Wireless, Remote access) the rule applies to
• Specify which remote IP address (range) the rule applies to
• Only allow connections from specific computers
• Only allow connections from specific users

   

Logon Considerations

In certain scenarios you will need to provide additional credentials. These scenarios might include: (but are not limited to)

• The server to be managed and the client/server from which you want to manage the server are not part of the same domain and there is no trust between the domains.
• The server to be managed and the client/server from which you want to manage the server are part of a workgroup configuration
• You have setup your environment according to the principle of Least Administrative Privilege and use a (non-administrative) user account on your workstation and want to be able to manage your Server Core installation from the workstation.

Using Cmdkey

In first two scenarios you can use Cmdkey.exe. This tools enables you to create, list and delete stored usernames and passwords or credentials. In this case you want to use cmdkey to create a stored username and password for the remote server on the client/server you want to use to remotely manage the server. The command will look something like:

cmdkey /add:ServerName /user:Servername\administrator /pass:*

Note:
This command will ensure the entered username and password will be used by default to access the server over the network. In some situations this will pose a security risk.

Alternatively you can use the User Accounts portion of the Control Panel to administer these network passwords. When you open User Accounts, there is a shortcut named Manage your network passwords. When you click the shortcut you can add, remove, edit network passwords. It also alows for backing up and restoring your list with Stored User Names and Passwords.

    

Concluding

Why struggle with the command line on the console of your Server Core when you can manage it remotely using Microsoft Management Console (MMC) Snap-ins?

Stay tuned, because I'm also looking at the Remote Server Administration Tools (RSAT), and the Hyper-V Release Candidate 0 Management tools. More posts on managing Server Core usng Microsoft Management Console are definitely on their way!

Further reading

Microsoft Management Console
Firewall management in Server Core, Part 2 
Handling Server Core Events 
Remotely Managing Windows 2008 Server Core Settings through MMC Snap-ins 
Remotely Manage Devices in Windows 2008 Server Core
Cmdkey 
Getting started with managing Server Core 
What you can and cannot do in Server Core 
Longhorn Server Core
TechNet forums - Problems remotely managing the Virtual Disk Service on Server Core
TechNet forums - Volume Manager on Server Core in Workgroup Editions - Access denied 
TechNet forums - Reliability and Performance Monitor 
TechNet forums - Server Core remote admin problem 
You do not have the requested permission to complete this task. Contact the administrator of the authorization policy for the computer ‘COMPUTERNAME’ 
How to use the “netsh advfirewall firewall” context instead of the “netsh firewall” context to control Windows Firewall behavior in Windows Server 2008 and in Windows Vista 
Introduction to Windows Firewall with Advanced Security
Configuring the Firewall on Server Core for Remote Management 
Configuring the Firewall on Server Core for Remote Management 
How to Configure Windows 2008 Advanced Firewall with the NETSH CLI
Configuring Windows Server 2008 Server Core 
Manage Server Core Remotely 
Managing Windows 2008 Server Core Local Settings 
Managing Windows 2008 Server Core Local Settings
Troubleshooting RPC across Firewalls (or, what the developers forgot to explain) 
Some basic commands will get you started with the GUI-less Server Core 
A few commands to get started with Windows Server Core 
Windows Server 2008: Windows Firewall with Advanced Security