Configuring Server Roles in Windows 2008 : New Roles in 2008

10/9/2010 7:39:34 PM
Windows Server 2008 offers many new ways to “skin the Active Directory cat,” if you will. With the introduction of these new roles is a new way to determine how they are implemented, configured, and managed within an Active Directory domain or forest. We will be discussing each of these Active Directory roles in depth later in this chapter, but the new roles (and the official Microsoft definitions) are as follows:
  • Read-only domain controller (RODC): This new type of domain controller, as its name implies, hosts read-only partitions of the Active Directory database. An RODC makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.

  • Active Directory Lightweight Directory Service (ADLDS): Formerly known as Windows Server 2003 Active Directory Application Mode (ADAM), ADLDS is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled applications, without the dependencies required for Active Directory Domain Services (ADDS). ADLDS provides much of the same functionality as ADDS, but does not require the deployment of domains or domain controllers.

  • Active Directory Rights Management Service (ADRMS): Active Directory Rights Management Services (ADRMS), a format and application-agnostic technology, provides services to enable the creation of information-protection solutions. ADRMS includes several new features that were available in Active Directory Rights Management Services (ADRMS). Essentially, ADRMS adds the ability to secure objects. For example, an e-mail can be restricted to read-only, meaning it cannot be printed, copied (using Ctrl + C, and so on), or forwarded.

  • Active Directory Federation Services (ADFS): You can use Active Directory Federation Services (ADFS) to create a highly extensible, Internet-scalable, and secure identity access solution that can operate across multiple platforms, including both Windows and non-Windows environments. Essentially, this allows cross-forest authentication to external resources—such as another company’s Active Directory. ADFS was originally introduced in Windows Server 2003 R2, but lacked much of its now-available functionality.

So, these are the roles themselves, but as also mentioned, they can be managed in a number of new ways:

  • Server Manager: This is likely to be a familiar tool to engineers who have worked with earlier versions of Windows. It is a single-screen solution that helps manage a Windows server, but is much more advanced than the previous version.

  • Server Core: Server Core brings not only a new way to manage roles, but an entirely new way to deploy a Windows Server. With Server Core, we can say goodbye to unnecessary GUIs, applications, services, and many more commonly attacked features.

Discussing Server Core is going to take considerably longer, so let’s start with Server Manager.

Using Server Manager to Implement Roles

Although we will be discussing Server Manager (Figure 1) as an Active Directory Management tool, it’s actually much more than just that.

Figure 1. Server Manager

In fact, Server Manager is a single solution (technically, a Microsoft Management Console [MMC]) snap-in that is used as a single source for managing system identity (as well as other key system information), identifying problems with servers, displaying server status, enabled roles and features, and general options such as server updates and feedback.

Table 1 outlines some of the additional roles and features Server Manager can be used to control:

Table 1. Partial List of Additional Server Manager Features
Active Directory Certificate ServicesManagement of Public Key Infrastructure (PKI)
Dynamic Host Configuration ServerDynamic assignment of IP addresses to clients
Domain Name ServiceProvides name/IP address resolution
File ServicesStorage management, replication, searching
Print ServicesManagement of printers and print servers
Terminal ServicesRemote access to a Windows desktop or application
Internet Information ServerWeb server services
Hyper-VServer virtualization
BitLocker Drive EncryptionWhole-disk encryption security feature
Group Policy ManagementManagement of Group Policy Objects
SMTP ServerE-mail services
Failover ClusteringTeaming multiple servers to provide high availability
WINS Server 
Legacy NetBIOS name resolution 
Wireless LAN ServiceEnumerates and manages wireless connections

Server Manager is enabled by default when a Windows 2008 server is installed (with the exception of Server Core). However, Server Manager can be shut off via the system Registry and can be re-opened at any time by selecting Start | Administrative Tools | Server Manager, or right-clicking Computer under the Start menu, and choosing Manage (Figure 2).

Figure 2. Opening Server Manager

So, those are the basics of Server Manager. Now let’s take a look at how we use Server Manager to implement a role. Since we will be discussing the four Active Directory roles in depth later in this chapter, let’s take the IIS role and talk about using the Add Role Wizard to install Internet Information Services (IIS).

Using the Add Role Wizard

Notice in Figure 1 that the Server Manager window is broken into three different sections:

  • Provide Computer Information

  • Update This Server

  • Customize This Server

Under the Customize This Server section, click the Add Role icon. When the wizard opens, complete the following steps to install IIS onto the server.

Click the Add Roles icon.

At the Before You Begin window, read the information provided, and then click Next.

From the list of server roles (Figure 3), click the check box next to Web Server (IIS) and then click Next.

Figure 3. List of Server Roles

If you are prompted to add additional required features, read and understand the features, and then click Add Required Features.

When you return to the Select Server Roles screen, click Next.

Read the information listed in the Introduction to Web Server (IIS) window, and then click Next.

For purposes of this exercise, we will select all of the default Role Services, and then click Next.

Review the Installation Summary Confirmation screen (Figure 4), and then click Install.

Figure 4. The Installation Summary Confirmation Screen

When installation is complete, click Close.

Notice that on the Server Manager screen, Web Server (IIS) is now listed as an installed role.

Configuring & Implementing...: Scripting vs. GUI

Sure, you can always use a wizard to implement a role, but you also have the option of using a script. Realistically speaking, it’s generally not the most efficient way to deploy a role for a single server, however. Unless you are going to copy and paste the script, the chance of error is high in typing out the commands required. For example, take the following IIS script syntax:

start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IIS-Common HttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing; IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASPNET; IIS-NetFxExtensibility;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter; IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IISLoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IISODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication; IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IISRequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic; IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IISManagementConsole;IIS-ManagementScriptingTools;IIS-Management-Service;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;IIS-LegacySnapIn;IIS-FTP PublishingService;IIS-FTPServer;IIS-FTPManagement;WAS-Windows ActivationService;WAS-ProcessModel;WAS-NetFxEnvironment; WAS-ConfigurationAPI

This script installs ALL of the IIS features, which may not be the preferred installation for your environment, and within the time it took to type it out, you may have already completed the GUI install!

Using Server Core and Active Directory

For years, Microsoft engineers have been told that Windows would never stand up to Linux in terms of security simply because it was too darn “heavy” (too much) code, loaded too many modules (services, startup applications, and so on), and was generally too GUI heavy. With Windows Server 2008, Microsoft engineers can stand tall, thanks to the introduction of Server Core.

What Is Server Core?

What is Server Core, you ask? It’s the “just the facts, ma’am” version of Windows 2008. Microsoft defines Server Core as “a minimal server installation option for Windows Server 2008 that contains a subset of executable files, and five server roles.” Essentially, Server Core provides only the binaries needed to support the role and the base operating systems. By default, fewer processes are generally running.

Server Core is so drastically different from what we have come to know from Windows Server NT, Windows Server 2000, or even Windows Server 2003 over the past decade-plus, that it looks more like MS-DOS than anything else (Figure 5). With Server Core, you won’t find Windows Explorer, Internet Explorer, a Start menu, or even a clock! Becoming familiar with Server Core will take some time. In fact, most administrators will likely need a cheat sheet for a while. To help with it all, you can find some very useful tools on Microsoft TechNet at This provides command and syntax lists that can be used with Server Core. The good news is, for those of you who want the security and features of Server Core with the ease-of-use of a GUI, you have the ability to manage a Server Core installation using remote administration tools.

Figure 5. The Server Core Console

Before going any further, we should discuss exactly what will run on a Server Core installation. Server Core is capable of running the following server roles:

  • Active Directory Domain Services Role

  • Active Directory Lightweight Directory Services Role

  • Dynamic Host Configuration Protocol (DHCP)

  • Domain Name System (DNS) Services Role

  • File Services Role

  • Hyper-V (Virtualization) Role

  • Print Services Role

  • Streaming Media Services Role

  • Web Services (IIS) Role


Internet Information Server is Microsoft’s brand of Web server software, utilizing Hypertext Transfer Protocol to deliver World Wide Web documents. It incorporates various functions for security, allows for CGI programs, and also provides for Gopher and FTP servers.

Although these are the roles Server Core supports, it can also support additional features, such as:

  • Backup

  • BitLocker

  • Failover Clustering

  • Multipath I/O

  • Network Time Protocol (NTP)

  • Removable Storage Management

  • Simple Network Management Protocol (SNMP)

  • Subsystem for Unix-based applications

  • Telnet Client

  • Windows Internet Naming Service (WINS)


BitLocker Drive Encryption is an integral new security feature in Windows Server 2008 that protects servers at locations, such as branch offices, as well as mobile computers for all those roaming users out there. BitLocker provides offline data and operating system protection by ensuring that data stored on the computer is not revealed if the machine is tampered with when the installed operating system is offline.

The concept behind the design Server Core is to truly provide a minimal server installation. The belief is that rather than installing all the application, components, services, and features by default, it is up to the implementer to determine what will be turned on or off.

Installation of Windows 2008 Server Core is fairly simple. During the installation process, you have the option of performing a Standard Installation or a Server Core installation. Once you have selected the hard drive configuration, license key activation, and End User License Agreement (EULA), you simply let the automatic installation continue to take place. When installation is done and the system has rebooted, you will be prompted with the traditional Windows challenge/response screen, and the Server Core console will appear.

Configuring the Directory Services Role in Server Core

So let’s put Server Core into action and use it to install Active Directory Domain Services. To install the Active Directory Domain Services Role, perform the following steps:

The first thing we need to do is set the IP information for the server. To do this, we first need to identify the network adapter. In the console window, type netsh interface ipv4 show interfaces and record the number shown under the Idx column.

Set the IP address, Subnet Mask, and Default Gateway for the server. To do this, type netsh interface ipv4 set address name= “<ID>” source=static address=<StaticIP> mask=<SubnetMask> gateway=<DefaultGateway>. ID represents the number from step 1, <StaticIP> represents the IP address we will assign, <SubnetMask> represents the subnet mask, and <Default Gateway> represents the IP address of the server’s default gateway. See Figure 6 for our sample configuration.

Figure 6. Setting an IP Address in Server Core

Assign the IP address of the DNS server. Since this will be an Active Directory Domain Controller, we will set the DNS settings to point to the DNS server. From the console, type netsh interface ipv4 add dnsserver name=“<ID>” address=<DNSIP> index=1. >. ID represents the number from step 1, and <StaticIP> represents the IP address of the DNS server (in this case, the same IP address from step 2).

So, here is where things get a little tricky. When installing the Directory Services role in a full server installation, we would simply open up a Run window (or a command line) and type in DCPromo. Then, we would follow the prompts for configuration (domain name, file location, level of forest/domain security), and then restart the system. Installing the role in Server Core isn’t so simple, yet it’s not exactly rocket science. In order to make this installation happen, we are going to need to configure an unattended installation file. An unattended installation file (see Figure 2.7) s nothing more than a text file that answers the questions that would have been answered during the DCPromo installation. So, let’s assume you have created the unattended file and placed it on a floppy disk, CD, or other medium, and then inserted it into the Server Core server. Let’s go ahead and install Directory Services:

Sign in to the server.

In the console, change drives to the removable media. In our example, we will be using drive E:, our DVD drive.

Once you have changed drives, type dcpromo answer:\answer.txt. Answer.txt is the name of our unattended file (see Figure 7).

Follow the installation process as it configures directory services. Once the server has completed the installation process, it will reboot automatically.

Figure 7. Installing Directory Services in Server Core

When the server reboots, you will have a fully functional Active Directory implementation!

  •  Windows Server 2003 : Creating and Configuring Application Directory Partitions
  •  Windows Server 2003 : Configuring Forest and Domain Functional Levels
  •  Windows Server 2003 : Installing and Configuring Domain Controllers
  •  Manage Server Core
  •  Configure Server Core Postinstallation
  •  Install Server Core
  •  Determine Your Need for Server Core
  •  Install Windows Server 2008
  •  Windows Server 2008 : Configure NAP
  •  Incorporate Server Core Changes in Windows Server 2008 R2
  •  Decide What Edition of Windows Server 2008 to Install
  •  Perform Other Pre-Installation Tasks
  •  Developing Windows Azure Services that Use SQL Azure
  •  Creating Windows with Mixed Content
  •  Mixing Windows and Forms
  •  Exploring an Assembly Using ildasm.exe
  •  The Assembly/Namespace/Type Distinction
  •  Communicate Between Two Machines on the Same Network (WCF)
  •  Communicate Between Processes on the Same Machine (WCF)
  •  Create a TCP/IP Client and Server
    Top 10
    Use Preview to Edit On Your Mac (Part 1)
    How fast is Windows 8? (Part 1)
    ASUS Radeon HD 7950 : is not only powerful, but also energy saving
    Safeguarding Confidential Data in SharePoint 2010 : Enabling SQL Database Mirroring
    IIS 7.0 : Managing Administration Extensions
    Gamepad - How It Works (Part 3) - Inside Kinect of Microsoft
    QPad MK-50 Pro Gaming Keyboard
    Just My Type (part 2) - ZAGGfolio,Writer Plus, keyPAD, Professional Workstation
    iPad Therapy (Part 3)
    Home Theatre Pc Software And Operating Systems (Part 7) - Playing Back Blu-rays
    Most View
    Kickstarting A Revolution? (Part 3)
    Beginer's Guide To Sports Photography (Part 3)
    Silverlight Recipes : Networking and Web Service Integration - Accessing Resources over HTTP
    Active Directory Domain Services 2008 : Seize the Schema Master Role, Seize the Domain Naming Master Role
    Windows 7 : Using Desktop Gadgets (part 1) - Using the Calendar gadget
    iPhone 3D Programming : Textures and Image Capture - Creating Textures with the Camera
    Windows Phone 7 Advanced Programming Model : Advanced Data Binding (part 3) - Showing Progress & Lazy Load Images
    SQL Server 2008 : Using the OUTPUT Clause with the MERGE Statement
    Apple's Undiscovered Country : Apple TV
    The Human Touch
    Binding Application Data to the UI objects in Silverlight
    Using the iPhone Simulator
    Microsoft SQL Server 2005 : Report Definition and Design (part 4)
    Samsung Series 5 530U4B
    iPhone Application Developmen : Using the View-Based Application Template (part 3)
    Choosing The Right Parts For Your Build (Part 2) - Choosing the right motherboard
    Windows System Programming : File Locking
    The Android Phone computer (Part 2) - The world of OTG & Big screen entertainment
    Windows Server 2008 : Domain Name System and IPv6 - Understanding DNS Queries
    Windows Phone 7 Development : Debugging Application Exceptions (part 1) - Debugging Page Load Exceptions