Server Core R2 DC promotion fails due to unavailable ADDS binaries

Standard

I encountered an issue promoting a Server Core R2 to a domain controller. The DCPROMO on Server Core is handled via unattended mode with answer file. The error I received is below. It was due to Server Core’s inability to install/confirm ADDS binaries.

C:UsersAdministrator>dcpromo /unattended:answer.txt
Checking if Active Directory Domain Services binaries are installed…
Failed to detect if Active Directory Domain Services binaries were installed. The error was: An error with no description has occurred.

And the DCPROMOUI.log also shed some light on the nature of the issue.

dcpromoui 504.204 001E 03:01:08.709     Unable to find identity string for package name Microsoft-Windows-ServerCore-Package
dcpromoui 504.204 001F 03:01:08.709   Failed to retrieve the parent package name
dcpromoui 504.204 0020 03:01:08.709   HRESULT = 0x800F0818
dcpromoui 504.204 0021 03:01:08.709   HRESULT = 0x800F0818
dcpromoui 504.31C 0022 03:01:08.709     HRESULT = 0x800F0818
dcpromoui 504.31C 0023 03:01:08.709   Enter GetErrorMessage 800F0818

My attempt to add the binaries via the DISM also failed.

dism /online /enable-feature /featurename:DirectoryServices-DomainController-ServerFoundation

Deployment Image Servicing and Management tool
Version: 6.1.7600.16385

Image Version: 6.1.7600.16385

Error: 0x800f0818

DISM failed. No operation was performed.
For more information, review the log file.

The DISM log file can be found at C:WindowsLogsDISMdism.log  

The OCSETUP attempt also failed sighting the same error.

ocsetup DirectoryServices-Domain-Controller-ServerFoundation

 

image

 

After I had ensured that the OS was up-to-date with patches and updates, I stumbled upon System Update Readiness Tool KB947821. What is System Update Readiness Tool ? it is a patch that helps you find the inconsistencies with system files.

System resources, such as file data, registry data, and even in-memory data, can develop inconsistencies during the lifetime of the operating system. These inconsistencies might be caused by various hardware failures or might be caused by software issues. In some cases, these inconsistencies can affect the Windows servicing store, and they can cause software updates not to work. The System Update Readiness Tool tries to resolve these inconsistencies.

The System Update Readiness Tool creates a log file that captures any issues that the tool found or fixed. The log file is located at the following location:

  • %SYSTEMROOT%LogsCBSCheckSUR.log
  • %SYSTEMROOT%LogsCBSCheckSUR.persist.log

On this Server Core, the CheckSUR.log indicated issues with two files (its an update specific MUM file with its catalog file), that the tool found to be corrupted.

Checking System Update Readiness.
Binary Version 6.1.7600.20822
Package Version 10.0
2011-02-19 20:53

Checking Windows Servicing Packages

Checking Package Manifests and Catalogs
(f)    CBS MUM Corrupt    0x00000000    servicingPackagesPackage_for_KB2207566_RTM~31bf3856ad364e35~amd64~~6.1.1.0.mum        Expected file name Microsoft-Windows-ServerCore-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.mum does not match the actual file name

Checking Package Watchlist

Checking Component Watchlist

Checking Packages

Checking Component Store

Summary:
Seconds executed: 165
Found 1 errors
  CBS MUM Corrupt Total count: 1

Unavailable repair files:
    servicingpackagesPackage_for_KB2207566_RTM~31bf3856ad364e35~amd64~~6.1.1.0.mum
    servicingpackagesPackage_for_KB2207566_RTM~31bf3856ad364e35~amd64~~6.1.1.0.cat

I also came across this Technet forum post, which is similar in nature but is applicable to different corrupt files with different symptoms, however it was this post that gave me the idea to fix my problem.

Solution :

1. I downloaded the KB2207566 (Windows6.1-KB2207566-x64.msu) as indicated by SUR log, and copied it to Server Core (c:temp). Note that this patch already had been installed but for some reason had the mentioned files corrupted.

2. I then extracted the MSU file into a sub folder and extracted the *.cab files.

C:UsersAdministrator>cd c:temp

c:temp>wusa Windows6.1-KB2207566-x64.msu /extract:c:servicingkb2207566

c:temp>cd kb2207566

c:tempkb982214>mkdir files

c:tempkb982214>expand Windows6.1-KB2207566-x64.cab -F:* files

The two files I had to replace were these :

image

The location for the existing files that had to be replaced was c:windowsservicingpackages and an issue I ran into, as it was indicated on the Technet post (when I simply attempted to UNC and copy from another regular W2K8 machine) was that these were protected files and the copy/create option was denied. Lot of systems folders/files in Windows 7 and Windows Server 2008 have a different owner than ‘administrators’ and the TrustedInstaller is set as owner and has full control rights set.

image

3. And I then opted to use the command line option to take the ownership of the folder and assign ‘administrators’ the full rights on the Server Core.

takeown /f c:windowsservicingpackages /r /d y

icacls c:windowsservicingpackages /grant administrators:F /T

4. And lastly I copied the extracted files and replaced.

C:tempkb982214files>copy "package_for_kb2207566_rtm~31bf3856ad364e35~amd64~~6
.1.1.0.cat" c:WindowsservicingPackages

Overwrite c:WindowsservicingPackagespackage_for_kb2207566_rtm~31bf3856ad364e
35~amd64~~6.1.1.0.cat? (Yes/No/All): y
      

1 file(s) copied.

C:tempkb982214files>copy "package_for_kb2207566_rtm~31bf3856ad364e35~amd64~~6
.1.1.0.mum" c:WindowsservicingPackages

Overwrite c:WindowsservicingPackagespackage_for_kb2207566_rtm~31bf3856ad364e
35~amd64~~6.1.1.0.mum? (Yes/No/All): y

1 file(s) copied.

No restart was required and the DCPROMO with the answer file succeeded as it was now able to install the ADDS binaries and the DC promoted successfully.

Note that prior to the fix I also noticed that I was unable to enable the remote management from the SCONFIG (option 4, sub option 3) which also worked afterwards.

Can I install KMS on Server Core ?

Standard

Server Core seems to be the perfect candidate for installing KMS. Key Management Service mediates your Volume Licensing with Microsoft Activation Services and acts as the man-in-the-middle for the activation for all your KMS clients that comprise of Vista, Windows 7, Windows Server 2008 and R2. With Windows 7 and Windows Server 2008 R2, what you have in KMS is Volume Activation 2.0. In contrast with KMS, what you have is MAK that stands for multiple activation key. MAK is targeted for clients that stay off the network whereas KMS is designed for your internal clients. Following I have a simple overview design of how it works.

image

My Windows Server 2008 R2 Server Core has a very small footprint, it is a single processor/20gb hd/512mb ram machine. The first thing you need is the KMS Host key from your Microsoft Volume Licensing site or from your TAM.
The command to register the machine as the KMS host is slmgr /ipk <your key>


moz-screenshot-5

Once it is registered, you need to activate the host itself. Run slmgr -ato
You can check the status and brief description of the KMS host by running slmgr –dli

moz-screenshot-6

The verbose information is provided via slmgr –dlv

moz-screenshot-7

Once KMS is setup, it will register its SRV record in DNS. You can verify from your workstation if it has done so via,

nslookup -type=srv _vlmcs._tcp

From then on clients will automatically be reverted to your KMS host for activation but as hinted in the drawing above, starting with Windows 7 and 08 R2, the minimum threshold (activation attempts/requests) that are needed to fully activate the KMS host is 25 Vista/Windows 7 clients or 5 Server 2008 (R2). This number can comprise of virtual and physical loads, previously this was limited to physical systems only. The slmgr -dlv will show you the total requests received.
Note that the KMS is desgined to let you better manage your internal activation for compliance reason. Micrsoft does not go receive any internal information from between the KMS host and KMS client. KMS has you abide your EA Volume Licenseing, check the VL Product Groups shown in the diagram that are pertinent for your environment. I find the group B to be most commonly required.

Important note : Installing/configuring the KMS does not open up the pertinent firewall port (default port 1688). From running “slmgr -dli” you will notice that it says that the KMS is listening on port 1688 but the rule is not enabled so you may do so like this.

netsh advfirewall>FIREWALL add rule name=”KMS” dir=in action=allow protocol=tcp
localport=1688
Ok.

For more information see this link.

Getting started with Server Core is easier now in R2

Standard

Perhaps, inspired by Guy’s utility ‘Server Core Configurator’. There is now a menu driven utility call SCONFIG.exe in R2 version of Server Core. This allows you to do all the initial configuration tasks, such as rename the computer, join to domain, set an new IP or DNS, or enabled the RDP etc.

08core-2009-06-09-19-54-57

Previously you had to rely on netdom, netsh, and WMIC to perform these initial tasks, unless you had the Server Core Configurator (as mentioned above) installed. Note that this SCONFIG menu is very much similar to that of Hyper-V menu.

Here are a few posts that you may find helpful for the pre-R2 Server Core.

http://www.shariqsheikh.com/blog/index.php/200804/how-to-setup-ip-configuration-of-windows-server-2008-server-core/
http://www.shariqsheikh.com/blog/index.php/200804/how-to-disable-windows-firewall-in-windows-server-2008-server-core/
http://www.shariqsheikh.com/blog/index.php/200804/how-to-enable-rdp-for-windows-server-2008-server-core/
http://www.shariqsheikh.com/blog/index.php/200804/how-can-i-rename-windows-server-2008-server-core/
http://www.shariqsheikh.com/blog/index.php/200804/how-to-activate-windows-server-2008-server-core/
http://www.shariqsheikh.com/blog/index.php/200804/how-to-promote-server-core-to-be-a-rodc/
http://www.shariqsheikh.com/blog/index.php/200805/install-server-roles-and-features-on-server-core/

Hyper-V is just like a server core, with Hypervisor added

Standard

Ever since Microsoft joined VMware in handing out their introductory type-1 hypervisor solutions (without management software) out for FREE, there is a fair share of confusion in IT community regarding the standalone Hyper-V. Hyper-V is a standalone product that will run on a bare-metal box and will need to be managed via Windows Server 2008 Hyper-V Management (feature). Hyper-V is built on Windows Server 2008 Server Core and Windows Admins will find it easy to adjust to managing it. Especially those who have had experience with Server Core.

I wrote a few posts earlier on managing Server Core, regarding the initial configuration, opening the needed ports thru firewall, network configuration etc. You will find that there is another layer of managment window on top of that CLI window you are used to seeing in Server Core. That window is there for you to manage the Hyper-V.

As you log in to Hyper-V both windows the CLI and Hyper-V Configuration pop up, with first one in the background. On Hyper-V configuration window, there is 16 options (sub-menu) that are pretty self explanatory and allow you to setup initial configurations such as adding the server to domain, configuring NIC, enabling RDP, and remote management (WinRM) and so forth.

Remember that with the substantial feedback from IT pros, this new version of Server Core (that Hyper-V is built upon) now has the limited .NET layer added which will make the server management easier but as expected it adds to its size to its previous versions. This is of course only part of recently released Hyper-V R2.

Here are some screenshots of Hyper-V R2.

Can a RODC also be a DHCP ?

Standard

Sounds like a no-brainer, but there is catch. I installed DHCP role on my Server Core that I had previously set up as Read-only Domain Controller, using this command.

start /w ocsetup DHCPServerCore

And then I went ahead and set the service configuration to “auto” with this command,

sc config dhcpserver start= auto (note the space between the equal sign and auto)

And then finally when I tried to start the DHCP service with the following command, it failed with these errors.

net start dhcpserver

A system error has occured

System error 50 has occured

The request is not supported

So the catch was, that since RODC can’t write back to the AD to create the needed DHCP security groups i.e DHCP Administrators and DHCP Users, the service would fail.

After creating those domain local security groups on another Windows Server 2008 RWDC, the service does run successfully and you can manage the DHCP Server (that is running on Server Core) from another server using RSAT.

Is there a GUI to manage Server Core ?

Standard

Yes there is. Inevitable as it was, we the System Admins like to accomplish easy tasks from the tip of our fingers, and do things in a graphical click-ing environment. You might have heard of this utility, which came out few months back called ‘Server Core Configurator’ by Guy Teverovsky. I had been reading about the bugs and fixes at Guy’s site and hadn’t given a try. I have now downloaded a copy thats has been fixed up and fine tuned per the request of other readers and users who tried out this utility. I installed it on my Server Core copy and I haven’t been disappointed, it lets you do a lot of common tasks such as adding the machine to the domain, running DCPROMO on it, changing NIC settings, changing display and time zone etc. which would otherwise require you know the command line or registry edit.

While this utility will come in very handy (until Microsoft perhaps comes out of their own), remember its Microsoft’s attempt to offer a small footprint OS of Core features with the likes of Linux based DHCP, and DNS system such Infoblox, and they have tried to persuade the System Admins to learn the powerful capabilities of Cscripts, WMI and Netsh. This does take us the other way a little bit. But I sure am happy to see an option that allows to me do all those initial configuration tasks GUI-ily.

You be the judge and give it a try, download it from here,

http://blogs.microsoft.co.il/files/folders/guyt/entry68860.aspx

P.S You can only launch the application from the folder where it was installed, i.e change the directory to the C:\Program Files\Server Core Configurator where it installs by default.

How to turn on Automatic Updates in Server Core

Standard

Its pretty simple to turn the automatic updates in Server Core by using scregedit to modify the registry, simply type in this command :

cscript c:\Windows\system32\scregedit.wsf /au 4

After that, you do have to stop and start the Windows Update service

net stop wuauserv
net start wuauserv

The swtich /au 4 sets the time for checking the updates at 3am. It also sets the server to reboot if the updates require it to. You can disable automatic updates by using /au 1 switch or /v to view the current settings. To force an immediate check for updates, run the following command:

wuauclt /detectnow

Remotley Administer Server Core from Vista or Windows Server 2008

Standard

You can use Windows Remote Shell (WinRS) in Vista and Windows Server 2008 to remotely manage and administer Server Core. The WinRS client passes the commands to a WinRS listener on Server Core, which passes the commands to a prompt, captures the output and returns it to the WinRS client. To do this, you have to enable Windows Remote Managment (WinRM) on Server Core, you will run the following command :

winrm quickconfig

You can then run for example this command to see the license status on the Server Core remotely from Vista or the full installation on Windows Server 2008

winrs -r:NameofServerCore "cscript c:\Windows\System32\slmgr.vbs -dli"

Note that you can also use tools such as Windows Management Instrumentation command line (WMIC) and PowerShell thru WMI calls to manager Server Core. At this time Server Core does not support PowerShell directly since it relies on .NET Framework which is not there in Windows Server without Windows

Install Server Roles and features on Server Core

Standard

So In Windows Server 2008, there are roles such as AD Domain Services, DHCP, DNS, the roles services pertaining to roles such as AD Certificate Services, DFS, and finally there are optional features such as .NET Framework Services, Network Load Balancine (NLB), etc. With the exception of the Active Directory Domain Services role, you install server roles and features by using the ocsetup command. The syntax for ocsetup is the same for roles and features. The command is case sensitive, and you need to know the correct capitalization for a server role or feature, you can get that by running oclist command.

For instance, the following command installs Windows Server Backup, which is a feature

start /w ocsetup WindowsServerBackup

Using the /w switch indicates when ocsetup has finished installing the new role of feature. It also stops user from initiating another command while it’s running.

You can also find out what is already installed by running following oclist syntax

oclist | find "installed"

How to promote Server Core to be a RODC

Standard

The Windows Server 2008 Server Core installation does support Read Only Domain Controllers (RODC). This support makes Server Core ideal for brance office scenarios. To make a Server Core part of your domain as RODC, you use the unattended answer file with the following text with your settings and passwords

[DCInstall]
InstallDNS=Yes
ConfirmGC=Yes
RebootOnCompletion=Yes
ReplicaDomainDNSName=2008.lab
ReplicaOrNewDomain=readonlyreplica
ReplicationSourceDC=dc3.2008.lab
SafeModeAdminPassword=
SiteName=Default-First-Site-name
UserDomain=2008.lab
UserName=admin08
Password=
CreateDNSDelegation=No

You can place the text file on the root of your C drive on the server core and run the following command

dcpromo /unattend:unattend.txt where unattend.txt is the text file you created above

Later on we will discuss other embedded command line structures and built-in programs such as OCSETUP which will allow you to add roles and features to your server core. Keep in mind that making the domain controller is the only setup you must not use OCSETUP for, and you must utilize DCPROMO for it, otherwise your server may not function properly.

After running the above process, you will notice that from a Windows Server 2008 full installation, using ADUC we can readily confirm that our DC is RODC.