Less is More — Windows 2008 Server Core
In the movie Apollo 13 Jim Lovell (Tom Hanks) references “computers that fit in a single room,” as an example of how far technology has come.
In this day of powerful servers just an inch thick, it is easy to forget that just ten years ago a server was a very large computer. Each server cost thousands of dollars so the idea of “wasting” an entire server on just one or two functions was ridiculous.
File servers also served as domain controllers, and print servers, and WINS servers, and DHCP servers, and so on.
Managing severs meant going into the server room and accessing the server via its own keyboard and monitor. And, when Microsoft released a patch you installed it on every server in your enterprise.
Although the earliest servers did little more than allow files and printers to be shared while providing some basic user authentication, with each successive version, more functions were added. Each new function increased the resource requirements, as well as increasing the complexity of managing all of those functions.
Fast forward to today’s modern network environments where servers are managed remotely, and are routinely configured to perform just one specific task. In other words, all of the features of a full blown Windows Server install are no longer used by many servers. This is where the Windows 2008 Server Core Install comes in.
The Windows 2008 Server Core installation installs only the bare minimum of resources and functions. Minimum really means minimum.
There is no start bar, no Windows Explorer, no desktop shell, no PowerShell, no .Net framework, no Server Manager, no MMC Console, no Administrative Tools, and most of the Control Panel applets are missing as well.
So how do you manage a Sever Core?
Old school: using the command line and scripts. Anyone managing a Core Server will want to bookmark the A-Z command-line reference right away.
If you have trouble with this link, just go to Microsoft’s website, the A-Z command-line reference is under: Windows Server TechCenter > Windows Server 2003 Technical Library > Windows Server 2003: Product Help > Windows Server 2003 Product Help > Administration and Scripting Tools > Command-line reference or on Technet under “Windows Command-Line Reference A-Z”
You can also manage some (but not all) of the server functions remotely with the familiar MMC. So why would anyone do such a thing?
Fewer Resources, Better Security, Easier Maintenance
For starters, the Core install requires far less resources than the full install. Just half the disk space of a full install is required and the Core server can technically run on less than the “required” 512 MB of RAM (as little as 100 MB if no server roles are installed). Unfortunately, the setup program cannot run on less, so for practical purposes the minimum is 512 MB.
Even though most servers in the corporate environment today far surpass these minimums, if the operating system isn’t using those resources, then your programs can be using them which means faster response times and fewer resource management problems.
Equally important is the increased security such an installation provides. After years of locking down user accounts, group policies, and network connections, attacks no longer occur along the “front lines.” Gone are the days when hackers accessed servers via a brute force password program, or copying off the file containing user accounts.
Now, hackers gain access to servers by exploiting the inevitable flaws that creep into program code that stretches for millions of lines. An attack that allows unauthorized access by creating some sort of buffer overrun in the DHCP server process cannot be successful against a server that does not even have the DHCP code installed anywhere on the machine.
A Core Server installs approximately forty services by default versus nearly seventy-five services on a full install. That makes thirty-five fewer points of attack. This smaller footprint provides fewer targets not only for hackers, but for viruses and other malicious code as well.
Along with the increased security, a Core Install reduces the number of patches and updates that must be applied. Again, if the code does not even exist on the machine, there is no need to patch it. Indeed, there would be nothing to patch!
Microsoft has implemented the Server 2008 code in such a way that administrators will never have to sort through the various patches. All Server 2008 patches will be coded with applicability rules.
If the subsystem being updated does not exist on the server, the patch will automatically not be run. Preliminary data from Microsoft suggests that a Core Install would reduce server patches by 50% over a full install.
While decreased use of resources and better security are great, it isn’t much use if the server cannot perform a meaningful role in the enterprise. Therefore, the Server Core install can be extended by adding certain roles to the server.
In essence, the server becomes a “Core Plus” server. That is, a Core Sever plus the code for the additionally installed role. For example, a file and print server installed at a remote office with just a few users can be setup as a Core Plus File/Print Server.
Under this methodology, there will never be a need to manage, review the logs, or patch the Active Directory systems on that server. As a bonus, the server will run with considerably less overhead.
Available Roles for a Core Server Install are:
- Active Directory Server
- Active Directory LDS Sever
- DHCP Server
- DNS Server
- File Server (DFSR & NFS)
- Print Server
- Streaming Media Server
- Windows Virtualization Server
Most other roles cannot be installed on a Core Server and would require the full server code due to dependence on multiple subsystems or APIs.
Additionally, certain features can optionally be loaded on a Core Install including: Bitlocker, Failover Clustering, Multipath I/O, Removable Storage Management, SNMP Services, Subsystem for UNIX-based Apps, Windows Server Backup, Read Only Domain Controller, and WINS Server. Again, most other features would be unavailable.
Chances are many environments have servers acting in this fashion right now. It is likely that a DNS Server is not also handling print services.
With the Core Server installation such a server is transformed from being a fully installed server that allows a lot of code to sit unused into a server that only has the code it needs installed.
By providing the Core Install option, Microsoft has answered critics who complain about continuously bloating software and administrative overhead, while at the same time providing a valuable tool for arsenal of the design of enterprise architecture.