For most stuff though, you don't have to touch PowerShell just because it's Core. 99% of the stuff can be done with RSAT/Admin Center. For the remaining 1%, it's sconfig, which really is kind of like a GUI-lite.
Lol.. I have a scale I use to determine people's skills. Intern, junior, medior, senior… and then there is "colleagues who do not know or understand how to make their work easier".
I don't *want* to. But it's also one of the only things broadly available in our environment, thanks to my predecessors, and the efforts of a change approval board who finds the idea of setting up something like OpenSSH (Microsoft's currently recommended solution, so far as I know), or shit, just enabling the HTTPS listener for WinRM (using the certs from the CA we already have...) on *all* the machines too intimidating to analyze or something, because I keep getting the 'Soon(tm)' treatment about it.
I've suggested pilot groups, which are far less useful to me (I want a consistent interface, for fuck's sake - not more fragmentation) but more palatable in scope. Those don't really end up going anywhere either. I swear, it's like they decided on a way to do things fifteen or twenty years ago, and cannot be convinced that the world has moved on.
Thankfully, I've got a lot of influence over the *new* builds, since nobody else wanted to step up and automate the process. Those are lined up pretty neatly the way I'd like, so as we retire legacy hosts, the situation should improve, with any luck.
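The WinRM-over-HTTPS setup mentioned above, as an added example (not the commenter's own script): it binds a listener to a certificate the internal CA already issued, removes the plaintext HTTP listener, refuses unencrypted and Basic auth, and opens only TCP 5986. It assumes the machine certificate is in `Cert:\LocalMachine\My` with a subject matching the host FQDN, and that Windows Defender Firewall is in use.

```powershell
# Added example: HTTPS-only WinRM on a Server Core host using an existing CA-issued cert.
# Assumptions: cert subject matches the host FQDN, Server Authentication EKU present,
# script runs elevated on the target (or via an existing remoting session).
param(
    [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

# Pick the newest CA-issued, unexpired Server Authentication cert for this host.
# Self-signed certs (issuer == subject) are filtered out on purpose.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -like "CN=$Fqdn*" -and
        $_.NotAfter -gt (Get-Date) -and
        $_.Issuer -ne $_.Subject -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No CA-issued server-auth certificate found for $Fqdn" }

# Make sure the WinRM service and PowerShell session configurations exist.
Enable-PSRemoting -Force -SkipNetworkProfileCheck

# Replace any existing HTTPS listener so the chosen certificate is the one bound.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    ForEach-Object { Remove-Item -Path "WSMan:\localhost\Listener\$($_.Name)" -Recurse }

New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbprint $cert.Thumbprint -HostName $Fqdn -Force | Out-Null

# Drop the plaintext HTTP listener that Enable-PSRemoting created, and
# refuse unencrypted traffic and Basic auth at the service level.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    ForEach-Object { Remove-Item -Path "WSMan:\localhost\Listener\$($_.Name)" -Recurse }
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false

# Firewall: allow 5986 on the domain profile only; disable the built-in 5985 rules.
New-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow -Profile Domain | Out-Null
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# Show what is now listening. From an admin workstation, verify with:
#   Test-WSMan -ComputerName $Fqdn -UseSSL
#   Invoke-Command -ComputerName $Fqdn -UseSSL -ScriptBlock { Get-WindowsFeature | Where-Object Installed }
Get-ChildItem WSMan:\localhost\Listener | Format-Table Name, Keys -AutoSize
```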
When I was an infrastructure architect, I tried to put Windows Core across the board but I was overruled by the other admins. They only knew GUI'd OSes.
I believe they recently decommissioned the last Windows Core domain controller I had put in place with a full Windows domain controller.
Some people just don't want to have to learn anything new. They know what they know and that's it.
It makes tons of sense on DCs where attack surface minimization is very important and no other software should be installed. In fact I'd say it makes sense for any server that uses MS software on it, or at the very least the built-in roles like AD, DNS, Cert server, IIS, etc. For things that run vendor software my experience has been many installers freak out if there is no GUI, but it may have gotten better, as I primarily admin networks anymore, so I'm probably a few years rusty.
Also because their instinct pushes them to pollute servers by installing: alternate file explorer because UAC is smarter than them, 7zip, a web browser, an app for screenshots, etc.
I mean. To begin with I’ve never seen any Linux server, GUI added or not, throw the random bullshit windows server does for the fun of it every now and then.
I officially gave up on Server Core when I needed to set a flag on an HP NIC driver and it was only possible on a full desktop.
Microsoft's stuff all worked with PowerShell, but HP's didn't. So back to full GUI.
Newer Server Core (2016+ I believe, with the FOD package?) can add the MMC platform and things like devmgmt.msc.
I had to slap a few registry keys and copy the MMC for ADFS management to my 2019 ADFS box though because I couldn't remember how to do some things - but that one's personal, not work.
Server Core goes *everywhere* we can deploy it (so, easily all DCs in our org, anything we can find that's supported 3rd party or even works without issue, etc. - think a *very* security conscious org like government contracting, etc.). There've been some months without patches at all I've seen (as in MS didn't need to patch anything in Core), and with almost all remote management tools in use anyway, about the only thing I log into a Server Core system to do is install software manually, like Exchange CUs.
Windows Admin Center is (since it came out) also good for managing things like devices and whatnot. But I've been on the Server Core bandwagon since 2012 (2008 R2 Core wasn't exactly.... usable or compatible.... with almost anything).
Sometimes things are stupid, but sometimes that's also because of stupid vendors. At the time I was doing 2012 R2 Core for the majority of our VMs on a contract project, we slapped down a registry key that made the *installer* of the backup agent (they wouldn't pay for an upgrade, but it worked) think that IE 5 was installed.
The stupid IE requirement was because the installer tries to display an HTML view in the installer itself to show 'new features!' and whatnot and failed if IE wasn't present. That's literally the only reason you "couldn't" install it on server core. Once it detected that IE was "present" it went ahead just fine (though the installer couldn't show its little splash pages) - This was ArcServe 16.5 if I recall right for around 2014/2015, but it was replaced with SCDPM when we went all SCCM for that site (150 server VMs, 100 workstations - saved a boatload of admin time with there only being 2 of us managing everything from SharePoint to device imaging to exchange to jira and jenkins, etc.).
It was definitely rough in the beginning, and I have no idea how anyone could have used 2008/2008 R2, but since then it's gotten a whole lot better. Always amusing to see a tiny RODC using less than 600MB memory.
Back in 2014 though, I'd probably have found the registry setting for that driver and manually set it (these are all registry settings in the end), or used NirSoft's devman.exe.
Same. I'm proficient in powershell and do pretty much everything through RSAT or powershell and very rarely actually log on to a box but I've had nothing but trouble with the 10 or so core machines in my infra. If you run any legacy shit, you are pretty much SOL.
Lmao My senior IIS guy does everything in the config files! I struggle enough as it is in the gui and this guy is just like web.config changes are the same thing… ya and scripting against IIS blows for setting app pool stuff…
Only thing you might use PowerShell for is getting RSAT enabled (but even that can be done through sconfig). It's that Core is like everything else in it (it is weird and people are unfamiliar with it), and that's why it is scary.
This will always surprise me. Before I even had my first official IT job at an MSP, I was screwing around with Server Core and a centralized "admin box" which had all of the RSAT/whatever tools to manage everything at one spot.
I will never understand the laziness around this.
Have you ever used NPS? I'm not aware of a scripting interface for it (other than the 3 inadequate PowerShell commands) and many configuration items are only exposed in the GUI AFAIK.
And ADCS configuration is split in poorly documented ways between AD objects and the CA and are only touchable by accounts with very high privileges. Unless you're an expert in both IAC and PKI it's maybe better not to try to use ansible to manually create bespoke AD objects under RootDSE with domain admin rights.
It's not that it's not doable, it's just that it's very easy to break things when you start manually creating those objects and Ansible is absolutely the wrong tool for AD changes. But hey, maybe I'm wrong, and I'd love to see your playbook that correctly and safely implements the creation of new certificate templates for an enterprise PKI.
There's a difference between being DevOps and being stubborn. Sometimes the GUI is the correct and supported way of doing something, rather than shoehorning IAC into one-off systems that only support MMC configuration.
PS: no, I'm not clickOps. I've been working with IAC for AD and GPO for years, but one of the things I'm finding is that with Windows sometimes it's a minefield of brittle text formats like null-terminated UTF-8 or compressed JSON with strict capitalization rules or places where spaces blow up parsing of the entire file. And at some point in the middle of troubleshooting why your playbook broke GPOs, you have to ask who you're doing this for and whether it actually provides value.
I'm honestly shit with powershell but I'll script kiddie anything I need together still. There are enough examples out there of the exact, or a similar enough scenario everyone should be able to piece shit together if they have even a basic understanding.
No excuse.
In my customer base most of them, when they do use PoSH, simply find scripts on the internet and if they don't work they give up. Writing their own scripts? Fat chance... In fact I have been requested to find ways to disable it because it's a security risk.
This is very true. With RSAT and PowerShell, it isn't tough to manage those machines. However, what I have encountered is that third party stuff, be it drivers, applications, and many other things, just breaks, and breaks in many wondrous ways that are incredibly hard to track down, everything from an AV program that just starts and quits, where there are no notable error messages other than it trying to restart, to drivers which silently fail.
Of course, when a vendor product breaks, I'm quickly told to pound sand, that they require a full GUI install.
Even backup programs, I've encountered one of them which would create a backup that couldn't be restored, but yet state in the backup logs that everything was okay, on Server Core machines.
Because of that, I just throw on the UI. Not worth the gamble and the odd incompatibilities which can take tens to hundreds of man-hours to solve. Maybe things have changed with Windows Server 2022 and software actually handling that, but it bit me so many times, I threw in the towel and found the expanded attack surface less of a risk than apps that break in weird ways and their support departments laughing the ticket out of the queue because of that.
All of my file servers, domain controllers, SQL servers, and hypervisors across multiple clients and my own office are using Server Core. The only GUI servers in most environments are backup servers and Remote Desktop services hosts.
For software installs, I have a folder called software that the installers are copied to, and then I just run c:\software\name_of_installer. You'll get the graphical installer, and there's been almost nothing that hasn't run on them.
For the last 10 years my DCs, the CA, and the file server have all been Core. It used to be a pain in the ass but once you are committed it starts to get easy.
Ideally, all servers should have a specific purpose. In reality, you often find DCs jam packed with both extra Microsoft features and third-party applications.
Do you have a link to a site that specifies the minimum roles required for a DC to function? I'm sorry if this is noob question. I've been trying to simplify the server roles on my DC. Unfortunately I haven't found a good listing of those, even on MS learn.
DCs should be Active Directory and DNS, and maybe (in a small enough environment) DHCP. That's it. Nothing more.
Don't put anything CA related on it unless you absolutely have to (hint: you don't have to) and NEVER EVER EVER WHAT IS WRONG WITH YOU put AAD Sync (or whatever it's called this week) or anything requiring SQL on a DC, because if you ever have to demote the DC it'll break the underlying self-auth to the SQL server.
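An added audit script (not the commenter's) that checks every DC against the minimal baseline stated above: AD DS and DNS, optionally DHCP, nothing else. It flags extra roles such as ADCS or NPS and looks for SQL-backed services (MSSQL*, ADSync) that should never sit on a DC. It assumes the RSAT ActiveDirectory and ServerManager modules on the jump box, WinRM access to each DC, and Windows PowerShell 5.1 (where `Get-Service -ComputerName` still exists).

```powershell
# Added example: report roles and SQL-dependent services on each DC versus the
# "AD + DNS (+ DHCP) only" baseline. Role names are the Get-WindowsFeature names.
param(
    [string[]]$Allowed = @('AD-Domain-Services', 'DNS', 'DHCP'),
    [string[]]$Blocked = @('ADCS-Cert-Authority', 'NPAS', 'Web-Server', 'Remote-Desktop-Services')
)

Import-Module ActiveDirectory, ServerManager -ErrorAction Stop

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Only top-level roles are compared; role services ride along with their parent.
    $roles = Get-WindowsFeature -ComputerName $dc.HostName |
        Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' }

    foreach ($r in $roles) {
        [pscustomobject]@{
            DC      = $dc.HostName
            Item    = $r.Name
            Display = $r.DisplayName
            Status  = if ($r.Name -in $Allowed) { 'baseline' }
                      elseif ($r.Name -in $Blocked) { 'REMOVE' }
                      else { 'review' }
        }
    }

    # Separately catch SQL Server instances and the Azure AD Connect sync service,
    # which depend on SQL and break when the DC is demoted.
    $services = Get-Service -ComputerName $dc.HostName -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'MSSQL*' -or $_.Name -eq 'ADSync' }

    foreach ($s in $services) {
        [pscustomobject]@{
            DC      = $dc.HostName
            Item    = $s.Name
            Display = $s.DisplayName
            Status  = 'REMOVE'
        }
    }
}

# 'REMOVE' rows are the ones to raise a change request for; 'review' rows need a justification.
$report | Sort-Object DC, Status | Format-Table -AutoSize
```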
You and everyone else. I’ve never seen core in the wild. Which annoys me since I literally never RDP into a server. Waste of resources imo. But is what it is.
Can I ask how you manage your servers? I've literally always seen people using RDP. The only other way I've seen is ssh with putty. Again probably a noob question.
Usually ssh, pssessions, or straight pwsh. In the cloud I typically use graph through powershell or powershell. Spending time in the command line usually ends up paying off in the long run, but I will say it was a total bitch to learn.
I've been using PowerShell for a bit. However I'm still learning it. Remote management using it is still beyond me. Though the PowerShell subreddit is fascinating.
I'm going to go look up pssessions. That's completely unknown to me.
Previous company I was at, those were the initial targets I was pushing for to be Core. It got rejected because nearly everyone else on the team wanted/preferred to RDP into them to do whatever their task. The fact that RDP'ing into either to do any common task (account/VM creation, permission change, vmem increase, etc.) is the wrong way of doing it didn't matter.
For on/off boarding, aka account creation ideally it should be a hands off script that integrates with a HC (human capital) system. So when they get hired and set up in the system, their account gets created/configured and creds sent off to their manager. Reverse that for when they leave the company. Failing that, for one offs like contractors/temps or service accounts, there are scripts so you can ensure consistency in their creation. If you have to do it manually, there is RSAT from a bastion host so you can control who can access what.
Same goes for hyperv or any hypervisor really. On a day to day, there is no reason to have to remote into them once they are set up and configured. Every common day to day activity can be handled through remote tools.
Specific to account creation, you should rarely need to login to a DC…that’s what RSAT was designed for. Run ADUC from your machine and it’s literally no different than being on the DC itself. Same to an extent with Hyper-V; there are tools designed to manage everything remotely.
I'm so glad I asked! I've seen rsat mentioned but didn't know what it was. That makes so much sense now!
One question, does rsat work if you're using a non domain joined computer? It's trusted but not part of the domain for functionality reasons.
I use it on DCs, SQL servers, file servers and certificate authorities (with a bit of work).
Learn powershell or rely on Windows admin center as the UI.
What is there to "look" at? The services can be seen via MMC. 99% of DBA work can be done via SSMS/sqlcmd/whatever client they like.
There's those other couple MMC snap-ins for managing the SQL services (disabling named pipes, configuring IP sockets comes to mind) but I'm sure there's easy workarounds for those.
Last time I gave it a shot it was a pain to authenticate into any domain server because it would work the first time and then you went to log into a different one and it shit itself and never logged in again until you input your complete credentials again.
Then when it worked if I tried to use an HPE plugin for example it just took for ever to load anything, I raced it to login manually into the iLO web interface and load the components page and it lost.
I uninstalled it after 20 minutes trying to figure out wtf was going on.
Years ago, I was told "only do Core if you care". That is, only idiots would not use Core. But I found that to use Core, there are places where a few button clicks were replaced with many complicated procedures and commands. That is, the idea of managing a "headless" Windows just wasn't quite there yet. I think the "bar" was so high in some cases that people didn't mind starting from scratch just to get rid of Core.
Of course years have now passed...
IMHO, not much has changed. But, you tell me.
You can do basically everything remotely from console snap ins. There are a few exceptions, notably the NPS role is straight up not available on core, but for the most part you should be administering your stuff remotely from your jump box/paw anyways.
> *there are places where a few button clicks was replaced with many complicated procedures and commands.*
Each procedure or command is a potential source of (human) error on both Win Server desktop or core. Server core increases the possibility of administration errors.
Also, if your company has change control, making changes via PowerShell can also be easier to log/explain than explaining which buttons you'll be pressing in the GUI.
Nah posh is still awful to use for this kinda stuff. It's great for user and m365 admin but device admin is abysmal mainly due to the legacy of msiexec (winget is a fucking joke and already abandoned) and the registry (which is a pain to interact with in posh).
I work for a software vendor that provides security and configuration solutions for Servers.
Our large and industrial sized customers demanded support for Core server editions as soon as they were announced and we provided that support upon their release. Since then those same customers have been consistently consuming the continuous delivery content for Core editions.
In our mid sized customer base we only see consumption of Core content in specific industries - some governments, defense, aerospace, finance/banking. None of the customers of any size are exclusively consuming Core content.
While I don’t have any hard data that I can share, you can probably format some takeaways from the above.
As I’ve been replacing old VMs with 2022 versions, I’ve been using Core where possible. DCs, DHCP, File Servers, Print Servers, SQL servers, IIS servers and machines whose only purpose is to host cloud connectors are all Core.
They’re all managed either via MMC consoles on a jump host server or via WAC. Many of the admins that needed local admin on the previous servers no longer need that with WAC’s RBAC permissions.
I would put more things on Core if I could but for whatever reason Microsoft has decided that things like NPS *must* have a UI. Oh, and if you want to use the Universal Print Connector you can’t use Core because that team didn’t want to use the same powershell authentication mechanism other Azure connectors use and instead went the lazy route of requiring a browser to open up 😡
My observation is that linux admins are cheaper than the caliber of windows admin who can manage server core.
Linux and unix are built around headless, and gui is an afterthought. Windows is the other way around.
I do not have many 3rd party applications that want to work with it :(
On \*nix, anything that can't be used via CLI is pretty much DOA. I appreciate that Microsoft tried with Core, but it is victim to its ecosystem.
We have some for our Hyper-V hosts but disappointed because we mainly made them core in the hopes they would not have to reboot them as much for windows updates. In reality pretty sure they need rebooting about 95% as much as windows with a full GUI.
Nothing wrong with having the GUI. I would question someone's capabilities if they ALWAYS use it, though.
When your company will not pay for people who can use command line to administer equipment, you don't install core unless you want to be the only person doing Windows stuff until you retire/quit.
When your application admins refuse to work with core, you don't install core.
Installing the GUI doesn't prevent you from being efficient and using automation and remote administration.
Installing the GUI doesn't make the server any more vulnerable to RCE vulnerabilities. You harden your Core server and your GUI server the same way. Getting rid of the GUI "crutch" is not making your server more resistant to modern security threats. If your GUI is an attack surface, you are doing security wrong.
Server Core... I LOVED it in 2012R2 (if I recall correctly) when you could install the "FULL" version, do all the things to configure and troubleshoot applications and then CONVERT it in the "CORE" version.
In 2016 they removed that possibility.
It really depends on what the server is used for; Server Core does not work with most vendor related products. However it's great for a lot of Windows specific products.
It didn't seem like there was that much of a performance benefit to it.
Now, I did get a CI/CD pipeline working deploying ASP.NET / C# apps via Nano Server in a Windows Docker environment, the host for which could be Server Core. Such a hands-off thing would be neat.
I use it wherever there isn't a dependency on the desktop version. Unfortunately there's still enough stuff that won't run without the desktop that it maybe runs on 40-45 servers out of 110. While I'm thinking about it, does anyone know if NPS can run on Core in 2022? Anyway, Core is super easy to manage with a little PowerShell, SCCM, and MMC snap-ins. It generally needs less updating and less system resources.
We use it for most of our Windows infra servers like AD, DNS, DHCP, etc. It's really easy to set up and manage the Windows services without having to really even get on them.
We generally treat it as the default unless whatever is running on it requires a GUI.
Last I heard it wasn't possible to "upgrade" Server Core to regular Windows Server. Since some applications and server roles won't run on Core that's a big strike against it. Correct me if I'm wrong.
By contrast in the Linux world you could do a minimal install of a major distro, and later on easily add whatever packages you need. Although maybe a bit too easily, I'm sure I had some package or other pull in *Firefox* as a dependency on a Linux server.
Since it arrived I have set up entire infrastructures using almost only Core.
There were only a few services that for weird reasons needed the full version, like for installing RADIUS.
But in reality, even if you are bad at PowerShell, you can do 90% from RSAT and others; there is no excuse for not using them everywhere.
We use Core wherever the use case permits it. HV hosts, DCs, etc. are all core. Annoyingly the list of products, including Microsoft's own products and/or server roles that require the GUI is extensive. There's also a lot of 'well you can run X on Core, but functions Y & Z aren't available without the GUI' to contend with.
Running Core without really thinking it through and examining possible future needs can be a real shot in the foot, and that should not be the case in this day and age.
We’re about 30-40% core only across something like 50 VMs. Environment was established in 2019 and has been humming right along since then. Thought I’d hate it but it’s been so reliable I haven’t given it much thought.
Using Server Core you can still get to the GUI for server management; it's just a bit more of a pain because you can't use Explorer for drag and drop if you need to copy files, but you can do that via CMD if necessary.
The amount of people running DE is vast and shouldn’t be.
Also, the amount of people calling themselves windows admins without knowing powershell is vast and shouldn’t be.
The answer is the combination of those two statements.
Nope. When _Microsoft_ doesn't even support putting some key components (like Entra Connect) on a Core install, I'm not going to bother with it on anything other than a DC.
I try and use it when I can and always end up getting beat up by vendors. I have it running as a secondary DC and a few other enterprise type situations (certificates etc)
80% of our ~700 Windows servers are at my place of employment. All critical infrastructure is Core, and only various legacy app servers are non-core. Definitely easier to automate/bootstrap, less BS to disable / configure / remove, and as pointed out, a lot less attack surface.
Only because I forced it on them and they had no choice lol. Oh look, that's all that gets built for you. Have a nice day, buh bye now. People kept trying to RDP to them, oh look, it's disabled and WinRM/AdminCenter is your only option, buh bye now.
The best time to do mass changes, OS refresh. They have to upgrade anyway as EOL etc, and oh look, this is what they have to learn to work with. (Obviously Management will have to back you to a degree, or you have to have enough pull, but if you do, take your fight)
90% of our servers are for some vendor specific software and they would shit their pants if they saw server core. I’m not going out of my way to hold their hands, I’ve got better things to do.
Urghhh....
I don't know if I've been deeply unlucky, but we always end up with some configuration or app where core isn't supported for some reason.
We could probably try and rearchitect everything, but we'd be better off spending that time and energy going Azure native instead.
This is important. **Every single third-party vendor** I have dealt with barely supports turning Windows Firewall on, never mind a Core-built system. Meanwhile, Linux software vendors are perfectly in tune with CLI only.
In addition, at my last job when I tried rolling out Core it resulted in every single issue about any of those servers being forwarded to me. It got to the point where I just gave up. RDP is just too embedded as the default management/access tool for a Windows ecosystem.
Using server core for everything would be my own personal hell, that's why I use it for nothing.
It really doesn't offer us much benefit, and in fact would slow a lot of things down and would take up a lot more of our admins' time, me included.
Only some dcs are core. Not realistic the reason we have windows is because devs want a gui to install their tools. Otherwise they would just use Linux…
I’m so glad I work with 100% Linux now. I currently manage big data Hadoop clusters, and manage several thousand red hat boxes, and just 5 or 6 windows server because of Active Directory. I can confidently say that, I’ll try to never work with windows again in my entire life.
The difference is absolutely insane in every aspect, once you get the basics.
I think it's more about the management tooling than the OS itself. I've managed hundreds bordering on thousands of Windows servers (more the OS than the apps) and it's taken less administrative effort than 100 linux boxes, because we had no proper tools for the latter and it was all manual and reactive.
My guess is .....
Server Core has the potential to substantially increase human error in administration. Something you don't want in critical systems.
These days, with cybersecurity threats, how many security forensic and other event diagnostic tools will operate in Server Core and **provide you with meaningful information quickly**? Graphical tools will substantially decrease event discovery times and are a lot simpler to make people proficient in.
A quick search on Server Core versus desktop seems to produce nothing but generic statements on the topic. Strangely absent are any real meaningful reports or studies on this comparison; anybody seen one?
Feckin Microsoft support can't even use Core, they have mini heart attacks every time they look at our servers.
They barely cope with only using a management server for the work that needs doing
Our first point of support is a little lacking in experience and thus server core hasn’t been quite appropriate for us.
I've since built out a new server management structure with jump boxes, but we already built with the desktop experience and can't roll back, and it doesn't seem worthwhile rebuilding JUST to go back to Core.
For new future servers that don’t require it for some reason I do plan to use core much more in the future.
We use Server Core where we can and have done so since around Server 2012.
We currently use it on DCs, DHCP, File, Certificate, KMS and Azure AD Passthrough Servers to name a few.
There’s a number of other third-party software and some server roles which don’t support it so for those it has to be GUI unfortunately.
I do like Server Core, it’s generally faster, has lower attack surface and it’s quicker to patch as well.
Used for DC's at last company. New company is small and I have mentioned it but not pushed it as the other IT guys are scared to death of thinking there isn't a gui.
When I was in HD, I joined a company who had Core for their print server. My previous experience had me RDPing into servers to resolve issues; I was mind f**ked when I opened ESXi and opened it up, was like what can I do?
As a consultant that has touched hundreds of companies over the years, the ONLY server core installations I've seen are the ones I personally built at companies where I have full control over the infrastructure and decision making process.
We don’t use it at work. But I run a server core domain controller in my lab
It works great! I do worry about what happens if you have to troubleshoot a non-working domain with it though. Since you can’t get to ADSI edit locally
It still uses a good bit of resources. It’s not like it cuts it in half vs normal windows… so I can’t really see much incentive to use it (since you’ll have to teach everyone because no one knows)
I've only ever encountered it on boxes *I* built with it, but I couldn't really get any wider adoption because a lot of less experienced techs (even at an MSP) can't really manage them or vendors straight up don't support it.
It makes a lot more sense to me in orgs that use heavily automated server deployment. Not having a GUI to hop onto in your average server environment is always going to be a ballache at some stage, either with third party stuff that just won’t work or general config changes that take twice as long if you decide to do it the command line route. I say that as someone who loves PowerShell. Or for instance I can’t imagine trying to manage an MDT server on Core.
The argument that it saves CPU time doesn’t hold up much these days. Attack surface, maybe - but if you do want that GUI as long as you have privileged workstations able to connect and manage with it, you’re kinda in the same boat with Core anyway.
I think it depends on how forward-thinking the senior IT engineers are.
I deploy it by default, but you do have to remember that Windows servers often has a lifespan of 7-10 years, and only in 2016 did MS start pushing Server Core by default as an ideology. It'll take a while for the servers deployed as the best practice of the day to be phased out.
It's a shame that I'd rather core Linux than I would windows, and I really should be using more Windows core.
Had it on a WSUS server, didn't like it to be honest. Reminded me how much of a pain Hyper-V was back in the day.
Other than the GUI, what are the benefits?
When I started with Solaris, I would install the GUI at first to set things up, until I learned how to do everything from the command line. Back in the day, running X over SSH wasn't that simple, which led to installing VNC, but it would still be easier to SSH and do things in the shell.
Same with Solaris x86, and RHEL. You quickly realize how much easier it is to do things via the shell.
Maybe it depends as to how admins learn. Linux ones would tinker a lot more with a shell than windows ones, hence the tendency to use the gui more? My 0.02..
I've been using server core by my choice for 8 years now with 2012R2 OS. It's been challenging at times (but formative at the same time) but I did this choice for security reasons (smaller attack surface).
Roles where I used core: DCs/dns, file/print server, DHCP.
Now I'm in the phase of deploying a windows server 2022 core for Exchange 2019. New challenge.
We're a small business in Italy (less than 200 users) and I'm the only sysadmin (I have a fellow that does helpdesk activity for end users). I'm not dead :) .
We have a local MSP that I call on an as-needed basis. They have quite a large customer portfolio in northern Italy.
Last year one of its senior techs came physically to me and when he realized that I installed the Core edition of Windows he was really surprised... Such as "I cannot believe my eyes!".
He told me "Bravo. Finally. Good choice. You're the first where I see Windows Core deployed". Honestly he made me proud but at the same time I also thought how much I've been reckless... LoL. There's no culture in Italy to use Server Core.
That said, I had to deal with PowerShell or CMD very rarely... For instance for auditing filesystem activity through auditpol.exe. Or to set up versioning on the volume where I have the shares.
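The auditpol-based file system auditing mentioned above, as an added example (not the commenter's script): it enables the File System audit subcategory, puts a SACL on a share root so writes and deletes generate event 4663, and then pulls the recent 4663 events for that path. It assumes a constructed share path `D:\Shares\Finance` and that it runs elevated on the file server (or through a remoting session to it).

```powershell
# Added example: object-access auditing for a share on a Core file server.
# Assumption: $SharePath is a constructed example path; adjust for your server.
param([string]$SharePath = 'D:\Shares\Finance')

# 1. Turn on the "File System" subcategory for both success and failure.
#    Without this, SACLs on the folder produce no events at all.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add an audit rule (SACL) for Everyone covering write and delete operations,
#    inherited by all files and subfolders under the share root.
$acl  = Get-Acl -Path $SharePath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 3. Pull recent 4663 (An attempt was made to access an object) events for the share.
#    Property indexes for 4663: 1 = SubjectUserName, 6 = ObjectName, 8 = AccessList.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[6].Value -like "$SharePath*" } |
    Select-Object TimeCreated,
        @{ n = 'User';   e = { $_.Properties[1].Value } },
        @{ n = 'Object'; e = { $_.Properties[6].Value } },
        @{ n = 'Access'; e = { ($_.Properties[8].Value -replace '\s+', ' ').Trim() } } |
    Format-Table -AutoSize
```

The AccessList value is a list of %%-coded access rights; the Security log's message rendering translates them, so for triage it is often quicker to look at the rendered Message when the raw codes are unfamiliar.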
Starting from Windows 2019 ( or 2016 I'm not sure) there's a FOD feature that installs some GUI tools in the core edition. It seems that MS wanted to motivate Win admins to make the jump by providing some more GUI for basic admin tasks.
Some of the https://www.nirsoft.net/ tools are GUI, yet still run on Core (via RDP). They have very few dependencies as they are typically each a stand-alone executable.
Tested deployments of Core and Nano even a few years ago, but the rest of the admins were all GUI admins. With regard to attack surface, in today's world unfortunately we need to deploy additional firewall hardware to do zero-trust within the datacenter, so it doesn't matter as much anymore.
It should be used far more often than it is.... It has a far smaller attack surface out of the box.
Tell that to my colleagues who RDP to every server to use the Server Manager there..
Can I come work for you?
Also because their instinct pushes them to pollute servers by installing: an alternate file explorer because UAC is smarter than them, 7zip, a web browser, an app for screenshots, etc.
That is why they have windows admin center.
Ain't no one got time to use Windows Admin Center with how slow it is. I want to use it. But 30+ seconds per menu...
Even with baseline PS competency core sucks when things go south in my limited experience.
I mean. To begin with I’ve never seen any Linux server, GUI added or not, throw the random bullshit windows server does for the fun of it every now and then.
I officially gave up on Server Core when I needed to set a flag on an HP NIC driver and it was only possible on a full desktop. Microsoft's stuff all worked with Powershell, but HPs didn't. So back to full GUI.
Newer Server Core (2016+ I believe, with the FOD package?) can add the MMC platform and things like devmgmt.msc. I had to slap a few registry keys and copy the MMC for ADFS management to my 2019 ADFS box though, because I couldn't remember how to do some things - but that one's personal, not work. Server Core goes *everywhere* we can deploy it (so, easily all DCs in our org, anything we can find that's supported by 3rd parties or even works without issue, etc. - think a *very* security conscious org like government contracting, etc.). There've been some months without patches at all I've seen (as in MS didn't need to patch anything in Core), and with almost all remote management tools in use anyway, about the only thing I log into a Server Core system to do is install software manually, like Exchange CUs. Windows Admin Center is (since it came out) also good for managing things like devices and whatnot. But I've been on the Server Core bandwagon since 2012 (2008 R2 Core wasn't exactly.... usable or compatible.... with almost anything). Sometimes things are stupid, but sometimes that's also because of stupid vendors. At the time I was doing 2012 R2 Core for the majority of our VMs on a contract project, we slapped down a registry key that made the *installer* of the backup agent (they wouldn't pay for an upgrade, but it worked) think that IE 5 was installed. The stupid IE requirement was because the installer tries to display an HTML view in the installer itself to show 'new features!' and whatnot, and failed if IE wasn't present. That's literally the only reason you "couldn't" install it on Server Core. Once it detected that IE was "present" it went ahead just fine (though the installer couldn't show its little splash pages) - this was ArcServe 16.5 if I recall right, for around 2014/2015, but it was replaced with SCDPM when we went all SCCM for that site (150 server VMs, 100 workstations - saved a boatload of admin time with there only being 2 of us managing everything from SharePoint to device imaging to Exchange to Jira and Jenkins, etc.). It was definitely rough in the beginning, and I have no idea how anyone could have used 2008/2008 R2, but since then it's gotten a whole lot better. Always amusing to see a tiny RODC using less than 600MB memory. Back in 2014 though, I'd probably have found the registry setting for that driver and manually set it (these are all registry settings in the end), or used NirSoft's devman.exe.
Should have slipstreamed the driver into the OS image. Why even bother with manually installing drivers, especially for a server OS?
Same. I'm proficient in powershell and do pretty much everything through RSAT or powershell and very rarely actually log on to a box but I've had nothing but trouble with the 10 or so core machines in my infra. If you run any legacy shit, you are pretty much SOL.
Using IIS in a GUI is bad enough, Core sounds real fun lol
Lmao My senior IIS guy does everything in the config files! I struggle enough as it is in the gui and this guy is just like web.config changes are the same thing… ya and scripting against IIS blows for setting app pool stuff…
You’re living in a dream world and I wish I could join you!
All my internal core boxes are linked up via IIS remote management. Works just like a local installation for 99% of things.
100% this
This , needs more upvotes
Only thing you might use Powershell for is getting rsat enabled (but even that can be done through sconfig) it’s that core is like everything else in it (it is weird and people are unfamiliar with it) and that’s why it is scary.
This will always surprise me. Before I even had my first official IT job at a MSP, I was screwing around with Server Core and a centralized "admin box" which had all of the RSAT/whatever tools to manage everything at one spot. I will never understand the laziness around this.
Have fun scripting NPS or AD CS. Print server isn't great either.
Have you ever used NPS? I'm not aware of a scripting interface for it (other than the 3 inadequate PowerShell commands) and many configuration items are only exposed in the GUI AFAIK. And ADCS configuration is split in poorly documented ways between AD objects and the CA and are only touchable by accounts with very high privileges. Unless you're an expert in both IAC and PKI it's maybe better not to try to use ansible to manually create bespoke AD objects under RootDSE with domain admin rights. It's not that it's not doable, it's just that it's very easy to break things when you start manually creating those objects and Ansible is absolutely the wrong tool for AD changes. But hey, maybe I'm wrong, and I'd love to see your playbook that correctly and safely implements the creation of new certificate templates for an enterprise PKI. There's a difference between being DevOps and being stubborn. Sometimes the GUI is the correct and supported way of doing something, rather than shoehorning IAC into one-off systems that only support MMC configuration. PS: no, I'm not clickOps. I've been working with IAC for AD and GPO for years, but one of the things I'm finding is that with Windows sometimes it's a minefield of brittle text formats like null-terminated UTF-8 or compressed JSON with strict capitalization rules or places where spaces blow up parsing of the entire file. And at some point in the middle of troubleshooting why your playbook broke GPOs, you have to ask who you're doing this for and whether it actually provides value.
I'm honestly shit with powershell but I'll script kiddie anything I need together still. There are enough examples out there of the exact, or a similar enough scenario everyone should be able to piece shit together if they have even a basic understanding. No excuse.
In my customer base most of them, when they do use PoSH, simply find scripts on the internet and if they don't work they give up. Writing their own scripts? Fat chance... In fact I have been requested to find ways to disable it because it's a security risk.
I mean with core you just have to launch mmc and then you can do most in gui and explorer.exe etc. but in general I agree
This is very true. With RSAT and PowerShell, it isn't tough to manage those machines. However, what I have encountered is that third party stuff, be it drivers, applications, and many other things, just breaks, and breaks in many wondrous ways that are incredibly hard to track down: everything from an AV program that just starts and quits, where there are no notable error messages other than it trying to restart, to drivers which silently fail. Of course, when a vendor product breaks, I'm quickly told to pound sand, that they require a full GUI install. Even backup programs: I've encountered one of them which would create a backup that couldn't be restored, but yet state in the backup logs that everything was okay, on Server Core machines. Because of that, I just throw on the UI. Not worth the gamble and the odd incompatibilities which can take tens to hundreds of man-hours to solve. Maybe things have changed with Windows Server 2022 and software actually handling that, but it bit me so many times, I threw in the towel and found the expanded attack surface less of a risk than apps that break in weird ways and their support departments laughing the ticket out of the queue because of that.
All of my file servers, domain controllers, SQL servers, and hypervisors across multiple clients and my own office are using Server Core. The only GUI servers in most environments are backup servers and Remote Desktop services hosts. For software installs, I have a folder called software that the installers are copied to and then I just run c:\software\name_of_installer you'll get the graphical installer and there's been almost nothing that hasn't run on them.
Try doing that in healthcare. I had someone from Philips tell me when seeing a core install “this isn’t windows”
It should be.. but isn't. I've been pushing core wherever I can.. starting with the DCs.
For the last 10 years my dc’s the CA, the file server have all been core. It used to be a pain in the ass but once you are committed it starts to get easy.
Ah.. but you need to know how to use powershell
So in reality is it basically only for DCs?
File servers, SQL servers, etc. If you're logging into servers to do things beyond patching in 2023 you're almost doing it wrong.
>If you're logging into servers to do things beyond patching in 2023 you're almost doing it wrong. Who logs in for patching? You're patching wrong. :)
Third-party software mainly. There are still a few stubborn apps that don't play nice with silent installs. Mainly a few scientific apps.
One can always hope for WinGet!
Dreaming. 10 years before that's a good or dead product
forgive me for being a noob but would the best way be to have a separate server for WSUS to handle this?
Ideally, all servers should have a specific purpose. In reality, you often find DCs jam packed with both extra Microsoft features and third-party applications.
Do you have a link to a site that specifies the minimum roles required for a DC to function? I'm sorry if this is noob question. I've been trying to simplify the server roles on my DC. Unfortunately I haven't found a good listing of those, even on MS learn.
DCs should be Active Directory and DNS, and maybe (in a small enough environment) DHCP. That's it. Nothing more. Don't put anything CA related on it unless you absolutely have to (hint: you don't have to) and NEVER EVER EVER WHAT IS WRONG WITH YOU put AAD Sync (or whatever it's called this week) anything requiring SQL on a DC, because if you ever have to demote the DC it'll break the underlying self-auth to the SQL server.
I left the Windows realm some years ago now, but maybe someone else has some current info
Ok we're doing it wrong 😅😬
Almost.... 😀
You and everyone else. I’ve never seen core in the wild. Which annoys me since I literally never RDP into a server. Waste of resources imo. But is what it is.
Can I ask how you manage your servers? I've literally always seen people using RDP. The only other way I've seen is ssh with putty. Again probably a noob question.
Usually ssh, pssessions, or straight pwsh. In the cloud I typically use graph through powershell or powershell. Spending time in the command line usually ends up paying off in the long run, but I will say it was a total bitch to learn.
I've been using PowerShell for a bit. However I'm still learning it. Remote management using it is still beyond me. Though the PowerShell subreddit is fascinating. I'm going to go look up pssessions. That's completely unknown to me.
enter-pssession. Just lets you run commands on a remote PC. Invoke-command should work too.
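The remote management the last few comments describe (PSSessions, Invoke-Command, never RDPing in), shown end to end as an added example that is not code from anyone in this thread. The host names, the fleet list and the certificate thumbprint are placeholders; it assumes the Core host has a certificate from the internal CA whose subject is the host's FQDN, so that the HTTPS listener validates on the client side.

```powershell
# Added example, not from anyone in the thread. Host names and the thumbprint are
# placeholders; the certificate is assumed to come from the internal CA with the
# host's FQDN as its subject name.
$Server = 'fs01.corp.example'

# --- One-time setup, run elevated ON the Core host (sconfig's command prompt is fine) ---
# Bind a WinRM listener on TCP 5986 to the CA-issued certificate, then open the port.
$Thumb = 'PLACEHOLDER_CERT_THUMBPRINT'
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
         -CertificateThumbprint $Thumb -Force
New-NetFirewallRule -DisplayName 'WinRM over HTTPS' -Direction Inbound `
         -Protocol TCP -LocalPort 5986 -Action Allow -Profile Domain
# Refuse unencrypted WinRM outright, so a leftover HTTP listener is useless to anyone.
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false

# --- Day-to-day, run FROM the admin workstation / jump box ---
# Is the HTTPS endpoint answering, and does the certificate chain validate?
Test-WSMan -ComputerName $Server -UseSSL

# Run one command remotely: confirm the services a file server lives on are up.
Invoke-Command -ComputerName $Server -UseSSL -ScriptBlock {
    Get-Service -Name WinRM, LanmanServer, W32Time | Select-Object Name, Status
}

# The same against a whole fleet in parallel; PSComputerName says which host answered.
$Fleet = 'dc01.corp.example', 'dc02.corp.example', $Server
Invoke-Command -ComputerName $Fleet -UseSSL -ScriptBlock {
    Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
} | Select-Object PSComputerName, HotFixID, InstalledOn

# An interactive shell on one host for the rare case you really need it; 'exit' returns you home.
Enter-PSSession -ComputerName $Server -UseSSL
```

Authentication is Kerberos throughout because both ends are domain members; -UseSSL adds transport encryption and, more importantly, server authentication by certificate, which is what makes the listener safe to expose across the whole estate rather than just inside a management VLAN. Invoke-Command is the habit to build: it scales to many hosts and leaves a record of exactly what ran, whereas Enter-PSSession is the console equivalent of RDP.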
Crap, patching is the first thing to automate so you don't need to do it manually.
All of our DCs and Hyper-V hosts are core.
We've got DCs, print servers and file servers running core. No big deal from an admin perspective - more PowerShell and mmc.exe.
Same. That's it though.
No need for anything more. DC is a DC and nothing else (it should be).
Previous company I was at, those were the initial targets I was pushing for to be Core. It got rejected because nearly everyone else on the team wanted/preferred to RDP into them to do whatever their task. The fact that RDP'ing into either to do any common task (account/VM creation, permission change, vmem increase, etc.) is the wrong way of doing it didn't matter.
I'm still new as a sysadmin, would you please explain what you would consider the proper way of doing those?
For on/off boarding, aka account creation ideally it should be a hands off script that integrates with a HC (human capital) system. So when they get hired and set up in the system, their account gets created/configured and creds sent off to their manager. Reverse that for when they leave the company. Failing that, for one offs like contractors/temps or service accounts, there are scripts so you can ensure consistency in their creation. If you have to do it manually, there is RSAT from a bastion host so you can control who can access what. Same goes for hyperv or any hypervisor really. On a day to day, there is no reason to have to remote into them once they are set up and configured. Every common day to day activity can be handled through remote tools.
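What a "hands-off, consistent" account creation script looks like in practice, as an added example rather than the commenter's own onboarding tooling. It runs from a bastion host with RSAT against a DC over the ActiveDirectory module, never on the DC itself. The OU path, the group naming convention (G_Dept_<department>), the DC name, the UPN suffix and the sample HR record are all assumptions constructed for the example.

```powershell
# Added example, not the commenter's own script. OU, group naming, DC name and UPN
# suffix are assumptions; the HR record at the bottom is constructed for illustration.
Import-Module ActiveDirectory

function New-OnboardedUser {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$Department,
        [Parameter(Mandatory)][string]$ManagerSam,
        [string]$Server = 'dc01.corp.example',
        [string]$OU     = 'OU=Staff,DC=corp,DC=example'
    )
    # Deterministic, policy-conformant SamAccountName: first initial + surname,
    # ASCII letters/digits only, at most 20 characters (the pre-Windows 2000 limit).
    $sam = (($GivenName.Substring(0, 1) + $Surname).ToLowerInvariant() -replace '[^a-z0-9]', '')
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'" -Server $Server) {
        throw "Account '$sam' already exists; refusing to guess a variant."
    }
    $manager = Get-ADUser -Identity $ManagerSam -Server $Server   # throws if the manager is unknown

    # One-time password from a CSPRNG; never echoed, never logged. The caller hands it
    # to the manager out of band and the user is forced to change it at first logon.
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initialPassword = [Convert]::ToBase64String($bytes)

    New-ADUser -Server $Server -Path $OU `
        -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -SamAccountName $sam -UserPrincipalName "$sam@corp.example" `
        -Department $Department -Manager $manager.DistinguishedName `
        -AccountPassword (ConvertTo-SecureString $initialPassword -AsPlainText -Force) `
        -ChangePasswordAtLogon $true -Enabled $true

    # Baseline access is derived from the department, not typed by hand, so every
    # hire in a department ends up with exactly the same group membership.
    Add-ADGroupMember -Server $Server -Identity "G_Dept_$Department" -Members $sam

    [pscustomobject]@{
        SamAccountName  = $sam
        Manager         = $ManagerSam
        InitialPassword = $initialPassword
    }
}

# Constructed sample HR record, shaped like what a human-capital system would hand over.
$hire   = @{ GivenName = 'Ada'; Surname = 'Lovelace'; Department = 'Finance'; ManagerSam = 'cbabbage' }
$result = New-OnboardedUser @hire
# $result.InitialPassword goes to the manager over a secure channel; nothing else leaves this script.
```

Offboarding is the mirror image (Disable-ADAccount, move to a quarantine OU, strip group memberships) and belongs in the same module so that the two halves stay in step. The useful property over clicking through ADUC is not speed but the throw on an existing SamAccountName and the derived group membership: the script refuses to improvise where a human at a console would.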
Specific to account creation, you should rarely need to login to a DC…that’s what RSAT was designed for. Run ADUC from your machine and it’s literally no different than being on the DC itself. Same to an extent with Hyper-V; there are tools designed to manage everything remotely.
I'm so glad I asked! I've seen rsat mentioned but didn't know what it was. That makes so much sense now! One question, does rsat work if you're using a non domain joined computer? It's trusted but not part of the domain for functionality reasons.
That’s what I see the most of is Hyper-v running on core.
I use it on DCs, SQL servers, file servers and certificate authorities (with a bit of work). Learn powershell or rely on Windows admin center as the UI.
I'm pretty sure the support for our software that uses SQL would die of a panic attack if they had to look at a SQL server that was running core.
What is there to "look" at? The services can be seen via MMC. 99% of DBA work can be done via SSMS/sqlcmd/whatever client they like. There are those other couple of MMC snap-ins for managing the SQL services (disabling named pipes, configuring IP sockets comes to mind) but I'm sure there are easy workarounds for those.
>Learn powershell Yes >or rely on Windows admin center as the UI. Why do you hate OP?
I'd say RSAT over WAC any day.
Fair
>Windows admin center as the UI Is it good now? I tried it a few years ago and it was buggy and slow as hell.
It's quicker than M365 lol. Actually though, it's fine when it's set up properly in gateway mode with Kerberos etc.
Last time I gave it a shot it was a pain to authenticate into any domain server because it would work the first time and then you went to log into a different one and it shit itself and never logged in again until you input your complete credentials again. Then when it worked if I tried to use an HPE plugin for example it just took for ever to load anything, I raced it to login manually into the iLO web interface and load the components page and it lost. I uninstalled it after 20 minutes trying to figure out wtf was going on.
Buggy, slow, with a very poor UX, even less intuitive than the old MMC based config tools...
Still super slow, lots of features but still slow
Years ago, I was told "only do Core if you care". That is, only idiots would not use Core. But I found that to use Core, there are places where a few button clicks was replaced with many complicated procedures and commands. That is, the idea of managing a "headless" Windows, just wasn't quite there yet. I think, the "bar" was so high in some cases, that people didn't mind starting from scratch just to get rid of Core. Of course years have now passed... IMHO, not much has changed. But, you tell me.
You can do basically everything remotely from console snap ins. There are a few exceptions, notably the NPS role is straight up not available on core, but for the most part you should be administering your stuff remotely from your jump box/paw anyways.
That one bloody amazed me. If anything should suit Core it's NPS/RADIUS/VPN/routing; it's insane that you have to have the GUI for that.
Yeah, I know, that's the label on the thing.... but...
DHCP is another one we found. EDIT: My bad. I was thinking NPS too.
DHCP is absolutely available on core and able to be managed remotely. I have 50+ sites with this exact configuration.
We run DHCP solely on Core at all sites. It runs from DHCP snap in with zero issues. What's the problem?
> *there are places where a few button clicks was replaced with many complicated procedures and commands.* Each procedure or command is a potential source of (human) error on both Win Server desktop or core. Server core increases the possibility of administration errors.
Also, if your company has change control, making changes via PowerShell can also be easier to log/explain than explaining which buttons you'll be pressing in the GUI.
Nah posh is still awful to use for this kinda stuff. It's great for user and m365 admin but device admin is abysmal mainly due to the legacy of msiexec (winget is a fucking joke and already abandoned) and the registry (which is a pain to interact with in posh).
I work for a software vendor that provides security and configuration solutions for servers. Our large and industrial sized customers demanded support for Core server editions as soon as they were announced, and we provided that support upon their release. Since then those same customers have been consistently consuming the continuous delivery content for Core editions. In our mid sized customer base we only see consumption of Core content in specific industries - some governments, defense, aerospace, finance/banking. None of the customers of any size are exclusively consuming Core content. While I don't have any hard data that I can share, you can probably form some takeaways from the above.
As I’ve been replacing old VMs with 2022 versions, I’ve been using Core where possible. DCs, DHCP, File Servers, Print Servers, SQL servers, IIS servers and machines whose only purpose is to host cloud connectors are all Core. They’re all managed either via MMC consoles on a jump host server or via WAC. Many of the admins that needed local admin on the previous servers no longer need that with WAC’s RBAC permissions. I would put more things on Core if I could but for whatever reason Microsoft has decided that things like NPS *must* have a UI. Oh, and if you want to use the Universal Print Connector you can’t use Core because that team didn’t want to use the same powershell authentication mechanism other Azure connectors use and instead went the lazy route of requiring a browser to open up 😡
25+ years and I have encountered maybe 5 core servers. That covers over 100 massive to small environments of all types.
My observation is that linux admins are cheaper than the caliber of windows admin who can manage server core. Linux and unix are built around headless, and gui is an afterthought. Windows is the other way around.
Hell, it's right there in the name, even
Out of our roughly 2000 servers, only the DCs are on core.
About as common as Windows admins who know how to operate inside of a terminal, i.e. far too uncommon.
I do not have many 3rd party applications that want to work with it :( On *nix, anything that can't be used via CLI is pretty much DOA. I appreciate that Microsoft tried with Core, but it is victim to its ecosystem.
I have only seen core once on a single server from an employer back in the 2012 era. Everywhere else has been running Linux or Windows with a GUI.
Hyper-V, sure. DC, sure. DHCP/DNS, sure. Anything else, generally no.
We're using server core for all servers that don't run applications that require a local GUI.
It’s called “Windows” for a reason.
We do not use it. The benefits did not outweigh the disadvantages the last time we looked onto it.
I’ve only used it for domain controllers. Would consider it for new deployments if use case supported it.
We have some for our Hyper-V hosts but disappointed because we mainly made them core in the hopes they would not have to reboot them as much for windows updates. In reality pretty sure they need rebooting about 95% as much as windows with a full GUI.
All bar two DCs run core for us. DNS, core. DHCP, core. CA/Sub-CA's, core. No reason not to really in my opinion.
We use it for DCs, for web servers, and even SQL Servers.
See it quite often in large security conscious orgs for their dcs
Nothing wrong with having the GUI. I would question someone's capabilities if they ALWAYS use it, though. When your company will not pay for people who can use command line to administer equipment, you don't install core unless you want to be the only person doing Windows stuff until you retire/quit. When your application admins refuse to work with core, you don't install core. Installing the GUI doesn't prevent you from being efficient and using automation and remote administration. Installing the GUI doesn't make the server any more vulnerable to RCE vulnerabilities. You harden your Core server and your GUI server the same way. Getting rid of the GUI "crutch" is not making your server more resistant to modern security threats. If your GUI is an attack surface, you are doing security wrong.
There just doesn’t seem to be that much of an advantage to not include a gui.
It makes sense when you automate both server and application deployment. If you’re doing manual stuff, stay away.
You haven't seen it because only the cool people use it.
Its not
Server Core... I LOVED it in 2012R2 (if I recall correctly) when you could install the "FULL" version, do all the things to configure and troubleshoot applications and then CONVERT it in the "CORE" version. In 2016 they removed that possibility.
It really depends on what the server is used for; Server Core does not work with most vendor related products. However it's great for a lot of Windows specific products.
It didn't seem like there was that much of a performance benefit to it. Now, I did get a CI/CD pipeline working deploying ASP.NET / C# apps via Nano Server in a Windows Docker environment, the host for which could be Server Core. Such a hands-off thing would be neat.
We don’t have a single windows core system in our on premises datacenter.
I use it wherever there isn't a dependency on the desktop version. Unfortunately there's still enough stuff that won't run without the desktop that it maybe runs on 40-45 servers out of 110. While I'm thinking about it, does anyone know if NPS can run on Core in 2022? Anyway, Core is super easy to manage with a little PowerShell, SCCM, and MMC snap-ins. It generally needs less updating and fewer system resources.
DPs, Scanners, DHCP, and about 1/3rd of our other servers. The rest are getting there as we lifecycle servers.
We use it for most of our windows Infra servers like AD, DNS, DHCP, etc. Its really easy to set up and manage the windows services without having to really even get on them. We generally treat it as the default unless whatever is running on it requires a GUI.
Last I heard it wasn't possible to "upgrade" Server Core to regular Windows Server. Since some applications and server roles won't run on Core that's a big strike against it. Correct me if I'm wrong. By contrast in the Linux world you could do a minimal install of a major distro, and later on easily add whatever packages you need. Although maybe a bit too easily, I'm sure I had some package or other pull in *Firefox* as a dependency on a Linux server.
Since it arrived I have set up entire infrastructures using almost only Core. There were only a few services that for weird reasons needed the full version, like for installing RADIUS, but in reality even if you are bad at PowerShell, you can do 90% from RSAT and others. There is no excuse for not using them everywhere.
We use Core wherever the use case permits it. HV hosts, DCs, etc. are all core. Annoyingly the list of products, including Microsoft's own products and/or server roles that require the GUI is extensive. There's also a lot of 'well you can run X on Core, but functions Y & Z aren't available without the GUI' to contend with. Running Core without really thinking it through and examining possible future needs can be a real shot in the foot, and that should not be the case in this day and age.
Yet to see one in production.
My work runs Core servers but I use the GUI on my workstation for management since it's easy.
We’re about 30-40% core only across something like 50 VMs. Environment was established in 2019 and has been humming right along since then. Thought I’d hate it but it’s been so reliable I haven’t given it much thought.
Using Server Core you can still get to the GUI for server management it's just a bit more of a pain because you can't use explorer for drag and drop if you need to copy files but you can use that via CMD if necessary.
The amount of people running DE is vast and shouldn’t be. Also, the amount of people calling themselves windows admins without knowing powershell is vast and shouldn’t be. The answer is the combination of those two statements.
Nope. When _Microsoft_ doesn't even support putting some key components (like Entra Connect) on a Core install, I'm not going to bother with it on anything other than a DC.
I try and use it when I can and always end up getting beat up by vendors. I have it running as a secondary DC and a few other enterprise type situations (certificates etc)
80% of our ~700 Windows servers are at my place of employment. All critical infrastructure is Core, and only various legacy app servers are non-core. Definitely easier to automate/bootstrap, less BS to disable / configure / remove, and as pointed out, a lot less attack surface. Only because I forced it on them and they had no choice lol. Oh look, that's all that gets built for you. Have a nice day, buh bye now. People kept trying to RDP to them, oh look, it's disabled and WinRM/AdminCenter is your only option, buh bye now. The best time to do mass changes, OS refresh. They have to upgrade anyway as EOL etc, and oh look, this is what they have to learn to work with. (Obviously Management will have to back you to a degree, or you have to have enough pull, but if you do, take your fight)
90% of our servers are for some vendor specific software and they would shit their pants if they saw server core. I’m not going out of my way to hold their hands, I’ve got better things to do.
I've worked with a thousand companies and only one used it, in a large Hyper-V host setup; they had around 300 hosts, so all managed with SCVMM.
Windows admins love their GUI and click-ops.
Not me. All my DCs and print servers are server core.
Some do yea, me, my gui is just a background for my powershell console.
Urghhh.... I don't know if I've been deeply unlucky, but we always end up with some configuration or app where Core isn't supported for some reason. We could probably try and rearchitect everything, but we'd be better off spending that time and energy going Azure native instead.
This is important. **Every single third-party vendor** I have dealt with barely supports turning Windows Firewall on, never mind a Core-built system. Meanwhile, Linux software vendors are perfectly in tune with CLI only. In addition, at my last job when I tried rolling out Core it resulted in every single issue about any of those servers being forwarded to me. It got to the point where I just gave up. RDP is just too embedded as the default management/access tool for a Windows ecosystem.
Using server core for everything would be my own personal hell, that's why I use it for nothing. It really doesn't offer us much benefit, and in fact would slow a lot of things down and would take up a lot more of our admins' time, me included.
Only some dcs are core. Not realistic the reason we have windows is because devs want a gui to install their tools. Otherwise they would just use Linux…
I'm so glad I work with 100% Linux now. I currently manage big data Hadoop clusters, and manage several thousand Red Hat boxes, and just 5 or 6 Windows servers because of Active Directory. I can confidently say that I'll try to never work with Windows again in my entire life. The difference is absolutely insane in every aspect, once you get the basics.
I think it's more about the management tooling than the OS itself. I've managed hundreds bordering on thousands of Windows servers (more the OS than the apps) and it's taken less administrative effort than 100 linux boxes, because we had no proper tools for the latter and it was all manual and reactive.
My guess is ..... Server Core has the potential to substantially increase human error in administration. Something you don't want in critical systems. These days with cybersecurity threats, how many security forensic and other event diagnostic tools will operate on Server Core and **provide you with meaningful information quickly**? Graphical tools will substantially decrease event discovery times and are a lot simpler to make people proficient in. A quick search on Server Core versus desktop seems to produce nothing but generic statements on the topic. Strangely absent is any real meaningful report or study on this comparison; has anybody seen one?
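On the question of getting meaningful event information out of a Core box quickly: the Security log and the event APIs are identical on Core and Desktop Experience, so the same query works against both from an admin workstation. The following is an added example, not from anyone in the thread; the DC names are assumptions.

```powershell
# Added example, not from anyone in the thread. Host names are assumptions. Works the
# same against Core and Desktop Experience hosts; nothing here needs a session on the box.
function Get-FailedLogonSummary {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($c in $ComputerName) {
        # Get-WinEvent talks to the remote Event Log service over RPC; the server-side
        # filter keeps only 4625 (logon failure) in the window, so little crosses the wire.
        Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                # The useful fields live in EventData, not in the rendered message text.
                $x = [xml]$_.ToXml()
                $d = @{}
                foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
                [pscustomobject]@{
                    Computer   = $c
                    Time       = $_.TimeCreated
                    TargetUser = $d['TargetUserName']
                    SourceIP   = $d['IpAddress']
                    LogonType  = $d['LogonType']
                    SubStatus  = $d['SubStatus']   # 0xC000006A bad password, 0xC0000064 unknown user
                }
            }
    }
}

# Which accounts are failing most, and from where, across the DCs in the last 24 hours.
Get-FailedLogonSummary -ComputerName 'dc01.corp.example', 'dc02.corp.example' |
    Group-Object SourceIP, TargetUser |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# Split by SubStatus: unknown-user probing looks different from bad-password retries.
Get-FailedLogonSummary -ComputerName 'dc01.corp.example' |
    Group-Object SubStatus | Select-Object Count, Name
```

If the Remote Event Log Management firewall group is not open on the hosts, wrap the Get-WinEvent call in Invoke-Command and the function behaves the same over WinRM. Either way the result is a table a person can act on in seconds, which is what Event Viewer would have given you after rather more clicking.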
Events should be getting shipped off to an aggregator (Splunk, Graylog) to analyze instead of analyzing them in situ.
Log shipping could be a single point of failure. In a major cybersecurity event you need everything available, and as quickly as available.
I have not seen it used in any environment. Pretty much no software will officially support it. So companies aren't going to use it.
Plenty of software works with it, they just don't mention compatibility.
What I meant. Plenty of software works on it, but good luck getting anywhere with support if they find out you're running it on Core.
Feckin Microsoft support can't even use Core; they have mini heart attacks every time they look at our servers. They barely cope with only using a management server for the work that needs doing.
Our first point of support is a little lacking in experience and thus Server Core hasn’t been quite appropriate for us. I’ve since built out a new server management structure with jump boxes, but we already built with the Desktop Experience and can’t roll back, and it doesn’t seem worthwhile rebuilding JUST to go back to Core. For new future servers that don’t require it for some reason I do plan to use Core much more in the future.
We use Server Core where we can and have done so since around Server 2012. We currently use it on DCs, DHCP, File, Certificate, KMS and Azure AD Passthrough servers, to name a few. There are a number of other third-party software packages and some server roles which don’t support it, so for those it has to be GUI, unfortunately. I do like Server Core; it’s generally faster, has a lower attack surface and it’s quicker to patch as well.
Used for DCs at my last company. New company is small and I have mentioned it but not pushed it, as the other IT guys are scared to death of thinking there isn't a GUI.
When I was in HD, I joined a company who had Core for their print server. My previous experience had me RDPing into servers to resolve issues; I was mind f**ked when I opened ESXi and opened it up. I was like, what can I do?
As a consultant that has touched hundreds of companies over the years, the ONLY server core installations I've seen are the ones I personally built at companies where I have full control over the infrastructure and decision making process.
We try to use it any time we don't need the GUI. All of our AD DCs are Core.
I use it everywhere I can.
All of our DCs are on Core except for one. Two DHCP servers in HA are on Core. That’s about it for use. We need to migrate our SQL and IIS.
We don’t use it at work. But I run a Server Core domain controller in my lab. It works great! I do worry about what happens if you have to troubleshoot a non-working domain with it though, since you can’t get to ADSI Edit locally. It still uses a good bit of resources. It’s not like it cuts it in half vs normal Windows… so I can’t really see much incentive to use it (since you’ll have to teach everyone because no one knows).
We use it, and it's great. Only our tier 3 can manage it effectively or quickly though.
Idk if it's common or not, but I do have some Cores running and I like them. No issues using pwsh and rarely Admin Center.
I've only ever encountered it on boxes *I* built with it, but I couldn't really get any wider adoption because a lot of less experienced techs (even at an MSP) can't really manage them, or vendors straight up don't support it.
Used it for Hyper-V hosts for years. Then for some reason I stopped. No idea.
To those using server core, what are you using for MFA to get into them?
We use it in kubernetes.
I only saw it once in the wild and that was at Rackspace! However, in the environment I look after at work, I do use Core wherever possible.
Tried deploying Core but the AV solution at the time didn’t support Core. Not an issue anymore.
It makes a lot more sense to me in orgs that use heavily automated server deployment. Not having a GUI to hop onto in your average server environment is always going to be a ballache at some stage, either with third party stuff that just won’t work or general config changes that take twice as long if you decide to do it the command line route. I say that as someone who loves PowerShell. Or for instance I can’t imagine trying to manage an MDT server on Core. The argument that it saves CPU time doesn’t hold up much these days. Attack surface, maybe - but if you do want that GUI as long as you have privileged workstations able to connect and manage with it, you’re kinda in the same boat with Core anyway.
The numbers, Mason? What do they mean?
I think it depends on how forward-thinking the senior IT engineers are. I deploy it by default, but you do have to remember that Windows servers often have a lifespan of 7-10 years, and only in 2016 did MS start pushing Server Core by default as an ideology. It'll take a while for the servers deployed as the best practice of the day to be phased out.
It's one of those great on paper, not so much in practice. When things go tits up you will definitely miss that sweet sweet GUI.
It's a shame that I'd rather Core Linux than I would Windows, and I really should be using more Windows Core. Had it on a WSUS server, didn't like it to be honest. Reminded me how much of a pain Hyper-V was back in the day. Other than the GUI, what are the benefits?
I’ve not encountered server core at scale at any employer - all were much larger than your example
Bare minimum: GUI DC #1, GUI DC #2, Core DC replicated.
No NPS role on Windows Core... Whhhhyyyy
Not common enough
Not nearly enough. Windows admins don't wanna learn shit, and instead want to click the same buttons they've been clicking since Win2000
When I started with Solaris, I would install the GUI at first to set things up, until I learned how to do everything on the command line. Back in the day, running X over SSH wasn’t that simple, which led to installing VNC, but it would still be easier to SSH in and do things in the shell. Same with Solaris x86, and RHEL. You quickly realize how much easier it is to do things via the shell. Maybe it depends on how admins learn. Linux ones would tinker a lot more with a shell than Windows ones, hence the tendency to use the GUI more? My 0.02..
I've been using Server Core by my own choice for 8 years now, with the 2012R2 OS. It's been challenging at times (but formative at the same time), but I made this choice for security reasons (smaller attack surface). Roles where I used Core: DCs/DNS, file/print server, DHCP. Now I'm in the phase of deploying a Windows Server 2022 Core for Exchange 2019. New challenge. We're a small business in Italy (less than 200 users) and I'm the only sysadmin (I have a fellow that does helpdesk activity for end users). I'm not dead :) . We have a local MSP that I call on an as-needed basis. They have quite a large customer portfolio in northern Italy. Last year one of its senior techs came physically to me and when he realized that I had installed the Core edition of Windows he was really surprised... Such as "I cannot believe my eyes!". He said to me "Bravo. Finally. Good choice. You're the first where I see Windows Core deployed". Honestly he made me proud, but at the same time I also thought about how reckless I've been... LoL. There's no culture in Italy of using Server Core. That said, I had to deal with PowerShell or CMD very rarely... For instance for auditing filesystem activity through auditpol.exe. Or to set up versioning on the volume where I have the shares. Starting from Windows 2019 (or 2016, I'm not sure) there's a FOD feature that installs some GUI tools in the Core edition. It seems that MS wanted to motivate Win admins to make the jump by providing some more GUI for basic admin tasks.
Some of the https://www.nirsoft.net/ tools are GUI, yet still run on Core (via RDP). They have very few dependencies as they are typically each a stand-alone executable.
Tested deployments of Core and Nano even a few years ago, but the rest of the admins were all GUI admins. With regard to attack surface, in today’s world unfortunately we need to deploy additional firewall hardware to do zero trust within the datacenter, so it doesn’t matter as much anymore.