Managing Active Directory Domain Services From a Jumpbox

I have been a big fan of Windows Server Core since I first learned about it in Windows Server 2008. It has come a long way since that first generation; today you can run nearly every server-based application without the Graphical User Interface (GUI). One role that has always been a great candidate for Server Core is the domain controller. I have always said that a domain controller should never be used for anything else, but I make exceptions for Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP), which usually reside on my domain controllers.

Server Core is now the default installation of Microsoft Windows Server. Whereas you were originally given the choice between Windows Server and Windows Server Core, today the installation options are Windows Server and Windows Server (Desktop Experience). In other words, the unqualified option is Server Core, and the GUI is the add-on.

image

The results of that will look like this:

image

Okay, that’s great… but now Microsoft expects us to manage our servers without the GUI? Are we meant to administer everything from PowerShell? That is certainly possible, but it is not necessary. Microsoft offers the Remote Server Administration Tools (RSAT), which install the familiar MMC consoles on a management server (or jump box) that can connect to and manage your domain controllers (or almost any other Server Core role) without your having to learn the cmdlets to do so.

I have my domain controllers (which nobody aside from the Domain Admins should ever log on to) configured with the appropriate roles. Now I want to configure my jump box, a Windows 10 or 11 workstation, with the tools needed to manage them.

Step 1: Open Windows PowerShell as Administrator. Yes, it is possible to do all of this from the GUI, but I find it much easier from PowerShell, especially since you can cut and paste the cmdlets from this article. Remember that on Windows 11 the menu offers Terminal rather than Windows PowerShell; Terminal opens a PowerShell tab by default, so the cmdlets are the same.

Windows 11 (Terminal) / Windows 10 (Windows PowerShell)
image image

By right-clicking on the Start Menu, you can select the appropriate console. When prompted, accept the UAC warning; you are indeed about to make changes to your system.

Step 2: See what your options are. In Windows 10 and 11 the RSAT tools are delivered as Windows Capabilities (Features on Demand); since Windows 10 version 1809 they are no longer a separate download. Run the following cmdlet to see what choices you have:

Get-WindowsCapability -Name *RSAT* -Online | Select-Object -Property Name

This will show you a list of the names of the available RSAT tools, without any of the padding. That list should look something like this:

image

While there are a lot of options to choose from, the ones that I need to manage my domain controllers are:

Name
----
Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
Rsat.DHCP.Tools~~~~0.0.1.0
Rsat.Dns.Tools~~~~0.0.1.0
Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0
Rsat.IPAM.Client.Tools~~~~0.0.1.0
Rsat.ServerManager.Tools~~~~0.0.1.0

In other words, I need to install these six tools. Some people would say that you can just install all of them with a single cmdlet, but I do not feel the need to install any console that I do not actively use: every extra console is another binary to patch and another tool sitting on the jump box for whoever compromises it. If you are of that mind anyway, use the following cmdlet:

Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online

Step 3: As I said, I would rather install only the ones that I will be using, so I run the following. Note that Add-WindowsCapability needs -Online (or -Path to an offline image); without one of them PowerShell cannot resolve a parameter set and the command fails.

Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
Add-WindowsCapability -Online -Name Rsat.DHCP.Tools~~~~0.0.1.0
Add-WindowsCapability -Online -Name Rsat.Dns.Tools~~~~0.0.1.0
Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0
Add-WindowsCapability -Online -Name Rsat.IPAM.Client.Tools~~~~0.0.1.0
Add-WindowsCapability -Online -Name Rsat.ServerManager.Tools~~~~0.0.1.0

One caveat: Features on Demand are downloaded from Windows Update. On a workstation that is pointed at WSUS or Configuration Manager the download is usually blocked and DISM reports error 0x800f0954; either allow optional components to be fetched from Windows Update by policy, or point -Source at the Features on Demand media.

Step 4: Installing all of them takes a few minutes, and no reboot is normally needed when they are done. You can now click on the Start Menu and scroll down to (and expand) Windows Tools (called Windows Administrative Tools on Windows 10). All of the GUI consoles to manage your Server Core boxes now appear in that list.

image
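The following script is an added example, not code from the original post: it does Steps 2 and 3 in one idempotent pass, matching the six capabilities by prefix so the version suffix never has to be typed, skipping anything already installed, catching the WSUS download failure, and verifying the result. It assumes an elevated session on a domain-joined Windows 10 (1809 or later) or Windows 11 jump box; the $wanted list and the verification at the end are this example's own choices.

```powershell
# Added example (not code from the original post): idempotent install of the
# six RSAT capabilities the post uses, with a verification pass at the end.
# Run from an elevated Windows PowerShell / Terminal session.
#Requires -RunAsAdministrator

# Capabilities by prefix; the "~~~~0.0.1.0" suffix is resolved from DISM below.
$wanted = @(
    'Rsat.ActiveDirectory.DS-LDS.Tools'
    'Rsat.DHCP.Tools'
    'Rsat.Dns.Tools'
    'Rsat.GroupPolicy.Management.Tools'
    'Rsat.IPAM.Client.Tools'
    'Rsat.ServerManager.Tools'
)

# One DISM query for every RSAT capability the running OS (-Online) knows about.
$available = Get-WindowsCapability -Online -Name 'Rsat*'

foreach ($prefix in $wanted) {
    $cap = $available | Where-Object { $_.Name -like "$prefix~~~~*" } | Select-Object -First 1
    if (-not $cap) {
        Write-Warning "$prefix is not offered on this Windows build."
        continue
    }
    if ($cap.State -eq 'Installed') {
        Write-Host "Already installed: $($cap.Name)"
        continue
    }
    Write-Host "Installing: $($cap.Name)"
    try {
        $result = Add-WindowsCapability -Online -Name $cap.Name -ErrorAction Stop
        if ($result.RestartNeeded) { Write-Warning "$($cap.Name) asked for a restart." }
    }
    catch {
        # Features on Demand come from Windows Update. A WSUS/Configuration
        # Manager managed client usually cannot reach it and DISM reports
        # 0x800f0954: allow optional-component downloads by policy, or pass
        # -Source pointing at the FoD media.
        if ($_.Exception.Message -match '0x800f0954') {
            Write-Warning "$($cap.Name): download blocked by update policy (0x800f0954)."
        }
        else {
            Write-Warning "$($cap.Name): $($_.Exception.Message)"
        }
    }
}

# Verify: every wanted capability should now report Installed, and the
# ActiveDirectory module that ships with the DS-LDS tools should be available.
$pattern = '^(' + (($wanted | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')~~~~'
Get-WindowsCapability -Online -Name 'Rsat*' |
    Where-Object { $_.Name -match $pattern } |
    Select-Object Name, State |
    Format-Table -AutoSize

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Write-Host 'ActiveDirectory PowerShell module is available.'
}
```

Because the script checks State before calling Add-WindowsCapability, it can be re-run after a failed download or included in the jump box build without reinstalling anything.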

You will have to point each console at the remote server (or, more likely, servers), and if the jump box sits in a different network segment you may need to open firewall ports: the AD, DNS and DHCP consoles use RPC (TCP 135 plus the dynamic RPC range) and LDAP (TCP 389, or 636 for LDAPS), Group Policy Management also needs SMB (TCP 445) to reach SYSVOL, and Server Manager uses WinRM (TCP 5985/5986). As long as your jump box (or management server) is a domain member and the account you are using has the necessary permissions, you can manage your server roles without ever logging on to the server, which means there is no longer any reason to have the GUI installed. One caveat: a workstation where Domain Admin credentials are used is every bit as sensitive as the domain controllers it manages, because those credentials can be harvested from it, so lock the jump box down and use it for administration only.

image
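As an added example (not from the original post), the check below confirms from the jump box that a domain controller is reachable on the ports the RSAT consoles depend on, then performs an LDAP read under the current account so that both connectivity and permissions are exercised before any console is opened. It assumes a domain-joined jump box with the RSAT above installed; the port list is this example's own, and $dc is taken from the logon server unless that variable is empty.

```powershell
# Added example (not code from the original post): reachability and
# permission check from the jump box toward one domain controller.
# $dc defaults to the DC that authenticated this logon session.
$dc = ($env:LOGONSERVER -replace '^\\\\', '')
if (-not $dc) { $dc = [string](Get-ADDomainController -Discover -NextClosestSite).HostName }

# Ports by console. The dynamic RPC range (TCP 49152-65535 by default) is
# also needed by the RPC-based consoles and cannot be probed port by port here.
$ports = @(
    @{ Port = 53;   Use = 'DNS (name resolution, DNS console)' }
    @{ Port = 88;   Use = 'Kerberos (authentication to the DC)' }
    @{ Port = 135;  Use = 'RPC endpoint mapper (AD Users and Computers, DNS, DHCP)' }
    @{ Port = 389;  Use = 'LDAP (AD consoles, GPMC, ActiveDirectory module)' }
    @{ Port = 445;  Use = 'SMB (GPMC reads and writes SYSVOL)' }
    @{ Port = 636;  Use = 'LDAPS (optional, only if the consoles are set to use it)' }
    @{ Port = 5985; Use = 'WinRM (Server Manager)' }
)

# Test-NetConnection with -InformationLevel Quiet returns a plain $true/$false.
$results = foreach ($p in $ports) {
    $open = Test-NetConnection -ComputerName $dc -Port $p.Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ DC = $dc; Port = $p.Port; Open = $open; Use = $p.Use }
}
$results | Format-Table -AutoSize

# LDAPS is optional, so only the remaining closed ports are reported.
$blocked = $results | Where-Object { -not $_.Open -and $_.Port -ne 636 }
if ($blocked) {
    Write-Warning ("Blocked from {0}: TCP {1}. Open these between the segments." -f $dc, ($blocked.Port -join ', '))
}

# An LDAP read that succeeds only if the current account has read rights in AD.
# The consoles use the same logon credentials, so run the session as the
# account you intend to administer with.
Import-Module ActiveDirectory -ErrorAction Stop
Get-ADDomainController -Identity $dc |
    Select-Object HostName, Site, IsGlobalCatalog, OperatingSystem |
    Format-List
```

If a port shows Open = False while the console still works, the console is most likely using a different DC; re-run with $dc set to the one the console actually connects to.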

Conclusion

Not only does removing the GUI shrink your attack surface (fewer binaries, fewer patches, fewer places for an attacker to land), it also saves several gigabytes per installation. On a single physical server that might already mean a lot, but across dozens or even hundreds of virtual machines in a Hyper-V (or VMware) environment the savings are substantial, and in the cloud, where you pay for the resources you use, they show up on the bill every month.

Now go forth and GUI no more!
