Chapter 4
IN THIS CHAPTER
Understanding the default settings in Windows Server 2022
Getting an overview of the configuration process
Providing the information your server needs to be set up properly
Updating Windows Server 2022 with the latest patches, hotfixes, and everything in between
Customizing Windows Server 2022 to your preferences
Configuring your server startup options with BCDEdit
Now that you’ve installed Windows Server 2022, it’s time for the fun to begin! As an administrator, your next task after installing the server operating system is to configure it to do what you want it to do.
Microsoft introduced the Server Manager feature in Server 2008, and it was updated heavily in Windows Server 2012 to support Remote Management, as well as multi-server management. Server Manager is your starting location for the majority of the configuration tasks that you need to accomplish on your server if you’re working on a server that has Desktop Experience.
If you’re working on a Server Core system, you won’t use Server Manager on the console. Instead, you’ll use the sconfig utility to do your initial configuration, assuming that you aren’t deploying Server Core images that are already configured for your environment. Of course, you can use Server Manager to administer your Server Core systems remotely, with a little setup initially to get things going. I cover that subject in my overview of the configuration process.
When Windows Server 2022 is first installed, there are some settings that are created or set by default. Typically, these are things that you’ll want to change, such as setting the server’s name, setting an IP address, joining the server to a domain, and so on. Table 4-1 covers these default settings and discusses what they’re set to out of the box to give you a better idea of what you’re starting with.
TABLE 4-1 Windows Server 2022 Default Settings
Setting | Default Value | Description |
---|---|---|
Computer Name | WIN-<randomstring> | This will be a randomly generated name starting with WIN-. You should change the name based on your organization’s naming standards. When you change the name, you’ll be required to restart the system. |
IP Address | Assigned by DHCP | By default, your brand-new server is using DHCP to automatically receive an IP address. If your organization uses DHCP to manage IP addresses, you’re good to go. If not, you may need to set a static IP address. |
Domain or Workgroup | Workgroup named WORKGROUP | Windows Server 2022 begins life joined to a workgroup named WORKGROUP. If it’s going to be a standalone server, then that setting may work well for you. Servers in workgroups are not domain joined. If your server needs to be joined to a domain, you’ll want to change this setting. Doing so will require a reboot. |
Windows Update | Automatic update download | Updates are downloaded automatically, but they aren’t installed until you allow them to be. |
Microsoft Defender Firewall | Public and private profiles: On; Core OS functionality: Allowed | In its default state Microsoft Defender Firewall has a public and a private profile. Core functionality needed for the operating system to function is allowed automatically. The domain profile will appear if the server becomes domain joined. |
Microsoft Defender Antivirus | Real-time protection: On | Provides real-time virus/malware scanning. It prevents malware from installing and/or running on your server. Automatic sample submission is also enabled by default. This sends sample files to Microsoft for analysis. |
Roles and Features | Some roles/features are installed | Some roles and features are enabled out of the box to allow the server basic functionality. It’s important to note that just because a role or feature is selected, that doesn’t mean that the role as a whole is installed. |
Remote Management | Enabled | Allows the server to be managed by PowerShell remotely. Also allows applications or commands that require Windows Management Instrumentation (WMI) to manage the server. |
Remote Desktop | Disabled | Allows users to connect to the desktop of the server remotely. Allowed users can be configured individually or by security groups. |
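The following read-only check is an added example, not part of the original chapter. It reports how a server currently compares with the defaults in Table 4-1, using standard Windows cmdlets; it assumes an elevated PowerShell session on the server and that Microsoft Defender Antivirus is present.

```powershell
# Added example: compare the running server with the defaults listed in Table 4-1.
# Read-only; nothing is changed. Run in an elevated PowerShell session.
$cs  = Get-CimInstance -ClassName Win32_ComputerSystem
$mp  = Get-MpComputerStatus
$rdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                        -Name fDenyTSConnections

# Connected IPv4 interfaces that still get their address from DHCP
$dhcpNics = Get-NetIPInterface -AddressFamily IPv4 -Dhcp Enabled |
    Where-Object { $_.ConnectionState -eq 'Connected' }

# Firewall profiles that are not switched on (the default is that all of them are on)
$fwOff = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }

$report = [ordered]@{
    'Computer name still default (WIN-*)' = $env:COMPUTERNAME -like 'WIN-*'
    'Joined to a domain'                  = $cs.PartOfDomain
    'Domain or workgroup name'            = $cs.Domain   # holds the workgroup name when not domain joined
    'Interfaces using DHCP'               = $dhcpNics.InterfaceAlias -join ', '
    'Firewall profiles turned off'        = $fwOff.Name -join ', '
    'Defender real-time protection on'    = $mp.RealTimeProtectionEnabled
    # SubmitSamplesConsent: 0 = always prompt, 1 = send safe samples, 2 = never send, 3 = send all
    'Defender sample submission setting'  = (Get-MpPreference).SubmitSamplesConsent
    'Remote Desktop enabled'              = $rdp.fDenyTSConnections -eq 0
    'WinRM service status'                = (Get-Service -Name WinRM).Status
}

[pscustomobject]$report | Format-List
```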
When you start with a freshly installed server, it isn’t configured to do much of anything. You’ll need to take some basic configuration steps. Some of these steps are the basics like setting the day and time; others are tasks that will allow you to manage your systems remotely.
Here’s the basic process:
You can find the specifics on how to do each of these tasks in the following section.
When you’re deploying new servers, you have to perform certain tasks, such as activating the operating system with a valid Microsoft product key, setting the time zone, changing the name, and adding the server to the domain. In this section, I explain how to provide information for the server on both Windows Server 2022 with Desktop Experience and Server 2022 Core.
Many system administrators got their start with the graphical user interface (GUI) of a Windows Server operating system. Windows Server 2022 continues the tradition of the GUI with the Desktop Experience installation. Let’s take a look at what is involved with configuring Windows Server 2022 with Desktop Experience.
One of the first things that you do after installing the Windows Server operating system is activate it with a valid product key. You can do this through the desktop interface or through PowerShell.
In this section, I cover activating through the desktop interface. I cover activation through PowerShell in the later section on activation for Server Core.
Log into the server.
Server Manager opens automatically.
To start the activation process, click the Not Activated hyperlink next to Product ID.
A dialog box launches automatically asking for the product key.
Enter your product key and click Next.
You’re prompted to activate Windows.
Click Activate.
You get a confirmation that Windows has been activated.
Click Close.
You’re left on the Activation screen shown in Figure 4-1, where you see that your version of Windows is now activated.
Setting the time zone is a common task in the server provisioning process. You may want to set the server to the time zone that you are in, or to the same time zone as a corporate office located elsewhere. This is common if your servers are in a co-location and you want them to be on the same time zone as your local systems.
Click the hyperlink next to Time Zone.
This may already be set to the correct time zone for your area.
Setting the computer name is a must in an enterprise environment. Most organizations have a naming convention that you need to follow, but the names the organization requires will certainly be easier to remember than the default randomly generated name. Joining to the domain is one of the simpler steps, but also one of the most important steps to enable centralized authentication management and configuration capabilities.
Click the hyperlink next to Computer Name.
This will be the default name that starts with WIN- and will be followed by a random string of letters and numbers.
In the Computer Name field, enter the name that you want for your server, and then click OK.
A dialog box appears telling you that you need to restart the server.
Click the Close button in the System Properties dialog box.
You’re prompted to either Restart Now or Restart Later.
Click Restart Now if you want to reboot the server immediately. Click Restart Later if you want to finish other administrative tasks you may have first.
If you click Restart Later, you’ll need to manually reboot the server when you’re ready.
Click OK.
A dialog box appears telling you that you need to restart the server.
Click Restart Now or Restart Later.
After the restart, the server will be joined to the domain.
Your server will use a dynamically assigned IP address by default. If this is not desirable, you’ll want to set a static IP address so that the server will continue to use the same address.
Click Internet Protocol Version 4, and then click the Properties button.
By default, the server is set to obtain an IP address automatically and obtain DNS server addresses automatically. If this is what is desired, then no changes are necessary.
Manually enter the addresses for the preferred DNS servers.
See Figure 4-2 for an example.
Many system administrators have configured a Windows Server with a GUI, but not many have used Windows Server Core. As you see in this section, Windows Server Core has a simple interface, and when you learn how to navigate it, you may find it simpler to work with than Windows Server with Desktop Experience.
Windows Server Core gives you a few different options for activating your copy of Windows Server 2022. In this section, I cover activating via sconfig, as well as activating via PowerShell.
Sconfig is the built-in configuration utility in Windows Server Core. It’s a text-based menu that allows you to do the majority of your initial configuration tasks all from one central location. By default, sconfig launches automatically after you’ve logged in.
Enter your 25-character product key in the dialog box that pops up, and then click OK.
After the key is installed, you see a message saying the key was installed successfully.
When you’re back on the sconfig screen, type 2 to Activate Windows, and then press Enter.
A Command Prompt window launches again with the slmgr.vbs script to perform the activation. Assuming there are no errors, this will complete with no message.
After you’ve logged into Windows Server Core, you’re presented with the sconfig utility. From there, you can activate your copy of Windows. To set the license and do the activation from the command line, you’ll need to select menu option 15, “Exit to command line (PowerShell)”. To activate, you have to set the key. You do this with the Windows Server License Manager script, slmgr.vbs.
To install the product key that will be needed for your version of Windows Server 2022, use the following command with the parameter -ipk. Just replace <productkey> with your 25-character license key, including the dashes.
slmgr.vbs -ipk <productkey>
You get a dialog box that tells you the product key installed successfully. Click OK.
After the license key is installed, you use the same script with the -ato parameter to do an online activation of your copy of Windows. You do that with the following command:
slmgr.vbs -ato
If the activation was successful, you get a dialog box that says the product was activated successfully (see Figure 4-3).
Much like activation in Windows Server Core, you can set the time zone via sconfig or PowerShell. In this section, I cover both methods. The great thing about the PowerShell version is that it will work on Windows Server with Desktop Experience as well.
Sconfig is the built-in configuration utility in Windows Server Core. Because it's a simple text-based menu, it provides a simple way for administrators to configure the time zone without needing scripting knowledge to do so.
From the sconfig utility, type 9 to go into the settings for Date and Time.
The Date and Time dialog box appears.
If you prefer to work in PowerShell, you can also set the time zone from there. This utilizes the control command to call the Control Panel’s Date and Time screen.
In PowerShell, type the following:
Set-TimeZone -Id <Time Zone Id>
Setting the name and adding a server to a Windows domain are some of the most common activities that system administrators do with new servers. With Windows Server Core, there are two methods that you should know to complete this task: sconfig (the configuration utility in Windows Server Core) and PowerShell.
The sconfig utility in Windows Server Core makes it simple to change the name of your server with its text-driven menus. Follow these steps:
In the sconfig utility, type 2 to change the computer name.
You’re prompted to enter a new name.
Enter the new name, and press Enter.
You need to restart your computer to apply the change.
When the server has the correct name, you may want to add it to a Windows domain. You can do this with the sconfig utility as well.
Enter the password of the user and press Enter.
You need to restart your computer to apply the change.
Although sconfig is a nice utility, you may want to be able to script the changes that you want to make. Whenever this is the case, PowerShell can be very helpful. From running batch scripts in the Command Prompt, to running PowerShell scripts in PowerShell, both methods work regardless of whether you’re on Windows Server Core or Windows Server with Desktop Experience.
From the sconfig utility, type 15 to exit to command line (PowerShell).
The PowerShell window opens on your Server Core box.
Use the Rename-Computer command to change the name of your server:
Rename-Computer -NewName <new-name>
The ability to script the joining of the domain is a useful skill if you're going to be deploying any quantity of servers. Not only does adding a domain via PowerShell make it simpler to do, but it also helps to ensure that there are no mistakes in the process of joining the domain.
From the sconfig utility, type 15 to exit to command line (PowerShell).
The PowerShell window opens on your Server Core box.
Use the Add-Computer command to add the server to the domain.
Here’s an example:
Add-Computer -DomainName "your_domain_name" -Restart
A dialog box appears asking for a username and password.
Click OK.
The server restarts.
Before you can set the IP address for the adapter with PowerShell, you need to find out what the index of your interface is. You can do this by typing the following:
Get-NetAdapter
The output lists all network adapters. In this case, you want the one that says Ethernet. After you have the index number, you can set the IP address and the DNS servers. On my server, the index is 4.
Use the following command to set the static IP address. InterfaceIndex is the index number for my network card, IPAddress is the IP address I want to assign, PrefixLength is the subnet mask that I want to use, and DefaultGateway is the gateway address for the local network (see Figure 4-4).
New-NetIPAddress -InterfaceIndex 4 -IPAddress 192.168.1.50 -PrefixLength 24 -DefaultGateway 192.168.1.1
To set the DNS Server after that, the command uses the same index number for my network card. ServerAddresses is used to identify the DNS servers that the system should use (see Figure 4-5). If you have more than one, you can separate them with a comma.
Set-DNSClientServerAddress -InterfaceIndex 4 -ServerAddresses 8.8.8.8, 8.8.4.4
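The script below is an added example, not from the original chapter. It performs the same two steps but looks the interface index up by adapter name instead of hard-coding 4, and it can be re-run safely. The adapter name and all addresses are sample values taken from the commands above; substitute your own.

```powershell
# Added example: set a static IPv4 address and DNS servers without hard-coding the index.
# Sample values only (they mirror the chapter's commands); change them for your network.
$alias   = 'Ethernet'
$ip      = '192.168.1.50'
$prefix  = 24
$gateway = '192.168.1.1'
$dns     = '8.8.8.8', '8.8.4.4'

# Resolve the adapter by name and stop if it is missing or not connected
$adapter = Get-NetAdapter -Name $alias -ErrorAction Stop
if ($adapter.Status -ne 'Up') {
    throw "Adapter '$alias' is $($adapter.Status); not configuring it."
}
$idx = $adapter.ifIndex

# Is the wanted address already assigned manually? Then leave addressing alone.
$existing = Get-NetIPAddress -InterfaceIndex $idx -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress -eq $ip -and $_.PrefixOrigin -eq 'Manual' }

if (-not $existing) {
    # Turn DHCP off, then clear any old address and default route so that
    # New-NetIPAddress does not fail with "already exists"
    Set-NetIPInterface -InterfaceIndex $idx -AddressFamily IPv4 -Dhcp Disabled
    Get-NetIPAddress -InterfaceIndex $idx -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false -ErrorAction SilentlyContinue
    Get-NetRoute -InterfaceIndex $idx -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false -ErrorAction SilentlyContinue

    New-NetIPAddress -InterfaceIndex $idx -IPAddress $ip -PrefixLength $prefix `
                     -DefaultGateway $gateway | Out-Null
}

Set-DnsClientServerAddress -InterfaceIndex $idx -ServerAddresses $dns

# Show the resulting address, gateway and DNS servers for verification
Get-NetIPConfiguration -InterfaceIndex $idx
```

Run it from the console rather than over a remote session, because changing the address drops connections made to the old one.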
After you have installed your brand-new Windows Server, and maybe even done some of the basic configuration work like changing the name and joining the domain, you'll want to update the server. Updates contain fixes for security vulnerabilities and new features, and should always be installed before turning a server over to the team that requested it.
Considering how important it is to stay up to date on Windows Server updates, most organizations are going to set up automatic updates. You may have a server that can’t be set to receive updates automatically, or there may be an emergency patch that was issued and you want to apply it right away. In this section, I explain how to do automatic updates and manual updates.
Most organizations use automatic updates. The following directions walk you through setting up your server to reach out to Microsoft’s update servers (the default behavior).
Select Enabled.
You’re given configuration options.
Under Configure Automatic Updating, you can see that it’s set to Auto Download and Notify to Install. This is the default setting.
Click the drop-down box and select the setting that works best for your environment.
In my case, I’ve chosen Auto Download and Schedule the Install. See Figure 4-6 for an example.
You hear about the next big security vulnerability on the news media, and vendors release patches to the vulnerability very quickly after that. When a security vulnerability impacts your Windows Server systems, you may want to start a manual update — that way, your systems are protected outside of your normal patching windows. If your organization uses a patching solution, the patch may be pushed from that system, but there are always a few systems that don’t take the patch for whatever reason. You may have to manually update when that occurs.
Click the hyperlink next to Last Checked for Updates.
This may say Never if it hasn’t been run yet.
Click the Check for Updates button.
The server will check to see if there are any updates available.
Windows Server Core has the same needs when it comes to receiving updates from Microsoft that Windows Server with Desktop Experience does. In this section, I show you how to set up automatic updates and how to perform manual updates from PowerShell.
There are two ways you can enable automatic updates on Server Core: using the sconfig utility and using PowerShell.
The text-driven menu provided by the sconfig utility makes enabling automatic updates very simple. You can set up automatic updates in just four quick steps:
From the sconfig menu, type 5 to configure Windows Update settings, and then press Enter.
You’re given the choice of selecting A for automatic download and install, D for download only (which is the default), or M for manual updates.
Type A for automatic download and installation of Windows updates.
You get a text confirmation that the change was successful.
To set updates to automatic via PowerShell, you need to navigate to C:\Windows\system32 and stop the Windows Update service. It may already be stopped. Then you can use the script program to execute scregedit.wsf. Adding the switch /AU 4 enables automatic updates; /AU 1 would disable automatic updates. The following example enables Windows updates:
net stop wuauserv
cscript scregedit.wsf /AU 4
net start wuauserv
If you would like to see an example of what this looks like and what the responses should be, please see Figure 4-7.
To force Server Core to then detect and install any available updates, simply type the following command and press Enter.
wuauclt /detectnow
After your Windows Server operating system is installed, the next step is to customize it and make it your own! This involves things like installing roles and features, setting up remote administration, and configuring the firewall.
I'll start the customization discussion with the Desktop Experience. When you log into a server with Desktop Experience enabled, by default Server Manager will launch. A lot of the configuration and customization tasks you may have can be accomplished from Server Manager.
Roles and features are added in Windows Server 2022 with Desktop Experience through Server Manager.
Check the check box next to the role that you want to install and click Next.
For this demonstration, I’ve chosen File Server under File and Storage Services (see Figure 4-8).
When a server has Desktop Experience, administrators often prefer to work with the server over Remote Desktop. This is disabled by default; you enable it to use it. If the firewall on the server is enabled and does not have Remote Desktop enabled, you won’t be able to connect to it. You need to enable the Remote Desktop – User Mode (TCP-In) rule listed in the Inbound Rules of your server’s firewall.
In the dialog box that appears, select Allow Remote Connections to This Computer.
A dialog box appears telling you that a firewall exception will be made for Remote Desktop.
Assuming that you’re going to use the Windows Firewall on your server, you need to know how to enable applications through the firewall. By allowing inbound traffic, you enable the server to do the job you plan on using it for.
Click the Private: On link next to Microsoft Defender Firewall.
The Firewall & Network Protection app opens.
Whether you’re running PowerShell commands against your Windows Server Core system while connected to the console or through remote PowerShell, you can do much of your configuration work with just a few PowerShell commands.
To get really good working with Server Core, half of the battle you face is learning how to find the things you want. In Server with Desktop Experience, you have the GUI to guide you. Not so with Server Core.
Let’s look at the example I used with the Desktop Experience server. You want to install the File Server role. Before you can install the role, you need to find out what to call it. By using Get-WindowsFeature, you can find the names of the roles and features you’re interested in. If you have an idea of what the name is, you can do a wildcard search. In the following example, I’ve used *file* to indicate that I want the Get-WindowsFeature cmdlet to return results that have the word file in them.
Get-WindowsFeature *file*
When you type the preceding command, you get three results of items that have file in their names. You can see File Server under Display Name. For the installation command, you need the name under the Name column. In this case, it's FS-FileServer. Now you’re ready to install it! Use the following command to install the File Server (see Figure 4-10):
Install-WindowsFeature FS-FileServer
You see a progress bar as the feature is installed. After it’s installed, if you run the first command again, you see that all three results are now installed. File and iSCSI Services was installed because File Server relies on it.
Remote Management is enabled by default in Windows Server 2022. If it was disabled in your environment, you can enable it by running the Configure-SMRemoting command. This allows you to remotely administer your server with Server Manager.
Configure-SMRemoting -Enable
To be able to administer the server remotely with PowerShell, you need two additional commands. Enable-PSRemoting configures PowerShell to receive remote commands that are sent to your system. Winrm quickconfig will analyze and automatically configure the WinRM service for you. This is very helpful when you just want it to work and don't need to customize it. The command starts the WinRM service if it isn’t already started, and ensures that WinRM is set to automatically start. It also configures listeners for HTTP and HTTPS, and ensures that the Windows firewall is allowing HTTP and HTTPS traffic inbound.
The Enable-PSRemoting command will not give you any output if it succeeds. You’ll simply be presented with the PowerShell prompt again.
Enable-PSRemoting -force
Running winrm quickconfig is a little different. After it runs its analysis, it tells you what needs to be changed and asks for a yes or no as to whether it can make the necessary changes. Select Y and press Enter. If everything looked good during the analysis, you'll be told that WinRM is already running and is already set up for Remote Management instead of the yes/no question.
winrm quickconfig
Working with the Microsoft Defender Firewall on Server Core is pretty simple. You need to find the name of the rule you want to work with first. You can do that with the Get-NetFirewallRule command (see Figure 4-11). Using the Format-table command at the end makes the output more easily readable. Try the command without it — you'll see what I mean!
Get-NetFirewallRule *remote* | Format-table
The preceding command looks for any rules that have remote in the name. You can see each rule and whether it's enabled.
Let’s enable the Remote Firewall Management rules. These would allow you to administer this server’s firewall from another system. The rules you’re interested in are RemoteFwAdmin-In-TCP and RemoteFwAdmin-RPCSS-In-TCP.
Here are the commands you'll use to enable these (see Figure 4-12):
Set-NetFirewallRule -Name "RemoteFwAdmin-In-TCP" -Enabled True
Set-NetFirewallRule -Name "RemoteFwAdmin-RPCSS-In-TCP" -Enabled True
If the commands complete successfully, you’ll get no response. You’ll be returned to the PowerShell prompt. If you run your search again, you’ll see that these rules are now enabled.
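Enabled as-is, these rules accept connections from whatever remote addresses the rule already permits. The following added example (not from the original chapter) enables the same two rules, limits them to a management subnet, and prints the result so you can confirm the state instead of relying on the silent return. The subnet 192.168.1.0/24 is an assumed sample value.

```powershell
# Added example: enable the Remote Firewall Management rules, scope them, and verify.
# $mgmtSubnet is an assumed sample value; use the network your admin workstations sit on.
$rules      = 'RemoteFwAdmin-In-TCP', 'RemoteFwAdmin-RPCSS-In-TCP'
$mgmtSubnet = '192.168.1.0/24'

foreach ($name in $rules) {
    # -ErrorAction Stop surfaces a mistyped rule name or a rule locked by Group Policy
    Set-NetFirewallRule -Name $name -Enabled True -RemoteAddress $mgmtSubnet -ErrorAction Stop
}

# Read the rules back together with their address filter
Get-NetFirewallRule -Name $rules | ForEach-Object {
    $filter = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $_.Name
        Enabled       = $_.Enabled
        Direction     = $_.Direction
        Profile       = $_.Profile
        RemoteAddress = $filter.RemoteAddress -join ', '
    }
} | Format-Table -AutoSize
```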
With Windows Server 2008, Microsoft introduced a utility called BCDEdit, which allows you to manipulate the Windows boot configuration data (BCD) store. The BCD is used to tell the operating system how it should boot; it contains all the boot configuration parameters needed to support that function. This replaced the older bootcfg.exe utility that was used to edit the boot.ini file pre–Windows Vista. You must be a member of the local Administrators group on a system to use BCDEdit. This is an advanced utility that is useful in troubleshooting issues that are preventing a server from booting properly.
Table 4-2 lists some of the more common options available for BCDEdit.
TABLE 4-2 BCDEdit Common Options
Option | Description |
---|---|
/bootdebug | Enables or disables boot debugging. |
/dbgsettings | Configures the type of debugging connection. |
/debug | Enables or disables kernel debugging. |
/delete | Deletes boot entries from the datastore — use with caution! |
/deletevalue | Deletes or removes a boot entry option — use with caution! |
/displayorder | Sets the order used by the boot manager when displaying the multiboot menu. |
/enum | Lists all the entries in the boot configuration datastore. |
/export | Exports the contents of the BCD; can be used as a backup to restore the BCD. |
/import | Imports the contents of an exported file; can be used as a restore option if needed. |
/set | Sets a value in a boot option. |
Most often, you'll use bcdedit /set to make changes to your boot configuration datastore. Before you make any changes, you need to know what your BCD looks like currently. You can use the /enum option to do that. In Figure 4-13, you can see the current settings for the Windows Boot Manager and the Windows Boot Loader.
You may notice that the description in the Windows Boot Loader just says Windows Server. Maybe you want it to be more descriptive than that. You can change it with bcdedit /set. You need the ID of the object that you're wanting to work on. In this case, you’re wanting to edit the Windows Boot Loader; the identifier that you can see in Figure 4-13 is {current}. The full command you type will look something like this:
bcdedit /set {current} description "Windows Server 2022 Standard"
bcdedit /set "{current}" description "Windows Server 2022 Standard"
When you get the message The operation completed successfully, use bcdedit /enum again. You'll see your new description. See Figure 4-14 for my example.
Why would you want to change the name on the Windows Boot Loader? Consider the example of a multiple boot system that has the same operating system on both disks. The disks are used for very different purposes, so you want to ensure that you remember which is which. Being able to change the descriptions will simplify choosing the appropriate disk in the boot menu. BCDEdit can also be used to change the order of the boot menu. This is useful if you want to set one of your disks to be first in the list and the default disk to boot to after a certain amount of time.
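The following added example (not from the original chapter) wraps the description change in the /export backup listed in Table 4-2, so a bad edit can be undone with /import. The backup folder C:\BCD-Backup is an assumed path. In PowerShell the identifier must be quoted, because unquoted braces are parsed as a script block.

```powershell
# Added example: back up the BCD store, change the description, then verify.
# Run in an elevated PowerShell session. C:\BCD-Backup is an assumed location.
$backupDir  = 'C:\BCD-Backup'
$backupFile = Join-Path $backupDir ("bcd-{0}" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
$newName    = 'Windows Server 2022 Standard'

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Export the current store before touching it
bcdedit /export $backupFile
if ($LASTEXITCODE -ne 0) {
    throw "bcdedit /export failed (exit code $LASTEXITCODE); no changes were made."
}

# 2. Make the change; '{current}' is quoted so PowerShell passes the braces through
bcdedit /set '{current}' description $newName
if ($LASTEXITCODE -ne 0) {
    throw "bcdedit /set failed. The backup is at $backupFile; restore with: bcdedit /import `"$backupFile`""
}

# 3. Confirm the new value on the current boot loader entry
bcdedit /enum '{current}' | Select-String -Pattern $newName -SimpleMatch
```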