Microsoft's official enterprise support blog for AD DS and more
Hello, this is LaNae Wade from the Directory Services team.
Windows Server 2008 Core introduces some challenges in administering servers without an explorer shell. Here are some netsh commands that will help you administer your Server Core installation remotely through MMC snap-ins.
Allowing Administration of Server Core from a Remote MMC
To administer the Server Core installation from a remote MMC you must configure the Windows Firewall.
If you do not configure the firewall to allow remote administration via MMC you will get an error. For example:
When you attempt to connect to a Windows Server 2008 Core installation via Device Manager you may receive the following message:
Unable to access the computer “ComputerName” Make sure that this computer is on the network, has remote administration enabled, and is running the “Plug and Play” and “Remote registry” services.
The error was: Access Denied
When you attempt to connect to a Windows Server 2008 Core installation via Event Viewer you may receive the following message:
Event Viewer cannot connect to computer “ComputerName”. The error reported is: The RPC server is unavailable
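When you attempt to connect to a Windows Server 2008 Core installation via Disk Management you may receive the following message:
Disk Management could not start Virtual Disk Service (VDS) on “ComputerName”. This can happen if the remote computer does not support VDS, or if a connection cannot be established because it was blocked by Windows Firewall.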
In order to run the Netsh advfirewall commands you must have the correct permissions.
· If you are a member of the Network Operators group you can run the commands from any command prompt.
· If you are not a member of the Local Administrators or Network Operators group and do not have delegated permissions to run the netsh advfirewall command, you can only run the commands that display information. You cannot make any changes to the settings.
Before you can make any changes to the firewall settings remotely you must first enable remote administration of the firewall by typing the following command at a command prompt:
Netsh advfirewall firewall set rule group="Windows Firewall Remote Management" new enable=yes
Once the firewall has been configured for remote administration you can begin to allow remote management through MMC snap-ins. You can configure the firewall to allow remote management via all MMC snap-ins or you can specify particular MMC snap-ins.
The following command will allow you to remotely manage a Server Core installation through all MMC snap-ins.
Netsh advfirewall firewall set rule group="remote administration" new enable=yes
To allow remote management via specific MMC snap-ins, run the following command.
Netsh advfirewall firewall set rule group="<rulegroup>" new enable=yes
Note: You can reference the table below for available rulegroups. Some snap-ins will require more configuration before you can connect to them through a firewall. Also, some MMC snap-ins do not have an associated rule group that allows connections through firewalls.
If you look at the chart above you will see Disk Management and its corresponding rule group. This is one of the MMC snap-ins that will need additional configuration. In order to use this snap-in for remote management you must first start the Virtual Disk Service (VDS) on the computer that is running the Server Core installation. You also have to configure the Disk Management rules on the computer that is running the MMC snap-in. The command to enable the Remote Volume Management Rule group is as follows.
Netsh advfirewall firewall set rule group="Remote Volume Management" new enable=yes
Running this command will enable the Remote Volume Management – Virtual Disk Service Loader (RPC), Remote Volume Management – Virtual Disk Service (RPC), and Remote Volume Management – Virtual Disk Service (RPC-EPMAP) inbound rules. Remember these rules must be enabled on both the server that is running the MMC and the remote Server Core installation.
You now know some of the commands you can run to enable remote management through MMCs. There are other commands besides netsh, not covered in this blog, that would allow you to enable remote management through MMCs. Check out the NETSH Technical Reference; it has a lot of this information in it, as well as a ton of other netsh commands. You can download it from the link below.
- LaNae Wade
Thanks for this valuable info. However, you have an internal link in the text. Please check the bullet point that starts "If you are not a member of the Local Administrators or Network Operators group and do not have delegate"
Fixed - thanks for the sharp eyes!
Hi LaNae...Just last week I published an article on Server Core to help admins get the commands they needed to get the server up and configured. http://msmvps.com/blogs/ad/archive/2008/06/04/administrator-s-guide-to-server-core-commands.aspx
Great link, dsmvp!
This is the following command that I believe should work to enable the remote desktop protocol (3389) for the domain profile only:
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=domain
I am getting an "Only the enable parameter can be used to update rules specified by a group" when it is run.
I have tried to follow the help in the exact order indicated by it, and I get errors again.
Any input would be truly appreciated!
Server Core 2008 Standard x64.
It's because you're trying to specify the profile in the same command as a Group, when you must use a Name. So for this to work, you'd run:
netsh advfirewall firewall set rule name="remote desktop (tcp-in)" new enable=yes profile=domain
Basically, groups cover all the groupings, regardless of profiles. To use profiles you must specify names, if that makes sense. To see all the Names you can run:
netsh advfirewall firewall show rule name=all > blah.txt
then read blah.txt to see everything.
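Added example (not part of the original post or its comments): after enabling rule groups as the article describes, or scoping a single rule by name as in the reply above, this parses the output of netsh advfirewall firewall show rule name=all and lists which enabled inbound rules of a group apply to a given profile. The sample output is constructed, the field layout assumes English-locale netsh output, and parse_rules and enabled_on are hypothetical helper names.

```python
import re

# Constructed sample in the layout of `netsh advfirewall firewall show rule name=all`
# (English-locale field names assumed; not captured from a real server).
SAMPLE = """\
Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain
Grouping:                             Remote Desktop

Rule Name:                            Remote Volume Management - Virtual Disk Service (RPC)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             Remote Volume Management

Rule Name:                            Remote Volume Management - Virtual Disk Service Loader (RPC)
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             Remote Volume Management
"""

def parse_rules(text):
    """Return one dict per rule block, keyed by the netsh field name."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"([^:]+):\s+(.*)", line.strip())
        if m and m.group(1) == "Rule Name":
            rules.append({})  # a "Rule Name" line starts a new rule block
        if m and rules:
            rules[-1][m.group(1)] = m.group(2)
    return rules

def enabled_on(rules, groups, profile):
    """Names of enabled inbound rules in `groups` that apply to `profile`."""
    wanted = {g.lower() for g in groups}
    return [r["Rule Name"] for r in rules
            if r.get("Grouping", "").lower() in wanted
            and r.get("Enabled", "").lower() == "yes"
            and r.get("Direction", "").lower() == "in"
            and profile.lower() in r.get("Profiles", "").lower().split(",")]

if __name__ == "__main__":
    print(enabled_on(parse_rules(SAMPLE), ["Remote Volume Management"], "Public"))
```

To check a real server, pass the contents of the file written by the show rule command above to parse_rules instead of SAMPLE.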
Thank you very much for helping me out with that clarification.
I knew it was my struggle with trying to figure out the syntax that was holding things back.
That is the KB article where the original example came from.
Is the example given, then, in the Enable Specific Services section wrong?
Arrrgh! Yes, the KB is wrong. I'll edit that ASAP. Great catch Philip, thanks for following up on this. :)
You are very welcome. I am glad that the struggle has finally come to an end! :D