Windows Server 2019 Core

時間 2020-01-06

標籤 windows server core 欄目 Windows 简体版

原文原文鏈接

SQL Server 2019 Serial Key

Enterprise: HMWJ3-KY3J2-NMVD7-KG4JR-X2G8G
Enterprise Core: 2C9JR-K3RNG-QD4M4-JQ2HR-8468J ios

Technorati 標記: windows server, 2019, core

Strandard: PMBDC-FXVM3-T777P-N4FY8-PKFF4

win server 2019 core: shell

安裝更新 windows

sconfig 瀏覽器

設置時區：服務器

control timedate.cpl app

設置區域： dom

control intl.cpl ssh

記事本： tcp

notepad ide

註冊表：

regedit/regedt32

修改計算機名：

netdom renamecomputer %computername% /newname:DC01

Installing and Configuring OpenSSH on Windows Server 2019

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

Set-Service -Name ssh-agent -StartupType ‘Automatic’

Set-Service -Name sshd -StartupType ‘Automatic’

Start-Service ssh-agent

Start-Service sshd

ssh username@domain@hostname_or_IP_address

將PowerShell 設置成默認的命令Shell：

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\' -Name Shell -Value 'PowerShell.exe -noExit'

查看網卡IP配置：

Get-NetIPAddress

肯定須要修改IP地址的網卡進行配置：

New-NetIPAddress -InterfaceIndex 12 -IPAddress 192.168.16.20 -PrefixLength 24 -DefaultGateway 192.168.16.2

修改DNS服務器：

Set-DNSClientServerAddress -InterfaceIndex 12 -ServerAddress "192.168.16.2,223.5.5.5"

啓用遠程桌面：

cscript C:\Windows\System32\Scregedit.wsf /ar 0

Get-NetFirewallRule -Name *SMB* | Select Name,Enabled,Direction,Action,PrimaryStatus

1.Use PowerShell to Create a New Active Directory Forest on Windows 2019 Server Core Installation (no-GUI):

Install-WindowsFeature -Name AD-Domain-Services

$Password = Read-Host -Prompt 'Enter SafeMode Admin Password' -AsSecureString

Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath C:\Windows\NTDS -DomainMode WinThreshold -DomainName nipit.cn -DomainNetbiosName NIPIT -ForestMode WinThreshold -InstallDns:$true -LogPath C:\Windows\NTDS -NoRebootOnCompletion:$true -SafeModeAdministratorPassword $Password -SysvolPath C:\Windows\SYSVOL -Force:$true

a new domain or forest functional level for Windows Server 2019 so a value of 「WinThreshold」 or 7 puts it in Windows Server 2016 mode. The valid values are:

Default
Windows Server 2003: 「Win2003」 or 「2」
Windows Server 2008: 「Win2008」 or 「3」
Windows Server 2008 R2: Win2008R2 or 「4」
Windows Server 2012: 「Win2012」 or 「5」
Windows Server 2012 R2: 「Win2012R2」 or 「6」
Windows Server 2016: 「WinThreshold」 or 「7」

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer

Create a new DWORD called EnableAutoTray and set the value to 0

Creating New AD User in Powershell from Existing User:

set-ADUser administrator -PasswordNeverExpires $true

$user = Get-ADUser administrator –Properties *

New-ADUser -Name 'gazh' -Instance $user

New-ADUser -Name 'gazh' -Instance $user -AccountPassword (Read-Host "Password" -AsSecureString)

Add-ADGroupMember -Identity "Domain Admins" -Member gazh

Add-ADGroupMember -Identity "Enterprise Admins" -Member gazh

Add-ADGroupMember -Identity "Schema Admins" -Member gazh

安裝第二個Domain Controller:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Install-ADDSDomainController -InstallDns -Credential (Get-Credential nipc\gazh) -DomainName "nipc.com.cn"

刪除第一個Domain Controller:

Uninstall-WindowsFeature ADCS-Web-Enrollment

Uninstall-WindowsFeature ADCS-Cert-Authority

Uninstall-WindowsFeature AD-Certificate

Uninstall-WindowsFeature DHCP,Web-Server

Uninstall-ADDSDomainController

Uninstall-WindowsFeature dns,AD-Domain-Services

To clean up server metadata by using Ntdsutil

Open a command prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials of an Enterprise Administrator if required, and then click Continue.
At the command prompt, type the following command, and then press ENTER:
ntdsutil
At the ntdsutil: prompt, type the following command, and then press ENTER:
metadata cleanup
At the metadata cleanup: prompt, type the following command, and then press ENTER:
remove selected server <ServerName>
In Server Remove Configuration Dialog, review the information and warning, and then click Yes to remove the server object and metadata.
At this point, Ntdsutil confirms that the domain controller was removed successfully. If you receive an error message that indicates that the object cannot be found, the domain controller might have been removed earlier.
At the metadata cleanup: and ntdsutil: prompts, type quit, and then press ENTER.
To confirm removal of the domain controller:

2.Use PowerShell to Install a DHCP Server on a Windows Server 2019 (Server Core) Active Directory Domain Controller

Install-WindowsFeature -Name DHCP

Add the DHCP scope to the server:

Add-DhcpServerv4Scope -Name '192.168.16.0' -StartRange 192.168.16.101 -EndRange 192.168.16.199 -SubnetMask 255.255.255.0

設置Scope Option

Set-DhcpServerv4OptionValue -ScopeID '192.168.16.0' -DNSServer 192.168.16.20 -DNSDomain nipit.cn -Router 192.168.16.2

或Server Option:

Set-DhcpServerv4OptionValue -DNSServer 192.168.16.0 -DNSDomain nipit.cn -Router 192.168.16.2

Authorize the DHCP server 域受權：

Add-DhcpServerInDC -DnsName dc01.nipit.cn

Display information about the scope.

Get-DhcpServerv4Scope | Select-Object -Property *

3. Installing Certificate Services in Server Core 2019

Role Name:

Active Directory Certificate Services AD-Certificate

Certification Authority ADCS-Cert-Authority

Certificate Enrollment Policy Web Service ADCS-Enroll-Web-Pol

Certificate Enrollment Web Service ADCS-Enroll-Web-Svc

Certification Authority Web Enrollment ADCS-Web-Enrollment

Network Device Enrollment Service ADCS-Device-Enrollment

Online Responder ADCS-Online-Cert

Install-WindowsFeature AD-Certificate,ADCS-Cert-Authority,ADCS-Web-Enrollment

Install-AdcsCertificationAuthority -ValidityPeriod Years -ValidityPeriodUnits 20 -CACommonName NIPIT-CA

Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 50 -CACommonName NIPIT-CA

配置 Certificate Authority Web Enrollment:

Install-AdcsWebEnrollment

打開：http://<servername>/certsrv

就能夠經過瀏覽器申請證書了。

4. 遠程管理Windows Server Core 2019 上的IIS:

Install-WindowsFeature Web-Mgmt-Service

netsh advfirewall firewall add rule name=」IIS Remote Management」 dir=in action=allow service=WMSVC

New-NetFirewallRule -DisplayName "IIS Remote Management" -Direction Inbound -Action Allow -Service WMSVC

Open the Registry Editor by running 「regedit」.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WebManagement\Server

set 「EnableRemoteManagement」 to 「1」

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WebManagement\Server]
"EnableRemoteManagement"=dword:00000001

reg import file.reg

Configure the Web Management Service to run on boot by running the following command.

Install the Web-Server role
Install the Web-Mgmt-Service
Enable Remote Management
Set the WMSVC service to start automatically
Create connection from Remote IIS Management Console

Set-Service -Name WMSVC -StartupType Automatic

Get-Service WMSVC | Select-Object -Property Name, StartType, Status

Set-Service -Name WMSVC -Status Running -PassThru

Invoke-WebRequest http://aka.ms/WACDownload -UseBasicParsing -outfile wac.msi -PassThru

msiexec /i wac.msi /qn /L*v log.txt SME_PORT=8080 SSL_CERTIFICATE_OPTION=generate

New-NetFirewallRule -DisplayName "Allow Windows Admin Center port 8080" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 8080

Enable and Disable Windows Firewall:

Set-NetFirewallProfile -All -Enabled false

Set-NetFirewallProfile -All -Enabled true

netsh advfirewall set allprofiles state off

netsh advfirewall set allprofiles state on

New-NetFirewallRule -Name "Block HTTP" -DisplayName "Block HTTP" -Enabled 1 -Direction Inbound -Action Block -LocalPort 80 -Protocol TCP

Get-NetFirewallRule -Name *Block* | Select Name,Enabled,Direction,Action,PrimaryStatus

Get-NetFirewallRule -Name FPS-ICMP* |Set-NetFirewallRule -Enabled true

Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" |select Name,Enabled,Direction,Action

Enable-NetFirewallRule -DisplayacGroup "File and Printer Sharing"

To configure Windows Firewall to allow MMC snap-in(s) to connect

To allow all MMC snap-ins to connect, run
Enable-NetFirewallRule -DisplayGroup "Remote Administration"
To allow only specific MMC snap-ins to connect, run:
Enable-NetFirewallRule -DisplayGroup "<rulegroup>"

MMC snap-in Rule group

Event Viewer Remote Event Log Management

Services Remote Service Management

Shared Folders File and Printer Sharing

Task Scheduler Performance Logs and Alerts

File and Printer Sharing

Disk Management Remote Volume Management

Windows Firewall with Advanced Security Windows Firewall Remote Management

使用MMC管理遠程的Windows Server Core服務器，須要先在遠程服務器上打開一些防火牆規則:

#
# This script works on a variety of settings that are easiest done from the
# local machine to make it remotely manageable by a management workstation.

# Ensure Server Manager remoting is enabled
Configure-SMRemoting.exe -Enable

# 設置一些防火牆規則

#  容許Ping
Set-NetFirewallRule –Name "FPS-ICMP4-ERQ-In" –Enabled True
Set-NetFirewallRule –Name "FPS-ICMP6-ERQ-In" –Enabled True
Set-NetFirewallRule –Name "FPS-ICMP4-ERQ-Out" –Enabled True
Set-NetFirewallRule –Name "FPS-ICMP6-ERQ-Out" –Enabled True

#  Enable remote volume management - firewall rules need to be set on both
#  source and destination computers
#  ***NOTE*** Policy must also be set on system to "Allow remote access
#  to the Plug and Play interface"
#  This is done with gpedit.msc locally or gpedit for domain policy
Set-NetFirewallRule –Name "RVM-VDS-In-TCP" –Enabled True
Set-NetFirewallRule –Name "RVM-VDSLDR-In-TCP" –Enabled True
Set-NetFirewallRule –Name "RVM-RPCSS-In-TCP" –Enabled True

#  容許 DCOM 管理入站規則(由於其它功能可能會打開DCOM-IN，因此有可能會報錯找不到對象，不影響)
Set-NetFirewallRule –Name "ComPlusNetworkAccess-DCOM-In" –Enabled True


#  Enable remote service management
Set-NetFirewallRule –Name "RemoteSvcAdmin-In-TCP" –Enabled True
Set-NetFirewallRule –Name "RemoteSvcAdmin-NP-In-TCP" –Enabled True
Set-NetFirewallRule –Name "RemoteSvcAdmin-RPCSS-In-TCP" –Enabled True

#  Enable Remote Event Log Management
Set-NetFirewallRule –Name "RemoteEventLogSvc-In-TCP" –Enabled True
Set-NetFirewallRule –Name "RemoteEventLogSvc-NP-In-TCP" –Enabled True
Set-NetFirewallRule –Name "RemoteEventLogSvc-RPCSS-In-TCP" –Enabled True

#  Enable Remote Scheduled Tasks Management
Set-NetFirewallRule –Name "RemoteTask-In-TCP" –Enabled True
Set-NetFirewallRule –Name "RemoteTask-RPCSS-In-TCP" –Enabled True

#  Enable Windows Firewall Remote Management
Set-NetFirewallRule –Name "RemoteFwAdmin-In-TCP" –Enabled True
Set-NetFirewallRule –Name "RemoteFwAdmin-RPCSS-In-TCP" –Enabled True

#  Enable WMI management requests in
Set-NetFirewallRule –Name "WMI-WINMGMT-In-TCP" –Enabled True

#  Set some services to automatically start and start them.
Set-Service -Name PlugPlay -StartupType Automatic
Start-Service PlugPlay
Set-Service -Name RemoteRegistry -StartupType Automatic
Start-Service RemoteRegistry
Set-Service -Name vds -StartupType Automatic
Start-Service vds

#  Enable Remote Desktop
(Get-WmiObject Win32_TerminalServiceSetting -Namespace root\cimv2\TerminalServices).SetAllowTsConnections(1,1) | Out-Null
(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\TerminalServices -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0) | Out-Null

$srvr = Read-Host "Enter name to assign to this computer:"
(Get-WmiObject win32_computersystem).rename($srvr)

$domain = Read-Host "Enter domain this computer should join (you will be prompted for credentials):"
Add-Copmuter -DomainName $domain

Write-Host -ForegroundColor Yellow "System will now be rebooted."
Shutdown -r -t 5