Chapter 6. Configuring roles, role services, and features

Using roles, role services, and features

Making supplemental components available

Installing components with Server Manager

Installing components at the prompt

Tracking installed roles, role services, and features

You prepare servers for use by installing and configuring the following components:

  • Server roles. Server roles are related sets of software components that enable servers to perform a specific function for users and other computers on networks. A computer can be dedicated to a single role, such as Active Directory Domain Services (AD DS), or a computer can provide multiple roles.

  • Role services. Role services are software components that provide the functionality of server roles. Each server role has one or more related role services. Some server roles, such as Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP), have a single function, and installing the role installs this function. Other roles, such as Network Policy And Access Services and Active Directory Certificate Services, have multiple role services that you can install. With these server roles, you can choose which role services to install.

  • Features. Features are software components that provide additional functionality. Features, such as Windows Internet Naming Service (WINS) and Windows Server Backup, are installed and removed separately from roles and role services. A computer can have multiple features installed or none, depending on its configuration.

You configure roles, role services, and features by using the Server Manager console. Server Manager’s command-line counterpart is the ServerManager module for Windows PowerShell.

Note

Although Server Manager enables you to work with a local server, other servers must be added for management, as discussed in “Adding servers for management” in Chapter 4. For ease of reference in this chapter, I will refer to servers added for management in Server Manager as managed servers.

Using roles, role services, and features

Before modifying a server’s configuration, you should carefully plan how adding or removing a role, role service, or feature will affect a server’s overall performance. Although you typically want to combine complementary roles, doing so increases the workload on the server, so you need to optimize the server hardware accordingly. Also, keep in mind that roles, role services, and features can depend on other roles, role services, and features. When you install roles, role services, and features, Server Manager prompts you to install any additional roles, role services, or features that are required. If you try to remove a required component of an installed role, role service, or feature, Server Manager warns that you cannot remove the component unless you also remove the other role, role service, or feature.

Table 6-1 provides an overview of the primary roles and the related role services that you can deploy on a server running Windows Server 2012 R2. In addition to roles and features that are included with Windows Server 2012 R2 by default, Server Manager enables integration of roles and features that might become available on the Microsoft Download Center as optional updates to Windows Server 2012 R2.

Table 6-1. Primary roles and related role services for Windows Server 2012 R2

Role

Description

Active Directory Certificate Services (AD CS)

AD CS provides functions necessary for issuing and revoking digital certificates for users, client computers, and servers. It includes these role services: Certification Authority, Certificate Enrollment Policy Web Service, Certification Authority Web Enrollment, Network Device Enrollment Service, and Online Responder.

Active Directory Domain Services (AD DS)

AD DS provides functions necessary for storing information about users, groups, computers, and other objects on the network and makes this information available to users and computers. Active Directory domain controllers give network users and computers access to permitted resources on the network.

Active Directory Federation Services (AD FS)

AD FS complements the authentication and access-management features of AD DS by extending them to the World Wide Web.

Active Directory Lightweight Directory Services (AD LDS)

AD LDS provides a data store for directory-enabled applications that do not require AD DS and do not need to be deployed on domain controllers.

Active Directory Rights Management Services (AD RMS)

AD RMS provides controlled access to protected email messages, documents, intranet pages, and other types of files. It includes these role services: Active Directory Rights Management Server and Identity Federation Support.

Application Server

Application Server enables a server to host distributed applications built using ASP.NET, Enterprise Services, and Microsoft .NET Framework 4.5. It includes COM+ Network Access, TCP Port Sharing, and other role services.

DHCP Server

DHCP Server provides centralized control over IP addressing. DHCP servers can assign dynamic IP addresses and essential TCP/IP settings to other computers on a network.

DNS Server

DNS Server is a name-resolution system that resolves computer names to IP addresses. DNS servers are essential for name resolution in Active Directory domains.

Fax Server

Fax Server provides centralized control over sending and receiving faxes in the enterprise. A fax server can act as a gateway for faxing and enables you to manage fax resources, such as jobs, reports, and fax devices on the server or on the network.

File And Storage Services

File And Storage Services provides essential services for managing files and storage and the way they are made available and replicated on the network. A number of server roles require some type of file service. It includes these role services and subservices: BranchCache for Network Files, Data Deduplication, Distributed File System (DFS), DFS Namespaces, DFS Replication, File Server, File Server Resource Manager, Services for Network File System (NFS), File Server VSS Agent Service, iSCSI Target Server, iSCSI Target Storage Provider, Server for NFS, Storage Services, and Work Folders.

Hyper-V

Hyper-V provides services for creating and managing virtual machines that emulate physical computers. Virtual machines have separate operating system environments from the host server.

Network Policy And Access Services (NPAS)

NPAS provides essential services for managing network access policies. It includes these role services: Network Policy Server (NPS), Health Registration Authority (HRA), and Host Credential Authorization Protocol (HCAP).

Print And Document Services

Print And Document Services provides essential services for managing network printers, network scanners, and related drivers. It includes these role services: Print Server, Distributed Scan Server, Internet Printing, and LPD Service.

Remote Access

Remote Access provides services for managing routing and remote access to networks. Use this role if you need to configure virtual private networks (VPNs), Network Address Translation (NAT), and other routing services. It includes these role services: DirectAccess and VPN (RAS), Routing, and Web Application Proxy.

Remote Desktop Services

Remote Desktop Services provides services that enable users to run Windows-based applications that are installed on a remote server. When users run an application on a terminal server, the execution and processing occur on the server, and only the data from the application is transmitted over the network.

Volume Activation Services

Volume Activation Services provides services for automating the management of volume license keys and volume key activation.

Web Server (IIS)

Internet Information Services (IIS) is used to host websites and web-based applications. Websites hosted on a web server can have both static content and dynamic content. You can build web applications hosted on a web server by using ASP.NET and .NET Framework 4.5. When you deploy a web server, you can manage the server configuration by using IIS 8 modules and administration tools. It includes several dozen role services.

Windows Deployment Services (WDS)

WDS provides services for deploying computers running Windows in the enterprise. It includes these role services: Deployment Server and Transport Server.

Windows Server Essentials Experience

Essentials Experience provides services previously only available with Windows Server Essentials, including services for deploying workplaces, which are remotely accessible through a web gateway. It requires single-domain installation.

Windows Server Update Services (WSUS)

WSUS provides services for Microsoft Update, enabling you to distribute updates from designated servers. It includes the WID Database, WSUS Services, and Database role services.

Table 6-2 provides an overview of the primary features that you can deploy on a server running Windows Server 2012 R2. Unlike early releases of Windows, some important server features are not installed automatically. For example, you must add Windows Server Backup to use the built-in backup and restore features of the operating system.

Table 6-2. Primary features for Windows Server 2012 R2

Feature

Description

.NET Framework 4.5

.NET Framework 4.5 provides APIs for application development. It replaces .NET 3.5 as the default framework. Only the framework and TCP Port Sharing are installed by default. Other subfeatures include ASP.NET 4.5, HTTP Activation, Message Queuing Activation, Named Pipe Activation, and TCP Activation.

Background Intelligent Transfer Service (BITS)

BITS provides intelligent background transfers. When this feature is installed, the server can act as a BITS server that can receive file uploads from clients. This feature isn’t necessary for downloads to clients using BITS. Additional subfeatures include IIS Server Extension and Compact Server.

BitLocker Drive Encryption

BitLocker Drive Encryption provides hardware-based security to protect data through full-volume encryption that prevents disk tampering while the operating system is offline. Computers that have Trusted Platform Module (TPM) can use BitLocker Drive Encryption in Startup Key or TPM-Only mode. Both modes provide early integrity validation.

BitLocker Network Unlock

BitLocker Network Unlock provides support for network-based key protectors that automatically unlock BitLocker-protected operating system drives when a domain-joined computer is restarted.

BranchCache

BranchCache provides services needed for BranchCache client and server functionality. It includes HTTP protocol, Hosted Cache, and related services.

Client For NFS

Client For NFS provides functionality for accessing files on UNIX-based NFS servers.

Data Center Bridging

Data Center Bridging supports a suite of Institute of Electrical and Electronics Engineers (IEEE) standards for enhancing LANs and enforcing bandwidth allocation.

Enhanced Storage

Enhanced Storage provides support for Enhanced Storage Devices.

Failover Clustering

Failover Clustering provides clustering functionality that enables multiple servers to work together to provide high availability for services and applications. Many types of services can be clustered, including file and print services. Messaging and database servers are ideal candidates for clustering.

Group Policy Management

Group Policy Management installs the Group Policy Management Console (GPMC), which provides centralized administration of Group Policy.

Ink And Handwriting Services

Ink And Handwriting Services provides support for use of a pen or stylus and handwriting recognition.

Internet Printing Client

Internet Printing Client provides functionality that enables clients to use HTTP to connect to printers on web print servers.

IP Address Management Server

IP Address Management Server provides support for central management of the enterprise’s IP address space and the related infrastructure servers.

iSNS Server Service

iSNS Server Service provides management and server functions for Internet SCSI (iSCSI) devices, enabling the server to process registration requests, deregistration requests, and queries from iSCSI devices.

LPR Port Monitor

LPR Port Monitor installs the LPR Port Monitor, which enables printing to devices attached to UNIX-based computers.

Media Foundation

Media Foundation provides essential functionality for Windows Media Foundation.

Message Queuing

Message Queuing provides management and server functions for distributed message queuing. A group of related subfeatures is also available.

Multipath I/O (MPIO)

MPIO provides the functionality necessary for using multiple data paths to a storage device.

Network Load Balancing (NLB)

NLB provides failover support and load balancing for IP-based applications and services by distributing incoming application requests among a group of participating servers. Web servers are ideal candidates for load balancing.

Peer Name Resolution Protocol (PNRP)

PNRP provides Link-Local Multicast Name Resolution (LLMNR) functionality that enables peer-to-peer, name-resolution services. When you install this feature, applications running on the server can use LLMNR to register and resolve names.

Quality Windows Audio Video Experience

Quality Windows Audio Video Experience is a networking platform for audio video (AV) streaming applications on IP home networks.

RAS Connection Manager Administration Kit

RAS Connection Manager Administration Kit provides the framework for creating profiles for connecting to remote servers and networks.

Remote Assistance

Remote Assistance enables a remote user to connect to the server to provide or receive Remote Assistance.

Remote Differential Compression

Remote Differential Compression provides support for differential compression by determining which parts of a file have changed and replicating only the changes.

Remote Procedure Call (RPC) over HTTP Proxy

RPC over HTTP Proxy installs a proxy for relaying RPC messages from client applications to the server over HTTP. RPC over HTTP is an alternative to having clients access the server over a VPN connection.

Remote Server Administration Tools (RSAT)

RSAT installs role-management and feature-management tools that can be used for remote administration of other Windows Server systems. Options for individual tools are provided, or you can install tools by top-level category or subcategory.

Simple Mail Transfer Protocol (SMTP) Server

SMTP Server is a network protocol for controlling the transfer and routing of email messages. When this feature is installed, the server can act as a basic SMTP server. For a full-featured solution, you need to install a messaging server such as Microsoft Exchange Server.

Simple Network Management Protocol (SNMP) Services

SNMP Services is a protocol that simplifies management of TCP/IP networks. You can use SNMP for centralized network management if your network has SNMP-compliant devices. You can also use SNMP for network monitoring through network-management software.

Simple TCP/IP Services

Simple TCP/IP Services installs additional TCP/IP services, including Character Generator, Daytime, Discard, Echo, and Quote of the Day.

SMB 1.0/CIFS File Sharing Support

File Sharing Support provides support for legacy file shares and clients.

SMB Bandwidth Limit

SMB Bandwidth Limit enables you to limit specific categories of SMB traffic such as Live Migration over SMB.

User Interfaces And Infrastructure

User Interfaces And Infrastructure enables you to control the user experience and infrastructure options (Graphical Management Tools And Infrastructure, Desktop Experience, or Server Graphical Shell). Desktop Experience provides Windows desktop functionality on the server (but these functions can reduce the server’s overall performance).

Windows Biometric Framework

Windows Biometric Framework provides the functionality required for using fingerprint devices.

Windows Internal Database

Windows Internal Database enables the server to use relational databases with Windows roles and features that require an internal database, such as AD RMS; Universal Description, Discovery, and Integration (UDDI) Services; Windows Server Update Services (WSUS); Windows SharePoint Services; and Windows System Resource Manager.

Windows PowerShell

Windows PowerShell enables you to manage the Windows PowerShell features of the server. Windows PowerShell and the Windows PowerShell ISE are installed by default.

Windows PowerShell Web Access

Windows PowerShell Web Access enables the server to act as a web gateway for remotely managing servers in a web browser.

Windows Process Activation Service

Windows Process Activation Service provides support for distributed, web-based applications that use HTTP and non-HTTP protocols.

Windows Server Backup

Windows Server Backup enables you to back up and restore the operating system, system state, and any data stored on a server.

Windows Standards-Based Storage Management

Windows Standards-Based Storage Management provides support for managing standards-based storage and includes management interfaces and extensions for Windows Management Instrumentation (WMI) and Windows PowerShell.

Windows TIFF IFilter

Windows TIFF IFilter focuses on text-based documents, which means that searching is more successful for documents that contain clearly identifiable text (for example, black text on a white background).

WinRM IIS Extension

WinRM IIS Extension provides an Internet Information Services (IIS)–based hosting model. WinRM IIS Extension can be enabled at either the website or virtual-directory level.

WINS Server

WINS Server is a name-resolution service that resolves computer names to IP addresses. Installing this feature enables the computer to act as a WINS server.

Wireless LAN Service

Wireless LAN Service enables the server to use wireless networking connections and profiles.

WOW64 Support

WOW64 Support supports WOW64, which is required on a Full Server installation. Removing this feature converts a Full Server installation to a Server Core installation.

XPS Viewer

XPS Viewer is a program you can use to view, search, set permissions for, and digitally sign XPS documents.

Making supplemental components available

Microsoft designed Server Manager and the underlying framework for managing components to be extensible. This makes it easier to provide supplemental roles, role services, and features for the operating system.

You can make these components available for installation and configuration by completing the following steps:

  1. Download the installer package or packages from the Microsoft website. Typically, these are provided as a set of Microsoft Update Standalone Packages (.msu) files.

  2. Double-tap or double-click each installer package to register it for use.

  3. If Server Manager is running on the server, restart or refresh Server Manager to make the new components available.

  4. In Server Manager, use the appropriate wizard to install and configure the supplemental role, role service, or feature.

Installing components with Server Manager

Server Manager is the primary tool you use to manage roles, role services, and features. Not only can you use Server Manager to add or remove roles, role services, and features, but you can use it to view the configuration details and status for these software components.

By default, Server Manager is started automatically. If you closed the console or disabled automatic startup, you can open the console by tapping or clicking the related option on the taskbar. Another way to do this is by pressing the Windows key, typing ServerManager.exe in the Apps Search box, and then pressing Enter.

Viewing configured roles and role services

Server Manager automatically creates server groups based on the roles of managed servers. When you select a role-based group in the left pane, the Servers panel shows the managed servers that have this role. As shown in Figure 6-1, the details for the selected server group provide the following information for all servers in the group:

  • The status of related system services. You can manage a service (and its dependent services) by pressing and holding or right-clicking and then selecting Stop Services, Start Services, or Restart Services. In many cases, if a service isn’t running as you think it should, you can tap or click Restart Services to resolve the issue by stopping and then starting the service.

  • Error and warning events the related services and components have generated recently. If you tap or click an event, you get additional information about the event (if available).

  • Summary information about the related role services and features, including the number of related role services and features installed and the name and subpath of the related role, role service, or feature in the UI. For example, with Storage Services, the component type is listed as Role Services, and the path is listed as File And Storage Services\Storage Services.

You can refresh the server details manually by tapping or clicking the Refresh Servers button on the toolbar. Otherwise, Server Manager refreshes the details periodically for you. If you want to set a different default refresh interval, tap or click Manage and then tap or click Server Manager Properties. Next, set the new refresh interval in minutes and then tap or click OK.

A screen shot of the Server Manager page, showing the status of installed roles.

Figure 6-1. View the status details for installed roles.

Managing server roles and features

When you select All Servers in Server Manager, the Roles And Features pane provides details on the current roles and features that are installed on all managed servers. As you set out to add roles to a server, keep in mind that some roles cannot be added at the same time as other roles, and you have to install each role separately. Other roles cannot be combined with existing roles, and you’ll see warning prompts about this.

Adding server roles and features

You can add a server role or feature by following these steps:

  1. In Server Manager, select Add Roles And Features on the Manage menu. This starts the Add Roles And Features Wizard.

    Note

    If the wizard displays the Before You Begin page, read the introductory text and then tap or click Next. You can avoid seeing the Before You Begin page the next time you start this wizard by selecting the Skip This Page By Default check box before tapping or clicking Next.

  2. On the Select Installation Type page, Role-Based Or Feature-Based Installation is selected by default. Tap or click Next.

  3. On the Select Destination Server page, shown in Figure 6-2, you can choose to install roles and features on running servers or virtual hard disks. Only servers that are running Windows Server 2012 or later and that have been added for management are listed. Either select a server from the server pool or select a server from the server pool on which to mount a virtual hard disk (VHD). If you are adding roles and features to a VHD, tap or click Browse and then use the Browse For Virtual Hard Disks dialog box to locate the VHD. When you are ready to continue, tap or click Next.

    A screen shot of the Add Roles And Features Wizard, which you use to select a destination server for the installation.

    Figure 6-2. Select the server or virtual hard disk to use for the installation.

  4. On the Select Server Roles page, shown in Figure 6-3, select the role or roles to install. Some roles cannot be added at the same time as other roles. You have to install each role separately. Other roles cannot be combined with existing roles, and you’ll see warning prompts about this. A server running a Server Core installation can act as a domain controller and hold any of the flexible single-master operations (FSMOs) roles for Active Directory.

    A screen shot of the Add Roles And Features Wizard, showing roles available to install on the server.

    Figure 6-3. Select the roles to install.

  5. If additional features are required to install a role, you see an additional dialog box. Tap or click Add Features to close the dialog box and add the required features to the server installation. Tap or click Next to continue.

  6. With some roles, you see an extra wizard page, which provides additional information about using and configuring the role. You might also have the opportunity to install additional role services as part of a role. Read the information page and select additional role services to install as appropriate.

  7. On the Select Features page, select the feature or features to install. If additional features are required to install a feature you selected, you see an additional dialog box. Tap or click Add Features to close the dialog box and add the required features to the server installation. When you are ready to continue, tap or click Next.

  8. On the Confirm Installation Selections page, tap or click the Export Configuration Settings link to generate an installation report that can be displayed in Internet Explorer.

    For information on managing binary source files, see “Managing server binaries” later in this chapter.

  9. Restarting the destination server might be required to complete the installation of some roles and features. To restart the destination server automatically if required, select the related check box. If you do not select this check box and a restart is required, you will need to restart the server manually to complete the installation.

  10. After you review the installation options and save them as necessary, tap or click Install to begin the installation process. The Installation Progress page tracks the progress of the installation. If you close the wizard, tap or click the Notifications icon in Server Manager and then tap or click the link provided to reopen the wizard.

  11. When Setup finishes installing the server with the roles and features you selected, the Installation Progress page will be updated to reflect this. Review the installation details to ensure that all phases of the installation were completed successfully. If any portion of the installation failed, note the reason for the failure. Review the Server Manager entries for installation problems and take corrective actions as appropriate.

Removing server roles and features

You can remove a server role by following these steps:

  1. In Server Manager, select Remove Roles And Features on the Manage menu. This starts the Remove Roles And Features Wizard.

    Note

    If the wizard displays the Before You Begin page, read the introductory text and then tap or click Next. You can avoid seeing the Before You Begin page the next time you start this wizard by selecting the Skip This Page By Default check box before tapping or clicking Next.

  2. On the Select Destination Server page, you can choose to remove roles and features from running servers or virtual hard disks. Only servers that are running Windows Server 2012 R2 and that have been added for management are listed. Either select a server from the server pool or select a server from the server pool on which to mount a VHD. If you are removing roles and features from a VHD, tap or click Browse and then use the Browse For Virtual Hard Disks dialog box to locate the VHD. When you are ready to continue, tap or click Next.

  3. On the Remove Server Roles page, shown in Figure 6-4, clear the check box for the role you want to remove. If you try to remove a role that another role or feature depends on, a warning prompt appears stating that you cannot remove the role unless you also remove the other role. If you tap or click the Remove Features button, Setup removes the dependent roles and features. Note that if you want to keep related management tools, you should clear the Remove Management Tools check box prior to tapping or clicking the Remove Features button and then click Continue. Tap or click Next.

    A screen shot of the Remove Roles And Features Wizard, showing installed roles that can be removed from the server.

    Figure 6-4. Clear selected roles to remove them.

  4. On the Remove Features page, the currently installed features are selected. To remove a feature, clear the related check box. If you try to remove a feature that another feature or role depends on, you see a warning prompt stating that you cannot remove the feature unless you also remove the other feature or role. If you tap or click the Remove Features button, Setup removes the dependent roles and features. Note that if you want to keep related management tools, you should clear the Remove Management Tools check box and then click Continue prior to tapping or clicking the Remove Features button. Tap or click Next.

  5. On the Confirm Removal Selections page, review the components that Setup will remove based on your previous selections. Restarting the destination server might be required to complete the removal of some roles and features. To restart the destination server automatically if required, select the related check box. If you don’t select this check box and a restart is required, you need to restart the server manually to complete the removal.

  6. Tap or click Remove. The Removal Progress page tracks the progress of the removal. If you close the wizard, tap or click the Notifications icon in Server Manager and then tap or click the link provided to reopen the wizard.

When Setup finishes modifying the server configuration, you see the Removal Progress page. Review the modification details to ensure that all phases of the removal process were completed successfully. As necessary, note any additional actions that might be required to complete the removal, such as restarting the server or performing additional removal tasks. If any portion of the removal failed, review the Server Manager entries for removal problems and take corrective actions as appropriate.

Managing server binaries

Binaries needed to install roles and features are referred to as payloads. With Windows Server 2012 R2, payloads normally are stored in subfolders of the Windows Side-by-Side folder (%SystemDrive%\Windows\WinSXS). However, to enhance security, you can disable roles and features and remove the payload used to install these roles and features. When you remove a payload, servers try to get the required binary files from Windows Update by default. In Group Policy, you can configure an alternative to Windows Update by specifying an alternative download location.

If you want to remove binaries, you use Windows PowerShell to do this and not Server Manager. The ServerManager module for Windows PowerShell is the command-line counterpart of Server Manager.

The Get-WindowsFeature cmdlet returns a detailed list of a server’s current state with regard to roles, role services, and features. When you type get-windowsfeature at a Windows PowerShell prompt, you see the state of each role, role service, and feature listed as one of the following:

  • Available. Meaning the component is available for installation

  • Installed. Meaning the component is already installed

  • Removed. Meaning the payload for the component has been removed

As shown in the partial listing that follows, each role, role service, or feature is listed by display name and then by its management naming component:

[ ] Active Directory Certificate Services         AD-Certificate          Removed
    [ ] Certification Authority                   ADCS-Cert-Authority     Removed
    [ ] Certificate Enrollment Policy Web Serv... ADCS-Enroll-Web-Pol     Removed
    [ ] Certificate Enrollment Web Service        ADCS-Enroll-Web-Svc     Removed
    [ ] Certification Authority Web Enrollment    ADCS-Web-Enrollment     Removed
    [ ] Network Device Enrollment Service         ADCS-Device-Enrollment  Removed
    [ ] Online Responder                          ADCS-Online-Cert        Removed
[X] Active Directory Domain Services              AD-Domain-Services      Installed
[ ] Active Directory Federation Services          AD-Federation-Services  Available
    [ ] Federation Service                        ADFS-Federation         Available
    [ ] AD FS 1.1 Web Agents                      ADFS-Web-Agents         Available
        [ ] AD FS 1.1 Claims-aware Agent          ADFS-Claims             Available
        [ ] AD FS 1.1 Windows Token-based Agent   ADFS-Windows-Token      Available
    [ ] Federation Service Proxy                  ADFS-Proxy              Available
[X] Active Directory Rights Management Se...      ADRMS                   Installed

By using Install-WindowsFeature followed by the management name, you can install a role, role service, or feature and get its binaries if necessary. Use –includeallsubfeature when adding components to add all subordinate components. Use –includemanagementtools when adding components to add the related management tools.

You can uninstall a role, role service, or feature by using Uninstall-WindowsFeature. If you specify a top-level role with role service and feature subcomponents, the subcomponents are also uninstalled.

To uninstall a role, role service, or feature and then remove the related binaries from the Windows Side-By-Side folder, you use the –Remove parameter with Uninstall-WindowsFeature. If you specify a top-level role with role service and feature subcomponents, the binaries for the subcomponents are also removed.

Use –includemanagementtools when removing components to remove the related management tools.

In the previous example, Active Directory Certificate Services and its subcomponents were removed. Knowing this, you could retrieve the binaries for the role, subordinate role services, and features and then install these components and the related management tools by entering the following command:

install-windowsfeature ad-certificate –includeallsubfeature -includemanagementtools

Because adding or removing components requires administrator privileges, you must run this command at an elevated Windows PowerShell prompt.
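The payload removal described above can be previewed before any binaries are deleted. The following is an added example, not code from the book: it selects components that are in the Available state and are not on a keep list, taking into account that –Remove on a parent also removes the binaries of its subcomponents. The function name Get-PayloadRemovalCandidate and the keep list are assumptions, and the sample objects are constructed.

```powershell
# Added example: pick components whose payload can be removed from WinSxS.
# Get-PayloadRemovalCandidate and the -Keep list are hypothetical names.
function Get-PayloadRemovalCandidate {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-WindowsFeature output (Name, InstallState, Parent).
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object[]] $Feature,

        # Component names whose payload must stay available on disk.
        [string[]] $Keep = @()
    )
    begin   { $all = @() }
    process { $all += $Feature }
    end {
        $byName = @{}    # case-insensitive lookup by component name
        foreach ($f in $all) { $byName[$f.Name] = $f }

        # A kept component protects itself and every ancestor, because -Remove
        # on a parent also removes the binaries of its subcomponents.
        $protected = @{}
        foreach ($k in $Keep) {
            if (-not $byName.ContainsKey($k)) {
                Write-Warning "Unknown component in keep list: $k"
                continue
            }
            $n = $k
            while ($n -and $byName.ContainsKey($n)) {
                $protected[$n] = $true
                $n = $byName[$n].Parent
            }
        }

        # Only 'Available' components hold a payload without being installed.
        $candidates = @($all | Where-Object {
            "$($_.InstallState)" -eq 'Available' -and -not $protected.ContainsKey($_.Name)
        })
        $selected = @{}
        foreach ($c in $candidates) { $selected[$c.Name] = $true }

        # Emit only the top-most candidate of each branch; its children go with it.
        foreach ($c in $candidates) {
            $covered = $false
            $p = $c.Parent
            while ($p -and $byName.ContainsKey($p)) {
                if ($selected.ContainsKey($p)) { $covered = $true; break }
                $p = $byName[$p].Parent
            }
            if (-not $covered) { $c.Name }
        }
    }
}

# Constructed sample (not real server data), using component names from this chapter.
$sample = @(
    [pscustomobject]@{ Name = 'AD-Certificate';         InstallState = 'Removed';   Parent = '' }
    [pscustomobject]@{ Name = 'AD-Domain-Services';     InstallState = 'Installed'; Parent = '' }
    [pscustomobject]@{ Name = 'AD-Federation-Services'; InstallState = 'Available'; Parent = '' }
    [pscustomobject]@{ Name = 'ADFS-Federation';        InstallState = 'Available'; Parent = 'AD-Federation-Services' }
    [pscustomobject]@{ Name = 'ADFS-Proxy';             InstallState = 'Available'; Parent = 'AD-Federation-Services' }
    [pscustomobject]@{ Name = 'BITS';                   InstallState = 'Available'; Parent = '' }
    [pscustomobject]@{ Name = 'BITS-IIS-Ext';           InstallState = 'Available'; Parent = 'BITS' }
    [pscustomobject]@{ Name = 'BITS-Compact-Server';    InstallState = 'Available'; Parent = 'BITS' }
)
$sample | Get-PayloadRemovalCandidate -Keep 'BITS-Compact-Server'

# On a server, from an elevated prompt, preview the removal and review the list:
# Get-WindowsFeature | Get-PayloadRemovalCandidate -Keep 'BITS-Compact-Server' |
#     ForEach-Object { Uninstall-WindowsFeature -Name $_ -Remove -WhatIf }
```

Drop –WhatIf from the final command only after the previewed list matches what you intend to remove.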

By default, when you use Install-WindowsFeature, payloads are restored through Windows Update. You can use the –Source parameter to restore a payload from a Windows Imaging (WIM) mount point. For example, if an image for Windows Server 2012 R2 is available at the network path \\ImageServer32\WinServer12R2EE, you could specify the source as follows:

install-windowsfeature -name ad-certificate -includeallsubfeature -source \\imageserver18\winserver12r2ee

The path you specify is used only if the required binaries are not found in the Windows Side-By-Side folder on the destination server. You also can mount the Windows Server 2012 R2 distribution media and use the Windows\WinSXS folder from the installation image as your source. To do this, follow these steps:

  1. Log on to the server by using an account with administrator privileges. Insert the installation disc into the server’s disc drive.

  2. Open an elevated command prompt. Create a folder to mount the installation image by typing the following command: mkdir c:\mountdir.

  3. Locate the index number of the image you want to use by typing the following command at the elevated prompt: dism /get-wiminfo /wimfile:e:\sources\install.wim, where e: is the drive designator of the server’s disc drive.

  4. Mount the installation image by typing the following command at the elevated prompt: dism /mount-wim /wimfile:e:\sources\install.wim /index:2 /mountdir:c:\mountdir /readonly, where e: is the drive designator of the server’s disc drive, 2 is the index of the image to use, and c:\mountdir is the mount directory. Mounting the image might take several minutes.

  5. Open an elevated Windows PowerShell prompt. Use Install-WindowsFeature with the source specified as c:\mountdir\windows\winsxs, as shown in this example:

    install-windowsfeature -name ad-domain-services -includeallsubfeature -source c:\mountdir\windows\winsxs
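The steps above as a single script, with the image dismounted whether the installation succeeds or fails; this is an added example, not code from the book. It uses the drive letter, image index, and mount folder from the steps, and the helper name Invoke-Dism and the /unmount-wim cleanup are additions.

```powershell
# Added example: mount the installation image, install from it, then dismount.
# Run from an elevated Windows PowerShell prompt. The values below are the ones
# used in the steps above; adjust them to match your media.
$wimFile  = 'e:\sources\install.wim'
$index    = 2
$mountDir = 'c:\mountdir'
$feature  = 'ad-domain-services'

# Hypothetical helper: runs dism.exe and stops on a nonzero exit code.
function Invoke-Dism {
    param([string[]] $Arguments)
    & dism.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "dism $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Step 2: create the mount folder if it does not exist yet.
if (-not (Test-Path $mountDir)) {
    New-Item -ItemType Directory -Path $mountDir | Out-Null
}

# Step 3: list the images so the index can be confirmed before mounting.
Invoke-Dism -Arguments '/get-wiminfo', "/wimfile:$wimFile"

$mounted = $false
try {
    # Step 4: mount read-only so the installation image cannot be modified.
    Invoke-Dism -Arguments '/mount-wim', "/wimfile:$wimFile", "/index:$index",
                           "/mountdir:$mountDir", '/readonly'
    $mounted = $true

    # Step 5: install, using the mounted image's WinSxS folder as the source.
    $result = Install-WindowsFeature -Name $feature -IncludeAllSubFeature `
                  -Source "$mountDir\windows\winsxs" -ErrorAction Stop

    if (-not $result.Success) {
        throw "Installing $feature failed (exit code $($result.ExitCode))"
    }
    "Exit code: $($result.ExitCode); restart needed: $($result.RestartNeeded)"
}
finally {
    # Cleanup (not part of the original steps): release the mounted image.
    if ($mounted) {
        Invoke-Dism -Arguments '/unmount-wim', "/mountdir:$mountDir", '/discard'
    }
}
```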

You can use Group Policy to control whether Windows Update is used to restore payloads and to provide alternate source paths for restoring payloads. The policy you want to work with is Specify Settings For Optional Component Installation And Component Repair, which is under Computer Configuration\Administrative Templates\System. This policy also is used for obtaining payloads needed to repair components.

If you enable Specify Settings For Optional Component Installation And Component Repair (as shown in Figure 6-5), you can do the following:

  • Set an alternate source file path for payloads as a network location. For network shares, type the UNC path to the share, such as \\CorpServer82\WinServer2012. For mounted Windows images, type the WIM path prefixed with WIM: and include the index of the image to use, such as WIM:\\CorpServer82\WinServer2012\install.wim:4.

  • Restrict downloading payloads from Windows Update. If you enable the policy and use this option, you do not have to specify an alternate path. In this case, payloads cannot be obtained automatically, and administrators will need to specify the alternate source path explicitly.

  • Designate Windows Update as the source for repairing components rather than Windows Server Update Services.

A screen shot of the Specify Settings For Optional Component Installation And Component Repair dialog box, showing the policy as enabled with an alternative source file path.

Figure 6-5. Configure component installation and repair through Group Policy.

Installing components at the prompt

Earlier in the chapter, in the Managing server binaries section, I discussed using the ServerManager module and its cmdlets. Now it’s time to take a closer look at the module and its cmdlets and provide additional examples.

When you want to manage server configuration at a prompt or in a script, you use Windows PowerShell and the ServerManager module. Not only can you use this module’s cmdlets to add or remove roles, role services, and features, but you can use them to view the configuration details and status for these software components.

Going to the prompt for Server Management

You manage roles, role services, and features by using the following cmdlets, which are part of the ServerManager module:

  • Get-WindowsFeature. Lists the server’s current state with regard to roles, role services, and features.

    Get-WindowsFeature [[-Name] ComponentNames] [-ComputerName Computer]
    [-Credential Credential] [-LogPath LogFile.txt] [-Vhd VhdPath] [–WhatIf]

  • Install-WindowsFeature. Installs the named role, role service, or feature. The –IncludeAllSubFeature parameter enables you to install all subordinate role services and features of the named component.

    Install-WindowsFeature [-Name] ComponentNames [-ComputerName Computer]
    [-IncludeAllSubFeature] [-IncludeManagementTools] [-Credential Credential]
    [-LogPath LogFile.txt] [-Source SourcePath] [-Restart | -Vhd VhdPath] [–WhatIf]

  • Uninstall-WindowsFeature. Removes the named role, role service, or feature.

    Uninstall-WindowsFeature [-Name] ComponentNames [-ComputerName Computer]
    [-IncludeManagementTools] [-Credential Credential] [-LogPath LogFile.txt]
    [-Remove] [-Restart | -Vhd VhdPath] [–WhatIf]

When applicable, you can do the following:

  • Use the –ComputerName parameter to specify the name or IP address of a remote computer to work with. Only one computer can be specified.

  • Use the –Credential parameter to pass in a credential for authentication. Credential objects are returned by the Get-Credential cmdlet.

    Note

    You can specify a user name as the credential by using the “UserName” or “Domain\UserName” format; the quotes are required, such as –Credential “CPANDL\Williams”. If you enter a user name, you are prompted for a password.

  • Use the –LogPath parameter to log error details to a named log file as an alternative to the default logging used. The value you specify sets the path and the name of the log file.

  • Use the –Restart parameter to restart the computer automatically (if restarting is necessary to complete the operation).

  • Use the –Vhd parameter to specify the path to an offline VHD, which can be a relative local path on the target computer, such as C:\virt\server12b.vhd, or a network share specified by the UNC path, such as \\server42\curr\server12b.vhd.

  • Use the –WhatIf parameter to display the operations that would be performed if the command were executed.

Installable roles, role services, and features have a corresponding component name that identifies the component so that you can manipulate it from the Windows PowerShell prompt. This also is true for supplemental components you’ve made available by downloading and installing their installer packages from the Microsoft website. You specify the list of components to install using the –Name parameter. This parameter matches actual component names and not display names. With Get-WindowsFeature, you can use wildcard characters. With Install-WindowsFeature and Uninstall-WindowsFeature, you cannot use wildcards but can use pipelining to get the required input names from another command, such as Get-WindowsFeature.

Understanding component names

Every installable role, role service, and feature has a component name. This name identifies the component so that it can be manipulated from the prompt. Remember, supplemental components are made available by downloading and installing their installer packages from the Microsoft website.

Table 6-3 provides a hierarchical listing of the component names associated with roles, related role services, and related subcomponents. When you are installing a role, you can use the –IncludeAllSubFeature parameter to install all the subordinate role services and features listed under the role and the –IncludeManagementTools parameter to install the related management tools.

Table 6-3. Component names for key roles and role services

Component Name            Role
                            Role Service
                              Subcomponent
-----------------------   -----------------------------------------------
AD-Certificate            Active Directory Certificate Services[a]
AD-Domain-Services        Active Directory Domain Services[b]
AD-Federation-Services    Active Directory Federation Services[c]
ADLDS                     Active Directory Lightweight Directory Services
ADRMS                     Active Directory Rights Management Services
ADRMS-Server                Active Directory Rights Management Server
ADRMS-Identity              Identity Federation Support
Application-Server        Application Server[d]
DHCP                      DHCP Server
DNS                       DNS Server
Fax                       Fax Server
FileAndStorage-Services   File And Storage Services
File-Services               File and iSCSI Services
FS-FileServer                 File Server
FS-BranchCache                BranchCache for Network Files
FS-Data-Deduplication         Data Deduplication
FS-DFS-Namespace              DFS Namespaces
FS-DFS-Replication            DFS Replication
FS-Resource-Manager           File Server Resource Manager
FS-VSS-Agent                File Server VSS Agent Service
FS-iSCSITarget-Server       iSCSI Target Server
iSCSITarget-VSS-VDS         iSCSI Target Storage Provider
FS-NFS-Service              Server for NFS
Storage-Services            Storage Services
Hyper-V                   Hyper-V
NPAS                      Network Policy and Access Services
NPAS-Policy-Server          Network Policy Server
NPAS-Health                 Health Registration Authority
NPAS-Host-Cred              Host Credential Authorization Protocol
Print-Services            Print and Document Services
Print-Server                Print Server
Print-Scan-Server           Distributed Scan Server
Print-Internet              Internet Printing
Print-LPD-Service           LPD Service
RemoteAccess              Remote Access
DirectAccess-VPN            DirectAccess and VPN (RAS)
Routing                     Routing
Remote-Desktop-Services   Remote Desktop Services[e]
VolumeActivation          Volume Activation Services
Web-Server                Web Server (IIS)[f]
WDS                       Windows Deployment Services
WDS-Deployment              Deployment Server
WDS-Transport               Transport Server
ServerEssentialsRole      Windows Server Essentials Experience
UpdateServices            Windows Server Update Services
UpdateServices-WidDB        WID Database
UpdateServices-Services     WSUS Services
UpdateServices-DB           Database

[a], [b], [c], [d], [e], [f] Indicates that the component has unlisted subordinate components that generally are installed together by adding the –IncludeAllSubFeature parameter.

Table 6-4 provides a hierarchical listing of the component names associated with features and related subfeatures. When you are installing a feature, you can use the –IncludeAllSubFeature parameter to install all the subordinate second-level and third-level features listed under the feature and the –IncludeManagementTools parameter to install the related management tools.

Table 6-4. Component names for key features and subfeatures

Component Name              Feature
                              Subcomponent
--------------------------  -------------------------------------------------
NET-Framework-Features      .NET Framework 3.5 Features[a]
NET-Framework-45-Features   .NET Framework 4.5 Features
NET-Framework-45-Core         .NET Framework 4.5
NET-Framework-45-ASPNET       ASP.NET 4.5
NET-WCF-Services45            WCF Services[b]
BITS                        Background Intelligent Transfer Service (BITS)[c]
BitLocker                   BitLocker Drive Encryption
BitLocker-NetworkUnlock     BitLocker Network Unlock
BranchCache                 BranchCache
NFS-Client                  Client for NFS
Data-Center-Bridging        Data Center Bridging
EnhancedStorage             Enhanced Storage
Failover-Clustering         Failover Clustering
GPMC                        Group Policy Management
Web-WHC                     IIS Hostable Web Core
InkAndHandwritingServices   Ink and Handwriting Services
Internet-Print-Client       Internet Printing Client
IPAM                        IP Address Management (IPAM) Server
ISNS                        iSNS Server service
LPR-Port-Monitor            LPR Port Monitor
ManagementOdata             Management OData IIS Extension
Server-Media-Foundation     Media Foundation
MSMQ                        Message Queuing[d]
Multipath-IO                Multipath I/O
NLB                         Network Load Balancing
PNRP                        Peer Name Resolution Protocol
qWave                       Quality Windows Audio Video Experience
CMAK                        RAS Connection Manager Administration Kit (CMAK)
Remote-Assistance           Remote Assistance
RDC                         Remote Differential Compression
RSAT                        Remote Server Administration Tools
RSAT-Feature-Tools            Feature Administration Tools[e]
RSAT-Role-Tools               Role Administration Tools[f]
RPC-over-HTTP-Proxy         RPC over HTTP Proxy
Simple-TCPIP                Simple TCP/IP Services
FS-SMB1                     SMB 1.0/CIFS File Sharing Support
FS-SMBBW                    SMB Bandwidth Limit
SMTP-Server                 SMTP Server
SNMP-Service                SNMP Service[g]
User-Interfaces-Infra       User Interfaces and Infrastructure
Server-Gui-Mgmt-Infra         Graphical Management Tools and Infrastructure
Desktop-Experience            Desktop Experience
Server-Gui-Shell              Server Graphical Shell
Biometric-Framework         Windows Biometric Framework
PowerShellRoot              Windows PowerShell
PowerShell                    Windows PowerShell 4.0
PowerShell-V2                 Windows PowerShell 2.0 Engine
PowerShell-ISE                Windows PowerShell ISE
WindowsPowerShellWebAccess    Windows PowerShell Web Access
WAS                         Windows Process Activation Service[h]
Search-Service              Windows Search Service
Windows-Server-Backup       Windows Server Backup
Migration                   Windows Server Migration Tools
WINS                        WINS Server
Wireless-Networking         Wireless LAN Service
WoW64-Support               WOW64 Support
XPS-Viewer                  XPS Viewer

[a], [b], [c], [d], [e], [f], [g], [h] Indicates that the component has unlisted subordinate components that generally are installed together by adding the –IncludeAllSubFeature parameter.

Tracking installed roles, role services, and features

As discussed previously, you can determine the roles, role services, and features that are installed on a server by typing get-windowsfeature at a Windows PowerShell prompt. Each installed role, role service, and feature is highlighted and marked as such, with roles and role services listed in the output before features, as shown in the following example:

Display Name                                      Name                Install State
------------                                      ----                -------------
[ ] Active Directory Certificate Services         AD-Certificate          Available
  [ ] Certification Authority                     ADCS-Cert-Authority     Available
  [ ] Certificate Enrollment Policy Web Service   ADCS-Enroll-Web-Pol     Available
  [ ] Certificate Enrollment Web Service          ADCS-Enroll-Web-Svc     Available
  [ ] Certification Authority Web Enrollment      ADCS-Web-Enrollment     Available
  [ ] Network Device Enrollment Service           ADCS-Device-Enrollment  Available
  [ ] Online Responder                            ADCS-Online-Cert        Available
[X] Active Directory Domain Services              AD-Domain-Services      Installed
...
[X] .NET Framework 4.5 Features                   NET-Framework-45-Fea... Installed
  [X] .NET Framework 4.5                          NET-Framework-45-Core   Installed
  [X] ASP.NET 4.5                                 NET-Framework-45-ASPNET Installed
  [X] WCF Services                                NET-WCF-Services45      Installed
    [ ] HTTP Activation                           NET-WCF-HTTP-Activat... Available
    [ ] Message Queuing (MSMQ) Activation         NET-WCF-MSMQ-Activat... Available
    [ ] Named Pipe Activation                     NET-WCF-Pipe-Activat... Available
    [X] TCP Activation                            NET-WCF-TCP-Activati... Installed
    [X] TCP Port Sharing                          NET-WCF-TCP-PortShar... Installed
[ ] Background Intelligent Transfer Service (B... BITS                    Available
  [ ] IIS Server Extension                        BITS-IIS-Ext            Available
  [ ] Compact Server                              BITS-Compact-Server     Available
[ ] BitLocker Drive Encryption                    BitLocker               Available

Because the –Name parameter, which enables you to look for components with a specific name, accepts wildcards, you can easily check the installation status and availability of related components. This example returns a list of components with a management name that starts with NET or web:

get-windowsfeature –name net*, web*

Technically, you don’t need to include –Name. The –Name parameter is the first expected parameter. Thus, you could perform the previous search by entering the following:

get-windowsfeature net*, web*

Because you won’t always be working with a local computer at the prompt, you can use the –ComputerName parameter to specify the name or IP address of the remote computer you want to work with. In this example, you get the status of components on CorpServer18:

get-windowsfeature –computername corpserver18

For the purposes of documenting a server’s configuration, you can save the output in a file as standard text by using the redirection symbol (>) as shown in this example:

get-windowsfeature > MySavedResults.txt

Here, you save the output to a file named MySavedResults.txt in the current (working) directory.
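A text file documents the configuration but is awkward to compare later. The following added example (not from the book) goes a step further and reports components whose install state differs between a saved baseline and the current state; the function name Compare-FeatureState and the CSV layout are assumptions, and both snapshots are constructed sample data.

```powershell
# Added example: report install-state changes against a saved baseline.
# Compare-FeatureState is a hypothetical helper name.
function Compare-FeatureState {
    param(
        # Objects with Name and InstallState, such as rows read by Import-Csv.
        [Parameter(Mandatory = $true)] [object[]] $Baseline,
        # Objects with Name and InstallState, such as Get-WindowsFeature output.
        [Parameter(Mandatory = $true)] [object[]] $Current
    )

    $old = @{}    # component name -> install state recorded in the baseline
    foreach ($b in $Baseline) { $old[$b.Name] = "$($b.InstallState)" }

    foreach ($c in $Current) {
        $now = "$($c.InstallState)"
        if ($old.ContainsKey($c.Name)) { $was = $old[$c.Name] }
        else                           { $was = 'NotInBaseline' }

        if ($was -eq $now) { continue }

        if     ($now -eq 'Installed')                         { $note = 'Installed since baseline' }
        elseif ($was -eq 'Removed' -and $now -eq 'Available') { $note = 'Payload restored' }
        elseif ($now -eq 'Removed')                           { $note = 'Payload removed' }
        elseif ($was -eq 'Installed')                         { $note = 'Uninstalled since baseline' }
        else                                                  { $note = 'State changed' }

        [pscustomobject]@{ Name = $c.Name; Was = $was; Now = $now; Note = $note }
    }
}

# Constructed snapshots (not real server data), in the CSV layout used below.
$baseline = @'
Name,InstallState
AD-Certificate,Removed
AD-Domain-Services,Installed
BITS,Available
FS-SMB1,Available
'@ | ConvertFrom-Csv

$current = @'
Name,InstallState
AD-Certificate,Available
AD-Domain-Services,Installed
BITS,Available
FS-SMB1,Installed
'@ | ConvertFrom-Csv

Compare-FeatureState -Baseline $baseline -Current $current | Format-Table -AutoSize

# On a server, record the baseline once, then compare against the live state:
# Get-WindowsFeature | Select-Object Name, InstallState |
#     Export-Csv .\features-baseline.csv -NoTypeInformation
# Compare-FeatureState -Baseline (Import-Csv .\features-baseline.csv) -Current (Get-WindowsFeature)
```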

Installing components at the prompt

You can install roles, role services, and features by typing Install-WindowsFeature ComponentName at an elevated prompt, where ComponentName is the management name of the component to install as listed in Table 6-3 or Table 6-4. In the following example, you install DHCP Server and the DHCP console for managing DHCP Server on CorpServer15:

Install-windowsfeature dhcp –ComputerName corpserver15 –includemanagementtools

Here, you don’t need to include the –IncludeAllSubFeature parameter because DHCP Server doesn’t have any subordinate role services or features. As Windows PowerShell works, you see a Start Installation progress bar. When the installation is complete, you see the result. The output for a successful installation should look similar to the following:

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {DHCP Server}

As you can see, the output specifies an exit code, a list of the exact change or changes made, whether the installation was successful, and whether a restart is needed. The exit code can be different from the Success status. For example, if the components you specify are already installed, the exit code is NoChangeNeeded, as shown in this sample output:

Success Restart Needed Exit Code             Feature Result
------- -------------- ---------             --------------
True    No             NoChangeNeeded        {}

Here, you see that Install-WindowsFeature was successful but didn’t actually make any changes. The Feature Result also shows no changes.

You don’t have to name the component or components explicitly that you want to install. Install-WindowsFeature accepts redirected output for component names, enabling you to use another command to get the name or names of the components you want to work with. For example, if you want to install multiple components, such as all .NET components across the multiple .NET frameworks that are available, you could use Get-WindowsFeature to help you do this, as shown in the following example:

get-windowsfeature -name NET-* | install-windowsfeature

Here, you use Get-WindowsFeature to obtain a list of components with names that start with NET– and then pipe that list to Install-WindowsFeature. The result is that you install all .NET components across all available .NET frameworks.

Component installation doesn’t always succeed. A common reason is that the server cannot be accessed, as shown in this example with accompanying error text:

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
False   Maybe          Failed         {}
install-windowsfeature : WinRM cannot process the request. The following error
occurred while using Kerberos authentication: Cannot find the computer
corpserver15. Verify that the computer exists on the network and that the
name provided is spelled correctly.

Here, Windows Remote Management (WinRM) couldn’t connect to the remote computer. Typically, this occurs because the server is offline or otherwise unavailable. This also could occur if you entered an incorrect server name.

Inadequate user rights is another common reason for component installation to fail, as shown in this example, with accompanying error text:

install-windowsfeature : You do not have adequate user rights to make changes to
the target computer. If you are already a member of the Administrators group on
the target computer, the changes might have failed because of security restrictions
imposed by User Account Control. Try running Install-WindowsFeature in a Windows
PowerShell session that has been opened with elevated rights (Run as administrator).
Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
False   No             Failed         {}

Normally, when you are using Windows PowerShell for administration, you use an elevated, administrator prompt, and your current credentials pass through to remote computers you work with. However, if your account doesn’t have appropriate user rights, you need to provide different credentials; you can do this by using the –Credential parameter. You’ll be prompted for the user’s password if you follow the –Credential parameter with a user name, as shown in this example:

Install-windowsfeature dns -credential "CPANDL\wrstanek" –includemanagementtools

Here, you just type the password and press Enter when prompted to run the command with the named account’s permissions. Rather than entering credentials for an account each time you want to perform administration, you can store credentials and then refer to the stored credential, as shown in this example:

$cred = get-credential
install-windowsfeature dns -credential $cred –includemanagementtools

Here, you use Get-Credential to prompt for a user name and password and then store those credentials in the $cred variable. Next, you refer to the stored credentials to install DNS. Because the credentials are stored for the duration of your current Windows PowerShell session, you can refer to them as needed for additional administration.

To test the installation prior to performing that actual operation, you can use the –Whatif parameter, as shown in the following example:

get-windowsfeature -name BIT* | install-windowsfeature -whatif

If you run this command, you might be surprised to see that BitLocker components are included along with BITS components. To resolve this, you need to be more specific when specifying the component name to match. If you intend to install BitLocker and BitLocker Network Unlock, you can use the following command instead:

get-windowsfeature -name bitlock* | install-windowsfeature -whatif

If a restart is required to complete an installation, you can have Install-WindowsFeature restart the computer by including the –Restart parameter. For planning purposes, especially on highly active production servers, keep in mind that both successful and failed installations could require a restart.

Removing components at the prompt

You can uninstall roles, role services, and features by typing Uninstall-WindowsFeature ComponentName at an elevated Windows PowerShell prompt, where ComponentName is the name of the component to uninstall as listed in Table 6-3 or Table 6-4. Because Uninstall-WindowsFeature automatically uninstalls any subordinate role services and features of the specified component, you normally want to test the uninstallation prior to performing that actual operation. To do this, you can use the –Whatif parameter, as shown in the following example:

uninstall-windowsfeature net-framework-45-features -whatif

Here, you want to uninstall .NET Framework 4.5 and related features, which include .NET Framework 4.5 (NET-Framework-45-Core), ASP.NET 4.5 (NET-Framework-45-ASPNET), and multiple subcomponents of WCF Services (NET-WCF-Services45). However, if you want to uninstall only the WCF Services, you enter the following instead:

uninstall-windowsfeature net-wcf-services45

As with Install-WindowsFeature, you don’t have to name the component or components explicitly that you want to uninstall. Uninstall-WindowsFeature accepts redirected output for component names, enabling you to use another command to get the name or names of the components you want to work with. For example, if you want to uninstall multiple components, such as all .NET components across the multiple .NET frameworks that are available, you could use Get-WindowsFeature to help you do this, as shown in the following example:

get-windowsfeature -name NET-* | uninstall-windowsfeature

To ensure that the command works exactly as expected, you should test the command first by using the –Whatif parameter, as shown in the following example:

get-windowsfeature -name NET-* | uninstall-windowsfeature -whatif

As with installing components, the command output specifies whether a restart is required to complete the task. If a restart is required to complete a removal, you can have Uninstall-WindowsFeature restart the computer by including the –Restart parameter.

If an error occurs, and Uninstall-WindowsFeature cannot perform the specified operation, you see an error. Tips and techniques for resolving common errors are discussed in the previous section, Installing components at the prompt.
