Hyper-V: The Server Core installation option is recommended for servers running Hyper-V
Applies To: Windows Server 2008 R2, Windows Server 2012
This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Hyper-V Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.
Operating System |
Windows Server 2012 or Windows Server 2008 R2 |
Product/Feature |
Hyper-V |
Severity |
Warning |
Category |
Configuration |
Note
An update is available for Hyper-V Best Practices Analyzer (BPA) for Windows Server 2008 R2 and Microsoft Hyper-V Server 2008 R2. The update is appropriate for servers that run Hyper-V in Windows Server 2008 R2 with Service Pack 1 (SP1) and that have the Hyper-V BPA installed. The update includes addresses issues between the Hyper-V BPA and new features that were introduced in SP1. This update also fixes several other issues in BPA. For more information, see article 2485986 in the Microsoft Knowledge Base.
Issue
This server is running a full installation instead of a Server Core installation.
Impact
Running a full installation exposes a larger attack surface and may require more maintenance, such as installing updates.
Resolution
Export all virtual machines and locally stored data. Then, reinstall the operating system with the Server Core installation option. Finally, import the exported virtual machines.
For instructions on exporting and importing virtual machines, see the following procedures. For information about the Server Core installation option, see the Server Core Installation Option Getting Started Guide (https://go.microsoft.com/fwlink/?LinkId=181520).
By default, membership in the local Administrators group, or equivalent, is the minimum required to complete the import and export procedures. However, an administrator can use Authorization Manager to modify the authorization policy so that a user or group of users can complete this procedure. For more information, see Using Authorization Manager for Hyper-V Security (https://go.microsoft.com/fwlink/?LinkId=142886). To complete the optional procedure to configure constrained delegation, membership in the Domain Administrators group is required.
To export a virtual machine
Open Hyper-V Manager. Click Start, point to Administrative Tools, and then click Hyper-V Manager.
In the results pane, under Virtual Machines, right-click a virtual machine and then click Export.
In the Export a Virtual Machine dialog box, type or browse to a location that has enough free space to store all of the virtual machine resources. When you export a virtual machine, all virtual hard disks (.vhd files), snapshots (.avhd files), and saved state files associated with the virtual machine are copied to the specified folder.
Important
In a domain environment, if you specify a remote location such as a shared network folder or a folder on the server you want to import the virtual machine to, you must configure the server running Hyper-V for constrained delegation. You need to do this so that the computer account of the server running Hyper-V can present delegated credentials for the Common Internet File System (CIFS) service type. For instructions, see the following procedure.
- Click Export.
If you need to configure constrained delegation, complete the following procedure and then export the virtual machines.
To configure constrained delegation
- On a computer that has the Active Directory Domain Services Tools feature installed, in Administrative Tools, open Active Directory Users and Computers, and then navigate to the computer account for the computer running Hyper-V.
Note
If Active Directory Users and Computers is not listed, install the Active Directory Domain Services Tools feature. For instructions, see Installing Remote Server Administration Tools for AD DS (https://go.microsoft.com/fwlink/?LinkId=140463).
Right-click the computer account for the computer running Hyper-V, and then click Properties.
On the Delegation tab, click Select this computer for delegation to specified services only, and then click Use any authentication protocol.
To allow the Hyper-V computer account to present delegated credentials to the remote computer:
Click Add.
In the Add Services dialog box, click Users or Computers, select the remote computer, and then click OK.
In the Available services list, select the cifs protocol (also known as the Server Message Block (SMB) protocol), and then click Add.
After exporting the virtual machines, reinstall the operating system with the Server Core installation option, and then complete the following procedure.
To import a virtual machine to another server
Connect to the server running Hyper-V and open Hyper-V Manager.
In the Action pane, click Import Virtual Machine.
In the Import Virtual Machine dialog box, specify the location where you exported the virtual machine. Unless you want to reimport this virtual machine, leave the import settings as they are.
Click Import.