Working with Server Core Computers

Agents can be installed on Windows computers that are configured to run the Server Core operating environment. Server Core is a Windows installation option that provides a low-maintenance server environment with limited functionality.

Most Agent operations are not affected by running on Server Core. However, there are specific features that are not available or not applicable because of the limitations of the Server Core environment itself. For example, the Run with Privilege menu option is not available on Server Core computers because Server Core does not support Windows Explorer and other graphical user interface applications. However, you can use the runasrole command line utility to run specific applications using a specified role.

Similarly, there's no notification area applet or desktop rights available on Server Core computers. However, you can access the Authorization Center, agent control panels, and agent command-line utilities from the Server Core command prompt.

The following list summarizes the Agent for Windows features that are not supported on Server Core computers:

  • You cannot create, select, or switch desktops or use any desktop-related

    features because the Windows desktop is not available on Server Core.

  • You cannot select Run with Privilege as a right-click menu option for

    applications because Windows Explorer is not available on Server Core.

  • You cannot open the Authorization Center or access the notification

    area applet because the Windows desktop and Windows Explorer are not

    available on Server Core.

  • You cannot open applications such as the Privilege Elevation Service

    Settings or DirectAudit Agent Control Panel from Start menu shortcuts

    because the Windows desktop and Windows Explorer are not available on Server

    Core.

You should note that only Agents for Windows are supported for the Server Core environment. A small number of other Verify Privilege Server Suite for Windows support a command line interface, but are not configured to support a Server Core environment.

Server Core supported platforms

IBM Security supports the following versions of the Server Core environment:

  • Windows Server 2012 Server Core
  • Windows Server 2012 Minimal Server Interface
  • Windows Server 2012 R2 Server Core
  • Windows Server 2012 R2 Minimal Server Interface

You should note that Server Core is not supported on Windows Server 2008 because Windows Server 2008 Server Core does not support any version of the .NET Framework. The Agent for Windows requires the .NET Framework. For more information about the supported libraries and .NET functionality on Server Core, see the reference material available on the Microsoft Developer Network website for the operating system you have deployed.

Joining a zone

One of the first tasks after installing the Agent is to join a zone. You can do by launching the Privilege Elevation Service Settings from the command prompt.

To open the Privilege Elevation Service Settings to join a zone:

  1. Navigate to the Agent installation directory.

    By default, the agent files are installed in the C:\Program Files\Centrify\Agent for Windows directory.

  2. Run Centrify.DirectAuthorize.Agent.Config.exe.

  3. Click Join zone.

  4. Type all or part of the zone name, click Find Now, then select the zone to join and click OK.

  5. Click Close to close the control panel.

If you later need to change the zone, run diagnostics, refresh the authorization cache, or view or modify log settings, you can run Centrify.DirectAuthorize.Agent.Config.exe to perform those tasks.

Viewing Authorization Details

By default, access control, privilege management, and auditing features are enabled after you install and configure the Agent for Windows. To see details about your rights, role definitions, role assignments, and auditing status, you can launch the Authorization Center from the command prompt.

To open the Authorization Center on a computer with the Server Core operating system:

  1. Navigate to the Agent for Windows installation directory.

    By default, the agent files are installed in C:\Program Files\Centrify\Agent for Windows directory.

  2. Run Centrify.DirectAuthorize.Auth.Center.exe.

Configuring auditing options:

By default, access control, privilege management, and auditing features are enabled when you install the Agent for Windows. To configure auditing options and specify the audit installation for the agent, you can launch the DirectAudit Agent Control Panel from the command prompt.

To open the DirectAudit Agent Control Panel to configure auditing features:

  1. Navigate to the Agent installation directory.

    By default, the agent files are installed in the C:\Program Files\Centrify\Agent for Windows directory.

  2. Run Centrify.Winagent.serviceconfig.exe to launch Agent Configuration. Click Add Service to add Auditing and Monitoring Service. Choose an installation. Click Setting on the Agent Configuration for configuration.

  3. Click Configure.

  4. Select a color quality, then click Next.

    Because the Server Core operating system uses very few graphical elements, in most cases you should accept the default setting of Low for the color quality. This setting minimizes the storage requirements for auditing if you have enabled video capture auditing.

  5. Accept the default offline data location and maximum size or type a different location, then click Next.

    You can also drag the slider to change the maximum percentage of the drive the offline data can consume. In most cases, however, you should leave the default setting unchanged.

  6. Select the audit installation, then click Next.

  7. Review your configuration settings, then click Next.

  8. Click Finish to close the configuration wizard.

  9. Click Close to close the control panel.

Running command line programs

The Agent for Windows includes several command line programs for performing administrative tasks. The following command line programs are supported on Server Core computers:

  • dzinfo
  • dzdiag
  • dzrefresh
  • dzflush
  • dzdump
  • runasrole

For more information about the command line options or output for these commands, see the Administrator’s Guide for Windowsor run the command with the /help option.