Figure 5.1 Configuration levels available in Windows Server 2012 R2
Consider a Hyper-V host. The host operating system is the management partition for
the virtual machines, providing critical services and connectivity, which means that if
the host operating system must be restarted, every virtual machine also has to be
restarted. For this reason, it's critical that required maintenance and reboots are kept
to a minimum, and that means running all Hyper-V servers at the Server Core
configuration level and managing them remotely. I should point out that in a
production environment, the Hyper-V hosts should be clustered, which means that a
host can be patched and rebooted with no impact to virtual machine availability,
because virtual machines can be moved between hosts with no downtime. However, it
is still desirable to minimize maintenance and reboots as much as possible.
SERVER CORE STILL SEEMS TO HAVE A LOT OF PATCHES IN WINDOWS SERVER 2012
In the Windows Server 2008 time frame, about 50 percent fewer patches applied
to Server Core compared to a full installation (Server with a GUI), enabling
servers to go many months without a reboot. For Windows Server 2012, many
organizations found that a large number of patches were still required for Server
Core, which meant a similar reboot frequency for Server Core and a Server with a
GUI deployment. Server Core contains a number of binaries that are present and
used, but a vulnerability patched in such a binary does not always apply to Server
Core. The problem is that Windows Update sees the binary present, patches it, and
therefore requires a reboot; determining whether the patch actually applies to
Server Core requires reading the security bulletin related to the patch. For
example, in a single year about 10 critical patches with bulletins were released,
but if you read the bulletins you would find that fewer than half of them were
needed on Server Core. If you just ran Windows Update, though, they would have
all been applied.
If you want optimal Server Core patching with the fewest possible reboots, you
cannot just run Windows Update. Instead, you need to check the security bulletins
for critical updates to verify whether they apply to Server Core. On the plus side,
this does show that Server Core, even before the patching, is inherently less
susceptible to vulnerabilities, because less of the attack surface is in use.
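The following PowerShell is an added example, not code from the book, of the review step the sidebar describes: it lists the updates Windows Update would install on a server, with each update's MSRC severity and security bulletin IDs, so the bulletins for the critical ones can be read before deciding whether a Server Core host needs them. It uses the Windows Update Agent COM API (`Microsoft.Update.Session`) and the `InstallationType` registry value; the output shape and the filter on critical updates are my choices.

```powershell
# Added example: enumerate pending updates with severity and bulletin IDs so the
# bulletins can be reviewed for Server Core applicability before installing.
# Run elevated on the server being assessed (or in a remote session to it).

# "Server Core" on a Server Core installation, "Server" on Server with a GUI
$installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
Write-Host "Installation type: $installType"

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
# Only updates not yet installed; Type='Software' excludes driver updates
$result   = $searcher.Search("IsInstalled=0 and Type='Software'")

$pending = foreach ($update in $result.Updates) {
    [pscustomobject]@{
        Title      = $update.Title
        KB         = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity   = $update.MsrcSeverity                          # Critical/Important/Moderate/Low or empty
        Bulletins  = ($update.SecurityBulletinIDs | ForEach-Object { $_ }) -join ','
        Reboot     = $update.InstallationBehavior.RebootBehavior   # 0 never, 1 always, 2 can request
        SupportUrl = $update.SupportUrl
    }
}

# Overview of everything Windows Update would apply
$pending | Sort-Object Severity | Format-Table KB, Severity, Bulletins, Reboot, Title -AutoSize

# Critical updates with a bulletin are the ones worth reading before installing on Server Core;
# the ones that force a reboot are the ones that matter most on a Hyper-V host.
$pending |
    Where-Object { $_.Severity -eq 'Critical' -and $_.Bulletins } |
    ForEach-Object {
        "Review $($_.Bulletins) for $($_.KB) before installing on $installType (reboot behavior $($_.Reboot)): $($_.SupportUrl)"
    }
```

The search is read-only; nothing is downloaded or installed. Once the bulletin review has decided which KBs are needed, those can be installed selectively (for example through the same COM API or WSUS approvals) rather than by letting Windows Update apply the whole set.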
Although all management can be done remotely, if you ever experience a problem
where the management tools, or even the graphical shell, would aid the resolution,
simply add those components using Server Manager or PowerShell. Once the problem is
resolved, remove them again. Likewise, if you have not automated the deployment of
servers and prefer to perform initial configuration using graphical tools, you can install
servers in the Server with a GUI mode, and then, after the server is fully configured,
remove the management tools and graphical shell so the server runs in Server Core mode.
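As an added example (not the book's own code), the following PowerShell moves a host up from Server Core to the management-tools or full-GUI level for troubleshooting and then back down again. The feature names `Server-Gui-Mgmt-Infra` and `Server-Gui-Shell` are the Windows Server 2012 / 2012 R2 names shown by `Get-WindowsFeature`; the host name `HV01` is a constructed placeholder.

```powershell
# Added example: temporarily add the graphical management tools and shell to a
# Server Core Hyper-V host, then remove them again once the problem is resolved.
# -ComputerName lets this run from a management workstation, so the tools never
# need to stay on the host.

$hyperVHost = 'HV01'   # constructed placeholder host name

# Current state: InstallState is Available (payload on disk, not installed),
# Installed, or Removed (payload deleted from the side-by-side store)
Get-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell -ComputerName $hyperVHost |
    Format-Table Name, DisplayName, InstallState -AutoSize

# Step up one level. Management tools only gives the "Minimal Server Interface";
# adding Server-Gui-Shell as well gives the full Server with a GUI level.
# Either change reboots the host, which on Hyper-V restarts every VM on it, so do
# this in a maintenance window or after moving the VMs to another cluster node.
Install-WindowsFeature -Name Server-Gui-Mgmt-Infra -ComputerName $hyperVHost -Restart
# Full shell as well:
# Install-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell -ComputerName $hyperVHost -Restart
# If the payload was previously removed (InstallState Removed), point -Source at
# the install.wim of the installation media, e.g. -Source 'wim:D:\sources\install.wim:2'

# ... troubleshoot with the graphical tools ...

# Step back down to Server Core. -Remove also deletes the payload from the
# side-by-side store, so the unused binaries are no longer on disk.
Uninstall-WindowsFeature -Name Server-Gui-Shell, Server-Gui-Mgmt-Infra -ComputerName $hyperVHost -Remove -Restart
```

Leaving `-Remove` off keeps the feature at the Available state, which makes re-adding it faster but keeps the binaries present on disk; given the sidebar's point about unused binaries attracting patches and reboots, removing the payload is the better default for a host that is meant to stay at Server Core.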