A headless server makes a lot of sense in certain environments. It can alleviate the hassle of a keyboard, video, mouse (KVM) switch, provide additional physical security for the server, and give you a very clean Web-based management interface. For most headless installations, simply removing the keyboard, mouse, and monitor is enough. However, you can go one step further. You can maximize physical security by removing a device that is usually integral to the proper operation of a Windows 2000 server—the video card. In this Daily Feature, I’ll show you how to remove the video card from your server without compromising the server’s ability to do its job.
Why remove the video card? In a word, security
In the Daily Feature "Streamline administration by running a headless Windows 2000 server," you’ll learn more about running a Windows 2000 server without a keyboard, mouse, or monitor. In the article, I note that I don’t usually recommend running a server without a video card because video cards are so cheap. However, there are reasons for disabling the video card. For example, if you just remove a server’s keyboard, mouse, and monitor, someone might be able to attach their own. However, putting in a video card requires internal surgery, which makes your server much more difficult to hack.
Sounds interesting! What do I need?
For starters, you need a system capable of running Windows 2000 Server—and a server that has a video card installed. While it’s possible to run a Windows 2000 server without a video card, you can’t install Windows 2000 Server on a system that doesn’t initially have a video card. The chosen system should have either a PCI or AGP video card. If the server has onboard video, make sure you can disable video from within the server’s BIOS.
Running Terminal Services in remote administration mode eases management. Normally, I’d recommend a program such as VNC over Terminal Services. However, since VNC’s method of operation is to redirect output from the console to the network, and since there is no console, it doesn’t work that well. Terminal Services, on the other hand, creates a virtual interface for the user and doesn’t interfere with the console display.
To begin configuring your headless server, install Windows 2000 Server on a fairly new machine that has a video card you can either remove or disable. You must also install at least Service Pack 2 on your server. I recommend you update your server to the latest Service Pack, currently Service Pack 3.
Next, install any components that you want to run on the server. For example, if you want this server to be a DHCP server, install the appropriate software. Make sure you install TCP/IP on your server and assign it a TCP/IP address.
You must install the Microsoft Server Appliance Kit
To run your server without a video card, you must download some software from Microsoft. Microsoft has released the Server Appliance Kit (SAK), which allows you to create a server appliance—in essence, a machine running Windows 2000 Server without a video card. The SAK does much more, though. It includes a management framework that enables additional functionality. And the SAK actually removes the drivers for the monitor, keyboard, and mouse, forcing remote server management.
Download and unpack the SAK from Microsoft by running the self-extracting executable. This will place the SAK files in C:\SAK on your server. To install the SAK, run the Setup.exe program from the C:\SAK directory.
Setup runs like most wizards you’re familiar with. Follow the on-screen instructions and accept the recommendations made by the installer to install the Development Environment. Click your way through the wizard, paying careful attention to the choices you’re given. Some of the key parts of the wizard that you should be aware of include the following:
- Click Yes on the Server Appliance Solution screen.
- When the Select The Type Of Appliance window appears, select Custom Appliance.
- On the Feature Selection screen, select all of the optional components.
After the wizard finishes installing the SAK, you must reboot your server. Once the reboot completes, you can use your Web browser to navigate to the server IP address on port 8099 to use the new Web-based management features, as shown in Figure A. Some of you may see a potential security problem in connecting to the server over standard HTTP. Not to worry: A secure version of the management system is accessible with HTTPS at port 8098.
Figure A: You can administer SAK from your administration workstation’s Web browser.
Prepare for surgery
With a fully functional Web-based method of administering the server, you can perform the videocardectomy. However, just like a real surgeon, you have to do some prep work. You can’t just grab a screwdriver and start tearing your server apart.
The SAK provides a utility, Saprep.exe, that makes it easy to remove the software components that drive the video card, keyboard, and mouse. In essence, the utility simply removes the drivers for these devices from the system, neatly slicing the nerves that bind the hardware to the operating system.
Make sure remote access is enabled
Before running Saprep.exe, be completely sure that you have remote access to the server. Running Saprep.exe disables local control over the server, so if you can’t remotely access your server, you have a very expensive paperweight. You’ll have to reinstall Windows 2000 from scratch.
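One way to script that check from the administration workstation, as an added example that is not part of the original article or the SAK. Ports 8098 and 8099 come from the article; port 3389 for Terminal Services, the placeholder address, and the "both encrypted channels must answer" policy are assumptions of this example.

```python
"""Pre-flight check: confirm remote management paths answer before `saprep -d`."""
import socket
import sys

# 8098 (HTTPS) and 8099 (HTTP) are the SAK web UI ports named in the article.
# 3389 is the standard Terminal Services port: an assumption, not from the article.
DEFAULT_PORTS = {"sak_https": 8098, "sak_http": 8099, "terminal_services": 3389}


def port_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def preflight(host, ports=DEFAULT_PORTS, timeout=3.0):
    """Probe each management channel and decide whether removing local control is safe.

    Example policy (an assumption): require the encrypted web UI AND Terminal
    Services, so one failed service does not leave the server unmanageable.
    """
    status = {name: port_open(host, port, timeout) for name, port in ports.items()}
    findings = []
    if not status["sak_https"]:
        findings.append("HTTPS management UI unreachable")
    if not status["terminal_services"]:
        findings.append("Terminal Services unreachable")
    if status["sak_http"] and not status["sak_https"]:
        findings.append("only the plain-HTTP UI answers; logins would be unencrypted")
    safe = status["sak_https"] and status["terminal_services"]
    return {"status": status, "safe_to_run_saprep": safe, "findings": findings}


if __name__ == "__main__":
    # 192.0.2.10 is a constructed placeholder; pass the server's address instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    result = preflight(target)
    for channel, is_up in result["status"].items():
        print(f"{channel:18} {'open' if is_up else 'CLOSED'}")
    for finding in result["findings"]:
        print("WARNING:", finding)
    print("Safe to run saprep -d:", result["safe_to_run_saprep"])
    sys.exit(0 if result["safe_to_run_saprep"] else 1)
```

An open port only shows that the service is listening, so still log in through each channel once before running Saprep.exe.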
Once you’re sure you can remotely access your server, you can run Saprep.exe. To do so, open a command prompt and navigate to the C:\SAK\oemtools\nullvga folder. Type saprep -d and press [Enter]. The -d parameter indicates to the Saprep utility that you want to remove the drivers for the input and display devices. Executing this program will result in two single lines of text indicating that the program ran successfully.
You must reboot your server to make it completely headless. If you reboot your server at this point without removing the video card and monitor, you’ll see two or three screens of text flow by, indicating that various modules are loading. The Windows 2000 Server splash screen will appear, with the moving bar meandering across the screen as it always does. However, that’s all that will happen. The server will appear to hang, but in reality, all the services are loaded and ready to use. Eventually, the screen will go blank. Your server will be fully functional via the Web interface, but the console will no longer function.
Now you can use the screwdriver
The next step is to remove the video card, making the server work without it. Exactly how you do so will depend on the particulars of your server, so I can’t offer much guidance here. You’ll either need to open the case on your server and physically remove the video card, or you’ll have to disable it in your server’s BIOS.
When surgery is complete, put the machine back together, minus the video card. Disconnect the keyboard and mouse, and then boot the system. If all has gone well, the system should boot without any problems. Some computers don’t work well without a video card, and you may get beep errors, but in most cases, the system should boot.
Off with their heads!
When the server boots, you’re done. You’ll have a completely headless server without a video card, monitor, or keyboard—not even a mouse! And, I do have to admit, the geek in me is having fun running a server without a video card.