Admin onthe Bridge

Windows Admin Center (WAC) is the new headquarters for administrators, where web-based servers and clients can be managed locally and in the cloud. Although WAC cannot yet fully replace Server Manager, Microsoft is constantly expanding the feature set. In this article, I show you how to launch and work with the new server control room.

WAC currently works with Google Chrome and Microsoft Edge; other browsers do not yet support the functions in the management solution sufficiently. Because WAC cannot be used with Internet Explorer, on a server, you can only open WAC directly if Chrome or Edge is installed, although it is not necessary for the gateway endpoint, because the browser is only needed on the client you use for access.

PowerShell sessions and remote desktop connections can also be accessed directly through WAC. Additionally, you will find functions for managing Windows 10 workstations, clusters, and hyper-converged clusters. Finally, virtual machines (VMs) can be managed in Azure and synchronized with local machines.

Continuous Improvements

Microsoft extends WAC's capabilities by providing a new version every six months. New versions are quickly integrated, because only the Microsoft installer (MSI) file of the latest version needs to be installed on the computer on which the WAC gateway is installed. The gateway can, of course, be reinstalled at any time with this MSI file.

In each new version, Microsoft adds new functions, which are usually first introduced in a beta version as a plugin and are only fully integrated in a later version. To use the new functions, just install the new version on the server that provides the WAC gateway. When Microsoft provides new functions in extensions, they can be updated within the WAC. All that is required is a connection to the Internet. After connecting, you can find out which WAC version is installed by clicking the question mark icon in the upper right corner.

Installing and Updating the WAC Gateway

The connection between WAC and a server relies on an intermediate hop through the gateway. Therefore, all servers communicate with the gateway, and administrators also communicate with the gateway in their web browsers. The gateway in turn communicates with the respective server over Windows Remote Management (WinRM), Remote PowerShell, or Windows Management Instrumentation (WMI). For the remote connection between the servers to work, remote administrators must be enabled on the servers involved.

The gateway can be installed on servers with a graphical interface, but also on core servers. It runs on Windows Server 2012 R2 and newer and on workstations with Windows 10 version 1709 and newer. When a new WAC version is released, you can install it on the gateway, which updates the old version; you can then use the new functions. The WAC gateway cannot be installed on domain controllers.

During the install, you specify a port and the certificate that secures the connection by SSL (Figure 1). If you do not specify a certificate during installation, WAC uses a self-signed certificate. In this case, administrators receive a certificate warning when logging on to the gateway.

WAC can also be installed at the command line, which is useful, for example, if you want the gateway to run on a core server. The command is:

msiexec /i <InstallerName>.msi /qn /L*v log.txt SME_PORT=<Port> SSL_CERTIFICATE_OPTION=generate

For example, with a self-signed certificate, use:

msiexec /i WindowsAdminCenter1704.msi /qn /L*v log.txt SME_PORT=6516 SSL_CERTIFICATE_OPTION=generate

If WAC is running on the core server, access is also over the network in a web browser. To manage core servers with WAC, remote administration must be enabled on the corresponding server.

Connecting or Importing Servers

Once the gateway endpoint for WAC is installed, it can be accessed by https://<Gateway Endpoint>:<Port>. You need to enter your username (as the administrator) in the login window. WAC uses Active Directory for authentication. All current Windows servers from 2012 onward can be connected to the network, as can complete clusters and individual workstations.

If a connection does not work, it helps to enable remote administration on the corresponding server with winrm quickconfig. After a successful connection, the server can be managed by WAC. To add servers, click the Add link and then select the corresponding object (Figure 2).

When WAC is called for the first time, various notes on its functionality appear. When the setup is complete, the browser displays the WAC startup window, and the server where the gateway endpoint is installed is automatically added. To connect additional servers, first establish a new server connection by clicking Add in the main WAC window. Then you can choose to add a legacy server (Add Server Connection), a PC (Add Windows PC Connection), a cluster (Add Failover Cluster Connection), or a hyper-converged cluster (Add Hyper-Converged Cluster Connection).

To connect additional servers to be managed by WAC, you can either enter the server fully qualified domain name (FQDN) in the window or import a list of servers from a comma-separated text file. Both are quick and easy and let you add tags. For example, all Hyper-V hosts can be marked with the Hyper-V Host tag. You still need to enter your account name and login data for the server to be connected. WAC lets you connect different servers with different authorizations.

Managing Servers in WAC

Clicking on the server that is already connected in WAC opens the main page of the Admin Center. On the left side are the administration tasks available for all servers (Figure 3). In the upper area, you can switch between the web-based Server Manager, the Failover Cluster Manager, the Hyper-Converged Cluster Manager, and Computer Management for PCs. The main window displays additional commands and information about the respective server or PC. The upper area shows various commands and the lower area shows information and options about the server.

When you click on a server in the window, a connection is established, and the last access time is displayed. In this context, the notification area is helpful. You can open it by clicking on the bell icon in the upper right corner, and it will provide all actions performed and their details. To manage a computer, you can select an alternative user account for access from Manage As. You can also edit tags on the WAC home page.

Now the commands on the left side are available for server administration. You can install server roles, customize the Windows firewall, open the registry, and much more. On the Overview page, you can restart or shut down the server. Changing the server name, including domain membership, is also possible after selecting Edit Computer ID. Clicking on a menu item (e.g., Roles & features or Firewall) displays additional commands and information on the right side. In this way, numerous settings can be made on servers over the network, including installing server roles and managing Windows updates. For Hyper-V hosts, the Server Manager can also be used to configure the virtual switches. Warnings and errors are also displayed here and can be corrected.

To install roles in WAC, navigate to the Roles & features item. The main window shows all the available server roles and lists the roles that are already installed in the State column. Click on a server role to install (or uninstall) it. Individual role services can also be installed or uninstalled at this point.

Working with Tags and Finding Objects

As mentioned, you can assign tags to individual objects and servers in WAC. You can do this when adding a server, but also at any time later. You will find the tags in the Tags column of the WAC overview. Use the Edit Tags menu item to assign one or more tags to servers (e.g., dc, File Server, Data Center1). On the far right, you can select several servers at once and assign a tag at the same time. Once created, tags are displayed in WAC and do not need to be retyped. Not only can you see the tags in the Tags column in WAC, you can also search for tags in the search box.

Deep Access to Remote Servers

In addition to managing server roles and settings, you also use WAC to access the server's filesystem and perform file actions. You can upload and download files from the PC connected to the WAC, view file information, create folders, and delete and rename data. The web-based File Explorer is found in the Files item on the left.

The Registry item opens the web-based Registry Editor. Besides reading entries in the registry, you can export and import entries and, of course, edit or create keys and values. Additionally, PowerShell offers a PowerShell session in the web browser, through which you can execute commands on the remote-controlled server. Remote Desktop allows connections from computers running Remote Desktop.

Role-Based Access Control

Role-based access controls help define which administrators can access WAC and which servers they can manage. You can access role-based access control in Active Directory Users and Groups. In general, WAC distinguishes between three user types:

• WAC Administrators are given comprehensives authorizations.
• WAC Hyper-V Administrators can manage virtual computers and switches. The other tools can be used for read access, but changes are not allowed.
• WAC Readers can display but not change settings.

As soon as you activate the feature, the corresponding rights become available; the best way of using these is with groups in Active Directory. You can enable role-based access control for each server once you have connected to it. In the lower area, click on Settings so you can use Role-based Access Control to set up the permissions for the respective server. First, enable the permissions in general, which you can do by clicking Apply on the respective server. New groups are also created on the server for this purpose. By joining users to these groups, you then control the WAC permissions that administrators receive on the server.

Using Certificates in WAC

If you will be using WAC on a permanent basis in production, you will want to deploy proper certificates (you could also use the Active Directory certificate services). In principle, you first need to assign a certificate to the server on which the WAC gateway is running. To begin, call certlm.msc, where you will find the necessary tools. Then, you can, for example, retrieve new certificates.

In a certificate's properties, you then retrieve the fingerprint in the Details tab. Now store this fingerprint in WAC. To do this, open the installation program and click the Change option. By the way, even in a new installation with a certificate, you can store the certificate's fingerprint in the corresponding field. WAC will then use the certificate for admin connections.

Extending WAC

You will find WAC options at top right. Here, you can install extensions and connect to Microsoft Azure. These extensions integrate third-party functionality, as well as advanced features for Windows servers, such as the Windows Server Storage Migration wizard in Server 2019.

Microsoft also provides an API that lets you program extensions, which can be added directly to WAC through a separate menu item.

Azure Features in WAC

After connecting WAC to Azure, you can manage Azure VMs, back up servers on the local network with Azure Backup, replicate VMs with Azure Site Recovery in Azure with high availability, and take advantage of other Microsoft Azure features.

To connect WAC to Microsoft Azure, you only need to make the appropriate configuration on the server running the WAC gateway. Once connected, administrators who access the gateway with a browser will also have access to Azure functions.

To connect, use the gear icon to access the settings. The Azure menu item lets you trigger the process by selecting Register (Figure 4). A code appears on the right-hand side, which you will need for registration. Copy the code to the clipboard, click on the Device Login link, log in with your Azure account, and paste the code in the window. WAC is then connected to the appropriate Azure subscription.

Next, you need to control WAC authorizations in the Azure portal. If WAC is registered in Azure, an overview of the corresponding authorizations is displayed. You can also remove these authorizations. On the Azure portal, you still need to activate WAC authorizations in the WAC Azure settings by selecting Display in Azure. On the Azure portal, click Settings in the registered app, then Required Permissions, and finally Grant Permissions.

You can use the Storage Replication menu item to control the replica settings of Windows servers in the Standard and Datacenter editions, and even to install the necessary server roles and features. Use the Backup menu item to connect the server to Azure Backup, which can be used to back up servers in Azure. If Hyper-V is installed on a server, WAC can also be used to manage the replication of VMs via Microsoft Azure.

If WAC is installed locally and connected to Microsoft Azure, it can both manage Azure VMs and interact with Azure services in the local data center. For example, servers on the local network can be backed up to the cloud with Azure Backup, VMs can be replicated with Azure Site Recovery for high availability, and other Azure features can be used.

Managing Hyper-V with WAC

You can install and manage Hyper-V on a Windows 2019 server with WAC – as usual through Roles & features. First check whether Hyper-V is already installed on a Windows server. If this is not the case, you can install in a web browser. After the installation, you will see two menu items, Virtual Computers and Virtual Switches, which you can use to manage the corresponding elements on the selected Hyper-V host. The Inventory menu item gives you access to the server's VMs, and you can manage them from the More option. Settings in the lower left corner lets you make server-specific settings in WAC, such as the Hyper-V configuration of a host.

WAC also integrates the new Windows Server System Insights function in the System Insights menu item. You can monitor a Hyper-V host here with a machine learning wizard. Additionally, Insights can also create forecasts (e.g., as to when bottlenecks might occur on a server).

Managing Active Directory

WAC version 1904 and newer supports Active Directory, DNS, and DHCP management. To install it, you have to go to the settings through the gear symbol in the upper right corner, where you will see the additional functions below Extensions. The Installed extensions menu item shows those already integrated and can also be used to update extensions. WAC displays a message when a new version of an extension becomes available.

If Active Directory, DNS, and DHCP are installed on a server, WAC shows you the corresponding menu items (e.g., Active Directory). Currently, users can already be managed and passwords can be reset, which is especially interesting for support departments.

In Control of Windows Firewall

The Firewall item shows for which network profiles the firewall is active and what the default setting is for unknown incoming and outgoing traffic. The items Incoming Rules and Outgoing Rules let you view the respective stored firewall rules and, if necessary, adjust, delete, or deactivate them. It is also possible to activate firewall rules.

Two menu items, Processes and Services, let you monitor and control the processes and system services on the server, whereas Select columns lets you define in WAC which information appears when you manage processes.

Conclusions

WAC offers an effective way to manage different servers on the network. It is worthwhile at least to test the tool. WAC can also be used to manage older Windows servers and their functions in a web browser, so the free tool offers real added value.