Managing Windows Server: With Windows Admin Center
WAC uses a modern web interface that displays important indicators in live charts.
Only WAC provides a GUI for capacity planning with system insights.
• Unique and not present in RSAT, such as Storage Spaces Direct monitoring. This also
includes useful little helpers like an RDP web client and a file upload service, which are
also covered here.
• Missing completely. This applies to important services such as Active Directory, DHCP,
DNS and Remote Desktop Services.
In addition to these four modules and the functions they contain, Admin Center has a mechanism for adding extensions. It allows Microsoft or third-party vendors to mount their tools in the web console.
Currently, there are mainly extensions from hardware manufacturers that allow users to monitor servers or storage systems.
To install Admin Center, you need at least Windows 10 or Server 2016 or 2019.
thomas-krenn.com | 8
A specific feature of installing WAC on Windows Server is that you can upload or create an SSL certificate. This allows secure HTTPS connections to be established with this server in order to use it as a gateway for the management of other machines.
When WAC is installed on a Windows server, it serves as a gateway to manage other resources. Source: Microsoft
However, this does not work if you install the web tools on a client PC running Windows 10. In this case, you can only manage remote systems from this particular machine – it cannot be used as a gateway. As a result, rights management is also not available in this case.
With Windows Admin Center, servers can be managed from version 2012 and newer while limited support is available for Server 2008 R2 since version 1806.
IE – the only browser natively available under Windows Server – is not supported.
This results in the paradoxical situation where the new admin tools cannot be used with the default server console as it has neither of the two required browsers.
Access rights to the gateway can also be configured for Azure AD users.
In this example, Admin Center would use the default SSL port (443) and generate a certificate itself during setup. If you want to use a certificate that already exists on the computer, you have to specify it instead.
SSL_CERTIFICATE_OPTION=generate
or for existing certificates:
SME_THUMBPRINT=<thumbprint> SSL_CERTIFICATE_OPTION=installed
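The following is an added example, not part of the original e-book: a pre-flight check that the certificate behind SME_THUMBPRINT is actually usable for the gateway before the installer is called silently. The MSI path, the port value passed as SME_PORT and the log file name are assumptions, and the thumbprint is a placeholder.

```powershell
# Added example: pre-flight check before SSL_CERTIFICATE_OPTION=installed.
# Run elevated on the future gateway. $Msi, $Port and the log name are
# assumptions; $Thumbprint is a placeholder for your certificate.
param(
    [string]$Msi        = 'C:\Users\me\WindowsAdminCenter1804.msi',
    [string]$Thumbprint = '<thumbprint>',
    [int]$Port          = 443
)

function Test-GatewayCertificate {
    param([string]$Thumbprint)

    # Thumbprints copied from the certificate dialog often contain spaces
    # or an invisible leading character; keep the hex digits only.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert  = Get-ChildItem Cert:\LocalMachine\My |
             Where-Object Thumbprint -eq $clean
    if (-not $cert) { throw "No certificate '$clean' in LocalMachine\My" }

    $now      = Get-Date
    $eku      = @($cert.EnhancedKeyUsageList.ObjectId | Where-Object { $_ })
    $problems = @()
    if (-not $cert.HasPrivateKey)            { $problems += 'no private key' }
    if ($cert.NotBefore -gt $now)            { $problems += 'not yet valid' }
    if ($cert.NotAfter -lt $now.AddDays(30)) { $problems += 'expires within 30 days' }
    # An empty EKU list means "all purposes"; otherwise Server
    # Authentication (1.3.6.1.5.5.7.3.1) has to be present.
    if ($eku.Count -and $eku -notcontains '1.3.6.1.5.5.7.3.1') {
        $problems += 'no Server Authentication EKU'
    }
    if ($problems) { throw "Certificate ${clean}: $($problems -join ', ')" }
    $clean
}

$thumb   = Test-GatewayCertificate -Thumbprint $Thumbprint
$msiArgs = @('/i', "`"$Msi`"", '/qn', '/L*v', 'wac-install.log',
             "SME_PORT=$Port", "SME_THUMBPRINT=$thumb",
             'SSL_CERTIFICATE_OPTION=installed')
$proc = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
# 3010 = success, restart required
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode)"
}
```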
If you want to remove Admin Center, you will need to use msiexec again:
msiexec /x C:\Users\me\WindowsAdminCenter1804.msi
A confirmation window will appear as the final step for removing the software.
These older tools do not allow a granular allocation of permissions. WAC, on the other hand, has role-based permission management from the outset. However, this is only available if WAC was installed in gateway mode on a Windows server.
Rights Management controls both access to the gateway itself and the managed endpoints.
Please note that the mere name of the group is sufficient if it is located in the same domain as the gateway server. A notation according to the domain\group pattern is therefore not required.
In addition to selecting the role, the user group can be assigned to the smart card security group, which forces users to log on using a smart card.
As the name suggests, Hyper-V Administrators are limited to managing the hypervisor and virtual machines, and Readers get read-only access. Since all three groups are not permitted to make Remote Desktop connections, Hyper-V Admins cannot view VM consoles in WAC.
In addition, three local groups are created whose names are identical to those of the roles. To assign users or groups with the permissions of these roles, add them to these newly created local groups. This task can be automated through group policies.
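As an added example (not from the original e-book), the script below audits the three local role groups on an endpoint against an approved list and can optionally correct them. The local group names are Microsoft's role names as an assumption about your WAC version, and the CONTOSO AD groups are hypothetical.

```powershell
# Added example: audit (and optionally fix) membership of the local WAC
# role groups on an endpoint. CONTOSO\... group names are hypothetical.
$desired = @{
    'Windows Admin Center Administrators'         = @('CONTOSO\WAC-Admins')
    'Windows Admin Center Hyper-V Administrators' = @('CONTOSO\HyperV-Ops')
    'Windows Admin Center Readers'                = @('CONTOSO\Helpdesk')
}

function Sync-WacRoleGroup {
    param([hashtable]$Desired, [switch]$Apply)

    foreach ($group in $Desired.Keys) {
        # The groups only exist after role-based access control has been
        # applied to the endpoint; report that instead of failing.
        if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
            [pscustomobject]@{ Group = $group; Member = $null; Finding = 'group missing' }
            continue
        }
        $current = @(Get-LocalGroupMember -Group $group | ForEach-Object Name)
        $want    = @($Desired[$group])

        foreach ($m in ($want | Where-Object { $_ -notin $current })) {
            if ($Apply) { Add-LocalGroupMember -Group $group -Member $m }
            [pscustomobject]@{ Group = $group; Member = $m; Finding = 'missing' }
        }
        foreach ($m in ($current | Where-Object { $_ -notin $want })) {
            # Unexpected members hold rights nobody approved: remove them.
            if ($Apply) { Remove-LocalGroupMember -Group $group -Member $m }
            [pscustomobject]@{ Group = $group; Member = $m; Finding = 'unexpected' }
        }
    }
}

# Report only; add -Apply to change membership.
Sync-WacRoleGroup -Desired $desired | Format-Table -AutoSize
```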
In larger environments, this interactive configuration of endpoints is not practical. In such cases, you can download the entire package, consisting of the JEA and DSC files and the PowerShell modules, and distribute it to the target machines via the preferred mechanism.
The detour with the local groups can be avoided by adapting the JEA files accordingly and assigning the roles directly to an AD group. The exact procedure is described in this documentation.
Adding roles
The first step is to select the menu item Role & Features from the navigation bar. In the list that appears, select Hyper-V and add the role by clicking on the plus symbol (“Install” button). Since the installation of Hyper-V requires a restart, you can also enable the automatic restart option.
As soon as the server is available again, you can start configuring the most important parameters. This is done under Settings, the bottom entry in the left navigation bar. The page currently displays five menu items in the Hyper-V Host Settings section.
They largely correspond to those in Hyper-V Manager, except that the paths for VMs and virtual drives are grouped under “General” up virtual networks. Also missing are the configurations for Hyper-V replica and the virtualization of GPUs on RD Virtualization Hosts.
Creating a vSwitch
Before you can start setting up virtual machines on the host, you need to create one or more vSwitches and set. For this task, there is a separate entry in the Admin Center navigation bar called Virtual Switches.
When creating a new switch, you can only specify its name and select the type (external, internal, private). If you choose “external”, the tool displays the available NICs to which you can bind the vSwitch.
Other options, such as adding a description, only become available when you save the new vSwitch and then edit its settings. In contrast to Hyper-V Manager, you cannot assign a VLAN ID for the network of the management operating system.
Scenarios are also conceivable in which the WAC gateway is placed in the DMZ – thereby enabling the management of Hyper-V servers from outside the corporate network.
However, admins who manage their environment from a Windows workstation in the LAN will most likely stick with the conventional tools.
Creating a new VM
While creating a new virtual machine in Hyper-V Manager is done using a wizard, WAC uses a single web form for the task. This can be opened by following the Virtual Machines link in the navigation and then switching to the Inventory tab page. There you click on the “+ New” button and enter the required data for the new VM. These include the name of the VM, the drive and directory where the VM is to be stored, the number of virtual CPUs and the amount of memory.
Here, you can also select the VM generation (1 or 2), the network and an existing drive under “Memory => Add drive” if you don't want to create a new one. In addition, the VM can be immediately assigned an ISO image as a virtual DVD drive to install the guest OS.
It should be noted that, as a rule, mounting an ISO file from a network share does not work. The reason for this is that the credentials used to log on to the Hyper-V host are not passed on to the computer on which the file share is located. In this case, you need to set up a Kerberos delegation first.
In Hyper-V Manager, you would connect to the VM at this point and then start it. Once the appropriate message is displayed, you would press a button to start the VM from the virtual DVD drive.
In Admin Center the procedure is basically the same, except that you have to turn on the VM before connecting to it. To do this, you open the “More” drop-down menu and select “Connect”. This will start the RDP web client, provided you have previously enabled the Remote Desktop feature on
After connecting to the VM, you have to restart it via “Send Ctrl + Alt + Del”.
An alternative is to download the .rdp file, which is available in the same menu when the VM is running. In this case, you would connect via the native RDP client.
This variant also requires a restart of the VM while the RDP client is open (via More => Reset). With this option, however, one breaks away from the purely web-based approach and thereby negates one of the main advantages of WAC.
From here, the interactive installation of the guest OS progresses as normal and the RDP web client’s response behavior is completely satisfactory.
If you open the page under More => Settings, you will find a list with eight categories, ranging from General and Memory to Networks and Checkpoints. This largely corresponds to what Hyper-V Manager offers. However, in some categories individual settings are missing – such as Bandwidth Management under Networks.
One of the most common tasks in VM management is changing the operating state, i.e. starting, stopping, shutting down the guest, or turning it off. All of these actions can be performed through the browser interface.
Starting, stopping and shutting down VMs via Admin Center
The snapshots cannot be managed from the context of the Inventory list, but rather by following the link that is attached to the name of the VM. In the Checkpoints section, you can then apply, delete, or rename snapshots.
On this page, Admin Center also provides an overview of the VM’s most important performance data, which is also displayed as live charts. WAC is therefore better suited for monitoring VMs than Hyper-V Manager.
If you select the menu item Remote Desktop from the WAC navigation bar, the tool will indicate if the feature is not active on the target computer and display a button that opens the corresponding settings.
Admin Center will notify you that Remote Desktop is not enabled on the target machine and will offer to turn it on.
Here, you can activate Remote Desktop on the remote computer and activate the security option to only allow computers with network-level authentication.
Admin Center cannot activate the firewall rules for Remote Desktop on a German Windows machine.
In this case, you have to change the settings manually by switching to Firewall in the navigation bar and then to the tab Incoming rules. By entering “Remote Desktop” in the search box, you can find the rules that apply to it and activate them manually.
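The same check and repair can be done from an elevated PowerShell session on the target machine; this is an added example, not from the original e-book. Rule display names are localised (for instance on a German system), so it selects the Remote Desktop rules by their language-neutral group identifier and also verifies the network-level authentication setting.

```powershell
# Added example: check and repair the Remote Desktop prerequisites on the
# target machine without relying on localised rule names.
$ts    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp   = "$ts\WinStations\RDP-Tcp"
$group = '@FirewallAPI.dll,-28752'   # language-neutral "Remote Desktop" group

function Get-RdpState {
    $inbound = @(Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue |
                 Where-Object Direction -eq 'Inbound')
    [pscustomobject]@{
        RdpEnabled    = (Get-ItemProperty $ts).fDenyTSConnections -eq 0
        NlaRequired   = (Get-ItemProperty $tcp).UserAuthentication -eq 1
        RulesFound    = $inbound.Count
        RulesDisabled = @($inbound | Where-Object Enabled -ne 'True' |
                          ForEach-Object DisplayName)
    }
}

function Enable-RdpWithNla {
    Set-ItemProperty -Path $ts  -Name fDenyTSConnections -Value 0
    # 1 = only accept clients that authenticate at network level (NLA)
    Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1
    Enable-NetFirewallRule -Group $group
}

$state = Get-RdpState
$state
if (-not $state.RdpEnabled -or -not $state.NlaRequired -or $state.RulesDisabled) {
    Enable-RdpWithNla
    Get-RdpState      # confirm the result
}
```

The rules are enabled for every firewall profile they are defined for, so review the profile and remote address scope of the group if the server is reachable from untrusted networks.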
Tools as RemoteApp
Now, nothing should stand in the way of establishing a Remote Desktop connection. The connection will show the complete desktop of the server. Alternatively, Admin Center offers the option to activate the RemoteApp tool when activating Remote Desktop access (see screenshot above).
After reloading the page in the browser, the Admin Center navigation bar should contain another menu item called RemoteApp (it’s a known problem that it sometimes doesn’t appear in the list; if it isn’t displayed, you have to adjust the URL manually as shown in the screenshot below). Here you can enter individual applications that you want to access this way – for instance, MMC-based or other GUI tools.
Overall, the load times of the web-based RDP client are relatively long, so you will probably only sporadically resort to this option.
As you will quickly notice, this method also has a drawback. It only allows the copying of a single file per operation and can’t transfer entire folders.
If you upload a ZIP file, you can unzip it automatically. To do this, activate the option “Extract file after upload”. Alternatively, you can use the Extract command from the More menu.
In addition to transferring files, this tool also allows you to delete and rename files as well as create folders. Since version 1807, the module can also share files and folders in the network. The new function is hidden in the More drop-down menu under Share, which opens a relatively simple dialog box.
Once more, it is quickly apparent that Admin Center is relatively poorly equipped compared to the native Windows tools. If you want to share a directory not only via SMB, but perhaps also via NFS or configure features like SMB encryption, quotas or offline files, you will still need to use Server Manager.
11. Summary
With Windows Admin Center, Microsoft is following an industry-wide trend toward web-based admin consoles. This results in significant advantages for users, such as platform independence on the client, the easier delegation of tasks to standard users and the management of private and public cloud resources via a single interface.
At the moment, Admin Center only scratches the surface of what is possible here as it only supports Google Chrome and Microsoft Edge on Windows 10 at the frontend while a mobile version of the web interface does not yet exist. In addition, the rudimentary role concept does not allow for the granular delegation of tasks.
What’s clear is that Microsoft is continually developing Admin Center and providing new releases at quick intervals. However, there is no explicit roadmap as to when and whether the web-based tools will cover further roles and features of Windows Server – particularly the management of Active Directory or Remote Desktop Services.
Microsoft promotes Admin Center each time Server Manager starts in Windows Server 2019.
Currently, WAC can only replace RSAT in a few areas. At the same time, it provides a GUI for Windows Server features that cannot be managed with RSAT. This includes hyper-convergent infrastructures and new Windows Server 2019 features such as System Insights and Storage Migration Services.
Another positive aspect is the advanced integration of Azure services, which are foreign to MMC-based tools. So, if you don’t want to limit yourself to PowerShell, you will have to get used to the idea of using both RSAT and WAC over the longer term.
Thomas-Krenn.AG
Speltenbach-Steinäcker 1
D-94078 Freyung
thomas-krenn.com