Updated 6/5 to include a web server cert.
At the time of this entry, the installed version of Windows Admin Center is 1804.25. I'm going to attempt to cover multiple topics being asked about Windows Admin Center. This one covers how to install on Windows Server Core 2016 and how to add an Active Directory group to give console access to accounts that do not have Administrator rights on the Gateway Server. In the very near future I will add how to configure Just Enough Administration (JEA) for role-based access control (RBAC) and how to change Windows Admin Center console access to Azure Active Directory credentials.
On Windows 2016 Server Core Server
Note: Outside of a lab I would want the endpoint URL to be a friendly name like wac.contoso.com. Since I am using a self-generated certificate, the URL will be the name of the server. The recommendation is to use a cert with Subject Alternative Names defined and add a friendly DNS name.
- Also -
Windows Admin Center requires WMF version 5.1 or higher to be installed on both the Gateway Server and all the managed servers.
Using a Self-Signed Cert
Download Windows Admin Center onto the Gateway Server.
- msiexec /i WindowsAdminCenter1804.25.msi /qn /L*v log.txt SSL_CERTIFICATE_OPTION=generate
- Or just type in the msi name and follow the prompts. Very Simple.
I use the same web server cert that I used in the Windows Hello for Business POC.
Configure an Internal Web Server Certificate template
Once it's been published, log back onto the server that will be running Windows Admin Center and install the certificate. With this method I will use a friendly URL.
Get-Certificate -Template "internalwebserver" -DnsName windowsadmincenter.contoso.com,wac.contoso.com -CertStoreLocation cert:\localmachine\my
Get the thumbprint:
Get-ChildItem -path cert:\LocalMachine\My | where dnsnamelist -like "*windowsadmincenter*"
Run the msi: WindowsAdminCenter1804.25.msi
Use the certificate thumbprint
Once done, verify it is installed
Verify Windows Admin Center Installed
Run start powershell
Run Get-CimInstance -ClassName Win32_softwarefeature | where productname -like "Windows Admin*" |fl
Run get-service serverman*
Run Test-netconnection -port 443 -ComputerName localhost
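As an added example (not from the original post), the script below chains the certificate steps above: it selects a CA-issued certificate for the friendly name, rejects ones that cannot serve TLS, installs silently with that thumbprint, and confirms the result. It assumes the DNS name and MSI file name used in this post, the installer's SME_PORT, SME_THUMBPRINT and SSL_CERTIFICATE_OPTION=installed properties, and that the gateway's TLS binding is visible through netsh http show sslcert.

```powershell
# Added example, not from the original post. Run elevated on the gateway server
# from the folder holding the MSI. DNS name and MSI name are the ones used above.
$dnsName       = 'wac.contoso.com'
$msi           = 'WindowsAdminCenter1804.25.msi'
$port          = 443
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# 1. Pick a certificate whose SAN list contains the friendly name and that can
#    actually serve TLS: private key present, inside its validity window,
#    Server Authentication EKU, and issued by a CA rather than self-signed.
$now  = Get-Date
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        ($_.DnsNameList.Unicode -contains $dnsName) -and
        $_.HasPrivateKey -and
        ($_.NotBefore -le $now) -and ($_.NotAfter -gt $now) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) -and
        ($_.Subject -ne $_.Issuer)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $dnsName in Cert:\LocalMachine\My" }
"Using $($cert.Thumbprint) (expires $($cert.NotAfter))"

# 2. Silent install bound to that certificate instead of a generated one.
$msiArgs = @(
    '/i', $msi, '/qn', '/L*v', 'log.txt',
    "SME_PORT=$port",
    "SME_THUMBPRINT=$($cert.Thumbprint)",
    'SSL_CERTIFICATE_OPTION=installed'
)
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec exit code $($proc.ExitCode); see log.txt" }

# 3. Verify: service present, port answering, and an HTTP.sys SSL binding
#    (assumed to be how the gateway serves TLS) carries the chosen thumbprint.
Get-Service serverman* | Format-Table Name, Status
if (-not (Test-NetConnection -ComputerName localhost -Port $port).TcpTestSucceeded) {
    throw "Nothing is listening on port $port"
}
$bindings = netsh http show sslcert | Out-String
if ($bindings -notmatch $cert.Thumbprint) {
    throw "No HTTP.sys SSL binding uses certificate $($cert.Thumbprint)"
}
```

A certificate that fails any of the filters in step 1 is skipped before the installer runs, so an expired or key-less certificate never ends up bound to the gateway port.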
On a Windows Desktop
Try connecting to Windows Admin Center for the first time by opening up a non-Internet Explorer browser like Edge, Firefox, etc.
https://servername * If a cert warning appears, bypass it; this is due to the self-signed certificate.
Grant Console Access to Non-Server Administrators
Let's control who has access to the console. By default, all local administrators on the server I installed it on have rights.
In Active Directory, create a group (in this demo I will call it "Windows Admin Center Access"). This group will be used to give rights to log into Windows Admin Center. Add non-server-administrative users to the group.
In Windows Admin Center, select the settings button
Then select Gateway Access
Just going to cover Active Directory Groups for now, but could configure this to leverage Azure AD Groups and Accounts.
Under Gateway users, select Add, and type in the group name, then select save
The group has been added
For now I will leave the Gateway Administrators alone. Select Close.
Now try to log on with a user in the group that was given user access.
Should be able to log right in
If the account doesn’t have rights to Windows Admin Center expect a Not Authorized Error
This is all for now. Stay tuned for the other post.