Hello everyone! I recently set up a test environment in the Azure Government portal. The Azure Government environment is slightly different from the standard Azure portal, and I want to get familiar with some of the differences. While exploring this new environment, I figured it would also be a good time to try out the new way to manage my infrastructure, whether on premises or in the cloud - the new Windows Admin Center (WAC)!
Before getting into the meat of this blog, here's some information about how I've configured this lab.
- This is not an environment that I am going to be keeping around forever, so it is not set up exactly as I would set up a production or permanent test lab.
- None of my servers have public IP addresses, so to manage them I set up a jump host (JumpHost.ContosoGov.com). This is where I'll install the WAC and run any other management tools that are needed - Group Policy Management and Active Directory Users and Computers.
- The WAC can also be installed locally on a workstation rather than as a gateway between browser clients and managed servers, but that configuration is typically only used for testing.
- The WAC is very lightweight and does not need an agent installed on any endpoints. It uses remote PowerShell and WMI over WinRM, so only a few ports need to be open on the managed machines, and they may already be open for remote management.
- WAC will only run on Windows 10 (at least version 1709), Windows Server 1709 or higher, or Windows Server 2016. See supported Operating Systems here for reference.
For a better understanding of the traffic and configuration I'm describing, see the image below:
Now, on to the meat!
First things first, you'll need to download the installer which is available at https://aka.ms/wacdownload. The version I downloaded and installed is 1804.25, which is currently the latest version available.
I downloaded the .MSI to my jump host server since my plan was to use it as my management point for everything in my test environment. Unsurprisingly the .MSI launches a wizard which is straightforward and familiar looking to anyone who has used a Microsoft installer before.
As shown below, I like to have desktop shortcuts, so I checked the box to create one, but that's a personal preference. I left the default check to allow the installer to modify the trusted hosts settings on my jump host. This was an easy choice, it is much easier to let the installer do what it knows how to do and save myself some manual configuration later.
Next up was configuration of the management site which defaults to port 443, the port for SSL. This means that we need to have a certificate to connect to this port. This being a temporary test environment, I don't have any certificates to use. Fortunately, the installer will take care of that too, and will create a self-signed certificate for you. The caveat to this is that the certificate is only good for 60 days and is not trusted by default by any clients that connect to it. If this were a production environment, or even a test environment which I planned on keeping around, I would get a proper, trusted certificate.
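To see what is actually bound to the gateway port and how long the self-signed certificate has left, here is an added check (not from the original post or from Windows Admin Center itself). It assumes the default port 443 and that the `netsh http show sslcert` output carries a `Certificate Hash` line for that binding:

```powershell
# Added example: report on the certificate bound to the WAC gateway port.
# Assumptions: default port 443, binding on 0.0.0.0, cert in LocalMachine\My.
$port = 443
$warnDays = 14   # warn when fewer than this many days remain

# Ask http.sys which certificate is bound to the port (WAC binds here at install time)
$binding = netsh http show sslcert ipport=0.0.0.0:$port 2>$null
$m = [regex]::Match(($binding -join "`n"), 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})')
if (-not $m.Success) {
    Write-Warning "No SSL certificate binding found on 0.0.0.0:$port"
    return
}
$thumbprint = $m.Groups[1].Value

# Look the thumbprint up in the machine store (-eq is case-insensitive, so
# netsh's lowercase hash matches the store's uppercase thumbprint)
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) {
    Write-Warning "Certificate $thumbprint bound to port $port is not in LocalMachine\My"
    return
}

$selfSigned = ($cert.Subject -eq $cert.Issuer)
$daysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays

[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    SelfSigned = $selfSigned
    NotAfter   = $cert.NotAfter
    DaysLeft   = $daysLeft
} | Format-List

if ($selfSigned) {
    Write-Warning "Gateway is using a self-signed certificate; clients will not trust it. Use a CA-issued certificate for anything longer-lived than a throwaway lab."
}
if ($daysLeft -le $warnDays) {
    Write-Warning "Gateway certificate expires in $daysLeft day(s); the installer's self-signed cert is only valid for 60 days."
}
```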
One more click and we're all finished! Fast, easy, and straightforward.
And here's our handy desktop shortcut!
You'll notice from the screen-grab above that I have Google Chrome installed here. One of the things to be aware of is that the WAC will only run on modern browsers, so your choices are Microsoft Edge or Google Chrome. As I'm running the WAC on Windows Server 2016, I cannot install the Edge browser and so I have installed Chrome.
When launching the WAC for the first time, we're asked what browser we want to use. You can try Internet Explorer if you like (I did), but it's not going to work. So, once you've satisfied your curiosity about Internet Explorer, choose to use Google Chrome and always open it with that app.
The first time the Windows Admin Center is launched, the browser warns that the connection is not private (because of the self-signed certificate). Click Advanced to reveal the link that lets you continue.
Here's what it looks like if you are using Edge from a Windows 10 workstation (and you would click on the Go on to the webpage (not recommended) link to proceed):
After clicking Proceed to jumphost.contosogov.com (unsafe) to pass the warning you'll get a prompt from the WAC itself looking for a login. This is going to be the account you will use to manage the servers and workstations, so it should either be a member of the Domain Admins group or another group which will have administrative privileges on those machines.
The first time in the WAC you will get a short two-page tour of the center. I've included screenshots here, so you can just skip the tour when you do the install. There's not much to see in it.
Now we get into the real fun: the actual user interface! Since this is the first install of the product, we only have one machine to manage - the local server the client is installed on. The information here is straightforward: we get the full name of the machine, what type it is, the last time we connected to it, the account we are managing it as, and any tags we have assigned to it.
Now we need to add other machines for us to manage. Click on the Add button to bring up the Add Connections options.
We currently have four options to choose from:
- Windows Server
- Windows PC
- Failover Cluster
- Hyper-Converged Cluster
Now my lab only has servers, so I clicked the Add Server Connection button to bring up the server screen. Here we have the option to Add Tags and to either add a server or import servers from a list.
For testing out this new management tool I only want to add a single server. I start with my domain controller, AZDC01. After entering the name, I am prompted to enter credentials again to manage the server.
And here is where I ran into my first problem. I used the same account that I had used to log into the jump host and into the WAC to connect to the domain controller. That account is also a domain administrator, so I should have had no issues connecting at all, but instead I got an access denied message.
Reading through the documentation here, I saw this code to configure single sign-on (I had skipped large portions of the article as it did not apply to my situation). I tested it out on one of my web servers first.

```powershell
# Requires the ActiveDirectory module (RSAT) on the machine running this
$gateway = "JumpHost"   # the WAC gateway host
$node = "WEB01"         # the server to be managed through the gateway

$gatewayObject = Get-ADComputer -Identity $gateway
$nodeObject = Get-ADComputer -Identity $node

# Resource-based constrained delegation: allow the gateway's computer account
# to delegate (present the signed-in user's identity) to the managed node
Set-ADComputer -Identity $nodeObject -PrincipalsAllowedToDelegateToAccount $gatewayObject
```
This worked like a charm, and WEB01 was added to my list of machines to be managed. This is a handy take-away tip if you're like me and skimmed the documentation.
Unfortunately, that's not really the way I wanted to handle adding connections. Sure, that script can be modified to run through a list of servers and that would be fine. But, I wanted to make sure that as new servers come online in the future they wouldn't get missed.
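Here is the same delegation setup generalized to a list of servers, with a read-back of the attribute to confirm each one took. This is an added example, not code from the original post or from the Microsoft documentation; the server names are constructed placeholders:

```powershell
# Added example: configure resource-based constrained delegation from the
# WAC gateway to each server in a list, then verify the result.
# Requires the ActiveDirectory module (RSAT) and rights to modify the computer objects.
Import-Module ActiveDirectory

$gateway = "JumpHost"
# Constructed list of targets; swap in your own, e.g. $nodes = Get-Content .\servers.txt
# Keep domain controllers out of this list unless you accept that the gateway
# host becomes as sensitive as the DCs it can delegate to.
$nodes = @("WEB01", "WEB02")

$gatewayObject = Get-ADComputer -Identity $gateway

foreach ($node in $nodes) {
    try {
        $nodeObject = Get-ADComputer -Identity $node -ErrorAction Stop
    } catch {
        Write-Warning "Computer object '$node' not found in AD; skipping."
        continue
    }

    # Allow only the gateway to delegate to this node. This REPLACES any existing
    # principals on the attribute; to append, read the current list first and
    # pass the combined set.
    Set-ADComputer -Identity $nodeObject -PrincipalsAllowedToDelegateToAccount $gatewayObject

    # Read the attribute back and confirm the gateway's DN is listed
    $check   = Get-ADComputer -Identity $node -Properties PrincipalsAllowedToDelegateToAccount
    $allowed = @($check.PrincipalsAllowedToDelegateToAccount)
    if ($allowed -contains $gatewayObject.DistinguishedName) {
        Write-Host "[OK]   $node : delegation to $gateway configured"
    } else {
        Write-Warning "$node : gateway not present in PrincipalsAllowedToDelegateToAccount ($($allowed -join ', '))"
    }
}
```

Re-run the script whenever new servers come online; it is idempotent for hosts that are already configured.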
To that end, I decided to create a security group (CONTOSOGOV\WAC) and push it to all computers in my domain as a member of the local administrators group through group policy.
Again, this is my test environment, and one that will not be kept around, so I targeted the Default Domain Policy. If I were planning on keeping my lab intact, or in a production environment, I would instead target OUs with my servers instead of blanketing the entire domain.
Now that I had done that, I had to give it a good bit of time to replicate and apply to the servers. After my wait, I tried adding another server. This time it was WEB02, which is a Windows Server 2016 Server Core installation.
Again, I got access denied from the sign-in pop-up! But this time I used the "Use another account for this connection" option. I used the same account (CONTOSOGOV\Zuko) and got another prompt from the webpage.
The odd thing here is that it goes back and forth between password prompts, from the web page and from the WAC login, and eventually succeeds. Looking into what was causing this behavior, I checked the event logs. The WAC has its own event log under Applications and Services Logs -> Microsoft-ServerManagementExperience.
Here I had a lot of Event ID 0 entries, but a few of them were errors.
Looking at the errors, they show a 401 message – PSRemotingTransportException. Access is denied. This error occurs when the prompt from the browser happens, not when logging into the application. I have not verified this yet with a Windows 10 client and the Edge browser, but it has consistently occurred for me in the Chrome browser with several different user accounts and every server I have attached to. The error only happens when making the initial connection.
Once through the back and forth with the browser, the server gets added to the WAC and is available for management.
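Rather than scrolling the Event Log viewer, the same triage can be scripted on the gateway. This is an added example, not from the original post; it uses the log name shown above and assumes the WinRM failures carry the `PSRemotingTransportException` / `Access is denied` text in the event message:

```powershell
# Added example: summarize error events from the WAC gateway's own log and
# pull out the WinRM transport failures seen during initial connections.
$logName = "Microsoft-ServerManagementExperience"   # log name from the post
$since   = (Get-Date).AddHours(-24)                 # adjust to the window being investigated

# Level 2 = Error. SilentlyContinue avoids the "No events were found" error.
$errors = Get-WinEvent -FilterHashtable @{ LogName = $logName; Level = 2; StartTime = $since } `
                       -ErrorAction SilentlyContinue

if (-not $errors) {
    Write-Host "No error events in $logName since $since"
    return
}

# Count errors per Event ID (the post notes most entries are Event ID 0)
$errors | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Show only the 401 / access denied transport failures, with the first line
# of each message for context
$errors |
    Where-Object { $_.Message -match 'PSRemotingTransportException|Access is denied' } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

If the access denied errors keep appearing after the initial connection, that points at a delegation or group membership problem rather than the one-off browser prompt behavior described here.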
It's not visible in the image above, but there is a checkbox next to each server that appears when you hover over it. Since we just added WEB02, we have never connected to it and collected data, so we'll do that now. I clicked the checkbox next to WEB02 and the options in the top row became available. I click Connect to pull information from the server.
You can see we now have pulled in a lot of management options. Remember, this tool is designed to replace most of your existing Microsoft Management Consoles (MMCs) and other management tools, so there's a lot to explore in here. Here's just a small sampling of what is available in WAC.
You can see performance data, change the server name, and even restart or shutdown the server:
You can browse through the file structures on the servers and transfer files to/from the target server:
You can dig through event logs (and yes, I see the irony of using the old school Event Log Viewer in my earlier example. 😊 For documentation purposes I hadn't officially connected to a server in the WAC, and needed to show how to view the errors):
You can even use PowerShell remotely:
There are some details to consider:
- While I set my group policy preference to push the CONTOSOGOV\WAC group into the local Administrators group on all my machines, that does not apply to domain controllers (DCs).
- Domain controllers don't have local groups, so if the account being used to manage the servers is not a Domain Administrator, it will not be able to manage any DCs. Not to worry, you can connect to the WAC with a non-privileged account and use a privileged account to connect to any DCs.
There are a lot of features to be discovered here, and I plan on digging into them over the coming weeks and reporting back on what I've discovered.
Let me know what you think, and if you have any questions!