Changes implemented by Essentials Role on Windows Server 2012 R2

[This post comes to us courtesy of Sandeep Biswas and Rituraj Choudhary from Global Business Support]

Today we will discuss about the changes made to the server when the Essentials Experience role is installed and configured on a Windows Server 2012 R2 machine in an existing Active Directory domain.

The Essentials role requires the following server roles and their dependent features to be installed:

1. .Net Framework 4.5 Features

2. BranchCache

3. Remote Server Administration Tools

4. Web Server (IIS)

5. Windows Process Activation Service

6. Windows Server Backup

Additionally, while configuring the server using the Configure Windows Server Essentials wizard, the following role is installed:

1. Active Directory Certificate Services

When the Essentials role is configured on a Server, it automates certain changes to the server. These are described below:

Active Directory Modifications

1. The Server’s machine account is added as a member of the following groups:

a. Pre-Windows 2000 Compatible Access: A backward compatibility group which allows read access to all users and groups in the domain

b. Cert Publishers: Members of this group are permitted to publish certificates to the directory

2. The following Managed Service Accounts are created:

a. MediaAdmin: Service account used by Windows Server Essentials Media Streaming Service during configuration

b. ServerAdmin: Service account used by Windows Server Essentials Management Service during configuration

3. The ServerAdmin account is added as a member of the Administrators, Domain Admins and the Enterprise Admins groups. The MediaAdmin account is added as a member of the Administrators group

4. The following Global Security Groups are created:

a. WseAltertAdministrators: Users with permissions to view alerts in the network

b. WseAllowAddInAccess: Users with permissions to access Windows Server Essentials Add-ins

c. WseAllowComputerAccess: Users with permissions to access computer remotely in Remote Web Access

d. WseAllowDashboardAccess: Users with permissions to access Dashboard remotely in Remote Web Access

e. WseAllowHomePageLinks: Users with permissions to access links gadget in Remote Web Access

f. WseAllowMediaAccess: Users with permissions to access the media library in Remote Web Access

g. WseAllowShareAccess: Users with permissions to access shared folders in Remote Web Access

h. WseInvisibleToDashboard: Domain users that are hidden from Windows Server Essentials Dashboard

i. WsemanagedGroups: Groups managed by Windows Server Essentials

j. WseRemoteAccessUsers: Users with permissions to use VPN to connect to the server network remotely

k. WseRemoteWebAccessUsers: Users with permissions to use Remote Web Access

5. The Domain Admins Security group is added as a member of all the Essentials’ specific Global Security groups except the following:

a. WseInvisibleToDashboard

b. WseInvisibleToDashboard


Windows Server Essentials services that are installed and configured

1. Windows Server Essentials Computer Backup Service: This service helps you to backup data from and restore data to a client computer

2. Windows Server Essentials Health Service: This service evaluates key health criteria and generates alert notifications when an important condition is met

3. Windows Server Essentials Management Service: This is the centralized management pivot for Windows Server Essentials Experience role. It manages system settings and backgrounds of Windows Server Essentials

4. Windows Server Essentials Media Streaming Service: This service provides media streaming from the server to the client computers

5. Windows Server Essentials Notification Service: This service manages the Notifications Provider Service for the Windows Server Essentials Experience role

6. Windows Server Essentials Provider Registry Service: This service registers and enables discoverability of server role services and providers on computers running Windows Server Essentials

7. Windows Server Essentials Storage Service: This service manages the storage of the server


Web sites that are added and configured to the Internet Information Services (IIS) Manager console

1. Default Web Site

    – Bin
    – CertEnroll
    – CertSrv
    – Connect
    – Customization
    – home
    – Remote
    – Resources
    – services

2. Mac Web Service

    – bin

3. WSS Certificate Web Service

    – Bin
    – download


Active Directory Certificate Services components that are configured

1. Certification Authority: Root CA is used to issue certificates to users, computers and services, and to manage their validity

2. CA Web Enrollment: Web enrollment allows users to connect to a CA by means of a Web browser in order to:

  • Request and review certificate requests
  • Retrieve certificate revocation lists (CRLs)
  • Perform smart card certificate enrollment

Note: When you attempt to deploy Windows Server Essentials Experience role on a workgroup box, the configuration will first ask you to bring up a new Active Directory domain and configure other roles and features that the role depends on. Once it completes successfully, the Essentials role configuration will begin. For more information, please refer to this blog.