Introducing Server management tools


I am Kriti Jindal, a program manager on the Server management tools team.

At last year’s Ignite and Build conferences, Jeffrey Snover (Technical Fellow) and Andrew Mason (Principal PM Manager) first demoed the Server management tools. Server management tools offers a set of web-based GUI and command line tools to manage Windows Servers. Today, we are announcing the public preview of Server management tools!

For a quick overview of the features supported, check out my demo video: https://channel9.msdn.com/Series/Nano-Server-Team/Remote-Server-Management-Tools-on-Nano-Server.

For those of you interested in a deeper dive, continue reading!

Server management tools overview

As I mentioned above, Server management tools offers a set of web-based GUI and command line tools to manage Windows Servers. This is especially useful when managing headless servers such as Nano Server and Server Core. These tools also provide rapid access to your on premises infrastructure alongside your Azure resources. In this first release, the tools can only be used to manage Windows Server 2016 Technical Preview SKUs running on-premises as well as in Azure. The tools are hosted in Microsoft Azure.

Currently, the tools offer the following capabilities:

  • View and change system configuration
  • View performance across various resources and manage processes and services
  • Manage devices attached to the server
  • View event logs
  • View the list of installed roles and features
  • Use a PowerShell console to manage and automate

This is a preliminary set of tools that are required for basic server diagnostics. If you have specific requests on what tools would be most valuable to you, please let us know using the Windows Server Management Tools UserVoice feedback site.

Setup and deployment

A Server management tools gateway is required to enable communication between the Microsoft Azure portal and your Windows Server 2016 machines. A gateway is typically deployed and configured on the same local network as the Windows Server machine(s) you wish to manage. The machine must have an internet connection.

If the machine hosting the gateway is a Windows Server 2012 R2 machine, please install WMF 5.0. This is required to use PowerShell to manage Windows Server 2016 Technical Preview or Nano Server machines from Windows Server 2012 R2. Use the following link to install WMF 5.0: http://aka.ms/wmf5download

If the machine hosting the gateway is a Windows Server 2016 Technical Preview machine, no additional preparation is required.

You will also need an Azure subscription to use Server management tools.

Now let’s discuss how you can set up the Server management tools gateway and start managing your machine(s).

Step 1: Create a new Server management tools connection

Ok so you have a machine that you want to be able to manage via Server management tools. To begin your deployment, log in to your Azure portal account and search for “Server management tools” in Marketplace or navigate to it: https://portal.azure.com/#create/Microsoft.RSMTNodes/preview.

Select the Server management tools, read the description, review the terms of this Preview release, and click “Create”.

This will open a form prompting you to fill out the information for the connection you are establishing.

Please provide the NAME/IP/FQDN of the machine you want to connect to. If you have an existing resource group and gateway, you may opt to select them here rather than to create a new group or gateway.

If this is the first Server management tools connection you are creating, you will also need to choose to create a new Server management tools gateway and give it a name. You will be prompted to complete the gateway configuration after the Server management tools connection is created.

Once the form has been completed, click create at the bottom of the screen and you will be taken back to the Azure Startboard. Assuming “Pin to Startboard” was checked, you will see a tile appear that will indicate the deployment is in progress. Please note that you are not actually creating the connection to the machine but just a resource in Azure. The connection to the machine is initiated once you provide the credentials on the main Server management tools blade.

Once the deployment succeeds, you will be taken to the Server management tools blade where you can provide the credentials and connect to the machine. The User Name and Password are not being created by the connection, and must already exist on the machine and have proper permissions. I.e. use a user account which is a member of the local Administrators group on the target server you are connecting to.

Step 2: Configuring a new Server management tools Gateway

If you are creating a new gateway, you will see the following status:

Click to open the Gateway Configuration page, then read the directions carefully and follow them to set up your on-premises machine or Azure VM as the gateway.

Note: Please unzip the zip file and run the gateway MSI installer from the folder you unzipped to. If you run the MSI from the zip file without unzipping first, you will need to also specify the profile.json file.

After installing the gateway MSI, return to the Azure portal, and click Refresh. You will now be prompted to enter the credentials to start managing the machine. You will see the following status:

Congratulations! You have established a remote connection to your resource and are now able to perform management tasks on it through the Azure Portal.

Managing Workgroup machines

In order to connect to workgroup machines (e.g. non-domain-joined Nano Servers), run the following command in PowerShell or Command Prompt as Administrator. TargetMachineNameOrAddress should be the NetBIOS name, FQDN or IP address (IPv4 or IPv6) that you used when creating the Server management tools connection in Azure (which is also the name displayed at the top of the blade). You can also add multiple machines by separating them with commas.

Command Prompt: winrm set winrm/config/client @{ TrustedHosts="TargetMachineNameOrAddress" }
PowerShell: winrm set winrm/config/client '@{ TrustedHosts="TargetMachineNameOrAddress" }'

NOTE: The commands above will replace any previous list of registered trusted hosts with the host(s) you specify in the command. You can use the following command in PowerShell with the Concatenate parameter to add a computer name to an existing list of trusted hosts.
Set-Item wsman:\localhost\Client\TrustedHosts TargetMachineNameOrAddress -Concatenate

Additional connectivity requirements

If you wish to connect using the local Administrator account, you will need to enable this policy on the target machine by running the following command in an administrator session on the target machine:

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1

If you wish to connect to a workgroup machine which is not on the same subnet as the gateway, run the following command in an administrator session on the target machine:

NETSH advfirewall firewall add rule name="WinRM 5985" protocol=TCP dir=in localport=5985 action=allow
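
As an added example (not part of the original post or the product's own scripts), the PowerShell below appends to TrustedHosts without overwriting the list and refuses a bare "*", reports whether LocalAccountTokenFilterPolicy is set on a target, and creates the port 5985 rule limited to the gateway's address. The function names, the rule name and the sample addresses are assumptions made for illustration.

```powershell
# Added example, not from the original post. Function names, the rule name and
# the sample addresses (192.0.2.0/24 is a documentation range) are hypothetical.
$TrustedHostsPath = 'WSMan:\localhost\Client\TrustedHosts'

function Merge-TrustedHostList {
    # String helper: union of the existing list and the new entries, trimmed
    # and de-duplicated (Sort-Object -Unique compares case-insensitively).
    param([string]$Current, [string[]]$Add)
    $all = @($Current -split ',') + @($Add) |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ } |
        Sort-Object -Unique
    $all -join ','
}

function Add-SmtTrustedHost {
    # Run elevated on the gateway. Appends to the list instead of replacing it.
    param([Parameter(Mandatory = $true)][string[]]$Target)
    $current = (Get-Item $TrustedHostsPath).Value
    $entries = @($current -split ',') | ForEach-Object { $_.Trim() }
    if ($entries -contains '*') {
        # A bare "*" makes the client authenticate to any host without
        # verifying that host's identity.
        Write-Warning 'TrustedHosts is "*"; replace it with an explicit list first.'
        return $current
    }
    if ($Target -contains '*') { throw 'Refusing to add a wildcard entry.' }
    $merged = Merge-TrustedHostList -Current $current -Add $Target
    Set-Item $TrustedHostsPath -Value $merged -Force
    (Get-Item $TrustedHostsPath).Value
}

function Get-SmtRemoteUacState {
    # Run on the target. 1 = members of the local Administrators group receive
    # a full (unfiltered) token over the network; absent or 0 = default filtering.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    if ($p) { [int]$p.LocalAccountTokenFilterPolicy } else { 0 }
}

function Add-SmtScopedWinRMRule {
    # Run elevated on the target. Same rule as in the post plus remoteip=, so
    # only the gateway can reach TCP 5985 (netsh defaults remoteip to "any").
    param([Parameter(Mandatory = $true)][string]$GatewayAddress)
    netsh advfirewall firewall add rule name="WinRM 5985 (gateway only)" `
        protocol=TCP dir=in localport=5985 action=allow remoteip=$GatewayAddress
}

# Usage (constructed values):
#   Add-SmtTrustedHost -Target 'nano01', '192.0.2.21'    # on the gateway
#   Get-SmtRemoteUacState                                 # on the target
#   Add-SmtScopedWinRMRule -GatewayAddress '192.0.2.10'   # on the target
```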

The Server management tools team is looking forward to your feedback on the public preview. You can provide feedback on the tools directly via the feedback button in the Azure portal. We also routinely monitor the Windows Server Management Tools UserVoice feedback site for suggestions on improvements and encourage you to submit your ideas there.

Thanks,

Kriti

Comments (56)

  1. Adz says:

    I thought Jeffrey Snover was technical fellow

  2. Asd says:

    He wasn’t last year ^^

  3. Chris Smith says:

    Looks really slick and I can’t wait for it to support 2012!

  4. Lyon TIll says:

    Slight update to the winrm above:
    winrm set winrm/config/client '@{ TrustedHosts="<>" }'

    1. Lyon, thanks for pointing this out! I didn’t realize the difference until now. Single quotation marks are required in PowerShell, but not in the Command Prompt. You can also use Set-Item with the Concatenate parameter to add a computer name to an existing list of trusted hosts, instead of replacing the list. I’ve updated the blog post with this info.

  5. AWC says:

    Not cool, Why do I have to connect to Azure to manage a local device?

  6. Mycroft says:

    What AWC said. We do not use any cloud services for anything else; now, you’re saying I have to have an Azure account to manage my on-premises servers? I truly hope this is a temporary state of affairs.

  7. Bert says:

    Like AWC and Mycroft I don’t see any benefit for me to have management tools in the (paid) cloud for management of on premises server. I need this toolset in my LAN.

  8. Walter says:

    Well, if you only have your own LAN infrastructure this might not do you much good. However, if you are in a hybrid environment, with servers locally and in Azure, this does help out a lot.
    Even better, for MSP’s supporting multiple customers that can have all sorts of infrastructure (on local LAN, in a datacenter, in Azure or even in something like Amazon cloud), this looks like a great way to manage and maintain your servers….

  9. Anthony says:

    I echo the concerns above — I like the cloud option for those situations where you have workloads in hybrid cloud situations but this seems to create a situation where if there is, let’s just say, a fiber cut outside a company’s data center not only do
    they lose access to cloud services (and other WAN provided connectivity) but they also lose the ability to manage their own infrastructure? that seems like an unacceptable risk for production environments. This needs to be able to run stand alone on prem (meaning
    without Azure stack for those in a VMWare world) if we are to see the true promise of Nano Server.

  10. AWC says:

    I agree with Walter if you have a hybrid environment, but I live in a world where almost all my workloads are local.

    It’s not uncommon for Google, Microsoft, and all the other providers that get you to the cloud to have both scheduled and unscheduled service interruptions. My company has seen this as a consumer of cloud services and we have very good internet services, which
    is why I’m unwilling to risk not being able to manage mission critical local workloads if there is an interruption anywhere in the service path.

    As Anthony said " This needs to run stand alone on prem…"

    There are too many layers and too many ways something can go wrong, and let’s face it, when things go wrong they seldom go wrong in the best way possible…

    I hope you’re listening Microsoft…

  11. Brendan says:

    Hi everyone – I’m a PM in the Server org working on the management tools with Kriti.

    This is great feedback; we know that a cloud dependency is not the right option for many businesses, so we’re evaluating how to make our tools available in other delivery vehicles, including Azure Stack.

    Traditional MMC snap-ins will continue to work against Nano Server as well, so even if the link to the cloud is broken, classic management strategies (including PowerShell) are still viable. If you have an interest in providing more feedback, or talking with
    us about your requirements, please feel free to email me at brendanp @ microsoft.com

    thanks!

  12. Jason says:

    Just chiming in…Azure is a no-go for us.

    I wish we could simply have some simple, easy-to-use tools that we can fully host locally without it being chatty with the outside world. There are too many areas in our environment where we couldn’t do Azure-managed stuff even if we really wanted to, due to
    laws and regulations (such as PCI).

  13. I wonder if there will be an On-Premise version from Server Manager running from another Windows Server 2016 GUI Management Server?

  14. BillF says:

    Brendan,
    What about those of us who work for ‘3 letter’ Government agencies? Azure would be a no go.

    1. Ben says:

      @Schulz – Why this shameless plug for your books here. I see it has no relevance to the topic. Please STOP doing such ads in technical posts.

  15. David Arbogast says:

    On Prem is of little interest to me as it eliminates too many benefits. Being web-based, this is a toolset that naturally allows a "work from anywhere" approach, and it seems easier to leverage it this way than to deploy and secure another web based tool
    on local servers. I am an Azure fan, however, unlike some commenting here… and I leverage cloud services. If my datacenter was to become unavailable for any reason, I’d appreciate having my management tools in the cloud as I work through DR and continue
    to manage my other resources…. Ideally, without driving to the office at 2am on a Sunday….

  16. Emma says:

    I use Semantic Sales to manage with email mess. It let me save up to 9 hours a week. Follow up reminder, missed e-mail reminder. Also it has an option — when I receive letter from new contact, they sending me his accounts in FB and Linkedin.
    https://semanticsales.com

  17. Joe Raby says:

    I looked at the RSAT tools for Windows 10 (support for Server 2016 TP4) and it still lacks a GUI console for WDS. Why?? Why do you require that a GUI console for WDS run only on a server? I thought the whole purpose of RSAT and general best practise was
    to get rid of GUI consoles off of servers. Command-lines just don’t cut it, and using something like cloud management over Azure for a small business server (Essentials) isn’t realistic. However, best practises are. And getting GUI consoles off of servers
    is still a noble goal. Also, I thought Essentials was built for people that didn’t have some high-level enterprise certification – this is why command-lines just don’t work for this product even though there are WDS integration scenarios (client PC backup
    and restore) in the Dashboard, however, all server installations would benefit from having a WDS console in RSAT.

  18. Dev Ramdin says:

    I agree with the other comments that it would be great to have a way to deploy this on premises. Perhaps as a Server 2016 role/feature.

  19. Cloud-Ras says:

    Let’s say that if a server won’t boot in Azure, would this make it a possibility to manage the server?

  20. Mike Brown says:

    Will these tools be able to manage 2012R2 Servers?

  21. BizD3v says:

    Will we be able to manage multiple locations from a single Server Management Service? Early demos made it seem that way and we were looking forward to a "single pane of glass" to manage servers at multiple offices. Unlike others here who IMHO are missing
    the point, I’m less interested in "corrupting" this tool’s purpose by addressing on-perm (plenty of tools to do that, as you point out), but rather really leveraging it to do things a local or VPN connection can’t.

  22. Kriti Jindal says:

    Hi everyone. Thanks for the great feedback. We will investigate the feasibility of the features requested in the comments.

    @BizD3v, I would love to further understand your scenario. Please reach out to me. My email is kritij@microsoft.com.

  23. John says:

    Hello, is it possible to manage Nano Server via powershell directly from my PC?

  24. MNscripter says:

    John, you most certainly can! PSRemoting works, just keep in mind that the set of available cmdlets in the nano session is reduced.

  25. Kriti Jindal says:

    To get more details on managing Nano Server, you can also refer to
    https://technet.microsoft.com/en-us/library/mt126167.aspx

  26. Mark Kazokas says:

    I do not understand why we cannot have both. We are a small University and do not currently have an Azure account, nor do we have any plans for it in the immediate future. While I would not have a problem managing Nano systems using PowerShell, there is a big learning curve, as I am not the only onsite admin. I do not feel comfortable deploying Nano out without, at the very least, a remote management GUI tool, so other (not as technical) users can survive when I am not available. Can’t the same tools be developed to run from an on prem server, which would not only be more responsive, but also would allow me to continue to manage my Nano servers in the event of our internet connection going down (this has happened for nearly 2 full days a few weeks ago)

    1. Kriti Jindal says:

      Thanks for the feedback Mark. There has been a lot of customer feedback in this space and we are evaluating options for an on-prem solution. We understand that dependency on the cloud is not ideal for all businesses. I would love to understand the limitations, if any, for getting an Azure subscription. Please feel free to email me at kritij@microsoft.com.

      1. anotherhostingadmin says:

        Chiming in on all the others that are not happy with the way this SMT is working: As a managed hosting service provider, I manage quite a number of customers. For this we have very strict rules and security in place, and jumphosts that are not reachable from the internet that connect to those customers via an out-of-band network. Now with this tool we are supposed to log on to a public cloud provider, then with that make a connection to a Windows machine, and have this windows machine be a gateway to the innards of a highly secure datacenter.. I don’t think so..

        I can see this tool works just fine if you want to manage something that’s in Azure already, but for secure environments this just won’t fly.

        1. Kriti Jindal says:

          Thanks for the feedback. It is definitely helpful for us to understand various scenarios where cloud dependency is not an option for our customers.

  27. Gary says:

    Unfortunately, for both me and my main employer, the licensing model of this, and both the coming licensing model of azure stack leave a hugely unpalatable taste in our mouth.

    Azure on-prem is now a dead end for us. Whereas we were happy to pay for system center datacenter licensing and use Azure Pack, subscription only and usage based billing of on-prem products means we will not be deploying this or stack. Our Azure Pack deployments are now just run and maintain, while we evaluate other options all the way down to allowing users limited SCVMM console access.

    Nevermind the fact that some of our scenarios are entirely off-internet or on tightly controlled governmental networks beyond just FedRAMP level of concerns.

    1. Kriti Jindal says:

      Hi Gary,
      Server Management Tools do not have a licensing model, and neither does the Azure subscription associated with them. If you only use Server Management Tools in your Azure subscription, you should not incur any cost.
      As for Azure Stack, please reach out directly to Vijay.tewariATmicrosoft.com.
      Thanks!

  28. Anas says:

    When I try to install the gatewayservice.msi file I got an error message saying: “server management tools gateway setup wizard ended prematurely”

    Any idea about this error please?

    1. Kriti Jindal says:

      Thank you for the feedback Anas. I will need some more details to help you with the issue. Could you please email me kritij@microsoft.com and we can continue the discussion.

      1. Christoffer Martinsson says:

        Hi,

        I also experienced this error (2012R2). In my case it seems to be related to the creation of the self-signed certificate:

        “GenerateEncryptionCert returned actual error code 1603” appears if running .msi with logging.

        Trying with an existing certificate throws: SetPrivateKeyPermissions returned actual error code 1603

        Any ideas?

        Br,
        Chris

        1. Kriti Jindal says:

          Thanks for the feedback Chris. This is a known issue with WS2012R2 and we are working on releasing a fix. I apologize for the inconvenience.

  29. drag racer says:

    Thanks for sharing!

  30. Dan Herrmann says:

    What are valid anti-malware tools for Nano Server

    1. Hi Dan, Windows Defender is an optional package on Nano Server and currently the recommended anti-malware solution. Please see our Nano Server blog for updates and future questions on Nano Server – https://blogs.technet.microsoft.com/nanoserver/

  31. OB says:

    Is there, or will there ever be, an API for invoking Powershell code on gateway servers or devices behind them using .net?
    We would like to add support for SMT via Azure in our existing UWP app which currently uses a custom gateway server 🙂

  32. Sheeraz says:

    Why on earth would you move your users to manage local infrastructure via Azure? What about unscheduled outage? What about System small businesses internet issues – Internet outage means no admin work? even though Internet outage is thing of the past but it has happened and probably will continue to happen and yes, PS is not a skill everyone possess.

    1. Hi Sheeraz, MMC snap-ins will continue to work, so even if the link to the cloud is broken, classic management strategies (including PowerShell) are still viable. Also, a lot of customers are seeing the benefits of cloud-based management, such as less infrastructure to manage, and getting quicker updates to the tools. But we do understand that this doesn’t work for everyone and we’re tracking the request for on-premises based tools. Please vote and comment if you’d like: https://windowsserver.uservoice.com/forums/295071-management-tools/suggestions/12288024-make-the-azure-based-management-tools-for-nano-ser

  33. Cloud-Ras says:

    Ehmm… is this going to be downloadable or is it only accessible through Microsoft Azure?
    Is it possible to install on WAP?

    1. Hi, currently the tools are only available via Azure, but we’re tracking the request to make it available on-premises. Please vote or comment if you’d like: https://windowsserver.uservoice.com/forums/295071-management-tools/suggestions/12288024-make-the-azure-based-management-tools-for-nano-ser

  34. smlbbr says:

    I wanted to try out the tools, but when attempting to create a new connection, the Subscription section states “A billable subscription is required.” Currently we are just using “Access to Azure Active Directory,” but I was under the impression all that is needed is an Azure account. Am I missing something? Unfortunately, I don’t have much experience with Azure, and we have no future plans in leveraging any of the paid features due to budget constraints.

    1. Hi, sorry for the late reply. If you are only using Azure AD, you might only have an Azure account, but not a billable subscription which requires a payment method attached to your account. While SMT is a free service that will not charge you for using any Azure resources, Azure does require a subscription to be able to use the service.

  35. Ryan McDonald says:

    I wanted to say thank you for making the Server Management Tools a service in Azure. For those of us that don’t have constraints with running workloads in Azure it’s great to consume it as a service, and not have one more piece infrastructure that I need to manage. I’m looking into how the management tools log events in Azure. Do the Server Management Tools log to the Azure Activity Log? Are there additional logs available on the gateway server? Any other guidance on logs would be appreciated.

    1. Hi Ryan, sorry for the late reply. There is some level of logging done on the gateway server via ETW logs in Applications and Services > Microsoft > ServerManagementTools > Gateway > Admin for every request routed through the gateway to a target server. However, this doesn’t map well to what tool/blade you are using in the Azure portal and the request body is not logged due to security reasons. You can probably tell the request time, target node and sometimes the feature/tool used, but not in a very user-friendly or readable way. We are aware that auditing/logging is important for IT admins and we are tracking this in our backlog, but haven’t had time to work on this yet.

  36. John Babbitt says:

    I’ve been looking for a way to remotely manage Windows Server 2016 Core. I need to be able to switch between GUI and Core but that’s no longer an option, apparently. So, how do I uncheck IPv6, LLDP+related, get to Disk Management remotely to allocate and set up Drive D:, reassign drive letters, and all the stuff we used to do via GUI? Is there a better software than RSAT, because RSAT doesn’t include Disk Management nor Network Settings among many other items. Since our policy prohibits cloud-based services from accessing our servers, the Azure option is not viable. Where does this all leave us on-premise-only customers? Are we SOL and have to figure out how to do everything by PowerShell, if PowerShell can even edit the tiny details such as disabling LLDP? At the moment, I’m extremely unhappy with Server 2016; bloated if full GUI installation, unable to manage if Core installation, can’t toggle between the two, no FULL remote server management GUI-based tools available.

    1. Hi John, thanks for the feedback! We are aware that on-premises management tools is a must-have for many of our users. We are tracking this and other feature requests via UserVoice. I’d encourage you to go to the following link, upvote on features and subscribe for updates on the feature announcements: https://windowsserver.uservoice.com/forums/295071-management-tools/suggestions/12288024-make-the-azure-based-management-tools-for-nano-ser

  37. Phil B says:

    When installing the GatewayService on a 2012 server I get the message “To install this software, you must be running Windows Server 2012 R2 or later” but MS documentation I copied from the portal below says something else.

    “Gateway Requirements
    The gateway server requires an outbound internet connection to retrieve requests from the Azure portal and a WinRM connection to each of the target servers.

    The gateway server must be running Windows Server 2012, 2012 R2 or 2016.

    If the gateway server is running Windows Server 2012 or 2012 R2, Management Framework (WMF) 5.0 is also required.”

    1. Sorry, that’s a misstatement in our documentation. We currently only support gateway installation on WS2016 and WS2012 R2. If installation on WS2012 is important to you, please go here and vote for this feature: https://windowsserver.uservoice.com/forums/295071-management-tools/suggestions/18670969-gateway-installation-on-ws2012-not-r2

  38. Stephen Collum says:

    I am liking this tool so far, essentially a static Server Manager that I don’t have to set back up after I image my workstation. However, I would really like to add my 2008 R2 servers but I am getting a connection error. Are 2008 servers supported?
