
I want to be able to fully manage servers in an Active Directory environment using a GUI from a central Windows Server.

I bring this question to Server Fault because there seem to be multiple types of "Remote Management" within Windows Server, and the various articles I've found describe enabling it in different, confusing ways.

An example of my ideal workflow:

  1. Log into the only central server with a GUI.
  2. Go to All Servers and right click the server I wish to manage.
  3. Click "Computer Management" and be able to manage the things available through that MMC, e.g. Disk Management, Device Manager, Task Scheduler, etc.

When researching how to do this, the following things are what confuse me:

  1. I have to enable firewall exceptions for managing specific functions remotely, e.g. Disk Management requires the "Remote Volume Management" firewall group to be enabled. This is separate from the "Configure Remote Management" option available in the Core server's sconfig.cmd.
  2. I have to do that on both the server to be managed, and the server doing the managing.
  3. Windows Remote Management is not a catch-all for all these functions.

#1 confuses me because going into sconfig.cmd on the Core installation of a server that's to be managed shows "4) Configure Remote Management Enabled". So presumably this should already do that. If it isn't doing that, what is it actually enabling?

#2 confuses me because those Firewall groups affect incoming connections only. Why this would be relevant to the managing server, I don't know.

#3 confuses me because it seems that's something specifically for Powershell/Command Prompt management and has nothing to do with enabling the individual components. It seems like a poor naming choice, or lack of clarification. I'm not certain of this however.

My primary question is: How do I achieve what I want with minimal firewall/setting changes in Active Directory?

Am I coming at this from the wrong angle or misunderstanding something regarding how to enable these features? It just seems like this is more work than it needs to be, and more confusing than necessary, given how widely used I'd expect these features to be.

If I go forward with the various guides I've found, I'm likely to enable/allow things that shouldn't or don't need to be enabled/allowed.

  • Have you already done `winrm quickconfig`? That should pretty much be it. Then you'll want to make sure you install the management tools on the management server or workstation. You might have to separately enable PS remoting. – Todd Wilcox Dec 12 '17 at 20:51
  • Running `winrm quickconfig` states the service is already running on the machine and that it is already set up for remote management. Even with that result, doing something like managing volumes/disks in Disk Management through Computer Management does not work until I enable the Remote Volume Management firewall exceptions. So I'm still not sure what WinRM being enabled actually does. – Payden K. Pringle Dec 12 '17 at 22:32
  • WinRM does pretty much everything *except* disk management. I didn't actually know you could enable remote volume management before now. I'll have to try it. AFAIK there is no master remote management guide from Microsoft. If you make sure you can do remote PowerShell then I think you'll have either all or almost all of it. – Todd Wilcox Dec 12 '17 at 22:45
  • @ToddWilcox WinRM can do disk management. There is even GUI functionality in Server Manager via 'File and Storage Services/Volumes/Disks'. Or you can of course use PowerShell via WinRM. – Zoredache Dec 12 '17 at 23:07
  • `managing volumes/disks in Disk Management through Computer Management` - The 'Computer Management' MMC is more or less deprecated in favor of Server Manager. If you use the older tools, then you need to make exceptions for the older protocols. – Zoredache Dec 12 '17 at 23:09

1 Answer

How do I achieve what I want with minimal firewall/setting changes in Active Directory?

Windows has been around for a couple of decades now, so there are a lot of older protocols. Several protocols are in use, and many tools. The older tools have not been fully transitioned to the newest protocols.

Unfortunately this means that to permit management with all the various tools, you are going to make lots of exceptions related to WinRM, WMI, RPC, DCOM, SMB, and so on.

Of course, if all your remote management will be performed from some kind of privileged access computer, then you could just make a big exception for that privileged system, instead of making exceptions per protocol.

1) confuses me because going into sconfig.cmd on the Core installation

That option is primarily focused on making Server Manager and PowerShell remoting work. These are the 'new/current' management protocols. It doesn't make the required exceptions for the older tools.

3) confuses me because it seems that's something specifically for Powershell/Command Prompt management and has nothing to do with enabling the individual components. It seems like a poor naming choice, or lack of clarification

WinRM is a specific technology that is new(ish), part of the Windows Management Framework and PowerShell. You could argue it is ambiguously named, but the older communication methods using RPC, DCOM and so on also had annoying names. Most new functionality has been focused on using WinRM.

Zoredache
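The following is an added example, not part of the question or the answer above, showing how the "exception for one privileged system" approach from the answer can be applied in practice. It uses the WinRM channel that sconfig option 4 already provides to push the legacy-tool firewall exceptions (the RPC/DCOM/SMB based rule groups that Computer Management's snap-ins need) to each Core server, but scopes every rule to the management host's address instead of leaving it open to any source. The management host address, the target server names and the subnet are constructed assumptions, not values from the page; the display group names are the ones shipped in the Windows Firewall and match what the question reports for Disk Management.

```powershell
# Added example (not the original poster's or answerer's code).
# Assumptions, not from the original page:
#   - WinRM / PowerShell remoting is already working (sconfig option 4), as the question states
#   - the single GUI management server is 10.0.0.10
#   - the Core servers to be managed are CORE01 and CORE02 on 10.0.0.0/24
# Run from an elevated PowerShell session on the management server.

$ManagementHost = '10.0.0.10'            # constructed: the only machine allowed to connect
$Targets        = 'CORE01', 'CORE01'     # constructed: Core servers to be managed
$Targets        = 'CORE01', 'CORE02'
$ServerSubnet   = '10.0.0.0/24'          # constructed: where the managed servers live

# Firewall display groups used by the older MMC snap-ins inside Computer Management.
# WinRM's own group is listed last only so the report shows what sconfig already opened.
$LegacyGroups = @(
    'Remote Volume Management'                 # Disk Management (Virtual Disk Service, RPC)
    'Remote Event Log Management'              # Event Viewer
    'Remote Scheduled Tasks Management'        # Task Scheduler
    'Remote Service Management'                # Services
    'Windows Management Instrumentation (WMI)' # WMI Control, Device Manager (DCOM)
    'File and Printer Sharing'                 # Shared Folders, SMB-based snap-ins
    'Windows Remote Management'                # WinRM itself (should already be enabled)
)

# Runs on each managed server: enable the groups, restricted to one remote address,
# then return the resulting inbound rules so the change can be reviewed centrally.
$Configure = {
    param([string[]]$Groups, [string]$AllowedFrom)

    foreach ($group in $Groups) {
        $rules = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue
        if (-not $rules) {
            Write-Warning "$env:COMPUTERNAME : no inbound rules found for group '$group'"
            continue
        }
        # Enable the group but replace the default 'Any' remote scope with the management host.
        $rules | Set-NetFirewallRule -Enabled True -RemoteAddress $AllowedFrom
    }

    Get-NetFirewallRule -Direction Inbound -Enabled True |
        Where-Object { $_.DisplayGroup -in $Groups } |
        ForEach-Object {
            [pscustomobject]@{
                Computer      = $env:COMPUTERNAME
                DisplayGroup  = $_.DisplayGroup
                DisplayName   = $_.DisplayName
                RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            }
        }
}

# Deliver the configuration over WinRM. The leading comma keeps $LegacyGroups as one argument.
Invoke-Command -ComputerName $Targets -ScriptBlock $Configure `
    -ArgumentList (, $LegacyGroups), $ManagementHost |
    Sort-Object Computer, DisplayGroup, DisplayName |
    Format-Table -AutoSize

# Disk Management is the case the question found needed both sides: the Virtual Disk
# Service on the managed server opens a callback connection to the managing machine,
# so the same group has to be open inbound here too, scoped to the managed servers.
Get-NetFirewallRule -DisplayGroup 'Remote Volume Management' -Direction Inbound |
    Set-NetFirewallRule -Enabled True -RemoteAddress $ServerSubnet
```

After running it, the table shows, per server, exactly which inbound rules are now enabled and that each carries the management host's address rather than Any. Re-running with a `$LegacyGroups` list trimmed to the snap-ins actually used keeps the exposure to the minimum the question asks for; Server Manager's "File and Storage Services" view, as the comments note, needs only the WinRM group.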