Microsoft’s Windows Admin Center (WAC) is a useful tool. Replacing both the on-desktop Server Manager and the PC-hosted Remote Server Admin Tools, it’s a modern web front end to the management APIs that have become part of Windows Server over the past decade or so.
If you’ve used PowerShell Remoting to manage servers, then you’re familiar with many of the underlying principles of WAC. Once authorised and connected to the Windows Management Interface on a server, you’ve got access to all the services and tools you’ve used, from working with the server hardware (even with vendor-specific features), all the way to managing Active Directory, or controlling virtual infrastructures running on Azure.
Windows Admin Center and the remote administrator
With most of us around the world locked down and working from home, tools like WAC are increasingly important. They give us what we need to keep the lights on in data centres and in the public cloud, supporting remote access across the public internet without the bandwidth and security impact of using Remote Desktop.
Since its launch, just over two years ago in April 2018, Microsoft has been adding new features and fine-tuning the platform. With the 1910.2 release, there’s very little you can’t do with WAC, making it an ideal tool for times like these. There is one caveat: it’s really intended for recent Windows Server releases, so if you have anything older than Windows Server 2012 in your data center it won’t be supported. In practice, you’re best off using WAC with Windows Server 2016 and later; Windows Server 2012 requires installing the Windows Management Framework before you can use it with WAC.
Once set up, you get access to all the admin tools you used to get with RSAT, and more. The web-based UI is quick and responsive, with a plugin-based model for updating existing features and adding new ones. It’s worth ensuring that all your management tools are up to date.
WAC on PC and on servers
There are two installation options. Trusted administrators can install it on their PCs, which then get access through the WAC service to managed PCs and servers. The local service includes its own web server, although you’ll need to choose the correct certificate for secure connections.
It’s certainly a simple way of quickly rolling out WAC to remote workers, with a small download from Microsoft. First set up the appropriate groups and permissions in Active Directory and give administrators VPN access to your management VLAN. Once they’re connected you should find they need very little training; the tools in WAC are familiar, building on the built-in server management features and on popular administration suites like those from Sysinternals.
SEE: 250+ tips for telecommuting and managing remote workers (TechRepublic Premium)
The second installation option is perhaps better suited to a world where all administration is remote. Instead of local copies of WAC running on untrusted systems, you only need to install one copy on a server behind your firewalls, giving you additional control.
If you install Windows Admin Center on a server it runs as a gateway, with no UI on the host server. Administrators can log on via a secure HTTPS session, secured by a security certificate on the host. While WAC offers a self-signed option, it’s better to use an appropriate SSL certificate from a trusted certificate authority as modern browsers will treat a self-signed connection as insecure — even if it’s to a local IP address over a trusted VPN.
Secure administration with a WAC Gateway install
With a gateway on a central server in your data center, all your remote admins need is a VPN and browser. The WAC gateway behaves like a local instance, routing WMI connections to servers. Users can add managed servers and desktops via Active Directory. It’s a relatively low-impact service, so you don’t need a physical server to run a gateway; it works well in a virtual machine. Installation is quick, and the final step details the URL and port you need to use to connect to it.
Like the local version, the WAC gateway needs to be configured to manage specific servers, clusters, or virtual machines running on Azure. You can then log in using your administrative credentials, choosing the server, VM, or PC you want to manage. Connections are fast enough to give you much-needed real-time access to tools like the new Performance Monitor, which helps diagnose issues with the metrics you need.
If you need direct access to a server, WAC includes a remote desktop view that works for both Windows Server Core’s console and the full Windows Server desktop experience. It’s a useful tool to have, but really should be reserved for rare occasions when hands-on access is needed — most likely when installing software. Most common operations are supported inside WAC or using its built-in remote PowerShell tools.
Managing access to WAC
By keeping your administration tools inside the browser, the gateway approach reduces the risk of leaked credentials or system compromise from remote devices. You can control access to your servers, using tools like Azure Active Directory to control access with single sign-on for approved administrators.
You can define roles to control what resources your team has access to, with Gateway Administrators managing Gateway Users. Active Directory groups are an important tool, with options for role-based access control, allowing you to limit the features users can manage on servers. Roles are deployed to machines, and when a user logs into a Windows Admin Center Gateway and opens a management session on a server, they can only use the role they’ve been assigned.
Like much of Microsoft’s current approach to infrastructure, there’s a lot of Azure integration in WAC, so you can use it as a tool for managing Azure services in a hybrid cloud. This is an interesting approach, and one that fits in with much of Microsoft’s recent work around extending its Azure Stack brand, which uses WAC as a management tool alongside the Azure Portal.
Web-based portals like WAC make an ideal platform for remote administration. The concepts developed in Azure translate well to your own data centre, and on to your staff’s PCs and tablets. The modern browser is a powerful and capable tool, giving you the opportunity to quickly move staff to working remotely without significant investments in hardware and infrastructure.
