Manage On-Premises Hyper-V from Azure

cloud hand hero img
In this article I explain how you how you can (remotely and securely) manage your on-premises Hyper- V hosts, including Nano Server, from Azure’s (remote) server management tools, on Windows 7, Macs, and even non-Windows tablets.


The Problem with Server Management Tools

How would you manage servers today? Unfortunately, I expect that most of you will say “I log into the server and …”. Although I remain an advocate for a GUI on Windows Server (mainly for troubleshooting reasons), I still prefer working remotely. The best way to manage a server is to use the Remote Server Administration Toolkit (RSAT), a set of tools that you would normally get on a server, but can be installed on your PC.
That sounds perfect until you enter the real world. Most enterprises seem to adopt, not necessarily for widespread usage, newer versions of Windows Server faster than they deploy client OSs. This is often because there are some services that require a newer OS. The business might demand the latest CRM application, which requires Windows Server 2016 (WS2016). Some new ERP solutions might take advantage of a performance feature in WS2016. Or maybe you’ve opted to deploy WS2016 Hyper-V because of Nano Server, security, administration, operational, scalability, or management features? While that doesn’t force you to upgrade the guest OSs of your virtual machines, you might have been forced to look at your PCs. To manage Nano Server at all, or any other Windows Server installation type from your PC, you need to install RSAT on your PC. But RSAT is only ever designed to be installed on the matching desktop OS. For example:

  • RSAT for Windows Server 2012 required Windows 8
  • RSAT for Windows Server 2012 R2 required Windows 8.1
  • RSAT for Windows Server 2016 requires Windows 10

How many organizations do you think have deployed anything newer than Windows 7, even with the since-ended free upgrade to Windows 10? Not that many. And while some IT departments might be free to do limited upgrades for themselves, I’d wager that many more are limited by how they are licensed or by internal company policies (for example, “you use what you support”).
You cannot expect to work around the problem by using an older version of the administration tools with a newer version of the Windows Server OS.
Two workarounds were commonly used:

  • Local login: Administrators logged into each Windows Server that they were configuring, littering the server infrastructure with profiles, and probably browsing the Internet from a now-insecure system.
  • Remote Desktop Services (RDS): A better way was to install the server administration features on an RDS farm, using session hosts that were on the latest version of Windows Server. The administration tools could be published to each administrator. These published applications would run on the RDS farm, but be published as shortcuts on administrator PCs and appear to run locally. Combined with an RDS gateway and a good passphrase (passwords are for losers) policy, this also solved the problem of securely managing systems from a remote location. A nice solution, but we’re deploying more systems and using more capacity to manage to make management easier; doesn’t that sound wrong?

What if there was a solution that offered some of the benefits of the RDS option, such as centralized installation administration tools, always up-to-date versions, security, remote accessibility, and with the ability to use many kinds of devices … or browsers.

Azure Server Management Tools

Microsoft first started to talk about the Server Management Tools (in preview at the time of writing) in Azure back at Ignite 2015. The company first pitched the tools as a way to get a GUI experience for Nano Server, but that wasn’t quite correct because the solution, like RSAT, manages all kinds of on-premises Windows Server installations.
The solution offers you a set of GUI tools for server administration that run in your browser, via the Azure Portal. This means that to use the solution to manage Windows Serve 2016, including Nano Server:

  • You don’t need Windows 10 PCs (although Enterprise E3 or higher is best for a secure platform)
  • You can even use a Mac, iPad or Android tablet!
  • You can use Internet Explorer 11, Edge (latest), Safari (latest, Mac only), Chrome (latest), or Firefox (latest)

The Azure Portal is a web service, so administrators can sign in from anywhere to manage your on-premises servers. If you have configured Azure AD with either Azure AD Connect or ADFS, then you will also have single sign-on. You can further secure this remote access using conditional multi-factor authentication (MFA), a feature of Azure AD Premium.

How Server Management Tools Works

The system, from the customer perspective, is actually pretty simple. We deploy a Server Management Tools gateway onto a Windows Server 2016 server that is running on-premises. This will act as a proxy for discovering machines on our network and for funneling traffic to/from the management tools running in Azure.
A connection is created in Azure for each on-premises server that we want to manage; the server must be accessible to the gateway via IPv4/IPv6 address or DNS name. Credentials to manage the server must be either:

  • Saved after you create the connection.
  • Supplied on demand when managing a server via the connection.

Overview of Azure Server Management Tools architecture [Image Credit: Microsoft]
Overview of Azure Server Management Tools architecture [Image Credit: Microsoft]

I’ll explain how you can deploy this solution in a later post. For you Hyper-V administrators, there’s some good news. As with all good cloud services, Microsoft is continually adding features to the Server Management Tools. One of these additions was a Hyper-V console – Yay! We finally get a new Hyper-V management tool … sort of. But at least we get a great new way to manage those brand new WS2016 hosts from anywhere, and lack of Windows 10 deployments is no longer a blocker for adopting the most secure hypervisor and private cloud platform that is commercially available.