Manage Servers using Server Manager in Windows 8.1

I’m a strong advocate of using PowerShell Remoting instead of RDP or Remote Server Administration Tools (RSAT) wherever possible for server administration, but there’s no doubt that GUI management tools still have their place. The first thing you’ll miss if you go the PowerShell route is Server Manager, in particular its dashboard, which gives a graphical overview of servers so you can quickly establish if there are any problems that need attention. In this article, I’ll show you how to manage servers using Server Manager in Windows 8.1.

Server Manager is easy to set up if you have an on-premises Active Directory (AD) domain, but if you want to manage standalone servers, servers in the cloud, or run Server Manager on a workgroup PC, then you’ll need to take some extra configuration steps.

The Server Manager Dashboard (Image: Russell Smith)

In this article, I’m going to show you how to configure a Windows Server 2012 R2 Azure virtual machine (VM) so it can be managed using Server Manager from an on-premises PC running Windows 8.1. In this example, there is no VPN in place between the on-premises site and the Azure virtual network. Although this is not a recommended configuration, it might be useful for lab environments or scenarios where security isn’t critical.

The instructions in this article can be adapted to suit any cloud or on-premises server management scenario by removing any steps specific to Azure. If you have a VPN configured between your on-premises LAN and Azure virtual network, then adding servers running in the Azure cloud to Server Manager is no different to adding servers on your local network. For more information on Azure point-to-site VPNs, see Configure Microsoft Azure to Accept Point-to-Site VPN Connections on the Petri IT Knowledgebase.

Microsoft Server Manager and WinRM

Server Manager uses the Windows Remote Management (WinRM) protocol over HTTP, not the fully encrypted HTTPS channel that can be configured for PowerShell Remoting. That’s not to say that WinRM over HTTP doesn’t employ any encryption or that credentials will be exposed in clear text, but nevertheless it is intended for use on secure private networks.

If you want access to other remote server administration tools, such as those that can be launched from Server Manager’s Tools menu, including the Active Directory Administrative Center (ADAC) and Active Directory Users and Computers (ADUC), you should install RSAT on a computer that’s joined to the appropriate domain and that has access to domain controllers over a secure private network.

Enable Remote Management in Server Manager

Server Manager remote management is enabled by default in Windows Server 2012, but is disabled in Windows Server if deployed from Azure’s image gallery. To enable Server Manager remote management:

  1. Log in to Windows Server 2012 R2.
  2. Switch to the Start screen, type powershell and make sure that Windows PowerShell is selected in the search results. Press CTRL+SHIFT+ENTER to start PowerShell with administrative privileges. If prompted, enter administrator credentials to continue.
  3. In the PowerShell prompt, type configure-smremoting.exe -enable and press ENTER.

Enable remote management in Server Manager (Image: Russell Smith)

Configure Microsoft Azure

The following steps modify the default WinRM Windows Firewall rule and add an endpoint to the Azure cloud service configuration hosting the server. This is only required if you do not have a VPN in place between your on-premises LAN and Azure virtual network.

Modify the Default Windows Firewall Rule for WinRM

The default firewall rule for WinRM restricts inbound access to devices with IP addresses on the local subnet. To connect using Server Manager over the Internet, we need to change the rule to allow any address or a specific public IP address.

In an elevated PowerShell window, type the following command and press ENTER. I recommend that you replace any with a specific public IP address.

set-netfirewallrule -name "WINRM-HTTP-In-TCP-PUBLIC" -remoteaddress any

I established the exact name for the WinRM inbound rule associated with the Public firewall profile by running the following command:

get-netfirewallrule -policystore activestore | where { $_.DisplayName -eq "Windows Remote Management (HTTP-In)" }

Modify the default WinRM Windows Firewall Rule (Image: Russell Smith)
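Following the recommendation above to use a specific address rather than any, this added example (not from the original article) scopes the rule to one management IP and then reads back every WinRM HTTP-In rule from the active store. The address 203.0.113.10 is a placeholder from the documentation range, and the variable and column names are assumptions.

```powershell
# Added example, not from the original article. Run in an elevated prompt
# on the server.
# ASSUMPTION: 203.0.113.10 is a placeholder; substitute the public IP
# address of your management PC.
$MgmtIp   = '203.0.113.10'
$RuleName = 'WINRM-HTTP-In-TCP-PUBLIC'   # rule name given in the article

# Restrict the Public-profile WinRM rule to the single management address.
Set-NetFirewallRule -Name $RuleName -RemoteAddress $MgmtIp

# Read back every WinRM HTTP-In rule with its port and address filters,
# flagging any enabled Public/Any-profile rule that accepts any source.
Get-NetFirewallRule -PolicyStore ActiveStore |
    Where-Object { $_.DisplayName -eq 'Windows Remote Management (HTTP-In)' } |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name           = $_.Name
            Profile        = $_.Profile
            Enabled        = $_.Enabled
            LocalPort      = $port.LocalPort -join ','
            RemoteAddress  = $addr.RemoteAddress -join ','
            OpenToInternet = ($_.Enabled -eq 'True') -and
                             ("$($_.Profile)" -match 'Public|Any') -and
                             ($addr.RemoteAddress -contains 'Any')
        }
    } | Format-Table -AutoSize
```

A row with OpenToInternet set to True means port 5985 on that profile still accepts connections from any source address.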

Add an Azure Endpoint

Azure automatically configures an endpoint for WinRM over HTTPS for PowerShell Remoting when you create a new virtual machine. No endpoint is created for WinRM over HTTP for security reasons, so we will need to add one manually.

  1. Sign in to the Azure Management Portal.
  2. Click BROWSE on the left of the portal.
  3. Click Virtual Machines in the Browse blade.
  4. In the Virtual machines blade, click the server for which you want to add the endpoint.
  5. In the server’s blade, scroll to the bottom and click the Endpoints tile.
  6. In the Endpoints blade, click ADD.
  7. In the Add an endpoint blade, type WinRM in the ENDPOINT box. Set PROTOCOL to TCP and type 5985 in both the PUBLIC and PRIVATE PORT fields.
  8. Leave FLOATING IP set to DISABLED and click OK.

Add a WinRM over HTTP endpoint in Azure (Image: Russell Smith)

You can check the status of the operation by clicking NOTIFICATIONS on the left of the portal. It may take a couple of minutes to create the endpoint.

Alternatively, if you have PowerShell for Azure configured on a management PC, then you can run the following command from an elevated prompt to configure the endpoint, replacing contososrv1 with the name of the cloud service and VM name as appropriate. For more information about configuring PowerShell for Azure, see Setup Windows Azure PowerShell Management.

get-azurevm -servicename "contososrv1" -name "contososrv1" | add-azureendpoint -name "winrm" -protocol "tcp" -publicport 5985 -localport 5985 | update-azurevm

Configure Server Manager on the On-Premises Management PC

Now the server side has been configured, let’s install and set up Server Manager on the local management PC. In this example I’m installing RSAT on Windows 8.1.

If you plan to launch Server Manager with a standard user account, you will need to manually start the local WinRM service, or set the service startup type to Automatic.

  • Press the WINDOWS key to switch to the Start menu, type powershell, making sure that Windows PowerShell is selected in the search results. Press CTRL+SHIFT+ENTER to launch the prompt with elevated privileges. If prompted, give consent or enter administrative credentials.
  • In the PowerShell prompt, type start-service winrm and press ENTER to start the WinRM service. If you want the service to start automatically every time Windows is booted, type set-service winrm -startuptype automatic and press ENTER.

Because we are not using WinRM over HTTPS, or connecting to servers in the same domain as our on-premises management PC, we need to add the DNS name of the remote server to the WinRM Trusted Hosts List.

  • In the elevated PowerShell prompt, type set-item wsman:\localhost\client\trustedhosts contososrv1.cloudapp.net -concatenate -force and press ENTER, replacing contososrv1.cloudapp.net with the Fully Qualified Domain Name (FQDN) of the remote server to be added to Server Manager. The -concatenate parameter adds new hosts to the list without overwriting existing entries.
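The Trusted Hosts step above, as an added example that is not part of the original article: it adds the server only if it is not already listed, warns about wildcard entries in the list, and checks that the WinRM HTTP listener answers on port 5985. The FQDN is the article's placeholder and the variable names are assumptions.

```powershell
# Added example, not from the original article. Run in an elevated prompt
# on the management PC.
# ASSUMPTION: contososrv1.cloudapp.net is the article's placeholder FQDN.
$Server = 'contososrv1.cloudapp.net'
$Path   = 'WSMan:\localhost\Client\TrustedHosts'

# TrustedHosts is stored as one comma-separated string; split it into
# entries and drop empty items (the value is empty when nothing is trusted).
$current = @((Get-Item $Path).Value -split ',' |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ })

# Add the server only when it is missing, so repeated runs do not
# create duplicate entries.
if ($current -notcontains $Server) {
    Set-Item $Path -Value $Server -Concatenate -Force
    $current += $Server
}

# Wildcard entries make the client trust unauthenticated hosts broadly;
# list them so they can be reviewed.
$wild = @($current | Where-Object { $_ -match '\*' })
if ($wild.Count -gt 0) {
    Write-Warning "Wildcard TrustedHosts entries: $($wild -join ', ')"
}
"TrustedHosts now contains: $($current -join ', ')"

# Test-WSMan sends an unauthenticated WS-Management Identify request,
# which confirms the firewall rule and endpoint let port 5985 through.
try {
    $id = Test-WSMan -ComputerName $Server -Port 5985 -ErrorAction Stop
    "WinRM reachable: $($id.ProductVendor) $($id.ProductVersion)"
}
catch {
    Write-Warning "WinRM not reachable on ${Server}:5985 - $($_.Exception.Message)"
}
```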

Now we are ready to launch Server Manager and add the remote server.

  • Press the WINDOWS key to switch to the Start menu, type server manager, and select Server Manager from the search results.
  • In Server Manager, make sure Dashboard is selected on the left.
  • On the right pane of Server Manager, click Add other servers to manage.
  • In the Add Servers dialog, switch to the DNS tab.

Add a remote server in Server Manager (Image: Russell Smith)

  • In the Search box, type the FQDN of the remote server and press ENTER.
  • Highlight the server in the search results and click the right arrow in the middle of the dialog to add the server to the list of selected servers on the right.
  • Click OK.
  • Now click All Servers on the left of Server Manager.
  • In the SERVERS box at the top of the right pane, right click the newly added server and select Manage As… from the menu.
  • In the Windows Security dialog, enter a username and password that’s valid on the remote server. The account must be a member of the local or domain administrators group.
  • Check Remember my credentials and click OK.

After a few seconds, the Manageability status under SERVERS should change to Online if Server Manager is able to successfully connect to the server. Any previous errors that occurred prior to adding credentials for the server can be ignored.