Remote Management wasn’t quite there with Windows Server 2008. It’s getting better with the R2 release, but you still have homework to do.
Do you remember the day you first laid your hands on Windows Server 2008? That was an exciting day. It had been five long years since the last major server OS release. You couldn’t finish your first install fast enough.
You entered your username and password at the logon screen. You were greeted with a new wizard called Initial Configuration Tasks. When you closed that wizard, you got your first look at the much-ballyhooed Server Manager.
“This is it,” you may have thought excitedly as you clicked through the roles and features. “From this single screen, they’ve finally integrated all my management consoles into one place. Now, let me right-click at the top and point this thing to manage another server. Uh, wait a minute …”
You know what happened next. That was when you realized the first release of Server Manager wasn’t a solution for remote administration. In all fairness, prior to the release of Windows Server 2008, Microsoft announced that it wasn’t going to be a solution for remote administration. Still, most of us still found ourselves stunned as we realized the Server Manager remote functionality eally wasn’t there.
Thankfully, Microsoft listens to its customers. That remote functionality eventually arrived with Microsoft Windows Server 2008 R2. With the now-current OS, right-clicking the top-level node in Server Manager exposes a new context menu item called “Connect to Another Computer.”
Having that new context menu item doesn’t necessarily mean it works right out of the box. Head back to the top-level node in Server Manager. Right-click your server’s name and choose to Connect to Another Computer. You’ll find another surprise. Your first attempt at remotely managing that computer might not work. In its place, you’ll find an error message similar to Figure 1. Getting the Server Manager remote management ready for use requires that you first configure a few settings.
Figure 1 The error message associated with “Connect to Another Computer.”
To understand why these settings are necessary, you have to look at how remote management works under the covers. Part of the Server Manager remote management functionality is provided by Windows PowerShell. Making a configuration change in Server Manager actually executes a Windows PowerShell command in the background. Server Manager provides the interface for these activities, executing the Windows PowerShell commands on your behalf and reporting on their results.
Windows PowerShell is only the mechanism for sending remote commands. To complete the circle, each remote server also needs a service to listen for incoming commands and execute them locally. That service is Windows Remote Management (WinRM), which is neither enabled nor configured by default. You can use Group Policy to turn it on.
Create a new Group Policy Object (GPO) and link it to an Organizational Unit of servers. Then navigate to Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Remote Management | WinRM Service. You’ll find a number of settings, the most important of which is Allow automatic configuration of listeners. This setting turns on WinRM and instructs it to listen for remote management commands.
Figure 2 Allow automatic configuration of listeners.
Once you’ve enabled the configuration page (see Figure 2), you can restrict which hosts are allowed to remotely manage servers by IP range. You’ll want to limit this to the computers of IT staff you trust to perform remote management.
There’s a second GPO setting you’ll need to adjust for environments operating with the Windows Firewall activated. Navigate to Computer Configuration | Policies | Windows Settings | Security Settings | Windows Firewall with Advanced Security. Create three predefined inbound rules that allow traffic from the Remote Event Log Management, Remote Service Management and Windows Firewall Remote Management experiences.
If Group Policy isn’t an option, you can also enable remote management manually within Server Manager. Start by clicking the link titled “Configure Server Manager Remote Management,” and you’ll see a dialog box (see Figure 3). Check the box marked Enable remote management of this server from other computers. You’ll need to check this box on any server you want to manage from somewhere else.
Figure 3 Configure Server Manager Remote Management.
Now you’re ready to start remotely managing other Windows Server 2008 R2 computers. You must first install the tools associated with managing remote roles, role services and features to the local computer from the Remote Server Administration Tools feature. There are certain tasks you can’t do using Server Manager remote management. These include:
Performing remote management with Windows Remote Management (WinRM) might require a bit more setup, but you’ll end up with a better architecture for remote server management. Why? At its core, WinRM is designed to manage Windows Servers across a minimum of network ports. It communicates using only the HTTP protocol over a single port: TCP/5985. That single port and protocol combination eliminates many of the network security problems attributed to the remote procedure call (RPC)-based tools of the past.
Managing servers via RPC, as you’re probably aware, requires you to open a significant range of ports into every Windows server. That’s not good for security. WinRM, on the other hand, provides a mechanism to manage your servers via a single and well-guarded network entry point. Locking it down to a small range of trusted source IP addresses further protects servers from would-be attackers.
Reducing remote management to a single port also helps when the servers you’re managing are on the other side of a firewall. Using WinRM, you can remotely manage servers in network perimeters or other protected networks without significantly exposing them to attack.
Today’s Server Manager remote management may still be a bit limited in what it can accomplish over the network. However, the move to WinRM and Windows PowerShell as the protocol and shell of choice signals that Microsoft is moving in the right direction.
Who knows—someday soon we might be rid of RPC-based management forever. Now that’s a day I would absolutely want to remember.
Greg Shields, MVP, is a partner at Concentrated Technology. Get more of Shields’ Jack-of-all-trades tips and tricks at ConcentratedTech.com.