Active Directory comprehensive guide, from installation and configuration to security auditing. Part 3: Windows Server 2022 and Windows Server Core 2022 configuration tools
Before moving on to deploying Active Directory, let's take a look at the Windows server configuration tools. New features are now available that are especially useful for setting up a server without a graphical interface, since they greatly facilitate this process – now, instead of entering commands, a few clicks in the web interface are enough. For a server with a graphical interface, this can also be useful – a systematic interface, easy connection, remote administration.
You do not need to repeat all the settings shown in this section. At the stage of preparing to install Active Directory, we need the computers joined to the Windows Domain to have static IP addresses and short names. We will return to setting up static IP addresses on the router and workstations in the next part. In this part, it is important for you to get an idea of which tools you can use to manage the server and which tool to use when you need to configure or check the current state.
Windows Admin Center is a lightweight browser-based GUI platform and toolkit for IT administrators to manage Windows Server and Windows 10. It is the next step in the evolution of familiar built-in administration tools such as Server Manager and Management Console (MMC), providing an improved, more comfortable, integrated and safer working environment.
Windows Admin Center is free to use with a paid Windows license. Windows Admin Center (available as a separate download) can be used with valid Windows Server or Windows 10 licenses at no additional cost. Its use is governed by the Windows Supplemental License Agreement.
Windows Admin Center is powered by PowerShell: it is essentially a graphical interface for generating PowerShell commands.
Windows Admin Center is optimized for Windows Server 2019 and 2022 to enable key themes in the Windows Server 2019 and 2022 release: hybrid cloud scenarios and hyper-converged infrastructure management in particular. Although Windows Admin Center will work best with Windows Server 2019 and 2022, it supports managing a variety of versions that customers already use: Windows Server 2012 and newer are fully supported. There is also limited functionality for managing Windows Server 2008 R2.
Although Windows Admin Center can manage many common scenarios, it doesn't completely replace all traditional Microsoft Management Console (MMC) tools. For a detailed look at what tools are included with Windows Admin Center, read more about managing servers in our documentation. Windows Admin Center has the following key capabilities in its Server Manager solution:
- Displaying resources and resource utilization
- Certificate Management
- Managing Devices
- Event Viewer
- File Explorer
- Firewall Management
- Managing Installed Apps
- Configuring Local Users and Groups
- Network Settings
- Viewing/Ending Processes and Creating Process Dumps
- Registry Editing
- Managing Scheduled tasks
- Managing Windows Services
- Enabling/Disabling Roles and Features
- Managing Hyper-V VMs and Virtual Switches
- Managing Storage
- Managing Storage Replica
- Managing Windows Updates
- PowerShell console
- Remote Desktop connection
Windows Admin Center also provides these solutions:
- Computer Management – Provides a subset of the Server Manager features for managing Windows 10 client PCs
- Failover Cluster Manager – Provides support for ongoing management of failover clusters and cluster resources
- Hyper-Converged Cluster Manager – Provides an all-new experience tailored for Storage Spaces Direct and Hyper-V. It features the Dashboard and emphasizes charts and alerts for monitoring.
Windows Admin Center is complementary to and does not replace RSAT (Remote Server Administration Tools) since roles such as Active Directory, DHCP, DNS, IIS do not yet have equivalent management capabilities surfaced in Windows Admin Center.
Windows Admin Center can be installed on Windows 10 (version 1709 or later) running in desktop mode. Windows Admin Center can also be installed on a server running Windows Server 2016 and later in gateway mode, and then accessed through a web browser from a Windows 10 computer.
Windows Admin Center uses PowerShell at the system level, and you can take a look at the scripts it uses. Showscript was added in Windows Admin Center Evaluation 1806 and is now part of the public channel.
The Windows Admin Center platform does not require Internet access and Microsoft Azure. Windows Admin Center can manage Windows Server and Windows instances anywhere: on physical systems, in virtual machines on any hypervisor, or in the cloud. While integration with various Azure services will be added over time, these will be additional features that will not be required to work with Windows Admin Center.
Official page of the program: https://aka.ms/WindowsAdminCenter
Windows Admin Center can be installed on a server computer or workstation. In this example, I will be doing the installation on Windows 10.
There are two versions of Windows Admin Center:
- Windows Admin Center – the stable version, which is updated less often
- Evaluation version of Windows Admin Center – like a beta version
By default, it is suggested to download the trial version from the page https://www.microsoft.com/evalcenter/evaluate-windows-admin-center
On this download page, you must enter information about yourself.
You can download the stable version from the direct link: https://aka.ms/wacdownload
From the documentation, you might think that the stable version is older, but this is not the case. At the time of this writing, the documentation says that the stable version is 1910, and the preview version (judging by the changelog) is version 2103. But in fact, 2103.2 is downloaded as the stable version.
Download the file and run it with a double click.
Windows Admin Center sends diagnostic data in any case. Here you can choose how much information you want to send: the first option sends less, the second sends more.
This window is informational and tells us about usage scenarios: https://aka.ms/WindowsAdminCenter-install
Select the desired settings (I added creating a shortcut on the desktop):
We are warned that the first time we start, we will definitely need to select the certificate used to encrypt connections.
Start Windows Admin Center:
A web browser window will open with the address https://localhost:6516/
If there are updates for components, the program will install them. You may need to restart Windows Admin Center after updates.
You will see a list of computers available for connection. By default, only the local computer is available. Click on this connection.
You will see a tab with an overview of this computer.
To manage your local computer, go to the appropriate tab on the left side.
The following sections are available:
- Apps & features
- Azure Monitor
- Azure Security Center
- Files & file sharing
- Local users & groups
- Performance Monitor
- Scheduled tasks
Local user and group management tab:
Setting up shared access to a network folder:
Pay attention to the “View PowerShell Scripts” button (this is the Showscript function mentioned earlier):
When you press it, you can select the function of this section that interests you and the code used to perform actions will be shown. This can help you get started learning PowerShell and become familiar with specific command examples for in-demand Windows System Administration steps in PowerShell.
To shut down or restart your computer in Windows Admin Center, go to the Overview tab and click Restart or Shutdown.
Setting up a local computer is not the main advantage of Windows Admin Center. The key function is to connect and control a remote computer.
In the previous part, we installed Windows Server without a GUI. We did not configure the server, we limited ourselves to changing the computer name. The server may need to set a static IP address, perform system updates, assign a role, and perform other tasks. Let's take a look at how to do all this in Windows Admin Center.
Note that although this example uses a server without a graphical desktop, you can also connect Windows Admin Center to a server with a graphical desktop if Windows Admin Center is more comfortable for you than the standard server interface.
So, in Windows Admin Center, go to the “All connections” section (home page) and click the “Add” button:
You can choose from several options, for example:
- Windows PCs
- Server clusters
- Azure VMs
I am connecting to the server, so I select the appropriate option.
I enter the server name “test-server” and wait for it to be found:
The bottom line is that you need to choose one of two options:
- Use the credentials of this computer on the remote server (if the username and password match)
- Specify the server administrator username and password for connection
Please note that depending on the server language, the administrator name is different, for example:
When the server is found, select one of the options:
- Add with credentials – that is, the connection to this server will be saved along with the username and password
- Add – connection to this server will be saved without username and password
Now, to connect to the server, just click on its name:
Please note that the set of sections is different for the server and for the workstation:
- Azure hybrid center
- Azure Kubernetes Service
- Active Directory
- Azure Backup
- Azure File Sync
- Azure Monitor
- Azure Security Center
- Files & file sharing
- Installed apps
- Local users & groups
- Performance Monitor
- Remote Desktop
- Roles & features
- Scheduled tasks
- Storage Migration Service
- Storage Replica
- System Insights
Items in bold are server-specific. In turn, the section “Apps & features” is additionally available for the workstation.
On the “Updates” tab, you can view server updates and select which ones to install:
On the “Networks” tab, you can view the properties of network adapters and configure them. For example, here you can set a static IP address for a server without a GUI.
If you want to change the server name, workgroup or domain, then go to the “Overview” tab → “Edit computer ID”:
In the “Registry” section, you can edit the registry of the remote computer:
For our purposes (remember, we are deploying Active Directory), the “Roles and Features” tab is especially important. Here we can set the server roles. We will return to this tab in the next part of this guide.
So, the Windows Admin Center utility is lightweight and works in modern browsers. It makes it easier to connect to remote computers and allows you to manage servers and workstations in the web interface.
However, sometimes you need to configure your computer at the command line – that's the topic of the next section.
Some actions, such as renaming a computer, joining a domain or changing a workgroup, installing updates, changing network adapter settings, adding a local administrator, restarting and shutting down the server, can be done using the SConfig utility that is loaded with the server.
SConfig is a command line server management utility that comes preinstalled with Windows Server and runs automatically when the server is turned on.
1) Domain/workgroup – join a computer to a domain/workgroup
2) Computer name – change the computer name
3) Add local administrator
4) Remote management: Enabled
5) Update setting: Download only
6) Install updates
7) Remote desktop: Disabled
8) Network settings
9) Date and time
10) Telemetry setting: Required
11) Windows activation
12) Log off user
13) Restart server
14) Shut down server
15) Exit to command line (PowerShell)
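The menu shows the state of remote management and Remote Desktop at a glance; the same kind of state can be read from PowerShell when you want to check it on several servers or record it. The following is an added example, not part of the original article: the function name Get-RemoteAccessPosture is hypothetical, and it assumes an elevated PowerShell session on the server being checked.

```powershell
# Added example (not from the original article).
# Get-RemoteAccessPosture is a hypothetical helper name.
function Get-RemoteAccessPosture {
    # WinRM is the transport used by PowerShell remoting and Windows Admin Center.
    $winrm = Get-Service -Name WinRM
    $listeners = @()
    if ($winrm.Status -eq 'Running') {
        # Listeners can only be enumerated while the service is running.
        $listeners = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
            ForEach-Object { '{0}:{1} on {2}' -f $_.Transport, $_.Port, $_.Address })
    }

    # Remote Desktop: fDenyTSConnections = 0 means connections are allowed.
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
    # UserAuthentication = 1 means Network Level Authentication is required.
    $nla = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp").UserAuthentication -eq 1

    # Members of the local Administrators group, looked up by its well-known SID
    # so the check does not depend on the (localized) group name.
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
        ForEach-Object { '{0} ({1})' -f $_.Name, $_.PrincipalSource })

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        WinRMService        = $winrm.Status
        WinRMStartType      = $winrm.StartType
        WinRMListeners      = $listeners
        RdpEnabled          = $rdp
        RdpRequiresNla      = $nla
        LocalAdministrators = $admins
    }
}

Get-RemoteAccessPosture | Format-List
```

Compare the output with what you intended when choosing options 3, 4 and 7 in the menu: an unexpected member of the local Administrators group or an enabled Remote Desktop you did not ask for is worth investigating before the server is promoted to a domain controller.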
If you want to disable SConfig autoloading at login, select option “15) Exit to command line (PowerShell)” and run the command in the command line:
Set-SConfig -AutoLaunch $false
If you closed or removed SConfig from startup, but want to start this program again, then at the command line, enter:
An example of renaming a computer in SConfig is shown in the previous part. Let's see how to set a static IP address in SConfig.
Select the eighth option (“Network settings”):
A list of network adapters in the system will be displayed, select the one that you want to configure, for this enter its index (value from the first column):
At the next step, we are asked to choose from three actions:
1) Set network adapter address
2) Set DNS servers
3) Clear DNS server settings
We select the first action:
To select automatic IP address assignment (DHCP) enter “D”; to select a static IP address setting, enter “S”.
Enter the desired IP address or leave blank to cancel.
Enter the subnet mask, you can just press Enter to set the suggested mask (255.255.255.0).
Enter the default gateway.
After entering, the specified settings will be applied immediately. Information about this will be displayed on the screen. Press Enter to continue.
In the same way, you can set the DNS server settings:
Let's take a look at a few PowerShell commands for configuring and managing a server. They can be performed both directly while sitting in front of the computer, and remotely.
These examples do not mean that you need to configure a static IP this way. For example, you can assign static IP addresses to computers in the router settings (this is the approach that will be used in the next part). If the router uses DHCP (automatic configuration of network devices with the assignment of IP addresses), then when setting a static IP, you must select an IP that is not included in the DHCP range.
The following command will give the server a new name (server-core-1) and reboot it for the changes to take effect:
Rename-Computer -NewName server-core-1 -Restart
Typically, a server needs a static IP address. Along with the address, you need to set the subnet mask, gateway and DNS server address.
To configure a network interface, you need to find out its index:
You can use the following command to present information more conveniently:
Get-NetIPAddress | Format-Table
The screenshot shows that the network interface we are interested in has the index “6”. It is the only one that is a real interface, the rest are software (virtual) pseudo interfaces.
Additionally, you can sort by interface index number:
Get-NetIPAddress | Sort-Object -Property InterfaceIndex | Format-Table
As an example, the server will be assigned the IP address 192.168.1.3, the subnet mask 255.255.255.0 (/24) and the gateway 192.168.1.1. Please note that you must understand in advance how your network works and know which IP addresses are available.
The following command will assign the server, that is, the network interface with the specified index, an IP address, mask and gateway:
New-NetIPAddress -InterfaceIndex 6 -IPAddress 192.168.1.3 -PrefixLength 24 -DefaultGateway 192.168.1.1
Note that the New-NetIPAddress cmdlet will only work correctly when changing from a dynamic (DHCP) to a static IP address. When changing an existing static IP address and other network settings using New-NetIPAddress, you will encounter an error. You need to start by removing the old settings. For details, see the article “How to set IP address, netmask, default gateway and DNS for a network interface in PowerShell”.
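One way to handle the case described above, where the interface already has a static configuration (an added example, not code from the original article): the hypothetical helper Set-StaticIPv4 removes the existing IPv4 addresses and the old default route before calling New-NetIPAddress. The interface index and addresses in the final call are the article's example values; run it from the local console, because the connection drops if you reconfigure the interface you are connected through.

```powershell
# Added example (not from the original article).
# Set-StaticIPv4 is a hypothetical helper name. Requires an elevated session.
function Set-StaticIPv4 {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][int]$InterfaceIndex,
        [Parameter(Mandatory)][ipaddress]$IPAddress,
        [Parameter(Mandatory)][ValidateRange(1, 32)][int]$PrefixLength,
        [Parameter(Mandatory)][ipaddress]$DefaultGateway
    )

    # Fail early if the index does not exist (indexes differ between machines).
    $null = Get-NetAdapter -InterfaceIndex $InterfaceIndex -ErrorAction Stop

    $target = "interface $InterfaceIndex"
    if (-not $PSCmdlet.ShouldProcess($target, "set $IPAddress/$PrefixLength")) { return }

    # Stop DHCP from handing the interface a new lease while we work.
    Set-NetIPInterface -InterfaceIndex $InterfaceIndex -AddressFamily IPv4 -Dhcp Disabled

    # Remove the IPv4 addresses that are already configured; these leftovers
    # are what make New-NetIPAddress fail on an already static interface.
    Get-NetIPAddress -InterfaceIndex $InterfaceIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false

    # Remove the old default route so the new gateway does not conflict with it.
    Get-NetRoute -InterfaceIndex $InterfaceIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false

    $new = @{
        InterfaceIndex = $InterfaceIndex
        IPAddress      = $IPAddress.ToString()
        PrefixLength   = $PrefixLength
        DefaultGateway = $DefaultGateway.ToString()
    }
    New-NetIPAddress @new | Out-Null

    # Return the resulting configuration so the caller can verify it.
    Get-NetIPConfiguration -InterfaceIndex $InterfaceIndex
}

# The article's example values.
Set-StaticIPv4 -InterfaceIndex 6 -IPAddress 192.168.1.3 -PrefixLength 24 -DefaultGateway 192.168.1.1
```

Because the function supports -WhatIf, you can add that switch to the call to see which interface would be changed without touching the network settings.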
Let's make sure that the settings have been successfully applied:
Get-NetIPAddress | Format-Table
Optionally, you can set the DNS server settings. But these settings will still be rewritten to the IP address of the current server, since it will have the “DNS” role, which is installed together with the “Active Directory Domain Services” role.
If you want to specify one DNS server, then use a command like this:
Set-DnsClientServerAddress -InterfaceIndex INTERFACE_INDEX -ServerAddresses IP_DNS
Use the following syntax to specify two DNS servers:
Set-DnsClientServerAddress -InterfaceIndex INTERFACE_INDEX -ServerAddresses ("IP_DNS_1","IP_DNS_2")
Set-DnsClientServerAddress -InterfaceIndex 6 -ServerAddresses ("184.108.40.206","220.127.116.11")
Check that the server is assigned the correct IP address, subnet mask, gateway and DNS server address using the command:
The server has been assigned the correct IP address, subnet mask, gateway, and DNS server address.
You can restart your computer in PowerShell with the command:
An example of a command to reboot a remote computer with the name Win-Server-Core and the Administrator user:
Restart-Computer -ComputerName Win-Server-Core -Credential Administrator -Force
For details, see the article: How to restart computers in PowerShell
You can turn off the computer in PowerShell with the command:
An example of a command to shutdown a remote computer with the name Win-Server-Core and the Administrator user:
Stop-Computer -ComputerName Win-Server-Core -Credential Administrator -Force
For details, see the article: How to shut down computers in PowerShell