How-to: Administer Active Directory/Windows Server remotely using a privileged account

Complexity rating: 1.5 (level of experience required to follow this how-to). Though this wasn't easy to work out, hopefully the how-to is easy-peasy to follow. You may need to do a little research if your platform differs much from mine (Windows 7/Server 2008).

Oh my, how hard did Microsoft make this?

The scenario: like all good domain administrators, I have a day-to-day non-privileged account for normal access, and a separate domain admin account for use as and when I need it.

The objective: use an MMC (Microsoft Management Console) to administer the domain from my normal workstation, with my domain admin account.

This should be easy, right? Fire up the MMC, type in your domain administrator credentials and you’re away? Wrong. What you actually need to do is something like this. This is to administer AD running on Windows Server 2008 from a Windows 7 workstation:

Step 1: Install Remote Server Administration Tools

Install the Remote Server Administration Tools (RSAT) for the server[s] you intend to administer. For Windows 7, RSAT is a separate download from Microsoft; once it is installed, the individual tools (Active Directory Users and Computers, Server Manager and so on) still have to be switched on under Control Panel –> Programs –> Turn Windows features on or off, or they will not appear. There are some caveats, and you would do well to read the comments on the Technet article about RSAT if you get stuck.

Step 2: Configure WinRM

If you want to manage a server such as Windows Server 2008 remotely (not just Active Directory), you’ll need to configure WinRM (Windows Remote Management) on the remote server. Until you do, your attempts to connect may result in error messages like “Server Manager cannot connect to Server1. Click Retry to try to connect again”. Certainly, this is what happened for me:

[Screenshot: Server Manager cannot connect]

On the remote server, in an elevated command prompt:

C:\Users\rob.admin>winrm quickconfig
WinRM already is set up to receive requests on this machine.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:

Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
Enable the WinRM firewall exception.

Make these changes [y/n]? y

WinRM has been updated for remote management.

Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP
on this machine. WinRM firewall exception enabled.


That alone might not be enough. The next hurdle I encountered was similar, but this time the issue concerned the WS-Management catalog. The catalog is simply WinRM's list of the resource URIs it knows how to serve, so the error below means that the server's WinRM does not recognise what the Windows 7 Server Manager is asking it for:

[Screenshot: The resource URI was not found in the WS-Management catalog]

For Windows Server 2008, you also need to install a feature called “WinRM IIS Extension”. In Server Manager –> Add Features:

[Screenshot: Add WinRM IIS extension]

This feature installation takes forever (well, a quarter of an hour, for me). Why? Who knows.

You still might not be able to connect to a Server 2008 box after this. Try installing version 3 of the Windows Management Framework (WMF 3.0), which brings WinRM 3.0 and PowerShell 3.0; it is a free download from Microsoft. Note the prerequisites: Service Pack 2 of Windows Server 2008, the previous Windows Management Framework (WMF 2.0, which gives you PowerShell 2.0) and .NET Framework 4. Read the WMF 3.0 release notes before installing it on a server that runs anything besides AD: some server products of that era (Exchange 2007 and 2010 among them) did not support it.

If you still can't connect, shrug your shoulders and accept that remote management is one of the things Microsoft improved dramatically in R2 of Server 2008. You will still be able to use many MMC snap-ins (the Active Directory ones talk to the domain controllers over LDAP and RPC rather than WinRM), but some, like the Server Manager snap-in, ironically, will just fail.
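The checks below are an added example, not from the original post, of what a practitioner would run once quickconfig has done its thing. The first part, run in an elevated PowerShell on the server, lists the listener quickconfig created, confirms that the service still refuses unencrypted and Basic-authenticated requests (the plain HTTP listener is only acceptable because Kerberos/Negotiate encrypt the message bodies), and narrows the firewall exception, which quickconfig opens to any source address, to the admin workstation. The second part, run on the Windows 7 box, tests the connection first without credentials and then as the admin account, which separates transport problems from account problems. The names Server1, 10.0.0.20 and rob.admin@corp.example, and the firewall rule name, are assumptions.

```powershell
# Added example, not from the original post. Part 1 runs in an elevated PowerShell
# on the Server 2008 box after "winrm quickconfig"; Part 2 runs on the Windows 7
# workstation. Assumed names: server "Server1", admin workstation IP 10.0.0.20,
# domain admin account "rob.admin@corp.example".

# ---- Part 1: on the server ---------------------------------------------------

# What quickconfig created: expect one listener with Address=* and Transport=HTTP,
# i.e. WinRM now answers on every interface of the machine.
winrm enumerate winrm/config/listener

# Kerberos/Negotiate encrypt the message bodies even on the HTTP listener, but
# only as long as the service refuses unencrypted requests and Basic auth is off.
# Warn if either has been loosened since the box was built.
$unencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
$basic       = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
if ($unencrypted -eq 'true') { Write-Warning 'Service accepts unencrypted WS-Man traffic' }
if ($basic -eq 'true')       { Write-Warning 'Basic authentication is enabled on the service' }

# Enforce the safe values (these are the defaults, so this is idempotent).
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item WSMan:\localhost\Service\Auth\Basic       -Value $false

# The quickconfig firewall exception allows any source address. Scope it to the
# admin workstation. The rule name is assumed to be the one quickconfig creates;
# confirm it with: netsh advfirewall firewall show rule name=all | findstr /i "remote management"
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new remoteip=10.0.0.20

# ---- Part 2: on the workstation ----------------------------------------------

# Identify the service first (no credentials needed): a reply proves the listener
# and the firewall exception are in place.
Test-WSMan -ComputerName Server1

# Then authenticate as the admin account. "Access is denied" here means WinRM is
# fine and the problem is the account; a transport error points back to Part 1.
$cred = Get-Credential -Credential 'rob.admin@corp.example'
Test-WSMan -ComputerName Server1 -Authentication Default -Credential $cred
```

If Part 1 passes but Part 2 fails with a resource URI error, the server is still missing the WinRM IIS Extension or WMF 3.0 described above; the listener itself is not the problem.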

Step 3: Create your MMC

I’ll just use a simple example here. First: Start –> Run –> mmc.

Within the console, Add/Remove Snap-in:

[Screenshot: Add/Remove Snap-in]

Choose your desired snap-in (e.g. AD Users and Computers):

[Screenshot: Choose desired snap-in]

Click “Add >”. The snap-in will appear on the right. Continue for all the snap-ins you’ll want to use, then click “OK”.

Save your custom MMC. Put it somewhere you can write to without elevation, i.e. under your own profile rather than the root of your C: drive, C:\Windows or C:\Program Files, or you will be hit by UAC problems. Keeping it in your own profile also means nobody else can alter it, which matters because whatever the console file says to load will be loaded under your admin credentials.

Step 4: Create a shortcut to your MMC

Don't open the .msc directly: it would run under your ordinary account, and the domain snap-ins would simply be denied. Create a shortcut instead. You can put this shortcut on your Desktop, or wherever you like. So, for example, right-click the Desktop and click New –> Shortcut.

You need to specify the shortcut as C:\Windows\System32\runas.exe /netonly /user:your-domain-admin-user@your-domain "mmc C:\Path\To\MMC\DomainAdmin.msc":

[Screenshot: Create shortcut]

The /netonly switch is the key. It does not log you on as the domain admin locally: mmc runs with your ordinary logged-on token, and the supplied credentials are used only when it authenticates to domain controllers and servers over the network. Two consequences follow. The password is not checked when the shortcut starts, so a typo only surfaces later as "access denied"; and any local file or registry access the console performs is still done as your normal account.

Having created your shortcut, set it always to run as Administrator. Right-click –> Properties –> Advanced. This elevates runas.exe itself, which is where the UAC prompt in the next step comes from, and mmc inherits that elevated local token, so snap-ins that also need local administrator rights on the workstation will work:

[Screenshot: Run shortcut elevated]

Step 5: Run the shortcut

When you run the shortcut, you should now see a UAC prompt and after that a command prompt, asking you for your domain admin password:

[Screenshot: Credentials prompt]

For me, it’s not instant, but eventually, the MMC loads and runs as intended:

[Screenshot: MMC running]
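As an added example (not from the original post), steps 3 to 5 can be scripted on the workstation in PowerShell: the script creates the runas /netonly shortcut and then sets the "Run as administrator" flag, which the WScript.Shell COM object cannot set, by flipping the RunAsUser bit in the .lnk header. The console path C:\Users\rob\Admin\DomainAdmin.msc and the account rob.admin@corp.example are assumptions; change both to match your own.

```powershell
# Added example, not from the original post. Builds the Step 4 shortcut on the
# Windows 7 workstation and sets its "Run as administrator" flag. Assumed values:
# the console was saved as C:\Users\rob\Admin\DomainAdmin.msc and the admin
# account is rob.admin@corp.example.

$Msc      = 'C:\Users\rob\Admin\DomainAdmin.msc'   # assumed; keep the path free of spaces
$AdminUpn = 'rob.admin@corp.example'               # assumed
$Lnk      = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Domain Admin MMC.lnk'

if (-not (Test-Path $Msc)) { throw "Console not found: $Msc" }

$shell = New-Object -ComObject WScript.Shell
$sc    = $shell.CreateShortcut($Lnk)
$sc.TargetPath = "$env:SystemRoot\System32\runas.exe"
# /netonly: mmc keeps your ordinary local token; the admin credentials are used
# only when it authenticates to domain controllers and member servers.
$sc.Arguments        = "/netonly /user:$AdminUpn `"mmc $Msc`""
$sc.WorkingDirectory = Split-Path -Parent $Msc
$sc.IconLocation     = "$env:SystemRoot\System32\mmc.exe,0"
$sc.Save()

# "Run as administrator" is the RunAsUser bit (0x2000) of the LinkFlags field in
# the .lnk header, i.e. bit 0x20 of byte 0x15. Setting it is what produces the
# UAC prompt in Step 5 and lets mmc inherit an elevated local token.
$bytes = [IO.File]::ReadAllBytes($Lnk)
$bytes[0x15] = [byte]($bytes[0x15] -bor 0x20)
[IO.File]::WriteAllBytes($Lnk, $bytes)

Write-Host "Created $Lnk"
Write-Host "To see what /netonly does, run this by hand (it prompts for the password):"
Write-Host "  runas /netonly /user:$AdminUpn `"powershell -NoExit -Command whoami`""
Write-Host "  whoami still prints your ordinary account: the local token is unchanged,"
Write-Host "  only network authentication goes out as $AdminUpn."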

Happy days. No more RDP. 🙂