Windows Admin Center (formerly Project Honolulu) is one of the essential tools for managing Windows Server infrastructure and IaaS in general. However, it seems that WAC cannot be installed on a Domain Controller, as Microsoft claims:
Why is installing Windows Admin Center on a Domain Controller essential?
Windows Admin Center isn't just a suitable tool for managing gateways, especially domain controllers. It helps reduce management costs and keeps maintenance time minimal, which helps a lot in small and medium businesses, which typically don't have many servers for running services.
For me, and maybe hundreds of people out there who think the same way, installing Windows Admin Center rather than other tools is the best way to solve not only cost problems but also technical problems.
Current installation and security problem
In v1 (?) and Windows Admin Center (Modernized Gateway)
Basically, all installation problems are already covered in my original post on Microsoft Tech Community about how to install WAC on a Domain Controller.
:warning: Warning
Installing my modified WAC installer means you accept the risk of opening the port that serves Windows Admin Center. Please proceed with great caution.
Problems with the open port and configuration in Windows Admin Center (Modernized Gateway)
In my suggestion, there are many ways to mitigate the risk of opening the WAC serving port, including:
Using Windows Admin Center policies for the Domain Controller. You can specify which computers are allowed to access it and which are not. If a computer is not allowed, the sign-in page is not displayed; instead, the browser returns something like this: This site can’t be reached
Forcing HTTPS and certificate authentication for both the Web and WinRM services. Even if the computer is allowed, if the currently signed-in user is not on the whitelist, that user still cannot access it, and the browser, or even a port check, returns the same thing: This site can’t be reached or Port is not open. (Maybe the default configuration is "Only Domain Admins and Enterprise Admins are allowed"?)
The normal WAC sign-in on a non-DC may remain the same as in previous versions, but on a Domain Controller, instead of entering a username and password, the user needs to provide a security key (hardware) or smart card (software), or both (depending on the organization's configuration). The first configuration must be done on localhost:<port>, and then the promoted admin can add other admins.
Double-check when connecting to devices: even when you're on the Windows Admin Center main page/portal, you're still required to re-enter your credentials.
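For the first two suggestions above (restricting which computers can reach the port, and forcing WinRM onto HTTPS with certificate authentication), here is a PowerShell script that implements them on the gateway host. It is an added example, not part of the original post and not Microsoft's or the WAC installer's own code. The WAC port, the admin subnet and the certificate subject are assumptions; it also assumes the host already has a server-authentication certificate with a private key in LocalMachine\My.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): scope the WAC gateway port to an
# admin subnet and move WinRM to HTTPS only. Everything below is an assumption
# about the environment and must be adjusted before use.
$WacPort     = 443                                         # assumption: port chosen at WAC install
$AdminSubnet = '10.10.50.0/24'                             # assumption: management-workstation VLAN
$CertSubject = "CN=$env:COMPUTERNAME.$env:USERDNSDOMAIN"   # assumption: subject of the DC's server cert

# Ports that must only be reachable from the admin subnet: the WAC gateway
# itself and WinRM over HTTPS (5986), which WAC uses to manage the host.
$ScopedPorts = @{
    'WAC Gateway (admin subnet only)' = $WacPort
    'WinRM HTTPS (admin subnet only)' = 5986
}

foreach ($entry in $ScopedPorts.GetEnumerator()) {
    $ruleName = $entry.Key
    $port     = $entry.Value

    # 1. Create or update an inbound allow rule limited to the admin subnet
    #    and to the Domain firewall profile.
    $existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if ($existing) {
        Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress $AdminSubnet -Enabled True
    } else {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $port -RemoteAddress $AdminSubnet -Profile Domain -Action Allow | Out-Null
    }

    # 2. A scoped allow rule is useless if another inbound allow rule opens the
    #    same port to Any; report those so the admin can disable them.
    $broader = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $port } |
        Get-NetFirewallRule |
        Where-Object { $_.DisplayName -ne $ruleName -and $_.Direction -eq 'Inbound' -and
                       $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
    foreach ($rule in $broader) {
        Write-Warning "Port $port is also opened by enabled rule '$($rule.DisplayName)'; review or run Disable-NetFirewallRule on it."
    }
}

# 3. WinRM: drop the plaintext HTTP listener, make sure an HTTPS listener exists,
#    refuse unencrypted traffic and enable certificate-based authentication.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$CertSubject' and a private key in LocalMachine\My." }

$listeners = Get-ChildItem WSMan:\localhost\Listener
$listeners | Where-Object { $_.Keys -contains 'Transport=HTTP' } | Remove-Item -Recurse -Force
if (-not ($listeners | Where-Object { $_.Keys -contains 'Transport=HTTPS' })) {
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -CertificateThumbprint $cert.Thumbprint -Force | Out-Null
}
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item WSMan:\localhost\Service\Auth\Basic       -Value $false
Set-Item WSMan:\localhost\Service\Auth\Certificate -Value $true

# 4. Show the resulting state so it can be checked against the intent.
Get-NetFirewallRule -DisplayName ($ScopedPorts.Keys) |
    Get-NetFirewallAddressFilter | Select-Object InstanceID, RemoteAddress
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys
Get-Item WSMan:\localhost\Service\AllowUnencrypted, WSMan:\localhost\Service\Auth\Certificate

# To verify from the client side (run on the workstations, not here):
#   Test-NetConnection -ComputerName <gateway FQDN> -Port $WacPort
# TcpTestSucceeded should be True from the admin subnet and False from any other
# host, which matches the "This site can't be reached" behaviour described above.
```

The firewall rule only restricts the port if no other enabled inbound rule opens it more broadly, which is why the script reports such rules instead of assuming the scoped rule wins; and the WinRM changes apply to the host's own WinRM service, so the WAC gateway must be configured to connect to managed servers over HTTPS as well.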
Conclusion
I understand that this topic may be challenging for those in the Microsoft and cyber-security fields, but I am here to help us find a solution.
Hope @trungtran-msft will find a better way to solve this for me and other Microsoft customers. I don't want to buy/subscribe to 3rd-party software anymore.
Although Azure Arc is a good tool, it is not as powerful as on-premises tools.😊