If you've read any of my prior posts, you know I like to be able to do things without a lot of prep, in a short amount of time. Yes, I like the K.I.S.S principle – Keep It Simple, Stan.
I also enjoy the sense of accomplishment that comes when I can leave work and know that I actually made progress in the pursuit of "the well-managed IT infrastructure."
Like the song by Rush, "One Little Victory," sometimes the small wins turn out to be big.
Well, in this post, I'm going to show you how you can get value/benefits from the Remote Server Administration Tools (RSAT) on Windows Server 2012 or Windows 8.
"Frank, what's an RSAT and should I want one?"
Remote Server Administration Tools includes Server Manager, Microsoft Management Console (MMC) snap-ins, consoles, Windows PowerShell cmdlets and providers, and command-line tools for managing roles and features that run on Windows Server 2012. In limited cases, the tools can be used to manage roles and features that are running on Windows Server 2008 R2 or Windows Server 2008, and some of the tools work for managing roles and features on Windows Server 2003.
- These are 'in-the-box' on a Windows Server 2012 install and available as a free download for Windows 8
- http://www.microsoft.com/en-us/download/details.aspx?id=28972
- See the bottom half of this post for Windows 8 deployment details.
You can do this today.
This afternoon.
Not next week, next month or next year.
No need to wait for SP1 or R2.
No need for Schema extensions.
No Enterprise Admin membership.
No 2012 DCs required.
Of course, there is no free lunch, and there are some requirements:
- For the most bang-for-the-buck in terms of PowerShell 3.0 AD CMDlets, you'll need at least one Windows Server 2008 R2 Domain Controller running the Windows Management Framework 3.0
- For the AD Recycle Bin UI to be of interest, you'll need the AD Recycle Bin enabled - http://technet.microsoft.com/en-us/library/jj574144.aspx#BKMK_EnableRecycleBin
- This can only be enabled after you've enabled Windows Server 2008 R2 Forest Functional Level
- For the Fine Grained Password UI to be of interest, you'll need to be at Windows Server 2008 Domain Functional Level or beyond - http://technet.microsoft.com/en-us/library/cc770842.aspx
- Here's a handy link which lists all the tools in the RSAT pack as well as a "support matrix"
Now that we've covered that, you can get benefits from the new tools of Windows Server 2012 in short order.
I should state clearly and emphatically that you should NOT circumvent established processes and procedures for deploying a new OS/system into your production environment. Hopefully, a base build "design" is a pre-requisite to deployment of a new OS to your production environment.
However, in terms of learning, ramp-up and proof of concepts, you can deploy a Windows Server 2012/Windows 8 system as a member of your domain as easily as any other Windows OS.
So, download the Windows Server 2012/Windows 8 trial or utilize your Microsoft benefits to obtain the install media for the OS and let's get started!
Provision a VM or maybe re-purpose a physical machine and install the OS.
Configure the system and join the system to your dev/test domain – you do have a dev/test environment, right?
Patch it up via Windows Update, WSUS, SCCM or your company's patching mechanisms.
- This is another great aspect for your proof of concept – "How will we patch the new OS?"
Windows Server 2012
When you're ready and you've signed in, open Server Manager and run the "Add Roles and Features" Wizard:
- Click Manage > Add Roles and Features.
- Click Next.
- Verify "Role-based or feature-based installation" is selected and click Next.
- Verify/select your Windows Server 2012 server from the Server Pool and click Next.
- Don't select any option on the "Select server roles" page (we're not adding any Roles). Click Next.
- On the "Select features" page of the Wizard, select 'Group Policy Management' and scroll down to choose any other Remote Server Administration Tools you want and click Next.
- Click Install.
- Click Close to complete the install.
Now, let's discuss a few of the awesome tools you just added and how they can help you manage the infrastructure:
AD CMDlets for PowerShell 3.0
- Don't be late - Automate!
- Folks, if I can be a functional PowerShell technician, ANYONE can
- See Mr. Ashley McGlone's AD PowerShell post for some AD-PoSH Joy
- "Be useful now" examples:
- Find enabled user accounts in AD with passwords set to not expire (and then set out to answer if/why those accounts need passwords that don't expire)
- Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $true} -Properties PasswordNeverExpires | Select-Object SamAccountName,PasswordNeverExpires,Enabled
- Enumerate the membership of your Domain Admins group (and then set out to reduce that membership!)
- Get-ADGroupMember "Domain Admins" -Recursive | Select-Object SamAccountName,Name | Format-Table -AutoSize
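The two "be useful now" queries above can be combined into one read-only audit that shows which enabled, never-expiring accounts are also Domain Admins. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module and a reachable DC, and the report path is a hypothetical name.

```powershell
# Added example: read-only audit, changes nothing in the directory.
# Assumes the ActiveDirectory module installed with RSAT.
Import-Module ActiveDirectory

$reportPath = '.\PasswordNeverExpires.csv'   # hypothetical output path

# SamAccountNames of every user that is a Domain Admin, directly or via nesting.
$domainAdmins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName)

# Enabled accounts whose password never expires; request only the attributes used.
$props = 'PasswordNeverExpires', 'PasswordLastSet', 'LastLogonDate', 'ServicePrincipalName'
$accounts = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' -Properties $props

$report = foreach ($a in $accounts) {
    # PasswordLastSet is empty when a password has never been set.
    $ageDays = if ($a.PasswordLastSet) {
        [int]((Get-Date) - $a.PasswordLastSet).TotalDays
    } else { $null }

    [pscustomobject]@{
        SamAccountName  = $a.SamAccountName
        PasswordAgeDays = $ageDays
        LastLogonDate   = $a.LastLogonDate   # replicated value, can lag by days
        HasSPN          = $a.ServicePrincipalName.Count -gt 0   # usually a service account
        IsDomainAdmin   = $domainAdmins -contains $a.SamAccountName
    }
}

# Privileged accounts first, then oldest passwords, so the riskiest rows lead.
$report |
    Sort-Object @{Expression = 'IsDomainAdmin'; Descending = $true},
                @{Expression = 'PasswordAgeDays'; Descending = $true} |
    Export-Csv -Path $reportPath -NoTypeInformation
```

Rows with IsDomainAdmin and HasSPN both true are the ones to question first: a privileged service account with a password that never changes.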
Server Manager
- Add some servers into the default "All Servers" Server Group (or create your own custom Server Group)
- Right-click "All Servers" and choose "Add servers"
- Multi-select a few servers from the domain and add them in…
- Recall that in Windows Server 2012, remote management is enabled by default.
- On prior OSes, you'll need to enable remote management and also install WinRM or you'll see a message like the one highlighted in blue above (SRV2008R2-01 in the screen shot above)
- Legacy OS management is limited - http://support.microsoft.com/kb/2693643
- See my prior Server Manager Post for more details and links to the updates needed to manage down-level OSes
- Once that's installed/enabled on your down-level systems, refresh your Server Group and voila!
- Below, I have two 2008 R2 machines and the local 2012 machine in my Server Group
- "Be useful now" example:
- Highlight one of the remote servers in the Server Manager console
- Right-click and choose a function targeted to the remote system
AD Administrative Center (ADAC)
- Recycle Bin UI
- What?
- A GUI to ease the recovery of some AD objects such as Users, Groups and OUs - http://technet.microsoft.com/en-us/library/jj574144.aspx#BKMK_EnableRecycleBin
- Where?
- Look for the 'Deleted Items' container under the Domain node object in ADAC.
- If you don't see the container, the AD Recycle Bin feature hasn't been enabled yet or AD replication hasn't carried that change all the way around AD yet.
- Why?
- Who doesn't want to be the AD recovery hero!?
- Fine Grained Password Policy UI
- What?
- A GUI to ease creation and administration of Fine Grained Password Policies - http://technet.microsoft.com/en-us/library/jj574144.aspx#BKMK_FGPP
- Where?
- Look for the 'Password Settings Container' under the 'SYSTEM' container beneath the Domain node object in ADAC.
- Why?
- Bolster the security of your sensitive accounts with longer password lengths, forced complexity and more frequent password changes than your ordinary users.
- "Be useful now" example:
- In ADAC, you can now enable accidental deletion protection on many more objects through the UI.
- This feature has been an "ounce of prevention" from AD disasters due to accidental OU deletions and now the UI is expanded for Users, Computers and Groups
- Check out Jasmin's recent blog post for some more ADAC gems - http://blogs.technet.com/b/askpfeplat/archive/2013/03/19/four-things-i-like-about-active-directory-administrative-center-adac-in-windows-server-2012.aspx
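The settings ADAC exposes for Fine Grained Password Policies and accidental deletion protection can also be checked from PowerShell. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module and an account allowed to read the Password Settings Container.

```powershell
# Added example: read-only checks, changes nothing in the directory.
Import-Module ActiveDirectory

$default = Get-ADDefaultDomainPasswordPolicy

# Effective password policy for each Domain Admin. When no fine-grained policy
# applies, the cmdlet returns nothing and the default domain policy is in effect.
$policyReport = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        $effective = if ($pso) { $pso } else { $default }
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            Policy            = if ($pso) { $pso.Name } else { 'Default domain policy' }
            MinPasswordLength = $effective.MinPasswordLength
            ComplexityEnabled = $effective.ComplexityEnabled
            MaxPasswordAge    = $effective.MaxPasswordAge
        }
    }

# OUs that are still exposed to accidental deletion.
$unprotectedOUs = Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, DistinguishedName

$policyReport   | Sort-Object MinPasswordLength | Format-Table -AutoSize
$unprotectedOUs | Format-Table -AutoSize
```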
Group Policy Management Console
- Check replication status of one specific GPO, or all of them
- 'Push' GPUpdates to all systems in any given OU
- Or, for more granularity, use PowerShell 3.0's GPO CMDlet to invoke a GPUpdate
- Exposes new GPO settings for Windows Server 2012 / Windows 8
- Settings references - http://www.microsoft.com/en-us/download/details.aspx?id=25250
- My GPMC post
- "Be useful now" example:
- Check the replication status of a single GPO
- Open GPMC and drill-down into the Group Policy Objects container in a target Domain
- Select the GPO in question, click the 'Status' tab, click 'Detect Now' and the DCs in the domain will all be checked for the replication status of that specific GPO
Windows 8
You can achieve these same small victories via Windows 8, too, but you'll need to download the Remote Server Administration Tools for Windows 8 before you'll be able to see/use the Tools discussed here.
- Here is an excellent link describing all the Tools and a matrix of OS support for each one
- After you install the RSAT pack on Windows 8, there will be a Tile for Server Manager and one for the Administrative Tools folder on the Start screen.
- You can add shortcuts to your "tools of choice" in a few ways:
- Method 1 – pin the specific tool(s) you want to the Start screen and/or Taskbar
- Click the Administrative Tools Tile
- Right-click the shortcut(s) and select "Pin to Start" or "Pin to Taskbar"
- Also, from the Start screen, you can 'pin' the tool you want to the Taskbar on the Desktop.
- Right-click the Tile and select "Pin to taskbar"
- Method 2 – select the option to "show Administrative tools" on the Start screen
- ** WARNING ** - this will put a lot of Tiles on your Start screen and could be considered by some to be Start screen pollution :)
- From the Start screen, open the Charms bar (WinKey + C or move the mouse to the lower or upper right corner of the screen)
- Select "Settings"
- Then "Tiles"
- Move the slider for "Show administrative tools" to "Yes"
- You'll get them all…
There you have it – useful tools by 4:00 pm. Don't be late for dinner!
Cheers!
Hilde