Jan 28 2024 04:30 PM - edited Jan 28 2024 06:50 PM
Warning: Installing Windows Admin Center on a DC is NOT recommended because of these problems:
- The installer may modify your security settings (in WinRM, Registries, etc.)
- It leaves an open port for connections, which is not good
- WAC always lets the first connection be installed on the machine. In this case, it is your DC. Once someone can access the portal, the attacker can easily attack the whole Active Directory site.
As you know, we CANNOT INSTALL Windows Admin Center on a Domain Controller easily. As Microsoft claimed:
Installing Windows Admin Center on a Domain controller is not supported. Read more about domain controller security best practices.
However, in some cases, deploying Windows Admin Center is necessary for managing servers with less effort. If you're testing your domain controller with Windows Server Insider, WAC makes it much easier to control your Active Directory Domain Services.
Windows Admin Center is bundled as an .msi file. It's kinda easy to open and modify it with some tools. It turns out the code that blocks the installation is as simple as this:
Installed OR (MsiNTProductType <> 2) OR (INSTALLATION_TYPE ~= "AzureVmExtension")
Where `MsiNTProductType <> 2` means the launch condition mustn't run on Windows NT Type 2.
Following this instruction, I could easily figure it out. Then I modified the condition into this:
Installed OR (MsiNTProductType >= 1) OR (INSTALLATION_TYPE ~= "AzureVmExtension")
Save the MSI, then move it into the Domain Controller and install it.
The modernized gateway is much better, with no installation restriction at first. However, as I mentioned earlier, WAC is not fully supported on a Domain Controller, so it wasn't properly installed. Whenever I tried to install it onto my DC, I always received the same error messages:
XXXX/XX/XX XX:XX:XX Level=ERROR ExitCode=1 Message=Register-WACLocalCredSSP: Failed to register CredSSP session configuration.
XXXX/XX/XX XX:XX:XX Level=ERROR ExitCode=1 Message=Enable-WACPSRemoting: Failed to configure PowerShell Remoting. Error: Access is denied.
Tracing the installation procedure, I figured out that Register-WACLocalCredSSP and Enable-WACPSRemoting come from this file:
C:\Program Files\WindowsAdminCenter\PowerShellModules\Microsoft.WindowsAdminCenter.Configuration\Microsoft.WindowsAdminCenter.Configuration.psm1
I modified a few lines of it, then ran it, then started the Windows Admin Center.
Import-Module .\Microsoft.WindowsAdminCenter.Configuration.psm1
Enable-WACPSRemoting
Register-WACLocalCredSSP
And, IT WORKS!
No worries, I have updated everything in this GitHub repo. You can try the old modified WAC, or download the modified script for private use. You're welcome~
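
A defender-side check for the situation described in this post, as an added example that is not part of the original post or of Windows Admin Center: it reports whether the host is a domain controller, whether an MSI still carries a valid Authenticode signature (editing the launch condition breaks it), and whether the WAC install directory quoted in the post is present. `$MsiPath` is a hypothetical path; run it elevated so `Get-PSSessionConfiguration` can read the registered configurations.

```powershell
# Added example, not from the original post. $MsiPath is a hypothetical location.
param(
    [string]$MsiPath = 'C:\Temp\WindowsAdminCenter.msi',
    [string]$WacDir  = 'C:\Program Files\WindowsAdminCenter'  # install path quoted in the post
)

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
$productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
$isDc = ($productType -eq 2)

# Editing the LaunchCondition table changes the package contents, so a modified
# MSI no longer verifies against the publisher's Authenticode signature.
$sigStatus = 'FileNotFound'
$signer    = $null
if (Test-Path -LiteralPath $MsiPath -PathType Leaf) {
    $sig       = Get-AuthenticodeSignature -LiteralPath $MsiPath
    $sigStatus = [string]$sig.Status
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
}

$wacPresent = Test-Path -LiteralPath $WacDir -PathType Container

# Session configurations registered for PowerShell remoting (needs elevation);
# the installer errors in the post come from registering one of these.
$sessionConfigs = @(Get-PSSessionConfiguration -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name)

$report = [pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    ProductType        = $productType
    IsDomainController = $isDc
    MsiSignatureStatus = $sigStatus
    MsiSigner          = $signer
    WacDirectoryFound  = $wacPresent
    SessionConfigs     = $sessionConfigs -join ', '
}
$report | Format-List

if ($sigStatus -notin 'Valid', 'FileNotFound') {
    Write-Warning ('MSI signature status is {0}; the file does not verify as a signed original.' -f $sigStatus)
}
if ($isDc -and $wacPresent) {
    Write-Warning 'Windows Admin Center directory found on a domain controller (unsupported).'
}
```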
Mar 11 2024 12:16 AM
Mar 17 2024 08:45 AM - edited Mar 17 2024 08:45 AM
Thanks for your response.