Installing Windows Admin Center on Domain Controller (Solved)


Warning: Installing Windows Admin Center on a DC is NOT recommended because of these problems:

  1. The installer may modify your security settings (in WinRM, the registry, etc.)
  2. It leaves an open port for connections, which is not good
  3. WAC always lets the first connection be installed on the machine. In this case, it is your DC. Once someone can access the portal, the attacker can easily attack the whole Active Directory site.

Why do we need to install Windows Admin Center on Domain Controller?

 

As you know, we CANNOT INSTALL Windows Admin Center on a Domain Controller easily. As Microsoft claims:

 

Installing Windows Admin Center on a Domain controller is not supported. Read more about domain controller security best practices.
 

However, in some cases, deploying Windows Admin Center is necessary for managing servers with less effort. If you're testing your domain controller with Windows Server Insider, WAC makes it much easier to control your Active Directory Domain Services.

 

On Windows Admin Center (v1?)

 

Windows Admin Center is bundled as an .msi file. It's kinda easy to open and modify it with some tools. Turns out, the code that blocks the installation is as simple as this:

 


 

```
Installed OR (MsiNTProductType <> 2) OR (INSTALLATION_TYPE ~= "AzureVmExtension")
```

 

Where `MsiNTProductType <> 2` means the launch condition mustn't run on Windows NT Type 2.

Following this instruction, I could easily figure it out. Then I modified the condition into this:

 

```
Installed OR (MsiNTProductType >= 1) OR (INSTALLATION_TYPE ~= "AzureVmExtension")
```
 

Save the MSI, then move it into the Domain Controller and install it.

 

On Windows Admin Center (Modernized Gateway)

 

The modernized gateway is much better, with no installation restriction at first. However, as I mentioned earlier, WAC is not fully supported on Domain Controller, so it wasn't properly installed. Whenever I tried to install it onto my DC, I always received the same error messages:

 

```
XXXX/XX/XX XX:XX:XX Level=ERROR ExitCode=1 Message=Register-WACLocalCredSSP: Failed to register CredSSP session configuration.
XXXX/XX/XX XX:XX:XX Level=ERROR ExitCode=1 Message=Enable-WACPSRemoting: Failed to configure PowerShell Remoting. Error: Access is denied.
```
 

Tracing the installation procedure, I figured out that Register-WACLocalCredSSP and Enable-WACPSRemoting are from this file:

 

```
C:\Program Files\WindowsAdminCenter\PowerShellModules\Microsoft.WindowsAdminCenter.Configuration\Microsoft.WindowsAdminCenter.Configuration.psm1
```
 

I modified a few lines of it, then ran it, then started the Windows Admin Center.

 

```
Import-Module .\Microsoft.WindowsAdminCenter.Configuration.psm1
Enable-WACPSRemoting
Register-WACLocalCredSSP
```
 

And, IT WORKS!

 


 

Okay, I don't have a good MSI editor.

 

No worries, I have updated everything in this GitHub repo. You can try the old modified WAC, or download the modified script for private use. You're welcome~
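
For anyone handed a WAC installer from a third party, the following is an added example (not part of the original post or of Windows Admin Center itself) that reads the MSI's LaunchCondition table and checks its Authenticode signature, since editing the MSI database invalidates any signature it carried. `$MsiPath` is a placeholder, and it is an assumption that the official installer is signed and still carries the `MsiNTProductType <> 2` condition quoted above.

```powershell
# Added example: inspect a WAC MSI before trusting it. Read-only; nothing is installed.
param([Parameter(Mandatory)] [string] $MsiPath)   # placeholder: path to the MSI under review

function Get-MsiLaunchCondition {
    param([string] $Path)
    $flags     = [System.Reflection.BindingFlags]
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # Second argument 0 = open the database read-only
    $db   = $installer.GetType().InvokeMember('OpenDatabase', $flags::InvokeMethod, $null, $installer, @($Path, 0))
    $view = $db.GetType().InvokeMember('OpenView', $flags::InvokeMethod, $null, $db,
                @('SELECT Condition, Description FROM LaunchCondition'))
    $null = $view.GetType().InvokeMember('Execute', $flags::InvokeMethod, $null, $view, $null)
    # Fetch returns $null once all rows have been read
    while ($rec = $view.GetType().InvokeMember('Fetch', $flags::InvokeMethod, $null, $view, $null)) {
        [pscustomobject]@{
            Condition   = $rec.GetType().InvokeMember('StringData', $flags::GetProperty, $null, $rec, 1)
            Description = $rec.GetType().InvokeMember('StringData', $flags::GetProperty, $null, $rec, 2)
        }
    }
}

$fullPath   = (Resolve-Path -LiteralPath $MsiPath).Path
$signature  = Get-AuthenticodeSignature -FilePath $fullPath
$conditions = @(Get-MsiLaunchCondition -Path $fullPath)

# Win32_OperatingSystem.ProductType uses the same values as MsiNTProductType:
# 1 = workstation, 2 = domain controller, 3 = server
$productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType

# True only if some launch condition still contains the domain controller block
$dcBlock = [bool]($conditions | Where-Object { $_.Condition -match 'MsiNTProductType\s*<>\s*2' })

[pscustomobject]@{
    File                   = $fullPath
    SignatureStatus        = $signature.Status          # Valid, HashMismatch, NotSigned, ...
    Signer                 = $signature.SignerCertificate.Subject
    DcLaunchBlockPresent   = $dcBlock
    HostIsDomainController = ($productType -eq 2)
} | Format-List

# Full list of launch conditions for manual review
$conditions | Format-List
```

A `SignatureStatus` other than `Valid`, or `DcLaunchBlockPresent` being false on an installer that is supposed to be unmodified, means the package differs from what the publisher shipped.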

 


 

 

2 Replies
Thank you for this! It is greatly appreciated

Thanks for your response.