How to manage a non-domain joined server using Server Manager

Managing a non-domain joined server is a topic included in the 70-410 exam as updated for Server 2012 R2. Essentially it requires you to know the extra steps involved in making Server Manager work for you when you need to manage a non-domain joined server (either one residing in a workgroup or one in a non-trusted domain).

Unfortunately the book I’m using to prepare for the exam (“MCSA 70-410 Cert Guide R2: Installing and Configuring Windows Server 2012“) doesn’t go beyond teaching you how to do “Manage As…” in Server Manager (don’t get me wrong, this is a good book which covers other things nicely). So in the book they just show you that you have to know how to do this:

But that is barely enough. For example, you have to know that the “Manage As…” functionality of Server Manager works for almost all roles and features, but RDS and IPAM do not support it. Next, and more importantly, there are extra steps you need to perform before you can manage a non-domain joined server (and no, it is not just a matter of adding it from the DNS tab instead of the Active Directory tab in the Add Servers dialog). The steps are the following:

0) Add the non-domain joined server to Server Manager. Use the DNS tab in the Add Servers dialog, since a workgroup or non-trusted-domain host cannot be located through the Active Directory tab.

Once this is done the server will be added, but you will most likely get “Refresh Failed” and a “Kerberos target resolution error” for the newly added server, which means that Server Manager is unable to communicate with it. The reason is that there is no Kerberos trust path between the management server and a workgroup (or non-trusted domain) host, and the WinRM client will not fall back to NTLM for a host that is neither in its TrustedHosts list nor reached over HTTPS. A sample screenshot of this error can be found below:

Server Manager - Kerberos Target Resolution Error

1) Add the non-domain joined server to the TrustedHosts list on the management server. On the management server (the one from which you run Server Manager) you have to add your target non-domain joined server to the TrustedHosts list by issuing the following PowerShell command (-Concatenate appends to the existing list instead of overwriting it). Be aware of what this does: for a host in TrustedHosts the WinRM client will send your credentials using NTLM without verifying the identity of the remote endpoint, so list the exact name or IP address you will use in Server Manager and never use the wildcard “*”:

Set-Item WSMan:\localhost\Client\TrustedHosts Non-DomainJoinedServer1 -Concatenate -Force

Use this command to view your current TrustedHosts list:

(Get-Item WSMan:\localhost\Client\TrustedHosts).Value

2) Configure UAC to allow elevated remote sessions on the target non-domain joined computer. By default this is not allowed on workgroup computers: UAC remote token filtering strips the administrative privileges from the network logon token of any local account other than the built-in Administrator, so Server Manager cannot do its work even with valid local admin credentials. Setting LocalAccountTokenFilterPolicy to 1 disables that filtering. Keep in mind that this is a system-wide change on the target: every local administrator account on it now gets a full administrative token over the network, which is exactly what lateral-movement tooling relies on, so apply it only to servers you really manage this way and use a dedicated account for it. You can do this by issuing this PowerShell command (-Force lets it overwrite the value if it already exists):

New-ItemProperty -Name LocalAccountTokenFilterPolicy -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -PropertyType DWord -Value 1 -Force

You may check the current setting with this command (an empty result means the value is not set, which is the default, filtered behaviour):

(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').LocalAccountTokenFilterPolicy

3) Enable the “Windows Remote Management (HTTP-In)” inbound firewall rule on the managed computer. This is the rule that lets WinRM traffic in on TCP port 5985; enabling PowerShell remoting on the managed computer turns it on as well.

4) At this point you should be able to do the “Manage As…” trick, supplying a local administrator account of the target server (TargetName\Account):

Server Manager - Manage As
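The whole procedure above, collected into two PowerShell scripts, as an added example that is not part of the original post. Part 1 runs in an elevated PowerShell session on the managed (non-domain joined) server and covers steps 2 and 3; part 2 runs on the management server and covers step 1, then verifies the WinRM path with the same Negotiate (NTLM) authentication that “Manage As…” will use, before you touch Server Manager at all. The host name Non-DomainJoinedServer1 and the account name LocalAdmin are placeholders; substitute your own.

```powershell
# Added example, not from the original post. Placeholder names:
# 'Non-DomainJoinedServer1' (managed server) and 'LocalAdmin' (local admin on it).

# --- Part 1: run elevated ON THE MANAGED (non-domain joined) SERVER ---

# Starts the WinRM service, creates the HTTP listener on TCP 5985 and enables the
# "Windows Remote Management (HTTP-In)" firewall rule (step 3).
Enable-PSRemoting -Force

# Step 2: disable UAC remote token filtering so a local administrator account gets a
# full admin token over the network. Set-ItemProperty creates or overwrites the value,
# so it is safe to run repeatedly (New-ItemProperty without -Force fails if it exists).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy -Type DWord -Value 1

# Verify both settings: expect 1, and an enabled rule for the active profile(s).
(Get-ItemProperty -Path $policyKey).LocalAccountTokenFilterPolicy
Get-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' |
    Select-Object DisplayName, Enabled, Profile

# --- Part 2: run elevated ON THE MANAGEMENT SERVER (where Server Manager runs) ---

$target = 'Non-DomainJoinedServer1'

# Step 1: add the target to TrustedHosts without clobbering existing entries.
# Add the exact name (or IP) you will use in Server Manager. Never add '*': that tells
# the WinRM client to hand your credentials (via NTLM) to any host without checking who it is.
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($entries -notcontains $target) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $target -Concatenate -Force
}
(Get-Item WSMan:\localhost\Client\TrustedHosts).Value   # shows the updated list

# Prove the WinRM path works before using Server Manager. Test-WSMan with -Credential
# requires -Authentication; Negotiate ends up as NTLM here because no Kerberos trust
# exists for a workgroup host. This is the same path "Manage As..." will take.
$cred = Get-Credential -UserName "$target\LocalAdmin" -Message 'Local administrator on the target'
Test-WSMan -ComputerName $target -Credential $cred -Authentication Negotiate

# A quick remote command as a final check: if this succeeds, "Manage As..." should work.
Invoke-Command -ComputerName $target -Credential $cred -ScriptBlock { hostname }
```

If Test-WSMan fails with an access-denied error even though the credentials are right, the usual culprit is step 2 (a filtered token); if it fails to connect at all, check step 3 and that the name you used matches the TrustedHosts entry exactly, because WinRM compares the literal string, not the resolved host.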

Here is a nice video covering this process – “Free Tutorial: Managing Non-Domain Joined Servers”.

Another thing of note is that Server Manager is only backward compatible: a newer Server Manager can manage servers running older OS versions, but an older Server Manager cannot manage servers running a newer version.

Further reading:

Add Servers to Server Manager

3 Comments

  • Christian says:

    Hello,

    thank you for your HowTo, but I found a typo in your PowerShell command for adding the registry value. You wrote “New-ItemPropery” instead of New-ItemProperty… PowerShell throws an error when you copy and paste the line.

    Happy easter.
    Christian

  • Rob says:

    Good stuff! Thanks so much for the info.
