Tag Archives: RDS

How to manage non-domain joined server using Server Manager

Managing a non-domain joined server is a topic included in the 70-410 exam updated for Server 2012 R2. Essentially, it requires you to know some extra steps involved in making Server Manager work for you when you need to manage a non-domain joined server (either one residing in a workgroup or one in a non-trusted domain).

Unfortunately, the book I’m using to prepare for the exam (“MCSA 70-410 Cert Guide R2: Installing and Configuring Windows Server 2012”) doesn’t go beyond teaching you how to do “Manage As…” in Server Manager (don’t get me wrong, this is a good book which covers other things nicely). So in the book they just show you that you have to know how to do this:

But this is hardly enough. For example, you have to know that this “Manage As…” functionality of Server Manager works for almost all roles and features, but RDS and IPAM do not support it. Next, and more importantly, there are extra steps you need to perform before you can manage a non-domain joined server (and no, it does not only involve adding it from the DNS tab as opposed to the Active Directory tab in the Add Server dialog). The steps are the following:

0) Add the non-domain joined server to Server Manager. Use the DNS tab in the Add Server dialog to add it.

Once this is done, the server will be added, but you will likely get “Refresh failed” and also a “Kerberos target resolution error” for the newly added server, which means that you are unable to communicate with it. A sample screenshot of this error can be found below:

Server Manager - Kerberos Target Resolution Error

1) Add the non-domain joined server to the trusted hosts on the management server. On the management server (the one from which you run Server Manager) you have to add your target non-domain joined server to the Trusted Hosts list by issuing the following PS command:

Set-Item wsman:\localhost\client\trustedhosts Non-DomainJoinedServer1 -Concatenate -Force

Use this command to view your current Trusted Hosts list:

(Get-Item wsman:\localhost\client\trustedhosts).value

2) Configure UAC to allow elevated remote sessions on the target non-domain joined computer. By default this is not allowed on workgroup computers. You can change this by issuing this PS command:

New-ItemProperty -Name LocalAccountTokenFilterPolicy -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -propertyType DWord -value 1

You may check current setting with this command:

(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').LocalAccountTokenFilterPolicy

3) Enable the Remote Management (HTTP-In) inbound rule on the managed computer.

4) At this point you should be able to do that “Manage As” trick:

Server Manager - Manage As
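Steps 1 to 3 each relax a default (server authentication for the listed hosts, UAC token filtering for local accounts, and the inbound WinRM firewall rule), so it is worth knowing what state they are in afterwards. The following is an added example, not part of the original post, that reports those three settings on the machine where it runs; the function name Get-WorkgroupRemotingAudit and the Review flag are illustrative choices.

```powershell
# Added example, not from the original post. Run elevated and locally on the
# management server and on the managed server; Get-NetFirewall* needs Server 2012+.
function Get-WorkgroupRemotingAudit {
    $report = @()

    # Step 1: the client does not verify the identity of hosts in TrustedHosts,
    # so wildcard entries deserve a second look.
    try {
        $raw = (Get-Item WSMan:\localhost\Client\TrustedHosts -ErrorAction Stop).Value
    } catch {
        $raw = ''   # WinRM service stopped, or WSMan: drive not available
    }
    $entries = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $report += [pscustomobject]@{
        Setting = 'WSMan client TrustedHosts'
        Value   = $entries -join ', '
        Review  = @($entries -match '\*').Count -gt 0
    }

    # Step 2: a value of 1 gives local administrator accounts a full (elevated)
    # token over the network, i.e. UAC remote restrictions are off.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $prop = Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    $report += [pscustomobject]@{
        Setting = 'LocalAccountTokenFilterPolicy'
        Value   = if ($prop) { $prop.LocalAccountTokenFilterPolicy } else { 'not set' }
        Review  = [bool]($prop -and $prop.LocalAccountTokenFilterPolicy -eq 1)
    }

    # Step 3: list enabled WinRM HTTP-In rules and the remote addresses they admit.
    $rules = Get-NetFirewallRule -DisplayName '*Remote Management (HTTP-In)*' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' }
    foreach ($rule in $rules) {
        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        $report += [pscustomobject]@{
            Setting = "Firewall rule '$($rule.DisplayName)' ($($rule.Profile))"
            Value   = 'RemoteAddress: ' + ($remote -join ', ')
            Review  = $remote -contains 'Any'
        }
    }
    $report
}

Get-WorkgroupRemotingAudit | Format-List
```

Review is True for a wildcard in TrustedHosts, for LocalAccountTokenFilterPolicy set to 1, and for an enabled HTTP-In rule that accepts any remote address.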

Here is a nice video covering this process – “Free Tutorial: Managing Non-Domain Joined Servers”.

Another thing of note is that there is downwards compatibility, which only allows you to manage older OS versions from a newer Server Manager but not the other way round.

Further reading:

Add Servers to Server Manager

How to: Remotely enable inbound Remote Desktop rule in Windows Server 2008 R2 firewall

In situations where you are unable to connect to a remote WS 2008 box via RDS because Windows Firewall is enabled without the inbound RDS rule enabled, you may try to enable the required firewall rule remotely.

If PS on the machine in question is configured for remoting, you may open a remote PS session on this machine using the following command:


enter-pssession -computername REMOTE_COMPUTER_NAME

If the remote PS session opened successfully, you may run both PS commands and regular CLI commands for the remote machine there. To check the inbound RDS rule for Windows Firewall use:


netsh advfirewall firewall show rule name="Remote Desktop (TCP-IN)"

If this rule is not enabled, issue the following command to enable it:


netsh advfirewall firewall set rule name="Remote Desktop (TCP-IN)" new enable=yes

Starting with Windows Server 2012 you may control Windows Firewall with PS cmdlets, which is much more convenient and easier.


How to: do a quick check on who is connected to the server via RDP

Apart from the obvious ways to do it via the Windows Server GUI, which is the long way (plus, if you are working with multiple versions like Server 2003 and 2008, it differs slightly and requires you to remember the “path” through the GUI to find this information), there are CLI tools to accomplish this:

qwinsta, available starting from Windows XP, lists RDP connections to the local host if run locally; alternatively, it can do this for remote machines (in the same domain) if run with the /server key:

qwinsta /server:%SERVERNAME%

The output of this command gives you a list of users connected to the server along with their session IDs, which you can use to disconnect sessions via the command line with the help of the second tool, rwinsta, which can be used with the following syntax:

rwinsta /server:%SERVERNAME% %SESSION_ID%

Note on the etymology of those commands:

qwinsta stands for Query WINdows STAtion

rwinsta stands for Reset WINdows STAtion

Starting from Windows Server 2003 you can also use the query session command for the same purpose.
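An added example (not part of the original post) that turns the text qwinsta prints into objects, so that sessions with a logged-on user can be filtered or compared across servers. The sample lines are constructed in qwinsta's column layout, the function name ConvertFrom-Qwinsta is illustrative, and user names are assumed to contain no spaces.

```powershell
# Constructed sample in qwinsta's layout; for live data use instead:
#   $sample = qwinsta /server:SERVERNAME
$sample = @'
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console                                     1  Conn
>rdp-tcp#0         administrator             2  Active  rdpwd
                   jsmith                    3  Disc
 rdp-tcp                                 65536  Listen
'@ -split "`r?`n"

function ConvertFrom-Qwinsta {
    param([string[]]$Lines)
    foreach ($line in ($Lines | Select-Object -Skip 1)) {   # skip the header row
        if ($line.Length -lt 2) { continue }
        # Column 0 holds '>' for the caller's own session. The session name starts
        # in column 1 and is blank for disconnected sessions.
        $hasName = $line[1] -ne ' '
        $tokens  = @($line.Substring(1).Trim() -split '\s+')
        $name    = if ($hasName) { $tokens[0] } else { '' }
        $rest    = @(if ($hasName) { $tokens | Select-Object -Skip 1 } else { $tokens })
        # The first all-digit token is the session ID; a token before it is the user.
        $idIndex = 0
        while ($idIndex -lt $rest.Count -and $rest[$idIndex] -notmatch '^\d+$') { $idIndex++ }
        if ($idIndex -ge $rest.Count) { continue }           # not a session row
        [pscustomobject]@{
            SessionName = $name
            UserName    = if ($idIndex -gt 0) { $rest[0] } else { '' }
            Id          = [int]$rest[$idIndex]
            State       = $rest[$idIndex + 1]
            IsCurrent   = $line[0] -eq '>'
        }
    }
}

# Sessions that have a user attached, whether active or disconnected
ConvertFrom-Qwinsta $sample | Where-Object { $_.UserName } | Format-Table -AutoSize
```

With the constructed sample this lists administrator (session 2, Active) and jsmith (session 3, Disc); the Id column is the value rwinsta expects.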

How to: add all known RDS license servers to specified license servers list

To add all known RDS license servers to the specified license servers list you could use the RDS Host Configuration console (tsconfig.msc), but in Windows Server 2008 R2 the GUI doesn’t allow multiple selection, so adding all known license servers via the GUI is a little inconvenient.

A better option is to do this via PowerShell; here is how:

import-module remotedesktopservices
cd RDS:\RDSConfiguration\LicensingSettings\SpecifiedLicenseServers
dir ..\RegisteredLicenseServers | new-item -force

And as you are most likely going to do it remotely, you should use Enter-PSSession -ComputerName YOUR_SERVER_NAME to start a remote PS session. In case PSRemoting is not enabled (use Test-WSMan to check), go to the target machine and use Enable-PSRemoting -Force to enable it.

What /admin key for mstsc.exe actually does

The /admin key is usually used for RDS server administration. When you use mstsc.exe /admin to connect to a Windows Server with the RDS role installed, it does the following for the initiated connection:

- Disables RDS client access licensing

- Disables timezone redirection

- Disables RD Connection Broker redirection

- Disables RD Easy Print

- Disables PnP device redirection for this connection only

- Changes the remote session theme to Windows Classic View (if it’s available) for this connection only