次の方法で共有


Remote Management with Server Manager

Applies To: Windows Server 2008 R2

In Windows Server® 2008 R2, you can use Server Manager to perform some management tasks on remote computers. To manage a computer remotely by using Server Manager, you connect Server Manager to a remote computer in the same manner you would connect Microsoft Management consoles (MMCs) for other technologies.

Supported remote management scenarios

The following remote management scenarios are supported from Server Manager in Windows Server 2008 R2.

Server Manager Source Operating System Targeted at Windows Server 2012 and Windows Server 2012 R2 Targeted at Windows Server 2008 R2 Targeted at Windows Server 2008 Targeted at Windows Server 2003 R2 Targeted at Windows Server 2003

Windows Server 2008 R2

Not supported

Server Manager on a full installation of Windows Server 2008 R2 can be used to manage roles and features that are installed on another server that is running Windows Server 2008 R2, either the full installation option, or the Server Core installation option.

Not supported

Not supported

Not supported

Windows® 7

Not supported

Server Manager is installed as part of Remote Server Administration Tools on a computer that is running Windows 7. This can be used to manage roles and features on a computer that is running either the full or Server Core installations of Windows Server 2008 R2.

Not supported

Not supported

Not supported

Source computer   To Remote Computer Domain C (added as trusted host)
 

Domain A

Domain B

Workgroup

 

Domain A

     

Domain B

 

   

Workgroup

   

Note

If you are managing a remote computer from a computer that is running Windows 7, start the Windows Remote Management (WinRM) service to allow for the addition of trusted hosts. Open a Command Prompt session with elevated user rights by clicking Start , clicking All Programs , clicking Accessories , right-clicking Command Prompt , and then clicking Run as administrator . Type the following, and then press Enter : net start winrm
For remote connections in a Workgroup to Workgroup/Domain scenario, the remote computer must be added to the trusted hosts list on the source computer. To do this, run the following command on the source computer in a Command Prompt window that is opened with elevated user rights.
winrm set winrm/config/client @{TrustedHosts="RemoteComputerName"}
For remote connections in a Workgroup to Workgroup/Domain scenario, if a user is not logged on by using the source computer’s built-in administrator account, the following WinRM registry key must be configured to allow remote access from the source computer. This change is required because of a User Account Control (UAC) limitation on non-administrator accounts that are members of the Administrators group. To change this registry key, run the following command on the source computer at a command prompt that is opened with elevated user rights.
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
By default, WinRM allows for a maximum of five connections to a remote computer to be active per user. To increase the limit, run the following command on the source computer, in which X represents the number of connections that you want to allow, at a command prompt that is opened with elevated user rights.
winrm s winrm/config/winrs @{MaxShellsPerUser="X"}

Security considerations for remote management by using Server Manager

Important

You must be a member of the Administrators group on computers that you want to manage by using Server Manager.

Because Server Manager remote management capability is provided by using Windows PowerShell technology, Server Manager remote management inherits security considerations from Windows PowerShell. A malicious user can try to steal logon credentials provided by an administrator over a remote connection, but generally, this is a low risk. Other potential threats of which there is very low risk include modification of dynamic link libraries (DLLs) by malicious users, or tries to obtain sensitive or personally identifying data in the Server Manager log file. Users who have rights to access the local computer can read Server Manager log files, but log files do not contain sensitive personal or account information such as passwords.

Tasks that you can perform on a remote server by using Server Manager

You can perform the following tasks in Server Manager on a remote computer.

  • View Windows automatic updating status

  • Run Best Practices Analyzer scans on roles. For more information, see Running and Filtering Scans in Best Practices Analyzer.

  • View or change Windows Customer Experience Improvement Program (CEIP) status

  • Configure Windows Error Reporting

  • View or change Windows Firewall information

  • View and manage roles from role home pages

Note

To use role- or feature-specific tools or snap-ins in a Server Manager console that is connected to a remote server, those tools must be installed on the source computer by using Remote Server Administration Tools.

  • View Internet Explorer Advanced Security Configuration settings

  • Manage services from a role home page

Tasks that you cannot perform remotely by using Server Manager

Primarily to minimize security risks to your servers, the following tasks cannot be completed in a remote Server Manager session.

  • Add or remove roles, role services, and features

  • Configure Remote Desktop settings

  • Configure System Properties

  • Check for new roles

  • Change Windows automatic updating settings

  • Change network settings

  • Change the computer name or domain membership

  • Change Internet Explorer Advanced Security Configuration settings

  • Run the Security Configuration Wizard, if the source computer is a server that is running Windows Server 2008 R2

Enabling or disabling remote management in Windows Server 2008 R2

To help protect servers from unauthorized access, and before administrators can connect to a computer that is running Windows Server 2008 R2 remotely by using Server Manager, Server Manager remote management must be enabled on the destination computer.

Before you configure a server for remote management by using Server Manager, you must enable several Group Policy settings that control Windows Firewall exceptions. Follow the steps in To set Group Policy for Server Manager remote management to verify that no Group Policy settings override configuration of the server for remote management.

Note

Procedures in this section can be completed only on a computer that is running Windows Server 2008 R2. You cannot enable or disable remote management on a computer that is running Windows 7 because Windows 7 cannot be managed by using Server Manager.

  • To set Group Policy for Server Manager remote management

  • To configure Server Manager remote management by using the Windows interface

  • To configure Server Manager remote management by using Windows PowerShell

To set Group Policy for Server Manager remote management

  1. On the computer that you want to manage remotely, open Local Group Policy Editor . To do this, click Start , click Run , type gpedit.msc in the Open box, and then press Enter .

  2. Expand Computer Configuration , Administrative Templates , Windows Components , Windows Remote Management , and then select WinRM Service .

  3. In the details pane, double-click Allow automatic configuration of listeners .

  4. Select Enabled , and then click OK .

  5. In the tree pane, expand Windows Settings , Security Settings , Windows Firewall with Advanced Security , and then Windows Firewall with Advanced Security .

  6. Right-click Inbound Rules , and then click New Rule .

  7. In the New Inbound Rule Wizard, on the Rule Type page, select Predefined .

  8. On the Predefined pull-down menu, select Remote Event Log Management . Click Next .

  9. On the Predefined Rules page, click Next to accept the new rules.

  10. On the Action page, select Allow the connection , and then click Finish . Allow the connection is the default selection.

  11. Repeat steps 5 through 10 to create new inbound rules for the following two additional predefined rule types.

    • Remote Service Management

    • Windows Firewall Remote Management

  12. Close Local Group Policy Editor .

To configure Server Manager remote management by using the Windows interface

  1. On the computer that you want to manage remotely, open Server Manager. To open Server Manager, click Start , point to Administrative Tools , and then click Server Manager .

  2. In the Server Summary area of the Server Manager home page, click Configure Server Manager Remote Management .

  3. Do one of the following.

    • To let this computer to be managed remotely by using Server Manager, select Enable remote management of this server from other computers .

    • To prevent this computer from being managed remotely by using Server Manager, clear the Enable remote management of this server from other computers check box.

    • If you want to enable remote management, but cannot change the setting, follow the steps in the procedure To set Group Policy for Server Manager remote management, and then go on to the next step.

  4. Click OK .

  5. Verify that exceptions to the following firewall rules are enabled, and are not disabled by Group Policy settings.

    • Remote Service Management (NP-In)

    • Remote Service Management (RPC)

    • Remote Service Management (RPC-EPMAP)

    • Remote Event Log Management (NP-In)

    • Remote Event Log Management (RPC)

    • Remote Event Log Management (RPC-EPMAP)

    • Windows Firewall Remote Management (RPC)

    • Windows Firewall Remote Management (RPC-EPMAP)

    To do this, do the following.

    1. Open the Windows Firewall with Advanced Security snap-in by doing one of the following:

      • In the Security Information area of the Server Manager main window, click Go to Windows Firewall .

      • In the Server Manager tree pane, expand Configuration , and then click Windows Firewall with Advanced Security .

      • Click Start , point to Administrative Tools , and then click Windows Firewall with Advanced Security .

    2. In the Getting Started area of the Windows Firewall with Advanced Security details pane, click Inbound Rules .

    3. In the list of rules, locate the rules that are specified in this step.

    4. If No is displayed in the Enabled column for any of the specified rules, double-click the rule to open the Properties dialog box for the rule.

    5. On the General tab of the rule’s Properties dialog box, select Enabled . Click OK .

Note

Although remote management by using Server Manager is still possible if exceptions to the Remote Event Log Management firewall rules are disabled, remote connection times can be very slow, depending on the number of roles and features that are running on the computer that you want to manage, unless exceptions to these firewall rules are enabled. We recommend that you enable Remote Event Log Management firewall rules to prevent connection delays.

To configure Server Manager remote management by using Windows PowerShell

  1. On the computer that you want to manage remotely, open a Windows PowerShell session with elevated user rights. To do this, click Start , click All Programs , click Accessories , click Windows PowerShell , right-click the Windows PowerShell shortcut, and then click Run as administrator .

  2. In the Windows PowerShell session, type the following, and then press Enter .

    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

  3. Type the following, and then press Enter to enable all required firewall rule exceptions.

    Configure-SMRemoting.ps1 -force -enable

To configure remote management on the Server Core installation option of Windows Server 2008 R2

  1. On the computer that you want to manage remotely, at the command prompt that opens by default when a member of the Administrators group logs on to the computer that is running the Server Core installation option of Windows Server 2008 R2, type the following, and then press Enter .

    Dism.exe /Online /Enable-Feature /FeatureName:NetFx2-ServerCore /FeatureName:MicrosoftWindowsPowerShell /FeatureName:ServerManager-PSH-Cmdlets /FeatureName:BestPractices-PSH-Cmdlets

  2. After the installation has completed, close all applications, and then restart the computer.

    To verify that Windows PowerShell and cmdlets for Server Manager and Best Practices Analyzer are installed, try entering the oclist command, which returns a list of all Windows features that are installed on the computer.

  3. After the operating system has finished loading, log on to the computer as, at minimum, a member of the local Administrators group.

  4. In the Command Prompt window that opens after you have logged on to the computer, type the following to open a Windows PowerShell session, and then press Enter .

    powershell

  5. In the Windows PowerShell session, type the following, and then press Enter .

    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

  6. Type the following, and then press Enter to enable all required firewall rule exceptions.

    Configure-SMRemoting.ps1 -force -enable

Connecting to remote computers by using Server Manager

Do the following to manage a remote server by using Server Manager.

To connect to another computer by using Server Manager

  1. Open Server Manager. To open Server Manager, click Start , point to Administrative Tools , and then click Server Manager .

  2. In the tree pane, right-click Server Manager , and then click Connect to Another Computer .

  3. In the Connect to Another Computer dialog box, enter the name or IP address of another computer that is running Windows Server 2008 R2 in the Another computer text box, or browse for another server on the network. Click OK .

    In the Another computer string box, you can specify a NetBIOS name, a fully-qualified domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port number is used. The following are examples of formats you can specify in the Another computer text box.

    • ComputerName

    • ComputerName:PortNumber

    • IP address: n.n.n.n

    • IPv6 address: [ n:n:n:n ]

    • IPv4 address with port number: n.n.n.n:PortNumber

    • IPv6 address with port number: [ n:n:n:n ]: PortNumber

Note

If an administrator has changed the computer’s default port number, the nondefault port must be opened in Windows Firewall to allow incoming connections on that port. Port 5985 is opened by default when WinRM is configured as described in To set Group Policy for Server Manager remote management in this topic. Nondefault ports remain blocked until opened. For more information about how to unblock a port in Windows Firewall, see the Help for Windows Firewall. For more information about how to configure WinRM, in a Command Prompt session, type winrm help , and then press Enter .

After you connect to a remote computer, notice that the name of the computer changes in the Server Manager console. The computer name in the Server Manager node of the tree pane, the **Full Computer Name** field in the **Server Summary** area of Server Manager, and the computer name in the console heading all change to the name of the remote computer to which you are connected. Because Server Manager resolves IP addresses to FQDNs, if you connected to a remote computer by using an IP address, the Server Manager console displays the FQDN of the remote computer.

Note

If you are connecting to a computer in a different domain by using an IP address, the remote connection might fail, because of DNS Server limitations that can result in a failure to resolve the IP address to a host name. If this occurs, try connecting by specifying an FQDN.

To run the Server Manager Get-WindowsFeature cmdlet on a remote computer from a Windows PowerShell session

  1. Open a Windows PowerShell session with elevated user rights. To do this, click Start , click All Programs , click Accessories , click Windows PowerShell , right-click the Windows PowerShell shortcut, and then click Run as administrator .

  2. Type the following, for which ComputerName is the name of the remote computer that is running Windows Server 2008 R2, and UserName is the name of a user who is a member of the Administrators group on the remote computer, and then press Enter .

    Enter-PSSession <ComputerName> –credential <UserName>

  3. You are prompted to enter your password in a secure dialog box. Type your password, and then press Enter .

  4. In the Windows PowerShell session, type the following to load the Server Manager snap-in, and then press Enter .

    Import-Module ServerManager

  5. Type the following, and then press Enter .

    Get-WindowsFeature

  6. After the results of the Get-WindowsFeature cmdlet are displayed in your Windows PowerShell session, type the following to close the Windows PowerShell session, and then press Enter .

    Exit-PSSession

Managing multiple computers by using Server Manager and MMC

You can also create a custom Microsoft Management Console (MMC) that contains multiple Server Manager snap-ins, each targeted to manage a different remote computer.

To manage multiple computers by using Server Manager and MMC

  1. To open Microsoft Management Console, click Start , click Run , type mmc , and then click OK .

  2. On the File menu, click Add/Remove Snap-in .

  3. In the Available snap-ins list, select Server Manager .

  4. Click Add to add Server Manager to the Selected snap-ins list.

  5. Repeat the previous step as many times as needed to add Server Manager snap-ins to your MMC. Click OK .

  6. In the tree pane of the new MMC, right-click the top node of a Server Manager snap-in, and then click Connect to Another Computer .

  7. In the Connect to Another Computer dialog box, enter the name or IP address of another computer in the Another computer string box, or browse for another server on the network. Click OK .

    After you connect to a remote computer, notice that the name of the computer changes in the Server Manager node of the tree pane.

  8. If you have additional Server Manager snap-ins in the MMC, repeat this procedure from step 6 to connect additional Server Manager snap-ins to other remote computers.

  9. On the File menu, click Save to save your custom MMC.

Remote management from Windows 7

Although computers that are running Windows 7 cannot be managed by using Server Manager, you can install Server Manager on a computer that is running Windows 7 by installing Remote Server Administration Tools. Remote Server Administration Tools for Windows 7 is available for download on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=131280). After Remote Server Administration Tools is installed, you can connect a Server Manager console to a remote computer that is running Windows Server 2008 R2, and perform the management tasks on the destination server that are identified in Tasks that you can perform on a remote server by using Server Manager in this topic.

After you install Remote Server Administration Tools on a computer that is running Windows 7, just as on a computer that is running Windows Server 2008 R2, you can create a custom Server Manager MMC to manage multiple remote computers that are running Windows Server 2008 R2. To create a custom Server Manager MMC on a computer that is running Windows 7 and Remote Server Administration Tools, see Managing multiple computers by using Server Manager and MMC in this topic.

To manage remotely from a computer that is running Windows 7

  1. Install Remote Server Administration Tools on the computer that is running Windows 7.

    Download the Remote Server Administration Tools package from the Microsoft Web site, then follow the instructions that are provided on the Download Center page to install Remote Server Administration Tools.

Note

To use role- or feature-specific tools or snap-ins in a Server Manager console that is connected to a remote server, those tools must be installed on the source computer by using Remote Server Administration Tools.

  1. After Remote Server Administration Tools is installed, open Server Manager. To open Server Manager, click Start , point to Administrative Tools , and then click Server Manager .

  2. In the tree pane, right-click Server Manager , and then click Connect to Another Computer .

  3. In the Connect to Another Computer dialog box, enter the name or IP address of a computer that is running Windows Server 2008 R2 in the Another computer string box, or browse for another server on the network. Click OK .

    After you connect to a remote computer, notice that the name of the computer is displayed in the Server Manager console. You can see the name of the remote computer to which you are connected in the Server Manager node of the tree pane, the Full Computer Name field in the Server Summary area of Server Manager, and the computer name in the console heading.