# Adding Microsoft Windows servers in DDI Central

> **Note:** PowerShell version 5.1.2 or higher is required for a successful setup. Ensure that **Windows Remote Management** services are running on the Windows DNS and DHCP servers you plan to onboard into DDI Central's Management UI Console.

## Step 1. WinRM Setup

- [Enabling WinRM HTTP](#step-by-step-guide-to-enable-winrm-http-on-the-app-console-server)
- [Enabling WinRM HTTPS](#step-by-step-guide-to-enable-winrm-https-on-the-app-console-server)

## Step 2. Microsoft Server Setup

- [Creating Clusters](#creating-microsoft-clusters-in-ddi-central)
- [Adding Servers](#adding-microsoft-dns-and-dhcp-servers)
- [Advanced DNS-DHCP-IPAM Discovery](#ddi-central-discovery-process)
- [Bypassing Discovery](#bypassing-the-discovery-process-to-setup-new-servers-from-scratch)

## Step 3. Server Settings

- [Flush DNS Cache](#action-1-flush-dns-cache)
- [Server Reconfiguration](#action-2-server-reconfiguration)
- [DNS and DHCP Service Rediscovery](#action-3-dns-and-dhcp-rediscover)
- [DNS and DHCP Servers Suspending and Resuming](#action-4-dns-and-dhcp-servers-suspending-and-resuming)

## Step-by-step guide to enable WinRM HTTP on the App Console server

1. ### Modifying Idle Timeout and Connection Parameters

   Run the following commands:

   ```powershell
   winrm set winrm/config/service '@{MaxConnections="2000"}'
   winrm set winrm/config/service '@{MaxConcurrentOperationsPerUser="2000"}'
   winrm set winrm/config/winrs '@{IdleTimeout="900000"}'
   ```

## Step-by-step guide to enable WinRM HTTP on all DNS/DHCP servers to be onboarded

1. ### Enabling WinRM

   ```powershell
   winrm quickconfig
   ```

2. ### Modifying Idle Timeout and Connection Parameters

   ```powershell
   winrm set winrm/config/service '@{MaxConnections="2000"}'
   winrm set winrm/config/service '@{MaxConcurrentOperationsPerUser="2000"}'
   winrm set winrm/config/winrs '@{IdleTimeout="900000"}'
   ```

3. ### Enabling Authentication

   #### 1. Basic Authentication

   **Description:** Sends the username and password in plain text (Base64 encoded). Requires a secure channel (e.g., HTTPS) to protect the credentials during transmission.

   ```powershell
   winrm set winrm/config/service/auth '@{Basic="true"}'
   ```

   #### 2. CredSSP (Credential Security Support Provider)

   **Description:** Enables delegation of user credentials from the client to the target server.

   ```powershell
   Enable-WSManCredSSP -Role "Server"
   ```

   #### 3. Negotiate

   **Description:** Uses either Kerberos or NTLM for authentication.

   ```powershell
   winrm set winrm/config/service/auth '@{Negotiate="true"}'
   ```

4. ### Setting up the Windows Remote Machine

   #### 1. Enable unencrypted communication

   ```powershell
   winrm set winrm/config/service '@{AllowUnencrypted="True"}'
   ```

   > **Note:** With `AllowUnencrypted` set to `True`, the WinRM service accepts requests that carry no message encryption. If Basic authentication is also enabled, the credentials on the HTTP listener are protected only by Base64 encoding, so use the WinRM HTTPS steps when Basic authentication is required.

   #### 2. Configure Trusted Hosts

   ```powershell
   winrm set winrm/config/client '@{TrustedHosts="ip_address"}'
   ```

   > **Note:** Enter the IP address of the host running the DDI Central Console for WinRM to treat it as a trusted host.

   ![WinRM Configuration](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/images/win_1.png)

   #### 3. Restarting the WinRM Service

   ```powershell
   Restart-Service WinRM
   ```

5. ### Inspecting WinRM listener configuration

   ```powershell
   winrm enumerate winrm/config/listener
   ```

   ![WinRM Listener](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/images/win_2.png)

## Step-by-step guide to enable WinRM HTTPS on the App Console server

1. ### Modifying Idle Timeout and Connection Parameters

   ```powershell
   winrm set winrm/config/service '@{MaxConnections="2000"}'
   winrm set winrm/config/service '@{MaxConcurrentOperationsPerUser="2000"}'
   winrm set winrm/config/winrs '@{IdleTimeout="900000"}'
   ```

## Step-by-step guide to enable WinRM HTTPS on all DNS/DHCP servers to be onboarded

1. ### Modifying Idle Timeout and Connection Parameters

   ```powershell
   winrm set winrm/config/service '@{MaxConnections="2000"}'
   winrm set winrm/config/service '@{MaxConcurrentOperationsPerUser="2000"}'
   winrm set winrm/config/winrs '@{IdleTimeout="900000"}'
   ```

2. ### Enabling Authentication

   #### Basic

   ```powershell
   winrm set winrm/config/service/auth '@{Basic="true"}'
   ```

   #### CredSSP

   ```powershell
   Enable-WSManCredSSP -Role "Server"
   ```

   #### Negotiate

   ```powershell
   winrm set winrm/config/service/auth '@{Negotiate="true"}'
   ```

3. ### Setting up the Windows Remote Machine

   #### Enable encrypted communication

   ```powershell
   winrm set winrm/config/service '@{AllowUnencrypted="False"}'
   ```

   #### Configure Trusted Hosts

   ```powershell
   winrm set winrm/config/client '@{TrustedHosts="ip_address"}'
   ```

   > **Note:** Enter the IP address of the host running the DDI Central Console for WinRM to treat it as a trusted host.

   ![WinRM HTTPS Setup](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/images/win_1.png)

   #### Restarting the WinRM Service

   ```powershell
   Restart-Service WinRM
   ```

4. ### Verifying the valid server certificate

   ```powershell
   Get-ChildItem -Path Cert:\LocalMachine\My
   ```

   ![Certificate Verification](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/win-3.png)

   > **Note:** Copy the thumbprint value generated by the above command and store it securely.

5. ### Creating a server certificate using domain name

   ```powershell
   $cert = New-SelfSignedCertificate -DnsName "$domain_name" -CertStoreLocation "Cert:\LocalMachine\My" -KeyExportPolicy Exportable -KeyLength 2048 -KeyAlgorithm RSA -Type SSLServerAuthentication -NotAfter (Get-Date "2042-12-31")
   ```

   > **Note:** For `$domain_name`, enter the domain name in double quotes (" ").

6. ### Execute the following command to enable HTTPS

   ```powershell
   New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbprint $cert.Thumbprint -Force
   ```

   > **Note:** Replace `$cert.Thumbprint` with the hexadecimal thumbprint value in double quotes.

7. ### Enabling WinRM

   ```powershell
   winrm quickconfig -transport:https
   ```

8. ### Inspecting WinRM listener configuration

   ```powershell
   winrm enumerate winrm/config/listener
   ```

   ![WinRM HTTPS Listener](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/images/win_4.png)

## Creating Microsoft Clusters in DDI Central

After a successful signup, the DDI console first shows an empty dashboard. To create new clusters:

- Click on the **Windows** icon at the top right corner.

  ![Windows Cluster](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/clusters-windows_11zon.png)

  ![Cluster Screenshot](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/screenshot_2026-02-03_at_3.01.02_pm.png)

  ![Cluster Screenshot](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/screenshot_2026-02-03_at_3.01.24_pm.png)

- The Add Cluster window appears, prompting you to enter the name and type of the cluster: DNS, DHCP or Both.

  ![Add Cluster](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/clusters-page-31.png)

- Select the OS as **Windows**.

  ![Select OS](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/clusters-page-4.png)

  > **Note:** Clusters in DDI Central are logical groupings of servers. Each cluster has its own IP plans, DNS manager and DHCP manager.

- Click **Save**.
- You’ll be redirected to **Settings → Servers** to add Microsoft servers.

## Adding Microsoft DNS and DHCP servers

1. On the **Servers** page, click **Add Server**.
2. The **Create Server** page appears.

   ![Add New Microsoft Windows Server](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/windows-credential-4.png)

3. Enter server details:
   - **Server Name**
   - **Type**: Both, DNS, or DHCP only
   - **Server IP**
   - **Primary Domain Controller (PDC)**

     ![PDC Server](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/pdc-server_page.png)

     > DDI Central allows only one PDC per cluster.

   - **Username** (format depends on DC placement)
     - `username@domainname`
     - `hostname\username`
   - **Password**
   - **Windows HTTP Port** (default 5985)
   - **Windows HTTPS Port** (default 5986)
   - **SSL**: Yes/No
   - **Authentication**: Basic, CredSSP, Negotiate, NTLM
   - **Encryption**: Never, If supported, Always

### DDI Central discovery process

Specify whether to discover existing DNS/DHCP configurations:

- **No**
- **DNS only**
- **DHCP only**
- **Both**

![DNS Discovery](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/win_9.png)

![DHCP Discovery](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/images/win_10.png)

> **Note:** Discover DNS and DHCP together for DDNS-enabled domains.

#### DNS configurations discovered

- DNS Authoritative Zones
- AD Zones
- Stub Zones and Forwarders
- DDNS Zones
- DNS Zone Scopes
- Client Subnets
- Query Resolution Policies
- Response Rate Limiting
- Forwarders
- DNS Recursion Settings

#### DHCP configurations discovered

- DHCP scopes and subnets
- Reservations
- DHCP policies
- Dual stack IP plans
- Failover configurations
- Vendor and User Classes
- Standard and Custom DHCP options

## Bypassing the Discovery process to setup new servers from scratch

Specify **No** during discovery.

![Bypass Discovery](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/images/win_11.png)

You can migrate domains and define primary/secondary nameserver roles.

## Action 1: Flush DNS Cache

Click **Flush DNS Cache**.

![Flush Cache](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/flush-cache1.png)

- Choose **Flush All** or **Flush Specific**.

  ![Flush Options](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/flush-cache2.png)

- Enter the zone name and click **Flush Cache**.

  ![Flush Specific](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/flush-cache3.png)

> **Note:** Flush DNS Cache improves DNS reliability and performance.

## Action 2: Server Reconfiguration

The **Server Reconfiguration** action simplifies recovery for failed Windows DNS/DHCP servers.

![Server Reconfiguration](https://www.manageengine.com/sites/meweb/images/dns-dhcp-ipam/images/server_reconfigure_and_rediscover.png)

## Action 3: DNS and DHCP Rediscover

The **Rediscover** option synchronizes DNS/DHCP configurations updated outside DDI Central.

> Click **Rediscover** under **Settings → Server**.

> **Note:** Use **Check Status** to verify onboarded servers.

![Check Status](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/winserver_check_status.png)

## Action 4: DNS and DHCP Servers Suspending and Resuming

Suspend servers via **Servers → Actions → Suspend**.

![Suspend Server](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/server-suspend1.png)

> **Note:** The app console server cannot be suspended.

![Suspend Confirmation](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/server-suspend2.png)

Resume using **Resume Operations**.

![Resume Server](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/server-activate1.png)

![Resume Confirmation](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/server-activate2.png)
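
The WinRM HTTP and HTTPS steps earlier on this page change several service settings by hand, so a read-only check on each DNS/DHCP server before onboarding is useful. The script below is an added example, not part of the DDI Central documentation or product: it reports whether unencrypted traffic is allowed, whether an HTTPS listener exists, and whether the listener's certificate is present in `Cert:\LocalMachine\My` and not close to expiry. The function name `Test-WinRMHardening` and the 30-day expiry window are assumptions of this example.

```powershell
# Added example: read-only audit of the WinRM settings configured on this page.
# Run in an elevated PowerShell session on the DNS/DHCP server being onboarded.
# Test-WinRMHardening and the 30-day expiry window are assumptions of this example.
function Test-WinRMHardening {
    param([int]$ExpiryWarningDays = 30)
    $findings = @()

    # Service-level values set with "winrm set winrm/config/service ..."
    $allowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    $basicEnabled     = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value

    # Same data that "winrm enumerate winrm/config/listener" prints
    $listeners = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate)
    $https     = @($listeners | Where-Object { $_.Transport -eq 'HTTPS' })

    if ($allowUnencrypted -eq 'true') {
        $findings += 'AllowUnencrypted is true: the service accepts unencrypted requests.'
        if ($basicEnabled -eq 'true') {
            $findings += 'Basic authentication is enabled while unencrypted traffic is allowed.'
        }
    }
    if ($https.Count -eq 0) {
        $findings += 'No HTTPS listener is configured.'
    }

    foreach ($listener in $https) {
        # Normalise the stored thumbprint before matching it against the machine store
        $thumb = $listener.CertificateThumbprint -replace '\s', ''
        $cert  = Get-ChildItem Cert:\LocalMachine\My |
                 Where-Object { $_.Thumbprint -eq $thumb }
        if (-not $cert) {
            $findings += "Port $($listener.Port): certificate $thumb is not in Cert:\LocalMachine\My."
        }
        elseif (-not $cert.HasPrivateKey) {
            $findings += "Port $($listener.Port): certificate $thumb has no private key."
        }
        elseif ($cert.NotAfter -lt (Get-Date).AddDays($ExpiryWarningDays)) {
            $findings += "Port $($listener.Port): certificate expires on $($cert.NotAfter.ToString('yyyy-MM-dd'))."
        }
    }
    return $findings
}

$result = @(Test-WinRMHardening)
if ($result.Count -eq 0) { 'WinRM audit: no findings.' } else { $result }
```

The script only reads configuration; it changes nothing on the server, so it can be re-run after each setup step.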