Advanced
Server Core & Remote Administration
Install CYNC on Windows Server Core (headless) and administer it remotely from the WinUI 3 dashboard on another machine via gRPC over HTTPS.
All features included: Server Core support and remote gRPC administration are available at every user count - no tier restrictions. A license is required for more than 10 target users.
When to use Server Core
Windows Server Core is a minimal installation option that removes the graphical shell. It has a smaller attack surface, requires fewer updates, and uses less disk space and memory. If your CYNC server runs in a datacenter or as a VM without interactive access, Server Core is the recommended deployment.
On Server Core, the WinUI 3 admin dashboard cannot run locally (no GUI). Instead, CYNC exposes a gRPC-over-HTTPS endpoint that the dashboard on a separate workstation connects to for remote administration.
1. Install CYNC on Server Core
Copy Cync.Setup.exe to the Server Core machine and install silently via the command prompt or PowerShell:
Cync.Setup.exe /quiet EnableRemoteAdmin=1
The installer detects Server Core and installs only the service component. The WinUI 3 dashboard is automatically excluded when no desktop shell is present. All prerequisites (.NET 10 runtime) are bundled for offline installation.
Note: On Server Core, the certificate for Entra ID authentication must be imported via PowerShell or certutil. See the certificate section of the Entra ID Setup guide.
2. Service management
CYNC registers as a Windows Service named CyncService. Use standard Windows service commands to manage it (written as sc.exe so they also work in Windows PowerShell, where sc is an alias for Set-Content):
Check service status
sc.exe query CyncService
Start the service
sc.exe start CyncService
Stop the service
sc.exe stop CyncService
Set to automatic start
sc.exe config CyncService start= auto
Or use PowerShell cmdlets:
Get-Service CyncService
Start-Service CyncService
Stop-Service CyncService
Restart-Service CyncService
The service runs as LocalSystem by default. It starts automatically on boot and continues syncing on the configured interval. Logs are written via Serilog and can be viewed locally or through the remote dashboard.
3. Remote administration via gRPC
The CYNC service includes a built-in gRPC server that the WinUI 3 dashboard can connect to over HTTPS. This allows full administration of a headless Server Core installation from your workstation.
How it works
Local (default)
When the dashboard and service are on the same machine, they communicate via a named pipe. No network configuration required.
Remote (gRPC/HTTPS)
When the dashboard is on a different machine, it connects to the service over HTTPS using gRPC. The connection is encrypted with TLS and authenticated with Basic authentication: you enter Windows admin credentials in the connect dialog, and the server validates them via LogonUser.
Remote capabilities
The remote dashboard provides the same functionality as the local dashboard:
- View sync status and real-time progress
- Trigger manual sync
- Configure Entra ID connection settings
- Manage source and target users
- View sync history and export to CSV
- View service logs remotely with level filtering
- Activate or deactivate license
- Change sync interval and other settings
- Check for updates and apply them with one click
4. HTTPS configuration
To enable remote administration, the CYNC service needs its HTTPS endpoint enabled. This is configured via appsettings.Production.json or the installer opt-in. Kestrel handles TLS natively - no netsh binding required.
Enable via installer
During silent install, pass the EnableRemoteAdmin=1 flag:
Cync.Setup.exe /quiet EnableRemoteAdmin=1
Enable manually
Create or edit appsettings.Production.json alongside the service binary:
{
  "Admin": {
    "Remote": {
      "Enabled": true,
      "Port": 5123,
      "CertificateThumbprint": ""
    }
  }
}
If CertificateThumbprint is left empty, CYNC auto-generates a self-signed certificate (CN=CyncRemoteAdmin, RSA-2048, 10-year validity) and stores it in the Local Machine certificate store.
Firewall
When running as a Windows Service, CYNC automatically creates a Windows Firewall rule (CYNC Remote Admin) for the configured port on Domain and Private profiles. No manual firewall configuration is needed.
If you prefer to manage the rule manually, you can create it with PowerShell:
New-NetFirewallRule `
    -DisplayName "CYNC Remote Admin" `
    -Direction Inbound `
    -LocalPort 5123 `
    -Protocol TCP `
    -Action Allow `
    -Profile Domain,Private
Connect from the dashboard
- Open the CYNC dashboard on your workstation.
- In the connection dialog, select Remote instead of the default Local (named pipe).
- Enter the server hostname or IP address and port (e.g. cync-server.contoso.com:5123).
- Enter your Windows admin username and password for the remote server. The credentials are sent via Basic authentication over TLS.
- Click Connect. The service validates the credentials and checks that the user is a member of the local Administrators group.
Authentication: Remote admin uses Basic authentication over TLS. The service validates credentials via Windows LogonUser and requires the authenticated user to be a member of BUILTIN\Administrators on the CYNC server.
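Because the connect dialog sends Windows admin credentials, it is worth confirming which certificate the endpoint presents before connecting, especially with the auto-generated self-signed certificate. The following is an added example, not part of the CYNC documentation or product: it performs only a TLS handshake from the workstation and compares the presented thumbprint with one read on the server; the thumbprint value is a placeholder, and the function name is hypothetical.

```powershell
# Added example. Host and port are the page's sample values;
# the expected thumbprint is a placeholder to be read on the server itself.
$HostName           = 'cync-server.contoso.com'
$Port               = 5123
$ExpectedThumbprint = '<THUMBPRINT-READ-ON-THE-SERVER>'

function Get-RemoteTlsCertificate {
    param([string]$HostName, [int]$Port)

    # Accept any certificate during this probe: the goal is only to read it,
    # and nothing beyond the TLS handshake is sent on this connection.
    $readOnly = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $readOnly)
        try {
            $ssl.AuthenticateAsClient($HostName)
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $client.Dispose() }
}

$cert = Get-RemoteTlsCertificate -HostName $HostName -Port $Port
$cert | Format-List Subject, Issuer, NotAfter, Thumbprint

# Thumbprints are compared as upper-case hex without spaces.
if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpper().Replace(' ', '')) {
    throw "Certificate mismatch on ${HostName}:${Port}; do not enter credentials."
}
'Thumbprint matches the certificate installed on the server.'
```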
Security considerations
- All remote connections use TLS (HTTPS) - credentials are never sent in plain text.
- Rate limiting is applied automatically (60 requests/min per remote IP) to protect against brute-force attacks on Basic auth.
- Restrict the firewall rule to specific source IPs (admin workstations) rather than allowing all inbound traffic.
- Use a certificate from your internal PKI or a trusted CA for TLS instead of the auto-generated self-signed certificate.
- The remote endpoint is disabled by default. Enable it only when remote administration is required.
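The firewall and certificate recommendations above can be applied on the server as follows. This is an added example, not CYNC's own tooling. It assumes appsettings.Production.json already contains the Admin:Remote section shown earlier, that the PKI-issued certificate is installed in Cert:\LocalMachine\My, and that the service reads the setting on restart; the workstation addresses, config path and certificate subject are placeholders.

```powershell
# Added example: the values below are placeholders/assumptions, not CYNC defaults.
$AdminWorkstations = @('10.0.10.21', '10.0.10.22')              # constructed sample addresses
$Port              = 5123                                       # port from the sample config
$ConfigPath        = '<CYNC-INSTALL-DIR>\appsettings.Production.json'   # placeholder path
$CertSubject       = 'CN=cync-server.contoso.com'               # assumed certificate subject
$RuleName          = 'CYNC Remote Admin'

# 1. Scope the inbound rule to the admin workstations only.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($rule) {
    $rule | Set-NetFirewallRule -RemoteAddress $AdminWorkstations
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
        -LocalPort $Port -Protocol TCP -Action Allow -Profile Domain,Private `
        -RemoteAddress $AdminWorkstations | Out-Null
}

# 2. Select a currently valid, CA-issued certificate that has a private key
#    and the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
$now  = Get-Date
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -eq $CertSubject -and $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        $_.Issuer -ne $_.Subject -and                     # skip self-signed certificates
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No suitable certificate for $CertSubject in LocalMachine\My" }

# 3. Write the thumbprint into the Admin:Remote section of the config file.
$config = Get-Content $ConfigPath -Raw | ConvertFrom-Json
$config.Admin.Remote.Enabled               = $true
$config.Admin.Remote.Port                  = $Port
$config.Admin.Remote.CertificateThumbprint = $cert.Thumbprint
$config | ConvertTo-Json -Depth 10 | Set-Content $ConfigPath -Encoding UTF8

# 4. Restart the service and confirm the rule's effective source scope.
Restart-Service CyncService
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Because the service creates the CYNC Remote Admin rule itself, re-run the final check after a service restart or upgrade to confirm the source restriction is still in place.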