Managing servers based on pairing keys to implement an administrative domain-wide policy

US9397892B2 · US · B2

Patent metadata
Publication number: US-9397892-B2
Application number: US-201414527372-A
Country: US
Kind code: B2
Filing date: Oct 29, 2014
Priority date: Nov 4, 2013
Publication date: Jul 19, 2016
Grant date: Jul 19, 2016

Abstract

Official abstract text for this publication.

A server is paired. A pairing request that includes a pairing key is received from an unpaired server. A determination is made regarding whether to approve or reject the pairing request. Making the determination comprises attempting to validate the pairing key in the pairing request. Responsive to determining to approve the pairing request: the unpaired server is notified that the unpaired server is now a managed server; a description of the managed server is generated, wherein the managed server description includes a set of one or more labels that describe the managed server; management instructions are generated for the managed server based on the managed server description and based on an administrative domain-wide management policy that includes a rule that refers to managed servers using a label; and the management instructions are sent to the managed server.

First claim

Opening claim text (preview).

The invention claimed is:

1. A method for pairing a server, comprising: receiving, from an unpaired server, a pairing request that includes a pairing key and a requested value representing one of: a requested label, a requested configured characteristic, or a requested server state; determining whether to approve or reject the pairing request, comprising: identifying a pairing profile that includes a pairing key that matches the pairing key in the pairing request; determining that the pairing profile includes a locked default value that matches the requested value; determining whether the locked default value differs from the requested value; and determining whether to approve or reject the pairing request based on whether the locked default value differs from the requested value; and responsive to determining to approve the pairing request: notifying the unpaired server that the unpaired server is now a managed server; generating a description of the managed server, wherein the managed server description includes a set of one or more labels that describe the managed server, wherein the generated managed server description uses the locked default value responsive to approval of the pairing request; generating management instructions for the managed server based on the managed server description and based on an administrative domain-wide management policy that includes a rule that refers to managed servers using a label; and sending the management instructions to the managed server.

2. The method of claim 1, further comprising: attempting to validate the pairing key in the pairing request, comprising: attempting to identify a pairing profile that includes a pairing key that matches the pairing key in the pairing request; and responsive to failing to identify the pairing profile that includes the pairing key that matches the pairing key in the pairing request: determining that the pairing key in the pairing request is invalid; and determining to reject the pairing request.

3. The method of claim 2, wherein attempting to validate the pairing key in the pairing request further comprises: responsive to identifying the pairing profile that includes the pairing key that matches the pairing key in the pairing request, determining whether the pairing key in the pairing request has been exhausted, has expired, or has been revoked; and responsive to determining that the pairing key in the pairing request has been exhausted, has expired, or has been revoked: determining that the pairing key in the pairing request is invalid; and determining to reject the pairing request.

4. The method of claim 1, wherein the pairing request further includes information regarding the unpaired server, and wherein determining whether to approve or reject the pairing request further comprises: identifying a pairing profile that includes a pairing key that matches the pairing key in the pairing request; determining that the pairing profile includes a test to perform using the unpaired server information; performing the test using the unpaired server information; and responsive to the test failing, determining to reject the pairing request.

5. The method of claim 4, wherein the test concerns the unpaired server's geographical location, operating system, service information, cloud service provider, or threat status.

6. The method of claim 1, further comprising responsive to determining to approve the pairing request and prior to notifying the unpaired server that the unpaired server is now the managed server: analyzing information associated with the unpaired server; and based on the analysis, approving or rejecting a change of the unpaired server to the managed server, wherein generating the managed server description comprises setting a server state of the managed server to a “managed” server state.

7. The method of claim 1, further comprising prior to receiving, from the unpaired server, the pairing request that includes the pairing key: generating the pairing key; and storing the pairing key.

8. The method of claim 7, further comprising prior to receiving, from the unpaired server, the pairing request that includes the pairing key: sending the pairing key to the unpaired server using out-of-band communication.

9. The method of claim 1, further comprising responsive to determining to reject the pairing request: generating a log entry that includes the pairing request, a reason for rejecting the pairing request, or a timestamp indicating when the rejection occurred; and storing the log entry.

10. A non-transitory computer-readable storage medium storing computer program modules for pairing a server, the computer program modules comprising instructions for performing steps comprising: receiving, from an unpaired server, a pairing request that includes a pairing key and a requested value representing one of: a requested label, a requested configured characteristic, or a requested server state; determining whether to approve or reject the pairing request, comprising: identifying a pairing profile that includes a pairing key that matches the pairing key in the pairing request; determining that the pairing profile includes a locked default value that matches the requested value; determining whether the locked default value differs from the requested value; and determining whether to approve or reject the pairing request based on whether the locked default value differs from the requested value; and responsive to determining to approve the pairing request: notifying the unpaired server that the unpaired server is now a managed server; generating a description of the managed server, wherein the managed server description includes a set of one or more labels that describe the managed server, wherein the generated managed server description uses the locked default value responsive to approval of the pairing request; generating management instructions for the managed server based on the managed server description and based on an administrative domain-wide management policy that includes a rule that refers to managed servers using a label; and sending the management instructions to the managed server.

11. The non-transitory computer-readable storage medium of claim 10, wherein the computer program modules further comprise instructions for performing steps comprising: attempting to validate the pairing key in the pairing request comprising: attempting to identify a pairing profile that includes a pairing key that matches the pairing key in the pairing request; and responsive to failing to identify the pairing profile that includes the pairing key that matches the pairing key in the pairing request: determining that the pairing key in the pairing request is invalid; and determining to reject the pairing request.

12. The non-transitory computer-readable storage medium of claim 11, wherein attempting to validate the pairing key in the pairing request further comprises: responsive to identifying the pairing profile that includes the pairing key that matches the pairing key in the pairing request, determining whether the pairing key in the pairing request has been exhausted, has expired, or has been revoked; and responsive to determining that the pairing key in the pairing request has been exhausted, has expired, or has been revoked: determining that the pairing key in the pairing request is invalid; and determining to reject the pairing request.

13. The non-transitory computer-readable storage medium of claim 10, wherein the pairing request further includes information regarding the unpaired server, and
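
The approve/reject decision of claims 1 to 3 and the rejection log of claim 9, as an added sketch that is not code from the patent or its assignee. The PairingProfile fields, the reason strings, the sample key and the rule that a requested value differing from a locked default leads to rejection are assumptions made for the example.

```python
import hmac
from dataclasses import dataclass

@dataclass
class PairingProfile:              # hypothetical structure, not taken from the patent
    key: str
    locked: dict                   # locked defaults, e.g. {"role": "web"}
    max_uses: int
    expires_at: float              # epoch seconds
    revoked: bool = False
    uses: int = 0

REJECT_LOG = []                    # claim 9: request, reason and timestamp per rejection

def _reject(request, reason, now):
    # Design choice of this sketch: the submitted key is kept out of the log.
    logged = {k: v for k, v in request.items() if k != "pairing_key"}
    REJECT_LOG.append({"request": logged, "reason": reason, "timestamp": now})
    return {"approved": False, "reason": reason}

def handle_pairing_request(profiles, request, now):
    submitted = str(request.get("pairing_key", "")).encode()
    # Claim 2: no profile with a matching key means the key is invalid.
    profile = next((p for p in profiles
                    if hmac.compare_digest(p.key.encode(), submitted)), None)
    if profile is None:
        return _reject(request, "unknown pairing key", now)
    # Claim 3: a revoked, expired or exhausted key is invalid.
    if profile.revoked:
        return _reject(request, "revoked", now)
    if now >= profile.expires_at:
        return _reject(request, "expired", now)
    if profile.uses >= profile.max_uses:
        return _reject(request, "exhausted", now)
    # Claim 1: compare requested values with the profile's locked defaults.
    # Assumption of this sketch: a differing value means rejection.
    requested = request.get("requested", {})
    for name, value in requested.items():
        if name in profile.locked and profile.locked[name] != value:
            return _reject(request, "locked value differs: " + name, now)
    profile.uses += 1
    # The managed server description takes the locked defaults.
    labels = {**requested, **profile.locked}
    return {"approved": True, "description": {"state": "managed", "labels": labels}}

# Constructed sample profile; the key is a made-up placeholder.
SAMPLE = PairingProfile(key="PK-constructed-0001", locked={"role": "web", "env": "prod"},
                        max_uses=2, expires_at=2000.0)
```

The use counter is incremented only on approval, so rejected requests do not consume a limited-use key.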

Classifications

  • H04L63/08 (Primary): for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32)

  • for controlling access to devices or network resources

  • for managing network security; network security policies in general (filtering policies H04L63/0227)

  • Assignment of logical groups to network elements

  • Entity profiles

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Illumio Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/08. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jul 19, 2016 (B2). Legal status and post-grant events are not shown on this page.