Remote Control Domain Controller

This topic contains 9 replies, has 4 voices, and was last updated by Richard Diphoorn 7 months, 1 week ago.

  • #38055
    Alan Willis
    Participant

    I was watching an MVA (Microsoft Virtual Academy) video by Jason Helmick and Jeffrey Snover on PowerShell 3.0. It seemed like a good place to start and learn the fundamentals, so I started following along with them through examples for Enter-PSSession to remotely control one of the domain controllers. I started the PowerShell ISE as an Administrator on my workstation; the example failed with the following description.

    PS C:\WINDOWS\system32> Enter-PSSession -ComputerName co-5023
    Enter-PSSession : Connecting to remote server co-5023 failed with the following error message : WinRM cannot complete the operation. Verify that the specified computer
    name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By
    default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. For more information, see the
    about_Remote_Troubleshooting Help topic.
    At line:1 char:1
    + Enter-PSSession -ComputerName co-5023
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (co-5023:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

    I checked the Get-Help about_Remote_Troubleshooting and followed the suggestions to isolate the problem without success.

    I am brand new to PowerShell and not afraid to read or listen when someone with experience offers a suggestion. I work for a small school district and we have a single domain. I have multiple domain controllers, both physical and virtual (running Hyper-V). I was really intrigued with the option of automating several tasks through PowerShell and disappointed when I was unable to use the tool properly.

    Any and all help appreciated.

  • #38062
    Arie H
    Participant

    Read about how to configure and enable WinRM. IIRC on domain controllers it's disabled and not configured, for security reasons.

    This is also assuming you don't have Windows Firewall blocking, as it's a domain controller, in which case further reading on network ports used by WinRM should point you to the necessary ports that you need to open.

    might help but not only.

  • #38065
    Alan Willis
    Participant

    Hi Arie
    The domain controller is Windows Server 2012 R2, and I went through about_Remote_Troubleshooting, including Get-Service WinRM to make sure it was running, and also checked the advanced settings on the firewall. My admin workstation is running Windows 10 Pro, and both the workstation and the domain controller are running WMF 5.0.
    I'm sure I am overlooking a simple setting or syntax to allow me to access the domain controller. When Jason demonstrated how easy it was, I was impressed. I should have remembered Murphy's Law: "when everything seems to be going fine you've obviously overlooked something".
    Thanks for the suggestion Arie, at least I know I'm not alone in the PowerShell Universe 🙂

  • #38095
    Arie H
    Participant

    Hi Alan,

    You're not alone in the PowerShell Universe. We're all but Get-StarDust 🙂

    Try running Enter-PSSession from a different server or station.
    Try from the domain controller itself.

    I assume you run PowerShell with admin rights and that your domain user has sufficient permission on the domain controller.
    I also assume you don't have a group policy set to disable the necessary service.

    If RM is configured correctly, you should be able to run something like this:
    Get-Service -ComputerName DC1
    If this works, the RemoteManagement works even if PowerShell remoting doesn't, in which case PowerShell remoting is the culprit.

  • #38121
    Richard Diphoorn
    Participant

    Normally this would work out of the box on W10 & W2012R2, if they are in the same domain and/or you use the proper permissions. PSRemoting is enabled by default.

    Is name resolving working correctly for the target from your W10 computer?

    What does Test-WSMan give you when you run that on the target?

    Try to troubleshoot with the help of: https://www.penflip.com/powershellorg/secrets-of-powershell-remoting/blob/master/diagnostics-and-troubleshooting.txt

  • #38125
    Justin King
    Participant

    To be clear, the WinRM service running is NOT enough to ensure you can connect to the box. The service supports limiting source IPs and other tricks. Quick and dirty way to get it working: "winrm quickconfig". It will check the service, ensure permissions are defaulted, and open the firewall ports. Be aware this makes WinRM open to anyone in the domain with creds, which may or may not be a good thing.

  • #38132
    Alan Willis
    Participant

    Hi again Arie
    Looking at your note:
    All commands were run from an elevated Administrator prompt, ISE 64-bit.
    We are a small school district and I personally created the Windows Server 2012 R2 machine I am trying to connect to from my workstation.
    The Server Manager on my workstation allows me to initiate a Remote Desktop session without any problems. I was really hoping to be able to learn enough to automate several of my daily tasks with a script.

    I have tried Enter-PSSession from my workstation as well as several of the member servers and both of the domain controllers. Each time it gives me the following information:

    PS C:\Windows\system32>
    PS C:\Windows\system32> Enter-PSSession

    cmdlet Enter-PSSession at command pipeline position 1
    Supply values for the following parameters:
    ComputerName: co-aww-14
    Enter-PSSession : Connecting to remote server co-aww-14 fail
    the destination is running and is accepting requests. Consul
    the WinRM service, run the following command on the destinat
    At line:1 char:1
    + Enter-PSSession
    + ~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (co-aww-14:St
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

    I am certain there is an answer to the problem once I learn enough to ask the correct question.

    patient and persistent
    Alan

  • #38135
    Alan Willis
    Participant

    Hi Richard and Justin
    Testing both recommendations, I got the following results:

    PS C:\Windows\system32> test-wsman

    wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
    ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
    ProductVendor : Microsoft Corporation
    ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0

    PS C:\Windows\system32> winrm quickconfig
    WinRM service is already running on this machine.
    WinRM is already set up for remote management on this computer.
    PS C:\Windows\system32>

    I am inside our domain (small school district, small domain) 🙂

    Richard, I will go through the article you referenced.

    still patient and persistent and thanks to everyone
    Alan

  • #38186
    Alan Willis
    Participant

    Hello Arie, Richard and Justin
    Thanks for all the help and suggestions.
    Richard, the article you referenced,
    powershellorg · Secrets of PowerShell Remoting,
    pointed me in the right direction, and it was a blocked port or, more to the point, a missing checkmark on the firewall settings. With that part behind me I can continue following the tutorials shown in the Microsoft Virtual Academy and hopefully learn a little.

    Again, my thanks to all of you
    Alan

  • #38193
    Richard Diphoorn
    Participant

    That's great to hear Alan! Enjoy your PowerShell experience!
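
The checks discussed in this thread (name resolution, the WinRM port, Test-WSMan against the target, and the firewall rule that turned out to be the cause), collected as an added example that is not part of any post above. It assumes the default WinRM HTTP port 5985 and the built-in firewall rule name `WINRM-HTTP-In-TCP`; the function names and the 10.0.10.0/24 admin subnet are constructed for illustration.

```powershell
# Added example, not from the thread. Run Test-WinRMPath on the admin workstation.
function Test-WinRMPath {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 5985   # default WinRM HTTP listener port (5986 for HTTPS)
    )
    $result = [ordered]@{ ComputerName = $ComputerName; Dns = $false; Tcp = $false; WSMan = $false }

    # 1. Name resolution: a failure here is not a WinRM problem at all.
    try { $null = Resolve-DnsName -Name $ComputerName -ErrorAction Stop; $result.Dns = $true } catch { }

    # 2. TCP reachability: false with working DNS usually points at a firewall.
    if ($result.Dns) {
        $tcp = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
        $result.Tcp = $tcp.TcpTestSucceeded
    }

    # 3. WS-Management identify request sent to the remote listener.
    #    Test-WSMan without -ComputerName only proves the local listener answers.
    if ($result.Tcp) {
        try { $null = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop; $result.WSMan = $true } catch { }
    }
    [pscustomobject]$result
}

# Run this one on the target itself (for example over Remote Desktop): lists the
# inbound WinRM rules, whether each is enabled, for which profiles, and from where.
function Get-WinRMFirewallScope {
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
        Select-Object Name, Enabled, Profile,
            @{ Name = 'RemoteAddress'; Expression = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } }
}

# Workstation:  Test-WinRMPath -ComputerName 'co-5023'
# Target:       Get-WinRMFirewallScope
#
# Scoped alternative to leaving the port reachable from the whole domain: enable the
# rule but accept connections only from the admin subnet (constructed value). Confirm
# the rule name with Get-WinRMFirewallScope first.
#   Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -Enabled True -RemoteAddress '10.0.10.0/24'
```

A result of `Dns = True`, `Tcp = False` matches the outcome reported in this thread, where the WinRM service was running but the inbound firewall rule was not enabled.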
