System administration
Igor, 2021-12-10 14:01:25

How to properly configure Windows Server management through WAC in a domain?

I ran into non-trivial behavior of all remote management services within a domain. At some point, for no apparent reason, Windows Admin Center lost access to all remote machines in the domain and started throwing an error:

Failed to connect to the remote server name.domainname. Error message: WinRM cannot complete the operation. Make sure that the computer name is correct, that the computer is reachable over the network, and that the firewall has an exception for the WinRM service that allows access to this computer. By default, the WinRM firewall exception for public profiles restricts access to remote computers on the same local subnet. See the "about_Remote_Troubleshooting" help topic for details.

At the same time, when I try to open a remote PowerShell session, it succeeds for some machines, while others throw errors such as:

Enter-PSSession : Connecting to remote server name.domainname failed with the following error message: Access is
denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession name.domainname
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (name.domainname:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed


It gets to the point of absurdity: there are two servers completely identical in hardware, put into operation at the same time, with the same edition of Windows Server Core installed from the same source, plugged into neighboring switch ports; one is reachable, the second is not.

To rule out incorrect settings on the hosts, a group policy similar to this one was rolled out to the systems: https://support.auvik.com/hc/en-us/articles/204424... with a couple of nuances (no IPv6, and delayed start of the WinRM service instead of immediate).

The rules were rolled out with gpupdate /force. Checking the winrm listener returns quite live-looking parameters:

winrm e winrm/config/listener
Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, %all other local IP addresses%


One could blame the firewall, but I tried opening everything, without success:
Get-NetFirewallRule -DisplayName "Windows Remote Management*"


Name                          : WINRM-HTTP-In-TCP
DisplayName                   : Windows Remote Management (HTTP-In)
Description                   : Inbound rule for Windows Remote Management via WS-Management. [TCP 5985]
DisplayGroup                  : Windows Remote Management
Group                         : @FirewallAPI.dll,-30267
Enabled                       : True
Profile                       : Domain, Private
Platform                      : {}
Direction                     : Inbound
Action                        : Allow
EdgeTraversalPolicy           : Block
LooseSourceMapping            : False
LocalOnlyMapping              : False
Owner                         :
PrimaryStatus                 : OK
Status                        : The rule was parsed successfully from the store. (65536)
EnforcementStatus             : NotApplicable
PolicyStoreSource             : PersistentStore
PolicyStoreSourceType         : Local
RemoteDynamicKeywordAddresses : {}

Name                          : WINRM-HTTP-Compat-In-TCP
DisplayName                   : Windows Remote Management - Compatibility Mode (HTTP-In)
Description                   : Compatibility mode inbound rule for Windows Remote Management via WS-Management. [TCP 80]
DisplayGroup                  : Windows Remote Management (Compatibility)
Group                         : @FirewallAPI.dll,-30252
Enabled                       : False
Profile                       : Any
Platform                      : {}
Direction                     : Inbound
Action                        : Allow
EdgeTraversalPolicy           : Block
LooseSourceMapping            : False
LocalOnlyMapping              : False
Owner                         :
PrimaryStatus                 : OK
Status                        : The rule was parsed successfully from the store. (65536)
EnforcementStatus             : NotApplicable
PolicyStoreSource             : PersistentStore
PolicyStoreSourceType         : Local
RemoteDynamicKeywordAddresses : {}

Name                          : WINRM-HTTP-In-TCP-PUBLIC
DisplayName                   : Windows Remote Management (HTTP-In)
Description                   : Inbound rule for Windows Remote Management via WS-Management. [TCP 5985]
DisplayGroup                  : Windows Remote Management
Group                         : @FirewallAPI.dll,-30267
Enabled                       : True
Profile                       : Public
Platform                      : {}
Direction                     : Inbound
Action                        : Allow
EdgeTraversalPolicy           : Block
LooseSourceMapping            : False
LocalOnlyMapping              : False
Owner                         :
PrimaryStatus                 : OK
Status                        : The rule was parsed successfully from the store. (65536)
EnforcementStatus             : NotApplicable
PolicyStoreSource             : PersistentStore
PolicyStoreSourceType         : Local
RemoteDynamicKeywordAddresses : {}


The Internet is full of suggestions to run winrm quickconfig on the remote machines, which plays no role here since group policy is applied, or to either allow listening on IPv6 addresses or disable IPv6 completely on the remote network card (I tried both options, unsuccessfully).

MMC snap-ins behave in the diametrically opposite way: they connect to the hosts successfully, but a good half of the tabs throw Access Denied, after which the process freezes completely.

The only working crutch is installing Google Chrome on Windows Server Core and managing the server from a local browser, but that is a stunt you don't want to make a local standard.

What am I doing wrong? I'm already exhausted.
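The post shows listener and firewall output but not the two things that decide the outcome of the errors quoted above: which profile each NIC actually landed in (the first error cites the public-profile LocalSubnet restriction, and Get-NetFirewallRule on its own hides the remote-address scope of each rule), and what the client is resolving and authenticating against (Kerberos only succeeds when the name you connect by matches the target's SPN). The following diagnostic script is an added example and is not from the original post or from Windows Admin Center; $Target is an assumed placeholder for a failing host such as the name.domainname above, and it is meant to be run as a domain admin from the WAC gateway or an admin workstation.

```powershell
# Added diagnostic script, not part of the original post. $Target is an assumed placeholder
# for a host that fails (e.g. 'name.domainname'). Run as a domain admin from the admin box.
param([Parameter(Mandatory)][string]$Target)

Write-Host "== 1. DNS: Kerberos needs the name you connect by to match the target's SPN =="
$dns = Resolve-DnsName -Name $Target -ErrorAction SilentlyContinue
$dns | Select-Object Name, Type, IPAddress | Format-Table -AutoSize
if ($dns | Where-Object Type -eq 'CNAME') {
    Write-Warning "Alias name: connect by the A-record host name, or Kerberos fails with 'Access is denied'."
}
if ($dns | Where-Object Type -eq 'AAAA') {
    Write-Warning "AAAA record present: compare with the target's IPv6Filter and ListeningOn below."
}

Write-Host "== 2. TCP 5985 reachable? (a failure here is listener/firewall/network, not authentication) =="
Test-NetConnection -ComputerName $Target -Port 5985 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded

Write-Host "== 3. WS-Man: anonymous Identify first, then the Kerberos-authenticated path =="
Test-WSMan -ComputerName $Target -ErrorAction Continue
Test-WSMan -ComputerName $Target -Authentication Kerberos -ErrorAction Continue

# Checks that must run ON the target. Invoke-Command only works if WinRM already works;
# otherwise paste the $onTarget block into the Server Core console.
$onTarget = {
    Get-Service WinRM | Select-Object Name, Status, StartType
    # Effective GPO values behind "Allow remote server management through WinRM";
    # an empty IPv6Filter means the listener binds no IPv6 address at all.
    Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' -ErrorAction SilentlyContinue |
        Select-Object AllowAutoConfig, IPv4Filter, IPv6Filter
    winrm enumerate winrm/config/listener
    # The error text cites the public-profile restriction: see which profile each NIC is in.
    Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity, IPv6Connectivity
    # Get-NetFirewallRule alone hides the scope; the default Public WinRM rule is limited to LocalSubnet.
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' | ForEach-Object {
        $scope = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $_.Name
            Enabled       = $_.Enabled
            Profile       = $_.Profile
            RemoteAddress = ($scope.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
    # Session ACL of the default endpoint: who may open a session at all (requires elevation).
    Get-PSSessionConfiguration -Name 'Microsoft.PowerShell' | Select-Object Name, Permission
}

try {
    Invoke-Command -ComputerName $Target -ScriptBlock $onTarget -ErrorAction Stop
} catch {
    Write-Warning "Remote execution failed ($($_.Exception.Message)); run the `$onTarget block locally on $Target."
}
```

Saved as, say, Test-WinRmTarget.ps1 (assumed name), it is run as `.\Test-WinRmTarget.ps1 -Target name.domainname`. Read the sections in order: if step 2 fails, the problem is the listener, the firewall scope or the network path and authentication is irrelevant; if step 2 and the anonymous Identify succeed but the Kerberos call fails, look at the DNS result, the NetworkCategory of the interface and the session ACL on the target. Running the same script against the reachable twin server and diffing the two outputs is the quickest way to find what differs between two "identical" hosts.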
