Tuesday, June 30, 2015

Windows Server 2012 R2 - Aspects of Remote Management - Down-level Servers

In my last blog post, I examined aspects of remote management with Windows 2012 R2 where the server to be managed (the target server) was running Windows 2012 R2. In this blog post, I'll take a look at managing "down-level" servers, in particular Windows 2008 R2, with Server Manager.

Concerning remote management, Windows 2012 R2 is different compared to previous server versions in two ways:
  • Unlike Windows 2008/R2 (but like Windows 2012), WinRM and remote PowerShell are enabled by default. Of course, the administrator must still authenticate to the remote server before executing commands.
  • The execution policy for PowerShell scripts is set to RemoteSigned (by default) in Windows 2012 R2. The default setting for all other recent Windows operating systems, including Windows 8.1, 8.0, 7, and even 2012 (server), is Restricted.

In the lines that follow, I'll demonstrate how we can add down-level servers to Server Manager, some the the problems we may encounter, and some troubleshooting.

First of all, we should be aware of some pre-requisites:

If we want to manage Windows 2008/R2 servers  from Windows 2012 R2, the down-level servers should have these pre-requisites installed:
  • .NET Framework 4.5
  • Windows Management Framework (WMF) 4.0

If we are using Windows 2012, we would install these versions on the down-level servers:
  • .NET Framework 4.0
  • Windows Management Framework (WMF) 3.0

If we want to use WinRM to manage the remote servers, we have to execute the following command on those servers:

winrm qc

or...

winrm quickconfig

I'll dissect what this command accomplishes by attempting to add a Windows 2008 R2 server to Server Manager without running it first.

In this test lab, we have:

  • DC10: the remote server running Windows 2008 R2
  • SVR1: the Windows 2012 R2 server with Server Manager.


It seems that we can add DC10 to Server Manager without a problem:






However, we have an error.



Let's troubleshoot this.

1. Server Manager uses WinRM. Is the WinRM service started?

PS C:\> get-service winrm | fl name,status

Name   : winrm
Status : Running



2. What about firewall rules?

WinRM access is governed by the "Windows Remote Management" rule. Get-NetFirewallRule does not seem to work with Windows 2008 R2 even though I have installed PowerShell version 4:

PS C:\> Get-NetFirewallRule
Get-NetFirewallRule : The term 'Get-NetFirewallRule' is not recognized as the name of a cmdlet, function, script file, or operable program.

PS C:\> $psversiontable

Name          Value
----          -----
PSVersion     4.0
[...]

So let's use the venerable NETSH command (click to enlarge):



No, the rule is not enabled.

We can enable the rule in the Windows Firewall console or with NETSH:

PS C:\> netsh advfirewall firewall set rule group="Windows Remote Management" new enable=yes

Updated 2 rule(s).
Ok.



Can we connect to DC10 now? No, the error persists:





3. Has a WinRM listener been configured?

Apparently not:

PS C:\> winrm enumerate winrm/config/listener
PS C:\>

Running the command "winrm qc" will configure all that needs to be configured for remote access. It would make sense to run it from the start. It is only to demonstrate with it accomplishes (and how we might troubleshoot) that I did not run it immediately in this example. Moreover, running the command summarizes what it does:

PS C:\> winrm qc

WinRM service is already running on this machine.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:

Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.

Make these changes [y/n]? y

WinRM has been updated for remote management.

Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.

Now if we run the same command as above, we see that a listener has been enabled:

PS C:\> winrm enumerate winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 172.16.0.10, ::1 [...]


Once we have completed all the steps above, we can manage the down-level target server with Server Manager.


2 comments:

  1. I would like to share with you my experience, I went to www.vanskeys.com to buy a key, to my surprise, their attitude is very good, but the key work is normal, there is very little money I spent, very happy the first purchase and recommend it to you.

    ReplyDelete
    Replies

    1. windows 10 pro product key sale , upgrade windows 7 starter cd key windows 7 professional cd key , windows 10 serial key not working , buy windows 10 product key , windows 10 product keys free , windows 10 activation windows 7 product key , windows 10 product key numbers , windows 10 activation , lrV86W

      windows server 2012 r2 buy

      office 2013 key sale

      cheap rosetta stone french

      Delete