Remote management and remote powershell is not working in new 2012 domain

I set up a windows 2012 domain in a test lab to prepare for migrating us to a new 2012 domain in one of our environments.

I created a DC with DNS, DHCP, etc.  That part went fine....

I then gave my user account enterprise admin and domain admin groups

I then created 2 new member server VMs.

I added them to server manager on the 2012 DC and I cannot remotely manage them or view any information or remote power access on them.  

From server manager I see:

The metadata failed to be retrieved from the server due to the following error: the winRM client received an HTTP server error status 500.

I also see:

ONLINE - Data retrieval failures occured

If I launch powershell to another server it says:

servername failed with the following error message: the winRM client received an HTTP server error status 500 but the remote service did not include any other information about the cause of the failure.
FullyQualifiedErrorId:  CreateRemote RunspaceFailed

I have WinRM enabled by default on these servers.

I appear to be missing something here....

What is needed to get this working?

It is possible that I am missing some roles or features that need to be installed but I am having problems finding out exactly what needs to be installed to make WinRM function.
NBFAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

arrorynCommented:
I think the OOB setting for Server 2012 has the firewall restricting remote access.

Directly on the two member servers, you want to open powershell and run "sconfig"

This menu will allow you to enable RDP access, remote management etc.

Sconfig tool
0
NBFAuthor Commented:
Remote management is configured to ON by default.  I set it again using powershell and it had no effect.  I must still be missing some setup or components.  I still need help.  I still can't find any decent, "how to set this up" documentation and what I have found is not complete.
0
NBFAuthor Commented:
i disabled the firewall completely and I can now remote manage the event logs, etc however it still says online data retrieval failure in the server manager.  So something other than firewall rules must be the problem.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

NBFAuthor Commented:
Installing features and remote Restart options are also greyed out.
0
NBFAuthor Commented:
I have done the following as troubleshooting steps:

1.  Installed WinRM IIS Extension
2. Run powershell command from as admin Configure-SMRemoting.exe -enable
3.  Run winrm quickconfig

None of this has worked.  I still cannot remote powershell, add roles and features, restart server through server manager on remote systems.  Restart server and add roles is greyed out.  

Same errors specified above continue.
Capture1.JPG
Capture2.JPG
0
Rob StoneCommented:
Can you do any remote management via powershell?

Try from Test-2012-APP1:
Invoke-Command -computername "Test-2012-APP2" {Get-Services}

In my lab I had some WinRM issues when I had DHCP configured on router and my IP's weren't static (and changed hence errors).
0
NBFAuthor Commented:
All servers have static IPs in my test lab and are properly in DNS.

If I try to remote powershell in either direction to any server in the domain I get the error in the attached screenshot.
Capture3.JPG
0
NBFAuthor Commented:
All server times are properly syncing with the DC.  All have the same time zone as well.
0
NBFAuthor Commented:
I still need help with this.

I built a brand new 2nd test lab this time with 2012 R2 Preview build.

I set up a AD//DNS server and 2 member servers again.  Added the 2 member servers to server manager and all of the exact same problems are here as well.  Something is missing out of the setup documentation.  Anyone know how to get remote administration working, specifically to fix the greyed out options as well as remote powershell?
0
Rob StoneCommented:
I found these commands, it may help narrow down the issue.  I haven't tried the 2012 R2 preview build, but was the first lab built with 2012 RTM eval?

When testing the commands below you can use IP Address or hostname.

Test WinRM communication on the local and remote machines

This section addresses how to test whether WinRM is working on the local system, and whether it can communicate with the remote system. Test remote communication in both directions between machines.

Local communication:

Locate listeners and addresses: (No output means WinRM is not installed)
    winrm e winrm/config/listener

Localhost Ping:
(Successfully completing this step pretty much insure complete access to WSMan on the local system)
    Winrm id

Further:
Check state of configuration settings:
    winrm get winrm/config

Check the state of WinRM service:
    winrm get wmicimv2/Win32_Service?Name=WinRM


Remote communication:
Locate listeners and addresses:
    winrm e winrm/config/listener

Remote Ping:
(Successfully completing this step pretty much insure complete access to WSMan on the remote system)
    Winrm id –r:machinename

Further:
Check state of configuration settings:
    winrm get winrm/config -r:machinename

Check the state of WinRM service:
    winrm get wmicimv2/Win32_Service?Name=WinRM -r:machinename


The only other thing I wondered was, what state the ExecutionPolicy was set to in the R2 eval. You can run Get-ExecutionPolicy in powershell to check the current level. It may be worth having it set to RemoteSigned or Unrestricted in this lab environment (use Set-ExecutionPolicy RemoteSigned).
0
NBFAuthor Commented:
My first lab was 2012 retail version available on MS VLC site.  Newly built and fully patched very basic config.  The 2nd test lab with the exact same behavior is 2012 R2 preview.  All I did was build 3 servers, use static IPs, set up one as AD/DNS and the others as member servers, disabled firewall, winRM is on by default, installed WINRM IIS extensions, .net Framework 4.5 is installed.  Something is missing.......  I am blaming my config at this point but I don't know what I am missing.  All of the MS documentations makes it appear that this should work out of the box on 2012 and 2012 R2 preview.

I will run these commands today and see what I can come up with.
0
NBFAuthor Commented:
Well it looks like the issue is the 500 error that is returned.  This occurs when testing in both directions from any server.  Whenever testing locally it works just fine on all 3 servers.  Unfortuantely I cannot get many hits when searching for these errors via google so I am still stumped why WINRM won't respond with anything but a 500 error remotely but will respond fine locally.  Here is an example output from 1 of my 3 servers during these tests.  The output is identical on the other 2 servers aside from a difference in IP address.

C:\Users\Administrator>winrm e winrm/config/listener Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 172.16.53.2, ::1, fe80::5efe:172.16.53.2%13, fe80::
9da6:bfbb:b459:2cf3%12

C:\Users\Administrator>Winrm id
IdentifyResponse
    ProtocolVersion = http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
    ProductVendor = Microsoft Corporation
    ProductVersion = OS: 6.3.9431 SP: 0.0 Stack: 3.0
    SecurityProfiles
        SecurityProfileName = http://schemas.dmtf.org/wbem/wsman/1/wsman/secprof
ile/http/spnego-kerberos


C:\Users\Administrator>winrm get winrm/config Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;G
XGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = false
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 10
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 25
        MaxMemoryPerShellMB = 1024
        MaxShellsPerUser = 30

C:\Users\Administrator>winrm get wmicimv2/Win32_Service?Name=WinRM Win32_Service
    AcceptPause = false
    AcceptStop = true
    Caption = Windows Remote Management (WS-Management)
    CheckPoint = 0
    CreationClassName = Win32_Service
    Description = Windows Remote Management (WinRM) service implements the WS-Ma nagement protocol for remote management. WS-Management is a standard web service s protocol used for remote software and hardware management. The WinRM service l istens on the network for WS-Management requests and processes them. The WinRM S ervice needs to be configured with a listener using winrm.cmd command line tool or through Group Policy in order for it to listen over the network. The WinRM se rvice provides access to WMI data and enables event collection. Event collection  and subscription to events require that the service is running. WinRM messages use HTTP and HTTPS as transports. The WinRM service does not depend on IIS but i s preconfigured to share a port with IIS on the same machine.  The WinRM service  reserves the /wsman URL prefix. To prevent conflicts with IIS, administrators s hould ensure that any websites hosted on IIS do not use the /wsman URL prefix.
    DesktopInteract = false
    DisplayName = Windows Remote Management (WS-Management)
    ErrorControl = Normal
    ExitCode = 0
    InstallDate = null
    Name = WinRM
    PathName = C:\Windows\System32\svchost.exe -k NetworkService
    ProcessId = 936
    ServiceSpecificExitCode = 0
    ServiceType = Share Process
    Started = true
    StartMode = Auto
    StartName = NT AUTHORITY\NetworkService
    State = Running
    Status = OK
    SystemCreationClassName = Win32_ComputerSystem
    SystemName = TEST-2012R2-DC
    TagId = 0
    WaitHint = 0

C:\Users\Administrator>winrm id -remote:test-2012r2app1 WSManFault
    Message = The WinRM client received an HTTP server error status (500), but t he remote service did not include any other information about the cause of the f ailure.

Error number:  -2144108176 0x80338170
The WinRM client received an HTTP server error status (500), but the remote serv ice did not include any other information about the cause of the failure.

C:\Users\Administrator>winrm id -remote:test-2012r2app2 WSManFault
    Message = The WinRM client received an HTTP server error status (500), but t he remote service did not include any other information about the cause of the f ailure.

Error number:  -2144108176 0x80338170
The WinRM client received an HTTP server error status (500), but the remote serv ice did not include any other information about the cause of the failure.

All of the WinRM commands run remotely against another server produce these same error messages so I only included this one error.
0
NBFAuthor Commented:
http://morgansimonsen.wordpress.com/2009/11/14/winrm-problem-on-new-exchange-2010-server/

I tried removing and reinstalling WINRM IIS EXT using powershell commands:

Import-Module ServerManager
remove-WindowsFeature WinRM-IIS-Ext

and then...

Import-Module ServerManager
Add-WindowsFeature WinRM-IIS-Ext

This successfully removed and reinstalled winRM however it still does not function and I get 500 errors.
0
NBFAuthor Commented:
I also tried running:
winrm invoke Restore winrm/Config @{}

This should remove the listener however when I run it I get output that says "Restore_OUTPUT" which is what I should see but then I run winrm e winrm/config/listener and it still shows there is a listener listening on port 5985.  It should be deleting the listener and not showing anything.  This is odd to me...
0
Rob StoneCommented:
With your servers, are they all physical? I wonder if a network firewall is blocking the traffic?

You could try adding Hyper-V and spin up a VM to see if RM works. I have to admit that my lab runs off VM's atm, but when I used a hub I was OK when working with Physical's.
0
NBFAuthor Commented:
This is a virtual environment on a single subnet in an isolated test network.  172.16.53.2 is the DC, 172.16.53.3 is server 1, 172.16.53.4 is server 2.  Firewall is disabled on the VMs.  No physical firewall exists between the servers.
0
NBFAuthor Commented:
I solved the issue.



I built 2 more 2012R2 servers in production.  These servers winRM worked out of the box.   I realized in my test lab we have a proxy server for internet access.

I had to run the command netsh WINHTTP set proxy xxx.xxx.xxx.xxx:xxxx to force windows update to use the proxy server to download updates.  I think this is what is breaking winRM and why I get the 500 errors.

Kind of a bummer that you can't set this proxy up and have winRM function at the same time...
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
NBFAuthor Commented:
found my own answer
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.