<div>
By default, only admins can use PS Remoting connections. Isn't that sufficient for security?<br />
<br />
The trusted host setting in WSMan only applies to outbound connections. It is a security means only for restricting to which machines you can connect to - if you do bot want or are not able to use Kerberos, that is.<br />
<br />
So no, setting trusted hosts is no common practise, because almost useless, for servers.
</div>


<div>
Not sure what exactly you are trying to achieve<br />
<br />
The scenario you are asking is practically not possible most of the time<br />
1st of all if you have 200 domain controllers, this is very big environment and it might not be possible to connect all DCs with each other because of network constraints / connectivity<br />
<br />
Now when you say PS remoting to be enabled between domain controllers only, by default when you enable communication between two DCs, you need to enable most of the ports (I can say any-any)<br />
<br />
As far as I understand PS-Remoting, it is allows you to connect to server from your workstation via PowerShell, is that what you are trying to achieve?<br />
In that case not sure why you want to remoting to 200 DCs via powershell, AD administration should be done from admin workstation and you should keep administration points as minimum as possible to manage AD effectively<br />
<br />
You may use script provided in below post to PS-Remoting to DC from your workstation<br />
<a href="http://theitjesus.com/powershell-remote-session-to-domain-controller/" rel="ugc">http://theitjesus.com/powershell-remote-session-to-domain-controller/</a>
</div>


<div>
In case we need to run a script on all 200 dc from 20 admin workstations I need to enter these 20 hosts in trusted hosts file, correct ? So that no other machine can connect to these dc using ps Remoting including other domain controllers.
</div>


<div>
Still there are cavets in doing so<br />
You need to enable ps remoting on all 200DCs......?<br />
<b>Enable-PSRemoting –force</b> need to be run on all DCs followed by you must restart winrm service - <b>Restart-Service WinRm</b><br />
<br />
Also need to run below command on all DCs from elvated command prompt / PowerShell:<br />
winrm set winrm/config/client '@{TrustedHosts=&quot;machineA,<wbr />machineB&quot;}<wbr />'<br />
OR<br />
Set-Item WSMan:\localhost\Client\Tr<wbr />ustedHosts<wbr /> -Value &quot;machineA,machineB&quot;<br />
Also after running above command again you have to restart the winrm service because until it won't take effect <br />
<br />
After that you can connect to DC from Win7 and above machines by running script /command in last post<br />
You need to ensure that firewall on DCs are not preventing RPC ports<br />
Check below article for more details:<br />
<a href="http://www.computerperformance.co.uk/powershell/powershell_wsman.htm" rel="ugc">http://www.computerperformance.co.uk/powershell/powershell_wsman.htm</a><br />
<a href="https://technet.microsoft.com/en-us/magazine/ff700227.aspx" rel="ugc">https://technet.microsoft.com/en-us/magazine/ff700227.aspx</a><br />
<br />
Instead of PS-Remoting Better you could use GPO to deploy schedule tasks and apply scripts through GPO<br />
Also in future you will be in trouble if you are trying remoting from DCs...
</div>


<div>
Again, the TrustedHosts is <u>outbound</u>, and to prevent access <u>to</u> untrustworthy hosts, e.g. by malicious software. You would have to set that up on the 20 admin machines, and it does not add (much) security if you do.
</div>


<div>
Thanks. With respect to firewall ports, I need to have 5985 and 5986 opened, correct? Do you think it makes sense to use https (5986) or http should be good enough.<br />
<br />
Regarding Trusted Hosts, I am a bit confused, I should add these 20 machines on all the dcs trusted hosts list. Nothing is required on the 20 hosts, I can just ps remote from these 20 machines to any dc, correct?
</div>


<div>
Yes that's right wrt trusted host.<br />
while adding machine under trustedhost list use machines FQDN instead of single label names<br />
<br />
Incase of https (5986) connection you need to install SSL certificate on server and need to create https listener<br />
<br />
If you use default http listener, no special configuration is required<br />
<br />
steps required to enable https PS Remoting on server:<br />
<a href="https://github.com/AppVeyor/AppRolla/wiki/Configuring-Windows-PowerShell-remoting" rel="ugc">https://github.com/AppVeyor/AppRolla/wiki/Configuring-Windows-PowerShell-remoting</a>
</div>


<div>
An additional note: &nbsp;I do find it weird that a number of blog posts (including one by Jeffrey Hicks) mention configuring TrustedHosts on the machine you are connecting <i>to</i> (i.e. the remote machine).<br />
<br />
I think it's best to read the built-in PS help topics on remoting, as they seem to describe it correctly - something configured on the local machine that you will be establishing the connection <i>from</i>.<br />
about_Remote<br />
about_Remote_Requirements<br />
about_Remote_Troubleshooti<wbr />ng &nbsp;*has the most info on TrustedHosts<br />
about_Remote_FAQ
</div>


<div>
Mahesh is wrong. As both I and footech told, Trusted Hosts is set on the <u>admin</u> machine running the PowerShell commands, not the target. This is now the third time I post that. We both also mentioned you need it only if not able to use Kerberos, e.g. outside of a domain.
</div>


<div>
Ok, I think I got it. Let me summarize my understanding:<br />
<br />
I have a forest with 5 domains. I have a workstation that I use for admin purposes. This workstation is a member of the root domain. &nbsp; I login into this machine with domain admin credentials. I don't need to worry about setting up trusted hosts on the domain controllers or this workstation as I will use be using Kerberos. I can ps remote to any dc and run the commands I want. <br />
Am I correct so far.
</div>


<div>
OK<br />
I was wrong<br />
<br />
Its my miss understanding<br />
<br />
What Footech and Qlemo said is correct<br />
<br />
I have checked PowerShell remoting references<br />
<br />
Thanks
</div>


<div>
Thanks. &nbsp;One last thing is that do I need ports 5985 and 5986 open on firewalls if I am using Kerberos.
</div>


<div>
<div class="content wysiwyg-content">
Hello experts,<br />
<br />
I am in the process of configuring PS Remoting on domain controllers. I need some guidance on trusted hosts. Instead of using * is it better practice to include all domain controllers in trusted hosts, so that only domain controllers can do ps Remoting with other domain controllers. If there are 200 domain controllers how to achieve this.<br />
<br />
Thanks.
</div>
</div>


Hello experts,

I am in the process of configuring PS Remoting on domain controllers. I need some guidance on trusted hosts. Instead of using * is it better practice to include all domain controllers in trusted hosts, so that only domain controllers can do ps Remoting with other domain controllers. If there are 200 domain controllers how to achieve this.

Thanks.

Activ e Directory: PS Remoting

Windows PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language built on the .NET Framework. PowerShell provides full access to the Component Object Model (COM) and Windows Management Instrumentation (WMI), enabling administrators to perform administrative tasks on both local and remote Windows systems as well as WS-Management and Common Information Model (CIM) enabling management of remote Linux systems and network devices.

Powershell

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.