Parity123
asked on
Active Directory: PS Remoting
Hello experts,
I am in the process of configuring PS Remoting on domain controllers. I need some guidance on trusted hosts. Instead of using *, is it better practice to include all domain controllers in trusted hosts, so that only domain controllers can do PS Remoting with other domain controllers? If there are 200 domain controllers, how do I achieve this?
Thanks.
Not sure what exactly you are trying to achieve.
The scenario you are asking about is practically not possible most of the time.
1st of all, if you have 200 domain controllers, this is a very big environment and it might not be possible to connect all DCs with each other because of network constraints / connectivity.
Now when you say PS remoting is to be enabled between domain controllers only: by default, when you enable communication between two DCs, you need to enable most of the ports (I can say any-any).
As far as I understand PS-Remoting, it allows you to connect to a server from your workstation via PowerShell. Is that what you are trying to achieve?
In that case I am not sure why you want to remote to 200 DCs via PowerShell. AD administration should be done from an admin workstation, and you should keep administration points to a minimum to manage AD effectively.
You may use the script provided in the post below to PS-Remote to a DC from your workstation:
http://theitjesus.com/powershell-remote-session-to-domain-controller/
ASKER
In case we need to run a script on all 200 DCs from 20 admin workstations, I need to enter these 20 hosts in the trusted hosts list, correct? So that no other machine can connect to these DCs using PS Remoting, including other domain controllers.
Still, there are caveats in doing so.
You need to enable PS remoting on all 200 DCs......?
Enable-PSRemoting -Force needs to be run on all DCs, followed by a restart of the WinRM service: Restart-Service WinRM
You also need to run the command below on all DCs from an elevated command prompt / PowerShell:
winrm set winrm/config/client '@{TrustedHosts="machineA,machineB"}'
OR
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "machineA,machineB"
Also, after running the above command you again have to restart the WinRM service, because until then it won't take effect.
After that you can connect to the DC from Win7 and above machines by running the script / command in the last post.
You need to ensure that the firewall on the DCs is not blocking the RPC ports.
Check the articles below for more details:
http://www.computerperformance.co.uk/powershell/powershell_wsman.htm
https://technet.microsoft.com/en-us/magazine/ff700227.aspx
Instead of PS-Remoting, it would be better to use GPO to deploy scheduled tasks and apply scripts through GPO.
Also in future you will be in trouble if you are trying remoting from DCs...
Again, TrustedHosts is outbound, and is there to prevent access to untrustworthy hosts, e.g. by malicious software. You would have to set that up on the 20 admin machines, and it does not add (much) security if you do.
ASKER
Thanks. With respect to firewall ports, I need to have 5985 and 5986 opened, correct? Do you think it makes sense to use https (5986), or should http be good enough?
Regarding Trusted Hosts, I am a bit confused: I should add these 20 machines to the trusted hosts list on all the DCs. Nothing is required on the 20 hosts; I can just PS remote from these 20 machines to any DC, correct?
Yes, that's right wrt trusted hosts.
While adding a machine to the trusted hosts list, use the machine's FQDN instead of single-label names.
In case of an https (5986) connection you need to install an SSL certificate on the server and create an https listener.
If you use the default http listener, no special configuration is required.
Steps required to enable https PS Remoting on a server:
https://github.com/AppVeyor/AppRolla/wiki/Configuring-Windows-PowerShell-remoting
ASKER CERTIFIED SOLUTION
An additional note: I do find it weird that a number of blog posts (including one by Jeffrey Hicks) mention configuring TrustedHosts on the machine you are connecting to (i.e. the remote machine).
I think it's best to read the built-in PS help topics on remoting, as they seem to describe it correctly: something configured on the local machine that you will be establishing the connection from.
about_Remote
about_Remote_Requirements
about_Remote_Troubleshooting (has the most info on TrustedHosts)
about_Remote_FAQ
Mahesh is wrong. As both footech and I said, Trusted Hosts is set on the admin machine running the PowerShell commands, not the target. This is now the third time I have posted that. We both also mentioned you need it only if you are not able to use Kerberos, e.g. outside of a domain.
ASKER
Ok, I think I got it. Let me summarize my understanding:
I have a forest with 5 domains. I have a workstation that I use for admin purposes. This workstation is a member of the root domain. I log into this machine with domain admin credentials. I don't need to worry about setting up trusted hosts on the domain controllers or this workstation, as I will be using Kerberos. I can PS remote to any DC and run the commands I want.
Am I correct so far?
SOLUTION
OK
I was wrong.
It's my misunderstanding.
What Footech and Qlemo said is correct.
I have checked the PowerShell remoting references.
Thanks
SOLUTION
ASKER
Thanks. One last thing: do I need ports 5985 and 5986 open on firewalls if I am using Kerberos?
SOLUTION
The trusted host setting in WSMan only applies to outbound connections. It is a security means only for restricting which machines you can connect to, if you do not want or are not able to use Kerberos, that is.
So no, setting trusted hosts is not common practice for servers, because it is almost useless.
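As an added example (not from any poster in this thread), the two places the controls discussed above actually live: an audit on the admin workstation, where TrustedHosts is a client setting that stays empty when Kerberos is used inside the forest, and an inbound firewall rule on the DCs scoped to the admin workstations, which is what restricts who may connect in. The admin addresses and the firewall rule name are constructed placeholders; the ActiveDirectory module is assumed to be installed on the workstation.

```powershell
# Added example, not from the thread. Part 1 runs on the admin workstation,
# part 2 on each DC (deploy via GPO in practice). Addresses are placeholders.

# --- Part 1: client-side audit on the admin workstation ---
# TrustedHosts is an outbound (client) setting. With Kerberos inside the
# forest it should stay empty; a '*' means this client will send
# credentials to any host name it is told to connect to.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($trusted -eq '*') {
    Write-Warning "TrustedHosts is '*': this client authenticates to any host."
} elseif ($trusted) {
    Write-Warning "TrustedHosts is '$trusted'; not needed for domain targets."
} else {
    Write-Host "TrustedHosts is empty; Kerberos will be used for domain targets."
}

# Enumerate every DC in the forest and check that WinRM answers using
# Kerberos explicitly (no TrustedHosts entry is involved in this path).
Import-Module ActiveDirectory
$dcs = (Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
    Select-Object -ExpandProperty HostName
$results = foreach ($dc in $dcs) {
    try {
        $null = Test-WSMan -ComputerName $dc -Authentication Kerberos -ErrorAction Stop
        [pscustomobject]@{ DC = $dc; WinRM = 'OK' }
    } catch {
        [pscustomobject]@{ DC = $dc; WinRM = "FAILED: $($_.Exception.Message)" }
    }
}
$results | Format-Table -AutoSize

# --- Part 2: inbound restriction on each DC ---
# This is the part TrustedHosts does NOT do: limit who may connect in.
# Only the admin workstations (placeholder subnet and address below) may
# reach the WinRM listener on 5985 (HTTP) and 5986 (HTTPS).
$adminHosts = @('10.0.10.0/28', '10.0.11.5')   # constructed placeholders
New-NetFirewallRule -DisplayName 'WinRM from admin workstations only' `
    -Direction Inbound -Protocol TCP -LocalPort 5985,5986 `
    -RemoteAddress $adminHosts -Profile Domain -Action Allow
# The built-in rule is not scoped to any remote address; leaving it enabled
# would still let every domain host reach the listener.
Disable-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)'
```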