The GUI server is my production Hyper-V host, and I wanted to use Server Manager to keep an eye on the lab server. There are many, many guides on this out there. However, what I found since the last time I did this was that something is always missing from my notes or the posts I am trying to follow. For example, I had the server showing up and populated correctly in Server Manager, but I was unable to view the storage.
First off, I'll assume you have completed the installation of the operating system. Once logged in, you will see the SConfig tool. Here, our goal is to configure Windows Remote Management (WinRM) to work over HTTPS. First, we have to enable Remote Desktop.
Choose option 7 (Remote Desktop) and then press E to enable it.
When asked which authentication method to enable, choose option 1.
You should then see a message box indicating it has enabled Remote Desktop.
Now you can Remote Desktop to your Core server if you wish.
Once logged in, select the cmd window floating in the background. Enter this command:
winrm e winrm/config/listener
This will show you the current listeners configured by WinRM.
You can see we just have one listener enabled using the default HTTP.
Type PowerShell and press Enter.
Run this command:
get-childitem cert:\localmachine\my
You should receive no output for this, and this means you have no certificates installed on the machine.
Using this post as a guide, we can set up a self-signed certificate and assign it to a WinRM listener.
New-SelfSignedCertificate -DnsName hyper-v-host.sbs.local -CertStoreLocation cert:\localmachine\my
Now this certificate is self-signed, so our GUI server won't trust it. We will need to install this certificate on our GUI server. Make a note of the thumbprint from your new certificate, as we will need that in our next command.
First, we can store our certificate in a variable.
$cert = get-childitem cert:\localmachine\my | where { $_.ThumbPrint -eq "E941D147E708A1EA04EEA8E48B7A88328B5AC47D" }
We need to protect our certificate with a password, which we need to store as a secure string.
$password = ConvertTo-SecureString P@ssw0rd -AsPlainText -Force
Now we can export our certificate.
$cert | Export-PfxCertificate -FilePath c:\hyper-v-host.pfx -Password $password
We can collect that file later and then install it on our GUI server.
Now we need to set up our WinRM HTTPS listener. Switch back to cmd.
The command we need to enter is quite long and needs two pieces of information: your server's fully qualified domain name (FQDN) and the thumbprint of the certificate we just generated.
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="hyper-v-host.sbs.local"; CertificateThumbprint="E941D147E708A1EA04EEA8E48B7A88328B5AC47D"}
Now we can run our first WinRM command and make sure our listener is enabled.
winrm e winrm/config/listener
We can see here we now have two listeners enabled.
Moving over to our GUI server, we need to configure some things before we can connect to the Core server.
We need to store the password for the Core server's built-in Administrator account in the credential store.
Open a PowerShell window and enter the following:
cmdkey /add:hyper-v-host /user:administrator /pass:P@ssw0rd
cmdkey /add:hyper-v-host.sbs.local /user:administrator /pass:P@ssw0rd
Notice we have saved the credential for the hostname and the FQDN.
Next we can add the Core server as a trusted host.
set-item wsman:\localhost\client\trustedhosts -Value hyper-v-host -Concatenate
set-item wsman:\localhost\client\trustedhosts -Value hyper-v-host.sbs.local -Concatenate
Again we add both the hostname and the FQDN.
We can now use PowerShell remoting to connect to our Core server, which we need anyway, since a few more settings have to be changed: the firewall rule group for file and printer sharing, remote access for local accounts (LocalAccountTokenFilterPolicy), and remote firewall management.
Enter-PSSession HYPER-V-HOST
New-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWORD
netsh advfirewall set currentprofile settings remotemanagement enable
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
We can now browse the folders on our Core server.
If we open the c$ share, we can get our certificate and install it.
Right-click the PFX file and follow the Certificate Import Wizard to install the certificate into the Trusted Root Certificate Authorities for the local machine.
Trusted Root Certificate Authorities store
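The same listener setup done end to end in PowerShell, with the checks that show whether a session really goes through the HTTPS listener. This is an added example, not the article's own commands; the host names and file paths are placeholders taken from the article, and the public certificate is exported on its own because the GUI server only has to trust the listener's certificate, not hold its private key.

```powershell
# Added example (not from the article): WinRM HTTPS listener on a Core host,
# trust on the GUI server, and a connection test that forces port 5986.
# Host names and paths are assumed placeholders; adjust them for your lab.

# ---- On the Core host ----
$fqdn     = 'hyper-v-host.sbs.local'   # assumption: FQDN of the Core server
$hostName = 'hyper-v-host'

# Self-signed certificate for the listener, as in the article.
$cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation Cert:\LocalMachine\My

# HTTPS listener on port 5986; PowerShell equivalent of the "winrm create" line.
New-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet @{ Hostname = $fqdn; CertificateThumbprint = $cert.Thumbprint }

# Check each listener: transport, port and the thumbprint it is bound to.
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $base = "WSMan:\localhost\Listener\$($_.Name)"
    [pscustomobject]@{
        Transport  = (Get-Item "$base\Transport").Value
        Port       = (Get-Item "$base\Port").Value
        Thumbprint = (Get-Item "$base\CertificateThumbprint").Value
    }
}

# Export the public certificate only; the private key stays on the host.
Export-Certificate -Cert $cert -FilePath C:\hyper-v-host.cer -Type CERT

# ---- On the GUI server, after copying hyper-v-host.cer across ----
Import-Certificate -FilePath C:\hyper-v-host.cer -CertStoreLocation Cert:\LocalMachine\Root

# Local account on the Core host, given as hostname\user.
$cred = Get-Credential "$hostName\Administrator"

# Without -UseSSL the client talks to 5985 even though an HTTPS listener exists.
Test-WSMan -ComputerName $fqdn -UseSSL -Credential $cred -Authentication Default
Invoke-Command -ComputerName $fqdn -UseSSL -Credential $cred -ScriptBlock { hostname }
```

Server Manager itself keeps using the default HTTP listener on 5985, as the comments below point out, so the -UseSSL check only tells you that PowerShell remoting and WinRS can be made to use the HTTPS listener.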
Server Manager should now be able to manage our Core server remotely.
Open Server Manager and choose option 3 to add other servers.
Choose the DNS tab and enter the name of your Core server.
Use the arrow to add it to the list of selected computers and click OK. Server Manager will add the server.
Move to All Servers and we can see our server listed.
You should see Online in the Manageability column, and that's all there is to it.
Hi Robert, this is a great how to. I am dealing with a similar setup now. I followed your how to. I am not sure if there are any HTTPS secured connections in the end. You are creating the HTTPS-Listener on Port 5986. If I netstat the connections while running Server Manager, Hyper-V Manager or a PS Session there is no traffic to port 5986 – only to 5985. If I do a “Enter-PSSession HYPER-V-HOST -UseSsl” I can see a connection to 5986. So for PS Session there is a switch to force HTTPS (in my opinion this is missing in your how-to). Since I could not find any equivalent HTTPS-/UseSsl-option in Server Manager and Hyper-V Manager I think there is no possibility to secure those connections with HTTPS. What do you think? Am I missing something?
Another thing is that in my opinion you do not need to export the private key to the connection machine. The private key is only necessary on the machine with the HTTPS-listener.
Greetings
Michael
Exactly Michael! Just adding the HTTPS Listener won't make it use it. You can easily test it if you remove the HTTP Listener, Server Manager won't work.
winrm delete winrm/config/Listener?Address=*+Transport=HTTP
Of course, to be able to delete it you need to remove the "Allow remote server management through WinRM" Policy.
I've tried to run exclusively on HTTPS and this works with the switch -usessl for WinRS/WinRM/PS, and WEF works fine with only an HTTPS Listener. Ex:
winrs -r:<some computer> -usessl ipconfig /all
winrm invoke stopservice wmicimv2/Win32_Service?name=w32time -r:<some computer> -usessl
But, as said here https://docs.microsoft.com/en-us/windows-server/administration/server-manager/configure-remote-management-in-server-manager#windows-remote-management-winrm-listener-settings
Server Manager relies on default WinRM listener settings on the remote servers that you want to manage. If the default authentication mechanism or the WinRM listener port number on a remote server has been changed from default settings, Server Manager cannot communicate with the remote server.
Hello Robert and thanks for this guide. While tedious as a task it was quite fun getting to the end (almost got it).
Some remarks:
1. C:\Users\Administrator.TESTDOM>winrm e winrm:config:listener
WSManFault
To make it work I had to replace the colons with the backslash.
C:\Users\Administrator.TESTDOM>winrm e winrm/config/listener
Listener
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 127.0.0.1, 172.19.120.131, ::1, fe80::5efe:172.19.120.131%3, fe80::e91b:de5b:80db:af16%2
2. While I had the local administrator credentials correctly stored into the remote machine I couldn’t initiate the remote PSS. It was strange I had to put the user in machine\user format to make it work.
*I don’t know if it matters I was logged on as a domain admin while working on core server.
So what worked for me was:
PS C:\Users\Administrator> Enter-PSSession -ComputerName core2016 -Credential core2016\Administrator
Now I can connect to the core server via Windows Server Manager BUT… in Manageability I get:
Online – Access Denied
So close 🙂
Checked the LocalAccountTokenFilterPolicy it was created just fine. Using the domain admin account it connected just fine.
Hi!
Seriously, a great guide for any newcomer, like me, to the "core" business…
As you, I spent days looking around for working guides to be able to manage entirely my 2019 core server remotely from Win10's Server Manager apps. With your help, I was able to manage my disks, network cards and use a certificate with other servers on the LAN. I have found only one typo (or maybe it happens only with WS2019?). I was never able to run this command:
netsh advfirewall set rule group="File and Printer Sharing" new enable=Yes
I had to add "firewall" to make it work:
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
Hope it might help someone!
thanks!
Guy