RMTdemo01.ps1
<#
Demo01 - Summit 2018 Troubleshooting remoting
Richard Siddaway
Need W16RMT01 running
Remove existing checkpoints and then
checkpoint W16RMT01 before starting demo
#>
<#
NOTICE THE ERROR MESSAGES
ERROR MESSAGES DON'T ALWAYS MATCH DOCUMENTATION
ASSUMING THAT NETWORK CONNECTIVITY
TO REMOTE SYSTEM EXISTS AND HAS
BEEN CHECKED
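WON'T COVER DOUBLE HOP PROBLEM IN THIS SESSION
USE CREDSSP OR SEE ASHLEY MCGLONE SESSION FROM
SUMMIT 2017
NOTE: CREDSSP DELEGATES YOUR CREDENTIALS TO THE REMOTE HOST,
SO ENABLE IT ONLY TOWARDS HOSTS YOU TRUST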
#>
#region START
<#
Baseline: remoting is expected to work without any set-up,
because it is enabled by default on
Windows Server 2012 and later.
#>
## Script block reused by the later regions: returns the OS caption
## of whichever machine it is run on.
$sb = { Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object -Property Caption }

## Open a session, run the script block in it, then close the session.
$s = New-PSSession -ComputerName W16RMT01
Invoke-Command -ScriptBlock $sb -Session $s
Remove-PSSession -Session $s
#endregion START
#region scenario1
<#
#########################
run scenario1 on W16RMT01
#########################
#>
## Connection attempt made after scenario1 has been run on the target.
## Presumably expected to fail so the error text can be examined -
## confirm against the scenario1 script, which is not part of this file.
$s = New-PSSession -ComputerName W16RMT01
<#
############################
run FIXscenario1 on W16RMT01
############################
#>
#endregion scenario1
#region scenario2
<#
#########################
run scenario2 on W16RMT01
#########################
#>
## Connection attempt made after scenario2 has been run on the target.
## Presumably expected to fail so the error text can be examined -
## confirm against the scenario2 script, which is not part of this file.
$s = New-PSSession -ComputerName W16RMT01
<#
############################
run FIXscenario2 on W16RMT01
IGNORE Set-WSManQuickConfig error
############################
#>
#endregion scenario2
#region scenario3
<#
#########################
run scenario3 on W16RMT01
#########################
#>
## Connection attempt made after scenario3 has been run on the target.
## Presumably expected to fail so the error text can be examined -
## confirm against the scenario3 script, which is not part of this file.
$s = New-PSSession -ComputerName W16RMT01
<#
############################
run FIXscenario2 on W16RMT01
############################
#>
## NOTE(review): every other region pairs scenarioN with FIXscenarioN;
## confirm whether FIXscenario2 is really the intended fix for scenario3.
#endregion scenario3
#region scenario4
<#
#########################
run scenario4 on W16RMT01
#########################
#>
## Connection attempt made after scenario4 has been run on the target.
## Presumably expected to fail so the error text can be examined -
## confirm against the scenario4 script, which is not part of this file.
$s = New-PSSession -ComputerName W16RMT01
<#
############################
run FIXscenario4 on W16RMT01
############################
#>
#endregion scenario4
#region scenario5
<#
#########################
run scenario5 on W16RMT01
#########################
#>
## Connection attempt made after scenario5 has been run on the target;
## the comment block below lists the errors it can produce.
$s = New-PSSession -ComputerName W16RMT01
<# Possible errors
ERROR: ACCESS IS DENIED
- or -
ERROR: The connection to the remote host was refused.
Verify that the WS-Management service is running on
the remote host and configured to listen for
requests on the correct port and HTTP URL.
#>
<#
############################
run FIXscenario5 on W16RMT01
Enable-PSRemoting FAILS if a public network exists
use the -SkipNetworkProfileCheck parameter
############################
#>
## -SkipNetworkProfileCheck enables remoting even though a network has the
## Public profile. Per the Enable-PSRemoting documentation the firewall rule
## for public networks admits the local subnet only; review the rule scope
## afterwards rather than assuming the host is closed on that network.
#endregion scenario5
#region scenario6
<#
#########################
run scenario6 on W16RMT01
#########################
#>
## Connection attempt made after scenario6 has been run on the target.
## Presumably expected to fail so the error text can be examined -
## confirm against the scenario6 script, which is not part of this file.
$s = New-PSSession -ComputerName W16RMT01
<#
############################
run FIXscenario6 on W16RMT01
Enable-PSRemoting FAILS if a private network exists
use the -SkipNetworkProfileCheck parameter
############################
#>
## NOTE(review): scenario5 gives the same advice for a *public* network;
## confirm whether "private" is intended here.
#endregion scenario6
#region scenario7
## https://blogs.msdn.microsoft.com/wmi/2009/07/22/new-default-ports-for-ws-management-and-powershell-remoting/
<#
#########################
run scenario7 on W16RMT01
also drops firewall
#########################
#>
## NOTE(review): if "drops firewall" means the firewall on W16RMT01 is
## switched off, verify after FIXscenario7 that it is enabled again
## (for example with Get-NetFirewallProfile).
## Attempt with no -Port, i.e. the default remoting port; presumably fails
## once scenario7 has been run - confirm against the scenario7 script.
$s = New-PSSession -ComputerName W16RMT01
## Same target, this time naming port 8080 explicitly. $s is overwritten.
$s = New-PSSession -ComputerName W16RMT01 -Port 8080
## can mix and match ports
## $s2 goes to a second machine (W16DC01) with no -Port given.
$s2 = New-PSSession -ComputerName W16DC01
## A single Invoke-Command runs $sb (defined in the START region) in both sessions.
Invoke-Command -Session $s,$s2 -ScriptBlock $sb
## List the open sessions.
Get-PSSession | Format-Table -AutoSize
## Closes every session Get-PSSession returns, not only $s and $s2.
Get-PSSession | Remove-PSSession
<#
############################
run FIXscenario7 on W16RMT01
############################
#>
#endregion scenario7
#region scenario8
## Prompts for the password of manticore\billbell; the resulting credential
## object stays in $cred until it is overwritten or the session ends.
$cred = Get-Credential -Credential manticore\billbell
## Connect with that explicit credential instead of the logged-on user.
## Presumably this account lacks remoting access on the target so the
## resulting error can be shown - confirm against TestScenario8.
$s = New-PSSession -ComputerName W16RMT01 -Credential $cred
<#
############################
run TestScenario8 on W16RMT01
############################
#>
#endregion scenario8
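#region - connect by IP
## First attempt: connect by IP address with the logged-on user's credentials.
## The note below attributes the resulting failure to the client side.
$s = New-PSSession -ComputerName '10.10.54.73'
<#
############################
This is a client side issue
Use trusted hosts or certificates
############################
#>
## The WSMan: drive is only usable while the local WinRM service is running.
## Start-Service leaves the service running on this client after the demo.
Start-Service winrm
## Remember the existing TrustedHosts value so it can be put back at the end
## instead of being wiped.
$trustedHostsBefore = (Get-Item -Path wsman:localhost\client\trustedhosts).Value
Get-Item -Path wsman:localhost\client\trustedhosts
## documentation often says use * - DON'T
## A TrustedHosts entry tells the client to send credentials to that address
## without verifying the server's identity, so list only the specific host.
## Set-Item replaces the whole list with this single entry for the demo.
Set-Item -Path wsman:localhost\client\trustedhosts -Value '10.10.54.73' -Force
Get-Item -Path wsman:localhost\client\trustedhosts
## Explicit credentials are supplied for the connection by IP address.
$cred = Get-Credential -Credential manticore\richard
$s = New-PSSession -ComputerName '10.10.54.73' -Credential $cred
Invoke-Command -Session $s -ScriptBlock $sb
Remove-PSSession -Session $s
## Restore the value that was present before the demo; the [string] cast turns
## a $null value into '' so an empty list is restored as an empty list.
Set-Item -Path wsman:localhost\client\trustedhosts -Value ([string]$trustedHostsBefore) -Force
Get-Item -Path wsman:localhost\client\trustedhosts
#endregion - connect by IP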
#region - non-domain
## First attempt against the non-domain machine with default settings;
## the note below attributes the resulting failure to the client side.
$s = New-PSSession -ComputerName W16ND01
## Ping once to show that basic network connectivity is not the problem.
Test-Connection -ComputerName W16ND01 -Count 1
<#
############################
This is a client side issue
Use trusted hosts or certificates
############################
#>
##
## Port 5986 is standard for HTTPS access
Test-NetConnection -ComputerName W16ND01 -Port 5986
## Local account on the target, since the machine is not in the domain.
$cred = Get-Credential W16ND01\Administrator
## -UseSSL connects over HTTPS, so the target is identified by its certificate
## rather than by a TrustedHosts entry. The client has to trust the
## certificate's issuer and the certificate name has to match -ComputerName,
## unless those checks are switched off through session options.
$nd = New-PSSession -ComputerName W16ND01 -UseSSL -Credential $cred
## Display the session object.
$nd
Invoke-Command -Session $nd -ScriptBlock $sb
##
## need a HTTPS listener
## first standard listener = HTTP
## Listeners on the local machine.
Get-ChildItem -Path WSMan:\localhost\Listener
## remote listeners
Invoke-Command -Session $nd -ScriptBlock {Get-ChildItem -Path WSMan:\localhost\Listener}
## Only the remote listeners whose Keys mention HTTPS, shown as a list.
Invoke-Command -Session $nd -ScriptBlock {
Get-ChildItem -Path WSMan:\localhost\Listener\ |
where Keys -like "*HTTPS*" |
Format-List
}
<#
############################
To create an HTTPS listener
## get thumbprint
## NOTE(review): if more than one certificate in LocalMachine\My has this
## subject, $tp holds several thumbprints; pick a single current certificate
## intended for Server Authentication before creating the listener.
$tp = Get-ChildItem -Path Cert:\LocalMachine\My\ |
where Subject -eq 'CN=W16ND01' |
select -ExpandProperty Thumbprint
## create listener
## Address="*" makes the listener accept HTTPS on every address of the machine.
New-WSManInstance -ResourceURI winrm/config/Listener `
-SelectorSet @{Address="*";Transport="HTTPS"} `
-ValueSet @{HostName="W16ND01";CertificateThumbprint="$tp"}
## may need firewall rule to allow HTTPS remoting
## TO CHECK:
## port based rule for 5986
$pr = Get-NetFirewallPortFilter -Protocol TCP |
where LocalPort -eq 5986
Get-NetFirewallRule -AssociatedNetFirewallPortFilter $pr
############################
#>
## Close the HTTPS session to the non-domain machine.
Remove-PSSession -Session $nd
#endregion - non-domain
#region OTHER
<#
ERROR: The WS-Management service cannot complete the operation
within the time specified in OperationTimeout.
FIX: modify timeout settings - client and server as shortest is used
OR use timeout options in New-PSSessionOption
(for example -OperationTimeout, -OpenTimeout, -IdleTimeout)
#>
<#
ERROR: The total data received from
the remote client exceeded allowed maximum.
FIX: modify quota settings
OR use options in New-PSSessionOption
(for example -MaximumReceivedDataSizePerCommand, -MaximumReceivedObjectSize)
Raise a quota only as far as the workload needs; the limits cap how much
data a remote endpoint can push to the client.
#>
## Print the parameter syntax of New-PSSessionOption to show the available options.
Get-Command New-PSSessionOption -Syntax
#endregion OTHER