locked
Online-Verify WinRM 3.0 service installed, running, and required firewall ports are open RRS feed

  • Question

  • Hello everyone

    I've just updated my workstation to Windows 8 Pro, yea! - sigh, and now I'm going through trying to get all my management tools working properly and want to use the new Server Manager tools.  So I've dutifully installed the windows 8 RSAT tools and begun to add in my servers.   However most of my servers are 2003, 2008, 2008 R2 with only 1 solitary 2012 and I'm now suffering the above error on all my 2008 servers.  Having done some 2012 training I was expecting this and jumped in to install .net 4, WMF 3.0 as requested.  I've not installed the performance counter hot fix yet but I don't believe that has any bearing on this issue (correct me if I'm wrong).   

    So having followed the advice in the links below and verified that all the relevant services are running I still get the WinRM error under Server Manager against these 2008 servers.  I get this whether I use the Server Manager on Windows 8 or Server 2012 and I'm at a loss to fix it.

    To confirm what I've done  

    1. Windows 2008 R2 SP 1 - Domain Controller

    2. Installed .Net 4 using the full standalone package - dotNetFx40_Full_x86_x64  (49,268KB size - file version 4.0.30319.1)

    3. Installed WMF 3.0 using - Windows6.1-KB2506143-x64.msu (16,171KB size)

    4. Ran the Command WinRM QuickConfig - which set up WinRM and applied the appropriate firewall rule - confirmed as being there.   The result below is from running the command WinRM id which as you can see indicates that version 3 is in use. 

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32>WinRM id
    IdentifyResponse
        ProtocolVersion = http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
        ProductVendor = Microsoft Corporation
        ProductVersion = OS: 6.1.7601 SP: 1.0 Stack: 3.0
        SecurityProfiles
            SecurityProfileName = http://schemas.dmtf.org/wbem/wsman/1/wsman/secprof
    ile/http/spnego-kerberos


    C:\Windows\system32>

    5. Restarted the DC just to make sure (I've actually done this several times now - no change in the results)

    6. Disabled the firewalls on the clients and servers

    6. Refreshed and Restarted both the Windows 8 workstation and the 2012 Server.

    I have this issue on multiple servers that I've done the above process through so it's not an isolated incident but I'm at a loss to know what I've got wrong. From all the searching I've done on the net it would be a number of people have experienced the issue but the above steps resolved it; I appear to be the exception.   Does anyone have any thoughts or advice as to how I can resolve the issue as I would like to benefit from the new Server Manager without having to update all my servers to 2012 :).

    Blessings

    Jez

    http://blogs.technet.com/b/servermanager/archive/2012/09/10/managing-downlevel-windows-based-servers-from-server-manager-in-windows-server-2012.aspx

    http://social.technet.microsoft.com/wiki/contents/articles/13444.windows-server-2012-server-manager-troubleshooting-guide-part-ii-troubleshoot-manageability-status-errors-in-server-manager.aspx

    Wednesday, January 9, 2013 5:21 PM

All replies

  • Managing Downlevel Windows-based Servers from Server Manager in Windows Server 2012
    http://blogs.technet.com/b/servermanager/archive/2012/09/10/managing-downlevel-windows-based-servers-from-server-manager-in-windows-server-2012.aspx


    According to the above blog, you’ve ensured that


    1. WMF 3.0 has been successfully installed.
    2. .NET 4.0 has been successfully installed. Verify .NET version http://support.microsoft.com/kb/318785
    3. You’ve turned off firewall on both sides, so it should not be a WinRM or DCOM communication problem.


    Seems all the prerequisites are met. I would suggest restart the Windows Remote Management Service on your Windows 2088 R2 server and re-run winrm –quickconfig

    Thursday, January 10, 2013 4:56 AM
  • Hi Zhang

    Thanks for the response - I've attached a picture of the registry from one of the DC's with the problem which shows .Net v4.0.30319

    

    I've restarted the service and run WinRM again as suggested but that just informs me that WinRM is already set up for remote management on this server. Sadly however the issue remains. 

    Quite frustrating really - if anyone else has any thoughts I'd appreciate them.

    Blessings

    Jez

    Thursday, January 10, 2013 10:07 AM
  • I've taken a closer look at the error listed and it doesn't make sense.  The error states, 

    Configuration refresh failed with the following error:  The metadata failed to be retrieved from the server, due to the following error: The client cannot connect to the destination specified in the request.  Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS--Management service running on the destination, most commonly IIS or WinRM.  If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".

    According to the troubleshooting guide linked above this would suggest the target computer, my DC, is not available or is not a Windows based machine.  Well clearly the DC is, Server 2008 R2 SP1, and it is reachable you can RDP to it, ping it by name etc.   So I'm even more puzzled.

    Does anyone have any thoughts on this more detailed error?

    Blessings

    Jez

    Friday, January 11, 2013 1:31 PM
  • Did you find a solution to this?

    I'm in the same situation as you...

    Wednesday, March 13, 2013 3:56 PM
  • Did you find a solution to this?

    I'm in the same situation as you...

    http://buenoflex.com/archives/60 might help
    Tuesday, April 2, 2013 11:22 AM
  • Hi Guys

    try to run winrm qc

    for me, this command fixed the problem

    • Proposed as answer by sulce Tuesday, April 9, 2013 9:10 AM
    Tuesday, April 9, 2013 8:54 AM
  • Here's what I did to fix the error.

    Ran

    winrm quickconfig in Powershell

    I downloaded the following updates

    http://www.microsoft.com/en-au/download/details.aspx?id=17851

    and

    http://www.microsoft.com/en-us/download/details.aspx?id=34595

    Once I ran both updates and restarted the VM I was able to see the status change to Online.

    • Proposed as answer by APA IT Support Wednesday, June 26, 2013 5:22 PM
    • Edited by APA IT Support Wednesday, June 26, 2013 5:24 PM Updated the Powershell command
    Wednesday, June 26, 2013 5:21 PM
  • Thanks for the tip.  Ran winrm quickconfig in power shell and now server is online.  :)

    Lonnie Tharp Sysadmin CYR-P LLC.

    Wednesday, July 10, 2013 2:12 PM
  • I know this is late to the game, but I just came through this same situation---sort of. In my case, the root cause was that another admin had setup a Group Policy for Remote Management (to turn on WinRM's HTTP/HTTPS listeners) and had forgotten to set it to listen on any IP address.

    The symptoms of my problem were:

    1. The Server Manager app reported "Online - Verify WinRM 3.0 service installed, running, and required firewall ports are open" for the remote servers listed.
    2. The local machine had a Microsoft-Windows-WinRM error in the System EventLog with the following text "The WinRM service failed to create the following SPNs: WSMAN/servername.domain.com; WSMAN/servername". Unfortunately, that led me to this post about SPNs, which was the wrong solution for me, as it turned out (though the final post in that thread is the correct way to go about things, if you really need to alter the permissions on the NETWORK SERVICE account).
    3. Running winrm id reported WinRM was all installed correctly on each server. (Stack = 3.0, and OS = 6.3.9600 because these servers are all 2012 r2)
    4. Running winrm qc (winrm quickconfig is the same thing) reported that everything was setup correctly and running.
    5. I used netsh advfirewall firewall show rule name="Windows Remote Management (HTTP-In)" to verify that the firewall rules had port 5985 open on my current NLA profile (domain, in my case).
    6. I used netstat -a -b to confirm that a local process was actually bound to (and using) port 5985. And I discovered that nothing was, so that was my first real clue.
    7. Finally, I used winrm enumerate winrm/config/listener to confirm that WinRM wasn't actually listening on the port. The fact that it reported "ListeningOn=null" led me to this post on StackOverflow, which finally led back to the GPO being the problem.

    If that doesn't solve your problem, perhaps those later steps will help you (or someone else) further troubleshoot a WinRM problem.


    • Proposed as answer by Jwfii Sunday, September 7, 2014 1:03 AM
    Wednesday, February 19, 2014 5:06 PM
  • This right here :)

    Thanks a lot.

    Thursday, May 15, 2014 2:44 PM
  • Yep, winrm qc worked for me as well. Thank You!!!
    Saturday, September 6, 2014 3:57 PM
  • Thank you, it worked for me.
    Thursday, April 30, 2015 3:46 AM
  • I know this is late to the game, but I just came through this same situation---sort of. In my case, the root cause was that another admin had setup a Group Policy for Remote Management (to turn on WinRM's HTTP/HTTPS listeners) and had forgotten to set it to listen on any IP address.

    The symptoms of my problem were:

    1. The Server Manager app reported "Online - Verify WinRM 3.0 service installed, running, and required firewall ports are open" for the remote servers listed.
    2. The local machine had a Microsoft-Windows-WinRM error in the System EventLog with the following text "The WinRM service failed to create the following SPNs: WSMAN/servername.domain.com; WSMAN/servername". Unfortunately, that led me to this post about SPNs, which was the wrong solution for me, as it turned out (though the final post in that thread is the correct way to go about things, if you really need to alter the permissions on the NETWORK SERVICE account).
    3. Running winrm id reported WinRM was all installed correctly on each server. (Stack = 3.0, and OS = 6.3.9600 because these servers are all 2012 r2)
    4. Running winrm qc (winrm quickconfig is the same thing) reported that everything was setup correctly and running.
    5. I used netsh advfirewall firewall show rule name="Windows Remote Management (HTTP-In)" to verify that the firewall rules had port 5985 open on my current NLA profile (domain, in my case).
    6. I used netstat -a -b to confirm that a local process was actually bound to (and using) port 5985. And I discovered that nothing was, so that was my first real clue.
    7. Finally, I used winrm enumerate winrm/config/listener to confirm that WinRM wasn't actually listening on the port. The fact that it reported "ListeningOn=null" led me to this post on StackOverflow, which finally led back to the GPO being the problem.

    If that doesn't solve your problem, perhaps those later steps will help you (or someone else) further troubleshoot a WinRM problem.


    For us it was also caused by the GPO, but due to a "missunderstanding" of the ip-filter: 

    Applying the IP Filter 192.168.1.1-192.168.1.30 does not mean: "Only Accept Connections from that machines" - It means "Listen on these IPs, IF any of these IPs belong to you" - The Server that refused to work had the ip .32 - therefore refused to listen on that ip, since it is not inside the defined scope.

    (therefore we also saw the listeningOn = null problem) 

    Wednesday, October 21, 2015 11:50 AM
  • Hi,

    Facing the same issue, rebooted many times, checked WinRM services working fine restarted WInRM services, firewall off in both end, still could not make it.

    Windows server 2012 working fine, the issue is with Windows server 2008.

    PLEASE SUGGEST......!!!

    Friday, February 3, 2017 6:17 AM
  • Thank you! You saved me from ripping my hair out any further!
    Wednesday, February 15, 2017 2:32 PM
  • That was it for me. I was getting the "ListeningOn=null" message too. My new Server 2016 Core was giving me this error though the winrm qc said all was working. By default my servers were going to the Computers OU but my already established servers were in an OU called Servers. My Servers OU had a group policy that had the RM configured as in the post here: Basically...

    Computer Configuration/Windows Settings/Administrative Templates/Windows Components/Windows Remote Management (WinRM)/WinRM Service

    Allow remote server management through WinRM had an ipv4 filter set to the IP address of my jumphost the winrm e winrm/config/listener command generated the ListeningOn=null issue.

    I solved this by setting the Filter to "*" and sorting the permissions on firewall level instead.


    Wednesday, April 12, 2017 6:09 PM
  • Наконец-то и мы решили такую же проблему.  Она заключалась в неверной настройке WinRM в GP, где, как и у товарищей выше, были назначены пулы адресов, в которые не входили проблемные серверы. Установка * в политике, поставила всё на свои места. Проблема с удалённым управлением серверами через консоль исчезла.

    Ошибок вида "убедитесь, что служба winrm 3.0 установлена, запущена, а необходимые порты брандмауэра открыты" больше нет. 

    Большое спасибо конференции за помощь.


    Тирекс


    • Edited by tirex5555 Wednesday, September 4, 2019 8:42 AM грамматика
    Wednesday, September 4, 2019 8:41 AM
  • That did the trick! Thanks!

    GPO: Windows Components/Windows Remote Management (WinRM)/WinRM Service/Allow Remote Server Management through WinRM

    It must be "Enabled", but the option "IPv4 filter" should NOT be empty.

    Please, use "*" in "IPv4 filter" option to have WinRM listening on all device's interfaces, or uses an IP range (like "192.168.0.1-192.168.0.254", for example. DO NOT use CIDR notation (192.168.0.0/24). That was my huge mistake.

    Thursday, February 13, 2020 2:54 PM