Setting up WinRm for event forwarding


  • Hi

    I'm testing Event Forwarding and have hit a wall.  Current configuration is

    1. Windows 2008 R2 domain controller (QFD00003).  Event subscription created for source initiated subscription.  IIS is installed on this server.

    2. I have a Test OU with a group policy applied which specifies the automatic listener configuration and the WinRM Service with a servername pointing to the domain controller.

    3. I have a Windows XP SP3 workstation (QFW10006) with WS-Management 1.1 installed in the test OU and confirmed the above policy is applied.  Have ran winrm quickconfig and see the following message

    Winrm already is setup for remote management on this machine.

    If I check the listener winrm enumerate winrm/config/listener, I get the following message

    Listener [Source="GPO']

      Address = *

      Transport = HTTP

      Port = 80


      Enabled = True

      URLPrefix - wsman


      ListeningOn =,

    4. The firewall log on the event source had a rule for port 80, but not for 5985.  I added this manually to the firewall.

    5. Firewall is running on the DC, but the domain profile is off.  Traffic is allowed and there is a rule for Windows Remote Management.

    6. If i run the command winrm id /r:qfw10006 /a:none from QFD00003, I get the below message.


    Message = The client cannot connect to the destination specified in the request.  Verify that the service on the destination is running and is accepting requests.  Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM.  If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig'.

    Error number: -2144108526 0x80338012

    I'm a bit stuck as to get past this.  I've seen a couple of things talking about making sure the credentials are in the Local Administrators group for Windows XP and Event Log Readers for Windows 7, but as no credentials are specified in the Source Inititated Subscription, I'm not sure what to do.  Does it refer to the Network Service account?  I've also read something about making sure the Network Service account is a member of the IIS_WPG group.  Is this on the DC?  I can't find this group on my test server.

    Please can someone help?




    jeudi 14 avril 2011 08:54

Toutes les réponses

  • Anyone?
    mercredi 20 avril 2011 12:59
  • Hi Matt

    Have you tried make a telnet to your DC to port 80?

    Let me know.



    mercredi 7 septembre 2011 20:04
  • For anyone else who has been looking to set this up I used this to setup server 2008 even subscriptions.
    lundi 23 avril 2012 09:41
  • Hi Matt,

    First and foremost, IIS has nothing to do with event collection - neither in push or pull mode. The remote management uses the HTTP protocol, but it provides its own listener. Given you shouldn't be running anything on a domain controller at all other than the AD DS service itself, I'd remove this unless you've already put it there for other reasons and can't relocate whatever it's hosting.

    There's also a second reason for mentioning this though, and I suspect this is at least contributing to your issues even if it's not the entire cause of the problems: it sounds like you have configured both IIS and the WinRM listener to listen on port 80 which isn't going to work, as you can only have one service or the other owning the port.

    So again, if you only put IIS on the domain controller for this one purpose, remove the server role as it's not required (in addition to not being a good idea).

    Have a read of the following resources, as in their own way, they're all little gems:

    • Event forwarding and you
      Great overall read, and the SDDL tips are critical in certain scenarios - I wouldn't have gotten some of those working without being made aware about this.
    • Wecutil.exe
      Great reference, but more importantly, provides examples of pull and push configuration files, which is important to know about if you're configuring quite a few machines.
    • Configure computers to forward and collect events
      Pretty basic overview. I think you're already past what this article discusses.


    mercredi 2 mai 2012 08:32