Auteur de questions
I'm testing Event Forwarding and have hit a wall. Current configuration is
1. Windows 2008 R2 domain controller (QFD00003). Event subscription created for source initiated subscription. IIS is installed on this server.
2. I have a Test OU with a group policy applied which specifies the automatic listener configuration and the WinRM Service with a servername pointing to the domain controller.
3. I have a Windows XP SP3 workstation (QFW10006) with WS-Management 1.1 installed in the test OU and confirmed the above policy is applied. Have ran winrm quickconfig and see the following message
Winrm already is setup for remote management on this machine.
If I check the listener winrm enumerate winrm/config/listener, I get the following message
Address = *
Transport = HTTP
Port = 80
Enabled = True
URLPrefix - wsman
ListeningOn = 127.0.0.1, 172.23.0.250
4. The firewall log on the event source had a rule for port 80, but not for 5985. I added this manually to the firewall.
5. Firewall is running on the DC, but the domain profile is off. Traffic is allowed and there is a rule for Windows Remote Management.
6. If i run the command winrm id /r:qfw10006 /a:none from QFD00003, I get the below message.
Message = The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig'.
Error number: -2144108526 0x80338012
I'm a bit stuck as to get past this. I've seen a couple of things talking about making sure the credentials are in the Local Administrators group for Windows XP and Event Log Readers for Windows 7, but as no credentials are specified in the Source Inititated Subscription, I'm not sure what to do. Does it refer to the Network Service account? I've also read something about making sure the Network Service account is a member of the IIS_WPG group. Is this on the DC? I can't find this group on my test server.
Please can someone help?
Toutes les réponses
First and foremost, IIS has nothing to do with event collection - neither in push or pull mode. The remote management uses the HTTP protocol, but it provides its own listener. Given you shouldn't be running anything on a domain controller at all other than the AD DS service itself, I'd remove this unless you've already put it there for other reasons and can't relocate whatever it's hosting.
There's also a second reason for mentioning this though, and I suspect this is at least contributing to your issues even if it's not the entire cause of the problems: it sounds like you have configured both IIS and the WinRM listener to listen on port 80 which isn't going to work, as you can only have one service or the other owning the port.
So again, if you only put IIS on the domain controller for this one purpose, remove the server role as it's not required (in addition to not being a good idea).
Have a read of the following resources, as in their own way, they're all little gems:
- Event forwarding and you
Great overall read, and the SDDL tips are critical in certain scenarios - I wouldn't have gotten some of those working without being made aware about this.
Great reference, but more importantly, provides examples of pull and push configuration files, which is important to know about if you're configuring quite a few machines.
- Configure computers to forward and collect events
Pretty basic overview. I think you're already past what this article discusses.
- Event forwarding and you