BojanZivkovic-7448 asked RichMatheisen-8856 edited

Invoke-Command hanging

Hi, I have a server which hosts Windows Admin Center 2110 and has outbound port tcp/5985 opened to all servers in the forest. All of a sudden, I noticed I could not connect anymore to any server via Invoke-Command - it just hangs and in the log I see this:

Attempting session creation retry 1 for error code -2144108270 on session Id e0985d88-9c46-44b2-a4d0-5ebe948de1af (EventID 8198)

However when I use FQDN as ComputerName parameter value of Invoke-Command I am able to connect ... Odd. A few days ago I was able to list something from all servers using their hostname only.

Any help would be appreciated, thx in advance!

windows-server-powershell windows-server-management

RichMatheisen-8856 answered

The first question in situations like these is always going to be "What has changed?"

If it works with FQDN but not hostname, has there been a change in certificates? WinRM uses Kerberos and that depends on certs.
Has there been a change in the WinRM "TrustedHosts" list on the server running your script? On the machines that are the target of your Invoke-Command?

You mention "forests". Does that imply multiple domains in the forest? Has there been a change in the trusts between domains?

WinRM is used by PowerShell, but WinRM is a service provided by the operating system.


BojanZivkovic-7448 answered RichMatheisen-8856 commented

The only change I am aware of is the upgrade of Windows Admin Center to version 2110 from 2103. What is interesting is that I can connect to Domain Controllers using hostname but not to any member server in the domain. During the upgrade of WAC I allowed WAC to change trusted hosts, but I see its value is the same as on the WAC in the other forest, which was also upgraded to version 2110 and on which PS remoting works fine using the hostname of all member servers.


Assuming that you're using default ports for WinRM and there are no firewall rules that would disallow connections, I'd start with these cmdlets: Test-WinRM, Test-WSMan, and Connect-WSMan.


You may fare better at getting answers by adding a windows-server-management tag to your original post.

BojanZivkovic-7448 answered RichMatheisen-8856 edited

PS C:\windows\system32> Connect-WSMan -ComputerName server1
Connect-WSMan : The connection to the specified remote host was refused. Verify that the WS-Management service is
running on the remote host and configured to listen for requests on the correct port and HTTP URL.
At line:1 char:1
+ Connect-WSMan -ComputerName server1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (server1:String) [Connect-WSMan], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.ConnectWSManCommand


PS C:\windows\system32> Test-WSMan -ComputerName server1
Test-WSMan : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859046"
Machine="server1.domain.com"><f:Message>WinRM cannot complete the operation. Verify that the
specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for
the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public
profiles limits access to remote computers within the same local subnet. </f:Message></f:WSManFault>
At line:1 char:1
+ Test-WSMan -ComputerName server1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (server1:String) [Test-WSMan], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.TestWSManCommand

NOTE: I managed to access server1 via Invoke-Command -ComputerName server1 from domain controller!


Any chance your machine is using a proxy server?

 netsh winhttp show proxy

Yes, but it is nothing new. I restored the VM from a backup taken before the WAC upgrade and the situation is the same. It works without the proxy, but why? The proxy was there before, and even with the proxy I could connect to DCs but not to member servers?


Does your proxy setting have a bypass list? Does it include your intranet domain? Also, check the machine's TCP/IP settings for a default DNS domain. If there is one, is it your intranet domain?

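The checks suggested across this thread (proxy setting and bypass list, DNS suffix, Test-WSMan by hostname versus FQDN) gathered into one script. This is an added example, not posted by either participant; server1 and server1.domain.com are the placeholder names from the output above, and the netsh parsing assumes English-language output.

```powershell
# Added example, not from the thread. Default names are the placeholders seen in its output.
param(
    [string]$ShortName = 'server1',
    [string]$Fqdn      = 'server1.domain.com'
)

# WinHTTP proxy as reported by netsh (label matching assumes English output).
$netsh = netsh winhttp show proxy
function Get-NetshValue([string]$Label) {
    foreach ($line in $netsh) {
        if ($line -match "$Label\s*:\s*(.+)$") { return $Matches[1].Trim() }
    }
}
$proxy   = Get-NetshValue 'Proxy Server\(s\)'
$bypass  = Get-NetshValue 'Bypass List'
$entries = @($bypass -split ';' | Where-Object { $_ -and $_ -ne '(none)' })

# True when $Name is covered by the bypass list; '<local>' covers names without a dot.
function Test-Bypassed([string]$Name) {
    foreach ($e in $entries) {
        if ($e -eq '<local>') { if ($Name -notmatch '\.') { return $true } }
        elseif ($Name -like $e) { return $true }
    }
    return $false
}

"Proxy        : $(if ($proxy) { $proxy } else { 'direct access' })"
"Bypass list  : $($entries -join '; ')"
"DNS suffixes : $((Get-DnsClientGlobalSetting).SuffixSearchList -join ', ')"

# Run the same checks against the short name and the FQDN, side by side.
$results = foreach ($name in $ShortName, $Fqdn) {
    $wsman = $null; $err = $null
    try   { $wsman = Test-WSMan -ComputerName $name -ErrorAction Stop }
    catch { $err = $_.Exception.Message }
    [pscustomobject]@{
        Name        = $name
        ResolvesTo  = (Resolve-DnsName $name -ErrorAction SilentlyContinue |
                       Where-Object IPAddress | Select-Object -First 1).IPAddress
        Tcp5985     = (Test-NetConnection $name -Port 5985 -WarningAction SilentlyContinue).TcpTestSucceeded
        ProxyBypass = Test-Bypassed $name
        WSManOk     = [bool]$wsman
        Error       = $err
    }
}
$results | Format-List
# Test-NetConnection opens a direct TCP connection. A row with Tcp5985 = True,
# WSManOk = False and ProxyBypass = False suggests the proxy path is worth checking.
```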