5.6. Enable networking configurations for Active Directory Domains

To enable remote scripting and configure the required domain policies for Windows Remote Management, complete the following steps on a domain controller machine (all actions are performed via Group Policy Management -> Default Domain Policy -> Edit):

  1. Set the WinRM service to auto start.

    • Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services -> Windows Remote Management (WS-Management).

    • Set Startup Mode to Automatic.

  2. Add firewall exceptions to allow the service to communicate.

    • Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security.

    • Right click on Windows Firewall with Advanced Security to create a new Inbound Rule.

    • Select Predefined as the rule type and choose Windows Remote Management.

      The predefined rule automatically creates two rules, as shown below:

    • Configure the Action as Allow the connection and click Finish.

  3. Set script execution policy.

    • Go to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows PowerShell.

    • Enable Script Execution.

    • Set Execution Policy to Allow all scripts.

  4. Set up the WinRM service.

    • Go to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Service.

    • Create a WinRM listener.

      1. To allow automatic configuration of listeners, select Enabled.

      2. Set IPv4 filter to * (all addresses, or specify a range).

      3. Allow CredSSP authentication and click OK.

  5. Set up the WinRM client.

    • Go to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Client.

    • Configure the trusted host list (the IP addresses of the computers that can initiate connections to the WinRM service). To do this, set TrustedHostsList to * (all addresses, or specify a range).

    • Allow CredSSP authentication and click OK.

  6. Enable credentials delegation.

    • Go to Computer Configuration -> Policies -> Administrative Templates -> System -> Credentials Delegation.

    • Select Enabled to allow delegation of fresh credentials.

    • Under Options click on Show. Set WSMAN to * (all addresses, or specify a range). Click on Next Setting.

    • Select Enabled to allow delegation of fresh credentials with NTLM-only server authentication.

    • Under Options click on Show. Set WSMAN to * (all addresses, or specify a range). Click on Finish.

  7. Enable creation of the WSMAN SPN.

    • Go to Start -> Run. In the dialog box, type ADSIEdit.msc and press Enter.

    • Expand the OU=Domain Controllers item and select CN=<domain controller hostname>. Go to Properties -> Security -> Advanced -> Add.

    • Enter NETWORK SERVICE, click Check Names, then OK. In the Permission Entry dialog, select Validated write to service principal name. Click Allow and OK to save your changes.

  8. Restart the WinRM service and update policies.

    • On the domain controller machine, execute the following command in PowerShell:

      Restart-Service WinRM

    • On other hosts in the domain, execute the following command:

      gpupdate /force

    • Ensure that the WSMAN SPN has been created for your environment. Execute the following command on your domain controller machine:

      setspn -l $Domain_Controller_Hostname

      You should see output similar to the following:

  9. Check the WSMAN SPN from another host in the domain. Execute the following command on any one of your host machines:

    setspn -l $Domain_Controller_Hostname

    You should see output similar to the following:
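As an added example (not part of the original guide), the PowerShell script below, run on a domain-joined host after gpupdate, reads back each setting that steps 1 to 9 configure and reports whether it applied; it also flags every place where the wildcard * was used instead of a specific range, so the scope can be narrowed. The function name, the $DomainController parameter and the host name 'dc01' are assumptions.

```powershell
# Added verification script: checks the WinRM settings that the GPO steps above configure.
# Function name and the $DomainController parameter are assumptions; pass your DC's hostname.
function Test-WinRmDomainPolicy {
    param([Parameter(Mandatory)][string]$DomainController)

    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Check, $Value, [string]$Status) {
        $results.Add([pscustomobject]@{ Check = $Check; Value = "$Value"; Status = $Status })
    }
    # The guide allows * or a range; report * as a warning so a narrower range can be chosen.
    function Get-ScopeStatus($Value) { if ("$Value" -match '\*') { 'Warning (wildcard)' } else { 'OK' } }

    # Step 1: WinRM service start mode
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'"
    Add-Result 'WinRM StartMode' $svc.StartMode $(if ($svc.StartMode -eq 'Auto') { 'OK' } else { 'Fail' })

    # Step 2: enabled Allow rules from the predefined firewall group
    $fw = @(Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })
    Add-Result 'Firewall WinRM rules enabled' $fw.Count $(if ($fw.Count -gt 0) { 'OK' } else { 'Fail' })

    # Step 3: machine-level execution policy ("Allow all scripts" applies as Unrestricted)
    $ep = Get-ExecutionPolicy -Scope MachinePolicy
    Add-Result 'ExecutionPolicy (MachinePolicy)' $ep $(if ("$ep" -eq 'Unrestricted') { 'OK' } else { 'Check' })

    # Step 4: listener created by the GPO, plus service-side CredSSP
    $listeners = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate)
    $summary = ($listeners | ForEach-Object { "$($_.Transport):$($_.Port)" }) -join ','
    Add-Result 'WinRM listeners' $summary $(if ($listeners.Count -gt 0) { 'OK' } else { 'Fail' })
    Add-Result 'Service CredSSP' (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value 'Info'

    # Step 5: client trusted hosts and client-side CredSSP
    $th = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    Add-Result 'Client TrustedHosts' $th (Get-ScopeStatus $th)
    Add-Result 'Client CredSSP' (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value 'Info'

    # Step 6: delegation targets the Credentials Delegation GPO writes to the registry
    foreach ($key in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
        $path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\$key"
        $targets = @(if (Test-Path $path) {
            (Get-ItemProperty $path).PSObject.Properties | Where-Object Name -match '^\d+$' | ForEach-Object Value })
        Add-Result "Delegation $key" ($targets -join ',') $(if ($targets.Count) { Get-ScopeStatus $targets } else { 'Fail' })
    }

    # Steps 7-9: WSMAN SPN registered on the domain controller account
    $spns = @(setspn -L $DomainController 2>&1 | Where-Object { "$_" -match '^\s*WSMAN/' })
    Add-Result 'WSMAN SPN on DC' (($spns | ForEach-Object { "$_".Trim() }) -join ',') $(if ($spns.Count) { 'OK' } else { 'Fail' })
    return $results
}

Test-WinRmDomainPolicy -DomainController 'dc01' | Format-Table -AutoSize
```

The WSMan: drive requires the local WinRM service to be running, so run the script after step 8; any row marked Fail points at the step whose policy has not applied yet.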