3.7. (Optional) Enable Networking Configurations for Active Directory Domains

If your environment uses Active Directory, you must enable remote scripting and configure domain policies for Windows Remote Management. To do so, complete the following instructions on a domain controller machine.

  1. Open the Group Policy Management Editor: in Group Policy Management, go to Domains > <domain name> > Default Domain Policy, select Default Domain Policy, and then click Edit.

  2. Set the WinRM service to autostart.

    1. From the Group Policy Management Editor, go to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Remote Management (WS-Management).

    2. Set Startup Mode to Automatic.

  3. Add firewall exceptions to allow the service to communicate.

    1. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security.

    2. To create a new Inbound Rule, right-click Windows Firewall with Advanced Security.

    3. Specify the rule type as Predefined, Windows Remote Management.

      The Predefined rule automatically creates two rules:

    4. Configure Action as Allow the connection.

    5. Click Finish.

  4. Set script execution policy.

    1. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell.

    2. At Setting, select Turn on Script Execution.

    3. Set Execution Policy to Allow all scripts.

  5. Set up the WinRM service.

    1. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service.

      Note:

      In Windows Server 2012, the "Allow automatic configuration of listeners" option has changed to "Allow remote server management through WinRM".

    2. Create a WinRM listener.

      1. To allow automatic configuration of listeners, select Enabled, and then set IPv4 filter to * (all addresses) or specify a range:

      2. Allow CredSSP authentication and click OK.

  6. Set up the WinRM client.

    1. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Client.

    2. Configure the trusted host list (the IP addresses of the computers that can initiate connections to the WinRM service).

      Set TrustedHostsList to * (all addresses) or specify a range.

    3. Set Allow CredSSP authentication to Enabled, and click OK.

  7. Enable credentials delegation.

    1. Go to Computer Configuration > Policies > Administrative Templates > System > Credentials Delegation.

    2. To allow delegation of fresh credentials, select Enabled.

    3. Under Options, select Show. Set WSMAN to * (all addresses) or specify a range. Click Next Setting.

    4. Select Enabled to allow delegation of fresh credentials with NTLM-only server authentication.

    5. Under Options click Show. Set WSMAN to * (all addresses), or specify a range. Click Finish.

  8. Enable the creation of WSMAN SPN.

    1. Go to Start > Run. In the dialog box, enter ADSIEdit.msc and press Enter.

    2. Expand the OU=Domain Controllers menu item and select CN=domain controller hostname.

    3. Go to Properties > Security > Advanced > Add.

    4. Enter NETWORK SERVICE, click Check Names, then click OK.

    5. In the Permission field, select Validated write to service principal name.

    6. Click Allow.

    7. To save your changes, click OK.

  9. Restart the WinRM service and update policies.

    1. At the domain controller machine, open a PowerShell window and enter:

       Restart-Service WinRM 

    2. At each of the other hosts in domain, enter:

       gpupdate /force 

    3. Ensure that the WSMAN SPN is created for your environment.

      At your domain controller machine, enter:

       setspn -l Domain_Controller_Hostname 

      You should see output similar to the following:

  10. Check the WSMAN SPN on other hosts in the domain. Run the following command on any one of your host machines:

    setspn -l Domain_Controller_Hostname

    You should see output similar to the following:
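The following PowerShell function is an added example and is not part of the original guide. It audits the effective WinRM settings that the GPO steps above push to a domain-joined host, checks that the WSMAN SPN exists, and marks as "Review" the values the guide sets to * (all addresses) so an administrator can decide whether to narrow them to the hosts that actually need access. It assumes an elevated PowerShell window on a domain-joined host after gpupdate /force; the registry path for the Credentials Delegation policy is the one that policy writes to and is assumed to match your Windows version.

```powershell
# Added example (not from the original guide): audit the WinRM settings pushed by the GPO steps
# above on this host, and check the WSMAN SPN on the given domain controller.
function Test-WinRmDomainConfig {
    param([Parameter(Mandatory)][string]$DomainController)
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [string]$Value, [string]$Status) {
        $findings.Add([pscustomobject]@{ Check = $Check; Value = $Value; Status = $Status })
    }

    # Step 2: the service must start automatically or GPO-created listeners never come up.
    $mode = (Get-CimInstance Win32_Service -Filter "Name='WinRM'").StartMode
    Add-Finding 'WinRM startup mode' $mode $(if ($mode -eq 'Auto') { 'OK' } else { 'Fail' })

    # Step 5.2: listeners created by "Allow automatic configuration of listeners".
    $listeners = @(Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue)
    foreach ($l in $listeners) { Add-Finding 'WinRM listener' ($l.Keys -join ', ') 'Info' }
    if ($listeners.Count -eq 0) { Add-Finding 'WinRM listener' 'none' 'Fail' }

    # Steps 5.2 and 6.3: CredSSP forwards the caller's full credentials to the remote host,
    # so it should be enabled only where the remote management actually needs it.
    foreach ($role in 'Service', 'Client') {
        $v = (Get-Item "WSMan:\localhost\$role\Auth\CredSSP").Value
        Add-Finding "CredSSP ($role)" $v $(if ($v -eq 'true') { 'Review' } else { 'OK' })
    }

    # Step 6.2: "*" trusts every host; a range of management hosts is the tighter setting.
    $th = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    Add-Finding 'TrustedHosts' $th $(if ($th -eq '*') { 'Review' } else { 'OK' })

    # Step 4: "Allow all scripts" maps to Unrestricted in the machine policy scope.
    $ep = "$(Get-ExecutionPolicy -Scope MachinePolicy)"
    Add-Finding 'Execution policy (MachinePolicy)' $ep $(if ($ep -eq 'Unrestricted') { 'Review' } else { 'OK' })

    # Step 7: fresh-credential delegation targets; "WSMAN/*" delegates to any WinRM server.
    foreach ($key in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
        $p = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\$key" -ErrorAction SilentlyContinue
        $targets = @($p.PSObject.Properties | Where-Object Name -match '^\d+$' | ForEach-Object Value)
        $s = if ($targets -contains 'WSMAN/*') { 'Review' } elseif ($targets.Count) { 'OK' } else { 'Fail' }
        Add-Finding $key ($targets -join ', ') $s
    }

    # Steps 8-10: the WSMAN SPN must exist on the domain controller's computer object.
    $spn = @(setspn -L $DomainController 2>&1) -match '^\s*WSMAN/'
    Add-Finding "WSMAN SPN on $DomainController" ($spn -join ', ') $(if ($spn) { 'OK' } else { 'Fail' })
    return $findings
}
# Usage (placeholder hostname): Test-WinRmDomainConfig -DomainController 'DC01' | Format-Table -AutoSize
```

Any row marked Fail means the corresponding step above has not taken effect on this host; rows marked Review are the settings the guide opens to all addresses and are worth restricting to a range where your environment allows it.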
