How to Programmatically Set Up Powershell Remoting on an Azure VM - powershell

My goal is to write a Powershell script that will run New-AzureRmResourceGroup and New-AzureRmResourceGroupDeployment in order to provision a resource group according to an ARM .json template file. Said resource group includes a virtual machine, virtual network, network security group, public IP address, network interface attached to the virtual machine, and two storage accounts. After that, I want the same script to go on and copy a specific program installer to the virtual machine in that resource group and run that installer, automatically without further user interaction. However, I can't seem to begin a remote Powershell session with the virtual machine. I run the command:
$sess = New-PSSession -ComputerName **.***.**.*** -Port XXXX -Credential $cred
where the *s are the IP address of the Virtual Machine; XXXX is the Port that is open for RDP according to the Network Security Group associated with the virtual network that the Virtual Machine is on; and $cred contains the credentials of the admin user on the Virtual Machine.
The command always returns an error:
New-PSSession : [**.***.**.***] Connecting to remote server **.***.**.*** failed with the following error message :
The client cannot connect to the destination specified in the request. Verify that the service on the destination is
running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the
destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the
destination to analyze and configure the WinRM service: "winrm quickconfig". For more information, see the
about_Remote_Troubleshooting Help topic.
Note that I did make sure to add the Virtual Machine's IP address to the list of Trusted-Hosts on my local machine. (Until I did that, I got a different error message.) Also, I am able to connect to the Virtual Machine if I click on its Connect button in the Azure portal and then click on the .rdp file that's downloaded. This remote session uses the same IP address, port, and credentials as the one I'm trying and failing to set up in Powershell. This is what I don't understand.
Why does that happen? Is there some additional work I need to do to prepare the VM for accepting remote Powershell sessions? Is there any way to configure it in the ARM template so that the VM will be ready to accept them from the get-go? (It would be difficult if I need to run some commands on the VM to set Powershell remoting up, since I can't Powershell remote in to run them because of this very problem. Maybe I could run them as a custom script extension?)
Final notes: This VM is "new" style, not "classic" style. I know there is lots of documentation out there for "classic" style Azure VMs, but that's not what I'm working with. Also, even after running winrm quickconfig on the VM as the error suggested, and enabling administrative rights remotely to local users, I get the same error when I run New-PSSession.

Open up 5985-5986 on your NSG
Drop the port part on your command:
$sess = New-PSSession -ComputerName ... -Credential $cred
The WinRM endpoint is set up automatically for new VMs (if you don't somehow override it). But you need to open 5985 for nonsecure and 5986 for secure remoting.
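The NSG change and connection check from the answer above, as an added example that is not part of the original post. It uses the AzureRM cmdlets named in the question. The resource names, addresses, rule priority and DNS name are placeholder assumptions. It also assumes a WinRM HTTPS listener exists on the VM with a certificate the client trusts for that name.

```powershell
# Placeholders (assumptions, not values from the original post).
$rgName   = 'my-resource-group'
$nsgName  = 'my-nsg'
$vmHost   = 'myvm.example.com'   # name that matches the listener certificate
$mgmtCidr = '203.0.113.10/32'    # the only source allowed to reach WinRM

# Add one inbound rule for WinRM over HTTPS (5986), limited to the management address
# instead of opening 5985-5986 to every source.
$nsg = Get-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name 'Allow-WinRM-HTTPS' `
        -Description 'WinRM over HTTPS from management host' `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 1010 `
        -SourceAddressPrefix $mgmtCidr -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '5986' |
    Set-AzureRmNetworkSecurityGroup | Out-Null

# Check each layer separately so a failure points at the right component.
$tcp = Test-NetConnection -ComputerName $vmHost -Port 5986
if (-not $tcp.TcpTestSucceeded) {
    throw 'TCP 5986 unreachable: check the NSG rule and the Windows Firewall on the VM.'
}

try {
    # An unauthenticated identify request: confirms that a WinRM listener answers over TLS.
    Test-WSMan -ComputerName $vmHost -Port 5986 -UseSSL -ErrorAction Stop | Out-Null
} catch {
    throw "Port is open but WinRM did not answer over HTTPS: $($_.Exception.Message)"
}

# No -Port needed: -UseSSL selects 5986 by default.
$cred = Get-Credential
$sess = New-PSSession -ComputerName $vmHost -UseSSL -Credential $cred
Invoke-Command -Session $sess -ScriptBlock { $env:COMPUTERNAME }
Remove-PSSession $sess
```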

Related

Cannot connect to server using Enter-PSSession

I'm quite new to PowerShell and am trying to write a script that connects to our web server from our db server and pulls a file across. Unfortunately I'm hitting hurdles straight out of the gate with the following error when trying to use the Enter-PSSession cmdlet:
http://imgur.com/jzpmV6z
I can confirm that PowerShell on the web server is set up and ready to receive connections:
http://imgur.com/o3g4bxK
I am at a loss as to what to check now. Any help would be greatly appreciated.
EDIT: Just to confirm, I am able to RDP into the web server from the db server fine.
If you are not using domain joined Machines and domain user accounts you will need to add the destination server to your trusted hosts list
Set-Item WSMan:\LocalHost\Client\TrustedHosts\ -Value "192.168.100.234"
You should check if you have machines added first
Get-Item WSMan:\Localhost\Client\TrustedHosts
If you do, you will need to append the new IP address or the previous values will be overwritten.
You should also check the network profiles on both machines. Powershell remoting will not work with the network profile set to Public.
EDIT:
You need to run Enable-PSRemoting, not winrm qc, to allow PowerShell remoting.
winrm is only half the puzzle.
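An added example (not from the original answer) of appending to TrustedHosts without overwriting the existing entries, followed by the network profile check mentioned above. The function name Add-TrustedHost is hypothetical, and the session must be elevated.

```powershell
function Add-TrustedHost {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$HostName)

    $path    = 'WSMan:\localhost\Client\TrustedHosts'
    $current = (Get-Item -Path $path).Value
    # The value is a comma-separated string; split it into clean entries.
    $entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    if ($entries -contains '*') {
        Write-Warning 'TrustedHosts is "*": every host is already trusted, nothing added.'
        return $entries
    }
    if ($entries -contains $HostName) {
        return $entries          # already listed, leave the setting untouched
    }

    # -Concatenate appends to the existing list instead of replacing it.
    Set-Item -Path $path -Value $HostName -Concatenate -Force
    return @((Get-Item -Path $path).Value -split ',')
}

# Address taken from the answer above.
Add-TrustedHost -HostName '192.168.100.234'

# Show the profile of each connection; run this on both machines.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
```

Hosts listed in TrustedHosts are not authenticated by the client, so keeping the list to the specific addresses you manage limits where credentials can be sent.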
Hello. I don't have the reputation to post a comment, so read some info
here. If you have a domain you can try to do this: In the group
policy mmc: Policies/Administrative Templates /Windows
Components/Windows Remote Management (WinRM)/WinRM Service
Allow Remote Server management through WinRM
Set the Policy to Enabled.
Set the IPv4 and IPv6 filters to *
Or you can try to do something like this:
On local host and remote PC
Set-ExecutionPolicy remotesigned -Scope CurrentUser -Force| Out-Null
winrm qc -q| Out-Null

Remote Powershell session connection failure with Kerberos authentication

I have an on-premises network and an Azure virtual network that are connected together via a gateway.
With this setup, all machines (on-premises and Azure) are joined to the domain which allows me remote access to the administrative shares as well as remote Powershell sessions on each machine in the Azure virtual network from machines in my office. For example, I can simply open up Windows Explorer and type in the address bar \\machinename\c$ or I can open a remote Powershell session by using the command $Session = New-PSSession -ComputerName machinename.
This works perfectly for one of my Azure subscriptions, but on another Azure subscription that appears to be configured identically, the remote Powershell command is failing with error:
New-PSSession : [machinename] Connecting to remote server machinename failed with the following error message : WinRM cannot process the request. The following error occurred while
using Kerberos authentication: Cannot find the computer machinename. Verify that the computer exists on the network and that the name provided is spelled correctly. For more information,
see the about_Remote_Troubleshooting Help topic.
When I look in DNS on the Azure domain controller, the machine that I am trying to connect to exists. When I look in DNS on-premises, the machine is missing. What it looks like to me is a replication problem between the two domain controllers.
The first thing that is likely to be suggested is to start looking at WinRM configurations on the client machine. To be clear, the same machine is able to connect successfully to machines in a virtual network in a different Azure subscription so it is very unlikely that anything on the client machine needs to be changed. Nevertheless, I Googled the Kerberos error with remote Powershell and have checked that the TrustedHosts setting on the client is set to *.
Interestingly enough, I can successfully open a remote Powershell session from a machine in the Azure subscription to a machine in my office, I just can't go the other direction....from Azure to my office. This would seem to indicate maybe a one-way trust instead of two-way, but I am not sure how to verify this.
I ran the tool and it is reporting that everything is working with regard to replication.
So I guess what I am wondering is if this is truly a replication issue or if someone can give me an idea of what the problem might really be.
Edit 1
Now it looks like the domain controller in the Azure network is replicating just fine but any other VM that I add to the Azure network is not replicating. Based on this I will guess that the replication is working, but it would seem it only works for the domain controller and not any other machine. I have no idea what that means.
Based on the error message, it seems that the DNS records on Azure domain controller are not replicated to the on-premises domain controller.
To verify this, you can run the command below on the on-premises machine, and use the IP address as the value of parameter -ComputerName instead of the machine name. The PowerShell session should be established successfully if this is a DNS issue.
New-PSSession -ComputerName <IP address of server on Azure>
Also, you can run the following commands on the domain controllers to check the replication status.
repadmin /kcc
repadmin /replsummary
If the commands complete successfully, you can run the following command to replicate manually, and check the DNS again.
repadmin /syncall
Finally, to check the trust relationship, you can refer to the following link for step-by-step guide.
https://technet.microsoft.com/en-us/library/cc753821(v=ws.11).aspx
Update
Based on the new information you provided, I would recommend checking the type of DNS zone on the Azure DNS server. Please make sure the type is Primary zone, and store the zone in Active Directory.
You can check this by using the DNS Manager.
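An added example (not from the original answer) that queries each DNS server directly for the same name, so a record present on the Azure domain controller but missing on-premises shows up side by side. The function name Compare-DnsAnswer, the server addresses and the host name are placeholder assumptions.

```powershell
function Compare-DnsAnswer {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$DnsServer
    )
    foreach ($server in $DnsServer) {
        try {
            # -DnsOnly skips LLMNR/NetBIOS so only the named DNS server answers.
            $a = Resolve-DnsName -Name $Name -Type A -Server $server -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'A' }
            [pscustomobject]@{
                Server  = $server
                Name    = $Name
                Address = ($a.IPAddress -join ',')
                Status  = 'Resolved'
            }
        } catch {
            # A missing record (name does not exist) lands here.
            [pscustomobject]@{
                Server  = $server
                Name    = $Name
                Address = $null
                Status  = $_.Exception.Message
            }
        }
    }
}

# Constructed values: on-premises DC first, Azure DC second.
Compare-DnsAnswer -Name 'machinename.corp.example.com' -DnsServer '10.0.0.10', '10.1.0.10' |
    Format-Table -AutoSize
```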

How to PSSession VM from Resource Manager?

I have VMs in Resource Manager and I want to do remote PowerShell scripting from a runbook on these VMs. I already know how to do it in classic virtual machines and use it with success.
Now, is remote PowerShell over SSL with a certificate enabled by default on Azure VMs created with the Azure Resource Manager? How do I connect with Enter-PSSession or Invoke-Command?
I tried this code without success.
Enter-PSSession -ComputerName <public-IP> -Credential $cred -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck)
And I got this error
Enter-PSSession : Connecting to remote server <public-IP> failed with the following error message : The WinRM client
cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not
joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts
configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not
be authenticated. You can get more information about that by running the following command: winrm help config. For more
information, see the about_Remote_Troubleshooting Help topic.
Note that I am running this with a PowerShell Runbook in Azure Automation, and tried the suggested answer here.
You need to put a cert in Azure Key Vault (plus some other steps) to enable WinRM to ARM VMs. Then you need to do the same thing as in the Connect-AzureVM runbook, but using this cert instead of the Azure Classic VM's cert, to set up trust between the hosts.
See this thread for more details on the steps required. This may be useful as well.

Trigger task in AzureVM from local machine via command line

What is the way to trigger a task that is in task manager of AzureVM from command prompt of my local machine??
I tried this (with AzureVm and task names)
schtasks /run /s <VMName> /tn <TaskName>
This gave me the error
ERROR: The network path was not found.
Both AzureVM and local machine are running windows server 2012 R2.
To properly answer this question it will depend on what network connectivity exists between your local machine and the Azure VM. If you are connecting to the Azure VM over the internet then you need to either open a port for the VM on the load balancer, or you need to create a public IP address for the specific VM so that you can access all of the ports of the VM over the internet. Alternatively if you have a site to site or point to site connection to the VM then you can access the VM directly as you are doing.
Assuming that you are connecting to the VM over the internet, the easiest approach is going to be to create a public IP address for the VM, then connect to the VM using either the DNS name of the public IP address or just using the IP address directly. If you wanted to go through the load balancer then you would need to determine which port and protocol (UDP/TCP) schtasks is using so that you can open the correct port.
Also remember that the Windows Firewall on the VM may need to be updated to allow scheduled tasks to be executed remotely.
An alternate option is to use Remote PowerShell to execute the schtasks on the VM. Please see the following blog post that provides great overview on using remote powershell with Azure VMs: http://michaelwasham.com/windows-azure-powershell-reference-guide/introduction-remote-powershell-with-windows-azure/

How to configure a VM from HyperV host using Powershell

I have a HyperV server with over 10 VMs hosted on it. They all use a base image so they are not connected to a domain nor do they have their NIC configured. Is there a way that I could run commands from the host to configure the VMs' NIC and join the domain as if I was actually logged in?
This is easily done if I just pop open the VM from HyperV:
###Joining domain###
$domain = "mydomain.gbl"
$cred = get-credential mydomain\defaultuser
Add-Computer -DomainName $domain -Credential $cred
Now this approach is ok if I had only a few machines but since I have so many and even more machines to come that need configuration, I am trying to find a way to automate these tasks.
Maybe I could create a scheduled task on the VMs from the host?
Since you're running Server 2008 your only option (AFAICS) would be to configure the network interfaces of the VMs with static MAC addresses (e.g. with the PowerShell Management Library for Hyper-V), set up a DHCP to provide the VMs with IP addresses. After that you should be able to do something e.g. with PsExec if the Windows Firewall is disabled on the VMs. If it isn't, you'll have to log in manually. You need at least some basic configuration for remote management.