Connecting to a remote domain controller using PowerShell

Covering one of the basic day to day task if you are a Windows Administrator; connecting to the domain controller.  I try to minimize logging onto servers as much as possible.  Your thought should be around connecting to the server remotely and doing the work as needed instead of natively logging on to it.

I will be discussing two approaches below to connect to a domain controller:

  1. Connecting from a client machine on the same domain
  2. Connecting from a client machine on a different domain or a workstation/server

Before we get started, and regardless of which approach you take below, the following will need to be installed on the client Windows machine. Primarily you need to get the Active Directory Module for Windows PowerShell installed.

Installing the Active Directory Module

GUI:

The Active Directory for Windows PowerShell is already built-in into Windows Server operating systems (starting from Windows Server 2008 R2), but it is not enabled by default.

On Windows Server 2016, you can install the AD for PowerShell module from the Server Manager (Add Roles and Features -> Features -> Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools -> Active Directory module for Windows PowerShell).

PowerShell:

You can also install the module from the PowerShell console using the command:

The RSAT-AD-PowerShell can be installed not only on the domain controllers, but also on any domain member server or even a workstation. The PowerShell Active Directory Module is installed automatically when you deploying the Active Directory Domain Services (AD DS) role (when promoting server to AD domain controller).

Approach 1: Connecting from a client machine on the same domain

First step you need to do is find all of your domain controllers and allow remote connections to it.

Logon to your one of your domain controllers and open up PowerShell:

You need to do this once on each domain controller so you can remotely connect to each one of them at a later time.

You can read more about WinRM here.

Alternatively, the following command can be ran in an elevated Powershell console on the DC. This enables WinRM and configures the firewall so that it can accept incoming commands.

Once that is done you are ready to connect to your domain controller.

Make sure your system is configured to run PowerShell scripts.

Copy the content below and paste it into your PowerShell Editor. Rename your value of “yourdomaincontroller” to your actual DC Server name.

Now all command you enter will be applied to the DC.

To check if your connection is successful. Try the command below to get a list of all of your domain controllers.

Approach 2: Connecting from a client machine on a different domain or a workstation

Windows Remoting works perfectly for same domain situations, and the set-up is relatively straight-forward. It’s extremely powerful when it works, and offers a highly flexible way to securely execute commands remotely.

Problems arise however when trying to use WinRM in mixed domain environments, or where only one machine is on a domain. This requires some additional configuration steps outlined below.

Logon to your one of your domain controllers and open up PowerShell and run the following:

The following registry key needs to be added to the target domain controllers:

Make sure the ports are open:

By default, WS-Man and PowerShell remoting use port 5985 and 5986 for connections over HTTP and HTTPS, respectively.

The module is interacting with AD through the Active Directory Web Service that must be installed on your domain controller (communication is performed over the TCP port 9389).

In some environments, you may need to check if the server authentication certs are valid and not expired. Also, in some situations I have seen that if the client is not resolving the FQDN, it is because the DNSzone doesn’t exist in the source domain. Either the zone can be added, or the host file can be modified to add the DC’s FQDN.

Trusted Hosts:

Adding the client IP or name can help avoid errors.

Depending on your environment and what is allowed or not one of the following should work for your situation.

View the computers of TrustedHosts list

To view the list of TrustedHosts added to the machine, type the following command. By default, its value is blank.

Add all computers to the TrustedHosts list

Using the Set-Item cmdlet and the wildcard you can add all the computers to the TrustedHosts list with the following command.

Add all domain computers to the TrustedHosts list

In the following command, replace .yourdomain.com with your own domain name.

Add specific computers to the TrustedHosts list

You can add specific computers you choose based on their hostname by separating them with a comma (,) using the following command.

Where ComputerName can be in the Server01 or Server01.yourdomain.com format

Add a computer to an existing list of TrustedHosts

If you have already added some computers to the TrustedHosts list and want to add an additional computer, without deleting the previous entries, you should use the following method. This is because the TrustedHosts list is updated based on the last Set-Item command you have run overwriting the previous entries.

Use the following command to save the current TrustedHosts computer list to a curList variable.

To add a computer to the current list, type the following command by specifying both the variable you created and the computer name you are going to add.

Alternatively, to avoid using a variable, add the -Concatenate switch to the Set-Item command to add both new and previous entries. For example:

Add computers to the TrustedHosts list using the IP address

Similarly to the previous commands, you can use an IPv4 or IPv6 address. In the case of IPv6, you have to type the address between [].

Add computers to the TrustedHosts list using multiple IP address (Most common)

Another way to add trusted hosts is via an elevated Command Prompt:

Importing the AD Module:

Before using any cmdlets of the Active Directory module, you need to import it to your PowerShell session (on Windows Server 2012 R2/ Windows 8.1 and newer the module is imported automatically).

With this configuration, it’s now possible to authenticate and execute a command remotely with explicit credentials.

Lets check if it is working:

It WORKS! 🙂

Common Errors & Solutions:

Error: WinRM service started.  Set-WSManQuickConfig : <f:WSManFault…. WinRM firewall exception will not work since one of the network connection types on this machine is set to Public…… Change the network connection type to either Domain or Private and try again.

Solution: 

Explanation:

The above error message indicates that we have set the network to Public in order to enable PowerShell Remoting. Several ways exist to change the connection type. For some reason that only Microsoft knows, you can’t do this in the Network and Sharing Center.

 

Error: Enter-PSSession : Connecting to remote server 10.0.2.33 failed with the following error message : The WinRM client cannot process the request….

Solution:

Explanation:

In an Active Directory environment, you can just use the computer name to connect to a remote machine. If you remotely connect to a standalone machine, you usually have to use the IP address instead. If you try to connect to the remote computer with the Enter-PSSession cmdlet using the IP address of the remote machine, PowerShell will throw the above error.

Error: Cannot connect to host…

Solution:

Check with your network/ firewall team if  the port 5985, 5986, and 9389 are open.

Explanation: 

Most of the times the ports are overlooked and are the root cause as to why the connection is not working