Enabling WinRM by Group Policy

group-policy winrm

I'm having partial success enabling WinRM through Active Directory GPOs on our Server 2008 R2 environment.

I've created a GPO that enables "Allow automatic configuration of listeners" and also enables all the necessary predefined WinRM Firewall rules.

This GPO works fine for our webservers. Indeed, this is reflected by the "Server Manager Remote Management" nicely flipping to "enabled" in Server Manager Server Summary.

However, the same GPO applied to both our Management servers, which are Domain Controllers, does not give the same result. I see the GPO settings being applied, including the listener as confirmed by

C:\Windows\system32>winrm e winrm/config/listener
Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.32.40.210, 10.32.40.211, 10.32.40.212

But in Server Manager, Server Summary, Remote Management remains on "disabled" and indeed when trying to connect to one of these machines Server Manager gives an "Access Denied".

Manually enabling WinRM locally via Server Manager "Configure Server Manager Remote Management" on either of these machines works fine.

What can be the cause? Can it have something to do with these machines being DCs and needing extra settings in the GPO?

Nick Reid

Best Answer

Thanks, but if you had read my post you would see that I had already done exactly as you say. As it turns out, in our case it was not easy at all. The problem was, and still is, that SQL Server Reporting Server 2008 user claims the HTTP Kerberos SPN, which is therefore not available for the machine itself, which is what WinRM needs. I wonder if they are aware of this conflict at Microsoft?

In summary, SSRS 2008 R2 and WinRM are mutually exclusive because they both need the HTTP SPN configured differently: WinRM at the machine level, SSRS at the domain account level.

SSRS 2008 R2 docs: http://msdn.microsoft.com/en-us/library/cc281382.aspx
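
One way to check for the SPN conflict the answer describes, as an added example that is not part of the original thread: list which account holds the HTTP SPN for a host and flag any holder other than the machine account. The function name `Find-HttpSpnConflict`, the host `MGMT01`, the domain `corp.example` and the account `svc-ssrs` are hypothetical, and the sample records are constructed.

```powershell
# Added example, PowerShell 2.0 compatible (Server 2008 R2).
function Find-HttpSpnConflict {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,   # short name (hypothetical: MGMT01)
        [Parameter(Mandatory=$true)][string]$DnsDomain,  # AD DNS domain (hypothetical)
        [object[]]$Accounts                              # optional pre-fetched records
    )
    $wanted  = @("HTTP/${HostName}", "HTTP/${HostName}.${DnsDomain}")
    $machine = $HostName + '$'                           # computer account name

    if (-not $PSBoundParameters.ContainsKey('Accounts')) {
        # Live lookup: accounts carrying an explicit HTTP SPN for this host.
        $clauses  = ($wanted | ForEach-Object { "(servicePrincipalName=$_)" }) -join ''
        $searcher = [adsisearcher]"(|$clauses)"
        $searcher.PageSize = 500
        $Accounts = $searcher.FindAll() | ForEach-Object {
            New-Object PSObject -Property @{
                SamAccountName = [string]$_.Properties['samaccountname'][0]
                SPNs           = @($_.Properties['serviceprincipalname'])
            }
        }
    }

    # Where-Object drops the single $null that an empty result yields in PS 2.0.
    foreach ($acct in @($Accounts | Where-Object { $_ })) {
        foreach ($spn in $acct.SPNs) {
            $base = ($spn -split ':')[0]                 # ignore an optional :port
            if ($wanted -contains $base) {               # -contains is case-insensitive
                New-Object PSObject -Property @{
                    SPN      = $spn
                    Owner    = $acct.SamAccountName
                    # Held by anything other than the machine account = the clash
                    Conflict = ($acct.SamAccountName -ne $machine)
                }
            }
        }
    }
}

# Constructed sample records mirroring the thread: the computer account has only
# HOST SPNs, while a reporting service account holds the HTTP SPN.
$sample = @(
    (New-Object PSObject -Property @{ SamAccountName = 'MGMT01$'
                                      SPNs = @('HOST/MGMT01', 'HOST/MGMT01.corp.example') }),
    (New-Object PSObject -Property @{ SamAccountName = 'svc-ssrs'
                                      SPNs = @('HTTP/MGMT01.corp.example') })
)
Find-HttpSpnConflict -HostName MGMT01 -DnsDomain corp.example -Accounts $sample |
    Format-Table SPN, Owner, Conflict -AutoSize
```

Called without `-Accounts`, the function searches the current domain instead of the sample records; `setspn -Q HTTP/<host>` answers the same question from the command line.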