Windows – WinRM failing when attempted from Win10, but not from WSE2016


I'm unable to PSRemote to my Hyper-V host, nor can I connect to it using Hyper-V Manager. This occurs from a client VM, but not the server VM. I can PSRemote and connect without problem from the server.

This is my setup:

  • [HOST] is Hyper-V 2016
  • [SERVER] is a Server Essentials 2016 VM
  • [CLIENT] is a domain-joined VM, running Windows 10 v1607
  • I'm signed into both [SERVER] and [CLIENT] under the domain admin account

Error Message:

Enter-PSSession : Connecting to remote server [HOST] failed with the following error message : WinRM cannot complete
the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and
that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM
firewall exception for public profiles limits access to remote computers within the same local subnet. For more
information, see the about_Remote_Troubleshooting Help topic.

[HOST] Firewall Configuration:

[screenshot]

Troubleshooting Steps:

  • I've set the WinRM firewall entry on [HOST] to All profiles and Any remote address
  • I've disabled the firewall on [HOST] entirely
  • I've scoured the troubleshooting steps found here
  • I've successfully run this command on [HOST]: C:\>winrm set winrm/config/client @{TrustedHosts="CLIENT"}
  • I've successfully run this command on [HOST]: PS C:\> Enable-PSRemoting -Force
  • I've started the WinRM service on [CLIENT]
  • I've reviewed this Q&A, but the suggestions provided there don't work for me.
  • I've reviewed all of the Q&A here, but none apply directly. The closest I found was this one, but I'm not sure how to temporarily disable GPO on [CLIENT] as described.

The WinRM event log on [CLIENT] shows these errors:

Command:

Get-WinEvent -LogName Microsoft-Windows-WinRM/Operational -MaxEvents 10 | Where-Object {$_.LevelDisplayName -eq "Error"} | fl

Result:

TimeCreated  : 3/18/2017 12:43:46 PM
ProviderName : Microsoft-Windows-WinRM
Id           : 142
Message      : WSMan operation CreateShell failed, error code 2150859046

TimeCreated  : 3/18/2017 12:43:46 PM
ProviderName : Microsoft-Windows-WinRM
Id           : 161
Message      : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the
               computer is accessible over the network, and that a firewall exception for the WinRM service is enabled
               and allows access from this computer. By default, the WinRM firewall exception for public profiles
               limits access to remote computers within the same local subnet.

TimeCreated  : 3/18/2017 12:43:46 PM
ProviderName : Microsoft-Windows-WinRM
Id           : 138
Message      : The client got a timeout from the network layer (ERROR_WINHTTP_TIMEOUT)

This also occurred before I upgraded both [HOST] and [SERVER] from 2012R2 to 2016, so it leads me to believe that it's something on [CLIENT].

Oddly, I was temporarily able to connect from [CLIENT] immediately after the upgrade. I don't recall whether that was before I turned on the default security GPO on [SERVER] and imported my custom (non-security-related) GPO settings from backup; perhaps it might be related to that?

Is there a firewall rule on [CLIENT] that I need to create/enable? I can't turn the firewall off as a troubleshooting step, as it's managed by the default WSE GPO; as previously mentioned I don't know how to temporarily override that (or even if it's safe to do so).

Best Answer

I certainly wouldn't have expected this to be the answer...

On a whim, I tried connecting using the FQDN (e.g. host.domain.tld). To my surprise, it sailed right through, under both Enter-PSSession and Hyper-V Manager.

It might be something in the TCP/IP DNS settings on [CLIENT]. I'll have to check on that.

But for the time being, this does the trick.

--EDIT--

OK, got it.

The hosts file on [CLIENT] had a stale record with an outdated IP address for [HOST]. That's why WinRM would only work when I used the FQDN.

I removed the record and everything started working correctly immediately.
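
The root cause in this answer (a hosts-file record on [CLIENT] pointing at an old address, so the short name resolved differently from the FQDN) can be checked for directly. The script below is an added example, not part of the original post: it compares every hosts-file record with what DNS returns for the same name. The function name `Find-StaleHostsEntry` and the `Status` values are hypothetical, and the default path assumes a standard Windows install.

```powershell
# Added example (not from the original post): report hosts-file records
# whose address disagrees with DNS. Run on the machine that cannot connect.
function Find-StaleHostsEntry {
    param(
        # Assumption: default hosts-file location on Windows.
        [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
    )

    foreach ($line in Get-Content -LiteralPath $HostsPath) {
        # Strip comments and skip blank lines.
        $entry = ($line -replace '#.*$', '').Trim()
        if (-not $entry) { continue }

        # Record format: <address> <name> [<alias> ...]
        $fields = $entry -split '\s+'
        if ($fields.Count -lt 2) { continue }

        $ip = $null
        if (-not [ipaddress]::TryParse($fields[0], [ref]$ip)) { continue }
        if ([ipaddress]::IsLoopback($ip)) { continue }

        foreach ($name in $fields[1..($fields.Count - 1)]) {
            # Ask DNS only, ignoring the hosts file being audited.
            $dnsIps = @(Resolve-DnsName -Name $name -DnsOnly -NoHostsFile `
                            -ErrorAction SilentlyContinue |
                        Where-Object { $_.IPAddress } |
                        ForEach-Object { ([ipaddress]$_.IPAddress).ToString() })

            $status = if ($dnsIps.Count -eq 0)             { 'NoDnsRecord' }
                      elseif ($dnsIps -contains "$ip")     { 'Match' }
                      else                                 { 'Stale' }

            [pscustomobject]@{
                Name         = $name
                HostsAddress = "$ip"
                DnsAddresses = $dnsIps -join ', '
                Status       = $status
            }
        }
    }
}

# Show only the records that override or contradict DNS.
Find-StaleHostsEntry | Where-Object Status -ne 'Match' | Format-Table -AutoSize
```

A `Stale` row means the hosts file is overriding DNS with a different address for that name, which is the condition that made the short name fail here while the FQDN worked.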