Is it possible to connect remotely using an alias/CName?

I have a remote server that contains a Data directory which contains some folders/files I want to delete (based on name match).

Suppose the actual server is D2WP68JVM.domain.com, and let's say I have a CName for that server: server1.domain.com

I have a database table that's populated with the server containing these folders/files, but as a CName (server1.domain.com) for easier user readability/maintenance… because it's much easier to identify an alias server than the actual server name with all the alphanumeric it has in the server it's pointing to, D2WP68JVM.domain.com.

The problem lies with connecting remotely to the CName to remove the files:

[pre]
Invoke-Command -Computer 'server1.domain.com' -ScriptBlock {Remove-Item $args[0] -force } -ArgumentList 'C:\Data\filetodelete.db'
[/pre]

This results in error:

[pre]
[server1.domain.com] Connecting to remote server server1.domain.com failed with the following error message : WinRM cannot process the request. The following error occurred while using Kerberos authentication: Cannot find the computer server1.domain.com. Verify that the computer exists on the network and that the name provided is spelled correctly. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (server1.domain.com:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : NetworkPathNotFound,PSSessionStateBroken
[/pre]

So is it at all possible to connect with CName? Only using the actual server works...

https://social.technet.microsoft.com/Forums/en-US/4f6af581-7d64-445b-80d7-91063cb35237/is-it-possible-to-connect-remotely-using-an-aliascname?forum=winserverpowershell

https://stackoverflow.com/questions/55426096/is-it-possible-to-connect-remotely-using-an-alias-cname

Simple answer, Nope, nor could you use an A/AAAA record alias either. They both will fail by default.
Also, before you might ask, No, adding them to the trusted host list does not change that failure state.
How do I know this, been there, done that, gave up on it.

[quote quote=147719]Simple answer, Nope, nor could you use an A/AAAA record alias either. They both will fail by default.

Also, before you might ask, No, adding them to the trusted host list does not change that failure state.

How do I know this, been there, done that, gave up on it.

[/quote]
Oh man…so now I have to modify my table to the actual servers :frowning:

I really like your flat out honesty in the answer lol. Straight to the point too
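
Added example, not part of the thread: the table can keep its readable aliases if the script resolves each alias to the real host name just before connecting, so the default Kerberos path is used and nothing has to go into TrustedHosts. `Resolve-RemotingTarget` is a hypothetical helper name; the server names and file path are the ones from the question.

```powershell
# Added example: follow the CNAME chain and remote to the real host name.
function Resolve-RemotingTarget {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$MaxDepth = 5            # stop on CNAME loops or very long chains
    )
    $current = $Name.TrimEnd('.')
    for ($i = 0; $i -lt $MaxDepth; $i++) {
        # Query DNS only (no LLMNR/NetBIOS) for a CNAME record on this exact name.
        $cname = Resolve-DnsName -Name $current -Type CNAME -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'CNAME' -and $_.Name -eq $current } |
            Select-Object -First 1
        if (-not $cname) {
            return $current           # no alias left: this is the host's own name
        }
        $current = $cname.NameHost.TrimEnd('.')
    }
    throw "CNAME chain for '$Name' is longer than $MaxDepth hops."
}

# Alias as stored in the table (from the question).
$alias  = 'server1.domain.com'
$target = Resolve-RemotingTarget -Name $alias

# Record which real host an alias mapped to before anything is deleted there.
Write-Host "Alias $alias resolved to $target"

Invoke-Command -ComputerName $target -ScriptBlock {
    param($Path)
    Remove-Item -LiteralPath $Path -Force
} -ArgumentList 'C:\Data\filetodelete.db'
```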

You should be able to pass the -Credential parameter and explicitly give admin credentials to run Invoke-Command with a cname. This should be the same if you are trying to use an IP address.

pwshliquori

pwshliquori
Nope, never got that to work at all.

Hi,

Please read the docs from Microsoft. I am able to use cnames in my org as well as IP addresses using the credential parameter.

From Microsoft docs: "

Type the NETBIOS name, IP address, or fully qualified domain name of one or more computers in a comma-separated list. To specify the local computer, type the computer name, localhost, or a dot (.).

To use an IP address in the value of ComputerName, the command must include the Credential parameter. Also, the computer must be configured for HTTPS transport or the IP address of the remote computer must be included in the WinRM TrustedHosts list on the local computer. For instructions for adding a computer name to the TrustedHosts list, see “How to Add a Computer to the Trusted Host List” in about_Remote_Troubleshooting."

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-5.1

pwshliquori

You can try using:

[pre]
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value client1.example.local
Get-Item -Path WSMan:\localhost\Client\TrustedHosts
[/pre]

This should allow you to use a cname with the -Credential parameter. To clear the entry, run:

[pre]
Clear-Item -Path WSMan:\localhost\Client\TrustedHosts -Force
[/pre]

The key to this is depending on the entry of the Set-Item command, when running Invoke-Command, the name must match what is in the trusted hosts or it will not work.

[pre]
Invoke-Command -ComputerName client1.example.local -ScriptBlock {
$env:COMPUTERNAME
} -Credential example.local\administrator
[/pre]

Let me know how you make out.

pwshliquori

[quote quote=147891]You can try using:

[pre]
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value client1.example.local
Get-Item -Path WSMan:\localhost\Client\TrustedHosts
[/pre]

This should allow you to use a cname with the -Credential parameter. To clear the entry, run:

[pre]
Clear-Item -Path WSMan:\localhost\Client\TrustedHosts -Force
[/pre]

The key to this is depending on the entry of the Set-Item command, when running Invoke-Command, the name must match what is in the trusted hosts or it will not work.

[pre]
Invoke-Command -ComputerName client1.example.local -ScriptBlock {
$env:COMPUTERNAME
} -Credential example.local\administrator
[/pre]

Let me know how you make out.

pwshliquori

[/quote]
What if I am using a server to connect remotely to that other server? We call it a utility box server to do all our development.

So then would that server still count as a localhost? Or would I replace localhost with the utility server?

You would be running the Set-Item command on the computer that is using the Invoke-Command Cmdlet. To test, you can try using:

[pre]
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value *.example.com
[/pre]

Just be aware this sets the trusted hosts to every machine on the domain and is not recommended at all. Make sure you clear the trusted after you have tested and only add the computers you need.

pwshliquori
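
Added example, not part of the thread: a way to run the TrustedHosts test with a single name instead of a wildcard and to put the previous list back afterwards. Hosts on the TrustedHosts list are not authenticated by the client, so the entry should be as narrow and short-lived as possible. The alias is the one from the question; run this elevated on the machine that issues `Invoke-Command`.

```powershell
# Added example: scoped, temporary TrustedHosts entry with restore.
$alias    = 'server1.domain.com'                     # alias from the question
$path     = 'WSMan:\localhost\Client\TrustedHosts'
$previous = (Get-Item -Path $path).Value             # remember the existing list

try {
    # -Concatenate appends to the current list instead of overwriting it.
    Set-Item -Path $path -Value $alias -Concatenate -Force

    # The name used here must match the TrustedHosts entry exactly.
    Invoke-Command -ComputerName $alias -Credential (Get-Credential) -ScriptBlock {
        $env:COMPUTERNAME
    }
}
finally {
    # Restore exactly what was there before the test. A bare Clear-Item would
    # also drop entries that were on the list for other reasons.
    if ([string]::IsNullOrEmpty($previous)) {
        Clear-Item -Path $path -Force
    }
    else {
        Set-Item -Path $path -Value $previous -Force
    }
    Get-Item -Path $path                             # show the restored list
}
```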

[quote quote=147896]You would be running the Set-Item command on the computer that is using the Invoke-Command Cmdlet. To test, you can try using:

[pre]
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value *.example.com
[/pre]

Just be aware this sets the trusted hosts to every machine on the domain and is not recommended at all. Make sure you clear the trusted after you have tested and only add the computers you need.

pwshliquori

[/quote]

Ok, so I added it to trusted host and I also used credential, now I get this error:

[pre]
The client cannot connect to the destination specified in the request. Verify that the service on the destination is
running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the
destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the
destination to analyze and configure the WinRM service: “winrm quickconfig”. For more information, see the
about_Remote_Troubleshooting Help topic.
[/pre]

I went to the server and checked winrm, it says this:

[pre]
WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.
[/pre]

Adding to the TrustedHosts list and connecting with parameter works for A/AAAA records. Not sure for CNAME(Alias).

Check the logs to see if there are any entries for WSMan. Try on your local machine:

[pre]
Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational |
Where-Object -Property LevelDisplayName -eq 'Error' |
Format-List
[/pre]

There may be other logs on why this failed besides the error you see in the console.

Questions:
Is the firewall enabled?
Which version of Windows are you using?
Did you try restarting the WinRM service?

pwshliquori

[quote quote=148560]Check the logs to see if there are any entries for WSMan. Try on your local machine:

[pre]
Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational |
Where-Object -Property LevelDisplayName -eq 'Error' |
Format-List
[/pre]

There may be other logs on why this failed besides the error you see in the console.

Questions:

Is the firewall enabled?

Which version of Windows are you using?

Did you try restarting the WinRM service?

pwshliquori

[/quote]

Is the firewall enabled?

Firewall is only enabled against going from development to test environment or production. However for now I am just trying to get this to work for dev server to dev server, in which the firewall is loose or open for this

Which version of Windows are you using?

10

Did you try restarting the WinRM service?

Yes. I also enabled psremoting

Can you try running the Invoke-Command against the cname again and use -port 5985 ? Port 5985 is the default HTTP listener port for WinRM.

[pre]
Invoke-Command cname.domain.local -ScriptBlock {
Get-ChildItem -Path C:\
} -Credential domain\administrator -Port 5985
[/pre]

pwshliquori

[quote quote=148607]Can you try running the Invoke-Command against the cname again and use -port 5985 ? Port 5985 is the default HTTP listener port for WinRM.

[pre]
Invoke-Command cname.domain.local -ScriptBlock {
Get-ChildItem -Path C:\
} -Credential domain\administrator -Port 5985
[/pre]

pwshliquori

[/quote]
Actually I think it's already trying through that port, because when I checked the configuration of WinRM, it showed 5985/5986 (I think 86 is https)

You are correct, just trying to force it through and troubleshoot with you. If you are testing dev to dev server, can you try to temporarily disable the firewall and test it out? Just to rule out the firewall is not an issue?

pwshliquori

I have turned off firewall on server1.domain.com and still error persisted. I also turned off firewall on the utility (development) server and the error still persisted. Also, there is already an exception created for the WinRM service and its ports, so we can definitely rule out its not a firewall issue

How are you connecting to the utility box to run Invoke-Command? Via RDP or PSRemoting?

pwshliquori

[quote quote=148640]How are you connecting to the utility box to run Invoke-Command? Via RDP or PSRemoting?

pwshliquori

[/quote]
Well, I use remoteNG, which is basically an easier way to RDP into the many servers we have. So ya, I guess RDP