ICM fails on call back to local PC


Hi there.

 

I've an odd issue with PowerShell. I discovered that I cannot ICM from the domain controller to a remote workstation - and I also cannot ICM from the actual workstation PC console back to itself.

 

This had been properly configured & working until...

 

(Recent details:  We had an SBS 2008 DC, migrated to WS2019.  When I finally transferred DNS & DHCP and took the old server offline is when the ICM problem began.  Before the SBS 2k8 came offline and the two DCs were still replicating AD & etc., I could ICM from the WS2019 DC with no problem.)

 

Not sure what to make of it. 

 

On a side note, the DHCP snap-in strips the domain from the server name and replaces it with 'mshome.net' no matter how many times I delete it and add it back in - and does not allow any interaction. But the Get-DHCPServer(...) cmdlets report all the correct settings, scope, exclusions, etc. - so I've ignored this for the most part.

 

Linear_z_0-1590761285577.png

 

Linear_z_3-1590757513118.png

 

--------------------------------

Back to the initial question, this is an example of events pulled from WinRM / ICM where the client & destination are the same computer:

 

Thinking perhaps User & Computer domain mismatch?

 

Linear_z_2-1590756809446.png

 

Linear_z_1-1590756758129.png

 

Any ideas? 

 

Thanks!

 

 

P.S. This might be correlated - RDP attempt from the DC to remote PC.  Strange error since the DC is the computer being used, but says the DC can't be contacted for NLA.

 

Linear_z_0-1590761644158.png

 

1 Reply

@Linear_z 

 

From what I can deduce, it was GPO. 

 

The SBS2k8 had a policy object "Allow automatic configuration of listeners" which is not present in WS2019 and caused this to occur once the old server came offline and the forest functional level was elevated:

 

PS C:\WINDOWS\system32> winrm enumerate winrm/config/listener
Listener [Source="GPO"]
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = null

 

So when the IP filter for the client listeners was set back to " * " and GPO refreshed, Invoke-Command works from the DC as expected. 👍

 

On a side note: the clients produce a new error now when ICM'ing to themselves - which I had tried initially as a test measure since the DC would actually do that successfully.  This really is immaterial though because there is no reason to ever do this, but now it says: "The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available." 

 

Maybe a puzzle to work on when there's nothing else to do - but for now it's of no concern. 🤷‍♂️
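
The condition shown in the reply (a GPO-sourced listener that is enabled but reports ListeningOn = null) can be checked for across hosts after a policy change. The following is an added example, not part of the original thread: the function name ConvertFrom-WinRMListenerText is hypothetical, and the second sample listener is constructed for contrast.

```powershell
# Added example, not from the thread: parse `winrm enumerate winrm/config/listener`
# text and flag listeners that are enabled but bound to no address.
function ConvertFrom-WinRMListenerText {
    param([string[]]$Line)
    $listeners = @()
    $current = $null
    foreach ($raw in $Line) {
        $text = $raw.Trim()
        if ($text -match '^Listener(\s*\[Source="(?<src>[^"]+)"\])?$') {
            # Start of a listener block; the Source tag is not always present.
            if ($null -ne $current) { $listeners += $current }
            $current = [ordered]@{ Source = $Matches['src'] }
        }
        elseif ($null -ne $current -and $text -match '^(?<key>\w+)(\s*=\s*(?<val>.*))?$') {
            # "Key = value", or a bare key such as Hostname with no value.
            $current[$Matches['key']] = $Matches['val']
        }
    }
    if ($null -ne $current) { $listeners += $current }
    foreach ($l in $listeners) {
        # "null" (as in the reply) or a missing value means nothing is bound.
        $bound = @()
        if ($l['ListeningOn'] -and $l['ListeningOn'] -ne 'null') {
            $bound = @($l['ListeningOn'] -split '\s*,\s*')
        }
        [pscustomobject]@{
            Source    = $l['Source']
            Transport = $l['Transport']
            Port      = $l['Port']
            Unbound   = ($l['Enabled'] -eq 'true' -and $bound.Count -eq 0)
            Addresses = $bound
        }
    }
}

# First block is the listener quoted in the reply; the second is constructed
# (documentation-range address), not taken from the thread.
$sample = @'
Listener [Source="GPO"]
    Address = *
    Enabled = true
    ListeningOn = null

Listener
    Address = *
    Enabled = true
    ListeningOn = 127.0.0.1, 192.0.2.10, ::1
'@ -split "`r?`n"

ConvertFrom-WinRMListenerText $sample | Format-Table Source, Unbound, Addresses
# Live check on a host: ConvertFrom-WinRMListenerText (winrm enumerate winrm/config/listener)
```

A listener reported with Unbound = True accepts no connections even though it shows as enabled on port 5985, which matches the failure described before the IP filter was set back to "*".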