Sunday, February 15, 2009

PowerShell Adventures

So I want to be able to administer IIS 7 remotely using PowerShell. Installation on W2K8r2 is easy via start /w ocsetup MicrosoftWindowsPowerShell. And there is a PowerShell Snap-in for IIS 7.0. And in case you're wondering, the location of powershell.exe is added to the path during installation, you just need to restart the console for it to take effect (i.e. there is no need to try to hack the registry in order to add the location of powershell.exe to the PATH environment variable). So a few common commands to get started:



Help

Get help for a particular cmdlet, e.g. help get-process.

Get-Alias

Returns a list of aliases for PowerShell cmdlets.

Get-Command

Returns a list of PowerShell cmdlets.

Get-Process

Returns a list of all the running processes.

Get-Service | sort status,name

Get-Service | Where-object{$_.status -like "running"}

Get a list of services: in the first case, sorted by status and name; in the second case, filtered to include only running services.


Now it would be kind of cool to be able to use the new Windows PowerShell Integrated Scripting Environment to administer the server. Turns out in some cases it just works. Remoting however requires the Windows PowerShell V2 Community Technology Preview 3 (CTP3) on your Vista box. Check out the help text related to remoting:



PS C:\> help about_remote_requirements
TOPIC
about_remote_requirements

...

NOTE: Many cmdlets, including the Get-Service, Get-Process, Get-WMIObject,
Get-Eventlog and Get-Event cmdlets get objects from remote computers,
but they use .NET methods to retrieve the objects. They do not use the
Windows PowerShell remoting infrastructure. The requirements in this
document do not apply to these cmdlets.

Currently the WinRM service is stopped on the server. Looks like I need to do some configuration:



CONFIGURE WS-MANAGEMENT

The remoting features of Windows PowerShell are supported by the WinRM service, which is
the Microsoft implementation of the WS-Management protocol. To use the remoting features,
you need to change the default configuration of WS-Management on the system.

Windows PowerShell provides a script to configure WS-Management. The script is located
in the Windows PowerShell installation directory ($pshome).

To run the configuration script:

1. Open Windows PowerShell with the "Run as Administrator" option.

2. At the command prompt, type:

& $pshome\configure-wsman.ps1

Sadly there is no $pshome\configure-wsman.ps1 on either my Vista box or my server. What to do? I tracked down Installation and Configuration for Windows Remote Management. Following the instructions and running PS C:\> winrm quickconfig on the server gives me this:



PS C:\> winrm quickconfig
WinRM already is set up to receive requests on this machine.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:

Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
Enable the WinRM firewall exception.
Configure LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.

Make these changes [y/n]? y

WinRM has been updated for remote management.

Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
WinRM firewall exception enabled.
Configured LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.

Cool, that all looks good. If only the same thing worked on Vista:



PS C:\> winrm quickconfig
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:

Set the WinRM service type to delayed auto start.
Start the WinRM service.
Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
Enable the WinRM firewall exception.

Oh dear. I did however manage to locate PowerShell Remoting on Windows 2008 R2 Server Core. This indicates there is a built-in function called Enable-PSRemoting. Running this in my Vista PowerShell reveals:



PS C:\> Enable-PSRemoting
Windows PowerShell remoting features are not enabled or not supported on this machine.
This may be because you do not have the correct version of WS-Management installed or this version of Windows does not support remoting currently.
For more information, type 'get-help about_remote_requirements'.
At line:13 char:37

But I know where to get the WinRM CTP. This is a Windows Update and requires a restart. Now things are looking up:



PS C:\Windows\System32> enable-psremoting
WinRM has been updated to receive requests.
WinRM service type changed successfully.
WinRM service started.
Configured LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.

WinRM has been updated for remote management.
Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
WinRM firewall exception enabled.

But I'm not quite there yet:



PS C:\Windows\System32> Enter-PSSession -computerName myServer
Enter-PSSession : Connecting to remote server failed with the following error message : The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. You can get more information about that by running the following command: winrm help config.
At line:1 char:16
+ Enter-PSSession <<<< -computerName myServer
+ CategoryInfo : InvalidArgument: (myServer:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed,Microsoft.PowerShell.Commands.EnterPSSessionCommand

Checking my server listener configuration I have:



PS C:\Users\Administrator> winrm enumerate winrm/config/listener
Listener
Address = *
Transport = HTTP
Port = 80
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 127.0.0.1, 10.20.1.251, ::1, fe80::100:7f:fffe%6, fe80::5efe:10.20.1.251%4, fe80::585e:792b:91b3:9876%3

So no joy. I need to remove the HTTP Listener and add an HTTPS Listener. I'm going to save that exercise for another post - this one's starting to go feral. Right now I'm more interested in getting the IIS PowerShell snap-in installed so I can start managing IIS. If you've read this far only to discover there is no resolution I apologise and I hope you appreciate that I share your frustration.
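The listener check above can be scripted so it is repeatable across servers. This is an added example, not code from the original post: the function names ConvertFrom-WinRMListenerText and Get-WinRMListenerFinding are hypothetical, and the sample input is the listener output shown above with the ListeningOn list shortened.

```powershell
# Added example (not from the original post). Parses the text printed by
# 'winrm enumerate winrm/config/listener' and reports listeners worth reviewing.
function ConvertFrom-WinRMListenerText {
    param([string[]]$Lines)
    $listeners = @()
    $current = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -eq 'Listener') {
            # A bare "Listener" line starts a new record; flush the previous one.
            if ($null -ne $current) { $listeners += New-Object PSObject -Property $current }
            $current = @{}
        }
        elseif ($null -ne $current -and $text -match '^(\w+)\s*=\s*(.*)$') {
            # "Key = Value" lines; keys printed without a value (Hostname) are skipped.
            $current[$Matches[1]] = $Matches[2].Trim()
        }
    }
    if ($null -ne $current) { $listeners += New-Object PSObject -Property $current }
    return $listeners
}

function Get-WinRMListenerFinding {
    param($Listener)
    foreach ($l in @($Listener)) {
        if ($l.Enabled -ne 'true') { continue }
        if ($l.Transport -eq 'HTTP') {
            "Port $($l.Port): HTTP transport, so there is no TLS server certificate for clients to verify"
        }
        if ($l.Address -eq '*') {
            "Port $($l.Port): bound to every address on the machine ($($l.ListeningOn))"
        }
    }
}

# Sample input: the listener output from this post, ListeningOn shortened.
$sample = @'
Listener
    Address = *
    Transport = HTTP
    Port = 80
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 10.20.1.251, ::1
'@ -split "`r?`n"

# On a live server, pass (winrm enumerate winrm/config/listener) instead of $sample.
Get-WinRMListenerFinding -Listener (ConvertFrom-WinRMListenerText -Lines $sample)
```

For the sample it emits two findings: one for the HTTP transport and one for the wildcard binding.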
