Troubleshooting issues configuring Server management tools


UPDATE: The troubleshooting guide below has been integrated into the Server management tools menu in the Azure portal! We'll be continuously updating the content, so click on the "Diagnose and solve problems" menu to see the up-to-date guide if you run into any problems.


Having trouble setting up or using Server management tools? See our troubleshooting guide below for solutions to common issues. This troubleshooting guide will become part of the Azure portal UI as a separate menu under Server management tools shortly, but we wanted to share this out in case you get stuck in the meantime. And if you can't find a solution to your problem, please file a bug on our UserVoice forum or reach out to us on Twitter!

I can’t connect to a server

  • Is the gateway’s health status displayed as “OK”?
    On the Server management tools connection blade, go to the Overview menu, check the Gateway name in the Essentials section and make sure it shows “OK”. If not, click on the Gateway name to open the Gateway blade and see details on the error. You can also find solutions to common gateway issues in the “Diagnose and solve problems” menu on the Gateway blade.
  • Is the target server a workgroup (non-domain joined) machine?
    If yes, you will need to add the target server to the Trusted Hosts list on the gateway machine. On the gateway machine, run the following command in PowerShell or Command Prompt as Administrator.  TargetMachineNameOrAddress should be the NetBIOS name, FQDN or IP address (IPv4 or IPv6) that you’ve used when creating the Server management tools connection in Azure (which is also the name displayed at the top of the blade). You can also add multiple machines by separating them with commas.
    Command Prompt: winrm set winrm/config/client @{ TrustedHosts="TargetMachineNameOrAddress" }
    PowerShell: winrm set winrm/config/client '@{ TrustedHosts="TargetMachineNameOrAddress" }'

    NOTE: The commands above will replace any previous list of registered trusted hosts with the host(s) you specify in the command. You can use the following command in PowerShell with the Concatenate parameter to add a computer name to an existing list of trusted hosts.
    Set-Item wsman:\localhost\Client\TrustedHosts TargetMachineNameOrAddress -Concatenate
  • Are you connecting with a local user account?
    When entering credentials in the server connection's "Manage as" dialog box, you can use a local or domain account that is a member of the local administrators group on the target server. When using a local user account that is not the built-in administrator account, you will need to enable the policy on the target machine by running the following command in PowerShell or Command Prompt as Administrator on the target machine.
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1
  • Are you connecting to a workgroup machine on a different subnet?
    In order to connect to a workgroup machine which is not on the same subnet as the gateway, make sure the firewall port for WinRM (TCP 5985) allows inbound traffic on the target machine. You can run the following command in PowerShell or Command Prompt as Administrator on the target machine to create this firewall rule:
    NETSH advfirewall firewall add rule name="WinRM 5985" protocol=TCP dir=in localport=5985 action=allow
  • "CANNOT CONNECT" error when connecting to a server
    If you get a “CANNOT CONNECT” error when entering credentials in the “Manage as” popup dialog box, make sure the credentials are correct and the user is a member of the target server’s local administrators group. In some cases, WinRM also requires that the user additionally be a member of the Remote Management Users group.
  • Are you having a problem only when connecting to a Windows Server 2012 or 2012 R2 machine?
    If you can connect to a Windows Server 2016 machine, but not to a 2012 or 2012 R2 machine, also check the “I can’t set up a connection to a Windows Server 2012 or 2012 R2 machine” section below.
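
The TrustedHosts, LocalAccountTokenFilterPolicy and firewall changes above each widen what a machine accepts: TrustedHosts entries are contacted without mutual authentication, LocalAccountTokenFilterPolicy=1 removes the UAC remote restriction for local administrator accounts, and the firewall rule as written allows any source address. The PowerShell below is an added example, not part of the original guide; the function name Get-WinRMExposureReport and the rule name in the closing comment are hypothetical, and the function only reads settings.

```powershell
# Added example (not from the original guide). Run elevated on the gateway or the target.
function Get-WinRMExposureReport {
    $report = @()

    # TrustedHosts (gateway side): should list only the specific targets you manage.
    try {
        $value   = (Get-Item WSMan:\localhost\Client\TrustedHosts -ErrorAction Stop).Value
        $entries = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $wild    = @($entries | Where-Object { $_ -match '\*' })
        $report += [pscustomobject]@{
            Setting = 'TrustedHosts'
            Value   = if ($entries) { $entries -join ', ' } else { '(empty)' }
            Review  = [bool]$wild.Count          # wildcard entries trust whole name ranges
        }
    } catch {
        $report += [pscustomobject]@{
            Setting = 'TrustedHosts'; Value = "unreadable: $($_.Exception.Message)"; Review = $true
        }
    }

    # LocalAccountTokenFilterPolicy (target side): 1 means local admins get a full token remotely.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $latfp = (Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy `
                  -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    $report += [pscustomobject]@{
        Setting = 'LocalAccountTokenFilterPolicy'
        Value   = if ($null -eq $latfp) { '(not set)' } else { $latfp }
        Review  = ($latfp -eq 1)
    }

    # Enabled inbound allow rules that name TCP 5985 exactly (port ranges are not expanded).
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { @($_.LocalPort) -contains '5985' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    foreach ($rule in $rules) {
        $remote  = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        $report += [pscustomobject]@{
            Setting = "Firewall: $($rule.DisplayName)"
            Value   = "RemoteAddress=$($remote -join ',')"
            Review  = ($remote -contains 'Any')  # open to every source address
        }
    }
    $report
}

Get-WinRMExposureReport | Format-Table -AutoSize -Wrap
# A rule scoped to the gateway only (replace the placeholder with your gateway's address):
# New-NetFirewallRule -DisplayName 'WinRM 5985 (gateway only)' -Direction Inbound `
#     -Protocol TCP -LocalPort 5985 -RemoteAddress <GatewayIPAddress> -Action Allow
```

Rows with Review set to True are the ones to narrow: replace wildcard TrustedHosts entries with named hosts, and restrict the 5985 rule to the gateway's address.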

I can’t set up a connection to a Windows Server 2012 or 2012 R2 machine

To connect to a Windows Server 2012 or 2012 R2 machine using Server management tools, an additional WMI provider package and Windows Management Framework 5.0 are required. When you connect to the server, Server management tools will detect whether these packages are missing and ask if you would like them installed. If an error occurs while installing the packages, or if you cannot connect to the server after the packages are installed, try one or more of the following methods.

  • Check the installation logs on the gateway machine
    Check the WMI and WMF installation logs on the gateway machine for any errors or details. These logs should be your first point of reference for troubleshooting and can be found in the path below. WMI installation logs are located in the Providers subfolder and WMF installation logs are located in the WMF5 subfolder.
    %windir%\ServiceProfiles\NetworkService\AppData\Local\Temp\Logs\ServerManagementPrerequisites
  • Check the installation logs on the target machine
    If you need more detailed logs for advanced troubleshooting, check the WMI and WMF installation logs on the target machine.
    %systemdrive%\SMTInstallers\Logs
  • WinRM error on the target machine
    If the following error occurs after installing the packages or when connecting to a Windows Server 2012 or 2012 R2 machine, log on to the target machine and run “services.msc” to launch the Services MMC snap-in. Then restart the “Windows Remote Management (WS-Management)” service.
    “The WinRM client received an HTTP server error status (500), but the remote service did not include any other information about the cause of the failure”
  • If you’ve tried all the steps above but still can’t connect to the target machine, see the additional troubleshooting steps in the “I can’t connect to a server” section above.

I can’t connect to a gateway

To resolve common issues, try one or more of the following methods.

  • Make sure the Health status on the gateway blade is displayed as “OK” and there aren’t any additional errors or warnings displayed.
  • Log on to the gateway machine and make sure it can connect to the public internet.
  • Run “services.msc” to launch the Services MMC snap-in and make sure the “ServerManagementToolsGateway” service is running. Also try restarting the service.
  • Make sure the system date/time on the gateway machine is correct. Gateway authorization will fail if the system time on the gateway and the Server management tools Azure service differs by more than 15 minutes.
  • You can try reinstalling the gateway deployment package. On the gateway machine, go to “Programs and Features” and uninstall “Server management tools gateway”. Generate a gateway deployment package, download and install it on the gateway machine.
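
The service, connectivity and clock checks from the list above, collected into one PowerShell function as an added example (not part of the original guide). The function name Test-GatewayPrerequisites, the NTP source time.windows.com and the test host portal.azure.com are assumptions; only the service name and the 15-minute limit come from the guide.

```powershell
# Added example (not from the original guide). Run on the gateway machine.
function Test-GatewayPrerequisites {
    param(
        [string]$TimeSource   = 'time.windows.com',   # assumption: an NTP source reachable from the gateway
        [string]$InternetHost = 'portal.azure.com',   # assumption: any public HTTPS host
        [int]$MaxSkewMinutes  = 15                    # limit stated in the guide
    )

    $svc = Get-Service -Name 'ServerManagementToolsGateway' -ErrorAction SilentlyContinue
    $net = Test-NetConnection -ComputerName $InternetHost -Port 443 -WarningAction SilentlyContinue

    # w32tm prints one "hh:mm:ss, +00.1234567s" line per sample; keep only the offsets.
    $offsets = @(& w32tm.exe /stripchart /computer:$TimeSource /samples:3 /dataonly |
        ForEach-Object {
            if ($_ -match ',\s*([+-]\d+[.,]\d+)s') {
                [double]::Parse($Matches[1].Replace(',', '.'), [cultureinfo]::InvariantCulture)
            }
        })

    # Worst-case absolute offset across the samples, or $null if no sample succeeded.
    $skewSec = if ($offsets.Count) {
        ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    } else { $null }

    [pscustomobject]@{
        ServiceStatus   = if ($svc) { $svc.Status } else { 'not installed' }
        InternetTcp443  = $net.TcpTestSucceeded
        ClockSkewSec    = $skewSec
        SkewWithinLimit = if ($null -ne $skewSec) { $skewSec -lt ($MaxSkewMinutes * 60) } else { $null }
    }
}

Test-GatewayPrerequisites
```

An empty ClockSkewSec means no NTP sample came back (for example, outbound UDP 123 is blocked), so the clock still needs to be checked another way.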

Installing the gateway service on Server Core

  • The gateway service can be installed on Windows Server 2012 R2, Windows Server 2016 Full Installation or Server Core. To install on Server Core, use the following command to install the GatewayService.msi via command line. A certificate is required to securely store the credentials to connect to your target machines and using the following command options will generate a self-signed certificate for this purpose.
    GatewayService.msi /qn GATEWAYPROFILEJSON=.\profile.json ACCEPTEULA=true ACCEPTPRIVACYPOLICY=true
  • To use an existing certificate installed on the machine, use the following command options. Replace EnterThumbprintHere with your certificate encryption thumbprint.
    GatewayService.msi /qn GATEWAYPROFILEJSON=.\profile.json ACCEPTEULA=true ACCEPTPRIVACYPOLICY=true ENCRYPTION_CERTIFICATE_OPTION=root ENCRYPTION_THUMBPRINT=EnterThumbprintHere

Gateway installer fails to install

  • The GatewayService.msi installation will fail with the error “Installation ended prematurely” if you attempt to install the .msi from a remote file share. Copy the entire .zip package to a local disk on the gateway machine and install from there.

How do I update the gateway service?

  • You can configure gateway updates to occur automatically or manually in the Gateway update blade. If “Automatic” is selected, the update will be installed within 30 minutes after the update has become available. If “Manual” is selected, you will need to choose “Schedule now” to schedule a one-time update to occur within the next 30 minutes.
  • If an immediate update is necessary, you can do so by restarting the gateway service. Log on to the gateway machine, run “services.msc” to launch the Services MMC snap-in. Restart the "ServerManagementToolsGateway" service and the update will occur within a few minutes.

Issues with the gateway certificate

Certificate requirements may change, or certificates may expire. To resolve, try one of the following solutions:

  • Use the gateway installer to register a new certificate. Previously saved credentials will need to be re-entered.
    1. On the gateway machine, go to “Programs and Features” and uninstall “Server management tools gateway”.
    2. On the setup blade, generate a new gateway deployment package, download and install it on the gateway machine. During the install, choose either a new self-signed certificate or an existing installed certificate.
    3. If you had saved credentials for your connections, you can use Manage As to enter the credentials again since the new certificate cannot decrypt previously saved credentials.
  • Use the certificate rotation script to register a new certificate. Previously saved credentials will continue to work.
    1. On the gateway machine, open PowerShell with Administrator privileges.
    2. Change directory to the Scripts folder where the gateway software is installed, e.g. C:\Program Files\ServerManagementToolsGateway\Scripts
    3. Run the New-GatewayEncryptionCert.ps1 with no parameters to generate a new self-signed certificate, or with the -Thumbprint <thumbprint> parameter to use an existing installed certificate.
    4. Restart the gateway service. If you had saved credentials for your connections, they will continue to work if you access the connections at least once during the certificate rotation period (currently 30 days), which allows the previously saved credentials to be re-encrypted using the new certificate.

Known issues and limitations

  • Nano Server
    Online domain join and online change in workgroup membership of Nano servers is not supported. See below for instructions on joining Nano Server to a domain.
    Getting Started with Nano Server - Joining Nano Server to a domain
    Nano Server Domain Join (Deployment-at-a-scale an introduction)
  • Registry Editor
    Editing Binary values is not supported.
  • Services
    Any action taken on a service, such as Start or Stop service, will be reflected in the UI after 10 seconds.
  • Certificate Manager
    Certificate import and export are not supported on the Nano Server version of Windows Server 2016 Technical Preview (TP) 5. You will get an error that 'CertPKICmdlet.dll' is missing. This will be fixed in the RTM version of Nano Server.
Comments (4)

  1. Thanks Lee, Excellent document. Do we need to install the Diagnose and solve problems tool, or will it already exist?

    1. Hi Harvansh,
      No, you don't need to install anything. It's part of our menu in the Azure web portal, so it should show up and be updated automatically.

  2. Amrik Kalsi says:

    I have a workgroup machine for which I keep getting the below error :-
    "Unable to connect to the server 'hv01': 'Cannot find the feature with the name 'cim'"
    Intermittently, it's encryption instead of 'cim'. I have not been able to test this feature once. I have checked the status of the gateway and it says OK, I have run the following commands as well, still no luck :-

    Command Prompt: winrm set winrm/config/client @{ TrustedHosts="TargetMachineNameOrAddress" }
    PowerShell: winrm set winrm/config/client '@{ TrustedHosts="TargetMachineNameOrAddress" }'

    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1

    Although, the firewall is turned off, I still ran the command below :-

    NETSH advfirewall firewall add rule name="WinRM 5985" protocol=TCP dir=in localport=5985 action=allow

    I am passing the credentials as UN=Adminstrator which is a local admin.

  3. Amrik Kalsi says:

    The gateway status is OK.
    The server is Windows 2016 and is in workgroup.
    We ran the commands below :-

    Command Prompt: winrm set winrm/config/client @{ TrustedHosts="TargetMachineNameOrAddress" }
    PowerShell: winrm set winrm/config/client '@{ TrustedHosts="TargetMachineNameOrAddress" }'

    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1

    Although firewall is turned off, I still ran the command :-
    NETSH advfirewall firewall add rule name="WinRM 5985" protocol=TCP dir=in localport=5985 action=allow

    We are getting the error below :-

    Unable to connect to the server 'hv01': 'Cannot find the feature with the name 'cim'.

    Intermittently, instead of cim, it's encryption. Not sure what's going on.
