================================================================================
TROUBLESHOOTING CONNECTION ISSUES
================================================================================

Error: "WinRM cannot complete the operation. Verify that the specified computer
name is valid, that the computer is accessible over the network..."

This means WinRM can't reach the remote PC. Follow these steps:

================================================================================
STEP 1: VERIFY NETWORK CONNECTIVITY
================================================================================

On YOUR computer (H2PRFM94):

A. Test DNS Resolution
──────────────────────────────────────────────────────────────
   PS> Resolve-DnsName g9kn7pz3esf.logon.ds.ge.com

   Expected: Should return an IP address (e.g., 10.134.48.255)

   If it fails:
   - Try with just the hostname: Resolve-DnsName G9KN7PZ3ESF
   - Try with the IP directly: Test-WSMan -ComputerName 10.134.48.255 -UseSSL -Port 5986

B. Test Basic Ping
──────────────────────────────────────────────────────────────
   PS> Test-Connection g9kn7pz3esf.logon.ds.ge.com -Count 2

   Expected: Should get replies

   If it fails:
   - PC might be blocking ICMP (that's OK, continue)
   - Try: Test-Connection G9KN7PZ3ESF
   - Try IP: Test-Connection 10.134.48.255

C. Test Port 5986 Connectivity
──────────────────────────────────────────────────────────────
   PS> Test-NetConnection g9kn7pz3esf.logon.ds.ge.com -Port 5986

   Expected:
      ComputerName     : g9kn7pz3esf.logon.ds.ge.com
      RemoteAddress    : 10.134.48.255
      RemotePort       : 5986
      InterfaceAlias   : Ethernet
      SourceAddress    : 10.x.x.x
      TcpTestSucceeded : True

   If TcpTestSucceeded = False:
   - Port 5986 is blocked by a firewall
   - Continue to STEP 2

================================================================================
STEP 2: CHECK FIREWALL ON REMOTE PC (G9KN7PZ3ESF)
================================================================================

ON THE REMOTE PC (G9KN7PZ3ESF):

A. Check Windows Firewall Rule
──────────────────────────────────────────────────────────────
   PS> Get-NetFirewallRule -DisplayName "WinRM HTTPS-In" | Format-List

   Expected:
      DisplayName : WinRM HTTPS-In
      Enabled     : True
      Direction   : Inbound
      Action      : Allow

   If Enabled = False:
   PS> Enable-NetFirewallRule -DisplayName "WinRM HTTPS-In"

B. Check Firewall Profile
──────────────────────────────────────────────────────────────
   PS> Get-NetFirewallProfile | Select-Object Name, Enabled

   If the firewall is ON for the Public profile, the rule might not apply.

   Fix:
   PS> Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -Profile Any

C. Verify Port 5986 is Listening
──────────────────────────────────────────────────────────────
   PS> netstat -an | findstr :5986

   Expected:
      TCP    0.0.0.0:5986    0.0.0.0:0    LISTENING
      TCP    [::]:5986       [::]:0       LISTENING

   If not listening:
   - WinRM listener was not created properly
   - Re-run Deploy-PCCertificate.bat

D. Check WinRM Service
──────────────────────────────────────────────────────────────
   PS> Get-Service WinRM | Select-Object Status, StartType

   Expected:
      Status    : Running
      StartType : Automatic

   If not running:
   PS> Start-Service WinRM
   PS> Set-Service WinRM -StartupType Automatic

================================================================================
STEP 3: CHECK NETWORK FIREWALL (Between PCs)
================================================================================

If the local firewalls are OK but you still can't connect:

A. Check if Corporate Firewall Blocks Port 5986
──────────────────────────────────────────────────────────────
   Some networks block high ports or only allow specific ports.

   Test from YOUR computer:
   PS> Test-NetConnection g9kn7pz3esf.logon.ds.ge.com -Port 5986

   If TcpTestSucceeded = False:
   - Network firewall is blocking port 5986
   - Contact the network admin to allow TCP 5986 between the management PC
     and the shopfloor PCs

B. Check if Same Subnet
──────────────────────────────────────────────────────────────
   By default, the WinRM firewall rule on the Public profile only allows
   connections from the same subnet.

   On YOUR computer:
   PS> Get-NetIPAddress | Where-Object {$_.AddressFamily -eq 'IPv4' -and $_.IPAddress -notlike '169.*'}

   On REMOTE PC:
   PS> Get-NetIPAddress | Where-Object {$_.AddressFamily -eq 'IPv4' -and $_.IPAddress -notlike '169.*'}

   Compare:
   - Your IP:   10.x.y.z
   - Remote IP: 10.134.48.255

   If different subnets and Public profile:
   - Either change the network profile to Private/Domain
   - Or configure the firewall to allow the remote subnet

================================================================================
STEP 4: ALTERNATIVE - USE IP ADDRESS INSTEAD OF FQDN
================================================================================

Sometimes DNS or certificate CN issues prevent FQDN connections.

From YOUR computer, try with the IP:
──────────────────────────────────────────────────────────────
   PS> Test-WSMan -ComputerName 10.134.48.255 -UseSSL -Port 5986

   If this works but the FQDN doesn't:
   - DNS issue, use the IP address for now
   - Certificate CN might not match (but should work with proper CA)

================================================================================
STEP 5: CHECK YOUR COMPUTER'S WINRM CLIENT
================================================================================

On YOUR computer (H2PRFM94):

A. Enable WinRM Client
──────────────────────────────────────────────────────────────
   PS> Enable-PSRemoting -Force

   This configures YOUR computer as a WinRM client.

B. Check WinRM Service on YOUR Computer
──────────────────────────────────────────────────────────────
   PS> Get-Service WinRM

   Expected: Running

   If not:
   PS> Start-Service WinRM

C. Set Trusted Hosts (if needed)
──────────────────────────────────────────────────────────────
   Only needed if not using HTTPS with proper certificates.

   Check current:
   PS> Get-Item WSMan:\localhost\Client\TrustedHosts

   If blank and having issues:
   PS> Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*.logon.ds.ge.com" -Force

================================================================================
STEP 6: VERIFY CA CERTIFICATE ON YOUR COMPUTER
================================================================================

On YOUR computer (H2PRFM94):

A. Check if CA is Installed
──────────────────────────────────────────────────────────────
   PS> Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*Shopfloor*" }

   Expected: Should show "CN=Shopfloor WinRM CA"

   If NOT found:
   PS> Import-Certificate -FilePath "C:\path\to\Shopfloor-WinRM-CA-*.cer" `
         -CertStoreLocation Cert:\LocalMachine\Root

B. Verify Certificate is Trusted
──────────────────────────────────────────────────────────────
   PS> Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*Shopfloor*" } | Format-List Subject, Thumbprint, NotAfter

   Make sure:
   - Subject matches: CN=Shopfloor WinRM CA
   - NotAfter is in the future
   - No errors

================================================================================
STEP 7: DIAGNOSTIC COMMANDS CHECKLIST
================================================================================

Run these in order on YOUR computer:

1. Test DNS:
   PS> Resolve-DnsName g9kn7pz3esf.logon.ds.ge.com

2. Test Ping:
   PS> Test-Connection g9kn7pz3esf.logon.ds.ge.com -Count 2

3. Test Port:
   PS> Test-NetConnection g9kn7pz3esf.logon.ds.ge.com -Port 5986

4. Check CA installed:
   PS> Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*Shopfloor*"}

5. Test WinRM:
   PS> Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986

Run these on REMOTE PC (G9KN7PZ3ESF):

1. Check firewall:
   PS> Get-NetFirewallRule -DisplayName "WinRM HTTPS-In"

2. Check port listening:
   PS> netstat -an | findstr :5986

3. Check service:
   PS> Get-Service WinRM

4. Check listener:
   PS> winrm enumerate winrm/config/listener

================================================================================
COMMON SOLUTIONS
================================================================================

Issue: TcpTestSucceeded = False
Solution:
   1. On remote PC: Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -Profile Any
   2. On remote PC: Enable-NetFirewallRule -DisplayName "WinRM HTTPS-In"
   3. Contact the network admin if the corporate firewall blocks port 5986

Issue: Certificate errors
Solution:
   1. Install the CA on your computer:
      Import-Certificate -FilePath "Shopfloor-WinRM-CA-*.cer" -CertStoreLocation Cert:\LocalMachine\Root
   2. Verify the CA is in Trusted Root

Issue: DNS not resolving
Solution:
   1. Use IP address: Test-WSMan -ComputerName 10.134.48.255 -UseSSL -Port 5986
   2. Or use short hostname: Test-WSMan -ComputerName G9KN7PZ3ESF -UseSSL -Port 5986

Issue: Different subnets
Solution:
   1. Change firewall rule profile:
      Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -Profile Any
   2. Or configure the firewall to allow your management PC's IP

================================================================================
QUICK FIX COMMANDS
================================================================================

On REMOTE PC (G9KN7PZ3ESF):
──────────────────────────────────────────────────────────────
   # Enable firewall rule for all profiles
   Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -Profile Any -Enabled True

   # Restart WinRM service
   Restart-Service WinRM

On YOUR computer (H2PRFM94):
──────────────────────────────────────────────────────────────
   # Enable WinRM client
   Enable-PSRemoting -Force

   # Install CA certificate (if not already)
   Import-Certificate -FilePath "C:\path\to\Shopfloor-WinRM-CA-*.cer" -CertStoreLocation Cert:\LocalMachine\Root

   # Test connection
   Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986

================================================================================
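
The client-side checks from STEP 1, STEP 4, STEP 6 and STEP 7 combined into one triage function that stops at the first failing stage and tells a certificate name mismatch apart from an untrusted CA. This is an added example, not part of the original guide: the function name Test-WinRMHttpsPath and its output fields are hypothetical, and it assumes Windows PowerShell 5.1 or later on the management PC.

```powershell
# Added example, not part of the original guide. Function name and output
# fields are hypothetical. Run on the management PC.
function Test-WinRMHttpsPath {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 5986)
    $r = [ordered]@{ Target = $ComputerName; Dns = $null; Tcp = $false; TlsErrors = $null
                     CertSubject = $null; CertNotAfter = $null; WSMan = $false; FailedAt = $null }

    # STEP 1A: DNS resolution (skipped when the target is already an IP address)
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($ComputerName, [ref]$ip)) { $r.Dns = 'n/a (IP given)' }
    else {
        try { $r.Dns = (Resolve-DnsName $ComputerName -Type A -ErrorAction Stop |
                        Where-Object IPAddress | Select-Object -First 1).IPAddress }
        catch { $r.FailedAt = 'DNS (STEP 1A)'; return [pscustomobject]$r }
    }

    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        # STEP 1C: TCP connect to the HTTPS listener port, 3 second timeout
        try { $r.Tcp = $tcp.ConnectAsync($ComputerName, $Port).Wait(3000) -and $tcp.Connected } catch { }
        if (-not $r.Tcp) { $r.FailedAt = 'TCP port blocked or not listening (STEP 2/3)'; return [pscustomobject]$r }

        # STEP 4/6: complete the TLS handshake and only record what validation
        # reported, so a name mismatch and an untrusted chain can be told apart.
        # No credentials or data are sent on this connection.
        $record = { param($s, $cert, $chain, $errors) $r.TlsErrors = "$errors"; $true }.GetNewClosure()
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
                   [System.Net.Security.RemoteCertificateValidationCallback]$record)
        try {
            $ssl.AuthenticateAsClient($ComputerName)
            $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
            $r.CertSubject = $c.Subject; $r.CertNotAfter = $c.NotAfter
        } catch { $r.FailedAt = 'TLS handshake failed (check listener, STEP 2C)'; return [pscustomobject]$r }
        finally { $ssl.Dispose() }
    } finally { $tcp.Dispose() }

    if ($r.TlsErrors -match 'NameMismatch') { $r.FailedAt = 'Certificate name does not match target (STEP 4)' }
    elseif ($r.TlsErrors -match 'ChainErrors') { $r.FailedAt = 'Certificate chain not trusted (STEP 6)' }
    else {
        # STEP 7 item 5: the real WSMan request, with normal certificate validation
        try { Test-WSMan -ComputerName $ComputerName -UseSSL -Port $Port -ErrorAction Stop | Out-Null; $r.WSMan = $true }
        catch { $r.FailedAt = "Test-WSMan: $($_.Exception.Message)" }
    }
    [pscustomobject]$r
}

Test-WinRMHttpsPath -ComputerName 'g9kn7pz3esf.logon.ds.ge.com'
```

Running it once with the FQDN and once with 10.134.48.255 shows whether the IP workaround in STEP 4 trades a DNS failure for a certificate name mismatch.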