Using remote management tools to administer

As a best practice, you should not log on directly to a domain controller to perform any administration tasks. Instead, install administration tools on a trusted workstation where you perform your other day-to-day work assignments. Then, use the administration tools to connect to the domain controller remotely from that workstation.

You can use either of the following tools and technologies for remote RODC management:

  • Microsoft Remote Server Administration Tools (RSAT)
  • Windows Remote Management (WinRM) protocol and Windows Remote Shell (WinRS)

To remotely manage Windows Server 2008 domain controllers, you can use the Microsoft Remote Server Administration Tools for Windows Vista. This tool set is available as a download at Microsoft Remote Server Administration Tools for Windows Vista (KB941314) (http://go.microsoft.com/fwlink/?LinkID=95703). To install RSAT, your workstation must be running Windows Vista with Service Pack 1 (SP1).

If the workstation is running a 64-bit version of Windows Vista, you can use Microsoft Remote Server Administration Tools for Windows Vista for x64-based Systems. The 64-bit version is available at Microsoft Remote Server Administration Tools for Windows Vista for x64-based Systems (KB941314) (http://go.microsoft.com/fwlink/?LinkId=120123).

You can use RSAT to remotely manage servers running either a Server Core installation or a full installation of Windows Server 2008.

You can also manage Windows Server 2008 domain controllers from another server that runs Windows Server 2008. To use a server that runs Windows Server 2008 for remote management, you have to install the Remote Server Administration Tools because they are not installed by default. To manage domain controllers, you need to install at least the Active Directory Domain Controller tools. Depending on what other administration you plan to perform, you might also choose to install Group Policy Management, Distributed File System (DFS) Management, and Windows Server Backup. For more information, see Installing Remote Server Administration Tools.

You can use WinRM and WinRS to manage remote servers, including RODCs. WinRM is the Microsoft implementation of the WS-Management protocol. WinRS is a shell tool that relies on WinRM to execute remote commands.

WinRM and WinRS are especially well suited for managing an RODC that is deployed in a perimeter network (also known as a DMZ) because they use TCP port 80, which is a standard Internet services port that most firewalls leave open. These tools are also well suited for branch office scenarios because they do not require an administrator to log on to an RODC to remotely manage it.

To use WinRM, install it on the computer that you use for administration and on the remote server that you want to manage.

To run commands on a remote server with WinRM and WinRS, follow these steps:

  1. On the computer that you want to manage, run the following command to enable WinRM:

     Winrm qc -quiet

     Tip: The -quiet parameter is useful if you want to automate other tasks, such as RunOnce.

  2. Open an elevated command prompt. For example, type the following command, and then press ENTER:

     Runas /user:<Administrator> cmd

     Where <Administrator> is the name of an account that is a member of the Administrators group on the computer that you want to manage.

  3. In the command prompt window that opens after you run the previous command, use WinRS with the following syntax to run commands remotely:

     Winrs -r:<name of the computer you want to manage> <command to execute>

     For example, to view the replication partners for a domain controller, run the following command, and then press ENTER:

     Winrs -r:RODC01 repadmin /showrepl
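The steps above can be scripted so that the listener is checked before the first remote call and the remote command's exit code is not lost. This is an added example, not part of the original page; it assumes Windows PowerShell 3.0 or later on the workstation and uses the page's placeholder name RODC01.

```powershell
# Added example (not from the original page): check the local WinRM listener,
# then run a command on the RODC through WinRS and return its exit code.

function Get-WinRmListener {
    # Parse 'winrm enumerate winrm/config/listener' into objects so the script can
    # see which transport and port are really in use (the default port differs by
    # WinRM version, so do not assume it from documentation).
    $text = winrm enumerate winrm/config/listener 2>&1 | Out-String
    $listeners = @()
    foreach ($block in (($text -split 'Listener\s*\r?\n') | Where-Object { $_.Trim() })) {
        $l = [ordered]@{}
        foreach ($line in ($block -split '\r?\n')) {
            if ($line -match '^\s*(\w+)\s*=\s*(.*)$') { $l[$Matches[1]] = $Matches[2].Trim() }
        }
        if ($l.Count) { $listeners += [pscustomobject]$l }
    }
    return $listeners
}

function Invoke-RemoteCommand {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string[]]$CommandLine   # e.g. 'repadmin','/showrepl'
    )
    # Each array element becomes a separate argument to winrs; winrs reports the
    # remote command's exit code in $LASTEXITCODE, which we return with the output.
    $output = winrs "-r:$ComputerName" $CommandLine 2>&1
    return [pscustomobject]@{
        Computer = $ComputerName
        ExitCode = $LASTEXITCODE
        Output   = ($output | Out-String)
    }
}

# Usage: confirm a listener exists, then pull the replication partners of RODC01.
$listeners = Get-WinRmListener
if (-not $listeners) { Write-Warning 'No WinRM listener found; run "winrm qc -quiet" first.' }
$listeners | Select-Object Transport, Port, Enabled | Format-Table -AutoSize

$result = Invoke-RemoteCommand -ComputerName 'RODC01' -CommandLine 'repadmin','/showrepl'
if ($result.ExitCode -ne 0) {
    Write-Warning "repadmin failed on $($result.Computer) (exit code $($result.ExitCode))"
}
$result.Output
```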

PowerShell

The Windows PowerShell remoting features are supported by the WS-Management protocol and the Windows Remote Management (WinRM) service that implements WS-Management in Windows. Computers running Windows 7 and later include WinRM 2.0 or later.

You can verify the availability of WinRM and configure Windows PowerShell for remoting by following these steps:

1. Start Windows PowerShell as an administrator by right-clicking the Windows PowerShell shortcut and selecting Run As Administrator.

2. The WinRM service is configured for manual startup by default. You must change the startup type to Automatic and start the service on each computer you want to work with. At the PowerShell prompt, you can verify that the WinRM service is running by using the following command:
get-service winrm
The value of the Status property in the output should be "Running".

3. To configure Windows PowerShell for remoting, type the following command:
Enable-PSRemoting -Force

In many cases, you will be able to work with remote computers in other domains. However, if the remote computer is not in a trusted domain, the remote computer might not be able to authenticate your credentials. To enable authentication, you need to add the remote computer to the list of trusted hosts for the local computer in WinRM. To do so, type:
winrm s winrm/config/client '@{TrustedHosts="RemoteComputer"}'
Here, RemoteComputer should be the name of the remote computer, such as:
winrm s winrm/config/client '@{TrustedHosts="CorpServer56"}'

When you are working with computers in workgroups or homegroups, you must either use HTTPS as the transport or add the remote machine to the TrustedHosts configuration settings. If you cannot connect to a remote host, verify that the service on the remote host is running and is accepting requests by running the following command on the remote host:
winrm quickconfig
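The service check, Enable-PSRemoting and TrustedHosts steps above can be combined into one repeatable script that only widens TrustedHosts when a Kerberos connection through a domain trust is not possible. This is an added example, not part of the original page; it assumes Windows PowerShell 3.0 or later and uses the page's example name CorpServer56.

```powershell
# Added example (not from the original page): prepare the local machine for
# remoting, verify the remote WinRM service, and add a TrustedHosts entry only
# as a fallback for hosts outside a trusted domain.

function Initialize-PSRemotingHost {
    # Step 2: WinRM starts manually by default; make it automatic and start it.
    Set-Service -Name WinRM -StartupType Automatic
    if ((Get-Service -Name WinRM).Status -ne 'Running') { Start-Service -Name WinRM }
    # Step 3: create the listener and firewall exception (safe to repeat).
    Enable-PSRemoting -Force | Out-Null
    return ((Get-Service -Name WinRM).Status -eq 'Running')
}

function Add-TrustedHost {
    param([Parameter(Mandatory)][string]$ComputerName)
    # TrustedHosts lets the client authenticate to these names without Kerberos
    # (no mutual authentication of the server), so keep the list to named hosts
    # that truly cannot be reached through a domain trust or over HTTPS.
    $current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $list = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($list -contains $ComputerName) { return $list }
    $list += $ComputerName
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($list -join ',') -Force
    return $list
}

function Test-RemoteHost {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Test-WSMan asks the remote WinRM service to identify itself; a failure means
    # the service is stopped, has no listener, or is blocked by the firewall.
    try { $null = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop; return $true }
    catch { Write-Warning "WinRM not reachable on ${ComputerName}: $($_.Exception.Message)"; return $false }
}

# Usage: configure the local machine, then reach CorpServer56.
Initialize-PSRemotingHost | Out-Null
$target = 'CorpServer56'
if (-not (Test-RemoteHost -ComputerName $target)) { return }
try {
    # Preferred path: Kerberos through the domain trust, no TrustedHosts change.
    Invoke-Command -ComputerName $target -ScriptBlock { $env:COMPUTERNAME } -ErrorAction Stop
} catch {
    # Workgroup or untrusted-domain host: explicit credentials plus TrustedHosts.
    Add-TrustedHost -ComputerName $target | Out-Null
    Invoke-Command -ComputerName $target -Credential (Get-Credential) -ScriptBlock { $env:COMPUTERNAME }
}
```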

Firewall configuration
  1. Get-WinEvent (Event Viewer): enable the inbound rules Remote Event Log Management (NP-In), Remote Event Log Management (RPC), and Remote Event Log Management (RPC-EPMAP). Alternatively, use Filter by Group > Filter by Remote Event Log Management and enable all three rules.
  2. Performance Monitor: enable Performance Logs and Alerts (TCP-In) and Performance Logs and Alerts (DCOM-In) for the Domain and Private profiles, or use Filter by Group > Filter by Performance Logs and Alerts and enable all three rules.
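The same two rule groups can be enabled from the command line and read back to confirm which rules are now open and in which profiles. This is an added example, not part of the original page; it uses netsh so that it also works on Windows 7 and Windows Server 2008, and the output parsing assumes the English netsh text.

```powershell
# Added example (not from the original page): enable the rule groups that remote
# Event Viewer and Performance Monitor need, limited to the Domain and Private
# profiles, then list the resulting rule state for review.

$groups = @('Remote Event Log Management', 'Performance Logs and Alerts')

function Enable-RuleGroup {
    param([Parameter(Mandatory)][string]$Group)
    # 'set rule group=' matches every rule in the group; 'profile=' keeps the
    # Public profile closed so the ports are not exposed on untrusted networks.
    $null = netsh advfirewall firewall set rule group="$Group" dir=in profile=domain,private new enable=yes 2>&1
    return ($LASTEXITCODE -eq 0)
}

function Get-RuleGroupState {
    param([Parameter(Mandatory)][string]$Group)
    # 'show rule' prints one block per rule, separated by blank lines, with
    # 'Field:  value' lines; keep only the rules whose Grouping matches.
    $text = netsh advfirewall firewall show rule name=all dir=in | Out-String
    $rules = foreach ($block in ($text -split '(?:\r?\n){2,}')) {
        $r = @{}
        foreach ($line in ($block -split '\r?\n')) {
            if ($line -match '^([^:]+):\s*(.*)$') { $r[$Matches[1].Trim()] = $Matches[2].Trim() }
        }
        if ($r['Grouping'] -eq $Group) {
            [pscustomobject]@{ Name = $r['Rule Name']; Profiles = $r['Profiles']; Enabled = $r['Enabled'] }
        }
    }
    return $rules
}

# Usage: enable each group, then show what is enabled so unexpected rules stand out.
foreach ($g in $groups) {
    if (-not (Enable-RuleGroup -Group $g)) { Write-Warning "Could not enable rule group '$g'" }
    Get-RuleGroupState -Group $g | Format-Table -AutoSize
}
```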