1
00:00:00,540 --> 00:00:02,640
So let's go back into our environment.

2
00:00:02,640 --> 00:00:06,750
We'll first look at how we connect to a remote system without using a

3
00:00:06,750 --> 00:00:10,680
trusted host entry and what that looks like and what happens if it's not

4
00:00:10,680 --> 00:00:14,940
trusted, we'll then add a trusted host entry,

5
00:00:14,940 --> 00:00:18,850
and then we'll reconnect it back to the system now that

6
00:00:18,850 --> 00:00:21,640
that trusted host entry has been added.

7
00:00:21,640 --> 00:00:24,460
So we're on the Windows 10 client machine,

8
00:00:24,460 --> 00:00:30,240
and this machine, if I just click the Start menu here and just type advanced,

9
00:00:30,240 --> 00:00:33,210
what I can then do is click View advanced system settings,

10
00:00:33,210 --> 00:00:34,550
click on Computer Name,

11
00:00:34,550 --> 00:00:37,500
and you'll then be able to see that it says computer name

12
00:00:37,500 --> 00:00:44,440
TRAININGWIN10VM and then WORKGROUP, so it's not on a domain of any description.

13
00:00:44,440 --> 00:00:46,140
So I'm going to click Cancel here.

14
00:00:46,140 --> 00:00:46,530
Now,

15
00:00:46,530 --> 00:00:51,020
the goal here is to use this non‑domain joined machine to

16
00:00:51,020 --> 00:00:53,930
remotely administer a domain machine.

17
00:00:53,930 --> 00:00:57,040
In this case, it'll be the Active Directory server.

18
00:00:57,040 --> 00:01:02,540
Now to initiate a PowerShell session, we're going to use Enter‑PSSession,

19
00:01:02,540 --> 00:01:05,080
and then we'll pass the ComputerName, and we'll use the

20
00:01:05,080 --> 00:01:09,720
IP address of the domain controller, so 10.0.0.5,

21
00:01:09,720 --> 00:01:11,340
and we'll just press Enter.

22
00:01:11,340 --> 00:01:17,240
Now of course, it fails instantly because it has no way of authenticating.

23
00:01:17,240 --> 00:01:21,670
It gives us a message saying that the WinRM client can't process it.

24
00:01:21,670 --> 00:01:24,340
It talks about a different authentication scheme.

25
00:01:24,340 --> 00:01:28,440
So how do we get this process to work?

26
00:01:28,440 --> 00:01:31,810
Well, first off, this is where we talk about the trusted hosts,

27
00:01:31,810 --> 00:01:35,180
and we'll need to make a change in the trusted hosts

28
00:01:35,180 --> 00:01:37,350
on the Active Directory server.

29
00:01:37,350 --> 00:01:40,480
So we'll just flick across now to the Active Directory

30
00:01:40,480 --> 00:01:43,940
server and make this adjustment.

31
00:01:43,940 --> 00:01:46,810
So here we are on the domain controller.

32
00:01:46,810 --> 00:01:52,540
Now we need to set the trusted host value on this machine to

33
00:01:52,540 --> 00:01:56,720
allow the non‑domain machine to communicate.

34
00:01:56,720 --> 00:01:58,710
Now I'm using PowerShell to do this,

35
00:01:58,710 --> 00:02:03,460
so we can actually use a command called Set‑Item.

36
00:02:03,460 --> 00:02:08,540
But before we do that, it's always good to check what the value is going to be.

37
00:02:08,540 --> 00:02:10,840
So I'm going to say Get‑Item,

38
00:02:10,840 --> 00:02:15,340
and the syntax we use is using a protocol called WSMan,

39
00:02:15,340 --> 00:02:19,080
and then I'm going to type localhost, which is this machine,

40
00:02:19,080 --> 00:02:25,740
\Client\TrustedHosts, and then I can press Enter.

41
00:02:25,740 --> 00:02:29,510
Now you'll see it goes and queries inside the machine in the

42
00:02:29,510 --> 00:02:33,720
WSMan protocol and comes back and says, okay, I've got that property,

43
00:02:33,720 --> 00:02:38,050
but I don't have any value associated to that one.

44
00:02:38,050 --> 00:02:43,140
So, the first thing we have to do here is to set that to the value that we need.

45
00:02:43,140 --> 00:02:49,000
So I'm going to say Set‑Item, we'll go back and use that same string value,

46
00:02:49,000 --> 00:03:00,840
so WSMan:\localhost\Client\TrustedHosts.

47
00:03:00,840 --> 00:03:07,350
Then we'll set the property of ‑Value to be the IP address of our machine,

48
00:03:07,350 --> 00:03:14,880
which is 10.0.0.8, and then I'm going to use the word ‑Force to force that in,

49
00:03:14,880 --> 00:03:16,140
and we'll press that.

50
00:03:16,140 --> 00:03:19,100
We'll then just go up and choose the Get option to make

51
00:03:19,100 --> 00:03:22,040
sure that we now have a value that's set.

52
00:03:22,040 --> 00:03:22,770
Now,

53
00:03:22,770 --> 00:03:27,260
we can use a specific IP address here to say these are the IP

54
00:03:27,260 --> 00:03:29,690
addresses that I wish to allow to come in.

55
00:03:29,690 --> 00:03:30,600
So for example,

56
00:03:30,600 --> 00:03:33,300
if we were using the 10 range, I could put the IP

57
00:03:33,300 --> 00:03:36,540
address of whatever the machines would be,

58
00:03:36,540 --> 00:03:41,240
or I could use a different approach, which I'm going to do here,

59
00:03:41,240 --> 00:03:45,780
and I'm going to get rid of my IP addresses and just use an asterisk, or a star,

60
00:03:45,780 --> 00:03:48,020
press Enter, and then I'll choose the Get,

61
00:03:48,020 --> 00:03:50,480
and you'll see the Value is now set to the *,

62
00:03:50,480 --> 00:03:53,640
which means any IP address can communicate.

63
00:03:53,640 --> 00:03:56,880
So depending on how secure you would like to be in your environment,

64
00:03:56,880 --> 00:03:59,940
you can determine whether it needs to be IP address

65
00:03:59,940 --> 00:04:01,830
specific or whether we use a star.

66
00:04:01,830 --> 00:04:04,590
For the purposes of this, I'll just use a star for now.

67
00:04:04,590 --> 00:04:07,740
So let's go back to our Windows 10 machine, and

68
00:04:07,740 --> 00:04:10,440
we'll reinitiate that connection.

69
00:04:10,440 --> 00:04:12,540
Okay, so we're back on the Windows 10,

70
00:04:12,540 --> 00:04:15,400
so let's go back and initialize that session again.

71
00:04:15,400 --> 00:04:20,180
So we've added 10.0.0.8, or the asterisk sign,

72
00:04:20,180 --> 00:04:23,640
which basically allows any IP address to connect,

73
00:04:23,640 --> 00:04:25,480
so in theory this should connect.

74
00:04:25,480 --> 00:04:26,940
So I'm going to press Enter.

75
00:04:26,940 --> 00:04:28,160
Now notice what happens.

76
00:04:28,160 --> 00:04:30,030
It fails again.

77
00:04:30,030 --> 00:04:32,940
So there must be another thing that needs to be done.

78
00:04:32,940 --> 00:04:34,630
And sure enough, there is.

79
00:04:34,630 --> 00:04:40,230
So I'm going to clear this screen, and what we'll do is we'll run Get‑Item,

80
00:04:40,230 --> 00:04:54,410
like we did on the previous machine, and I'll say localhost\Client\TrustedHosts,

81
00:04:54,410 --> 00:04:55,670
and we'll see what value.

82
00:04:55,670 --> 00:04:58,140
And see we have no value here.

83
00:04:58,140 --> 00:05:01,220
Now you may be wondering why we have to set a value on this side too.

84
00:05:01,220 --> 00:05:06,130
So the key is if we're utilizing this type of approach using trusted hosts,

85
00:05:06,130 --> 00:05:09,050
we do need to enter values in both sides.

86
00:05:09,050 --> 00:05:10,740
Now for ease and convenience of this,

87
00:05:10,740 --> 00:05:12,770
I'm actually just going to use the asterisk sign,

88
00:05:12,770 --> 00:05:16,870
so I'm going to say Set‑Item WSMan,

89
00:05:16,870 --> 00:05:24,300
so reissue the same command that we just added on the AD server,

90
00:05:24,300 --> 00:05:28,040
except the IP address is obviously not going to be itself.

91
00:05:28,040 --> 00:05:37,340
So TrustedHosts ‑Value "10.0.0.5", which is the AD server,

92
00:05:37,340 --> 00:05:38,730
and then we'll say ‑Force.

93
00:05:38,730 --> 00:05:40,280
So think how that works.

94
00:05:40,280 --> 00:05:46,540
We've got 10.0.0.8 on the one side and 10.0.0.5 on the other one.

95
00:05:46,540 --> 00:05:48,590
Now of course, I'm not going to set it as 5,

96
00:05:48,590 --> 00:05:53,580
I just want to put it as a star because once we put specific IP addresses in,

97
00:05:53,580 --> 00:05:57,600
then any machines that don't have those IP addresses struggle to then

98
00:05:57,600 --> 00:06:00,520
connect because they're not listed as trusted hosts.

99
00:06:00,520 --> 00:06:04,080
So I'm going to set this value here, I'm then going to choose Get,

100
00:06:04,080 --> 00:06:07,040
and sure enough, I now have a value.

101
00:06:07,040 --> 00:06:11,070
So let me clear this here and just loop through my session values here,

102
00:06:11,070 --> 00:06:14,190
and I'm going to say Enter‑PSSession ‑ComputerName,

103
00:06:14,190 --> 00:06:15,610
and sure enough, it now works.

104
00:06:15,610 --> 00:06:21,830
So now that we have the entry for the trusted hosts in both locations,

105
00:06:21,830 --> 00:06:23,640
they are able to communicate.

106
00:06:23,640 --> 00:06:26,090
Now we could have used the IP addresses to make it more

107
00:06:26,090 --> 00:06:28,540
restrictive, or we can use the star.

108
00:06:28,540 --> 00:06:32,030
I'm just going to exit here, and that will take me back out.

109
00:06:32,030 --> 00:06:36,250
But you can see in the console here that the PowerShell command when it's

110
00:06:36,250 --> 00:06:41,530
connected to the remote server or machine is prefixed with the IP address

111
00:06:41,530 --> 00:06:44,740
or the name of the machine that's there.

112
00:06:44,740 --> 00:06:48,050
Now what about if you did want to use IP addresses?

113
00:06:48,050 --> 00:06:51,540
Now what we can do is we can create a variable,

114
00:06:51,540 --> 00:06:54,740
and what I'm going to do here is say Get‑Item,

115
00:06:54,740 --> 00:06:58,580
we're going to use the same kind of syntax that we did before,

116
00:06:58,580 --> 00:07:10,640
so WSMan:\localhost\Client\TrustedHosts),

117
00:07:10,640 --> 00:07:14,440
and then I'll just say .Value, like so.

118
00:07:14,440 --> 00:07:17,450
I can then double‑check what's in that one.

119
00:07:17,450 --> 00:07:18,710
I used host.

120
00:07:18,710 --> 00:07:20,690
Just be careful of the names of variables.

121
00:07:20,690 --> 00:07:24,870
Host is a standard variable. Hosts is the one I created.

122
00:07:24,870 --> 00:07:28,130
And you can see it shows me an asterisk, or a star,

123
00:07:28,130 --> 00:07:29,740
so I'm going to clear that down.

124
00:07:29,740 --> 00:07:34,530
What I can then do is if I wanted to append a value to it,

125
00:07:34,530 --> 00:07:38,550
so let's say I didn't have the star, I had the specific IP address,

126
00:07:38,550 --> 00:07:41,540
so what we'll do is I can say Set‑Item

127
00:07:41,540 --> 00:07:52,660
WSMan:\localhost\Client\TrustedHosts ‑Value.

128
00:07:52,660 --> 00:07:59,560
Now let's say that we did add the domain and we weren't using the star,

129
00:07:59,560 --> 00:08:00,690
I could do this.

130
00:08:00,690 --> 00:08:05,240
And then if I get my Get command here, if we just loop through,

131
00:08:05,240 --> 00:08:07,490
you can see it's now set to an IP address.

132
00:08:07,490 --> 00:08:11,630
Let's say I wanted to allow the AD server to communicate,

133
00:08:11,630 --> 00:08:16,670
but I also wanted the file server and any other IP addresses.

134
00:08:16,670 --> 00:08:20,250
What we're able to do is once we've got those values,

135
00:08:20,250 --> 00:08:24,760
if we go back to my variable here, which is get the value,

136
00:08:24,760 --> 00:08:29,320
$hosts, you'll see it's now got 10.0.0.5.

137
00:08:29,320 --> 00:08:32,990
If I want to add another IP address to that one,

138
00:08:32,990 --> 00:08:39,340
I can say Set‑Item, set the path, or just actually type WSMan,

139
00:08:39,340 --> 00:08:43,140
it doesn't really make a difference in the syntax here,

140
00:08:43,140 --> 00:08:49,640
localhost\Client\TrustedHosts.

141
00:08:49,640 --> 00:08:54,440
What I can then do is use that variable that we have

142
00:08:54,440 --> 00:08:57,980
and then say 10.0.0.10, for example.

143
00:08:57,980 --> 00:09:02,120
So I'm appending to the existing one that's there.

144
00:09:02,120 --> 00:09:03,940
So I'm going to press Enter.

145
00:09:03,940 --> 00:09:05,620
Now, what does that look like?

146
00:09:05,620 --> 00:09:08,050
Well, let's just loop through my commands for a second, and

147
00:09:08,050 --> 00:09:12,660
you'll see we've now got 10.0.0.5 and 10.0.0.10.

148
00:09:12,660 --> 00:09:17,280
So we can create a comma‑separated list and just retrieve

149
00:09:17,280 --> 00:09:19,540
the current value and append to it.

150
00:09:19,540 --> 00:09:24,410
So that's how we can create a connection from a non‑domain machine to

151
00:09:24,410 --> 00:09:33,000
a domain‑joined machine simply by adding in those trusted host entries into both sides of the environment.

