Hey i am working on an issue within in source initiated Event Collection Environment. The Collector is a 2008R2 Server (Domain Controller) I configured Listeners, receiving Server and Accounts to be member of Event Collectors Group by GPO. Then i created my Source initiated Subscription on my DC07 (W2K8R2) Instantly the other 2K8R2 started with transfering their Events..... but the 2008s not?!?!? They are able to reach the Server and to conenct to winrm (Tried by: winrm id /r:dc07.my-domain.local) So i dived into the Eventlog (Eventlog-ForwardingPlugin) and there i found a Event 107 A subscription policy contains invalid configuration. Description of policy is dc07.my-domain.local. The subscription is streight forward created by GUI, so it might be, there Need to be set something to match W2K8/Vista requirements... Also the Description in the Event Looks starnge to me, because i did not use a description.... So, here is the configuration.xml.... <?xml version="1.0" encoding="UTF-8"?> <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription"> <SubscriptionId>ServersCollection</SubscriptionId> <SubscriptionType>SourceInitiated</SubscriptionType> <Description></Description> <Enabled>true</Enabled> <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri> <ConfigurationMode>MinLatency</ConfigurationMode> <Delivery Mode="Push"> <Batching> <MaxLatencyTime>30000</MaxLatencyTime> </Batching> <PushSettings> <Heartbeat Interval="3600000"/> </PushSettings> </Delivery> <Query> <![CDATA[ <QueryList><Query Id="0"><Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select><Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select></Query></QueryList> ]]> </Query> <ReadExistingEvents>false</ReadExistingEvents> <TransportName>HTTP</TransportName> <ContentFormat>RenderedText</ContentFormat> <Locale Language="en-US"/> <LogFile>ForwardedEvents</LogFile> <PublisherName>Microsoft-Windows-EventCollector</PublisherName> <AllowedSourceNonDomainComputers> <AllowedIssuerCAList> </AllowedIssuerCAList> </AllowedSourceNonDomainComputers> <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;S-1-5-21-507921405-1708537768-1630373619-4618)(A;;GA;;;S-1-5-21-507921405-1708537768-1630373619-5117)(A;;GA;;;S-1-5-21-507921405-1708537768-1630373619-6121)S:</AllowedSourceDomainComputers> </Subscription> Thanks for any hint! Best regards Chris

Hi, For Event Subscription in Windows Server 2008, it seems a little different with Windows Server 2008 R2. I dont find the official documents, however I found some partners posting: In order to forward events from a 2008 Server that is not R2, you will need to make a few changes. The first change is the default listening port, it needs to be changed from TCP 80 to TCP 5985. Additionally you may need to start the Windows Event Collector Service. net start wecsvc winrm set winrm/config/listener?Address=*+Transport=HTTP @{Port=5985} For more information please refer to following MS articles: Configure Computers to Forward and Collect Events http://technet.microsoft.com/en-us/library/cc748890.aspx Windows Mangement Framework Release Notes http://download.microsoft.com/download/C/E/C/CEC0CAC9-7234-4092-8928-E892B69BB1FC/Windows%20Mangement%20Framework%20Release%20Notes%20en-US.rtf Hope this helps! TechNet Subscriber Support If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.Lawrence TechNet Community Support

Hi, we updated all our Systems to WinRM 2 prior Initial Configuration so all their Ports are set to 5985. In Addition i added 5985 as port to the Serverstring in GPO. Chris p.s. i double checked the listener (on 2008), it is set to 5985 C:\Users\administrator.MY-DOMAIN\Desktop>winrm e winrm/config/listener Listener [Source="GPO"] Address = * Transport = HTTP Port = 5985 Hostname Enabled = true URLPrefix = wsman CertificateThumbprint ListeningOn = 127.0.0.1, 192.168.2.7, ::1, fe80::100:7f:fffe%13, fe80::5efe 192.168.2.7%12

Hi, Could you please refer to the link as below for reference: http://msdn.microsoft.com/en-us/library/windows/desktop/bb870973(v=vs.85).aspx If it fails to works, please capture a screenshot for direct view. Meanwhile, please compare the GP result on a working Windows Server 2008 R2 with the problematic Windows Server 2008 to check the questionable ones. Thanks for your time. Best regards, Kevin NiPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi, i followed the readme again, and did some Screens (still not running)... https://skydrive.live.com/redir?page=view&resid=343837301D54C801!6013&authkey=!AE2oVyUUgTaCbpY best regards C_loki

Hi, Could you please refer to the following link: http://msdn.microsoft.com/en-us/library/windows/desktop/bb870971(v=vs.85).aspx Meanwhile, I suggest we submit the request MSDN forum as well: http://social.msdn.microsoft.com/Forums/en-US/categories Thanks. Kevin NiPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi Kevin, the subscription and complete config has been created without programming (also i do not have the skill nor Tools to do so). So i guess MSDN or the recommended link will not help... ;-) Best regards c_loki

Hi, Please run command winrm enumerate winrm/config/listener on 08. If the port is 80, please change the port on 08 R2 to 80 for test. Thanks. Kevin NiPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi, i realized, that the Server, where i did the Screens was an r2, so it seems not to be an issue with 2008 and r2..... The only running System ist the second Domain Controller... I checked the config on the 2008 too and there the listener port is 5985... i attached the Screen at the bottom https://skydrive.live.com/redir?page=view&resid=343837301D54C801!6013&authkey=!AE2oVyUUgTaCbpY Thanks c_loki

after that i disabled all policies and reseted winrm. Still the same error 107 there.... i tried several things and finally verfied the complete gpresult to realize, there is an other older policy with wrong values... Corrected that an reenabled my new policies, now i got an error, that my Server does not Support ws-management.... Now i moved the collection to a member Server of the Domain ..... voila running.... Step 1 completed, now i would like to know, whats wrong with the dc07..... Thanks for Support c_loki p.s. recreated the listener, wec, winrm, ... on dc again, now it is also running...