WinRM was configured via a GPO to allow remote administration, but it wouldn’t let us connect with Enter-PSSession. The firewall rule was in place, allowing the traffic on TCP port 5985.
Checking the WinRM config showed something strange:
winrm enumerate winrm/config/listener
Address = *
Transport = HTTP
Port = 5985
Enabled = true
URLPrefix = wsman
ListeningOn = null
So WinRM was actually configured but wasn’t listening on any network interface. Why?
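A check for this state, as an added example (not from the original post): the Python below parses saved output of winrm enumerate winrm/config/listener and reports listeners that are enabled but bound to no address. The second listener in the sample, with its hostname and addresses, is constructed for illustration.

```python
# Constructed sample: the first record is the output shown above,
# the second is a made-up healthy listener in the indented "Listener" layout.
SAMPLE = """\
Address = *
Transport = HTTP
Port = 5985
Enabled = true
URLPrefix = wsman
ListeningOn = null
Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = srv01.example.test
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 192.0.2.10, ::1
"""

def parse_listeners(text):
    """Return one dict per listener; a record starts at its 'Address =' line."""
    listeners, current = [], None
    for raw in text.splitlines():
        key, sep, value = (part.strip() for part in raw.partition("="))
        if key == "Listener" and not sep:      # section header, no data
            current = None
            continue
        if key == "Address" and sep:           # first field of every listener
            current = {}
            listeners.append(current)
        if current is not None and key:        # valueless keys are stored as ""
            current[key] = value
    return listeners

def bound_addresses(listener):
    """IP addresses the listener is bound to; empty for 'null' or a missing value."""
    value = listener.get("ListeningOn", "")
    if value.lower() in ("", "null"):
        return []
    return [addr.strip() for addr in value.split(",") if addr.strip()]

def dead_listeners(text):
    """Listeners that are Enabled but have no bound address, so nothing accepts connections."""
    return [l for l in parse_listeners(text)
            if l.get("Enabled", "").lower() == "true" and not bound_addresses(l)]

if __name__ == "__main__":
    for l in dead_listeners(SAMPLE):
        print(f"{l['Transport']} port {l['Port']}: enabled but ListeningOn is empty")
```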
For those who still use NTFRS: as of KB823230, ntfrsutl can be used to force Sysvol replication:
ntfrsutl forcerepl DST_DC_NAME /r "domain system volume (sysvol share)" /p SRC_DC_FQDN
The replication path will be SRC_DC_FQDN > DST_DC_NAME
In fact ntfrsutl connects to DST_DC_NAME and “tells” NTFRS to pull Sysvol changes from its inbound partner SRC_DC_FQDN.