AD cmdlets not working over PSSession

Servers involved use WinServer 2012 R2
PowerShell v3 is what I use on all machines

A virtual machine is setup with Windows Server 2012 R2 and has Active Directory installed. The ADUC on this server is not a DC but it connects to a DC that also sits on WinServer 2012 R2.

When I sign into my File-Share server directly and open PowerShell, I am able to successfully run AD cmdlets such as Get-ADUser or Get-ADComputer, etc.

I do not want to sign into the server every time to run these AD cmdlets, instead I'd like to enter a PSSession with my File-Share server from my laptop. The laptop uses Win7 and has PowerShell v3 installed.

However my problem, seen in the screenshot attached, is that after entering into a PSSession with my File-Share server those same commands that work when directly sign into the File-Share server no longer work. I get the error displayed in red shown in screenshot. I can't not figure out why any ideas?

WinRM servcies and Active Directory Web Services are both showing enabled and this is by default with Server 2012 anyways.. what am I missing here?! Thanks-

Error below for your copy/paste convenience

Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the
Active Directory Web Services running.
    + CategoryInfo          : ResourceUnavailable: (:) [Get-ADComputer], ADServerDownException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADComputer

PSSession-Error.gif
ryanmavesAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

SubsunCommented:
0
footechCommented:
0
ryanmavesAuthor Commented:
Thank you for the suggestions. I have been looking them both over.

Each link has provided me with more clues to getting this resolved. I wanted to share this interesting bit.

If I have an open session on my laptop with the File-Share server and then run this command Enable-PSRemoting from the PowerShell console that is within my File-Share server. I can then go back to my laptop that has the session and run Get-ADComputer and it works..!  However!!

The command will work from my laptop through the PSSession exactly how I want it to, but at the same time it kills the session after the command executes...?!! Then if I try to go into the session again it says that the session is "broken". I create a new session and my AD cmdlets no longer work again remotely. But again, if I go to my server PowerShell console and run Enable-PSRemoting, then return to laptop console my command will work again... but only one time before killing the session. Weird?

(from FILE-SHARE console)
PS C:\> Enable-PSRemoting

WinRM Quick Configuration
Running command "Set-WSManQuickConfig" to enable remote management of this computer by using the Windows Remote
Management (WinRM) service.
 This includes:
    1. Starting or restarting (if already started) the WinRM service
    2. Setting the WinRM service startup type to Automatic
    3. Creating a listener to accept requests on any IP address
    4. Enabling Windows Firewall inbound rule exceptions for WS-Management traffic (for http only).

Do you want to continue?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): a
WinRM is already set up to receive requests on this computer.
WinRM has been updated for remote management.
WinRM firewall exception enabled.

(Then I go to laptop console and run one AD command and it works however kills my session and if I take a look here is what I see)

(from laptop console checking out what session I have available)
PS C:\scripts> Get-PSSession

 Id Name            ComputerName    State         ConfigurationName     Availability
 -- ----            ------------    -----         -----------------     ------------
  2 Session2        FILE-SHARE         Broken        Microsoft.PowerShell          None
0
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

SubsunCommented:
Are you connecting session with  with CredSSP?
0
ryanmavesAuthor Commented:
@Subsun

Hm, I guess I can give that a try. Reading up on the second-hop article and really that's not my situation though. I'm PSSession as Client A to Server A. I'm not going any further than Server A.

But let me give it a go anyways just to be sure okay standby!
Thanks!
0
SubsunCommented:
I thought you are connecting from Win7 -> File-Share server -> DC
0
ryanmavesAuthor Commented:
@Subsun

Hey you're right because my File-Share is not the DC. Touche indeed, now I'm really getting excited. Working on this CredSSP now (keep getting interrupted with other task) standby!
0
ryanmavesAuthor Commented:
@Subsun

Running into a problem trying to use this CredSSP. (perhaps this is a symptom of my overall issue?)

So first thing I need to do is setup CredSSP

-Laptop administrative console-
PS C:\ > Enable-WSManCredSSP -Role Client -DelegateComputer File-Share.mydomain.com -force

(returns the following error)
Enable-WSManCredSSP : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858770"
Machine="My-Laptop.mydomain.com"><f:Message>The client cannot connect to the destination specified in the request. Verify that the
service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service
running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the
destination to analyze and configure the WinRM service: "winrm quickconfig". </f:Message></f:WSManFault>
At line:1 char:1
+ Enable-WSManCredSSP -Role Client -DelegateComputer File-Share.mydomain.com -for ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.String[]:String[]) [Enable-WSManCredSSP], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.EnableWSManCredSSPCommand

(Verified settings on File-Share)
-File-Share server console results-

PS C:\> Get-WSManCredSSP
The machine is not configured to allow delegating fresh credentials.
This computer is configured to receive credentials from a remote client computer.
PS C:\> winrm qc
WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.
PS C:\> Enable-WSManCredSSP -Role Server

CredSSP Authentication Configuration for WS-Management
CredSSP authentication allows the server to accept user credentials from a remote computer. If you enable CredSSP
authentication on the server, the server will have access to the user name and password of the client computer if the
client computer sends them. For more information, see the Enable-WSManCredSSP Help topic.
Do you want to enable CredSSP authentication?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"):


cfg               : http://schemas.microsoft.com/wbem/wsman/1/config/service/auth
lang              : en-US
Basic             : false
Kerberos          : true
Negotiate         : true
Certificate       : false
CredSSP           : true
CbtHardeningLevel : Relaxed

PS C:\>
0
SubsunCommented:
Is there any firewall in between? May be windows firewall?
0
ryanmavesAuthor Commented:
@Subsun

Okay got that CredSSP figured out, but no joy on resolving the original issue.

FYI, I wrongly assumed WinRM was enabled on my laptop (Win7) box. After running "winrm quickconfig -force" then it was automatically configured and I could then complete the "Enable-WSManCredSSP" client and server setup. Both CredSSP settings ring true for my laptop (client) and File-Share (server). Then I entered a pssession using my credentials and it successfully joined the pssession with my given credentials. I then tested some AD cmdlets and the exact same error is coming up still.

Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active
Directory Web Services running.
    + CategoryInfo          : ResourceUnavailable: (:) [Get-ADComputer], ADServerDownException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADComputer
0
ryanmavesAuthor Commented:
I want to mention some other information that may provide additional clues.

I am the local admin for a (practice) that is part of a larger organization. I do not have access to the actual DC server itself nor do I have access to the entire domain. I only have permissions to manage the OU's assigned to my company within the domain. Hence, I have Active Directory installed on a VM at the local office and it gets it's directory information from the real DC.

Not sure how that would play into this whole scenario seeing as how I can sign into my File-Share server (with the ADUC installed and connected to the DC ADUC) and run command successfully from that box.

Just thinking this is worth a mention in case you get an "Aha!" moment from it or something.

Thanks!
0
SubsunCommented:
What if you try.. Get-ADUser -Filter * -Server DC.domain.com
0
ryanmavesAuthor Commented:
Good idea.

I ran that command from my laptop console (while still connected to pssession including CredSSP) and getting the same error as always here.

So I though let me run this command from my FIle-Share server just to be sure it even works and yes from File-Share server it does work to point directory to the DC.domain.com server. But still same issue from my laptop console...
0
ryanmavesAuthor Commented:
Along with your logic I thought maybe I'll just create a PSSession with the main DC instead of my server that is using the ADUC piggy backed off the DC. Looks like an access denied if I try it this way. However, I don't know how relevant this is seeing as how I can manage my OU's from my File-Share server. Although, this may be a clue so I wanted to document it.

-from my laptop console-

PS C:\scripts> Enter-PSSession DC.domain.com -Credential myname@domain.com
Enter-PSSession : Connecting to remote server DC.domain.com failed with the following error message : Access is denied.
For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession DC.domain.com -Credential myname@domain.com
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (DC.domain.com:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed
0
SubsunCommented:
After entering session,  Are you getting any error when you run command Import-Module ActiveDirectory
0
ryanmavesAuthor Commented:
No. All the modules import just fine while in PSSession via my laptop console.
0
ryanmavesAuthor Commented:
Okay I have stumbled upon something that I assumed was already in place.

ADWS (Active Directory Web Services) is indeed NOT started!!

Get-Service adws shows status is stopped

Start-Service adws returns the following error (and I even ran Start-Service adws directory from File-Share server console still same error..

Start-Service : Service 'Active Directory Web Services (adws)' cannot be started due to the following error: Cannot start service adws
on computer '.'.
    + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service], ServiceCommandExc
   eption
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand
0
ryanmavesAuthor Commented:
Within services.msc of the File-Share server I have changed the ADWS to Automatic and Started it up.

Unfortunately this still did not resolve issue and reporting same error..

I did find some interesting information out though. Apparently the DC I'm connecting to may actually be Server 2008 R2....

I need to clear up some details with (corporate IT). They are the guys who have the higher level access and can actually manage the DC server itself. Let me check with them and share what we have covered and get back to you ASAP!

Thanks so far
0
footechCommented:
Particularly if the File-Share server that is a DC is 2008 R2, you may just want to install the RSAT tools on your local workstation.  You may want to do that regardless of the former.  Unless there's some feature in the 2012 tools that you're needing.
0
ryanmavesAuthor Commented:
I've confirmed the DC is Server 2012 and my File-Share with ADUC connects to that DC and my laptop uses Windows 7.

DC = Server 2012

File-Share with ADUC = Server 2012 but is not a DC itself instead it connects to the DC's AD

Laptop = Windows 7

PowerShell v3 for everything

Problem = unable to use AD cmdlets through a PSSession through my laptop to File-Share server to manage ADUC OU's that I have rights to manage.

What I can do = I can successfully use cmdlets that are related to the File-Share server itself such as Get-Process or Get-Service. That works fine. I'm also able to use AD cmdlets successfully if I run them straight from the File-Share server console, it works no issue.

What's strange = If I start a PSSession on laptop to File-Share. Then go to File-Share console and run Enable-PSRemoting. Then go back to laptop console I can actually run an AD cmdlet successfully however it immediately ends the session and the session is then labeled "broken" and a new PSSession no longer works with AD cmdlets.

Hope that helps bring you up to speed
0
footechCommented:
I would just install the RSAT tools on your workstation.  I don't think you'll need any of the new AD cmdlets that are available through Server 2012.

What's strange = If I start a PSSession on laptop to File-Share. Then go to File-Share console and run Enable-PSRemoting. Then go back to laptop console I can actually run an AD cmdlet successfully however it immediately ends the session and the session is then labeled "broken" and a new PSSession no longer works with AD cmdlets.
I can't even imagine what's going on here that would result in a broken session, or why running Enable-PSRemoting would allow it to work temporarily.

To use the 2012 server, I suggest you try this if you haven't already.
Enter-PSSession -ComputerName File-Share.mydomain.com -Credential (Get-Credential) -Authentication Credssp

Open in new window

Then you can try the AD cmdlets.

Also try
$t = New-PSSession -ComputerName File-Share.mydomain.com ` 
        -Authentication Credssp ` 
        -Credential (Get-Credential)            
Invoke-Command -Session $t {Import-Module ActiveDirectory}            
Import-PSSession -Session $t -Module ActiveDirectory

Open in new window

And then try the AD cmdlets in your local session using implicit remoting.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ryanmavesAuthor Commented:
@footech

Hey, so I have installed RSAT tools on my laptop. I never considered that, I always thought if I keep the AD on a VM server then my other colleagues can have access as well. But with your suggestion I realized this is just a lightweight AD and so my colleagues can all install RSAT tools if needed.

Good news, with RSAT tools local to my laptop my AD cmdlets are working from my laptop and managing ADUC like I want.

Really I'm not sure if it was a combination of everything to this point or not. I took a lot of steps thusfar working with @Subsun, he had a lot of good suggestions too.

I don't know how do I divide the points fairly. I think you both made big contributions to a solution here?

Thanks EE!
0
footechCommented:
Installing the RSAT tools locally doesn't depend on CredSSP.

I wouldn't award points based on effort alone, but if a post helped you to understand the situation then it's fine to split points as you see fit.  The majority of points should go to the post that directly explains or led to your implemented solution.

Not really the case here, but in some cases, a direct answer to your question may not be the best solution, in which case you might actually accept the post with the direct answer as the solution, but awarding less points to it than a post with an alternate/superior answer which is accepted as an assist.  For example:
Question: How do I X?
Post 1: To do X, follow these steps... - accepted solution 200 pts.
Post 2: You can do X, but a better way is to do Y, because.... and here's how you do it.. - assisted solution 300 pts.
0
SubsunCommented:
FYI, I couldn't reproduce the issue in my lab, for me the remote session works fine with Credssp.
0
ryanmavesAuthor Commented:
Thank you both for helping me to the end!

Feels like a work-around but it is a solution never-the-less and it has me on track for now. Wish I knew the technical reason behind why I couldn't use PSSession though.

Thanks!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Powershell

From novice to tech pro — start learning today.