Solved

AD cmdlets not working over PSSession

Posted on 2014-08-05
Last Modified: 2014-08-12
Servers involved use WinServer 2012 R2
PowerShell v3 is what I use on all machines

A virtual machine is set up with Windows Server 2012 R2 and has Active Directory installed. The ADUC on this server is not a DC but it connects to a DC that also sits on WinServer 2012 R2.

When I sign into my File-Share server directly and open PowerShell, I am able to successfully run AD cmdlets such as Get-ADUser or Get-ADComputer, etc.

I do not want to sign into the server every time to run these AD cmdlets, instead I'd like to enter a PSSession with my File-Share server from my laptop. The laptop uses Win7 and has PowerShell v3 installed.

However my problem, seen in the screenshot attached, is that after entering into a PSSession with my File-Share server those same commands that work when directly signed into the File-Share server no longer work. I get the error displayed in red shown in the screenshot. I cannot figure out why. Any ideas?

WinRM services and Active Directory Web Services are both showing enabled and this is by default with Server 2012 anyway. What am I missing here?! Thanks-

Error below for your copy/paste convenience

Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the
Active Directory Web Services running.
    + CategoryInfo          : ResourceUnavailable: (:) [Get-ADComputer], ADServerDownException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADComputer

PSSession-Error.gif
Question by:ryanmaves
25 Comments
 

Assisted Solution

by:Subsun
Subsun earned 400 total points
ID: 40242254

Assisted Solution

by:footech
footech earned 1600 total points
ID: 40242278

Author Comment

by:ryanmaves
ID: 40242650
Thank you for the suggestions. I have been looking them both over.

Each link has provided me with more clues to getting this resolved. I wanted to share this interesting bit.

If I have an open session on my laptop with the File-Share server and then run the command Enable-PSRemoting from the PowerShell console that is within my File-Share server, I can then go back to my laptop that has the session and run Get-ADComputer and it works..!  However!!

The command will work from my laptop through the PSSession exactly how I want it to, but at the same time it kills the session after the command executes...?!! Then if I try to go into the session again it says that the session is "broken". I create a new session and my AD cmdlets no longer work again remotely. But again, if I go to my server PowerShell console and run Enable-PSRemoting, then return to laptop console my command will work again... but only one time before killing the session. Weird?

(from FILE-SHARE console)
PS C:\> Enable-PSRemoting

WinRM Quick Configuration
Running command "Set-WSManQuickConfig" to enable remote management of this computer by using the Windows Remote
Management (WinRM) service.
 This includes:
    1. Starting or restarting (if already started) the WinRM service
    2. Setting the WinRM service startup type to Automatic
    3. Creating a listener to accept requests on any IP address
    4. Enabling Windows Firewall inbound rule exceptions for WS-Management traffic (for http only).

Do you want to continue?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): a
WinRM is already set up to receive requests on this computer.
WinRM has been updated for remote management.
WinRM firewall exception enabled.

(Then I go to laptop console and run one AD command and it works however kills my session and if I take a look here is what I see)

(from laptop console checking out what session I have available)
PS C:\scripts> Get-PSSession

 Id Name            ComputerName    State         ConfigurationName     Availability
 -- ----            ------------    -----         -----------------     ------------
  2 Session2        FILE-SHARE         Broken        Microsoft.PowerShell          None

Expert Comment

by:Subsun
ID: 40242725
Are you connecting the session with CredSSP?

Author Comment

by:ryanmaves
ID: 40244088
@Subsun

Hm, I guess I can give that a try. Reading up on the second-hop article, really that's not my situation though. I'm in a PSSession as Client A to Server A. I'm not going any further than Server A.

But let me give it a go anyways just to be sure okay standby!
Thanks!

Expert Comment

by:Subsun
ID: 40244103
I thought you were connecting from Win7 -> File-Share server -> DC

Author Comment

by:ryanmaves
ID: 40244142
@Subsun

Hey you're right because my File-Share is not the DC. Touche indeed, now I'm really getting excited. Working on this CredSSP now (keep getting interrupted with other tasks), standby!

Author Comment

by:ryanmaves
ID: 40244373
@Subsun

Running into a problem trying to use this CredSSP. (Perhaps this is a symptom of my overall issue?)

So the first thing I need to do is set up CredSSP

-Laptop administrative console-
PS C:\ > Enable-WSManCredSSP -Role Client -DelegateComputer File-Share.mydomain.com -force

(returns the following error)
Enable-WSManCredSSP : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858770"
Machine="My-Laptop.mydomain.com"><f:Message>The client cannot connect to the destination specified in the request. Verify that the
service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service
running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the
destination to analyze and configure the WinRM service: "winrm quickconfig". </f:Message></f:WSManFault>
At line:1 char:1
+ Enable-WSManCredSSP -Role Client -DelegateComputer File-Share.mydomain.com -for ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.String[]:String[]) [Enable-WSManCredSSP], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.EnableWSManCredSSPCommand

(Verified settings on File-Share)
-File-Share server console results-

PS C:\> Get-WSManCredSSP
The machine is not configured to allow delegating fresh credentials.
This computer is configured to receive credentials from a remote client computer.
PS C:\> winrm qc
WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.
PS C:\> Enable-WSManCredSSP -Role Server

CredSSP Authentication Configuration for WS-Management
CredSSP authentication allows the server to accept user credentials from a remote computer. If you enable CredSSP
authentication on the server, the server will have access to the user name and password of the client computer if the
client computer sends them. For more information, see the Enable-WSManCredSSP Help topic.
Do you want to enable CredSSP authentication?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"):


cfg               : http://schemas.microsoft.com/wbem/wsman/1/config/service/auth
lang              : en-US
Basic             : false
Kerberos          : true
Negotiate         : true
Certificate       : false
CredSSP           : true
CbtHardeningLevel : Relaxed

PS C:\>

Expert Comment

by:Subsun
ID: 40244410
Is there any firewall in between? Maybe Windows Firewall?

Assisted Solution

by:ryanmaves
ryanmaves earned 0 total points
ID: 40244710
@Subsun

Okay got that CredSSP figured out, but no joy on resolving the original issue.

FYI, I wrongly assumed WinRM was enabled on my laptop (Win7) box. After running "winrm quickconfig -force" then it was automatically configured and I could then complete the "Enable-WSManCredSSP" client and server setup. Both CredSSP settings ring true for my laptop (client) and File-Share (server). Then I entered a pssession using my credentials and it successfully joined the pssession with my given credentials. I then tested some AD cmdlets and the exact same error is coming up still.

Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active
Directory Web Services running.
    + CategoryInfo          : ResourceUnavailable: (:) [Get-ADComputer], ADServerDownException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADComputer

Author Comment

by:ryanmaves
ID: 40244723
I want to mention some other information that may provide additional clues.

I am the local admin for a (practice) that is part of a larger organization. I do not have access to the actual DC server itself nor do I have access to the entire domain. I only have permissions to manage the OU's assigned to my company within the domain. Hence, I have Active Directory installed on a VM at the local office and it gets its directory information from the real DC.

Not sure how that would play into this whole scenario seeing as how I can sign into my File-Share server (with the ADUC installed and connected to the DC ADUC) and run commands successfully from that box.

Just thinking this is worth a mention in case you get an "Aha!" moment from it or something.

Thanks!

Expert Comment

by:Subsun
ID: 40244775
What if you try.. Get-ADUser -Filter * -Server DC.domain.com

Author Comment

by:ryanmaves
ID: 40244883
Good idea.

I ran that command from my laptop console (while still connected to the pssession including CredSSP) and I'm getting the same error as always here.

So I thought let me run this command from my File-Share server just to be sure it even works, and yes, from the File-Share server it does work to point the directory to the DC.domain.com server. But still the same issue from my laptop console...

Author Comment

by:ryanmaves
ID: 40244918
Along with your logic I thought maybe I'll just create a PSSession with the main DC instead of my server that is using the ADUC piggybacked off the DC. Looks like an access denied if I try it this way. However, I don't know how relevant this is seeing as how I can manage my OU's from my File-Share server. Although this may be a clue, so I wanted to document it.

-from my laptop console-

PS C:\scripts> Enter-PSSession DC.domain.com -Credential myname@domain.com
Enter-PSSession : Connecting to remote server DC.domain.com failed with the following error message : Access is denied.
For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession DC.domain.com -Credential myname@domain.com
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (DC.domain.com:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

Expert Comment

by:Subsun
ID: 40244981
After entering the session, are you getting any error when you run the command Import-Module ActiveDirectory?

Author Comment

by:ryanmaves
ID: 40244991
No. All the modules import just fine while in PSSession via my laptop console.

Assisted Solution

by:ryanmaves
ryanmaves earned 0 total points
ID: 40245100
Okay I have stumbled upon something that I assumed was already in place.

ADWS (Active Directory Web Services) is indeed NOT started!!

Get-Service adws shows status is stopped

Start-Service adws returns the following error (and I even ran Start-Service adws directly from the File-Share server console, still the same error):

Start-Service : Service 'Active Directory Web Services (adws)' cannot be started due to the following error: Cannot start service adws on computer '.'.
    + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

Author Comment

by:ryanmaves
ID: 40245123
Within services.msc of the File-Share server I have changed the ADWS to Automatic and Started it up.

Unfortunately this still did not resolve the issue and it is reporting the same error..

I did find some interesting information out though. Apparently the DC I'm connecting to may actually be Server 2008 R2....

I need to clear up some details with (corporate IT). They are the guys who have the higher level access and can actually manage the DC server itself. Let me check with them and share what we have covered and get back to you ASAP!

Thanks so far

Expert Comment

by:footech
ID: 40245154
Particularly if the File-Share server that is a DC is 2008 R2, you may just want to install the RSAT tools on your local workstation.  You may want to do that regardless of the former.  Unless there's some feature in the 2012 tools that you're needing.

Author Comment

by:ryanmaves
ID: 40246436
I've confirmed the DC is Server 2012 and my File-Share with ADUC connects to that DC and my laptop uses Windows 7.

DC = Server 2012

File-Share with ADUC = Server 2012 but is not a DC itself instead it connects to the DC's AD

Laptop = Windows 7

PowerShell v3 for everything

Problem = unable to use AD cmdlets through a PSSession through my laptop to File-Share server to manage ADUC OU's that I have rights to manage.

What I can do = I can successfully use cmdlets that are related to the File-Share server itself such as Get-Process or Get-Service. That works fine. I'm also able to use AD cmdlets successfully if I run them straight from the File-Share server console, it works no issue.

What's strange = If I start a PSSession on laptop to File-Share. Then go to File-Share console and run Enable-PSRemoting. Then go back to laptop console I can actually run an AD cmdlet successfully however it immediately ends the session and the session is then labeled "broken" and a new PSSession no longer works with AD cmdlets.

Hope that helps bring you up to speed

Accepted Solution

by:footech
footech earned 1600 total points
ID: 40246788
I would just install the RSAT tools on your workstation.  I don't think you'll need any of the new AD cmdlets that are available through Server 2012.

What's strange = If I start a PSSession on laptop to File-Share. Then go to File-Share console and run Enable-PSRemoting. Then go back to laptop console I can actually run an AD cmdlet successfully however it immediately ends the session and the session is then labeled "broken" and a new PSSession no longer works with AD cmdlets.
I can't even imagine what's going on here that would result in a broken session, or why running Enable-PSRemoting would allow it to work temporarily.

To use the 2012 server, I suggest you try this if you haven't already.
Enter-PSSession -ComputerName File-Share.mydomain.com -Credential (Get-Credential) -Authentication Credssp

Then you can try the AD cmdlets.

Also try
$t = New-PSSession -ComputerName File-Share.mydomain.com `
        -Authentication Credssp `
        -Credential (Get-Credential)
Invoke-Command -Session $t {Import-Module ActiveDirectory}
Import-PSSession -Session $t -Module ActiveDirectory

And then try the AD cmdlets in your local session using implicit remoting.
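As an added example (not code from the thread's posts), the following PowerShell script ties Subsun's diagnostic questions and footech's CredSSP implicit-remoting suggestion together: part 1 shows what the second hop looks like from inside a plain session, part 2 the CredSSP shape from the accepted answer. File-Share.mydomain.com and DC.domain.com are the thread's own placeholder names, and Get-RemoteADUser is simply the name Import-PSSession generates from the -Prefix used here.

```powershell
# Added example, not from the thread. Names are the thread's placeholders:
#   File-Share.mydomain.com = the member server that has the AD module
#   DC.domain.com           = the domain controller it talks to
param(
    [string]$JumpHost = 'File-Share.mydomain.com',
    [string]$Dc       = 'DC.domain.com'
)

# --- 1. The failing shape: plain Negotiate/Kerberos session, no delegation ---
# The remote runspace only holds a network-logon token, so its own hop to the
# DC over ADWS (TCP 9389) cannot authenticate; the AD module reports that as
# "Unable to contact the server ... Active Directory Web Services".
$plain  = New-PSSession -ComputerName $JumpHost
$report = Invoke-Command -Session $plain -ArgumentList $Dc -ScriptBlock {
    param($Dc)
    Import-Module ActiveDirectory

    # Is the DC's ADWS port reachable from this host at all? (TcpClient rather
    # than Test-NetConnection so this also runs on PowerShell v3.)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try     { $tcp.Connect($Dc, 9389); $portOpen = $true }
    catch   { $portOpen = $false }
    finally { $tcp.Close() }

    # Does the AD module get through with the session's own token?
    try   { $adResult = (Get-ADDomain -Server $Dc).DNSRoot }
    catch { $adResult = $_.Exception.GetType().Name }   # ADServerDownException in the thread

    [pscustomobject]@{
        RemoteIdentity = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        Dc             = $Dc
        AdwsPortOpen   = $portOpen      # $false points at network/firewall, not auth
        AdQuery        = $adResult
    }
}
Remove-PSSession $plain
$report | Format-List

# --- 2. The accepted answer's shape: CredSSP + implicit remoting --------------
# CredSSP gives the jump host a reusable copy of the password (the thread's
# Enable-WSManCredSSP prompt says exactly this), so delegate to this one host
# only, and prefer local RSAT, as the asker finally did, when that is possible.
Get-WSManCredSSP    # client side should list "wsman/<JumpHost>" as the delegation target
$cred = Get-Credential
$s = New-PSSession -ComputerName $JumpHost -Authentication Credssp -Credential $cred
Invoke-Command -Session $s { Import-Module ActiveDirectory }

# Proxy the AD cmdlets into the local session under a prefix: Get-RemoteADUser
# is typed on the laptop but executes on the jump host with the delegated token.
Import-PSSession -Session $s -Module ActiveDirectory -Prefix Remote | Out-Null
Get-RemoteADUser -Filter * -Server $Dc -ResultSetSize 5 |
    Select-Object Name, SamAccountName, Enabled
Remove-PSSession $s
```

If part 1 reports AdwsPortOpen as $true and AdQuery as ADServerDownException, the fault is the missing second-hop credential rather than ADWS itself, which is the situation the thread ends up describing.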

Author Comment

by:ryanmaves
ID: 40246965
@footech

Hey, so I have installed RSAT tools on my laptop. I never considered that, I always thought if I keep the AD on a VM server then my other colleagues can have access as well. But with your suggestion I realized this is just a lightweight AD and so my colleagues can all install RSAT tools if needed.

Good news, with RSAT tools local to my laptop my AD cmdlets are working from my laptop and managing ADUC like I want.

Really I'm not sure if it was a combination of everything to this point or not. I took a lot of steps thus far working with @Subsun, he had a lot of good suggestions too.

I don't know how to divide the points fairly. I think you both made big contributions to a solution here?

Thanks EE!

Expert Comment

by:footech
ID: 40247028
Installing the RSAT tools locally doesn't depend on CredSSP.

I wouldn't award points based on effort alone, but if a post helped you to understand the situation then it's fine to split points as you see fit.  The majority of points should go to the post that directly explains or led to your implemented solution.

Not really the case here, but in some cases, a direct answer to your question may not be the best solution, in which case you might actually accept the post with the direct answer as the solution, but award fewer points to it than a post with an alternate/superior answer which is accepted as an assist.  For example:
Question: How do I X?
Post 1: To do X, follow these steps... - accepted solution 200 pts.
Post 2: You can do X, but a better way is to do Y, because.... and here's how you do it.. - assisted solution 300 pts.

Expert Comment

by:Subsun
ID: 40248656
FYI, I couldn't reproduce the issue in my lab, for me the remote session works fine with Credssp.

Author Closing Comment

by:ryanmaves
ID: 40255175
Thank you both for helping me to the end!

Feels like a workaround but it is a solution nevertheless and it has me on track for now. Wish I knew the technical reason behind why I couldn't use PSSession though.

Thanks!
Question has a verified solution.
