ryanmaves asked:

AD cmdlets not working over PSSession

Servers involved use WinServer 2012 R2
PowerShell v3 is what I use on all machines

A virtual machine is set up with Windows Server 2012 R2 and has Active Directory installed. The ADUC on this server is not a DC, but it connects to a DC that also sits on WinServer 2012 R2.

When I sign into my File-Share server directly and open PowerShell, I am able to successfully run AD cmdlets such as Get-ADUser or Get-ADComputer, etc.

I do not want to sign into the server every time to run these AD cmdlets, instead I'd like to enter a PSSession with my File-Share server from my laptop. The laptop uses Win7 and has PowerShell v3 installed.

However, my problem, seen in the screenshot attached, is that after entering into a PSSession with my File-Share server those same commands that work when directly signed into the File-Share server no longer work. I get the error displayed in red shown in the screenshot. I cannot figure out why; any ideas?

WinRM services and Active Directory Web Services are both showing enabled, and this is by default with Server 2012 anyway... what am I missing here?! Thanks-

Error below for your copy/paste convenience

Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the
Active Directory Web Services running.
    + CategoryInfo          : ResourceUnavailable: (:) [Get-ADComputer], ADServerDownException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADComputer

ryanmaves (asker):

Thank you for the suggestions. I have been looking them both over.

Each link has provided me with more clues to getting this resolved. I wanted to share this interesting bit.

If I have an open session on my laptop with the File-Share server and then run the command Enable-PSRemoting from the PowerShell console on my File-Share server, I can then go back to my laptop that has the session and run Get-ADComputer and it works..!  However!!

The command will work from my laptop through the PSSession exactly how I want it to, but at the same time it kills the session after the command executes...?!! Then if I try to go into the session again it says that the session is "broken". I create a new session and my AD cmdlets no longer work again remotely. But again, if I go to my server PowerShell console and run Enable-PSRemoting, then return to laptop console my command will work again... but only one time before killing the session. Weird?

(from FILE-SHARE console)
PS C:\> Enable-PSRemoting

WinRM Quick Configuration
Running command "Set-WSManQuickConfig" to enable remote management of this computer by using the Windows Remote
Management (WinRM) service.
 This includes:
    1. Starting or restarting (if already started) the WinRM service
    2. Setting the WinRM service startup type to Automatic
    3. Creating a listener to accept requests on any IP address
    4. Enabling Windows Firewall inbound rule exceptions for WS-Management traffic (for http only).

Do you want to continue?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): a
WinRM is already set up to receive requests on this computer.
WinRM has been updated for remote management.
WinRM firewall exception enabled.

(Then I go to the laptop console and run one AD command and it works, however it kills my session, and if I take a look here is what I see)

(from laptop console checking out what session I have available)
PS C:\scripts> Get-PSSession

 Id Name            ComputerName    State         ConfigurationName     Availability
 -- ----            ------------    -----         -----------------     ------------
  2 Session2        FILE-SHARE      Broken        Microsoft.PowerShell  None

Are you connecting the session with CredSSP?

@Subsun

Hm, I guess I can give that a try. Reading up on the second-hop article, and really that's not my situation though. I'm in a PSSession as Client A to Server A. I'm not going any further than Server A.

But let me give it a go anyway just to be sure, okay, standby!
Thanks!

I thought you were connecting from Win7 -> File-Share server -> DC
@Subsun

Hey, you're right, because my File-Share is not the DC. Touché indeed, now I'm really getting excited. Working on this CredSSP now (keep getting interrupted with other tasks), standby!

@Subsun

Running into a problem trying to use this CredSSP. (perhaps this is a symptom of my overall issue?)

So first thing I need to do is setup CredSSP

-Laptop administrative console-
PS C:\ > Enable-WSManCredSSP -Role Client -DelegateComputer File-Share.mydomain.com -force

(returns the following error)
Enable-WSManCredSSP : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858770"
Machine="My-Laptop.mydomain.com"><f:Message>The client cannot connect to the destination specified in the request. Verify that the
service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service
running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the
destination to analyze and configure the WinRM service: "winrm quickconfig". </f:Message></f:WSManFault>
At line:1 char:1
+ Enable-WSManCredSSP -Role Client -DelegateComputer File-Share.mydomain.com -for ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.String[]:String[]) [Enable-WSManCredSSP], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.EnableWSManCredSSPCommand

(Verified settings on File-Share)
-File-Share server console results-

PS C:\> Get-WSManCredSSP
The machine is not configured to allow delegating fresh credentials.
This computer is configured to receive credentials from a remote client computer.
PS C:\> winrm qc
WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.
PS C:\> Enable-WSManCredSSP -Role Server

CredSSP Authentication Configuration for WS-Management
CredSSP authentication allows the server to accept user credentials from a remote computer. If you enable CredSSP
authentication on the server, the server will have access to the user name and password of the client computer if the
client computer sends them. For more information, see the Enable-WSManCredSSP Help topic.
Do you want to enable CredSSP authentication?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"):


cfg               : http://schemas.microsoft.com/wbem/wsman/1/config/service/auth
lang              : en-US
Basic             : false
Kerberos          : true
Negotiate         : true
Certificate       : false
CredSSP           : true
CbtHardeningLevel : Relaxed

PS C:\>

Is there any firewall in between? Maybe Windows firewall?
I want to mention some other information that may provide additional clues.

I am the local admin for a (practice) that is part of a larger organization. I do not have access to the actual DC server itself, nor do I have access to the entire domain. I only have permissions to manage the OU's assigned to my company within the domain. Hence, I have Active Directory installed on a VM at the local office and it gets its directory information from the real DC.

Not sure how that would play into this whole scenario, seeing as how I can sign into my File-Share server (with the ADUC installed and connected to the DC ADUC) and run commands successfully from that box.

Just thinking this is worth a mention in case you get an "Aha!" moment from it or something.

Thanks!

What if you try.. Get-ADUser -Filter * -Server DC.domain.com

Good idea.

I ran that command from my laptop console (while still connected to the PSSession, including CredSSP) and I'm getting the same error as always here.

So I thought, let me run this command from my File-Share server just to be sure it even works, and yes, from the File-Share server it does work to point the directory to the DC.domain.com server. But still the same issue from my laptop console...

Along with your logic, I thought maybe I'll just create a PSSession with the main DC instead of my server that is using the ADUC piggybacked off the DC. Looks like an access denied if I try it this way. However, I don't know how relevant this is, seeing as how I can manage my OU's from my File-Share server. Although this may be a clue, so I wanted to document it.

-from my laptop console-

PS C:\scripts> Enter-PSSession DC.domain.com -Credential myname@domain.com
Enter-PSSession : Connecting to remote server DC.domain.com failed with the following error message : Access is denied.
For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession DC.domain.com -Credential myname@domain.com
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (DC.domain.com:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

After entering the session, are you getting any error when you run the command Import-Module ActiveDirectory?

No. All the modules import just fine while in the PSSession via my laptop console.
Within services.msc of the File-Share server I have changed the ADWS to Automatic and Started it up.

Unfortunately, this still did not resolve the issue and it is reporting the same error..

I did find some interesting information out though. Apparently the DC I'm connecting to may actually be Server 2008 R2....

I need to clear up some details with (corporate IT). They are the guys who have the higher level access and can actually manage the DC server itself. Let me check with them and share what we have covered and get back to you ASAP!

Thanks so far

Particularly if the File-Share server that is a DC is 2008 R2, you may just want to install the RSAT tools on your local workstation.  You may want to do that regardless of the former.  Unless there's some feature in the 2012 tools that you're needing.

I've confirmed the DC is Server 2012 and my File-Share with ADUC connects to that DC and my laptop uses Windows 7.

DC = Server 2012

File-Share with ADUC = Server 2012 but is not a DC itself instead it connects to the DC's AD

Laptop = Windows 7

PowerShell v3 for everything

Problem = unable to use AD cmdlets through a PSSession through my laptop to File-Share server to manage ADUC OU's that I have rights to manage.

What I can do = I can successfully use cmdlets that are related to the File-Share server itself such as Get-Process or Get-Service. That works fine. I'm also able to use AD cmdlets successfully if I run them straight from the File-Share server console, it works no issue.

What's strange = If I start a PSSession on laptop to File-Share. Then go to File-Share console and run Enable-PSRemoting. Then go back to laptop console I can actually run an AD cmdlet successfully however it immediately ends the session and the session is then labeled "broken" and a new PSSession no longer works with AD cmdlets.

Hope that helps bring you up to speed
@footech

Hey, so I have installed RSAT tools on my laptop. I never considered that, I always thought if I keep the AD on a VM server then my other colleagues can have access as well. But with your suggestion I realized this is just a lightweight AD and so my colleagues can all install RSAT tools if needed.

Good news, with RSAT tools local to my laptop my AD cmdlets are working from my laptop and managing ADUC like I want.

Really, I'm not sure if it was a combination of everything to this point or not. I took a lot of steps thus far working with @Subsun; he had a lot of good suggestions too.

I don't know how to divide the points fairly. I think you both made big contributions to a solution here?

Thanks EE!

Installing the RSAT tools locally doesn't depend on CredSSP.

I wouldn't award points based on effort alone, but if a post helped you to understand the situation then it's fine to split points as you see fit.  The majority of points should go to the post that directly explains or led to your implemented solution.

Not really the case here, but in some cases, a direct answer to your question may not be the best solution, in which case you might actually accept the post with the direct answer as the solution, but awarding less points to it than a post with an alternate/superior answer which is accepted as an assist.  For example:
Question: How do I X?
Post 1: To do X, follow these steps... - accepted solution 200 pts.
Post 2: You can do X, but a better way is to do Y, because.... and here's how you do it.. - assisted solution 300 pts.

FYI, I couldn't reproduce the issue in my lab; for me the remote session works fine with CredSSP.

Thank you both for helping me to the end!

Feels like a work-around, but it is a solution nevertheless and it has me on track for now. Wish I knew the technical reason behind why I couldn't use PSSession, though.

Thanks!
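A diagnostic added for this page (not code from ryanmaves, SubSun or footech): it runs one probe both locally (with RSAT, the approach the thread ended up with) and inside the first hop to FILE-SHARE, so that an open ADWS port on the DC together with a failing Get-ADDomain points at the second-hop credential problem SubSun raised (Win7 -> File-Share -> DC) rather than at a DC that is down, which is what the error text suggests. The function name, the ADWS default port 9389 and the host names are assumptions; note that -Credential on Invoke-Command only authenticates the first hop and nothing is delegated onward unless CredSSP is configured.

```powershell
# Added example, not from the thread. Assumed: jump host FILE-SHARE, DC.domain.com,
# ADWS listening on its default TCP port 9389, RSAT installed on the laptop.
function Test-AdSecondHop {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $JumpHost,
        [Parameter(Mandatory)] [string] $DomainController,
        [System.Management.Automation.PSCredential] $Credential
    )

    # Runs on whichever machine executes it: can it reach ADWS, and can it authenticate to it?
    $probe = {
        param($dc)
        $r = [ordered]@{
            Computer  = $env:COMPUTERNAME
            RunningAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
            AdwsPort  = $false
            AdwsQuery = $false
            AdwsError = $null
        }
        # Plain TCP connect, so the same probe works on Win7 (no Test-NetConnection there)
        $tcp = New-Object System.Net.Sockets.TcpClient
        try { $tcp.Connect($dc, 9389); $r.AdwsPort = $true } catch { } finally { $tcp.Close() }
        try {
            Import-Module ActiveDirectory -ErrorAction Stop
            $null = Get-ADDomain -Server $dc -ErrorAction Stop
            $r.AdwsQuery = $true
        } catch {
            $r.AdwsError = $_.Exception.Message   # e.g. "Unable to contact the server..."
        }
        [pscustomobject]$r
    }

    # Same probe from the laptop and through the first hop
    $local = & $probe $DomainController
    $remoteArgs = @{ ComputerName = $JumpHost; ScriptBlock = $probe; ArgumentList = $DomainController }
    if ($Credential) { $remoteArgs.Credential = $Credential }   # first hop only, not delegated onward
    $remote = Invoke-Command @remoteArgs

    foreach ($p in @($local, $remote)) {
        if ($p.AdwsPort -and -not $p.AdwsQuery) {
            # Port reachable but query fails: the hop has no credential it can present to ADWS
            Write-Warning "$($p.Computer): ADWS on $DomainController reachable, query failed as $($p.RunningAs) (second hop): $($p.AdwsError)"
        }
    }
    @($local, $remote)
}

# Usage from the laptop: the remote row should show AdwsPort True and AdwsQuery False, the local row both True.
# Test-AdSecondHop -JumpHost FILE-SHARE -DomainController DC.domain.com | Format-Table -AutoSize
```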