Trying to join a Windows Server 2016 to a domain using PowerShell.
However, PowerShell fails on Get-ADDomain with :
Get-ADDomain -Identity customer.com.au -Credential $domainCred
Error :
Get-ADDomain : Unable to contact the server. This may be because this
server does not exist, it is currently down, or it does not have the
Active Directory Web Services running. At line:1 char:1
+ Get-ADDomain -Identity customer.com.au -Credential $domainCred
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (customer.com.au:ADDomain) [Get-ADDomain], ADServerDownException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADDomain
Get-ADDomainController -Discover -Service ADWS -DomainName customer.com.au
Domain : customer.com.au
Forest : customer.com.au
HostName : {CUSTOMERSVRDC06.customer.com.au}
IPv4Address : 10.20.104.86
IPv6Address :
Name : CUSTOMERSVRDC06
Site : customer-main-site
So, AD Web Services are running on a server in that domain. I can resolve the domain.
And I can even promote this server manually via Server Manager just fine, with the same credentials.
Anybody got an idea what’s wrong with AD PowerShell?
Cheers
David
Turns out there was a port still missing on the network side.
They opened up the firewall for now and it works. I suspect a random high port.
Sounds like you cannot reach the ADWS. That is common with corporate networks if firewall or policies are not designed to allow it. Regardless, you can achieve this with below options too.
Use the -Server param on Get-AD~ Cmdlets and specify a DC to query. You said you know at least 1 DC with ADWS on and reachable.
Use Invoke-Command or other PSRemoting features to remote into a DC and run those commands as if you were logged on locally on the DC. Doesn't need ADWS to be available on the Network.
You can also use PSexec with Invoke-Expression to run your code on the target machine.
Related
When I run the following, using the . I get a list of processes:
get-process -ComputerName .
When I use localhost I get the following error:
get-process -ComputerName localhost
get-process : Couldn't connect to remote machine.
At line:1 char:1
+ get-process -ComputerName localhost
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-Process], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetProcessComm
and
I'm using VS Code and running the following version of PS:
What are the possible reasons for this?
If I run the following it comes back with LAPTOP-E####### which is obviously not localhost - would csName usually be set as localhost or am I looking in the wrong part of ComputerInfo ?
Get-ComputerInfo | Select-Object csName
As per the comments you have to enable the Remote Registry Windows service for localhost to work, because it is treated as a remote machine and the underlying .NET method used in the original cmdlet reads the performance counters from the registry. This is not an issue in newer versions of PowerShell because the -ComputerName parameter doesn't exist in the PowerShell Core version of the cmdlet.
For anyone considering enabling the Remote Registry service, please be warned there are a number of security implications to consider when allowing remote access to a computer's registry. A lot of corporate users may find that this service is disabled via GPO. If you need process information from remote machines, it is better to use WinRM via Invoke-Command.
Generally if you want to refer to the local machine in a script it is best to use the PowerShell environment variable $env:COMPUTERNAME.
So far, I've tried opening port 9389 and ADWS is running on the remote server... and no luck...
The command:
$credential = Get-Credential # Feed it the Foreign Dommain\Username + Password
Get-ADUser 'someUser' -Server some.remote.server.com -Credential $credential
Here's the error:
Get-ADUser : Unable to contact the server. This may be because this server does
not exist, it is currently dow does not have the Active Directory Web Services
running.
At line:1 char:1
+ Get-ADUser 'someUser' -Server some.remote.server.com -Credential $credential
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (e313681:ADUser) [Get-ADUser], ADServerDownException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser
I can ping this machine and remote to it, but I can't query it with PowerShell.
I've checked that ADWS is running on the domain controller... out of ideas here - did I miss a port or something?
Really hope you got this problem solved after over 2.5 years. Got here through Google as I was looking for my own problem. Just dropping the information here for others that might hit this page.
Powershell is using ADWS and the port being used is 9389.
In the end for me it was the Windows Firewall blocking this port. For anyone in the same situation, check %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log for drops to the IP of the AD controller you are trying to connect to.
I have two Windows 7 Pro systems, one host system and one in a VM one the host system. I am trying to create a New PSSession on the host system to control the guest, both of which run Powershell 4.0.
As we have a DHCP setup in the office the first thing I do is establish the IP adress of each. Then I run the code below on both machines -
Set-Item wsman:\localhost\client\trustedhosts "$relevantIP" -Force
I then test that the systems are ready using WSMan on the host -
Test-WSMan $remoteIP
wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0
All this works perfectly well. At this point I used to create a new PSSession using the following
$credObject =
$Host.ui.PromptForCredential(
"Need credentials",
"Please enter password for the following IP $remoteIP",
$remoteUsername,
""
)
$remoteSession = New-PSSession -ComputerName $remoteIP -Credential $credObject
New-PSSession : [10.141.114.91] Connecting to remote server
10.141.114.91 failed with the following error message : The WinRM client cannot process the request. Default authentication may be used
with an IP address under the following conditions: the transport is
HTTPS or the destination is in the TrustedHosts list, and explicit
credentials are provided. Use winrm.cmd to configure TrustedHosts.
Note that computers in the TrustedHosts list might not be
authenticated. For more information on how to set TrustedHosts run
the following command: winrm help config. For more information, see
the about_Remote_Troubleshooting Help topic. At line:1 char:18
+ $remoteSession = New-PSSession -ComputerName "10.141.114.91" -Credential "SESA40 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession],
PSRemotingTransportException
+ FullyQualifiedErrorId : CannotUseIPAddress,PSSessionOpenFailed
I have no idea why it has started doing this when trying to connect to the VM from the host system. I can create a new PSSession on the host machine from within the guest but no longer the other way around.
The error message says that "Default
authentication may be used with an IP address under the following conditions: ... the destination is in the TrustedHosts list and explicit credentials are provided." I have already added the correspoding IP to each WSMan TrustedHosts fields and provide explicit credentials.
Any help would be greatly appreciated as I am scratching my head trying to think of what could be wrong.
Update
After following the suggestion of one commentor I tried using different authentification methods.
$remoteSession = New-PSSession -ComputerName "10.141.114.91" -Credential "Test" -ErrorAction Stop -Authentication Basic
The WinRM client cannot process the request. Unencrypted traffic is currently
disabled in the client configuration. Change the client configuration and try the request again.
So I ran set-item WSMan:\localhost\Client\allowunencrypted $true on both machines. Now trying to get a PSSession gives the error
Get-PSSession -ComputerName "10.141.114.91" -Credential "Test" -Authentication Basic
The WinRM client cannot process the request. If the authentication scheme is
different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting.
** Update 2 **
In case anyone has the same problem and comes across this - my problem turned out to be a combination of a network fault and then with my playing around somehow creating a list of IP addresses for wsman:\localhost\client\trustedhosts which missed a comma between IP's.
I've created a new VM in Windows Azure to use to act as a host to learn a bit of Powershell Remoting. After the VM was created I RDP'd onto the box and enabled remoting via the following command:
Enable-PSRemoting
I confirmed both prompts with 'a' replies and it finished without errors. If I run
Get-PSSessionConfiguration
I can see that three endpoints (?) have been set up. In the Azure portal I can see that the Powershell port is open - both 5986 is open as a public and private port.
I've added the public IP address of the machine to my hosts file, but when I try the following:
Enter-PSSession -ComputerName AZURESERVERNAME
I get an error:
Enter-PSSession : Connecting to remote server AZURESERVERNAME failed
with the following error message : A specified logon session does not
exist. It may already have been terminated. For more information, see
the about_Remote_Troubleshooting Help topic. At line:1 char:1
+ Enter-PSSession -ComputerName AZURESERVERNAME
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (AZURESERVERNAME:String) [Enter-PSSession],
PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
I've also tried setting all hosts as trused as follows:
cd wsman::localhost\client
Set-Item .\TrustedHosts *
Restart-Service WinRM
But that doesn't seemed to have helped either.
Is there anything else I need to do to get this working?
Thanks
OK, figured this out thanks to the awesome Secrets of Powershell Remoting ebook. Looks like you must add the machine directly to the TrustedHosts via IP address:
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value '11.22.33.44'
Then use that IP address and specify credentials in the Enter-PSSession:
Enter-PSSession -ComputerName 11.22.33.44 -Credential 11.22.33.44\username
You should then get a prompt for your password and voila! :)
I've successfully created a SharePoint farm in Azure using the scripts from Automated-Deployment-of-SharePoint-2013-with-Windows-Azure-PowerShell
On that page there are steps that configure PowerShell to work with Azure
Set-ExecutionPolicy ByPass
Enable-PSRemoting
Enable-WSManCredSSP -role client -delegatecomputer "*.cloudapp.net"
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsDomain"
Set-ItemProperty $regKey -Name WSMan -Value "WSMAN/*.cloudapp.net"
Get-AzureSubscription -ExtendedDetails
You may also need to do this
Run GPEdit.msc You must also enable delegating of fresh credentials
using group policy editor on your client machine. Computer
Configuration -> Administrative Templates -> System -> Credentials
Delegation and then change the state of "Allow Delegating Fresh
Credentials with NTLM-only server authentication" to "Enabled." Its
default state will say, "Not configured."
In the Add Servers sections add the following.
WSMAN/*.cloudapp.net
I can not remote into any machine to save my life! I have tried everything I can find. If anyone could troubleshoot or guide me, I'd appreciate it as this would be a great tool to add on my domain.
SETUP:
Client machine inside domain
Server machine inside or outside domain - Virtualized and utilized for WSUS Computername: wsustest
CLIENT SERVER MACHINE physical- computername: epizzi-pc
STEPS:
enable-pssremoting done! on all machines
trustedhosts configured with * or client machine added
Firewalls with public profile off just in case
Enter-PSSession -ComputerName wsustest -Credential wsustest\administrator
Enter-PSSession -ComputerName epizzi-pc -Credential epizzi-pc\administrador
Enter-PSSession : Connecting to remote server epizzi-pc failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090311
occurred while using Kerberos authentication: There are currently no logon servers available to service the logon request.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName epizzi-pc -Credential epizzi-pc\administrador
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (epizzi-pc:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
Enter-PSSession -ComputerName wsustest -UseSSL -Credential wsustest\administrator
*Enter-PSSession : Connecting to remote server wsustest failed with the following error message : WinRM cannot complete the operation. Verify that the specified computer name is
valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM
firewall exception for public profiles limits access to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName wsustest -UseSSL -Credential wsustest\administrato ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (wsustest:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed*
ERRORs:
I was receiving the same problem when remoting to a server and found this blog post very helpful - http://jeffgraves.me/2013/10/14/powershell-remoting/
For my specific case I did the following:
On the Local machine
winrm quickconfig (although this was already configured)
winrm s winrm/config/client '#{TrustedHosts="myservername.domain"}'
On the Remote machine
enable-psremoting -force
Set-PSSessionConfiguration -ShowSecurityDescriptorUI -Name Microsoft.PowerShell -Force
I got around this problem by using a fully qualified logon. Instead of "netbiosdomain\accountname", I used fqdn\accountname, as in Microsoft.com\myaccount in the get-credential prompt. May not work for everyone, but it's worth a shot.
This is how I do it. I use this on my scripts.
# This is only done once
Read-Host -AsSecureString | ConvertFrom-SecureString | Out-File
c:\Windows\temp\securepass.txt
# Setup credentials
$SecureString = Get-Content c:\Windows\temp\securepass.txt | ConvertTo-SecureString
$mycredentials = New-Object -TypeName System.Management.Automation.PSCredential
-ArgumentList "yourDomain\userID",$SecureString
# Open remote session:
$MyRSession = New-PSSession -ComputerName Computer1 -Credential $mycredentials
-Authentication default
# Use remote session:
Enter-PSSession $MyRSession
Get rid of -UseSSL. I enabled PSRemoting and had problems with using that. I guess I could look at it later but for now it doesn't matter.
If there is no trust between the client and server computers, you have to enable basic authentication on the server side. Do this by toggling the correct properties on the WSMAN: drive on the server. You'll obviously have to do this interactively on the console or via remote desktop, due to the chicken and egg problem :) Also, this may come into play too:
http://www.nivot.org/blog/post/2009/10/30/PowerShell20EnablingRemotingWithVirtualXPModeOnWindows7
I was getting that same error currently no logon servers available.
The issue was resolved by using instead of Domain\Username as credentials the user UPN or Username#Domain.
I have achieved a remote session with Enter-pssession command, had to follow these exact parameters
$creds = get-credential (the -credential parameter in enter-pssession does not work properly, thus u must previously enter the object at another variable)
Enter-pssession -computername wsustest -authentication Default -credentials $creds
i Also had to set both client and remote server in the trusted hosts wsman: space
another solution which surely wouldve worked but i havent tried, wouldve been setting https: which is harder to do.
thx to all, your comments certainly led to the solution!