How can I write a PowerShell script that opens and runs cmdlets on a 64-bit remote PowerShell executable?
I am having a tough time finding any resources, examples or tutorials that show how to write a PowerShell script that connects to a remote server, opens up the 64-bit Powershell.exe and runs cmdlets from it. I will be running this script from a 32-bit machine. Does anyone have any examples or ideas?
Update:
I have found that I can, on the remote machine, first execute a trusted host command and enable remote PS:
Enable-PSRemoting
cd wsman:
cd localhost\client
set-item trustedhosts *
After doing this, my attempt to connect to my server
Enter-PSSession servername
gives this error
The following error occured while using Kerberos authentication: The network path was not found.
If a 64-bit machine has PowerShell remoting configured, the default PowerShell endpoint will be 64-bit. There is also an x86 endpoint registered, but that is not the default.
In regards to the updated question, what type of environment are you in? Workgroup or domain?
If you are in a domain, things are a bit simpler. If both sides have enabled PowerShell remoting (via Enable-PSRemoting), you should be able to Enter-PSSession servername as you attempted. Do you have administrative rights on the remote machine?
Since Kerberos was failing you can specify other authentication types using the -Authentication parameter. Valid options are NTLM, CredSSP, and Kerberos. The default is Negotiate, which might use Kerberos or NTLM.
You can specify specific credentials with the -Credential parameter.
In regards to the Kerberos error, you might want to check if the host has the proper SPNs registered.
Don Jones and Tobias Weltner authored a great guide to PowerShell Remoting (found here). It walks through a number of the configuration scenarios for PowerShell Remoting.
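An added example, not part of the original answer: checking which endpoint a session actually lands in. It assumes a reachable host called `servername` (a placeholder) with remoting enabled; `Microsoft.PowerShell` and `Microsoft.PowerShell32` are the session configurations registered by default on 64-bit Windows.

```powershell
# Added example; 'servername' is a placeholder for the remote host.
$computer = 'servername'
$cred     = Get-Credential   # account with rights on the remote machine

# Confirm the WinRM listener answers before attempting a session.
Test-WSMan -ComputerName $computer -ErrorAction Stop | Out-Null

# In a domain, list the SPNs registered for the computer account:
#   setspn -L $computer

# Runs remotely: pointer size gives the bitness of the hosting process.
$check = {
    New-Object PSObject -Property @{
        ProcessBits = [IntPtr]::Size * 8
        PSHome      = $PSHOME
    }
}

foreach ($endpoint in 'Microsoft.PowerShell', 'Microsoft.PowerShell32') {
    $params = @{
        ComputerName      = $computer
        Credential        = $cred
        ConfigurationName = $endpoint
        ScriptBlock       = $check
        ErrorAction       = 'Stop'
    }
    try {
        Invoke-Command @params |
            Select-Object @{ n = 'Endpoint'; e = { $endpoint } }, ProcessBits, PSHome
    }
    catch {
        # The 32-bit endpoint does not exist on a 32-bit OS, for example.
        Write-Warning "$endpoint on ${computer}: $($_.Exception.Message)"
    }
}
```

The bitness of the client does not matter here: the script block runs in the remote host process, so a 32-bit workstation still gets a 64-bit session from the default endpoint.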
Related
Scenario: Windows service with Powershell host embedded into it. Single runspace is allocated at startup. Multi-dll solution.
Requirement: Need to access .NET classes inside running service. From a local Powershell instance using
Enter-PSHostProcess -Name MyService
...gives me exactly what I want since I can access the .NET classes.
[MyNameSpace.MyClass]::CallStaticFunction()
Question: How can this Powershell behavior be made available to remote endpoints using Enter-PSSession to a custom endpoint? From the Register-PSSessionConfiguration we can specify a dll but this will spawn up a process and won't connect to a running instance. Not interested in writing proxy via HTTPS, or named pipes, but using the native functionality offered in Powershell for .NET support.
Is it possible to extend this via PSSessions? Or would we just have to first do Enter-PSSession or Invoke-Command?
Reviewing the sources, it appears that Enter-PSHostProcess and Enter-PSSession are very independent mechanisms. Enter-PSHostProcess communicates via named pipes, while Enter-PSSession uses WinRM (which effectively uses http(s) over ports 5985/5986). I don't think you need either Enter-PSSession or Invoke-Command if you want interactive access to a local service process through Enter-PSHostProcess.
You may have already done this, but to try this out I started up both Powershell.exe and Powershell_ise.exe, then from the former used this command to connect to the latter:
get-process Powershell_ise | Enter-PSHostProcess
and the prompt changed to include the PID of the ISE. Just to be sure static methods worked as you are expecting, I killed the ISE from the Powershell.exe command line using the command:
[System.Environment]::exit(0)
Powershell creates the named pipe this connects to using the default security descriptor for the thread, which typically allows access only to LocalSystem, Administrators, and the account the process is running under. My test worked because both processes were running under the same account (I didn't need administrator priv.)
To be clear however, Enter-PSHostProcess makes no provision for connecting to processes on another machine. It might be possible to double-hop, connecting to the machine first using Enter-PSSession, then connecting to the process using Enter-PSHostProcess.
Salam everybody
I need help to learn how to install, configure and manage DNS using only PowerShell on Windows 2008.
This should get you started.
Installing DNS Server Role via Powershell
Open an elevated Powershell window and enter the following commands.
Import-Module Servermanager
Add-WindowsFeature 'DNS' -restart
For a more general guide about installing server roles via powershell, take a look at this page: Adding Server Roles and Features
On that page, just CTRL+F for Powershell.
Configuring DNS Server Role via Powershell
Since configuration is a very general topic, here's the link to the documentation:
Domain Name System (DNS) Server Cmdlets
You can list all the available commands with Get-Command -Module DnsServer
I am trying to run a powershell invoke-command on a vmware image I have:
invoke-command -computer [vmware host] -scriptBlock { commands }
This does not work because my client where I run the command is on a domain and the vm image is in a workgroup (mixed domains)
After some research, I have added the vmware host to trusted hosts (Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value [vmware host]) and if I supply credentials (administrator/password) the command works.
My question is: Is there a way to make it work without explicitly supplying the credentials, e.g. either opening up the vmware host to all kinds of access or then somehow saving the credentials permanently on my client computer so that I don't need to supply them in a call using the "invoke-command -credential argument"? I don't have the flexibility of adding the "-credential" argument as this code is maintained by another team.
I know I could add trust between the domains (to use kerberos) but that option is not available to me.
This is about all you can do. Use PSDefaultParameters.
http://technet.microsoft.com/en-us/library/hh847819.aspx
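# $cred must hold a PSCredential before the defaults are set
$cred = Get-Credential
# Hashtable literal: keys are "Cmdlet:Parameter"
$PSDefaultParameterValues = @{
"Enter-PSSession:Credential" = $cred
"Invoke-Command:Credential" = $cred
}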
This is possible using certificate-based authentication. You would authenticate with a client certificate that gets mapped to an account.
I admit I have not gotten around to it. I'd love to do this, but we only have about 9 Windows servers in the DMZ and it's just not worth the effort for me right now.
These links look promising:
How to use WSMan config provider for certificate authentication
WinRM with non-domain joined machine using Certs
If you do manage to get this working, I would very much like to hear about your experience.
I've recently upgraded a number of servers from 2003 to 2008R2. Since the upgrade I've started to see the following error:
[servername] Connecting to remote server failed with the following error message : The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered. For more information, see the about_Remote_Troubleshooting Help topic.
The error is seemingly random. The script will work and then fail. The command to create the session is in a loop (create session, remove session) and is called numerous times as part of a set of deployment scripts. When the script fails, it fails at different points.
I've checked the event log on the local workstation (win7) and the destination server (win2008R2) but there are no errors that I can see.
This is the line that randomly fails:
$session = New-PSSession -ComputerName $serverName -Credential $credential
I did not see this issue on Win2003. The scripts have not changed. I'm assuming the problem is on the destination server but cannot find any errors or logs to look at. It will work once and then fail so my deployment scripts will sometimes succeed and then fail at different points.
Any guidance on tracking down this problem would be much appreciated.
You can get this error when trying to connect to localhost with an account that's not an administrator.
It used to be possible to use accounts that weren't an administrator, but a Windows Update in January 2019 disabled the functionality for security reasons. From the patch notes:
By default, PowerShell remoting only works with administrator accounts, but can be configured to work with non-administrator accounts. Starting with this release, you cannot configure PowerShell remote endpoints to work with non-administrator accounts. When attempting to use a non-administrator account, the following error will appear: “New-PSSession: [computerName] Connecting to remote server localhost failed with the following error message: The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered. For more information, see the about_Remote_Troubleshooting Help topic.”
You need to be setting the WSMan TrustedHosts. If you want, you can set it to everything using wildcards (*).
You can do it via PowerShell: Set-Item WSMan:\localhost\Client\TrustedHosts -Value *.
Keep in mind that you also need to enable the Windows Remote service. Use the native winrm qc command for this. Enable-PSRemoting -Force might do it as well.
You can also use the PSExec Tools from Sysinternals. Keep in mind that these tools will likely be blocked by your EndPoint Security, so don't forget to white list it.
Is there a specific reason you migrate your old OSes to a newer, but still EOL OS? You can do a lot via PowerShell in 2008R2, but it's still pretty limited. IMO, Using PowerShell is best starting from 2012R2 and onwards.
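An added example, not from the thread: auditing TrustedHosts and scoping it to named machines instead of the wildcard. TrustedHosts is a client-side list of remote hosts the connecting machine will authenticate to without Kerberos or an HTTPS certificate proving the host's identity; the host names and address below are placeholders.

```powershell
# Added example; run in an elevated session on the CLIENT (the machine
# that initiates the connection). Host names are placeholders.
$path    = 'WSMan:\localhost\Client\TrustedHosts'
$current = (Get-Item $path).Value

if ($current -eq '*') {
    Write-Warning ('TrustedHosts is "*": this client will authenticate to ' +
                   'any host name it is given without verifying its identity.')
}

# Weak setting shown in the thread (every host is trusted):
#   Set-Item $path -Value *

# Scoped setting: list only the machines that actually need it.
Set-Item $path -Value 'deploy01,10.0.0.15' -Force

# Append a host later without overwriting the existing list.
Set-Item $path -Value 'deploy02' -Concatenate -Force

# Verify the result, one entry per line.
(Get-Item $path).Value -split ','
```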
Are you hitting the number of processes limit by creating pssessions that are crashing and leaving processes open?
Default limit is 15. I'd agree with the above comment and not use sessions, instead use invoke-command like:
invoke-command -scriptblock $scriptBlock -ArgumentList $args -computername $compName -Credential $encodedRemoteCredentials
To check your limit:
PS C:\aws> ls WSMan:\localhost\Shell
WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Shell
Name Value
---- ----
MaxProcessesPerShell 15
As a quick and dirty test - next time your pssession version of your script fails, increase the maxProcessesPerShell limit using set-item cmdlet to 50 and retry. If the script no longer fails, you know that's the issue (and should consider moving to invoke-command!).
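An added example, not part of the original answer: reading the remote shell quotas from the client and making sure every session is removed even when a step fails. The server names and the work inside the session are placeholders; `wsmprovhost` is the process that hosts a remoting session on the target.

```powershell
# Added example; $servers and the work inside the session are placeholders.
$servers    = 'server01', 'server02'
$credential = Get-Credential

foreach ($serverName in $servers) {
    $session = $null
    try {
        # Read the remote quotas through the WSMan: drive from the client side.
        Connect-WSMan -ComputerName $serverName -Credential $credential
        Get-ChildItem "WSMan:\$serverName\Shell" |
            Where-Object { $_.Name -like 'Max*' } |
            Select-Object Name, Value

        $session = New-PSSession -ComputerName $serverName `
                                 -Credential $credential -ErrorAction Stop

        # Host processes currently alive on the target; a count that keeps
        # growing between runs points at sessions that were never removed.
        $hosts = Invoke-Command -Session $session -ScriptBlock {
            @(Get-Process -Name wsmprovhost -ErrorAction SilentlyContinue).Count
        }
        Write-Output "${serverName}: $hosts wsmprovhost process(es)"

        # ... deployment steps using $session go here ...
    }
    catch {
        Write-Warning "${serverName}: $($_.Exception.Message)"
    }
    finally {
        # Always release the session and the WSMan connection.
        if ($session) { Remove-PSSession -Session $session }
        Disconnect-WSMan -ComputerName $serverName -ErrorAction SilentlyContinue
    }
}
```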
I'm having an amazing amount of trouble starting and stopping a service on my remote server from my msbuild script.
SC.EXE and the ServiceController MSBuild task don't provide switches to allow a username/password so they won't authenticate, so I'm using RemoteService.exe from www.intelliadmin.com
-Authenticating with \xx.xx.xx.xxx
-Authentication complete
-Stopping service
-Error: Access Denied
The user account details I'm specifying are for a local admin on the server, so what's up?! I'm tearing my hair out!
Update:
OK, here's a bit more background. I have an XP machine in the office running the CI server. The build script connects a VPN to the datacentre, where I have a Server 2008 machine. Neither of them are on a domain.
Often, you can connect to the IPC$ "pseudo-share" on the machine to help establish the credentials before running commands like SC.EXE. Use a command like:
C:\> net use \\xx.xx.xx.xx\ipc$ * /user:username
The * tells it to prompt you for the password.
I've disabled UAC and now it seems to work.
If I understand your scenario correctly, it could help running the script with a domain account which is administrator on your remote machine (or better: has the right to start and stop the service).
Quick followup question - can you use the "runas" command from an MSBuild script? If so, wouldn't you be able to simply impersonate another user with runas /user:dsfsdf /password:dfdf sc.exe ... (or similar - I haven't researched the command-line options)?