Remote powershell attach agent failure

  • Question

  • Is anyone able to help with this?

     

    I have manually installed the DPM agent onto a machine and am now trying to attach it to the DPM server. I want to be able to do this remotely through powershell so eventually I can have the agents install and attach themselves automatically as part of an MDT build sequence.

    Running the powershell command on the DPM server itself works fine:

    attach-productionserver.ps1 DPMServer.domain.com LAPTOP.domain.com USERNAME PASSWORD DOMAIN

    However when I try to do it remotely it fails:

    enter-pssession DPMServer.domain.com

    add-pssnapin microsoft.dataprotectionmanager.powershell

    attach-productionserver.ps1 DPMServer.domain.com LAPTOP.domain.com USERNAME PASSWORD DOMAIN

    Fails with error: The server LAPTOP.domain.com could not be found in active directory.

    Any help greatly appreciated!

     


    MCITP Windows 7 Enterprise Administrator
    Tuesday, December 20, 2011 5:17 PM

Answers

  • Hi Reue,

    I got this resolved.

    When you connect to a remote PowerShell session, the normal authentication method doesn't allow you to connect from that session to a remote server. Not only can you not get domain information, but if you try to access a remote share you are going to get an error as well. In order for this to work we need to use CredSSP authentication.

    Snippet from the ref link below:

    "Caution: Credential Security Service Provider (CredSSP) authentication, in which the user's credentials are passed to a remote computer to be authenticated, is designed for commands that require authentication on more than one resource, such as accessing a remote network share. This mechanism increases the security risk of the remote operation. If the remote computer is compromised, the credentials that are passed to it can be used to control the network session."

    Ref: http://technet.microsoft.com/en-us/library/dd347668.aspx

    Note: You might need to run the command below on the DPM server in order to allow CredSSP authentication

    Enable-WSManCredSSP -role server
    

     


    Thanks, Wilson Souza - MSFT This posting is provided "AS IS" with no warranties, and confers no rights
    Thursday, December 29, 2011 6:34 AM
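
The CredSSP session the answer describes, written out end to end as an added example (not code posted in this thread or published by Microsoft). It assumes the placeholder host names from the question, that the credential is entered as DOMAIN\username, and that delegation is limited to the one DPM server and withdrawn afterwards, in line with the quoted caution.

```powershell
# Added example; host names are the placeholders used in the question.
$DpmServer = 'DPMServer.domain.com'
$Agent     = 'LAPTOP.domain.com'
$Cred      = Get-Credential   # enter as DOMAIN\username; prompted, not hard-coded

# One-time, on the DPM server (elevated), as noted in the answer:
#   Enable-WSManCredSSP -Role Server -Force

# On the machine that opens the session (elevated): allow delegation to this
# one server only, not a wildcard such as *.domain.com.
Enable-WSManCredSSP -Role Client -DelegateComputer $DpmServer -Force | Out-Null

$session = $null
try {
    $session = New-PSSession -ComputerName $DpmServer -Authentication Credssp -Credential $Cred

    Invoke-Command -Session $session -ArgumentList $DpmServer, $Agent, $Cred -ScriptBlock {
        param($DpmServer, $Agent, $Cred)

        # Same lookup as in the replies: without delegated credentials the
        # DomainControllers list comes back empty inside the session.
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
        $dcs = $null
        try { $dcs = @($domain.DomainControllers) } catch { }
        if (-not $dcs) {
            throw 'No domain controller visible from this session; CredSSP is not in effect.'
        }

        Add-PSSnapin Microsoft.DataProtectionManager.PowerShell

        # The script takes user name, password and domain as positional
        # arguments, in the order shown in the question.
        $net = $Cred.GetNetworkCredential()
        Attach-ProductionServer.ps1 $DpmServer $Agent $net.UserName $net.Password $net.Domain
    }
}
finally {
    if ($session) { Remove-PSSession $session }
    # Withdraw the client-side delegation once the attach is done.
    Disable-WSManCredSSP -Role Client
}
```

`Get-WSManCredSSP` on either machine shows the current delegation settings, which is a quick way to confirm that nothing was left enabled after the build step.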

All replies

  • Did you try connecting to the DPM server before running the attach command?

    After you run the add-pssnapin, run this command:

    connect-dpmserver (&hostname)
    
    

     


    Thanks, Wilson Souza - MSFT This posting is provided "AS IS" with no warranties, and confers no rights
    Thursday, December 22, 2011 12:56 AM
  • I tried that, however I am still having the same issue:

    Note: I am able to attach the laptop by using powershell from on the DPM server itself:

     


    MCITP Windows 7 Enterprise Administrator
    • Edited by DunkG Thursday, December 22, 2011 11:32 AM
    Thursday, December 22, 2011 11:27 AM
  • Ok... so the problem is that the new PSSession doesn't know about a domain controller and that's why we are getting that error.

    Here is the output of the domain controller when I ran this command on my remote server

    PS C:\> [System.DirectoryServices.ActiveDirectory.Domain]::getcurrentdomain()
    
    
    Forest                  : <DOMAIN>
    DomainControllers       : {<DOMAIN_CONTROLLER>.<DOMAIN>, }
    Children                : {}
    DomainMode              : Windows2008R2Domain
    Parent                  :
    PdcRoleOwner            : <DOMAIN_CONTROLLER>.<DOMAIN>
    RidRoleOwner            : <DOMAIN_CONTROLLER>.<DOMAIN>
    InfrastructureRoleOwner : <DOMAIN_CONTROLLER>.<DOMAIN>
    Name                    : <DOMAIN>
    

    Below is when I run the same command after entering a PSSession

    [<DPM_Server>]: PS C:\>  [System.DirectoryServices.ActiveDirectory.Domain]::getcurrentdomain()
    
    
    Forest                  : <DOMAIN>
    DomainControllers       :
    Children                :
    DomainMode              : Windows2008R2Domain
    Parent                  :
    PdcRoleOwner            :
    RidRoleOwner            :
    InfrastructureRoleOwner :
    Name                    : <DOMAIN>
    

    Note that DomainControllers entry is blank so when we run the attach command we don't know where to go to query AD.

    Let me check how to fix that....

     

     


    Thanks, Wilson Souza - MSFT This posting is provided "AS IS" with no warranties, and confers no rights
    Thursday, December 22, 2011 10:49 PM
  • Hi Wilson, Did you have any luck with this?
    MCITP Windows 7 Enterprise Administrator
    Wednesday, December 28, 2011 1:50 PM
  • Thanks, that worked perfectly!
    MCITP Windows 7 Enterprise Administrator
    Thursday, December 29, 2011 3:23 PM