Unable to run SetDpmServer on remote machine using powershell

  • Question

  • If I call SetDPMServer on a computer that I want to protect, it works successfully. (I run the command by logging directly into that computer).

    If I try and run the same command using PowerShell and Invoke-Command, I get an error (script below):

     

    Configuring dpm server settings and firewall settings for dpm server =[xxxxxxx]
    SetDpmServer failed with errorcode =0x80070005, error says: Access is denied.

    where xxxxx is the name of the DPM server

    Here is the powershell script I am attempting to use

     

     

    $dpmServerName = "dpmServerX"

    Invoke-Command -ComputerName serverToProtectY `
                   -ArgumentList $dpmServerName `
                   -ScriptBlock {
                       param($serverName)
                       $cmd = "C:\Program Files\Microsoft Data Protection Manager\DPM\bin\SetDpmServer.exe"
                       & $cmd -dpmServerName $serverName
                   }
    


    I am not sure what's going on here.

    Additional note: I am unable to run the command even using PSExec

     


    http://blog.aggregatedIntelligence.com/
    Wednesday, January 25, 2012 6:08 PM

Answers

  • Hi,

    From the computer where you are running the PowerShell script (Computer A), Get-WSManCredSSP should return this:

    The machine is configured to allow delegating fresh credentials to the following target(s): wsman/*
    This computer is not configured to receive credentials from a remote client computer.

    For the setting to be shown like that, you need to run Enable-WSManCredSSP -role client -DelegateComputer *

    From the destination computer (Computer B) where setdpmserver.exe will be executed, Get-WSManCredSSP should return this:

    The machine is not configured to allow delegating fresh credentials.
    This computer is configured to receive credentials from a remote client computer.

    For the setting to be shown like that, you need to run Enable-WSManCredSSP -role server


    Thanks, Wilson Souza - MSFT This posting is provided "AS IS" with no warranties, and confers no rights

    Wednesday, March 7, 2012 9:31 PM
    Moderator
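
The two roles from the answer above applied end to end, as an added example (not code from the thread). It delegates only to Computer B rather than to `*`, because with CredSSP the caller's credentials are handed to the target host, and it turns both roles off again once the command has run. The `.example.com` host name is a placeholder, and the script assumes the current account is an administrator on Computer B.

```powershell
# Added example, not from the thread. Names below are placeholders (assumptions).
$computerB     = 'serverToProtectY.example.com'  # host where SetDpmServer.exe runs
$dpmServerName = 'dpmServerX'                    # DPM server reached from Computer B
$cred          = Get-Credential                  # account to delegate to Computer B

# Computer A (this machine): client role, delegation limited to Computer B.
# The name used here must be the same name later passed to -ComputerName.
Enable-WSManCredSSP -Role Client -DelegateComputer $computerB -Force | Out-Null

# Computer B: server role, enabled over the default (Kerberos) remoting session.
Invoke-Command -ComputerName $computerB -ScriptBlock {
    Enable-WSManCredSSP -Role Server -Force | Out-Null
}

try {
    # Second hop: CredSSP lets SetDpmServer.exe on Computer B authenticate onward.
    Invoke-Command -ComputerName $computerB `
                   -Authentication Credssp `
                   -Credential $cred `
                   -ArgumentList $dpmServerName `
                   -ScriptBlock {
                       param($serverName)
                       $cmd = 'C:\Program Files\Microsoft Data Protection Manager\DPM\bin\SetDpmServer.exe'
                       & $cmd -dpmServerName $serverName
                       # Hand the exit code back to the caller on Computer A.
                       [pscustomobject]@{ Computer = $env:COMPUTERNAME; ExitCode = $LASTEXITCODE }
                   }
}
finally {
    # Remove the delegation again, on both ends, whether or not the call succeeded.
    Invoke-Command -ComputerName $computerB -ScriptBlock { Disable-WSManCredSSP -Role Server }
    Disable-WSManCredSSP -Role Client
}
```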

All replies

  • Hi,

     

    Try to start PowerShell using run as admin, then execute your script, OR you could schedule a job to run the PowerShell script and use an account with admin privileges.

     

    Regards,


    Best Regards, Oussema FEKIH If my reply has helped you or made a resolution, thank you to vote it as helpful or mark it as answer.
    Tuesday, January 31, 2012 8:57 AM
  • Hi there.

    This is what is going on....

    You run the invoke-command from computerA to computerB.

    On computerB you run the setdpmserver.exe command which will cause a remote connection to computerC (in this case, computerC is the DPM Server).

    ComputerB doesn't know how to pass on (or passthrough) the credentials you are using on computerA to computerC.

    To resolve this behavior you need to enable CredSSP for multi-hop authentication.

    This is what you should do...

    From ComputerA you need to enable CredSSP client authentication. For that you run this command

    Enable-WSManCredSSP -role client -DelegateComputer *
    

    On ComputerB you will need to enable CredSSP so it can pass the credentials from computerA to computerC. For that you run the command above on computerB as well.

    Now you need to tell the Invoke-Command that you want to use passthrough credentials, and for that your Invoke-Command will be something like this:

    $dpmServerName = "dpmServerX"

    Invoke-Command -ComputerName <computer_name> `
                   -ArgumentList $dpmServerName `
                   -Authentication Credssp `
                   -Credential <domain\username> `
                   -ScriptBlock {
                       param($serverName)
                       $cmd = "C:\Program Files\Microsoft Data Protection Manager\DPM\bin\SetDpmServer.exe"
                       & $cmd -dpmServerName $serverName
                   }
    
    

     

     


    Thanks, Wilson Souza - MSFT This posting is provided "AS IS" with no warranties, and confers no rights

    Friday, February 3, 2012 10:17 AM
    Moderator
  • Hi Wilson,

    Ran the Enable command on both the machines (the one from where I am executing the script and the one where the script is remotely executed to set the dpm server). I then ran the updated invoke-command with the credentials, etc.

    It failed with the following error:

    [remoteServerName] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. The authentication mechanism requested by the client is not supported by the server or unencrypted traffic is disabled in the service configuration. Verify the unencrypted traffic setting in the service configuration or specify one of the authentication mechanisms supported by the server.  To use Kerberos, specify the computer name as the remote destination. Also verify that the client computer and the destination computer are joined to a domain. To use Basic, specify the computer name as the remote destination, specify Basic authentication and provide user name and password. Possible authentication mechanisms reported by server:     Negotiate Kerberos For more information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OpenError: (:) [], PSRemotingTransportException
        + FullyQualifiedErrorId : PSSessionStateBroken


    http://blog.aggregatedIntelligence.com/

    Saturday, February 25, 2012 5:43 PM
  • Looking at the log file on the client machine here is the error message I see:

    Where [DPMServer] is the name of the DPM Server

    12B4 1880 02/25 18:26:55.169 10 setdpmserver.cpp(620) NORMAL Configuring production server for DPM server =[DPMServer]
    12B4 1880 02/25 18:26:55.169 10 setdpmserver.cpp(686) NORMAL Finding domain\machine format for DPMserver =[DPMServer]
    12B4 1880 02/25 18:26:55.185 03 machinename.cpp(472) WARNING Failed: Hr: = [0x80070005] : F: lVal : (UINT)DsRoleGetPrimaryDomainInformation(ssFqdn.PeekStr(), DsRolePrimaryDomainInfoBasic, (LPBYTE *)(&domainInfo))
    12B4 1880 02/25 18:26:55.185 03 machinename.cpp(480) WARNING Failed: Hr: = [0x80070005] GetMachineNameInDomainFormat returned
    12B4 1880 02/25 18:26:55.185 10 setdpmserver.cpp(687) WARNING Failed: Hr: = [0x80070005] : F: lVal : CMachineName::GetMachineNameInDomainFormat(dpmserverNameInFqdn, dpmserverNameInDomainFormat)
    12B4 1880 02/25 18:26:55.185 10 setdpmserver.cpp(822) WARNING Failed: Hr: = [0x80070005] SetDpmServer failed, error says: [Access is denied.
    12B4 1880 02/25 18:26:55.185 10 setdpmserver.cpp(822) WARNING ]


    http://blog.aggregatedIntelligence.com/


    Saturday, February 25, 2012 6:32 PM
  • Can you share the output from the following command? (run on both DPM server and on the remote server)

    Get-WSManCredSSP


    Thanks, Wilson Souza - MSFT This posting is provided "AS IS" with no warranties, and confers no rights

    Tuesday, March 6, 2012 2:54 AM
    Moderator
  • Wilson,

    I get the following output from 3 of the following computers: (the computer where I am unable to successfully run SetDPMServer remotely has a slightly different output)

    The computers are:

    1. the DPM Server

    The machine is not configured to allow delegating fresh credentials.
    This computer is not configured to receive credentials from a remote client computer.

    2. the client where I am able to run SetDPMServer remotely and successfully set the DPM server and

    The machine is not configured to allow delegating fresh credentials.
    This computer is not configured to receive credentials from a remote client computer.

    3. the client where I am unable to successfully run SetDpmServer remotely.

    The machine is configured to allow delegating fresh credentials to the following target(s): wsman/*
    This computer is not configured to receive credentials from a remote client computer.



    http://blog.aggregatedIntelligence.com/



    Tuesday, March 6, 2012 3:04 PM
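
A check for the state the accepted answer describes, as an added example (not code from the thread): it reads the text that Get-WSManCredSSP prints and reports which roles are enabled and whether delegation is a wildcard. The function name `Test-CredSSPRole` is hypothetical, the matching assumes English output with comma-separated targets, and the sample input is the output posted above for the machine where the remote run fails.

```powershell
# Added example, not from the thread. Test-CredSSPRole is a hypothetical helper.
function Test-CredSSPRole {
    param(
        [Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$ExpectedRole,
        [Parameter(Mandatory)][string[]]$Status      # lines printed by Get-WSManCredSSP
    )
    $text = $Status -join "`n"

    # Client role: the delegation sentence ends with the list of allowed targets.
    $m = [regex]::Match($text,
        'allow delegating fresh credentials to the following target\(s\):\s*(.+)')
    $isClient = $m.Success
    $targets  = @()
    if ($isClient) { $targets = @($m.Groups[1].Value.Trim() -split '\s*,\s*') }

    # Server role: "is configured to receive" (the disabled form reads "is not configured").
    $isServer = $text -match 'This computer is configured to receive credentials'

    $asExpected = if ($ExpectedRole -eq 'Client') { $isClient } else { $isServer }

    [pscustomobject]@{
        ClientRole         = $isClient
        ServerRole         = $isServer
        Targets            = $targets
        WildcardDelegation = [bool]($targets | Where-Object { $_ -like '*/`*' })
        AsExpected         = $asExpected
    }
}

# Sample input: the two lines posted in the thread for the failing machine,
# which is the destination (Computer B) and therefore needs the server role.
$postedForComputerB = @(
    'The machine is configured to allow delegating fresh credentials to the following target(s): wsman/*',
    'This computer is not configured to receive credentials from a remote client computer.'
)
Test-CredSSPRole -ExpectedRole Server -Status $postedForComputerB

# Against live machines (serverToProtectY is the name used in the question):
#   Test-CredSSPRole -ExpectedRole Client -Status (Get-WSManCredSSP)
#   Test-CredSSPRole -ExpectedRole Server -Status (
#       Invoke-Command -ComputerName serverToProtectY -ScriptBlock { Get-WSManCredSSP })
```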