Powershell AD cmdlets receive "Internal Error" after Upgrade to AD Server2012R2

    General discussion

  • Hi,

    We've recently moved and upgraded our AD from Server 2003 (with W2K3 functional level) to Server 2012R2 (and W2K12R2 functional level). The upgrade was completed successfully.

    However, a user has reported that, since the upgrade, when he runs get-adgroupmember groupname or get-ADPrincipalGroupMembership, Powershell throws the following error:

    get-adgroupmember : The server was unable to process the request due to an internal error.  For more information about
    the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the
    <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or
    turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.
    At line:1 char:1
    + get-adgroupmember -server kozel gr-admins
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (gr-admins:ADGroup) [Get-ADGroupMember], ADException
        + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

    I get the same error on my own domain user account, but if I elevate to my domain administrator account and run it from my desktop, the command runs successfully.

    I've googled around, but haven't found anything conclusive, other than restarting ADWS, which didn't work.

    Does anyone know what might be causing this?

    Many Thanks

    Mark

    Friday, June 20, 2014 1:09 PM

All replies

  • Can you turn on "IncludeExceptionDetailInFaults" as suggested so we can get the full exception

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Friday, June 20, 2014 1:28 PM
  • Hi,

    Checkout the below thread on similar issue,
    http://social.technet.microsoft.com/Forums/en-US/f8eb3d11-6a79-4c0b-a59a-8c90b65557cf/active-directory-powershell-internal-error?forum=winserverpowershell

    Regards,

    Gopi

    www.jijitechnologies.com

    Hi Gopi, I've read that thread. It is the one that mentions restarting ADWS which I mentioned in my original post didn't resolve the issue.
    Friday, June 20, 2014 1:54 PM
  • Can you turn on "IncludeExceptionDetailInFaults" as suggested so we can get the full exception

    I've tried this, but not having done it before, I struggled to find a guide that explains how to do this specifically for Active Directory Web Services? MSDN gives you an example below (I used the None section at the end of the article), where you are supposed to replace the sample text with your own values, but it isn't clear what they should be for ADWS.

    http://msdn.microsoft.com/en-us/library/system.servicemodel.servicebehaviorattribute.includeexceptiondetailinfaults(v=vs.110).aspx

    So I stopped the ADWS service, edited the Microsoft.ActiveDirectory.WebServices.exe.config file as I thought it should be, restarted the ADWS service, and ran my Powershell command again, but it still returns the generic error, so I may not have done it correctly.

    Shall I post my config here so someone more knowledgeable than me can check it?

    Friday, June 20, 2014 2:31 PM
  • Can you turn on "IncludeExceptionDetailInFaults" as suggested so we can get the full exception

    I've tried this, but not having done it before, I struggled to find a guide that explains how to do this specifically for Active Directory Web Services? MSDN gives you an example below (I used the None section at the end of the article), where you are supposed to replace the sample text with your own values, but it isn't clear what they should be for ADWS.

    http://msdn.microsoft.com/en-us/library/system.servicemodel.servicebehaviorattribute.includeexceptiondetailinfaults(v=vs.110).aspx

    So I stopped the ADWS service, edited the Microsoft.ActiveDirectory.WebServices.exe.config file as I thought it should be, restarted the ADWS service, and ran my Powershell command again, but it still returns the generic error, so I may not have done it correctly.

    Shall I post my config here so someone more knowledgeable than me can check it?

    See the following link: http://webactivedirectory.com/active-directory/diagnose-active-directory-management-gateway-service-admgs-errors/

    Add this to the <appSettings> section (straight quotes; the curly quotes a web page may show will not parse as XML):

    <add key="DebugLevel" value="Info" />
    <add key="DebugLogFile" value="c:\windows\debug\adws.log" />
    


    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Friday, June 20, 2014 2:59 PM
  • See the following link: http://webactivedirectory.com/active-directory/diagnose-active-directory-management-gateway-service-admgs-errors/

    Add this to the <appSettings> section:

    <add key="DebugLevel" value="Info" />
    <add key="DebugLogFile" value="c:\windows\debug\adws.log" />

    We also found this article and tried this!!

    On running the Powershell command using domain administrator privileges, the query appears in the log correctly.

    However, when we ran the Powershell command using domain user privileges, we see the internal error, but absolutely nothing is recorded in the debug log, which suggests the query is not getting that far. It's like ADWS is rejecting the domain user for some reason.

    We checked the security ACLs on the object(s) we are testing, and they have Authenticated Users read, so one would assume a domain user should be able to run this query; in fact they could before we upgraded from AD 2003 to AD 2012R2, so something has changed.

    We are a bit stumped as to what?



    • Edited by markey165 Friday, June 20, 2014 3:11 PM
    Friday, June 20, 2014 3:09 PM
    See the following link: http://webactivedirectory.com/active-directory/diagnose-active-directory-management-gateway-service-admgs-errors/

    Add this to the <appSettings> section:

    <add key="DebugLevel" value="Info" />
    <add key="DebugLogFile" value="c:\windows\debug\adws.log" />

    We also found this article and tried this!!

    On running the Powershell command using domain administrator privileges, the query appears in the log correctly.

    However, when we ran the Powershell command using domain user privileges, we see the internal error, but absolutely nothing is recorded in the debug log, which suggests the query is not getting that far. It's like ADWS is rejecting the domain user for some reason.

    We checked the security ACLs on the object(s) we are testing, and they have Authenticated Users read, so one would assume a domain user should be able to run this query; in fact they could before we upgraded from AD 2003 to AD 2012R2, so something has changed.

    We are a bit stumped as to what?


    1. Did you restart the ADWS service after you modified the config file?
    2. Does the group you're running the command against contain any foreignSecurityPrincipals?

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Friday, June 20, 2014 3:15 PM
    1. Did you restart the ADWS service after you modified the config file?
    2. Does the group you're running the command against contain any foreignSecurityPrincipals?

    Yes, I restarted ADWS after modifying the config file (see my post above, where I mentioned this ;) )

    Also, I've just checked my test group, and no, there are no foreignSecurityPrincipals.

    Could this be related to certificates do you think? We don't have a CA in our domain. We've seen a few warnings in the DC event logs, which suggest 2012R2 is looking for one, but they are just warnings, which I read were safe to ignore. I'm not sure if this would cause this Powershell error perhaps?

    Unfortunately, as the error is generic, we can't see what the actual error is!

    Friday, June 20, 2014 3:33 PM
  • ADWS doesn't need certificates, however it needs certificates for SSL (but that is optional) - Does the command work for another group? Try with one without members and one with just one member.

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Friday, June 20, 2014 3:35 PM
  • ADWS doesn't need certificates, however it needs certificates for SSL (but that is optional) - Does the command work for another group? Try with one without members and one with just one member.

    Hi Enfo,

    OK, so I tested with the built-in groups "Account Operators" (which has 1 member) and "Print Operators" (which is empty). Both groups have Authenticated Users 'Read' permissions.

    If I run it as my domain administrator account....it works for both groups

    If I run it as my domain user account......same error for both groups :(

    Any more ideas?

    Sunday, June 22, 2014 10:59 PM
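    As an added example (not code from the thread), this PowerShell script automates the comparison done above: for each group it runs the ADWS-backed cmdlet and then the same lookup over plain LDAP, which does not pass through ADWS. Running it once as the domain user and once as the domain admin shows whether the failure sits in AD object permissions (both paths fail) or in ADWS itself (only the cmdlet fails). The DC name kozel and the group names come from the thread; the LDAP comparison is my assumption about where to look, not something the thread confirmed.

```powershell
# Added diagnostic script (assumption: ActiveDirectory module installed, run on a
# domain-joined client). Run under each account and compare the two outputs.
param(
    [string]$Server = 'kozel',                                 # DC named in the thread
    [string[]]$Groups = @('gr-admins', 'Account Operators', 'Print Operators')
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Confirm ADWS is up on the target DC (a stopped service is a different failure).
$adws = Get-Service -ComputerName $Server -Name ADWS -ErrorAction SilentlyContinue
"ADWS on ${Server}: $($adws.Status)"

$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
foreach ($g in $Groups) {
    $row = [ordered]@{ User = $me; Group = $g }

    # 2. The ADWS path: the cmdlet that fails in the thread.
    try {
        $m = Get-ADGroupMember -Server $Server -Identity $g -ErrorAction Stop
        $row.ADWS = "OK ($(@($m).Count) members)"
    } catch {
        $first = $_.Exception.Message.Split("`n")[0]
        $row.ADWS = "FAIL: $($_.Exception.GetType().Name): $first"
    }

    # 3. The plain LDAP path (System.DirectoryServices), bypassing ADWS entirely.
    #    Success here while step 2 fails means the object ACLs are not the cause.
    try {
        $root   = [ADSI]"LDAP://$Server/RootDSE"
        $base   = [ADSI]"LDAP://$Server/$($root.defaultNamingContext)"
        $filter = "(&(objectClass=group)(sAMAccountName=$g))"
        $ds = New-Object DirectoryServices.DirectorySearcher -ArgumentList @(
                $base, $filter, [string[]]@('member'))
        $r = $ds.FindOne()
        if ($r) { $row.LDAP = "OK ($(@($r.Properties['member']).Count) members)" }
        else    { $row.LDAP = 'FAIL: group not found' }
    } catch {
        $row.LDAP = "FAIL: $($_.Exception.Message)"
    }
    [pscustomobject]$row
}
```

    Because the LDAP lookup reads the member attribute under the caller's own token, a FAIL in that column points at permissions, while an OK there with a FAIL in the ADWS column points at the ADWS service or the client-to-ADWS channel.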
  • Is the Active Directory Management Gateway Service (ADMGS) still present in the environment?


    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Monday, June 23, 2014 12:06 AM
  • Is the Active Directory Management Gateway Service (ADMGS) still present in the environment?

    ADMGS is the Server 2003 implementation of ADWS right? If so the answer here would be no. All DCs are now running 2012R2 and Domain and Forest functional levels are now 2012R2.

    It appears the issue is a result of having moved our AD from DCs running 2003 to DCs running 2012R2, as this wasn't an issue beforehand.

    Monday, June 23, 2014 11:24 AM
  • Yes, that's correct. Just wanted to rule it out as a potential issue. I'm actually out of ideas - very strange that the log file doesn't contain any info even with verbose logging.

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Monday, June 23, 2014 11:25 AM
  • Yes, that's correct. Just wanted to rule it out as a potential issue. I'm actually out of ideas - very strange that the log file doesn't contain any info even with verbose logging.

    Thanks for your help. Always good to sanity check what we've tried so far. We're out of ideas too. Any advice as to what route we can take to help resolve this?

    As to the logging, as mentioned above, we're pretty sure we've done it correctly, but there is no documentation on how to set this up for ADWS specifically. It's quite possible we've not configured the logging entirely correctly. Is it worth me posting the config file, if you're familiar with the syntax? Or should we escalate this elsewhere?

    • Edited by markey165 Monday, June 23, 2014 2:31 PM
    Monday, June 23, 2014 2:28 PM
  • Hi,

    I think you could post the issue to powershell forums:

    http://social.technet.microsoft.com/Forums/en-US/home?forum=winserverpowershell

    Regards.


    Vivian Wang

    Tuesday, June 24, 2014 9:43 AM
    Moderator
  • Hi,

    I think you could post the issue to powershell forums:

    http://social.technet.microsoft.com/Forums/en-US/home?forum=winserverpowershell

    Regards.


    Vivian Wang

    Hi Vivian, 

    Already ahead of you. I had already posted there, but the ideas are even less there than they are here. I think this is because the issue is more of an AD problem than a Powershell problem.

    Thursday, July 3, 2014 2:29 PM