AD module remoting problems

This topic contains 3 replies, has 2 voices, and was last updated by Oliver Adams 4 years ago.

  • #9396

    Oliver Adams
    Participant

    I have a Windows Server 2003 domain controller and a 2008 R2 DFS server. I am trying to run a script to update a computer's description in AD. So far I have

    # $Cred holds the account used for the remote session to Server01
    $Cred = Get-Credential
    $Session = New-PSSession -Computername Server01 -Credential $Cred
    Invoke-Command -Session $Session -Scriptblock {

    # Skip creating the AD: drive when the module loads
    $env:ADPS_LoadDefaultDrive = 0
    # Module name has no space: ActiveDirectory
    Import-Module ActiveDirectory
    Get-ADUser -Filter *

    }

    I get the message "Unable to connect to the server. This may be because the server does not exist, it is currently down or it does not have AD web services running." I have checked and the web service is running. Server01 is the DFS server which has the AD module installed. I have not managed to get the module installed on the Server 2003 DC. Do I need to connect to a domain controller to do this? I can run the commands on Server01 and get the perfect results. I thought if I can run them there, they should run remotely?

  • #9410

    Don Jones
    Keymaster

    You can't install the ActiveDirectory module on 2003. However, the module needs to talk to a Web service, which does not come with 2003. http://www.microsoft.com/en-us/download/details.aspx?id=2852 has to be installed on at least one DC in order for the AD cmdlets to function.

  • #9411

    Don Jones
    Keymaster

    I should also point out that what you're doing won't work by default even if 2003 has the gateway installed.

    You're remoting to Server01, which gets your credential. That credential can't go any further than Server01 by default ("one hop"). In other words, when it does connect to your DC ("second hop"), it will be connecting anonymously, which probably won't work in your domain. You have two choices for enabling the credential to be delegated further: CredSSP, which I don't believe is supported on 2003, and Kerberos delegation, which must be configured in the domain.

    Unfortunately, PowerShell works less well in environments with the really old OS versions. Especially when you get into Remoting, the shell relies heavily on newer tech.

    Instead of using the MS AD cmdlets, consider using the Quest AD cmdlets, or the [ADSI] type accelerator. In addition, you're going to have to run the commands either on YOUR machine or on the DC (via Invoke-Command, if it has PowerShell v2 installed and Remoting enabled) so that you don't engage the delegation problem.
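
    The [ADSI] route Don mentions, applied to the original poster's goal of updating a computer's description, as an added example that is not code from this thread. It is meant to run on your own machine or on the DC, so the credential never has to make a second hop, and it needs neither the ActiveDirectory module nor AD Web Services, so it works against a 2003 DC. The function name, its parameters and the example computer name are assumptions.

```powershell
function Set-ComputerDescriptionAdsi {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $Description,
        # Optional explicit DC; by default a serverless LDAP:// path lets the client locate one
        [string] $DomainController
    )

    # RootDSE tells us the domain naming context without hard-coding the DN
    $rootDse = if ($DomainController) { [ADSI]"LDAP://$DomainController/RootDSE" } else { [ADSI]"LDAP://RootDSE" }
    $defaultNc = [string]$rootDse.defaultNamingContext
    $searchRoot = if ($DomainController) { [ADSI]"LDAP://$DomainController/$defaultNc" } else { [ADSI]"LDAP://$defaultNc" }

    # Escape LDAP filter metacharacters (RFC 4515) so an odd name cannot change the query
    $escaped = $ComputerName -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'

    # Computer accounts have a trailing $ in sAMAccountName
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=${escaped}`$))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'description'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer account '$ComputerName' not found under $defaultNc" }

    $computer = $result.GetDirectoryEntry()
    $old = [string]$computer.description
    $dn  = [string]$computer.distinguishedName

    # -WhatIf shows the DN and the before/after values without writing anything
    if ($PSCmdlet.ShouldProcess($dn, "Set description '$old' -> '$Description'")) {
        $computer.Put('description', $Description)
        $computer.SetInfo()   # commit the change to the DC
    }

    # Re-read the attribute so the caller sees what the DC actually stored
    $computer.psbase.RefreshCache([string[]]@('description'))
    [string]$computer.description
}

# Constructed example; run with -WhatIf first to confirm the object it would change
# Set-ComputerDescriptionAdsi -ComputerName 'FILESRV01' -Description 'DFS namespace server' -WhatIf
```

    The account running the script must have write access to the description attribute on the target computer object; the function throws rather than silently doing nothing when the account is not found.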

  • #9594

    Oliver Adams
    Participant

    Just remembered I hadn't answered on this one. I have changed the script and it works great now thanks. I downloaded the Quest cmdlets and it works like a charm. Thanks again for such a fantastic detailed and fast reply.
