Recently I had a problem with some of my PowerShell functions that call Enable-CsComputer in that things didn’t get enabled as we expected them to. I’m not sure if it was a timing issue or a replication problem, but it showed up when a client tried to add a custom domain. My PowerShell scripts run on the Lync SQL Server, and since the network administrator could manually fix the problem by running Enable-CsComputer on the Front End server, he decided that my scripts needed to do the same thing.
So I set about figuring out how to remotely execute something on the FE. As it turns out there are a few ways of doing this, but I quickly ran into problems. First I tried using New-PSSession and Get-PSSession to open up a remote session on the FE, but that ran into some credential issues – it would pop up a login window. That approach wouldn’t work, as you can’t have login windows when the function is called from a web service like I need to do. It also had a problem in that when you import the Lync module for the remote session, not all of the Lync cmdlets are exposed. In fact it turned out to be a very small subset, and Enable-CsComputer wasn’t one of the cmdlets.
I was told that that was to be expected, as Enable-CsComputer isn’t supposed to be run remotely. It is a local command only. OK, what does that mean to me? It meant that I somehow had to find a way to run it as a local command on the FE. So it was back to the drawing board. I ended up solving my problem using Invoke-Command, though even that had a few hurdles that I had to get over. I still had the credentials issue, but that was easily fixed (or so I thought) as shown in the code below. I’ll get back to the credentials stuff in a moment, but first this is the code I ended up with.
# Remoting variables
$remoteUserName = "GotSpeechGuy\Administrator"
$remotePassword = "P@ssw0rd"
$remoteFE = "GotSpeechGuyFE01"
# Build a PSCredential so Invoke-Command does not prompt for a login
$pass = ConvertTo-SecureString $remotePassword -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($remoteUserName, $pass)
# Run the script locally on the FE, delegating the credential via CredSSP
Invoke-Command -ComputerName $remoteFE -Authentication CredSSP -Credential $cred -ScriptBlock { C:\hosting\EnableComputer.ps1 }
All the EnableComputer.ps1 did was load the Lync module then call Enable-CsComputer. Loading the Lync module is easily done like this:
Import-Module 'C:\Program Files\Common Files\Microsoft Lync Server 2010\Modules\Lync\Lync.psd1'
During testing I put a Get-CsSipDomain in the script and that worked fine, returning a list of the SIP domains. I thought “Cool, this is going to work”. But when I put the Enable-CsComputer in the script and tried to invoke it I got this error:
WARNING: Enable-CsComputer failed.
WARNING: Detailed results can be found at
"C:\Users\Administrator.UBERUSEE\AppData\Local\Temp\Enable-CsComputer-8d3bf7e0-9b09-4989-a656-334a9485543c.html".
Command execution failed: An error occurred when add "RTCUniversalServerAdmins" to "RTC Local Administrators".
    + CategoryInfo          : InvalidOperation: (:) [Enable-CsComputer], DeploymentException
    + FullyQualifiedErrorId : ProcessingFailed,Microsoft.Rtc.Management.Deployment.ActivateMachineCmdlet
Checking the .html error page showed me this:
Error: Active Directory error "-2147016672" occurred while searching for domain controllers in domain "GotSpeechGuy.com": "An operations error occurred. "
More research showed that when running the cmdlets remotely you only get the local admin context on the remote computer. A lot of the Lync cmdlets access AD or another computer and when that happens you get the dreaded 2-hop authentication problem.
Luckily for me Invoke-Command has an -Authentication parameter, which I set to CredSSP, but that left a few more steps to complete the process as I still needed to enable CredSSP on the servers. That was pretty straightforward, as all it took was to delegate the user’s credentials from the client to the server.
On the FE I ran these commands:
Enable-WsManCredSSP -Role Server
Enable-WsManCredSSP -DelegateComputer * -Role Client
Then on the SQL Server where the PowerShell scripts reside I ran this:
Enable-WsManCredSSP -Role Client -DelegateComputer *
After going through the steps to enable CredSSP everything started working as it should, and we haven’t encountered the problems with Enable-CsComputer since.
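With CredSSP the account’s full credential is handed to whichever host the client is allowed to delegate to, so the setup above can be narrowed: the sketch below delegates to the one Front End instead of `*` and loads the credential from a DPAPI-protected file rather than a plaintext string. This is an added example, not the author’s code; the FE’s FQDN, the credential file path and the function names are assumptions.

```powershell
# Added example; the FQDN, file path and function names are assumptions.
$remoteFE = 'GotSpeechGuyFE01.GotSpeechGuy.com'   # assumed FQDN built from the post's names
$credFile = 'C:\hosting\fe-admin.cred.xml'        # hypothetical path

# On the FE (elevated, once): for this flow it only has to accept credentials.
#   Enable-WSManCredSSP -Role Server -Force

# On the SQL Server (elevated, once): delegate to the FE only, never to '*'.
function Set-ScopedCredSSPClient {
    param([Parameter(Mandatory = $true)][string]$Target)
    # Clear existing client delegation entries, including any wsman/* entry.
    Disable-WSManCredSSP -Role Client
    Enable-WSManCredSSP -Role Client -DelegateComputer $Target -Force | Out-Null
    # Get-WSManCredSSP returns descriptive text that lists the delegation targets.
    $state = (Get-WSManCredSSP) -join ' '
    if ($state -match 'wsman/\*') { throw "Wildcard delegation still configured: $state" }
    if ($state -notmatch ([regex]::Escape("wsman/$Target"))) {
        throw "Delegation to $Target is not configured: $state"
    }
    $state
}

# Once, interactively, logged on as the account the web service runs under.
# Export-Clixml encrypts the password with DPAPI, so only that user on that
# machine can read it back and no password is stored in the script itself.
function Save-RemoteCredential {
    param([Parameter(Mandatory = $true)][string]$Path)
    Get-Credential | Export-Clixml -Path $Path
}

# Called by the script or web service each time the FE has to be enabled.
function Invoke-EnableComputerOnFE {
    param([string]$ComputerName, [string]$CredentialPath)
    $cred = Import-Clixml -Path $CredentialPath
    # The name used here must match the name given to -DelegateComputer.
    Invoke-Command -ComputerName $ComputerName -Authentication CredSSP `
        -Credential $cred -ErrorAction Stop `
        -ScriptBlock { C:\hosting\EnableComputer.ps1 }
}

# One-time setup, then the routine call:
#   Set-ScopedCredSSPClient -Target $remoteFE
#   Save-RemoteCredential -Path $credFile
Invoke-EnableComputerOnFE -ComputerName $remoteFE -CredentialPath $credFile
```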
I would like to publicly thank the guys at Microsoft and my fellow Lync MVPs who helped me sort all this out. It was a long, difficult process bringing all of the pieces together, but with their help I got it working.
If you have any questions please feel free to ping me.
Good work. There’s a little write error in the last line: Enable-WsManCredSSP –Role Client –DelgateComputer *
I think you meant DelegateComputer not DelgateComputer.
Good catch Mac. Thanks. I have corrected the spelling.
I’m building a WebService to expose some functionality (provisioning Lync and Exchange) in a Hosted datacenter. So I’m connecting remotely from a machine inside the same domain to LYNCFE.
Either via PowerShell (New-PsSession > Enter-PsSession > Import-Module Lync > Get-CsAdUser) or via my application (PowerShell Automation in .NET) I receive this error:
Error: Active Directory error "-2147016672" occurred while searching for domain controllers in domain "GotSpeechGuy.com": "An operations error occurred.
I’ve noticed that this is the same error you were receiving, so I’ve done all the steps you’ve described, and others (enabling PS remoting, and configuring WinRM).
By the way, when I try to Import-Module ActiveDirectory it shows a yellow warning (but only from the remote machine – same domain – because on the Lync FE, I mean locally, it’s fine).
Do you have any idea where it can be wrong?
First check the rights that you are running under.
Also I don’t recommend the remote session as it only exposes a limited subset of the Lync cmdlets.
Try running your web service on one of the Lync boxes. I run mine on the SQL server.
Hi,
I am creating a script in ASP.NET C# to invoke cmdlets from Lync Server.
I just want to list a user: Get-CsUSer, and when I run the script I receive the following error code:
Active Directory error "-2147016672" occurred while searching for domain controllers in domain .
I run my script from my local developer machine (it is remote) against the server. The script is:
Runspace remoteRunspace = null;
openRunspace("servidor:5985/wsman", "http://schemas.microsoft.com/powershell/Microsoft.PowerShell",
    @"\user", "senha", ref remoteRunspace);
using (PowerShell powershell = PowerShell.Create())
{
    powershell.Runspace = remoteRunspace;
    powershell.AddScript("Import-Module Lync"); // works
    powershell.Invoke();
    Pipeline pipeline = remoteRunspace.CreatePipeline();
    string remoteScript = "Get-CsUser -Identity mmiranda";
    pipeline.Commands.AddScript(remoteScript);
    Collection<PSObject> results = pipeline.Invoke();
    remoteRunspace.Close();
    return results;
}
public static void openRunspace(string uri, string schema, string username, string livePass, ref Runspace remoteRunspace)
{
    // Copy the password into a SecureString for PSCredential
    System.Security.SecureString password = new System.Security.SecureString();
    foreach (char c in livePass.ToCharArray())
    {
        password.AppendChar(c);
    }
    PSCredential psc = new PSCredential(username, password);
    WSManConnectionInfo rri = new WSManConnectionInfo(new Uri(uri), schema, psc);
    //rri.AuthenticationMechanism = AuthenticationMechanism.Default;
    //rri.AuthenticationMechanism = AuthenticationMechanism.Kerberos;
    //rri.AuthenticationMechanism = AuthenticationMechanism.Basic;
    //rri.NoEncryption = true;
    rri.ProxyAuthentication = AuthenticationMechanism.Negotiate;
    remoteRunspace = RunspaceFactory.CreateRunspace(rri);
    remoteRunspace.Open();
}
I don’t know what to do anymore.
Help me.
My e-mail gersonczjr@hotmail.com
I did all you said after the “Error: Active Directory error "-2147016672" occurred while searching for domain controllers in domain” and it does not work.
thx
How are you logging in to the remote server? Possibly a rights issue. Have you tried remoting into the server via RDP? If you do that, can you run the script from the console?
FYI – this is how I call PowerShell from C#. But I have it running on the Lync SQL server and I don’t run the PowerShell remotely – it runs on the server.
Hi Marshall, I can log in with mstsc as the user specified in openRunspace()
The error starts at the line: Pipeline pipeline = remoteRunspace.CreatePipeline();
string remoteScript = "Get-CsUser -Identity mmiranda";
pipeline.Commands.AddScript(remoteScript);
Collection<PSObject> results = pipeline.Invoke(); (error)
Assume that I execute the script on my local machine with Visual Studio 2010 and am trying to access the Lync Server PowerShell.
Thanks
Hi, I forgot to include the result of the command: Enable-WsManCredSSP -Role Client -DelegateComputer *
cfg : http://schemas.microsoft.com/wbem/wsman/1/config/client/auth
lang : en-US
Basic : true
Digest : true
Kerberos : true
Negotiate : true
Certificate : true
CredSSP : true
Dear,
Thanks for all those explanations; however, I have trouble enabling this on my laptop: when I type:
enable-wsmancredssp -role client -delegatecomputer *
on my Win7Pro laptop, it returns an error message… It says it cannot connect to the specified destination.
Any idea ?
For information, the script I want to run from my laptop is to enable/disable Lync users.
Thanks in advance.
Sounds like you got it working?
Hi Marshall, I want to run Install-CsAdServerSchema from another server remotely. What would be the best way? I tried your way but it tells me access denied. When I tried invoke with the computer name and it asked me for the password, it worked. I think there is an issue with the password part.
I haven’t tried or encountered that. Have you looked at this – http://technet.microsoft.com/en-us/library/gg398681(v=ocs.14).aspx