Remote PowerShell and Lync

Recently I had a problem with some of my PowerShell functions that call Enable-CsComputer in that things didn’t get enabled as we expected them to. I’m not sure if it was a timing issue or a replication problem but it showed up when a client tried to add a custom domain. My PowerShell scripts run on the Lync SQL Server, so the network administrator decided that since he could manually fix the problem by running Enable-CsComputer on the Front End server, my scripts needed to do the same thing.

So I set about figuring out how to remotely execute something on the FE. As it turns out there are a few ways of doing this but I quickly ran into problems. First I tried using New-PSSession and Get-PSSession to open up a remote session on the FE but that ran into some credential issues – it would pop up a login window. That approach wouldn’t work as you can’t have login windows when the function is called from a web service like I need to do. It also had a problem in that when you import the Lync module for the remote session not all of the Lync cmdlets are exposed. In fact it turned out to be a very small subset and Enable-CsComputer wasn’t one of the cmdlets.

I was told that that was to be expected as Enable-CsComputer isn’t supposed to be run remotely. It is a local command only. Ok, what does that mean to me? It meant that I somehow had to find a way to run it as a local command on the FE. So it was back to the drawing board. I ended up solving my problem using Invoke-Command though even that had a few hurdles that I had to get over. I still had the credentials issue but that was easily fixed (or so I thought) as shown in the code below. I’ll get back to the credentials stuff in a moment but first this is the code I ended up with.

# Remoting variables
$remoteUserName = "GotSpeechGuy\Administrator"
$remotePassword = "P@ssw0rd"
$remoteFE = "GotSpeechGuyFE01"

# Build a PSCredential so Invoke-Command does not pop up a login window
$pass = ConvertTo-SecureString $remotePassword -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($remoteUserName, $pass)

# Run the script on the FE; CredSSP passes the credential on for the second hop
Invoke-Command -ComputerName $remoteFE -Authentication CredSSP -Credential $cred -ScriptBlock { C:\hosting\EnableComputer.ps1 }

All the EnableComputer.ps1 did was load the Lync module then call Enable-CsComputer. Loading the Lync module is easily done like this:

Import-Module 'C:\Program Files\Common Files\Microsoft Lync Server 2010\Modules\Lync\Lync.psd1'

During testing I put a Get-CsSipDomain in the script and that worked fine, returning a list of the SIP domains. I thought “Cool this is going to work”. But when I put the Enable-CsComputer in the script and tried to invoke it I got this error:

WARNING: Enable-CsComputer failed.

WARNING: Detailed results can be found at

“C:\Users\Administrator.UBERUSEE\AppData\Local\Temp\Enable-CsComputer-8d3bf7e0-9b09-4989-a656-334a9485543c.html”.

Command execution failed: An error occurred when add "RTCUniversalServerAdmins" to "RTC Local Administrators".
    + CategoryInfo          : InvalidOperation: (:) [Enable-CsComputer], DeploymentException
    + FullyQualifiedErrorId : ProcessingFailed,Microsoft.Rtc.Management.Deployment.ActivateMachineCmdlet

Checking the .html error page showed me this:

Error: Active Directory error "-2147016672" occurred while searching for domain controllers in domain "GotSpeechGuy.com": "An operations error occurred."

More research showed that when running the cmdlets remotely you only get the local admin context on the remote computer. A lot of the Lync cmdlets access AD or another computer and when that happens you get the dreaded 2-hop authentication problem.

Luckily for me Invoke-Command has an -Authentication parameter, which I set to CredSSP, but that left a few more steps to complete the process as I still needed to enable CredSSP on the servers. That was pretty straightforward, as all it took was to delegate the user’s credentials from the client to the server.

On the FE I ran these commands:

Enable-WsManCredSSP -Role Server

Enable-WsManCredSSP -Role Server

Enable-WsManCredSSP -DelegateComputer * -Role Client

Then on the SQL Server where the PowerShell scripts reside I ran this:

Enable-WsManCredSSP -Role Client -DelegateComputer *

After going through the steps to enable CredSSP everything started working as it should and we haven’t encountered the problems with Enable-CsComputer since.
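A tighter variant of the CredSSP setup above, added here as an example and not the author's code: it delegates fresh credentials only to the Front End instead of to `*`, and loads the credential from a DPAPI-protected file instead of a password literal in the script. The FQDN and the credential file path are assumptions.

```powershell
# Added example, not the author's code. Assumed values: FE FQDN, credential file path.
$feFqdn   = 'GotSpeechGuyFE01.GotSpeechGuy.com'  # assumption: FQDN of the page's FE host
$credFile = 'C:\hosting\fe-remoting.cred.xml'     # hypothetical path

# One-time, on the Front End (elevated): accept delegated credentials only.
#   Enable-WSManCredSSP -Role Server -Force
# One-time, on the SQL Server, logged on as the account the web service runs under:
#   Get-Credential | Export-Clixml -Path $credFile   # DPAPI: readable by that user on that machine only

function Set-ScopedCredSspClient {
    # Run elevated on the SQL Server: drop any earlier delegation, then allow one target.
    param([Parameter(Mandatory)][string]$Target)
    Disable-WSManCredSSP -Role Client
    Enable-WSManCredSSP -Role Client -DelegateComputer $Target -Force | Out-Null
}

function Test-CredSspDelegation {
    # True only when this client delegates to $Target and has no wildcard entry.
    # Get-WSManCredSSP needs an elevated session.
    param([Parameter(Mandatory)][string]$Target)
    $state = (Get-WSManCredSSP) -join ' '
    if ($state -match 'wsman/\*') {
        Write-Warning 'CredSSP client policy contains a wildcard delegation target.'
        return $false
    }
    return $state -match [regex]::Escape("wsman/$Target")
}

function Invoke-EnableCsComputerOnFE {
    param([Parameter(Mandatory)][string]$Target,
          [Parameter(Mandatory)][string]$CredentialPath)
    if (-not (Test-CredSspDelegation -Target $Target)) {
        throw "CredSSP delegation is not scoped to $Target; run Set-ScopedCredSspClient first."
    }
    $cred = Import-Clixml -Path $CredentialPath   # no plaintext password in the script
    # The computer name must match the delegation target exactly.
    Invoke-Command -ComputerName $Target -Authentication CredSSP -Credential $cred `
        -ScriptBlock { C:\hosting\EnableComputer.ps1 }
}

# Set-ScopedCredSspClient -Target $feFqdn                               # once, elevated
# Invoke-EnableCsComputerOnFE -Target $feFqdn -CredentialPath $credFile
```

With CredSSP the full credential is handed to the remote host, so limiting the delegation target limits which machines can ever receive it.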

I would like to publicly thank the guys at Microsoft and my fellow Lync MVPs who helped me sort all this out. It was a long difficult process bringing all of the pieces together but with their help I got it working.

If you have any questions please feel free to ping me.

15 thoughts on “Remote PowerShell and Lync”

  1. Good work. There’s a little write error in last line: Enable-WsManCredSSP –Role Client –DelgateComputer *

    I think you meant DelegateComputer not DelgateComputer.

  2. I’m building a WebService to expose some functionality (provisioning Lync and Exchange) in a Hosted datacenter. So I’m connecting remotely from a machine inside the same domain to LYNCFE.

    Either via PowerShell (New-PsSession > Enter-PsSession > Import-Module Lync > Get-CsAdUser) or via my application (PowerShell Automation in .NET) I receive this error:

    Error: Active Directory error "-2147016672" occurred while searching for domain controllers in domain "GotSpeechGuy.com": "An operations error occurred."

    I’ve noticed that this is the same error you were receiving so I’ve done all the steps you’ve described, and other (enabling PS remoting, and configuring the WinRM).

    By the way, when I try to Import-Module ActiveDirectory it says a yellow warning (but only from the remote machine – same domain -, because in the Lync FE, I mean locally, it’s fine).

    Do you have any idea where it can be wrong?

  3. First check the rights that you are running under.

    Also I don’t recommend the remote session as it only exposes a limited subset of the Lync cmdlets.

    Try running your web service on one of the Lync boxes. I run mine on the SQL server.

  4. Hi,

    I am creating a script in ASP.NET C# to invoke cmdlets from Lync Server.

    I just want to list a user : Get-CsUSer and when I run the script I received the following error code:

    Active Directory error "-2147016672" occurred while searching for domain controllers in domain .

    I run my script from my local machine developer (it is remote) to the server. The script is :

    // Requires: using System.Collections.ObjectModel; using System.Management.Automation;
    // using System.Management.Automation.Runspaces;
    Runspace remoteRunspace = null;
    openRunspace("servidor:5985/wsman", "http://schemas.microsoft.com/powershell/Microsoft.PowerShell",
        @"\user", "senha", ref remoteRunspace);

    using (PowerShell powershell = PowerShell.Create())
    {
        powershell.Runspace = remoteRunspace;

        powershell.AddScript("Import-Module Lync"); // works
        powershell.Invoke();

        Pipeline pipeline = remoteRunspace.CreatePipeline();
        string remoteScript = "Get-CsUser -Identity mmiranda";
        pipeline.Commands.AddScript(remoteScript);

        Collection<PSObject> results = pipeline.Invoke();

        remoteRunspace.Close();

        return results;
    }

    public static void openRunspace(string uri, string schema, string username, string livePass, ref Runspace remoteRunspace)
    {
        // Copy the plain-text password into a SecureString for PSCredential
        System.Security.SecureString password = new System.Security.SecureString();
        foreach (char c in livePass.ToCharArray())
        {
            password.AppendChar(c);
        }
        PSCredential psc = new PSCredential(username, password);
        WSManConnectionInfo rri = new WSManConnectionInfo(new Uri(uri), schema, psc);
        //rri.AuthenticationMechanism = AuthenticationMechanism.Default;
        //rri.AuthenticationMechanism = AuthenticationMechanism.Kerberos;
        //rri.AuthenticationMechanism = AuthenticationMechanism.Basic;
        //rri.NoEncryption = true;
        rri.ProxyAuthentication = AuthenticationMechanism.Negotiate;
        remoteRunspace = RunspaceFactory.CreateRunspace(rri);
        remoteRunspace.Open();
    }

    I don’t know what to do anymore.

    Help me.

    My e-mail gersonczjr@hotmail.com
    I did all you said after the “Error: Active Directory error "-2147016672" occurred while searching for domain controllers in domain” and it does not work.

    thx

  5. How are you logging in to the remote server? Possibly a rights issue. Have you tried remoting into the server via RDP? If you do that can you run the script from the console?

    FYI – this is how I call PowerShell from C#. But I have it running on the Lync SQL server and I don’t run the PowerShell remotely – it runs on the server.

    • Hi Marshall, I can log in with mstsc with the user specified in openRunspace()
      The error starts at the line : Pipeline pipeline = remoteRunspace.CreatePipeline();
      string remoteScript = "Get-CsUser -Identity mmiranda";
      pipeline.Commands.AddScript(remoteScript);

      Collection<PSObject> results = pipeline.Invoke(); (error)
      Assume that I execute the script on my local machine with Visual Studio 2010 and am trying to access Lync Server PowerShell.
      Thanks

  6. Dear,

    Thanks for all those explanations, however, I have troubles enabling this on my laptop : when I type :

    enable-wsmancredssp -role client -delegatecomputer *

    on my Win7Pro laptop, it returns an error message… It says it cannot connect to the specified destination.

    Any idea ?

    For information, the script I want to run from my laptop is to enable/disable Lync users.

    Thanks in advance. ;-)

  8. Hi Marshall, I want to install-csadserverschema from another server remotely. What should be the best way? I tried your way but it tells me access denied. When I tried invoke with computer name and it asked me for the password, it worked. I think there is an issue for the password part.

  9. Hey
    I use PowerShell v3 from Win7. I installed ocscore.msi and tried to import-module Lync
    but I get an error : the assembly ‘microsoft.rtc.management’ was not loaded because no assembly was found
    Why didn’t it work??? Any idea?

  10. Roni, I apologize for missing your comment.

    Are you sure that it loaded correctly?

    Try this –
    Import-Module 'C:\Program Files\Common Files\Microsoft Lync Server 2010\Modules\Lync\Lync.psd1'
