I've created a small cluster of 2 win servers in a domain and another for the remote executions.
I am able to run Get-NlbClusterNode locally on each of the servers.
I can establish remote session with the 2 nodes and have all the permissions in place.
I can run Get-NlbClusterNode command remotely if only one of the servers is in the cluster, but when both are in the cluster I get:
PS C:\Windows\system32> Invoke-Command -ComputerName 10.10.10.9 -ScriptBlock { Get-NlbClusterNode } -credential $Creds
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
+ CategoryInfo : PermissionDenied: (Microsoft.Netwo...tNlbClusterNode:GetNlbClusterNode) [Get-NlbClusterN
ode], UnauthorizedAccessException
+ FullyQualifiedErrorId : Access denied.,Microsoft.NetworkLoadBalancingClusters.PowerShell.GetNlbClusterNode
+ PSComputerName : 10.10.10.9
Is this the so called powershell double hop issue? How could be this fixed?
Thank you
Related
Does anyone know how to install an MSIX package into a Docker container?
Currently my Dockerfile does the following:
Install PFX certificate to "Trusted Root Certification Authorities", which is specified by "Cert:\LocalMachine\Root" in the PowerShell command.
Copy MSIX package from network drive.
Install MSIX as an app. (Fails)
Remove local copy of MSIX package.
Dockerfile:
RUN powershell $pwd = ConvertTo-SecureString -String 'CeRtPaSsWoRd' -AsPlainText -Force; Import-PfxCertificate -Password $pwd -FilePath "R:/app-stream-cert.pfx" -CertStoreLocation Cert:\LocalMachine\Root \
&& copy "R:/mcre-22-r2-x64.msix" "C:/" \
&& powershell Add-AppPackage -path "C:/mcre-22-r2-x64.msix" \
&& del "C:/mcre-22-r2-x64.msix"
I have this error:
Add-AppPackage : Deployment failed with HRESULT: 0x80073D19, An error occurred
because a user was logged off.
error 0x80073D0A: Failed to install package
AnsysInc.mcre-22-r2_22.2.0.0_x64__13gfg92hgbc9g because the firewall service
is not running. Ensure that the firewall service is enabled and started.
NOTE: For additional information, look for [ActivityId]
b9bbd738-fed5-0000-fec9-bdb9d5fed801 in the Event Log or use the command line
Get-AppPackageLog -ActivityID b9bbd738-fed5-0000-fec9-bdb9d5fed801
At line:1 char:1
+ Add-AppPackage -path C:/mcre-22-r2-x64.msix
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (C:\mcre-22-r2-x64.msix:String) [A
dd-AppxPackage], Exception
+ FullyQualifiedErrorId : DeploymentError,Microsoft.Windows.Appx.PackageMa
nager.Commands.AddAppxPackageCommand
I've tried enabling firewall service in the container and on the host machine using powershell Start-Service -Name mpssvc. I'm able to enable firewall service on the host, but not in the container. Some posts indicate that Windows Docker containers share firewall service with their host. However my 0x80073D0A error still persists.
Environment info:
Docker engine version 20.10.21
Base image mcr.microsoft.com/windows:20H2
Host OS Win 10 Pro 10.0.19044.2251
I am running a fresh mcr.microsoft.com/dotnet/framework/runtime:4.8-windowsservercore-ltsc2019
The first thing I try to do is install Print-Server but gives me an error (It is the first time I am installing a windows feature with powershell):
add-WindowsFeature -Name Print-Server
add-WindowsFeature : The request to add or remove features on the specified server failed.
Installation of one or more roles, role services, or features failed.
The source files could not be found.
Use the "Source" option to specify the location of the files that are required to restore the feature. For more information on specifying a source
location, see http://go.microsoft.com/fwlink/?LinkId=243077. Error: 0x800f081f
At line:1 char:1
+ add-WindowsFeature -Name Print-Services -IncludeAllSubFeature
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (#{Vhd=; Credent...Name=localhost}:PSObject) [Install-WindowsFeature], Exception
+ FullyQualifiedErrorId : DISMAPI_Error__Failed_To_Enable_Updates,Microsoft.Windows.ServerManager.Commands.AddWindowsFeatureCommand
I have tried to mount my host WinSxS inside the container and use the sources folder , but I get the same error.
Install-WindowsFeature -Name Print-Server -Source c:\sources
I have also tried online with Enable-WindowsOptionalFeature but gives me this error :
PS C:\> Enable-WindowsOptionalFeature -Online -FeatureName Print-Server
Enable-WindowsOptionalFeature : Feature name Print-Server is unknown.
At line:1 char:1
+ Enable-WindowsOptionalFeature -Online -FeatureName Print-Server
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Enable-WindowsOptionalFeature], COMException
+ FullyQualifiedErrorId : Microsoft.Dism.Commands.EnableWindowsOptionalFeatureCommand
Looking at other questions this part seams to be working for other people. I am running windows 10 enterprise 2004.
Does someone know what can I do ?
From here:
The mcr.microsoft.com/windows image should be the targeted base image.
Other Windows container base images (such as Nano Server and Windows
Server Core) do not carry the Printing Server Role.
I have this script:
Invoke-WUJob -ComputerName comp-1,comp-2,comp-3 -Script {ipmo PSWindowsUpdate; Get-WUInstall -Install -AcceptAll | Out-File C:\PSWindowsUpdate.log } -Confirm:$false -Verbose –RunNow
and after execution I get this:
Invoke-WUJob : PSWindowsUpdate module missing on destination machine
At line:1 char:1
+ Invoke-WUJob -ComputerName 1002-hk-ws-001,1002-hk-ws-002,1002-hk-ws-0 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [Invoke-WUJob], Exception
+ FullyQualifiedErrorId : ModuleMissing,PSWindowsUpdate.InvokeWUJob
I used these commands below on every PC to install to PSWindowsUpdate and setup winrm and it still does not work:
winrm quickconfig -q
winrm set winrm/config/client ‘#{TrustedHosts="comp1,comp2,comp3"}’
Set-ExecutionPolicy RemoteSigned
Install-Module PSWindowsUpdate -Scope CurrentUser -Force
Any ideas?
the windows update cannot use remotely, maybe the hardening, you could work with a schedule task Register-ScheduledJob -scriptblock { get-windowsupdate -acceptall}
I am going to assume that you are in a workgroup mode, vs Domain joined machines by virtue of what you said you did on each host.
You have to be an admin on the target to run this.
about_Remote_Requirements
Unless you make additional configs.
You Don’t Have to Be An Administrator to Run Remote PowerShell Commands
Thus, you need to pass credentials in your code, if you are not already running your PowerShell session with admin creds for the remote targets. This is really PowerShell remoting 101 and a well-documented use case.
Your error is saying the module is not on the remote host or can't be found.
Windows updates are a machine-level thing. So, the import should be to the AllUsers PowerShell profile not some individual user of the machines. There is extra work to get PSRemoting working on workgroup systems. For domain-joined, hosts, you can enable it using GPO. No need for extra steps.
See the steps here:
Enable PowerShell Remoting on a standalone (workgroup) computer
Running code on remote systems will always run in the user context that you started, regardless of who is on the remote target.
Ok so now I'am getting a different error :
Invoke-WUJob : You can not find requested file . (Error HRESULT: 0x80070002)
At line:1 char:1
+ Invoke-WUJob -ComputerName 1002-ski-ws-003,1002-ski-nb-002 -Script {i ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Invoke-WUJob], FileNotFoundException
+ FullyQualifiedErrorId : System.IO.FileNotFoundException,PSWindowsUpdate.InvokeWUJob
I've installed everything on remote machines to : Windows\System32\WindowsPowerShell\v1.0\Modules\PSWindowsUpdate but it looks like it still does not see the module ?
My test agent and controller are communicating well. But, when agent machine has restarted the agent is going to offline. And it is coming "online" only when I remotely login into the machine.
To automate this, I tried PowerShell script. When I run my PS code on agent machine directly it is working fine and agent process is starting and it is communicating with the controller.
When I try to run from other machine, it is able to start the process QTAgentProcessUI.exe. But failing to launch the agent UI. When I look in to the Event Viewer logs, it is showing
(QTDCAgent32.exe, PID 3780, Thread 1) DataCollectionAgentProcess: Failed to get agent process proxy: System.Runtime.Remoting.RemotingException: Failed to connect to an IPC Port: Access is denied.
How can we start agent process "C:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\IDE\QTAgentProcessUI.exe" on remote test agent machine with PowerShell by overcoming the access denied issues with port 6910?
In my investigation, I found that the Post 6910 is closed.
I am able to find out a work around.
I created a VBS script and calling the PowerShell file in it. Then I created a scheduled task in Task Scheduler.
When I trigger this schudled task from other machine, it is working like a charm. It is able to start the agent process.
The credentials which I am using below is an administrator on that machine.
$Username = 'xxxxxx'
$Password = 'xxxxx'
$pass = ConvertTo-SecureString -AsPlainText $Password -Force
$credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $Username,$pass
$s = New-PSSession -ComputerName "domain\machine1" -Credential $credentials
Invoke-Command -Session $s -Command {
C:\Users\Administrator\Desktop\StartTestAgent.ps1
}
I am creating a session farm for UPD's and seem to be at a loss when it comes to creating the share for the cluster. I double check all my steps from this link
https://technet.microsoft.com/en-us/windows-server-docs/compute/remote-desktop-services/rds-storage-spaces-direct-deployment
The very last cmdlet is where it fails when building the share.
PS C:\Windows\system32> New-SmbShare -Name UpdStorage -Path C:\ClusterStorage\Volume1\Data
New-SmbShare : The resources must be online on the same node for this operation
At line:1 char:1
+ New-SmbShare -Name UpdStorage -Path C:\ClusterStorage\Volume1\Data
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (MSFT_SMBShare:ROOT/Microsoft/Windows/SMB/MSFT_SMBShare) [New-SmbShare], CimException
+ FullyQualifiedErrorId : Windows System Error -2147018963,New-SmbShare
When I go to share the folder manually I recieve this error.
The error occured while trying to share Data. The resource must be online on the same node for the operation.
The shared resource was not created at this time.
I have confirmed that both nodes are online, I have attempted this on both nodes to recieve the same error as well. I have added the "SYSTEM" account to full control and inherited all the way down and that has not helped. Anyone have any idea's? This is on a 2016 Server in Azure.
In Failover Cluster Manager, which node is the owner of the CSV? Log on to that node and run the cmdlet there.