So I have been attempting to create an automated deployment process using PowerShell that will create VMs and configure them to our spec once they are up and running. The VMs are a pretty vanilla setup of Server 2012.

I have been able to create VMs automatically and I have sorted out our build but I am stuck at joining the machines to the domain.

The VMs obtain an IP and sit not connected to the domain, and I cannot open a PowerShell session to them at all. The local admin credentials are provided in the answer file and I can log in using RDP.

The error I get is:

Connecting to remote server System.Net.IPHostEntry failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090311 occurred while
using Kerberos authentication: There are currently no log-on servers available to service the log-on request.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.

  • CategoryInfo : OpenError: (System.String:String) , PSRemotingTransportException
  • FullyQualifiedErrorId : ConnectionAttemptFailed
  • PSComputerName : [localhost]

I have attempted to add my host to the TrustedHosts list, and it claims to have completed correctly, but I get the same error.

Setting up HTTPS on the server seems a bit extreme for a build process.

I have disabled the firewalls on both hosts.

Any help would be greatly appreciated.

3 Spice ups

By default, WinRM between non-domain-joined systems does not work. The reason is simple: the ‘client’ is not a member of the server’s domain (and forest) and thus cannot use Kerberos to get a ticket to enable access to the server.

Assuming you just want to get to the server and don’t want to go further (i.e. do a ‘double hop’), then supplying credentials should work OK. Like this:

 $Username   = "Server\Administrator"
 $PasswordSS = ConvertTo-SecureString 'serverpassword' -AsPlainText -Force
 $Cred       = New-Object System.management.Automation.PSCredential $Username,$PasswordSS

 Invoke-Command -ComputerName DC1 -ScriptBlock { <what you want to do on the remote machine>} -Credential $Cred
 
1 Spice up
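As an added example, not code from this thread or from the answer above, here is a connection helper for the situation described: a domain-joined build host opening a WinRM session to a VM that is not yet in the domain, authenticating with the local Administrator account from the answer file. The VM name is a placeholder, the function names Connect-WorkgroupVm and Disconnect-WorkgroupVm are chosen here, and it assumes the VM's WinRM listener is up on the default HTTP port (5985).

```powershell
# Added example (not from the thread). Open a WinRM session from a domain-joined build
# host to a freshly built VM that is NOT in the domain, using the VM's local Administrator
# account. Assumes WinRM is listening on the VM and $VmName resolves from the build host.

function Connect-WorkgroupVm {
    param(
        [Parameter(Mandatory)] [string]       $VmName,    # e.g. 'win-rkhj8eeao20'; pass a string,
                                                          # not a [System.Net.IPHostEntry] object
        [Parameter(Mandatory)] [pscredential] $LocalCred  # "$VmName\Administrator"
    )

    # The VM has no computer account, so no SPN exists and no KDC can issue a ticket for it:
    # Kerberos cannot succeed and the client has to be allowed to fall back to NTLM.
    # WinRM only permits that fallback for hosts in the client's TrustedHosts list, because
    # NTLM does not authenticate the server: whatever answers on that name receives an NTLM
    # challenge-response it could relay or crack. So add exactly this host, and append to
    # the existing list instead of overwriting it.
    $tpath    = 'WSMan:\localhost\Client\TrustedHosts'
    $existing = @(((Get-Item $tpath).Value -split ',') | Where-Object { $_ })
    if ($existing -notcontains $VmName) {
        Set-Item $tpath -Value (($existing + $VmName) -join ',') -Force
    }

    # Negotiate with an explicit local credential resolves to NTLM for a workgroup host.
    # If the client still tries Kerberos for this name (error 0x80090311), use the VM's
    # IP address as -ComputerName and in TrustedHosts: WinRM does not attempt Kerberos
    # for an IP address.
    New-PSSession -ComputerName $VmName -Credential $LocalCred -Authentication Negotiate
}

function Disconnect-WorkgroupVm {
    param(
        [Parameter(Mandatory)] [System.Management.Automation.Runspaces.PSSession] $Session,
        [Parameter(Mandatory)] [string] $VmName
    )
    Remove-PSSession $Session

    # Revoke the exemption when the build step is done. A stale TrustedHosts entry is a
    # standing permission to talk NTLM to whatever answers on that name later.
    $tpath = 'WSMan:\localhost\Client\TrustedHosts'
    $keep  = @(((Get-Item $tpath).Value -split ',') | Where-Object { $_ -and $_ -ne $VmName })
    if ($keep.Count -gt 0) { Set-Item $tpath -Value ($keep -join ',') -Force }
    else                   { Clear-Item $tpath -Force }
}

# Usage: take the answer-file password at run time instead of hard-coding it in the script.
$vm   = 'win-rkhj8eeao20'                                  # placeholder
$cred = Get-Credential -UserName "$vm\Administrator" -Message 'Local admin from the answer file'
$s    = Connect-WorkgroupVm -VmName $vm -LocalCred $cred
Invoke-Command -Session $s -ScriptBlock { hostname; (Get-WmiObject Win32_ComputerSystem).Domain }
Disconnect-WorkgroupVm -Session $s -VmName $vm
```

Two caveats a build script should respect. First, ConvertTo-SecureString 'password' -AsPlainText, as in the snippet above, leaves the answer-file local admin password in a second place (the script and its history); prompting or reading it from a secret store at run time avoids that. Second, -Authentication Basic, suggested later in the thread, is only accepted over an HTTPS listener or when AllowUnencrypted is enabled on both client and service (and Basic is off by default on the service side); over plain HTTP it would also send the password in cleartext, so Negotiate/NTLM plus a scoped TrustedHosts entry is the better trade for a transient build session.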

I get the same error when I modify your script like so.

$Username = "win-rkhj8eeao20\Administrator"
$PasswordSS = ConvertTo-SecureString 'localadminpassword' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential $Username,$PasswordSS

Invoke-Command -ComputerName win-rkhj8eeao20 -ScriptBlock { Add-Computer -DomainName domain.lan -Credential domain\myuser } -Credential $Cred

param(
    [Parameter(Mandatory=$true)]
    [System.Management.Automation.PSCredential] $localcred
)
Enter-PSSession -ComputerName win-rkhj8eeao20 -Credential $localcred

Broke it down to the most simple expression I could and I get the error below.

Enter-PSSession : Connecting to remote server win-rkhj8eeao20 failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090311
occurred while using Kerberos authentication: There are currently no log-on servers available to service the log-on request.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
At line:5 char:1

  • Enter-PSSession -ComputerName win-rkhj8eeao20 -Credential $localcred
  • CategoryInfo : InvalidArgument: (win-rkhj8eeao20:String) [Enter-PSSession], PSRemotingTransportException
  • FullyQualifiedErrorId : CreateRemoteRunspaceFailed

Is win-rkhj8eeao20 resolvable from a DNS perspective?

Yes no problems there

PS C:\WINDOWS\system32> nslookup win-rkhj8eeao20
Server: .an.lan
Address: 10.1.*.**

Name: win-rkhj8eeao20.an.lan
Address: 10.1.*.*

On the Invoke-Command you could try adding the -Authentication parameter:

Invoke-Command -ComputerName DC1 -ScriptBlock { <what you want to do on the remote machine>} -Credential $Cred -Authentication Basic

Update: I got the machine added to the domain without noticing, by running the command below. It did not reboot, however. I am just redeploying a few VMs to test this again, but it did come back with the error below.

Add-Computer -ComputerName win-rkhj8eeao20 -DomainName a*****n.lan -OUPath "OU=Servers,DC=a*****n,DC=lan" -LocalCredential administrator -Credential a*****n\Myuser -Restart

Add-Computer : Unable to cast COM object of type ‘System.__ComObject’ to interface type ‘System.Management.IWbemServices’. This operation failed because the QueryInterface call on the COM
component for the interface with IID ‘{9556DC99-828C-11CF-A37E-00AA003240C7}’ failed due to the following error: The RPC server is unavailable. (Exception from HRESULT: 0x800706BA).
At line:1 char:1

  • Add-Computer -ComputerName win-rkhj8eeao20 -DomainName artesian.lan -OUPath "OU= …
  • CategoryInfo : NotSpecified: (:) [Add-Computer], InvalidCastException
  • FullyQualifiedErrorId : System.InvalidCastException,Microsoft.PowerShell.Commands.AddComputerCommand
1 Spice up

I think the problem here is the traditional double-hop problem. You probably need to set up CredSSP.

Here’s how to do that:

Would that be because I am remotely providing the credentials to add the machine to the domain?

I have checked and the add-computer script does work but does not reboot the machine.

I am struggling to do anything else though.

“-Authentication Basic” has no effect.

Thanks for your help so far guys.

If it’s working, you could Sleep 5 seconds, then issue a Restart-Computer cmdlet?

Just what I thought :)

That produces the following error

Restart-Computer -ComputerName win-qbn9alq7mr5 -force -Credential win-qbn9alq7mr5\administrator
Restart-Computer : Failed to restart the computer win-qbn9alq7mr5 with the following error message: The RPC server is unavailable. (Exception from HRESULT: 0x800706BA).
At line:1 char:1

  • Restart-Computer -ComputerName win-qbn9alq7mr5 -force -Credential win-qbn9alq7mr …
  • CategoryInfo : OperationStopped: (win-qbn9alq7mr5:String) [Restart-Computer], InvalidOperationException
  • FullyQualifiedErrorId : RestartcomputerFailed,Microsoft.PowerShell.Commands.RestartComputerCommand

I think that if I can get the add-computer to run cleanly this may run after.

1 Spice up
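Both the Add-Computer -ComputerName and the Restart-Computer -ComputerName attempts above fail the same way, on the RPC path. As an added example, not code from this thread, the script below does the join and the reboot entirely inside the WinRM session that the local credential already provides, and then waits for the VM to come back as a domain member. It assumes the build host already has the VM in its TrustedHosts list, that the account running the build script is a local administrator on a freshly joined member (for example through Domain Admins), and that the domain, OU and host names are placeholders.

```powershell
# Added example (not from the thread). Join the VM through a WinRM session opened with the
# VM's local Administrator account, reboot it from inside that session, and wait until it
# answers again under its domain identity. Placeholders: $VmName, $DomainName, $OUPath.
param(
    [Parameter(Mandatory)] [string]       $VmName,     # e.g. 'win-rkhj8eeao20'
    [Parameter(Mandatory)] [pscredential] $LocalCred,  # "$VmName\Administrator" (answer file)
    [Parameter(Mandatory)] [pscredential] $JoinCred,   # 'DOMAIN\joinuser': needs only join rights on $OUPath
    [string] $DomainName = 'domain.lan',
    [string] $OUPath     = 'OU=Servers,DC=domain,DC=lan'
)

$ErrorActionPreference = 'Stop'
$fqdn = "$VmName.$DomainName"

# Assumes $VmName is already in this client's TrustedHosts, so Negotiate falls back to NTLM.
$s = New-PSSession -ComputerName $VmName -Credential $LocalCred -Authentication Negotiate
try {
    Invoke-Command -Session $s -ScriptBlock {
        # $using: ships the join credential into the remote runspace as a PSCredential.
        # Add-Computer hands it straight to the join call, so nothing about the session's
        # own identity has to be delegated: no second hop, no CredSSP.
        Add-Computer -DomainName $using:DomainName -OUPath $using:OUPath `
                     -Credential $using:JoinCred -Force

        # No -Restart on Add-Computer and no Restart-Computer -ComputerName from the
        # client: both go through WMI/DCOM, i.e. RPC, which is what returns 0x800706BA.
        # Schedule the reboot locally with a short delay so this command returns before
        # the connection is torn down.
        shutdown.exe /r /t 10 /f /c "Domain join: rebooting"
    }
}
finally {
    Remove-PSSession $s
}

$deadline = (Get-Date).AddMinutes(10)

# Phase 1: wait for the VM to stop answering on the WinRM port (unauthenticated Identify),
# so a response in phase 2 cannot come from the pre-reboot instance.
do {
    Start-Sleep -Seconds 5
    $down = -not (Test-WSMan -ComputerName $VmName -ErrorAction SilentlyContinue)
} until ($down -or (Get-Date) -gt $deadline)
if (-not $down) { throw "$VmName never went down for the reboot" }

# Phase 2: wait until it answers again as a domain member. This call uses the build
# host's own domain identity and Kerberos against the new computer account, so it needs
# neither the local credential nor the TrustedHosts entry (which can now be removed).
do {
    Start-Sleep -Seconds 15
    $joined = try {
        (Invoke-Command -ComputerName $fqdn -ScriptBlock {
            (Get-WmiObject Win32_ComputerSystem).Domain }) -eq $DomainName
    } catch { $false }
} until ($joined -or (Get-Date) -gt $deadline)
if (-not $joined) { throw "$VmName did not return as a member of $DomainName" }

"$fqdn is joined to $DomainName"
```

The join account here deliberately is not a domain admin: a dedicated user delegated "create computer objects" on the target OU is enough for Add-Computer, and it is the credential that travels to every VM being built. The local Administrator password from the answer file is only ever used for this one session, and the script does not need CredSSP because the credential the join needs is passed explicitly rather than being the caller's own logon token.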

So without -restart, Add-Computer runs without error. However I receive the RPC unavailable error after that. Grrr.

I would love to get this working, but I am reaching the point where it might be easier to do this with a RunOnce script.

Brainwave!

It’s a VM so I just restart the VM!

I think I am there…

1 Spice up