GlennMaxwell-2309 asked JamesHamil-MSFT answered

syntax error

Hi All,

I am using the below syntax. I am connected to server01 and trying to execute the below syntax.
i.e. I am connected to server01 and remoting to server02 and executing.
When I run it directly on server02 I don't see any issue, but I am facing an issue with remoting. I have also installed the DNS module on server01.
I am using Account01 and when prompted for credentials I am giving it.
I am getting the error: Failed to get the zone information for mydomain.com mydc01

azure-active-directory, windows-server-powershell, windows-server-2019, windows-server-2016, windows-dhcp-dns

RichMatheisen-8856 answered

I think you'll find that you're encountering the "Second Hop" problem. You can't use the credentials passed from local machine to SERVER02 when your Get-DnsServerResourceRecord tries to connect to MYDC01. The cmdlet uses WMI/CIM and it's probably being denied permission. The reason, I'm guessing, is probably an error "5" or "1722".

 # create session from local machine (machine #1) to SERVER02 (machine #2)
 $session = New-PSSession -ComputerName server02 -Credential Account01
 # Run Invoke-Command on SERVER02 (machine #2)
 Invoke-Command -Session $session -ScriptBlock {
     try {
         Write-Host $env:COMPUTERNAME;
         # Try connecting to MYDC01 (machine #3) from Server02 (machine #2)
         $dnsrecords = Get-DnsServerResourceRecord -ZoneName mydomain.com -ComputerName mydc01 -ErrorAction Stop | 
             Where-Object { $_.RecordType -eq "A" -Or $_.RecordType -eq "CNAME" } | 
                 ConvertTo-Json
         Write-Host $dnsrecords
         # Note: $dnsrecords never returned to SERVER02!
     }
     catch {
         $_  # return $Error[0] to Server02
     }
 }
 # remove session with SERVER02 (machine #2)
 Remove-PSSession -session $session

RichMatheisen-8856 answered

This looks just like the problem posted by @MdaKhmm-4292 with the subject "unable to fetch the information" (unable-to-fetch-the-information.html)

I'll ask for the same information I did in that topic:

How about posting the error message? The FullyQualifiedErrorId might be telling you what the problem is.

Change line 9 in your script to just "$_" instead of "Failed".





GlennMaxwell-2309 answered RichMatheisen-8856 commented

Line 9: can I use it in this format?
return "Failed: $Error[0]"


True, but "Failed: " doesn't add any information. Also, in the case of a "Catch" block "$_" is the same as "$Error[0]".

Also, you haven't used "ErrorAction STOP" on the Get-DnsServerResourceRecord cmdlet. Your catch block won't be run in the case of a non-terminating error -- and the Invoke-Command won't receive the DNS data you expect, or the "Failed" string.

GlennMaxwell-2309 answered

Please help in editing the syntax.


GlennMaxwell-2309 answered RichMatheisen-8856 commented

I am using a domain admin account but I am still getting the below error.

$session = New-PSSession -ComputerName server02 -Credential account1
Invoke-Command -Session $session -ScriptBlock {
try {
Write-Host $env:COMPUTERNAME;
$dnsrecords = Get-DnsServerResourceRecord -ZoneName mydomain.com -ComputerName mydc01 -ErrorAction Stop | Where-Object { $_.RecordType -eq "A" -Or $_.RecordType -eq "CNAME" } | ConvertTo-Json
Write-Host $dnsrecords
}
catch {
$_
}
}
Remove-PSSession -session $session
server02
Get-DnsServerResourceRecord : Failed to get the zone information for mydomain.com on server mydc01.
At line:4 char:15
+ ... nsrecords = Get-DnsServerResourceRecord -ZoneName mydomain.com ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (mydomain.com:root/Microsoft/...rResourceRecord) [Get-DnsServerResourceRecord], CimException
+ FullyQualifiedErrorId : WIN32 5,Get-DnsServerResourceRecord


Well, there's your answer: WIN32 5. Error 5 is Permission denied.

Use whatever account you want but you cannot reuse that credential to connect to another machine. That's not the way Kerberos works.

ps-remoting-second-hop

Why aren't you just using Invoke-Command mydc01 -credential (Get-Credential) -ScriptBlock {...}? Why use Server2?



JamesHamil-MSFT answered

Hi @GlennMaxwell-2309 , did you see the follow up from Rich? Try using Invoke-Command mydc01 -credential (Get-Credential) -ScriptBlock .
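
The single-hop approach suggested in this thread, written out as an added example (it is not code posted by any participant). It is run from server01 and talks to mydc01 directly, so no credential has to be delegated through server02; the `$cred` variable, the selected output properties and the `Failed` result object are assumptions made for illustration, and Option B relies on the DnsServer module being installed on server01, as the question states.

```powershell
# Added example. server01, mydc01 and mydomain.com come from the thread;
# $cred, the Select-Object projection and the 'Failed' object are illustrative.
$cred = Get-Credential            # prompt once, on the machine you are logged on to

# Option A: PowerShell remoting straight to the DNS server (one hop only).
$result = Invoke-Command -ComputerName mydc01 -Credential $cred -ScriptBlock {
    try {
        # No -ComputerName here: the cmdlet queries the local DNS service on mydc01
        Get-DnsServerResourceRecord -ZoneName mydomain.com -ErrorAction Stop |
            Where-Object { $_.RecordType -in 'A', 'CNAME' } |
            Select-Object HostName, RecordType, @{ Name = 'Data'; Expression = {
                if ($_.RecordType -eq 'A') { $_.RecordData.IPv4Address.IPAddressToString }
                else                       { $_.RecordData.HostNameAlias }
            } }
    }
    catch {
        # Return the error as data so the caller can inspect it
        [pscustomobject]@{
            Failed                = $true
            Message               = $_.Exception.Message
            Category              = "$($_.CategoryInfo.Category)"
            FullyQualifiedErrorId = $_.FullyQualifiedErrorId
        }
    }
}

if ($result -and $result[0].Failed) {
    # 'WIN32 5' is the access-denied code seen in the thread
    Write-Warning "Query failed: $($result[0].FullyQualifiedErrorId) - $($result[0].Message)"
}
else {
    $result | Format-Table HostName, RecordType, Data
}

# Option B: CIM session from server01 to mydc01 with an explicit credential.
# The DnsServer cmdlets accept -CimSession, so the credential is presented
# directly to mydc01 instead of being reused from an intermediate session.
$cim = New-CimSession -ComputerName mydc01 -Credential $cred
try {
    Get-DnsServerResourceRecord -ZoneName mydomain.com -CimSession $cim -ErrorAction Stop |
        Where-Object { $_.RecordType -in 'A', 'CNAME' }
}
finally {
    Remove-CimSession -CimSession $cim   # always release the session
}
```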
