Can't run a .Net method using Invoke-Command - Please Help.

Invoke-Command -ComputerName 'RemoteComputer1' -ScriptBlock {
    $ComputerSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
    $ComputerSite.Name
}

When I run this code above on a remote system I get the following error:

Exception calling “GetComputerSite” with “0” argument(s): "An operations error
occurred.

Would anyone know why this is happening?

Thanks

The only way I can recreate this same error is when I run it against a member server. When run against a Domain Controller it returns the expected results. Replace ‘RemoteComputer1’ with the name of one of your DCs, and test again.

Edit: To test running .NET via Invoke-Command on your ‘RemoteComputer1’ computer, you can always test something that isn’t dependent on Active Directory. Swap out the value you’re assigning to the -ScriptBlock parameter with this: {[Guid]::NewGuid()}. Chances are that it’ll work just fine against ‘RemoteComputer1’.

Well, when I run that .NET method locally it runs fine, just not with Invoke-Command.

Isn’t that a bit odd?

BTW, I am not trying to run this against a server, just a Win 7 system.

Run the .NET example interactively, via Enter-PSSession (or RDP, if necessary), on your Windows 7 system. Does it work? If not, what’s the error? Windows 7 shipped with PowerShell 2.0, which had a lower version dependency on .NET. Perhaps my example doesn’t even run on Windows 7 – I didn’t try; however, I did try on Server 2008 with PowerShell 2.0 and it worked.

Again, your AD .NET example ran for me inside Invoke-Command against a DC (2012 R2), but not a member server, and the Guid example ran against both a DC and member server. You’ll have to continue to test. Perhaps find another .NET example to test to see if you can get results.

I tested this in my environment and found it to be a double-hop authentication issue. If you run Invoke-Command and specify the -Credential and -Authentication Credssp parameters (as long as you have Credssp enabled in your environment) it will work. What’s happening is that the call to the .NET class that you’re making needs to contact a domain controller if it is not a domain controller itself. In contacting a domain controller it is initiating a “second hop”, and unless you use Credssp to allow remote computers to delegate your credentials to other remote computers, this connection will be attempted without any credentials, hence the error. Simple visualization:

PC -(Cred)-> RemotePC -(NOCRED)-> DC [Without Credssp]
PC -(Cred)-> RemotePC -(Cred)-> DC [With Credssp]

Of course it works fine if you run Invoke-Command against a DC as the DC has all of the AD information locally, therefore it does not have to query another remote computer for the information. I’ve found similar situations where I may have an admin machine with RSAT installed and try to run AD cmdlets on that admin machine through a PSSession from my own computer.

To solve this, enable Credssp in your environment. Alternatively you can query a registry value from a remote machine to get the cached AD site name:

Invoke-Command -ComputerName PC -ScriptBlock {Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\services\Netlogon\Parameters -Name DynamicSiteName}
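
The registry lookup from the answer above, extended as an added example (not code from any poster in this thread): it checks the static SiteName override before DynamicSiteName and runs over default remoting authentication, so nothing makes a second hop and no credentials are delegated to the remote host. The function name Get-CachedAdSite is hypothetical, and the SiteName-over-DynamicSiteName precedence is standard Netlogon behaviour that the thread itself does not state.

```powershell
function Get-CachedAdSite {
    # Hypothetical helper: reports the AD site Netlogon has recorded on each target.
    param(
        [string[]]$ComputerName,   # omit to query the local machine
        [System.Management.Automation.PSCredential]$Credential
    )

    # Runs on the target and only reads its local registry, so no second hop occurs.
    $readSite = {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $site = $null
        $source = 'None'
        # Assumption (not from the thread): SiteName is the admin-set static
        # override; DynamicSiteName is the value Netlogon learned from a DC.
        if ($p -and $p.SiteName) {
            $site = $p.SiteName
            $source = 'SiteName'
        }
        elseif ($p -and $p.DynamicSiteName) {
            $site = $p.DynamicSiteName
            $source = 'DynamicSiteName'
        }
        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME
            Site     = $site
            Source   = $source
        }
    }

    if (-not $ComputerName) { return & $readSite }

    $params = @{
        ComputerName  = $ComputerName
        ScriptBlock   = $readSite
        ErrorAction   = 'SilentlyContinue'
        ErrorVariable = 'failed'
    }
    if ($Credential) { $params.Credential = $Credential }

    # Drop the PSComputerName/RunspaceId properties that remoting adds.
    Invoke-Command @params | Select-Object Computer, Site, Source
    foreach ($f in $failed) { Write-Warning "Query failed: $f" }
}

Get-CachedAdSite                                   # local machine
# Get-CachedAdSite -ComputerName 'RemoteComputer1' # name taken from the question
```

A Site of $null with Source 'None' means the machine has no site recorded, for example because it is not domain-joined or has not yet located a DC.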

AWESOME!! Thanks Peter

I will try this out.