
Unable to add DHCP failover peer relation from remote server

Question

Wednesday, February 13, 2019 10:47 AM

Hi 

I am trying to establish the failover relationship between two Windows servers (w1 and w2, both 2012 version) with PowerShell commands like:
Add-DhcpServerv4Failover -ComputerName "dhcpserver.contoso.com" -Name "SFO-SIN-Failover" -PartnerServer 10.0.0.99 -ScopeId 10.10.10.0,10.20.20.0 -LoadBalancePercent 70 -MaxClientLeadTime 2:00:00 -AutoStateTransition $True -StateSwitchInterval 2:00:00

But this command will be executed on one of the Windows servers from an external Linux machine (external remote), with WinRM being the interface between Linux and Windows. WinRM carries the command from Linux and it gets executed on w1; at that time it tries to communicate with the other Windows server w2 to cross-check whether the failover already exists or not, but it is unable to communicate with w2. The stack trace gives me permission denied:

Add-DhcpServerv4Failover : Failed to verify if a failover relationship by the
name SFO-SIN-Failover exists on server 10.0.0.99.
At line:1 char:74
+ if (-not(Get-DhcpServerv4Failover | ? { $_.Name -eq "MSDHCP0037Peer"})){
Add-Dhc ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : PermissionDenied: (MSDHCP0037Peer:root/Microsoft
/...erverv4Failover) [Add-DhcpServerv4Failover], CimException
    + FullyQualifiedErrorId : WIN32 5,Add-DhcpServerv4Failover

It says permission denied. Can I know what permissions the user needs to establish the failover relationship? The issue is that it is unable to communicate with the peer server to cross-check when I send the request from the Linux server (linux-->server1-->server2). How do I add permission to the user to perform this communication?

Reference: I posted the same issue at the link below

https://social.technet.microsoft.com/Forums/en-US/c3f0dfc3-7875-4993-889d-be91868b939b/unable-to-add-dhcp-failover-peer-relation-from-remote-server?forum=winserveripamdhcpdns

Thanks
TejaShetty

All replies (21)

Wednesday, February 13, 2019 10:54 AM

What permission does the currently used account have on both servers? If it is administrator on both of them then it is supposed to be sufficient. Do you have other logs from the event viewer? They may provide us more details.

This posting is provided AS IS with no warranties or guarantees , and confers no rights.

Ahmed MALEK

My Website Link

My Linkedin Profile

My MVP Profile


Wednesday, February 13, 2019 10:58 AM

As has been posted in your other threads, you cannot access a third system remotely with WinRM.   To do so requires CredSSP.   Unix does not support this at this time from what I have seen.

To understand what this issue is search for "second hop restriction".

Also DSC would likely be a good solution but it, also, is not yet available on Unix systems.

\(ツ)_/


Wednesday, February 13, 2019 11:59 AM

Hi

Yes, it is administrator on both the servers. "Do you have other logs from the event viewer?" > No, I cannot see any event logs related to this when I execute the command.

Thanks


Wednesday, February 13, 2019 12:13 PM

In this case, jrv comment shall be the one explaining the behavior. To confirm it, try to do the same from a Windows machine as the source. If it works then it shall be what jrv mentioned.

This posting is provided AS IS with no warranties or guarantees , and confers no rights.

Ahmed MALEK



Wednesday, February 13, 2019 1:12 PM

Hi jrv,

Thanks for the response.

Communication flow: Linux --> Windows server1 (w1) --> Windows server2 (w2)

I can pass credentials of w2 from Linux to w1 along with the command. Can I use those credentials to create a session for w2 on w1, and can I use this session value/variable for the command which needs to communicate with w2 from w1? Do we have any such prototypes? I am not sure about this idea; I am new to the PowerShell flow. If anyone can, please share references or prototypes similar to this.

Thanks
TejaShetty


Wednesday, February 13, 2019 1:24 PM

It is difficult for us to answer given that the source machine is a Linux one. For isolation and confirming that it is related to the fact that you are using a Linux box, you can refer to what we advised above.

This posting is provided AS IS with no warranties or guarantees , and confers no rights.

Ahmed MALEK



Wednesday, February 13, 2019 2:05 PM

Hi Ahmed,

I am trying to execute the command from a Windows server as source, but when I am creating the session it is giving the below error:

PS C:\Users\Administrator> $s = New-PSSession -ComputerName  WIN-OLG45F1PVSF,WIN-F1UIM4KSAVE
New-PSSession : [WIN-F1UIM4KSAVE] Connecting to remote server WIN-F1UIM4KSAVE failed with the following error message
: The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:6

+ $s = New-PSSession -ComputerName  WIN-OLG45F1PVSF,WIN-F1UIM4KSAVE
+      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : ServerNotTrusted,PSSessionOpenFailed

Do we need any pre-setup steps for remote connection of Windows servers?

Thanks


Wednesday, February 13, 2019 2:17 PM

It is a different error message now. Have you tried the following: https://serverfault.com/questions/657918/remote-ps-session-fails-on-non-domain-server

This posting is provided AS IS with no warranties or guarantees , and confers no rights.

Ahmed MALEK



Wednesday, February 13, 2019 3:07 PM

Hi Ahmed,

I have fixed the remote PS session connection issue, thanks for the reference.

I have tried a Windows server as source, trying to establish the failover remotely from the other Windows server; I still see the same issue:

[10.0.0.92]: PS C:\Users\Administrator\Documents> Add-DhcpServerv4Failover -Name "microsoftfailover" -PartnerServer 10.0.0.91 -ScopeId 10.0.0.0 -LoadBalancePercent "50" -MaxClientLeadTime 0:0:30:0 -AutoStateTransition $True -StateSwitchInterval 0:0:0:2 -SharedSecret "abc123" -Force
Failed to verify if a failover relationship by the name microsoftfailover exists on server 10.0.0.91.
    + CategoryInfo          : PermissionDenied: (microsoftee:root/Microsoft/...erverv4Failover) [Add-DhcpServerv4Failo
   ver], CimException
    + FullyQualifiedErrorId : WIN32 5,Add-DhcpServerv4Failover

[10.0.0.92]: PS C:\Users\Administrator\Documents>

I have tried the below fix also, still the same issue:

1) On the "client": Enable-WSManCredSSP -Role Client -DelegateComputer xxxxx (where xxxxx is "server1")

2) On "server 1": Enable-WSManCredSSP -Role Server

Thanks


Wednesday, February 13, 2019 5:24 PM

I will repeat that you cannot connect to a third host in a remote session using Kerberos authentication.  The results between Linux and Windows will likely be different. This is a security restriction.

Please search for the "second hop restriction" and read the articles you find.

\(ツ)_/


Monday, February 18, 2019 11:26 AM

Hi Jrv 

Thanks for the suggestion. To isolate the issue I have used all Windows servers (Server A, Server B, Server C); no UNIX is involved here, it is purely a Windows server combination, just trying whether the second hop restriction works fine if all are Windows servers, but still I am getting the same permission denied issue.

Thanks
Teja


Monday, February 18, 2019 12:05 PM

The second hop restriction prevents you from doing this.  You cannot bypass this restriction with Windows or with Unix.  You can only use CredSSP to set the correct authentication method that allocates fresh credentials in the remote connection.

\(ツ)_/


Monday, February 18, 2019 12:28 PM

This blog may help you with your issue...

https://blogs.technet.microsoft.com/ashleymcglone/2016/08/30/powershell-remoting-kerberos-double-hop-solved-securely/

Hth

This posting is provided AS IS without warranty of any kind


Monday, February 18, 2019 1:36 PM

Hi cthivierge,

Thanks for the reference. I have a few things to clarify: to support the Resource-Based Kerberos constrained delegation technique, do all the servers involved in this flow need to be domain controllers? Is it a minimum requirement to establish the technique?

Thanks
Teja


Monday, February 18, 2019 1:50 PM

DCs are set to allow delegation by default.  The user account must also be allowed for delegation to use it.

Only DCs are enabled for delegation.

The safe way to do this is with CredSSP.  It does not require unsafe delegation settings on non-DC systems.  Using delegation was the recommended practice before PowerShell remoting. 

For overall security I recommend that you do not use any of these methods.  Redesign your systems to use DSC.  DSC is a service that runs on all systems and can modify and access all network resources that permit access.

You can use the Gateway server from Unix to set up the DSC configurations that you want to deploy.  This does not require delegation.  You can also use a scheduled task/job running under your Windows Admin account to do this.

\(ツ)_/


Tuesday, February 19, 2019 11:48 AM

Hi Jrv

I have tried the CredSSP technique on Windows servers but still it is not working. I have performed the following steps on Windows servers of version Windows Server 2012 R2 with Windows 7 OS, which are non-domain servers (general):

1) On Windows server A (client) I have enabled PSSession for server B by adding server B into server A's TrustedHosts list; the control switched to server B as below:
PS C:\Users\Administrator.WIN-O24OMMU47LH> Enter-PSSession -ComputerName 10.3.10.3
[10.3.10.3]: PS C:\Users\Administrator.WIN-OLG45F1PVSF\Documents>

I have run the following command on the client (server A):
Enable-WSManCredSSP -Role Client -DelegateComputer 10.3.10.3 (where 10.3.10.3 is server B)

2) On server B I have executed the command:
Enable-WSManCredSSP -Role Server

3) Now on server A (client console which has a session to server B) I have executed the DHCP failover command for server B and server C:

PS C:\Users\Administrator.WIN-O24OMMU47LH> Enter-PSSession -ComputerName 10.3.10.3
[10.3.10.3]: PS C:\Users\Administrator.WIN-OLG45F1PVSF\Documents> Add-DhcpServerv4Failover  -Name "microsoft" -PartnerServer  "10.3.10.8" -ScopeId 10.3.10.0 -LoadBalancePercent "50"  -MaxClientLeadTime 0:0:30:0 -AutoStateTransition $True  -StateSwitchInterval 0:0:0:2 -SharedSecret "abc123"  -Force
Failed to verify if a failover relationship by the name microsoft exists on server 10.3.10.8
    + CategoryInfo    : PermissionDenied: (microsoft:root/Microsoft/...erverv4Failover) [Add-DhcpServerv4Failover], CimException
    + FullyQualifiedErrorId : WIN32 5,Add-DhcpServerv4Failover

Do we need any other things to set up with CredSSP to make it work?

I have one more point to clarify here: I am not executing any command directly on server C. I am just establishing the DHCP failover relation between server B and server C on server B (through server A from a remote session). Is it really making a double-hop case?

Thanks

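The CredSSP procedure above, worked through end to end as an added example (not code from the thread). Enabling CredSSP on both sides only permits delegation; the session to the middle hop must also be opened with -Authentication CredSSP and an explicit -Credential so that the middle server holds a fresh logon it can present to the partner. The addresses 10.3.10.3 (server B) and 10.3.10.8 (server C), the account, and the failover parameters are taken from the thread or assumed; server B is assumed to already be in server A's TrustedHosts.

```powershell
# Added example, run on server A (the client). Assumes 10.3.10.3 is server B and
# 10.3.10.8 is server C, both workgroup hosts, and that B is already in A's TrustedHosts.
$serverB = '10.3.10.3'
$serverC = '10.3.10.8'

# An account that is a local administrator on both B and C. On workgroup hosts use the
# machine-qualified form, e.g. "10.3.10.3\Administrator".
$cred = Get-Credential -Message "Account that is local administrator on $serverB and $serverC"

# Client side (A): allow delegation of fresh credentials to B only. Never use '*' here;
# CredSSP hands the full password to the delegate, so the target list is the control.
Enable-WSManCredSSP -Role Client -DelegateComputer $serverB -Force

# Server side (B): accept CredSSP. Done once, over an ordinary first-hop session.
Invoke-Command -ComputerName $serverB -Credential $cred -ScriptBlock {
    Enable-WSManCredSSP -Role Server -Force
}

# Confirm the client-side delegation target before relying on it.
Get-WSManCredSSP

# The second-hop call itself: the session to B is opened with CredSSP, so when the
# DHCP cmdlet on B contacts C it authenticates with real credentials, not a stale token.
$session = New-PSSession -ComputerName $serverB -Credential $cred -Authentication CredSSP
try {
    Invoke-Command -Session $session -ArgumentList $serverC -ScriptBlock {
        param($partner)
        # Shared secret is a demonstration value; generate a strong one in practice.
        Add-DhcpServerv4Failover -Name 'microsoft' -PartnerServer $partner -ScopeId 10.3.10.0 `
            -LoadBalancePercent 50 -MaxClientLeadTime 0:0:30:0 -AutoStateTransition $true `
            -StateSwitchInterval 0:0:0:2 -SharedSecret 'abc123' -Force
        # Read the relationship back so a silent failure is visible.
        Get-DhcpServerv4Failover -Name 'microsoft'
    }
}
finally {
    Remove-PSSession $session
    # Remove the delegation once the task is done so A is not left permanently CredSSP-enabled.
    Disable-WSManCredSSP -Role Client
}
```

On workgroup hosts the first hop authenticates with NTLM, so the "Allow delegating fresh credentials with NTLM-only server authentication" policy on A must also list wsman/10.3.10.3; if it does not, the CredSSP session fails before the DHCP cmdlet ever runs.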

Tuesday, February 19, 2019 12:25 PM

Ok.  Now post that error in the cluster forum to get help with understanding why the cluster or the command are failing.  At least you are not getting access denied.

\(ツ)_/


Tuesday, February 19, 2019 1:01 PM

Hi Jrv 

Can you please check the total error message:
PS C:\Users\Administrator.WIN-O24OMMU47LH> Enter-PSSession -ComputerName 10.3.10.3
[10.3.10.3]: PS C:\Users\Administrator.WIN-OLG45F1PVSF\Documents> Add-DhcpServerv4Failover  -Name "microsoft" -PartnerServer  "10.3.10.8" -ScopeId 10.3.10.0 -LoadBalancePercent "50"  -MaxClientLeadTime 0:0:30:0 -AutoStateTransition $True  -StateSwitchInterval 0:0:0:2 -SharedSecret "abc123"  -Force
Failed to verify if a failover relationship by the name microsoft exists on server 10.3.10.8
    + CategoryInfo    : PermissionDenied: (microsoft:root/Microsoft/...erverv4Failover) [Add-DhcpServerv4Failover], CimException
    + FullyQualifiedErrorId : WIN32 5,Add-DhcpServerv4Failover

Yes, I am still getting the PermissionDenied issue. Thanks



Tuesday, February 19, 2019 1:09 PM

Yes.  The name apparently doesn't exist as a server.

Failed to verify if a failover relationship by the name microsoft exists

The permission denied seems to be because the name you are trying to create does not exist.

Again. Post in the cluster forum.

\(ツ)_/


Tuesday, February 19, 2019 2:07 PM

Hi Jrv,

The issue is the same as from the start:

Add-DhcpServerv4Failover : Failed to verify if a failover relationship by the
name SFO-SIN-Failover exists on server 10.0.0.99.
At line:1 char:74
+ if (-not(Get-DhcpServerv4Failover | ? { $_.Name -eq "MSDHCP0037Peer"})){
Add-Dhc ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : PermissionDenied: (MSDHCP0037Peer:root/Microsoft
/...erverv4Failover) [Add-DhcpServerv4Failover], CimException
    + FullyQualifiedErrorId : WIN32 5,Add-DhcpServerv4Failover

No change after applying the CredSSP technique. The command

Add-DhcpServerv4Failover  -Name "microsoft" -PartnerServer  "10.3.10.8" -ScopeId 10.3.10.0 -LoadBalancePercent "50"  -MaxClientLeadTime 0:0:30:0 -AutoStateTransition $True  -StateSwitchInterval 0:0:0:2 -SharedSecret "abc123"  -Force

internally communicates with the partner server and checks whether the same name exists or not; if it exists it throws an exception, and if not it proceeds to create. But the first step, i.e. connecting to the partner server itself, is not happening, hence it says failed to verify.

Thanks


Tuesday, February 19, 2019 2:55 PM

You need to fix your cluster as it cannot communicate between members.

Post in the cluster forum to get assistance.

\(ツ)_/