OK, this one I'm not filing as a bug, because I know it's just my own unfamiliarity with PowerShell through remote sessions, but maybe someone can point me in the right direction...
I have a server in my environment that is not a DC but has all the AD tools installed in order to remotely manage AD. Let's call it ADUTIL. On ADUTIL, I have a PowerShell script that I use for provisioning new OU and user structure for new clients... Prompts for a few variables, and then runs based on the results by creating an appropriate OU structure, groups, users, and group memberships, etc. This script runs flawlessly from a PowerShell session directly on ADUTIL server and runs its commands against server ADDC.
Now, I have a WAC server... let's call it WACUTIL. Using WACUTIL, I connect to ADUTIL and click on the PowerShell extension. I log in, I switch to my Scripts directory, run my script, but instead of working, the script generates errors like:
New-ADOrganizationalUnit : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
Like I said, I think this is probably just my lack of understanding here, so maybe just a quick link or guidance would be helpful. Anybody have any suggestions?
Unfortunately the Active Directory cmdlets don’t work in a remote PowerShell session, which is what WAC uses for the console on the machine you are managing.
Outside of WAC, if you open your local PowerShell console to connect like this:
Then try the same script you were using in WAC, you should see the same errors.
The root cause of the AD cmdlets throwing this error in a remote session is referred to as the “double-hop” problem.
You are on LAPTOP, connected to ADUTIL. When you run an AD cmdlet, that cmdlet is making a remote call to the DC (the second "hop"), which requires authentication. In this example, in the default configuration, there is no way for your credentials to get from LAPTOP to DC.
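An added example (not code from either poster) of one way around the double hop: the AD cmdlets accept -Credential, so a PSCredential collected on LAPTOP can be passed into the remote session and used for the second hop to the DC. It assumes the hostnames from the thread (LAPTOP, ADUTIL, ADDC) and a constructed domain/OU path; the first call shows the failure mode from the question, the second the working form.

```powershell
# Added example, not from the thread. Assumed names: LAPTOP (local console),
# ADUTIL (jump host with RSAT), ADDC (domain controller). Domain and OU values
# are constructed samples.

# 1. Collect the credential once, on LAPTOP, as a PSCredential object.
$adCred = Get-Credential -Message 'Account permitted to create OUs and groups'

# 2. Pass it into the remote session as an argument object (no plaintext
#    password in the script text or on disk on ADUTIL).
Invoke-Command -ComputerName ADUTIL -ArgumentList $adCred -ScriptBlock {
    param([pscredential]$Cred)

    Import-Module ActiveDirectory

    # Without -Credential the call rides on the remote session's token, which
    # cannot be delegated from ADUTIL to ADDC: this is the second hop failing.
    try {
        Get-ADDomain -Server ADDC -ErrorAction Stop | Out-Null
        Write-Output 'Second hop succeeded without an explicit credential.'
    } catch {
        Write-Output "Second hop failed as expected: $($_.Exception.Message)"
    }

    # 3. With -Credential, each AD cmdlet authenticates to ADDC itself, so the
    #    session token is never needed for the second hop.
    $domainDn = 'DC=example,DC=com'               # constructed sample value
    $ouParams = @{
        Name        = 'ExampleClient'              # constructed sample value
        Path        = "OU=Clients,$domainDn"       # constructed sample value
        Server      = 'ADDC'
        Credential  = $Cred
        ErrorAction = 'Stop'
    }
    New-ADOrganizationalUnit @ouParams

    New-ADGroup -Name 'ExampleClient-Users' -GroupScope Global `
        -Path "OU=ExampleClient,OU=Clients,$domainDn" `
        -Server ADDC -Credential $Cred -ErrorAction Stop
}
```

This keeps the credential scoped to the commands that need it instead of enabling CredSSP on ADUTIL, which would leave a reusable copy of the credential on the jump host; where a prompt is not acceptable, Kerberos resource-based constrained delegation for ADUTIL to ADDC is the delegation-based alternative.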
Understood.... so I need a means of gathering the credentials and passing them through, providing the commands I'm using can support this. I think I saw a few other forum posts elsewhere discussing this, so I'll see what I can find based on that. Thanks for the response!