Weird problem with get-addomaincontroller

kurtbuff posted this 14 June 2019

All,
Found a cool script that uses "get-addomaincontroller -filter *", and I'm getting an error using it.
Can anyone here give me a starting place to start the hunt? I've looked in the Windows\WinRM logs, and don't see anything that looks relevant. I've done both a "winrm quickconfig" and "enable-psremoting", and that seems to have taken, so I'm at a loss as to where to go from here.

get-addomaincontroller -filter *
get-addomaincontroller : Directory object not found
At line:1 char:1
+ get-addomaincontroller -filter *
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Get-ADDomainController], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADDomainController

I'm pretty baffled, because I've run it on all 4 of my DCs (3 x 2012 R2 and 1 x 2016).
If I run the cmdlet against named DCs, I get back data, no problems.
I suspect (but am really not sure!) it has something to do with wsman on the DC in our UK office, and here's why - the script I'm running is from here: https://itconnect.uw.edu/wares/msinf/other-help/lmcompatibilitylevel/using-get-ntlmv1logonevents-ps1/
(Thanks to Eric Kool-Brown and Brian Arkills for this!)
Running it with "-Target DCs" emits the error below, but running it against individual DCs works, except against our UK DC. When running it against our UK DC, whether from my laptop or on the DC itself, I get the following:
.\Get-NtlmV1LogonEvents.ps1 -NumEvents 10 -Target DCs
Get-ADDomainController : Directory object not found
At C:\Batchfiles\Get-NtlmV1LogonEvents.ps1:93 char:10
+         $dcs = Get-ADDomainController -Filter * | select -expand host ...
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Get-ADDomainController], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADDomainController
Querying security log for NTLM V1 events (ID 4624) on DCs
Invoke-Command : Cannot validate argument on parameter 'ComputerName'. The argument is null or empty. Provide an
argument that is not null or empty, and then try the command again.
At C:\Batchfiles\Get-NtlmV1LogonEvents.ps1:97 char:32
+         Invoke-Command -ComputerName $dcs -ScriptBlock $remoteScript  ...
+                                      ~~~~
    + CategoryInfo          : InvalidData: (:) [Invoke-Command], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.InvokeCommandCommand


Kurt

bdesmond posted this 14 June 2019

I’d probably turn up tracing on the ADWS instance you’re targeting and see what it’s doing. First hit I got was this -

https://dirteam.com/tomek/2010/04/10/ad-ws-diagnostic-logging/. You might need to futz with permissions on the folder path to make sure the service can write to it.


Thanks,

Brian


kurtbuff posted this 14 June 2019

Thanks.
I will pursue this and get back to the list with results - but I have to conquer a firewall problem first.
Kurt



kurtbuff posted this 18 June 2019

Well that was less than satisfactory.
I turned up debugging per the article, including restarting the service, and get absolutely no results in the log file.
I'll have to do some more searching.
Kurt



kurtbuff posted this 31 July 2019

A quick followup, but not a resolution yet...
After working on a number of other things that were more urgent, I finally got back to this problem.
It's looking like a problem with our networking, and I'm mostly suspicious of our Riverbeds.
I used Test-WinRM from DC to DC across our WAN links, and running it both ways between our AU and US offices had no problems. On the other hand, I cannot get it to work with our UK office to or from either the AU and US offices. The packet capture I took at the US firewall shows huge amounts of retransmits and out of order packets during the few moments I was doing the test.
Further, using Test-WinRM from another machine in the UK office against the UK DC also works.
I don't know why other things work, such as RDP to the DC in the UK (and any other machine) as well as accessing and copying to/from UNC shares, etc., but it seems pretty clear that there's a problem with something over there.
Kurt



kool posted this 31 July 2019

Hi Kurt,


You’ve definitely got a challenging situation. Firewalls and MS RPC are a problem unless the rules are correct.


One thing I’d verify is the ability to do the DNS lookups needed to find DCs. I don’t believe that WSMAN is usable until after a DC name is located through DNS. You might try “nltest /dsgetdc:<domain-name>” or “nltest /dclist:<domain-name>” to ensure that a basic DNS lookup works. For the <domain-name> argument try both the full DNS name of the domain and the NetBIOS name of the domain.


    Eric


kurtbuff posted this 31 July 2019

The firewall rules are WFO between offices (not best practice, of course, but it's hard to convince management to tighten them up).
So, name resolution is almost certainly not the problem - and I do get name resolution just fine, and can ping back and forth by name between all DCs.
I think there's something weird going on between our firewall/switch/Riverbed that's mangling packets - probably the Riverbed trying to be "helpful".
Kurt
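A consolidated per-DC check that exercises the pieces this thread touches (DNS-based DC discovery, the ADWS port the AD cmdlets need, the WinRM port Invoke-Command needs, and the filtered Get-ADDomainController query run against each DC's own ADWS instance) so that a failing DC shows up in a single table. This is an added example written for this thread, not code from the UW script or from any of the posters; the domain name is a placeholder and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: isolate which DC breaks "Get-ADDomainController -Filter *".
# Placeholder domain; replace with your own. Requires the ActiveDirectory module.
param([string]$Domain = 'corp.example.com')

Import-Module ActiveDirectory -ErrorAction Stop

# Step 1: DNS-based DC discovery (the same lookup nltest /dclist relies on),
# using the _ldap._tcp.dc._msdcs SRV record set for the domain.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$dcNames = $srv | Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget -Unique

$results = foreach ($dc in $dcNames) {
    # ADWS listens on TCP 9389; every AD cmdlet fails without it, WinRM or not.
    $adws  = Test-NetConnection -ComputerName $dc -Port 9389 -WarningAction SilentlyContinue
    # WinRM listens on TCP 5985; this is what Invoke-Command in the NTLMv1 script uses.
    $winrm = Test-NetConnection -ComputerName $dc -Port 5985 -WarningAction SilentlyContinue

    # Full WS-Management handshake, not just a TCP connect.
    $wsmanOk = $false
    try { $null = Test-WSMan -ComputerName $dc -ErrorAction Stop; $wsmanOk = $true } catch {}

    # Run the query that fails domain-wide, but pinned to this DC's ADWS instance.
    # If it fails only for one DC, that DC (or the path to it) is the culprit.
    $filterOk = $false; $filterError = ''
    try {
        $null = Get-ADDomainController -Filter * -Server $dc -ErrorAction Stop
        $filterOk = $true
    } catch { $filterError = $_.Exception.Message }

    [pscustomobject]@{
        DC            = $dc
        ADWS_9389     = $adws.TcpTestSucceeded
        WinRM_5985    = $winrm.TcpTestSucceeded
        WSMan         = $wsmanOk
        FilterQueryOk = $filterOk
        Error         = $filterError
    }
}

$results | Format-Table -AutoSize
```

Run it from a domain-joined admin workstation; a row with ADWS_9389 true but FilterQueryOk false points at the directory service on that DC, while false TCP tests point at the network path, which is the distinction the thread was trying to draw.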