PowerShell script exchange
Andreas Neufert
VP, Product Management
Posts: 6707
Liked: 1401 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Andys scripting corner - Orchestrator/ExternalSQL/vcenter

Post by Andreas Neufert »

Hi,

a customer had problems with Remote Powershell and external SQL Server.
Solution:
Using CredSSP together with invoke-command.

Same customer uses VMware orchestrator for automation.
VMware Orchestrator does not support CredSSP.
Solution:
Passing Credentials to CredSSP

Some Veeam commands need a connection to vcenter Server.
Together with Remote Powershell you see the error:
Failed to login to "vcenter.demolab.an.veeam.de" by SOAP, port 443, user "vcenter\Administrator", proxy srv: port:0
+ CategoryInfo : InvalidOperation: (Veeam.Backup.Po...FindVBRViEntity:FindVBRViEntity) [Find-VBRViEntity], Exception
+ FullyQualifiedErrorId : Backup,Veeam.Backup.PowerShell.Command.FindVBRViEntity

Solution:
You need to enhance the MaxMemoryPerShell on Veeam B&R Server.
set-item wsman:localhost\Shell\MaxMemoryPerShellMB 512
See also: http://forums.veeam.com/viewtopic.php?f=2&t=8269


Thank you to Marc Seitz, Tom Sightler and Seth Bartlett. They found the solutions that I used here in the example script all together.


Example script:

Code: Select all

# To activate CredSSP on a Client:
# enable-wsmancredssp -role client -delegatecomputer backup, backup.demolab.an.veeam.de, vcenter, vcenter.demolab.an.veeam.de
# If you use a separate SQL Server, please add it as well.
#
#
# If you see the following error:
# Failed to login to "vcenter.demolab.an.veeam.de" by SOAP, port 443, user "vcenter\Administrator", proxy srv: port:0
# + CategoryInfo          : InvalidOperation: (Veeam.Backup.Po...FindVBRViEntity:FindVBRViEntity) [Find-VBRViEntity], Exception
# + FullyQualifiedErrorId : Backup,Veeam.Backup.PowerShell.Command.FindVBRViEntity
# You need to enhance the MaxMemoryPerShell on Veeam B&R Server.
# set-item wsman:localhost\Shell\MaxMemoryPerShellMB 512
#
#
# If you see: Warning: You should update your PowerShell to PowerShell 2.0 version. => Ignore it.
#
# invoke-command is not able to pass variables or output back. So you do not see any output in this example.


#set-item wsman:localhost\Shell\MaxMemoryPerShellMB 512
$backupserver = "backup.demolab.an.veeam.de"
$username = "demolab\Administrator"
$password = convertto-securestring -string "Sumsi1!" -asplaintext -force
$credentials = new-object -typename System.Management.Automation.PSCredential -argumentlist $Username, $Password
$session = New-PSSession $backupserver #-authentication CredSSP -Credential $credentials

invoke-command -session $session -scriptblock {
    Add-PSSnapin -Name VeeamPSSnapIn -ErrorAction SilentlyContinue
    $vcenter = "vcenter.demolab.an.veeam.de" #Your Hostname or IP Address of ESX(i) or VCenter (see B&R console for correct name)
    $searchstring = "AD"  #Search String. Here as example VM AD
    $vcenterobject = Get-VBRServer -Name $vcenter
    $searchobject = Find-VBRViEntity -Server $vcenterobject -Name $searchstring
}
Remove-PSSession $session
CU Andy
tsightler
VP, Product Management
Posts: 6009
Liked: 2843 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Andys scripting corner - Orchestrator/ExternalSQL/vcenter

Post by tsightler » 1 person likes this post

Another option instead of using CredSSP, is to use the legacy delegation method. This is pretty safe and easy to configure, and saves you from having to mess with CredSSP at all. To do this you simply must enable "Delegation" on the computers you are PS remoting to.

1. Start "Active Directory Users and Computers"
2. Locate the computer you will be remoting to (the Veeam server) and select properties.
3. Select the "Delegation" tab
4. Select "Trust the computer for delegation to specified services only"
5. Choose the account that will be running the PowerShell script, and select the SQL service on the server providing the Veeam database

This account will now be trusted for delegation to the SQL server only from the Veeam server, and you can use standard Kerberos authentication rather than CredSSP for remote PowerShell.

I'll admit that CredSSP is probably the "correct, modern" way to do this, but it can be an absolute pain to enable and configure all of the required options, while this requires only a simple change via the Users and Computers GUI, and perhaps a reboot of the Veeam server (it will take effect without a reboot, but seems to take some time).
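
A way to confirm the result of the delegation steps above from PowerShell, as an added example that is not part of the original posts. It assumes the ActiveDirectory module (RSAT) and PowerShell 3.0 or later; `Test-VeeamSqlDelegation` is a hypothetical helper name and `sql01` is a placeholder for the external SQL Server.

```powershell
# Added example. 'backup' is the Veeam server name used in the thread;
# 'sql01' is a placeholder for the server hosting the Veeam database.
Import-Module ActiveDirectory

function Test-VeeamSqlDelegation {
    param(
        [Parameter(Mandatory)] [string] $VeeamServer,
        [Parameter(Mandatory)] [string] $SqlServer
    )

    $computer = Get-ADComputer -Identity $VeeamServer -Properties `
        TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

    # SPNs this computer may delegate to (empty when none are configured).
    $targets = @($computer.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    # SQL Server SPNs look like MSSQLSvc/<host>[:port or instance]; prefix match.
    $sqlPattern = "MSSQLSvc/$SqlServer*"
    $sqlSpns    = @($targets | Where-Object { $_ -like $sqlPattern })
    $otherSpns  = @($targets | Where-Object { $_ -notlike $sqlPattern })

    [pscustomobject]@{
        Computer           = $computer.Name
        # True means "trust for delegation to any service", which is wider
        # than the "specified services only" option chosen in step 4.
        Unconstrained      = [bool]$computer.TrustedForDelegation
        # True means "use any authentication protocol" was selected.
        ProtocolTransition = [bool]$computer.TrustedToAuthForDelegation
        SqlSpnListed       = $sqlSpns.Count -gt 0
        SqlSpns            = $sqlSpns
        # Anything listed here is delegation beyond the SQL service.
        OtherTargets       = $otherSpns
    }
}

Test-VeeamSqlDelegation -VeeamServer 'backup' -SqlServer 'sql01' | Format-List
```

The expected state for the setup described is `Unconstrained = False`, `SqlSpnListed = True` and an empty `OtherTargets`.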

Re: Andys scripting corner - Orchestrator/ExternalSQL/vcenter

Post by Andreas Neufert »

Thank you Tom,

this is great stuff.

CU Andy

Re: Andys scripting corner - Orchestrator/ExternalSQL/vcente

Post by Andreas Neufert »

If you try this without Domain Membership of all Servers, please find here an example script.
In the comments you find all needed settings for setting up WinRM/WSMAN.
Please test if you can run custom scripts on all servers locally before you try this remotely.

Code: Select all

#On the BRE/SQL Server
#enable-wsmancredssp -role server
#set-item wsman:localhost\Shell\MaxMemoryPerShellMB 512

#On the Client
#winrm quickconfig
#enable-wsmancredssp -role client -delegatecomputer backup, backup.demoinfra.an.veeam.de
#set-item wsman:localhost\Shell\MaxMemoryPerShellMB 512
#
#gpedit.msc
#Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication
#Enable and add SPN and FQDN of the Servers in the list, like this:
#WSMAN/Servername               (without #)
#WSMAN/servername.domain.tld    (without #)
#
#PS with Administrative rights "gpupdate /force"

write-host " "
write-host " "
write-host " "
write-host " "
write-host " "
write-host " "
write-host " "
$actualtime = get-date
$actualtimeformated =$actualtime.ToUniversalTime()
Write-host $actualtime "Information: Loading Input"
$backupserver = "backup"
$username = "demoinfra\Administrator"
$password = convertto-securestring -string "Sumsi1!" -asplaintext -force
$credentials = new-object -typename System.Management.Automation.PSCredential -argumentlist $Username, $Password
$session = New-PSSession $backupserver -authentication CredSSP -Credential $credentials

$actualtime = get-date
$actualtimeformated =$actualtime.ToUniversalTime()
Write-host $actualtime "Information: Connecting to Backup Server and processing commands..."

invoke-command -session $session -scriptblock{


$actualtime = get-date
$actualtimeformated =$actualtime.ToUniversalTime()
Write-host $actualtime "Information: Connected to Backup Server (Timestamps are now on local time of backup server)"

$actualtime = get-date
$actualtimeformated =$actualtime.ToUniversalTime()
Write-host $actualtime "Information: Loading Veeam Powershell Snapin"
Add-PSSnapin -Name VeeamPSSnapIn -ErrorAction SilentlyContinue

$JobName = "replicatest"

$actualtime = get-date
$actualtimeformated =$actualtime.ToUniversalTime()
Write-host $actualtime "Information: Starting Job:" $JobName
$JobObject = Get-VBRJob | where {$_.Name -eq $JobName}
Start-VBRJob $JobObject



}
Remove-PSSession $session
$actualtime = get-date
$actualtimeformated =$actualtime.ToUniversalTime()
Write-host $actualtime "Information: Job finished"
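
A variant of the CredSSP job-start script that loads the credential from a DPAPI-protected file rather than a literal in the script, passes the job name into the remote block with `-ArgumentList`, and returns the job output to the caller. This is an added example, not code from the posts; it assumes PowerShell 3.0 or later, and the function name `Start-RemoteVeeamJob` and the credential file path are hypothetical.

```powershell
# Added example. Create the credential file once, interactively, as the
# account that will run the automation (path is a hypothetical choice):
#   Get-Credential | Export-Clixml -Path C:\Scripts\veeam-cred.xml
# On Windows, Export-Clixml encrypts the password with DPAPI, so the file
# can only be decrypted by the same user on the same machine.

function Start-RemoteVeeamJob {
    param(
        [Parameter(Mandatory)] [string] $BackupServer,
        [Parameter(Mandatory)] [string] $JobName,
        [Parameter(Mandatory)] [string] $CredentialPath
    )

    $credential = Import-Clixml -Path $CredentialPath
    $session = New-PSSession -ComputerName $BackupServer `
        -Authentication Credssp -Credential $credential
    try {
        # -ArgumentList binds to param() inside the remote script block;
        # whatever the block emits is returned to the caller (deserialized).
        Invoke-Command -Session $session -ArgumentList $JobName -ScriptBlock {
            param($Name)

            Add-PSSnapin -Name VeeamPSSnapIn -ErrorAction Stop
            $job = Get-VBRJob | Where-Object { $_.Name -eq $Name }
            if (-not $job) { throw "Veeam job '$Name' not found" }

            $result = Start-VBRJob $job
            [pscustomobject]@{
                Job    = $Name
                Server = $env:COMPUTERNAME
                Output = ($result | Out-String).Trim()
            }
        }
    }
    finally {
        # Close the session even if the remote block throws.
        Remove-PSSession -Session $session
    }
}

Start-RemoteVeeamJob -BackupServer 'backup' -JobName 'replicatest' `
    -CredentialPath 'C:\Scripts\veeam-cred.xml'
```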