Andys scripting corner - Orchestrator/ExternalSQL/vcenter


by Andreas Neufert » Wed Aug 08, 2012 9:20 am

Hi,

A customer had problems with Remote PowerShell and an external SQL Server.
Solution:
Using CredSSP together with invoke-command.

The same customer uses VMware Orchestrator for automation.
VMware Orchestrator does not support CredSSP.
Solution:
Passing Credentials to CredSSP

Some Veeam commands need a connection to vcenter Server.
Together with Remote Powershell you see the error:
Failed to login to "vcenter.demolab.an.veeam.de" by SOAP, port 443, user "vcenter\Administrator", proxy srv: port:0
+ CategoryInfo : InvalidOperation: (Veeam.Backup.Po...FindVBRViEntity:FindVBRViEntity) [Find-VBRViEntity], Exception
+ FullyQualifiedErrorId : Backup,Veeam.Backup.PowerShell.Command.FindVBRViEntity

Solution:
You need to enhance the MaxMemoryPerShell on Veeam B&R Server.
set-item wsman:localhost\Shell\MaxMemoryPerShellMB 512
See also: viewtopic.php?f=2&t=8269


Thank you to Marc Seitz, Tom Sightler and Seth Bartlett. They found the solutions that I used here in the example script all together.


Example script:
Code:
# To activate CredSSP on a Client:
# enable-wsmancredssp -role client -delegatecomputer backup, backup.demolab.an.veeam.de, vcenter, vcenter.demolab.an.veeam.de
# If you use a separate SQL Server, please add it as well.
#
#
# If you see the following error:
# Failed to login to "vcenter.demolab.an.veeam.de" by SOAP, port 443, user "vcenter\Administrator", proxy srv: port:0
# + CategoryInfo          : InvalidOperation: (Veeam.Backup.Po...FindVBRViEntity:FindVBRViEntity) [Find-VBRViEntity], Exception
# + FullyQualifiedErrorId : Backup,Veeam.Backup.PowerShell.Command.FindVBRViEntity
# You need to enhance the MaxMemoryPerShell on Veeam B&R Server.
# set-item wsman:localhost\Shell\MaxMemoryPerShellMB 512
#
#
# If you see: Warning: You should update your PowerShell to PowerShell 2.0 version. => Ignore it.
#
# invoke-command is not able to pass variables or output back. So you do not see any output in this example.


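#set-item wsman:localhost\Shell\MaxMemoryPerShellMB 512
$backupserver = "backup.demolab.an.veeam.de"
$username = "demolab\Administrator"
# Example password in clear text; it is converted to a SecureString for the PSCredential object
$password = convertto-securestring -string "Sumsi1!" -asplaintext -force
$credentials = new-object -typename System.Management.Automation.PSCredential -argumentlist $Username, $Password
# The CredSSP parameters are commented out on this line, so $credentials is not used for the session as written
$session = New-PSSession $backupserver #-authentication CredSSP -Credential $credentials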

invoke-command -session $session -scriptblock {
    Add-PSSnapin -Name VeeamPSSnapIn -ErrorAction SilentlyContinue
    $vcenter = "vcenter.demolab.an.veeam.de" #Your Hostname or IP Address of ESX(i) or VCenter (see B&R console for correct name)
    $searchstring = "AD"  #Search String. Here as example VM AD
    $vcenterobject = Get-VBRServer -Name $vcenter
    $searchobject = Find-VBRViEntity -Server $vcenterobject -Name $searchstring
}
Remove-PSSession $session


CU Andy
Andreas Neufert
Veeam Software
 
Full Name: @AndyandtheVMs Veeam PM
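
An added example, not part of the original post: the same remote lookup over CredSSP with the credential loaded from a DPAPI-protected file instead of a clear-text string in the script, the search values passed in through -ArgumentList, and the result captured from Invoke-Command. The path in $credFile is an assumption; the file has to be created once under the same Windows account and on the same machine that later runs the script.

```powershell
# Added example. Host names are the ones used in the post; $credFile is a hypothetical path.
$backupserver = "backup.demolab.an.veeam.de"
$vcenter      = "vcenter.demolab.an.veeam.de"
$searchstring = "AD"
$credFile     = "C:\Scripts\veeam-remoting.cred.xml"   # assumption

# One-time setup, run interactively as the account that will run this script:
#   Get-Credential | Export-Clixml -Path $credFile
# Export-Clixml encrypts the password with Windows DPAPI, so only that
# account on that machine can decrypt it again.
if (-not (Test-Path -LiteralPath $credFile)) {
    throw "Credential file $credFile not found; create it with Export-Clixml first."
}
$credentials = Import-Clixml -Path $credFile
if ($credentials -isnot [System.Management.Automation.PSCredential]) {
    throw "$credFile does not contain a PSCredential object."
}

$session = New-PSSession -ComputerName $backupserver -Authentication Credssp -Credential $credentials
try {
    # Local values reach the remote script block through -ArgumentList and param().
    $found = Invoke-Command -Session $session -ArgumentList $vcenter, $searchstring -ScriptBlock {
        param($VCenterName, $Name)
        Add-PSSnapin -Name VeeamPSSnapIn -ErrorAction Stop
        $server = Get-VBRServer -Name $VCenterName
        # Objects emitted here are serialized and returned to the caller.
        Find-VBRViEntity -Server $server -Name $Name
    }
    $found | Select-Object Name, PSComputerName
}
finally {
    # Close the session even when the remote call fails.
    Remove-PSSession -Session $session
}
```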

Re: Andys scripting corner - Orchestrator/ExternalSQL/vcenter

by tsightler » Wed Aug 08, 2012 4:30 pm

Another option, instead of using CredSSP, is to use the legacy delegation method. This is pretty safe and easy to configure, and saves you from having to mess with CredSSP at all. To do this you simply must enable "Delegation" on the computers you are PS remoting to.

1. Start "Active Directory Users and Computers"
2. Locate the computer you will be remoting to (the Veeam server) and select properties.
3. Select the "Delegation" tab
4. Select "Trust the computer for delegation to specified services only"
5. Choose the account that will be running the PowerShell script, and select the SQL service on the server providing the Veeam database

This account will now be trusted for delegation to the SQL server only from the Veeam server, and you can use standard Kerberos authentication rather than CredSSP for remote PowerShell.

I'll admit that CredSSP is probably the "correct, modern" way to do this, but it can be an absolute pain to enable and configure all of the required options, while this requires only a simple change via the Users and Computers GUI, and perhaps a reboot of the Veeam server (it will take effect without a reboot, but seems to take some time).
tsightler
Veeam Software
 
Full Name: Tom Sightler
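
An added example, not part of the original post: a check that the delegation configured in the steps above really is constrained to the SQL service and nothing else. It assumes the ActiveDirectory module (RSAT) is installed and that the Veeam server's computer account is named `backup`; `Test-VeeamDelegation` is a hypothetical helper name.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Test-VeeamDelegation {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # AD computer account of the Veeam server
        [string] $AllowedServiceClass = 'MSSQLSvc'       # service class expected in every allowed SPN
    )
    $c = Get-ADComputer -Identity $ComputerName -Properties `
        TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

    # SPNs this computer may delegate to ("specified services only" fills this list).
    $spns = @($c.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    $unexpected = @($spns | Where-Object { $_ -notlike "$AllowedServiceClass/*" })

    [pscustomobject]@{
        Computer           = $c.Name
        # True means "trust for delegation to any service", which is broader than step 4.
        Unconstrained      = [bool]$c.TrustedForDelegation
        # True means "use any authentication protocol" rather than Kerberos only.
        ProtocolTransition = [bool]$c.TrustedToAuthForDelegation
        AllowedSpns        = $spns
        UnexpectedSpns     = $unexpected
        Ok                 = (-not $c.TrustedForDelegation) -and
                             ($spns.Count -gt 0) -and
                             ($unexpected.Count -eq 0)
    }
}

# 'backup' is an assumed account name taken from the host name used in this thread.
Test-VeeamDelegation -ComputerName 'backup' | Format-List
```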

Re: Andys scripting corner - Orchestrator/ExternalSQL/vcenter

by Andreas Neufert » Wed Aug 08, 2012 7:18 pm

Thank you Tom,

this is great stuff.

CU Andy
Andreas Neufert
Veeam Software
 
Full Name: @AndyandtheVMs Veeam PM

Re: Andys scripting corner - Orchestrator/ExternalSQL/vcente

by Andreas Neufert » Mon Feb 24, 2014 1:15 pm

If you try this without Domain Membership of all Servers, please find here an example script.
In the comments you find all needed settings for setting up WinRM/WSMAN.
Please test if you can run custom scripts on all servers locally before you try this remotely.

Code:
#On the BRE/SQL Server
#enable-wsmancredssp -role server
#set-item wsman:localhost\Shell\MaxMemoryPerShellMB 512

#On the Client
#winrm quickconfig
#enable-wsmancredssp -role client -delegatecomputer backup, backup.demoinfra.an.veeam.de
#set-item wsman:localhost\Shell\MaxMemoryPerShellMB 512
#
#gpedit.msc
#Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication
#Enable and add SPN and FQDN of the Servers in the list, like this:
#WSMAN/Servername               (without #)
#WSMAN/servername.domain.tld    (without #)
#
#PS with Administrative rights "gpupdate /force"

write-host " "
write-host " "
write-host " "
write-host " "
write-host " "
write-host " "
write-host " "
$actualtime = get-date
$actualtimeformated =$actualtime.ToUniversalTime()
Write-host $actualtime "Information: Loading Input"
$backupserver = "backup"
$username = "demoinfra\Administrator"
$password = convertto-securestring -string "Sumsi1!" -asplaintext -force
$credentials = new-object -typename System.Management.Automation.PSCredential -argumentlist $Username, $Password
$session = New-PSSession $backupserver -authentication CredSSP -Credential $credentials

$actualtime = get-date
$actualtimeformated =$actualtime.ToUniversalTime()
Write-host $actualtime "Information: Connecting to Backup Server and processing commands..."

invoke-command -session $session -scriptblock{


$actualtime = get-date
$actualtimeformated =$actualtime.ToUniversalTime()
Write-host $actualtime "Information: Connected to Backup Server (Timestamps are now on local time of backup server)"

$actualtime = get-date
$actualtimeformated =$actualtime.ToUniversalTime()
Write-host $actualtime "Information: Loading Veeam Powershell Snapin"
Add-PSSnapin -Name VeeamPSSnapIn -ErrorAction SilentlyContinue

$JobName = "replicatest"

$actualtime = get-date
$actualtimeformated =$actualtime.ToUniversalTime()
Write-host $actualtime "Information: Starting Job:" $JobName
$JobObject = Get-VBRJob | where {$_.Name -eq $JobName}
Start-VBRJob $JobObject



}
Remove-PSSession $session
$actualtime = get-date
$actualtimeformated =$actualtime.ToUniversalTime()
Write-host $actualtime "Information: Job finished"
Andreas Neufert
Veeam Software
 
Full Name: @AndyandtheVMs Veeam PM
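
An added example, not part of the original post: a report of the CredSSP settings that the setup comments in the script above switch on, so the delegation targets on a client can be compared with the servers that were meant to be listed. `Get-CredSspDelegationReport` is a hypothetical helper name; the registry path is the standard Windows location for the Credentials Delegation policy.

```powershell
# Added example. Run in an elevated PowerShell with the WinRM service running.
function Get-CredSspDelegationReport {
    # Location written by Enable-WSManCredSSP -Role Client and by the
    # "Credentials Delegation" Group Policy settings.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    foreach ($policy in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
        $key = Join-Path $base $policy
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($valueName in $item.GetValueNames()) {
            $target = [string]$item.GetValue($valueName)
            [pscustomobject]@{
                Policy   = $policy
                Target   = $target               # e.g. WSMAN/servername.domain.tld
                Wildcard = $target.Contains('*') # broader than an explicit server entry
            }
        }
    }
}

$report = @(Get-CredSspDelegationReport)
$report | Format-Table -AutoSize

# WSMan settings touched by the setup comments (client role, server role, shell memory).
[pscustomobject]@{
    ClientCredSSP       = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
    ServiceCredSSP      = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
    MaxMemoryPerShellMB = (Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value
} | Format-List

$wild = @($report | Where-Object { $_.Wildcard })
if ($wild.Count -gt 0) {
    Write-Warning ("{0} delegation target(s) contain a wildcard; list the backup server's WSMAN SPNs explicitly." -f $wild.Count)
}
```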

