3

I'm trying to run the following:

# Build the credential used for the remote session
$secpasswd = 'Test'
$secpasswd = ConvertTo-SecureString $secpasswd -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ('domain2\nick', $secpasswd)

# Script block to run on the management box; it queries the DNS server on the DC
[scriptblock]$CheckDNS = {
    Get-DnsServerResourceRecord -Name 'computername' -ZoneName domain2.local -ComputerName domain2dC.domain2.local
}

# Run the script block remotely on the management box
Invoke-Command -ScriptBlock $CheckDNS -Credential $mycreds -ComputerName domain2managementbox.domain2.local

This should be running the Get-DnsServerResourceRecord module on the target machine; however, I'm getting the following error:

Failed to get the zone information for domain2.local on server domain2managementbox.domain2.local.
+ CategoryInfo          : PermissionDenied: (dgtest.local:root/Microsoft/...rResourceRecord) [Get-DnsServerResourceRecord], CimException
+ FullyQualifiedErrorId : WIN32 5,Get-DnsServerResourceRecord

When I run the command on the box itself it works fine and I have the correct permissions.

Thanks

NickBuckley

1 Answer

5

You're attempting to "double hop" with your credentials (from your client machine to "domain2managementbox.domain2.local", and then again to "domain2dC.domain2.local"). This is not permitted using the default Kerberos authentication.

Run Enable-WSManCredSSP -Role Client -DelegateComputer domain2managementbox.domain2.local -Force on your client machine.

Run Enable-WSManCredSSP -Role Server -Force on "domain2managementbox.domain2.local".

... and then use -CredSSP as an additional authentication parameter for Invoke-Command.

Robin
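The answer's three steps carried through end to end, as an added example that is not part of the original question or answer. Host names and the account are the ones from the question; the verification step, the prompt for the password instead of a plaintext literal, and the clean-up at the end are additions, and running the server-side step over a first-hop Invoke-Command is an assumption (it can equally be run locally on the management box). CredSSP hands the full credential to the first hop, so the delegation is scoped to that single host and removed once the task is done.

```powershell
# Added example (not from the question or answer): the CredSSP fix with a check and clean-up.
# Run the client-side steps from an elevated PowerShell session on the client machine.

$hop1    = 'domain2managementbox.domain2.local'   # first hop (management box)
$dnsHost = 'domain2dC.domain2.local'              # second hop (DNS server on the DC)

# Credential for domain2\nick; prompting avoids leaving the password in the script.
$secpasswd = Read-Host -Prompt 'Password for domain2\nick' -AsSecureString
$mycreds   = New-Object System.Management.Automation.PSCredential ('domain2\nick', $secpasswd)

# Step 1 (client): allow delegation of fresh credentials to this one host only.
# Do not widen it to a wildcard such as *.domain2.local.
Enable-WSManCredSSP -Role Client -DelegateComputer $hop1 -Force | Out-Null

# Step 2 (on the management box): accept delegated credentials.
# Assumption: this is executed remotely over a normal single-hop Kerberos session.
Invoke-Command -ComputerName $hop1 -Credential $mycreds -ScriptBlock {
    Enable-WSManCredSSP -Role Server -Force | Out-Null
}

# Check: the client delegation policy should now name $hop1.
$policy = Get-WSManCredSSP | Out-String
if ($policy -notlike "*$hop1*") { throw "CredSSP client delegation is not configured for $hop1" }

# Step 3: the original script block, now run with -Authentication CredSSP so the
# management box can authenticate onward to the DNS server as domain2\nick.
[scriptblock]$CheckDNS = {
    param($dns)
    Get-DnsServerResourceRecord -Name 'computername' -ZoneName 'domain2.local' -ComputerName $dns
}
$record = Invoke-Command -ComputerName $hop1 -Credential $mycreds -Authentication CredSSP `
                         -ScriptBlock $CheckDNS -ArgumentList $dnsHost
$record | Format-Table HostName, RecordType, RecordData -AutoSize

# Clean-up: delegation was only needed for this task, so remove it on both ends.
Invoke-Command -ComputerName $hop1 -Credential $mycreds -ScriptBlock { Disable-WSManCredSSP -Role Server }
Disable-WSManCredSSP -Role Client
```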
    I found that I could use Resolve-DnsName to query various records. See https://stackoverflow.com/a/75414495/1703887 – csrowell Feb 10 '23 at 17:48