I have the following batch script on a Windows 2008 R2 server:

@echo off
djoin.exe /provision /domain my.domain.com /machine test /savefile savefile.txt
echo %ERRORLEVEL%

If I run the script on the server itself, either through command prompt or PowerShell, it works perfectly fine and returns "0".

The problem is that I need to execute it from a remote computer, so I do the following (an example just for testing):

Invoke-Command -ComputerName remotehost -ScriptBlock {.\script.cmd}

The output is "-1073740940", which is probably error code C0000374, which could have something to do with heap corruption.

This seems to be a problem with the djoin command itself. I can comment out djoin and run other binaries, like ping, with no issues using the same Invoke-Command.

Keeping in mind that the script works perfectly fine when executed from PowerShell on the target computer, what issues could the act of remoting be introducing?

In both cases, the script is executed with the same privileges using my account, which is a member of Domain Admins. I doubt that it's a permissions issue and have no idea where else to look.

[edit]

Gave up on the whole thing. This is either a bug in djoin or some obscure problem in the interaction between djoin and PS remoting.

I managed to run djoin directly on the client, using 'runas /netonly ...' to provide domain credentials. It's a very messy solution (and I have yet to figure out how to get the exit status of a process started by runas), but gets the job done.

  • Does Invoke-Command -Computer remotehost -ScriptBlock { djoin.exe /provision /domain my.domain.com /machine test /savefile savefile.txt; $LASTEXITCODE } do anything different? In other words: Why do you need the batch file? Commented Mar 29, 2012 at 13:28
  • That fails in exactly the same manner. The batch file came about when I ran out of all other ideas of how to run djoin.exe. The thing is that running "djoin.exe /?", for example, works perfectly fine and I do get the usage output. But this command is used to prestage computer accounts in active directory, and this is the main operation that fails. Commented Mar 29, 2012 at 14:28
  • Ok, but then it's not the batch file that's the problem but rather the environment around PowerShell remoting which somehow prevents djoin from doing what it should do. Commented Mar 29, 2012 at 14:45
  • @VokinLoksar, did you find out what the problem was? I am running into the same issue and can't seem to find out what's wrong. Commented Sep 13, 2013 at 5:58
  • Nope. Still using 'runas /netonly "/user:$user" $cmd' where $cmd is the djoin command string. Commented Sep 13, 2013 at 12:04

1 Answer

This is almost certainly a classic "double-hop" authentication issue. Remember that when you use PowerShell Remoting you're using up one of those hops. Anything you execute on that remote machine that accesses a third remote machine is unlikely to work if it requires authentication.

To get around that, you can use an authentication method which allows you to Delegate Credentials such as CredSSP. It's a bit more involved than simply changing your authentication type as you have to make changes on the client side and the server side of the transaction. Refer to this blog post on MSDN, PowerShell Remoting and the “Double-Hop” Problem and this "Hey, Scripting Guy!" post, Enable PowerShell "Second-Hop" Functionality with CredSSP.
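
One way to set up the client-side and server-side CredSSP changes this answer refers to, as an added example that is not part of the original answer. It reuses the host, domain and machine names from the question, scopes delegation to that single host, and reverts both sides afterwards, because a host trusted for CredSSP receives the full credential.

```powershell
# Added example, not code from the original post.
# Run from an elevated PowerShell prompt on the client.
$target = 'remotehost'     # server that runs djoin.exe (name from the question)
$cred   = Get-Credential   # domain account allowed to create computer accounts

# Client side: permit delegating fresh credentials to this one host only.
# The name must match the one passed to -ComputerName below.
# Avoid wildcards such as '*': every host they match receives the
# reusable credential.
Enable-WSManCredSSP -Role Client -DelegateComputer $target -Force | Out-Null

# Server side: let WinRM on the target accept delegated credentials.
# Default authentication is enough here because the change is local to it.
Invoke-Command -ComputerName $target -ScriptBlock {
    Enable-WSManCredSSP -Role Server -Force | Out-Null
}

try {
    # Same djoin command as in the question, now in a CredSSP session so
    # the remote process can authenticate onward to a domain controller.
    $result = Invoke-Command -ComputerName $target -Credential $cred `
                             -Authentication Credssp -ScriptBlock {
        $out = & djoin.exe /provision /domain my.domain.com /machine test /savefile savefile.txt 2>&1
        # New-Object keeps this compatible with PowerShell 2.0 on 2008 R2.
        New-Object PSObject -Property @{
            ExitCode = $LASTEXITCODE
            Output   = ($out | Out-String)
        }
    }
    $result.Output
    "djoin exit code: $($result.ExitCode)"
}
finally {
    # Revert both sides so credential delegation does not stay enabled.
    Invoke-Command -ComputerName $target -ScriptBlock {
        Disable-WSManCredSSP -Role Server
    }
    Disable-WSManCredSSP -Role Client
}

# Confirm the resulting client configuration.
Get-WSManCredSSP
```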
