Problem

In PowerShell, after executing the following command ...

```powershell
Get-WmiObject Win32_ComputerSystem -Credential second.nl\administrator -ComputerName srv02.second.nl
```

... the following exception is thrown ...

```
Get-WmiObject : A security package specific error occurred. (Exception from HRESULT: 0x80070721)
At line:1 char:1
+ Get-WmiObject Win32_ComputerSystem -Credential second.nl\administrator -ComputerNa ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], COMException
    + FullyQualifiedErrorId : GetWMICOMException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
```

Scenario

  • Server srv01 in AD domain first.nl
  • Server srv02 in AD domain second.nl

When srv01 executes the command mentioned earlier, it results in the exception 80070721.

Workaround

Appending the DNS suffix (second.nl used by srv02) in the Advanced TCP/IP Settings on srv01 resolves this problem.

[Image: Advanced TCP/IP Settings]

Question(s)

  • Why does the WMI query work when appending the DNS suffix second.nl to srv01?
  • You might check GPEDIT.msc settings of `Local Computer Policy` -> `Windows Settings` -> `Security Settings` -> `Local Policies` -> `Security Options`, and then ensure the `Network security: LAN Manager authentication level` is set to `Send NTLMv2 response only`. If that works, let me know and I'll post as an answer with the source I found it. – Vomit IT - Chunky Mess Style Dec 05 '15 at 04:49
  • Thanks for your comment. This setting should happen on the requesting server I suppose? – Charlie Vieillard Dec 05 '15 at 07:20
  • Yes, I believe it'd be set on the requesting server so on `mp01.publiek.lan` see if that's what it is set to. – Vomit IT - Chunky Mess Style Dec 05 '15 at 14:18
  • The requesting server is the one executing the WMI query (requesting) for information from the target server. But I will definitely give your information a go tomorrow. I'll report back asap. Updated the question's code so it matches the information (hostnames/domain names) from the example. – Charlie Vieillard Dec 06 '15 at 10:07
  • Here's a small read on the topic (https://technet.microsoft.com/en-us/library/jj852207.aspx), I think the client and the server (or requesting and target) just need to agree on what to use algorithm-wise. I would think the server you're getting the information from is where you'd want to check but perhaps check both. This should be something simple enough to eliminate as the cause at least so I'm not 100% certain that's the case so just suggesting to give it a check in case it is. – Vomit IT - Chunky Mess Style Dec 06 '15 at 10:28
  • I'm guessing this is a domain/dns issue, how are the 2 domains configured? Is there some kind of trust between `first.nl` and `second.nl`? – doenoe Aug 10 '17 at 09:11
  • Sometimes this can have nothing to do with DNS. If the time on the member server is not synchronized with its domain, you can get this same error. – Slogmeister Extraordinaire Jun 05 '20 at 13:20
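
A read-only script that gathers the facts behind each hypothesis raised in the comments above (DNS suffix, LAN Manager authentication level, domain trust, time synchronization), to be run on srv01. This is an added example, not part of the original question or its comments; the hostnames are the ones used in the question, and `Get-DnsClientGlobalSetting` / `Resolve-DnsName` assume Windows 8 / Server 2012 or later.

```powershell
# Added example: read-only checks, run on the requesting server (srv01).
# Hostnames are the ones used in the question.
$Target    = 'srv02.second.nl'
$ShortName = $Target.Split('.')[0]

# 1. Decode the HRESULT from the exception. Facility 7 (FACILITY_WIN32)
#    means the low 16 bits are a plain Win32 error code.
$hresult  = 0x80070721
$facility = ($hresult -shr 16) -band 0x1FFF
$code     = $hresult -band 0xFFFF
$message  = (New-Object System.ComponentModel.Win32Exception -ArgumentList $code).Message
"HRESULT 0x{0:X8}: facility {1}, Win32 error {2}: {3}" -f $hresult, $facility, $code, $message

# 2. DNS: which suffixes does this host append, and how do the short name
#    and the FQDN resolve? -DnsOnly rules out LLMNR/NetBIOS fallbacks.
"Suffix search list: " + ((Get-DnsClientGlobalSetting).SuffixSearchList -join ', ')
foreach ($name in $ShortName, $Target) {
    $records = Resolve-DnsName -Name $name -DnsOnly -ErrorAction SilentlyContinue
    $result  = if ($records) {
        ($records.IPAddress | Where-Object { $_ }) -join ', '
    } else {
        'not resolved'
    }
    "{0,-20} -> {1}" -f $name, $result
}

# 3. LAN Manager authentication level from the comment thread.
#    A value of 3 corresponds to "Send NTLMv2 response only".
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
$level = if ($lsa) { $lsa.LmCompatibilityLevel } else { 'not set (OS default applies)' }
"LmCompatibilityLevel: $level"

# 4. Trusts known to this host's domain (first.nl in the question).
nltest /domain_trusts

# 5. Clock offset between this host and the target (one sample).
w32tm /stripchart "/computer:$Target" /samples:1 /dataonly
```

Steps 3 and 5 are worth repeating on srv02, since the comments suggest checking both ends.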

0 Answers