How to onboard On-premise Windows Servers on Azure Arc on scale using PowerShell (PSSession)

Bishnu Baliyase 110 Reputation points
2024-04-08T07:59:34.7366667+00:00

We are planning to onboard our on-premises Windows Servers (lowest version is 2012 R2) to Azure Arc at scale (approx. 400 servers).

We downloaded the PS script from Azure Arc and ran it from one of the servers against the other remote servers using a PS Session to automate the installation.

We encountered the errors below:

"New-PSSession : [ABCDSERVER001] Connecting to remote server ABCDSERVER001 failed  with the following error message : WinRM cannot process the request. The  following error with errorcode 0x80090322 occurred while using Negotiate  authentication: An unknown security error occurred.  

Possible causes are:  

-The user name or password specified are invalid.  

-Kerberos is used when no authentication method and no user name are  specified.  

-Kerberos accepts domain user names, but not local user names.  

-The Service Principal Name (SPN) for the remote computer name and port does  not exist.  

-The client and remote computers are in different domains and there is no  trust between the two domains. After checking for the above issues, try the following:  

-Check the Event Viewer for events related to authentication.  

-Change the authentication method; add the destination computer to the WinRM  TrustedHosts configuration setting or use HTTPS transport. Note that computers in the TrustedHosts list might not be authenticated.   

-For more information about WinRM configuration, run the following command:  winrm help config. For more information, see the about_Remote_Troubleshooting  Help topic. At line:3 char:11 + $SESSION= New-PSSession -Computer 'ABCDSERVER001' -Cred $credential +           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~     + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:Re     moteRunspace) [New-PSSession], PSRemotingTransportException     + FullyQualifiedErrorId : -2144108387,PSSessionOpenFailed"

What we can NOT do:

  1. We cannot do the installation using SCCM / Group Policy.
  2. We do not have Domain Admin rights.
  3. We cannot use PsExec.

What we verified:

  1. Username and credentials are correct.
  2. Using domain credentials (not local credentials).
  3. All servers are in the same domain.
  4. SPN of the remote server.


Any help on this would be greatly appreciated.

Please also help with any alternate method to onboard Azure Arc without much involvement of existing AD / SCCM.

Thanks in Advance
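The WinRM error quoted above (0x80090322, the SSPI "target principal name is incorrect" code) surfaces inside Negotiate, which hides whether the failure is name resolution, the listener, or the Kerberos SPN. The following is an added example, not part of the original post and not Microsoft's onboarding script: a pre-flight check that classifies each server before any session is opened, then only opens sessions (forcing Kerberos explicitly and using the name the SPN was registered for) to hosts that passed. The server names, the output path and the onboarding script path are placeholders; the account in `$credential` is assumed to be a domain account with local administrator rights on the targets.

```powershell
# Added example (not from the original post). Pre-flight WinRM/Kerberos check for a list of
# servers, then session creation only for hosts that passed. Names and paths are placeholders.

$servers    = @('ABCDSERVER001', 'ABCDSERVER002')   # constructed sample inventory; replace with yours
$credential = Get-Credential                         # domain account, not a local account
$arcScript  = 'C:\ArcOnboarding\OnboardingScript.ps1' # placeholder: script downloaded from the Azure Arc portal

function Test-ArcPrereq {
    param(
        [Parameter(Mandatory)] [string]       $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    $result = [ordered]@{
        Server     = $ComputerName
        Fqdn       = $null
        Port5985   = $false
        KerberosOk = $false
        Error      = $null
    }

    # 1. Name resolution. Kerberos validates the HTTP/<name> SPN against the name the client used,
    #    so connect with the FQDN returned by DNS rather than a short name.
    try {
        $a = Resolve-DnsName -Name $ComputerName -Type A -ErrorAction Stop | Select-Object -First 1
        $result.Fqdn = $a.Name
    } catch {
        $result.Error = "DNS: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # 2. TCP reachability of the default WinRM HTTP listener (5985).
    $tcp = Test-NetConnection -ComputerName $result.Fqdn -Port 5985 -WarningAction SilentlyContinue
    $result.Port5985 = $tcp.TcpTestSucceeded
    if (-not $result.Port5985) {
        $result.Error = 'WinRM listener on 5985 not reachable (firewall or WinRM not enabled)'
        return [pscustomobject]$result
    }

    # 3. Force Kerberos instead of Negotiate. If this fails, the message names the real cause
    #    (missing SPN, clock skew, wrong name) instead of the generic 0x80090322 wrapper.
    try {
        Test-WSMan -ComputerName $result.Fqdn -Authentication Kerberos -Credential $Credential -ErrorAction Stop | Out-Null
        $result.KerberosOk = $true
    } catch {
        $result.Error = "WSMan/Kerberos: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

# Run the checks and keep a record of which hosts failed and why.
$report = foreach ($s in $servers) { Test-ArcPrereq -ComputerName $s -Credential $credential }
$report | Format-Table -AutoSize
$report | Export-Csv -Path 'C:\ArcOnboarding\preflight.csv' -NoTypeInformation   # placeholder path

# Open sessions only to hosts that passed, with Kerberos made explicit.
$ready = $report | Where-Object KerberosOk | Select-Object -ExpandProperty Fqdn
if ($ready) {
    $sessions = New-PSSession -ComputerName $ready -Credential $credential -Authentication Kerberos
    # Invoke-Command -FilePath reads the script locally and runs it in each remote session.
    Invoke-Command -Session $sessions -FilePath $arcScript
    Remove-PSSession -Session $sessions
}
```

The `Fqdn` column matters: the failing call in the post used the short name `'ABCDSERVER001'`, and a short name that does not match the registered `HTTP/` or `WSMAN/` SPN is one of the conditions the error text itself lists. Hosts that fail step 3 even with the FQDN are the ones to raise with the AD team, since registering or correcting an SPN needs rights the question says are not available.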


1 answer

  1. Alan La Pietra (CSA) 0 Reputation points Microsoft Employee
    2024-04-22T08:20:03.73+00:00

    I think the PowerShell script is recommended for a small number of machines.

    You can enable Azure Arc-enabled servers for one or a small number of Windows or Linux machines in your environment by performing a set of steps manually. Or you can use an automated method by running a template script that we provide. This script automates the download and installation of both agents. https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-portal
