Ran into a weird issue where I was getting access denied when trying to query nodes remotely in powershell. The query was working fine against Windows 2003 cluster names and worked locally when ran on a Windows 2008 cluster node, it just didn’t work remotely.
PS C:\Debuggers> gwmi -q "Select name from MSCluster_Node" -namespace root\mscluster -computername Server-2k3-01 | Select-Object Name
Name ---- Server-2k3-01 Server-2k3-02
PS C:\Debuggers> gwmi -q "Select name from MSCluster_Node" -namespace root\mscluster -computername Server-2k8-01 Get-WmiObject : Access denied At line:1 char:5 + gwmi <<<< -q "Select name from MSCluster_Node" -namespace root\mscluster -computername Server-2k8-01
I also tried the query outside of powershell to eliminate that form the equation with the same results and it still failed. So why the difference? Well looking around on the target, I noticed this event in the event log:
Log Name: Application Source: Microsoft-Windows-WMI Date: 9/5/2008 10:17:52 AM Event ID: 5605 Task Category: None Level: Error Keywords: Classic User: N/A Computer: Server-2k8-01 Description: Access to the root\mscluster namespace was denied because the namespace is marked with RequiresEncryption but the script or application attempted to connect to this namespace with an authentication level below Pkt_Privacy. Change the authentication level to Pkt_Privacy and run the script or application again.
Doing a little research I ran across this article explaining the event and what needs to happen to run the query properly:
In VBScript that means adding: authenticationLevel=pktPrivacy to your query. In Powershell (I’m using 2.0) you just add the authentication switch to get it to work. Now the query works on downlevel as well as 2k8:
PS C:\Debuggers> gwmi -q "Select name from MSCluster_Node" -namespace root\mscluster -computername Server-2k8-01 -Authentication PacketPrivacy | Select-Object Name
Server-2k8-01 Server-2k8-02 Server-2k8-03 Server-2k8-04 Server-2k8-05
You can do a whole bunch of cool stuff with powershell check it out! Here’s just a little query to tell me each node and ‘t state:
PS C:\Debuggers> gwmi -q "Select * from MSCluster_Node" -namespace root\mscluster -computername TK5-CLUS-01 -Authentication PacketPrivacy | Select-Object Name,State | Format-Table -au
Name State ---- ----- tk5-clus-01 0 tk5-clus-02 0 tk5-clus-03 0 tk5-clus-04 1 tk5-clus-05 0 tk5-clus-06 0