Skip to main content
Dynamics 365 general forum

[TROUBLESHOOTING | ON-PREMISES ] CRM PowerShell commands failing

editSubscribe (0) ShareShare
Posted on by

PowerShell commands towards CRM are dependent on a proper Setup of the Deployment Role and its Deployment Web Service.

These commands are normally used to  perform administrative tasks such as create, import, enable and disable organizations. 

These are also used during the setup of Server-Side-Sync configuration:



Deployment Web Service

Deployment Web service is installed when we install the Deployment Role: 

We can define its endpoint on Deployment manager:


On Split installations with Frontends and Backends separated, most customers will install Deployment Role together with the Frontend Role.A low amount of customer will install it on Backend Role machines. On the latest context, customers need to change the Deployment Web Service target Machine as it is different from all the rest.


When we defined the URL as above, PowerShell commands will make these sample calls:


When Server-side-Sync configuration commands fail, its normal that the problem is not on the command but on the Deployment Web Service state.

Sample SSS command:

$CertificateScriptWithCommand = ".\CertificateReconfiguration.ps1 -certificateFile c:\Personalcertfile.pfx -password personal_certfile_password -updateCrm -certificateType S2STokenIssuer -serviceAccount contoso\CRMAsyncService -storeFindType FindBySubjectDistinguishedName" Invoke-Expression -command $CertificateScriptWithCommand

When an error occurs when executing the above command, with messages such as 503,502,404, SSL/TLS, error occurred on a send, it is normally caused by a deployment Web service misconfiguration.

The engineer can then quickly ignore SSS setup and test a more generic CRM powershell command and confirm the issue is the same:

Add-PSSnapin microsoft.crm.powershell

Get-CrmSetting TraceSettings

Once that is confirmed, the topic is mostly tied to a skill belonging to a Platform Infra skill, but anyone can attempt to resolve it with this Article.

Frequent issues

1. "An unexpected error occurred on a send"

Get-CrmSetting : The underlying connection was closed: An unexpected error occurred on a send. At line:1 char:1

+ Get-CrmSetting TraceSettings

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : InvalidArgument: (Microsoft.Crm.P...rmSettingCmdlet:GetCrmSettingCmdlet) [Get-CrmSetting

   ], WebException

    + FullyQualifiedErrorId : CRM Deployment Cmdlet Error,Microsoft.Crm.PowerShell.GetCrmSettingCmdlet

This normally means that the defined URL for Deployment Web Service does contain a Webserver but does not accept our request, either because the binding/port does not exist or something else.

Solution: Here you need to confirm that the URL defined on Deployment Web service is a valid machine with Deployment Role , and that the binding and protocol (http/https) are correctly matching between the URL and the machine IIS. Default https port is 443.



2. "Could not establish trust relationship for the SSL/TLS secure channel.""

Get-CrmSetting : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. At line:1 char:1

This normally means that the defined URL for Deployment Web Service contains a string that is not included on the Certificate that is setup on Deployment IIS HTTPS binding certificate.

Sample: If i use a wildcard certificate like *.contoso.lab , and then I define the Deployment Web service URL as VMCRM90 only, my certificate does not include such name and give the above error.

Solution: We always need to define a URL that matches the certificate. In this case i would have to define Deployment Web Service URL as VMCRM90.contoso.lab. On scenarios customer is not using a wildcard certificate, but a SAN certificate, customer would have to generate a new one that contains this machine name, or a DNS that customer creates pointing to this machine.

3. "The remote server returned an error: (503) Server Unavailable"

Get-CrmSetting : The remote server returned an error: (503) Server Unavailable. At line:1 char:1

This normally means that the Deployment Web Service AppPool is stopped.


4. "Unable to connect to the remote server"

Get-CrmSetting : Unable to connect to the remote server At line:1 char:1

This normally means the website is stopped:


5. "The remote server returned an error: (404) Not Found."

Get-CrmSetting : The remote server returned an error: (404) Not Found. At line:1 char:1

This normally means that the account that runs the APPPool for the Deployment Service, doesn't have enough privileges to generate the resources that are needed.


Please check deployment web service account requirements: 

6. "Deployment Web Service URL is not available."

Get-CrmSetting : Deployment Web Service URL is not available. This can be specified using the DwsServerUrl parameter. At line:1 char:1

This most often happens when you try to run the PowerShell commands and you are not a local admin (the PowerShell commands should be run with a PowerShell window as Administrator) and you do not have enough permissions on the Dynamics Deployment.

This can be easily fixed if you run the commands with a Dynamics Deployment Administrator + local admin. How to find a deployment admin :


Please check permissions required to be a deployment admin: 

Helpful resources

Quick Links

What Motivates a Super User?

We know many of you visit the Dynamics 365 Community and Power Platform…

Demystifying Copilot with Georg Glantschnig…

Industry experts answer burning questions directly from our amazing Community…

Setting Up Knowledge Sources for Copilot…

Look at how configuring a comprehensive knowledge base is crucial…


Andre Arnaud de Calavon Profile Picture

Andre Arnaud de Cal... 283,066 Super User

Martin Dráb Profile Picture

Martin Dráb 222,585 Super User

nmaenpaa Profile Picture

nmaenpaa 101,138

Product updates

Dynamics 365 release plans