Advanced Windows PowerShell Scripting Video Training

Advanced Windows PowerShell Scripting Video Training
Advanced Windows PowerShell Scripting Video Training

Monday, February 28, 2011

How to use AD Schema snap-in to manage an AD LDS Schema

You will need to be logged in as an administrator (or elevate your privilege level) to complete this task.
First you need to register your Schema snap in before we can use it.

Click Start. Type cmd and press Enter.

Type regsvr32 schmmgmt.dll and press Enter.

Click OK when prompted.

image

Type Exit and press Enter.

Click Start, type MMC and press Enter.

Click File and then click Add\Remove Snap-ins

Click Active Directory Schema and then click Add

Click OK
image

Right click Active Directory Schema and then click Change Active Directory Domain Controller…

image

Click Type a Directory Server name[:port]here;


Type the DNS name, NetBIOS name, or IP address of the server hosting the AD LDS instance.  In this example, the server name is MCT-1.

image

Now click on the enter you just made in the Change Directory Server window and then click OK.

You can now view the classes and attributes of your AD LDS instance.

image

Friday, February 25, 2011

Does Windows Server 2008 R2 allow you to rejoin a disjoin client to the domain with the same SID?

To test this theory, I created a Snapshot in Hyper-V of a Windows 7 Client. Once I completed this I had Active Directory reset the password to the client. Next I applied the snapshot that I just took to create a disjointed account.

When an attempt to log in is made, this is the error:
image

The question from class is if I put this client in a workgroup, and then back in a domain, will it have the same SID?

First off, I went into Active Directory and recorded the SID for the clients computer object.
image

Next I logged in as the local administrator on the client and first put the client in a workgroup, and then back in the domain.  One thing that I did notice during this process.  Even though the computer could not create a secure channel to the domain controller, when I took it off the network, the computers object was disabled.

image

Once the client was joined to the network, its account re-enabled.
Also, the SID was reused.

image

On a side note.  This client was used previously to test the ability for a standard user to add a client to the domain without Domain Administrator credentials.  In that process, the users SID was recorded in the computer objects ms-DS-CreatorSID.  Even thought I rejoined the client to the network using a Domain Admin account, the original user who added this client to the domain still has their SID listed in the ms-DS-CreatorSID attribute of the clients account.

Thursday, February 24, 2011

How to reallocate RAM resources in Hyper-V

It never fails.  I need to start up a new VM only to find out that I do not have enough RAM (see the error below).

image

From the last line of the error, you can see “Fail to create partition: Insufficient resources exist to complete the requested service.”  Ok, but I really need to start this VM.  We cannot dynamically change the amount of RAM that is allocated to a VM while it is running. 

One option that we have is to take a VM that is in a Paused state, and change it to a saved state.  Since the VM was already paused, you were not using its functionality anyway.  Right click the paused VM and click Save

image

If this cleared up enough resources, you can now start that other VM.

Should I need to run both VMs, I will still need to shut the paused virtual machine down and reallocate less resources from it while it is offline.

Wednesday, February 23, 2011

How many users can the internal Windows database support in AD RMS

According to Microsoft documentation, the internal windows database can be used to support Active Directory Rights Management Services (AD RMS).  However, Microsoft recommends the use of the internal database for a test lab only.  For a production environment, you need to utilized an external database.  I have not been able to find exact figures on the number of users it can support.  Considering a test environment usually has less users than a production environment, this should not be an issue.
Reference: http://technet.microsoft.com/en-us/library/dd772659(WS.10).aspx

Tuesday, February 22, 2011

Install Wireless Networking on Server 2008 R2

Recently I installed a couple of new servers in my test lab.  They had both wired and wireless NICs installed on them.  I configured the wired NIC without any issues.  The wireless takes a few extra steps.
To get wireless functionality on a server, you need to enable the Wireless feature.
On your Server 2008 R2 server, open Server Manager.  You can do this in your Administrative Tools or by clicking the icon in the quick launch bar image.

Once the Server Manager has open, click Features.

With Features open, click Add Features to the right.

Once the Select Features window opens scroll to the bottom of the list and check that feature called Wireless LAN Service.

Click Next
image

Click Install.

Click Close.

Close Server Manager.

Click Start.

Right click Network and select Properties.

In the upper right corner of the Network and Sharing Center, click Change Adapter Settings.

If your wireless adapter is Disabled, right click it and select Enable.

Right click your wireless adapter can click Connect/Disconnect.
image

Select your wireless network and continue the configuration according to the security policy of your organization.

Monday, February 21, 2011

How to list all the AD LDS instances on a server

AD LDS allows you to provide directory services to applications that are free of the confines of Active Directory.  To list all the AD LDS instances on a server, follow this procedure:

Log into the server in question

Open a command prompt.

Type dsdbutil and press Enter

Type List Instances and press Enter.

You will receive a list of the instance name, both the LDAP and SSL port numbers, the location of the database, and its status.

image

Friday, February 18, 2011

Set up Active Directory Recycle Bin for AD LDS

You can expand the functionality of the AD Recycle Bin to your Active Directory Lightweight Directory Services (AD LDS) deployments.  This example assumes that we have an AD LDS instance called ‘App1’. It will be on a server called ‘MCT-1’ in a domain called ‘MCTNET.com’. We can attach to it on port 53414.  The application partition is ‘CN=App1,DC=MCTNET,DC=COM

On the server hosting the AD LDS instance, open PowerShell.

First verify that your Forest functional level is Windows Server 2008 R2.

Type Get AD-Forest and press enter.  You can see from the results below that we are at the correct forest functional level.
image

Open a command prompt with administrative credentials.
Change your directory to c:\Windows\Adam.

Type Ldifde.exe –i –f MS-ADAM-Upgrade-2.ldf –s MCT-1:53414 –b administrator MCTNET Pa$$w0rd –j . –$ adamschema.cat

For your environment replace:
 MCT-1 with the name of your server.
53414 with the port number of the AD LDS instance you are turning the AD Recycle bin on.
MCTNET with your domain name
Change Pa$$w0rd to the password for the account being used.
image

This will upgrade the schema of your AD LDS. 

We will now be able to recover objects that are deleted from AD LDS from this point forward.  Any objects there were deleted prior to the the AD Recycle Bin being applied to your AD LDS instance will not be recoverable.  Also, you will not be able to recover objects from other instances of AD LDS until you run the above procedure on them.

In my AD LDS instance, I deleted two user objects; Barney and Bert. We now need to bind to the AD LDS instance to fid our deleted objects. 

For a command prompt with elevated privileges, type LDP and press Enter.

In the LDP window, click Options \ Controls


From the Load Predefined drop down box, select Return deleted objects.

image

Click OK to close the Controls window.

In the LDP window, click Connection \ Connect…

Provide the server name and the port to connect to the AD LDP Instance.

Click OK

image

Click View \ Tree.

In the Tree View window, enter the BaseDN of the AD LDS instance.  In our case it is CN=App1,DC=MCTNET,CD=COM

Click OK

image

In the LDP window, click Connection \ Bind

Click OK to close the BIND window.

In the LDP Window, expand your AD LDS instance.

image

Double click CN=Deleted Objects,CN=App1,DC=MCTNET,DC=COM

You will now see the objects that are being held in the Active Directory Recycle Bin.

image

Right click the object that you want to recover and select Modify.

image

In the Attribute: field, click isDeleted

In the Operation section, select Delete

Click Enter.

image

In the Attribute type distinguishedName.

In the Values field, type the Distinguished Name of the object that you want to recover.  In our case, it is CN=Barney,CN=App1,DC=MCTNET,DC=COM.

In the Operation area, select Replace

At the bottom left of the Modify window, check Extended.

Click Run

image

Click Close

If you look in the LDP window, you will see something similar to this:

image

If you open your AD LDS instance in the ADSI Editor, you will see that your object, Barney, has been restored.

image

Thursday, February 17, 2011

How to configure start up delays for Virtual Machines in Hyper-V

In any medium to large network environment, there are undoubtedly certain servers that need to be fully online before others.  Generally the IT staff would have some type of restart procedure that will bring these servers back up in the correct order should they ever go down for some reason.  When working with virtualized machines, you still have this same capability using Hyper-V.

To configure a startup delay, open the Hyper-V Manager.

Right click the VM that you want to configure the delay on and click Settings.

Click on Automatic Start Action.

You need to select Automatically start if it was running when the service stopped or Always start this virtual machine automatically

You than need to specify the number of seconds until the VM starts.
image

You may have to take some time with a stop watch to get an idea of how long to make the delay.

Wednesday, February 16, 2011

Backup and Restore AD LDS with DSDBUTIL.exe

Active Directory Lightweight Directory Services allow you to create a directory service that allows applications to have access to user accounts, groups, and authentication similar to Active Directory Domain Services.  The big advantage here is that the schema of the directory service will not be bound by the rules of an Active Directory database.  Exchange 2007/2010, for example, use an instance of AD LDS on the Edge Transport Server to provide for user authentication from the internet.  Because your Active Directory database is not exposed to the internet, this is more secure.

Applications will handle most of the dirty work should they require AD LDS.  You may want to make sure the database is being backed up and also have a restore plan in place.  Should the database become corrupt, the application that uses that database will fail.  This document will walk you through backing up and restoring an instance of AD LDS using the dsdbutil.exe command.

First off, we have an AD LDS instance called ContosoApplication.
image

Log into the server that is hosting the AD LDS instance with an account that has permissions to back up the AD LDS data.

Click Start, type cmd and press Enter.

Type dsdbutil and press enter.

Now type activate instance instance name; and press Enter in our example, the instance name is ContosoApp1.  The instance name was created when the instance was itself created.
image

Now type ifm and press Enter

Type Create full location; where location; is the path and file name you wish to use for the backup. In this example, I used create full ContosoApp1Backup and pressed Enter.
image

Type quit and press Enter.  Do this again to exit dsdbutil

Since a path was not specified for the backup location, it was stored at c:\Users\Administrator\ContosoApp1Backup since this was the account we were using during the backup.  In reality, you would use another location.  If you open this folder you will see the database file adamntds.dit.

Let's now simulate some type of database corruption. I deleted the two user accounts of Jerry and Bert from the AD LDS instance using the ADSI Editor.
image

We are now going to restore the lost objects from our AD LDS instance.

Click Start. Type Services.msc and press Enter.
We need to stop the service that is running the instance of AD LDS we are about to restore.  Find ContosoApp1 in the list of services.  Right click it and select Stop.
image

We now need to delete the current instance and log files of the AD LDS instance you wish to recover.  If the files are stored in the default location, they will be at %ProgramFiles%\Microsoft Adam\instance_name\data\adamntds.dit.  For our example we need to type del “c:\Program Files\Micarosoft Adam\ContosoApp1\data\*.*” and press Enter.

Type Y and press Enter.

image

Next we need to copy the backed up data to this location.


xcopy /os C:\Users\Administrator\ContosoApp1Backup\adamntds.dit “%ProgramFiles%\Microsoft Adam\ContosoApp1\data\adamntds.dit”

Type F

image

Click Start. Type Services.msc and press Enter.

Right click ContosoApp1  and select Start

Going back to ADSI Editor and doing a refresh, we see that our lost objects have been restored.

image

Monday, February 14, 2011

Can you use a non Microsoft DHCP and DNS Server with WDS?

Windows Deployment Services relies on both DNS and DHCP for its functionality.
DNS is used to help located the WDS server in your network. DHCP is used to hand out IP addresses to your clients and the address of a DNS server so they can locate resources, in this case WDS, and communicate with it.

According to Microsoft’s documentation, you can utilize non Microsoft products to provide DNS and DHCP services to your WDS environment. Something to note is that you must select the following two options during the WDS configuration:

If the non-Microsoft DHCP server is located on the same server as WDS, you will need to configure the server to listen on port 67 and also to add Option 60 to your DHCP scopes.

If the DHCP server is installed on a different subnet, you will need to configure your router to forward broadcast packets to both the DHCP and the WDS server. You will also need to route traffic from UDP port 4011 from the client to the WDS server.

http://technet.microsoft.com/en-us/library/cc771670(WS.10).aspx

Friday, February 11, 2011

Change Server Core’s Background

Many Network Administrators prefer to manage the roles and features of Server Core remotely using a graphical interface provided by RSAT.  However, you may be at an organization that requires you to either be at a Server Core console, or to Remote Desktop into the server itself. If you have one or two Server Cores, this may not be a big deal.  But what if you have 5, 10, or more?  While working with a software development company I noticed that the screen background and text color was used to denote the set of code being used.  I thought this would be a good idea to flag which Core you were working on.

To change the background color:

Expand HKEY_Current_User\Control Panel\Color.

You will see the Background setting is at 29 95 122. These are the RGB values (Red, Green, Blue) for the background color.  The number determines the brightness of each color component for each pixel.  Setting a value to 0 turns it off.  Setting it to 255 makes it as bright as possible.

Double click Background and enter the values that you want.  In this example, I selected 0 22 200.

Click OK

Now close the Registry Editor

Log off and then log back on.  You will see the blue is now more intense.
image
(Before)
image
(After)

You may want to script this one out if multiple users need to have the same background.  If you log in as another user, you will have to repeat this process.

Thursday, February 10, 2011

What cmdlets are imported with new PowerShell Modules

I call PowerShell the “never ending beast.”  I do not say that in a bad way, but in a good way.  PowerShell is designed to be continually added to.  One way this is accomplished is through the addition of modules.   Modules can come from Microsoft, or you.  They are a collections of new cmdlets, functions, and scripts that allow you to add functionality to PowerShell.  The question is, what cmdlets are added when I import a module?

To determine the modules that are available on the client/server you are on, type Get-Modules –ListAvailable and press Enter.

image

The list returned will vary depending on what is installed on the client/server you are working on.  When you run the Import-Module command, you only know that command completed.  To see what was imported, use the –verbose switch.

For example, type Get-Module AppLocker –Verbose and press Enter. The output is listed below.

image

Here you can see each cmdlet that is imported into your session and is available for use.

Wednesday, February 9, 2011

What is the limit on the number of Group Policy Objects that can be applied to an object?

According to Microsoft, the limit of the number of GPOs that you can apply to an object is 999.  The article listed below did not give a limit on the total number of GPOs that you can have, but only a limit on how many that can be applied to a single object.


Reference: http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(WS.10).aspx#BKMK_GPO

Tuesday, February 8, 2011

How much does the ImageX /Compress Maximum setting save you on disk space?

Compression is a funny thing.  You cannot accurately predict the exact compression ratio without knowing what the files are and the algorithms being used.  Some files, like MP3s are already compressed.  Text files compress a lot, JPG files do not. By using the /Compress Maximum switch in the ImageX command line will put a lot of work on the capturing of the image, and less on the transfer of that image. 

For this reason, I make sure that I am absolutely satisfied with the image that I am about to make.  We are going to have an upfront cost of more time to create the image, but we will make it up if this image is going to be sent across the network many times.

I decided to do an experiment with a new Windows 7 Home Premium edition client that I just picked up at the store today.  I only ran the basic configuration and loaded the Anti-virus software.  Only imaging the C: drive and using the default compression, the image file size was 20,949,078 KB. The size of the image file after making a new image with the maximum compression option set was 10,263,386 KB.  That was a reduction of 10,685,692 KB or 51%.  That can be a huge savings in network bandwidth.

For a Thick Image (one that contains software as well as an OS), you may have to start the image capture and come back in the morning.  But again, we are making an investment now, to enjoy a greater return on that invest later.

Monday, February 7, 2011

How to alter the Kerberos time synchronization tolerance

Kerberos is a time sensitive authentication system.  This is good.  The time tolerance helps to prevent a replay attack.  You can make this tolerance more or less stricter then the default of 5 minutes.  Network packets for Kerberos authentication that have a time stamp within the tolerance value, as compared to the domain controllers clock, is considered valid.

For a local computer, you would open the local security policy.

For a domain joined computer, open a GPO that applies to the client.

For a Domain Controller, open the Default Domain Policy GPO.

Expand: Computer Configuration / Policies / Windows Settings / Security Settings / Account Policies

Open Maximum tolerance for computer clock synchronization

image

Check Define this policy setting.

Enter in the number of minutes you will allow clocks to be out of sync and click OK

Friday, February 4, 2011

How many VMs can Hyper-V support?

In Windows Server 2008 R2, Hyper-V can support up to 384 virtual machines (VMs) as long as the number of virtual processors assigned to those VMs do not exceed 512.  These numbers change a bit if you are running Hyper-V in a Failover Cluster.  You can only support 64 VMs per node of the cluster.  Since all business critical applications and services need to have a fault-tolerant solution, you will more than likely be running your VMs on a Failover Cluster.  So, for the production environment, I would say 64 VMs is the limit.

Thursday, February 3, 2011

Mount an image with ImageX

ImageX is a versatile tool that helps us work with Windows Image files (.wim). One of the neat things that you can do with ImageX is to mount an image file and then be able to copy and paste files and folders into it using Windows Explore.  You can obtain a copy of ImageX when you download the Windows Automated Installation Kit (WAIK) and install the WAIK on your system. Once WAIK is installed and you have an image file to work with, follow this procedure.

First create a folder on your hard drive to mount the image in. For this demonstration, I created a folder called ImageMount on my D: drive.

Click Start \ All Programs \ Microsoft Windows AIK \ Windows PE Tools Command Prompt.
image
This will launch a special command prompt that is aware of the tools that were installed with the WAIK.
You will need to know the location where you stored an image file. Our image is stored at D:\Data.wim  The folder we will be mounting this image in is D:\ImageMount.  The folder that we mount the image in will act like the root of a hard drive so we can open it up just as if it was another hard drive on our system, and be able to browse the files and folders in it.

In the Windows PE Tools Command Prompt window, type Imagex /mountrw d:\data.wim 1 d:\ImageMount and press Enter. The number 1 is used for selecting which image in the .wim file to mount.  .wim image files can contain more than one image. The image below shows what you should see.
image
You can now open the ImageMount folder to see the contents of the image.  Since we mounted the image using the /mountrw switch, we have read/write access to the image.  If you only wanted to open the image with read access, use the /mount switch.

At this point you can add and remove files and folders from them image.  A word of caution when deleting objects from the image.  You cannot use the recycle bin to get them back.  This is a non-reversible deletion. Once you are done, close Windows Explorer.

When the time comes to dismount the image so you can use it, follow this procedure:
In the Windows PE Tools Command Prompt windows type imagex /unmount /commit d:\ImageMount and press Enter.
image
In the above command, if you omit the /commit switch, any changes that you made will be discarded and the .wim will retain its original state.

Wednesday, February 2, 2011

Disable SMB signing

It never fails.  Once ever couple of months I have a delegate in my class that has to keep a Windows NT4 box running.  There is nothing wrong with that.  Many applications build on Windows NT4 are solid.  Why upgrade and incur cost when no upgrade is really required?  That is generally the reason why Windows NT4 is being used.  Another reason is the vender went out of business, but the application that is required is really good and paid for.

Two things to take note of.  If these Windows NT4 clients are going to be authenticating on a Windows Sever 2008 DC, then you may have a problem.  For WinNT 4.0 SP2 and earlier, SMB signing was not supported.  For WinNT4.0 SP3 and earlier, secure channel was not supported.
SMB signing helps to prevent Man-in-the-middle attacks. 

To open GPMC, click Start, click Run, type gpmc.msc, and then click OK.

In the console tree, right-click Default Domain Controllers Policy in Domains\Current Domain Name\Group Policy objects\Default Domain Controllers Policy, and then click Edit.

In the Group Policy Management Editor window, in the console tree, go to Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options.

In the details pane, double-click Microsoft network server: Digitally sign communications (always).

Verify that the Define this policy setting check box is selected, click Disabled to prevent SMB packet signing from being required, and then click OK.
image

Secure Channel is a way to transfer data that is resistant to interception and tampering.
To disable this functionality:
Open GPMC by clicking Start, click Run, type gpmc.msc, and then click OK.

In the console tree, right-click Default Domain Controllers Policy in Domains/Current Domain Name/Group Policy objects/Default Domain Controllers Policy, and then click Edit.

In the Group Policy Management Editor window, in the console tree, go to Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options.

In the details pane, double-click Domain member: Digitally encrypt or sign secure channel data (always), click Disabled to prevent secure channel signing from being required, and then click OK
image

It is not advisable to do either of these procedures unless you absolutely have to.  This will lower your security posture and place you at higher risks of attack.  I recommend that your NT4 systems be isolated in a small network of there own to help protect your other network assets.

Tuesday, February 1, 2011

Configure the Default VM Paths in VMM

You can configure Virtual Machine Manager with the default paths for new VMs on each host the VMM manages.

To do this, first created a folder on each host that will store the VM files.

Next open System Center Virtual Machine Manager

If not already visible, go to the Host screen by clicking Go \ Hosts on the menu bar.

Right click the host that you want to configure the default path on and select Properties.

Click the Placement tab.

Click Add.

Browse to the folder you created and click OK.

Click OK again.