Advanced Windows PowerShell Scripting Video Training


Monday, October 31, 2011

Use GPO Preferences to populate built-in groups on your clients.

If you need to add users or domain groups to the built-in groups on your clients, you have 2 choices.  You can use restricted groups.  The problem with restricted groups is that they will remove any existing members of that group and prevent you from adding any more without using Group Policy.  Another option is to use GPO Preferences.

Create a GPO to hold this GPO preference.

Edit the policy and expand Computer Configuration / Preferences / Control Panel Settings.

Click Local Users and Groups and then right-click it.

Select New -> Local Group


In the Action drop down list, ensure Update is selected.  The Update action will not remove the group if it already exists.  If it does not exist, the group will be created.

In the Group Name field, type the name of the group that you want to add members to.

Under Members, click Add.


Click OK when completed.

image

Apply this policy to the appropriate portion of Active Directory.

Refresh the GPOs on your client and examine the local built-in group.  Your users should now be members of that group.
image

Friday, October 28, 2011

DFSR Migration for RODC is stuck

During a DFSR sysvol migration on Windows Server 2008, problems can occur with the migration of Read Only Domain Controllers.

See the image below.

image

The RODC is stuck trying to move to the Prepared state.  First go to the RODC and type Repadmin /SyncAll /AeD.

 

On the PDC Emulator, run dfsrmig /GetMigrationState.

If the migration completed, continue on.  If not, type dfsrmig /CreateGlobalObjects. This will manually create the global objects for DFS replication.

On the PDC Emulator, run dfsrmig /GetMigrationState. You should be ready to move on to the next step in the migration process.

Thursday, October 27, 2011

Delete a DNS zone with PowerShell

When it comes time to remove a zone from a DNS server, you can accomplish this task with PowerShell.

 

We are going to remove a zone called Test.Contoso.com.

 

Log into your DNS server with an account that has the permissions to delete the zone.

 

Open PowerShell and type the following command.

 

Get-WMIObject -NameSpace "Root\MicrosoftDNS" -Class MicrosoftDNS_Zone | Where-Object {$_.Name -eq "Test.Contoso.Com"} | Remove-WMIObject

 

You may need to close and then reopen the DNS console to see the zone completely removed.

Wednesday, October 26, 2011

Utilizing Windows Server 2008 R2 Bare Metal Recovery

A new feature of Server 2008 R2 allows you to recover a server from a completely failed hard drive.  The Image restore capability is a combination of using Windows Server Backup and Windows Recovery Environment (WinRE).

Windows Server Backup is used to create the image, while WinRE is used to apply the image.

To create the image, first install Windows Server Backup feature on your server.
Open Server Manager
Click Features.
Click Add Features
Scroll down the list and click Windows Server Backup Features and then click Install/Next until the installation completes.

Next, create a bare metal recovery image
Open Windows Server Backup
Create a backup.  In this example, we are clicking Backup Once.
image
Make sure Different options is selected and then click Next.
image

For this demonstration, we are going to select Custom. Full Server will also work.  By using Custom, we can select Bare Metal recovery and take the minimum data required.
image

In the Select Items for Backup window, click Add Items.
image

Check Bare metal recovery.  The rest of the required items will auto-check.  Click OK.
image

At the Select Items for Backup window, click Next.

At the Select Destination Type window, select what is appropriate for your environment.  I am selecting Remote Shared Folder.
image

On the Specify Remote Folder window, provide a UNC path to the share where this data will be stored.
In the Access control area, select what is appropriate for your environment.
Click Next.
image

If prompted, provide appropriate credentials.
image

On the Confirmation window, click Backup.
image
Wait for the backup to complete.
image


Once the backup was completed, I rebooted this server using Windows PE.  Utilizing the Diskpart command, I formatted the C: drive to simulate a new hard drive to replace the existing one.

Use the installation media for Server 2008 R2 to boot the server.
At the first screen, select the language that you want to use and click Next.
image

Click Repair your computer.
image

At the System Recovery Options window, select Restore your computer using a system image that you created and click Next.
image

At the Re-image Your Computer warning, click Cancel.
image

In the Select a system image backup, click Next.

In the Select the location of the backup for the computer you want to restore, click Advanced.
image

At the next prompt, click Search for a system image on the network.
image

At the Are you sure you want to connect to the network prompt, click Yes.
image

Provide the UNC path to the share where the backup image is stored and click OK.
image


Provide credentials in the form of domain\useraccount that has access to this backup. Click OK.
image

Select the image that you want to use and click Next.
image

If you have problems reading the above image, click Refresh and try again.

Select the Date/Time of the image and click Next.
image

On the Choose additional restore options window, click Next.
Click Finish.
Click Yes at the warning.

The restore will now begin.
image

Once completed, the default options reboot the server.  At this point, the restore is completed.

Tuesday, October 25, 2011

How to handle attributes with hyphens in PowerShell

Some attributes that you can pull from Active Directory may have a hyphen in them.  That makes them a bit difficult to work with in PowerShell.  When PowerShell sees the hyphen, it assumes that you just put a cmdlet in the wrong place.  To handle a hyphenated attribute, you need to rename that property.  For this example, I am going to use the msDS-ResultantPSO.  Take a look at the code below.

$UserList = Get-AdUser -filter * -property msDS-ResultantPSO | Select name, @{Name="ResultantPSO";Expression={$_."msDS-ResultantPSO"}}


The @ symbol tells us we are about to rename a property.  In the first section inside double quotes, we declare the new name of the property.  In the Expression portion, we tell PowerShell what attribute we want to rename.  Notice we use the $_. to tell PowerShell to look at the current object passed to it for this attribute.  From here on out, this property is referred to as ResultantPSO.  This is now an attribute that PowerShell can use.

Monday, October 24, 2011

Commands for Server Core

Below is a list of commands that I picked up from TechNet Magazine.  Remember that SCONFIG now replaces some of these in Server Core 2008 R2.

Here are links to more information on SCONFIG

How to open the firewall

How to add a user to the Local Administrators group

How to move a Server Core 2008 R2 from a domain to a workgroup

Add Server Core to a domain

Setting IP Addresses

Change Windows Update settings

Rename Server Core

Enable Remote Desktop on Server Core

 

 

Control desk.cpl - View or set display settings.
Control intl.cpl - View or set regional and language options, including formats and the keyboard layout.
Control sysdm.cpl - View or set system properties.
Control timedate.cpl - View or set the date, time, and time zone.
Cscript slmgr.vbs -ato - Activate the operating system.
DiskRaid.exe - Configure software RAID.
ipconfig /all - List information about the computer’s IP address configuration.
NetDom RenameComputer - Set the server’s name and domain membership.
OCList.exe - List roles, role services, and features.
OCSetup.exe - Add or remove roles, role services, and features.
PNPUtil.exe - Install or update hardware device drivers.
Sc query type= driver - List installed device drivers.
Scregedit.wsf - Configure the operating system. Use the /cli parameter to list available configuration areas.
ServerWerOptin.exe - Configure Windows Error Reporting.
SystemInfo - List the system configuration details.
WEVUtil.exe - View and search event logs.
Wmic datafile where name="FullFilePath" get version - List a file’s version.
Wmic nicconfig where index=9 call enabledhcp - Set the computer to use dynamic IP addressing rather than static IP addressing.
Wmic nicconfig where index=9 call enablestatic("IPAddress"), ("SubnetMask") - Set a computer’s static IP address and network mask.
Wmic nicconfig where index=9 call setgateways("GatewayIPAddress") - Set or change the default gateway.
Wmic product get name /value - List installed MSI applications by name.
Wmic product where name="Name" call uninstall - Uninstall an MSI application.
Wmic qfe list - List installed updates and hotfixes.
Wusa.exe PatchName.msu /quiet - Apply an update or hotfix to the operating system.

Friday, October 21, 2011

What happens to the FSMO roles on a DC if it is demoted to a member server?

To test this out, I used NETDOM QUERY FSMO to make sure that all the FSMO roles were on the server that I was about to demote to a member server.

image

When DCPromo was executed, the FSMO roles were transferred to another DC.

image

Thursday, October 20, 2011

How to prioritize which Domain Controller clients attempt to bind to first.

When a client boots on your network, it needs to bind to a domain controller for authentication and to receive Group Policy.  It is always a best practice to have at least two DCs per AD site.  Both DCs will allow a client to bind to them.  If you want one DC to be preferred over the other, you simply need to change one property in DNS.

 

On one of your DCs, open the DNS console.

Expand Forward Lookup Zones

Expand <Domain name>.  In this case Contoso.com

Expand _Sites

Expand <Site name>.  In this case Default-First-Site-Name.

Expand _TCP

Double click the resource record of the server that you do not want as the primary domain controller for this site.

 

image

Change the priority to something other than zero.  Zero is the highest priority.  This will tell clients to attempt to bind to the other DC before attempting to bind to this one.

 

image

Wednesday, October 19, 2011

Determine what is stored in the Global Catalog with DSQuery

It is rare these days that I use a DS command, but in this case it worked out well.  Use the command below to return the attributes that are currently stored in the Global Catalog in your domain.  This command was executed with administrative level permissions on a Domain Controller.  Replace YourDomain with the correct LDAP information.

dsquery * "cn=Schema,cn=Configuration,dc=YourDomain,dc=com" -filter "(&(objectCategory=AttributeSchema)(IsMemberOfPartialAttributeSet=TRUE))" -attr LDAPDisplayName -limit 0
 
The resulting list contains the attributes in Active Directory that are also in the Global Catalog.

Tuesday, October 18, 2011

List the PSO associated with a user account with PowerShell

 

 

PSOs (Password Settings Objects) are another name for Fine-Grained Password Policies.  A PSO allows an organization to have different password policies based on a security group.  That means that unlike in a Windows 2003 domain, where all passwords meet the same rules, in a 2008 domain you can have multiple rules for your passwords.

 

The code below allows you to obtain a list of all user accounts that have a PSO assigned and what that PSO is.  It is designed to be used as a function or dot sourced into PowerShell.

 

<#
.SYNOPSIS
Returns a list of user names and their PSO.
.DESCRIPTION
Returns a list of user names and the Resultant
PSO that is currently in effect on that user.

.EXAMPLE
Get-PSOUsers

Returns a list to the pipeline of the username and the
PSO currently in effect on the user account.
.EXAMPLE
Get-PSOUsers | Sort-Object PSO

Returns a list of users with assigned PSO's, sorted
by the PSO.

Name PSO
---- ---
John Yokim CN=IT PSO,CN=Password Settings C...
Ofer Daliot CN=IT PSO,CN=Password Settings C...
Dave Barnett CN=IT PSO,CN=Password Settings C...
Neville Burdan CN=IT PSO,CN=Password Settings C...
#>

function Get-PSOUsers
{
    Import-Module ActiveDirectory -Cmdlet Get-ADUser

    # Get a list of user accounts and also pull the
    # attribute msDs-ResultantPSO. Also, rename the
    # msDs-ResultantPSO so it can be processed.
    $UserList = Get-AdUser -filter * -property msDS-ResultantPSO | Select name, @{Name="ResultantPSO";Expression={$_."msDS-ResultantPSO"}}

    # Create the object to hold the output of this function.
    $UserObj = @()

    # Loop through each user object and filter
    # out those that do not have a value in the
    # msDs-ResultantPSO field.
    foreach ($User in $UserList)
    {
        if ($User.ResultantPSO -Like "*Password*")
        {
            # If there is a value in the msDS-ResultantPSO
            # then add it to the output.
            $UObj = New-Object PSObject
            $UObj | Add-Member NoteProperty -Name Name -Value $User.Name
            $UObj | Add-Member NoteProperty -Name PSO -Value $User.ResultantPSO
            $UserObj += $UObj
        }
    }

    # Send the collected objects to the pipeline.
    Write-Output $UserObj
}
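
Added example, not part of the original posts: the hyphenated-attribute handling from the October 25 post and the Get-PSOUsers function above, reworked as a pipeline function that reads msDS-ResultantPSO by quoting its name and also reports the accounts that have no PSO and therefore fall back to the default domain password policy. The function name Get-ResultantPsoReport, the sample users and the sample distinguished names are constructed for illustration.

```powershell
# Added example (not from the original post). Requires PowerShell 3.0 or later.
function Get-ResultantPsoReport {
    [CmdletBinding()]
    param(
        # Any object carrying Name and msDS-ResultantPSO, e.g. Get-ADUser output.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$User
    )
    process {
        # Quoting the property name lets PowerShell read a hyphenated attribute
        # directly, without renaming it first.
        $dn = [string]$User.'msDS-ResultantPSO'

        # The PSO's name is the first RDN of its distinguished name.
        # Escaped characters such as "\," belong to the name, not the separator.
        $pso = $null
        if ($dn -match '^CN=((?:\\.|[^,\\])+),') {
            $pso = $Matches[1] -replace '\\(.)', '$1'
        }

        # Emit one object per user; users with no PSO are kept, not dropped.
        [pscustomobject]@{
            Name   = $User.Name
            HasPSO = [bool]$dn
            PSO    = $pso
        }
    }
}

# Constructed sample input standing in for:
#   Get-ADUser -Filter * -Properties 'msDS-ResultantPSO'
$sample = @(
    [pscustomobject]@{ Name = 'Sample User A'; 'msDS-ResultantPSO' = 'CN=IT PSO,CN=Password Settings Container,CN=System,DC=contoso,DC=com' }
    [pscustomobject]@{ Name = 'Sample User B'; 'msDS-ResultantPSO' = $null }
    [pscustomobject]@{ Name = 'Sample User C'; 'msDS-ResultantPSO' = 'CN=Ops\, Tier 0,CN=Password Settings Container,CN=System,DC=contoso,DC=com' }
)

$report = $sample | Get-ResultantPsoReport

# Accounts per policy, including those left on the default domain policy.
$report |
    Group-Object { if ($_.HasPSO) { $_.PSO } else { '(default domain policy)' } } |
    Select-Object Count, Name

# Accounts with no PSO in effect.
$report | Where-Object { -not $_.HasPSO } | Select-Object Name
```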

Monday, October 17, 2011

How to create a new VM from a snapshot

In Hyper-V R1, we had the option to export out a VM and then later import it back in again.  For many in testing environments, this created large export files when only the VM with a specific snapshot was needed.  With Hyper-V R2 we can now create a new VM from a snapshot of another one.  This is advantageous because now you can create an entire new VM without all the extra files from other snapshots that you may not want.  Take a look at my screen shot below of my snapshot tree.

image
Let’s say that I want to create a new VM from this one. Apply the snapshot that you want to use as the base for the new VM. Right click the VM and select Export.  Give it a location and click Export.

One thing that I do not like about this process is that you will not see any progress bars or other indicators to let you know when the export is finished.  Your VMs will not be able to start until the export is completed.  If you look in the destination that you specified, you will see a new folder containing the name of the VM that you are exporting.  Open this folder.
image
When the Config.xml file is created, the export is completed.

On the Hyper-v Manager, click Import Virtual Machine.
Select the folder and click Import.
You will now have a new VM that does not have any snapshots, but it will boot to the snapshot image you exported.  This is now the base for this VM.

Friday, October 14, 2011

Add Roles and Features to Windows 8 Server Core

 
This demo is tested on Windows 8 Server Developer Preview
Server Core has been something that many Network Administrators shy away from due to the text-based interface. Windows gained much of its market share through its graphical interface and pulled market share from Novell and Unix in the 90s. Why did Microsoft go back? Well, look at it from my perspective:
 
  • Fewer updates mean fewer reboots.
  • Without the extra code needed to generate the GUI, you have fewer vulnerabilities.
  • Best of all, fewer resources required for the OS means more resources available to the applications.
 
In Windows Server Core 2008 R1, we had to execute many command lines and scripts to do basic tasks. With the R2 version, the sconfig menu-driven interface relieved us of much of the memorization of NETSH and scripts. We still needed to manually install roles and features through the text environment. We had the ability to manage those roles and features from a full installation of Windows Server or a Vista/Win7 client with RSAT installed, but still had to do the installation at the command prompt.
 
With Windows Server 8 Developer Preview, we no longer have to do this. Once you join the server core to the domain, go to your DC or the server that you are using for server management.
 
Step 1: Configure Server Core for remote management.
 
On the server core, type sconfig and press Enter.
Select option 4) Configure Remote Management
Select option 1) Enable Remote Management
Confirm your selection.
 
Step 2: Add the server to a full Windows 8 installation’s Server Manager.
 
Click Manage and then select Add Servers
clip_image001

Type part of the server's name in the blank field under All Machines.

Click the Search image icon.
Select the name of the server and then click the image to add the server to the list.

Click Finish.
image


Step 3: Add Roles and Features.

On the Server Manager Dashboard, click Add Roles.

image

Click Next twice.

Select the Server Core from the list of available servers and click Next.
image

Select the Roles that you want to install and click Next
image

Select the Features that you want and click Next.

You will now need to do the initial configuration of the roles and features that you selected and tell the Server Manager to Install.

If you receive a failure of the installation, it may mean that Server Core needs to reboot.
Once the installation has completed and, if necessary, the reboot has finished, click Finish.

Click All Servers, select the server core and scroll to the bottom of the page.

You can now see the installed role.
image

Thursday, October 13, 2011

Installing Windows 8 Server

 

This procedure is tested on the Developer Preview.

Windows 8 Developer Preview has now been out for a few weeks.  I’ve given it a try on a touch device and thought that it worked well.  I let my class try it out and they gave it positive comments.  Windows 8 Server Developer Preview is also out, but it is only available for MSDN subscribers.  Well, this week we did an extra server installation exercise using Windows 8.  Following are a few of the screen shots from the installation.

 

This installation is from a CD onto a virtual machine.

First up came the “What language do you speak” screen.

image

So far nothing different from Windows 2008 R2.  Click Install.

image

image

Here is a hint at what is to come. Notice the Full and Server Core is still present.  The new one is Features On Demand.  Full Installation is selected for this demo.

image

The usual license agreement.

image

Since this is a fresh installation, we are going to select Custom.

image

Still nothing new (except the color).  Click Drive options and format the drive.

image

 

Once formatted, you can see Windows carved a little bit out for itself.

Click Next

image

This installation does not take too long.

image

Let Windows restart. (It may reboot twice)

image

Provide the local Administrator password for the server.

image

image

The new logon screen.

image

Provide your credentials

image

Finally, you arrive at the Dashboard of the Server Manager.

image

 

Not a whole lot to relearn at this point.  Testing will continue as I try to look at the management of this first look at the future of Windows.