Advanced Windows PowerShell Scripting Video Training


Thursday, March 19, 2015

Active Directory Module Cmdlets will not Work

On PowerShell.com today, I noticed an IT pro who was not able to get the Get-ADGroupMember cmdlet to work, but was able to utilize an [ADSI] query.  He recently acquired his first Windows Server 2008 R2 Domain Controllers.  My first thoughts went to the Active Directory Web Services.  This service is what the Active Directory Module for PowerShell uses, and it must be running on at least one of your Domain Controllers.  When I shut down this service and then attempted to access a group's membership, I received the following:

PS C:\> Get-ADGroupMember -Identity "Domain Admins"
Get-ADGroupMember : Unable to find a default server with Active Directory Web Services running.
At line:1 char:1
+ Get-ADGroupMember -Identity "Domain Admins"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (Domain Admins:ADGroup) [Get-ADGroupMember], ADServerDownException
    + FullyQualifiedErrorId : ActiveDirectoryServer:1355,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

He did not provide the full error message, but the last line matched what he provided.  Since it appears that the Service is not running, I asked him to go to each DC to verify it and if so, start it.

A good safeguard is to make sure that multiple Domain Controllers are running this service so that any scheduled tasks that rely on it will always be able to access the Active Directory database.  To get an idea of which of your Domain Controllers are running this service, try this command:

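# -Filter * returns every Domain Controller; without it only one discovered DC comes back.
Get-ADDomainController -Filter * |
    Select-Object -ExpandProperty Name |
    ForEach-Object {Get-Service -Name ADWS -ComputerName $_} |
    Select-Object MachineName, Name, Status   # MachineName shows which DC each row belongs to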
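The command above needs ADWS on at least one Domain Controller before it can list anything, so here is an added example (not code from the original post) that enumerates the Domain Controllers through .NET, reports the ADWS service state on each one, and probes TCP 9389, the port ADWS listens on. The function name Test-AdwsOnDomainControllers is hypothetical, and the example assumes Windows PowerShell 3.0 or later on a domain-joined machine with rights to query services remotely.

```powershell
# Added example, not from the original post. Function name is hypothetical.
# DCs are enumerated through System.DirectoryServices, not the AD module,
# so the check still works when ADWS is stopped on every Domain Controller.
function Test-AdwsOnDomainControllers {
    [CmdletBinding()]
    param(
        [int]$Port = 9389,       # TCP port used by Active Directory Web Services
        [int]$TimeoutMs = 2000   # how long to wait for the port probe
    )

    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    foreach ($dc in $domain.DomainControllers) {
        try {
            # Service state as reported by the Service Control Manager on the DC.
            $status = (Get-Service -Name ADWS -ComputerName $dc.Name -ErrorAction Stop).Status
        }
        catch {
            $status = "QueryFailed: $($_.Exception.Message)"
        }

        # A running service can still be blocked by a firewall, so test the port too.
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $reachable = $client.ConnectAsync($dc.Name, $Port).Wait($TimeoutMs)
        }
        catch { $reachable = $false }
        finally { $client.Close() }

        [pscustomobject]@{
            DomainController = $dc.Name
            AdwsStatus       = $status
            PortReachable    = $reachable
        }
    }
}

Test-AdwsOnDomainControllers | Sort-Object DomainController | Format-Table -AutoSize
```

A Domain Controller that shows Running but not PortReachable points at a network or firewall problem rather than a stopped service.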

Wednesday, March 18, 2015

Playing with the ISE Profile

Since PowerShell 3 and 4, I’ve been teaching more of my PowerShell classes using the ISE rather than using the shell.  This is because the Intellisense really helps my students learn PowerShell.  One thing that I did not like about the ISE is that the cmdlet Start-Transcript could not be used in the ISE.  Now with PowerShell V5, you can. 

Those who have taken my PowerShell classes know that I have transcripts starting automatically in my Shell profile.  Well, time to do the same thing in the ISE.  My goal is to provide my students with a transcript of my activities from the ISE for their review after class.  First off, I need to create a profile for the ISE.

I can do this by simply creating the correct profile file in the WindowsPowerShell directory in my user profile.

if (!(Test-Path $profile))
{ New-Item -ItemType File -Path $profile -Force }

Here is the result:

    Directory: C:\Users\JASON\Documents\WindowsPowerShell

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        3/15/2015   5:27 PM              0 Microsoft.PowerShellISE_profile.ps1


Next I open the Microsoft.PowerShellISE_Profile.ps1 file and add in my transcript naming code.

# -- Automate PowerShell Transcription --
# Create a filename based on a time stamp (HH = 24-hour clock, so AM and PM names cannot collide).
$Filename = "$(Get-Date -Format "yyyy-MM-dd HH-mm-ss").txt"
$HD = $Env:HomeDrive
$HP = $Env:HomePath
$Path = "$($HD)$($HP)\Documents\WindowsPowerShell\ISE Transcripts"
# Turn on PowerShell transcription.
Start-Transcript -Path "$Path\$Filename" -IncludeInvocationHeader

# Remove all transcript files older than 100 days.
Get-ChildItem -Path $Path |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-100)} |
    Remove-Item

This code is very simple.  It creates a custom Date-Time stamped transcript file.  This helps if I have multiple ISE sessions open.  It also deletes old transcripts that are over 100 days old.  Close the ISE and open it.  You should be good to go.

Just remember, these transcript log files will get big, fast.  You may need to adjust the auto delete from 100 days to something less.  In line 12, the value -100 is the one to change.

Tuesday, March 17, 2015

Start-DscConfiguration : The directory name is invalid.

I’ve been teaching PowerShell since version 1.  On occasion, I have to follow my own advice.  Here is the nifty little error that I received while playing around with DSC.

Start-DscConfiguration : The directory name is invalid.
At line:1 char:1
+ Start-DscConfiguration -Wait -Path C:\MyFaxConfig\LON-SVR1.mof -Verbo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Start-DscConfiguration], IOException
    + FullyQualifiedErrorId : System.IO.IOException,Microsoft.PowerShell.DesiredStateConfiguration.Commands.StartDscConfigurationCommand

Well, this is a pleasant one. Actually it is very simple.  Here is what I typed:

Start-DscConfiguration -Wait -Path C:\MyFaxConfig\LON-SVR1.mof -Verbose

Anybody???  After a lot of internet searches that came up with nothing, I turned to the help files.  Here is the example from the help file for Start-DscConfiguration:

Start-DscConfiguration -Path "C:\DSC\Configurations\" -Wait -Verbose

In my version, I added the MOF file in the path.  That is not what the Path parameter is used for. Here is what I found for the Path parameter in the help file:

Specifies a file path of a folder that contains configuration settings files. The cmdlet publishes and applies this configuration to computers specified by the ComputerName parameter.


In other words, it will apply all configurations in that folder, not a specific one.  My bad.
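Because -Path takes a folder and everything in that folder is in scope, it helps to see which node files will be applied before the push starts. The following is an added example, not code from the original post: Start-DscFromPath is a hypothetical helper name, and it assumes node MOF files are named after their target node (as LON-SVR1.mof is in the post). It accepts either a folder or a single .mof file and uses the cmdlet's ComputerName parameter to narrow the run when a single file is given.

```powershell
# Added example, not from the original post. Start-DscFromPath is a
# hypothetical helper name; the path is the one used in the post.
function Start-DscFromPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$ComputerName
    )

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop

    if (-not $item.PSIsContainer) {
        # A file was passed to -Path: the mistake behind "The directory name is invalid".
        if ($item.Extension -ne '.mof') { throw "Not a folder or a .mof file: $Path" }
        # Assumption: the file is named <node>.mof, so limit the run to that node.
        if (-not $ComputerName) { $ComputerName = $item.BaseName }
        $item = $item.Directory
    }

    # Every node MOF in the folder is in scope unless -ComputerName narrows it.
    $mofs = Get-ChildItem -LiteralPath $item.FullName -Filter *.mof |
        Where-Object { $_.Name -notlike '*.meta.mof' }
    if ($ComputerName) {
        $mofs = $mofs | Where-Object { $ComputerName -contains $_.BaseName }
    }
    if (-not $mofs) { throw "No matching .mof files in $($item.FullName)" }

    # Show exactly which configurations are about to be applied.
    Write-Host ("Applying: " + (($mofs | ForEach-Object Name) -join ', '))

    $params = @{ Path = $item.FullName; Wait = $true; Verbose = $true }
    if ($ComputerName) { $params.ComputerName = $ComputerName }
    Start-DscConfiguration @params
}

# The call from the post now resolves to the folder plus -ComputerName LON-SVR1.
Start-DscFromPath -Path C:\MyFaxConfig\LON-SVR1.mof
```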

Monday, March 16, 2015

The PowerShell provider MSFT_RoleResource does not contain the corresponding MOF file

Doing some work on getting a very basic DSC example ready for my PowerShell class this week.  Funny thing is, I did this entire demonstration on a flight last week and was just trying to polish it up.  While doing it again, this bug pops out of nowhere.  I found on PowerShell.org a post by Dave Wyatt with a response by Don Jones to install KB2883200.  Since I was testing in isolated VMs, I just downloaded the MSU from Microsoft, pasted it onto the Source VM's desktop, and installed it.  Well, that one was already installed.  But it was not installed on the target server.  After installing it on both servers in this test, still no go.  I then installed KB3037315 and then KB2894179.  That did the trick!!!

KB3037315 I understand.  It contains an update to DSC.  KB2894179 however is concerned with the OOBE Wizard in Windows 8.1.  No idea why that third update worked, but I wanted to put it out on the net in case someone bumps into this.  My test VMs are not completely up to date so had they been, chances are I would not have bumped into this issue.

Thank you Dave and Don for the hints that I needed!

Tuesday, March 3, 2015

The Annoying Subnetting Question–Think Big Bang Theory

Yesterday on Day 1 of a 20411 Administering Windows Server 2012 class we had a question pop up on the DNS chapter.  Right off the bat I knew this question came from a brain dump web site.  Let’s just get my position out in public right off the bat.  I expect those who are going to take the exam to take the time to learn the technology.  If you do use a practice exam to prep, use it as a learning tool.  Do not just memorize the exam.  It will not do you or anybody else any good.

From the perspective of others in the class, it was like watching the Big Bang Theory unfold in front of them.  We dove into this problem to try and find the correct answer the proper way using research.

Let’s first take a look at the question and then we will learn from it by finding the answers to all of the questions that we do not have the answers for.

You work as an Administrator at iCompany.com. The iCompany.com network consists of a single domain named iCompany.com. All servers in the iCompany.com domain have Windows Server 2012 R2 installed. The iCompany.com network uses the network ID 192.168.1.0/26 and has a single DNS server named iCompany_DNS03. iCompany_DNS03 has a standard Primary DNS zone.

Which of the following options is the correct reverse lookup zone for the iCompany.com network?

A. 192.168.1-0.in.addr.arpa

B. 192.168.1.26.in-addr.arpa

C. 26.1.168.192.in-addr.arpa

D. 1.168.192-26.in-addr.arpa

E. 0.1.168.192.in-addr.arpa

Remember that I am not against the use of practice exams as long as you take the time to understand why an answer was right and why the other ones were wrong.

We eliminated the “noise” in this question and reworded it as follows.

You have a network ID of 192.168.1.0/26.  What is the correct reverse lookup zone?

Much simpler.

We eliminated A and B because the syntax was just wrong. The IP address in a reverse lookup zone is written with its octets reversed. We then looked at the TechNet article Adding a Reverse Lookup Zone. In Table 6.3 we see that a subnetted reverse lookup zone is scoped using a Class B or Class C network. This allowed us to eliminate C. We then used the document RFC 2317: Classless IN-ADDR.ARPA Delegation to determine what the proper syntax for a delegated classless reverse lookup zone would look like. This allowed us to eliminate D for two reasons. The first is that D is an attempt to perform this as a delegated reverse zone, and there is nothing in the text of the problem that calls for this type of reverse lookup zone. Also, the syntax of D for a delegated reverse lookup zone was not correct to begin with. Look at the -26.  This was not correct. In conclusion, we went with E for our answer.

Remember, memorizing a practice exam is not recommended. In the end, you still need to perform the job. If you do go that route, use it as a study guide, not a memorization tool. At 3 AM on a Sunday Morning after working all weekend with little to no sleep on a problem, the memorization of a test will not help you. Knowing the technology will. I know this from actual experience. Had I not taken the time to know my technology, I most likely would not have been successful when the heat was on.

References

RFC 2317: Classless IN-ADDR.ARPA Delegation

Adding a Reverse Lookup Zone