Windows Server 2012 R2

New PowerShell console on Server Core

Server Core is great for reducing the footprint of your VMs. Nano Server is smaller still, but it can’t be a domain controller.

 

One drawback to Server Core is that you only get a single console. If you hang that for any reason you have to either try to open another one (the Hyper-V console greys out CTRL-ALT-DEL) or open a few when you log on to the machine.

 

You still get a cmd.exe console instead of PowerShell. That should be changed: it’s 10 years since PowerShell came along! So run powershell to open PowerShell in the default console, then

 

"Start-Process -FilePath powershell.exe -Verb RunAS" > new-powershell.ps1

will create a simple script to open a new elevated PowerShell console.

 

Run it as many times as you want. Perform your work in the new Powershell console and if it hangs – just shut it down. Keep the default console for just opening new PowerShell consoles and then you’ll always be able to keep working.
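The same idea taken a step further, as an added example that is not part of the original post: a launcher that titles each elevated console with its PID (so a hung one can be stopped from the console you keep for launching), plus a function that makes PowerShell the default Server Core shell by changing the Winlogon Shell value. The Winlogon key path is the standard one; writing it needs an elevated console, which the code checks for.

```powershell
# Added example, not from the original post. Assumes the default shell value lives at
# the standard Winlogon key and that you run the shell change from an elevated console.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-IsElevated {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-ServerCoreShellToPowerShell {
    # Makes PowerShell the shell you land in at logon; takes effect at the next logon.
    # Reversible: the -WhatIf/-Confirm message reports the previous value, put it back
    # with Set-ItemProperty if needed.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated console (HKLM write).' }
    $current = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($current -like 'powershell.exe*') {
        Write-Verbose "Shell is already '$current'"
        return
    }
    if ($PSCmdlet.ShouldProcess($winlogon, "Set Shell to 'PowerShell.exe -NoExit' (was '$current')")) {
        Set-ItemProperty -Path $winlogon -Name Shell -Value 'PowerShell.exe -NoExit'
    }
}

function New-ElevatedConsole {
    # Same Start-Process -Verb RunAs call as the post, plus a startup command that puts
    # the PID in the window title so a hung console can be killed with Stop-Process -Id.
    param([string]$WorkingDirectory = $PWD.Path)
    $startup = "`$host.UI.RawUI.WindowTitle = 'PowerShell (elevated) PID ' + `$PID; " +
               "Set-Location -LiteralPath '$WorkingDirectory'"
    Start-Process -FilePath powershell.exe -Verb RunAs -ArgumentList '-NoExit', '-Command', $startup
}

# Usage:
#   New-ElevatedConsole                        # open a fresh elevated console
#   Set-ServerCoreShellToPowerShell -WhatIf    # show the registry change without making it
```

Keep the default console for launching only, as the post says; the title-with-PID makes it obvious which process to stop when one of the working consoles hangs.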

Don’t reinvent the wheel

Way back when I used to take Microsoft certification exams there were often questions of the form “Perform task X with the minimum of administrative effort”. Most, if not all, of the possible answers would work, but the correct answer was the one that achieved the goal with the least amount of work.

 

Many, if not most, administrators don’t seem to follow that model.

 

This was brought home to me when I saw a forum discussion about collecting event log information from a bunch of remote servers on a regular basis.

 

You could set up a scheduled task/job that runs a script against the remote servers, collects the log information and populates an Excel spreadsheet.

OR

You could enable event log forwarding and just interrogate the combined logs as needed.

 

The second option is the easier of the two to MAINTAIN and will cost you less effort in the long run.
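Interrogating the combined log instead of polling each server, as an added example that is not part of the original post. It assumes a collector already set up for event forwarding (wecutil qc on the collector, winrm quickconfig on the sources, and a subscription) so that the sources’ security logs land in the collector’s ForwardedEvents log. The event ID (4625, failed logon), the time window and the threshold are my choices; change them for the events you care about.

```powershell
# Added example, not from the original post. Run on the collector: one query over
# ForwardedEvents replaces a scheduled script that visits every server.
function Get-ForwardedLogonFailure {
    [CmdletBinding()]
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),
        [int]$Threshold = 5,                       # report only groups with at least this many failures
        [string]$LogName = 'ForwardedEvents'
    )
    $filter = @{ LogName = $LogName; Id = 4625; StartTime = $Since }
    # Get-WinEvent reports "no events" as an error; treat that as an empty result
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # Read the named EventData fields from the XML rather than parsing the message text
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Source        = $e.MachineName           # the forwarding server, not the collector
            TargetAccount = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            ClientAddress = $data['IpAddress']
            LogonType     = $data['LogonType']
            Time          = $e.TimeCreated
        }
    }
    $rows | Group-Object Source, TargetAccount |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        ForEach-Object {
            $latest = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
            [pscustomobject]@{
                Failures      = $_.Count
                Source        = $latest.Source
                TargetAccount = $latest.TargetAccount
                LastFrom      = $latest.ClientAddress
                LastSeen      = $latest.Time
            }
        }
}

# Usage (on the collector):
# Get-ForwardedLogonFailure -Since (Get-Date).AddHours(-6) -Threshold 10 | Format-Table -AutoSize
```

MachineName on a forwarded record is the original source, so grouping on it gives a per-server view without ever connecting to those servers.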

 

When you start to solve a problem, stop and search for a bit to see if there is a solution already available in Windows Server. I bet you’ll be surprised by what you find.

Create a reverse lookup zone

I needed to create a DNS reverse lookup zone for my test environment. With Windows Server 2012 R2 I’ve got cmdlets available for managing DNS servers – the DnsServer module. You need to install the DNS role or the DNS RSAT tools to get access to the module.

 

To create a new reverse lookup zone

Add-DnsServerPrimaryZone -DynamicUpdate Secure -NetworkId '10.10.54.0/24' -ReplicationScope Domain

 

Use NetworkId to define the subnet the zone spans. Setting DynamicUpdate to Secure means only authenticated domain members can register or change records, which blocks an arbitrary host on the network from overwriting someone else’s PTR record. Secure updates are only available for AD-integrated zones, and ReplicationScope Domain is what makes this zone AD-integrated (stored in AD and replicated to every DNS server in the domain).

 

Doesn’t get any easier
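A version that is safe to re-run, as an added example that is not part of the original post: it creates the reverse zone only if it is missing, verifies the two properties that matter (AD-integrated, secure updates only) and audits the server for zones that still accept unauthenticated dynamic updates. The subnet, server and host names are the ones used on this page; the PTR record in the usage is constructed from them. Only /8, /16 and /24 networks are handled, because those map directly onto an in-addr.arpa zone name.

```powershell
# Added example, not from the original post.
function New-SecureReverseZone {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^\d{1,3}(\.\d{1,3}){3}/(8|16|24)$')]
        [string]$NetworkId,                                          # e.g. '10.10.54.0/24'
        [ValidateSet('Domain','Forest','Legacy')][string]$ReplicationScope = 'Domain',
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # 10.10.54.0/24 -> 54.10.10.in-addr.arpa (reverse the network octets)
    $address, $prefix = $NetworkId -split '/'
    $octets       = $address -split '\.'
    $keep         = [int]$prefix / 8
    $prefixOctets = $octets[0..($keep - 1)]
    [array]::Reverse($prefixOctets)
    $zoneName = ($prefixOctets -join '.') + '.in-addr.arpa'

    $zone = Get-DnsServerZone -Name $zoneName -ComputerName $ComputerName -ErrorAction SilentlyContinue
    if (-not $zone) {
        Add-DnsServerPrimaryZone -NetworkId $NetworkId -DynamicUpdate Secure `
            -ReplicationScope $ReplicationScope -ComputerName $ComputerName
        $zone = Get-DnsServerZone -Name $zoneName -ComputerName $ComputerName
    }
    # Secure dynamic updates only exist for AD-integrated zones; check both explicitly
    if (-not $zone.IsDsIntegrated)        { Write-Warning "$zoneName is not AD-integrated" }
    if ($zone.DynamicUpdate -ne 'Secure') { Write-Warning "$zoneName accepts $($zone.DynamicUpdate) dynamic updates" }
    $zone | Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DynamicUpdate
}

function Get-InsecureDnsZone {
    # A primary zone set to NonsecureAndSecure lets unauthenticated hosts register or
    # overwrite records; list them so they can be fixed with
    # Set-DnsServerPrimaryZone -DynamicUpdate Secure.
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
        Select-Object ZoneName, IsDsIntegrated, IsReverseLookupZone, DynamicUpdate
}

# Usage (names from this page; the PTR record is a constructed sample):
# New-SecureReverseZone -NetworkId '10.10.54.0/24'
# Add-DnsServerResourceRecordPtr -ZoneName '54.10.10.in-addr.arpa' -Name '204' -PtrDomainName 'W12R2DSC.Manticore.org'
# Get-InsecureDnsZone
```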

Quick update check

Want to check on updates that haven’t been fully applied in your environment?

 

Run this on your WSUS server (2012 R2)

£> Get-WsusUpdate -Classification All -Status Any -Approval AnyExceptDeclined |
where InstalledOrNotApplicablePercentage -ne 100

 

You can modify the filters:

 

Classification = one of All, Critical, Security, WSUS

 

Status = one of NoStatus, InstalledOrNotApplicable, InstalledOrNotApplicableOrNoStatus, Failed, Needed, FailedOrNeeded, Any

 

Approval = one of Approved, Unapproved, AnyExceptDeclined, Declined
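The check above turned into a prioritised report, as an added example that is not part of the original post: approved Critical and Security updates that still have machines reporting Failed or Needed, with the counts and MSRC severity, worst first. It relies on the properties the Get-WsusUpdate output object exposes (ComputersNeedingThisUpdate, ComputersWithErrors, InstalledOrNotApplicablePercentage) and on Title, KnowledgebaseArticles and MsrcSeverity from the underlying Update object; run it on the WSUS server like the one-liner above.

```powershell
# Added example, not from the original post. Run on the WSUS server.
function Get-WsusOutstandingUpdate {
    [CmdletBinding()]
    param(
        [ValidateSet('Critical','Security')][string[]]$Classification = @('Critical','Security'),
        [int]$MinComputers = 1          # ignore updates with fewer affected machines than this
    )
    foreach ($c in $Classification) {
        # Approved updates that at least one computer has failed or still needs
        Get-WsusUpdate -Classification $c -Status FailedOrNeeded -Approval Approved |
            Where-Object { ($_.ComputersNeedingThisUpdate + $_.ComputersWithErrors) -ge $MinComputers } |
            ForEach-Object {
                [pscustomobject]@{
                    Classification = $c
                    Title          = $_.Update.Title
                    KB             = ($_.Update.KnowledgebaseArticles -join ',')
                    Severity       = [string]$_.Update.MsrcSeverity
                    Needed         = $_.ComputersNeedingThisUpdate
                    Failed         = $_.ComputersWithErrors
                    PctComplete    = $_.InstalledOrNotApplicablePercentage
                }
            }
    }
}

# MSRC severity is a name, not a number; give it an order for sorting (unknown last)
$severityRank = @{ Critical = 0; Important = 1; Moderate = 2; Low = 3; Unspecified = 4 }

function Sort-BySeverity {
    param([Parameter(ValueFromPipeline)]$Update)
    begin { $all = @() }
    process { $all += $Update }
    end {
        $all | Sort-Object -Property @{ Expression = { $r = $severityRank[$_.Severity]; if ($null -eq $r) { 9 } else { $r } } },
                                      @{ Expression = 'Failed'; Descending = $true }
    }
}

# Usage:
# Get-WsusOutstandingUpdate -MinComputers 2 | Sort-BySeverity | Format-Table -AutoSize
```

Failed installs of Critical-severity updates land at the top, which is where a patch-compliance review should start.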

Error handling for DNS lookups

Interesting question on the forum regarding the Resolve-DnsName cmdlet. This is part of the DnsClient module introduced with Windows 8.

 

If the DNS record is found everything is good

£> Resolve-DnsName W12R2DSC -Server server02 | ft -a

Name                   Type TTL  Section IPAddress
----                   ---- ---  ------- ---------
W12R2DSC.Manticore.org A    1200 Answer  10.10.54.204

 

If the record isn’t found you get an error

£> Resolve-DnsName W12R2DSC3 -Server server02
Resolve-DnsName : W12R2DSC3 : DNS name does not exist
At line:1 char:1
+ Resolve-DnsName W12R2DSC3 -Server server02
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (W12R2DSC3:String) [Resolve-DnsName], Win32Exception
    + FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

 

If you want to handle that error gracefully you use try/catch. The error is non-terminating by default, so set -ErrorAction Stop on the cmdlet or the catch block will never run.

 

$computer = 'W12R2DSC3'
try {
    Resolve-DnsName $computer -Server server02 -ErrorAction Stop
}
catch {
    Write-Warning -Message "Record not found for $computer"
}
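The catch above reports every failure as “record not found”, including a server that is down or not answering, which is a different situation and a different fix. As an added example that is not part of the original post, this resolves a list of names and separates the NXDOMAIN case (the DNS_ERROR_RCODE_NAME_ERROR shown in the output above) from everything else using FullyQualifiedErrorId. The server and host names follow the post; the two extra error-code names in the switch are assumptions, and anything unmapped is reported as a generic error with the message.

```powershell
# Added example, not from the original post.
function Resolve-DnsNameReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string[]]$Name,
        [string]$Server = 'server02',
        [ValidateSet('A','AAAA','CNAME','PTR','MX','SRV','TXT')][string]$Type = 'A'
    )
    process {
        foreach ($n in $Name) {
            try {
                # -DnsOnly: no LLMNR/NetBIOS fallback, which any host on the subnet can answer
                $records = Resolve-DnsName -Name $n -Type $Type -Server $Server -DnsOnly -ErrorAction Stop
                $addresses = $records | Where-Object { $_.Section -eq 'Answer' -and $_.IPAddress } |
                             ForEach-Object { $_.IPAddress }
                [pscustomobject]@{
                    Name    = $n
                    Status  = 'Found'
                    Address = ($addresses -join ', ')
                    Detail  = (($records | Where-Object { $_.Section -eq 'Answer' } |
                                ForEach-Object { "$($_.Name) $($_.Type)" }) -join '; ')
                }
            }
            catch {
                # FullyQualifiedErrorId looks like
                # 'DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName';
                # the part before the comma is the DNS/Win32 error name.
                $code = ($_.FullyQualifiedErrorId -split ',')[0]
                $status = switch ($code) {
                    'DNS_ERROR_RCODE_NAME_ERROR'     { 'NotFound' }       # NXDOMAIN: the record is absent
                    'DNS_ERROR_RCODE_SERVER_FAILURE' { 'ServerFailure' }  # assumed code name
                    'ERROR_TIMEOUT'                  { 'Timeout' }        # assumed code name
                    default                          { 'Error' }
                }
                [pscustomobject]@{
                    Name    = $n
                    Status  = $status
                    Address = $null
                    Detail  = "$code : $($_.Exception.Message)"
                }
            }
        }
    }
}

# Usage: only 'NotFound' means the name is absent; any other non-Found status means
# the answer is unknown and the server, not the record, needs looking at.
# 'W12R2DSC', 'W12R2DSC3' | Resolve-DnsNameReport | Format-Table -AutoSize
```

The -DnsOnly switch matters when the result drives anything security-relevant: without it a name that does not exist in DNS can still be “resolved” by whoever answers the LLMNR or NetBIOS broadcast on the local segment.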

PowerShell and messaging

This article (http://powershell.org/wp/2015/07/07/rabbitmq-and-powershell/) reminded me that Windows Server comes with a built-in messaging system: MSMQ.

 

There is a PowerShell module for MSMQ: https://technet.microsoft.com/en-us/library/hh405007(v=vs.85).aspx

 

Since reading the RabbitMQ article I think that RabbitMQ is more useful in a heterogeneous environment, but MSMQ would work very nicely in a Windows-only environment.

 

I’ve not looked at MSMQ for a long time and have not seen much on using it through PowerShell, so I think it’s time to remedy that. I’ll put together a short series on using MSMQ through PowerShell to complement the RabbitMQ information.

IPAM: 1 Installation and configuration

IPAM stands for IP Address Management. It’s a feature in Windows Server 2012 R2 that enables you to manage your DHCP and DNS servers as a whole rather than at the individual service or server level.

 

Installation of IPAM follows the standard approach for any Windows feature. Note that IPAM isn’t supported on a Domain Controller: even if the feature installs there, provisioning won’t complete. IPAM is designed to be installed on a domain member server.

Full details on deploying an IPAM server are available here: https://technet.microsoft.com/en-us/library/hh831353.aspx

 

I’m not going to run through the full deployment and configuration – just point out some issues and where you can use PowerShell to make things easier.

 

Once the IPAM feature is installed you have to provision the IPAM server. There isn’t a separate MMC for IPAM admin; you use Server Manager. Provisioning an IPAM server can be done manually or by GPO. Manual seemed best for a lab/experiment/initial set-up, as you can’t swap from GPO-based to manual provisioning later. You can use Windows Internal Database (WID) or SQL Server; I used WID.

 

You then need to configure your DHCP servers, DNS servers and domain controllers. This involves a number of group membership changes, firewall rule changes and a registry setting.

 

Create a group called IPAMUG and add the IPAM server into it.

New-ADGroup -Name IPAMUG -DisplayName IPAMUG -SamAccountName IPAMUG -Description 'IPAM management group' -GroupCategory Security -GroupScope Universal

Add-ADGroupMember -Identity IPAMUG -Members (Get-ADComputer -Identity W12R2SUS)

 

Add IPAMUG to a number of groups

Add-ADGroupMember -Identity 'Event Log Readers' -Members (Get-ADGroup -Identity IPAMUG)

Add-ADGroupMember -Identity 'DHCP Users' -Members (Get-ADGroup -Identity IPAMUG)

Add-ADGroupMember -Identity 'DNSAdmins' -Members (Get-ADGroup -Identity IPAMUG)

 

I also found I had to add the IPAM server to the domain Administrators group to get the DNS data to come through. Treat that as a lab shortcut rather than a configuration to keep: it makes the IPAM server’s computer account a domain administrator, so anyone who compromises that server (or any code running as SYSTEM on it) has the domain. The supported route is to grant the IPAM group permissions on the DNS servers, as described below.

 

Modify some firewall rules

$cs = New-CimSession -ComputerName W12R2SCDC01

Enable-NetFirewallRule  -DisplayName 'Remote Service Management (RPC)' -CimSession $cs -PassThru
Enable-NetFirewallRule  -DisplayName 'Remote Service Management (NP-In)' -CimSession $cs -PassThru
Enable-NetFirewallRule  -DisplayName 'Remote Service Management (RPC-EPMAP)' -CimSession $cs -PassThru

Get-NetFirewallRule -DisplayGroup 'Remote Service Management' -CimSession $cs |
ft DisplayName, Enabled, Direction, Profile -a

 

There are a bunch of firewall rules that need setting. You can find the full list in the TechNet documentation.

For DHCP servers create an audit share

 

New-SmbShare -Name dhcpaudit -Path 'C:\Windows\System32\dhcp' -ReadAccess 'manticore\IPAMUG'
Set-SmbShare -Name dhcpaudit -Description 'DHCP audit share for IPAM' -Force

## restart DHCP service
Get-Service -Name DHCPServer | Restart-Service -PassThru

 

Enable event log monitoring on the DNS servers

$csd = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server' -Name CustomSD |
select -ExpandProperty CustomSD
$ipamsid = (Get-ADComputer -Identity W12R2SUS | select -ExpandProperty SID).value
$csd = $csd + "(A;;0x1;;;$ipamsid)"
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server' -Name CustomSD -Value $csd -PassThru

 

I also had to manually add the IPAMUG group into the security permissions for the DNS servers. There didn’t seem to be a way to automate that bit.
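A check for the steps above, as an added example that is not part of the original post. Run from an admin workstation with the AD module and WinRM access to the managed server, it verifies the group memberships, the three Remote Service Management firewall rules, the dhcpaudit share and its ACL, and the DNS Server event log CustomSD. The names (IPAMUG, W12R2SUS, dhcpaudit) are the ones used in this post; the Administrators membership check is there because of the workaround mentioned above, and it should come back as a pass once the DNS permissions are set properly.

```powershell
# Added example, not from the original post.
function Test-IpamManagedServer {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # the DHCP/DNS server or DC being managed
        [string]$IpamServer = 'W12R2SUS',
        [string]$IpamGroup  = 'IPAMUG',
        [switch]$Dhcp,                                 # run the DHCP audit-share checks
        [switch]$Dns                                   # run the DNS event log checks
    )
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result($Check, $Pass, $Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = "$Detail" })
    }

    # --- AD side: IPAM server in IPAMUG, IPAMUG in the groups IPAM relies on ---
    $ipam = Get-ADComputer -Identity $IpamServer
    $ugMembers = Get-ADGroupMember -Identity $IpamGroup | Select-Object -ExpandProperty SID
    Add-Result "$IpamServer in $IpamGroup" ($ugMembers -contains $ipam.SID) $ipam.DistinguishedName

    foreach ($g in 'Event Log Readers', 'DHCP Users', 'DNSAdmins') {
        try {
            $names = Get-ADGroupMember -Identity $g -ErrorAction Stop | Select-Object -ExpandProperty Name
            Add-Result "$IpamGroup in '$g'" ($names -contains $IpamGroup) ($names -join ', ')
        }
        catch { Add-Result "$IpamGroup in '$g'" $false "group lookup failed: $($_.Exception.Message)" }
    }
    # Least privilege: the IPAM computer account should not be a domain administrator
    $admins = Get-ADGroupMember -Identity 'Administrators' -Recursive | Select-Object -ExpandProperty SID
    Add-Result "$IpamServer NOT in domain Administrators" (-not ($admins -contains $ipam.SID)) 'least privilege'

    # --- managed server side: firewall rules, share ACL, event log ACL ---
    $remote = Invoke-Command -ComputerName $ComputerName -ArgumentList $Dhcp.IsPresent, $Dns.IsPresent -ScriptBlock {
        param($CheckDhcp, $CheckDns)
        $o = @{}
        $o.Firewall = Get-NetFirewallRule -DisplayGroup 'Remote Service Management' |
            ForEach-Object { [pscustomobject]@{ Name = $_.DisplayName; Enabled = "$($_.Enabled)" } }
        if ($CheckDhcp) {
            $share = Get-SmbShare -Name dhcpaudit -ErrorAction SilentlyContinue
            $o.SharePath = $share.Path
            if ($share) {
                $o.ShareAccess = Get-SmbShareAccess -Name dhcpaudit | ForEach-Object {
                    [pscustomobject]@{ Account = $_.AccountName; Right = "$($_.AccessRight)"; Type = "$($_.AccessControlType)" }
                }
            }
        }
        if ($CheckDns) {
            $o.CustomSD = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server' `
                               -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
        }
        $o
    }

    foreach ($r in 'Remote Service Management (RPC)', 'Remote Service Management (NP-In)', 'Remote Service Management (RPC-EPMAP)') {
        $rule = $remote.Firewall | Where-Object { $_.Name -eq $r }
        Add-Result "Firewall rule '$r' enabled" ($rule.Enabled -eq 'True') $rule.Enabled
    }
    if ($Dhcp) {
        Add-Result 'dhcpaudit share exists' ($null -ne $remote.SharePath) $remote.SharePath
        $ugRead = $remote.ShareAccess | Where-Object { $_.Account -like "*\$IpamGroup" -and $_.Right -eq 'Read' -and $_.Type -eq 'Allow' }
        Add-Result "dhcpaudit grants Read to $IpamGroup" ($null -ne $ugRead) (($remote.ShareAccess | ForEach-Object { "$($_.Account):$($_.Right)" }) -join ', ')
        # The audit log share should not be readable by every user in the domain
        $broad = $remote.ShareAccess | Where-Object { $_.Account -match 'Everyone|Authenticated Users|Domain Users' }
        Add-Result 'dhcpaudit has no broad grants' ($null -eq $broad) (($broad | ForEach-Object { $_.Account }) -join ', ')
    }
    if ($Dns) {
        Add-Result 'DNS Server log CustomSD includes IPAM server SID' ($remote.CustomSD -like "*$($ipam.SID.Value)*") $remote.CustomSD
    }
    $results
}

# Usage:
# Test-IpamManagedServer -ComputerName W12R2SCDC01 -Dhcp -Dns | Format-Table -AutoSize
```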

 

IPAM has a PowerShell module – IpamServer – which contains lots of cmdlets:

Add-IpamAddress
Add-IpamAddressSpace
Add-IpamBlock
Add-IpamCustomField
Add-IpamCustomFieldAssociation
Add-IpamCustomValue
Add-IpamDiscoveryDomain
Add-IpamRange
Add-IpamServerInventory
Add-IpamSubnet
Disable-IpamCapability
Enable-IpamCapability
Export-IpamAddress
Export-IpamRange
Export-IpamSubnet
Find-IpamFreeAddress
Get-IpamAddress
Get-IpamAddressSpace
Get-IpamAddressUtilizationThreshold
Get-IpamBlock
Get-IpamCapability
Get-IpamConfiguration
Get-IpamConfigurationEvent
Get-IpamCustomField
Get-IpamCustomFieldAssociation
Get-IpamDatabase
Get-IpamDhcpConfigurationEvent
Get-IpamDiscoveryDomain
Get-IpamIpAddressAuditEvent
Get-IpamRange
Get-IpamServerInventory
Get-IpamSubnet
Import-IpamAddress
Import-IpamRange
Import-IpamSubnet
Invoke-IpamGpoProvisioning
Invoke-IpamServerProvisioning
Move-IpamDatabase
Remove-IpamAddress
Remove-IpamAddressSpace
Remove-IpamBlock
Remove-IpamConfigurationEvent
Remove-IpamCustomField
Remove-IpamCustomFieldAssociation
Remove-IpamCustomValue
Remove-IpamDhcpConfigurationEvent
Remove-IpamDiscoveryDomain
Remove-IpamIpAddressAuditEvent
Remove-IpamRange
Remove-IpamServerInventory
Remove-IpamSubnet
Rename-IpamCustomField
Rename-IpamCustomValue
Set-IpamAddress
Set-IpamAddressSpace
Set-IpamAddressUtilizationThreshold
Set-IpamBlock
Set-IpamConfiguration
Set-IpamCustomFieldAssociation
Set-IpamDatabase
Set-IpamDiscoveryDomain
Set-IpamRange
Set-IpamServerInventory
Set-IpamSubnet
Update-IpamServer

Now I’ve got my IPAM server up and running, it’s time to see what I can do with it.

DHCP scope lease time

I wanted to reduce the lease time on a DHCP scope.

 

$lt = New-TimeSpan -Hours 12
Set-DhcpServerv4Scope -ScopeId 10.10.54.0 -LeaseDuration $lt

 

You could even make it a one-liner if you wished:

 

Set-DhcpServerv4Scope -ScopeId 10.10.54.0 -LeaseDuration (New-TimeSpan -Hours 12)

Merry Christmas from the PowerShell team

The PowerShell team have produced wave 9 of the DSC resource kit, just in time for Christmas: http://blogs.msdn.com/b/powershell/archive/2014/12/17/another-holiday-present-from-the-powershell-team-dsc-reskit-wave-9.aspx

This wave contains a number of new resources and some updates to existing resources including the Exchange resource.

You can download the latest version of the resource kit from https://gallery.technet.microsoft.com/DSC-Resource-Kit-All-c449312d

The team’s blog post states that you should check for the GA update (which is the minimum requirement for running the DSC resource kit) by testing whether KB2883200 is installed. This won’t work if you’ve built your system from Windows media that already incorporates the update.

A better test is to look at the build number. It should be 9600 (the Windows Server 2012 R2 release build) or higher. You can see this in $PSVersionTable:

£> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      4.0
WSManStackVersion              3.0
SerializationVersion           1.1.0.1
CLRVersion                     4.0.30319.34014
BuildVersion                   6.3.9600.17400
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0}
PSRemotingProtocolVersion      2.2

The version is 6.3.9600.17400, where 6.3 is Windows Server 2012 R2 and 9600 is the build.

You can also use WMI, through the CIM cmdlets:

£> Get-CimInstance -ClassName Win32_Operatingsystem | Format-List BuildNumber, Version

BuildNumber : 9600
Version     : 6.3.9600

Unavailable modules

Another question on the powershell.org forum centred on modules not available on down level versions of Windows – in this case the SmbShare module.

A large number of modules were introduced with Windows Server 2012 (many are also available on Windows 8). Over 60% of this new functionality is created using CDXML (cmdlet definition XML): a WMI/CIM class does the work, an XML file maps that class’s methods and properties onto cmdlet names and parameters, and the resulting file is published as a PowerShell module.

These are easy to spot as they have a .CDXML extension.

If you are having problems with a module that doesn’t appear to be on Windows Server 2008 R2 or earlier, check the file extension in the module folder on a Windows Server 2012 (R2) system. If it’s CDXML, the WMI class almost certainly won’t be available on the earlier versions of Windows.
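Doing that check for a whole module folder at once, as an added example that is not part of the original post: it walks the module directory, reads the CIM class each .cdxml file wraps, and reports whether that class exists, locally or on another machine via a CimSession. The CDXML layout it parses (a PowerShellMetadata root whose Class element carries a ClassName of the form namespace/ClassName) is the standard schema; the remote-session usage at the end is an assumption about your environment.

```powershell
# Added example, not from the original post.
function Get-CdxmlModuleClass {
    [CmdletBinding()]
    param(
        [string]$ModulePath = (Join-Path -Path $PSHOME -ChildPath 'Modules'),
        [Microsoft.Management.Infrastructure.CimSession]$CimSession   # omit to test the local machine
    )
    Get-ChildItem -Path $ModulePath -Recurse -Filter *.cdxml | ForEach-Object {
        $xml = [xml](Get-Content -Path $_.FullName -Raw)
        # ClassName is namespace and class in one string, e.g. ROOT/Microsoft/Windows/SMB/MSFT_SmbShare
        $classPath = [string]$xml.PowerShellMetadata.Class.ClassName
        $split     = $classPath.LastIndexOf('/')
        $namespace = $classPath.Substring(0, $split)
        $className = $classPath.Substring($split + 1)

        # Missing namespace or class is a non-terminating error; silence it and test for output
        $lookup = @{ Namespace = $namespace; ClassName = $className; ErrorAction = 'SilentlyContinue' }
        if ($CimSession) { $lookup.CimSession = $CimSession }
        $found = [bool](Get-CimClass @lookup)

        [pscustomobject]@{
            Module     = $_.Directory.Name
            File       = $_.Name
            Namespace  = $namespace
            Class      = $className
            ClassFound = $found
        }
    }
}

# Usage: which CDXML modules would be dead on a given older server? A 2008 R2 box without
# WMF 3.0 only has WSMan 2.0, so the CIM session to it has to use DCOM.
# $opt = New-CimSessionOption -Protocol Dcom
# $cs  = New-CimSession -ComputerName oldserver -SessionOption $opt
# Get-CdxmlModuleClass -CimSession $cs | Where-Object { -not $_.ClassFound } | Format-Table -AutoSize
```

Running it without -CimSession on the 2012 R2 box should show every class present; the same list against the down-level machine shows exactly which modules (SmbShare among them) have nothing to talk to there.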