Sunday, March 30, 2014

PowerShell 005 – Install-ADDSForest

Setting Up a Lab

DCPromo has come a long way in the past 13+ years. Windows Server all up is so incredibly different, more powerful, more intuitive, more manageable. It is simply a great operating system to work with. I have a very specific scenario that I want to talk about here. That is setting up a lab.

There are many ways to do this, and they all have their benefits. I want to start simply: the first machine in the lab, set up as the forest root, your first DC.

The Scenario

This is not simply building a new lab. This is the re-building process that many of us go through every couple of months to get a clear setup to test with. Building the lab manually is a powerful experience especially when you are being introduced to a new OS. In this case I’m running Windows Server 2012 R2. I want to walk through the creation process manually to see if anything noticeable has changed. In this case I have already installed the Active Directory Domain Services Role and now it needs to be configured. This is the DCPromo process we have used for years. The task is initiated from within Server Manager.

After you install the AD DS role you will notice a flag informing you that you now need to ‘promote’ this server to function as a Domain Controller.


Click ‘Promote this server to a domain controller’ and the ‘Deployment Configuration’ Wizard will start.

The purpose of this post is not to walk through the configuration of the domain. In summary you can add a new DC to a domain, add a new domain or create a new forest. I’m going to create a new forest.

After walking through basic configuration (naming your domain, DC options, functional levels, NetBIOS naming, paths to files, etc.), you will come to a page in the wizard called ‘Review Options’. Along the way there are lots of links to additional information. If you are new to AD or new to Windows Server 2012 R2, take the time to read this information. It will save you time in the future.


Notice the ‘View script’ button in the bottom of the dialog. Hmmm… what could that be?


A simple PowerShell script to configure your first DC. You don’t need to, or want to, run the wizard every time you need to rebuild your lab. Simply save this script as a .ps1 file. Save it in a place that you will keep to use every time you build out a new lab.

I am going to cancel the wizard after I save the script. I want to execute this DC Promotion in PowerShell. I like to use the PowerShell ISE for multiple reasons but when working with scripts you have both the scripting windows right along with the console. Makes things very easy.


You can hit F5 or click the green arrow or get into the ‘Debug’ menu for more options. For the quick and dirty I’m just clicking the green arrow. Provide your SafeModeAdministratorPassword and off it goes.


You may get some messages and warnings along the way. PowerShell seems to provide great feedback to help you understand what is going on.


The server will reboot and your DC is set up.
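The saved wizard script can be turned into a reusable rebuild script along these lines. This is an added example, not the script from the original post or the wizard's exact output: the domain name `lab.example.test`, the NetBIOS name `LAB`, the paths and the `Read-DsrmPassword` helper are assumptions for a lab. It prompts for the SafeModeAdministratorPassword at run time so the password never sits in the .ps1 file, and it runs the prerequisite test before promoting.

```powershell
#Requires -RunAsAdministrator
# Added example: reusable promotion script for the first DC of a lab forest.
# All names and paths below are constructed lab values, not from the original post.
Import-Module ADDSDeployment

function Read-DsrmPassword {
    # Hypothetical helper: ask twice and keep the value as a SecureString.
    $first  = Read-Host -Prompt 'DSRM (SafeModeAdministrator) password' -AsSecureString
    $second = Read-Host -Prompt 'Confirm DSRM password' -AsSecureString
    if ($first.Length -eq 0) { throw 'The DSRM password cannot be empty.' }
    if ($first.Length -ne $second.Length) { throw 'The two passwords do not match.' }

    # Decrypt only inside this function, only to compare the two entries.
    $plain = foreach ($s in $first, $second) {
        $cred = New-Object System.Management.Automation.PSCredential -ArgumentList 'dsrm', $s
        $cred.GetNetworkCredential().Password
    }
    if ($plain[0] -cne $plain[1]) { throw 'The two passwords do not match.' }
    return $first
}

# Parameters shared by the prerequisite test and the real promotion (splatted).
$forest = @{
    DomainName                    = 'lab.example.test'   # constructed lab name
    DomainNetbiosName             = 'LAB'                # constructed lab name
    ForestMode                    = 'Win2012R2'
    DomainMode                    = 'Win2012R2'
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = Read-DsrmPassword
}

# Run the same checks the wizard runs on its prerequisites page, without
# changing anything on the server.
$check  = Test-ADDSForestInstallation @forest
$failed = @($check | Where-Object { $_.Status -eq 'Error' })
if ($failed.Count -gt 0) {
    $failed | Format-List Message, Context
    throw 'Prerequisite check failed; the server was not promoted.'
}

# Promote. The server reboots when the promotion completes.
Install-ADDSForest @forest -NoRebootOnCompletion:$false -Force
```

Keep the script itself with your lab notes; the only secret it needs is typed in at run time.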

Save the script, store it. You will find many others. I will explore Desired State Configuration (DSC) in the future to really fully leverage PowerShell to manage deployment and configuration of components across your enterprise. I have a long way to go before I’m ready for that! Just getting my feet wet with DSC at this point.

Enjoy!

Group Policy 001: Intro to the GPMC

Tools


There are multiple tools you use when working with Group Policy. The two primary tools have not changed much since Windows Server 2003 R2. The primary reason is they just work great, do what they are supposed to do and focus on key scenarios. This is a quick overview of the Group Policy Management Console or the GPMC, the first of the two primary tools. A follow-up post will explore the editor or the GPME. 

Group Policy Management Console


The Group Policy Management Console or GPMC is the primary tool for managing Group Policy. This is where you create, link, secure, delegate control, report on, monitor status and more. It is a common tool for network administrators and desktop administrators alike and provides for a lot of scenarios. 

GPMC
In the GPMC you will see all domains and sites defined in your forest. Group Policy is primarily a domain specific technology. Keeping your management within a domain makes things easier but being able to apply policy across the enterprise, regardless of which domain a user or computer happens to be in is a very powerful feature.

The tool itself likes to focus its attention on the domain controller that holds the PDC emulator role. Some of us old people actually had to work with actual PDCs. In tools like GPMC, if you choose to focus the attention on a different Domain Controller in your enterprise, it is an easy change. Simply access the action menu from the Domain you are focused on and choose 'Change Domain Controller...'.

Change DC

Create Group Policy Objects


One important aspect to managing Group Policy is where the data is actually stored. This is important because GP is not the most forgiving of technologies. You want to know where you are placing a GPO and who/what it is affecting. There is a container under the Domain node in the GPMC called "Group Policy Objects". This container is where all GPOs are stored, whether they are 'linked' or not. I like to create my GPOs in this container and manage linking and delegating during my configuration process. To create a GPO:
  1. Right click on the "Group Policy Objects" node and select 'New'
  2. Give the GPO a Name 
  3. Choose to start from scratch or pick a 'Source Starter GPO' (Starter GPOs will have to be another post)
  4. Click OK
New GPO

Select the GPO you created in the list under the 'Group Policy Objects' container. The right hand side of the screen will contain the majority of information you need related to this GPO. The 'Scope' tab shows effectively which users and which computers may be affected by this GPO. I say may simply because there are additional caveats to cover in other posts. It will show which OUs the GPO is linked to, what security groups will be affected by this GPO and even any WMI filters that will more granularly control application of the GPO.

The 'Details' tab shows version information, ownership, versioning and the GUID that references this GPO. This will be very important in other advanced scenarios. 

The 'Settings' tab shows the native Microsoft settings configured in this Group Policy object. The 'Delegation' tab shows which users will have access to this GPO for management purposes.

And the last tab, 'Status', is the newest piece of functionality here and it will show you the replication status of this GPO across other domain controllers.


GPO Details

There is a lot more to cover in the GPMC but for this overview that is a good start. Let's look at editing a Group Policy Object in a follow-up post.

Saturday, March 29, 2014

PowerShell 004 - Copy-VMFile

Working between Host and Guest Virtual Machines

I'm spending my Saturday watching a Virtual Academy session on Hyper-V. I am becoming a big fan of the Microsoft Virtual Academy (http://www.microsoftvirtualacademy.com). This session however is not great. I'm sticking in there optimistic that it will get better. It feels like I am watching a marketing person try to convince the audience how smart they are. I'm sure they are smart, I just want to learn more about Hyper-V. And I don't want to watch you read off of slides. Last critical piece, I promise! Showing a dialog box and talking about each and every button is not a demo! phew...

While listening in I am building up a new lab from scratch. Starting off with a Windows Server 2012 R2 DC. And as typically happens I forget everything I know about Hyper-V networking. I build a lab, get it set up, working great and then forget it for a few months. When it is time to build a new lab I forget it. It is a bit of a mental block for some reason.

But this time I actually learned something cool, interesting and helpful. Believe it or not, it is a PowerShell cmdlet! Who would have thunk it?

Hyper-V in Windows 8.1 and Windows Server 2012 R2 is pretty amazing. Having Hyper-V on the client since Windows 8 has single-handedly changed how I get things done. It's not always simple, but it is accessible and so much better than it used to be.

Copy-VMFile


This is quick. I came across this cmdlet while reading a 'What's New in Hyper-V on Server 2012 R2' type article. I came across the Guest Services piece in Integration Services. A blurb from John Savill on windowsitpro.com mentioned a new cmdlet that I had not seen before.

A quick trip through help;

PS C:\psStuff> Get-Help Copy-VMFile -Full

And I found an easy way to move data from my machine to the VM using Guest Services. As you know -Full provides comprehensive help information as well as examples. This cmdlet only had one example but it was enough for me.

PS C:\psStuff> Copy-VMFile dc1 -SourcePath "c:\psstuff\test.txt" -DestinationPath "C:\From Host" -CreateFullPath -fileSource host

Easy peasy, as my daughters say! So if you are using Internal or Private Switches with Hyper-V to keep your test labs isolated and you want an easy way to move files over to those VMs, well there you go!

Enjoy!

Thursday, March 27, 2014

PowerShell 003 - Get-ADObject

Get-ADObject

There are many reasons to have to quickly search Active Directory for something specific. There are also scripts, tools, examples, and guidance enough to choke on. It can get a bit overwhelming to wade through all of that stuff. One of the long time Active Directory MVPs created a tool called ADFind which is awesome! You can find it on http://www.joeware.net. You can learn ADSI and VBScripting. You can go to http://technet.microsoft.com and search through ScriptCenter for samples and examples. There is some great stuff to be found. 

Of course, I want to do this in PowerShell, specifically. Even in PowerShell there are multiple ways to go about this. Where to start? where to start? Oh yeah...

Get-Help

How do I find all of the AD commands? Get-Help may be able to help; it usually can.

PS c:\> Get-Help *comman*

Get-Command looks promising. First step is to look at the help content for the Get-Command cmdlet. You already know how to get that (Hint "Get-Help Get-Command -Full").

Of course, you can get started by searching for cmdlets, or if you already know where to start, just read the help on that cmdlet. You can use the Get-Command cmdlet to begin narrowing down what you are looking for.

PS C:\> Get-Command -Module *activedi*

This lists all the commands in modules whose names match *activedi*. Want to know how many cmdlets are in the ActiveDirectory module?

PS C:\> Get-Command -Module *activedi* |Measure

There are lots, 135 from my list. I just want the 'get' commands. (We'll come back to the 'Measure' switch later)

PS C:\> Get-Command -Module *activedi* -verb Get

There are only 41 of those. A bit easier to look through. Let's take a look at Get-ADObject.

Time to learn.

PS c:\> Get-Help Get-ADObject -Full

There is a lot to read but it is well worth the time. Play around with the parameters. 

Get-ADObject

The scenario that brought this up today was specific to something that we do at Specops Software. With our Self-Service Password Reset product we store the challenge response data securely in Active Directory. It creates a very thin solution that is super efficient. We have a reporting component to the tool that allows admins to look at how many users are enrolled, how many users you are licensed for and general health and well-being of the system. It is great. But what if you can't or don't want that much high-fidelity? What if you just want a quick look at the system? In this case we wanted to quickly look at a domain and find out how many users have enrolled in the Password Reset environment. We want to do this with the Get-ADObject cmdlet in PowerShell.

So, here is another really helpful tip for working with PowerShell. Run the following.

PS c:\> Show-Command Get-ADObject 

This will open a dialog for the Get-ADObject command.

Each tab in the dialog represents a parameter set. These are all the parameters that work together. More on that later, but to be clear, you can't just choose any parameter or switch to go with any other ones. It is a bit more particular than that.

If a field has an asterisk, that means it is mandatory, so you must fill it in.

For my example I'm just using the -Filter parameter. Enter your filter into the field in the command dialog box and click run. It will write the PowerShell command to the console and execute it. This is a fantastic way to figure out how to use certain cmdlets and ensure you get their syntax down properly.

My filter looked like this 'name -eq "specops-spp-pwdreset"'. When I clicked run it wrote the following to the console window.

PS c:\> Get-ADObject -Filter 'name -eq "Specops-spp-pwdreset"'

It then looked at AD and returned all of the objects it found that met the filter. It wrote all of those objects to the screen. Not what you want I imagine. Now we go back to the 'Measure' switch from earlier. My friend and colleague, Darren shared this one with me. It was new to me and crazy helpful. Simply pipe to the 'Measure' switch and it just returns the number of objects returned by the cmdlet. 

PS c:\> Get-ADObject -Filter 'name -eq "Specops-spp-pwdreset"' |Measure

Great stuff. Yet another quick, repeatable solution to a real problem. There are surely other ways to get to this data but this one worked for us!

Saturday, March 22, 2014

PSV 001 - Get-EventLog - Video

VLOG Entry 001

Trying to supplement some of my blog content with some videos. These are intended to reinforce the posts. They are as much for me as they are for you! I may occasionally create the video first then a blog post, but most likely you will see a quick post that is followed by a video.

Either way I hope you like them. I've really enjoyed PowerShell over the years and lately as I dove in to learn at a much deeper level I realized that it is truly an environment that every systems administrator and software company should embrace.

I will learn along the way, make blunders, do stupid things but all along I will be learning. I will be introducing Specops specific scenarios and solutions as I get to them. But there is a lot of basic PowerShell information to share up front.

Here you go, enjoy the video.


PowerShell 002 - Test-Connection

Another common day-in-the-life type post. We have all been there. If we are systems engineers, developers, hobbyists, tinkerers or the like we find ourselves troubleshooting network issues. And the first thing we do? Anyone? PING. Right? We all head to PING or IPConfig or some basic tool and we ‘PING’ something to begin figuring out why we can’t connect or why our connection is wonky. Yes ‘wonky’ is a real word and completely acceptable.

OK, but wait. PING? Isn’t that a command my Grandfather taught me? That is so old school. I’m modern, cool, wicked smaht (as we say in Boston), there has to be something better than PING. PathPing, Tracert etc. etc. not bad, interesting command line tools but still old-school. I want PowerShell, how can I do this in PowerShell?

Get-Help


I may try to use this as a bit of a theme. Introduce a little bit about the PowerShell help system in every post. It is so very cool and well worth the time. ‘Teach a man to fish’ and all that!

So the goal here is to navigate through and look at issues with your network connection. Open up the PowerShell ISE or Console, your choice (choose ISE) and enter;

PS C:\> get-help network

Hit Enter and you will get a list of far too many options. OK, time to narrow down. How about;

PS C:\> get-help connection

Still too many results. VPNClient stuff, SMBShare stuff, Hyper-V, lots of interesting things but not what I want. Wait, I can use wildcards can’t I! Wildcards are your savior when trying to figure out things in PowerShell. Enter this;

PS C:\> get-help *connect*

The list is still too long but take a look at some of the info in the ‘synopsis’ column. A quick scan and you will see  “…ICMP echo… blah blah” that sounds an awful lot like PING. Let’s check it out. The cmdlet is called Test-Connection. Now go to the source, type the following and read through the output.

PS C:\> Get-Help Test-Connection -Full

Take a look at the -ComputerName parameter. The syntax of the parameter looks like this

-ComputerName <String[]>

The square brackets after String tell you that you can have multiple inputs, separated by a comma so this will work great!

PS C:\> Test-Connection -ComputerName srv1, file01


Test-Connection


One benefit to this cmdlet over PING is that it is machine independent. It can easily work with multiple machines at a time and provide heuristics about connections between two remote hosts. From the Help file you can see all of the available parameters, and since you used the -Full switch some practical examples of how to use the cmdlet are shown at the bottom.

Let’s keep this introduction to Test-Connection simple. We will only cover a few of the parameters, -ComputerName, -Count and -Source.

-ComputerName


This is a positional parameter and it is required. This means you must state what host you wish to test with (I almost said PING <g>), but if you place the computer name immediately after Test-Connection you do not need to specify the parameter name. For a best practice leave it in there. It makes reading PS info much easier later as you begin sharing with colleagues, friends, family and whoever is still listening to you :). These two statements are the same…

PS C:\> Test-Connection -ComputerName srv1
PS C:\> Test-Connection srv1

If you need to test the connection to multiple machines at a time, simply separate the machine names with a comma.

PS C:\> Test-Connection -ComputerName srv1, file01 


-Count


This switch simply tells the cmdlet how many echo requests to send. Similar to PING it defaults to 4 but if you are looking at a connection and need to keep it going as you do something you can crank this up.

PS C:\> Test-Connection -ComputerName srv1 -Count 10


-Source


This one IMO is very powerful. This allows you to sit at your computer and very simply test a connection between two remote systems. Imagine you are troubleshooting an n-tiered app and some performance issues. You can use this to quickly determine ICMP issues or network latency issues between any two nodes in your application design. Quickly finding where a slowness is occurring can help you narrow down where to dig deeper.

PS C:\> Test-Connection -ComputerName srv1, file01 -Count 5 -Source dc1

This cmdlet will PING srv1 and file01 5 times from dc1.

Source Destination IPV4Address    IPV6Address Bytes Time(ms)
------ ----------- -----------    ----------- ----- --------
DC1    file01      192.168.137.1              32    0      
DC1    srv1        192.168.137.11             32    0      
DC1    file01      192.168.137.1              32    0      
DC1    srv1        192.168.137.11             32    0      
DC1    file01      192.168.137.1              32    0      
DC1    srv1        192.168.137.11             32    0      


Look deeper into the help files. If you are into WMI and building really powerful scripts and automation, this cmdlet returns a WMI object called Win32_PingStatus that you can use for some amazing things.

As always, Enjoy!

Wednesday, March 19, 2014

PowerShell 001 - My Favorite cmdlet (Today)

OK, maybe not my favorite, and maybe I need to get out more but the more I learn about PowerShell the more excited I get. It is actually fun, not kidding, it is reminiscent of that feeling I had 30 years ago troubleshooting my first BBS or first code. And also, right now at this moment, I have two favorites. These are subject to change!

Get-Help

After listening to Jeffrey Snover, Microsoft Distinguished Engineer and Godfather of PowerShell, Don Jones, author of ‘PowerShell in a Month of Lunches’, and other PowerShell MVPs, the message is clear: the most important aspect of PowerShell is the help system and you need to learn how to use it. In using the help system and simply playing around, you will easily figure out how to perform tasks simply and more efficiently. So… learn the help system.

Here is a good start. Open the PowerShell Console ‘as administrator’. This is important: run the PowerShell apps (Console or ISE) as Administrator to get the most bang for your buck. Run the following command.

PS c:\> Update-Help

The system begins with no help information. You have to update the help system to get started.

Next choose a command you want to work with. As a segue into the next cmdlet we'll use Get-EventLog. Try the following.

PS c:\> Get-Help Get-EventLog -Full

Make sure to use the -Full switch as it will ensure all of the interesting info is present. Look around, learn the cmdlet, play a bit and see what you find.

What I find is how to solve my problem of the moment, how to troubleshoot issues related to deployment, or pretty much anything else my imagination can come up with.

Get-EventLog

By using the Help system you will begin to better understand PS syntax, positional parameters, mandatory parameters, what can be piped into other cmdlets, what can’t and lots more. When learning the Get-EventLog cmdlet and playing around I began thinking of one of the most basic troubleshooting tasks we perform typically manually.

How often, when troubleshooting, do we open the event viewer to look for issues and hints to what is happening? Often, very often. Then you switch to another machine and look at the event logs over there, in event viewer. Next you go back to the first machine because you can’t remember what you read in the first place… fun times! No more. I’ll share these parameters one at a time to show how powerful this actually is.

-LogName

PS c:\> Get-EventLog -LogName <string>

The -LogName parameter is what is called positional and mandatory, and it takes a string. The string is the name of the Windows Log. You don’t even have to use -LogName as long as you explicitly call out the name of the actual log you are looking for, so in this example I could have written;

PS c:\> Get-EventLog Application

I’m going to leave the -LogName parameter in my examples to make sure they are as explicit as possible.

-ComputerName

Pretty self-explanatory. This allows you to explicitly call out the name of the machine(s) you want to query for their event logs.

PS c:\> Get-EventLog -LogName Application -ComputerName srv1

Now my command will reach across the wire to a machine called srv1 and grab the contents of the Application log! Awesome!

-Newest

OK, so no one wants to grab the entire contents of the windows log and output that to a screen. It is way too noisy. The -Newest parameter allows you to specify how many of the most recent events you want to grab.

PS c:\> Get-EventLog -LogName Application -ComputerName srv1 -Newest 20

I know, the line is getting longer but look how intuitive this is. Amazing.

-Source

Source essentially specifies where the events actually come from. So in my environment I want to see if anything interesting is happening wrt Specops Product. Srv1 is my Specops Deploy Server in this case.

PS c:\> Get-EventLog -LogName Application -ComputerName srv1 -Newest 20 -Source *Spec*Depl*

Did I forget to tell you the -Source parameter (and -Message and others) take Wildcards? What? That is amazing! Why yes it is. So when I run this command I don’t leave my desk, I grab all pertinent events from the remote system on the fly to help troubleshoot and get to know my environment. That above command may wrap by the way… but you get it.

Here is the console output.
get-eventlog
Console Output Get-EventLog
Play around with this. Use Get-Help, learn the syntax. It is fun and has a huge impact on how much time you spend on repetitive tasks. And it is so much more intuitive than VBScript or Kix or any other attempt at providing a shell or automation to Windows. There is so much more you can do, pipe results to a file or a web page!, run against multiple machines at a time, format the output, only output errors, or warnings, endless possibilities.
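The ideas listed above (several machines at once, errors and warnings only, output to a file or a web page) combined into one script. This is an added example, not from the original post: the computer names reuse srv1 and file01 from these posts, and the output folder and file names are assumptions.

```powershell
# Added example: collect recent Application log errors and warnings from
# several machines and write them to a CSV file and an HTML page.
$computers = 'srv1', 'file01'              # lab machine names used in these posts
$outDir    = 'C:\psStuff\EventReports'     # assumed output folder

if (-not (Test-Path -Path $outDir)) {
    New-Item -ItemType Directory -Path $outDir | Out-Null
}

# Query one machine at a time so that an unreachable host, or a host with no
# matching entries, produces a warning instead of stopping the whole run.
$events = foreach ($computer in $computers) {
    try {
        Get-EventLog -LogName Application -ComputerName $computer `
                     -EntryType Error, Warning -Newest 20 -ErrorAction Stop |
            Select-Object MachineName, TimeGenerated, EntryType, Source, EventID, Message
    }
    catch {
        Write-Warning "Application log on ${computer}: $($_.Exception.Message)"
    }
}

# Newest first, across all machines.
$sorted = @($events | Sort-Object -Property TimeGenerated -Descending)

if ($sorted.Count -eq 0) {
    Write-Warning 'No matching events were collected; nothing written.'
    return
}

# To a file ...
$sorted | Export-Csv -Path (Join-Path $outDir 'application-events.csv') -NoTypeInformation

# ... and to a web page.
$sorted |
    ConvertTo-Html -Title 'Application log: errors and warnings' `
                   -PreContent "<h1>Collected $(Get-Date -Format s)</h1>" |
    Set-Content -Path (Join-Path $outDir 'application-events.html')

# Quick console summary: which source on which machine is the noisiest.
$sorted |
    Group-Object -Property MachineName, Source |
    Sort-Object -Property Count -Descending |
    Format-Table -Property Count, Name -AutoSize
```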
Enjoy Playing!