There is a special type of WMI class called "association class". This type of class binds two normal, related classes together. A typical example is association class for NIC-related classes. For each NIC in a system, there are two WMI classes for it: Win32_NetworkAdapter & Win32_NetworkAdapterConfiguration. The former mainly includes NIC hardware info, such as speed, MAC, media connection status, etc; the later mainly includes configuration info on a NIC, such as IP, DHCP, DNS, etc. More than often, you need to obtain info from both classes, and that's where association class comes to help.
Still using NIC as our example, windows defines an association class called Win32_NetworkAdapterSetting, through which you can access info from both above-mentioned classes. An association class include two members, one called element, the other called setting. Not surprisingly, element links to a Win32_NetworkAdapter object (because it is the element) and setting links to a Win32_NetworkAdapterConfiguration object (because it is the setting stuff). Below is how you use it:
$ac = Get-WmiObject -Class win32_NetworkAdapterSetting #gets all NIC info
$connectedAdapters = $ac | where {([wmi]$_.element).netConnectionStatus -eq 2}
$connectedAdapters | foreach {([wmi]$_.setting)|select caption, dhcpEnabled,IPaddress,dnsServerSearchOrder }
Search This Blog
Apr 3, 2012
Mar 8, 2012
[Powershell] Try-Catch fails to catch an exception?
I was running a script that does WMI query and found that my try-catch-final statement seemed not working. The exception was still shown on console instead of handled by my catch block.
It turns out that exceptions are categorized into two groups, terminating exceptions and non-terminating exceptions. By default, try-catch intercepts only terminating exceptions. No surprisingly, get-WMIobject exceptions are non-terminating exceptions.
There are two ways to make it work. One is to make all exception terminating by below assignment:
$ErrorActionPreference = "Stop"; #Make all errors terminating
Remember to reset the preference at the end of your script as this is global.
$ErrorActionPreference = "Continue"
Or right after get-WMIobject statement, check the value of $?
if ($?){
#processing block
}
else {
throw $error[0].exception
}
It turns out that exceptions are categorized into two groups, terminating exceptions and non-terminating exceptions. By default, try-catch intercepts only terminating exceptions. No surprisingly, get-WMIobject exceptions are non-terminating exceptions.
There are two ways to make it work. One is to make all exception terminating by below assignment:
$ErrorActionPreference = "Stop"; #Make all errors terminating
Remember to reset the preference at the end of your script as this is global.
$ErrorActionPreference = "Continue"
Or right after get-WMIobject statement, check the value of $?
if ($?){
#processing block
}
else {
throw $error[0].exception
}
Retrieving Terminal Server Configuration Settings Using Powershell
It was quite easy for Windows 2003 TS servers with Win32_TerminalServiceSetting WMI class, there are tons of documents on the Net. It took me some time, however, to find out that MS change the class considerably for Windows 2008.
It's now under a different name space root\cimv2\TerminalServices. It also requires you to specify an authentication flavour before you can gain access.
In short, you get info with below commands (w2k3 and w2k8 respectively):
gwmi Win32_TerminalServiceSetting -computername -namespace root/cimv2/TerminalServices -authentication 6
or
gwmi Win32_TerminalServiceSetting -computername [-namespace root/cimv2]
It's now under a different name space root\cimv2\TerminalServices. It also requires you to specify an authentication flavour before you can gain access.
In short, you get info with below commands (w2k3 and w2k8 respectively):
gwmi Win32_TerminalServiceSetting -computername
or
gwmi Win32_TerminalServiceSetting -computername
Feb 23, 2012
Enable LDAP over SSL Using Certificate Generated From A Different Machine
The procedure is pretty simple and well documented in KB 321051, so there is nothing special here. However the tricky part is you have to submit the request from the same DC in order to make LDAPS work because this way ensures you have the private key for the certificate.
In some cases, it could take quite a while to obtain a certificate so you want to submit the request way ahead of time - so long ahead of time that you may not have the hardware yet at the time you have to send the request.
A workaround is to submit the request from another machine - any other machine as long as you make the request right. Once you get the certifiate, install it on the requesting machine, then export it with private key, finally import onto your new DC.
In some cases, it could take quite a while to obtain a certificate so you want to submit the request way ahead of time - so long ahead of time that you may not have the hardware yet at the time you have to send the request.
A workaround is to submit the request from another machine - any other machine as long as you make the request right. Once you get the certifiate, install it on the requesting machine, then export it with private key, finally import onto your new DC.
Jan 22, 2012
Attempt to remove glue record on delegated zone crashes DNS console
- Windows 2008 R2
- 2 domains, parent-child
- 2 DNS zones respectively. Child zone delegated from parent zone
- Connect to parent DNS server, wrong IP listed for a name server in delegated zone properties window
- When try to remove or edit it, after confirmation, the MMC freezes
There are a few other people had same issue, seems to be a bug as far as I see it.
Resolution:
- ADSIedit, connect to parent DNS server
- Drill down to the delegated zone node
- In right hand pane, find the name server in question, remove the wrong IP from "dnsRecord(?)" attribute (you have to change the view to be "decimal" to see which entry is the wrong IP.
Update Nov 20, 2012:
Never mind the above, I found a hotfix http://support.microsoft.com/kb/2581690 that is exactly for this bug. This KB was published in 2011, I wonder why I didn't find it earlier - I consider myself an expert finding KBs :-). Not to mention why the Microsoft engineer I worked with didn't find this either.
- 2 domains, parent-child
- 2 DNS zones respectively. Child zone delegated from parent zone
- Connect to parent DNS server, wrong IP listed for a name server in delegated zone properties window
- When try to remove or edit it, after confirmation, the MMC freezes
There are a few other people had same issue, seems to be a bug as far as I see it.
Resolution:
- ADSIedit, connect to parent DNS server
- Drill down to the delegated zone node
- In right hand pane, find the name server in question, remove the wrong IP from "dnsRecord(?)" attribute (you have to change the view to be "decimal" to see which entry is the wrong IP.
Update Nov 20, 2012:
Never mind the above, I found a hotfix http://support.microsoft.com/kb/2581690 that is exactly for this bug. This KB was published in 2011, I wonder why I didn't find it earlier - I consider myself an expert finding KBs :-). Not to mention why the Microsoft engineer I worked with didn't find this either.
Dec 19, 2011
Largest Delta? What is it?
[
Short version: typically you don't have to pay attention to this stat. As long as number of "fails" is zero, AD replication is healthy.
Note: When you have replication fails and subsequently remedy the problem, the number of "fails" in "replsummary" report is not going to change to zeros right away. The report of this command is a snapshot of history, so it takes a bit time for all fails to disappear.
]
Repadmin /replsummary result is simple, but yet somewhat confusing. A few notes:
Short version: typically you don't have to pay attention to this stat. As long as number of "fails" is zero, AD replication is healthy.
Note: When you have replication fails and subsequently remedy the problem, the number of "fails" in "replsummary" report is not going to change to zeros right away. The report of this command is a snapshot of history, so it takes a bit time for all fails to disappear.
]
Repadmin /replsummary result is simple, but yet somewhat confusing. A few notes:
- If you don't specify /bysrc or /bydest, it will list status for both directions. You want to pay attention to Destination DSA as AD replication is pull-based.
- Most critical column is "fails". If there is no fails, obviously you don't have much to worry about
- Most confusing column is "largest delta". It's common misunderstanding (on the Net at least) that value in this column should be less then 1hr. However, depending on how large your AD environment is, and how frequent changes happen in a particular Naming Context, value in this column could be very large (days)
- Microsoft's official interpretation for "largest delta": longest replication gap amongst all replication links for a particular DC", which is not really helpful. I personally had hard time to understand this interpretation itself.
- This value is for the particular DC, among all its replication partners, the longest time that it hasn't replicated anything against whatever NC. This value has to be read together with /showrepl command against that DC.
Nov 1, 2011
How to troubleshoot account lockout issue
[Note] Event ID applicable to Windows 2003 DC only, but it shouldn't be too difficult to find related W2k8 event IDs.
[Edit Feb 14/2012] Full list of audit events in windows 2008 can be downloaded here, also KB947226
Please read the differences between "Account Logon/logoff" event and "Logon/Logoff" event first.
- First, using lockoutstatus to find out initial authenticating DC (more than often PDC is not the initial authenticating DC. It has same event IDs mentioned below merely because other DCs check with PDC for latest password.) and time of logon attempt
[Edit Feb 14/2012] Full list of audit events in windows 2008 can be downloaded here, also KB947226
Please read the differences between "Account Logon/logoff" event and "Logon/Logoff" event first.
- First, using lockoutstatus to find out initial authenticating DC (more than often PDC is not the initial authenticating DC. It has same event IDs mentioned below merely because other DCs check with PDC for latest password.) and time of logon attempt
- Then go to authenticating DC, check security log. Pin-point the log entry using time identified by lockoutstatus
- We are looking for: event ID 675 (4771 in w2k8?), the client IP is the offending machine that sent bad pwds
- Failure code in event ID 675(This is corresponding kerberos error code, full list here) - 0x18: original wrong password
- 0x12: this will be logged after the fact that account has already been locked
- 2 being interactive
- 3 network
- 5 service
- 10 Remote interactive
Oct 26, 2011
Oct 18, 2011
Time service commands
Determine current time source
Config a manual time source
w32tm /query /source
w32tm /config /manualpeerlist:peers /syncfromflags:manual /update
Replace "peers" with a list of time servers, delimited by space, enclosed with double quotes.
Ignore KBs that manually set registry entries
w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update
What you should specify in [peers] value: worth reading:
Detect time difference
w32tm /stripchart /computer:TimeServerName /samples:n /dataonly
Set server to use domain hierarchy
w32tm /config /syncfromflags:domhier /update
After change time settings, it's normally required to restart time service
Note: If there is time difference, it takes time for the system to bring the delta down slowly depending on how much correction can be made in one step. The change is gradual.
[Addition, Jun 13, 2012] When workstations and member servers have trouble synchronizing time with domain, you should check the hierarchy all the way up to forest PDC. I was seeing "The computer did not resync because no time data was available." error, plus time source being "Local CMOS" or "free running OS" etc., in child domain, but the root cause turned out to be forest root PDC wasn't working properly.
[Addition, Jun 13, 2012] When workstations and member servers have trouble synchronizing time with domain, you should check the hierarchy all the way up to forest PDC. I was seeing "The computer did not resync because no time data was available." error, plus time source being "Local CMOS" or "free running OS" etc., in child domain, but the root cause turned out to be forest root PDC wasn't working properly.
Oct 5, 2011
Token Size vs. Paged Pool - draft
This is mostly a complete copy from microsoft.com
When users access a resource using Windows authentication and authorization (for example logging on to a workstation or accessing a file share), an “access token” is built to represent that user.
The number of SIDs (representing group membership, etc) in that token largely determines how much kernel memory space (Paged Pool) is required to store each copy of the token.
These allocations follow a “stair-step” pattern, as follows:
At approximately 84 SIDs, allocation jumps from 4KB to 8KB.
At approximately 177 SIDs, allocation jumps from 8KB to 12KB.
At approximately 270 SIDs, allocation jumps from 12KB to 16KB.
At approximately 363 SIDs, allocation jumps from 16KB to 20KB and so on.
When users access a resource using Windows authentication and authorization (for example logging on to a workstation or accessing a file share), an “access token” is built to represent that user.
The number of SIDs (representing group membership, etc) in that token largely determines how much kernel memory space (Paged Pool) is required to store each copy of the token.
These allocations follow a “stair-step” pattern, as follows:
At approximately 84 SIDs, allocation jumps from 4KB to 8KB.
At approximately 177 SIDs, allocation jumps from 8KB to 12KB.
At approximately 270 SIDs, allocation jumps from 12KB to 16KB.
At approximately 363 SIDs, allocation jumps from 16KB to 20KB and so on.
Sep 21, 2011
Programer's Font On Windows 7
I've been looking for a font on Windows 7 that's good for scripting. The two main requirements are:
- It has to be fixed width (monospace) (of course!);
- It can easily let you tell the difference between a 0 (zero) and an O (as in Oops!)
Jul 18, 2011
2011 Microsoft Scripting Game - Advanced Leader Board
I was recently in the Scripting Guy 2011 game advanced group and placed 32nd overall. Not too bad :-) considering I didn't have enough time to finish all scripts (I've done 8 out of 10), neither did I have time to polish my scripts which costed quite a few points :-(. Nevertheless it's a great experience. I learned a lot new PowerShell techniques along the way!
2011 Advanced Group Final Leader Board
2011 Advanced Group Final Leader Board
Apr 20, 2011
Using System Namespace In Powershell
There are many cool pre-defined constants, functions, methods, and etc. in System object. One would normally learn individual ones through sample scripts, but really should browse the MSDN page to explore what System namespace has to offer. Go to a class/structure/enumeration that you are interested, then pay special attention to those static members.
A few examples:
[System.DateTime]::Today versus [System.DateTime]::Now
[System.String]::Empty
[System.Console]:: almost everything are static, not surprisingly
[System.Math]::PI
There are also a bunch of other namespaces, please see .Net Framework Libraries
A few examples:
[System.DateTime]::Today versus [System.DateTime]::Now
[System.String]::Empty
[System.Console]:: almost everything are static, not surprisingly
[System.Math]::PI
There are also a bunch of other namespaces, please see .Net Framework Libraries
Dec 14, 2010
Local Admin Account vs. account lockout
You can't really lock out an admin account - as long as you type in the correct password on *local console*, the system will unlock it automatically. This makes sense - legit users need a way to get into the system when all other credentials are failing - completely locking out all users surely won't make happy customers.
However this increases the risk of being cracked by brutalforce method. For companies who want to maximize the security and are willing to pay the cost of losing acceess due to lost passswords, there is a way to put admins under same lockout policy as ordinary users. MS has an old tool called passprop.exe that can enforce lockout policy, even against admins.
passprop /adminlockout
This is no longer needed in Windows 2008. There are pre-define security polices in Windows 2008 will do the same.
However this increases the risk of being cracked by brutalforce method. For companies who want to maximize the security and are willing to pay the cost of losing acceess due to lost passswords, there is a way to put admins under same lockout policy as ordinary users. MS has an old tool called passprop.exe that can enforce lockout policy, even against admins.
passprop /adminlockout
This is no longer needed in Windows 2008. There are pre-define security polices in Windows 2008 will do the same.
LDAP search can't find secondary email addresses
You can search primary address using filter like (mail=JohnDoe@foo.com), but similar filter (proxyAddresses=johnDoe@foo.com) won't return anything. This is because attribute "proxyAddresses" holds not only smtp addresses, but also other types, e.g. RightFax, X.25, as well. To search secondary smtp addresses, you need to define a filter like this
(proxyAddresses=smtp:johnDoe@foo.com)
(proxyAddresses=smtp:johnDoe@foo.com)
Subscribe to:
Posts (Atom)