[Powershell] Try-Catch fails to catch an exception?

I was running a script that does WMI query and found that my try-catch-final statement seemed not working. The exception was still shown on console instead of handled by my catch block.

It turns out that exceptions are categorized into two groups, terminating exceptions and non-terminating exceptions. By default, try-catch intercepts only terminating exceptions. No surprisingly, get-WMIobject exceptions are non-terminating exceptions.

There are two ways to make it work. One is to make all exception terminating by below assignment:

$ErrorActionPreference = "Stop"; #Make all errors terminating


Remember to reset the preference at the end of your script as this is global.


$ErrorActionPreference = "Continue"


Or right after get-WMIobject statement, check the value of $?


if ($?){ 
        #processing block
}
else {
       throw $error[0].exception
}

Retrieving Terminal Server Configuration Settings Using Powershell

It was quite easy for Windows 2003 TS servers with Win32_TerminalServiceSetting WMI class, there are tons of documents on the Net. It took me some time, however, to find out that MS change the class considerably for Windows 2008.

It's now under a different name space root\cimv2\TerminalServices. It also requires you to specify an authentication flavour before you can gain access.

In short, you get info with below commands (w2k3 and w2k8 respectively):

gwmi Win32_TerminalServiceSetting -computername -namespace root/cimv2/TerminalServices -authentication 6

or

gwmi Win32_TerminalServiceSetting -computername [-namespace root/cimv2]

Enable LDAP over SSL Using Certificate Generated From A Different Machine

The procedure is pretty simple and well documented in KB 321051, so there is nothing special here. However the tricky part is you have to submit the request from the same DC in order to make LDAPS work because this way ensures you have the private key for the certificate.

In some cases, it could take quite a while to obtain a certificate so you want to submit the request way ahead of time - so long ahead of time that you may not have the hardware yet at the time you have to send the request.

A workaround is to submit the request from another machine - any other machine as long as you make the request right. Once you get the certifiate, install it on the requesting machine, then export it with private key, finally import onto your new DC.

Attempt to remove glue record on delegated zone crashes DNS console

- Windows 2008 R2
- 2 domains, parent-child
- 2 DNS zones respectively. Child zone delegated from parent zone
- Connect to parent DNS server, wrong IP listed for a name server in delegated zone properties window
- When try to remove or edit it, after confirmation, the MMC freezes

There are a few other people had same issue, seems to be a bug as far as I see it.

Resolution:
- ADSIedit, connect to parent DNS server
- Drill down to the delegated zone node
- In right hand pane, find the name server in question, remove the wrong IP from "dnsRecord(?)" attribute (you have to change the view to be "decimal" to see which entry is the wrong IP.

Update Nov 20, 2012:
Never mind the above, I found a hotfix http://support.microsoft.com/kb/2581690 that is exactly for this bug. This KB was published in 2011, I wonder why I didn't find it earlier - I consider myself an expert finding KBs :-). Not to mention why the Microsoft engineer I worked with didn't find this either.

Largest Delta? What is it?

[
Short version: typically you don't have to pay attention to this stat. As long as number of "fails" is zero, AD replication is healthy.
Note: When you have replication fails and subsequently remedy the problem, the number of "fails" in "replsummary" report is not going to change to zeros right away. The report of this command is a snapshot of history, so it takes a bit time for all fails to disappear.
]

Repadmin /replsummary result is simple, but yet somewhat confusing. A few notes:

• If you don't specify /bysrc or /bydest, it will list status for both directions. You want to pay attention to Destination DSA as AD replication is pull-based.
• Most critical column is "fails". If there is no fails, obviously you don't have much to worry about
• Most confusing column is "largest delta". It's common misunderstanding (on the Net at least) that value in this column should be less then 1hr. However, depending on how large your AD environment is, and how frequent changes happen in a particular Naming Context, value in this column could be very large (days)
• Microsoft's official interpretation for "largest delta": longest replication gap amongst all replication links for a particular DC", which is not really helpful. I personally had hard time to understand this interpretation itself.
• This value is for the particular DC, among all its replication partners, the longest time that it hasn't replicated anything against whatever NC. This value has to be read together with /showrepl command against that DC.

Read on for example:

How to troubleshoot account lockout issue

[Note] Event ID applicable to Windows 2003 DC only, but it shouldn't be too difficult to find related W2k8 event IDs.
[Edit Feb 14/2012] Full list of audit events in windows 2008 can be downloaded here, also KB947226
Please read the differences between "Account Logon/logoff" event and "Logon/Logoff" event first.

- First, using lockoutstatus to find out initial authenticating DC (more than often PDC is not the initial authenticating DC. It has same event IDs mentioned below merely because other DCs check with PDC for latest password.) and time of logon attempt

- Then go to authenticating DC, check security log. Pin-point the log entry using time identified by lockoutstatus

- We are looking for: event ID 675 (4771 in w2k8?), the client IP is the offending machine that sent bad pwds

- Failure code in event ID 675(This is corresponding kerberos error code, full list here)

• 0x18: original wrong password
• 0x12: this will be logged after the fact that account has already been locked

- Logon type in event ID 675 ( full list here)

• 2 being interactive
• 3 network
• 5 service
• 10 Remote interactive

Powershell: Predefined Variables

Also called Automatic Variables.

Get-help about_automatic_variable

Time service commands

Determine current time source

w32tm /query /source

Config a manual time source

w32tm /config /manualpeerlist:peers /syncfromflags:manual /update 

Replace "peers" with a list of time servers, delimited by space, enclosed with double quotes.
Ignore KBs that manually set registry entries

Config a manual time source as the top time source in forest

w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update

What you should specify in [peers] value: worth reading:

http://support.microsoft.com/kb/875424

Detect time difference

w32tm /stripchart /computer:TimeServerName /samples:n /dataonly

Set server to use domain hierarchy

w32tm /config /syncfromflags:domhier /update

After change time settings, it's normally required to restart time service

Note: If there is time difference, it takes time for the  system to bring the delta down slowly depending on how much correction can be made in one step. The change is gradual.


[Addition， Jun 13, 2012] When workstations and member servers have trouble synchronizing time with domain, you should check the hierarchy all the way up to forest PDC. I was seeing "The computer did not resync because no time data was available." error, plus time source being "Local CMOS" or "free running OS" etc., in child domain, but the root cause turned out to be forest root PDC wasn't working properly.

Token Size vs. Paged Pool - draft

This is mostly a complete copy from microsoft.com

When users access a resource using Windows authentication and authorization (for example logging on to a workstation or accessing a file share), an “access token” is built to represent that user.
      The number of SIDs (representing group membership, etc) in that token largely determines how much kernel memory space (Paged Pool) is required to store each copy of the token.
      These allocations follow a “stair-step” pattern, as follows:
      At approximately 84 SIDs, allocation jumps from 4KB to 8KB.
      At approximately 177 SIDs, allocation jumps from 8KB to 12KB.
      At approximately 270 SIDs, allocation jumps from 12KB to 16KB.
      At approximately 363 SIDs, allocation jumps from 16KB to 20KB and so on.

Programer's Font On Windows 7

I've been looking for a font on Windows 7 that's good for scripting. The two main requirements are:

1. It has to be fixed width (monospace) (of course!);
2. It can easily let you tell the difference between a 0 (zero) and an O (as in Oops!)

There are a lot nice fonts but filtered by above two criteria and native to Windows 7, it comes down to Consolas.

2011 Microsoft Scripting Game - Advanced Leader Board

I was recently in the Scripting Guy 2011 game advanced group and placed 32nd overall. Not too bad :-) considering I didn't have enough time to finish all scripts (I've done 8 out of 10), neither did I have time to polish my scripts which costed quite a few points :-(. Nevertheless it's a great experience. I learned a lot new PowerShell techniques along the way!

2011 Advanced Group Final Leader Board

Using System Namespace In Powershell

There are many cool pre-defined constants, functions, methods, and etc. in System object. One would normally learn individual ones through sample scripts, but really should browse the MSDN page to explore what System namespace has to offer. Go to a class/structure/enumeration that you are interested, then pay special attention to those static members.

A few examples:

[System.DateTime]::Today  versus [System.DateTime]::Now
[System.String]::Empty
[System.Console]:: almost everything are static, not surprisingly
[System.Math]::PI

There are also a bunch of other namespaces, please see .Net Framework Libraries

Local Admin Account vs. account lockout

You can't really lock out an admin account - as long as you type in the correct password on *local console*, the system will unlock it automatically. This makes sense - legit users need a way to get into the system when all other credentials are failing - completely locking out all users surely won't make happy customers.

However this increases the risk of being cracked by brutalforce method. For companies who want to maximize the security and are willing to pay the cost of losing acceess due to lost passswords, there is a way to put admins under same lockout policy as ordinary users. MS has an old tool called passprop.exe that can enforce lockout policy, even against admins.

        passprop /adminlockout

This is no longer needed in Windows 2008. There are pre-define security polices in Windows 2008 will do the same.

LDAP search can't find secondary email addresses

You can search primary address using filter like (mail=JohnDoe@foo.com), but similar filter (proxyAddresses=johnDoe@foo.com) won't return anything. This is because attribute "proxyAddresses" holds not only smtp addresses, but also other types, e.g. RightFax, X.25, as well. To search secondary smtp addresses, you need to define a filter like this

(proxyAddresses=smtp:johnDoe@foo.com)

Java JDNI Authentication Against AD

Keep in mind that some of the mechanisms require the user's password stored in reversible format and password be reset.

JNDI, Active Directory and Authentication (Part 1) (Kerberos)
http://forum.java.sun.com/thread.jspa?threadID=579829&tstart=300

JNDI, Active Directory & Authentication (part 2) (SSL)
http://forum.java.sun.com/thread.jspa?threadID=581425&tstart=50

How LDAP Error Codes Map to JNDI Exceptions

LDAP Status Code Meaning Exception or Action
0 Success Report success.
1 Operations error NamingException
2 Protocol error CommunicationException
3 Time limit exceeded. TimeLimitExceededException
4 Size limit exceeded. SizeLimitExceededException
5 Compared false. Used by DirContext.search(). Does not generate an exception.
6 Compared true. Used by DirContext.search(). Does not generate an exception.
7 Authentication method not supported. AuthenticationNotSupportedException
8 Strong authentication required. AuthenticationNotSupportedException
9 Partial results being returned. If the environment property "java.naming.referral" is set to "ignore" or the contents of the error do not contain a referral, throw a PartialResultException. Otherwise, use contents to build a referral.

What Certificate Authorities You (Are Forced to )Trust and Why

In our real life, any identity issuing agency gets their power from government that people elected. You can't just claim you can/want to issue identity certificates because nobody is going to trust what you issue.

Then why the heck that there are so many "trusted" root CAs in our operating systems that we didn't endorse? In other words we are forced to trust some companies that we didn't elect. How did those CAs get their "trusted" status?

The answer is that it's Microsoft who decides what CAs it wants to add into its Windows trusted list. They have a program called "Microsoft Root Certificate Program". As long as you meet MS' requirements, you can apply and (hopefully) get the same status as big guys as VeriSign, Thawte, etc.

Not surprisingly, you can expect that other main stream OSes/browsers have same kind of programs.

Some may argue that why should Microsoft make the choice on their behalf. Well, if you decided to use Windows, you, intentionally or unintentionally, decide to trust whatever Microsoft put on the system anyway, don't you? We can only trust that Microsoft's verification program will do their job.

Want to know who is in the list being trusted? Please see KB931125

Access denied when open a network drive

When openning a network drive, what is the difference between double clicking the driver letter versus typing the letter in address bar then enter? No really you would think.

I was troubleshooting a ticket where a user got "Access Denied" by double clicking in the meantime using address bar worked just fine. Needless to say, permissions are all correct on the netwokr share. It's just how you access it. The issue follows the user so I looked up and down in the user's properties in AD and group policies but failed to find anything.

It turned out it was caused by a little file, autorun.inf, under the root of that network drive. By double clicking the system tried to run it and it required something that this user didn't have permission to. Removing the file resolved the issue!

AD limitations and scalability

This topic describes Active Directory scalability and other limitations, as well as recommendations that apply when you are designing or implementing an Active Directory infrastructure. These limitations include the following:


Maximum Number of Objects
Maximum Number of Security Identifiers
Maximum Number of entries in Discretionary and Security Access Control Lists
Group Memberships for Security Principals
FQDN Length Limitations
File Name and Path Length Limitations
Additional Name Length Limitations
Maximum Number of GPOs Applied
Trust Limitations
Maximum Number of Accounts per LDAP Transaction
Recommended Maximum Number of Users in a Group
Recommended Maximum Number of Domains in a Forest
Recommended Maximum Number of Domain Controllers in a Domain
Recommended Maximum Kerberos Settings
Maximum Number of Objects

MIT Kerberos 5 FAQ

Account lockout-related event logs

Event ID
Description
528
A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below.
529
Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.
530
Logon failure. A logon attempt was made, but the user account tried to log on outside of the allowed time.

I am now Windows 2008 certified!

Passed 70-649 two weeks ago, which gave me three certificates:

MCTS: Active Directory
MCTS: Network
MCTS: Application Infrastructure

Two more exams to get my MCITP: Enterprise Admin

Update (Jun 12): Passed 70-747. One more exam (70-680) to get my MCITP:Enterprise Admin
Update (Sep 23): Passed 70-680. Now I am MCITP: Enterprise Admin!

Suggested Thresholds for Essential Counters

This is excerpted from an MS article for w2k resource kit. Most of the numbers should still be applicable to newer version of OSes.

Resource
Object/Counter
Threshold
Comments

Disk
PhysicalDisk\% Disk Time
90%

Disk
PhysicalDisk\ Disk Reads/sec, PhysicalDisk\Disk
Depends on manufacturer's specifications
Check the disk's specified transfer rate to verify that the logged rate doesn't exceed specifications.(1)

Account Logon vs. Logon/Logoff events in security log

Ever confused by the "Account Logon" events and "Logon/Logoff" events in your Security Log? Read on.

[Edit: Dec 19, 2011]: This is applicable to Windows 2003. In Windows 2008, "account logon" is changed to "credential validation" to better reflect what it really is.
****************************************
This is a complete copy/paste from MSDN.
****************************************

One of the most common questions that I get about Windows Auditing is, how come you guys were so @#%! stupid that you put in two logon categories?

The answer is actually pretty simple- we're bad at choosing names. "Account Logon" isn't really about logon, it's about credential validation.

Here's the low down on what is the difference between Logon/Logoff and Account Logon events, and how to decipher Account Logon events.

Backup and restore TCP/IP stack config using command line

netsh -c interface dump > ipconfig.txt
netsh -f ipconfig.txt

Windows 2008 Self-Learning Notes #1