jfrmilner's Tech Blog

jfrmilner Blog statistics for 2011

jfrmilner — Sun, 01 Jan 2012 11:43:04 +0000

The WordPress.com stats helper monkeys prepared a 2011 annual report for this blog.

Here’s an excerpt:

A New York City subway train holds 1,200 people. This blog was viewed about 5,800 times in 2011. If it were a NYC subway train, it would take about 5 trips to carry that many people.

Click here to see the complete report.

Reformatting Telephone numbers to the E.164 format with PowerShell

jfrmilner — Wed, 28 Sep 2011 17:28:38 +0000

This month we have a new Avaya phone system being implemented for one of my customers and one of the prerequisites to get full functionality is to have all telephone numbers in the popular E.164 format. This would be a pretty simple task if the data was in a consistent format but unfortunately this was not the case, let’s take a look at the state of the data*:

*For security reasons I have recreated the data in my test lab with random names, area codes and telephone numbers etc.

First I will store a collection of Users in a variable named $users, throughout this post I will use the Quest AD cmdlets. This is mainly because they are backwards compatible with 2003 based domains but if you are lucky enough to be 2008 you should be able to convert the commands to Microsoft’s AD Module with little effort.

$users = Get-QADUser -Description "E164 Sample Accounts"

And now display just the name and telephoneNumber properties:

$users | Select-Object Name, telephoneNumber | Format-Table -AutoSize

Name              telephoneNumber
----              ---------------
Georgina.Stewart  554861
Georgina.Stewart1 01234 12 34 56 (only call on Tues)
Eden.Morris       01234-55(4487)
Sarah.Patel       559642
Marley.Adams      550998
Mya.Lewis         (01234) 127075
Sophia.Baker      (55)2912
Filip.Rogers      (55)8996
Noah.Mason        (Part Time)-(01234) 897740
Isabel.Webb       (01234) 036428
Steven.Matthews   (01234) 957823
Courtney.Walker   (01234) 679860
Rayyan.Mitchell   07123 530656
Mary.Graham       07123  822057
Maisy.Barnes      07123 364461
Arabella.Thompson +441234844048
Macy.Adams
Grace.Robinson    (01234) 538794
Summer.Stevens    Call me before 11AM 550997
Frederick.Taylor  01234588239

As you can see we have quite a mix bag here. One of the first things to notice is that the telephoneNumber property has not been strictly used for just numbers and as such it is difficult to see any format patterns, let’s strip all non-digit characters away and take another look:

$users | Select-Object Name, @{name="telephoneNumberDigitsOnly";expression={$_.telephoneNumber -replace "\D"}} | Format-Table –AutoSize

The above line uses a replace with a single argument so this is effectively a remove. The replace uses a regular expression of Non-Digit contained within a calculated property.

Name              telephoneNumberDigitsOnly
----              -------------------------
Georgina.Stewart  554861
Georgina.Stewart1 01234123456
Eden.Morris       01234554487
Sarah.Patel       559642
Marley.Adams      550998
Mya.Lewis         01234127075
Sophia.Baker      552912
Filip.Rogers      558996
Noah.Mason        01234897740
Isabel.Webb       01234036428
Steven.Matthews   01234957823
Courtney.Walker   01234679860
Rayyan.Mitchell   07123530656
Mary.Graham       07123822057
Maisy.Barnes      07123364461
Arabella.Thompson 441234844048
Macy.Adams
Grace.Robinson    01234538794
Summer.Stevens    11550997
Frederick.Taylor  01234588239

Now that looks better with the exception of Summer.Stevens, it’s expected that some accounts will need manual effort so I will need to filter for those as well. We can see from the above table that there are two common number formats (1,2), blanks (3), numbers already in E.164 format and finally we’ll need a catch all(5) for everything else:

Starting with “55” followed by four numbers
Starting with “01 or 07” followed by nine numbers
Blank/Null values
E.164 formatted numbers (No change required)
Neither of the above formats, for example Summer.Stevens

The next step is to create regular expressions to match these four values as the fifth will be a catch for non-matched values, like so:

“^(01|07)\d{9}”
“^55\d{4}”
“^$”
“^44\d{10}”

Now let’s put all of this together and get a feel for how things will look:

foreach ($user in $users) {
	switch -regex ($user | % { $user.telephoneNumber -replace "\D" } ) {
	"^(01|07)\d{9}"		{ Add-Member -InputObject $user -Name "E164Number" -MemberType NoteProperty -Value ([regex]::matches(($user.telephoneNumber -replace "\D"),"^(01|07)\d{9}")[0].Value -replace '^0','+44') ; continue }
	"^55\d{4}"			{ Add-Member -InputObject $user -Name "E164Number" -MemberType NoteProperty -Value ([regex]::matches(($user.telephoneNumber -replace "\D"),"^55\d{4}")[0].Value -replace '^55','+44123455') ; continue }
	"^$"				{ Write-Warning "Blank" ; continue } #Empty
	"^44\d{10}"			{ if ($user.telephoneNumber -match "^\+\d{12}") { Write-Warning "E.164: $($user.sAMAccountName), $($user.telephoneNumber)" } else { Write-Warning "No Match: $($user.sAMAccountName), `"$($user.telephoneNumber)`""} ; continue}
	default 			{ Write-Warning "No Match: $($user.sAMAccountName), `"$($user.telephoneNumber)`"" }
	}
}

As you can see from the above script block I have used a foreach loop that then uses a switch statement. The switch then checks to see if it can match one of the regular expressions patterns from the previous step and if successful adds a new note property named “E164Number” else it will display a warning. Let’s give it a try:

WARNING: E.164: Arabella.Thompson, +441234844048
WARNING: Blank
WARNING: No Match: Summer.Stevens, "Call me before 11AM 550997"

As predicted we have a few warnings, now let’s have a look at the projected telephone numbers:

$users | Select-Object Name, telephoneNumber, E164Number | Format-Table -AutoSize

Name              telephoneNumber                     E164Number
----              ---------------                     ----------
Georgina.Stewart  554861                              +441234554861
Georgina.Stewart1 01234 12 34 56 (only call on Tues)  +441234123456
Eden.Morris       01234-55(4487)                      +441234554487
Sarah.Patel       559642                              +441234559642
Marley.Adams      550998                              +441234550998
Mya.Lewis         (01234) 127075                      +441234127075
Sophia.Baker      (55)2912                            +441234552912
Filip.Rogers      (55)8996                            +441234558996
Noah.Mason        (Part Time)-(01234) 897740          +441234897740
Isabel.Webb       (01234) 036428                      +441234036428
Steven.Matthews   (01234) 957823                      +441234957823
Courtney.Walker   (01234) 679860                      +441234679860
Rayyan.Mitchell   07123 530656                        +447123530656
Mary.Graham       07123  822057                       +447123822057
Maisy.Barnes      07123 364461                        +447123364461
Arabella.Thompson +441234844048
Macy.Adams
Grace.Robinson    (01234) 538794                      +441234538794
Summer.Stevens    Call me before 11AM 550997
Frederick.Taylor  01234588239                         +441234588239

Very nice. Now to make this permanent we need to push the E164Number property into the telephoneNumber property on each of these users:

Backup first:

$users | Export-Csv C:\Support\MyBackup.csv -NoTypeInformation

Once the blackup task has been completed we can now go ahead and apply the new number. Notice that I used an if statement to check that there actually is a value in the E164Number property first and if there isn’t then it will skip that user.

 $users | ForEach-Object { if ($_.E164Number) {Set-QADUser -Identity $_ -PhoneNumber $_.E164Number}}

Now to confirm the results:

$users | Get-QADuser | Select-Object Name, telephoneNumber | Format-Table -AutoSize

Name              telephoneNumber
----              ---------------
Georgina.Stewart  +441234554861
Georgina.Stewart1 +441234123456
Eden.Morris       +441234554487
Sarah.Patel       +441234559642
Marley.Adams      +441234550998
Mya.Lewis         +441234127075
Sophia.Baker      +441234552912
Filip.Rogers      +441234558996
Noah.Mason        +441234897740
Isabel.Webb       +441234036428
Steven.Matthews   +441234957823
Courtney.Walker   +441234679860
Rayyan.Mitchell   +447123530656
Mary.Graham       +447123822057
Maisy.Barnes      +447123364461
Arabella.Thompson +441234844048
Macy.Adams
Grace.Robinson    +441234538794
Summer.Stevens    Call me before 11AM 550997
Frederick.Taylor  +441234588239

Excellent, the majority of users now have an E164 formatted phone number.

All that’s left now is to identify users that still do not conform to this format so that they can be contacted, this can be achieved by using a Where-Object with another regular expression like so:

$users | Get-QADUser | Where-Object { $_.telephoneNumber -notmatch "^\+\d{12}" } | Select-Object name, email

Name           Email
----           -----
Macy.Adams     Macy.Adams@jfrmilner.lab
Summer.Stevens Summer.Stevens@jfrmilner.lab

Well that wraps up this post; I think you’ll agree it’s a nice real world example of using PowerShell with regular expressions to solve formatting issues.

Thanks for reading and until next time.

Regards,

jfrmilner

Checking for “Dead” paths on HBAs with PowerCLI

jfrmilner — Sat, 27 Aug 2011 15:28:52 +0000

This week I have been tasked with assisting a storage engineer while he replaces a couple of Fibre Channel switches. My task was simple, check the HBAs for any “Dead” paths (See below screen shot for an example) across all the ESX hosts every hour for a weekend. We have a fair few VMHosts so this gave me the opportunity to use PowerCLI (Think PowerShell with a VMware snapin).

It didn’t take long at all to knock up a little script that can report on path states, this is what I came up with:

$VMHosts = Get-VMHost  | ? { $_.ConnectionState -eq "Connected" } | Sort-Object -Property Name
$results= @()

foreach ($VMHost in $VMHosts) {
Get-VMHostStorage -RescanAllHba -VMHost $VMHost | Out-Null
[ARRAY]$HBAs = $VMHost | Get-VMHostHba -Type "FibreChannel"

	foreach ($HBA in $HBAs) {
    $pathState = $HBA | Get-ScsiLun | Get-ScsiLunPath | Group-Object -Property state
    $pathStateActive = $pathState | ? { $_.Name -eq "Active"}
    $pathStateDead = $pathState | ? { $_.Name -eq "Dead"}
    $pathStateStandby = $pathState | ? { $_.Name -eq "Standby"}
    $results += "{0},{1},{2},{3},{4},{5}" -f $VMHost.Name, $HBA.Device, $VMHost.Parent, [INT]$pathStateActive.Count, [INT]$pathStateDead.Count, [INT]$pathStateStandby.Count
    }

}
ConvertFrom-Csv -Header "VMHost","HBA","Cluster","Active","Dead","Standby" -InputObject $results | Ft -AutoSize

The output is pretty simple but does the job:

VMHost                            HBA    Cluster        Active Dead Standby
------                            ---    -------        ------ ---- -------
d1-vmesx-001.*************.uk    vmhba2 Cluster05      40     0    24
d1-vmesx-001.*************.uk    vmhba3 Cluster05      40     0    24
d2-vmesx-001.****************.uk vmhba2 Cluster02      98     0    80
d2-vmesx-001.****************.uk vmhba3 Cluster02      96     0    80
d2-vmesx-011.****************.uk vmhba2 Cluster03      76     0    88
d2-vmesx-011.****************.uk vmhba3 Cluster03      75     0    85
d2-vmesx-012.****************.uk vmhba2 Cluster03      76     0    88
d2-vmesx-012.****************.uk vmhba3 Cluster03      75     0    85
d2-vmesx-013.****************.uk vmhba1 Cluster03      83     0    85
d2-vmesx-013.****************.uk vmhba2 Cluster03      83     0    85
d2-vmesx-014.****************.uk vmhba1 Cluster03      83     0    85
d2-vmesx-014.****************.uk vmhba2 Cluster03      83     0    85
d2-vmesx-015.****************.uk vmhba1 Cluster03      83     0    85
d2-vmesx-015.****************.uk vmhba2 Cluster03      83     0    85
d2-vmesx-016.****************.uk vmhba1 Cluster03      83     0    85
d2-vmesx-016.****************.uk vmhba2 Cluster03      83     0    85
d2-vmesx-017.****************.uk vmhba1 MSCS Cluster01 44     0    308
d2-vmesx-017.****************.uk vmhba2 MSCS Cluster01 44     0    308
d2-vmesx-018.****************.uk vmhba1 MSCS Cluster01 44     0    308
d2-vmesx-018.****************.uk vmhba2 MSCS Cluster01 44     0    308
d2-vmesx-019.****************.uk vmhba1 Cluster04      68     0    52
d2-vmesx-019.****************.uk vmhba2 Cluster04      68     0    52
d2-vmesx-021.****************.uk vmhba1 Cluster04      68     0    52
d2-vmesx-021.****************.uk vmhba2 Cluster04      68     0    52

If you wanted to work with this information further then I would suggest creating a custom object and populating the properties with Add-Member instead of doing the format string method above, I just did that as it’s quick. Well this is my first PowerCLI script, I hope to share some more.

Bye for now.

jfrmilner

Enable VT and install the Hyper-V Role with PowerShell Remoting

jfrmilner — Sun, 07 Aug 2011 14:53:55 +0000

I had a situation where I needed to enable the Virtualisation Technology (VT) across a bunch of Dell servers and then install the Hyper-V role. It turned out to be much simpler than I originally thought thanks in part to PowerShell remoting and Dells omconfig.

Dell give you the option to change BIOS configuration from the command line, for example to enable the CPU VT:


omconfig chassis biossetup attribute=cpuvt setting=enabled

In addition to the above I would also need to install the Hyper-V role:

Import-Module ServerManager ; Add-WindowsFeature Hyper-V

This can be combined into a PowerShell remote command like so ($allServers is an array of all the server host names I want to execute the command against):

icm -ComputerName $allServers -ScriptBlock { omconfig chassis biossetup attribute=cpuvt setting=enabled ; Import-Module ServerManager ; Add-WindowsFeature Hyper-V }

Next I needed to create a software virtual switch, for this I used a script from

http://blogs.technet.com/b/virtualization/archive/2008/05/26/hyper-v-wmi-using-powershell-scripts-part-5.aspx :

$VirtualSwitchService = get-wmiobject -class "Msvm_VirtualSwitchManagementService" -namespace "root\virtualization"
$ReturnObject = $VirtualSwitchService.CreateSwitch([guid]::NewGuid().ToString(), "DELL NETWORK TEAM - Virtual Network", "1024","")

#Create New Virtual Switch
$CreatedSwitch = [WMI]$ReturnObject.CreatedVirtualSwitch

#Create Internal Switch Port
$ReturnObject = $VirtualSwitchService.CreateSwitchPort($CreatedSwitch, [guid]::NewGuid().ToString(), "InternalSwitchPort", "")
$InternalSwitchPort = [WMI]$ReturnObject.CreatedSwitchPort

#Create External Switch Port
$ReturnObject = $VirtualSwitchService.CreateSwitchPort($CreatedSwitch, [guid]::NewGuid().ToString(), "ExternalSwitchPort", "")
$ExternalSwitchPort = [WMI]$ReturnObject.CreatedSwitchPort

$ExternalNic = get-wmiobject -namespace "root\virtualization" -Query "Select * From Msvm_ExternalEthernetPort WHERE IsBound=False" | ? { $_.Name -eq 'BASP Virtual Adapter'}

#Call SetupSwitch
$Job = $VirtualSwitchService.SetupSwitch($ExternalSwitchPort, $InternalSwitchPort, $ExternalNic, [guid]::NewGuid().ToString(), "InternalEthernetPort")
while (([WMI]$Job.Job.JobState -eq 2) -or ([WMI]$Job.Job.JobState -eq 3) -or ([WMI]$Job.Job.JobState -eq 4)) {Start-Sleep -m 100}
[WMI]$Job.Job

And finally reboot them all (they actually reboot twice as part of the Hypervisor installtion):

icm -ComputerName $allServers -ScriptBlock { Restart-Computer -Force }

With the above I managed to enable and install Hyper-V across 70 severs simultaneously with less than a couple of hours of effort, nice!

Kind Regards,

jfrmilner

Audit Share Permissions PowerShell Script

jfrmilner — Mon, 02 May 2011 13:09:00 +0000

This month I find myself in the need for a quick way to do a simple audit on share permissions on a bunch of files servers. As always I wanted to use PowerShell Remoting (with the code executing on the local server) to accomplish this as enumerating shares is a slow process at the best of times and over the wire this would have been painfully slow.

Before writing a script I always see if anyone has done this already and in this case yes, I stumbled upon http://www.peetersonline.nl/index.php/powershell/listing-share-permissions-for-remote-shares

The only thing missing for my requirements was the need to have both the share name and server name adding to the object, this obviously is very minor and only required a couple of alterations, for example:

function Get-SharePermissions
{
	param([string]$computername,[string]$sharename)
	$ShareSec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $computername
	ForEach ($ShareS in ($ShareSec | Where {$_.Name -eq $sharename}))
	{
		$SecurityDescriptor = $ShareS.GetSecurityDescriptor()
		$Global:myCol = @()
		ForEach ($DACL in $SecurityDescriptor.Descriptor.DACL)
		{
			$myObj = "" | Select ID, AccessMask, AceType
			$myObj.ID = $DACL.Trustee.Name
			$myObj | Add-Member -MemberType NoteProperty -Name Server -Value $computername
			$myObj | Add-Member -MemberType NoteProperty -Name Share -Value $sharename
			Switch ($DACL.AccessMask)
			{
				2032127 {$AccessMask = "FullControl"}
				1179785 {$AccessMask = "Read"}
				1180063 {$AccessMask = "Read, Write"}
				1179817 {$AccessMask = "ReadAndExecute"}
				-1610612736 {$AccessMask = "ReadAndExecuteExtended"}
				1245631 {$AccessMask = "ReadAndExecute, Modify, Write"}
				1180095 {$AccessMask = "ReadAndExecute, Write"}
				268435456 {$AccessMask = "FullControl (Sub Only)"}
				default {$AccessMask = $DACL.AccessMask}
			}
			$myObj.AccessMask = $AccessMask
			Switch ($DACL.AceType)
			{
				0 {$AceType = "Allow"}
				1 {$AceType = "Deny"}
				2 {$AceType = "Audit"}
			}
			$myObj.AceType = $AceType
			Clear-Variable AccessMask -ErrorAction SilentlyContinue
			Clear-Variable AceType -ErrorAction SilentlyContinue
			$myCol += $myObj
		}
	}
	Return $myCol
}

Get-SharePermissions -computername $ENV:COMPUTERNAME -sharename $args[0]

Like previous post on my blog I will use PowerShell remoting with a variable for the Servers ($allServers) and having saved the above code (C:\Scripts\Get-SharePermissions.ps1):


icm $allServers -FilePath C:\Scripts\Get-SharePermissions.ps1 -ArgumentList Wallpaper$

And the results:

Thanks for reading and I hope you find this useful. Also special thanks to the orginal author of this excellent script Hugo Peeters @ http://www.peetersonline.nl/

Regards,

jfrmilner

Get Folder Size PowerShell Script

jfrmilner — Mon, 02 May 2011 12:17:59 +0000

One of my clients was experiencing slow logon times after enabling roaming profiles and this was tracked down to large profiles. I needed to write a quick script that would tell me the folder size across a bunch of file servers.

I decided to create a function for this task named Get-FolderSize and this is the code:

function Get-FolderSize {
param ( [Parameter(Mandatory=$true)] [System.String]${Path}	)

$objFSO = New-Object -com  Scripting.FileSystemObject
$folders = (dir $path | ? {$_.PSIsContainer -eq $True})
foreach ($folder in $folders)
    {
    $folder | Add-Member -MemberType NoteProperty -Name "SizeMB" -Value (($objFSO.GetFolder($folder.FullName).Size) / 1MB) -PassThru
    }

}
Get-FolderSize $args[0]

To use this code on a local machine simply execute the above function and call it, for example Get-FolderSize D:\FileData. Now as previously mentioned I wanted to be able to check a large bunch of File Servers and to do that I would first need to create a variable to hold my servers, for example $allServers, then save the above code to the executing server for example C:\Scripts\Get-FolderSize.ps1. This finally allowed me to run the following command:

$folders = icm $allServers -FilePath C:\Scripts\Get-FolderSize.ps1 -ArgumentList "E:\Profiles"

Now to see the top 10 worst offenders with a filter to show only two decimal places:

 $folders | sort -Property SizeMB -Descending | select fullname,@{n='SizeMBN2';e={"{0:N2}" -f $_.SizeMB}} | select -First 10

Well as you can see from the below screen my client has some profiles to clean up but at least now they know which ones.

Thanks for reading and I hope you find this useful.

Regards,

jfrmilner

Audit NTFS Permissions PowerShell Script

jfrmilner — Sun, 01 May 2011 19:23:57 +0000

This month I find myself in the need for a quick way to do a simple audit of NTFS permissions on a bunch of files servers. As always I wanted to use PowerShell Remoting (with the code executing on the local server) to accomplish this as enumerating permissions is a slow process at the best of times and over the wire this would have been painfully slow.

Now I know that you can use some of the *CACLS executables to do this but if you’ve ever used these tools you will know they seem to default to information overload. All I wanted to do is get the permissions of a path and then check for any inheritance breaks on all its child folders, and be able to export to CSV.

This is the code that I came up with:

function Get-PathPermissions {

param ( [Parameter(Mandatory=$true)] [System.String]${Path}	)

	begin {
	$root = Get-Item $Path
	($root | get-acl).Access | Add-Member -MemberType NoteProperty -Name "Path" -Value $($root.fullname).ToString() -PassThru
	}
	process {
	$containers = Get-ChildItem -path $Path -recurse | ? {$_.psIscontainer -eq $true}
	if ($containers -eq $null) {break}
		foreach ($container in $containers)
		{
		(Get-ACL $container.fullname).Access | ? { $_.IsInherited -eq $false } | Add-Member -MemberType NoteProperty -Name "Path" -Value $($container.fullname).ToString() -PassThru
		}
	}
}
Get-PathPermissions $args[0]

To use this code on a local machine simply execute the above function and call it, for example Get-PathPermissions D:\FileData. Now as previously mentioned I wanted to be able to audit a large bunch of File Servers and to do that I would first need to create a variable to hold my servers, for example $allServers, then save the above code to the executing server for example C:\Scripts\Get-PathPermissions.ps1. This finally allowed me to run the following command:


icm $allServers -FilePath C:\Scripts\Get-PathPermissions.ps1 -ArgumentList "E:\WallPaper" | Export-Csv C:\PermissionsAudit.csv –NoTypeInformation

The output (C:\PermissionsAudit.csv) can now be manipulated in Excel, for example:

As you can see this provides very simple and easy to read output that can ease auditing NTFS permissions in bulk.

Thanks for reading and I hope you find this useful.

Regards,

jfrmilner

Convert DCs to RODCs in bulk using PowerShell (Part 3 of 3)

jfrmilner — Mon, 06 Dec 2010 21:13:41 +0000

Part 3 of 3

First Post (Part 1 of 3)

Previous Post (Part 2 of 3)

Step 7 – Force a restart of the Servers

I now need to be sure that the servers are online. A quick way to test that a bunch of systems are online after a reboot it to use the Test-Connection cmdlet, for example to single ping the first ten servers that I demoted:

Test-Connection $Servers[0..9] -Count 1

After confirming the servers were back online I restarted them again, this oddly was necessary to freshen up the systems as they seemed a little flaky on the first restart after a demotion. Instead of using the Restart-Computer cmdlet I used the old shutdown.exe command as I found it more reliable dealing with unhappy servers, the command I used was:

$Servers[0..9] | % {  shutdown /r /m \\$($_) }

After the second restart I tested that PowerShell remoting with CredSSP authentication was again working using the same command as before:

icm $Servers { $ENV:ComputerName } -Authentication CredSSP -Credential $Cred

Step 8 – ReDCPROMO to RODC

Completing all the previous steps I was now ready to promote all the member servers to RODCs.

Much like the command used for step 6 here is the command I used to promote the first 10 servers.

icm $Servers[0..9] { dcpromo.exe /unattend:C:\SUPPORT\DCPROMORODCAnswerFile.txt | Tee-Object -filepath C:\SUPPORT\DCPROMORODCResultFile.txt } -Authentication CredSSP -Credential $Cred

Again the output for this command is both seen on the console and saved to the file C:\SUPPORT\DCPROMORODCResultFile.txt local to each server. Due to the IFM cache of AD the whole promotion completed very quickly, with some completing in only a few minutes.

You should now find the RODCs returned to the ‘Domain Controllers’ OU but now the DC Type will show Read-only.

Step 9 – Replicate the Passwords for the User and Computer Objects to the local RODC responsible for authentication

Now that all the DCs had been converted to RODCs I wanted to be sure that I pre-cached all the computer accounts and user account passwords local to that site using the groups created in Step 1. The command line tool RepAdmin can be used for such a task with the /rodcpwdrepl switch, this will first check the computer/user object is allowed to be cached and if confirmed will then add the password hash to the RODCs cache. Interestingly you can only add single user or computer account to the RODC cache using ADUC and not groups or as I needed all accounts contained within an OU.

I achieved this using the help of the Microsoft AD module. As mentioned before the AD Site Name in this company also matches up with the name of the OU holding the objects for that AD Site, so with that in mind I checked what the local site code was and then used that to construct the Distinguished Name of the OU, I then enumerated all users/computers and passed this onto the RepAdmin tool.

Here is the example of populating the RODC cache with User accounts:

icm $Servers[0..9] { import-module ActiveDirectory ; $siteCode = [DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().name  ; Get-ADUser -SearchBase "OU=Staff,OU=Users,OU=$($siteCode),OU=Schools,DC=domain1,DC=sch,DC=uk" -filter * | % { Repadmin /rodcpwdrepl D1-$($siteCode)-001 D1-DC-001 $_.DistinguishedName }} -Authentication CredSSP -Credential $Cred

And finally here is the example of populating the RODC cache with Computer Accounts:

icm $Servers[0..9] { import-module ActiveDirectory ; $siteCode = [DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().name  ; Get-ADComputer -SearchBase "OU=$($siteCode),OU=Schools,DC=domain1,DC=sch,DC=uk" -filter * | % { Repadmin /rodcpwdrepl D1-$($siteCode)-001 D1-DC-001 $_.DistinguishedName }} -Authentication CredSSP -Credential $Cred

You can easily confirm which accounts are cached on your server by selecting the properties on the RODC, selecting the “Password Replication Policy” tab, clicking the Advanced button and confirming that “Accounts Whose Password are stored on this Read-only Domain Controller” is selected from the drop down box.

I used this process to successfully convert over 150 full DCs to RODCs and I found it an excellent example of how PowerShell remoting can save you significant amounts of time and making a repetitive task like this a breeze!

A couple of final thoughts:

1. Be sure to monitor your replication over the coming days and get familiar with the repadmin command line utility.

2. It would be wise to remove the IFM caches from your local disks as soon as you are ready and be sure not to use them after the tombstone lifetime.

Thanks for reading.

Regards,

jfrmilner

This post is provided “AS IS” with no warranties or guarantees, and confers no rights.

[/sourcecode]

Convert DCs to RODCs in bulk using PowerShell (Part 2 of 3)

jfrmilner — Tue, 30 Nov 2010 14:49:27 +0000

Part 2 of 3

Previous Post (Part 1 of 3)

Final Post (Part 3 of 3)

Step 4 – Enable CredSSP (multihop-authentication)

Before I could start using DCPROMO I needed to enable multihop-authentication using CredSSP. Now I will not explain this in detail, instead I would like to refer you to the excellent post by Ravikanth Chaganti – http://www.ravichaganti.com/blog/?p=1230

As this will need to be allowed in bulk then I suggest you use the GPO :
Computer Configuration/Administrative Templates/Windows Components/Windows Remote Management (WinRM)/WinRM Service/Allow CredSSP authentication

This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts CredSSP authentication from a remote client. Once enabled this policy sets the WinRM service to accept CredSSP authentication from a remote client.

The management client will also need to be configured to allow credentials to be passed onto remote clients. In my case I only wanted to allow this on my management server so I used this command on that system:


Enable-WSManCredSSP -Role Client -DelegateComputer *.domain1.sch.uk

This command once enabled basically allows me to pass my credentials onto any system in the domain that has the WinRM service configured to accept CredSSP authentication.

I recommend that you give this a test run before moving onto the next step.
Create a variable $Cred and store the account you’re going to be using for the DCPROMO commands, for example:


$Cred = Get-Credential DOMAIN1\DomainAdmin

Then use Invoke-Command to echo back the server name(s) of each remote system:

icm $Servers { $ENV:ComputerName } -Authentication CredSSP -Credential $Cred

Step 5 – Create DCPROMO demote and RODC promote answer files using a word replace template method

The idea of this is quite simple, first create a DCPROMO demote and a RODC promotion answer files from a test/lab server and use these as templates. The template will be loaded into RAM and if necessary a word replace will be performed creating the unique answer file needed, the file will then be saved onto the target server. This was the code used to create the two answer files:


$SiteCodes| % {
$DCPROMODemote = gc 'C:\Scripts\DCPROMODemoteTemplate.txt'
$DCPROMODemote | Out-File "\\D1-$($_)-001\C$\Support\DCPROMODemote.txt" -Encoding ascii
Write-Host "File Saved: \\D1-$($_)-001\C$\Support\DCPROMODemote.txt"
$DCPROMORODCTemplate = gc 'C:\Scripts\DCPROMO-RODC-Template.txt'
$DCPROMORODCAnswerFile = $DCPROMORODCTemplate -replace '',$($_)
$DCPROMORODCAnswerFile | Out-File "\\D1-$($_)-001\C$\Support\DCPROMORODCAnswerFile.txt" -Encoding ascii
Write-Host "File Saved: \\D1-$($_)-001\C$\Support\DCPROMORODCAnswerFile.txt"
}

Next the answer file used for the DCPROMO demotion, no word replacement was necessary.


; DCPROMO unattend file - Auth jfrmilner
; Usage:
;   dcpromo.exe /unattend:C:\SUPPORT\DCPROMODemote.txt
;
[DCInstall]
; Demotion
RetainDcMetadata=No
IsLastDCInDomain=No
AdministratorPassword=passwordgoeshere
RebootOnCompletion=Yes

This was the template answer file used for the DCPROMO RODC promotion. All text that matched ‘’ was replaced with the Site Code passed from the pipeline, for example if the first value in the $SiteCode variable was ‘AFCPS’ then the line ‘PasswordReplicationAllowed=”DOMAIN1\-Laptops”’ would be changed to ‘PasswordReplicationAllowed=”DOMAIN1\AFCPS-Laptops”’.


; DCPROMO unattend file - Auth jfrmilner
; Usage:
;   dcpromo.exe /unattend:C:\Support\DCPROMORODCAnswerFile.txt
;
[DCInstall]
; Read-Only Replica DC promotion
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=domain1.sch.uk
; RODC Password Replication Policy
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="DOMAIN1\Denied RODC Password Replication Group"
PasswordReplicationAllowed="DOMAIN1\Allowed RODC Password Replication Group"
PasswordReplicationAllowed="DOMAIN1\-Laptops"
PasswordReplicationAllowed="DOMAIN1\-Pupils"
PasswordReplicationAllowed="DOMAIN1\-Staff"
PasswordReplicationAllowed="DOMAIN1\-Workstations"
; D1-RODC-Admins will include the Service Desk Global Group
DelegatedAdmin="DOMAIN1\D1-RODC-Admins"
SiteName=
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=domain1.sch.uk
UserName=DOMAIN1\DomainAdmin
Password= passwordgoeshere
ReplicationSourcePath="C:\Support\IFM_RODC"
ReplicationSourceDC=D1-DC-001.domain1.sch.uk
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword= passwordgoeshere
; Run-time flags (optional)
; CriticalReplicationOnly=Yes
RebootOnCompletion=Yes

I should point out that the passwords in these files are stored in clear text when they are created. The passwords are removed from each file after they have been used as answer files for the DCPROMO tasks, with this in mind you should consider carefully which account you use and not to create these files until you are ready to use them.

Step 6 – DCPROMO demote the DC to a Member Server

Before I began to demote servers I created a new OU titled ‘DCPROMO Holding’, this OU also had a GPO linked that would enable PowerShell remoting. By default a demoted server would be returned to the Computer OU and because of this would have all GPO’s removed.

With all the prerequisites out of the way I could now start demoting Domain Controllers back to Member Servers.
I did about ten servers at a time and I suggest you do the same. I did this by using the Range operator, for example say $Servers was a 100 item array, writing $Servers[0..9] would select the first 10 and $Servers[10..19] would be the next ten etc..

This is the code I used for the first 10:


icm $Servers[0..9] { dcpromo.exe /unattend:C:\SUPPORT\DCPROMODEMOTE.txt | Tee-Object -filepath C:\SUPPORT\DCPROMODEMOTEResultFile.txt } -Authentication CredSSP -Credential $Cred

Note the Tee-Object cmdlet, this allows the output of the promotion to appear on the console and also a text file. It would not be difficult to parse the text file for detailed information or collect the data and concatenate this information into a single report.

All went to plan, the computer objects for all ten systems were returned to the Computers OU. Checking this OU is actually the quickest way to get an overall feel of the success of the bulk demotion. I then moved the computer objects from the Computers OU to the ‘DCPROMO Holding’ OU.

Thanks for reading. I will post the final part over the course of the week so please check back.

Regards,

jfrmilner

; DCPROMO unattend file – Auth jfrmilner

; Usage:

; dcpromo.exe /unattend:C:\Support\DCPROMORODCAnswerFile.txt

;

[DCInstall]

; Read-Only Replica DC promotion

ReplicaOrNewDomain=ReadOnlyReplica

ReplicaDomainDNSName=domain1.sch.uk

; RODC Password Replication Policy

PasswordReplicationDenied=”BUILTIN\Administrators”

PasswordReplicationDenied=”BUILTIN\Server Operators”

PasswordReplicationDenied=”BUILTIN\Backup Operators”

PasswordReplicationDenied=”BUILTIN\Account Operators”

PasswordReplicationDenied=”DOMAIN1\Denied RODC Password Replication Group”

PasswordReplicationAllowed=”DOMAIN1\Allowed RODC Password Replication Group”

PasswordReplicationAllowed=”DOMAIN1\-Laptops”

PasswordReplicationAllowed=”DOMAIN1\-Pupils”

PasswordReplicationAllowed=”DOMAIN1\-Staff”

PasswordReplicationAllowed=”DOMAIN1\-Workstations”

; D1-RODC-Admins will include the Service Desk Global Group

DelegatedAdmin=”DOMAIN1\D1-RODC-Admins”

SiteName=

InstallDNS=Yes

ConfirmGc=Yes

CreateDNSDelegation=No

UserDomain=domain1.sch.uk

UserName=DOMAIN1\DomainAdmin

Password= passwordgoeshere

ReplicationSourcePath=”C:\Support\IFM_RODC”

ReplicationSourceDC=D1-DC-001.domain1.sch.uk

DatabasePath=”C:\Windows\NTDS”

LogPath=”C:\Windows\NTDS”

SYSVOLPath=”C:\Windows\SYSVOL”

SafeModeAdminPassword= passwordgoeshere

; Run-time flags (optional)

; CriticalReplicationOnly=Yes

RebootOnCompletion=Yes

Convert DCs to RODCs in bulk using PowerShell (Part 1 of 3)

jfrmilner — Mon, 29 Nov 2010 18:31:23 +0000

Part 1 of 3

Next Post (Part 2 of 3)

Final Post (Part 3 of 3)

Scenario: This month presented me with an interesting issue that I would like to share. In effort to provide Role Based Accounts (RBA) to both 1st and 2nd Line Support it became clear that 2nd Line needed to locally administer DCs as they also acted as File Servers at some sites, but being a member of Domain Admins was overkill and as such went against Least Privilege best practices. The solution to this issue was to convert all non-dedicated DCs or FSMO Role holders to Read Only Domain Controllers (RODCs). RODCs run as member servers with a local Security Accounts Manager (SAM) and run AD as an isolated service; this allowed me to configure dedicated local administration. This was achieved by adding the 2nd Line role based account group to the BUILTIN\Administrators group on each local RODC. There are other benefits to RODCs but I’ll not cover those in this post.

Now the issue is that this particular Domain has over 150 DCs that need to be converted to RODCs with the majority being on slow WAN links. I needed to find a way to do this with minimum network traffic, in a consistent manor (to keep the Change Manager happy) and quickly. This was how I did it:

Summary of steps to perform:
1. Sort all Computer and User Objects into Groups that will be used for Password Replication Policies.
2. Set the DNS Server options on each DC NIC to point back to the Core DCs in Head Office.
3. Use the “Install From Media” option of NTDSUTIL to create two local cache copies of the Active Directory. One will be for RODCs and the other will be for Full DCs, the latter could be used for Roll Back scenarios should I wish to restore the DC to its original state.
4. Enable CredSSP used for multihop authentication.
5. Create DCPROMO demote and RODC promote answer files using a word replace template method.
6. DCPROMO demote the DC to a Member Server.
7. Force a restart of the Servers.
8. ReDCPROMO to RODC.
9. Replicate the Passwords for the User and Computer Objects to the local RODC responsible for authentication.

Step 1 – Sort all Computer and User Objects into Groups that will be used for Password Replication Policies

Luckily this step was particularly straight forward for me due to the fact that we use a five letter code for each customer and this code is used to reference the Site, Parent OU and is also used to prefix the Computer Objects. All I needed to do was create an array of all the Site Codes and store it in a variable called $siteCode, then pass that through to a foreach loop that collected all the Computer Objects for that OU and then added them to a Group following a simple pattern match.

This is the code that I used for the first batch of ten (Please note that I used the free Quest AD cmdlets for this and some of the other steps and as such they will need to be installed for this to work):


$siteCodes[0..9] | % {
$siteCode = $($_)
#Sort Computer Membership
$Comps = Get-QADComputer -OU domain1.sch.uk/Schools/$siteCode | ? { $_.memberof.count -ne 1 }
$Comps | ? { $_.Name -match "$($siteCode)W" } | % { Add-QADGroupMember -Identity "$($siteCode)-Workstations" -Member $_.DN }
$Comps | ? { $_.Name -match "$($siteCode)L" } | % { Add-QADGroupMember -Identity "$($siteCode)-Laptops" -Member $_.DN }
}

I also used the below code to list any Computer Objects that were not a member of a single Group, which for me mainly highlighted incorrectly named systems.


$siteCodes[0..9] | % {
$siteCode = $($_)
#Check for Problem Systems
Get-QADComputer -OU domain1.sch.uk/Schools/$siteCode | select name,@{name='MemberShipCount';expression={$_.memberof.count}} | ? { $_.Membershipcount -ne 1 }
}

Step 2 – Set the DNS Server options on each DC NIC to point back to the Full DCs in Head Office.

If you’re going to DCPROMO demote a Server from a DC to a Member Server you will need to be sure that the Server does not reference itself as a DNS Server. I needed to find the teamed NIC that is configured with the DNS registered IP Address of that Server and reconfigure the DNS Search Order. I did this by using PowerShell Remoting to first collect the IP Address from DNS that references the Servers host name and then that information to find the NIC with that configured, and then use a WMI method to set this NICs DNS Search Order to an Array using a couple of DNS Server from Head Office.


#Set DNS
icm $Servers -ScriptBlock {  $DNSArray = '10.10.10.10','10.10.10.11' ; (Get-WmiObject -class win32_networkadapterconfiguration | ? { $_.IPAddress -eq ( ([System.Net.Dns]::GetHostEntry($ENV:ComputerName).AddressList | ? { $_.AddressFamily -eq 'InterNetwork' }).IPAddressToString ) } ).SetDNSServerSearchOrder($DNSArray) }

To Check my configuration Changes:


#Audit DNS
icm $Servers -ScriptBlock { Get-WmiObject -class win32_networkadapterconfiguration | ? { $_.IPAddress -eq ( ([System.Net.Dns]::GetHostEntry($ENV:ComputerName).AddressList | ? { $_.AddressFamily -eq 'InterNetwork' }).IPAddressToString )} } | select __SERVER,IPAddress,DNSServerSearchOrder

Step 3 – Use the “Install From Media” (IFM) option of NTDSUTIL to create two local cache copies of the Active Directory.
One will be for RODCs and the other will be for Full DCs, the latter could be used for Roll Back scenarios should I wish to restore the DC to its original state.

To begin with I needed to increase the amount of memory that a PowerShell remoting session can use from the default 150MB to 1GB due to the memory hungry IFM process. This setting can be restored as soon as you have finished creating your IFM snapshots. Using the Group Policy Management Console (GPMC) I edited the policy that manages Remoting and edited the setting Computer Configuration/Administrative Templates/Windows Components/Windows Remote Shell/ Specify maximum amount of memory in MB per Shell, this option should look like Figure1.

RODC-GPOMaxMemPerShellMB

The next step is to create the actual IFM snapshots using NTDSUTIL. This again was achieved using PowerShell Remoting; here is the code I used:


icm $Servers -ScriptBlock { ntdsutil "Activate Instance NTDS" ifm "Create SYSVOL Full C:\Support\IFM_Full" q q >> C:\Support\IFM_Full.log }
icm $Servers -ScriptBlock { ntdsutil "Activate Instance NTDS" ifm "Create SYSVOL RODC C:\Support\IFM_RODC" q q >> C:\Support\IFM_RODC.log }

Thanks for reading. I will post the remaining two parts over the course of the week so please check back.

Regards,

jfrmilner