Tagged: PowerShell

MCTS 70-646 Plan server management strategies

Plan server management strategies

Server Manager Console

Displays the roles and features that are installed on that particular computer.


servermanagercmd.exe is the command-line version of Server Manager, but it is deprecated from Windows Server 2008 R2 onwards; Microsoft is pushing Windows PowerShell and the ServerManager module (Get-WindowsFeature, Add-WindowsFeature, Remove-WindowsFeature) instead.

Microsoft Management Console

Microsoft Management Console snap-ins are available for every role and feature that is installed on the local computer; managing some roles on another computer requires the Remote Server Administration Tools (RSAT) to be installed on the management workstation, e.g. Active Directory Users and Computers.

Emergency Management Services (EMS)

EMS provides out-of-band management over a serial port: you connect with a terminal emulator (HyperTerminal or similar) attached directly to the port, or via telnet to a terminal concentrator that the port is cabled to. EMS exposes the Special Administration Console (SAC), which can be used when a computer has frozen or locked up during start-up or shutdown, or when a runaway process has made the computer unresponsive over the network. Because SAC sits on the serial line rather than behind the normal logon, physical and network access to that line must be controlled as tightly as console access.

EMS must be enabled before you need it, ideally before the server is deployed into production. EMS is enabled using bcdedit.
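An added example (not from the original notes) of enabling EMS with bcdedit from an elevated PowerShell prompt. It assumes the serial cable is on COM1 at 115200 baud; adjust EMSPORT and EMSBAUDRATE to match the port wired to the terminal concentrator. The boot entry identifiers are quoted because PowerShell would otherwise parse {current} as a script block.

```powershell
# Added example, not the original post's code. Assumed: COM1, 115200 baud.
# Global serial settings shared by EMS and the boot manager.
bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200

# Enable EMS (SAC) for the currently running OS entry.
bcdedit /ems '{current}' on

# Also let the boot manager redirect its output to the serial port,
# so a hang before the kernel loads is still visible.
bcdedit /bootems '{bootmgr}' on

# Verify: the entry should now show 'ems  Yes' (takes effect on next boot).
bcdedit /enum '{current}'
```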

Remote Desktop

Remote Desktop allows members of the local Administrators and Remote Desktop Users groups to connect remotely; this does not apply to domain controllers, where only Administrators can connect remotely by default.

Remote Desktop for Administration allows two concurrent remote connections. If the computer you are connecting to has the Remote Desktop Services (Terminal Services) role installed, use mstsc /admin to connect to an administrative session; if the role is not installed, /admin is not needed because every connection is already an administrative session.

You must be a member of the local administrators group to connect to an administrative session.


PowerShell Remoting

PowerShell remoting builds on what is often called classic remoting. Classic remoting is the -ComputerName parameter built into individual cmdlets (Get-WmiObject, Get-Service, Get-EventLog, Get-Process and others): each cmdlet talks to the remote computer itself, generally over Remote Procedure Call (RPC) and Distributed COM (DCOM), which use dynamic high ports and are awkward to pass through firewalls. Classic remoting also uses transparent authentication, i.e. the credentials of the user running the PowerShell code, unless the cmdlet offers its own -Credential parameter.

You can identify classic remoting cmdlets using

Get-Help * -Parameter ComputerName

Alternatively you can use:

Get-Command -CommandType Cmdlet | Where-Object { $_.Parameters.Keys -contains 'ComputerName' -and $_.Parameters.Keys -notcontains 'Session' }

The alternative command filters out the Windows PowerShell remoting cmdlets, which have a -Session parameter as well as -ComputerName.

Windows PowerShell remoting uses the WinRM service to execute PowerShell code in a separate session on the remote system; it is enabled by running Enable-PSRemoting from an elevated prompt. Enable-PSRemoting starts the WinRM service (and sets it to start automatically) if it is not running, sets up an HTTP listener on TCP 5985 and creates a firewall exception for inbound connections. Traffic over that HTTP listener is still encrypted at the message level when Kerberos or NTLM authentication is used; only Basic authentication over HTTP sends credentials and payload in clear text.

Windows PowerShell remoting authenticates with Kerberos by default (via Negotiate), which also authenticates the server to the client. On a peer-to-peer (workgroup) network, or when connecting to hosts outside your trusted domain or forest, Kerberos is unavailable and the client falls back to NTLM; WinRM then refuses to send credentials unless the target is listed in the client's TrustedHosts setting or the connection is made over HTTPS, where the server's certificate authenticates the server and TrustedHosts is not consulted.

TrustedHosts is a client-side WSMan configuration setting (not a file). The command below sets it to *, which trusts every host: the client will then hand NTLM-authenticated credentials to any machine that answers at the name you typed, so use it only on lab machines and prefer a list of host names or a narrow wildcard such as *.lab.example.com:

Set-Item wsman:\localhost\client\trustedhosts * -Force

Windows PowerShell remoting is driven by Invoke-Command, Enter-PSSession and New-PSSession. Invoke-Command is explicit remoting: it sends a script block to one or many computers and returns deserialized results. Enter-PSSession opens an interactive one-to-one session. New-PSSession creates a persistent session that Invoke-Command -Session and Enter-PSSession -Session can reuse, and that Import-PSSession can use for implicit remoting, where the remote commands are imported into the local session as proxy functions.
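An added example (not from the original notes) that ties the previous three paragraphs together: restricting TrustedHosts to named hosts instead of *, checking the endpoint, then explicit, persistent and implicit remoting over HTTPS. The host names srv01 and srv02, the credential, the certificate thumbprint placeholder and the server's DNS name are assumptions.

```powershell
# Added example, not the original post's code. Assumed: workgroup hosts srv01 and srv02
# that already have an HTTPS WinRM listener; the thumbprint below is a placeholder.

# 1. Trust only the hosts you actually manage. TrustedHosts matters only for NTLM/Basic;
#    Kerberos (domain) and HTTPS connections authenticate the server themselves.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'srv01,srv02' -Force
Get-Item WSMan:\localhost\Client\TrustedHosts          # verify what is trusted now

# 2. On each server (not here on the client), bind a listener to a server-authentication
#    certificate whose subject matches the name clients will use. Shown for reference:
# New-WSManInstance winrm/config/Listener -SelectorSet @{Address='*'; Transport='HTTPS'} `
#     -ValueSet @{Hostname='srv01.example.com'; CertificateThumbprint='<thumbprint>'}

# 3. Confirm the endpoint answers on TCP 5986 before opening a session.
Test-WSMan -ComputerName srv01 -UseSSL

$cred = Get-Credential 'srv01\Administrator'

# Explicit, one-to-many remoting: the script block runs on every host, results come back
# deserialized with a PSComputerName property added.
Invoke-Command -ComputerName srv01, srv02 -UseSSL -Credential $cred -ScriptBlock {
    Get-Service WinRM | Select-Object Status, StartType
}

# Persistent session: variables and modules survive between calls.
$s = New-PSSession -ComputerName srv01 -UseSSL -Credential $cred
Invoke-Command -Session $s -ScriptBlock { $report = Get-EventLog -LogName System -Newest 5 }
Invoke-Command -Session $s -ScriptBlock { $report | Select-Object TimeGenerated, Source, EventID }

# Implicit remoting: load ServerManager remotely, then import its commands locally
# as proxy functions with a prefix so they cannot be confused with local cmdlets.
Invoke-Command -Session $s -ScriptBlock { Import-Module ServerManager }
Import-PSSession -Session $s -Module ServerManager -Prefix Srv01 | Out-Null
Get-Srv01WindowsFeature | Where-Object { $_.Installed } | Select-Object Name, DisplayName

Remove-PSSession -Session $s
```

Enter-PSSession -Session $s would drop you into the same persistent session interactively; the prefix on the imported commands makes it obvious in a transcript which machine a Get-Srv01WindowsFeature call actually ran on.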

Remote Administration Tools for Non-Administrators

In general, non-administrators should be given delegated rights plus the relevant MMC snap-ins (or RSAT) to administer servers, rather than Remote Desktop access, which gives them an interactive logon on the server itself.

Another method would be Telnet; Telnet suits low-bandwidth connections. Telnet Server can be configured by running tlntadmn.exe once the feature has been installed. Telnet has no transport encryption, so everything typed in the session crosses the network in clear text, and so do the credentials unless NTLM authentication is used; PowerShell remoting over WinRM is the better choice wherever it is available.


Creating websites in IIS 7 / 7.5 using PowerShell

Script available in GitHub here – https://github.com/heathen1878/InteractiveWebsiteCreation

The main reason I created this script was to cut the time it takes to create a website: creating the folder structure, the anonymous user account, the NTFS permissions and finally the IIS configuration.

The script end to end will:

  • Check whether IIS is installed
  • Check whether the web administration module is available
  • Prompt for a website / domain name, IP address, anonymous user account name and password and web root i.e. the drive letter where website folder structure should be created
  • Set the anonymous authentication mechanism of IIS to use the application pool identity
  • Create an anonymous user account for the site and application pool (there is the option to specify a pre-existing user account)
  • Create a folder structure
    • [drive letter]:\[domains]\
    • [drive letter]:\[domains]\[website name]
    • [drive letter]:\[domains]\[website name]\[wwwroot]
    • [drive letter]:\[domains]\[website name]\[logs]
  • Assign NTFS permissions to the folder structure created above
    • Set List contents on [drive letter]:\[domains]\[website name] for the anonymous user account
    • Set Read and Execute on [drive letter]:\[domains]\[website name]\wwwroot for the anonymous user account
  • Create an application pool within IIS
    • Configure the application pool process model identity
  • Create a website within IIS
    • Configure the website to use the application pool created above
    • Configure the website bindings (IP, port and host header(s))
    • Configure the website logging location

All the above steps are validated in some form by using

  • Regex
  • Web Administration snapin / module functionality
  • PowerShell cmdlets
  • Custom PowerShell functions

The following improvements are still needed (in my opinion):

  • Resetting the root drive permissions (one-time run) to remove all NTFS permissions except for Administrators and SYSTEM; this is done by a separate standalone PowerShell script
  • Configuring the W3C logging fields; I generally select date, time, client IP, server IP, URI stem, URI query, protocol status, bytes sent, bytes received, user agent, cookie and referrer.

An alternative way to set the logging fields is to run appcmd from an elevated command prompt (one line; the field list needs straight double quotes):

appcmd.exe set config -section:system.applicationHost/log /centralW3CLogFile.logExtFileFlags:"Date,Time,ClientIP,ServerIP,UriStem,UriQuery,HttpStatus,BytesSent,BytesRecv,UserAgent,Cookie,Referer" /commit:apphost

Note that centralW3CLogFile applies only when the server is set to central W3C logging (centralLogFileMode CentralW3C). With the default per-site logging, the same flags belong on siteDefaults.logFile.logExtFileFlags in the system.applicationHost/sites section, or on each site's own logFile element.
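As an added example (not the script from the GitHub repository above), the following PowerShell carries out the steps listed for the script and also sets the per-site W3C log fields from the improvements list. Assumptions: the site name www.example.com, drive D:, the account name web_example and the log field list are placeholders; the local account is created through the WinNT ADSI provider because Windows Server 2008 R2 has no New-LocalUser cmdlet. Run it from an elevated PowerShell on the IIS host.

```powershell
# Added example, not the repository's script. Placeholders: site name, drive, account, log fields.
Import-Module WebAdministration

$siteName  = 'www.example.com'      # also used as the app pool name and host header
$ipAddress = '*'                    # bind to all addresses; set a specific IP if required
$webRoot   = 'D:'                   # drive letter holding the \domains tree
$userName  = 'web_example'          # dedicated anonymous / application pool identity
$identity  = "$env:COMPUTERNAME\$userName"
$logFields = 'Date,Time,ClientIP,ServerIP,UriStem,UriQuery,HttpStatus,BytesSent,BytesRecv,UserAgent,Cookie,Referer'

# Password is read as a SecureString and only converted at the two points that need plain text.
$securePwd = Read-Host -Prompt "Password for $identity" -AsSecureString
$bstr      = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePwd)
$plainPwd  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 1. Folder structure: [drive]:\domains\[site]\wwwroot and \logs
$siteRoot = Join-Path "$webRoot\domains" $siteName
$wwwRoot  = Join-Path $siteRoot 'wwwroot'
$logDir   = Join-Path $siteRoot 'logs'
foreach ($dir in $siteRoot, $wwwRoot, $logDir) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
}

# 2. Dedicated local account, created only if it does not already exist (pre-existing accounts are reused).
if (-not [ADSI]::Exists("WinNT://$env:COMPUTERNAME/$userName,user")) {
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $user = $computer.Create('User', $userName)
    $user.SetPassword($plainPwd)
    $user.SetInfo()
}

# 3. NTFS: list-only on the site folder, read and execute below wwwroot, nothing on logs
#    (HTTP.sys writes the log files, so the site account needs no access there).
function Grant-NtfsRight($Path, $Identity, $Rights, $Inheritance) {
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, $Inheritance, 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
Grant-NtfsRight -Path $siteRoot -Identity $identity -Rights 'ListDirectory'   -Inheritance 'None'
Grant-NtfsRight -Path $wwwRoot  -Identity $identity -Rights 'ReadAndExecute' -Inheritance 'ContainerInherit, ObjectInherit'

# 4. Application pool running as the dedicated account (identityType 3 = SpecificUser),
#    so a compromise of this site does not run as the identity shared by other pools.
New-WebAppPool -Name $siteName | Out-Null
Set-ItemProperty "IIS:\AppPools\$siteName" -Name processModel -Value @{
    identityType = 3; userName = $identity; password = $plainPwd
}

# 5. Anonymous authentication uses the application pool identity (empty userName)
#    instead of the shared IUSR account; this is a server-wide setting in applicationHost.config.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter '/system.webServer/security/authentication/anonymousAuthentication' `
    -Name userName -Value ''

# 6. Site, bindings, and the per-site log location and W3C fields.
New-Website -Name $siteName -PhysicalPath $wwwRoot -ApplicationPool $siteName `
    -IPAddress $ipAddress -Port 80 -HostHeader $siteName | Out-Null
Set-ItemProperty "IIS:\Sites\$siteName" -Name logFile.directory       -Value $logDir
Set-ItemProperty "IIS:\Sites\$siteName" -Name logFile.logExtFileFlags -Value $logFields

$plainPwd = $null   # drop the clear-text copy once IIS has stored the credential
Get-Website -Name $siteName | Select-Object Name, State, PhysicalPath, ApplicationPool
```

Step 6 sets the fields on the site itself, which is what per-site logging reads; the appcmd command above only takes effect if the server has been switched to central W3C logging. Step 3 deliberately grants the account no write access anywhere under the site, so content can only be changed by an administrator.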