No They Did Not – IT Rant

An IT manager says training, such as OS server training, is not necessary because technology can be self-taught by reading online in an IT pro's spare time.

I believe training is the most important thing for any IT professional. The IT industry is knowledge-driven; IT professionals often maintain multiple certifications, including advanced credentials, and must embrace an attitude of lifelong learning to keep up with changing (and new) concepts, skills, and technologies.

Certifications, along with their associated preparation activities, are a great way to sharpen existing skills and take them to the next level. They’re also a good way to learn new skills in areas where you may have only limited hands-on experience.

The case of winrm that was configured properly but never worked

On 2 Win2012 R2 servers (not Core, not DCs, actually fresh installs with all patching done) on the same subnet, I have configured WinRM and PSRemoting, but I still cannot open a remote session.

I have tried:

winrm qc
Enable-psremoting
Winrm e winrm/config/listener
PS C:\Windows\system32> winrm e winrm/config/listener
Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.81.1.153, 127.0.0.1, ::1, fe80::5efe:10.81.1.153%13, fe80::f1f9:11cd:8c30:39a9%12

Telnet to 5985 OK

Get-pssessionconfiguration -> v4

Set-Item wsman:\localhost\Client\TrustedHosts -value  *

so when I try to identify the remote host or use etsn I get the following:

etsn
Connecting to remote server 10.81.1.153 failed with the following error message : The WinRM client cannot
process the request. Default authentication may be used with an IP address under the following conditions: the
transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use
winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more
information on how to set TrustedHosts run the following command: winrm help config. For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ etsn 10.81.1.153
+ ~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (10.81.1.153:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed



winrm id -r:10.81.1.152
WSManFault
    Message = The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set TrustedHosts run the following command: winrm help config.

Error number: -2144108101 0x803381BB
The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set TrustedHosts run the following command: winrm help config.

Even checking all settings

PS C:\Windows\system32> winrm get wmicimv2/Win32_Service?Name=WinRM
Win32_Service
    AcceptPause = false
    AcceptStop = true
    Caption = Windows Remote Management (WS-Management)
    CheckPoint = 0
    CreationClassName = Win32_Service
    Description = Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The WinRM Service needs to be configured with a listener using winrm.cmd command line tool or through Group Policy in order for it to listen over the network. The WinRM service provides access to WMI data and enables event collection. Event collection and subscription to events require that the service is running. WinRM messages use HTTP and HTTPS as transports. The WinRM service does not depend on IIS but is preconfigured to share a port with IIS on the same machine. The WinRM service reserves the /wsman URL prefix. To prevent conflicts with IIS, administrators should ensure that any websites hosted on IIS do not use the /wsman URL prefix.
    DesktopInteract = false
    DisplayName = Windows Remote Management (WS-Management)
    ErrorControl = Normal
    ExitCode = 0
    InstallDate = null
    Name = WinRM
    PathName = C:\Windows\System32\svchost.exe -k NetworkService
    ProcessId = 868
    ServiceSpecificExitCode = 0
    ServiceType = Share Process
    Started = true
    StartMode = Auto
    StartName = NT AUTHORITY\NetworkService
    State = Running
    Status = OK
    SystemCreationClassName = Win32_ComputerSystem
    SystemName = server
    TagId = 0
    WaitHint = 0

PS C:\Windows\system32> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = *
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = false
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = * [Source="GPO"]
        IPv6Filter = * [Source="GPO"]
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true [Source="GPO"]
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 10
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 25
        MaxMemoryPerShellMB = 1024
        MaxShellsPerUser = 30

Again, both servers (152 and 153) ping each other, nslookup forward and reverse lookups work fine, telnet to the WinRM port works, the WinRM services are up… only WinRM itself doesn't work.

I am running out of ideas, any suggestion is welcome…thanks!

From the 2 systems above, I am able to enter a PSSession to another fresh Windows 2012 install. Still, those 2 systems cannot accept sessions. Comparing the global configuration elements, the only difference is the listening IP in the listener settings. The rest is exactly the same: the GPO for WinRM works.

winrm get winrm/config - identical
winrm get winrm/config/client - identical
winrm get winrm/config/service - identical
winrm enumerate winrm/config/resource - identical
winrm enumerate winrm/config/listener - IPs are different
winrm enumerate winrm/config/plugin - identical
winrm enumerate winrm/config/service/certmapping - identical (Empty)

Test-WSMan from and to each server returns information without errors.

> Test-WSMan 10.81.1.153


wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor   : Microsoft Corporation
ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0



> Test-WSMan 10.81.1.152


wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor   : Microsoft Corporation
ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0

In fact, I never solved this. Nothing I tried worked, and all the WinRM/WSMan settings seemed proper.

I eventually used a fresh install from a newer build – SW_DVD9_Windows_Svr_Std_and_DataCtr_2012_R2_64Bit_English_-4_MLF_X19-82891 – and it seemed to solve the issue, with the same GPOs and default settings.

If you can think of anything, please let me know!
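The error text quoted above spells out the two cases in which the WinRM client will authenticate to a bare IP address: the transport is HTTPS, or the IP matches TrustedHosts and explicit credentials are supplied. It also warns that TrustedHosts entries are not authenticated, because that fallback uses NTLM rather than Kerberos. Connecting by hostname instead lets Kerberos mutually authenticate the server with no TrustedHosts entry at all. The PowerShell below is an added example and not code from the original post: it tries Kerberos by name first (resolving an IP through reverse DNS, which the post says works), and only then falls back to the IP with explicit credentials, adding that one host to TrustedHosts rather than *. Test-TrustedHostEntry, Connect-WinRmTarget and their parameters are names chosen here for illustration.

```powershell
# Added example (not from the original post). Function and parameter names are assumptions.

function Test-TrustedHostEntry {
    # Returns $true if $Target is covered by the WSMan TrustedHosts value in $Entry.
    # TrustedHosts is a comma-separated list; '*' matches everything, '*.corp.local' is a suffix wildcard.
    param([string]$Entry, [Parameter(Mandatory)][string]$Target)
    if ([string]::IsNullOrWhiteSpace($Entry)) { return $false }
    foreach ($item in ($Entry -split ',' | ForEach-Object { $_.Trim() })) {
        if ($item -eq '*') {
            Write-Warning 'TrustedHosts is "*": this client will send NTLM credentials to any host that answers on 5985.'
            return $true
        }
        if ($Target -like $item) { return $true }
    }
    return $false
}

function Connect-WinRmTarget {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Target,   # hostname, FQDN or IP address
        [pscredential]$Credential                 # needed only for the IP / NTLM fallback
    )

    $parsed = $null
    $isIp = [ipaddress]::TryParse($Target, [ref]$parsed)

    # 1. Preferred path: Kerberos by FQDN. No TrustedHosts entry needed, and the server is
    #    mutually authenticated. An IP is turned into a name through its PTR record.
    $name = $Target
    if ($isIp) {
        try   { $name = [System.Net.Dns]::GetHostEntry($Target).HostName }
        catch { $name = $null; Write-Verbose "No PTR record for $Target" }
    }
    if ($name) {
        try {
            $session = New-PSSession -ComputerName $name -Authentication Kerberos -ErrorAction Stop
            return [pscustomobject]@{ Target = $name; Auth = 'Kerberos'; Session = $session }
        } catch { Write-Verbose "Kerberos to $name failed: $($_.Exception.Message)" }
    }

    # 2. Fallback: IP address with explicit credentials. The error text requires BOTH a TrustedHosts
    #    match and -Credential; without the latter the client refuses even when TrustedHosts is '*'.
    if (-not $Credential) {
        throw "No Kerberos path to $Target. Pass -Credential for the TrustedHosts/NTLM fallback, or use an HTTPS listener (-UseSSL)."
    }
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    if (-not (Test-TrustedHostEntry -Entry $trusted -Target $Target)) {
        # Scope the entry to this one host instead of '*'; -Concatenate keeps existing entries.
        Set-Item WSMan:\localhost\Client\TrustedHosts -Value $Target -Concatenate -Force
    }
    $session = New-PSSession -ComputerName $Target -Credential $Credential -Authentication Negotiate -ErrorAction Stop
    [pscustomobject]@{ Target = $Target; Auth = 'Negotiate (NTLM)'; Session = $session }
}

# Usage, run on the client side:
#   $r = Connect-WinRmTarget -Target 10.81.1.153 -Credential (Get-Credential) -Verbose
#   Enter-PSSession -Session $r.Session
```

If the Kerberos branch succeeds, nothing about TrustedHosts matters; if only the fallback works, the returned Auth field makes it visible that the session is NTLM-authenticated and the server identity was not verified.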

WSUS on Windows Server 2012 Core from scratch

Core is always the way to do it.


I don't know anything about WSUS as I'm more of a ConfigMgr guy, but I wanted to evaluate a few things about WSUS, a.k.a. Update Services, on Windows Server 2012:

  • Can it run on a Core version?
  • Can it be managed on Core version?

The short answer is YES, it can run on a Core version, as it's a built-in role. YES, it can be managed on a Core version, but you should rather stick to Microsoft's piece of advice, "install it on Core, manage it from a Windows 8 box with RSAT" (Remote Server Administration Tools). If you don't have a Windows 8 box, you can also switch the server to the Minimal shell configuration, which will allow you to launch MMC-based snap-ins.

So here's my scenario. I want to build a VM running a Core version of Windows Server 2012, install Update Services, configure it and push updates…


PowerShell training (hands-on lab)

While looking for a concrete case for the hands-on exercises of a PowerShell training session I was giving to a few colleagues, I came across a gem.

The idea was so nice and stimulating that it seemed impossible not to share it with the French-speaking community.

I turned this exercise on managing power plans into a small illustrated cookbook of about thirty pages, available here.

Here is the code that accompanies this little cookbook. It is available at this link.

That's not all! A unique opportunity is open to you 😀
You can learn PowerShell DSC (Desired State Configuration) live on the Microsoft Virtual Academy on 25 and 26 February.
Jeffrey Snover and Jason Helmick are teaching these 2 courses.

To do so, you need:

  • a Microsoft account, which you can create at https://login.live.com/ ('create an account now', at the bottom) if you don't have one
  • to register for the 2 courses…


Compare AD group membership between 2 accounts

This document describes a script that compares 2 AD accounts in order to mirror group memberships from one onto the other.

Prerequisites
PowerShell script execution enabled
rights to modify AD accounts

The script

Param(
    $sourceacc, 
    $destacc, 
    [switch]$noconfirm 
) 
 
# Checks if both accounts are provided as an argument, otherwise prompts for input 
if (-not $sourceacc) { $sourceacc = read-host "Please input source user name, the user the rights will be read from" } 
if (-not $destacc) { $destacc = read-host "Please input destination user name, the user which will be added to the groups of the source user" } 
 
# Retrieves the group membership for both accounts 
$sourcemember = get-aduser -filter {samaccountname -eq $sourceacc} -property memberof | select memberof 
$destmember = get-aduser -filter {samaccountname -eq $destacc} -property memberof | select memberof 
 
# Checks if accounts have group membership, if no group membership is found for either account script will exit 
if ($sourcemember -eq $null) {"Source user not found";return} 
if ($destmember -eq $null) {"Destination user not found";return} 
 
# Checks for differences, if no differences are found script will prompt and exit 
if (-not (compare-object $destmember.memberof $sourcemember.memberof | where-object {$_.sideindicator -eq '=>'})) {write-host "No difference between $sourceacc & $destacc groupmembership found. $destacc will not be added to any additional groups.";return} 
 
# Routine that changes group membership and displays output to prompt 
compare-object $destmember.memberof $sourcemember.memberof | where-object {$_.sideindicator -eq '=>'} | 
    select -expand inputobject | foreach {write-host "$destacc will be added to:"([regex]::split($_,'^CN=|,OU=.+$'))[1]} 
 
# If no confirmation parameter is set no confirmation is required, otherwise script will prompt for confirmation 
if ($noconfirm)    { 
    compare-object $destmember.memberof $sourcemember.memberof | where-object {$_.sideindicator -eq '=>'} |  
        select -expand inputobject | foreach {add-adgroupmember "$_" $destacc} 
} 
 
else { 
    do{ 
        $UserInput = Read-Host "Are you sure you wish to add $destacc to these groups?`n[Y]es, [N]o or e[X]it" 
        if (("Y","yes","n","no","X","exit") -notcontains $UserInput) { 
            $UserInput = $null 
            Write-Warning "Please input correct value" 
        } 
        if (("X","exit","N","no") -contains $UserInput) { 
            Write-Host "No changes made, exiting..." 
            exit 
        }      
        if (("Y","yes") -contains $UserInput) { 
            compare-object $destmember.memberof $sourcemember.memberof | where-object {$_.sideindicator -eq '=>'} |  
                select -expand inputobject | foreach {add-adgroupmember "$_" $destacc} 
        } 
    } 
    until ($UserInput -ne $null) 
}

Using the script

load the ActiveDirectory module

Import-Module activedirectory

run the script

.\Compare-ADuserAddGroup.ps1
Please input source user name, the user the rights will be read from: user1
Please input destination user name, the user which will be added to the groups of the source user: user2
pruban will be added to: Group ABC 1
pruban will be added to: Group ABC 2
pruban will be added to: Group ABC 36dfa920
pruban will be added to: Group ABC 43
pruban will be added to: Group ABC 42
pruban will be added to: Group ABC 45
pruban will be added to: Group ABC 543
pruban will be added to: Group ABC 45
pruban will be added to: Group ABC 34

Are you sure you wish to add user2 to these groups?
[Y]es, [N]o or e[X]it: Y

source:http://gallery.technet.microsoft.com/scriptcenter/Compare-group-membership-36dfa920
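Cloning one account's memberships onto another is exactly how privilege creep and accidental admin grants happen: the script above copies every group the source is in, Domain Admins included, after a single Y. The PowerShell below is an added example, not the script from the post. It keeps the same "groups in source but not in destination" logic, but refuses to copy groups protected by AdminSDHolder (those with adminCount = 1), supports -WhatIf, and returns the list of groups it acted on so the run can be logged. Get-GroupDelta, Copy-ADGroupMembership, the adminCount rule and the sample DNs are choices made here for illustration.

```powershell
# Added example (not the script from the post). Function names and the sample DNs are assumptions.
# Get-GroupDelta is pure and runs offline; Copy-ADGroupMembership needs the ActiveDirectory module.

function Get-GroupDelta {
    # Groups present in $SourceGroups but missing from $DestGroups, minus any listed in $Protected.
    param(
        [string[]]$SourceGroups = @(),
        [string[]]$DestGroups   = @(),
        [string[]]$Protected    = @()
    )
    $cmp  = [StringComparer]::OrdinalIgnoreCase     # DNs are case-insensitive
    $have = [System.Collections.Generic.HashSet[string]]::new([string[]]@($DestGroups | Where-Object { $_ }), $cmp)
    $skip = [System.Collections.Generic.HashSet[string]]::new([string[]]@($Protected  | Where-Object { $_ }), $cmp)
    foreach ($dn in $SourceGroups) {
        if ($have.Contains($dn)) { continue }
        if ($skip.Contains($dn)) { Write-Warning "Not copying privileged group: $dn"; continue }
        $dn
    }
}

function Copy-ADGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SourceAcc,
        [Parameter(Mandatory)][string]$DestAcc
    )
    $src = Get-ADUser -Identity $SourceAcc -Properties memberOf
    $dst = Get-ADUser -Identity $DestAcc   -Properties memberOf
    # Groups under AdminSDHolder protection (Domain Admins, Account Operators, ...) carry adminCount=1.
    $protected = Get-ADGroup -LDAPFilter '(adminCount=1)' | Select-Object -ExpandProperty DistinguishedName
    $delta = @(Get-GroupDelta -SourceGroups $src.memberOf -DestGroups $dst.memberOf -Protected $protected)
    foreach ($dn in $delta) {
        if ($PSCmdlet.ShouldProcess($dn, "Add $DestAcc")) {
            Add-ADGroupMember -Identity $dn -Members $dst
        }
    }
    $delta    # what was added (or, with -WhatIf, would have been)
}

# Constructed sample, no domain needed: only 'Group ABC 2' comes back; Domain Admins is refused with a warning.
$sourceGroups = @(
    'CN=Group ABC 1,OU=Groups,DC=domain,DC=local',
    'CN=Group ABC 2,OU=Groups,DC=domain,DC=local',
    'CN=Domain Admins,CN=Users,DC=domain,DC=local'
)
$destGroups = @('CN=Group ABC 1,OU=Groups,DC=domain,DC=local')
$protected  = @('CN=Domain Admins,CN=Users,DC=domain,DC=local')
Get-GroupDelta -SourceGroups $sourceGroups -DestGroups $destGroups -Protected $protected

# Against a real domain: dry run first, then apply.
#   Copy-ADGroupMembership -SourceAcc user1 -DestAcc user2 -WhatIf
#   Copy-ADGroupMembership -SourceAcc user1 -DestAcc user2 | Out-File .\clone-user2.log
```

Keeping the diff in a function with no AD calls is what makes the privileged-group rule testable without a lab domain; the AdminSDHolder filter is a reasonable floor, not a complete list, so extend $protected with any tier-0 groups of your own.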

Configure and use the AD Recycle Bin

The AD Recycle Bin is a Directory Services feature introduced with Windows Server 2008 R2 (it requires the 2008 R2 forest functional level or higher). It lets you restore deleted objects without losing their attributes, which a tombstone reanimation with Sysinternals adrestore cannot do.

Enable the AD Recycle Bin

Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'domain.local'
WARNING: Enabling 'Recycle Bin Feature' on 'CN=Partitions,CN=Configuration,DC=domain,DC=local' is an irreversible action!
You will not be able to disable 'Recycle Bin Feature' on 'CN=Partitions,CN=Configuration,DC=domain,DC=local' if you proceed.

Confirm
Are you sure you want to perform this action?
Performing operation "Enable" on Target "Recycle Bin Feature".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):

Configure the Recycle Bin

Find the current retention value:

dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=domain,dc=local" -scope base -attr tombstonelifetime
tombstonelifetime
180

To change this value, use ADSI Edit (in the Configuration naming context, i.e. LDAP://DC.domain.local/Configuration), navigate to CN=Directory Service,CN=Windows NT,CN=Services and edit the tombstoneLifetime attribute. The time a recycled object stays restorable is actually governed by msDS-DeletedObjectLifetime on that same object; when it is not set (the default), it takes the tombstoneLifetime value, which is why tombstoneLifetime is queried here.

These objects are kept in a hidden container of the AD database. Since the whole point is to restore them, let's see how.

The objects' container is here:

Get-ADDomain | select DeletedObjectsContainer

DeletedObjectsContainer
-----------------------
CN=Deleted Objects,DC=domain,DC=local

List deleted objects
Use get-adobject with the -IncludeDeletedObjects parameter. The Name of a recycled object is its original name followed by a line feed and DEL:<objectGUID>, which is why Name displays over two lines below (the DN escapes that line feed as \0A).

get-adobject -filter 'objectclass -eq "user" -AND IsDeleted -eq $True' -IncludeDeletedObjects -properties IsDeleted,LastKnownParent

Deleted           : True
DistinguishedName : CN=zzz_user1\0ADEL:1a354486-8aeb-4f5f-8d72-33aab18125bf,CN=Deleted Objects,DC=domain,DC=local
IsDeleted         : True
LastKnownParent   : OU=Désactivés,OU=cie,DC=domain,DC=local
Name              : zzz_user1
                    DEL:1a354486-8aeb-4f5f-8d72-33aab18125bf
ObjectClass       : user
ObjectGUID        : 1a354486-8aeb-4f5f-8d72-33aab18125bf

You can also list one particular user by using the filter parameters

get-adobject -filter 'Name -like "*user2*" -AND IsDeleted -eq $True' -IncludeDeletedObjects -Properties samaccountname

Deleted           : True
DistinguishedName : CN=zzz_user2\0ADEL:3bea71e0-e5c0-41aa-9b18-85abaaff4667,CN=Deleted Objects,DC=domain,DC=local
Name              : zzz_user2
                    DEL:3bea71e0-e5c0-41aa-9b18-85abaaff4667
ObjectClass       : user
ObjectGUID        : 3bea71e0-e5c0-41aa-9b18-85abaaff4667
samaccountname    : user2

Restore a deleted object

Once the object has been found with get-adobject, restore-adobject can either do a dry run or restore it directly. Note that the filters below omit the IsDeleted -eq $True clause, so with -IncludeDeletedObjects they also match any live object whose name contains user2; keep the IsDeleted clause when piping into Restore-ADObject.

For a dry run, use -WhatIf

get-adobject -filter 'Name -like "*user2*"' -IncludeDeletedObjects | Restore-ADObject -WhatIf
What if: Performing the operation "Restore" on target "CN=zzz_user2\0ADEL:3bea71e0-e5c0-41aa-9b18-85abaaff4667,CN=Deleted Objects,DC=domain,DC=local".

To restore, use -PassThru (it returns the restored object)

get-adobject -filter 'Name -like "*user2*"' -IncludeDeletedObjects | Restore-ADObject -PassThru

DistinguishedName   Name                ObjectClass         ObjectGUID
-----------------   ----                -----------         ----------
cn=user2 ... zzz_user2 ... user                3bea71e0-e5c0-41...

Check that the account has been restored

get-aduser -filter 'Name -like "*user2*"'
DistinguishedName : CN=zzz_user2 Nicol,OU=Désactivés,OU=user,DC=domain,DC=local
Enabled           : False
GivenName         : zzz_user2
Name              : zzz_user2
ObjectClass       : user
ObjectGUID        : 3bea71e0-e5c0-41aa-9b18-85abaaff4667
SamAccountName    : user2
SID               : S-1-5-21-1069915444-1557172909-2421692447-1258
Surname           : user2
UserPrincipalName : user2@domain.local

If you do not want the objects restored to their original location, use the -TargetPath "DN path" option.
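The listing and restore steps above work one object at a time and assume the original parent OU still exists; Restore-ADObject fails when the parent was deleted too, which is the case -TargetPath is for. The PowerShell below is an added example, not code from the original post: it selects only recycled objects (IsDeleted) whose name matches and that were deleted recently, checks whether LastKnownParent is still there, and falls back to a caller-supplied OU when it is not, all behind -WhatIf. Restore-DeletedADObject and its parameters are names chosen here for illustration.

```powershell
# Added example (not from the original post). Function and parameter names are assumptions.
# Requires the ActiveDirectory module and an enabled Recycle Bin.

function Restore-DeletedADObject {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$NameLike,   # e.g. '*user2*'
        [string]$FallbackOU,                        # DN used only when LastKnownParent no longer exists
        [int]$DeletedWithinDays = 30                # ignore older recycled objects with the same name
    )
    $since = (Get-Date).AddDays(-$DeletedWithinDays)

    # IsDeleted is what separates recycled objects from live ones that happen to match the name.
    $deleted = Get-ADObject -Filter { IsDeleted -eq $true -and Name -like $NameLike -and whenChanged -ge $since } `
                            -IncludeDeletedObjects -Properties IsDeleted, LastKnownParent, whenChanged, objectClass |
               Sort-Object whenChanged -Descending

    if (-not $deleted) { Write-Warning "No recycled object matching '$NameLike' changed since $since"; return }

    foreach ($obj in $deleted) {
        $parent = $obj.LastKnownParent
        $parentExists = $true
        # Without -IncludeDeletedObjects this lookup fails for a parent OU that was deleted too.
        try { $null = Get-ADObject -Identity $parent -ErrorAction Stop } catch { $parentExists = $false }

        $splat = @{ PassThru = $true }
        if (-not $parentExists) {
            if (-not $FallbackOU) {
                # A deleted OU must be restored before its children, or a TargetPath must be supplied.
                Write-Warning "Parent '$parent' of '$($obj.Name)' is gone; restore it first or pass -FallbackOU"
                continue
            }
            $splat.TargetPath = $FallbackOU
        }
        $dest = if ($parentExists) { $parent } else { $FallbackOU }
        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "Restore $($obj.objectClass) to $dest")) {
            $obj | Restore-ADObject @splat
        }
    }
}

# Usage: dry run first, then restore. The restored account keeps its SID, its group memberships
# and its pre-deletion state (Enabled = False in the post), so review those before re-enabling it.
#   Restore-DeletedADObject -NameLike '*user2*' -WhatIf
#   Restore-DeletedADObject -NameLike '*user2*' -FallbackOU 'OU=Désactivés,OU=user,DC=domain,DC=local'
```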

HP/Comware IRF Configuration

This client is updating its HP-based network infrastructure from the ProCurve line to the Comware line (HP E-series, is it? oh well, let's call it Comware!). To be more accurate, it is going to be a mix between the cheaper ProCurve series and the E series.

I am reusing the content summarized here.
IRF (Intelligent Resilient Framework) is a (Comware) HP technology that allows multiple switches to act as a stacked switch, without the requirement of any special stacking modules or cables.
Switches that are interconnected with IRF allow for a simplified topology and management, multi-switch link aggregation, and 1:N redundancy to protect against switch failure.

Let's start with the configuration of the new core, made up of 2 HP Comware 5500 switches. I suppose there will be more to follow as I configure them.

!When you begin configuring IRF, the switches should NOT be cabled together!

Switch Assignment

By default, all switches out of the box are numbered as switch 1 in relation to IRF. To configure IRF, each switch needs its own member number. This is done with the following commands.

system-view
irf member 1 renumber 2
save
quit
reboot

We first enter system-view, which allows configuration of the switch. The second command renumbers the switch to member number two. Repeat this step for any additional switches, incrementing the member number each time. We then save the configuration and reboot. Renumbering does NOT take effect until the switch has been rebooted.

Stacking Switches

We now need to choose the ports to connect the switches with. Here I am creating a 20 Gb/s IRF link out of two 10 GbE ports, ten 1/1/1 and ten 1/1/2.
On Switch 1

system-view
int ten 1/1/1
shut
int ten 1/1/2
shut
quit

irf-port 1/1
port group int ten 1/1/1
quit

irf-port 1/2
port group int ten 1/1/2
quit

int ten 1/1/1
undo shut
int ten 1/1/2
undo shut
quit

save

irf-port-configuration active

Switch 2

system-view
int ten 2/1/1
shut
int ten 2/1/2
shut
quit

irf-port 2/1
port group int ten 2/1/1
quit

irf-port 2/2
port group int ten 2/1/2
quit

int ten 2/1/1
undo shut
int ten 2/1/2
undo shut
quit

save

irf-port-configuration active

The slave switch then restarts!

The first thing that needs to be done is to shut down the interfaces we want to add to the IRF group. Next we create the IRF ports. Each interface is assigned to an IRF port; you can assign one interface per IRF port, or several interfaces per IRF port for even more redundancy. Once all ports have been assigned to an IRF port, we enable the interfaces again, save the configuration, and use the irf-port-configuration active command to activate the new IRF configuration.

Notice that on switch 2, the interfaces now begin with 2 instead of 1. This is based on the switch number we chose when we renumbered the switch in the first phase.

Cabling/Connecting

When connecting the switches after configuration, you must connect the interfaces in IRF port 1 on the first switch to the interfaces in IRF port 2 on the second switch. This is critical: if you connect IRF port 1 to IRF port 1 on the second switch, IRF will not function.

Additional information and more detailed configuration information can be found in the IRF Configuration Guide.

Verify the configuration

Just a couple of commands to help visualize the setup from the CLI

>dis irf
Switch  Role    Priority  CPU-Mac         Description
*+1     Master  1         7848-5952-8fbb  TT-SWCR-1-Master
  2     Slave   1         7848-5962-15c3  -----
--------------------------------------------------

* indicates the device is the master.
+ indicates the device through which the user logs in.

The Bridge MAC of the IRF is: 7848-5952-8f88
Auto upgrade   : yes
Mac persistent : 6 min
Domain ID      : 0

>dis irf configuration
MemberID  NewID  IRF-Port1                 IRF-Port2
1         1      Ten-GigabitEthernet1/1/1  Ten-GigabitEthernet1/1/2
2         2      Ten-GigabitEthernet2/1/1  Ten-GigabitEthernet2/1/2

>dis irf topology
Topology Info
-------------------------------------------------------------------------
             IRF-Port1              IRF-Port2
Switch   Link     neighbor     Link     neighbor     Belong To
1        UP       2            UP       2            7848-5952-8fbb
2        UP       1            UP       1            7848-5952-8fbb

>dis irf-port load-sharing mode irf-port
irf-port1/1 Load-Sharing Mode:
Layer 2 traffic: packet type-based sharing
Layer 3 traffic: packet type-based sharing

irf-port1/2 Load-Sharing Mode:
Layer 2 traffic: packet type-based sharing
Layer 3 traffic: packet type-based sharing

irf-port2/1 Load-Sharing Mode:
Layer 2 traffic: packet type-based sharing
Layer 3 traffic: packet type-based sharing

irf-port2/2 Load-Sharing Mode:
Layer 2 traffic: packet type-based sharing
Layer 3 traffic: packet type-based sharing

While the stack now acts as one switch, you can still connect to the slave using this command:

irf switch-to member #