December 2008 - Posts

PowerShell User Group 2009

Two meetings are planned for early 2009.

January 21st – Microsoft Reading

- Webcast with Jeffrey Snover

February 10th – Microsoft Cardinal Place London

- After the Powershell event in the afternoon

- Jonathan Noble will be speaking

More details on both events to follow.

Happy New Year to everyone in PowerShell land.

CTP3 – Write-EventLog

The last of the new event log cmdlets is Write-EventLog.  I showed how to write to the event log here http://richardsiddaway.spaces.live.com/blog/cns!43CFA46A74CF3E96!275.entry.  That approach is still valid for PowerShell v1 or v2.  In v2 we can make life a bit simpler by using Write-EventLog.  Like the other EventLog cmdlets it only works with the classic event logs, and it has a -ComputerName parameter so you can write to logs on remote machines.

To write an entry into the log:

Write-EventLog -LogName Scripts -Source PSscripts -Message "Test from write-eventlog" `
    -EntryType Information -EventId 1111

We need to give the log name and a source.  If you aren't sure about the sources available for a log, use the script in the previous post to discover them.  A message and an entry type must be given, along with an event id (which can be arbitrary in your own log).

The entry can be viewed with Get-EventLog.

That finishes our look at event logs in CTP3. Next time we will start looking at another aspect of CTP3.

CTP3 – New-EventLog

I have shown how to create an event log using simple .NET code a couple of times, including http://richardsiddaway.spaces.live.com/blog/cns!43CFA46A74CF3E96!278.entry.  CTP3 brings us a cmdlet that we can use to perform this task.

New-EventLog is used as follows.

New-EventLog -LogName TestLog -Source TestSource

All we provide is the name of the log and a Source to register.  A source is a handle (or route) that applications use to write to the event log.  We can view the details of our event log.

PS> Get-EventLog -List

  Max(K) Retain OverflowAction        Entries Name
  ------ ------ --------------        ------- ----
  25,600      0 OverwriteAsNeeded         156 Application
  15,168      0 OverwriteAsNeeded           0 DFS Replication
  20,480      0 OverwriteAsNeeded           0 HardwareEvents
     512      7 OverwriteOlder              0 Internet Explorer
  20,480      0 OverwriteAsNeeded           0 Key Management Service
  16,384      0 OverwriteAsNeeded           0 ODiag
  16,384      0 OverwriteAsNeeded       1,106 OSession
   2,048      9 OverwriteOlder              2 Scripts
  20,480      0 OverwriteAsNeeded         296 Security
  20,480      0 OverwriteAsNeeded         573 System
     512      7 OverwriteOlder              0 TestLog
  15,360      0 OverwriteAsNeeded         908 Windows PowerShell

Note the default size, retention days and Overflow action.

One question that arises is how we view the sources registered for an event log.  The following script will do this.  It's interesting to run this against the Application log!

param ([string]$log)
# Clear the screen and show which log we are querying
Clear-Host
Write-Host $log -ForegroundColor Green
# Build a WQL filter for the named log and list the sources registered against it
$filt = "LogFileName = '" + $log + "'"
Get-WmiObject -Class Win32_NTEventLogFile -Filter $filt | Select-Object -ExpandProperty Sources

If you want to be able to control how applications write to a log then we can add a source for a particular application.

New-EventLog -LogName TestLog -Source "Source2"

Exactly the same as before but because the log exists we just create a new source.

PowerGUI – PowerShell Help

I have mentioned PowerGUI many times – I especially like the editor.  There is a large, and growing, library of PowerGUI powerpacks (additional functionality) available for download from www.powergui.org.

I have just added the PowerShell Help powerpack to my system.  Written by Kirk Munro (PowerShell MVP) it gives many views into the PowerShell help system.  I may even drop my own help utility in favour of using this. It can be downloaded from http://www.powergui.org/entry.jspa?externalID=801&categoryID=55 - highly recommended.

CTP3 – Remove-EventLog

Remove-EventLog is a new cmdlet in CTP3.  It brings the following parameters:

ComputerName
LogName
Source
Verbose
Debug
ErrorAction
WarningAction
ErrorVariable
WarningVariable
OutVariable
OutBuffer
WhatIf
Confirm

The Source is how applications write to the event log – it is possible to just remove one or more sources rather than the whole event log.

To remove an event log

Remove-EventLog -LogName test23

Assuming you have the correct privileges the removal happens.  This is one cmdlet where I would very strongly recommend using the -WhatIf and -Confirm parameters.

CTP3 – Clear-EventLog

Continuing our tour around the event log cmdlets we come to Clear-EventLog.  This does exactly what it says: it clears the entries out of one or more logs. Note that it does not back up the entries in any way; it is just a clear.

We can clear a single log

Clear-EventLog -LogName "Windows PowerShell"

or we can work with multiple logs – for instance based on the number of records

Get-EventLog -List | Where-Object {$_.Entries.Count -gt 5000} | ForEach-Object {Clear-EventLog -LogName $_.Log}

We need administrator access on Vista and later. The usual -WhatIf and -Confirm parameters are available.  This cmdlet also has a -ComputerName parameter for working with remote machines.
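Because Clear-EventLog makes no backup, the usual practice is to export the entries first and clear only once the export is on disk. The script below is an added example and not code from the original post; the backup folder, the default log list and the entry threshold are assumptions.

```powershell
# Added example: export a classic log's entries before clearing it.
# Assumes the CTP3 event log cmdlets and an elevated (Run as Administrator) prompt.
param (
    [string[]]$LogName = @("Windows PowerShell"),   # assumed list of logs to process
    [string]$BackupFolder = "C:\EventLogBackups",   # assumed backup location
    [int]$MinimumEntries = 5000                     # leave smaller logs alone
)

if (-not (Test-Path $BackupFolder)) {
    New-Item -Path $BackupFolder -ItemType Directory | Out-Null
}

foreach ($name in $LogName) {
    $log = Get-EventLog -List | Where-Object { $_.Log -eq $name }
    if (-not $log) {
        Write-Warning "Log '$name' not found"
        continue
    }
    if ($log.Entries.Count -lt $MinimumEntries) {
        Write-Host "$name has $($log.Entries.Count) entries - leaving it alone"
        continue
    }

    # Timestamped file name so repeated runs never overwrite an earlier backup
    $stamp = Get-Date -Format "yyyyMMdd-HHmmss"
    $safeName = $name -replace '[\\/: ]', '_'
    $file = Join-Path $BackupFolder ("{0}-{1}.xml" -f $safeName, $stamp)

    # Export-Clixml keeps the entry objects (time, source, id, message) intact
    Get-EventLog -LogName $name | Export-Clixml -Path $file

    # Clear only once the backup file exists and is not empty
    if ((Test-Path $file) -and ((Get-Item $file).Length -gt 0)) {
        # Clearing the Security log on Vista and later records its own audit
        # entry (event 1102), so the gap in the log is itself accounted for
        Clear-EventLog -LogName $name -Confirm
        Write-Host "Backed up $name to $file and cleared it"
    } else {
        Write-Warning "Backup of $name failed - $name was NOT cleared"
    }
}
```

The exported file can be read back with Import-Clixml should the entries be needed later.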

CTP3 – Limit-EventLog

If we look at the event logs that are present on our system we will see how the logs are configured in terms of maximum size, retention days and the action to take in the event of the log becoming full (overflow).

PS> Get-EventLog -List

  Max(K) Retain OverflowAction        Entries Name
  ------ ------ --------------        ------- ----
  25,600      0 OverwriteAsNeeded       8,871 Application
  15,168      0 OverwriteAsNeeded           0 DFS Replication
  20,480      0 OverwriteAsNeeded           0 HardwareEvents
     512      7 OverwriteOlder              0 Internet Explorer
  20,480      0 OverwriteAsNeeded           0 Key Management Service
  16,384      0 OverwriteAsNeeded           0 ODiag
  16,384      0 OverwriteAsNeeded       1,083 OSession
     512      7 OverwriteOlder              2 Scripts
                                              Security
  20,480      0 OverwriteAsNeeded      38,517 System
     512      7 OverwriteOlder              0 test23
  15,360      0 OverwriteAsNeeded       1,000 Windows PowerShell

We can use the Limit-EventLog cmdlet to control these settings.

Limit-EventLog -LogName Scripts -MaximumSize 2mb -RetentionDays 9 -OverflowAction OverWriteOlder

Note that the maximum size is translated to KB (and must be divisible by 64KB).  The overflow actions are limited to

  • DoNotOverwrite
  • OverwriteAsNeeded
  • OverwriteOlder

This cmdlet has a -ComputerName parameter so we can work remotely; there are also -WhatIf and -Confirm parameters.  Remember the need for Administrator privileges to make the changes.
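A practical use of these settings is to check the logs on a machine against a baseline and correct any drift, which is what the added script below does (it is not code from the original post). The baseline values, the log list and the -Apply switch are assumptions; the script respects the 64KB rule and only passes -RetentionDays together with OverwriteOlder.

```powershell
# Added example: compare each classic log's settings with a baseline and
# report drift; with -Apply, show what Limit-EventLog would change (-WhatIf).
# The baseline values and the -Apply switch are assumptions for this example.
param ([switch]$Apply)

# Baseline per log: size in KB (must be a multiple of 64), overflow action and,
# for OverwriteOlder only, the retention days
$baseline = @{
    "Security"           = @{ SizeKB = 131072; Overflow = "OverwriteAsNeeded" }
    "System"             = @{ SizeKB = 32768;  Overflow = "OverwriteAsNeeded" }
    "Application"        = @{ SizeKB = 32768;  Overflow = "OverwriteAsNeeded" }
    "Windows PowerShell" = @{ SizeKB = 16384;  Overflow = "OverwriteAsNeeded" }
    "Scripts"            = @{ SizeKB = 2048;   Overflow = "OverwriteOlder"; Retain = 9 }
}

foreach ($name in $baseline.Keys) {
    $want = $baseline[$name]
    if (($want.SizeKB % 64) -ne 0) {
        Write-Warning "Baseline size for $name is not a multiple of 64KB - skipping"
        continue
    }
    $log = Get-EventLog -List | Where-Object { $_.Log -eq $name }
    if (-not $log) { Write-Warning "Log $name not present on this machine"; continue }

    # These properties are the Max(K), Retain and OverflowAction columns of Get-EventLog -List
    $issues = @()
    if ($log.MaximumKilobytes -lt $want.SizeKB) {
        $issues += "size $($log.MaximumKilobytes)KB is below $($want.SizeKB)KB"
    }
    if ("$($log.OverflowAction)" -ne $want.Overflow) {
        $issues += "overflow action is $($log.OverflowAction), want $($want.Overflow)"
    }
    if ($want.Overflow -eq "OverwriteOlder" -and $log.MinimumRetentionDays -ne $want.Retain) {
        $issues += "retention is $($log.MinimumRetentionDays) days, want $($want.Retain)"
    }

    if ($issues.Count -eq 0) { Write-Host "$name OK" -ForegroundColor Green; continue }
    Write-Host "$name drifted: $($issues -join '; ')" -ForegroundColor Yellow

    if ($Apply) {
        # -WhatIf shows the change without making it; remove it once happy with the report
        if ($want.Overflow -eq "OverwriteOlder") {
            Limit-EventLog -LogName $name -MaximumSize ($want.SizeKB * 1KB) `
                -OverflowAction OverwriteOlder -RetentionDays $want.Retain -WhatIf
        } else {
            Limit-EventLog -LogName $name -MaximumSize ($want.SizeKB * 1KB) `
                -OverflowAction $want.Overflow -WhatIf
        }
    }
}
```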

CTP3 – Show-EventLog

Show-EventLog is a very straightforward cmdlet with a minimum of parameters.  Outside of the common parameters it can only take a computer name.  As the name says, the cmdlet opens Event Viewer on the local or remote machine (remember the need for admin privileges on Vista and later, so start PowerShell using Run as Administrator).  The -ComputerName parameter accepts a name, an IP address or a FQDN.

Show-EventLog -ComputerName pcrs2
Show-EventLog -ComputerName 192.168.86.17
Show-EventLog -ComputerName pcrs2.somedomain.com

The PowerShell prompt is returned as soon as event viewer is opened.

CTP3 – Get-EventLog

No doubt there will be a mass of posts on the new features in CTP3 over the next weeks and months.  What I want to try and do is concentrate on those features that are of most benefit to administrators. I am going to start with functionality to work with event logs.  I have blogged a number of times about writing scripts to go beyond the get-eventlog of PowerShell version 1 – most of that functionality is now available as cmdlets.  We now have a number of cmdlets for working with event logs:

Clear-EventLog
Get-EventLog
Limit-EventLog
New-EventLog
Remove-EventLog
Show-EventLog
Write-EventLog

We’ll start by looking at what is new in get-eventlog and then look at the others.  Get-Eventlog brings a bunch of new parameters:

* LogName
ComputerName
* Newest
After
Before
UserName
InstanceId
Index
EntryType
Source
Message
AsBaseObject
* List
* AsString

Parameters marked * are present in PowerShell v1

Note: I have deliberately left off the common parameters (-Verbose etc.).

One of the most obvious additions is the computername parameter – we can now work with logs on remote computers.  We don’t need PowerShell remoting enabled for this.

Get-EventLog -List -ComputerName pcrs2

-After and -Before allow us to view the log between two time bounds:

$d1 = (Get-Date).AddDays(-5)
$d2 = (Get-Date).AddDays(-2)
Get-EventLog -LogName system -After $d1 -Before $d2

-Index enables us to access a particular entry.  -InstanceId means we can pick out a particular type of entry; note that the instance id is not necessarily the same as the event id.

Using -EntryType means we can select by the type of entry, i.e.

Error
Warning
Information
SuccessAudit
FailureAudit

such as

Get-EventLog -LogName system -EntryType Error

With the -Source parameter we can filter based on the source used to write to the event log, and -Message allows us to select based on the message contents.

These new parameters enable us to interrogate the event logs in a much simpler manner.  All of this can be performed in V1, but there we need to pipe into Where-Object to perform the filtering; now we can do it in one pass in the cmdlet.  Add this to the capability of accessing the logs on remote computers and we can really start to integrate the data across our server logs: for instance we can easily check the logs on a number of domain controllers for logins in a certain time frame.
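The closing point, checking several domain controllers for logons in a time window, looks like the added script below (not code from the original post). The domain controller names and the 24 hour default window are assumptions; event ids 4624 and 4625 are the Security log's logon success and failure entries on Vista and Windows 2008.

```powershell
# Added example: collect logon audit events from several domain controllers for
# one time window and summarise failures per account. The DC names and the window
# are assumptions; 4624/4625 are the logon success/failure ids on Vista and 2008.
param (
    [string[]]$DomainControllers = @("dc01", "dc02"),   # assumed DC names
    [datetime]$After  = (Get-Date).AddHours(-24),
    [datetime]$Before = (Get-Date)
)

# Event id -> outcome label
$logonIds = @{ 4624 = "Success"; 4625 = "Failure" }

$results = @()
foreach ($dc in $DomainControllers) {
    # All filtering is done by the cmdlet: remote log, time bounds and audit entry types
    try {
        $entries = Get-EventLog -ComputerName $dc -LogName Security -After $After -Before $Before `
                                -EntryType SuccessAudit, FailureAudit -ErrorAction Stop
    } catch {
        Write-Warning "Could not read the Security log on $dc : $($_.Exception.Message)"
        continue
    }

    foreach ($e in $entries) {
        if (-not $logonIds.ContainsKey($e.EventID)) { continue }
        # For 4624/4625 the target account name is insertion string 5 (assumed
        # index; fall back to the entry's UserName property if it is missing)
        $account = $e.UserName
        if ($e.ReplacementStrings.Count -gt 5) { $account = $e.ReplacementStrings[5] }

        $o = New-Object -TypeName psobject
        $o | Add-Member -MemberType NoteProperty -Name DC      -Value $dc
        $o | Add-Member -MemberType NoteProperty -Name Time    -Value $e.TimeGenerated
        $o | Add-Member -MemberType NoteProperty -Name EventID -Value $e.EventID
        $o | Add-Member -MemberType NoteProperty -Name Result  -Value $logonIds[$e.EventID]
        $o | Add-Member -MemberType NoteProperty -Name Account -Value $account
        $results += $o
    }
}

# Failures grouped by DC and account make lockout storms and broken service
# accounts stand out; the full timeline follows for context
$results | Where-Object { $_.Result -eq "Failure" } |
    Group-Object DC, Account | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

$results | Sort-Object Time | Format-Table DC, Time, EventID, Result, Account -AutoSize
```

Reading the Security log remotely needs the same administrator rights the other posts mention, so run it from an elevated prompt with an account that can read the logs on each DC.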

Sites and SiteLinks

In my series on System.DirectoryServices.ActiveDirectory I was going to cover creating sites and sitelinks – Rolf has just covered this material so I will point you there instead.

http://www.powershell-ag.de/ps/Blog/tabid/73/EntryID/1123/Default.aspx

Problem

Looks like there is a problem with my main blog on Spaces.Live.com.   I am trying to find out what has happened to it.  Hopefully normal service will be resumed soon.

Early Christmas present – PowerShell CTP3

Like all good boys and girls I make sure I’m asleep nice and early on Christmas Eve so Father Christmas isn’t disturbed on his rounds.  This year his alarm clock must have gone off early as he delivered a present overnight – PowerShell V2 CTP3 has arrived!!!!

It can be downloaded from

http://www.microsoft.com/downloads/details.aspx?familyid=c913aeab-d7b4-4bb1-a958-ee6d7fe307bc&displaylang=en&tm

If you want to try the remoting features (or the background jobs) you will need to download Win-RM CTP3 from

https://connect.microsoft.com/Downloads/Downloads.aspx?SiteID=200

Note:   Win-RM CTP3 only works on Vista SP1 and Windows 2008

Enjoy

S.DS.AD - SiteLinks

SiteLinks are used to control replication between Active Directory sites.  We have already seen how to find the current site and how to view the domain controllers in that site.  How do we know which sites our site is replicating with?  Follow the site links.

$site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
$site.SiteLinks

For each sitelink we will see

Name                         : DEFAULTIPSITELINK
TransportType                : Rpc
Sites                        : {Site1, Default-First-Site-Name}
Cost                         : 100
ReplicationInterval          : 03:00:00
ReciprocalReplicationEnabled : False
NotificationEnabled          : False
DataCompressionEnabled       : True
InterSiteReplicationSchedule :

The replication interval is shown as HH:MM:SS. We will discover how to set this using PowerShell later.

S.DS.AD - sites

Sites are the foundation of the physical topology of Active Directory. While a lot has been posted about working with users and groups, i.e. the data in Active Directory, there hasn't been as much posted about working with the physical structure.

System.DirectoryServices.ActiveDirectory.ActiveDirectorySite gives us one way to access the site information.

Finding the site our computer is in just needs us to use a static method

$site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()

This has a number of interesting properties

AdjacentSites
BridgeheadServers
Domains
InterSiteTopologyGenerator
IntraSiteReplicationSchedule
Location
Name
Options
PreferredRpcBridgeheadServers
PreferredSmtpBridgeheadServers
Servers
SiteLinks
Subnets

The servers property lists our domain controllers in the site. If we want to find which domain controllers in our site are also global catalog servers

$site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
$site.Servers | Format-Table Name, Domain, @{Label="GC";Expression={$_.IsGlobalCatalog()}} -auto

We take the servers property and use a format-table to display the machine name, the domain (sites are defined at the forest level and can contain multiple domains) and then use a calculated field to determine if a DC is a GC.

S.DS.AD – netlogon service 2

Last time I said that I wanted to improve the way the data was displayed when we interrogated the netlogon service on our domain controllers. One way we could do it is to use Add-Member to add the data to an object

$a = @()
$type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
$context = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $type, "manticore.org"
$dcs = [System.DirectoryServices.ActiveDirectory.DomainController]::FindAll($context)
foreach ($dc in $dcs){
    $s = Get-Service -ComputerName $dc.Name -Name netlogon
    $o = New-Object -TypeName psobject
    $o | Add-Member -MemberType Noteproperty  -Name Name -Value $dc.Name -Force
    $o | Add-Member -MemberType NoteProperty  -Name Status -Value $s.Status -Force
    $a += $o
}
$a | Format-Table -AutoSize

Start by creating an empty array.  We then get our domain controllers as before and iterate through them.  For each one we create a new object, in this case a PowerShell object, and use Add-Member to add the properties to it.  The object is then added to the array.

This technique could be extended to add any number of properties including the current time on the DC that we looked at previously or the status of other services or the replication status.

Format-Table is used to display the data.

A useful technique for pulling data together from multiple objects.

S.DS.AD – netlogon service

The netlogon service has to be running on your domain controller for authentication to work and for the Active Directory connectivity to happen.  How can we check that this is running on all of our DCs?

$type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
$context = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $type, "manticore.org"
$dcs = [System.DirectoryServices.ActiveDirectory.DomainController]::FindAll($context)
foreach ($dc in $dcs){
    $s = Get-Service -ComputerName $dc.Name -Name netlogon
    # $($dc.Name) is needed so the Name property is expanded inside the string
    Write-Host "$($dc.Name)   the netlogon service is $($s.Status)"
}

Get all of the domain controllers in the domain as before.  We then loop through them, using Get-Service to test the service on each machine.

The output is a bit messy so next time we'll look at tidying that up.

S.DS.AD - Replication

We can use what we have learnt about domain controllers to examine the replication between them.

$type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
$context = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $type, "manticore.org"
$dcs = [System.DirectoryServices.ActiveDirectory.DomainController]::FindAll($context)
foreach ($dc in $dcs){
    $dc.Name
    $dc.GetAllReplicationNeighbors() | Format-List PartitionName, SourceServer, LastAttemptedSync, LastSyncMessage
}

We derive our list of domain controllers as previously.  This time, though, we iterate through the list of domain controllers. For each domain controller we get the replication partners and then display the partitions that are being replicated, the source server, the last time synchronisation was attempted and the message. If the message reads anything but "The operation completed successfully." then you need to investigate.
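Rather than reading every neighbour by eye, the added script below (not code from the original post) reports only the partnerships whose last sync failed or that have consecutive failures, using LastSyncResult rather than the message text so it does not depend on the system language. The domain name is an assumption.

```powershell
# Added example: list only the replication partnerships that are failing.
# The domain name is an assumption; LastSyncResult is the Win32 error code
# from the last attempt, so 0 means the sync succeeded.
param ([string]$Domain = "manticore.org")

$type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
$context = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $type, $Domain
$dcs = [System.DirectoryServices.ActiveDirectory.DomainController]::FindAll($context)

$problems = @()
foreach ($dc in $dcs) {
    # A DC we cannot query is itself a finding, not something to skip silently
    try {
        $neighbors = $dc.GetAllReplicationNeighbors()
    } catch {
        Write-Warning "$($dc.Name): $($_.Exception.Message)"
        continue
    }

    foreach ($n in $neighbors) {
        $ok = ($n.LastSyncResult -eq 0) -and ($n.ConsecutiveFailureCount -eq 0)
        if ($ok) { continue }

        # Keep the message for the report, but do not rely on its wording for the decision
        $o = New-Object -TypeName psobject
        $o | Add-Member -MemberType NoteProperty -Name DC        -Value $dc.Name
        $o | Add-Member -MemberType NoteProperty -Name Partition -Value $n.PartitionName
        $o | Add-Member -MemberType NoteProperty -Name Source    -Value $n.SourceServer
        $o | Add-Member -MemberType NoteProperty -Name Failures  -Value $n.ConsecutiveFailureCount
        $o | Add-Member -MemberType NoteProperty -Name LastOK    -Value $n.LastSuccessfulSync
        $o | Add-Member -MemberType NoteProperty -Name Message   -Value $n.LastSyncMessage
        $problems += $o
    }
}

if ($problems.Count -eq 0) {
    Write-Host "All replication partnerships report success" -ForegroundColor Green
} else {
    $problems | Sort-Object Failures -Descending | Format-Table -AutoSize
}
```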

S.DS.AD – Domain Controllers

We saw one method of accessing domain controllers when we were looking at the domain class - http://richardsiddaway.spaces.live.com/blog/cns!43CFA46A74CF3E96!1932.entry

If we want to work directly with a domain controller we can create an object for the domain controller like this

$type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::DirectoryServer
$context = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $type, "DC02.Manticore.org"
$dc = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($context)
$dc

In a similar way to working with a forest (or a domain, though I didn't list it) we set the context by defining the object type, in this case a directory server, i.e. a domain controller, and the FQDN of the domain controller. We then use the GetDomainController static method of the DomainController class; notice we are using a lot of static methods in these examples.

Things we can do with domain controllers include

CheckReplicationConsistency
EnableGlobalCatalog
GetAllReplicationNeighbors
GetDirectoryEntry
GetDirectorySearcher
GetHashCode
GetReplicationConnectionFailures
GetReplicationCursors
GetReplicationMetadata
GetReplicationNeighbors
GetReplicationOperationInformation
IsGlobalCatalog
MoveToAnotherSite
SeizeRoleOwnership
SyncReplicaFromAllServers
SyncReplicaFromServer
TransferRoleOwnership
TriggerSyncReplicaFromNeighbors

Some of these don’t work in Windows 2008 especially the TransferRoleOwnership method.

The domain controller class has a number of interesting properties including

CurrentTime
Domain
Forest
HighestCommittedUsn
InboundConnections
IPAddress
Name
OSVersion
OutboundConnections
Partitions
Roles
SiteName
SyncFromAllServersCallback

The CurrentTime property allows us to check for time issues; remember that Kerberos doesn't like time differences between machines that are greater than a defined limit, 5 minutes by default.  Let's see how we can check this.

$type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
$context = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $type, "manticore.org"
[System.DirectoryServices.ActiveDirectory.DomainController]::FindAll($context) | Format-Table Name, CurrentTime

Create the context for the domain and then use the FindAll() static method of the DomainController class. We can then pipe that into a Format-Table that displays the DC name and its current time.
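Displaying the times still leaves the reader to do the arithmetic; the added script below (not code from the original post) computes the spread between the DC clocks and warns when it exceeds the Kerberos tolerance. The domain name and the -ToleranceMinutes parameter are assumptions.

```powershell
# Added example: measure the clock spread between domain controllers and flag
# any pair further apart than the Kerberos tolerance (5 minutes by default).
# Domain name and the tolerance parameter are assumptions.
param (
    [string]$Domain = "manticore.org",
    [int]$ToleranceMinutes = 5
)

$type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
$context = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $type, $Domain
$dcs = [System.DirectoryServices.ActiveDirectory.DomainController]::FindAll($context)

# Read every DC clock first; the seconds the loop takes are well below the tolerance
$readings = @()
foreach ($dc in $dcs) {
    try {
        $t = $dc.CurrentTime
    } catch {
        Write-Warning "$($dc.Name): $($_.Exception.Message)"
        continue
    }
    $o = New-Object -TypeName psobject
    $o | Add-Member -MemberType NoteProperty -Name Name -Value $dc.Name
    $o | Add-Member -MemberType NoteProperty -Name Time -Value $t
    $readings += $o
}

if ($readings.Count -lt 2) {
    Write-Warning "Need at least two reachable DCs to compare clocks"
    return
}

# Compare DC against DC rather than against this workstation, so the result does
# not depend on whether CurrentTime is expressed in local time or UTC
$sorted   = $readings | Sort-Object Time
$earliest = $sorted[0]
$latest   = $sorted[-1]
$spread   = ($latest.Time - $earliest.Time).TotalMinutes

foreach ($r in $sorted) {
    $offset = ($r.Time - $earliest.Time).TotalMinutes
    "{0,-30} {1:yyyy-MM-dd HH:mm:ss}  +{2,6:N2} min" -f $r.Name, $r.Time, $offset
}

if ($spread -gt $ToleranceMinutes) {
    Write-Warning ("Clock spread of {0:N2} minutes between {1} and {2} exceeds the {3} minute Kerberos tolerance" `
        -f $spread, $earliest.Name, $latest.Name, $ToleranceMinutes)
} else {
    Write-Host ("Clock spread {0:N2} minutes - within tolerance" -f $spread) -ForegroundColor Green
}
```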

 

PowerShell in Practice – Chapter 7

Chapter 7 – scripts for working with your desktop machines (and servers) – is now available under the Manning Early Access Program - http://www.manning.com/siddaway/

Enjoy

For want of a cable

Had to buy a new printer this weekend.  Found a very good deal on a combined printer, copier, scanner – ideal for what I need for home use.

Couldn't believe there wasn't a USB cable in the box.  Come on guys, a printer that doesn't hook up to the computer ain't much use.  What was worse was that nowhere on the box did it say that there wasn't a cable, so of course I didn't discover this until I was home.  Guess what I didn't have a spare of in the house?  Yep, a USB cable to run the printer.

Another trip into town this afternoon to get the cable.

Those of you who know me well will be able to guess the sort of comments I was making about the manufacturers :-)

Seriously, it should be plainly stated on the OUTSIDE what extras are needed to hook any peripheral up to a computer.