 © Rakhesh Sasidharan
|
Posted: May 13th, 2017 | Tags: powershell, windows updates, wmi | Category: PowerShell, Windows | § Was reading about the WannaCrypt attacks. If you have the MS17-010 bulletin patches installed in your estate, you are safe. I wanted to quickly scan our estate to see if the servers are patches with this. Not my job really, but I wanted to do it anyways.
The security bulletin page lists the actual patch numbers for each version of Windows. We only have Server 2008 – 2016 so that’s all I was interested in.
Here’s a list of the Server name, internal version, and the patch they should have.
- Server 2008 | 6.0.6002 | KB4012598
- Server 2008 R2 | 6.1.7600 | KB4012215 or KB4012212
- Server 2012 | 6.2.9200 | KB4012214 or KB4012217
- Server 2012 R2 | 6.3.9600 | KB4012213 or KB4012216
- Server 2016 | 10.0.14393 | KB4013429
One thing to bear in mind is that it’s possible a server doesn’t have the exact patch installed, but is still not at any risk. That is because since October 2016 Windows patches are cumulative. So if you don’t have the particular March 2017 patch installed, but do have the April 2017 one, you are good to go. The numbers above are from March 2017 – so you will have to update them with patch numbers of subsequent months too to be thorough.
Another thing – I had one server in my entire estate where the patch above was actually installed but turned up as a false positive in my script. Not sure why. I know it isn’t a script issue. For some reason that patch wasn’t being returned as part of the “Win32_QuickFixEngineering” output. Am assuming it wasn’t installed that way on this particular server.
Without further ado, here’s the script I wrote:
|
|
Get-ADComputer -SearchBase "OU=Servers,DC=myDomain,DC=com" -Filter * | ?{ Test-Connection $_.Name -Quiet -Count 1 } | %{ $Computer = $_.Name $WinVer = (Get-WmiObject Win32_OperatingSystem -CN $Computer).Version switch ($WinVer) { '6.0.6002' { if ((Get-WmiObject Win32_QuickFixEngineering -CN $Computer -Filter "HotFixID='KB4012598'" | Measure-Object).Count -eq 0) { "$Computer | Server 2008 | Missing KB4012598 "} } '6.1.7600' { if ((Get-WmiObject Win32_QuickFixEngineering -CN $Computer -Filter "HotFixID='KB4012215' or HotFixID='KB4012212'" | Measure-Object).Count -eq 0) { "$Computer | Server 2008 R2 | Missing KB4012212 or KB4012215 "} } '6.2.9200' { if ((Get-WmiObject Win32_QuickFixEngineering -CN $Computer -Filter "HotFixID='KB4012214' or HotFixID='KB4012217'" | Measure-Object).Count -eq 0) { "$Computer | Server 2012 | Missing KB4012214 or KB4012217 "} } '6.3.9600' { if ((Get-WmiObject Win32_QuickFixEngineering -CN $Computer -Filter "HotFixID='KB4012213' or HotFixID='KB4012216'" | Measure-Object).Count -eq 0) { "$Computer | Server 2012 R2 | Missing KB4012213 or KB4012216 "} } '10.0.14393' { if ((Get-WmiObject Win32_QuickFixEngineering -CN $Computer -Filter "HotFixID='KB4013429'" | Measure-Object).Count -eq 0) { "$Computer | Server 2016 | Missing KB4013429 "} } } } |
That’s all. Nothing fancy.
Turns out I was mistaken in my previous post. A few minutes after enabling inheritance, I noticed it was disabled again. So that means the groups must be protected by AD.
I knew of the AdminSDHolder object and how it provides a template set of permissions that are applied to protected accounts (i.e. members of groups that are protected). I also knew that there were some groups that are protected by default. What I didn’t know, however, what that the defaults can be changed.
Initially I did a Compare-Object -ReferenceObject (Get-ADPrincipalGroupMembership User1) -DifferenceObject (Get-ADPrincipalGroupMembership User2) -IncludeEqual to compare the memberships of two random accounts that seemed to be protected. These were accounts with totally different roles & group memberships so the idea was to see if they had any common groups (none!) and failing that to see if the groups they were in had any common ancestors (none again!)
Then I Googled a bit :o) and came across a solution.
Before moving on to that though, as a note to myself:
- The
AdminSDHolder object is at CN=AdminSDHolder,CN=System,DC=domain,DC=com. Find that via ADSI Edit (replace the domain part accordingly).
- Right click the object and its Security tab lists the template permissions that will be applied to members of protected groups. You can make changes here.
- SDProp is a process that runs every 60 minutes on the DC holding the PDC Emulator role. The period can be changed via the registry key
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\AdminSDProtectFrequency. (If it doesn’t exist, add it. DWORD).
- SDProp can be run manually if required.
So back to my issue. Turns out if a group as its adminCount attribute set to 1 then it will be protected. So I ran the following against the OU containing my admin account groups:
|
|
Get-ADGroup -SearchBase "OU=Admin Accounts,DC=domain,DC=com" -Filter 'adminCount -eq 1' | ft Name |
Bingo! Most of my admin groups were protected, so most admin accounts were protected. All I have to do now is either un-protect these groups (my preferred solution), or change the template to delegate permissions there.
Update: Simply un-protecting a group does not un-protect all its members (this is by design). The member objects too have their adminCount attribute set to 1, so apart from fun-protecting the groups we must un-protect the members too.
|
|
Get-ADGroup -SearchBase "OU=Admin Accounts,DC=myDomain,DC=com" -Filter 'adminCount -eq 1' | Set-ADGroup -Clear adminCount Get-ADUser -SearchBase "OU=Admin Accounts,DC=myDomain,DC=com" -Filter 'adminCount -eq 1' | Set-ADUser -Clear adminCount |
Update 2: Found this good post with lots more details. How to run the process manually, what are the default protected groups, etc. Read that post in conjunction with this one and you are set!
Update 3: You can unprotect the following default groups via dsHeuristics: 1) Account Operators, 2) Backup Operators, 3) Server Operators, 4) Print Operators. But that still leaves groups such as Administrators (built-in), Domain Admins, Enterprise Admins, Domain Controllers, Schema Admins, Read-Only Domain Controllers, and the user Administrator (built-in). There’s no way to un-protect members of these.
Something I hadn’t realized about adminCount. This attribute does not mean a group/ user will be protected. Instead, what it means is that if a group/ user is protected, and its ACLs have changed and are now reset to default, then the adminCount attribute will be set. So yes, adminCount will let you find groups/ users that are protected; but merely setting adminCount on a group/ user does not protect it. I learnt this the hard way while I was testing my changes. Set adminCount to 1 for a group and saw that nothing was happening.
Also, it is possible that a protected user/ group does not have adminCount set. This is because adminCount is only set if there is a difference in the ACLs between the user/ group and the AdminSDHolder object. If there’s no difference, a protected object will not have the adminCount attribute set. :)
Today I cracked a problem which had troubled us for a while but which I never really sat down and actually tried to troubleshoot. We had an OU with 3rd level admin accounts that no one else had rights to but wanted to delegate certain password related tasks to our Service Desk admins. Basically let them reset password, unlock the account, and enable/ disable.
Here’s some screenshots for the delegation wizard. Password reset is a common task and can be seen in the screenshot itself. Enable/ Disable can be delegated by giving rights to the userAccountControl attribute. Only force password change rights (i.e. no reset password) can be given via the pwdLastSet attribute. And unlock can be given via the lockoutTime attribute.
Problem was that in my case in spite of doing all this the delegated accounts had no rights!
Snooping around a bit I realized that all the admin accounts within the OU had inheritance disabled and so weren’t getting the delegated permissions from the OU (not sure why; and no these weren’t protected group members).
Of course, enabling is easy. But I wanted to see if I could get a list of all the accounts in there with their inheritance status. Time for PowerShell. :)
The Get-ACL cmdlet can list access control lists. It can work with AD objects via the AD: drive. Needs a distinguished name, that’s all. So all you have to do is (Get-ADUser <accountname>).DistinguishedName) – prefix an AD: to this, and pass it to Get-ACL. Something like this:
|
|
Get-ACL AD:$((Get-ADUser rakhesh).DistinguishedName) |
The default result is useless. If you pipe and expand the Access property you will get a list of ACLs.
|
|
Get-ACL AD:$((Get-ADUser rakhesh).DistinguishedName)| select -Expand Access |
The result is a series of entries like these:
|
|
ActiveDirectoryRights : ReadProperty, WriteProperty InheritanceType : All ObjectType : bf967a0a-0de6-11d0-a285-00aa003049e2 InheritedObjectType : bf967aba-0de6-11d0-a285-00aa003049e2 ObjectFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent AccessControlType : Allow IdentityReference : DOMAIN\User IsInherited : True InheritanceFlags : ContainerInherit PropagationFlags : None |
The attribute names referred to by the GUIDs can be found in the AD Technical Specs.
Of interest to us is the AreAccessRulesProtected property. If this is True then inheritance is disabled; if False inheritance is enabled. So it’s straight forward to make a list of accounts and their inheritance status:
|
|
Get-ADUser -SearchBase "OU=Admin Accounts,DC=myDomain,DC=com" -Filter * | ft samAccountName,@{Name="InheritBlocked"; Expr={(Get-Acl AD:$((Get-ADUser $_.samAccountname).DistinguishedName)).AreAccessRulesProtected}} |
So that’s it. Next step would be to enable inheritance on the accounts. I won’t be doing this now (as it’s bed time!) but one can do it manually or script it via the SetAccessRuleProtection method. This method takes two parameters (enable/ disable inheritance; and if disable then should we add/ remove existing ACEs). Only the first parameter is of significance in my case, but I have to pass the second parameter too anyways – SetAccessRuleProtection($False,$True).
Update: Here’s what I rolled out at work today to make the change.
|
|
Get-ADUser -SearchBase "OU=Admin Accounts,DC=myDomain,DC=com" -Filter * | %{ $ACL = Get-ACL AD:$($_.DistinguishedName); $ACL.SetAccessRuleProtection($false,$true); Set-Acl –AclObject $ACL AD:$($_.DistinguishedName); } |
Update 2: Didn’t realize I had many users in the built-in protected groups (these are protected even though their adminCount is 0 – I hadn’t realized that). To unprotect these one must set the dsHeuristics flag. The built-in protected groups are 1) Account Operators, 2) Server Operators, 3) Print Operators, and 4) Backup Operators. See this post on instructions (actually, see the post below for even better instructions).
Update 3: Found this amazing page that goes into a hell of details on this topic. Be sure to read this before modifying dsHeuristics.
Posted: June 29th, 2016 | Tags: group policy, powershell | Category: PowerShell | § Must have seen this recent Windows update that broke GPOs which were missing the Read permission for the “Authenticated Users” group. Solution is to get a list of these GPOs and add the “Authenticated Users” group to them. Here’s a one liner that gets you such a list –
|
|
Get-GPO -All | %{ $GPO = $_.DisplayName; $Perms = (Get-GPPermissions $GPO -All).Trustee.Name; if (!($Perms.Contains("Authenticated Users"))) { "$GPO" } } > GPOs.txt |
This puts it into a file called GPOs.txt in the current directory. Remove/ Modify that last re-direct as needed.
So here’s the situation. We have a bunch of HP rack enclosures. Some blade servers were moved from one rack to another but the person doing the move forgot to note down the new location. I knew the iLO IP address but didn’t know which enclosure it was in. Rather than login to each enclosure OA, expand the device bays and iLO info and find the blade I was interested in, I wrote this batch file that makes use of SSH/ PLINK to quickly find the enclosure the blade was in.
|
|
@echo off FOR %%I IN (R1E1-OA1,R1E2-OA1,R2E1-OA1,R2E2-OA1) DO ( echo Checking %%I echo y | PLINK.EXE admin@%%I -pw <password> "show ebipa" | findstr "<iLO-Address>" ) |
Put this in a batch file in the same folder as PLINK and run it.
Note that this does depend on SSH access being allowed to your enclosures.
Update: An alternative way if you want to use PowerShell for the looping –
|
|
"R1E1-OA1","R1E2-OA1","R2E1-OA1","R2E2-OA1"| %{ $EncName = $_; Write-Host -ForegroundColor Yellow "Checking $EncName"; .\PLINK.EXE -ssh $EncName -l admin -pw <passwd> "show ebipa" | ?{ $_ -match "<iLO Address>" } } |
Posted: May 17th, 2016 | Tags: powershell, remoting, security, winrm | Category: PowerShell | § Just some links I found on PowerShell remoting security –
Had a request to use SolarWinds to highlight servers in a pending reboot status. Here’s what I did.
Sorry, this is currently broken. After implementing this I realized I need to enable PowerShell remoting on all servers for it to work, else the script just returns the result from the SolarWinds server. Will update this post after I fix it at my workplace. If you come across this post before that, all you need to do is enable PowerShell remoting across all your servers and change the script execution to “Remote Host”.
SolarWinds has a built in application monitor called “Windows Update Monitoring”. It does a lot more than what I want so I disabled all the components I am not interested in. (I could have also just created a new application monitor, I know, just was lazy).
The part I am interested in is the PowerShell Monitor component. By default it checks for the reboot required status by checking a registry key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired. Here’s the default script –
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
$Error.Clear(); $regpath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired"; $res = Test-Path $regpath; if ($Error.Count -ne 0) { Write-Host "Message: $($Error[0])"; exit 1; } if ($res) { write-host "Message: Reboot required." write-host "Statistic: 1" exit 0 } else { write-host "Message: Reboot not required." write-host "Statistic: 0" exit 0 } |
Inspired by this blog post which monitors three more registry keys and also queries ConfigMgr, I replaced the default PowerShell script with the following –
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
$res = $false if (Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending" -EA Ignore) { $res = $true } if (Get-Item "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired" -EA Ignore) { $res = $true } if (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name PendingFileRenameOperations -EA Ignore) { $res = $true } try { $util = [wmiclass]"\\.\root\ccm\clientsdk:CCM_ClientUtilities" $status = $util.DetermineIfRebootPending() if (($status -ne $null) -and $status.RebootPending) { $res = $true } } catch { } if ($res) { write-host "Message: Reboot required." write-host "Statistic: 1" exit 0 } else { write-host "Message: Reboot not required." write-host "Statistic: 0" exit 0 } |
Then I added the application monitor to all my Windows servers. The result is that I can see the following information on every node –
Following this I created alerts to send me an email whenever the status of the above component (“Machine restart status …”) went down for any node. And I also created a SolarWinds report to capture all nodes for which the above component was down.
Then I assigned this to a schedule to run once in a month after our patching window to email me a list of nodes that require reboots.
Posted: May 8th, 2016 | Tags: powershell, solarwinds, winrm | Category: Infrastructure, Windows | § Added the Exchange 2010 Database Availability Group application monitor to couple of our Exchange 2010 servers and got the following error –
Clicking “More” gives the following –
This is because Solarwinds is trying to run a PowerShell script on the remote server and the script is unable to run due to authentication errors. That’s because Solarwinds is trying to connect to the server using its IP address, and so instead of using Kerberos authentication it resorts to Negotiate authentication (which is disabled). The error message too says the same but you can verify it for yourself from the Solarwinds server too. Try the following command –
|
|
New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<yourexchsvr>/PowerShell -Authentication Negotiate -Credential (get-credential) |
This is what’s happening behind the scenes and as you will see it fails. Now replace “Negotiate” with “Kerberos” and it succeeds –
|
|
New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<yourexchsvr>/PowerShell -Authentication Kerberos -Credential (get-credential) |
So, how to fix this? Logon to the remote server and launch IIS Manager. It’s under “Administrative Tools” and may not be there by default (my server only had “Internet Information Services (IIS) 6.0 Manager”), in which case add it via Server Manager/ PowerShell –
|
|
> Import-Module ServerManager > Add-WindowsFeature -Name RSAT-Web-Server |
Then open IIS Manager, go to Sites > PowerShell and double click “Authentication”.
Select “Windows Authentication” and click “Enable”.
Now Solarwinds will work.
Posted: May 2nd, 2016 | Tags: dns, powershell, server 2012 | Category: PowerShell | § I had to create multiple A DNS records of the format below –
|
|
10.240.187.21 for svr01 10.240.187.22 for svr02 ... 10.240.187.29 for svr09 |
Just 9 records, I could create them manually, but I thought let’s try and create en-mass using PowerShell. If you are on Windows Server 2012 and above, you have PowerShell cmdlets for DNS.
So I did the following –
|
|
1..9 | %{ $num = $_; Add-DnsServerResourceRecord -ComputerName dnssvr -ZoneName myzone.com -A -CreatePtr -IPv4Address "10.240.187.2$num" -Name "svr0$num" } |
To confirm they are created, the following helps –
|
|
1..9 | %{ $num = $_; Get-DnsServerResourceRecord -ComputerName dnssvr -Name "svr0$num" -ZoneName myzone.com -RRType A } |
Nice!
Posted: April 25th, 2016 | Tags: dhcp, get-service, powershell, services | Category: PowerShell, Windows | § Use PowerShell –
|
|
Get-DomainController | ft Name,@{Name="DHCP Service"; Expression={(Get-Service -ComputerName $_.Name | ?{ $_.Name -eq "DHCPServer" }).Status}} |
Result is a table of DC names and the status of the “DHCP Server” service. If the service isn’t installed (i.e. the feature isn’t enabled) you get a blank.
Posted: August 23rd, 2015 | Tags: exchange 2010, outlook, powershell | Category: Exchange | § As part of troubleshooting something I needed to quickly find what Outlook rules the user had for deleting messages. So I came up with this one-liner.
|
|
Get-InboxRule -Mailbox mev | ?{ ($_.Enabled -eq "True") -and ($_.DeleteMessage -eq "True") } | fl Name,Description |
The result is a list of rule names and a friendly description of what the rule does.
Run this from the EMS of course.
Posted: August 4th, 2015 | Tags: dns, powershell | Category: Infrastructure, Windows | § Here’s how I paused a zone on all the DNS servers hosting that zone:
|
|
Get-DnsServerResourceRecord -ComputerName SomeDnsServer -RRType NS -ZoneName "zone" | %{ Suspend-DnsServerZone -Name "zone" -ComputerName $_.RecordData.NameServer } |
This looks up the name servers for the zone and suspends the zone on each of those servers. If there are any servers that host this zone but aren’t specified as name servers for the zone (for example it could be an AD integrated zone but the NS records are incomplete) it misses out those servers. So it’s not a great script, there’s probably better ways to do this.
In my case the zone in question was being replicated to all DCs in the domain. So I got a list of all DCs in the domain and targeted those instead:
|
|
Get-ADDomainController -Filter * | %{ Suspend-DnsServerZone -Name "zone" -ComputerName $_.Name } |
Posted: July 22nd, 2015 | Tags: get-childitem, networking, powershell, registry | Category: Windows | § Was troubleshooting something in VMware, I ended up copying the actual files of a VM from one datastore to another and re-adding it to a host (because the original host was stuck entering into maintenance mode and I needed this VM to sort that out blah blah … doesn’t matter!). Problem is when I did the re-adding and vCenter asked me if I copied or moved the VM, I said I copied. This resulted in all the network interfaces getting new MAC addresses (among other changes) and suddenly my VM was without any of the previously configured static IPs!
Damn.
The old interfaces are still there just that they are hidden.
I used PowerShell/ WMI to list all the network interfaces on the server (this shows the hidden ones too).
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
PS> gwmi Win32_NetworkAdapterConfiguration | ft SettingID,Description SettingID Description --------- ----------- {4AE6B55C-6DD6-427D-A5BB-13535D4BE926} WAN Miniport (SSTP) {FB474E6C-F93F-4848-945E-86780D2A9897} WAN Miniport (IKEv2) {66973E50-CF44-46A7-AD86-0F369D30ACA2} WAN Miniport (L2TP) {F93EB786-8968-43C5-BC58-54D87385060E} WAN Miniport (PPTP) {6A16EDEB-24DF-416A-B427-CED88EFCA006} WAN Miniport (PPPOE) {F4373218-ED19-4F3D-8DB4-982009ED86B7} WAN Miniport (IPv6) {5356FE17-48EE-4A7A-BECE-645E20060A52} WAN Miniport (Network Monitor) {53489EA2-6E0F-4878-8F1A-FE9C7A8F0A34} vmxnet3 Ethernet Adapter {A0C416B3-0452-49C9-982F-AD326BE3A2B0} vmxnet3 Ethernet Adapter {66513FCE-F1B9-480C-B278-3DD588D5D452} WAN Miniport (IP) {8BC53481-5F6B-4604-A9D5-DC374E0346B9} vmxnet3 Ethernet Adapter {DD2F4800-0DEB-4A98-A302-0777CB955DC1} RAS Async Adapter {4706324E-0A6F-4046-BE3B-89B9A9B6179F} vmxnet3 Ethernet Adapter {D2C0A263-2803-451B-8D67-6B05E1426A05} Intel(R) PRO/1000 MT Network Connection {BE34D609-3966-412C-B78F-051C05F8FB4C} vmxnet3 Ethernet Adapter {583D6099-F8A4-43AA-A0CE-7C5BB81EF7E1} vmxnet3 Ethernet Adapter #6 {E904141E-5567-482B-BE54-4DD7162EE3B6} vmxnet3 Ethernet Adapter #7 |
In the Network Connections GUI all I can see are the last two adapters, so everything else is hidden. If I just wanted to delete them I would have followed the instructions in this post. (When following the instructions in that post be sure to enter set devmgr_show_nonpresent_devices=1 on a line of its own).
The ones starting with “vmxnet3” are what’s of interest for me so let’s focus on that.
|
|
PS> gwmi Win32_NetworkAdapterConfiguration | ?{ $_.Description -match "^vmxnet3" } | ft SettingID,Description SettingID Description --------- ----------- {53489EA2-6E0F-4878-8F1A-FE9C7A8F0A34} vmxnet3 Ethernet Adapter {A0C416B3-0452-49C9-982F-AD326BE3A2B0} vmxnet3 Ethernet Adapter {8BC53481-5F6B-4604-A9D5-DC374E0346B9} vmxnet3 Ethernet Adapter {4706324E-0A6F-4046-BE3B-89B9A9B6179F} vmxnet3 Ethernet Adapter {BE34D609-3966-412C-B78F-051C05F8FB4C} vmxnet3 Ethernet Adapter {583D6099-F8A4-43AA-A0CE-7C5BB81EF7E1} vmxnet3 Ethernet Adapter #6 {E904141E-5567-482B-BE54-4DD7162EE3B6} vmxnet3 Ethernet Adapter #7 |
The reason I focused on SettingID is because if you check under HKLM\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces you’ll find entries with these GUIDs.
|
|
PS> Get-ChildItem "HKLM:\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces" | ft Name Name ---- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{4706324E-0A6F-4046-BE3B-89B9A9B6179F} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{53489EA2-6E0F-4878-8F1A-FE9C7A8F0A34} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{583D6099-F8A4-43AA-A0CE-7C5BB81EF7E1} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{8BC53481-5F6B-4604-A9D5-DC374E0346B9} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{A0C416B3-0452-49C9-982F-AD326BE3A2B0} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{BE34D609-3966-412C-B78F-051C05F8FB4C} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{D2C0A263-2803-451B-8D67-6B05E1426A05} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{E904141E-5567-482B-BE54-4DD7162EE3B6} |
With a bit of PowerShell you can enumerate these keys and the IP address assigned to it:
|
|
PS> Get-ChildItem "HKLM:\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces" | %{ $Name=$_.PSChildName; Get-ItemProperty "HKLM:\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\$Name" } | ft PSChildName,IPAddress,SubnetMask PSChildName IPAddress SubnetMask ----------- --------- ---------- {4706324E-0A6F-4046-BE3B-89B9A9B6179F} {10.136.37.37} {255.255.255.0} {53489EA2-6E0F-4878-8F1A-FE9C7A8F0A34} {583D6099-F8A4-43AA-A0CE-7C5BB81EF7E1} {10.136.37.37} {255.255.255.0} {8BC53481-5F6B-4604-A9D5-DC374E0346B9} {10.136.37.36} {255.255.255.0} {A0C416B3-0452-49C9-982F-AD326BE3A2B0} {10.134.203.2} {255.255.255.0} {BE34D609-3966-412C-B78F-051C05F8FB4C} {D2C0A263-2803-451B-8D67-6B05E1426A05} {E904141E-5567-482B-BE54-4DD7162EE3B6} {} {} |
My PowerShell skills are getting worse by the day due to disuse so the above is not probably the most elegant way of doing this. :)
Anyways, by comparing the two outputs I was able to identify the missing IP as either 10.136.37.36 or 10.134.203.2. The latter was of a different network so it looked like an older hidden adapter. I set the former, and as expected the network started working. Yay!
Posted: July 16th, 2015 | Tags: esxi, powercli, powershell, ssh | Category: Virtualization | § I alluded to this in another post but couldn’t find it when I was searching my posts for the cmdlet. So here’s a separate post.
The Get-VMHostService is your friend when dealing with services on ESXi hosts. You can use it to view the services thus:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
PowerCLI> Get-VMHostService ESX02.rakhesh.local Key Label Policy Running Required --- ----- ------ ------- -------- DCUI Direct Console UI on True False TSM ESXi Shell off True False TSM-SSH SSH automatic True False lbtd lbtd on True False lsassd Local Security Authenticati... off False False lwiod I/O Redirector (Active Dire... off False False netlogond Network Login Server (Activ... off False False ntpd NTP Daemon on True False sfcbd-watchdog CIM Server on True False snmpd snmpd on False False vprobed vprobed off False False vpxa vpxa on True False xorg xorg on False False |
To start and stop services we use the Start-VMHostService and Stop-VMHostService but these take (an array of) HostService objects. HostService objects are what we get from the Get-VMHostService cmdlet above. Here’s how you stop the SSH & ESXi Shell services for instance:
|
|
PowerCLI> Get-VMHostService ESX02.rakhesh.local | ?{ $_.Key -match "TSM" } | Stop-VMHostService Perform operation? Perform operation Stop host service. on ESXi Shell? [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): Key Label Policy Running Required --- ----- ------ ------- -------- TSM ESXi Shell off False False Perform operation? Perform operation Stop host service. on SSH? [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): TSM-SSH SSH automatic False False |
Since the cmdlet takes an array, you can give it HostService objects of multiple hosts. Here’s how I start SSH & ESXi Shell for all hosts:
|
|
PowerCLI> Get-VMHost | Get-VMHostService | ?{ $_.Key -match "TSM" } | Start-VMHostService Key Label Policy Running Required --- ----- ------ ------- -------- TSM ESXi Shell off True False TSM-SSH SSH off True False TSM ESXi Shell off True False TSM-SSH SSH automatic True False TSM ESXi Shell off True False TSM-SSH SSH automatic True False |
As an aside here’s a nice post on six different ways to enable SSH on a host. Good one!
Posted: July 4th, 2015 | Tags: esxi, powercli, powershell, vmware | Category: Virtualization | § Not an exhaustive post, I am still exploring this stuff.
To get a list of network adapters on a host:
|
|
PowerCLI C:\> Get-VMHostNetworkAdapter -VMHost "ESX03.rakhesh.local" Name Mac DhcpEnabled IP SubnetMask DeviceName ---- --- ----------- -- ---------- ---------- vmnic0 00:0c:29:e8:a9:11 False vmnic0 vmnic1 00:0c:29:e8:a9:1b False vmnic1 vmnic2 00:0c:29:e8:a9:25 False vmnic2 vmnic3 00:0c:29:e8:a9:2f False vmnic3 vmnic4 00:0c:29:e8:a9:39 False vmnic4 vmnic5 00:0c:29:e8:a9:43 False vmnic5 vmk0 00:0c:29:e8:a9:11 False 10.50.0.33 255.255.255.0 vmk0 vmk2 00:50:56:63:15:44 False 1.1.1.3 255.255.255.0 vmk2 vmk1 00:50:56:66:e0:ab True 10.50.0.206 255.255.255.0 vmk1 vmk3 00:50:56:65:b3:d6 True 10.50.0.211 255.255.255.0 vmk3 |
To get a list of virtual switches on a host, with the NICs assigned to these:
|
|
PowerCLI C:\> Get-VirtualSwitch -VMHost "ESX03.rakhesh.local" | ft Name,Mtu,Nic Name Mtu Nic ---- --- --- vSwitch0 1500 {vmnic1, vmnic0} vSwitch1 1500 {vmnic3, vmnic2} vSwitch2 1500 {vmnic5, vmnic4} |
To get a list of port groups on a host:
|
|
PowerCLI C:\> Get-VirtualPortGroup -VMHost "ESX03.rakhesh.local" | ft VirtualSwitchName,Name VirtualSwitchName Name ----------------- ---- vSwitch0 VM Network vSwitch0 Management Network vSwitch1 iSCSI Management Network vSwitch1 iSCSI Traffic 2 vSwitch1 iSCSI Traffic 1 vSwitch2 vMotion Network |
To get a list of port groups , the virtual switches they are mapped to, and the NICs that make up these switches:
|
|
PowerCLI C:\> Get-VirtualPortGroup -VMHost "ESX03.rakhesh.local" | ft VirtualSwitchName,Name,@{Name="Nic";Expression={(Get-VirtualSwitch -VMHost "ESX03.rakhesh. local" -Name $_.VirtualSwitchName).Nic}} VirtualSwitchName Name Nic ----------------- ---- --- vSwitch0 VM Network {vmnic1, vmnic0} vSwitch0 Management Network {vmnic1, vmnic0} vSwitch1 iSCSI Management Network {vmnic3, vmnic2} vSwitch1 iSCSI Traffic 2 {vmnic3, vmnic2} vSwitch1 iSCSI Traffic 1 {vmnic3, vmnic2} vSwitch2 vMotion Network {vmnic5, vmnic4} |
This essentially combines the first and third cmdlets above.
More later!
|