03 December 2012

Quick key performance couter view with PowerShell

Windows Server 2012 makes managing a group of servers remotely much simpler.  PowerShell gives easy access to the performance counters.  Here are a few handy commands to help you check out the basics.
Get-Counter
This give you a list of the local counters for the following

  • Network bytes per second
  • % CPU Time
  • % RAM Used
  • Cache Fault per second
  • % Disk Time
  • Current Disk Queue Length

You will notice that the counters are named and  are referenced by the server's name.  You can use these to further define the command.



You can narrow this down to say on % CPU and % RAM used with the following:
 Get-Counter -Counter "\processor(_total)\% processor time", "\memory\% committed bytes in use"
You can get this continuously per second with the following:
Get-Counter -Counter "\processor(_total)\% processor time", "\memory\% committed bytes in use" -Continuous 
You can do the same but the the updates ever 5 seconds
Get-Counter -Counter "\processor(_total)\% processor time", "\memory\% committed bytes in use" -Continuous -SampleInterval 5
Alternatively you can set how many counts you want to measure
Get-Counter -Counter "\processor(_total)\% processor time", "\memory\% committed bytes in use" -SampleInterval 2 -MaxSamples 4
This forms a nice basis for expanding this to monitoring servers remotely
Get-Counter -Counter "\processor(_total)\% processor time", "\memory\% committed bytes in use" -SampleInterval 2 -MaxSamples 4 -ComputerName "et-lab-hv01"
You can also use variables to clean things up a bit. First define and set the vairables
$counters = "\processor(_total)\% processor time", "\memory\% committed bytes in use"$servers = "et-lab-hv01","et-lab-hv02"
Then execute the command using the variables
Get-Counter -Counter $counters -ComputerName $servers -Continuous

For more information about this check out: http://technet.microsoft.com/library/hh849685.aspx

28 November 2012

Windows Server 2012 Core Management step by step

One of the barriers to entry for Windows Server 2008 R2 Core was the fact that managing it was a technical difficulty.  With Server 2012 things are much simpler.  I will take you through installing and adding management functionality.  Right up to the point where you are actually running the full GUI version

Lab Setup
My management machine is Windows Server Standard Full GUI with Hyper-V role enable
The test machine is a virtual machine on this host.
For the sake of keeping script and install paths simple i have built and have left the install ISO attached ot the virtual machines as it's D drive

Getting Up and Running
During the initial installation phase you will notice that the "Server Core Installation" is now the default.  Once the installation finishes and you set the password and log in your are presented with a single command shell.


Step 1 the "sconfig" utility
The easiest way to get your machine added to the network and the domain is to use sconfig from the command prompt.  Below is a screenshot of the sconfig utility.  It present a simple text base interface to perform the essential configuration. Such as joining the domain, changing the computer name, configure network interface.



By default you will notice that "Configure Remote Management" is enabled.  This is important as we will use this later.  Once the server is joined to the domain it can be managed remotely  without further need to interact with the machine directly.

Step 2 Server Manager
From the management server with the full gui or from a Windows 8 with the Remote Server Administration Tools (RSAT) installed you can perform most administrative tasks.  RSAT Download
 
The following steps are all performed on the management server

  • Open the server Manager
  • Form the Dashboard select option  3 "Add other servers to manage"
  • Specify the server's name and click find now
  • Select the server and click the  > button to add it to the servers list
  • Once added you can select All servers form server manager

You will now see the core machine listed
The status by default will be "Online - Performance counters not started"

  • Right Click the server and select computer management

This will fail and present you with the following error


To resolve this we will use some PowerShell commands to remotely set the firewall rules.

  • Right Click the server and select Windows PowerShell




The shell that opens is a remote shell on the windows Core machine.

Execute the follow commands


  • Enable-NetFirewallRule -displaygroup  "Remote Service Management"
  • Enable-NetFirewallRule -displaygroup  “Remote Event Log Management”
  • Enable-NetFirewallRule -displaygroup "COM+ Remote Administration"
  • Enable-NetFirewallRule -displaygroup "COM+ Network Access"
* Note * At this point the COM+ Rules may not be present. But as you will see it might come in handy later


Or you can string them all together
  • Enable-NetFirewallRule -displaygroup  "Remote Service Management",“Remote Event Log Management”,"COM+ Remote Administration","COM+ Network Access"

If you attempt to use computer management now it will succeed.
  • At this point you can also Right click the server and select "Start Performance Counters"
This will now change the server status to Online


Step 3 Adding and Removing Roles and Features
Since we will be adding and removing features it is a good idea to have a look at the Windows features in PowerShell  form time to time.

 Get-WindowsFeature

This will give you the list off all the installed and available Roles and Features



If you look at the Web Server role you will set that it is marked as Available.  This means that we can simply add the roles and features through the Server Manager GUI on our "Management Server"

If however you select a Role or feature that is indicated as Removed you will have to specify installation media to use.

For a list of what is available in the different versions check out http://fixmyitsystem.com/2012/11/attack-surface-comparison-for-server.html


Step 4 Converting Core to full GUI
Ideally all your servers should be core, but sometimes you will need roles and features or simply functionality that is only available in the GUI.  As an example you may have a software installer that cannot be installed or configured from the command-line.

To convert from Core to the full GUI you need to add two features.  You can do this from your management server's Add roles and Features.


  • Select Role-Based or feature based installation
  • Select the server form the list
  • Select Features
  • Select User Interfaces and Infrastructure
  • --> Graphical Management Tool and Infrastructure
  • --> Server Graphical Shell

The next screen will warn you that you need to specify an alternate source path.  Click on the "Specify Alternate Source Path Link


At this point thing get  "a little tricky"  you don't simply specify the ISO location but you have to specify the installation image location.  The installation image is a WIM file and the various installation flavours "See the first Image" are indexes in the image.

To get the info about this you can PowerShell it   Get-windowsimage –imagepath d:\sources\install.wim

The result is as follows

  • Index 1 =  Windows Server 2012 SERVERSTANDARDCORE
  • Index 2 =  Windows Server 2012 SERVERSTANDARD
  • Index 3 = Windows Server 2012 SERVERDATACENTERCORE
  • Index 4 = Windows Server 2012 SERVERDATACENTER


Roles and Features can inly be installed form an image that contains them so in this case you cannot choose the core version.  Therefore the path you need to specify is:

WIM:D:\sources\install.wim:2

Once the installation and reboot is complete you will now have the GUI tools available to you.   Adding these components above has also converted your Core install to Full GUI install.

Step 5 Convert Full GUI back to Core
If you check out the available feature with the Get-WindowsFeature PowerShell Command you will see that it now matches the server with GUI

You may need to have the full GUI to perform initial tasks such as install application and configure them.  But ultimately you want to keep your attack and patching surface as small as possible.  It is possible to reverse the steps we performed above to essentially take a Full GUI server back down to a Core server.

This process happens completely in PowerShell

  • Uninstall-WindowsFeature Server-Gui-Shell -Remove
  • Uninstall-WindowsFeature Server-Gui-Mgmt-Infra -Restart


There are few options here though.  If you know that you will ocassionally need the GUI you can un-install the GUI but leave the install files available.  To do this you un-install the GUI but you do not -Remove the files.


  • Uninstall-WindowsFeature Server-Gui-Shell
  • Uninstall-WindowsFeature Server-Gui-Mgmt-Infra -Restart
Step 6 The in-between-er (Min GUI)


Another permutation here is a step between Core and Full.  It is called Min GUI or Minimal Server Interface In this configuration you have the Server Manager but you do not have the following:
  • Internet Explorer
  • Windows Explorer
  • Desktop
  • Start Screen
To get from Full GUI to Min Gui you execute the following
  • Uninstall-WindowsFeature Server-Gui-Shell -Remove
To get from CORE to Min Gui you execute the following
  • Install-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell –Restart –Source c:\mountdir\windows\winsxs
Conclusion
It is easy to move between the different levels of GUI available to the operating system.  It is of course always best to have as little as possible, but sometimes it is not always practical.  This article show how you can start in one place and end in another.  All it take are a few commands...



27 November 2012

Attack surface comparison for Server 2012 editions

With Windows Server 2012 Microsoft has done a great job with simplifying the features and capabilities of the server platform.  Essentially there are no longer any functional differences between Standard Edition and Data Centre Edition.

There are however  still a few options to consider.  The table below will cover the different deployment option and cover the default attack / patching surface for a default installation.

The different option we will compare are:

  • Full install with all the GUI components
  • Full install with GUI components removed with PowerShell (Full - GUI)
  • Core install
  • Windows Hyper-V Server 2012

The table below shows the various role option WRT installation.   the states are as follows

  • Installed : Role is installed and active
  • Available: Role is available and ready for installtion
  • Removed:  Role is available for installtion form external installation media
  • N/A : Role or feature is not available for the platform




Role  Version
---> Feature Full Full - GUI Core Hyper-V
Active Directory Certificate Services Available Available Available
--->  Certification Authority Available Available Available
--->  Certificate Enrollment Policy Web Service Available Available Available
--->  Certificate Enrollment Web Service Available Available Available
--->  Certification Authority Web Enrollment Available Available Available
--->  Network Device Enrollment Service Available Available Available
--->  Online Responder Available Available Available
Active Directory Domain Services Available Available Available
Active Directory Federation Services Available Available Removed
--->  Federation Service Available Available Removed
--->  AD FS 1.1 Web Agents Available Available Removed
--->  AD FS 1.1 Claims-aware Agent Available Available Removed
--->  AD FS 1.1 Windows Token-based Agent Available Available Removed
--->  Federation Service Proxy Available Available Removed
Active Directory Lightweight Directory Services Available Available Available
Active Directory Rights Management Services Available Available Available
--->  Active Directory Rights Management Server Available Available Available
--->  Identity Federation Support Available Available Removed
Application Server Available Available Removed
--->  .NET Framework 4.5 Available Available Removed
--->  COM+ Network Access Available Available Removed
--->  Distributed Transactions Available Available Removed
--->  WS-Atomic Transactions Available Available Removed
--->  Incoming Network Transactions Available Available Removed
--->  Outgoing Network Transactions Available Available Removed
--->  TCP Port Sharing Available Available Removed
--->  Web Server (IIS) Support Available Available Removed
--->  Windows Process Activation Service Support Available Available Removed
--->  HTTP Activation Available Available Removed
--->  Message Queuing Activation Available Available Removed
--->  Named Pipes Activation Available Available Removed
--->  TCP Activation Available Available Removed
DHCP Server Available Available Available
DNS Server Available Available Available
Fax Server Available Removed Removed
File And Storage Services Installed Installed Installed Installed
--->  File and iSCSI Services Available Available Available Available
--->  File Server Available Available Available Available
--->  BranchCache for Network Files Available Available Available
--->  Data Deduplication Available Available Available
--->  DFS Namespaces Available Available Available
--->  DFS Replication Available Available Available
--->  File Server Resource Manager Available Available Available
--->  File Server VSS Agent Service Available Available Available
--->  iSCSI Target Server Available Available Available
--->  iSCSI Target Storage Provider (VDS and V... Available Available Available
--->  Server for NFS Available Available Available
Storage Services Installed Installed Installed Installed
Hyper-V Available Available Available Installed
Network Policy and Access Services Available Available Removed
--->  Network Policy Server Available Available Removed
--->  Health Registration Authority Available Available Removed
--->  Host Credential Authorization Protocol Available Available Removed
Print and Document Services Available Available Available
--->  Print Server Available Available Available
--->  Distributed Scan Server Available Available Removed
--->  Internet Printing Available Available Removed
--->  LPD Service Available Available Available
Remote Access Available Available Available
--->  DirectAccess and VPN (RAS) Available Available Available
--->  Routing Available Available Available
Remote Desktop Services Available Available Available Available
--->  Remote Desktop Connection Broker Available Available Available
--->  Remote Desktop Gateway Available Available Removed
--->  Remote Desktop Licensing Available Available Available
--->  Remote Desktop Session Host Available Available Removed
--->  Remote Desktop Virtualization Host Available Available Available Available
--->  Remote Desktop Web Access Available Available Removed
Volume Activation Services Available Available Available
Web Server (IIS) Available Available Available
--->  Web Server Available Available Available
--->  Common HTTP Features Available Available Available
--->  Default Document Available Available Available
--->  Directory Browsing Available Available Available
--->  HTTP Errors Available Available Available
--->  Static Content Available Available Available
--->  HTTP Redirection Available Available Available
--->  WebDAV Publishing Available Available Available
--->  Health and Diagnostics Available Available Available
--->  HTTP Logging Available Available Available
--->  Custom Logging Available Available Available
--->  Logging Tools Available Available Available
--->  ODBC Logging Available Available Available
--->  Request Monitor Available Available Available
--->  Tracing Available Available Available
--->  Performance Available Available Available
--->  Static Content Compression Available Available Available
--->  Dynamic Content Compression Available Available Available
--->  Security Available Available Available
--->  Request Filtering Available Available Available
--->  Basic Authentication Available Available Available
--->  Centralized SSL Certificate Support Available Available Available
--->  Client Certificate Mapping Authentic... Available Available Available
--->  Digest Authentication Available Available Available
--->  IIS Client Certificate Mapping Authe... Available Available Available
--->  IP and Domain Restrictions Available Available Available
--->  URL Authorization Available Available Available
--->  Windows Authentication Available Available Available
--->  Application Development Available Available Available
--->  .NET Extensibility 3.5 Available Available Available
--->  .NET Extensibility 4.5 Available Available Available
--->  Application Initialization Available Available Available
--->  ASP Available Available Available
--->  ASP.NET 3.5 Available Available Available
--->  ASP.NET 4.5 Available Available Available
--->  CGI Available Available Available
--->  ISAPI Extensions Available Available Available
--->  ISAPI Filters Available Available Available
--->  Server Side Includes Available Available Available
--->  WebSocket Protocol Available Available Available
--->  FTP Server Available Available Available
--->  FTP Service Available Available Available
--->  FTP Extensibility Available Available Available
--->  IIS Hostable Web Core Available Available Available
--->  Management Tools Available Available Available
--->  IIS Management Console Available Available Removed
--->  IIS 6 Management Compatibility Available Available Available
--->  IIS 6 Metabase Compatibility Available Available Available
--->  IIS 6 Management Console Available Available Removed
--->  IIS 6 Scripting Tools Available Available Available
--->  IIS 6 WMI Compatibility Available Available Available
--->  IIS Management Scripts and Tools Available Available Available
--->  Management Service Available Available Available
Windows Deployment Services Available Available Removed
--->  Deployment Server Available Available Removed
--->  Transport Server Available Available Removed
Windows Server Update Services Available Available Available
--->  WID Database Available Available Available
--->  WSUS Services Available Available Available
--->  Database Available Available Available
.NET Framework 3.5 Features Available Available Available Available
--->  .NET Framework 3.5 (includes .NET 2.0 and 3.0) Removed Removed Removed Removed
--->  HTTP Activation Available Available Available
--->  Non-HTTP Activation Available Available Available
.NET Framework 4.5 Features Installed Installed Installed Installed
---> .NET Framework 4.5 Installed Installed Installed Installed
--->  ASP.NET 4.5 Available Available Available Available
---> WCF Services Installed Installed Installed
--->  HTTP Activation Available Available Available
--->  Message Queuing (MSMQ) Activation Available Available Available
--->  Named Pipe Activation Available Available Available
--->  TCP Activation Available Available Available
--->TCP Port Sharing Installed Installed Installed
Background Intelligent Transfer Service (BITS) Available Available Available Available
--->  IIS Server Extension Available Available Removed
--->  Compact Server Available Available Available Available
BitLocker Drive Encryption Available Available Available Available
BitLocker Network Unlock Available Available Removed
BranchCache Available Available Available
Client for NFS Available Available Available
Data Center Bridging Available Available Available Available
Enhanced Storage Available Available Available Available
Failover Clustering Available Available Available Available
Group Policy Management Available Available Available
Ink and Handwriting Services Available Available Removed
Internet Printing Client Available Available Removed
IP Address Management (IPAM) Server Available Available Removed
iSNS Server service Available Available Available
LPR Port Monitor Available Available Removed
Management OData IIS Extension Available Available Available
Media Foundation Available Available Available Available
Message Queuing Available Available Available
--->  Message Queuing Services Available Available Available
--->  Message Queuing Server Available Available Available
--->  Directory Service Integration Available Available Available
--->  HTTP Support Available Available Available
--->  Message Queuing Triggers Available Available Available
--->  Multicasting Support Available Available Available
--->  Routing Service Available Available Available
--->  Message Queuing DCOM Proxy Available Available Available
Multipath I/O Available Available Available Available
Network Load Balancing Available Available Available
Peer Name Resolution Protocol Available Available Available
Quality Windows Audio Video Experience Available Available Available
RAS Connection Manager Administration Kit (CMAK) Available Available Removed
Remote Assistance Available Available Removed
Remote Differential Compression Available Available Available
Remote Server Administration Tools Available Available Available Available
--->  Feature Administration Tools Available Available Available Available
--->  SMTP Server Tools Available Available Removed
--->  BitLocker Drive Encryption Administratio... Available Available Available Available
--->  BitLocker Drive Encryption Tools Available Available Removed
--->  BitLocker Recovery Password Viewer Available Available Removed
--->  BITS Server Extensions Tools Available Available Removed
--->  Failover Clustering Tools Available Available Available Available
--->  Failover Cluster Management Tools Available Available Removed
--->  Failover Cluster Module for Windows ... Available Available Available Available
--->  Failover Cluster Automation Server Available Available Available Available
--->  Failover Cluster Command Interface Available Available Available Available
--->  IP Address Management (IPAM) Client Available Available Removed
--->  Network Load Balancing Tools Available Available Removed
--->  SNMP Tools Available Available Removed
--->  Windows System Resource Manager RSAT [De... Available Available Removed
--->  WINS Server Tools Available Available Removed
--->  Role Administration Tools Available Available Available Available
--->  AD DS and AD LDS Tools Available Available Available
--->  Active Directory module for Windows ... Available Available Available
--->  AD DS Tools Available Available Available
--->  Active Directory Administrative ... Available Available Available
--->  AD DS Snap-Ins and Command-Line ... Available Available Available
--->  Server for NIS Tools [DEPRECATED] Available Available Removed
--->  AD LDS Snap-Ins and Command-Line Tools Available Available Available
--->  Hyper-V Management Tools Available Available Available Available
--->  Hyper-V GUI Management Tools Available Available Removed
--->  Hyper-V Module for Windows PowerShell Available Available Available Available
--->  Remote Desktop Services Tools Available Available Removed
--->  Remote Desktop Gateway Tools Available Available Removed
--->  Remote Desktop Licensing Diagnoser T... Available Available Removed
--->  Remote Desktop Licensing Tools Available Available Removed
--->  Windows Server Update Services Tools Available Available Available
--->  API and PowerShell cmdlets Available Available Available
--->  User Interface Management Console Available Available Removed
--->  Active Directory Certificate Services Tools Available Available Removed
--->  Certification Authority Management T... Available Available Removed
--->  Online Responder Tools Available Available Removed
--->  Active Directory Rights Management Servi... Available Available Removed
--->  DHCP Server Tools Available Available Removed
--->  DNS Server Tools Available Available Available
--->  Fax Server Tools Available Removed Removed
--->  File Services Tools Available Available Removed
--->  DFS Management Tools Available Available Removed
--->  File Server Resource Manager Tools Available Available Removed
--->  Services for Network File System Man... Available Available Removed
--->  Share and Storage Management Tool Available Available Removed
--->  Network Policy and Access Services Tools Available Available Removed
--->  Print and Document Services Tools Available Available Removed
--->  Remote Access Management Tools Available Available Available
--->  Remote Access GUI and Command-Line T... Available Removed Removed
--->  Remote Access module for Windows Pow... Available Available Available
--->  Volume Activation Tools Available Available Removed
--->  Windows Deployment Services Tools Available Available Removed
RPC over HTTP Proxy Available Available Available
Simple TCP/IP Services Available Available Removed
SMTP Server Available Available Removed
SNMP Service Available Available Available Available
--->  SNMP WMI Provider Available Available Available Available
Subsystem for UNIX-based Applications [Deprecated] Available Available Available
Telnet Client Available Available Available Available
Telnet Server Available Available Removed
TFTP Client Available Available Removed
User Interfaces and Infrastructure Installed Available Installed
---> Graphical Management Tools and Infrastructure Installed Available Removed
--->  Desktop Experience Available Removed Removed
---> Server Graphical Shell Installed Removed Removed
Windows Biometric Framework Available Available Removed
Windows Feedback Forwarder Available Available Available Available
Windows Identity Foundation 3.5 Available Available Removed
Windows Internal Database Available Available Available
Windows PowerShell Installed Installed Installed Installed
---> Windows PowerShell 3.0 Installed Installed Installed Installed
--->  Windows PowerShell 2.0 Engine Removed Removed Removed Available
---> Windows PowerShell ISE Installed Available Removed
--->  Windows PowerShell Web Access Available Available Available
Windows Process Activation Service Available Available Available
--->  Process Model Available Available Available
--->  .NET Environment 3.5 Available Available Available
--->  Configuration APIs Available Available Available
Windows Search Service Available Removed Removed
Windows Server Backup Available Available Available Available
Windows Server Migration Tools Available Available Available
Windows Standards-Based Storage Management Available Available Available Available
Windows System Resource Manager [Deprecated] Available Available Removed
Windows TIFF IFilter Available Available Removed
WinRM IIS Extension Available Available Available
WINS Server Available Available Available
Wireless LAN Service Available Available Removed
WoW64 Support Installed Installed Installed Available
XPS Viewer Available Available Removed
-->


Even though the remote management of the different deployments are very similar the actual footprint of the server can be very different.  With all the enhancements in management that came with Server 2012 you need a really good reason to use core as opposed to a full install. Keep in mind that a "removed" role or feature can be installed.  This is probably why core is the default installation choice.

Hyper-V server also show off just how thin it really is but it still packs a load of functionality into a very tidy (and free) package.