SVR333

- My name's Mark Minasi, and I'm ancient: I started working with computers in 1973
- Back then, it was all command line
- Nowadays, we've got GUIs, and they're cool... But command line tools have some great strengths

- They run on low bandwidth remotely with the Telnet service, Vista/Longhorn's remote shell WinRS, or a tool like the psexec command (a great CLI tool in itself)
- They can be collected into text files and made into batch files – the simplest kind of "program" I know
- They can be easily documented and therefore are more repeatable
- Additionally, have you ever found yourself, well, confounded by a new GUI? CLI tools tend not to change due to "artistic whim"

- Two new Microsoft OSes only support CLI for local administration:
  - WinPE 2.0: extremely useful replacement for DOS-based repair floppies and deployment "starter disks"
  - Longhorn Server Core: pared-down version of Longhorn focused on being a domain controller, DNS server, DHCP and file server
- You must know the CLI to locally operate and maintain both OSes

- I want to convince you that your time learning CLI stuff is well spent
- So I'll work with tools in the system, some from Support Tools, the Resource Kit and other places
- I'm not going to squeeze every syntactic option out; I just want to motivate you to try it and learn even more
- Some will do mundane tasks, some more exotic – but useful – tasks

- Initial System Setup with the CLI
- CLI Networking
- Managing Users with the CLI
- Active Directory CLI Management
- File and Disk CLI Management
- Controlling System and Events via CLI
- Server Core-Specific Tips

Initial C:onfiguration

- Set IP attribs:
    netsh int ip set address local static 10.10.1.3 255.255.255.0 10.10.1.1 2
    netsh int ip set address local source=dhcp
    netsh int ip set dns local static 192.168.0.2
    netsh int ip set dns local source=dhcp
    netsh int ip add dns local 10.7.3.2 index=2
- Same for WINS

- See computer name with hostname
- Change computer name with netdom:
    netdom renamecomputer %computername%
        /newname:newname
    netdom renamecomputer %computername% /newname:mypc21
  (Cannot rename a domain controller)

- Actually, Regedit works even in WinPE or Server Core
- Or use reg.exe:
    reg add hklm\software\acme\myeditor
  That adds a key; this adds a value:
    reg add hklm\software\acme\myeditor /v autosave /t REG_DWORD /d 0
  And this deletes the key without prompting:
    reg delete hklm\software\acme\myeditor /f

- Vista and Longhorn offer a secure remote shell command, winrs
    winrs -r:remotesystem options command
  Example:
    winrs -r:10.71.0.197 -u:administrator -p:swordfish ipconfig
- Works most easily in a forest
- Needs the Windows Remote Management service running to work (type winrm quickconfig to start it)
- psexec is nice too, particularly with the -s option

- There are a few "catch-all" commands in Windows; NETDOM is one (repadmin, netdiag, dcdiag are three others)
- It will let you:
  - Join or leave a domain
  - List FSMOs, PDC, DCs, OUs etc
  - Verify a secure channel with a domain
  - Reset a secure channel with a domain
- In Support Tools for most OSes, built into Server Core

- Because many NETDOM commands involve working both with a domain account and a local account, and a machine as well as a domain, the basic NETDOM syntax is
    netdom command machinename /domain:domainname /usero:acctname /passwordo:password /userd:acctname /passwordd:password [other settings]

- Here, the command is "join" and the extra option is "/reboot", which reboots on success:
    netdom join mypc /domain:bigfirm.com /usero:localadmin /passwordo:hithere /userd:domainadmin /passwordd:H1there /reboot
- May work remotely unless firewalls stop it

- dnscmd (in LH, Support Tools elsewhere)
- Creates zones, resource records, etc; examples:
    dnscmd 192.168.0.2 /zoneadd bigfirm.com /primary /file bigfirm.dns
  creates a zone
    dnscmd 192.168.0.2 /config bigfirm.com /AllowUpdate 1
  makes it dynamic
    dnscmd 192.168.0.2 /recordadd bigfirm.com @ NS downtowndc.bigfirm.com
  adds an NS record for downtowndc to the bigfirm.com zone

- DCPROMO has been "scriptable" from the beginning
    dcpromo
        /answer:filename   in 2000/2003
    dcpromo /unattend:filename   in LH
- Writing the answer files is now essentially automatic in Longhorn
- Just run DCPROMO on a system and answer the wizard's questions to configure a DC as you'd like it
- But at the last page of the wizard, you'll get the option to "export configuration"
- Result: an answer file

- Use the GUI to get a DHCP server as you like it
- Then open a command prompt and type
    netsh dhcp server export dhcpbak.txt all
- Then take dhcpbak.txt to your new Server Core system
    netsh dhcp server import dhcpbak.txt all
- Alternatively, the DHCP snap-in works remotely

- Consider that we've gotten enough commands to configure a system from "vanilla" to "domain controller"
- Ever assembled a disaster recovery plan? Put all of these commands into one big batch file and now you've got a DR plan that runs itself:
  - Set up an IP stack
  - Name a system
  - Create DNS zones
  - Install Active Directory
  - Later, we'll see account creation etc

- ipconfig (but you probably already knew that) – built in, does not work remotely
- getmac /s systemname /u username /p password shows MAC addresses; /s, /u, /p are only necessary if remoting
- ping ipaddress or hostname
- tracert [-d] ipaddress or hostname
- arp -a dumps the ARP cache

- nslookup for DNS; pack it all into one command line with -opts, as in
    nslookup -type=mx minasi.com
    nslookup -vc -type=mx minasi.com   (tells nslookup to use TCP)
- see all of the -options with nslookup -all
- KB 830578 offers nblookup, a WINS version of nslookup with almost identical syntax, and it is quite useful!
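The "DR plan that runs itself" idea from the DCPROMO and DHCP slides above, written out as an added example; this is not code from the deck, and every name, address and path in it (the interface name, 10.10.1.3, bigfirm.com, downtowndc, c:\build) is an assumed placeholder. It chains the slides' netsh, netdom, dnscmd and dcpromo commands into a two-phase batch file, because the rename forces a reboot before the directory work can start, and it assumes the DNS server role is already installed before phase 2 and that the answer file was exported from a reference DC as the slide describes.

```batch
@echo off
rem Added example, not from the slides: build a DC from a vanilla install.
rem Interface name, addresses, names and paths are assumed placeholders, and
rem the DNS server role is assumed to be installed before phase 2 runs.
rem Usage:  builddc.cmd phase1   IP stack, rename, reboot
rem         builddc.cmd phase2   DNS zone, then dcpromo from the exported answer file
setlocal
set IFNAME="Local Area Connection"
set IPADDR=10.10.1.3
set NETMASK=255.255.255.0
set GATEWAY=10.10.1.1
set DNSSRV=192.168.0.2
set NEWNAME=downtowndc
set ZONE=bigfirm.com
set ANSWER=c:\build\dcpromo-answer.txt
set LOG=c:\build\builddc.log

if /i "%~1"=="phase1" goto :phase1
if /i "%~1"=="phase2" goto :phase2
echo usage: %~nx0 phase1 ^| phase2
exit /b 1

:phase1
rem Each command is followed by an or-else goto :fail, so the first failure
rem stops the run instead of pressing on with a half-configured box.
echo [%date% %time%] phase1: IP stack >> "%LOG%"
netsh int ip set address %IFNAME% static %IPADDR% %NETMASK% %GATEWAY% 1 || goto :fail
netsh int ip set dns %IFNAME% static %DNSSRV% || goto :fail
echo [%date% %time%] phase1: renaming to %NEWNAME% and rebooting >> "%LOG%"
rem /force skips the "are you sure" prompt; /reboot restarts on success.
netdom renamecomputer %computername% /newname:%NEWNAME% /force /reboot || goto :fail
goto :eof

:phase2
if not exist "%ANSWER%" (
    echo [%date% %time%] phase2: answer file %ANSWER% is missing >> "%LOG%"
    goto :fail
)
echo [%date% %time%] phase2: DNS zone %ZONE% >> "%LOG%"
rem "." tells dnscmd to talk to the DNS server on this machine.
dnscmd . /zoneadd %ZONE% /primary /file %ZONE%.dns || goto :fail
dnscmd . /config %ZONE% /AllowUpdate 1 || goto :fail
dnscmd . /recordadd %ZONE% @ NS %NEWNAME%.%ZONE% || goto :fail
echo [%date% %time%] phase2: starting dcpromo >> "%LOG%"
rem /unattend is the Longhorn form; on 2000/2003 use /answer instead.
dcpromo /unattend:"%ANSWER%" || goto :fail
goto :eof

:fail
echo [%date% %time%] FAILED with errorlevel %errorlevel% in %~nx0 %1 >> "%LOG%"
exit /b 1
```

The exported answer file carries the Directory Services Restore Mode password, so keep c:\build on a volume only administrators can read and delete the file once the DC is up; the log is deliberately written without any of the passwords.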
- Nice port tester at KB 832919
    portqry -n targetsystem [options]
- Options:
  -e n                      try port number n
  -p tcp, -p udp, -p both   protocol to use (tcp default)
  -r n:m                    try range of ports from n to m
  -o a,b,c,d...             try list of specific ports
  -i                        do not reverse-resolve IP addresses

    portqry -n 10.0.0.2 -e 80 -i
  check for a Web server or, better,
    portqry -n 10.0.0.2 -o 80,443 -i
    portqry -n 10.0.0.2 -r 130:139 -i
  Scan TCP ports 130-139 on 10.0.0.2

    C:\>ping -n 1 207.46.134.222
    Pinging 207.46.134.222 with 32 bytes of data:
    Request timed out.

    C:\>portqry -n 207.46.134.222 -e 80 -i
    Querying target system called: 207.46.134.222
    TCP port 80 (http service): LISTENING

    netdom verify pcname /domain:domainname
  Good to verify that you're indeed logged in
    netdom reset pcname /domain:domainname [/server:servername]
  Your system may be logged in, but by a distant DC, which slows things down; this lets your system search for a closer DC and even, with the /server option, lets you specify a preferred DC

    netdom query fsmo | workstation | server | dc | ou | PDC | trust
  example:
    C:\>netdom query dc
    List of domain controllers with accounts in the domain:
    DC1
    DC2
    The command completed successfully.

- Enabling ping no longer in the GUI
    netsh firewall set icmpsetting 8 enable
- From an elevated command prompt, of course!
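Stringing the ping, portqry, netdom verify and netdom reset commands from the slides above into one "can this box talk to its domain?" check, as an added example that is not from the deck. bigfirm.com, dc1.bigfirm.com and c:\logs are assumed placeholders; it assumes portqry (the KB 832919 download) is on the PATH, and that netdom verify returns a non-zero errorlevel when the secure channel is broken.

```batch
@echo off
rem Added example, not from the slides: domain connectivity check.
rem Domain, DC and log path are assumed placeholders; portqry must be on the PATH.
setlocal
set DOMAIN=bigfirm.com
set DC=dc1.bigfirm.com
set LOG=c:\logs\dccheck.log
if not exist c:\logs md c:\logs

echo ==== %date% %time% checking %DC% for %DOMAIN% >> %LOG%

rem 1. ICMP first, but don't treat a timeout as a verdict: the slide's own
rem    example is a host that drops ping yet answers on TCP 80.
ping -n 1 %DC% >nul
if errorlevel 1 (echo ping: no reply, continuing with portqry >> %LOG%) else (echo ping: ok >> %LOG%)

rem 2. The ports a member needs from a DC: Kerberos 88, LDAP 389, SMB 445.
rem    -i skips the reverse lookup so a broken PTR zone cannot stall the check;
rem    findstr keeps the LISTENING / NOT LISTENING / FILTERED verdict lines.
portqry -n %DC% -o 88,389,445 -i | findstr /i "LISTENING FILTERED" >> %LOG%

rem 3. Secure channel: verify it, and only if that fails reset it against the
rem    preferred DC so logons stop wandering off to a distant one.
netdom verify %computername% /domain:%DOMAIN% >> %LOG% 2>&1
if errorlevel 1 (
    echo secure channel FAILED, resetting via %DC% >> %LOG%
    netdom reset %computername% /domain:%DOMAIN% /server:%DC% >> %LOG% 2>&1
    if errorlevel 1 echo reset FAILED, check credentials and reachability >> %LOG%
) else (
    echo secure channel ok >> %LOG%
)

rem 4. What the domain says its DCs are, to compare with what portqry saw.
netdom query dc >> %LOG% 2>&1

rem Show only the bad news on screen; the full record is in the log.
findstr /i "FAILED FILTERED NOT" %LOG%
endlocal
```

Run it from an elevated prompt on the member you are troubleshooting; the reset step needs rights to the computer account, which is why it is guarded by the verify rather than run unconditionally.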
- If Vista/LH work very slowly, turn off autotuning:
    netsh interface tcp set global autotuninglevel=disabled
- Some public routers need this; un-do by changing "disabled" to "normal"

A bit of "nothing but NET"

- The original Microsoft network software worked entirely from the CLI
- The commands all started with NET
- All built into the OS
- None work remotely, save for /domain
- They've grown with time and are all still useful

- The NET USER command
- Creates, deletes user accounts locally and on the domain
- Resets passwords
    net user username [password] [/domain] [/add]

    net user newguy longpassword /domain /add
  (creates a new domain user named newguy with password longpassword)
    net user newguy newpasswd
  (resets a password for a local user)
    net user newguy newpasswd /domain

- More NET USER options:
  /active:yes|no
  /comment:"text"
  /homedir:path
  /profilepath:path
  /fullname:name string
  /workstations:machinename,machinename...
  /scriptpath:path inside Netlogon

- Try /random, as in
    net user joe /random /domain
  Creates a random password for Joe and displays it
- To create a password that no one knows, use ">nul" as in
    net user joe /random /domain >nul
- btw, "net user" lists users; "net user /domain" lists domain users
- And of course /delete eradicates a user account

- To create a local group:
    net localgroup groupname /comment:text /add|/delete [/domain]
  /domain creates a domain local group
- To add a user to a local group,
    net localgroup groupname username /add
- net localgroup all by itself lists the local groups
- net group works the same, but only on DCs and creates global groups

    net localgroup folks /add
    net localgroup folks susie /add
    net localgroup folks jack /add
    net localgroup folks /comment:"our club"
    net localgroup folks jack /delete
- Create a new admin:
    net user joe joepwd /add
    net localgroup administrators joe /add

- net share shows you your shares
- Create a share like so:
    net share sharename=drive:path [/remark:"remark text"] [/grant:username,full|change|read]
        [/grant:username,full|change|read]...
    net share mytest=c:\test /remark:"Playing with NET SHARE" /grant:administrator,full /grant:otherguy,change
- NOTE: /grant only works on servers

    net share sharename /delete
- net share sharename reveals settings and lists who's currently connected:
    C:\>net share c$
    Share name        C$
    Path              C:\
    Remark            Default share
    Maximum users     No limit
    Users             MARK
    Caching           Manual caching

- You probably already know this one:
    net use * \\servername\sharename
  (The * means "assign the next available drive letter")
- But you can add credentials with the /u: (or /user:) option:
    net use * \\s1\stuff /u:joe@bigfirm.com swordfish

    net use \\pcname\ipc$ /u:"" ""
  does a null session logon
- net use shows you your current drive mappings, and your current persistence setting
    net use * /d /y
  disconnects you from all of your drive mappings

- By default, mapping a drive makes Windows try to re-map it when you next log on
- Change that behavior with
    net use /persistent:no|yes
- For example, net use /persistent:no changes the default behavior
- You can also add /persistent to a drive-mapping NET USE to make just that one map persistent or not

- When referring to a server by its DNS name, as in net use x: \\a.b.com\s1, then you must use its actual host name
- Using a CNAME in a NET USE will get you a fairly unhelpful error message

- If you're talking to a resource that's out of your domain, you'll need the /user: option to connect to its shares
- That's irritating to have to do
- Instead, just type
    net use \\servername\sharename /savecred
- You'll be prompted for credentials... and your XP or later system will remember them in the future
- Look in Control Panel / Users to manage this... and remember it, come password-changing day!
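The NET USER /random, NET LOCALGROUP and NET SHARE /grant slides above, put to work in an added example that is not from the deck: a batch file that provisions a list of local accounts on a file server, each with a password nobody has seen, a group membership and a hidden home share. users.csv, the group name "folks", d:\home and the log path are assumed placeholders; the CSV is assumed to hold one "username,Full Name" per line.

```batch
@echo off
rem Added example, not from the slides: bulk local-account provisioning.
rem users.csv, the group, the home root and the log are assumed placeholders.
setlocal
set USERLIST=c:\build\users.csv
set GROUP=folks
set HOMEROOT=d:\home
set LOG=c:\build\newusers.log

if not exist "%USERLIST%" (
    echo %USERLIST% not found
    exit /b 1
)

rem Create the group once; the error when it already exists is ignored.
net localgroup %GROUP% /comment:"Provisioned by newusers.cmd" /add >nul 2>&1

rem tokens=1,2 gives %%U the user name and %%V the full name from each line.
for /f "usebackq tokens=1,2 delims=," %%U in ("%USERLIST%") do (
    rem /random generates the password and the nul redirect keeps it off the
    rem screen and out of the log, so the user gets a reset when they call in.
    net user %%U /random /add /fullname:"%%V" /comment:"Created %date%" >nul
    if errorlevel 1 (
        echo [%date% %time%] FAILED: net user %%U >> "%LOG%"
    ) else (
        echo [%date% %time%] created %%U >> "%LOG%"
        net localgroup %GROUP% %%U /add >nul
        if not exist "%HOMEROOT%\%%U" md "%HOMEROOT%\%%U"
        rem Hidden per-user share; /grant only works on server SKUs, and it
        rem covers the share only: the folder's NTFS ACL still needs cacls/icacls.
        net share %%U$=%HOMEROOT%\%%U /remark:"Home folder of %%V" /grant:%%U,change >nul
    )
)
echo Done; see "%LOG%"
endlocal
```

Because the random password is discarded rather than recorded, the log never becomes a credential store; the cost is a forced first-contact reset, which is the intended trade.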
- net start service, net continue, net stop
- No net restart...
    net stop xx & net start xx
- Note the "&" lets you stack commands in a line
- net helpmsg number shows the text message associated with an error number; example:
    C:\>net helpmsg 1220
    An attempt was made to establish a session to a network server, but there are already too many sessions established to that server.

- The XP and later CLI tools dsadd, dsmod, dsget, dsquery, dsrm are a good, if uneven, set of commands that contain more AD-specific things
- All are built into Server 2003 and LH
- I won't cover these here because it'd take an hour or so just to explain the ds* commands
- In short, the tools are very good, but hard to memorize
- I have, however, written about them elsewhere

- repadmin, the "Swiss Army knife of replication"
- Controls, as its name suggests, AD replication... but that means a lot
- Use /? to get help, /listhelp for syntax on writing lists of DCs and, if ye be brave, matey, /experthelp to see the undocumented stuff
- Some examples:

    repadmin /kcc dcname
  forces a topology and replication partner check
    repadmin /rebuildgc dcname
  causes a GC server to dump and rebuild its global catalog
    repadmin /bridgeheads dcname
  shows bridgehead servers
    repadmin /istg dcname
  shows inter-site topology generator DCs

- GUID-ing and de-GUIDing:
    repadmin /dsaguid dcname GUID
  converts a DC's GUID to the DC's "friendly name"
    repadmin /showsig dcname
  is mostly useful because it first shows you the GUID of the DC – it calls it the "invocationID" – and THEN you can use the GUID like so:
- Understanding times:
    repadmin /showtime [value]
  either shows the time in AD's "days since 1601" format, or takes a number in AD format and shows it in UTC

- Revealing what each DC thinks it knows about its replication partners:
    repadmin /showutdvec dcname naming-context
  shows up-to-date vectors for all DCs, from the point of view of dcname
    repadmin /showrepl dcname naming-context /verbose
  shows the DC's replication partners and high-watermark
  table
    repadmin /replsummary dcname
  compiles a list of success/fail statistics between a DC and its partners
    repadmin /queue dcname
  lists the items in the outgoing queue for a given DC

    repadmin /showchanges destdc GUID-of-sourceDC naming-context /verbose
  summarizes everything that sourceDC hasn't yet replicated to destDC

    repadmin /syncall /e [/P] dcname naming-context
  /e – cross sites
  /P – push changes
  example:
    repadmin /syncall /e /P dc1 dc=acme,dc=com
- Or use
    repadmin /syncall /j dcname
  /j: only sync to adjacent DCs

- Naming contexts:
  bigfirm.com: dc=bigfirm,dc=com
  Configuration NC: cn=configuration,dc=bigfirm,dc=com
  Schema NC: cn=schema,cn=configuration,dc=bigfirm,dc=com
  No NC named: repadmin /syncall assumes the configuration NC
  dc=ForestDnsZones,dc=bigfirm,dc=com (will only appear in the root)
  dc=DomainDnsZones,dc=bigfirm,dc=com

- In Support Tools
- Netdiag is local, DCdiag can be remoted
- Both run a battery of tests on your system's network infrastructure (netdiag) and domain controller functions (dcdiag)
- Really just a set of "sanity test" examinations, but still quite useful
- Many writeups elsewhere, but in short, a batch file that runs the lot:

    del dcdiag.log
    del repadmin.log
    del netdiag.log
    dcdiag /e /c /v /ferr:c:\dcdiagerrs.log /f:dcdiag.log
    netdiag /v /l
    repadmin /showrepl * /verbose /all /intersite > repadmin.log

- dsacls is a built-in XP/2003 command to view or modify AD permissions... which means AD delegation
- Simplest form:
    dsacls dn-of-object
  shows the current permission
- Option /A says to add owner/audit info
- Option /S restores to schema default
- Add /T and it walks the entire tree downward

- To change delegations:
  /G <group/user>:<permissions>   adds the permission to the object's ACL
  /D <group/user>:<permissions>   denies
  /N                              says to replace any current ACL with the /G or /D ACE specified
  /R <group/user>                 removes all permissions for a given group/user

- Specify groups and users as either group@domain, user@domain or domain\group and domain\user
- Permissions: many in the Help, most common are GR
  (read), GE (execute), GW (write), GA (all – full control)
- Case seems to matter on the options

    dsacls ou=marketing,dc=bigfirm,dc=com
  Displays the ACLs on the Marketing OU – that is, the people and groups that can access this OU and its contents
    dsacls ou=marketing,dc=bigfirm,dc=com /G mpa@bigfirm.com:GA
  Give the "MPA" group in Bigfirm full control of the Marketing OU
    dsacls ou=marketing,dc=bigfirm,dc=com /S
  Reset Marketing's permissions to out-of-the-box

- Ever tried to find all of the delegations that someone's got? It's hard usually... But easy with dsrevoke.exe, from MS's Web site
    dsrevoke /remove domainname\username
    dsrevoke /report domainname\username
    dsrevoke /report /root:ou=marketing,dc=bigfirm,dc=com domainname\username
- NOTE: this requires NetBIOS names; UPNs do not work!!!!

- There's a whole slew of disk maintenance and navigation commands that are documented in many places and that are the bedrock for a lot of CLI work; ex: dir, cd, md, rd, del, erase, move, copy, xcopy, fdisk (which became diskpart in XP), format, label, vol, rename, verify [on|off]

- Several tools let you do NTFS from the command line
  - CACLS (built into the system)
  - ICACLS: cacls's replacement in Vista, LH, 2003 SP2
  - XCACLS (somewhat more complete, built into Support Tools)
  - SUBINACL (a Resource Kit tool that's powerful but buggy, so go to www.microsoft.com/downloads to get an updated one)
- These are tougher syntax-wise, but I've written columns on them all at the Windows IT Pro site

- If you've got a command prompt open, then don't bother with Explorer's Search; use DIR with /S
- For example, to search the entirety of C: for myfile.txt, type
    dir c:\myfile.txt /s
- To search in the folder "c:\files" and its subfolders, type
    dir c:\files\myfile.txt /s

    shutdown [-s|-r|-l] [-t ss] [-f] [-a]
  -s=shut down, -r=reboot, -l=log off
  -t ss lets you specify seconds; without -t, it's 30 seconds
  -f forces apps that are open to just plain close, possibly losing data
  -a says "there's a shutdown
  countdown in progress, abort it"

- whoami is a Support Tool that tells you what context you're logged in as, as in "bigfirm\mark." But add the /all option and you get your UPN, your SID, your group memberships, the SIDs of the groups, and your privileges
- In Vista/LH, you even get your Windows integrity level

- Vista and later have "wevtutil;" example:
    wevtutil qe application /c:2 /f:text /rd:true
  (Shows the two most recent events in the Application log)
  /c = # events to view
  /f = output format (text or whatever)
  /rd = Read from the most recent ("true") or from the oldest ("false")
- Also archives logs, allowing us to finally automatically archive logs!

- Ever wanted to create a batch file or something similar and have it write to the Event Log? Meet eventcreate, an XP-and-later built-in command that works remotely
    eventcreate /ID eventid /L logname /SO srcname /T type /D description
  logname=system, application, etc
  type=error, warning or information
    eventcreate /ID 833 /l system /t information /d "Just saying hi"

- We tend to look at the event log after something happens
- But with eventtriggers, a built-in command in XP and 2003, you can cause a program to run when something particular happens
    eventtriggers /create /eid eventidnumber /tr triggername /tk actiontotake /ru usernametoruncommand /rp passwordofthataccount
- In Vista/LH, it's the schtasks command, or just right-click any event in the Event Log and choose "Attach Task To This Event..."

    eventtriggers /create /eid 64002 /tr sysalert /tk "net send jack123 Something's deleting system files!" /ru jack123 /rp swordfish
- eventtriggers or eventtriggers /query /v will list the triggers
- eventtriggers /delete /tid n deletes a given eventtrigger, or ... /delete /tid * deletes them all

- What if you could tell your system to e-mail you from a command line?
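The whole "event X happened, e-mail me" chain, as an added example that is not from the deck: one batch file that registers an eventtriggers trigger pointing back at itself, sends the alert with blat (the SMTP tool the next slides introduce), and can raise a matching test event with eventcreate. The event ID, mail server, addresses, run-as account and log path are assumed placeholders; it assumes eventtriggers accepts "/rp *" to prompt for the password, and that blat is on the PATH of the account the trigger runs as.

```batch
@echo off
rem Added example, not from the slides: event to eventtriggers to this file to blat.
rem Event ID, mail server, addresses, run-as account and log path are assumed
rem placeholders. eventtriggers is XP/2003; on Vista/LH attach a scheduled
rem task to the event instead, as the slide above notes.
rem   alert.cmd install   register the trigger, prompting for the /ru password
rem   alert.cmd fire      what the trigger runs: log it and send the mail
rem   alert.cmd test      write a matching event so you can watch it work
setlocal
set EVENTID=900
set MAILSERVER=mail.bigfirm.com
set MAILTO=mark@mmco.com
set MAILFROM=alerts@bigfirm.com
set RUNAS=bigfirm\alertsvc
set LOGDIR=c:\alerts
set LOG=%LOGDIR%\alert.log
set SELF=%~f0

if /i "%~1"=="install" goto :install
if /i "%~1"=="fire" goto :fire
if /i "%~1"=="test" goto :test
echo usage: %~nx0 install ^| fire ^| test
exit /b 1

:install
rem The trigger calls this same file with "fire". /rp * prompts for the password
rem so it never sits in a batch file; use a low-rights account that can only run
rem blat and write the log, never a domain admin.
eventtriggers /create /eid %EVENTID% /tr "sysalert-%EVENTID%" /tk "\"%SELF%\" fire" /ru %RUNAS% /rp *
eventtriggers /query /v
goto :eof

:fire
if not exist "%LOGDIR%" md "%LOGDIR%"
echo [%date% %time%] event %EVENTID% on %computername%, mailing %MAILTO% >> "%LOG%"
rem "blat - -body" is deliberate: the lone "-" means no input file, the text
rem comes from -body. Add -u and -pw only if the SMTP server demands a logon.
blat - -body "Event ID %EVENTID% was logged on %computername% at %date% %time%." -server %MAILSERVER% -to %MAILTO% -f %MAILFROM% -subject "Event %EVENTID% alert from %computername%"
if errorlevel 1 echo [%date% %time%] blat failed with errorlevel %errorlevel% >> "%LOG%"
goto :eof

:test
rem eventcreate only accepts IDs 1-1000, which is why EVENTID above is 900;
rem the slide's 64002 works for install and fire, just not for this self-test.
eventcreate /ID %EVENTID% /L SYSTEM /T WARNING /SO AlertTest /D "Test event for %~nx0"
echo Event written; check "%LOG%" and the %MAILTO% mailbox in a minute.
goto :eof
```

The handler runs as the trigger's /ru account, so any blat settings you pre-store in the Registry must be stored while logged on as that account; the log line written before blat runs is what tells you whether the trigger fired at all when no mail arrives.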
- Then when event X happens, you could get your system to send you an e-mail about it
- Heck, if you've got an SMS phone, then you could even have it text you
- Answer: blat, from www.blat.net
- (Vista and LH do not need blat, as they've got SMTP-awareness through and through)

- Command-line SMTP client; example:
    blat - -body "Event ID 763 happened!" -server mail.bigfirm.com -to mark@mmco.com -f noone@bigfirm.com -subject "Event 763 alert" -u joe -pw swordfish
- The "blat - -body" is no typo

- The -u and -pw assume that your SMTP server needs logons; BLAT supports GSSAPI so it can do secure logons to Microsoft and other SMTP servers
- Free download
- Even includes the source
- You can pre-store most of the parameters in the Registry

- So you're setting up a test Web server, or an internal-only Web server, and you want a certificate for it... and don't want to buy one, or don't want to have to set up a certificate server to crank one lousy Web cert
- The answer? Selfssl, a tool that will generate a cert and install it, all in one line
- It's in the IIS Resource Kit

    selfssl /t /v:ndays /n:dn
  /n is the name
  /t installs it
  /v is how many days to leave it valid
  example:
    selfssl /T /V:200 /n:cn=web2.minasi.com
  Creates and installs a cert good for 200 days on the web2.minasi.com Web server

- Everything you've seen so far works on Server Core, but there are a few items that are SC-specific
- Server Core and WinPE do not have the .NET programming framework
- Some command-line applications require the .NET programming framework, so they won't work on those systems

- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
- Change fDenyTSConnections to 0
- Reboot:
    shutdown -r -t 0
- Open the firewall:
    netsh firewall set portopening tcp 3389 "Remote Desktop"

- Okay, to be honest, the command line isn't the only way to control Server Core
- You can also fire up most MMCs and remotely control SC – only remotely!
- To do that, you'll need to open the SC machine's file and printer sharing ports, though, and to do group policies:
    gpedit.msc /gpcomputer:"computername"
- You may have to NET USE to C$ on the SC box to authenticate first, however

- Server Core installs new devices silently if possible
- You can configure it to accept signed drivers via group policies
- You can "introduce" a new driver to Server Core with pnputil:
    pnputil -a c:\newdrivers\scan.inf
- That adds the driver package to the "driver store" in Vista or later systems

- pnputil -e enumerates all installed driver packages
- pnputil -i package.inf installs a given package
- pnputil -d c:\newdrivers\scan.inf removes an existing package
- driverquery lists all installed drivers
- On WinPE, use peimg -- see my Newsletter #59 on my Web site www.minasi.com

- Beyond Add/Remove Programs or Server Manager... ocsetup does the job
- Note that servermanagercmd.exe does not work on Server Core
- On SC, do ocsetup rolename, ex:
    ocsetup DNS-Server-Core-Role
- Also DHCPServerCore, FRS-Infrastructure, BitLocker
- Of course, use dcpromo to make a DC

- Case matters!
- First, get the drive partitioned right
- Again, no GUI, but once you install the BitLocker role, you have a new script "manage-bde.wsf"
- Simplify it by typing cscript //h:cscript
- Step One: enable the TPM chip
    manage-bde -tpm -t -o password
  "password" is the TPM password
- Step Two: encrypt the drive
    manage-bde -on c: -rp
- Now C: is encrypted and a recovery password has been shown on the screen
- To use a USB stick, add -sk driveletter for the drive with the USB stick
- Check manage-bde /? to increase encryption etc.
- Get the recovery password if you forgot it:
    manage-bde -protectors -get c:
- Decrypt the drive:
    manage-bde -off c:

- I have had to skip bezillions of great commands due to time, like
  - robocopy (RK)
  - delprof (RK)
  - sidhist.vbs (ST)
  - w32tm (OS)
  - netsh support of Windows Firewall and IPsec (OS)
  - SC (RK, OS)
- and many more – but I've written about many of them on the Windows IT Pro site.
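Going back to the dsacls, dsrevoke, dcdiag and repadmin slides in the Active Directory section, here is an added example that is not from the deck: a scheduled batch file that runs the replication health battery from those slides, dumps the ACLs of a few sensitive OUs, and diffs today's dump against the previous run so an unexpected delegation change is written to the Application log as a warning event. bigfirm.com, the OU list, c:\adreports and the audited account bigfirm\jack are assumed placeholders, and it assumes the Support Tools are installed on the machine that runs it.

```batch
@echo off
rem Added example, not from the slides: nightly AD health and delegation snapshot.
rem bigfirm.com, the OU list, the report folder and the audited account are
rem assumed placeholders. Run it from a scheduled task on a box that has
rem dcdiag, netdiag, repadmin, dsacls and dsrevoke installed.
setlocal
set REPORTS=c:\adreports
set OUS="ou=marketing,dc=bigfirm,dc=com" "ou=servers,dc=bigfirm,dc=com" "cn=users,dc=bigfirm,dc=com"
set AUDITUSER=bigfirm\jack
if not exist "%REPORTS%" md "%REPORTS%"
pushd "%REPORTS%"

rem 1. Health battery, as on the replication slides; each run overwrites the logs.
del dcdiag.log repadmin.log netdiag.log 2>nul
dcdiag /e /c /v /ferr:%REPORTS%\dcdiagerrs.log /f:dcdiag.log
netdiag /v /l
repadmin /showrepl * /verbose /all /intersite > repadmin.log
repadmin /replsummary * >> repadmin.log

rem 2. Delegation snapshot: keep the last dump, then record every OU's ACL.
rem    %%~O strips the quotes that the OU list needs for its embedded commas.
if exist acl-current.txt move /y acl-current.txt acl-previous.txt >nul
for %%O in (%OUS%) do (
    echo ==== %%~O >> acl-current.txt
    dsacls %%~O >> acl-current.txt
)

rem 3. Drift check: fc returns 0 when the dumps match and 1 when they differ,
rem    so a change in who can touch these OUs becomes an Application-log event
rem    that the usual log review, or the alerting chain from the event slides,
rem    will pick up.
if exist acl-previous.txt (
    fc acl-previous.txt acl-current.txt > acl-diff.txt
    if errorlevel 1 eventcreate /ID 900 /L APPLICATION /T WARNING /SO ADSnapshot /D "OU ACLs changed since the last snapshot; see %REPORTS%\acl-diff.txt"
)

rem 4. Everything one account has been delegated, forest-wide. dsrevoke needs
rem    the DOMAIN\user form; a UPN will not work.
dsrevoke /report %AUDITUSER% > dsrevoke-report.txt

popd
endlocal
```

The first run has no previous dump and so only records a baseline; from the second run on, acl-diff.txt is the list of exactly which ACEs appeared or vanished, which is usually faster to read than the full dsacls output.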
- Start looking for your own command line gems!

- I hope I've introduced you to some of the neat things that the command line offers
- Get comfy with some of these commands and you can get a lot done quickly
- I'm at help@minasi.com
- www.minasi.com has my free online newsletter and technical forum
- Please don't forget the evals!
© Copyright 2025