SVR333

My name’s Mark Minasi, and I’m ancient
I started working with computers in 1973
Back then, it was all command line
Nowadays, we’ve got GUIs, and they’re cool…
But command line tools have some great
strengths
They run on low bandwidth remotely with the
Telnet service, Vista/Longhorn's remote shell
WinRS, or a tool like the psexec command (a
great CLI tool in itself)
They can be collected into text files and made into
batch files – the simplest kind of "program" I know
They can be easily documented and therefore are
more repeatable
Additionally, have you ever found yourself, well,
confounded by a new GUI? CLI tools tend not to
change due to “artistic whim”
Two new Microsoft OSes only support CLI for local
administration:
WinPE 2.0: extremely useful replacement for DOS-based repair floppies and deployment "starter disks"
Longhorn Server Core: pared-down version of
Longhorn focused on being a domain controller, DNS
server, DHCP and file server
You must know the CLI to locally operate and
maintain both OSes
I want to convince you that your time learning CLI stuff is
well spent
So I’ll work with tools in the system, some from Support
Tools, the Resource Kit and other places
I'm not going to squeeze every syntactic option out; I just
want to motivate you to try it and learn even more
Some will do mundane tasks, some more exotic – but
useful – tasks
Initial System Setup with the CLI
CLI Networking
Managing Users with the CLI
Active Directory CLI Management
File and Disk CLI Management
Controlling System and Events via CLI
Server Core-Specific Tips
Initial C:onfiguration
Set IP attribs:
netsh int ip set address local static 10.10.1.3 255.255.255.0 10.10.1.1 2
netsh int ip set address local source=dhcp
netsh int ip set dns local static 192.168.0.2
netsh int ip set dns local source=dhcp
netsh int ip add dns local 10.7.3.2 index=2
Same for WINS
See computer name with hostname
Change computer name with netdom:
netdom renamecomputer %computername% /newname:newname
netdom renamecomputer %computername% /newname:mypc21
(Cannot rename a domain controller)
Actually, Regedit works even in WinPE or Server Core
Or use reg.exe:
reg add hklm\software\acme\myeditor
That adds a key; this adds a value:
reg add hklm\software\acme\myeditor /v autosave /t REG_DWORD /d 0
reg delete hklm\software\acme\myeditor /f
Vista and Longhorn offer a secure remote shell command, winrs
winrs -r:remotesystem options command
Example:
winrs -r:10.71.0.197 -u:administrator -p:swordfish ipconfig
Works most easily in a forest
Needs the Windows Remote Management service running to work (type winrm quickconfig to start it)
psexec is nice too, particularly with the -s option
There are a few "catch-all" commands in
Windows; this is one (repadmin, netdiag, dcdiag
are three others)
It will let you
Join or leave a domain
List FSMOs, PDC, DCs, OUs etc
Verify a secure channel with a domain
Reset a secure channel with a domain
In Support Tools for most OSes, built into Server
Core
Because many NETDOM commands involve working both with a domain account and a local account, and a machine as well as a domain, the basic NETDOM syntax is
netdom command machinename /domain:domainname /usero:acctname /passwordo:password /userd:acctname /passwordd:password [other settings]
Here, the command is "join" and the extra option is "/reboot," which reboots on success:
netdom join mypc /domain:bigfirm.com /usero:localadmin /passwordo:hithere /userd:domainadmin /passwordd:H1there /reboot
May work remotely unless firewalls stop it
dnscmd (in LH, Support Tools elsewhere)
Creates zones, resource records, etc; examples:
dnscmd 192.168.0.2 /zoneadd bigfirm.com /primary /file bigfirm.dns creates a zone
dnscmd 192.168.0.2 /config bigfirm.com /AllowUpdate 1 makes it dynamic
dnscmd 192.168.0.2 /recordadd bigfirm.com @ NS downtowndc.bigfirm.com adds an NS record for downtowndc to the bigfirm.com zone
DCPROMO has been “scriptable” from the
beginning
dcpromo /answer:filename in 2000/2003
dcpromo /unattend:filename in LH
Writing the answer files is now essentially
automatic in Longhorn
Just run DCPROMO on a system and answer the
wizard’s questions to configure a DC as you’d like
it
But at the last page of the wizard, you’ll get the
option to “export configuration”
Result: an answer file
Use the GUI to get a DHCP server as you like it
Then open a command prompt and type
netsh dhcp server export dhcpbak.txt all
Then take dhcpbak.txt to your new Server Core
system
netsh dhcp server import dhcpbak.txt all
Alternatively, the DHCP snap-in works remotely
Consider that we’ve gotten enough commands to
configure a system from “vanilla” to “domain
controller”
Ever assembled a disaster recovery plan?
Put all of these commands into one big batch file
and now you’ve got a DR plan that runs itself:
Set up an IP stack
Name a system
Create DNS zones
Install Active Directory
Later, we’ll see account creation etc
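The self-running DR plan just described, as an added example (not from the deck): a two-phase batch file that chains the deck's netsh, netdom, dnscmd and dcpromo commands. All addresses, names, the new hostname and the answer-file path are placeholders, and the answer file is assumed to be the one exported from the DCPROMO wizard as on the earlier slide.

```batch
@echo off
setlocal
rem build-dc.cmd -- constructed example: the "DR plan that runs itself".
rem Every address, name, file and password below is a placeholder.
rem The rename needs a reboot, so the file runs in two phases:
rem   build-dc.cmd 1   (fresh install: IP stack, hostname, reboot)
rem   build-dc.cmd 2   (after logon: DNS zone, Active Directory install)
if "%1"=="2" goto phase2
if not "%1"=="1" (
    echo usage: build-dc.cmd 1 ^| 2
    exit /b 1
)

rem --- phase 1: static address, mask, gateway (metric 1), then DNS servers
netsh int ip set address local static 10.10.1.3 255.255.255.0 10.10.1.1 1
netsh int ip set dns local static 10.10.1.2
netsh int ip add dns local 10.7.3.2 index=2
if errorlevel 1 goto failed

rem --- name the system BEFORE dcpromo: netdom cannot rename a DC
netdom renamecomputer %computername% /newname:dc3 /force
if errorlevel 1 goto failed
echo Phase 1 done; rebooting. Run "build-dc.cmd 2" after logon.
shutdown -r -t 10
exit /b 0

:phase2
rem --- DNS: create the zone on the existing DNS server (placeholder 10.10.1.2),
rem     allow dynamic updates and register the new DC as a name server
dnscmd 10.10.1.2 /zoneadd bigfirm.com /primary /file bigfirm.dns
dnscmd 10.10.1.2 /config bigfirm.com /AllowUpdate 1
dnscmd 10.10.1.2 /recordadd bigfirm.com @ NS dc3.bigfirm.com

rem --- Active Directory: dcanswer.txt is the file the Longhorn DCPROMO wizard
rem     wrote when you chose "export configuration" (placeholder path)
if not exist c:\dr\dcanswer.txt (
    echo Missing c:\dr\dcanswer.txt
    goto failed
)
dcpromo /unattend:c:\dr\dcanswer.txt
if errorlevel 1 goto failed
echo Phase 2 done; dcpromo reboots the system when it finishes.
exit /b 0

:failed
echo A step failed; stopping so the rest of the plan does not run on a bad base.
exit /b 1
```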
ipconfig (but you probably already knew that) – built in, does not remote
getmac /s systemname /u username /p password shows MAC addresses -- /s, /u, /p only necessary if remoting
ping ipaddress or hostname
tracert [-d] ipaddress or hostname
arp -a dumps the ARP cache
nslookup for DNS; pack it all into one command line with -opts, as in
nslookup -type=mx minasi.com
nslookup -vc -type=mx minasi.com (tells nslookup to use TCP)
see all of the -options with nslookup -all
KB 830578 offers nblookup, a WINS version of nslookup with almost identical syntax and is quite useful!
Nice port tester at KB 832919
portqry -n targetsystem [options]
Options:
-e n try port number n
-p tcp, -p udp, -p both protocol to use (tcp default)
-r n:m try range of ports from n to m
-o a,b,c,d… try list of specific ports
-i do not reverse-resolve IP addresses
portqry -n 10.0.0.2 -e 80 -i
check for a Web server or, better,
portqry -n 10.0.0.2 -o 80,443 -i
portqry -n 10.0.0.2 -r 130:139 -i
Scan TCP ports 130-139 on 10.0.0.2
C:\>ping -n 1 207.46.134.222
Pinging 207.46.134.222 with 32 bytes of data:
Request timed out.
C:\>portqry -n 207.46.134.222 -e 80 -i
Querying target system called: 207.46.134.222
TCP port 80 (http service): LISTENING
netdom verify pcname /domain:domainname
Good to verify that you're indeed logged in
netdom reset pcname /domain:domainname
[/server:servername]
Your system may be logged in, but by a distant
DC, which slows things down; this lets your
system search for a closer DC and even, with the
/server option, lets you specify a preferred DC
netdom query fsmo | workstation | server | dc | ou | PDC | trust
example:
C:\>netdom query dc
List of domain controllers with accounts in the domain:
DC1
DC2
The command completed successfully.
Enabling ping no longer in the GUI
netsh firewall set icmpsetting 8 enable
From an elevated command prompt, of course!
If Vista/LH work very slowly, turn off autotuning:
netsh interface tcp set global autotuninglevel=disabled
Some public routers need this; un-do by changing "disabled" to "normal"
A bit of "nothing but NET"
The original Microsoft network software worked entirely from the CLI
The commands all started with NET
All built into the OS
None of them works remotely, apart from what the /domain option gives you
They've grown with time and are all still useful
The NET USER command
Creates, deletes user accounts locally and on the
domain
Resets passwords
net user username [password] [/domain] [/add]
net user newguy longpassword /domain /add
(creates a new domain user named newguy with password longpassword)
net user newguy newpasswd
(resets a password for a local user)
net user newguy newpasswd /domain
/active:yes|no
/comment:"text"
/homedir:path
/profilepath:path
/fullname:"name string"
/workstations:machinename,machinename…
/scriptpath:path inside Netlogon
Try /random, as in
net user joe /random /domain
Creates a random password for Joe and displays
it
To create a password that no one knows, use
">nul" as in
net user joe /random /domain >nul
btw, "net user" lists users; "net user /domain" lists
domain users
And of course /delete eradicates a user account
To create a local group:
net localgroup groupname /comment:text /add|/delete [/domain]
/domain creates a domain local group
To add a user to a local group,
net localgroup groupname username /add
net localgroup all by itself lists the local groups
net group works the same, but only on DCs and creates global groups
net localgroup folks /add
net localgroup folks susie /add
net localgroup folks jack /add
net localgroup folks /comment:"our club"
net localgroup folks jack /delete
Create a new admin:
net user joe joepwd /add
net localgroup administrators joe /add
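Putting the NET USER and NET LOCALGROUP options from the last few slides together, as an added example (not from the deck): a batch file that bulk-creates accounts from a constructed name list. The usernames, full names and the "folks" group are placeholders.

```batch
@echo off
setlocal
rem add-users.cmd -- constructed example: bulk-create accounts with NET USER and
rem put them in a group with NET LOCALGROUP, using the options shown above.
rem Pattern: each account gets a /random password that nobody sees (the output
rem goes to nul) and starts /active:no, so enabling it is a separate, deliberate
rem step later:   net user susie newpasswd   then   net user susie /active:yes
rem Add /domain to the three NET lines to do the same thing against the domain.

rem --- constructed input, written here so the example runs by itself
rem     (one account per line: username,full name)
> users.txt echo susie,Susie Queue
>> users.txt echo jack,Jack Sprat
>> users.txt echo joe,Joe Bloggs

rem --- the group; the error is ignored if it already exists
net localgroup folks /add /comment:"our club" >nul 2>&1

rem --- tokens=1,* : %%u is the username, %%v everything after the first comma
for /f "tokens=1,* delims=," %%u in (users.txt) do (
    net user %%u /random /add /active:no /fullname:"%%v" /comment:"bulk-created by add-users.cmd" >nul
    if errorlevel 1 (
        echo FAILED: %%u
    ) else (
        net localgroup folks %%u /add
        echo created %%u, disabled until a password is set
    )
)
```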
net share shows you your shares
Create a share like so:
net share sharename=drive:path [/remark:"remark text"] [/grant:username,full|change|read] [/grant:username,full|change|read]…
net share mytest=c:\test /remark:"Playing with NET SHARE" /grant:administrator,full /grant:otherguy,change
NOTE /grant only works on servers
net share sharename /delete
net share sharename reveals settings and lists who's currently connected:
C:\>net share c$
Share name        C$
Path              C:\
Remark            Default share
Maximum users     No limit
Users             MARK
Caching           Manual caching
You probably already know this one:
net use * \\servername\sharename
(The * means "assign the next available drive letter")
But you can add credentials with the /u: (or /user:) option:
net use * \\s1\stuff /u:[email protected] swordfish
net use \\pcname\ipc$ /u:"" "" does a null session logon
net use shows you your current drive mappings, and your current persistence setting
net use * /d /y disconnects you from all of your drive mappings
By default, mapping a drive makes Windows try to re-map it when you next log on
Change that behavior with
net use /persistent:no|yes
For example, net use /persistent:no changes the default behavior
You can also add /persistent to a drive mapping NET USE to make just that one map persistent or not
When referring to a server by its DNS name, as in net use x: \\a.b.com\s1, then you must use its actual host name
Using a CNAME in a NET USE will get you a fairly unhelpful error message
If you're talking to a resource that's out of your domain, you'll need the /user: option to connect to its shares
That's irritating to have to do
Instead, just type net use \\servername\sharename /savecred
You'll be prompted for credentials… and your XP or later system will remember them in the future
Look in Control Panel / Users to manage this
… and remember it, come password-changing day!
net start service, net continue, net stop
No net restart… net stop xx & net start xx
Note the “&” lets you stack commands in a line
net helpmsg number shows the text message
associated with an error number; example:
C:\>net helpmsg 1220
An attempt was made to establish a
session to a network server, but
there are already too many sessions
established to that server.
The XP and later CLI tools dsadd, dsmod, dsget,
dsquery, dsrm are a good, if uneven, set of
commands that contain more AD-specific things
All are built into Server 2003 and LH
I won’t cover these here because it’d take an hour
or so just to explain the ds* commands
In short, the tools are very good, but hard to
memorize
I have, however, written about them elsewhere
The “Swiss Army knife of replication”
Controls, as its name suggests, AD replication…
but that means a lot
Use /? to get help, /listhelp for syntax on writing
lists of DCs and, if ye be brave, matey, /experthelp
to see the undocumented stuff
Some examples:
repadmin /kcc dcname forces a topology and
replication partner check
repadmin /rebuildgc dcname causes a GC server
to dump and rebuild its global catalog
repadmin /bridgeheads dcname shows
bridgehead servers
repadmin /istg dcname shows inter-site topology
generator DCs
GUID-ing and de-GUIDing:
repadmin /dsaguid dcname GUID converts a DC's GUID to the DC's "friendly name"
repadmin /showsig dcname is mostly useful because it first shows you the GUID of the DC – it calls it the "invocationID" – and THEN you can use that GUID with the repadmin options that want one
Understanding times:
repadmin /showtime [value] either shows the time in AD's "days since 1601" format, or takes a number in AD format and shows it in UTC
Revealing what each DC thinks it knows about its
replication partners:
repadmin /showutdvec dcname naming-context shows
up-to-date vectors for all DCs, from the point of view of
dcname
repadmin /showrepl dcname naming-context /verbose
shows the DC's replication partners and high-watermark
table
repadmin /replsummary dcname compiles a list of
success/fail statistics between a DC and its
partners
repadmin /queue dcname lists the items in the
outgoing queue for a given DC
repadmin /showchanges destdc GUID-of-sourceDC naming-context /verbose summarizes everything that sourceDC hasn't yet replicated to DestDC
repadmin /syncall /e [/P] dcname naming-context
/e – cross sites
/P – push changes
example:
repadmin /syncall /e /P dc1 dc=acme,dc=com
Or use repadmin /syncall /j dcname
/j: only sync to adjacent dcs
bigfirm.com: dc=bigfirm,dc=com
Configuration NC:
cn=configuration,dc=bigfirm,dc=com
Schema NC:
cn=schema,cn=configuration,dc=bigfirm,dc=com
No NC named: repadmin /syncall assumes the
configuration NC
dc=ForestDnsZones,DC=bigfirm,dc=com (will only
appear in the root)
dc=DomainDnsZones,dc=bigfirm,dc=com
In Support Tools
Netdiag is local, DCdiag can be remoted
Both run a battery of tests on your system's
network infrastructure (netdiag) and domain
controller functions (dcdiag)
Really just a set of "sanity test" examinations, but
still quite useful
Many writeups elsewhere, but in short…
rem remove the previous run's logs so each file holds only today's results
del dcdiag.log
del repadmin.log
del netdiag.log
rem dcdiag: /e every DC in the enterprise, /c comprehensive, /v verbose; errors also go to their own file
dcdiag /e /c /v /ferr:c:\dcdiagerrs.log /f:dcdiag.log
rem netdiag: verbose, and /l writes netdiag.log in the current folder
netdiag /v /l
rem replication status of every DC (*), all naming contexts, across sites
repadmin /showrepl * /verbose /all /intersite > repadmin.log
dsacls is a built-in XP/2003 command to view or
modify AD permissions … which means AD
delegation
Simplest form: dsacls dn-of-object shows the
current permission
Option /A says to add owner/audit info
Option /S restores to schema default
Add /T and it walks the entire tree downward
To change delegations:
/G <group/user>:<permissions> adds the permission to
the object’s ACL
/D <group/user>:<permissions> denies
/N says to replace any current ACL with the /G or /D
ACE specified
/R <group/user> removes all permissions for a given
group/user
Specify groups and users as either
group@domain, user@domain or domain\group
and domain\user
Permissions: many in the Help, most common are
GR (read), GE (execute), GW (write), GA (all – full
control)
Case seems to matter on the options
dsacls ou=marketing,dc=bigfirm,dc=com
Displays the ACLs on the Marketing OU – that is, the people and groups that can access this OU and its contents
dsacls ou=marketing,dc=bigfirm,dc=com /G [email protected]:GA
Give the "MPA" group in Bigfirm full control of the Marketing OU
dsacls ou=marketing,dc=bigfirm,dc=com /S
Reset Marketing's permissions to out-of-the-box
Ever tried to find all of the delegations that someone's got? It's hard usually…
But easy with dsrevoke.exe, from MS's Web site
dsrevoke /remove domainname\username
dsrevoke /report domainname\username
dsrevoke /report /root:ou=marketing,dc=bigfirm,dc=com domainname\username
NOTE this requires NetBIOS names; UPNs do not work!
There's a whole slew of disk maintenance and
navigation commands that are documented in
many places and that are the bedrock for a lot of
CLI work; ex:
dir, cd, md, rd, del, erase, move, copy, xcopy, fdisk
(which became diskpart in XP), format, label, vol,
rename, verify [on|off]
Several tools let you do NTFS from the command
line
CACLS (built into the system)
ICACLS: cacls’s replacement in Vista, LH, 2003 SP2
XCACLS (somewhat more complete, built into Support
Tools)
SUBINACL (a Resource Kit tool that's powerful but
buggy, so go to www.microsoft.com/downloads to get an
updated one)
These are tougher syntax-wise, but I've written
columns on them all at the Windows IT Pro site
If you've got a command prompt open, then don't
bother with Explorer's Search; use DIR with /S
For example, to search the entirety of C: for
myfile.txt, type
dir c:\myfile.txt /s
To search in the folder "c:\files" and its subfolders,
type
dir c:\files\myfile.txt /s
shutdown [-s|-r|-l] [-t ss] [-f] [-a]
-s=shut down, -r=reboot, -l=log off
-t ss lets you specify seconds; without -t, it's 30 seconds
-f forces apps that are open to just plain close, possibly losing data
-a says "there's a shutdown countdown in progress, abort it"
whoami is a Support Tool that tells you what
context you're logged in as, as in "bigfirm\mark."
But add the /all option and you get your UPN, your
SID, your group memberships, the SIDs of the
groups, and your privileges
In Vista/LH, you even get your Windows integrity
level
Vista and later have "wevtutil"; example:
wevtutil qe application /c:2 /f:text /rd:true
(Shows the two most recent events in the Application log)
/c = # events to view
/f = output format (text or whatever)
/rd = Read from the most recent ("true") or from the oldest ("false")
Also archives logs, allowing us to finally automatically archive logs!
Ever wanted to create a batch file or something similar and have it write to the Event Log?
Meet eventcreate, an XP-and-later built-in command that works remotely
eventcreate /ID eventid /L logname /SO srcname /T type /D description
logname=system, application, etc
type=error, warning or information
eventcreate /ID 833 /l system /t information /d "Just saying hi"
We tend to look at the event log after something happens
But with eventtriggers, a built-in command in XP and 2003, you can cause a program to run when something particular happens
eventtriggers /create /eid eventidnumber /tr triggername /tk actiontotake /ru usernametoruncommand /rp passwordofthataccount
In Vista/LH, it's the schtasks command, or just right-click any event in the Event Log and choose "Attach Task To This Event..."
eventtriggers /create /eid 64002 /tr sysalert /tk "net send jack123 Something's deleting system files!" /ru jack123 /rp swordfish
eventtriggers or eventtriggers /query /v will list the triggers
eventtriggers /delete /tid n deletes a given eventtrigger, or … /delete /tid * deletes them all
What if you could tell your system to e-mail you
from a command line?
Then when event X happens, you could get your
system to send you an e-mail about it
Heck, if you've got an SMS phone, then you could
even have it text you
Answer: blat, from www.blat.net
(Vista and LH do not need blat, as they’ve got
SMTP-awareness through and through)
Command-line SMTP client; example:
blat - -body "Event ID 763 happened!" -server mail.bigfirm.com -to [email protected] -f [email protected] -subject "Event 763 alert" -u joe -pw swordfish
The "blat - -body" is no typo
The –u and –pw assume that your SMTP server
needs logons; BLAT supports GSSAPI so it can do
secure logons to Microsoft and other SMTP
servers
Free download
Even includes the source
You can pre-store most of the parameters in the
Registry
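An added example (not from the deck) that combines the eventtriggers, eventcreate and blat commands from the previous slides: the batch file an event trigger runs to mail the alert. The event ID (833), c:\scripts, mail.bigfirm.com, the addresses, the /ru account and both passwords are placeholders.

```batch
@echo off
setlocal
rem event-alert.cmd -- constructed example: XP/2003 runs this file when the
rem chosen event ID is logged, and it e-mails the alert with blat.
rem
rem Register the trigger once, from an elevated prompt (all on one line):
rem   eventtriggers /create /eid 833 /tr sysalert /tk "c:\scripts\event-alert.cmd 833" /ru jack123 /rp swordfish
rem Fire a test event with eventcreate (it only accepts IDs 1-1000):
rem   eventcreate /ID 833 /l system /t information /d "alert test"
rem List or remove triggers:  eventtriggers /query /v   and   eventtriggers /delete /tid n

set EID=%~1
if "%EID%"=="" set EID=unknown

rem blat - -body ... : the lone "-" means "no input file, the body is on the
rem command line". -u/-pw are only needed if the SMTP server wants a logon;
rem pre-storing server and sender in the Registry keeps them out of scripts.
blat - -body "Event ID %EID% was logged on %COMPUTERNAME% at %DATE% %TIME%" -server mail.bigfirm.com -to admin@bigfirm.com -f %COMPUTERNAME%@bigfirm.com -subject "Event %EID% alert from %COMPUTERNAME%" -u joe -pw swordfish
if errorlevel 1 (
    rem mail failed: leave a trace in the Application log rather than dying silently
    eventcreate /ID 834 /l application /t warning /d "event-alert.cmd could not send mail for event %EID%"
    exit /b 1
)
exit /b 0
```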
So you're setting up a test Web server, or an
internal-only Web server, and you want a
certificate for it… and don't want to buy one, or
don't want to have to set up a certificate server to
crank one lousy Web cert
The answer? Selfssl, a tool that will generate a
cert and install it, all in one line
It's in the IIS Resource Kit
selfssl /t /v:ndays /n:dn
n is name
t installs it
v how many days to leave valid
example:
selfssl /T /V:200 /n:cn=web2.minasi.com
Creates and installs a cert good for 200 days on the web2.minasi.com Web server
Everything you’ve seen so far works on
Server Core, but there are a few items
that are SC-specific
Server Core and WinPE do not have the .NET
programming framework
Some command-line applications require the .NET
programming framework, so they won’t work on
those systems
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
Change fDenyTSConnections to 0
Reboot:
shutdown -r -t 0
Open the firewall:
netsh firewall set portopening tcp 3389 "Remote Desktop"
Okay, to be honest, the command line isn't the
only way to control Server Core
You can also fire up most MMCs and remotely
control SC – only remotely!
To do that, you'll need to open the SC machine's
file and printer sharing ports, though, and to do
group policies:
gpedit.msc /gpcomputer:"computername"
You may have to NET USE to C$ on the SC box to
authenticate first, however
Server Core installs new devices silently if
possible
You can configure it to accept signed drivers via
group policies
You can "introduce" a new driver to Server Core
with pnputil:
pnputil -a c:\newdrivers\scan.inf
That adds the driver package to the "driver store"
in Vista or later systems
pnputil -e enumerates all installed driver packages
pnputil -i -a package.inf adds a given package and installs it on matching devices (-i only works together with -a)
pnputil -d c:\newdrivers\scan.inf removes an existing package
driverquery lists all installed drivers
On WinPE, use peimg -- see my Newsletter #59 on my Web site www.minasi.com
Beyond Add/Remove Programs or Server
Manager…
ocsetup does the job
Note that servermanagercmd.exe does not work
on Server Core
On SC, do
ocsetup rolename
ex: ocsetup DNS-Server-Core-Role
Also DHCPServerCore, FRS-Infrastructure,
BitLocker
Of course, use dcpromo to make a DC
Case matters!
First, get the drive partitioned right
Again, no GUI, but once you install the SC role, you have a new script "manage-bde.wsf"
Simplify it by typing cscript //h:cscript
Step One: enable the TPM chip
manage-bde -tpm -t -o password
"password" is the tpm password
Step Two: encrypt the drive
manage-bde -on c: -rp
Now C: is encrypted and a recovery password has been shown on the screen
To use a USB stick, add -sk driveletter for the drive with the USB stick
Check manage-bde /? to increase encryption etc.
Get the recovery password if you forgot it:
manage-bde -protectors -get c:
Decrypt the drive:
manage-bde -off c:
I have had to skip bezillions of great commands due to time, like
robocopy (RK)
delprof (RK)
sidhist.vbs (ST)
w32tm (OS)
netsh support of Windows Firewall and IPsec (OS)
SC (RK, OS)
and many more – but I've written about many of them on the Windows IT Pro site.
Start looking for your own command line gems!
I hope I've introduced you to some of the neat
things that the command line offers
Get comfy with some of these commands and you
can get a lot done quickly
I'm at [email protected]
www.minasi.com has my free online newsletter
and technical forum
Please don't forget the evals!