Browsing Category: "Scripting"

The Scripting Games March On

Scripting April 13th, 2011

We are entering the final stretch of the Scripting Games.  There are only two more events to be published and one more week of entries.

In my time judging for the Games, I’ve written a few blog posts about some of the common issues I’ve found in the entries.  You can see all my Scripting Games related posts here.

Taking a WinDump

Scripting, Servers April 4th, 2011

I’ve had to troubleshoot a number of network related issues recently.  I love WireShark, but I don’t want to install it on every server.  I’m still a bit hesitant on installing the WinPcap drivers on servers as well, but when you need to grab network traffic on the Windows platform, it is one of the easier ways.

(Yes.. I know I should have a monitoring box on a span port that I could do this off of, but it becomes a bit more complicated in a virtual environment.)

So, I’ve compromised a bit.  I’ve been using the WinPcap drivers and WinDump from the command line to create the network captures.  Then I can use WireShark on my desktop to analyze the traffic.

The command line I used for WinDump was something like:

C:\WinDump.exe -n -s 0 -vvv -w mynetworkcapture.pcap

The “-n” skips the DNS resolution (which makes it a bit more consistent to read through). The “-s 0” captures the full packet. “-vvv” captures additional packet details. And last, but not least, “-w mynetworkcapture.pcap” is the file name (and relative path) to where the capture could be saved.

There are many, many other options, but this got me a quick grab of traffic that let me isolate my problem in WireShark and get to the resolution I needed.
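
A bounded variant of the capture above, as an added example that is not part of the original post: it limits the capture to one interface, one traffic filter and a fixed packet count, so a capture left running on a server cannot fill the disk or collect unrelated traffic. The function name, output folder and sample filter are assumptions; the interface number comes from `WinDump.exe -D`.

```powershell
# Added example (not from the original post). Function and parameter names are hypothetical.
function Start-BoundedCapture {
    [CmdletBinding()]
    param(
        [string]$WinDumpPath = 'C:\WinDump.exe',       # path used in the post
        [Parameter(Mandatory = $true)]
        [int]$Interface,                               # number listed by "WinDump.exe -D"
        [string]$Filter = 'host 192.0.2.10 and tcp port 5061',  # constructed sample filter
        [int]$PacketCount = 50000,                     # stop after this many packets
        [string]$OutputDirectory = 'C:\Captures'       # assumed location
    )

    if (-not (Test-Path -LiteralPath $WinDumpPath)) {
        throw "WinDump not found at $WinDumpPath"
    }
    if (-not (Test-Path -LiteralPath $OutputDirectory)) {
        New-Item -ItemType Directory -Path $OutputDirectory | Out-Null
    }

    # One file per run, named after the server and the start time.
    $stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
    $file  = Join-Path $OutputDirectory ("{0}_{1}.pcap" -f $env:COMPUTERNAME, $stamp)

    # -n: no DNS lookups, -s 0: full packets, -i: interface,
    # -c: exit after N packets, -w: write raw packets to the file.
    # The capture filter is passed as the final argument.
    & $WinDumpPath -n -s 0 -i $Interface -c $PacketCount -w $file $Filter
    if ($LASTEXITCODE -ne 0) {
        throw "WinDump exited with code $LASTEXITCODE"
    }

    Get-Item -LiteralPath $file
}

# Usage: Start-BoundedCapture -Interface 1 -PacketCount 10000
```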

OCS 2007 R2 Certificates

Scripting, Servers March 16th, 2011


Some of our internal certificates for OCS were coming due for replacement.  I did a simple web search for “Find all certificates for Office Communication Server 2007 R2” and I got very little help..

And of course, OCS does not support wildcard certs (but does take wildcards in Subject Alternative Names (SAN).. go figure..)

So for those who just want a reference of what certs are used where.. (Subject Name (SN) and Common Name (CN) are used somewhat interchangeably.. Common Name is the most important item to OCS)

Outcome (it’s not pretty folks…):

I give you (working from the outside in):

  1. Edge Server

    1. Description:
      1. The first cert needed is a Web Conferencing Edge Server. 
      2. SAN Required – No.
      3. These are public facing certs, so you’ll likely want to get these from a cert provider.
      4. Even if you are issuing them yourself, you’ll notice that these cert requests are generated offline, as the edge server is usually in a restricted portion of the DMZ without direct access to your internal CA.
    2. Example:
      1. SN:
    3. Command:
      1. To create the cert request: LcsCmd /cert /action:request /friendlyname:"Web Conference Edge" / /ou: IT /org:MOR /city:SomeWhere /state:Else /country:US /fileName:"C:\CertHold\webedge.req" /L
      2. To import the response: LcsCmd /cert /action:ImportResponse /fileName:"C:\CertHold\CAResponse.cer" /assign:true /Components:DP /L
    4. Description:
      1. The second cert required is for Audio/Video Authentication Edge Server.
      2. SAN Required – No.
      3. This is used for internal communication to the rest of the OCS infrastructure.
      4. If you are using an internal cert, you will have to install the certs on the cert chain as well to make them trusted on this server.
    5. Example:
      1. SN:
    6. Command:
      1. LcsCmd /cert /action:request /friendlyname:"AV Edge" / /ou: IT /org:MOR /city:SomeWhere /state:Else /country:US /fileName:"C:\CertHold\avedge.req" /L
      2. LcsCmd /cert /action:ImportResponse /fileName:"C:\CertHold\CAResponse.cer" /assign:true /Components:MR /L
    7. Description:
      1. The third cert is required for the Internal Edge. 
      2. SAN Required – No.
      3. This is for encrypting and decrypting traffic between external clients and the “next hop” server (usually the director or pool).
      4. This can be an internally issued cert.
    8. Example:
      1. SN:
    9. Command:
      1. LcsCmd /cert /action:request /friendlyname:"Internal Edge" / /ou: IT /org:MOR /city:SomeWhere /state:Else /country:US /fileName:"C:\CertHold\internaledge.req" /L
      2. LcsCmd /cert /action:ImportResponse /fileName:"C:\CertHold\CAResponse.cer" /assign:true /Components:INTERNAL /L

    10. Description:
      1. The fourth cert required covers the Access Edge.
      2. SAN Required: Possible, if there are additional domains covered for external access.
      3. This is for the default address.
    11. Example:
      1. SN:
      2. SAN:
    12. Command:
      1. LcsCmd /cert /action:request /friendlyname:"Access Edge" / /ou: IT /org:MOR /city:SomeWhere /state:Else /country:US /, /fileName:"C:\CertHold\accessedge.req" /L
      2. LcsCmd /cert /action:ImportResponse /fileName:"C:\CertHold\accessedge.cer" /assign /Components:AP /L

  2. Reverse Proxy

    1. Description:
      1. The Reverse Proxy provides a way for external users to access content, expand address lists, and otherwise do things that require more access.
      2. SAN Required – Maybe.
    2. Example:
      1. SN:
    3. Command:
      1. LcsCmd /cert /action:request /friendlyname:"Web Proxy External" / /ou: IT /org:MOR /city:SomeWhere /state:Else /country:US /fileName:"C:\CertHold\webproxyext.req" /L
      2. LcsCmd /cert /action:ImportResponse /fileName:"C:\CertHold\CAResponse.cer" /L
  3. CWA Server

    1. Description:
      1. The CWA certificate supports IM, PSTN call in, desktop sharing, etc..
      2. SAN Required – Yes.
      3. Note – The DNS name might be behind a reverse proxy.. in that case, you might need two certs (an internal and a public cert).
    2. Example:
      1. SN:
      2. SAN:,,
    3. Command:
      1. LcsCmd /cert /action:request /online:false /friendlyname:"CWA" / /ou: IT /org:MOR /city:SomeWhere /state:Else /country:US /san:,, /fileName:"C:\CertHold\CWAext.req" /L
      2. LcsCmd /cert /action:ImportResponse /fileName:"C:\CertHold\CWAResponse.cer" /assign:true /L
  4. Director

    1. Description:
      1. SN set to the FQDN of the director.
      2. SAN Required – Yes, set to the SIP DNS for each domain. 
    2. Example:
      1. SN:
      2. SAN:
    3. Command:
      1. LcsCmd /Cert /Action:request /online:true /assign:true /\MOR-CA /caAccount:MOR\Admin /caPassword:P@ssword1 /friendlyname:"MOR-Director SIP"/ /OU: IT /org:MOR /city:SomeWhere /state:Else /country:US /san:* /L
  5. Mediation Server

    1. Description:
      1. The Mediation Server coordinates enterprise voice traffic
      2. SAN Required – No.
    2. Example:
      1. SN:
    3. Command:
      1. LcsCmd /cert /action:request /online:true /friendlyname:"Mediation Server" / /ou: IT /org:MOR /city:SomeWhere /state:Else /country:US /fileName:"C:\CertHold\mediation.req" /L
      2. LcsCmd /cert /action:ImportResponse /fileName:"C:\CertHold\CAResponse.cer" /assign:true /L
  6. Front End Server

    1. Description:
      1. SN set to the FQDN of the enterprise pool name or server. 

      2. SAN Required – Yes, set to any alternative DNS names for the pool and server. 
    2. Example:
      1. SN:
      2. SAN:,,
    3. Command:
      1. LcsCmd /Cert /Action:request /online:true /assign:true /\MOR-CA /caAccount:MOR\Admin /caPassword:P@ssword1 /friendlyname:"MOR-FE Front End SIP" / /OU: IT /org:MOR /city:SomeWhere /state:Else /country:US /san:*, /L
  7. Group Chat

    1. Description:

      1. The Group Chat cert should reference the DNS for the Group Chat server.
      2. SAN required – Maybe, if you have multiple DNS entries for group chat.
    2. Example:
      1. SN:
      2. SAN:
    3. Command:
      1. LcsCmd /cert /action:request /online:true /friendlyname:"Group Chat Server" / /ou: IT /org:MOR /city:SomeWhere /state:Else /country:US /, /enableClientEKU:TRUE /fileName:"C:\CertHold\groupchat.req" /L
      2. LcsCmd /cert /action:ImportResponse /fileName:"C:\CertHold\CAResponse.cer" /assign:true /L
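
One way to find which of the certificates listed above are coming due, run on each OCS role server (an added example, not part of the original post). It reads the local machine store and reports the subject, SAN entries and days remaining; the function name and the 60-day default are assumptions, and the friendly names are the ones set with /friendlyname in the requests.

```powershell
# Added example (not from the original post). Function name and defaults are hypothetical.
function Get-ExpiringCertificate {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',  # where assigned server certs live
        [int]$Days = 60,                               # report certs expiring within this window
        [string]$FriendlyNameLike = '*',               # e.g. '*Edge*' to match the names above
        [datetime]$AsOf = (Get-Date)
    )

    $cutoff = $AsOf.AddDays($Days)

    Get-ChildItem -Path $StorePath |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        Where-Object { $_.NotAfter -le $cutoff -and $_.FriendlyName -like $FriendlyNameLike } |
        ForEach-Object {
            $cert = $_
            # Subject Alternative Name is extension OID 2.5.29.17;
            # Format($false) renders its entries as one line of text.
            $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

            [pscustomobject]@{
                FriendlyName  = $cert.FriendlyName
                Subject       = $cert.Subject
                SAN           = if ($sanExt) { $sanExt.Format($false) } else { '' }
                NotAfter      = $cert.NotAfter
                # Negative values mean the certificate has already expired.
                DaysLeft      = [int][math]::Floor(($cert.NotAfter - $AsOf).TotalDays)
                HasPrivateKey = $cert.HasPrivateKey
                Thumbprint    = $cert.Thumbprint
            }
        } |
        Sort-Object NotAfter
}

# Usage: Get-ExpiringCertificate -Days 90 | Format-Table FriendlyName, Subject, DaysLeft -AutoSize
```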

2011 Scripting Games Are Coming!

Scripting March 10th, 2011

The 2011 Scripting Games start on April 4th.

This year is the first year that all the scripts must be in PowerShell.

If you are not familiar with the Scripting Games, they are two weeks of real world inspired challenges that allow you to demonstrate your scripting chops.  Every day a new challenge (or event) is revealed.  There are two categories, Beginner and Expert, so there are challenges for everyone, no matter how experienced.

After each event is revealed, competitors can submit their scripts to the Scripting Games PoshCode repository, where internationally recognized judges will score every submission (guess what.. I’m a judge this year..).  After the event closes, an “Expert Solution” will be provided as a sample of how the event could be solved, including an explanation on how they got there.

If you are new to scripting, this is a great way to get started, no pressure, with real examples and solutions from recognized experts.

If you really want to find out more about how the event runs, take a look at last year’s events and solutions..

Or check out the 2011 Scripting Games Study Guide.

This is a great opportunity to flex your scripting might or start building your scripting muscles..

Hope to see you there!

Starting Performance Monitoring

Automation, Scripting, Servers December 30th, 2009

Previously, I’ve been in control of the environment that I have been monitoring, so I was able to integrate that performance monitoring into PolyMon.  Now that I have a slightly different scenario, I’ve had to modify my performance monitoring strategy.

I’ve mainly been concerned about general server performance, as well as IIS and SQL performance (Basic, IIS, SQL 2005, IIS and SQL 2005), so I’ve been using counter sets that mirror that.

Then I wrapped a couple of calls to logman.exe, which is the command line interface to PerfMon counters.

To create the counter, I used

logman create counter BlackBox -v mmddhhmm -cf Counters.txt -si 00:10 -f bincirc -o "c:\Perflogs\Blackbox_%computername%" -max 250

which creates a counter named “BlackBox” (like a flight recorder).

The command also:

  • reads in the counters from a text file (see my examples above). 
  • sets the sample interval to be every 10 minutes (“-si”).
  • sets the log file format to a binary circular file (set by “-f”), which would be a maximum of 250 MB (set by “-max”)
  • sets the log file location and name (using the computer name environmental variable to append the computer name to the log file) and the “-v” option also adds the month, day, hour, and minute of the start of the log to the file name.

After creating the counter, I used

to start the capture of the counter information.

Finally, I have another command to stop the capture, so when there is an issue or after a specified period of monitoring, I can grab the log file and feed it to PAL or load it in PerfMon (on Server 2008 or greater – as PerfMon got some nice feature bumps with the more recent releases) and analyze it there or export it to a CSV file to slice into it with Excel.
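
The create, start, stop and export steps described above, wrapped as PowerShell functions (an added example, not the original post's wrapper script). The function names, the sample counter list and the CSV naming are assumptions; the logman options mirror the command shown earlier, and relog.exe does the CSV conversion.

```powershell
# Added example (not from the original post). Function names are hypothetical.
$Collector = 'BlackBox'
$LogDir    = 'C:\Perflogs'

function Invoke-Native {
    param([string]$Exe, [string[]]$Arguments)
    # Run a console tool and turn a non-zero exit code into a terminating error.
    $output = & $Exe $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed: $output" }
    $output
}

function New-BlackBoxCollector {
    if (-not (Test-Path -LiteralPath $LogDir)) {
        New-Item -ItemType Directory -Path $LogDir | Out-Null
    }
    $counterFile = Join-Path $LogDir 'Counters.txt'
    if (-not (Test-Path -LiteralPath $counterFile)) {
        # Constructed sample counter set, one counter path per line.
        @('\Processor(_Total)\% Processor Time',
          '\Memory\Available MBytes',
          '\PhysicalDisk(_Total)\Avg. Disk Queue Length') |
            Set-Content -LiteralPath $counterFile -Encoding ASCII
    }
    # logman reads -si as [[hh:]mm:]ss, so a ten-minute interval is written 00:10:00.
    Invoke-Native logman.exe @('create', 'counter', $Collector, '-v', 'mmddhhmm',
        '-cf', $counterFile, '-si', '00:10:00', '-f', 'bincirc',
        '-o', (Join-Path $LogDir "Blackbox_$env:COMPUTERNAME"), '-max', '250')
}

function Start-BlackBox {
    Invoke-Native logman.exe @('start', $Collector)
}

function Stop-BlackBox {
    # Stop the collector, then convert the newest binary log to CSV.
    Invoke-Native logman.exe @('stop', $Collector) | Out-Null
    $log = Get-ChildItem -Path $LogDir -Filter "Blackbox_$env:COMPUTERNAME*.blg" |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
    if (-not $log) { throw "No BlackBox log found in $LogDir" }

    $csv = Join-Path $LogDir ($log.BaseName + '.csv')
    # -f csv: output format, -o: output file, -y: overwrite without prompting.
    Invoke-Native relog.exe @($log.FullName, '-f', 'csv', '-o', $csv, '-y') | Out-Null
    Get-Item -LiteralPath $csv
}
```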

Have Fun!


Runas Radio Shows –

Technet Article – Taking Your Server’s Pulse

PAL – Performance Analysis Of Logs

More PowerShell on the Thirsty Developer

Scripting June 7th, 2009

Larry Clarkin asked me back on the Thirsty Developer to continue talking about development and PowerShell.  We talked about creating cmdlets, hosting PowerShell, and a bit about Version 2.  Check it out here.

Are you following the PowerShell Twitterers?

Automation, Scripting December 26th, 2008

If you are interested in PowerShell and are on Twitter, I’ve compiled a (continuously expanding) list of Twitterers who often have PowerShell related content.

To make it a bit easier, I’ve written a script that will parse that list, compare it to whom you currently follow, and follow anyone you are missing.

The script (Add-PoShTwitterFriend) can be found here.

The list of PowerShell Twitterers can be found here.   If you are into PowerShell and on Twitter but not on the list, let me know (@stevenmurawski), I know I’m missing some people.


UPDATED…. Thanks to a tip from Jeffery Hicks, I updated the Add-PoshTwitterFriend script so it should run more smoothly

The Most Compelling Feature of PowerShell

Automation, Scripting December 22nd, 2008

I’m often asked why I like PowerShell so much. There are a number of reasons, but what I find most compelling about PowerShell is that it is an enabling technology.  With PowerShell, I am in charge of my admin might.  There is nowhere my shell cannot reach…  (ok.. maybe I’ve watched a few too many Conan movies).  The point is that I don’t have to rely on an outside party to customize their management experience to my environment.

With applications that support PowerShell, my general Active Directory environment, and those applications and datastores that can be coerced into working with PowerShell, PowerShell provides me a way to create the management tools that I need, specific to my environment.

  • My custom .NET based application with a SQL backend doesn’t keep user information synchronized with my Active Directory.. No problem, schedule a PowerShell script to run and verify the information.
  • Want to take a look at the door access control system users and find the users whose Active Directory accounts are disabled? Not a problem for PowerShell.
  • Have fifty new user accounts that need to be added to both those applications and Active Directory and need mailboxes enabled? PowerShell to the rescue.
  • Need to retrieve a photo that is stored as a BLOB in a database and save it to your local filesystem? Easy, with a bit of PowerShell.
  • Want to read through an XML Configuration file, find a few elements and verify them against machine settings or other configurations? Can do! XML is a breeze to work with in PowerShell.

PowerShell allows me to create and define my own administrative tasks through the creation of scripts, functions, and cmdlets, which empowers me as an administrator to get my job done in as efficient a manner as possible.  I can also modularize my tasks (which makes them easier to share).  By isolating the tasks into reusable bits of PowerShell, I can quickly respond to a changing environment, creating custom workflows as needed.

If I’m having trouble with my task, I can turn to the PowerShell chat room on, ask a question in the forums at PowerShellCommunity.Org, or turn to one of the numerous books, blog entries, or script samples from for inspiration.

Then, once I’ve solved a problem, I can share the solution with others via a community site like

You’re Not Where You Think You Are…

Scripting December 18th, 2008

I was writing a quick script to get the Group Policy Health status (using the free Get-SDMGPHealth cmdlet from SDM Software) from computers in various OU’s in my domain.

One option for output from the Get-SDMGPHealth cmdlet is as an XML Document, which is a type of object.  One of the methods (actions an object can take) on the XML Document is the Save() method.  The Save() method does exactly what it says.. it saves the XML Document object as an XML file.

I was using the PowerShell Plus script editor and the interactive console showed my working directory as “C:\documents and settings\myaccount\”.  I ran the script and did a directory listing (I was saving the output with a file name of  “computer name”.xml), but did not see any output.  I ran it again and again, but nothing was writing to the current directory.

I remembered a post that Joel “Jaykul” Bennett wrote about the “Current Directory” problem in PowerShell.  Joel posts an interesting explanation of this issue, as well as a great solution to this problem by modifying the PowerShell prompt function. 

This issue can be a problem when you are providing a relative path to a .NET method call (which will resolve the full path by using what it sees as the Current Directory).  If you want to avoid all of this, you could pass in full paths (the Resolve-Path cmdlet comes to mind).

Now, you will know where you are! 🙂
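
The mismatch described above, reproduced in a throwaway folder (an added example, not part of the original post). It shows where a .NET call would resolve a relative file name versus where PowerShell thinks you are, then saves with a full path; `Resolve-FullPath` and `Show-DirectoryMismatch` are hypothetical helper names, and the XML is a constructed stand-in for the cmdlet output. Unlike Resolve-Path, the helper also works for a file that does not exist yet.

```powershell
# Added example (not from the original post). Helper names are hypothetical.
function Resolve-FullPath {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Resolves against the current PowerShell location and does not
    # require the target file to exist.
    $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Path)
}

function Show-DirectoryMismatch {
    param([string]$FileName = 'computer1.xml')

    # Work in a temporary folder so nothing is left behind.
    $workDir = Join-Path ([IO.Path]::GetTempPath()) ('cwd-demo-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $workDir | Out-Null
    Push-Location $workDir
    try {
        # Constructed sample document standing in for the cmdlet's XML output.
        [xml]$doc = '<GPHealth computer="computer1" status="constructed sample" />'

        # .NET resolves a relative name against the process directory,
        # which Set-Location / Push-Location do not change.
        $dotNetTarget = [IO.Path]::GetFullPath($FileName)

        # Resolve against the PowerShell location and save there instead.
        $psTarget = Resolve-FullPath $FileName
        $doc.Save($psTarget)

        [pscustomobject]@{
            PowerShellLocation = (Get-Location).ProviderPath
            ProcessDirectory   = [Environment]::CurrentDirectory
            DotNetWouldWriteTo = $dotNetTarget
            SavedTo            = $psTarget
            SavedFileExists    = Test-Path -LiteralPath $psTarget
        }
    }
    finally {
        Pop-Location
        Remove-Item -LiteralPath $workDir -Recurse -Force
    }
}

# Usage: Show-DirectoryMismatch | Format-List
```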

Mapping Out your Active Directory – Now in Color!

Scripting December 15th, 2008

Recently, I posted a script that would map out various Active Directory objects using Doug Finke’s Show-Netmap script and the .NetMap research project from Microsoft.

Doug Finke was recently a featured guest on the Powerscripting Podcast and was talking about using .NetMap with PowerShell.  I was able to be in the Ustream audience during that show and asked if Doug was aware of what was happening with the .NetMap project, since the Codeplex project was unavailable.  One possible explanation was that a developer had left Microsoft and perhaps there were some intellectual property issues.

Well, I found out some of what happened.  One of the developers did, indeed, leave Microsoft to join Telligent, but the project has resurfaced under the name NodeXL.  All of the goodness that was .NetMap is now NodeXL and available on Codeplex.

I’ve modified the Show-Netmap script to Show-NodeXLMap, and updated the Get-ADMapObject script to the Show-ADObject script.  Both the Show-NodeXLMap and Show-ADObject scripts now support adding color to the maps.


./Show-ADObject -ShowADClasses #Lists out all the available Classes or types you can map out

./Show-ADObject -ADClass group, organizationalunit, contact -Colorize #Maps out the groups, contacts, and OU’s.  Groups will have one color, contacts a second color and OU’s a third.  The color key will print out to the console.

./Show-ADObject group, organizationalunit, contact -MapLayout Grid

I’ll be updating and re-posting my Group Association script to support the new NodeXL project and colored objects.

You can download all the necessary files (except the Quest AD Cmdlets) here.

If you are interested in this type of network mapping, check out Doug’s other examples.