Sunday, May 30, 2010

Making Windows PowerShell your own

Previously we looked at some of the different ways one can extend Windows PowerShell. Now we'll learn some basic for actually using these methods.

You may notice that I've skipped creating snap-ins here, as that requires developer skills. Also, we will cover modules and advanced functions in detail in a future article.


Functions are one of the elementary building blocks of Windows PowerShell, and they can vary in complexity from a single line to full-blown modules. Still, the basic format and components remain the same.

The most basic syntax is:
function <> { <> }

The standard format contains four basic constructs, which are Param and three script-blocks or clauses -- Begin, Process and End.

  • Param -- Defines parameters for the function. If not provided, the function will use groups the parameters passed to the function in a variable called $args.
  • Begin (script-block) -- Begin is used for function setup. This code is only called the first time a function is initialized.
  • Process (script-block) -- Process is used in a pipeline and is processed for every item in the pipeline. You reference the current item using "$_".
  • End (script-block) -- End is ... well, the end. Just like Begin, it is only processed once, but instead of during initialization it is processed right before the code is completed. It is also the default block, which means if you do not specify any code blocks it implies that all the code is the end block.

Example of syntax:
Function <>

# Script Blocks

    Note: Notice the {} on the end of each script block. The code is placed in between. For example: Process { Write-Host "Processing element $_" }

For more details try Get-Help about_functions.


I almost didn't want to mention these, but I decided it would be a disservice to the reader not to. Filters are not used very often in Windows PowerShell and are really not needed. This is just like a function but all the code is run as "Process".

Again, for more details try Get-Help about_functions.


A script in its simplest form is one or more Windows PowerShell commands saved in a .ps1 file. There is the famous "Hello World" example in PowerShell, which is very much like a batch file except it can support the same constructs as a function. In actuality, you can simply remove the function {} from a function and save it in a file to have a script:

Begin{"Initializing Script with Parameter $Name"}
Process{" You just passed $_ to me"}
End{" Jobs done… lets cleanup"}

For more details, try Get-Help about_scripts.


A profile is basically just a Windows PowerShell script that is processed every time PowerShell is started. This is similar to autoexec.bat from back in the old days. We've covered profiles in Windows PowerShell before, so I won't rehash it again here. I will let you in on a little known fact though: PowerShell has a built-in variable with all the profile locations wrapped up nicely for you. This can be used to create and edit your profile:

  • $Profile -- This is the built-in variable that contains information about profile location. It contains four useful properties discussed below.
  • $Profile.AllUsersAllHosts -- Contains the location of the All Users profile (Global) for all PowerShell hosts.
  • $Profile.AllUsersCurrentHost -- Contains the location of the All Users profile (Global) for the current PowerShell host.
  • $Profile.CurrentUserAllHosts -- Contains the location of the Current User profile for all PowerShell hosts.
  • $Profile.CurrentUserCurrentHost -- Contains the location of the Current User profile for the current PowerShell host.

To wrap up, these are just a few ways you can customize and extend Windows PowerShell for your own use. By using functions, scripts, and creating a custom profile, you can start down the road to nirvana when it comes to an automation environment.

How to customize your Windows PowerShell environment

One of Windows PowerShell's strongest traits is its extensibility. The scripting engine can be customized in many ways and extended to include functionality not available by default. Once you understand the basic terms and cmdlets, personalizing PowerShell is the next step.

Controlling your PowerShell environment

With scripting environments, there is no such thing as one size fits all. But users can control what Windows PowerShell does at start up with the following:

  • Profile
    A profile is a script that runs when PowerShell starts up. (I like to think of it like an autoexec.bat for PowerShell, which may be old school but it's still applicable.)

    There are two types of profiles, and they can be stored in two locations:

    1. System profiles -- Apply to all PowerShell sessions
    2. Host-specific profiles -- Only apply to a specific host (i.e. PS+).
  • Global
    Located in $PShome, which is in System32 of the system ( C:windowssystem32WindowsPowerShellv1.0), this profile applies to all PowerShell sessions launched on the host.
  • User
    This user-specific profile is the last profile to load. It is located in $Env:UserProfileDocumentsWindowsPowerShellprofile.ps1.

PowerShell also lets you create custom hosts with their own profiles, but that is beyond the scope of this series and delves deep into the developer space.

More PowerShell lessons from the Scripting School

What makes Windows PowerShell unique?

The terms and commands you absolutely need to know

Extending PowerShell's functionality

Although most scripting environments include a process for extensibility, these methods are often convoluted and reserved for more experienced users. Windows PowerShell, however, offers several levels of extensibility that even the most novice users can use.

  • Function
    Functions are the easiest to add -- simply wrap a command in a function block (function {command}) -- and let the user create cmdlets of their own that can be loaded via a profile and are accessible on demand.
  • Snap-in
    Snap-ins are the primary method for adding binary cmdlets to a PowerShell session in version 1.0. Compiled code delivered by an application provider like Citrix, Vmware or Exchange, snap-ins are controlled by two cmdlets: Get-PSSnapin and Add-PSSnapin.
  • Module
    Introduced in Powershell 2.0, modules provide a bridge between functions (admin-centric) and snap-ins (developer-centric). Modules can be loaded on-demand and can contain binary cmdlets, functions and scripts, which are managed with the following:

    • Get-Module -- Gets currently loaded modules
    • Import-Module -- Imports a module
    • Remove-Module -- Removes a module from the current session
    • New-Module -- Creates a module that lives in memory only.

Overall, there is plenty of room for growth in Windows PowerShell -- for everyone from the novice admin to the most experienced developer. Check out the following cmdlets for more information:

  • Get-Help about_profiles
  • Get-Help about_functions
  • Get-Help about_PSSnapin
  • Get-Help about_modules

Windows scripting for beginners,289142,sid68_gci1077544_mem1,00.html

Many people find the idea of administrative scripting intriguing, but also intimidating. This is especially the case if you're not sure what you can accomplish with a script that you can't accomplish from a GUI. You may fear that the learning curve will be excessive, and if you've decided that scripting is too arcane to bother with, you're not alone.

However, scripting is a lot simpler than it looks. If you begin at the beginning, you can save yourself substantial time and effort.

My new column will help you learn to script in small steps. In today's premiere column, I'll explain when to script a task, and I will introduce some basic concepts you'll find useful. Next month we'll explore some more advanced concepts: procedures and operations, and I will expand on the basic concept of objects. I'll refer to these columns in later columns as we develop working scripts.

Once I've introduced the concepts, this column will look at how to use VBScript to perform common tasks by first introducing the task to accomplish and then walking you through the code. The tasks I'll illustrate are based on real tasks, so I encourage you to send me questions, with a couple of caveats: This column can't provide scripts for every occasion, and I can't provide extensive debugging support through e-mail.

I encourage you to think of this column as a serialized book that can respond to your questions. If you need something clarified, ask. You're probably not the only person with that question. You can e-mail your questions to

Why Script?
The main reason to script is to automate repetitive tasks such as changing a password for a user. Scripting tasks let you perform them quickly and consistently and even allow you to delegate tasks to inexperienced administrators. If you're only going to perform a task once, then scripting it doesn't usually make any sense -- by the time you've scripted it, you could be done.

Scripting can also provide functionality that's not available through the graphical interface. The operating system can do many things that the GUI doesn't support, just because including everything in a dialog box would clutter the GUI into an unreadable mess. Actually, though, those features are available -- you just have to make them accessible.

Command-line tools found in the OS or as part of the Resource Kit are an alternative to scripting, but they're not as flexible as the more modular VBScript. You don't have to choose between existing command-line tools and the ones you create; however, it's possible to call on existing programs from a script.

I'm going to begin by defining some key terms. I will also cover scripting hosts, how to interpret scripts and the kinds of data types you will use.

Beginner's guide to scripting

Objects, properties and methods
Scripting hosts and the interpreter
How are scripts interpreted?
Data types you'll use

Objects, properties and methods

Objects are at the core of most scripts. Objects represent parts of the operating system, or user accounts, or parts of the computer, or... you get the idea -- they're a way of representing anything that you can manipulate with the script.

Objects are nouns. Adjectives describe nouns; properties describe objects. Object properties may be a printer's name, a network card's IP address or whether DHCP is enabled for a particular network card. In the same vein, verbs manipulate nouns; and methods manipulate objects. Methods are less common; relatively few objects have true methods -- but one method could be telling a computer to reboot. "Reboot" would be the method.

We'll talk more about kinds of objects and where they come from in next month's column (the second half of defining terms). But, for now, walk away with this: Your scripts will often deal with objects, and to manipulate those objects you will change or read their properties. And, less frequently, you will use object methods to take some action.

Scripting hosts and the interpreter

You get to objects through the scripting host. A scripting host is the operating environment for a script. Windows doesn't understand VBScript -- it needs an interpreter.

When Windows encounters a file with a recognized scripting extension, the OS passes the script to the scripting host. The scripting host interprets the script, then passes the script's message to Windows for execution. A scripting host doesn't understand all scripts; it understands only the ones written in languages -- script engines -- that the host supports.

Windows has two scripting hosts: Microsoft Internet Explorer (MSIE) and Windows Scripting Host (WSH). This column will focus on WSH and the VBScript script engine.

How are scripts interpreted?

Each line in a script is a statement that tells the computer what to do next.

Executable statements, the statements that have some result, usually have a simple verb-object form. A conditional statement would outline the conditions under which the verb-object combination applies.

Nonexecutable portions of a script are called comments; they're preceded with the word "Rem" or an apostrophe. Comments document the script for future reference. You can also add Rem or an apostrophe to the beginning of an executable line to disable that line for debugging purposes.

The scripting host interprets lines of code from left to right and top to bottom, so you can, for example, gather information in line 10 of the script, then manipulate that information in line 30. Procedures, collections of statements that run only when the script calls them, are the exception to this rule. They don't run until and unless they're called, and then they execute immediately, regardless of their physical position in the script.

Data types you'll use

VBScript recognizes four types of data: numbers, strings, dates and times, and Boolean statements. Numbers are, well, numbers such as 2 or 9458. Strings are any combination of characters enclosed within quotation marks. Date and time information must be within octothorps (#) and follow VBScript's conventions for date and time information. Boolean statements are either TRUE or FALSE, as in x

VBScript sees all four of these data types as subsets of a larger data type, called type variant, which can contain any kind of data. This means that you don't have to tell VBScript what type of data you're feeding it. (It will try to guess, so sometimes you will need to be specific. I'll talk about how to specify the data type -- for example, telling VBScript to interpret "45" as text, not a number -- next month.) Groups of like data are called arrays.

You could hard-code the data you're working with into a script, but to make it easier, VBScript supports a structure called a variable, which can be populated by any data type required. Variables can, and often do, change value in the course of a script. Another structure that abstracts the interface to the data is called a constant. Unlike variables, constants always represent the same data, such as a button saying "No."

Beginner's guide to scripting: Summary

If you're new to scripting, I've probably hit you with enough information for now.

In my next column, I'll finish explaining the background you will need to create working scripts of your own.

Windows PowerShell and VBScript compared,289142,sid68_gci1246283_mem1,00.html

I first wrote about Windows PowerShell, Microsoft's new shell interface for managing Windows from the command line, in my October 2006 column. Historically, Microsoft has not supported managing Windows from the command line. Yes, Windows has always had a set of command-line tools, and tools like VBScript have been available, but when it comes to performing complex tasks, or tasks not previously anticipated by the system designers, Windows' command line performance couldn't compare to its graphical performance.

Why? For starters, the command line was inconsistent. For example, performing a task with one tool didn't guarantee that the knowledge could be applied elsewhere since the syntax and structure were not fixed.

How PowerShell differs from other languages
But Microsoft eventually developed a shell language that was more flexible than its predecessors. This language, called Windows PowerShell, is more succinct than the interpreted languages people had been using for administrative scripting. It also adds support for .NET.

With Windows PowerShell, you can access many different kinds of objects in the OS. It also has many objects and commands built into it, and once you gain expertise in using it, you can add more if you find it lacking. And since it is a shell, users can test out commands on the fly in a way that is not possible with VBScript.

We've been discussing VBScript for two years, but now that Microsoft has finally released Windows PowerShell, it's time to download PowerShell and see what this more flexible tool can do. Make sure you choose the right version. Also, if you don't already have .NET 2.0 installed on your computer, you'll need to get that as well.

Now that you have access to PowerShell, let's take a closer look at how it works.

About Cmdlets: PowerShell's core instructions
Cmdlets are the core instructions built into PowerShell, aggregated collections of functions that you're likely to want that have been given an easy-to-use title.

Two points to remember
  • PowerShell has a long list of flexible functions called cmdlets that you can use to manipulate the system.
  • These cmdlets follow the same syntax, making PowerShell a quick learn as compared to the command prompt.

Once PowerShell is installed, start it. You'll open a new command window that looks a bit like the regular command line. Forget about "Hello, World"-- the first thing you're going to do with PowerShell is get the status of all the services on your computer.

In VBScript, this is not difficult but takes a bit of typing and talking to Windows Management Instrumentation (WMI). From the Windows command prompt, close the command prompt and open the Services tool because the command prompt doesn't supply this kind of information. In PowerShell, enumerating all the services on the local computer looks like:


Note: How did I know that? I typed Get-Command. On its own, this cmdlet returns a list of all cmdlets and a short look at their syntax. In combination with any cmdlet, Get-command gets you help for that cmdlet.

Type that, and you'll spit out a list of the services on your computer, their status, and their display names, like this partial list:

Stopped  AppMgmt            Application Management
Stopped aspnet_state ASP.NET State Service
Running Ati HotKey Poller Ati HotKey Poller
Running AudioSrv Windows Audio
Running BITS Background Intelligent Transfer Ser...
Running Browser Computer Browser

This works because PowerShell anticipates that it would be good to be able to see a list of services and their status, and so creates a cmdlet (a built-in function, in VBScript) that creates this list. But it doesn't stop there.

I have VMware currently running my computer. Frankly I don't need all its services to be on, since I'm not running any virtual machines, and I'd like to save the memory. So let's find and stop all the VMware-based services. To find them, I'll use the command below, which tells Get-Services to return only the services beginning with VM.

Get-Service vm*

Note: As you can see, PowerShell takes wildcards -- a big improvement over VBScript!

That command returns this output:

Status   Name               DisplayName
------ ---- -----------
Running VMAuthdService VMware Authorization Service
Running VMnetDHCP VMware DHCP Service
Running vmount2 VMware Virtual Mount Manager Extended
Running VMware NAT Service VMware NAT Service

While it seems I managed to avoid any non-VMware services, what if I'm not sure that I got all the VMware-related services? I'll use the command below to search by display name, since "VMware" appears in every display name.

Get-Service -displayname *VMware*

I receive the same output -- indicating that I've found all such services.

Now let's stop these services. This calls for a new cmdlet: Stop-Service. I could use Stop-service on its own, but I can also combine it with the command I used to find all the VMware-based services, by separating the two halves of the command with the pipe operator. Note that I'm performing one command—"get-service"— then sending its output, through the pipe operator, to "stop-service".

get-service -displayname *VMware* | stop-service

PowerShell shows the progress as these services stops, then returns to the prompt. Now, when I run Get-Service all those services are stopped. And if I want to start my VMs again, I enter:

get-service -displayname *VMware* | start-service

As you can see, with PowerShell you can create a simple one-line command to do something that would take multiple commands in VBScript.

Windows PowerShell: What you absolutely need to know,289483,sid68_gci1513245,00.html?ShortReg=1&mboxConv=searchWindowsServer_RegActivate_Submit&

Now that you are convinced that Windows PowerShell is the best thing since slice bread -- you are convinced, right? -- let's take some time to tackle the hurdle that slows most people down: discovery. In other words, how do you find what you need without lengthy Google/Bing searches?

The challenge with any new technology involves learning how to learn it. Every technology has its own concepts and terminology that make it unique, and understanding these concepts is generally the biggest obstacle you'll face.

The creators of Windows PowerShell truly understood this and added some built-in cmdlets to help with learning PowerShell. I will go over the top five such cmdlets in this article.

Before we get to that though, let's look at some of the basic PowerShell terminology for those who are really new to it.

  • Cmdlets -- These are the foundation of Windows PowerShell as well as the source of most confusion. They are like both intrinsic and native commands, but they are also neither. I find it easiest to just think of them as small little snack packs of code that are available regardless of location.
  • Functions -- These are very similar to cmdlets except they are generated on the fly using the key work "function".

    Example: function foo {"I'm Foo"}

  • Parameters -- Named value passed to a cmdlet or function.
  • Objects -- Item(s) returned from cmdlets/functions. Objects have both properties and methods. Speaking of which…
  • Properties -- Attributes that are used to describe an object.
  • Methods -- Actions performed by an object.
  • Variables -- These are objects used to store data.
  • Pipelines -- This refers to the concept of passing object(s) from one command to another. This is done by using the pipeline operator "|" .
  • Aliases -- Gives users the ability to provide abbreviations for cmdlets.
  • ScriptBlock -- A block of code wrapped in "{" and "}" .

    Example: {Write-Host "This is a ScriptBlock"}

Now let's start the breakdown of important cmdlets. The characters in parenthesis are the aliases for each cmdlet:

  • Get-Help (help:) -- As you learn Windows PowerShell, this cmdlet will be your bread and butter. As you can guess, it provides help for cmdlets or PowerShell concepts.

    If you want to know more about something, you can start by simply passing it to Get-Help. This will provide you with a direct response or give you a list of help files that apply (PowerShell 2.0-only.) Get-Help has three parameters that control the amount of data returned: Detail, Full, and Example.

    Syntax: Get-help
    Example: Get-Help Get-Member

  • Get-Member (gm:) -- This is arguably PowerShell's most important cmdlet. It allows you to "discover" what properties and methods a given object has. After all, you can't do very much with properties if you don't know they are there.

    Syntax: | get-member
    Example: Get-ChildItem | Get-Member

  • Get-Command (gcm:) -- By now I am sure you are seeing the pattern. Get-Command simply gets you commands. These commands can be cmdlets, functions, aliases, and applications.

    Syntax: Get-Command –commandtype
    Example: Get-Command –commandtype cmdlet

  • Foreach-Object (%:) -- This cmdlet is used to process items in a pipeline. For each object in the pipeline it will process script, block inserting the current object in place of "$_".

    Syntax: | foreach-object
    Example: Get-Childitem | foreach-object {Write-Host "Found: " $_.fullname}

  • Where-Object (?:) -- This is similar to Foreach-Object, but instead of simply processing the script block it uses the script block as a sort of filter. If the result of the script block is $true, the object is passed on. If the result is $false, the current object is dropped.

    Syntax: | where-object
    Example: Get-ChildItem | where-object {$_.Length –gt 10mb}

Again, these are only a few cmdlets, but I think they do a good job of getting one started learning Windows PowerShell. Now you can go out there and conquer the world given your new PowerShell skills.

Inside the new PowerShell 2.0 commands for Active Directory,289483,sid68_gci1513245,00.html?ShortReg=1&mboxConv=searchWindowsServer_RegActivate_Submit&

In this two-part article we will look at the different vendors that provide AD cmdlets and how they work.

Microsoft Active Directory is one of those things that almost every admin has to work with to some degree, ranging from full AD management to simple consumption of Active Directory. Whatever your experience is with AD, there is a PowerShell cmdlet for you. These cmdlets are provided by two major vendors: Microsoft and Quest Software.

The different scopes of
AD management

Object management

Objects are the foundation and purpose of Active Directory and are where AD stores the data you provide. There are different types of objects, but the three basic objects most admins deal with are:

· User - an object that stores information about a user
· Computer - an object that stores information about a computer
· Group - an object that stores a relationship between groups of objects

Some examples of object management include searching Active Directory for an object, adding users, setting passwords, deleting computers, and adding a member to a group.


Infrastructure refers to the things that make Active Directory work. Below is a list of some of the components of AD that comprise its infrastructure:

· Forest - A collection of trees (a group of one or more domains). These domains must maintain a single configuration and schema.
· Domain - A collection of objects that share a common namespace and authentication realm.
· Site - A collection of computers that share a common subnet defined by an Active Directory object.
· Domain controller (DC) - The principle authority for the domain, responsible for authentication and access to domain resources.
· Partitions - A logical segmentation of a group of objects. The three main partitions in Active Directory are domain, configuration and schema.

Some examples of Active Directory management include finding a DC, setting an operation master role, creating a site, forcing replication, and checking replication.

Before we start down the rabbit hole of Active Directory PowerShell cmdlets, it's important to understand the different scopes of management that admins often encounter when it comes to AD. These can be broken into two basic categories: object management and infrastructure (see the sidebar to the right for a detailed explanation of each).

With those fundamentals of AD management understood, we can take a detailed look at the Microsoft Active Directory cmdlets that ship with Windows 7 and Server 2008 R2, including what is required to run them, how they work, and some examples to get you on your way.

Before we dive directly into the cmdlets, it is important to know the initial requirements that must be met in order to manage Active Directory with Windows PowerShell. First, you need to have at least one domain controller with Active Directory Web Service (AD WS) or Active Directory Management Gateway Services (AD MGS). Both of these services do basically the same thing, with the only difference being that AD Web Services ships with Windows Server 2008 R2, while AD MGS is an update for Windows 2003 and 2008 domain controllers. This is very important because the Active Directory cmdlets use AD WS/AD MGS to communicate with the domain.

Second, you must have a Windows 7 or Windows Server 2008 R2 client because the DC Locator process was updated to discover AD Web Services and has not been back-ported to older clients.

Here is the process flow for Active Directory PowerShell cmdlet queries:

[Client] cmdlet -> AD WS -> Query
DC -> AD WS -> cmdlet.

The cmdlet/client sends the query to AD Web Services, which does a domain query using its own protocol. The DC formulates the response and sends it back to the "client" via AD Web Services and this is all wrapped up in a Web Services protocol.

While we don't have the time or space to cover all of the cmdlets offered by Microsoft (we are talking a small book's worth of material here), we can take a look at a few of the key ones for both Active Directory management categories.

Object management cmdlets for Active Directory

Get-ADUser - gets a specific user object or does a search for user objects that match the query

# Get the user account for a user with sAMAccountName of bsonposh
Get-ADUser bsonposh

# Get all the users that have the last name Shell using friendly filter
Get-ADUser -Filter "sn -eq 'shell'"

# Get all the users that have the last name Shell using LDAP filter
Get-ADUser -LDAPFilter "(sn=shell)"

For more examples:
Get-help Get-ADUser –example

Get-ADComputer - gets a specific computer object or does a search for computer objects that match the query

# Get all the computers in a given OU
Get-ADComputer -SearchBase "OU=XenDesktop,DC=Dev,DC=Lab"
-filter *

# Get all the computers without a given DNS suffix
Get-ADComputer -filter "dnsHostName -notlike

# Find computers logged in over the last 30 days
$lastLogon = (get-date).adddays(-30).ToFileTime()
Get-ADComputer -filter {lastLogonTimestamp -gt

For more examples:
Get-help Get-ADComputer -example

Get-ADGroup - gets a specific group object or does a search for group objects that match the query

# List all the Universal Groups
Get-ADGroup -Filter {GroupScope -eq 'Universal'}

# Get the group members
Get-ADGroup "domain Admins" -Properties member | select
-ExpandProperty member

# This is even easier if you use Get-ADGroupMember
Get-ADGroupMember "Domain Admins"

# Find empty groups
Get-ADGroup -Filter {Member -notlike '*'}

For more examples:
Get-help Get-ADGroup -example

Infrastructure cmdlets for Active Directory

Get-ADForest - returns the current forest

# Get the current forest

# Get the forest for the current user
Get-ADForest -Current LoggedOnUser

# Get the forest for the current computer
Get-ADForest -Current LocalComputer

For more examples:
Get-help Get-ADForest -example

Get-ADDomain - returns the current domain

# Get the current domain

# Get a specific domain
Get-ADDomain dev.lab

# Get the user domain
Get-ADDomain –Current LoggedOnUser

For more examples:
Get-help Get-ADDomain -example

Get-ADDomainController - returns a domain controller object that matches the parameters passed

# Get the current domain controller for the user session

# Get the read-only domain controllers
Get-ADDomainController -Filter {isReadOnly -eq $true}

# Find DCs hosting Active Directory Web Services
Get-ADDomainController -Service ADWS –Discover

Note: The following parameters require the –discover parameter as
well: Service, SiteName, DomainName, NextClosestSite, AvoidSelf,
and ForceDiscover

For more examples:
Get-help Get-ADDomainController-example

Get-ADRootDSE - This returns the RootDSE by discovery or by defined server. You can think of the RootDSE as an entry point into the directory that provides cursory information regarding the directory that resides on the target or discovered server.

# Discover the RootDSE

# Get the RootDSE on a specific Server (DC)
Get-ADRootDSE –server Core.Dev.Lab

For more examples:
Get-help Get-ADRootDSE -example

Here is a list of all the PowerShell cmdlets provided with the Active Directory module:

  • Add-ADComputerServiceAccount

  • Add-ADDomainControllerPasswordReplicationPolicy

  • Add-ADFineGrainedPasswordPolicySubject

  • Add-ADGroupMember

  • Add-ADPrincipalGroupMembership

  • Clear-ADAccountExpiration

  • Disable-ADAccount

  • Disable-ADOptionalFeature

  • Enable-ADAccount

  • Enable-ADOptionalFeature

  • Get-ADAccountAuthorizationGroup

  • Get-ADAccountResultantPasswordReplicationPolicy

  • Get-ADComputer

  • Get-ADComputerServiceAccount

  • Get-ADDefaultDomainPasswordPolicy

  • Get-ADDomain

  • Get-ADDomainController

  • Get-ADDomainControllerPasswordReplicationPolicy

  • Get-ADDomainControllerPasswordReplicationPolicyUsage

  • Get-ADFineGrainedPasswordPolicy

  • Get-ADFineGrainedPasswordPolicySubject

  • Get-ADForest

  • Get-ADGroup

  • Get-ADGroupMember

  • Get-ADObject

  • Get-ADOptionalFeature

  • Get-ADOrganizationalUnit

  • Get-ADPrincipalGroupMembership

  • Get-ADRootDSE

  • Get-ADServiceAccount

  • Get-ADUser

  • Get-ADUserResultantPasswordPolicy

  • Install-ADServiceAccount

  • Move-ADDirectoryServer

  • Move-ADDirectoryServerOperationMasterRole

  • Move-ADObject

  • New-ADComputer

  • New-ADFineGrainedPasswordPolicy

  • New-ADGroup

  • New-ADObject

  • New-ADOrganizationalUnit

  • New-ADServiceAccount

  • New-ADUser

  • Remove-ADComputer

  • Remove-ADComputerServiceAccount

  • Remove-ADDomainControllerPasswordReplicationPolicy

  • Remove-ADFineGrainedPasswordPolicy

  • Remove-ADFineGrainedPasswordPolicySubject

  • Remove-ADGroup

  • Remove-ADGroupMember

  • Remove-ADObject

  • Remove-ADOrganizationalUnit

  • Remove-ADPrincipalGroupMembership

  • Remove-ADServiceAccount

  • Remove-ADUser

  • Rename-ADObject

  • Reset-ADServiceAccountPassword

  • Restore-ADObject

  • Search-ADAccount

  • Set-ADAccountControl

  • Set-ADAccountExpiration

  • Set-ADAccountPassword

  • Set-ADComputer

  • Set-ADDefaultDomainPasswordPolicy

  • Set-ADDomain

  • Set-ADDomainMode

  • Set-ADFineGrainedPasswordPolicy

  • Set-ADForest

  • Set-ADForestMode

  • Set-ADGroup

  • Set-ADObject

  • Set-ADOrganizationalUnit

  • Set-ADServiceAccount

  • Set-ADUser

  • Uninstall-ADServiceAccount

  • Unlock-ADAccount

Saturday, May 29, 2010

Understanding the new Windows Server 2008 Network Policy Server

Although I was familiar with all the concepts and terms regarding the Microsoft Network Access Protection (NAP) and the Cisco NAC technologies, what actually prompted me to take a look at the new Windows Server 2008 Network Policy Server was unrelated to either of those. My interest in the Windows 2008 Network Policy Server (NPS) was to be able to use RADIUS on a Windows 2008 System. Specifically, I wanted to use a Windows 2008 Server to allow me to authenticate PCs using 802.1x and users logging into network devices like Cisco routers.

Traditionally, if I wanted to perform one of these tasks with Windows 2000 or 2003 Server, I would use the Microsoft Internet Authentication Service (IAS). In the past, has offered a number of articles on using IAS. For example, Wireless Networking in Windows 2003 and Setting up Windows 2000 RADIUS to authenticate wireless 802.1x clients. However, in Windows Server 2008, you will quickly find out that IAS has been replaced with the Network Policy Server (NPS).

So what is NPS and how can it help me?

What is Windows Server 2008 Network Policy Server?

NPS is not just a replacement for IAS, it does what IAS did and much more. While many of us may be just looking to do the same thing that IAS did in Windows 2003, when you install NPS, you will find that you have opened up yourself to a lot of new functionality.

Here is what NPS does that is the SAME as what IAS offered:

  • Routing of LAN and WAN traffic.
  • Allow access to local resources through VPN or dial-up connections.
  • Creating and enforcing network access through VPN or dial-up connections.

For example, NPS can provide these functions:

  • VPN Services
  • Dial-up Services
  • 802.11 protected access
  • Routing & Remote Access (RRAS)
  • Offer Authentication through Windows Active Directory
  • Control network access with policies

What NPS does that is new are all the functions related to Network Access Protection (NAP). For example – System Health Validators, Remediation Server Groups, Health Polices, and more.

For a detailed step-by-step example of how to use NPS to perform Network Access Protection (NAP), please see Brian Posey’s series An Introduction to Network Access Protection - Part 1 to Part 7

How do I install NPS?

NPS is a Windows 2008 Server Component. That means that you install it by “Adding a Component”, like this:

Figure 1:
Adding the NPS Component

Next, choose the Network Policy and Access Services, like this:

Figure 2:
Choosing the NPS Role

You will be given a screen full of overview information on NPS, like this:

Figure 3:
Overview screen on NPS

Now, choose the services for this role that you want to install. Note that if you choose either the Health Registration Authority or the Host Credential Authorization protocol, you will be prompted to install more roles for your server (like IIS web server). Both of these services are related to either Microsoft’s NAP or Cisco’s NAC.

To go into this list a little further, the Network Policy Service is actually the RADIUS server that you are used to seeing with IAS. The RRAS services are the second piece that has traditionally been included with IAS. With these being broken out, you can selectively install what you choose.

Figure 4:
Selecting the NPS installation options

After you make your choices and click Next, you will see this final confirmation screen where you can click Install.

Figure 5:
NPS Installation Confirmation Screen

At the conclusion of the install, look for a screen like this:

Figure 6:
NPS Installation Completed

Now, let’s move on to how you manage your new Network Policy Server…

How do I manage NPS?

If you are looking to perform the traditional IAS functions, the easiest way to manage your new network policy server (NPS) services is to use the Windows 2008 Server Manager. Inside Server Manager, you will see Roles and inside roles, you will find Network Policy and Access Services, like this:

Figure 7:
NPS Services in Server Manager

As you can see, there are 3 services associated with NPS, the network policy server (named IAS), the remote access connection manager (RasMan), and the routing and remote access service (named RemoteAccess). For those who use IAS, the names of these services will seem familiar.

To configure and manage the separate Network Policy Server (NPS) service, there is a new Windows 2008 Server administrative tool, called Network Policy Server.

Figure 8:
Starting the NPS Management Tool

Once loaded, here is what it looks like:

Figure 9:
The NPS Management Tool

As you can see, the RADIUS Clients and Servers section is familiar, as is the Polices section. What looks new is that the old IAS “Remote Access Logging” has been renamed “Accounting” and the Network Access Protection folder is new.

Still, it isn’t just that pieces of the interface and name of IAS are new, what is truly different is the Network Access Protection functionality that NPS provides.

Network Policy Server Architecture

There are a number of parts to the Network Policy Server architecture. Below is a graphic originally published at Microsoft TechNet in an article titled “Network Policy Server Infrastructure”.

Figure 10:
NPS Architecture (Source: Microsoft)

As you can see from the graphic, the NPS server that we installed in this article is just one of the many pieces of the total NPS Infrastructure. Not all of these pieces are required. The pieces of this infrastructure that are required are based on the function that you are trying to perform.

For example, in my introduction, I talked about how I would like to use NPS to authenticate Cisco networking devices using RADIUS. To do that, all I would need is this NPS RADIUS Server and the Network Policy Server (NPS). The Cisco router (or other network device) would be the NPS RADIUS Client. The NPS RADIUS Server is what accepts the request for user credential authentication from the network device. The NPS RADIUS Server usually checks with the Network Policy Server to see if it is accepting authentication requests from the RADIUS Client and, if the policy is met, the credentials are sent, usually to the Windows Active Directory (AD) to be validated. If they are validated, the authentication accepted request is sent back to the NPS RADIUS Client (the network device, such as a Cisco router, in my example).


When combined with the Microsoft NAP client, Microsoft calls Network Policy Server a “system health policy enforcement platform”. Still, I just think of NPS as an AAA server (authentication, authorization, and accounting). If you just need the traditional RADIUS server, you won’t see much difference when using NPS. However, I encourage you to take a look at how NPS can help you with a total Network Access Protection (NAP) solution for your company. By allowing only computers that have up to date patches, anti-virus definitions, and firewall settings to access your network, the entire company will be more secure.

For more information on the Windows 2008 Server Network Policy Server and Network Access Protection (NAP), see the following links:

Microsoft Windows Server 2008 – Hyper-V solution overview

What is Hyper-V?

Vir·tu·al·i·za·tion the act of isolating or unbinding one computing resource from others. Server Virtualization is the solution of hosting an entire computer environment within the operating system of another computer. Windows Server 2008 includes native support for virtual computers through the Hyper-V role. Hyper-V is Microsoft's new server virtualization technology and it allows the virtualization of multiple Windows- and none Windows operating systems on a single server and fully leverage the power of x64 computing. Hyper-V follows a hypervisor model, which means that it does not run on top of an operating system. Instead it loads at boot time and creates a layer of virtualization between the physical server hardware and the operating systems it hosts. In Hyper-V, the parent partition, which is the main Operating System, runs Windows Server 2008. Virtual computers then run in one or more child partitions. The release of Windows Server 2008 Hyper-V is scheduled for the second half of 2008.

The rise of the Hypervisor

Hyper-V includes a hypervisor, a very thin software layer that is less than 1 megabyte in size and separates the processor and all the parent and child partitions. The hypervisor supports all of the partitions on the host computer and provides strong security separation between the parent and child partitions. Because the hypervisor does not contain third party code or device drivers, it presents a very small attack surface, and driver failure cannot bring down all of the partitions. This type of hypervisor is called a Microkernelized hypervisor.

Server Core

The Hyper-V can be a full role within Windows Server 2008 or can be enabled as a role within Server Core. The Server Core installation is an option that you can use for installing Windows Server 2008. A Server Core installation provides a minimal environment for running specific server roles, which reduces the maintenance requirements and the attack surface for those server roles. The Server Core installation option requires initial configuration at a command prompt and does not include the traditional full graphical user interface. Once you have configured the server, you can manage it locally at a command prompt or remotely using a Terminal Server connection. You can also manage the server remotely using the Microsoft Management Console (MMC) or command-line tools that support remote use.

Virtualization Management

Server Manager

Server Manager is a new tool available with Windows Server 2008 that guides information technology administrators through the process of installing, configuring, and managing server roles and features that are part of Windows Server 2008. The Hyper-V role can be enabled and configured within Server Manager.

Hyper-V Manager

With Hyper-V Manager, local or remote Hyper-V Servers and their corresponding virtual machines can be managed. Configuration options include New Virtual Machine, New Virtual Hard Disk, Edit Virtual Hard Disk, Virtual Machine, Virtual Machine Settings, Virtual Network Manager. It’s a nice but basic Management Console for the normal administration tasks in a Small-Medium sized Hyper-V infrastructure.

Hyper-V Manager
(Click image to enlarge)

System Center Virtual Machine Manager

System Center Virtual Machine Manager 2007 (SCVMM) is a server application in the Microsoft System Center family of products. SCVMM provides management of physical and Virtual machines, consolidation of underutilized physical servers and rapid provisioning of new Virtual Machines. The current release of SCVMM manages only Microsoft Virtual Server. The upcoming SCVMM releases, scheduled when Hyper-V is released, supports the management of Hyper-V hosts and guests and also Citrix XenServer and VMware ESX v3 hosts.

Some features of SCVMM:

  • Enables fast provisioning of new virtual machines
  • Minimizes guesswork in deployment through customized host ratings based on criteria that you set
  • Allows conversion of physical servers to virtual machines (P2V)
  • Allows conversion of VMware virtual machines (V2V)
  • Virtual Machine Manager provides a library to manage all the building blocks of the virtual data center. Building blocks such as virtual hard disks (VHDs),ISO images, post deployment customization scripts, hardware configurations and templates.
  • Speeds creation of new virtual machines by using templates
  • Takes advantage of datacenter investments in Storage Area Network (SAN) storage
  • Provides a rich management and scripting environment through the Windows PowerShell - Virtual Machine Manager command shell
  • Provides reporting by integrating with System Center Operations Manager 2007
  • Self Service Portal, a web interface to allow an end user to create and use their own VMs.

Server Virtualization Management Pack

The Server Virtualization Management Pack provides enterprise wide monitoring of Microsoft virtual environments. The management pack monitors the health and availability of virtual machines deployed on hosts running Microsoft Virtual Server and Hyper-V and the health and availability of the hosts. The management pack also monitors the components of System Center Virtual Machine Manager 2007 (VMM), including the VMM server, database server, hosts, library servers, and self-service portals, and provides reporting for VMM. Server Virtualization Management Pack for System Center Operations Manager 2007 provides:

  • Discovery and monitoring of all Hyper-V and Virtual Machine Manager components
  • Alert on job and component status change
  • Reports for managing and maintaining a virtualized environment
  • Virtualization environment diagram view

Hyper-V system requirements

  • CPU, Hyper-V requires specific processor enhancements from either Intel or AMD. Intel VT is integral to the Intel vPro range.
  • Hardware Data Execution Prevention (DEP) which Intel describes as eXecuted Disable (XD) and AMD describes as No eXecute (NS) it is a technology used in CPUs to segregate areas of memory for use by either storage of processor instructions or for storage of data.
  • 64 bits environment, Virtualization is a prime candidate for the expanded memory and processing facilities that 64-bit platforms offer. To ensure these expanded facilities are available, Hyper-V only runs on x64-bit editions of Windows Server 2008.
  • Approved hardware, Hyper-V requires hardware that is on the Windows server catalog of tested hardware. Microsoft hardware approval is particularly important in Hyper-V because the Windows Hypervisor layer interfaces directly between the hardware and the parent and child partitions. Rigorous testing of third party device drivers also helps to enhance parent partition stability. Although Hyper-V is running fine on my laptop this device isn’t the most suitable candidate for the server virtualization role.
  • Physical Memory on the host computer is the main limiting factor that sets the number of virtual computers that can run simultaneously. The virtual computers share this physical memory with the parent partition. Memory requirements are typically 512MB for the parent partition, plus the allocated memory for each child partition and a further 32MB overhead for each child partition. Therefore, a child partition that has 256MB allocated virtual RAM requires a host that has at least (512+(256+32)) = 800MB.

There is a utility called SecurAble, available: which checks the virtualization hardware requirements of your machine. The interface looks like this:

SecureAble Interface

Hyper-V Architecture

Let’s unpack this diagram:

Hyper-V Architecture
(Click image to enlarge)

Parent and Child Partitions

In Hyper-V one VM is that parent partition while others are child partitions. A partition is a basic unit of isolation supported by the hypervisor. The parent partition, also known as root partition, is the partition that creates and managed child partitions and it has a virtualization stacks to control child partitions. This parent partition owns all resources not owned by the hypervisor and is responsible for Power management, PnP, management of hardware failure events and loading and booting the Hypervisor. In the parent partition, running in kernel mode, there is a Windows Server 2008 guest OS. Within Citrix XenServer, the parent partitioning is called ‘Domain 0’. As mentioned earlier this OS can run as role within Server Core or can be a full installation of Windows Server 2008.

Virtualization Service Provider and Client

Running within the guest OS is the Virtualization Service Provider (VSP) this is a component that runs within the parent partition. This partition owns the hardware. The VSP talks to the device drivers and is offering hardware services to whoever requests them. Running in kernel mode within an ‘Enlightened client’ is the Virtualization Service Client (VSC). This is a client component that runs within a child partition and consumes services. There is one pair of VSP/VSC pair for each device type. Microsoft is providing VSP/VSC pairs for storage, networking, video and input devices for Hyper-V. Third-party Independent Hardware Vendors (IHV) will provide additional VSP/VSC pairs to support additional hardware.

HyperCall Adapter

The Hypercall adapter is a thin layer of software that translates the Citrix XenServer-specific virtualization function calls to Microsoft Hyper-V hypercalls. This results in improved performance for the virtual machine running Linux and better operability when VMs are used in a mixed Hyper-V and Citrix XenServer environment.


The Hyper-V architecture also includes a virtual machine bus, or VMbus, for communication between the parent and child partitions, Virtualization Service Providers, and Virtualization Service Clients. On virtualization-optimized processors, these components provide an emulated environment with similar performance characteristics to a dedicated physical computer.

Synthetic and emulated devices:

Synthetic devices are designed to have the lowest overhead for devices. These devices package requests and forward them to a driver in the root over VMBUS which then forwards them to the device after any needed processing. Emulated devices on the other hand emulate a real piece of hardware. Both types of devices are important because to support operating systems that do not have “Integration Components” installed emulated devices drivers are needed. The Synthetic devices are important because they help reduce the CPU overhead when accessing a device. Synthetic device drivers are included in the Integration Components.

Integration Components

Integrations components (ICs) are sets of drivers and services that help your Virtual Machines have more consistent state and perform better by enabling the guest to use synthetic devices. Some ICs that come with Hyper-V are VMBUS (transport for Synthetic devices), Time Sync (used to keep VM clocks in sync with the root partition sometimes called the host), Video Driver, Network Driver and Storage Driver. Windows Server 2008 will come with the integration components pre-installed. For other operating systems, like Windows Server 2003 are Linux you can install ICs.


Hyper-V can host two categories of operating systems, Enlightened- and unenlightened operating systems. Enlightened operating systems work directly with Hyper-V and enjoy performance benefits with respect to device access and management benefits. Windows Server 2008 and specific Linux distributions from Citrix XenServer and Novell are planned. Unenlightened operating systems include other Linux distributions, older versions of Windows Server and other x86 operating systems.

Enlightenments are enhancements made to the operating system to help reduce the performance cost on certain operating system functions like memory management. Windows Server 2008 is fully enlightened which means it takes advantage of all possible enlightenments. Other operating systems have varying degree of support.


Paravirtualization is a technique to allow Virtual Machines to understand it is being virtualized and to co-operate with the system to ensure the best performance. For example Citrix XenServer uses paravirtualized drivers for storage and network devices which drastically improve performance over emulated drivers. Enlightments is the Microsoft name for paravirtualization.

Hyper-V enhancements

  • High Availability. Hyper-V includes support for host-to-host connectivity and enables you to cluster all virtual machines running on a host through Windows Clustering (up to 16 nodes). Enterprise or datacenter editions of Windows Server 2008 are needed.
  • Quick migration. Hyper-V enables you to rapidly migrate a running virtual machined across Hyper-V hosts with minimal downtime, leveraging familiar high-availability capabilities of Windows Server 2008 and System Center management tools.

    Quick Migration isn’t the same as VMware vMotion or Citrix XenServer XenMotion. With Quick Migrate there is (small) downtime of the Virtual Machine. The downtime depends on the amount of memory the Virtual Machine is consuming. The Quick Migrate process is: The VM state is saved, the VM is moved to an other Hyper-V machine and the VM state is restored.

    A Quick migrate of a VM using 1 GB memory takes approximately 4 seconds. The VHD file needs to be stored on a shared storage and you need the same processor architecture across the nodes.
  • Server Core role. Hyper-V is now available as a role in a Server Core installation of Windows Server 2008.
  • Integrated into Server Manager. Hyper-V is now integrated into Server Manager by default and customers can now enable the role within Server Manager.
  • VHD tools. Hyper-V includes support for VHD tools to enable compaction, expansion and inspection of VHDs created with Hyper-V.
  • Improved access control with AzMan. Hyper-V now includes support for Authorization Manager (AzMan) to enable Role-Based Access Control models for better administration of the Hyper-V environment with increased security.
  • Host characteristics: 16 logical processors, 2TB memory, SAS/SATA/discs and FibreChannel support.
  • Guest characteristics: 32-bit (x86) and 64-bit (x64) child partitions, 64Gb memory support within VMs, 4 core SMP VMs, max 4 NIC’s.
  • Live Backups with VSS, Volume Shadow Copy Services (VSS) enables the functionality to take Live Backups of running virtual machines.
  • Resource Management, CPU, disk and network can be managed using Windows Server Resource Manager (WSRM).
  • System Center Virtual Machine Manager (SCVMM) integration.
  • Snapshots, 10 level deep

Virtual Machine disk controllers and types

There are two types of disk controllers that you can configure your Hyper-V virtual machines to use: SCSI and IDE. There are two IDE controllers and four SCSI controllers available. Each IDE controller can have two devices. Each SCSI controller can support up to 255 devices. Both SCSI and IDE can support pass-through, Fixed, Dynamic, Sparse, and Delta drives. The difference lies in how the controllers are actually implemented.

  • (dynamic / Fixed) Virtual Hard Drive (VHD) - This is a file stored in NTFS that looks like hard drive to the VM
  • Delta VHD - This stores all changes relative to a base VHD.
  • Pass-through drive are physical disks are exclusively assigned to the Virtual Machine.


Linux Integration Components

When installed into a virtual machine running a supported Linux operating system, the Linux Integration components provide the following functionality:

  • Driver support for synthetic devices: The Linux integration components include support for both the synthetic network controller and synthetic storage controller that have been developed specifically for Hyper-V. These components take advantage of the new high-speed bus, VMbus, which was developed specifically for Hyper-V.
  • Hypercall adapter: The Hypercall adapter is a thin layer of software that translates the Xen-specific virtualization function calls to Microsoft Hyper-V hypercalls. This results in improved performance for the virtual machine running Linux.

The Linux Integration Components for WS08 Hyper-V are currently (feb. 2008) in Beta and available through MS Connect. Linux integration components are available for SUSE Linux Enterprise Server 10 SP1 x86 and x64 Editions. These integration components enable Xen-enabled Linux to take advantage of the VSP/VSC architecture and provide improved performance.


Working with Citrix XenServer, an adapter is developed to map XenServer hypercall API to Hyper-V hypercall API. Disk and network drivers are developed to integrate with the new I/O architecture. Microsoft is working with Novell for interoperability and joint support for Windows Server and Novell SUSE Linux Enterprise Server v10.

Virtual Hard Disk (VHD)

The Microsoft Virtual Hard Disk (VHD) file format is an integral part of the Microsoft commitment to Virtualization. VHD is the runtime container for Windows. It combines the OS, application and state in one single file. VHD files specify a virtual machine hard disk that can reside on a native host file system encapsulated within a single file. The VHD format is used by Microsoft Virtual PC , Virtual Server and Windows Server 2008 Hyper-V. The ability to directly modify a virtual machine’s hard disk from a host server supports many interesting applications that may be of interest to customers, such as:

  • Moving files between a VHD and the host file system
  • Back and Recovery
  • AntiVirus and Security
  • Image management and patching
  • Disk conversion
  • Life-cycle management and provisioning

Microsoft Partners such as Citrix Systems are adopting the VHD file format in their Application and Desktop delivery solutions such as Citrix XenDesktop.


Microsoft has released several versions of Windows Server 2008. The versions which include Hyper-V will be released in the second half of 2008. Customers can choose to buy Windows Server 2008 with or without Hyper-V. Hyper-V can be included in Standard, Enterprise and Datacenter editions in x86 and x64 versions. The price difference between Windows Server 2008 with or without Hyper-V is $28 (in Euro’s that very cheap!). There are many, many benefits using Server Virtualization technology, one of which can be saving on Microsoft Licensing costs. These articles explain the different licensing models when Virtualization is being used.

Windows Server 2008 -Virtualization with Hyper-V: Overview

Key Features of Hyper-V

New 64-bit micro-kernelized hypervisor architecture enables Hyper-V to provide a broad array of device support methods and improved performance and security.

Broad support for simultaneously running different types of operating systems, including 32-bit and 64-bit systems across different server platforms, such as Windows, Linux, and others.

Ability to support up to four multiple processors in a virtual machine environment enables you to take full advantage of multi-threaded applications in a virtual machine.

Hyper-V includes new virtual switch capabilities. This means virtual machines can be easily configured to run with Windows Network Load Balancing (NLB) Service to balance load across virtual machines on different servers.

With the new virtual service provider/virtual service client (VSP/VSC) architecture, Hyper-V provides improved access and utilization of core resources, such as disk, networking, and video.

Hyper-V enables you to rapidly migrate a running virtual machine from one physical host system to another with minimal downtime, leveraging familiar high-availability capabilities of Windows Server and System Center management tools.

Hyper-V provides the ability to take snapshots of a running virtual machine so you can easily revert to a previous state, and improve the overall backup and recoverability solution.

With support for multiple processors and cores at the host level and improved memory access within virtual machines, you can now vertically scale your virtualization environment to support a large number of virtual machines within a given host and continue to leverage quick migration for scalability across multiple hosts.

Standards-based Windows Management Instrumentation (WMI) interfaces and APIs in Hyper-V enable independent software vendors and developers to quickly build custom tools, utilities, and enhancements for the virtualization platform.

Note: Microsoft believes that most customers now expect virtualization capabilities in their server OS. However, based on customer demand, Windows Server 2008 will be able to be licensed without Hyper-V. To learn more, please visit the Licensing without Hyper-V page.

Windows Server 2008 Core OCList and OCSetup CLI tools

As Windows Server 2008 CORE does not have any graphical interface, you must use only command line tools so without ServerManagerCMD, the tools to use in Windows Server 2008 CORE to view, add, and remove roles are OCLIST and OCSETUP.

What are Roles?

Before I demonstrate how to use OCLIST and OCSETUP to administer server Roles, let’s first take a step back and answer what are Server Roles? I want to do this because the concept of Server Roles is new in Windows Server 2008.

Examples of Roles for your server are:

  • DNS
  • DHCP
  • File Services
  • Telnet Client
  • Print Services
  • (and more)

It is easy to add these roles in the Windows Server 2008 GUI, as in Figure 1, below.

Figure 1
: Adding Roles with the Windows Server 2008 GUI

However, how are you going to view, add, and remove these roles when you are at the Windows Server 2008 CORE command prompt (with no GUI interface available)? How would you do it? Let’s find out...

What are OCLIST.exe & OCSETUP.exe?

Just as the concept of “Roles” is new in Windows Server 2008, you are offered a couple of new CLI tools to manage those Roles in Windows Server 2008 CORE.

Those tools are OCLIST.exe & OCSETUP.exe

With OCLIST, you can query the installed roles on your Windows Server 2008 CORE server by simply typing OCLIST at the command prompt, like this:

Figure 2:
Showing installed Roles with OCLIST.exe

In Figure 2, the oclist command was run right after the Windows Server 2008 CORE server was installed. As you can see, there are a number of roles available but not installed. To install these roles, we use OCSETUP.

With OCSETUP.exe, you can do the following:

  • Install & uninstall new Server 2008 CORE Roles
  • Perform logging on the install of those roles
  • Perform quiet or unattended installations
  • Supply parameters to the installation routine
  • And choose not to restart the server after an installation, even if it is required for the install to be complete

If you run OCSETUP.exe without any parameters, you will see a help screen, like this:

Figure 3
: OCSETUP Help Screen shown when run with no parameters

How do I install a Windows Server 2008 CORE Role with OCSETUP?

To install a Windows Server 2008 CORE Role with OCSETUP, let’s look at an example. Let’s say that we wanted to install the Windows Server DHCP Role / Component. As we saw from the OCLIST output, above, the Windows Server DHCP role was not installed by default.

To install DHCP on our CORE server with OCSETUP, we do the following:

start /w ocsetup DHCPServerCore

Let’s examine this command line string, step by step:

  1. Optionally, we use the start command because it will open up a new CMD prompt window that we can use to monitor the progress of the install. Plus it frees our current CMD prompt window so that we can continue to do other things while the installation is happening
  2. If we used the start command, we also use the /w (or /WAIT) switch with the start command so that the command prompt will wait for the command that is executed to terminate before closing the window. This way, we can see what happens with the installation.
  3. Of course, we use the OCSETUP command
  4. With the OCSETUP command, we specify what component we want to install. Each of the components has its own, specific, name. You can view the available component names in the output of the OCLIST command. In our case, we specified the name of the DHCP component, DHCPServerCore.

When you run this command, you won’t see ANY output, at all (unless you mistyped it). So, here is what a successful install looks like:

Figure 4
: Results of DHCP Server Core Install with OCSETUP

That’s right, no real output. So how do you know if it was successfully installed? Easy, run OCLIST, like this:

Figure 5
: Verifying a successful install using OCLIST

As you can see, the DHCPServerCore was successfully installed.

However, is the DHCP server fully functional at this point? No.

To get our DHCP server fully functioning, we need to configure a scope using the netsh command or using the MMC DHCP snap-in from a remote system.

Next, we need to set the DHCP service to start automatically using sc config dhcpserver start=auto then start the service manually for the first time with net start dhcpserver.

What other common Windows Server 2008 CORE Roles can I install?

Some other common Core server roles are:

  • DNS Server – DNS-Server-Core-Role
  • File Server – FRS-Infrastructure
  • Print Server – Printing-ServerCore-Role

For example, here is an install of the DNS Server Core Role:

Figure 6
: Installation of the Windows Server 2008 Core DNS Server Role

You would then need to configure the DNS Server zones using the dnscmd CLI utility or remotely using the DNS MMC Snap-in.

Say that you did want to Uninstall the DNS Server role, you would run the same command with the /uninstall switch, like this:

Figure 7
: Uninstall of the Windows Server 2008 Core DNS Server Role

As with this uninstall, some installs or uninstalls that are done will require you to reboot your Windows Server 2008 Core server. When that happens, you will see a pop-up message, like this:

Figure 8
: Message that the Core server must be restarted before the changes take effect

What else do I need to know?

One important thing to note is this - if you want to make a Windows Server 2008 CORE system a Windows Active Directory domain controller (DC), then you should NOT use OCSETUP. Instead, you should use DCPromo to install or uninstall Windows Active Directory.


If you are using or plan on using Windows Server 2008 CORE, the OCLIST and OCSETUP command line utilities are necessary for any administrator to understand. With OCLIST, you can query the Windows Server 2008 CORE roles and components that are installed. With OCSETUP, you can add & remove the same Core Server Roles. When using Windows Server 2008 CORE, you must use these commands for Role administration as there aren’t any GUI tools available on the server. Additionally, the ServerManagerCM CLI utility, available in normal (non-core) versions of Windows Server 2008, is not available in Windows CORE. Once these Roles are installed, they will still need to be started and configured using either local command line utilities or remote Windows MMC administrative tools.