You're reading from Windows Server 2016 Automation with PowerShell Cookbook - Second Edition

Product type: Book
Published in: Sep 2017
Reading level: Beginner
ISBN-13: 9781787122048
Edition: 2nd Edition

Authors (2):

Thomas Lee

Thomas Lee is a consultant/trainer/writer based in the UK and has been in the IT business since the late 1960s. After graduating from Carnegie Mellon University, Thomas joined ComShare where he was a systems programmer building the Commander II time-sharing operating system, a forerunner of today's cloud computing paradigm. In the mid-1970s, he moved to ICL to work on the VME/K operating system. After a sabbatical in 1980/81, he joined Accenture, leaving in 1988 to run his own consulting and training business, which is still active today. Thomas holds numerous Microsoft certifications, including MCSE (one of the first in the world) and later versions, MCT (25 years), and was awarded Microsoft's MVP award 17 times.

Ed Goad

Ed Goad is a systems architect who has been working in various roles in the IT field for 16 years. He first became interested in scripting and automation when presented with a task to uninstall software from over 1,000 systems with limited time and resources. He has worked with scripting and automation on multiple platforms and languages including PowerShell, VBscript, C#, and BASH scripting. Ed currently holds multiple Microsoft certifications, most recently including the Microsoft Certified IT Professional Enterprise Administrator. Additional non-Microsoft certifications include VMware Certified Professional (VCP), Red Hat Certified System Administrator (RHCSA), EMC Proven Professional, Brocade Certified Network Engineer (BCNE), and Cisco Certified Network Associate (CCNA). Ed is currently on a sabbatical and volunteering full time at the Amor Fe y Esperanza school in Honduras(http://www.afehonduras.org). There he is teaching computer and math classes to the kids who live and work in the garbage dump outside of the capital city of Tegucigalpa.


Chapter 8. Managing Windows Networking Services

This chapter contains the following recipes:

  • New ways to do old things
  • Configuring IP addressing
  • Converting IP address from static to DHCP
  • Installing domain controllers and DNS
  • Configuring zones and resource records in DNS
  • Installing and authorizing a DHCP server
  • Configuring DHCP scopes
  • Configuring DHCP server failover and load balancing
  • Building a public key infrastructure
  • Creating and managing AD users, groups, and computers
  • Adding users to AD using a CSV file
  • Reporting on AD users
  • Finding expired computers in AD
  • Creating a privileged user report

Introduction


PowerShell has provided useful improvements in our ability to manage networking. Windows Server has features such as DHCP failover, DNS, and AD built in, and you manage these with cmdlets. Windows Server 2016 includes comprehensive cmdlets that replace the host of arcane and incompatible configuration and troubleshooting console applications.

The focus of this chapter is the core networking services contained in Windows Server 2016. These services include DHCP, DNS, Active Directory, and Certificate Services. The recipes in this chapter look at how to manage these features using PowerShell. We also note the few remaining things you cannot do with a PowerShell cmdlet.

In the New ways to do old things recipe, you look at some of the Windows console applications that you might have used for network troubleshooting and their updated PowerShell equivalents. You should find that everything you could do with a console application you can also do with a native cmdlet and more. This...

New ways to do old things


Networking IT pros have used a small set of console applications for decades to carry out basic troubleshooting activities. These help you to manage all manner of networking components. Tools such as Ipconfig, Tracert, and NSlookup are used by IT pros all over the world. The network shell (netsh) is another veritable treasure chest of tools to configure and manage your networking components.

The latest versions of PowerShell within the latest versions of the Windows operating system provide a wealth of new network-focused cmdlets that overlap with those old command-line tools. These tools represent new ways of doing old things.

Naturally, you shouldn't just use the new commands because you can. This recipe shows you that the new commands are often better and can be sufficiently different as compared to the older console (and a lot more useful). This recipe helps you to re-equip your networking tool belt!

Getting ready

This recipe uses the DC1 domain controller in the...
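The following is an added example, not code from the book, placing each classic console tool beside the cmdlet that replaces it. It assumes a Windows Server 2016 host with the in-box NetTCPIP and DnsClient modules, and that DC1.Reskit.Org answers DNS on 10.10.10.10 (an assumed address). The point the recipe makes is that cmdlets return objects rather than text, so the results can be filtered, joined and sorted without parsing.

```powershell
# Added example (not from the book): old console tools beside their cmdlet equivalents.
# Assumes Windows Server 2016; the DC1 address 10.10.10.10 is an assumption.

# Ipconfig /all  ->  Get-NetIPConfiguration
Get-NetIPConfiguration -Detailed |
    Select-Object InterfaceAlias, IPv4Address, IPv4DefaultGateway, DNSServer

# Ping / Tracert  ->  Test-NetConnection (one cmdlet covers both)
Test-NetConnection -ComputerName DC1.Reskit.Org -TraceRoute |
    Select-Object ComputerName, PingSucceeded, TraceRoute

# NSlookup  ->  Resolve-DnsName (pick the record type and the server explicitly)
Resolve-DnsName -Name DC1.Reskit.Org -Type A -Server 10.10.10.10

# Netstat -ano  ->  Get-NetTCPConnection; here joined to the owning process name,
# which is the inventory of listening services a reviewer usually wants
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess).ProcessName }} |
    Sort-Object LocalPort

# Route print  ->  Get-NetRoute (only the default route here)
Get-NetRoute -AddressFamily IPv4 | Where-Object DestinationPrefix -eq '0.0.0.0/0'

# Arp -a  ->  Get-NetNeighbor
Get-NetNeighbor -AddressFamily IPv4 -State Reachable
```

Because every line above yields objects, the same commands can be run against a remote host through Invoke-Command and the output compared across servers, something the console tools never made easy.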

Configuring IP addressing


Most IT pros are very familiar with using the Windows Control Panel, and more recently Windows Settings, to configure a system's IP configuration (IP address, subnet mask, default gateway, and DNS server) and to change a statically configured system to one that gets its configuration from DHCP. Savvy admins were also able to use the network shell, Netsh.exe, to set the IP configuration details. In this recipe, we show how you do it with PowerShell and native cmdlets.

Getting ready

You run this recipe on server DC2. Server DC2 is a newly installed VM (or physical machine) whose NICs default to DHCP. When DC2 boots up, it attempts to contact the DHCP server for IP address configuration. If there is no DHCP server on your subnet, running Get-NetIPConfiguration reveals that the server has an Automatic Private IP Addressing (APIPA) address in the 169.254/16 range. You use this recipe to provide a static IP configuration to this server.

How to do it...

  1. Get the existing...
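Here is an added example (not the book's recipe code) that carries the static-IP configuration through to a verification step. The address 10.10.10.11/24, gateway 10.10.10.254 and DNS server 10.10.10.10 are assumed values; run it elevated on DC2.

```powershell
# Added example (not the book's code). Assumed values: DC2 gets 10.10.10.11/24,
# gateway 10.10.10.254, DNS server DC1 at 10.10.10.10.
$IPType  = 'IPv4'
$Adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
$IfIndex = $Adapter.ifIndex

# Remove any existing IPv4 address (APIPA or an old static one) and default route,
# otherwise the new address is added alongside the old rather than replacing it
Get-NetIPAddress -InterfaceIndex $IfIndex -AddressFamily $IPType -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $IfIndex -AddressFamily $IPType -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# Turn DHCP off on the interface, then assign the static configuration
Set-NetIPInterface -InterfaceIndex $IfIndex -AddressFamily $IPType -Dhcp Disabled
New-NetIPAddress -InterfaceIndex $IfIndex -AddressFamily $IPType `
                 -IPAddress 10.10.10.11 -PrefixLength 24 `
                 -DefaultGateway 10.10.10.254 | Out-Null
Set-DnsClientServerAddress -InterfaceIndex $IfIndex -ServerAddresses 10.10.10.10

# Verify: no 169.254.x.x address should remain, and DC1 should answer on LDAP
Get-NetIPConfiguration -InterfaceIndex $IfIndex
Test-NetConnection -ComputerName DC1.Reskit.Org -Port 389
```

Selecting the first adapter that reports Up is fine on a single-NIC lab server; on a multi-homed host pick the adapter by -Name instead, or you will reconfigure the wrong interface.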

Converting IP address from static to DHCP


In some cases, you may need to switch your server's IP address from static, as you did in the Configuring IP addressing recipe, back to DHCP. You might need to do this to re-purpose a server. You may have given it a static IP address to perform a role, but you plan to re-purpose this server and want to configure the server to obtain IP configuration from DHCP.

Getting ready

Run this recipe on the DC2 server. Of course, after running and testing this recipe, you may need to re-run the Configure IP address recipe to ensure DC2 remains correctly configured.

How to do it...

  1. Get the existing IP address information:
$IPType = 'IPv4'
$Adapter = Get-NetAdapter | ? {$_.Status -eq 'up' }
$Interface = $Adapter |
         Get-NetIPInterface -AddressFamily $IPType
$IfIndex = $Interface.ifIndex
$IfAlias = $Interface.Interfacealias
Get-NetIPAddress -InterfaceIndex $Ifindex `
                        -AddressFamily $IPType
  1. Set the interface to get its address from DHCP:
Set...
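The following is an added example (not the book's code) that completes the conversion back to DHCP and checks whether a lease was actually obtained. It reuses the same adapter-selection logic as the recipe's first step.

```powershell
# Added example (not the book's code): revert DC2's IPv4 configuration to DHCP.
$IPType  = 'IPv4'
$Adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
$IfIndex = $Adapter.ifIndex

# Remove the manually assigned address and default route first; otherwise they
# remain on the interface next to whatever DHCP hands out
Get-NetIPAddress -InterfaceIndex $IfIndex -AddressFamily $IPType -PrefixOrigin Manual -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $IfIndex -AddressFamily $IPType -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# Enable DHCP and clear the static DNS servers so the DHCP-supplied ones are used
Set-NetIPInterface -InterfaceIndex $IfIndex -AddressFamily $IPType -Dhcp Enabled
Set-DnsClientServerAddress -InterfaceIndex $IfIndex -ResetServerAddresses

# Request a fresh lease (there is no cmdlet for a renewal, so the console tool stays)
ipconfig /renew | Out-Null

# Verify: an APIPA address means no DHCP server answered on this subnet
$Cfg = Get-NetIPConfiguration -InterfaceIndex $IfIndex
if ($Cfg.IPv4Address.IPAddress -like '169.254.*') {
    Write-Warning 'APIPA address assigned: no DHCP server answered on this subnet'
}
$Cfg
```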

Installing domain controllers and DNS


At the heart of most corporate and organizational networks is Active Directory (AD). You use AD as an authentication and authorization platform. AD first debuted with Windows 2000, and Microsoft has improved it with each successive release of Windows Server.

In the early days of AD, you promoted a server computer to act as a domain controller by using the DCPromo.exe utility. In Server 2016, this command no longer exists. Instead of DCPromo, you use either Server Manager or PowerShell.

This recipe shows how you use PowerShell to upgrade systems to be domain controllers. This recipe creates two servers (DC1 and a replica DC, DC2) in the Reskit.Org domain. After you complete this recipe, your forest has only one domain, but you could easily extend this recipe to create multi-domain forests.

Getting ready

In this recipe, you use two domain controllers, DC1 and DC2. Before running this recipe, you should configure both DC1 and DC2 to have static IP address...
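Here is an added example (not the book's recipe code) showing the forest creation on DC1, the replica promotion on DC2, and the checks that confirm replication and the DNS records a DC depends on. It assumes both servers already have static IP addresses and that DC2 resolves names through DC1; passwords are prompted rather than embedded in the script.

```powershell
# Added example (not the book's code): create the Reskit.Org forest on DC1, then add DC2 as a replica.
# Assumptions: static IPs are in place and DC2 uses DC1 for DNS.

# --- On DC1: install the role and create the forest ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
$SafeModePW = Read-Host -Prompt 'DSRM password' -AsSecureString
Install-ADDSForest -DomainName 'Reskit.Org' -DomainNetbiosName 'RESKIT' `
                   -ForestMode WinThreshold -DomainMode WinThreshold `
                   -SafeModeAdministratorPassword $SafeModePW `
                   -InstallDns -Force
# DC1 reboots here; continue on DC2 once DC1 is back up.

# --- On DC2: install the role and join the domain as a replica DC ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
$Cred       = Get-Credential -Message 'Enterprise Admin credential for Reskit.Org'
$SafeModePW = Read-Host -Prompt 'DSRM password' -AsSecureString
Install-ADDSDomainController -DomainName 'Reskit.Org' -Credential $Cred `
                             -SafeModeAdministratorPassword $SafeModePW `
                             -InstallDns -Force

# --- After both reboots: confirm the DCs, replication health and the SRV records ---
Get-ADDomainController -Filter * | Select-Object HostName, IPv4Address, IsGlobalCatalog
Get-ADReplicationPartnerMetadata -Target DC2.Reskit.Org |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult
Resolve-DnsName -Name _ldap._tcp.dc._msdcs.Reskit.Org -Type SRV
```

The DSRM password is the one credential that still works when the directory itself is unavailable, so it belongs in a vault rather than in a script or a shared document.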

Configuring zones and resource records in DNS


DNS configuration using PowerShell is straightforward. You first add the DNS service. Then you create the zones you need and finally you create the resource records for those zones.

When you install an AD, as you did in the Installing domain controllers recipe, the AD installation process also installs the DNS service on the DC and configures both the necessary forward lookup zone and the AD-related resource records.

This recipe looks at the actions you may need to take once your DC is up and running. You can create new zones (for example, a reverse lookup zone), add additional A and MX records for mail, and set Extended DNS (EDNS). You should also test the DNS server to ensure it is all up and working.

Getting ready

This recipe assumes you have the domain controller up and running as a DC, and that you have a DNS Administrator user created. You create the user as follows:

$PasswordSS = ConvertTo-SecureString `
              -String 'Pa$$w0rd' `...
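The following is an added example (not the book's code) that performs the zone, record, EDNS and testing steps the recipe introduction lists. It assumes DC1 (10.10.10.10) hosts the Reskit.Org zone; the mail host address 10.10.10.20 is a constructed value.

```powershell
# Added example (not the book's code): reverse zone, A and MX records, EDNS, and tests.
# Assumptions: DC1 at 10.10.10.10 hosts Reskit.Org; the mail host 10.10.10.20 is made up.
$Dns = 'DC1.Reskit.Org'

# Reverse lookup zone for 10.10.10.0/24, AD-integrated and replicated to every DC in the forest
Add-DnsServerPrimaryZone -NetworkId '10.10.10.0/24' -ReplicationScope Forest -ComputerName $Dns

# A record for the mail host; -CreatePtr adds the matching PTR in the reverse zone
Add-DnsServerResourceRecordA -ZoneName 'Reskit.Org' -Name 'mail' -IPv4Address 10.10.10.20 `
                             -CreatePtr -ComputerName $Dns

# MX record at the zone apex ('.') pointing mail for the domain at mail.Reskit.Org
Add-DnsServerResourceRecordMX -ZoneName 'Reskit.Org' -Name '.' -MailExchange 'mail.Reskit.Org' `
                              -Preference 10 -ComputerName $Dns

# EDNS: probes let the server discover which peers accept larger UDP answers
Set-DnsServerEDns -EnableProbes $true -CacheTimeout '0.00:15:00' -ComputerName $Dns

# Tests: the server answers for the zone, and forward and reverse lookups agree
Test-DnsServer -IPAddress 10.10.10.10 -ZoneName 'Reskit.Org'
Resolve-DnsName -Name mail.Reskit.Org -Type A   -Server 10.10.10.10
Resolve-DnsName -Name 10.10.10.20     -Type PTR -Server 10.10.10.10
Resolve-DnsName -Name Reskit.Org      -Type MX  -Server 10.10.10.10
```

Creating the reverse zone before the A record matters: -CreatePtr silently does nothing if no reverse zone covers the address.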

Installing and authorizing a DHCP server


Installing and authorizing a DHCP server is easy and straightforward. You can use the GUI, Server Manager to achieve this. Server Manager, though, is a GUI layered on top of PowerShell. The GUI gathers the details, and PowerShell does the rest. In this recipe, you carry out the installation and basic configuration using just the native cmdlets.

Getting ready

This recipe installs a DHCP server on DC1. You need that system up and running.

How to do it...

  1. Login to DC1, and add the DHCP server feature to your system:
Install-WindowsFeature -Name DHCP `
                         -IncludeManagementTools
  1. Add the DHCP server's security groups:
Add-DHCPServerSecurityGroup -Verbose
  1. Let DHCP know it's all configured:
Set-ItemProperty `
         -Path HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12 `
         -Name ConfigurationState `
         -Value 2
  1. Authorize the DHCP server in Active Directory:
Add-DhcpServerInDC -DnsName DC1.Reskit.Org
  1. Restart DHCP:
Restart-Service -Name DHCPServer...

Configuring DHCP scopes


In the previous recipe, Installing and authorizing a DHCP server, you installed and authorized a DHCP server. But before that server can begin to provide IP address configuration information to DHCP clients, you need to create a scope and options. The scope is the set of DHCP addresses DHCP can give out, while the options are specific configuration options your DHCP server provides along with an IP address.

Getting ready

Before you can configure DHCP scopes and options, you need to have completed the earlier Installing and authorizing a DHCP server recipe on DC1.

How to do it...

  1. Create a DHCP scope:
Add-DhcpServerV4Scope -Name 'Reskit' `
                        -StartRange   10.10.10.150 `
                        -EndRange     10.10.10.199 `
                        -SubnetMask   255.255.255.0 `
                        -ComputerName DC1.Reskit.Org
  1. Get scopes from the server:
Get-DhcpServerv4Scope -ComputerName DC1.Reskit.Org
  1. Set DHCP OptionValues:
Set-DhcpServerV4OptionValue -DnsDomain...
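Here is an added example (not the book's code) that completes the option configuration for the Reskit scope and adds the pieces a production scope usually needs: an exclusion range, a reservation and a lease duration. The router 10.10.10.254, the DNS server 10.10.10.10 and the printer's MAC address are assumed or constructed values.

```powershell
# Added example (not the book's code): scope options, an exclusion, a reservation and a lease time.
# Assumed values: router 10.10.10.254, DNS 10.10.10.10; the MAC address is constructed.
$Dhcp  = 'DC1.Reskit.Org'
$Scope = '10.10.10.0'

# Server-wide options apply to every scope unless a scope overrides them
Set-DhcpServerV4OptionValue -ComputerName $Dhcp -DnsDomain 'Reskit.Org' -DnsServer 10.10.10.10

# Scope-specific option: the default gateway (DHCP option 3)
Set-DhcpServerV4OptionValue -ComputerName $Dhcp -ScopeId $Scope -Router 10.10.10.254

# Keep a block inside the range for addresses assigned by hand
Add-DhcpServerv4ExclusionRange -ComputerName $Dhcp -ScopeId $Scope `
                               -StartRange 10.10.10.150 -EndRange 10.10.10.159

# Reservation: a fixed address for a device identified by its client ID (MAC)
Add-DhcpServerv4Reservation -ComputerName $Dhcp -ScopeId $Scope -IPAddress 10.10.10.160 `
                            -ClientId '00-11-22-33-44-55' -Name 'Printer1' -Description 'Reception printer'

# A short lease in a lab so abandoned leases age out quickly
Set-DhcpServerv4Scope -ComputerName $Dhcp -ScopeId $Scope -LeaseDuration (New-TimeSpan -Days 1)

# Review what a client in this scope will receive, and how full the scope is
Get-DhcpServerv4OptionValue -ComputerName $Dhcp -ScopeId $Scope -All |
    Format-Table OptionId, Name, Value -AutoSize
Get-DhcpServerv4ScopeStatistics -ComputerName $Dhcp -ScopeId $Scope
```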

Configuring DHCP server failover and load balancing


The basic installation and configuration of a single DHCP server, as shown in the two previous recipes, is straightforward. However, a single DHCP server represents a single point of failure. A standard solution to this shortcoming is to implement DHCP failover and load balancing. Microsoft added this to DHCP with Windows 2012. The feature and indeed DHCP is unchanged in Server 2016.

Getting ready

This recipe requires two servers, with one server (DC1) set up with a working and configured DHCP scope. You achieved this by using the Installing and authorizing a DHCP server and Configuring DHCP scopes recipes. The recipe needs a second, as yet unconfigured, server, which in this case is the second DC, DC2.Reskit.Org.

How to do it...

  1. Log in and install the DHCP feature on DC2:
Install-WindowsFeature -Name DHCP,RSAT-DHCP `
                         -ComputerName DC2.Reskit.Org
  1. Let DHCP know it's all configured:
Invoke-Command -ComputerName DC2...
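The following is an added example (not the book's code) of the failover relationship itself, once the DHCP role has been installed and authorized on DC2. The relationship name, timers and 50/50 split are assumptions; the shared secret is prompted for rather than stored in the script.

```powershell
# Added example (not the book's code): load-balanced DHCP failover between DC1 and DC2.
# Assumes the DHCP role is installed and authorized on both servers.
$Primary = 'DC1.Reskit.Org'
$Partner = 'DC2.Reskit.Org'
$Scope   = '10.10.10.0'

# The shared secret authenticates failover messages between the partners
$Secret = Read-Host -Prompt 'Failover shared secret'

Add-DhcpServerv4Failover -ComputerName $Primary -Name 'DC1-DC2' -PartnerServer $Partner `
                         -ScopeId $Scope -LoadBalancePercent 50 `
                         -MaxClientLeadTime (New-TimeSpan -Hours 1) `
                         -StateSwitchInterval (New-TimeSpan -Minutes 5) `
                         -SharedSecret $Secret -AutoStateTransition $true

# Both partners should now report the relationship, and DC2 should hold a copy of the scope
Get-DhcpServerv4Failover -ComputerName $Primary |
    Format-List Name, PartnerServer, Mode, State, ScopeId, LoadBalancePercent
Get-DhcpServerv4Scope -ComputerName $Partner -ScopeId $Scope

# Failover replicates leases, not later option changes: push those explicitly after editing DC1
Invoke-DhcpServerv4FailoverReplication -ComputerName $Primary -Name 'DC1-DC2' -Force
```

-StateSwitchInterval with -AutoStateTransition is what lets the surviving partner take over the whole address pool automatically when the other stays unreachable; without it, someone has to move the relationship to the partner-down state by hand.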

Building a public key infrastructure


In most organizations, you find a requirement for X.509 digital certificates. The organization might need an SSL certificate for a website, a server certificate for Skype for Business, or a code signing certificate as the basis for signing PowerShell scripts. Building a PKI for your organization is often an exercise in defense in depth.

A very simple design would be to make your DC an AD Certificate Services (ADCS) CA server. But that is not best practice. At a minimum, you need a single offline root CA, with a subordinate issuing CA. If you are more paranoid or have a bigger attack surface, you could consider an intermediate CA that, like the root, is offline with a third level CA that issues certificates. The richness and complexity of modern CA architecture are beyond the scope of this book.

This recipe creates a two-level CA architecture for the Reskit.org network. The root CA is root: a workgroup machine that you should keep offline. The second CA...
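Here is an added example, not the book's recipe code, of the two-tier design the introduction describes: a standalone root CA on a workgroup machine that issues exactly one certificate (the subordinate's) and then stays offline, and an enterprise issuing CA in the domain. The CA names, the pki.reskit.org publishing URL, the file paths and the key lifetimes are all assumptions.

```powershell
# Added example (not the book's code): two-tier CA. Names, URLs, paths and lifetimes are assumptions.

# --- On ROOT (workgroup machine; disconnect it from the network once this is done) ---
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName 'Reskit Root CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

# The root is offline, so its CRL and certificate must be reachable from a domain web server
# (assumed URL). The %3/%8/%9 and %1/%4 tokens are certutil's CA-name and file-name macros.
Add-CACrlDistributionPoint       -Uri 'http://pki.reskit.org/pki/%3%8%9.crl'  -AddToCertificateCdp -Force
Add-CAAuthorityInformationAccess -Uri 'http://pki.reskit.org/pki/%1_%3%4.crt' -AddToCertificateAia -Force
Restart-Service -Name CertSvc
certutil -crl    # publish an initial CRL
# Copy C:\Windows\System32\CertSrv\CertEnroll\*.crt and *.crl to removable media and take ROOT offline.

# --- On CA (domain member): trust the root, then install the issuing CA ---
certutil -dspublish -f '.\Reskit Root CA.crt' RootCA     # publish into AD so every member trusts it
certutil -addstore  -f Root '.\Reskit Root CA.crt'         # and into this machine's store right away
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName 'Reskit Issuing CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile 'C:\ReskitIssuingCA.req' -Force
# Carry the .req to ROOT, issue it there, and bring the resulting .cer back before continuing.
certutil -installcert 'C:\ReskitIssuingCA.cer'
Start-Service -Name CertSvc

# Check the chain and the revocation URLs from the issuing CA
Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like '*Reskit Root CA*'
certutil -verify -urlfetch 'C:\ReskitIssuingCA.cer'
```

The root's key never touches the domain and is used only a handful of times in its life; the issuing CA is the one that gets templates, auto-enrollment and monitoring. Keep the root's CRL lifetime long enough (months) that bringing the machine online to re-sign it is a scheduled event, not an emergency.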

Creating and managing AD users, groups, and computers


Your Active Directory, as created in the Installing domain controllers and DNS recipe, authenticates users and computers. AD also makes use of group membership to simplify authorization. In this recipe, you add, remove, and update users and computers. You also create and remove groups and manage group membership, as well as managing organizational units. This recipe uses the cmdlets in the ActiveDirectory module. You can use a more automated approach to adding users by following the Adding users to AD using a CSV file recipe.

Getting ready

This recipe uses two working domain controllers (DC1 and DC2) in the Reskit.Org domain.

How to do it...

  1. Create a hash table for general user attributes:
$Password = 'Pa$$w0rd'
$PasswordSS = ConvertTo-SecureString `
                      -String $Password `
                      -AsPlainText -Force
$NewUserHT = @{}
$NewUserHT.AccountPassword = $PasswordSS
$NewUserHT.Enabled = $true
$NewUserHT.PasswordNeverExpires...
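The following is an added example (not the book's code) that walks through the object types the recipe covers: an OU, a user built from a splatting hash table, a group and its membership, an attribute update, a pre-staged computer account, and the matching removals. The names (IT, JerryG, IT-Admins, Wks1) are made up, and the initial password is prompted for rather than written into the script.

```powershell
# Added example (not the book's code): OU, user, group and computer management.
# The object names are made up; the password is prompted, not hard-coded.
Import-Module ActiveDirectory
$Domain = 'DC=Reskit,DC=Org'

# Organizational unit, protected so a stray Remove-ADObject cannot take it out
New-ADOrganizationalUnit -Name 'IT' -Path $Domain -ProtectedFromAccidentalDeletion $true

# User attributes in a hash table; splatting (@NewUserHT) passes them as parameters
$NewUserHT = @{
    Name                  = 'Jerry Garcia'
    SamAccountName        = 'JerryG'
    UserPrincipalName     = 'JerryG@Reskit.Org'
    GivenName             = 'Jerry'
    Surname               = 'Garcia'
    Path                  = "OU=IT,$Domain"
    AccountPassword       = (Read-Host -Prompt 'Initial password' -AsSecureString)
    Enabled               = $true
    ChangePasswordAtLogon = $true   # the user sets their own password at first logon
}
New-ADUser @NewUserHT

# Group and membership
New-ADGroup -Name 'IT-Admins' -GroupScope Global -GroupCategory Security -Path "OU=IT,$Domain"
Add-ADGroupMember -Identity 'IT-Admins' -Members 'JerryG'
Get-ADGroupMember -Identity 'IT-Admins' | Select-Object Name, SamAccountName

# Update attributes on the user; pre-stage a computer account in the same OU
Set-ADUser -Identity 'JerryG' -Office 'London' -Department 'IT'
New-ADComputer -Name 'Wks1' -Path "OU=IT,$Domain" -Enabled $true

# Removals, in the reverse order, when the objects are no longer needed
Remove-ADGroupMember -Identity 'IT-Admins' -Members 'JerryG' -Confirm:$false
Remove-ADComputer -Identity 'Wks1' -Confirm:$false
Remove-ADUser -Identity 'JerryG' -Confirm:$false
```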

Adding users to AD using a CSV file


As mentioned several times in this book, https://www.spiceworks.com/ has a busy PowerShell support forum (accessible at https://community.spiceworks.com/programming/powershell). A frequently asked (and answered) question is: How do I add multiple users using an input file? This recipe does just that. You start with a simple CSV file containing the details of the users you wish to add. This script uses a CSV file and adds the users contained in the CSV.

Getting ready

This recipe assumes you have a domain setup and that you have created the IT organizational unit.

How to do it...

  1. Import a CSV file containing the details of the users you want to add to AD:
$Users = Import-CSV -Path C:\FooUsers.Csv
  1. Add the users using the CSV:
ForEach ($User in $Users) {
  $Prop = @{}
  $Prop.GivenName = $User.Firstname
  $Prop.Initials = $User.Initials
  $Prop.Surname = $User.Lastname
  $Prop.UserPrincipalName = $User.UserPrincipalName+"@reskit.org"
  $Prop.Displayname = $User.firstname...
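Here is an added example (not the book's script) of the whole CSV import, with two behaviours the recipe's loop would need in practice: it skips users that already exist instead of aborting part-way through the file, and it records a per-user result. The CSV content is constructed inline so the logic is visible; in practice you would use Import-Csv -Path as the recipe does. It assumes the IT OU exists in Reskit.Org.

```powershell
# Added example (not the book's code). The CSV below is constructed; replace it with Import-Csv -Path.
# Assumes OU=IT,DC=Reskit,DC=Org exists.
Import-Module ActiveDirectory
$Csv = @'
Firstname,Initials,Lastname,UserPrincipalName,Department
Alice,A,Adams,AliceA,IT
Bob,B,Brown,BobB,IT
'@
$Users = $Csv | ConvertFrom-Csv

$Results = foreach ($User in $Users) {
    $Upn = "$($User.UserPrincipalName)@reskit.org"

    # Skip existing accounts rather than failing half-way through the file
    if (Get-ADUser -Filter "UserPrincipalName -eq '$Upn'") {
        [pscustomobject]@{ User = $Upn; Result = 'Exists' }
        continue
    }

    $Prop = @{
        GivenName             = $User.Firstname
        Initials              = $User.Initials
        Surname               = $User.Lastname
        UserPrincipalName     = $Upn
        SamAccountName        = $User.UserPrincipalName
        DisplayName           = "$($User.Firstname) $($User.Lastname)"
        Name                  = "$($User.Firstname) $($User.Lastname)"
        Department            = $User.Department
        Path                  = 'OU=IT,DC=Reskit,DC=Org'
        # One-time random password; the user must replace it at first logon
        AccountPassword       = (ConvertTo-SecureString -String (New-Guid).Guid -AsPlainText -Force)
        ChangePasswordAtLogon = $true
        Enabled               = $true
    }
    try {
        New-ADUser @Prop -ErrorAction Stop
        [pscustomobject]@{ User = $Upn; Result = 'Created' }
    } catch {
        [pscustomobject]@{ User = $Upn; Result = "Failed: $($_.Exception.Message)" }
    }
}
$Results | Format-Table -AutoSize
```

The generated initial password still has to reach the user somehow; a help-desk reset at first logon, or a password delivered out of band, avoids putting a shared default such as the book's 'Pa$$w0rd' on every new account.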

Reporting on AD users


In this recipe, you generate a report on the users in your AD. Because of the range of things you might wish to report on, the first step in this recipe defines a function: Get-ReskitUser. This function collects a range of information from the AD and returns it as a custom object. This approach allows you to customize this recipe further, for example by reaching into Exchange, SharePoint, or Skype for Business and adding further properties to the object that Get-ReskitUser returns. The recipe uses the Get-ReskitUser function and creates a report on aspects of the users in AD.

Getting ready

This recipe relies on having users defined and active. The users added using previous recipes serve as a good base. You should use a client system, have the users in your AD, and log on to the computer. Also ensure that the LastLogonDate AD attribute for the computer is populated fully. Populating other fields, such as Office, would also be useful to make the reporting a bit more...
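The following is an added example (not the book's Get-ReskitUser) of the pattern the recipe describes: a function that returns one custom object per user, and a report built from those objects. The property set is an assumption and is the place to add data from other systems, as the recipe suggests.

```powershell
# Added example (not the book's code): Get-ReskitUser returns custom objects; the report consumes them.
Import-Module ActiveDirectory

function Get-ReskitUser {
    [CmdletBinding()]
    param ([string]$SearchBase = 'DC=Reskit,DC=Org')
    $Props = 'DisplayName', 'Office', 'Department', 'LastLogonDate', 'PasswordLastSet',
             'PasswordNeverExpires', 'Enabled', 'whenCreated', 'MemberOf'
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties $Props | ForEach-Object {
        [pscustomobject]@{
            SamAccountName       = $_.SamAccountName
            DisplayName          = $_.DisplayName
            Office               = $_.Office
            Department           = $_.Department
            Enabled              = $_.Enabled
            Created              = $_.whenCreated
            LastLogonDate        = $_.LastLogonDate
            PasswordLastSet      = $_.PasswordLastSet
            PasswordNeverExpires = $_.PasswordNeverExpires
            GroupCount           = @($_.MemberOf).Count
        }
    }
}

$Users   = Get-ReskitUser
$Report  = "*** Reskit.Org AD User Report`n*** Generated [$(Get-Date)]`n`n"
$Report += "Users: $($Users.Count); disabled: $(@($Users | Where-Object { -not $_.Enabled }).Count)`n`n"

$Report += "*** Users who have never logged on`n"
$Report += $Users | Where-Object { -not $_.LastLogonDate } |
    Format-Table SamAccountName, DisplayName, Created | Out-String

$Report += "*** Users not logged on in the past 30 days`n"
$Report += $Users | Where-Object { $_.LastLogonDate -and $_.LastLogonDate -lt (Get-Date).AddDays(-30) } |
    Format-Table SamAccountName, LastLogonDate | Out-String

$Report += "*** Enabled users whose password never expires`n"
$Report += $Users | Where-Object { $_.Enabled -and $_.PasswordNeverExpires } |
    Format-Table SamAccountName, PasswordLastSet | Out-String

$Report += "*** Users by office`n"
$Report += $Users | Group-Object Office | Sort-Object Count -Descending |
    Format-Table Name, Count | Out-String
$Report
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which AD updates only when it is more than about two weeks stale, so treat it as accurate to within 14 days rather than to the minute.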

Finding expired computers in AD


Expired computers, computers that have not logged on recently, can be something you need to investigate. A client computer that has not logged on to the domain for, say, a month, could have been stolen. Such a computer could also be an under-used asset that is a candidate for redeployment. If it's a server that has not logged in for a month, it could indicate a computer that is non-functioning and one you should investigate.

This recipe is a variation on the Report on AD Users recipe.

Getting ready

This recipe needs computer accounts in the AD.

How to do it...

  1. Build the report header:
$RKReport = ''
$RkReport += "*** Reskit.Org AD Unused " `
                       + "Computer Report`n"
$RKReport += "*** Generated [$(Get-Date)]`n"
$RKReport += "***********************************`n`n"
  1. Report on computer accounts that have not logged in in past 14 days:
$RkReport += "*** Machines not logged on in past 14 days`n"
$FortnightAgo = (Get-Date).AddDays(-14)
$RKReport += Get-ADComputer...
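Here is an added example (not the book's code) that completes the unused-computer report and applies the distinction the introduction draws between clients and servers, using a separate threshold for each. The thresholds (14 days for clients, 30 for servers) are assumptions.

```powershell
# Added example (not the book's code): enabled computer accounts that have not logged on recently.
# Thresholds are assumptions; adjust them to your environment.
Import-Module ActiveDirectory
$ClientCutoff = (Get-Date).AddDays(-14)
$ServerCutoff = (Get-Date).AddDays(-30)

$Computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties LastLogonDate, OperatingSystem, whenCreated, DistinguishedName

$Stale = foreach ($C in $Computers) {
    $IsServer = $C.OperatingSystem -like '*Server*'
    $Cutoff   = if ($IsServer) { $ServerCutoff } else { $ClientCutoff }
    # An account that has never logged on has no LastLogonDate; age it from its creation date
    $Last = if ($C.LastLogonDate) { $C.LastLogonDate } else { $C.whenCreated }
    if ($Last -lt $Cutoff) {
        [pscustomobject]@{
            Name          = $C.Name
            Type          = if ($IsServer) { 'Server' } else { 'Client' }
            OS            = $C.OperatingSystem
            LastLogonDate = $C.LastLogonDate
            DaysSince     = [int]((Get-Date) - $Last).TotalDays
            OU            = ($C.DistinguishedName -split ',', 2)[1]
        }
    }
}

$RKReport  = "*** Reskit.Org AD Unused Computer Report`n"
$RKReport += "*** Generated [$(Get-Date)]`n***********************************`n`n"
$RKReport += $Stale | Sort-Object Type, DaysSince -Descending |
    Format-Table Name, Type, OS, LastLogonDate, DaysSince, OU -AutoSize | Out-String
$RKReport

# Follow-up, once the list has been reviewed: disable (not delete) stale clients, so a machine
# that reappears can be re-enabled instead of rejoined. Computer accounts are "Name$" in AD.
# $Stale | Where-Object Type -eq 'Client' | ForEach-Object { Disable-ADAccount -Identity ($_.Name + '$') }
```

Servers that have not logged on for a month are worth a look before anything is disabled: a stale entry may be a decommissioned host whose account was never removed, which is exactly the kind of orphaned identity that should leave the directory.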

Creating a privileged user report


When you add a user to a group (and the user logs on again), the user acquires additional permissions and rights. That may be a good thing! Group membership enables the user to perform job-related duties. However, adding the user to the Enterprise Admins group, for example, provides that user with rights over most of your forest. A user who acquires membership of such high-privilege groups may not have benign intentions and could represent a serious risk. The report you generate using this recipe shows the privileged users and any changes that someone has made to the group membership.

Getting ready

You need a DC on which to run this report.

How to do it...

  1. Create an array for privileged users:
$PUsers = @()
  1. Query the Enterprise Admins/Domain Admins/Schema Admins groups for members and add them to the $PUsers array:
# Enterprise Admins
$Members = Get-ADGroupMember `
                    -Identity 'Enterprise Admins' -Recursive |
                    Sort-Object -Property Name
$PUsers += foreach...
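The following is an added example (not the book's code) that builds the privileged-user list for all the groups the recipe names and adds the change-tracking part of the report: each run is compared against the previous run's saved output, so additions and removals stand out, and the DC's own security log is checked for group-membership events in the same period. The baseline path and the inclusion of the built-in Administrators group are assumptions.

```powershell
# Added example (not the book's code): privileged group members, diffed against the last run.
# The baseline path is an assumption. -Recursive flattens nested group membership.
Import-Module ActiveDirectory
$Groups   = 'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators'
$Baseline = 'C:\Reports\PrivilegedUsers.baseline.csv'   # assumed path

$PUsers = foreach ($G in $Groups) {
    Get-ADGroupMember -Identity $G -Recursive |
        Where-Object objectClass -eq 'user' |          # skip computers and service accounts
        Sort-Object -Property Name | ForEach-Object {
            $U = Get-ADUser -Identity $_.SamAccountName -Properties PasswordLastSet, LastLogonDate, Enabled
            [pscustomobject]@{
                Group           = $G
                SamAccountName  = $U.SamAccountName
                Name            = $U.Name
                Enabled         = $U.Enabled
                PasswordLastSet = $U.PasswordLastSet
                LastLogonDate   = $U.LastLogonDate
            }
        }
}

$Report  = "*** Reskit.Org Privileged User Report`n*** Generated [$(Get-Date)]`n`n"
$Report += $PUsers | Format-Table Group, SamAccountName, Enabled, PasswordLastSet, LastLogonDate -AutoSize | Out-String

# Compare with the previous run so additions and removals stand out
if (Test-Path $Baseline) {
    $Old  = Import-Csv $Baseline
    $Diff = Compare-Object -ReferenceObject $Old -DifferenceObject $PUsers -Property Group, SamAccountName
    $Report += "*** Changes since baseline ($((Get-Item $Baseline).LastWriteTime))`n"
    $Report += $Diff | ForEach-Object {
        $Kind = if ($_.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
        "$Kind $($_.SamAccountName) in $($_.Group)"
    } | Out-String
    if (-not $Diff) { $Report += "(none)`n" }
} else {
    $Report += "*** No baseline found; saving this run as the baseline`n"
}
New-Item -ItemType Directory -Path (Split-Path $Baseline) -Force | Out-Null
$PUsers | Export-Csv -Path $Baseline -NoTypeInformation
$Report

# Cross-check with the DC's security log: 4728/4756/4732 are "member added to a
# security-enabled global/universal/local group". This catches a membership that was
# added and removed again between two report runs, which the snapshot diff cannot see.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4756, 4732; StartTime = (Get-Date).AddDays(-7) } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```

Because the script overwrites the baseline on every run, a change is reported exactly once; if the report is reviewed by a different person from the one who runs it, keep dated copies of the CSV as well so a missed run does not lose the evidence.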