Thursday, 26 June 2008

PowerGUI / Exchange 2003

I've used the PowerGUI script editor as my editor of choice ever since I started using Powershell, but I never really got the PowerGUI thing.

Recently at the UK Powershell User Group we had the brilliant opportunity to visit Quest in the UK and be presented to by Dmitry Sotnikov about PowerGUI and the AD cmdlets. Before going I figured I'd better get to grips with PowerGUI so spent some time watching the online tutorial videos and started playing around with it.

Doing this combined with what I picked up from the Quest visit it started to dawn on me how useful this could be. It had frustrated me for a while that although there is great support for Powershell in Exchange 2007 there wasn't anything native for Exchange 2003, which is what we use in our environment; so I thought why not try and make a PowerGUI powerpack for it.

There's a fair bit on the web about using WMI to manage Exchange 2003, in particular a very helpful article from Dmitry.

So with a little bit of playing I have posted version 0.1 to the PowerGUI powerpack library. With a bit of work I think it could be improved a lot (I have no actions or links yet, just script nodes), but I'd be interested in any feedback so leave me a comment if you've used it. I know there's a lot of uptake with Exchange 2007 now, but I'm sure there's plenty of 2003 sites still out there.

Even while putting the powerpack together I discovered things I could manage with Powershell so easily which would be really tricky to do through the Exchange Management GUI - my favourite is Get-DisconnectedMailboxes.

Quite often I need to find mailboxes which have had the AD account deleted and are waiting to expire from Exchange - not easy to do when the AD record has gone so you don't know which database they were on (we have over 40 Exchange databases). With the below Powershell WMI script it is dead easy to get a list of all disconnected mailboxes and which database they are in by using the DateDiscoveredAbsentInDS property:

# $computer holds the name of the Exchange 2003 server to query
Get-WmiObject -Namespace root\MicrosoftExchangeV2 -Class Exchange_Mailbox -ComputerName $computer |
    Where-Object { $_.DateDiscoveredAbsentInDS -like '2*' } |
    Sort-Object MailboxDisplayName |
    Select-Object MailboxDisplayName,ServerName,StorageGroupName,StoreName,Size,DateDiscoveredAbsentInDS

PowerGUI then displays the results in a really nice view!

I think I'll be using PowerGUI a lot from now on...........

Monday, 16 June 2008

HP Lights-Out Authentication With Active Directory

OK, so it's not exactly scripting, but I just spent a bunch of time getting this working in our lab environment before a production rollout. Hit a number of not very obvious gotchas so thought I would put the information out there to assist anyone else trying to get the same thing working.

If you're not familiar with it then the HP Lights-Out management processor is typically a built-in (it used to be a separate PCI card) component in Proliant servers which enables remote management of the physical machine independent of the OS. For instance, you can effectively access the power button or the console of the machine on a server in a remote office which has become unresponsive. Full details here. The feature which usually impresses people the most is the ability to view the console as the machine is booting up - remember those times when you rebooted a remote server and it didn't come back up because it was waiting for an F1 key press which you couldn't press!

We are looking at deploying this to all of our AD DC's, which are typically the only server at branch offices and can involve long and costly trips for engineers should the server need maintenance. One requirement we have for the project is auditing and accountability, i.e. if an engineer has used the tool to power off a DC we may need to know who did it. Consequently we examined in the lab how to use the authentication that HP Lights-Out provides against Active Directory.

First of all here are the requirements for what you will need:

  • HP servers with iLo enabled management processors. For advanced features like Remote Control you need an advanced license which typically can be purchased for around £80 per machine.
  • LDAP directory, we're using Active Directory. You will need admin accounts which belong to a group which iLo can use.
  • ilo wants to authenticate over SSL so you will need to enable your Active Directory to respond to LDAP requests on SSL which it does not do by default. (detailed info to follow)
  • HP Directories Support management software - download from the Proliant driver page.
  • A brick wall to bash your head against when you try to figure out the (undocumented) format to specify the login name as.

Get the latest Proliant support pack (currently 8.0) onto your server, there are some OS iLo updates in there. Update iLo itself to the latest firmware release. Patch the iLo card into your network, give it a DNS name and network settings - Tip: make sure the DNS server settings are correct (obvious, but I had it incorrect which led to some headscratching later on)

Active Directory

Download and ingest the Integrating HP Proliant Lights-Out processors with Microsoft Active Directory guide. Note there is an option to extend your AD schema to get some extra features, this blog post is around the schema-free integration.

You will need to enable SSL over LDAP on your DC's. There's a KB which makes it look very simple and in the main it is. Two tips from the field:

  1. You may need to reboot a DC before it will pick up the certificate.
  2. Add the Domain Controllers group to the CERTSVC_DCOM_ACCESS group as detailed in this KB article.

HP Lights-Out Directories Migration Utility

Run this tool as per the ilo AD guide - note: maybe it's just me, but it is not intuitive at all, you should be able to figure it out though. Essentially it will configure most of the settings you need, it's just not obvious what to put in there sometimes.

A key gotcha later on is the naming context so make sure you populate the Directory User Context with the path to where your admin accounts and the 'ilo-admins' group which contains them lie.

Directory testing

Login to iLo via the webpage at its configured IP address and the local iLo Administrator account (you may want to keep this as an emergency account if directory login is not working). Navigate to Administration, Security, Directory and you should see settings you specified during the migration utility. Check these settings are what you expect and then use the very useful Test Directory Settings link at the bottom.

Obviously, this will test all the settings you have input and tell you anything which is incorrect. The key point here is that you have to input a username and password to use for the testing, what it does not tell you is that it is expecting the username in the format of the DN, e.g. CN=test admin,OU=admin accounts,dc=testdomain,dc=com (of course this is not in the iLo AD guide!)

Once you have successfully passed all of the tests you can then logout and log back in with an AD admin account. If you have correctly populated your directory search context you can use either:

  • test admin (note the space) or
  • CN=test admin
otherwise you will have to specify the full path, i.e. CN=test admin,OU=admin accounts,dc=testdomain,dc=com .
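
A way to check the two prerequisites above from a workstation before touching iLo, namely that the DC answers LDAP over SSL and that the account binds when given as a full DN. This is an added example, not part of the original post or HP's tooling; the function name Test-LdapsBind and the DC name dc01.testdomain.com are made up for illustration, the DN is the one used in the post, and using a simple bind to stand in for iLo's login is an assumption.

```powershell
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsBind {
    param(
        [Parameter(Mandatory = $true)] [string] $Server,   # DC FQDN, must match a name in its certificate
        [Parameter(Mandatory = $true)] [string] $UserDN,   # full distinguished name of the account
        [Parameter(Mandatory = $true)] [System.Security.SecureString] $Password
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $true        # SSL on 636, certificate checked against the local trust store
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind with the DN
    $conn.Timeout  = New-TimeSpan -Seconds 10

    $result = 'OK'; $code = 0; $detail = 'SSL handshake and bind succeeded'
    try {
        $conn.Bind((New-Object System.Net.NetworkCredential($UserDN, $Password)))
    }
    catch {
        $ex = $_.Exception.GetBaseException()
        $result = 'Failed'; $detail = $ex.Message; $code = $null
        if ($ex -is [System.DirectoryServices.Protocols.LdapException]) {
            # 81 = server unavailable (port closed, DC has no certificate, or certificate not trusted)
            # 49 = invalid credentials (SSL worked, but the DN or password was rejected)
            $code = $ex.ErrorCode
        }
    }
    finally { $conn.Dispose() }

    New-Object psobject -Property @{
        Server = $Server; UserDN = $UserDN; Result = $result; LdapCode = $code; Detail = $detail
    }
}

# Constructed values: the DC name is a placeholder, the DN is the example from the post.
$pw = Read-Host -AsSecureString 'Password for test admin'
Test-LdapsBind -Server 'dc01.testdomain.com' `
    -UserDN 'CN=test admin,OU=admin accounts,dc=testdomain,dc=com' -Password $pw
```

A result of 81 points back at the certificate steps in the Active Directory section, while 49 means the SSL side is fine and the DN or password needs another look.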

Final note:

If you specify a search context of some newsgroup posts allege that you can then login as test.admin, i.e. the accountname, but I couldn't get this to work.

Monday, 9 June 2008

Do I need all the transaction log files Exchange creates? Part 2

Back in April I posted about what to do if the disk your Exchange transaction log files reside on runs out of space. This was all done through the eseutil utility.

If you are not comfortable with this tool or would simply prefer a GUI-based way to do it, it's possible to achieve the same result through the Exchange Troubleshooting Assistant (2003 or 2007).

There is a great post here which documents how to do it.

Something tells me I may well need to use this again sometime in the future.......

Friday, 6 June 2008

Compare-Object gotcha

A while back I used Compare-Object to examine differences between two AD groups. Unsuccessfully. The results appeared to come back inconsistently with known matches showing incorrect, double-entries etc.

At that point I unfortunately ran out of time to look into it any further. However, I have just read a great post from Dmitry which probably explains why it happens.

It's to do with the SyncWindow parameter - basically Powershell by default only looks at items + or - 5 elements away. You can use -SyncWindow to extend this to what you need.
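
The effect on a group-membership comparison, shown with constructed data as an added example (not code from the original post or from Dmitry's article). The account names and the helper Get-MemberDifference are made up for illustration, and -SyncWindow 5 is set explicitly because later PowerShell releases default it to [Int32]::MaxValue.

```powershell
# Constructed sample data: the same 20 account names in two different orders,
# standing in for the member lists of two AD groups, plus one genuine extra member.
$groupA = 1..20 | ForEach-Object { 'user{0:d2}' -f $_ }
$groupB = @($groupA | Sort-Object -Descending) + 'user99'

function Get-MemberDifference {
    param(
        [string[]] $Reference,
        [string[]] $Difference,
        [int] $SyncWindow = [int]::MaxValue   # examine the whole collection unless told otherwise
    )
    # @() keeps the result an array even when there are zero or one differences
    @(Compare-Object -ReferenceObject $Reference -DifferenceObject $Difference -SyncWindow $SyncWindow)
}

$narrow = Get-MemberDifference $groupA $groupB -SyncWindow 5
$full   = Get-MemberDifference $groupA $groupB

# With the narrow window, names that exist in both lists but sit more than
# five positions apart are reported as differences, once for each side.
'SyncWindow 5   : {0} differences reported' -f $narrow.Count
'Full window    : {0} differences reported' -f $full.Count

# Members flagged by the narrow window that are in fact present in both groups
$falseHits = $narrow | Where-Object { ($groupA -contains $_.InputObject) -and ($groupB -contains $_.InputObject) }
'False positives: {0}' -f @($falseHits).Count

# The genuine difference, which is all the full-window comparison returns
$full | Format-Table InputObject, SideIndicator -AutoSize
```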

Tuesday, 3 June 2008

Powerscripting Podcast

Found this the other day - great resource for what's going on in the Powershell World. New episodes weekly which is excellent, I like regular content.

Available through iTunes as well which is v. handy, easier than manual download of MP3s.

Currently working through the back catalogue which has some great tips on learning Powershell.