Installing and Configuring Windows Server 2012 Training Guide: Network Administration

  • 11/15/2012

Lesson 3: Managing networking using Windows PowerShell

Managing network settings and services is a core task for administrators of Windows Server–based networks. Examples of network configuration tasks include configuring interfaces, IP addresses, default gateways, routes and metrics; configuring ISATAP and Teredo for IPv4/v6 interoperability; and similar tasks. Examples of network service tasks include configuring DHCP scopes, options, and reservations; creating different types of DNS zones; configuring DNS root hints and forwarders; creating resource records; and similar tasks.

In previous versions of Windows Server, such tasks usually had to be performed using a combination of GUI tools and various command-line utilities. But with the significantly increased Windows PowerShell capabilities built into Windows Server 2012, you can now perform most network administration tasks from the Windows PowerShell command line or by running Windows PowerShell scripts. This lesson demonstrates how to identify network components that have Windows PowerShell support and how to perform some common network-administration tasks using Windows PowerShell.

Identifying networking cmdlets

In Windows Server 2012, there are now hundreds of Windows PowerShell cmdlets that can be used to view, configure, and monitor different networking components and services in the platform. The tasks you can perform using these cmdlets range from the common (such as configuring static IP addresses or DHCP reservations for servers) to more specialized (such as configuring quality-of-service parameters) to settings related to virtual environments (such as configuring the Hyper-V extensible switch). There is obviously too much to learn here in a single lesson or even a single book, and some tasks might be performed only occasionally or even not at all by many administrators. So let’s begin with a more practical approach to the problem of administering a Windows Server 2012 networking environment using Windows PowerShell by asking a simple question: How can you find the right cmdlet (if there is a cmdlet) to perform a particular networking task?

Using Get-Command

You could start by using the Get-Command cmdlet to search for all Windows PowerShell cmdlets and functions that have the string “net” in their names. This generates a lot of output, however, as shown here:

PS C:\> Get-Command *net*

CommandType     Name                                               ModuleName
-----------     ----                                               ----------
Function        Add-NetIPHttpsCertBinding                          NetworkTransition
Function        Add-NetLbfoTeamMember                              NetLbfo
Function        Add-NetLbfoTeamNic                                 NetLbfo
Function        Add-NetSwitchTeamMember                            NetSwitchTeam
Function        Copy-NetFirewallRule                               NetSecurity
Function        Copy-NetIPsecMainModeCryptoSet                     NetSecurity
Function        Copy-NetIPsecMainModeRule                          NetSecurity
Function        Copy-NetIPsecPhase1AuthSet                         NetSecurity
Function        Copy-NetIPsecPhase2AuthSet                         NetSecurity
Function        Copy-NetIPsecQuickModeCryptoSet                    NetSecurity
Function        Copy-NetIPsecRule                                  NetSecurity
Function        Disable-NetAdapter                                 NetAdapter
Function        Disable-NetAdapterBinding                          NetAdapter
Function        Disable-NetAdapterChecksumOffload                  NetAdapter
Function        Disable-NetAdapterEncapsulatedPacketTaskOffload    NetAdapter
Function        Disable-NetAdapterIPsecOffload                     NetAdapter
...

From the preceding output, you can see there are several Windows PowerShell modules that perform network-related actions. To see this more clearly, the following commands take the preceding output, sort it by module name, and remove duplicates:

PS C:\> Get-Command *net* | Sort-Object ModuleName | Format-Table ModuleName `
-HideTableHeaders | Out-String | Out-File c:\data\test.txt
PS C:\> Get-Content C:\data\test.txt | Get-Unique


ActiveDirectory
BranchCache
DnsServer
MsDtc
NetAdapter
NetConnection
NetLbfo
NetQos
NetSecurity
NetSwitchTeam
NetTCPIP
NetworkTransition
NFS
SmbShare

To investigate the NetTCPIP module further, you can use the –Module parameter of Get-Command to list all cmdlets and functions contained in this module:

PS C:\> Get-Command -Module NetTCPIP | Sort-Object Name | Format-Table Name

Name
----
Get-NetIPAddress
Get-NetIPConfiguration
Get-NetIPInterface
Get-NetIPv4Protocol
Get-NetIPv6Protocol
Get-NetNeighbor
Get-NetOffloadGlobalSetting
Get-NetPrefixPolicy
Get-NetRoute
Get-NetTCPConnection
Get-NetTCPSetting
Get-NetTransportFilter
Get-NetUDPEndpoint
Get-NetUDPSetting
New-NetIPAddress
New-NetNeighbor
New-NetRoute
New-NetTransportFilter
Remove-NetIPAddress
Remove-NetNeighbor
Remove-NetRoute
Remove-NetTransportFilter
Set-NetIPAddress
Set-NetIPInterface
Set-NetIPv4Protocol
Set-NetIPv6Protocol
Set-NetNeighbor
Set-NetOffloadGlobalSetting
Set-NetRoute
Set-NetTCPSetting
Set-NetUDPSetting

Using Show-Command

At this point, you can begin using Get-Help to learn about the syntax of NetTCPIP cmdlets you’re interested in and to see some examples of their usage. Unfortunately for administrators who are not that familiar with Windows PowerShell, the syntax displayed when you use Get-Help with a cmdlet can appear daunting. For example, consider a scenario where you have a web server running Windows Server 2012 and you want to add a second IP address to a network adapter on the server.

You might guess from the output of Get-Command –Module NetTCPIP shown previously that New-NetIPAddress is the cmdlet you use to perform this task, and you would be correct. But to the Windows PowerShell beginner, the syntax from Get-Help New-NetIPAddress might look quite confusing:

Parameter Set: ByInterfaceAlias
New-NetIPAddress -InterfaceAlias <String> [-AddressFamily <AddressFamily> ] [-AsJob]
[-CimSession <CimSession[]> ] [-DefaultGateway <String> ] [-IPv4Address <String> ]
[-IPv6Address <String> ] [-PassThru] [-PreferredLifetime <TimeSpan> ]
[-PrefixLength <Byte> ] [-PrefixOrigin <PrefixOrigin> ] [-SkipAsSource <Boolean> ]
[-Store <Store> ] [-SuffixOrigin <SuffixOrigin> ] [-ThrottleLimit <Int32> ]
[-Type <Type> ] [-ValidLifetime <TimeSpan> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

Parameter Set: ByIfIndexOrIfAlias
New-NetIPAddress [-AddressFamily <AddressFamily> ] [-AsJob]
[-CimSession <CimSession[]> ] [-DefaultGateway <String> ] [-InterfaceAlias <String> ]
[-InterfaceIndex <UInt32> ] [-IPv4Address <String> ] [-IPv6Address <String> ]
[-PassThru] [-PreferredLifetime <TimeSpan> ] [-PrefixLength <Byte> ]
[-PrefixOrigin <PrefixOrigin> ] [-SkipAsSource <Boolean> ] [-Store <Store> ]
[-SuffixOrigin <SuffixOrigin> ] [-ThrottleLimit <Int32> ] [-Type <Type> ]
[-ValidLifetime <TimeSpan> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

Fortunately, the new Show-Command cmdlet in Windows Server 2012 can help make the syntax of Windows PowerShell cmdlets easier to understand and use. Start by typing the following command:

PS C:\> Show-Command New-NetIPAddress

When you run the preceding command, the properties page shown in Figure 6-6 opens to show you the different parameters you can use with the New-NetIPAddress cmdlet. Parameters such as InterfaceAlias and IPAddress that are marked with an asterisk are mandatory; those not marked this way are optional.

Figure 6-6 The Show-Command properties page for the New-NetIPAddress cmdlet.

Clearly, to add a new IP address you first need to know the alias or index of the network interface to which you want to add the address. To find the interfaces on the system, you could use Get-Command *interface* to find all cmdlets that include “interface” in their name. Of the eight cmdlets displayed when you run this command, the cmdlet Get-NetIPInterface is the one you are looking for, and running this cmdlet displays a list of all interfaces on the server:

PS C:\> Get-NetIPInterface

ifIndex InterfaceAlias             AddressFamily NlMtu(Bytes) InterfaceMetric Dhcp
------- --------------             ------------- ------------ --------------- ----
12      Ethernet                   IPv6                  1500               5 Disabled
14      Teredo Tunneling Pseudo... IPv6                  1280              50 Disabled
13      isatap.{4B8DC8AE-DE20-4... IPv6                  1280              50 Disabled
1       Loopback Pseudo-Interfa.   IPv6            4294967295              50 Disabled
12      Ethernet                   IPv4                  1500               5 Disabled
1       Loopback Pseudo-Interfa.   IPv4            4294967295              50 Disabled

From the preceding command output, you can see that the interface you are looking for is identified by the alias “Ethernet.” To view the existing TCP/IP configuration of this interface, you can use the –InterfaceAlias parameter with the Get-NetIPAddress cmdlet as follows:

PS C:\> Get-NetIPAddress -InterfaceAlias Ethernet



IPAddress         : fe80::cf8:11a1:2e3:d9bc%12
InterfaceIndex    : 12
InterfaceAlias    : Ethernet
AddressFamily     : IPv6
Type              : Unicast
PrefixLength      : 64
PrefixOrigin      : WellKnown
SuffixOrigin      : Link
AddressState      : Preferred
ValidLifetime     : Infinite ([TimeSpan]::MaxValue)
PreferredLifetime : Infinite ([TimeSpan]::MaxValue)
SkipAsSource      : False
PolicyStore       : ActiveStore

IPAddress         : 172.16.11.236
InterfaceIndex    : 12
InterfaceAlias    : Ethernet
AddressFamily     : IPv4
Type              : Unicast
PrefixLength      : 24
PrefixOrigin      : Manual
SuffixOrigin      : Manual
AddressState      : Preferred
ValidLifetime     : Infinite ([TimeSpan]::MaxValue)
PreferredLifetime : Infinite ([TimeSpan]::MaxValue)
SkipAsSource      : False
PolicyStore       : ActiveStore

The preceding command output shows that the Ethernet interface currently has 172.16.11.236/24 as its IPv4 address and Classless Inter-Domain Routing (CIDR) prefix.

Returning to the open properties page displayed by Show-Command New-NetIPAddress, you can add a second IP address to the interface by specifying the parameter values shown in Figure 6-7.

Figure 6-7 Adding the address 172.16.11.237/24 to the interface named Ethernet.

If you click Copy in the properties page shown in Figure 6-7, the command is copied to the clipboard. The resulting command looks like this:

New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 172.16.11.237 `
-AddressFamily IPv4 -PrefixLength 24

If you click Run, the command executes. By using –InterfaceAlias with the Get-NetIPAddress cmdlet again, you can verify that the command accomplished the desired result:

PS C:\> Get-NetIPAddress -InterfaceAlias Ethernet



IPAddress         : fe80::cf8:11a1:2e3:d9bc%12
InterfaceIndex    : 12
InterfaceAlias    : Ethernet
AddressFamily     : IPv6
Type              : Unicast
PrefixLength      : 64
PrefixOrigin      : WellKnown
SuffixOrigin      : Link
AddressState      : Preferred
ValidLifetime     : Infinite ([TimeSpan]::MaxValue)
PreferredLifetime : Infinite ([TimeSpan]::MaxValue)
SkipAsSource      : False
PolicyStore       : ActiveStore

IPAddress         : 172.16.11.237
InterfaceIndex    : 12
InterfaceAlias    : Ethernet
AddressFamily     : IPv4
Type              : Unicast
PrefixLength      : 24
PrefixOrigin      : Manual
SuffixOrigin      : Manual
AddressState      : Preferred
ValidLifetime     : Infinite ([TimeSpan]::MaxValue)
PreferredLifetime : Infinite ([TimeSpan]::MaxValue)
SkipAsSource      : False
PolicyStore       : ActiveStore

IPAddress         : 172.16.11.236
InterfaceIndex    : 12
InterfaceAlias    : Ethernet
AddressFamily     : IPv4
Type              : Unicast
PrefixLength      : 24
PrefixOrigin      : Manual
SuffixOrigin      : Manual
AddressState      : Preferred
ValidLifetime     : Infinite ([TimeSpan]::MaxValue)
PreferredLifetime : Infinite ([TimeSpan]::MaxValue)
SkipAsSource      : False
PolicyStore       : ActiveStore

Opening the Advanced TCP/IP Settings for the interface from the Network Connections folder confirms the result. (See Figure 6-8.)

Figure 6-8 The Advanced TCP/IP Settings dialog box confirms that the second IP address was successfully added to the interface.

Examples of network-administration tasks

The best way to learn how to use Windows PowerShell to administer network settings and services on Windows Server 2012 is to experiment with performing different tasks in a test environment. The following sections provide some examples of what you can do in this area, and the practice and suggested-practice exercises included in this chapter present you with further challenges for learning these skills.

Display network adapters with 100-Mbps link speed

You can use the Get-NetAdapter cmdlet to display all network adapters on the server that have a link speed of 100 megabits per second (Mbps) like this:

PS C:\> Get-NetAdapter | Where-Object -FilterScript {$_.LinkSpeed -eq "100 Mbps"}

Name        InterfaceDescription       ifIndex  Status  MacAddress         LinkSpeed
----        --------------------       -------  ------  ----------         ---------
Ethernet 2  Broadcom NetXtreme Gig...  13       Up      A4-BA-DB-0A-96-0C  100 Mbps
Ethernet    Broadcom NetXtreme Gig...  12       Up      A4-BA-DB-0A-96-0B  100 Mbps

The output of this command consists of objects that can be passed through the pipeline to other cmdlets. For example, you could pipe the output into the Set-NetIPInterface cmdlet to assign a metric value of 5 to all interfaces having a link speed of 100 Mbps as follows:

PS C:\> Get-NetAdapter | Where-Object -FilterScript {$_.LinkSpeed -eq "100 Mbps"} | `
Set-NetIPInterface -InterfaceMetric 5

Disable a binding on a network adapter

You can enable and disable bindings on a network adapter using Windows PowerShell. For example, start by using the Get-NetAdapterBinding cmdlet to display the bindings for the specified interface:

PS C:\> Get-NetAdapterBinding -InterfaceAlias "Ethernet 2"

Name        DisplayName                                        ComponentID  Enabled
----        -----------                                        -----------  -------
Ethernet 2  Hyper-V Extensible Virtual Switch                  vms_pp       False
Ethernet 2  Link-Layer Topology Discovery Responder            ms_rspndr    True
Ethernet 2  Link-Layer Topology Discovery Mapper I/O Driver    ms_lltdio    True
Ethernet 2  Microsoft Network Adapter Multiplexor Protocol     ms_implat    False
Ethernet 2  Client for Microsoft Networks                      ms_msclient  True
Ethernet 2  Windows Network Virtualization Filter driver       ms_netwnv    False
Ethernet 2  QoS Packet Scheduler                               ms_pacer     True
Ethernet 2  File and Printer Sharing for Microsoft Networks    ms_server    True
Ethernet 2  Internet Protocol Version 6 (TCP/IPv6)             ms_tcpip6    True
Ethernet 2  Internet Protocol Version 4 (TCP/IPv4)             ms_tcpip     True

To disable a specific binding such as QoS Packet Scheduler, you can use the Disable-NetAdapterBinding cmdlet like this:

PS C:\> Disable-NetAdapterBinding -Name "Ethernet 2" -ComponentID ms_pacer

You can use the Enable-NetAdapterBinding cmdlet to re-enable the binding.
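
Bindings that a server does not need are worth finding before you decide what to disable. The following added example (not from the book) filters binding objects against a baseline; the function name Get-UnexpectedBinding and the allowlist are assumptions made for illustration, and the sample data is constructed from the “Ethernet 2” output shown above:

```powershell
# Added example, not from the book. The allowlist below is an assumed baseline
# for illustration; set it to the components your servers actually need.
function Get-UnexpectedBinding {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Binding,

        [string[]] $AllowedComponentId = @('ms_tcpip', 'ms_tcpip6', 'ms_msclient')
    )
    process {
        # Pass through only bindings that are enabled and not in the baseline
        if ($Binding.Enabled -and ($AllowedComponentId -notcontains $Binding.ComponentID)) {
            $Binding
        }
    }
}

# Constructed sample mirroring the "Ethernet 2" output shown above, so the
# function can be tried without touching a live adapter. ConvertFrom-Csv
# yields strings, so Enabled is converted back to a Boolean.
$sample = @'
Name,DisplayName,ComponentID,Enabled
Ethernet 2,Hyper-V Extensible Virtual Switch,vms_pp,False
Ethernet 2,Link-Layer Topology Discovery Responder,ms_rspndr,True
Ethernet 2,Link-Layer Topology Discovery Mapper I/O Driver,ms_lltdio,True
Ethernet 2,Microsoft Network Adapter Multiplexor Protocol,ms_implat,False
Ethernet 2,Client for Microsoft Networks,ms_msclient,True
Ethernet 2,Windows Network Virtualization Filter driver,ms_netwnv,False
Ethernet 2,QoS Packet Scheduler,ms_pacer,True
Ethernet 2,File and Printer Sharing for Microsoft Networks,ms_server,True
Ethernet 2,Internet Protocol Version 6 (TCP/IPv6),ms_tcpip6,True
Ethernet 2,Internet Protocol Version 4 (TCP/IPv4),ms_tcpip,True
'@ | ConvertFrom-Csv | ForEach-Object { $_.Enabled = [bool]::Parse($_.Enabled); $_ }

$sample | Get-UnexpectedBinding | Format-Table Name, DisplayName, ComponentID -AutoSize

# On a live server, feed the real binding objects through the same filter and
# preview the change with -WhatIf before applying it:
#
#   Get-NetAdapterBinding -InterfaceAlias "Ethernet 2" | Get-UnexpectedBinding |
#       ForEach-Object {
#           Disable-NetAdapterBinding -Name $_.Name -ComponentID $_.ComponentID -WhatIf
#       }
```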

Disable a network adapter

You can disable a specific network adapter or even all network adapters using Windows PowerShell. For example, the following command disables the adapter named “Ethernet 2” with no confirmation prompt displayed:

PS C:\> Disable-NetAdapter -Name "Ethernet 2" -Confirm:$false

To disable all network adapters on the server, you can use this command:

PS C:\> Disable-NetAdapter -Name *

Note that all remote connectivity with the server will be lost if you do this.

To enable any network adapters that are disabled, you can use the Enable-NetAdapter cmdlet.

Creating a DHCP server scope

You can manage Windows Server 2012 DHCP servers using Windows PowerShell. Common DHCP server-management tasks include creating scopes, creating exclusion ranges, creating reservations, configuring scope and server options, and so on.

For example, let’s begin by viewing all the scopes currently configured on the DHCP server:

PS C:\> Get-DhcpServerv4Scope

ScopeId      SubnetMask      Name  State  StartRange   EndRange      LeaseDuration
-------      ----------      ----  -----  ----------   --------      -------------
172.16.11.0  255.255.255.0   test  Active 172.16.11.35 172.16.11.39  8.00:00:00

Note that there is currently only one active scope on the DHCP server. Now add a second scope for the IP address range 172.16.12.50 through 172.16.12.100. Leave the scope inactive until you finish configuring exclusions and reservations for it:

PS C:\> Add-DhcpServerv4Scope -EndRange 172.16.12.100 -Name test2 `
-StartRange 172.16.12.50 -SubnetMask 255.255.255.0 -State InActive

Note that with this cmdlet the order in which you specify the parameters doesn’t matter; in the preceding command, the end of the address range was specified before its beginning.

Running Get-DhcpServerv4Scope again indicates that adding the new scope was successful:

PS C:\> Get-DhcpServerv4Scope

ScopeId      SubnetMask      Name   State    StartRange    EndRange      LeaseDuration
-------      ----------      ----   -----    ----------    --------      -------------
172.16.11.0  255.255.255.0   test   Active   172.16.11.35  172.16.11.39  8.00:00:00
172.16.12.0  255.255.255.0   test2  Inactive 172.16.12.50  172.16.12.100 8.00:00:00

Now exclude the range 172.16.12.70 through 172.16.12.75 from the new scope:

PS C:\> Add-DhcpServerv4ExclusionRange -EndRange 172.16.12.75 -ScopeId 172.16.12.0 `
   -StartRange 172.16.12.70

Let’s also add a reservation for a file server:

PS C:\> Add-DhcpServerv4Reservation -ClientId EE-05-B0-DA-04-00 `
-IPAddress 172.16.12.88 -ScopeId 172.16.12.0 -Description "file server"

Here EE-05-B0-DA-04-00 represents the MAC address of the file server’s network adapter.

Let’s also configure a default gateway address for the new scope by creating a scope option as follows:

PS C:\> Set-DhcpServerv4OptionValue -Router 172.16.12.1 -ScopeId 172.16.12.0

If you want to create a server option instead of a scope option, you could do this by omitting the –ScopeID parameter from the preceding command.

Now you’re done creating and configuring the new scope, so let’s finish by activating it:

PS C:\> Set-DhcpServerv4Scope -ScopeId 172.16.12.0 -State Active
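
The whole scope procedure above can be collected into one script that is safe to re-run and that activates the scope only after reading the configuration back. This is an added example, not from the book; it uses the addresses from the walkthrough, assumes the DhcpServer module on a test DHCP server, and its variable names are illustrative:

```powershell
# Added example, not from the book. Values are those used in the walkthrough.
# Requires the DhcpServer module; run it on a DHCP server in a test environment.
$ErrorActionPreference = 'Stop'   # any failed step aborts before activation

$scopeId    = '172.16.12.0'
$exclStart  = '172.16.12.70'
$exclEnd    = '172.16.12.75'
$clientId   = 'EE-05-B0-DA-04-00'
$reservedIp = '172.16.12.88'
$router     = '172.16.12.1'

# 1. Create the scope in the inactive state unless it already exists
if (-not (Get-DhcpServerv4Scope -ScopeId $scopeId -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4Scope -Name test2 -StartRange 172.16.12.50 `
        -EndRange 172.16.12.100 -SubnetMask 255.255.255.0 -State InActive
}

# 2. Add the exclusion range if it is not already present
$hasExclusion = {
    [bool](Get-DhcpServerv4ExclusionRange -ScopeId $scopeId | Where-Object {
        "$($_.StartRange)" -eq $exclStart -and "$($_.EndRange)" -eq $exclEnd
    })
}
if (-not (& $hasExclusion)) {
    Add-DhcpServerv4ExclusionRange -ScopeId $scopeId -StartRange $exclStart `
        -EndRange $exclEnd
}

# 3. Add the file server reservation if this client has none yet
$hasReservation = {
    [bool](Get-DhcpServerv4Reservation -ScopeId $scopeId | Where-Object {
        $_.ClientId -eq $clientId -and "$($_.IPAddress)" -eq $reservedIp
    })
}
if (-not (& $hasReservation)) {
    Add-DhcpServerv4Reservation -ScopeId $scopeId -ClientId $clientId `
        -IPAddress $reservedIp -Description 'file server'
}

# 4. Set the default gateway as a scope option (DHCP option 3, Router)
Set-DhcpServerv4OptionValue -ScopeId $scopeId -Router $router

# 5. Read the configuration back and activate only if every check passes
$routerOpt = Get-DhcpServerv4OptionValue -ScopeId $scopeId -OptionId 3 `
    -ErrorAction SilentlyContinue
$checks = [ordered]@{
    Exclusion   = (& $hasExclusion)
    Reservation = (& $hasReservation)
    Router      = ($routerOpt.Value -contains $router)
}
$failed = @($checks.Keys | Where-Object { -not $checks[$_] })
if ($failed.Count -gt 0) {
    throw "Scope $scopeId left inactive; failed checks: $($failed -join ', ')"
}

Set-DhcpServerv4Scope -ScopeId $scopeId -State Active
Get-DhcpServerv4Scope -ScopeId $scopeId
```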

Creating DNS resource records

You can manage Windows Server 2012 DNS servers using Windows PowerShell. Common DNS server-management tasks include adding resource records to zones, configuring forwarders, configuring root hints, and so on.

For example, let’s view a list of zones on a DNS server that is also a domain controller for the corp.contoso.com domain:

PS C:\> Get-DnsServerZone

ZoneName                 ZoneType  IsAutoCreated   IsDsIntegrated  IsRever...  IsSigned
--------                 --------  -------------   --------------  -------     --------
_msdcs.corp.contoso.com  Primary   False           True            False       True
0.in-addr.arpa           Primary   True            False           True        False
127.in-addr.arpa         Primary   True            False           True        False
255.in-addr.arpa         Primary   True            False           True        False
corp.contoso.com         Primary   False           True            False       False
TrustAnchors             Primary   False           True            False       False

To view a list of resource records of type A (address) in the corp.contoso.com zone, you can pipe the output of the Get-DnsServerResourceRecord cmdlet into the Where-Object cmdlet like this:

PS C:\> Get-DnsServerResourceRecord -ZoneName corp.contoso.com |`
 Where-Object {$_.RecordType -eq "A"}

HostName         RecordType Timestamp            TimeToLive      RecordData
--------         ---------- ---------            ----------      ----------
@                A          7/8/2012 12:00:00 PM 00:10:00        172.16.11.36
@                A          7/8/2012 1:00:00 PM  00:10:00        172.16.11.232
DomainDnsZones   A          7/8/2012 12:00:00 PM 00:10:00        172.16.11.36
DomainDnsZones   A          7/8/2012 12:00:00 PM 00:10:00        172.16.11.232
ForestDnsZones   A          7/8/2012 12:00:00 PM 00:10:00        172.16.11.36
ForestDnsZones   A          7/8/2012 12:00:00 PM 00:10:00        172.16.11.232
sea-srv-1        A          0                    01:00:00        172.16.11.232
SEA-SRV-5        A          0                    01:00:00        172.16.11.36

To add a new A resource record for a test server, you can use the Add-DnsServerResourceRecordA cmdlet like this:

PS C:\> Add-DnsServerResourceRecordA -IPv4Address 172.16.11.239 -Name SEA-TEST `
-ZoneName corp.contoso.com

You can also add other types of resource records—such as PTR, CN, or MX records—using the preceding cmdlet. And you can use the Remove-DnsServerResourceRecord cmdlet to remove resource records from a zone.

There are over 100 different cmdlets in the DnsServer module for Windows PowerShell in Windows Server 2012. Table 6-1 shows the cmdlets you can use to perform some common DNS administration tasks. You’ll get some hands-on experience with using some of these cmdlets in the practice exercises for this chapter.

Table 6-1 Common DNS server-administration tasks and Windows PowerShell cmdlets you can use to perform them.

TASK                                                  CMDLET
----                                                  ------
Configure forwarders                                  Add-DnsServerForwarder
Create a stub zone                                    Add-DnsServerStubZone
Display the contents of the DNS server cache          Show-DnsServerCache
Clear the DNS server cache                            Clear-DnsServerCache
Display full configuration details of the DNS server  Get-DnsServer
Display statistics for the DNS server                 Get-DnsServerStatistics
Import root hints                                     Import-DnsServerRootHint
Configure the DNS server cache settings               Set-DnsServerCache
Configure DNS server scavenging                       Set-DnsServerScavenging
Initiate scavenging                                   Start-DnsServerScavenging

Lesson summary

  • The Get-Command cmdlet can be of help in identifying possible cmdlets for performing a specific administration task.

  • The Show-Command cmdlet is useful for learning the syntax of other cmdlets.

  • The TCP/IP configuration of a network interface, including its IP address settings, can be viewed and configured using Windows PowerShell.

  • Network adapters can be identified, configured, managed, enabled, and disabled using Windows PowerShell.

  • DHCP server properties, scopes, exclusion ranges, reservations, and options can be displayed, configured, and managed using Windows PowerShell.

  • DNS server properties, zones, resource records, forwarders, cache settings, and replication can be displayed, configured, and managed using Windows PowerShell.

Lesson review

Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

  1. When you use Show-Command to open a properties page for a cmdlet, what does an asterisk (*) mean when you find one beside a parameter?

    1. The parameter is optional.

    2. The parameter is mandatory.

    3. The parameter does not apply to that cmdlet.

    4. The parameter can be specified only from the command line.

  2. Which cmdlet can you use to disable a binding on a network adapter?

    1. Get-NetAdapterBinding

    2. Remove-NetAdapterBinding

    3. Disable-NetAdapterBinding

    4. Disable-NetAdapter

  3. What action does the following command perform?

    Set-DhcpServerv4OptionValue -Router 10.10.0.1 -ScopeId 10.10.20.0

    1. Configures a DHCP server option that assigns the address 10.10.0.1 as the default gateway on any DHCP client whose IPv4 address is on the 10.10.20.0 subnet

    2. Configures a DHCP scope option that assigns the address 10.10.0.1 as the default gateway on any DHCP client whose IPv4 address is on the 10.10.20.0 subnet

    3. Configures a DHCP server option that assigns the address 10.10.0.1 to a router on the 10.10.20.0 subnet

    4. Configures a DHCP scope option that assigns the address 10.10.0.1 to a router on the 10.10.20.0 subnet