Installing and Configuring Windows Server 2012 Training Guide: Network Administration
- 11/15/2012
- Before you begin
- Lesson 1: Ensuring DHCP availability
- Lesson 2: Implementing DNSSEC
- Lesson 3: Managing networking using Windows PowerShell
- Lesson 4: Configuring IPv6/IPv4 interoperability
- Practice exercises
- Suggested practice exercises
- Answers
Lesson 3: Managing networking using Windows PowerShell
Managing network settings and services is a core task for administrators of Windows Server–based networks. Examples of network configuration tasks include configuring interfaces, IP addresses, default gateways, routes and metrics; configuring ISATAP and Teredo for IPv4/v6 interoperability; and similar tasks. Examples of network service tasks include configuring DHCP scopes, options, and reservations; creating different types of DNS zones; configuring DNS root hints and forwarders; creating resource records; and similar tasks.
In previous versions of Windows Server, such tasks usually had to be performed using a combination of GUI tools and various command-line utilities. But with the significantly increased Windows PowerShell capabilities built into Windows Server 2012, you can now perform most network administration tasks from the Windows PowerShell command line or by running Windows PowerShell scripts. This lesson demonstrates how to identify network components that have Windows PowerShell support and how to perform some common network-administration tasks using Windows PowerShell.
Identifying networking cmdlets
In Windows Server 2012, there are now hundreds of Windows PowerShell cmdlets that can be used to view, configure, and monitor different networking components and services in the platform. The tasks you can perform using these cmdlets range from the common (such as configuring static IP addresses or DHCP reservations for servers) to more specialized (such as configuring quality-of-service parameters) to settings related to virtual environments (such as configuring the Hyper-V extensible switch). There is obviously too much to learn here in a single lesson or even a single book, and some tasks might be performed only occasionally or even not at all by many administrators. So let’s begin with a more practical approach to the problem of administering a Windows Server 2012 networking environment using Windows PowerShell by asking a simple question: How can you find the right cmdlet (if there is a cmdlet) to perform a particular networking task?
Using Get-Command
You could start by using the Get-Command cmdlet to search for all Windows PowerShell cmdlets and functions that have the string “net” in their names. This generates a lot of output, however, as shown here:
PS C:\> Get-Command *net*

CommandType     Name                                               ModuleName
-----------     ----                                               ----------
Function        Add-NetIPHttpsCertBinding                          NetworkTransition
Function        Add-NetLbfoTeamMember                              NetLbfo
Function        Add-NetLbfoTeamNic                                 NetLbfo
Function        Add-NetSwitchTeamMember                            NetSwitchTeam
Function        Copy-NetFirewallRule                               NetSecurity
Function        Copy-NetIPsecMainModeCryptoSet                     NetSecurity
Function        Copy-NetIPsecMainModeRule                          NetSecurity
Function        Copy-NetIPsecPhase1AuthSet                         NetSecurity
Function        Copy-NetIPsecPhase2AuthSet                         NetSecurity
Function        Copy-NetIPsecQuickModeCryptoSet                    NetSecurity
Function        Copy-NetIPsecRule                                  NetSecurity
Function        Disable-NetAdapter                                 NetAdapter
Function        Disable-NetAdapterBinding                          NetAdapter
Function        Disable-NetAdapterChecksumOffload                  NetAdapter
Function        Disable-NetAdapterEncapsulatedPacketTaskOffload    NetAdapter
Function        Disable-NetAdapterIPsecOffload                     NetAdapter
...
From the preceding output, you can see there are several Windows PowerShell modules that perform network-related actions. To see this more clearly, the following commands take the preceding output, sort it by module name, and remove duplicates:
PS C:\> Get-Command *net* | Sort-Object ModuleName | Format-Table ModuleName `
-HideTableHeaders | Out-String | Out-File c:\data\test.txt
PS C:\> Get-Content C:\data\test.txt | Get-Unique

ActiveDirectory
BranchCache
DnsServer
MsDtc
NetAdapter
NetConnection
NetLbfo
NetQos
NetSecurity
NetSwitchTeam
NetTCPIP
NetworkTransition
NFS
SmbShare
To investigate the NetTCPIP module further, you can use the –Module parameter of Get-Command to list all cmdlets and functions contained in this module:
PS C:\> Get-Command -Module NetTCPIP | Sort-Object Name | Format-Table Name

Name
----
Get-NetIPAddress
Get-NetIPConfiguration
Get-NetIPInterface
Get-NetIPv4Protocol
Get-NetIPv6Protocol
Get-NetNeighbor
Get-NetOffloadGlobalSetting
Get-NetPrefixPolicy
Get-NetRoute
Get-NetTCPConnection
Get-NetTCPSetting
Get-NetTransportFilter
Get-NetUDPEndpoint
Get-NetUDPSetting
New-NetIPAddress
New-NetNeighbor
New-NetRoute
New-NetTransportFilter
Remove-NetIPAddress
Remove-NetNeighbor
Remove-NetRoute
Remove-NetTransportFilter
Set-NetIPAddress
Set-NetIPInterface
Set-NetIPv4Protocol
Set-NetIPv6Protocol
Set-NetNeighbor
Set-NetOffloadGlobalSetting
Set-NetRoute
Set-NetTCPSetting
Set-NetUDPSetting
Using Show-Command
At this point, you can begin using Get-Help to learn about the syntax of NetTCPIP cmdlets you’re interested in and to see some examples of their usage. Unfortunately for administrators who are not that familiar with Windows PowerShell, the syntax displayed when you use Get-Help with a cmdlet can appear daunting. For example, consider a scenario where you have a web server running Windows Server 2012 and you want to add a second IP address to a network adapter on the server.
You might guess from the output of Get-Command –Module NetTCPIP shown previously that New-NetIPAddress is the cmdlet you use to perform this task, and you would be correct. But to the Windows PowerShell beginner, the syntax from Get-Help New-NetIPAddress might look quite confusing:
Parameter Set: ByInterfaceAlias
New-NetIPAddress -InterfaceAlias <String> [-AddressFamily <AddressFamily> ] [-AsJob]
[-CimSession <CimSession[]> ] [-DefaultGateway <String> ] [-IPv4Address <String> ]
[-IPv6Address <String> ] [-PassThru] [-PreferredLifetime <TimeSpan> ]
[-PrefixLength <Byte> ] [-PrefixOrigin <PrefixOrigin> ] [-SkipAsSource <Boolean> ]
[-Store <Store> ] [-SuffixOrigin <SuffixOrigin> ] [-ThrottleLimit <Int32> ]
[-Type <Type> ] [-ValidLifetime <TimeSpan> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

Parameter Set: ByIfIndexOrIfAlias
New-NetIPAddress [-AddressFamily <AddressFamily> ] [-AsJob] [-CimSession <CimSession[]> ]
[-DefaultGateway <String> ] [-InterfaceAlias <String> ] [-InterfaceIndex <UInt32> ]
[-IPv4Address <String> ] [-IPv6Address <String> ] [-PassThru]
[-PreferredLifetime <TimeSpan> ] [-PrefixLength <Byte> ] [-PrefixOrigin <PrefixOrigin> ]
[-SkipAsSource <Boolean> ] [-Store <Store> ] [-SuffixOrigin <SuffixOrigin> ]
[-ThrottleLimit <Int32> ] [-Type <Type> ] [-ValidLifetime <TimeSpan> ] [-Confirm]
[-WhatIf] [ <CommonParameters>]
Fortunately, the new Show-Command cmdlet in Windows Server 2012 can help make the syntax of Windows PowerShell cmdlets easier to understand and use. Start typing the following command:
PS C:\> Show-Command New-NetIPAddress
When you run the preceding command, the properties page shown in Figure 6-6 opens to show you the different parameters you can use with the New-NetIPAddress cmdlet. Parameters such as InterfaceAlias and IPAddress that are marked with an asterisk are mandatory; those not marked this way are optional.
Figure 6-6 The Show-Command properties page for the New-NetIPAddress cmdlet.
Clearly, to add a new IP address you first need to know the alias or index of the network interface to which you want to add the address. To find the interfaces on the system, you could use Get-Command *interface* to find all cmdlets that include “interface” in their name. Of the eight cmdlets displayed when you run this command, the cmdlet Get-NetIPInterface is the one you are looking for, and running this cmdlet displays a list of all interfaces on the server:
PS C:\> Get-NetIPInterface

ifIndex InterfaceAlias              AddressFamily NlMtu(Bytes) InterfaceMetric Dhcp
------- --------------              ------------- ------------ --------------- ----
12      Ethernet                    IPv6                  1500               5 Disabled
14      Teredo Tunneling Pseudo...  IPv6                  1280              50 Disabled
13      isatap.{4B8DC8AE-DE20-4...  IPv6                  1280              50 Disabled
1       Loopback Pseudo-Interfa.    IPv6            4294967295              50 Disabled
12      Ethernet                    IPv4                  1500               5 Disabled
1       Loopback Pseudo-Interfa.    IPv4            4294967295              50 Disabled
From the preceding command output, you can see that the interface you are looking for is identified by the alias “Ethernet.” To view the existing TCP/IP configuration of this interface, you can use the –InterfaceAlias with the Get-NetIPAddress cmdlet as follows:
PS C:\> Get-NetIPAddress -InterfaceAlias Ethernet

IPAddress         : fe80::cf8:11a1:2e3:d9bc%12
InterfaceIndex    : 12
InterfaceAlias    : Ethernet
AddressFamily     : IPv6
Type              : Unicast
PrefixLength      : 64
PrefixOrigin      : WellKnown
SuffixOrigin      : Link
AddressState      : Preferred
ValidLifetime     : Infinite ([TimeSpan]::MaxValue)
PreferredLifetime : Infinite ([TimeSpan]::MaxValue)
SkipAsSource      : False
PolicyStore       : ActiveStore

IPAddress         : 172.16.11.236
InterfaceIndex    : 12
InterfaceAlias    : Ethernet
AddressFamily     : IPv4
Type              : Unicast
PrefixLength      : 24
PrefixOrigin      : Manual
SuffixOrigin      : Manual
AddressState      : Preferred
ValidLifetime     : Infinite ([TimeSpan]::MaxValue)
PreferredLifetime : Infinite ([TimeSpan]::MaxValue)
SkipAsSource      : False
PolicyStore       : ActiveStore
The preceding command output shows that the Ethernet interface currently has 172.16.11.236/24 as its IPv4 address and Classless Inter-Domain Routing (CIDR) prefix.
Returning to the open properties page displayed by Show-Command New-NetIPAddress, you can add a second IP address to the interface by specifying the parameter values shown in Figure 6-7.
Figure 6-7 Adding the address 172.16.11.237/24 to the interface named Ethernet.
If you click Copy in the properties page shown in Figure 6-7, the command is copied to the clipboard. The resulting command looks like this:
New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 172.16.11.237 `
-AddressFamily IPv4 -PrefixLength 24
If you click Run, the command executes. By using –InterfaceAlias with the Get-NetIPAddress cmdlet again, you can verify that the command accomplished the desired result:
PS C:\> Get-NetIPAddress -InterfaceAlias Ethernet

IPAddress         : fe80::cf8:11a1:2e3:d9bc%12
InterfaceIndex    : 12
InterfaceAlias    : Ethernet
AddressFamily     : IPv6
Type              : Unicast
PrefixLength      : 64
PrefixOrigin      : WellKnown
SuffixOrigin      : Link
AddressState      : Preferred
ValidLifetime     : Infinite ([TimeSpan]::MaxValue)
PreferredLifetime : Infinite ([TimeSpan]::MaxValue)
SkipAsSource      : False
PolicyStore       : ActiveStore

IPAddress         : 172.16.11.237
InterfaceIndex    : 12
InterfaceAlias    : Ethernet
AddressFamily     : IPv4
Type              : Unicast
PrefixLength      : 24
PrefixOrigin      : Manual
SuffixOrigin      : Manual
AddressState      : Preferred
ValidLifetime     : Infinite ([TimeSpan]::MaxValue)
PreferredLifetime : Infinite ([TimeSpan]::MaxValue)
SkipAsSource      : False
PolicyStore       : ActiveStore

IPAddress         : 172.16.11.236
InterfaceIndex    : 12
InterfaceAlias    : Ethernet
AddressFamily     : IPv4
Type              : Unicast
PrefixLength      : 24
PrefixOrigin      : Manual
SuffixOrigin      : Manual
AddressState      : Preferred
ValidLifetime     : Infinite ([TimeSpan]::MaxValue)
PreferredLifetime : Infinite ([TimeSpan]::MaxValue)
SkipAsSource      : False
PolicyStore       : ActiveStore
Opening the Advanced TCP/IP Settings for the interface from the Network Connections folder confirms the result. (See Figure 6-8.)
Figure 6-8 The Advanced TCP/IP Settings dialog box confirms that the second IP address was successfully added to the interface.
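The same change can be scripted so that it is safe to rerun and easy to preview. The following is an added example, not code from the book: the function name Add-SecondaryIPv4Address is hypothetical, and setting -SkipAsSource (a parameter listed in the syntax above) is an assumption about the web-server scenario, chosen so that the second address is not used for outgoing traffic and is not registered in DNS.

```powershell
# Added example: idempotent, previewable version of the lesson's New-NetIPAddress step.
# The function name is hypothetical; the cmdlets and parameters are from the NetTCPIP
# and NetAdapter modules shown in this lesson.
function Add-SecondaryIPv4Address {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$InterfaceAlias,
        [Parameter(Mandatory = $true)][System.Net.IPAddress]$IPAddress,
        [ValidateRange(1, 32)][byte]$PrefixLength = 24
    )

    # Fail early on a wrong alias instead of configuring the wrong interface.
    $adapter = Get-NetAdapter -Name $InterfaceAlias -ErrorAction Stop

    # Do nothing if a local interface already holds the address.
    $existing = Get-NetIPAddress -IPAddress $IPAddress.ToString() -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Verbose "$IPAddress is already bound to $($existing.InterfaceAlias)"
        return $existing
    }

    if ($PSCmdlet.ShouldProcess($adapter.Name, "Add $IPAddress/$PrefixLength")) {
        # Assumption: the second address only receives traffic. SkipAsSource keeps
        # it out of outgoing source-address selection and out of DNS registration,
        # so firewall rules keyed on the primary address keep matching.
        New-NetIPAddress -InterfaceAlias $adapter.Name -IPAddress $IPAddress.ToString() `
            -AddressFamily IPv4 -PrefixLength $PrefixLength -SkipAsSource $true | Out-Null

        # Read the configuration back rather than trusting the call.
        Get-NetIPAddress -InterfaceAlias $adapter.Name -AddressFamily IPv4 |
            Select-Object IPAddress, PrefixLength, SkipAsSource, AddressState
    }
}

# Preview first, then apply (values are the ones used in the lesson).
Add-SecondaryIPv4Address -InterfaceAlias Ethernet -IPAddress 172.16.11.237 -WhatIf
Add-SecondaryIPv4Address -InterfaceAlias Ethernet -IPAddress 172.16.11.237 -Verbose
```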
Examples of network-administration tasks
The best way to learn how to use Windows PowerShell to administer network settings and services on Windows Server 2012 is to experiment with performing different tasks in a test environment. The following sections provide some examples of what you can do in this area, and the practice and suggested-practice exercises included in this chapter present you with further challenges for learning these skills.
Display network adapters with 100-Mbps link speed
You can use the Get-NetAdapter cmdlet to display all network adapters on the server that have a link speed of 100 megabits per second (Mbps) like this:
PS C:\> Get-NetAdapter | Where-Object -FilterScript {$_.LinkSpeed -eq "100 Mbps"}

Name        InterfaceDescription       ifIndex Status MacAddress        LinkSpeed
----        --------------------       ------- ------ ----------        ---------
Ethernet 2  Broadcom NetXtreme Gig...       13 Up     A4-BA-DB-0A-96-0C 100 Mbps
Ethernet    Broadcom NetXtreme Gig...       12 Up     A4-BA-DB-0A-96-0B 100 Mbps
The output of this command consists of objects that can be passed through the pipeline to other cmdlets. For example, you could pipe the output into the Set-NetIPInterface cmdlet to assign a metric value of 5 to all interfaces having a link speed of 100 Mbps as follows:
PS C:\> Get-NetAdapter | Where-Object -FilterScript {$_.LinkSpeed -eq "100 Mbps"} | `
Set-NetIPInterface -InterfaceMetric 5
Disable a binding on a network adapter
You can enable and disable bindings on a network adapter using Windows PowerShell. For example, start by using the Get-NetAdapterBinding cmdlet to display the bindings for the specified interface:
PS C:\> Get-NetAdapterBinding -InterfaceAlias "Ethernet 2"

Name        DisplayName                                        ComponentID  Enabled
----        -----------                                        -----------  -------
Ethernet 2  Hyper-V Extensible Virtual Switch                  vms_pp       False
Ethernet 2  Link-Layer Topology Discovery Responder            ms_rspndr    True
Ethernet 2  Link-Layer Topology Discovery Mapper I/O Driver    ms_lltdio    True
Ethernet 2  Microsoft Network Adapter Multiplexor Protocol     ms_implat    False
Ethernet 2  Client for Microsoft Networks                      ms_msclient  True
Ethernet 2  Windows Network Virtualization Filter driver       ms_netwnv    False
Ethernet 2  QoS Packet Scheduler                               ms_pacer     True
Ethernet 2  File and Printer Sharing for Microsoft Networks    ms_server    True
Ethernet 2  Internet Protocol Version 6 (TCP/IPv6)             ms_tcpip6    True
Ethernet 2  Internet Protocol Version 4 (TCP/IPv4)             ms_tcpip     True
To disable a specific binding such as QoS Packet Scheduler, you can use the Disable-NetAdapterBinding cmdlet like this:
PS C:\> Disable-NetAdapterBinding -Name "Ethernet 2" -ComponentID ms_pacer
You can use the Enable-NetAdapterBinding cmdlet to re-enable the binding.
Disable a network adapter
You can disable a specific network adapter or even all network adapters using Windows PowerShell. For example, the following command disables the adapter named “Ethernet 2” with no confirmation prompt displayed:
PS C:\> Disable-NetAdapter -Name "Ethernet 2" -Confirm:$false
To disable all network adapters on the server, you can use this command:
PS C:\> Disable-NetAdapter -Name *
Note that all remote connectivity with the server will be lost if you do this.
To enable any network adapters that are disabled, you can use the Enable-NetAdapter cmdlet.
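Because disabling adapters can cut off the session you are working in, a guard that checks which adapter carries the current remote-management connection is worth having before you run the command against a wildcard. The following is an added example, not code from the book: the function names are hypothetical, and the port list (3389 for Remote Desktop, 5985 and 5986 for Windows Remote Management) is an assumption about how the server is administered.

```powershell
# Added example: skip any adapter that carries an established remote-management
# session. Function names are hypothetical; the port list is an assumption.
function Get-ManagementAdapterAlias {
    param([int[]]$Port = @(3389, 5985, 5986))

    # Map each established management connection to the interface that owns
    # its local address.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $Port -contains $_.LocalPort } |
        ForEach-Object {
            Get-NetIPAddress -IPAddress $_.LocalAddress -ErrorAction SilentlyContinue
        } |
        Select-Object -ExpandProperty InterfaceAlias -Unique
}

function Disable-NetAdapterGuarded {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Name,   # wildcards allowed, as with Disable-NetAdapter
        [switch]$Force                                  # override the guard deliberately
    )

    $inUse   = @(Get-ManagementAdapterAlias)
    $targets = @(Get-NetAdapter -Name $Name -ErrorAction Stop |
                 Where-Object { $_.Status -ne 'Disabled' })

    foreach ($adapter in $targets) {
        if (($inUse -contains $adapter.Name) -and -not $Force) {
            Write-Warning "Skipping '$($adapter.Name)': it carries an active remote-management session."
            continue
        }
        if ($PSCmdlet.ShouldProcess($adapter.Name, 'Disable network adapter')) {
            Disable-NetAdapter -Name $adapter.Name -Confirm:$false
        }
    }

    # Report the end state so the change is visible in the transcript.
    Get-NetAdapter -Name $Name | Select-Object Name, Status, LinkSpeed
}

# Preview against every adapter, then disable one named adapter.
Disable-NetAdapterGuarded -Name * -WhatIf
Disable-NetAdapterGuarded -Name "Ethernet 2"
```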
Creating a DHCP server scope
You can manage Windows Server 2012 DHCP servers using Windows PowerShell. Common DHCP server-management tasks include creating scopes, creating exclusion ranges, creating reservations, configuring scope and server options, and so on.
For example, let’s begin by viewing all the scopes currently configured on the DHCP server:
PS C:\> Get-DhcpServerv4Scope

ScopeId      SubnetMask     Name  State   StartRange    EndRange      LeaseDuration
-------      ----------     ----  -----   ----------    --------      -------------
172.16.11.0  255.255.255.0  test  Active  172.16.11.35  172.16.11.39  8.00:00:00
Note that there is currently only one active scope on the DHCP server. Now add a second scope for the IP address range 172.16.12.50 through 172.16.12.100. Leave the scope inactive until you finish configuring exclusions and reservations for it:
PS C:\> Add-DhcpServerv4Scope -EndRange 172.16.12.100 -Name test2 `
-StartRange 172.16.12.50 -SubnetMask 255.255.255.0 -State InActive
Note that with this cmdlet the order in which you specify the parameters doesn’t matter: here the end of the address range was specified before its beginning.
Running Get-DhcpServerv4Scope again indicates that adding the new scope was successful:
PS C:\> Get-DhcpServerv4Scope

ScopeId      SubnetMask     Name   State     StartRange    EndRange       LeaseDuration
-------      ----------     ----   -----     ----------    --------       -------------
172.16.11.0  255.255.255.0  test   Active    172.16.11.35  172.16.11.39   8.00:00:00
172.16.12.0  255.255.255.0  test2  Inactive  172.16.12.50  172.16.12.100  8.00:00:00
Now exclude the range 172.16.12.70 through 172.16.12.75 from the new scope:
PS C:\> Add-DhcpServerv4ExclusionRange -EndRange 172.16.12.75 -ScopeId 172.16.12.0 `
-StartRange 172.16.12.70
Let’s also add a reservation for a file server:
PS C:\> Add-DhcpServerv4Reservation -ClientId EE-05-B0-DA-04-00 `
-IPAddress 172.16.12.88 -ScopeId 172.16.12.0 -Description "file server"
Here EE-05-B0-DA-04-00 represents the MAC address of the file server’s network adapter.
Let’s also configure a default gateway address for the new scope by creating a scope option as follows:
PS C:\> Set-DhcpServerv4OptionValue -Router 172.16.12.1 -ScopeId 172.16.12.0
If you want to create a server option instead of a scope option, you could do this by omitting the –ScopeID parameter from the preceding command.
Now you’re done creating and configuring the new scope, so let’s finish by activating it:
PS C:\> Set-DhcpServerv4Scope -ScopeId 172.16.12.0 -State Active
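The whole scope procedure can be run as one script that activates the scope only after the exclusion range, reservation, and router option have been read back from the server. The following is an added example, not code from the book: it uses the addresses from this walkthrough, and the existence checks and the read-back gate before activation are additions.

```powershell
# Added example: the lesson's scope walkthrough as one rerunnable script.
# Addresses are the ones used in the text; the checks are additions.
Import-Module DhcpServer
$ErrorActionPreference = 'Stop'

$scopeId  = '172.16.12.0'
$exclFrom = '172.16.12.70'; $exclTo = '172.16.12.75'
$resIp    = '172.16.12.88'; $resMac = 'EE-05-B0-DA-04-00'
$router   = '172.16.12.1'

# Helpers that read the current server state back as booleans.
function Test-Exclusion {
    [bool](Get-DhcpServerv4ExclusionRange -ScopeId $scopeId |
        Where-Object { "$($_.StartRange)" -eq $exclFrom -and "$($_.EndRange)" -eq $exclTo })
}
function Test-Reservation {
    [bool](Get-DhcpServerv4Reservation -ScopeId $scopeId |
        Where-Object { "$($_.IPAddress)" -eq $resIp -and $_.ClientId -eq $resMac })
}
function Test-RouterOption {
    # Option 3 is the Router (default gateway) option.
    [bool](Get-DhcpServerv4OptionValue -ScopeId $scopeId -OptionId 3 -ErrorAction SilentlyContinue |
        Where-Object { $_.Value -contains $router })
}

# 1. Create the scope inactive so no client gets a lease from a half-built scope.
if (-not (Get-DhcpServerv4Scope -ScopeId $scopeId -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4Scope -Name test2 -StartRange 172.16.12.50 -EndRange 172.16.12.100 `
        -SubnetMask 255.255.255.0 -State InActive
}

# 2. Exclusion range, reservation and default gateway, each added only if missing.
if (-not (Test-Exclusion)) {
    Add-DhcpServerv4ExclusionRange -ScopeId $scopeId -StartRange $exclFrom -EndRange $exclTo
}
if (-not (Test-Reservation)) {
    Add-DhcpServerv4Reservation -ScopeId $scopeId -IPAddress $resIp -ClientId $resMac `
        -Description 'file server'
}
Set-DhcpServerv4OptionValue -ScopeId $scopeId -Router $router

# 3. Gate activation on what the server actually reports.
$checks = [ordered]@{
    ExclusionPresent   = Test-Exclusion
    ReservationPresent = Test-Reservation
    RouterOptionSet    = Test-RouterOption
}
$failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } |
            ForEach-Object { $_.Key })

if ($failed.Count -gt 0) {
    Write-Warning "Scope $scopeId left inactive; failed checks: $($failed -join ', ')"
} else {
    Set-DhcpServerv4Scope -ScopeId $scopeId -State Active
}

Get-DhcpServerv4Scope -ScopeId $scopeId
```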
Creating DNS resource records
You can manage Windows Server 2012 DNS servers using Windows PowerShell. Common DNS server-management tasks include adding resource records to zones, configuring forwarders, configuring root hints, and so on.
For example, let’s view a list of zones on a DNS server that is also a domain controller for the corp.contoso.com domain:
PS C:\> Get-DnsServerZone

ZoneName                 ZoneType  IsAutoCreated  IsDsIntegrated  IsRever...  IsSigned
--------                 --------  -------------  --------------  -------     --------
_msdcs.corp.contoso.com  Primary   False          True            False       True
0.in-addr.arpa           Primary   True           False           True        False
127.in-addr.arpa         Primary   True           False           True        False
255.in-addr.arpa         Primary   True           False           True        False
corp.contoso.com         Primary   False          True            False       False
TrustAnchors             Primary   False          True            False       False
To view a list of resource records of type A (address) in the corp.contoso.com zone, you can pipe the output of the Get-DnsServerResourceRecord cmdlet into the Where-Object cmdlet like this:
PS C:\> Get-DnsServerResourceRecord -ZoneName corp.contoso.com |`
Where-Object {$_.RecordType -eq "A"}

HostName        RecordType  Timestamp             TimeToLive  RecordData
--------        ----------  ---------             ----------  ----------
@               A           7/8/2012 12:00:00 PM  00:10:00    172.16.11.36
@               A           7/8/2012 1:00:00 PM   00:10:00    172.16.11.232
DomainDnsZones  A           7/8/2012 12:00:00 PM  00:10:00    172.16.11.36
DomainDnsZones  A           7/8/2012 12:00:00 PM  00:10:00    172.16.11.232
ForestDnsZones  A           7/8/2012 12:00:00 PM  00:10:00    172.16.11.36
ForestDnsZones  A           7/8/2012 12:00:00 PM  00:10:00    172.16.11.232
sea-srv-1       A           0                     01:00:00    172.16.11.232
SEA-SRV-5       A           0                     01:00:00    172.16.11.36
To add a new A resource record for a test server, you can use the Add-DnsServerResourceRecordA cmdlet like this:
PS C:\> Add-DnsServerResourceRecordA -IPv4Address 172.16.11.239 -Name SEA-TEST `
-ZoneName corp.contoso.com
You can also add other types of resource records—such as PTR, CN, or MX records—using the preceding cmdlet. And you can use the Remove-DnsServerResourceRecord cmdlet to remove resource records from a zone.
There are over 100 different cmdlets in the DnsServer module for Windows PowerShell in Windows Server 2012. Table 6-1 shows the cmdlets you can use to perform some common DNS administration tasks. You’ll get some hands-on experience with using some of these cmdlets in the practice exercises for this chapter.
Table 6-1 Common DNS server-administration tasks and Windows PowerShell cmdlets you can use to perform them.
TASK | CMDLET
Configure forwarders | Add-DnsServerForwarder
Create a stub zone | Add-DnsServerStubZone
Display the contents of the DNS server cache | Show-DnsServerCache
Clear the DNS server cache | Clear-DnsServerCache
Display full configuration details of the DNS server | Get-DnsServer
Display statistics for the DNS server | Get-DnsServerStatistics
Import root hints | Import-DnsServerRootHint
Configure the DNS server cache settings | Set-DnsServerCache
Configure DNS server scavenging | Set-DnsServerScavenging
Initiate scavenging | Start-DnsServerScavenging
Lesson summary
The Get-Command cmdlet can be of help in identifying possible cmdlets for performing a specific administration task.
The Show-Command cmdlet is useful for learning the syntax of other cmdlets.
The TCP/IP configuration of a network interface, including its IP address settings, can be viewed and configured using Windows PowerShell.
Network adapters can be identified, configured, managed, enabled, and disabled using Windows PowerShell.
DHCP server properties, scopes, exclusion ranges, reservations, and options can be displayed, configured, and managed using Windows PowerShell.
DNS server properties, zones, resource records, forwarders, cache settings, and replication can be displayed, configured, and managed using Windows PowerShell.
Lesson review
Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.
When you use Show-Command to open a properties page for a cmdlet, what does an asterisk (*) mean when you find one beside a parameter?
The parameter is optional.
The parameter is mandatory.
The parameter does not apply to that cmdlet.
The parameter can be specified only from the command line.
Which cmdlet can you use to disable a binding on a network adapter?
Get-NetAdapterBinding
Remove-NetAdapterBinding
Disable-NetAdapterBinding
Disable-NetAdapter
What action does the following command perform?
Set-DhcpServerv4OptionValue -Router 10.10.0.1 -ScopeId 10.10.20.0
Configures a DHCP server option that assigns the address 10.10.0.1 as the default gateway on any DHCP client whose IPv4 address is on the 10.10.20.0 subnet
Configures a DHCP scope option that assigns the address 10.10.0.1 as the default gateway on any DHCP client whose IPv4 address is on the 10.10.20.0 subnet
Configures a DHCP server option that assigns the address 10.10.0.1 to a router on the 10.10.20.0 subnet
Configures a DHCP scope option that assigns the address 10.10.0.1 to a router on the 10.10.20.0 subnet