Checking Digital Signatures of a specific file against multiple servers

Scenario:  The other day Ars Technica published an article on a mail server attack that steals a massive number of passwords. One of the symptoms is an unsigned OWAAuth.DLL, and in some cases the file was located in a different directory.

Solution: Here is a quick way to check all of your Exchange servers to make sure all of your OWAAUTH.DLL files are signed and in the correct path:

#Build your Servers Variable
$Servers = Get-ExchangeServer
#Build your Auth Variable (searches each server's C$ admin share and checks the signature of every copy found)
$Auth = $Servers | %{Get-ChildItem -Path "\\$($_.Name)\c$\Program Files\Microsoft\Exchange Server\V15" -Filter owaauth.dll -Recurse | Get-AuthenticodeSignature}
#Export your Auth Variable to read it in Excel
$Auth | Export-Csv C:\temp\Auth.csv
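
One way to triage the collected results without opening Excel, added here as an example and not part of the original post: it flags every copy whose signature is not valid, whose signer is unexpected, or which sits in a folder that most other servers do not use. The function name, the `ExpectedSigner` pattern, the server names and the `DirA`/`DirB` folders are assumptions made for illustration, and the majority-folder baseline only holds if most servers are clean.

```powershell
# Added example: triage Get-AuthenticodeSignature results gathered from several servers.
function Get-OwaAuthFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Signature,
        # Assumption: subject pattern of the publisher you expect; adjust as needed.
        [string] $ExpectedSigner = '*O=Microsoft Corporation*'
    )
    $rows = foreach ($s in $Signature) {
        [pscustomobject]@{
            Server  = ($s.Path -split '\\')[2]
            # Drop the "\\server\" prefix so the same folder compares equal across servers.
            RelDir  = [System.IO.Path]::GetDirectoryName($s.Path) -replace '^\\\\[^\\]+\\', ''
            Status  = [string]$s.Status
            Subject = [string]$s.SignerCertificate.Subject
            Path    = $s.Path
        }
    }
    # Heuristic: the folder holding most copies is the baseline; other folders are outliers.
    $baseline = ($rows | Group-Object RelDir | Sort-Object Count -Descending |
                 Select-Object -First 1).Name
    foreach ($r in $rows) {
        $reasons = @()
        if ($r.Status -ne 'Valid') { $reasons += "Signature status: $($r.Status)" }
        elseif ($r.Subject -notlike $ExpectedSigner) { $reasons += 'Unexpected signer' }
        if ($r.RelDir -ne $baseline) { $reasons += 'Uncommon directory' }
        if ($reasons) {
            [pscustomobject]@{ Server = $r.Server; Path = $r.Path; Reasons = $reasons -join '; ' }
        }
    }
}

# Constructed sample input: server names and DirA/DirB are placeholders, not real Exchange paths.
$root = 'c$\Program Files\Microsoft\Exchange Server\V15'
$ms   = [pscustomobject]@{ Subject = 'CN=Microsoft Corporation, O=Microsoft Corporation, C=US' }
$sample = @(
    [pscustomobject]@{ Path = "\\EXCH01\$root\DirA\owaauth.dll"; Status = 'Valid';     SignerCertificate = $ms }
    [pscustomobject]@{ Path = "\\EXCH02\$root\DirA\owaauth.dll"; Status = 'Valid';     SignerCertificate = $ms }
    [pscustomobject]@{ Path = "\\EXCH03\$root\DirA\owaauth.dll"; Status = 'NotSigned'; SignerCertificate = $null }
    [pscustomobject]@{ Path = "\\EXCH03\$root\DirB\owaauth.dll"; Status = 'NotSigned'; SignerCertificate = $null }
)
Get-OwaAuthFinding -Signature $sample | Format-Table -AutoSize -Wrap
```

Against live data, pass the `$Auth` variable built above instead of `$sample`.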

 

Use PowerShell to determine lastbootup time of a server or multiple servers

Scenario:  You want to quickly determine the bootup time for your Exchange Servers via PowerShell.

Resolution: Run the following:

#For a Single Server:
Get-WmiObject win32_operatingsystem -computername ExSvr1 | select csname, @{LABEL='LastBootUpTime';EXPRESSION={$_.ConverttoDateTime($_.lastbootuptime)}}


#For Multiple Servers:
$1 = Get-ExchangeServer ExSvr*
$1 | %{Get-WmiObject win32_operatingsystem -computername $_.name | select csname, @{LABEL='LastBootUpTime';EXPRESSION={$_.ConverttoDateTime($_.lastbootuptime)}}}

Use PowerShell to search through multiple log files for specific text and export the results

Scenario:  You have multiple log/txt files you need to search through for specific text.  You would like to export/dump the text into another file.

Solution:  Run the following PowerShell script.  Note that the pattern contains the word you are looking for.  Unlike the “FIND” command in the command prompt, the PowerShell search does not require an exact case-sensitive match.

#Look for any lines that have a text Pattern of "Fail" on them.
$1 = Get-ChildItem C:\Temp\*.log | Select-String -Pattern "Fail"

#For each line, export it to a csv.
$1 | Select Line | Export-Csv C:\temp\testline.csv

Disconnect RDP sessions via PowerShell

Scenario:  You are about to start maintenance on your servers and you want to remove any existing RDP session, whether active or disconnected.  You want a quick way of doing this on all of your Exchange servers.

Solution:  Download the PSTerminalServices module from: https://psterminalservices.codeplex.com

Once downloaded and installed, copy the PSTerminalServices folder from the install path into C:\windows\system32\WindowsPowerShell\v1.0.  Then run the following script in Exchange PowerShell:

#Imports Terminal Services module
Import-Module PSTerminalServices

#Collect each Exchange Server in a variable
$Servers = Get-ExchangeServer Ex2013*

#Now loop it to remove any existing TS Session.
$Servers | %{
$Sessions = Get-TSSession -ComputerName $_.Name | where {($_.UserAccount -like "domainname\*")}
$Sessions
#Pipe the session objects so each one is stopped on the server it came from, not on the local machine
$Sessions | Stop-TSSession -Force
}

Copy and then Rename files via PowerShell

Scenario:  You want to collect logs from various servers and place the copied logs into a single directory.  Because the log names are the same on each server, we want to avoid overwriting existing logs. We also want to know which server each log was copied from.

Solution:  The following will copy the IMAP logs from 4 servers into 1 local directory. Each file copied to the directory will be renamed by prefixing the file name with the server name.  A counter is also added to the end of the file name.

$Servers = "ExSvr1","ExSvr2","ExSvr3","ExSvr4"
$Servers | %{$File = Get-ChildItem -Path "\\$_\c$\Program Files\Microsoft\Exchange Server\V15\Logging\IMAP4" -Recurse;$i=1;Foreach ($f in $File) {Copy-Item $f.FullName ("C:\Temp\IMAPPOP\$_" + $f.BaseName + $i +".log");$i++}}
#End

Installing updates manually once approved via Configuration Manager and checking the install status for each server remotely

Scenario:  You use Microsoft System Center 2012 Configuration Manager to receive updates for Windows.  Once your updates are approved for installation, you can use the following script to perform a manual install. Once the manual install is kicked off from a remote machine, you can use additional PowerShell commands to determine the statuses for each update.

Here is a copy of the script we are using that is located on each one of our servers.  Reference to the script found here.

InstallUpdates.PS1

#Find the updates that are not yet installed (ComplianceState 0)
$MissingUpdates = Get-WmiObject -Class CCM_SoftwareUpdate -Filter "ComplianceState=0" -Namespace root\CCM\ClientSDK

#Rebuild the list as WMI object references for the install method
$MissingUpdatesReformatted = @($MissingUpdates | ForEach-Object {if($_.ComplianceState -eq 0){[WMI]$_.__PATH}})

#Ask the Configuration Manager client to install them
$InstallReturn = Invoke-WmiMethod -Class CCM_SoftwareUpdatesManager -Name InstallUpdates -ArgumentList (,$MissingUpdatesReformatted) -Namespace root\ccm\clientsdk

$objCurrentPSProcess = [System.Diagnostics.Process]::GetCurrentProcess();

Stop-Process -Id $objCurrentPSProcess.ID;

 

To kick this script off remotely on your servers, you can use a similar PowerShell command such as:

Invoke-Command { powershell.exe -executionpolicy unrestricted C:\updates\InstallUpdates.ps1} -ComputerName Win2012Svr1

OR, to run against multiple servers at once… Let's loop it!

$Servers = Get-ExchangeServer Win2012Svr*

$Servers | %{Invoke-Command { powershell.exe -executionpolicy unrestricted C:\updates\InstallUpdates.ps1} -ComputerName $_.Name}

Instead of using Software Center to check the status of your updates via an RDP session to multiple servers, let's use PowerShell again to invoke a command that will return the EvaluationState for each update:

Invoke-Command -ComputerName Win2012Svr1 -ScriptBlock {Get-WmiObject -Class CCM_SoftwareUpdate -Namespace root\CCM\ClientSDK | Group EvaluationState}

OR against multiple servers, let's loop it again!

$Servers = Get-ExchangeServer Win2012Svr*

$Servers | %{Invoke-Command -ComputerName $_.Name -ScriptBlock {Get-WmiObject -Class CCM_SoftwareUpdate -Namespace root\CCM\ClientSDK | Group EvaluationState}}

Below is what we determined each status represents.  Obviously there are some numerical codes missing, but these are the normal status codes we occasionally see:

0 = Not Started
5 = Downloading
6 = Waiting to Install
7 = Installing
8 = Requires Restart
13 = Failed

To restart the computers remotely, you can issue the following PowerShell Commands:

Restart-Computer Win2012Svr1 -force

or multiple servers:

$Servers = Get-ExchangeServer Win2012Svr*

$Servers  | Restart-computer -force

Happy updating!

Compare 2 powershell variable arrays and show values that do not match.

Scenario:  When performing a migration, we noticed a discrepancy in the  count of users that are in a distribution group compared to the count of users that have move requests (the move requests  were originally generated from that distribution group).  We have to determine which mailboxes are missing.

Resolution: Here is a quick way of comparing those 2 lists:

1. Pull the Distribution Group Members into a Variable:

$1 = Get-DistributionGroupMember Migration_710 | Select Alias

2. Pull the Move Requests that were batched into a second Variable:

$2 = Get-MoveRequest -batchname Migration_710 | Select Alias

3. Export both of those Aliases into a CSV file:

$1 | Export-Csv C:\1.csv

$2 | Export-Csv C:\2.csv

4. Import those csv files back into new variables:

$file1 = Import-Csv C:\1.csv

$file2 = Import-Csv C:\2.csv

5. Compare the lists by running the following command.  The output should be the missing objects.

compare-object $file1 $file2

Commands to Create Mount Points from Unallocated Hard Drives

Scenario: You added new Hard Drives into your Windows Servers and you wish to  quickly partition these disks to be used as mount points. You can use the commands below to script it.

Commands:  We will be using DiskPart in order to accomplish this.

1. Open DiskPart: 

From a command prompt or powershell, type in diskpart and press enter.  A new DiskPart window should open up.

2. Determine the Disk Numbers of the newly installed disks:

List Disk 

3. Use the Disk Number  and use the commands below.  We are going to use Disk Number 3 as the newly installed disk. You can copy all the commands below at once and paste the commands into the DiskPart command window.

Select Disk 3
Create Partition Primary
Select partition 1
format quick fs=ntfs label="MountPoint1"
Assign Mount=C:\MountPoint1

 

Check the Total Physical Memory via Powershell

Scenario:  You add a bunch of memory to multiple servers and you want to check the amount on each server to verify it.

Powershell:

Check one Server in GB:   [math]::Round((Get-WmiObject -Class Win32_ComputerSystem  -computer ServerName).TotalPhysicalMemory/1GB)

Check one server in MB: [math]::Round((Get-WmiObject -Class Win32_ComputerSystem  -computer ServerName).TotalPhysicalMemory/1MB)

Check Multiple Exchange Servers:

$server = Get-ExchangeServer

$server | %{ Write-Host $_.Name; [math]::Round((Get-WmiObject -Class Win32_ComputerSystem -ComputerName $_.Name).TotalPhysicalMemory/1GB)}

Exchange 2013 Backup Event ID’s in Order

Here are the Exchange 2013 Backup Event ID’s in order to assist troubleshooting your backup related problems.

  • Event ID 2021  – MSExchangeRepl –  Successfully collected metadata document in preparation for backup.
  • Event ID 2110  – MSExchangeRepl –  Successfully prepared for a full or a copy backup of database MDB01.
  • Event ID 2023  – MSExchangeRepl –  VSS writer successfully prepared for backup.
  • Event ID 2005  – ESE –  Shadow copy instance started.
  • Event ID 2025  – MSExchangeRepl –  VSS successfully prepared for a snapshot.
  • Event ID 2001  – ESE –  MDB01 shadow copy freeze started.
  • Event ID 2027  – MSExchangeRepl –  VSS writer instance has successfully frozen the databases.
  • Event ID 2003  – ESE –  MDB01 shadow copy freeze ended.
  • Event ID 2029  – MSExchangeRepl –  VSS writer instance has successfully thawed the databases.
  • Event ID 2035  – MSExchangeRepl –  VSS writer has successfully processed the post – snapshot event.
  • Event ID 2021  – MSExchangeRepl –  VSS writer has successfully collected the metadata document in preparation for backup.
  • Event ID 224  – ESE –  MDB01 deleting log files C:\ExchVols\MDB01\Log Files\E0000000001.log to C:\ExchVols\MDB01\Log Files\E000000002B.log.
  • Event ID 225  – ESE –  MDB01—no log files can be truncated; will be logged instead of Event ID 224 when circular logging is used.
  • Event ID 2046  – MSExchangeRepl –  VSS writer has successfully completed the backup of database MDB01.
  • Event ID 2006  – ESE –  MDB01 shadow copy completed successfully.
  • Event ID 2033  – MSExchangeRepl –  VSS writer has successfully processed the backup completion event.
  • Event ID 2037  – MSExchangeRepl –  VSS writer backup has been successfully shut down.