
SVR333

My name's Mark Minasi, and I'm ancient
I started working with computers in 1973
Back then, it was all command line
Nowadays, we've got GUIs, and they're cool
But command line tools have some great strengths

They run on low bandwidth remotely with the Telnet service, Vista/Longhorn's remote shell WinRS, or a tool like the psexec command (a great CLI tool in itself)
They can be collected into text files and made into batch files, the simplest kind of "program" I know
They can be easily documented and therefore are more repeatable
Additionally, have you ever found yourself, well, confounded by a new GUI? CLI tools tend not to change due to artistic whim

Two new Microsoft OSes only support CLI for local administration:
WinPE 2.0: extremely useful replacement for DOS-based repair floppies and deployment "starter disks"
Longhorn Server Core: pared-down version of Longhorn focused on being a domain controller, DNS server, DHCP and file server

You must know the CLI to locally operate and maintain both OSes

I want to convince you that your time learning CLI stuff is well spent
So I'll work with tools in the system, some from Support Tools, the Resource Kit and other places
I'm not going to squeeze every syntactic option out; I just want to motivate you to try it and learn even more
Some will do mundane tasks, some more exotic but useful tasks

Initial System Setup with the CLI
CLI Networking
Managing Users with the CLI
Active Directory CLI Management
File and Disk CLI Management
Controlling System and Events via CLI
Server Core-Specific Tips

Initial C:onfiguration

Set IP attribs:
    netsh int ip set address local static 10.10.1.3 255.255.255.0 10.10.1.1 2
    netsh int ip set address local source=dhcp
    netsh int ip set dns local static 192.168.0.2
    netsh int ip set dns local source=dhcp
    netsh int ip add dns local 10.7.3.2 index=2
Same for WINS

See computer name with hostname
Change computer name with netdom:
    netdom renamecomputer %computername% /newname:newname
    netdom renamecomputer %computername% /newname:mypc21
(Cannot rename a domain controller)

Actually, Regedit works even in WinPE or Server Core
Or use reg.exe:
    reg add hklm\software\acme\myeditor
That adds a key; this adds a value:
    reg add hklm\software\acme\myeditor /v autosave /t REG_DWORD /d 0
    reg delete hklm\software\acme\myeditor /f

Vista and Longhorn offer a secure remote shell command, winrs
    winrs -r:remotesystem options command
Example:
    winrs -r:10.71.0.197 -u:administrator -p:swordfish ipconfig
Works most easily in a forest
Needs the Windows Remote Management service running to work (type winrm quickconfig to start it)
psexec is nice too, particularly with the -s option

There are a few "catch-all" commands in Windows; netdom is one (repadmin, netdiag, dcdiag are three others)
It will let you
Join or leave a domain
List FSMOs, PDC, DCs, OUs etc
Verify a secure channel with a domain
Reset a secure channel with a domain

In Support Tools for most OSes, built into Server Core



Because many NETDOM commands involve working both with a domain account and a local account, and a machine as well as a domain, the basic NETDOM syntax is
    netdom command machinename /domain:domainname /usero:acctname /passwordo:password /userd:acctname /passwordd:password [other settings]

Here, the command is "join" and the extra option is "/reboot," which reboots on success:
    netdom join mypc /domain:bigfirm.com /usero:localadmin /passwordo:hithere /userd:domainadmin /passwordd:H1there /reboot
May work remotely unless firewalls stop it

dnscmd (in LH, Support Tools elsewhere)
Creates zones, resource records, etc; examples:
    dnscmd 192.168.0.2 /zoneadd bigfirm.com /primary /file bigfirm.dns
creates a zone
    dnscmd 192.168.0.2 /config bigfirm.com /AllowUpdate 1
makes it dynamic
    dnscmd 192.168.0.2 /recordadd bigfirm.com @ NS downtowndc.bigfirm.com
adds an NS record for downtowndc to the bigfirm.com zone

DCPROMO has been scriptable from the beginning
    dcpromo /answer:filename in 2000/2003
    dcpromo /unattend:filename in LH
Writing the answer files is now essentially automatic in Longhorn
Just run DCPROMO on a system and answer the wizard's questions to configure a DC as you'd like it
But at the last page of the wizard, you'll get the option to export configuration
Result: an answer file

Use the GUI to get a DHCP server as you like it
Then open a command prompt and type
    netsh dhcp server export dhcpbak.txt all
Then take dhcpbak.txt to your new Server Core system
    netsh dhcp server import dhcpbak.txt all
Alternatively, the DHCP snap-in works remotely

Consider that we've gotten enough commands to configure a system from vanilla to domain controller
Ever assembled a disaster recovery plan?
Put all of these commands into one big batch file and now you've got a DR plan that runs itself:
Set up an IP stack
Name a system
Create DNS zones
Install Active Directory

Later, we'll see account creation etc
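
The self-running DR plan described above, sketched as one batch file that resumes after the rename reboot. This is an added example, not from the original slides: the sample names, addresses, the c:\dr folder and the stage file are assumptions, and netdom's /force, start /w and the dcpromo exit-code check go beyond what the slides show.

```batch
@echo off
rem Added example, not from the original slides: staged rebuild script.
rem Names, addresses and paths below are constructed sample values.
setlocal
set NEWNAME=dc1
set IP=10.10.1.3
set MASK=255.255.255.0
set GW=10.10.1.1
set ZONE=bigfirm.com
set DRDIR=c:\dr
set ANSWER=%DRDIR%\dcpromo.txt
set STAGEFILE=%DRDIR%\stage.txt
set LOG=%DRDIR%\rebuild.log

if not exist "%DRDIR%" md "%DRDIR%"
rem The stage file records where to resume after the rename reboot.
if not exist "%STAGEFILE%" >"%STAGEFILE%" echo network
set /p STAGE=<"%STAGEFILE%"
>>"%LOG%" echo %date% %time% resuming at stage %STAGE%
goto %STAGE%

:network
rem Set up an IP stack (interface "local" and metric 2 as on the slide).
netsh int ip set address local static %IP% %MASK% %GW% 2 || goto failed
netsh int ip set dns local static %IP% || goto failed
rem Name a system; /force skips netdom's confirmation prompt.
netdom renamecomputer %computername% /newname:%NEWNAME% /force || goto failed
>"%STAGEFILE%" echo dns
echo Rebooting. Run this script again after logging on.
shutdown -r -t 0
goto :eof

:dns
rem Create DNS zones; Server Core needs the DNS role installed first.
start /w ocsetup DNS-Server-Core-Role
dnscmd %IP% /zoneadd %ZONE% /primary /file %ZONE%.dns || goto failed
dnscmd %IP% /config %ZONE% /AllowUpdate 1 || goto failed
>"%STAGEFILE%" echo ad
set STAGE=ad

:ad
rem Install Active Directory from the answer file the DCPROMO wizard exported.
if not exist "%ANSWER%" goto failed
dcpromo /unattend:%ANSWER%
rem dcpromo returns 1-4 on success and 11 or higher on failure.
if errorlevel 11 goto failed
>"%STAGEFILE%" echo done
goto :eof

:done
echo Rebuild already finished. Delete %STAGEFILE% to start over.
goto :eof

:failed
>>"%LOG%" echo %date% %time% stage %STAGE% failed, errorlevel %errorlevel%
echo Stage %STAGE% failed; see %LOG%
exit /b 1
```

The redirections are written in front of each echo so that a value ending in a digit is never read as a file handle number.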


ipconfig (but you probably already knew that): built in, does not remote
getmac /s systemname /u username /p password shows MAC addresses; /s, /u, /p only necessary if remoting
ping ipaddress or hostname
tracert [-d] ipaddress or hostname
arp -a dumps the ARP cache

nslookup for DNS; pack it all into one command line with opts, as in
    nslookup -type=mx minasi.com
    nslookup -vc -type=mx minasi.com (tells nslookup to use TCP)
see all of the options with nslookup -all

KB 830578 offers nblookup, a WINS version of nslookup with almost identical syntax and is quite useful!


Nice port tester at KB 832919
    portqry -n targetsystem [options]
Options:
    -e n                       try port number n
    -p tcp, -p udp, -p both    protocol to use (tcp default)
    -r n:m                     try range of ports from n to m
    -o a,b,c,d                 try list of specific ports
    -i                         do not reverse-resolve IP addresses

    portqry -n 10.0.0.2 -e 80 -i
check for a Web server or, better,
    portqry -n 10.0.0.2 -o 80,443 -i
    portqry -n 10.0.0.2 -r 130:139 -i
Scan TCP ports 130-139 on 10.0.0.2

C:\>ping -n 1 207.46.134.222
Pinging 207.46.134.222 with 32 bytes of data:
Request timed out.
C:\>portqry -n 207.46.134.222 -e 80 -i
Querying target system called: 207.46.134.222
TCP port 80 (http service): LISTENING

    netdom verify pcname /domain:domainname
Good to verify that you're indeed logged in
    netdom reset pcname /domain:domainname [/server:servername]
Your system may be logged in, but by a distant DC, which slows things down; this lets your system search for a closer DC and even, with the /server option, lets you specify a preferred DC

    netdom query fsmo | workstation | server | dc | ou | PDC | trust
example:
C:\>netdom query dc
List of domain controllers with accounts in the domain:
DC1
DC2
The command completed successfully.

Enabling ping: no longer in the GUI
    netsh firewall set icmpsetting 8 enable
From an elevated command prompt, of course!
If Vista/LH work very slowly, turn off autotuning:
    netsh interface tcp set global autotuninglevel=disabled
Some public routers need this; un-do by changing disabled to normal

A bit of nothing but NET


The original Microsoft network software worked entirely from the CLI
The commands all started with NET
All built into the OS
None work remotely, save for /domain
They've grown with time and are all still useful

The NET USER command
Creates, deletes user accounts locally and on the domain
Resets passwords
    net user username [password] [/domain] [/add]

    net user newguy longpassword /domain /add
(creates a new domain user named newguy with password longpassword)
    net user newguy newpasswd
(resets a password for a local user)
    net user newguy newpasswd /domain

    /active:yes|no
    /comment:"text"
    /homedir:path
    /profilepath:path
    /fullname:name string
    /workstations:machinename,machinename
    /scriptpath:path inside Netlogon

Try /random, as in
    net user joe /random /domain
Creates a random password for Joe and displays it
To create a password that no one knows, use ">nul" as in
    net user joe /random /domain >nul
btw, "net user" lists users; "net user /domain" lists domain users
And of course /delete eradicates a user account

To create a local group:
    net localgroup groupname /comment:text /add|/delete [/domain]
/domain creates a domain local group
To add a user to a local group,
    net localgroup groupname username /add
net localgroup all by itself lists the local groups
net groups works the same, but only on DCs and creates global groups

    net localgroup folks /add
    net localgroup folks susie /add
    net localgroup folks jack /add
    net localgroup folks /comment:"our club"
    net localgroup folks jack /delete
Create a new admin:
    net user joe joepwd /add
    net localgroup administrators joe /add

net share shows you your shares
Create a share like so:
    net share sharename=drive:path [/remark:remark text] [/grant:username,full|change|read] [/grant:username,full|change|read]
    net share mytest=c:\test /remark:"Playing with NET SHARE" /grant:administrator,full /grant:otherguy,change
NOTE /grant only works on servers

    net share sharename /delete
net share sharename reveals settings and lists who's currently connected:

C:\>net share c$
Share name        C$
Path              C:\
Remark            Default share
Maximum users     No limit
Users             MARK
Caching           Manual caching

You probably already know this one:
    net use * \\servername\sharename
(The * means "assign the next available drive letter")
But you can add credentials with the /u: (or /user:) option:
    net use * \\s1\stuff /u:joe@bigfirm.com swordfish

    net use \\pcname\ipc$ /u:"" ""
does a null session logon
net use shows you your current drive mappings, and your current persistence setting
    net use * /d /y
disconnects you from all of your drive mappings

By default, mapping a drive makes Windows try to re-map it when you next log on
Change that behavior with
    net use /persistent:no|yes
For example, net use /persistent:no changes the default behavior
You can also add /persistent to a drive mapping NET USE to make just that one map persistent or not

When referring to a server by its DNS name, as in net use x: \\a.b.com\s1, then you must use its actual host name
Using a CNAME in a NET USE will get you a fairly unhelpful error message

If you're talking to a resource that's out of your domain, you'll need the /user: option to connect to its shares
That's irritating to have to do
Instead, just type
    net use \\servername\sharename /savecred
You'll be prompted for credentials and your XP or later system will remember them in the future
Look in Control Panel / Users to manage this, and remember it come password-changing day!

net start service, net continue, net stop
No net restart:
    net stop xx & net start xx
Note the & lets you stack commands in a line
net helpmsg number shows the text message associated with an error number; example:
C:\>net helpmsg 1220
An attempt was made to establish a session to a network server, but there are already too many sessions established to that server.

The XP and later CLI tools dsadd, dsmod, dsget, dsquery, dsrm are a good, if uneven, set of commands that contain more AD-specific things
All are built into Server 2003 and LH
I won't cover these here because it'd take an hour or so just to explain the ds* commands
In short, the tools are very good, but hard to memorize
I have, however, written about them elsewhere

The Swiss Army knife of replication
Controls, as its name suggests, AD replication, but that means a lot
Use /? to get help, /listhelp for syntax on writing lists of DCs and, if ye be brave, matey, /experthelp to see the undocumented stuff
Some examples:

repadmin /kcc dcname forces a topology and replication partner check
repadmin /rebuildgc dcname causes a GC server to dump and rebuild its global catalog
repadmin /bridgeheads dcname shows bridgehead servers
repadmin /istg dcname shows inter-site topology generator DCs

GUID-ing and de-GUIDing:
repadmin /showsig dcname is mostly useful because it first shows you the GUID of the DC (it calls it the "invocationID") and THEN you can use the GUID like so:
    repadmin /dsaguid dcname GUID
converts a DC's GUID to the DC's "friendly name"

Understanding times:
repadmin /showtime [value] either shows the time in AD's "days since 1601" format, or takes a number in AD format and shows it in UTC


Revealing what each DC thinks it knows about its replication partners:
repadmin /showutdvec dcname naming-context shows up-to-date vectors for all DCs, from the point of view of dcname
repadmin /showrepl dcname naming-context /verbose shows the DC's replication partners and high-watermark table
repadmin /replsummary dcname compiles a list of success/fail statistics between a DC and its partners
repadmin /queue dcname lists the items in the outgoing queue for a given DC

repadmin /showchanges destdc GUID-of-sourceDC naming-context /verbose
summarizes everything that sourceDC hasn't yet replicated to DestDC

    repadmin /syncall /e [/P] dcname naming-context
/e cross sites
/P push changes
example:
    repadmin /syncall /e /P dc1 dc=acme,dc=com
Or use
    repadmin /syncall /j dcname
/j: only sync to adjacent dcs

bigfirm.com: dc=bigfirm,dc=com
Configuration NC: cn=configuration,dc=bigfirm,dc=com
Schema NC: cn=schema,cn=configuration,dc=bigfirm,dc=com
No NC named: repadmin /syncall assumes the configuration NC
dc=ForestDnsZones,DC=bigfirm,dc=com (will only appear in the root)
dc=DomainDnsZones,dc=bigfirm,dc=com

In Support Tools
Netdiag is local, DCdiag can be remoted
Both run a battery of tests on your system's network infrastructure (netdiag) and domain controller functions (dcdiag)
Really just a set of "sanity test" examinations, but still quite useful
Many writeups elsewhere, but in short

    del dcdiag.log
    del repadmin.log
    del netdiag.log
    dcdiag /e /c /v /ferr:c:\dcdiagerrs.log /f:dcdiag.log
    netdiag /v /l
    repadmin /showrepl * /verbose /all /intersite > repadmin.log

dsacls is a built-in XP/2003 command to view or modify AD permissions, which means AD delegation
Simplest form: dsacls dn-of-object shows the current permission
Option /A says to add owner/audit info
Option /S restores to schema default
Add /T and it walks the entire tree downward

To change delegations:
/G <group/user>:<permissions> adds the permission to the object's ACL
/D <group/user>:<permissions> denies
/N says to replace any current ACL with the /G or /D ACE specified
/R <group/user> removes all permissions for a given group/user

Specify groups and users as either group@domain, user@domain or domain\group and domain\user
Permissions: many in the Help, most common are GR (read), GE (execute), GW (write), GA (all, full control)
Case seems to matter on the options

    dsacls ou=marketing,dc=bigfirm,dc=com
Displays the ACLs on the Marketing OU, that is, the people and groups that can access this OU and its contents
    dsacls ou=marketing,dc=bigfirm,dc=com /G mpa@bigfirm.com:GA
Give the MPA group in Bigfirm full control of the Marketing OU
    dsacls ou=marketing,dc=bigfirm,dc=com /S
Reset Marketing's permissions to out-of-the-box

Ever tried to find all of the delegations that someone's got?
It's hard usually
But easy with dsrevoke.exe, from MS's Web site
    dsrevoke /remove domainname\username
    dsrevoke /report domainname\username
    dsrevoke /report /root:ou=marketing,dc=bigfirm,dc=com domainname\username
NOTE this requires NetBIOS names; UPNs do not work!!!!

There's a whole slew of disk maintenance and navigation commands that are documented in many places and that are the bedrock for a lot of CLI work; ex: dir, cd, md, rd, del, erase, move, copy, xcopy, fdisk (which became diskpart in XP), format, label, vol, rename, verify [on|off]


Several tools let you do NTFS from the command line
CACLS (built into the system)
ICACLS: cacls's replacement in Vista, LH, 2003 SP2
XCACLS (somewhat more complete, built into Support Tools)
SUBINACL (a Resource Kit tool that's powerful but buggy, so go to www.microsoft.com/downloads to get an updated one)
These are tougher syntax-wise, but I've written columns on them all at the Windows IT Pro site

If you've got a command prompt open, then don't bother with Explorer's Search; use DIR with /S
For example, to search the entirety of C: for myfile.txt, type
    dir c:\myfile.txt /s
To search in the folder "c:\files" and its subfolders, type
    dir c:\files\myfile.txt /s

    shutdown [-s|-r|-l] [-t ss] [-f] [-a]
-s=shut down, -r=reboot, -l=log off
-t ss lets you specify seconds; without -t, it's 30 seconds
-f forces apps that are open to just plain close, possibly losing data
-a says "there's a shutdown countdown in progress, abort it"

whoami is a Support Tool that tells you what context you're logged in as, as in "bigfirm\mark."
But add the /all option and you get your UPN, your SID, your group memberships, the SIDs of the groups, and your privileges
In Vista/LH, you even get your Windows integrity level

Vista and later have "wevtutil;" example:
    wevtutil qe application /c:2 /f:text /rd:true
(Shows the two most recent events in the Application log)
/c = # events to view
/f = output format (text or whatever)
/rd = Read from the most recent ("true") or from the oldest ("false")
Also archives logs, allowing us to finally automatically archive logs!

Ever wanted to create a batch file or something similar and have it write to the Event Log?
Meet eventcreate, an XP-and-later built-in command that works remotely
    eventcreate /ID eventid /L logname /SO srcname /T type /D description
logname=system, application, etc
type=error, warning or information
    eventcreate /ID 833 /l system /t information /d "Just saying hi"
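
Automatic log archiving as mentioned for wevtutil, with the outcome written back to the Event Log through eventcreate. This is an added example, not from the original slides: the c:\logarchive folder, the LogArchive source name and event IDs 900/901 are assumptions, and wevtutil's epl (export-log) verb and the wmic date lookup are not shown on the slides.

```batch
@echo off
rem Added example, not from the original slides: scheduled event log archive.
rem Folder, source name and event IDs are constructed sample values.
rem Run from an elevated prompt; exporting the Security log requires it.
setlocal
set ARCHIVE=c:\logarchive
set SRC=LogArchive
set FAILED=0
if not exist "%ARCHIVE%" md "%ARCHIVE%"

rem Build a locale-independent YYYYMMDD stamp from WMI's local date/time.
for /f "tokens=2 delims==" %%d in ('wmic os get localdatetime /value ^| find "="') do set STAMP=%%d
set STAMP=%STAMP:~0,8%

rem wevtutil epl exports a log to an .evtx file. Without /ow:true it refuses
rem to overwrite an existing archive, so a second run on the same day is
rem reported as a failure instead of silently replacing the first export.
for %%L in (Application System Security) do (
    wevtutil epl %%L "%ARCHIVE%\%%L-%STAMP%.evtx"
    if errorlevel 1 (
        set FAILED=1
        eventcreate /ID 901 /L application /SO %SRC% /T error /D "Archive of %%L log failed" >nul
    )
)

if %FAILED%==0 eventcreate /ID 900 /L application /SO %SRC% /T information /D "Event logs archived to %ARCHIVE%" >nul

rem Read back the newest Application event, using the slide's query form.
wevtutil qe application /c:1 /f:text /rd:true
exit /b %FAILED%
```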

We tend to look at the event log after something happens
But with eventtriggers, a built-in command in XP and 2003, you can cause a program to run when something particular happens
    eventtriggers /create /eid eventidnumber /tr triggername /tk actiontotake /ru usernametoruncommand /rp passwordofthataccount
In Vista/LH, it's the schtasks command, or just right-click any event in the Event Log and choose Attach Task To This Event...

    eventtriggers /create /eid 64002 /tr sysalert /tk "net send jack123 Something's deleting system files!" /ru jack123 /rp swordfish
eventtriggers or eventtriggers /query /v will list the triggers
eventtriggers /delete /tid n deletes a given eventtrigger, or /delete /tid * deletes them all

What if you could tell your system to e-mail you from a command line?
Then when event X happens, you could get your system to send you an e-mail about it
Heck, if you've got an SMS phone, then you could even have it text you
Answer: blat, from www.blat.net
(Vista and LH do not need blat, as they've got SMTP-awareness through and through)

Command-line SMTP client; example:
    blat - -body "Event ID 763 happened!" -server mail.bigfirm.com -to mark@mmco.com -f noone@bigfirm.com -subject "Event 763 alert" -u joe -pw swordfish
The "blat - -body" is no typo

The -u and -pw assume that your SMTP server needs logons; BLAT supports GSSAPI so it can do secure logons to Microsoft and other SMTP servers
Free download
Even includes the source
You can pre-store most of the parameters in the Registry

So you're setting up a test Web server, or an internal-only Web server, and you want a certificate for it and don't want to buy one, or don't want to have to set up a certificate server to crank one lousy Web cert
The answer? Selfssl, a tool that will generate a cert and install it, all in one line
It's in the IIS Resource Kit

    selfssl /t /v:ndays /n:dn
n is name
t installs it
v how many days to leave valid
example:
    selfssl /T /V:200 /n:cn=web2.minasi.com
Creates and installs a cert good for 200 days on the web2.minasi.com Web server

Everything you've seen so far works on Server Core, but there are a few items that are SC-specific

Server Core and WinPE do not have the .NET programming framework
Some command-line applications require the .NET programming framework, so they won't work on those systems

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
Change fDenyTSConnections to 0
Reboot: shutdown -r -t 0
Open the firewall: netsh firewall set portopening tcp 3389 "Remote Desktop"

Okay, to be honest, the command line isn't the only way to control Server Core
You can also fire up most MMCs and remotely control SC, but only remotely!
To do that, you'll need to open the SC machine's file and printer sharing ports, though, and to do group policies:
    gpedit.msc /gpcomputer:"computername"
You may have to NET USE to C$ on the SC box to authenticate first, however

Server Core installs new devices silently if possible
You can configure it to accept signed drivers via group policies
You can "introduce" a new driver to Server Core with pnputil:
    pnputil -a c:\newdrivers\scan.inf
That adds the driver package to the "driver store" in Vista or later systems

pnputil -e enumerates all installed driver packages
pnputil -i package.inf installs a given package
pnputil -d c:\newdrivers\scan.inf removes an existing package
driverquery lists all installed drivers
On WinPE, use peimg -- see my Newsletter #59 on my Web site www.minasi.com

Beyond Add/Remove Programs or Server Manager, ocsetup does the job
Note that servermanagercmd.exe does not work on Server Core
On SC, do ocsetup rolename
ex: ocsetup DNS-Server-Core-Role
Also DHCPServerCore, FRS-Infrastructure, BitLocker
Of course, use dcpromo to make a DC
Case matters!

First, get the drive partitioned right
Again, no GUI, but once you install the SC role, you have a new script manage-bde.wsf
Simplify it by typing cscript //h:cscript
Step One: enable the TPM chip
    manage-bde -tpm -t -o password
password is the tpm password
Step Two: encrypt the drive
    manage-bde -on c: -rp
Now C: is encrypted and a recovery password has been shown on the screen

To use a USB stick, add -sk driveletter for the drive with the USB stick
Check manage-bde /? to increase encryption etc.
Get the recovery password if you forgot it:
    manage-bde -protectors -get c:
Decrypt the drive:
    manage-bde -off c:

I have had to skip bezillions of great commands due to time, like
robocopy (RK)
delprof (RK)
sidhist.vbs (ST)
w32tm (OS)
netsh support of Windows Firewall and IPsec (OS)
SC (RK, OS)
and many more, but I've written about many of them on the Windows IT Pro site
Start looking for your own command line gems!

I hope I've introduced you to some of the neat things that the command line offers
Get comfy with some of these commands and you can get a lot done quickly
I'm at help@minasi.com
www.minasi.com has my free online newsletter and technical forum
Please don't forget the evals!