Sunday, 21 October 2007

using Netsh with DHCP

You can use Netsh commands for Dynamic Host Configuration Protocol (DHCP) in batch files and other scripts to automate tasks. The following example batch file demonstrates how to use Netsh commands for DHCP to perform a variety of related tasks.

In the circumstance of this example procedure, DHCP-01 is a DHCP server with the IP address 192.168.0.2. The procedure adds a new scope to DHCP-01 with the name MyScope, IP address 192.168.10.0, subnet mask 255.255.255.0, and comment NewScope. It then configures the scope with an address range (192.168.10.1 through 192.168.10.254), an exclusion range (192.168.10.1 through 192.168.10.25), and router IP addresses (DHCP option 003). The scope is then set to an active state.

For more information, see Setting up scopes, Setting up options, and DHCP options.

For more information and a complete list of Netsh commands for DHCP, see Netsh commands for DHCP.

In the following example procedure, lines that contain comments are preceded by "rem," for remark. Netsh ignores comments. I've also highlighted the commands for you.

===========================================================

rem one DHCP server:
rem (DHCP-01) 192.168.0.2

rem 1. Connect to (DHCP-01), and add the scope MyScope with IP address 192.168.10.0,
rem 1.1 subnet mask 255.255.255.0, and the comment NewScope.
netsh dhcp server 192.168.0.2 add scope 192.168.10.0 255.255.255.0 MyScope NewScope

rem 2. Connect to (DHCP-01 MyScope), and add IP address range 192.168.10.1 to 192.168.10.254 for distribution
rem 2.1 and the default ClientType of DHCP.
netsh dhcp server 192.168.0.2 scope 192.168.10.0 add iprange 192.168.10.1 192.168.10.254

rem 3. Connect to (DHCP-01 MyScope), and add IP exclusion range 192.168.10.1 to 192.168.10.25
rem 3.1 and the default ClientType of DHCP.
netsh dhcp server 192.168.0.2 scope 192.168.10.0 add excluderange 192.168.10.1 192.168.10.25

rem 4. Connect to (DHCP-01 MyScope), and set the value of option code 003
rem 4.1 to list two router IP addresses (10.1.1.1, 10.1.1.2).
netsh dhcp server 192.168.0.2 scope 192.168.10.0 set optionvalue 003 IPADDRESS 10.1.1.1 10.1.1.2

rem 5. Connect to (DHCP-01 MyScope), and set the scope state to active.
netsh dhcp server 192.168.0.2 scope 192.168.10.0 set state 1

rem 6. End example batch file.
===========================================================


The following table lists the netsh dhcp commands that are used in this example procedure.

Command - Description
server - Shifts the current DHCP command-line context to the server that is specified by either its name or IP address.
add scope - Adds a new scope to the specified DHCP server.
scope - Switches the command context to the DHCP scope that is specified by its IP address.
add iprange - Adds a range of IP addresses to the current scope.
add excluderange - Adds a range of excluded addresses to the current scope.
set optionvalue - Sets an option value for the current scope.
set state - Sets or resets the state of the current scope to either an active or inactive state.
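As an added example (not from the original post), the following Python script builds the same five netsh lines from a scope definition, after checking the definition for mistakes that netsh itself will happily accept: an address range outside the subnet, an exclusion range outside the address range, or a router (option 003) that is not on the scope's own subnet. The post's example values are the input; the function names (build_scope_commands, _arg) are this example's own. Run against the values above it emits the commands and warns that 10.1.1.1 and 10.1.1.2 are not on 192.168.10.0/24, which is worth a look before the scope is set active.

```python
import ipaddress


def _arg(value):
    """Quote a netsh argument only when it contains whitespace (netsh splits on spaces)."""
    value = str(value)
    return f'"{value}"' if any(ch.isspace() for ch in value) else value


def build_scope_commands(server, network, mask, name, comment,
                         ip_range, exclude_range=None, routers=(), activate=True):
    """Check a scope definition and return (warnings, commands).

    commands -- the netsh dhcp lines, in the order the post's batch file runs them
    warnings -- conditions netsh accepts but that would hand out bad leases
    Raises ValueError for definitions that are simply inconsistent.
    """
    # strict=True rejects a scope address with host bits set (e.g. 192.168.10.5)
    net = ipaddress.ip_network(f"{network}/{mask}", strict=True)
    warnings = []

    lo, hi = (ipaddress.ip_address(a) for a in ip_range)
    if lo > hi:
        raise ValueError(f"iprange start {lo} is above its end {hi}")
    if lo not in net or hi not in net:
        raise ValueError(f"iprange {lo}-{hi} is not inside scope {net}")
    if lo == net.network_address or hi == net.broadcast_address:
        warnings.append("iprange includes the network or broadcast address")

    if exclude_range:
        xlo, xhi = (ipaddress.ip_address(a) for a in exclude_range)
        if xlo > xhi:
            raise ValueError(f"excluderange start {xlo} is above its end {xhi}")
        if xlo < lo or xhi > hi:
            raise ValueError(f"excluderange {xlo}-{xhi} is not inside iprange {lo}-{hi}")

    for r in routers:
        if ipaddress.ip_address(r) not in net:
            warnings.append(f"router {r} is not on {net}; clients would get an "
                            "unreachable default gateway")

    base = f"netsh dhcp server {server}"
    scope = f"{base} scope {net.network_address}"
    commands = [
        f"{base} add scope {net.network_address} {net.netmask} {_arg(name)} {_arg(comment)}",
        f"{scope} add iprange {lo} {hi}",
    ]
    if exclude_range:
        commands.append(f"{scope} add excluderange {xlo} {xhi}")
    if routers:
        commands.append(f"{scope} set optionvalue 003 IPADDRESS " + " ".join(routers))
    if activate:
        commands.append(f"{scope} set state 1")
    return warnings, commands


if __name__ == "__main__":
    # The post's example scope on DHCP-01 (192.168.0.2)
    warnings, commands = build_scope_commands(
        "192.168.0.2", "192.168.10.0", "255.255.255.0", "MyScope", "NewScope",
        ("192.168.10.1", "192.168.10.254"), ("192.168.10.1", "192.168.10.25"),
        routers=["10.1.1.1", "10.1.1.2"])
    for w in warnings:
        print("WARNING:", w)
    print("\n".join(commands))
```

The generated lines can be pasted into a batch file exactly like the one above; the point of building them from one definition is that the range, exclusion and router checks run once, before anything is sent to the server.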

Here is a list of DHCP options. I've not had a chance to try them all, but I'm sure you will find them useful anyway.

1 Subnet Mask.
2 Time Offset (deprecated).
3 Router.
4 Time Server.
5 Name Server.
6 Domain Name Server.
7 Log Server.
8 Quote Server.
9 LPR Server.
10 Impress Server.
11 Resource Location Server.
12 Host Name.
13 Boot File Size.
14 Merit Dump File.
15 Domain Name.
16 Swap Server.
17 Root Path.
18 Extensions Path.
19 IP Forwarding enable/disable.
20 Non-local Source Routing enable/disable.
21 Policy Filter.
22 Maximum Datagram Reassembly Size.
23 Default IP Time-to-live.
24 Path MTU Aging Timeout.
25 Path MTU Plateau Table.
26 Interface MTU.
27 All Subnets are Local.
28 Broadcast Address.
29 Perform Mask Discovery.
30 Mask supplier.
31 Perform router discovery.
32 Router solicitation address.
33 Static routing table.
34 Trailer encapsulation.
35 ARP cache timeout.
36 Ethernet encapsulation.
37 Default TCP TTL
38 TCP keepalive interval.
39 TCP keepalive garbage.
40 Network Information Service domain.
41 Network Information Servers.
42 NTP servers.
43 Vendor specific information.
44 NetBIOS over TCP/IP name server.
45 NetBIOS over TCP/IP Datagram Distribution Server.
46 NetBIOS over TCP/IP Node Type.
47 NetBIOS over TCP/IP Scope.
48 X Window System Font Server.
49 X Window System Display Manager.
50 Requested IP Address.
51 IP address lease time.
52 Option overload.
53 DHCP message type.
54 Server identifier.
55 Parameter request list.
56 Message.
57 Maximum DHCP message size.
58 Renew time value.
59 Rebinding time value.
60 Class-identifier.
61 Client-identifier.
62 NetWare/IP Domain Name.
63 NetWare/IP information.
64 Network Information Service+ Domain.
65 Network Information Service+ Servers.
66 TFTP server name.
67 Bootfile name.
68 Mobile IP Home Agent.
69 Simple Mail Transport Protocol Server.
70 Post Office Protocol Server.
71 Network News Transport Protocol Server.
72 Default World Wide Web Server.
73 Default Finger Server.
74 Default Internet Relay Chat Server.
75 StreetTalk Server.
76 StreetTalk Directory Assistance Server.
77 User Class Information.
78 SLP Directory Agent.
79 SLP Service Scope.
80 Rapid Commit.
81 FQDN, Fully Qualified Domain Name.
82 Relay Agent Information.
83 Internet Storage Name Service.

85 NDS servers.
86 NDS tree name.
87 NDS context.
88 BCMCS Controller Domain Name list.
89 BCMCS Controller IPv4 address list.
90 Authentication.
91 client-last-transaction-time.
92 associated-ip.
93 Client System Architecture Type.
94 Client Network Interface Identifier.
95 LDAP, Lightweight Directory Access Protocol.

97 Client Machine Identifier.
98 Open Group's User Authentication.
99 GEOCONF_CIVIC.
100 IEEE 1003.1 TZ String.
101 Reference to the TZ Database.
102
111
112 NetInfo Parent Server Address.
113 NetInfo Parent Server Tag.
114 URL.

116 Auto-Configure
117 Name Service Search.
118 Subnet Selection.
119 DNS domain search list.
120 SIP Servers DHCP Option.
121 Classless Static Route Option.
122 CCC, CableLabs Client Configuration.
123 GeoConf.
124 Vendor-Identifying Vendor Class.
125 Vendor-Identifying Vendor-Specific.

128 TFTP Server IP address.
129 Call Server IP address.
130 Discrimination string.
131 Remote statistics server IP address.
132 802.1P VLAN ID.
133 802.1Q L2 Priority.
134 Diffserv Code Point.
135 HTTP Proxy for phone-specific applications.
136 OPTION_PANA_AGENT.

Saturday, 20 October 2007

To Promote or Demote a Server to a Domain controller

To Promote a Server to a Domain controller you will need to carry out the following:

Click Start, select Run, then type DCPROMO.EXE and press Enter.

You will then be presented with the Active Directory Installation Wizard Window:

Click Next. You will then be presented with the following window:

Select “Additional domain controller for an existing domain”.
Click Next.


In the Network Credentials window enter the username and password for a Domain Admin in the domain you're trying to join. Also enter the full DNS domain name.
Click Next.


Note: This step might take some time because the computer is searching for the DNS server.
Although the wizard will let you get to the last window and begin the attempt to join the domain, if you entered the wrong username or password you'll get an error message because of the bad credentials:

If you enter the domain name incorrectly you'll get an error message:


In the Additional Domain Controller window type or browse to select the domain to which you want to add the additional DC.


The location of the files is by default %systemroot%\NTDS, and you shouldn't change it unless you have performance issues in mind. Click Next.

The default location of the files is %systemroot%\SYSVOL, and you shouldn't change it.
This folder must be on an NTFS v5.0 partition. This folder will hold all the GPO and scripts you'll create, and will be replicated to all other Domain Controllers.

Click Next.
Enter the Restore Mode administrator's password. You will need this password if you ever need to restore the AD.

Click Next.
You will now be presented with a Summary screen where you can review your details. If all looks correct, click Next.


The server will now go through the process of configuring and setting up AD. This can take some time so be patient. You should never click cancel when the server is going through this process, as it can cause serious problems on the server.


If all went well you'll see the final confirmation window.

Click Finish.


You must reboot in order for the AD to function properly.

Click Restart now.


Demoting a Domain Controller
Click Start, click Run, type dcpromo, and then click OK.


This starts the Active Directory Installation Wizard. Click Next.

There is a check box in the Remove Active Directory screen.

If this computer is the last domain controller in the domain, click to select the check box. Otherwise, click Next.

In the next screen, set the password for the administrator account on the server after Active Directory is removed. Type the appropriate password in the Password and Confirm Password boxes, make a note of this password, and then click Next.

In the Summary screen, review and confirm the options you selected, and then click Next.

The wizard begins the process of removing Active Directory from the server. After the process is finished, a message indicates that Active Directory was removed from the computer.

Click Finish to quit the wizard.
Restart the computer.

Wednesday, 3 October 2007

How am I going to manage this network?

When building a network there are some things you should take into account.
How many servers do you have? How many workstations? How many network devices? These can become quite hard to maintain in large numbers, and often you end up fire fighting because you don’t know what is happening until it's too late.

So let's look at some options to avoid that. One: you could look at the event log in the hope of seeing it before there is a problem. Effective, but bad for your eyes, and you will most likely fall asleep looking at it. The more common approach is to use a network monitoring service like SNMP. Most of us will use SNMP, but what you might not have thought of is that you should be using SNMP version 3, as earlier versions send the log in clear text, and this is not good if the log is about a hacker. Sadly only Vista and Windows Server 2008 have this natively, so you will have to get some 3rd party agents for now, but don’t worry, there are plenty of free ones. Also remember SNMP can increase network traffic by 20%, so get rid of those old hubs and switches, replace them with 10/100/1000 switches and, for god's sake, we are in the 21st century after all. Ideally go layer 3, and if you have a really large site with 300 plus devices then you are best to look at layer 4.

Also avoid using well-known SNMP community names like public and private, as hackers will try those names first. So now you have some system logs, and because SNMP is common to Unix, Linux, Windows and most network devices, you have some way of seeing all the events on your network. There are some free tools and some paid tools that will help you make sense of the logs, but what you use is really up to you; just make sure it's an interface you can understand and that it runs on a server so you can look at it remotely. After all, it's good to work from home, isn’t it?

Also think about the domain structure of your network when picking a solution, as some are not designed to work in multi-domain environments. This may or may not be important to you now, but it might be important at a later date; forward planning is always wise.

Next we need a patch management tool; after all, we don’t want to do all those updates by hand, do we? So in the Windows corner we have WSUS 3 (Windows Server Update Services version 3), in the other corner we have SMS (Systems Management Server), and just to make it all fair we have ZENworks. Personally I like ZENworks best, but that's just my opinion.

Where you have multiple sites, it’s important not to eat up all your site-to-site links with sending and deploying patches, so try to have a local deployment server at each site, in the same way you do for local authentication to the domain. After all, you never know when you’ll need that bandwidth for a LAN game of Counter-Strike, hehehe.

So we now have a way of deploying patches to the servers and workstations. What else do we need? Well, this is the part where common tasks come in, you know, that thing we are supposed to do but never have time for. What do you call it again? “System maintenance”.

Yes, this is where the real fun begins. Every good administrator should have a pocket full of scripts for backups, reboots and all manner of system jobs we don’t want to stay around for ourselves. Sadly I’m not going to help you here, as scripts will change from system to system, so try to make sure you are running the same version of the OS at least.

Oh what the hell, here, have a script just for fun. You can run this to copy all the m4a (aka iPod) files to your hidden share on the server; it then deletes the files from the workstation. I have this running on logon, which is good fun when you have those iPod or iTunes users that just won’t take a hint that they should use the company network for storing their music. It takes a while to run in the background because it finds all drives, so if they have their iPod connected you will wipe it too (“a little evil smile forms on my face as I type this”).

=======================================================
' Find every .m4a file WMI can see, copy it to the hidden share, then
' delete the original. CIM_DataFile.Copy does not raise an error when it
' fails; it returns a non-zero code, so the delete only runs when the copy
' returned 0. Otherwise the original is left where it is.
strComputer = "."
strShare = "\\fileserver\Media Archive$\"
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' CIM_DataFile covers every drive on the box, including removable media
' such as a connected iPod, which is why this is slow.
Set colFiles = objWMIService. _
    ExecQuery("Select * from CIM_DataFile where Extension = 'm4a'")

For Each objFile in colFiles
    ' Only FileName.Extension is kept, so files with the same name in
    ' different folders overwrite each other on the share.
    strCopy = strShare & objFile.FileName & "." & objFile.Extension
    intResult = objFile.Copy(strCopy)
    If intResult = 0 Then
        objFile.Delete
    End If
Next
=======================================================

Remember this is only as good as your desktop usage policy. Oh yes, IT isn’t all fun and games; it was once, but that’s all gone now. So put your law hat on and get ready for one more lesson. Users, the lovely people we are forced to answer the phone to, are just like any other network component: if not correctly configured they will cause network storms. So your patch for the faulty OS is the desktop usage policy; applied correctly, it will let you stop even a manager dead in his tracks when he asks for something you don’t want to give him. There is far too much in it for me to detail here, so for now know that you don’t have to start from scratch; just do what all good administrators do: Google for one and modify it where needed.

Following up on the making-things-easier comment: get rid, if you can, of any hardware that is not standard, so you can create standard builds for workstations and deploy them from the network. After all, you wouldn’t want to get out of bed, go all the way to the office and spend 2 hours reinstalling the OS just because that dweeb in accounting messed up his PC again because he found some naked woman site with a virus on it. You can use Microsoft RIS (Remote Installation Services); there are other system imaging tools, so pick the one that is best for you, and as some can’t work on newer hardware, test them before committing to one.

And one last point: get a VoIP office phone. Welcome to not going to the office except for those dull office meetings.


OK, I'm off to play Counter-Strike. Good luck with your networks, and remember it's them or us and there can be only one, so kick ass.