Thursday, February 28, 2013

Connecting a FortiGate unit to two ISPs for redundant Internet connections



Problem
Create a backup Internet connection with your FortiGate unit so that, if the primary Internet connection fails, some or all traffic automatically switches to the backup Internet connection, and when the primary Internet connection is restored, traffic automatically switches back to it.
Solution
This solution describes how to improve the reliability of a network’s connection to the Internet by using two Internet connections to two different ISPs. In this solution, the primary ISP is connected to wan1 with a static IP and the backup ISP is connected to wan2 using DHCP.
To allow the internal network to use wan1 to connect to the Internet, add internal to wan1 security policies. To use wan2 to connect to the Internet, add duplicate internal to wan2 security policies.

You can choose to reduce the amount of traffic when the wan2 interface is operating by adding fewer security policies for connections to the wan2 interface. You could also use techniques such as traffic shaping to limit the amount of traffic processed by the wan2 interface, or add security policies that include FortiGuard web filtering or other web filtering techniques to block popular but less important websites. Application control could also be used to limit the applications that can be used when traffic is using the wan2 interface.
Configuring the primary Internet connection to use wan1
1 Connect the FortiGate wan1 interface to your primary ISP-supplied equipment. Connect the internal network to the internal interface.
2 From a PC on the Internal network, log in to the FortiGate web‑based manager using admin and no password.
3 Go to System > Network > Interface and Edit the wan1 interface and change the following settings:

Addressing mode: Manual
IP/Netmask: 172.20.120.14/255.255.255.0
4 Edit the internal interface and change the following settings:

Addressing mode: Manual
IP/Netmask: 192.168.1.99/255.255.255.0
5 Go to Router > Static > Static Route and select Create New to add the following default route.

Destination IP/Mask: 0.0.0.0/0.0.0.0
Device: wan1
Gateway: 172.20.120.2
6 Go to System > Network > DNS and add Primary and Secondary DNS servers.
7 Go to Policy > Policy > Policy and select Create New to add the following security policy that allows users on the private network to access the Internet through the wan1 interface.

Some FortiGate models include this security policy in the default configuration. If you have one of these models, this step has already been done for you.

Source Interface/Zone: internal
Source Address: All
Destination Interface/Zone: wan1
Destination Address: All
Schedule: always
Service: ANY
Action: ACCEPT
8 Select Enable NAT and Use Destination Interface Address.
9 Select OK to save the security policy.
Adding the backup Internet connection using wan2
1 Connect the wan2 interface to your backup ISP-supplied equipment.
2 Log in to the web‑based manager.
3 Go to System > Network > Interface and Edit the wan2 interface.
4 Set the Addressing Mode to DHCP and select Retrieve Default Gateway from server. Clear the checkbox for Override internal DNS.
5 Select OK to save the changes.
If everything is connected correctly, the wan2 interface should acquire an IP address from the ISP’s DHCP server. This can take a few minutes; you can select the Status link to refresh the display. Eventually, an Obtained IP/Netmask should appear. If the ISP’s DHCP server supplies DNS server IP addresses and a default gateway, they should also appear.

Make sure Retrieve Default Gateway from server is selected so that a default route is added to the routing table. Normally in a dual Internet configuration, you would not select Override internal DNS because you would not want the FortiGate unit to use the backup ISP’s DNS servers.
6 Go to Policy > Policy > Policy and select Create New to add the following security policy that allows users on the private network to access the Internet through the wan2 interface.

Source Interface/Zone: internal
Source Address: All
Destination Interface/Zone: wan2
Destination Address: All
Schedule: always
Service: ANY
Action: ACCEPT
7 Select Enable NAT and Use Destination Interface Address.
8 Select OK to save the security policy.
Set the default route to wan1 to be the primary default route and add a ping server for wan1 and a ping server for wan2
As a result of this configuration, the FortiGate unit will have two default routes, one that directs traffic to wan1 and one that directs traffic to wan2. The default route to wan2 is obtained from the backup ISP’s DHCP server. The ping servers verify the ability of the wan1 and wan2 interfaces to connect to the Internet.

Because the wan2 default route is acquired from the ISP using DHCP, the distance of the wan2 default route must be changed by editing the wan2 interface.
1 Go to Router > Static > Static Route and Edit the wan1 default route, select Advanced and set the Distance to 10.
The distance may already be set to 10 so you may not actually have to change it.
2 Go to System > Network > Interface list. Edit the wan2 interface and set the distance to 20 (or any number higher than 10).
3 To confirm which default route is now actually being used by the FortiGate unit, go to Router > Monitor > Routing Monitor to view the current FortiGate routing table. Routes that are not active do not appear on the routing monitor. In this example, only the one static route should appear: the wan1 default route. Its distance should be 10. Connected routes for the connected interfaces should also appear.

If you edit the wan2 interface and set the distance to a lower value (say 5), the wan1 default route is removed from the router monitor and is replaced with the wan2 default route (because the wan2 route has the lower distance). You can also have both default routes appear in the router monitor by setting their distances to the same value (say 10). When both routes have the same distance, this is known as equal cost multi path (ECMP) routing and both default routes are used. Sessions are load balanced between them. For an example, see “Distributing sessions between dual redundant Internet connections with usage-based ECMP”.
4 Go to Router > Static > Settings and select Create New and add the wan1 ping server:

Interface: wan1
Ping Server: 172.20.120.2
Detect Protocol: ICMP Ping
Ping Interval (seconds): 5
Failover Threshold: 5
5 Select Create New and add the wan2 ping server. The wan2 ping server is optional for this configuration. However, adding the wan2 ping server means the FortiGate unit will record event log messages when the wan2 ping server can’t reach its destination.

Interface: wan2
Ping Server: 10.41.101.100
Detect Protocol: ICMP Ping
Ping Interval (seconds): 5
Failover Threshold: 5
Results
If the wan1 ping server can connect to its ping server IP address, the routing monitor appears as shown above with a default route to the wan1 interface. All traffic to the Internet uses the wan1 interface and the internal to wan1 security policy. You can verify this by viewing the routing monitor and by going to Policy > Policy > Policy and viewing the Count column for the internal to wan1 and internal to wan2 policies while connecting to the Internet. The internal to wan1 policy count should increase, while the internal to wan2 count should not.
If you change the network so that the wan1 ping server cannot connect to its ping server IP address (for example, by physically disconnecting the cable from the wan1 interface), the default route should change to the wan2 interface. This is called default route failover.
An event log message similar to the following should also be recorded.
2011-08-24 10:16:39 log_id=0100020001 type=event subtype=system pri=critical vd=root interface="wan1" status=down msg="Ping peer: (172.20.120.14->172.20.120.2 ping-down)"
With the wan2 link active, attempt to connect to the Internet from the Internal network. If you can connect, this confirms that the dual Internet connection configuration is correct. View the security policy count column for the internal to wan2 policy. The count should be increasing, indicating that this policy is accepting traffic.
When you restore the wan1 interface’s connection, the ping server should detect that network traffic is restored and the routing table should revert to including the wan1 default route. Sessions that were established using the internal to wan2 security policy will continue to use this policy and the wan2 interface until they are terminated. However, all new sessions will use the internal to wan1 security policy.
Outgoing sessions and their responses that are in progress during a failover will have to be restarted after the failover, since responses to traffic sent out on one interface will not come back on another.

During a failover, incoming sessions received by a firewall VIP security policy from the wan1 interface before the failover may be sent out the wan2 interface after the failover. Outbound sessions initiated by the server and sent out the VIP security policy will have their source IP address modified according to the interface that sends the session to the Internet. If the wan1 link fails, outgoing VIP sessions automatically fail over to wan2. The source address of these sessions depends on the address defined in the firewall VIP.

If you can browse the web from the internal network, your configuration is successful. If you cannot, try the steps described in “Troubleshooting NAT/Route mode installations” to find the problem.
Changing this redundant Internet configuration to use ECMP
The basic redundant Internet connection scenario described in this section should be successful for many networks. However, to potentially improve default route failover performance and to reduce the number of failovers for incoming connections when the primary ISP fails and re-connects, you could implement Equal Cost Multipath (ECMP) routing.
You could implement a basic ECMP configuration of this redundant Internet connection scenario by setting the distances for both default routes to the same value and setting the priority of the default route to the primary ISP to a lower value than the priority of the default route to the backup ISP. The route with the lowest priority value is considered the best route. Use the following steps to modify the configuration.

Because the wan2 default route is acquired from the ISP using DHCP, the priority of the wan2 default route must be changed by editing the wan2 interface from the CLI.
1 Go to Router > Static > Static Route and Edit the wan1 default route.
2 Select Advanced and set the Distance to 10 and the Priority to 5.
3 Enter the following CLI command to edit the distance and priority of the wan2 default route.
config system interface
edit wan2
set distance 10
set priority 20
end
Since the wan1 default route has the lowest priority it is considered the best route and all traffic heading from the private network for the Internet uses the wan1 interface.

When two different distances are used on the wan1 and wan2 default routes, traffic originating from the Internet can only be responded to by the interface with the default route with the lowest distance metric (wan1). If a user from the Internet has established a connection to the Internal network through the wan1 interface, the user would lose their connection if the wan1 connection to the Internet fails. After a brief interruption the user would automatically re-connect through the wan2 interface. When the wan1 Internet connection comes back, the user’s connection would be interrupted a second time because it would have to switch back to the wan1 interface since the wan2 interface would no longer be able to process traffic.
When ECMP is implemented, both interfaces are able to respond to traffic initiated from the Internet as the routing is based on the session tables. The user would still lose their connection when the wan1 Internet connection fails, but after connecting through the wan2 interface the user’s connection would be able to continue on the wan2 interface after the wan1 connection was restored resulting in only a single interruption.

A number of ECMP scenarios are available. For another, see “Distributing sessions between dual redundant Internet connections with usage-based ECMP”.

Thanks
R.karthikeyan

Tuesday, February 26, 2013

Installing and enabling IIS and FTP on Windows Server 2008 R2


Hi, previously I have posted about this topic, but this time I am posting the same things with screenshots.

1. Open Server Manager, go to Roles and click “Add Roles”.
2. In the Add Role Wizard, select the Web Server (IIS) role to install.
3. Click Next until you reach the Select Role Services page, leave the defaults and check FTP Server, FTP Service and FTP Extensibility at the bottom. Click Next, follow the wizard and finish the role installation.
4. Now open IIS Manager from Start > Administrative Tools, expand the server, right click Sites, and click Add FTP Site, give it a site name and configure the physical path as needed.
5. Configure Binding and SSL. In our case, we’d like to bind to all unassigned IP addresses and do not use SSL.
6. Enable Basic Authentication and configure authorization. In our case I’ll start with allowing All users both Read and Write permission as long as all users on the server are password protected. Click Finish to finish the configuration.
7. Open Windows Firewall with Advanced Security from Start > Administrative Tools, go to Inbound Rules in the left pane, and create a new rule by clicking New Rule in the Action Pane, select Port and click Next.
8. Apply this rule to TCP port 21, and click Next.
9. Keep the default configuration for the rest of the steps to Allow the connection and apply it to all profiles, name the rule and finish the wizard.
10. Now the FTP should be up and running, test the connection to confirm and you’re good to go.



Thanks
R.karthikeyan

Create an IIS 7.5 FTP site (Windows Server 2008 R2)

Part 1:  Create a basic FTP site
  1. Create a new user for the FTP site
    1. Open Server Manager
    2. Go to Configuration > Local Users and Groups > Users
    3. From the Actions pane select More Actions > New User...
    4. Enter the username and password that you want to use for this FTP site
    5. Uncheck – User must change password at next logon
    6. Check – User cannot change password
    7. Check – Password never expires
    8. Click Create and then the Close button.
    9. Open the user properties of the user you created above (double-click or right-click > Properties on the username in Server Manager)
    10. Go to the Remote Desktop Services Profile tab
    11. Check – Deny this user permissions to log on to Remote Desktop Session Host server
    12. Click OK
    13. Close Server Manager
  2. Launch Internet Information Services (IIS) Manager.  This is found by clicking the “Start button” > Administrative Tools > Internet Information Services (IIS) Manager.
  3. Expand the tree view (left pane in IIS Manager) under the Connections pane—click the ‘+’ next to the server name—and select Sites.
  4. From the Actions pane select “Add FTP Site…”
  5. Complete the Add FTP Site wizard.
    1. FTP site name: The name you wish to give this FTP site
    2. Physical path: The location of your site or where you want the FTP site files to go
    3. Click Next
    4. Set the IP address that you want to use for FTP
    5. Select Allow SSL
    6. Choose the self-signed, server generated certificate from the SSL Certificate: drop-down list
    7. Click Next
    8. Check Basic authentication
    9. Change the Allow access to: drop-down to Specified users
    10. Enter the name of the user that you previously created in the text area below the drop-down list
    11. Check Read and Write from Permissions
    12. Click Finish
  6. You should now see the name of your FTP site under the main Sites pane
  7. Double-click on the FTP site that you set up from the main pane, or expand Sites from the tree view and select the FTP site that you set up
  8. Check folder permissions on the folder that you pointed the FTP site to
    1. Click Edit Permissions… under the Actions pane
    2. Click Security tab
    3. Make sure the user that you created above has modify rights to the folder
  9. At this point FTP is set up and working using the most basic configuration.
Part 2:  User Isolation
Note: There are five types of FTP User Isolation that IIS7.x supports.  In this KB article we will only cover two: “FTP Root Directory”, which is the basic, default option, and “User name directory (disable global virtual directories)”, which is used for user isolation.  If you would like information on all five types of FTP User Isolation you can look here: http://learn.iis.net/page.aspx/305/configuring-ftp-75-user-isolation/#002
  1. With the FTP site that you created above selected in the IIS Manager, launch the FTP User Isolation module by clicking on the FTP User Isolation icon
  2. Change the isolation method from “FTP root directory” to “User name directory (disable global virtual directories)”
  3. Click Apply under the Actions pane.
  4. Go back to the root of your FTP Site.
  5. Create a virtual directory named LocalUser.
    Note 1:
    This is one of the rare cases where Windows requires case-sensitivity.  The virtual directory name must be LocalUser, with the capital “L” and “U”, or FTP user isolation will fail.
    Note 2:
    The LocalUser folder only works for server level (local) usernames.  Domain level usernames are covered in later steps.
    1. Right-click on Test FTP Site from the tree view and select Add Virtual Directory…
    2. Alias: LocalUser (case-sensitive!)
    3. Physical path: C:\inetpub\ftproot
    4. Click OK
  6. Now create a second virtual directory (vdir) under the LocalUser vdir.
    1. Right-click on LocalUser from the tree view and select Add Virtual Directory…
    2. Alias: Use the name of the user that you created above for FTP
    3. Physical path: The actual path to where you want this user to be directed to
    4. Click OK
  7. Select the vdir in step 6 above from the tree view then Edit Permissions… from the Actions pane.
  8. Under the Security tab, give your FTP user “Modify” permissions to the folder then OK out of everything.
For a domain user, follow the steps below:
  1. In IIS Manager, create a new vdir under the root of your FTP Site named OW.
    Note 1:
    When setting up user isolation for domain user names you must create a vdir using the domain’s nickname.  This directory acts in the same way LocalUser does but for domain level users.
    Note 2:
    An Active Directory domain has two names: the domain name and the nickname.  The nickname is actually the “pre-Windows 2000 domain name” from when the domain names did not use a DNS/LDAP-like naming structure.
    The post-Windows 2000 domain names are like an internet domain name, like orcsweb.com.  The pre-Windows 2000 domain name, or nickname, is just a single word with hostname-like attributes.  In OrcsWeb’s case the nickname is OW, and the domain name is orcsweb.com.
    1. Right-click on your FTP Site from the tree view and select Add Virtual Directory…
    2. Alias: OW (all upper case)
    3. Physical path: C:\inetpub\ftproot
    4. Click OK
  2. Now create a second and third virtual directory (vdir) under the OW vdir.
    1. Right-click on the OW vdir from the tree view and select Add Virtual Directory…
    2. Alias: <your domain user name> (without the OW\ in front of it)
    3. Physical path: The path to your site
    4. Click OK
    5. Repeat for any other users as needed.
  3. Add the user to the NTFS permission on disk for the folders that you pointed the FTP users to
  4. Authorize the domain users in FTP.
    1. In IIS Manager, select your FTP Site and then the FTP Authorization Rules module
    2. Here is where you can authorize users to access the FTP site.  There are a couple of options you can choose: 1. Add the individual users or groups, 2. Allow all authenticated users.  By default we add individual users or a user group when setting up isolated users.
    3. Add any domain users to the existing rule (if there are any - or create a new one).
      1. Select the rule then Edit from the Actions pane
      2. After the existing user, enter a comma-space (“, “) then OW\ and the Active Directory user name.
      3. Click OK 



Thanks
R.karthikeyan

Saturday, February 23, 2013

Windows Server 2008 Administration Tasks done with PowerShell

1. Changing the local administrator password with PowerShell

Let’s assume you’re logged in as a domain administrator on a Windows 7 desktop that belongs to your domain. Now, let’s say you want to change the local admin password on a remote server in Chicago named CHI-WIN7-22. After an account password has been in use for some time, the chances of it being exposed get higher. That’s why you need to change your passwords from time to time.

The first thing to do to change the admin password in question is to create an ADSI object for the local administrator on that computer. That can be achieved by typing this in your PowerShell screen:
[ADSI]$Admin="WinNT://CHI-WIN7-22/Administrator"
This will essentially retrieve the admin account on CHI-WIN7-22 and assign it to an ADSI object named $Admin. The WinNT moniker in that string is case-sensitive and is a common source of error, so take note of that. If you want to connect to another computer, just replace CHI-WIN7-22 with the name of the computer you want to connect to.

Naturally, you’ll want to know first how long the password has been in use to determine whether or not the time has come to change it. You can obtain that information from $Admin by typing in:
$Admin.PasswordAge
That will display the time elapsed since the password of that account was last changed. However, since the resulting value is expressed in seconds, I normally divide it by 86,400, which is the number of seconds in a day:
$Admin.PasswordAge.Value/86400
The result will then be the same time elapsed but expressed in days, which I find more meaningful. If you notice, we used the Value property here. That’s because the PasswordAge is actually stored as a collection, and so we need the value of that collection in order to return a number that we can perform a division operation on.

Finally, you can change the password by invoking the SetPassword method and then using the new password as the argument. For example, if you want the new password to be S3cre+WOrd, then type:
$Admin.SetPassword("S3cre+WOrd")
Note: After you hit enter, don’t expect any confirmation message because there won’t be any. Changes will take effect immediately. That’s because what we’re using here is a method, not a cmdlet. Which means, unlike with cmdlets, SetPassword has no support for a -whatif or a -confirm.
That’s all there is to it. Let me now show you the steps we’ve discussed here in theory on an actual PowerShell:

[Screenshot: Change Password with PowerShell]
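The three steps above (bind with ADSI, read PasswordAge, call SetPassword) combined into one function, as an added example that is not code from the original post. Set-LocalAdminPassword, -MaxAgeDays and -Account are hypothetical names; the function takes the password as a SecureString so it never appears on the command line, and wraps SetPassword in ShouldProcess to supply the -WhatIf/-Confirm support the method itself lacks.

```powershell
# Added example: Set-LocalAdminPassword and its parameters are hypothetical names.
# The ADSI calls (WinNT provider, PasswordAge, SetPassword) are the ones shown above.
function Set-LocalAdminPassword {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$ComputerName,

        [Parameter(Mandatory = $true)]
        [System.Security.SecureString]$NewPassword,

        # Only change passwords at least this many days old (0 = always change).
        [int]$MaxAgeDays = 0,

        [string]$Account = 'Administrator'
    )

    begin {
        # SetPassword needs a plain string; decode once and scrub the buffer in 'end'.
        $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    }

    process {
        foreach ($name in $ComputerName) {
            $result = New-Object PSObject -Property @{
                ComputerName = $name; AgeDays = $null; Changed = $false; Error = $null
            }
            try {
                # 'WinNT' is case-sensitive; ',user' restricts the lookup to user objects.
                $admin = [ADSI]"WinNT://$name/$Account,user"

                # PasswordAge is a collection holding seconds; 86400 seconds per day.
                $result.AgeDays = [math]::Round($admin.PasswordAge.Value / 86400, 1)

                if ($result.AgeDays -ge $MaxAgeDays -and
                    $PSCmdlet.ShouldProcess("$name\$Account", 'Set password')) {
                    $admin.SetPassword($plain)   # takes effect immediately, no output
                    $result.Changed = $true
                }
            }
            catch {
                # Unreachable host, access denied, unknown account, and so on.
                $result.Error = $_.Exception.Message
            }
            $result
        }
    }

    end {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

# Prompt for the password, then preview with -WhatIf before running for real:
# $pw = Read-Host 'New local admin password' -AsSecureString
# 'CHI-WIN7-22' | Set-LocalAdminPassword -NewPassword $pw -MaxAgeDays 90 -WhatIf
```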

2. Restarting or shutting down a server with PowerShell

Let’s now move on to the task of restarting or shutting down a server using PowerShell. Just like the first task, we’re still going to assume you’re logged in as a domain administrator on a Windows 7 machine that belongs to your domain.

For these tasks, we’ll be using a couple of WMI-based cmdlets, Restart-Computer and Stop-Computer. Although we won’t be showing them here, it’s worth mentioning that these cmdlets accept alternate credentials. Alternate credentials allow you to specify a user account other than the one you are already logged into so that you can perform actions that that (alternate) account has permissions for.
Another thing that’s nice about these cmdlets is that you’ll be able to make use of -whatif and -confirm. That means, if you want to do a restart or a shutdown, you’ll have a way of making  sure you’ll be doing it on the computer you intend to do it on. This can come in handy if you want to perform restarts or shutdowns on a number of computers. You can just pipe a list or group of computers to these cmdlets.

To restart a remote computer or computers, the basic syntax is:
Restart-Computer -ComputerName <string[]>
wherein -ComputerName <string[]> is a string array that can consist of the name of a single computer or the names of multiple computers. Stop-Computer uses practically the same syntax. So for example, if you want to restart two computers named CHI-DC02 and CHI-FP01, the command would be:
Restart-Computer "CHI-DC02", "CHI-FP01"
Here’s an actual PowerShell screenshot wherein we used the -whatif argument. You use a -whatif if you simply want to simulate what would happen if you would execute the command in question.

[Screenshot: Restart Computer with PowerShell]
That was pretty straightforward. Let’s now try a more sophisticated example. Let’s assume you have a list of computers in a file named servers.txt. You can use the Get-Content cmdlet to retrieve the contents of that text file, like this:

[Screenshot: Get Content with PowerShell]
So, if you have a bunch of computers that you want to restart on a regular basis, you can list down the names of those computers in a text file. Then each time you need to restart them, you simply use the Get-Content cmdlet. Here’s how we used Get-Content and Restart-Computer in a real-world scenario:



[Screenshot: Restart Computers from Text File]
First, we got the content from the text file using Get-Content. Then, because we wanted to prepare for the eventuality that some computers would be offline, we piped the list to a where statement for testing. In the where statement, we ran test-connection, which is basically a ping on each computer.

The -quiet parameter returns either true or false, while -count 2 means each computer will only be pinged twice. Those computers that were successfully pinged twice were then passed along the pipeline.
Next, we used a foreach. Specifically, the objective was that: for each name that came out of the ping test, a green-colored message would be written saying that that computer was “Restarting”. The $_ stands for the current object in the pipeline. Next, the Restart-Computer cmdlet was called to restart each computer that could be pinged. We also used the -force parameter to kick off anyone logged on.
Finally, we used -whatif again to see what would happen without having to actually restart those computers.
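The pipeline described above, written out as a function; this is an added example, not the code from the original screenshot. Restart-ComputerFromList and its parameters are hypothetical names, and it goes slightly beyond the description by also reporting the hosts that did not answer the ping instead of silently dropping them.

```powershell
# Added example: Restart-ComputerFromList is a hypothetical helper name.
function Restart-ComputerFromList {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,          # text file with one computer name per line

        [int]$PingCount = 2     # same as -count 2 in the description above
    )

    # Trim each line, drop blanks and '#' comment lines, and de-duplicate so a
    # server listed twice is not restarted twice.
    $names = @(Get-Content -Path $Path -ErrorAction Stop |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -notmatch '^#' } |
        Sort-Object -Unique)

    foreach ($name in $names) {
        $status = 'Unreachable'
        $detail = $null

        # -Quiet makes Test-Connection return $true/$false instead of ping objects.
        if (Test-Connection -ComputerName $name -Quiet -Count $PingCount) {
            $status = 'NotRestarted'   # reachable, but -WhatIf or a declined prompt

            if ($PSCmdlet.ShouldProcess($name, 'Restart computer (force logoff)')) {
                Write-Host "Restarting $name" -ForegroundColor Green
                try {
                    # -Force logs off anyone signed in. -Confirm:$false avoids a second
                    # prompt, because ShouldProcess above has already asked.
                    Restart-Computer -ComputerName $name -Force -Confirm:$false -ErrorAction Stop
                    $status = 'RestartSent'
                }
                catch {
                    $status = 'Failed'
                    $detail = $_.Exception.Message
                }
            }
        }

        # One result object per host, so the run can be reviewed or exported.
        New-Object PSObject -Property @{
            ComputerName = $name; Status = $status; Detail = $detail
        }
    }
}

# Dry run first, then repeat without -WhatIf once the list looks right:
# Restart-ComputerFromList -Path .\servers.txt -WhatIf
```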

3. Restarting a service with PowerShell

Restart-Service is the cmdlet used for restarting a service. Although this cmdlet does not have a built-in mechanism to connect to a remote computer, PowerShell Remoting can be enabled so that you can execute it locally via remoting on the remote computer. This can come in handy when you want to restart a service on a group of computers.
To restart a service locally, simply say: Restart-Service "service", wherein "service" is the name of the service you want to restart. On the other hand, if you want to restart a service on one or more remote machines, then you can use the Invoke-Command cmdlet and PowerShell Remoting.

In the PowerShell screenshot below, you see two instances wherein we executed the Restart-Service cmdlet to restart the service called wuauserv, which is the Windows Update service. In the first instance, Restart-Service is executed locally. But in the second instance, it is executed on a remote database server named CHI-DB01 with the help of the Invoke-Command.

[Screenshot: Restart Service with PowerShell]
By default, Restart-Service doesn’t write any objects in the pipeline unless you use -passthru. So the additional information you see at the bottom (Status, Name, etc.) is a result of using -passthru. If the service runs on multiple computers and you want to restart the service running there as well, just add more computer names in a comma-separated list.

Another way to do that same task is by using WMI. First, you create a WMI object:

[Screenshot: Get WMIObject with PowerShell]
gwmi is the alias for Get-WmiObject.

Let me show you first the methods of this object. To do that, we’ll pipe the object to Get-Member (alias is gm).


[Screenshot: WMIObject Methods]
If you notice, there is no method for restarting the service. That means we will have to stop the service using the StopService method and then start it again using the StartService method.
Here’s how you stop the service using the object’s StopService method. The parentheses indicate it’s a method. If you get a ReturnValue of 0, that means the service stopped successfully. In case you get another value, you can research what that value means by reading the MSDN documentation for the Win32 service class.
[Screenshot: Stop Service Method with PowerShell]

To fire the service up again, you use the StartService method.

[Screenshot: StartService Method with PowerShell]

You can verify by executing the get-service command for that computer. Get-service allows you to connect to a remote computer, so you can simply get that service from the target computer to verify if it is in fact running there.
[Screenshot: Get Service with PowerShell]
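The WMI stop/start sequence described above as a single function, added here as an example and not taken from the original screenshots. Restart-ServiceViaWmi and -TimeoutSeconds are hypothetical names; the function checks each ReturnValue and waits for the service to reach the Stopped state before starting it again, then verifies with Get-Service.

```powershell
# Added example: Restart-ServiceViaWmi is a hypothetical helper name.
function Restart-ServiceViaWmi {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ComputerName,

        # Restricting the characters keeps the name safe to embed in the WQL filter.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[\w\.\-\$ ]+$')]
        [string]$Name,

        [int]$TimeoutSeconds = 30
    )

    $query = @{
        Class        = 'Win32_Service'
        Filter       = "Name='$Name'"
        ComputerName = $ComputerName
        ErrorAction  = 'Stop'
    }

    $svc = Get-WmiObject @query
    if (-not $svc) { throw "Service '$Name' not found on $ComputerName" }

    if ($svc.State -ne 'Stopped') {
        # Win32_Service methods report their outcome in ReturnValue; 0 means success.
        $rc = $svc.StopService().ReturnValue
        if ($rc -ne 0) { throw "StopService returned $rc for '$Name' on $ComputerName" }

        # StopService only sends the request, so poll until the state really changes.
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        do {
            Start-Sleep -Milliseconds 500
            $svc = Get-WmiObject @query
        } until ($svc.State -eq 'Stopped' -or (Get-Date) -gt $deadline)

        if ($svc.State -ne 'Stopped') {
            throw "'$Name' on $ComputerName did not stop within $TimeoutSeconds seconds"
        }
    }

    $rc = $svc.StartService().ReturnValue
    if ($rc -ne 0) { throw "StartService returned $rc for '$Name' on $ComputerName" }

    # Verify from the caller's side, as the text above does with Get-Service.
    Get-Service -Name $Name -ComputerName $ComputerName
}

# Example call, using the service and server named in the text:
# Restart-ServiceViaWmi -ComputerName CHI-DB01 -Name wuauserv
```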

4. Terminating a Process with PowerShell

Another task that’s commonly done on a server is terminating a process. To terminate a process, you use the Stop-Process cmdlet. Again, this can be executed locally or, if you want to stop a process on a remote system, you can use Stop-Process along with PowerShell Remoting.
There are two ways of terminating a process using the Stop-Process cmdlet.
The first one is pretty straightforward. You just run the Stop-Process command and then pass to it either the name of the process or its corresponding ID. In the screenshot below, the name of the process being killed is ‘Calc’ (which is really just the Windows Calculator). Note that Calc is running locally in this example.
[Screenshot: Stop Process with PowerShell]
The second involves using the Get-Process cmdlet to get one or more processes and then piping them to Stop-Process to kill all those processes at the same time. In the screenshot below, the process being killed is Notepad. Note that kill is an alias of Stop-Process. Again, just like Calc in the previous example, Notepad is running locally.
[Screenshot: Get Process Kill with PowerShell]
Let’s now move on to an example where we have a process running remotely. First, let’s fire up a process to kill. So here, we’re starting notepad on a remote computer named chi-fp01.
[Screenshot: Fire Up a Process with PowerShell]
Next, let’s check whether the process is actually running. For this purpose, we use ps, which is an alias for Get-Process.
[Screenshot: Get Process Alias with PowerShell]
Ok. Now that we have a remote process to kill, let’s go ahead and kill it. Like what we did in our discussion on Restarting a Service, we’ll use Invoke-Command and PowerShell Remoting to run the Stop-Process expression on the remote server chi-fp01.
See how the Get-Process alias (ps), which is running in the script block, pipes the process to the Stop-Process alias (kill).
[Screenshot: Killing a Remote Process using Invoke Command with PowerShell]

5. Creating a Disk Utilization Report with PowerShell

As admins, we often need to keep track of how much disk space is being used on our servers. We can accomplish this using WMI and the Win32_LogicalDisk class, which will give us information such as the Device ID, the size of the drive, free space, and a few other bits of information.
Using WMI, we can query local or remote computers. We can also perform those queries on either a single or multiple machines. In addition, we can: export the data we query to a CSV file or a database; create a text-based or an HTML-based report; or simply display the output to the screen.
Here’s a sample command using WMI on a local computer.
Get-WmiObject win32_logicaldisk -filter "drivetype=3" | Out-File c:\Reports\Disks.txt
We use the Get-WmiObject cmdlet to return information from the Win32_LogicalDisk class. Then we employ -filter to return only information related to drivetype=3, which stands for fixed logical disks like the c: drive. That means information regarding USB drives and network drives is not included. The returned information is then piped to a text file named Disks.txt.
Here’s a similar example run in an actual PowerShell session where we can see the output. Note that we are using aliases to shorten the command. Also, in this example, we specified that the output would include the device ID, disk size, the free space, and the system name.
Get WMIObject with PowerShell
While there’s certainly nothing wrong with that output, it sure could use a couple of improvements. For example, you might want to display the size and free space in Gigabytes instead of bytes. We can actually get a more elegant output by adding a few extra steps. Let me show you how.

For this purpose, we’re going to create a function named Get-DiskUtil. Although the succeeding example is going to show you how to do things interactively in the shell, you can actually put this function in a script file, load it into your profile, or load it to your other scripts so that you can use it again later on.
Here’s the function I’m talking about:
Get Diskutil Function with PowerShell
Let’s dissect that function now.
The function is going to take a computer name as its parameter and it will default to the local computer name.
Function Parameter with PowerShell
Now we use the Process script block so that the computer name can be piped in to the function. If the function gets a piped-in value ($_), it sets the computer name variable to that value. Otherwise, it takes the computer name that was passed in as a parameter.
Process Script Block with PowerShell
Next up is the Get-WmiObject expression.
Get WMIObject inside a function in PowerShell
The output of that expression is piped to the Select-Object cmdlet (represented by its alias, Select). We then make use of a hashtable to create a custom property called Computername. This basically renames the SystemName of the current object ($_) to Computername. The DeviceID is passed along as is.
HashTables with PowerShell
We then deploy a couple more hashtables. The first one takes the Size property, divides it by 1GB, expresses the result to two decimal places, and renames the property to SizeGB. The second one takes the FreeSpace property and does practically the same thing to it.
Second set of Hashtables with PowerShell
Next, we create a new property called UsedGB, which doesn’t exist in WMI. It simply takes the difference between the Size and FreeSpace properties and divides the result by 1GB.
Creating a New Property with PowerShell
Finally, we also create another property called PerFree, which stands for “percent free”. This shows the free space as a fraction of total disk size expressed in percentage. And that completes the function.
Percent Free with PowerShell
Here’s the function in action wherein we passed to it the name of the computer, piped the output to Format-Table (or ft), and set the final output to auto-size using -auto.
Get Diskutil Function in PowerShell Action
While all this looks nice and pretty, there’s still a lot more that we can get from this function. So let’s say that on a weekly basis, you need to get a disk utilization report of all the servers in your environment. Here are a couple of different ways you can work with this data.
The first thing we’re going to do is save the results of our expression to the variable $data, so that we don’t have to type in the command repeatedly. Next, we pipe the results to Where-Object, do the ping tests (pinging each computer twice), and then pipe the computer name to our newly created Get-DiskUtil function.
You’ll know that the command is done executing when you get the prompt back.
Using Get Diskutil Function in PowerShell
That would mean the data has already been stored in $data. You can then pipe the information in $data to sort by computername and then set it to auto-resize. You can also send that information to Out-Printer or Out-File.
Using the Output of the Get Diskutil Function in PowerShell
Similarly, if you want to load that information to a SQL database or an Excel spreadsheet, you can convert the data to a CSV file like this:
Export to CSV in PowerShell
Later on, if you import that CSV file, you will be able to obtain a snapshot of the disk utilization status of those disks right at the time the command is run.
Import CSV with PowerShell
Here’s a portion of that snapshot:
Snapshot of Disk Utilization
As a final example, let me show you how to create an HTML report that perhaps you will want to put on your Internet server to show disk utilization, so that, as an IT admin, you can take a quick peek at your disk utilization status even while you’re outside the office.
So again, you start by taking $data and piping it to Sort Computername. You then pipe the result to the ConvertTo-HTML cmdlet. You also give it a title and specify a CSS path. The CSS part is needed because ConvertTo-HTML does not do any formatting, so if you want your report to look pretty you’ll need that CSS file. Finally, you need to send the output to a file.

I have uploaded the CSS code in the text box below. Just copy it, save it in .css format, and give its path to your PowerShell script.

Output to HTML
Now that your file’s ready, you can then look at the file by using the start command.
Show HTML Report with PowerShell
Here’s a sample of that HTML report.

Remember that the values on this report are up-to-date.
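The Get-DiskUtil function dissected above and the weekly report steps that follow it, as an added example rebuilt from the article's description; it is not the author's code. The FreeGB property name, the $servers list, the $reportDir folder and the report.css file name are assumptions, and pipeline input is bound with ValueFromPipeline rather than the $_ check the article describes.

```powershell
# Added example, rebuilt from the article's description; not the author's code.
function Get-DiskUtil {
    [CmdletBinding()]
    param(
        # Defaults to the local computer and accepts names from the pipeline.
        [Parameter(Position = 0, ValueFromPipeline = $true)]
        [string]$ComputerName = $env:COMPUTERNAME
    )
    process {
        # DriveType=3 limits the query to fixed local disks.
        # FreeGB is an assumed name; the article does not name that property.
        # PerFree is left empty for a volume that reports no size.
        # On PowerShell 7, Get-CimInstance replaces Get-WmiObject.
        Get-WmiObject -Class Win32_LogicalDisk -Filter "DriveType=3" -ComputerName $ComputerName |
            Select-Object @{Name = 'Computername'; Expression = { $_.SystemName } },
                DeviceID,
                @{Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 2) } },
                @{Name = 'FreeGB'; Expression = { [math]::Round($_.FreeSpace / 1GB, 2) } },
                @{Name = 'UsedGB'; Expression = { [math]::Round(($_.Size - $_.FreeSpace) / 1GB, 2) } },
                @{Name = 'PerFree'; Expression = {
                        if ($_.Size) { [math]::Round(($_.FreeSpace / $_.Size) * 100, 2) }
                    }
                }
    }
}

# Constructed input (assumption): replace with your own server names.
$servers = @($env:COMPUTERNAME)
# Assumed output folder; created if it does not exist.
$reportDir = Join-Path $env:TEMP 'DiskReports'
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

# Keep only hosts that answer two pings, then collect their disk data once.
$data = $servers |
    Where-Object { Test-Connection -ComputerName $_ -Count 2 -Quiet } |
    Get-DiskUtil

# Screen, CSV snapshot and HTML report from the same stored results.
$data | Sort-Object Computername | Format-Table -AutoSize
$data | Export-Csv -Path (Join-Path $reportDir 'diskutil.csv') -NoTypeInformation
# report.css is a placeholder name; the link resolves relative to the HTML file.
$data | Sort-Object Computername |
    ConvertTo-Html -Title 'Disk Utilization Report' -CssUri 'report.css' |
    Out-File (Join-Path $reportDir 'diskutil.html')
```

Querying a remote computer this way needs an account with WMI access on that computer.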



Thanks
R.karthikeyan
