Active Administrator E-BOOK

Windows Server 2008 R2: Top Tips & Tricks

Learn best practices for failover clusters, get Active Directory management tips and find out how to master backup basics in this free guide!

Windows Server 2008 R2: Networking in Failover Clusters

Managing Active Directory Password Policies

Backup Basics in Windows Server 2008 R2

© 2011 ScriptLogic Corporation. All rights reserved. The ScriptLogic logo is a registered trademark of ScriptLogic Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

By JOHN MARLIN

Windows Server 2008 R2: Networking in Failover Clusters

When failure isn’t an option, configuring failover clusters in Windows Server can ensure high availability.

The networking model in Windows Server 2008 and Windows Server 2008 R2 Failover Clustering provides more robust and reliable communication among all cluster nodes, which greatly improves the efficiency and dependability of failover clustering. There are also several new features, including:

- More reliable communication using TCP and UDP unicast
- Support for IPv6
- Support for locating cluster nodes on separate, routed subnets
- Fine-grained control over network failure detection

You’ll need to use network hardware marked as “Certified for Windows Server 2008.” Any other component of your failover cluster solution must also be similarly certified. If you use iSCSI, your network adapters need to be dedicated for either network communication or iSCSI—not both.

When designing the network infrastructure to connect your cluster nodes, it’s essential to avoid single points of failure. There are many ways you can accomplish this. You can connect your cluster nodes with multiple, distinct networks. You could also connect your cluster nodes with one network built with teamed network adapters, redundant switches, redundant routers or similar hardware that remove single points of failure. These architectural requirements differ from server clusters in Windows Server 2003, which required two distinct networks.

Cluster Communications

Windows Server 2008 Failover Clustering now uses a virtual network adapter called Failover Cluster Virtual Adapter to communicate between nodes in the cluster. You’ll also see this in Device Manager under Network Adapters (select Show hidden devices). You’ll also see it when issuing the command ipconfig /ALL. This network adapter handles all packet routing over the proper networks for communication, joins and so on.

This adapter will have an APIPA address defined in the address block 169.254.0.0/16. In IPv6, they’re assigned with the fe80::/10 prefix. In some environments, when adapters have an APIPA address, those adapters are disabled. If you disable the Cluster Virtual Adapter, you’ll disable communication between the nodes.

The goal is to sustain TCP/IP connectivity between two or more systems, despite the failure of any component in the network path. So there has to be an alternate physical path. In other words, a network component failure (whether it’s an NIC, router, switch or hub) shouldn’t cause a communication breakdown. Communication should continue in a timely manner. There might be a slower response, but communication will persist as long as there’s an alternate physical path or link. This really comes into play when you talk about having nodes in separate sites or subnets.

Another change in Windows Server 2008 Failover Clustering is the cluster heartbeat mechanism. While it still uses port 3343, it has transitioned from a UDP broadcast health-checking mechanism to a UDP unicast communication. It’s similar to a ping in that it uses a Request-Reply process, but it includes more sophisticated features such as security and sequence numbering.

The default behavior has also changed in terms of how many replies are needed before the node is considered unreachable, initiating a Regroup to obtain a new view of the cluster membership. The cluster heartbeats let all nodes know which is up and down. As a default, the settings for this are controlled by:

- SameSubnetDelay: heartbeat frequency for nodes in the same subnet
- SameSubnetThreshold: threshold of the delays for nodes in the same subnet
- CrossSubnetDelay: heartbeat frequency for nodes in different subnets
- CrossSubnetThreshold: threshold of the delays for nodes in different subnets

These settings, and the method for changing them, are defined on the “Configure Heartbeat and DNS Settings in a Multi-Site Failover Cluster” TechNet Library page.

There’s a “heartbeat” sent across with a sequence number, say from Node1 to Node2. Node2 responds with the same sequence number. Node1 again sends the same sequence number to Node2, and Node2 returns it one last time. Node1 would then determine this heartbeat sequence complete and start the process again with another sequence number. If any of the heartbeat sequences are dropped or not received, it’s considered a “missed” heartbeat. By default, if any five of these sequences are missed, the node is considered down or inactive.

You can change these settings to increase the delay or threshold, but you can only work around any network problems. If there are any network latency issues, this could get around it, but it won’t fix the problem. So keep in mind that making changes to the delay or threshold settings isn’t considered a troubleshooting technique.

The heartbeats, by default, are going to use IPv6, as it’s a faster protocol than IPv4. If IPv6 has been disabled, it will instead use IPv4. A failover cluster will not mix and match IPv6 and IPv4. It will use one or the other, but not both at the same time.

Cluster Creation

When you create a cluster in Windows Server 2008 and Windows Server 2008 R2, the cluster-networking driver detects and creates the networks based on whether a default gateway is on the adapter. If it detects a default gateway, that network is set to allow clients to connect and use it for cluster communications.

This lets cluster IP addresses and client access points (network names) use the network. It also gives it a metric value starting at 10,000. If a network doesn’t have a default gateway, it will be given a metric value starting at 1,000. Then it will only be selected for Cluster Communications.

    Name                      Metric
    iSCSI Network             1000
    Backup Network            1100
    Host Access               10000  <<-- has default gateway
    CSV Network               1200
    Live Migration Network    1300


Each network it detects increases the metric increment by 100.

One thing about the way it works now is that there’s no more concept of a “public” and “private” network. Therefore, the old “Recommended Private ‘Heartbeat’ Configuration on a Cluster Server” article for clustering is invalid. Cluster communications are still going to go through all networks.

In previous versions, you defined which network you wanted to use for cluster communications. As long as that network was available, the cluster would use only that network. Windows Server 2008 and Windows Server 2008 R2 use all networks. If there’s an issue with one network, it will automatically switch between networks.

There’s an internal metric the Cluster Network driver uses. It doesn’t use the general TCPIP metric value. You can see the metric values with the following Windows PowerShell command:

    Get-ClusterNetwork | FT Name, Metric

The metric values really come into play when talking about having a cluster with highly available virtual machines (VMs) and using Cluster Shared Volumes.

For example, say you want to run this command with the networks configured as in the first chart above. When using Cluster Shared Volumes, it will use the lowest metric value network for any CSV traffic or redirected mode access. When using the live migration feature of failover clustering, it will use the second-lowest metric.

In the example, CSV traffic will go over the iSCSI Network and live migrations will go over the network used for backups. When taking a backup of the VMs, the Cluster Shared Volumes will go into a redirected mode access. This is going to interfere with the iSCSI connections and could lead to disk failures. A data backup on the local drive of Node1 and a Live Migration would interfere with each other.

You need to reconfigure the networks to get everything you need. For the Live Migration network, you can change this by bringing up the properties of one of the VMs. On the Live Migration tab, change it to the LM Cluster network. For this, you only need to do it on a single VM because this is a global setting for all VMs.

For the CSV network, you can only affect this change through Windows PowerShell. To order the networks from Low to High, use the following commands:

    Get-ClusterNetwork "CSV Cluster" | %{$_.Metric=800}
    Get-ClusterNetwork "LM Cluster" | %{$_.Metric=900}
    Get-ClusterNetwork "Backup Network" | %{$_.Metric=1000}
    Get-ClusterNetwork "ISCSI Storage Network" | %{$_.Metric=1100}

Running the command to see the metrics will now show the following:

    Name                      Metric
    iSCSI Network             1100
    Backup Network            1000
    Host Access               10000  <<-- has default gateway
    CSV Network               800
    Live Migration Network    900

The CSV cluster network is set for metric 800. Adding any new network that doesn’t have a default gateway would be higher. Now with properly configured metrics, you can take backups or live migrate VMs without any conflicts on the networks.

The last thing to mention is cluster validation. You can run some network validation tests to determine connectivity issues, network configurations and so on. You can run these tests at any time without affecting production. The cluster validation tests include:

- Cluster Configuration
- List Cluster Network Information
- Network
- List Network Binding Order
- Validate Cluster Network Configuration
- Validate IP Configuration
- Validate Multiple Subnet Properties
- Validate Network Communication

You can find the details of the Cluster Validation tests on the “Understanding Cluster Validation Tests” TechNet Library page. This will show you exactly what the tests look for and what each test does.

John Marlin is a senior support escalation engineer in the Commercial Technical Support Group. He has been with Microsoft for more than 19 years, with the last 14 years focusing on Cluster Servers.
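The metric rule from the failover clustering article above (lowest metric carries CSV traffic, second-lowest carries live migration) can be checked before a backup window exposes a conflict. The following PowerShell sketch is an added example, not code from the article: the function names and the "avoid" name patterns are assumptions, and the sample input is the two charts from the article re-typed as objects.

```powershell
# Added example, PowerShell 2.0 compatible. Function names and -AvoidPattern
# defaults are assumptions of this example, not part of the FailoverClusters module.

function New-SampleNetwork($Name, $Metric) {
    New-Object PSObject -Property @{ Name = $Name; Metric = $Metric }
}

function Get-ClusterTrafficPlan {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Network,
        # Hypothetical name patterns for networks that should not carry
        # CSV or live-migration traffic (storage and backup paths).
        [string[]] $AvoidPattern = @('iSCSI', 'Backup')
    )

    $ordered = @($Network | Sort-Object -Property Metric)
    if ($ordered.Count -lt 2) { throw 'At least two cluster networks are required.' }

    # Equal metrics make "lowest" and "second-lowest" ambiguous.
    $ties = @($ordered | Group-Object -Property Metric | Where-Object { $_.Count -gt 1 })
    foreach ($t in $ties) {
        $members = ($t.Group | ForEach-Object { $_.Name }) -join ', '
        Write-Warning ("Metric {0} is shared by: {1}" -f $t.Name, $members)
    }

    # Per the article: lowest metric carries CSV traffic and redirected access,
    # second-lowest carries live migration.
    $assignments = @(
        @{ Role = 'CSV / redirected access'; Net = $ordered[0] },
        @{ Role = 'Live migration';          Net = $ordered[1] }
    )

    foreach ($a in $assignments) {
        $reasons = @()
        foreach ($p in $AvoidPattern) {
            if ($a.Net.Name -match [regex]::Escape($p)) { $reasons += "name matches '$p'" }
        }
        # Networks with a default gateway start at 10,000 and serve clients.
        if ($a.Net.Metric -ge 10000) { $reasons += 'client-access network' }

        New-Object PSObject -Property @{
            Role     = $a.Role
            Network  = $a.Net.Name
            Metric   = $a.Net.Metric
            Conflict = ($reasons -join '; ')
        }
    }
}

# Sample input: the automatically assigned metrics from the first chart.
$autoAssigned = @(
    (New-SampleNetwork 'iSCSI Network' 1000),
    (New-SampleNetwork 'Backup Network' 1100),
    (New-SampleNetwork 'Host Access' 10000),
    (New-SampleNetwork 'CSV Network' 1200),
    (New-SampleNetwork 'Live Migration Network' 1300)
)

# Sample input: the metrics after the manual changes, from the second chart.
$reordered = @(
    (New-SampleNetwork 'iSCSI Network' 1100),
    (New-SampleNetwork 'Backup Network' 1000),
    (New-SampleNetwork 'Host Access' 10000),
    (New-SampleNetwork 'CSV Network' 800),
    (New-SampleNetwork 'Live Migration Network' 900)
)

Write-Host 'Automatic metrics:'
Get-ClusterTrafficPlan -Network $autoAssigned |
    Format-Table Role, Network, Metric, Conflict -AutoSize

Write-Host 'After setting the metrics by hand:'
Get-ClusterTrafficPlan -Network $reordered |
    Format-Table Role, Network, Metric, Conflict -AutoSize

# On a cluster node, feed it live data instead:
#   Import-Module FailoverClusters
#   Get-ClusterTrafficPlan -Network (Get-ClusterNetwork)
```

The check only reads Name and Metric, so it changes nothing on the cluster; adjust the patterns to the naming used for storage and backup networks in your environment.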


By DEREK MELBER

Managing Active Directory Password Policies

So, you think you know how password policies work in Active Directory? Well, you might … or you might not. Find out how to manage Active Directory password policies in Windows Server 2008 and Windows Server 2008 R2.

Some things in life, like death and taxes, are guaranteed. There are other things in life that you think are guaranteed, or at least you think you know how they work—such as Active Directory password policies. Then, there are things that you want to work, and when they come along, you feel you know how they work before you even look at them—such as fine-grained password policies (FGPPs). I’m not going to discuss death and taxes, but I am going to clarify the misconceptions surrounding Active Directory password policies and FGPPs.

With the technology of password policies having existed for more than 10 years now, you’d think this topic would be infinitely clear. However, based on my exposure to network administrators who are still confused about how Active Directory password policies work, that’s not the case.

Basic Facts

These basic facts have been the same in Active Directory domains since Windows 2000, which was released 11 years ago:

- The Default Domain Policy defines the password policies by default for every user in Active Directory and every user located in the local Security Account Manager (SAM) on every server and desktop that joins Active Directory.
- There can be only one password policy for domain users in a Windows 2000 and Windows Server 2003 Active Directory domain.
- It’s not possible to configure the password policy for an organizational unit (OU) of users to be different than that of other users in the domain or in a different OU.
- The password policy settings can’t be extended to include additional settings without using a third-party tool or developing a custom password policy solution.
- It’s not possible to configure a password policy for the root domain and have it “funnel” down to the other domains in the Active Directory tree.

I still see administrators and organizations try to explain that they have an environment different than what is possible. With that said, I’d encourage all of the admins and organizations that think they have a different configuration for passwords to “test” what they believe. Unless you have a third-party product in place or have Windows Server 2008 native mode domains, you can’t have anything but what I detailed here.

Possible Settings in the Password Policy

When you edit a standard Group Policy Object (GPO) from the Group Policy Management Console (GPMC), you’ll find the same options for the Account Policy. To find the password policy settings, which are under the Account Policy, open up the following path of policy folders: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies. Once there, you’ll find three policy folders: Password Policy, Account Lockout Policy and Kerberos Policy.

For each of these folders and the settings contained within them, there’s a default in Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2 freshly installed domains. The default settings are as shown in Table 1.

| Policy Setting | Default Value |
| --- | --- |
| Enforce password history | 24 days |
| Maximum password age | 42 days |
| Minimum password age | 1 day |
| Minimum password length | 7 |
| Password must meet complexity requirements | Enabled |
| Store passwords using reversible encryption | Disabled |
| Account lockout duration | Not defined |
| Account lockout threshold | 0 |
| Reset account lockout counter after | Not defined |
| Enforce user logon restrictions | Enabled |
| Maximum lifetime for service ticket | 600 minutes |
| Maximum lifetime for user ticket | 10 days |
| Maximum lifetime for user ticket renewal | 7 hours |
| Maximum tolerance for computer clock synchronization | 5 minutes |

Table 1. Account Policy settings default values.

Limitations of the Password Policy for Domain Users

To ensure you understand what I mean by domain users, let’s scope out where these users reside. Domain users are those users that are created and stored in the Active Directory database. This means all users stored on your domain controllers (DCs) fall under this definition. One easy way to see whom this entails would be to open up the Active Directory Users and Computers (ADUC) and do a search on all users for that domain. Every user that shows up on that search falls into this scope.

The only way to control the password policy for domain users is to configure the aforementioned Account Policy in a GPO linked to the domain. That is the only way by default! Yes, it’s true the GPO that contains the default password policy settings is the Default Domain Policy, but this is just the default. You can easily create a new GPO, configure the Account Policy settings as you wish and ensure this GPO has the highest precedence in the GPMC. The result will be that this new GPO will control the Account Policy settings for all domain users.

Figure 1. ADSIEDIT connection options.


Default Password Policies

When you install a new Active Directory domain within Windows Server 2008 or Windows Server 2008 R2, or upgrade a Windows 2000 or Windows Server 2003 domain to have Windows Server 2008 or Windows Server 2008 R2 DCs, you can configure the domain to be at the Windows Server 2008 Domain Functional Level. At this functional level, you have more capabilities for configurations within the domain, but that doesn’t mean that the default behavior changes. This is the case with the Account Policies for domain users.

When you have a basic Active Directory domain that’s running at the Windows Server 2008 Domain Functional Level, the Account Policies for all domain users behave the exact same way they always have. A Windows Server 2008 or Windows Server 2008 R2 Active Directory domain, without FGPPs implemented, has the following characteristics for passwords affecting domain users (see the bullet list below).

Figure 2. FGPP/PSO filter settings to see correct attributes for setting up permissions.

| Attribute | Value | Explanation |
| --- | --- | --- |
| Cn | HRPasswordPolicy | The name of the password policy object in Active Directory. Should be named after which user group it will affect. |
| msDS-PasswordSettingsPrecedence | 10 | A reference number, compared to other precedence settings for other FGPPs, which will resolve a conflict if user is member of two groups and each group has an FGPP. Smaller numbers have higher precedence. |
| msDS-PasswordReversibleEncryptionEnabled | False | Boolean value to define if passwords should be stored with reversible encryption. |
| msDS-PasswordHistoryLength | 24 | Number of unique passwords user must input before reusing a password. |
| msDS-PasswordComplexityEnabled | True | Defines if password complexity should be enabled or not. |
| msDS-MinimumPasswordLength | 15 | Minimum number of characters in each user password. |
| msDS-MinimumPasswordAge | -864000000000 | Minimum password age (one day). |
| msDS-MaximumPasswordAge | -36288000000000 | Maximum password age (42 days). |
| msDS-LockoutThreshold | 30 | Number of failed password attempts before user is locked out. |
| msDS-LockoutObservationWindow | -18000000000 | Elapsed time to reset password lockout counter to maximum (in this case 30 minutes). |
| msDS-LockoutDuration | -18000000000 | If the number of bad passwords is met in observation window time, this defines how long the account should remain locked out (30 minutes). |

Table 2. FGPP/PSO values to create a new object.


- The Default Domain Policy defines the password policies by default for every user in Active Directory and every user located in the local SAM on every server and desktop that joins Active Directory.
- There can be only one password policy for domain users using Group Policy.
- It’s not possible to configure the password policy in a GPO linked to an OU to affect users in the OU differently than other users in the domain or in a different OU.
- The password policy settings can’t be extended to include additional settings without using a third-party tool or developing a custom password policy solution.
- It’s not possible to configure a password policy for the root domain and have it “funnel” down to the other domains in the Active Directory tree.

Notice that the bullet list here is very similar to the list that was at the beginning of this article. The reason is that the Account Policy and password policy, even for Windows Server 2008 R2 domains, behave the exact same way as previous Windows 2000 and 2003 domains by default.

FGPPs

The preceding section was clear in stating that the default behavior of the Account Policies in a Windows Server 2008 and Windows Server 2008 R2 domain is exactly the same as it is in any other Active Directory domain before it. The difference comes when the Active Directory domain contains only Windows Server 2008 or Windows Server 2008 R2 DCs, and is moved to Windows Server 2008 Domain Functionality Level. When this occurs, it opens the door for FGPPs. Again, just to reiterate, without FGPPs configured, any Windows domain (including Windows Server 2008 R2 domains) acts the same as it always has.

The reason you’d want to configure FGPPs is to allow multiple password policies in the same Active Directory domain. Yes, that’s correct. The same Active Directory domain can have multiple password policies. The result could be the following:

- IT employees have a minimum character limit of 20
- HR and finance employees have a minimum character limit of 15
- Standard employees have a minimum character limit of 10

In order to configure FGPPs, you won’t be using Group Policy. Instead, the implementation of FGPPs is done by modifying the Active Directory database. The database is altered by adding one or more additional Active Directory objects, referred to as Password Settings Objects (PSOs).

This might sound odd, and I must agree it is. If you decide to implement FGPPs, you’ll have a mixture of Account Policy settings, via GPOs and FGPPs, in your environment.

To complete the configuration of your FGPPs, you’ll need to complete the following steps:

1. Launch ADSIEDIT.MSC on your DC.
2. Select the View toolbar menu option, then click on the Connect to option.
3. In the Connection Settings dialog box click the OK button (see Figure 1).
4. Within ADSIEDIT, expand the view of your domain down to the CN=System, so you can see the contents available under this node.
5. Right-click on the CN=Password Settings Container.
6. Select the option to Create | Object.
7. Fill out the values for each entry; Table 2 is a guide.

Note that the values input for minute/hour/day in Table 2 seem very odd. This is due to the fact that they’re input in the “I8” data type. The I8 data type follows an odd format, which can be seen in Table 3.

| Time Unit | Formula | Example Time | Value |
| --- | --- | --- | --- |
| m minutes | -60*(10^7) = -600000000 | 30 minutes | -18000000000 |
| h hours | -60*60*(10^7) = -36000000000 | 10 hours | -360000000000 |
| d days | -24*60*60*(10^7) = -864000000000 | 42 days | -36288000000000 |

Table 3. The “I8” data formatting for minutes, hours and days.

In order to link the FGPP/PSO to the correct user or group, you’ll need to configure an object attribute. In order to see the correct object attribute, ensure the FGPP/PSO filter in ADUC or ADSIEDIT is set properly, which can be seen in Figure 2.

In the attribute list for your FGPP/PSO, scroll down to the msDS-PSOAppliesTo entry and double-click this attribute to see the Multi-valued Distinguished Name With Security Principal Editor dialog box, as shown in Figure 3.

Figure 3. Multi-valued Distinguished Name With Security Principal Editor for FGPP/PSO.

You can enter a domain name, username or security group into the editor. Select the correct button, then add in your object to the editor. I added the HR group, as shown in Figure 4.

Figure 4. HR group added to the HRPasswordPolicy FGPP/PSO.

Verify that a user in the HR group has the correct password policy by viewing the user account properties from within ADUC, then looking at the msDS-ResultantPSO attribute.

A New Path

The default password policy settings for a Windows Active Directory domain haven’t changed for the past 11 years, and in a default Windows Server 2008 R2 domain they’re the same to begin with. The Default Domain Policy controls all domain user password policies by default but can be altered by another GPO linked to the domain with higher precedence. Once the domain is configured to be a Windows Server 2008 Domain Functional Level domain, FGPPs can be used.

You can use ADSIEDIT.MSC to create and configure one or more FGPP objects or PSOs, which will now allow you to have multiple password policies in the same domain. The FGPPs/PSOs will be associated with a domain name, user or group—and have nothing to do with Group Policy, which you’ve known password policies to rely on for the past 11 years. Now you can obtain that segregation of password lengths for the different users in your single Active Directory domain.

Derek Melber, MCSE, MVP, is an independent consultant and speaker, as well as the author of many IT books. He is president and CTO of BrainCore and is author of “Windows Group Policy Resource Kit” (Microsoft Press, 2008). You can reach Melber at [email protected].
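The time-valued PSO attributes in Table 2 and Table 3 of the password policy article above are negative counts of 100-nanosecond intervals (10^7 per second), which is the same unit as a .NET TimeSpan tick. The PowerShell sketch below is an added example, not code from the article: it converts in both directions and sanity-checks a set of values before they are typed into ADSIEDIT. The function names, the constructed "typo" policy and the two consistency checks are assumptions of this example.

```powershell
# Added example, PowerShell 2.0 compatible; not code from the article.
# PSO time attributes are negative counts of 100-nanosecond intervals,
# the same unit as TimeSpan.Ticks.

function ConvertTo-PsoInterval {
    param([Parameter(Mandatory = $true)] [TimeSpan] $Duration)
    if ($Duration.Ticks -lt 0) { throw 'Duration must not be negative.' }
    [Int64](-1 * $Duration.Ticks)
}

function ConvertFrom-PsoInterval {
    param([Parameter(Mandatory = $true)] [Int64] $Value)
    if ($Value -gt 0) { throw "PSO intervals are negative numbers, got $Value" }
    [TimeSpan]::FromTicks(-1 * $Value)
}

function Test-PsoTimeSettings {
    param([Parameter(Mandatory = $true)] [hashtable] $Pso)

    $names = 'msDS-MinimumPasswordAge', 'msDS-MaximumPasswordAge',
             'msDS-LockoutObservationWindow', 'msDS-LockoutDuration'
    $problems = @()
    $span = @{}

    foreach ($n in $names) {
        if (-not $Pso.ContainsKey($n)) { $problems += "$n is missing"; continue }
        $raw = [Int64]$Pso[$n]
        if ($raw -gt 0) {
            # A small positive number usually means minutes or days were typed as-is.
            $problems += "$n = $raw is positive; enter a negative interval value"
            continue
        }
        $span[$n] = ConvertFrom-PsoInterval $raw
    }

    # Consistency checks assumed by this example; run only when all four parsed.
    if ($span.Count -eq $names.Count) {
        if ($span['msDS-MinimumPasswordAge'] -ge $span['msDS-MaximumPasswordAge']) {
            $problems += 'minimum password age is not below maximum password age'
        }
        if ($span['msDS-LockoutDuration'] -lt $span['msDS-LockoutObservationWindow']) {
            $problems += 'lockout duration is shorter than the observation window'
        }
    }
    $problems
}

# Values from Table 2 of the article (HRPasswordPolicy).
$hrPolicy = @{
    'msDS-MinimumPasswordAge'       = -864000000000
    'msDS-MaximumPasswordAge'       = -36288000000000
    'msDS-LockoutObservationWindow' = -18000000000
    'msDS-LockoutDuration'          = -18000000000
}

# Constructed mistake: lockout duration typed as "30" instead of an interval.
$typo = $hrPolicy.Clone()
$typo['msDS-LockoutDuration'] = 30

# Decode the stored values back into days.hours:minutes:seconds.
foreach ($n in ($hrPolicy.Keys | Sort-Object)) {
    '{0,-30} {1,16}  {2}' -f $n, $hrPolicy[$n], (ConvertFrom-PsoInterval $hrPolicy[$n])
}

# Build values for the three example durations used in Table 3.
'30 minutes -> {0}' -f (ConvertTo-PsoInterval ([TimeSpan]::FromMinutes(30)))
'10 hours   -> {0}' -f (ConvertTo-PsoInterval ([TimeSpan]::FromHours(10)))
'42 days    -> {0}' -f (ConvertTo-PsoInterval ([TimeSpan]::FromDays(42)))

'Problems in Table 2 values: {0}' -f (@(Test-PsoTimeSettings $hrPolicy).Count)
'Problems in the constructed typo policy:'
Test-PsoTimeSettings $typo
```

After a PSO is created, the msDS-ResultantPSO attribute on a member of the target group remains the check that the intended policy actually applies.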


By Jeffery Hicks

Backup Basics in Windows Server 2008 R2

A free tool from Microsoft can make backing up data in Windows Server 2008 R2 efficient and almost hassle-free. Here’s how to use it effectively.

Back in the day, Microsoft’s free backup tool was the now venerable NTBackup. However, that utility has gone to the great recycle bin in the sky. Windows Server 2008 offers a new set of backup tools, and I want to show you how easy it is to use them with the new Windows Server 2008 R2. Be aware that the new backup feature can’t manage backups created with NTBackup.

Installation

First off, we need to install the backup feature, as it’s not installed by default. Use the Add Features wizard in Server Manager and add the Windows Server Backup Features (Figure 1). I’m going to use the command-line tools sub-feature so that I can use Windows PowerShell, which I will explain in more detail later in this article.

Figure 1. The backup feature is not installed by default, so you must install it using the Add Features Wizard.

You can also use command-line tools, including ServerManagerCMD.exe, to install the feature:

    C:\> servermanagercmd -install backup-features

The next step is to identify locations for your backups. You can back up files to a network share, a local or a dedicated disk. You can’t back up data to tape, but given the growth and widespread availability of inexpensive USB-attached storage, this isn’t that much of a setback these days.

Creating a Backup Job

Windows Backup is intended to provide a one-stop setup to protect a server. You can enable a scheduled task to back up files and the system state, or to provide for a bare-metal restore. Microsoft assumes you’ll have one scheduled task for this purpose. I’m assuming that you’re using the Windows Backup feature because of limited budget and are after maximum protection given the utility’s constraints.

After you install the Windows Backup feature, expand the Storage node in Server Manager and select Windows Server Backup. In the Actions pane, select “Backup Schedule,” which will start the Backup Schedule Wizard. Then, click Next on the Getting Started screen.

During step two, specify what type of backup you want. Try doing a complete server backup. You can also create a custom backup and pick items such as selected files and system state. I’ll show you how to do a quick file backup later, but for now I’m assuming you want complete server protection.

In the third step, specify when you want the backup task to run. Most of the time, a single backup should be sufficient, but you can run it more than once a day. If you’re backing up critical files, this might be a good idea.

In step four, determine where to store the backup. Microsoft recommends using a dedicated hard disk. Remember, this drive will be reformatted and unavailable for anything else. You can also use a volume or a network share. Pay close attention to the warnings and limitations. You might see a warning reminding you that the disk will be reformatted. If you don’t see all the disks, click the Show All Available Disks button to refresh. When you select a new disk, you’ll be warned.

Once selected, you’ll have a chance to confirm your backup settings. If anything is incorrect, use the Previous button to go back and correct the error. If all goes well, you should get a summary screen. The next day, you can check the Windows Server Backup node for results or errors.

You can also use Windows Backup to run a one-time backup. Select the Backup Once option in the Actions pane. You can use the same settings as your scheduled job or pick something completely different. If you select the latter, the wizard runs again and you can enter new parameters. For example, you might want to copy files to a network share. Remember, any existing backups to the same folder will be overwritten.

The backup will execute immediately. If this is a separate backup task you’d like to do often, then you’ll want to take advantage of a scripted solution from the command line or Windows PowerShell. I’ll cover that procedure later.

Restoring Data

Windows Backup uses a time stamp as version information. Using the Recover task launches a wizard that’s easy to follow. Select the appropriate backup source. The Recovery Wizard will display a datetime control of all available backups (see Figure 2). Select the appropriate one. Depending on the type of backup, you may only have one choice.

Figure 2. Data recovery is easy with the Recovery Wizard.

Moving on, select what type of data you want to recover. If you select Files and Folders, you’ll be able to highlight the files you want to recover. Unfortunately, selecting files from multiple directories is next to impossible. You can easily recover everything or recover selected files from one directory. Keep that in mind when you set up the backup job.

When you recover files, you’ll need to specify the target folder, which can be the original folder or an alternate location. You can also control what happens when you restore a current file if a current version exists. You can create a copy so that you have both versions; you can overwrite the existing version; or you can skip restoring if an existing version is detected. The recovery process happens immediately.

Using WBADMIN.EXE

If you installed the command-line backup tools, then you have a few more options. Open a command prompt and look at help for WBADMIN.EXE. You can use the tool to set up a scheduled backup, but I think the GUI is much easier. I find this tool more useful for creating one-time backup jobs. Run the following command to see syntax help:

    C:\> wbadmin start backup /?

I don’t have space to cover all the options, but let me demonstrate how you might use the command-line tool to periodically back up files to a network share:

    @echo off
    ::Demo-Backup.bat
    ::demonstration script using WBADMIN.EXE on a Windows Server 2008 R2 Server

    rem backup share UNC
    set backupshare=\\mycompany-dc01\backup

    rem files and folders to include
    set include=c:\scripts,c:\files

    rem define date time variables for building the folder name
    rem (the offsets assume a %date% value like "Tue 12/15/2009")
    set m=%date:~4,2%
    set d=%date:~7,2%
    set y=%date:~10,4%
    set h=%time:~0,2%
    rem %time% pads hours before 10 with a space; use a zero instead
    set h=%h: =0%
    set min=%time:~3,2%
    set sec=%time:~6,2%

    rem defining a new folder like \\mycompany-dc01\backup\RESEARCHDC\12152009_132532
    set newfolder=%backupshare%\%computername%\%m%%d%%y%_%h%%min%%sec%
    echo Creating %newfolder%

    mkdir %newfolder%

    rem run the backup
    echo Backing up %include% to %newfolder%
    wbadmin start backup -backuptarget:%newfolder% -include:%include% -quiet

    rem Clear variables
    set backupshare=
    set include=
    set m=
    set d=
    set y=
    set h=
    set min=
    set sec=
    set newfolder=

I don’t want to overwrite any existing backups, so I’ll create a new folder that uses the computer name and a datetime stamp as part of the file name. The batch file has code to handle that task. The main function of the script is to call WBADMIN.EXE to create a backup on the specified share. Look at syntax help if you want to tweak this step. I like this script because I can set up my own scheduled task using the Task Scheduler. So, even though the backup wizard only lets me create one scheduled task, I can create as many as I want using WBADMIN.EXE. I can also use this tool to create system state backups, as well.

To see what backup jobs have executed, run this command:

    C:\> wbadmin get versions

Pay attention to the version identifier; you’ll need it to recover files using WBADMIN (you can also use the Recovery Wizard).

Backing up with PowerShell

The other command-line approach is to use Windows Backup PowerShell cmdlets. To access them, you’ll first need to load the Windows backup snap-in:

    PS C:\> add-pssnapin Windows.ServerBackup

To see which cmdlets are included, use Get-Command:

    PS C:\> get-command -pssnapin windows.serverbackup

Unfortunately, creating a backup job is a multistep process. While you can type the necessary commands at the prompt interactively, I think you’ll find it easier with a scripted approach. Here’s a PowerShell version of my original batch file:

    #requires -version 2.0
    #requires -pssnapin Windows.ServerBackup

    #Demo-WBBackup.ps1

    # A policy collects what to back up and where to put it
    $policy = New-WBPolicy
    $files = New-WBFileSpec c:\scripts,c:\files
    Add-WBFileSpec -Policy $policy -FileSpec $files

    # Folder name: computer name plus a date/time stamp.
    # HH is the 24-hour clock, so a morning and an evening run never collide.
    $backdir = ("\\mycompany-dc01\backup\{0}\{1:MMddyyyy_HHmmss}" -f $env:computername,(Get-Date))

    Write-Host "Creating $backdir" -ForegroundColor Green
    mkdir $backdir | Out-Null

    $backupLocation = New-WBBackupTarget -NetworkPath $backdir

    Add-WBBackupTarget -Policy $policy -Target $backupLocation

    Write-Host "Backing up $files to $backdir" -ForegroundColor Green
    $policy
    Start-WBBackup -Policy $policy

The PowerShell cmdlets are based around creating and executing a policy. The policy includes the files or volumes to include or exclude, as well as where to back up the files and a few assorted options. You can also create system-state and bare-metal recovery jobs. In my demonstration, I’m simply backing up a few directories. The Start-WBBackup cmdlet carries out the backup task.

When you look at the list of Windows Backup cmdlets, you’ll notice one glaring omission. There are no cmdlets for restoring data. I imagine the assumption is that you wouldn’t want to automate this step, although you can with WBADMIN.EXE. Perhaps cmdlets will be added in the future. In the meantime, you can use the Recovery Wizard or WBADMIN.EXE to restore files.

Your Turn

As you try your hand at these tools, I’m sure you’ll realize there’s a great deal more that Windows Backup brings to the party. As with any backup software, make sure you practice the restore process in a non-production setting. You don’t want to learn the process when you have to recover for real and your boss is breathing down your neck. Become familiar with the process so that when the time comes, you end up being the hero.

Jeffery Hicks ([email protected]), MCSE, MCSA, MCT, is a Microsoft MVP and author, trainer and consultant. A 17-year IT veteran specializing in admin scripting and automation, Hicks is an active blogger and conference presenter. His latest book is “Windows PowerShell 2.0: TFM” (Sapien Press, 2009).
