PowerShell & Containers Better Together

This is rare, me blogging. I always feel that someone else can explain it better than I can.

In the past few weeks, I have spoken to people about the importance of understanding and starting to work with containers. Containers as they relate to Docker, Hyper-V 2016 and so on.

Creating PowerShell Workflows is something that is becoming much easier for people now that the new version of the Microsoft Azure Portal has been out (beginning of May 2015 timeframe). The ability to graphically create workflows was done very well.

Also, creating PowerShell Sessions, mainly used with JEA, is getting a lot of traction. JEA helps secure and trim down the need for access to all of the resources in your environment.

Assuming you are following the trail (Containers, Workflows, Sessions), you should be able to see where I am headed. Let's look at workflows first.

In System Center Orchestrator / SMA (Service Management Automation) / Azure Automation you have the perfect opportunity to use container technologies! All of these hold stale scripts, functions and compiled code that is waiting to be deployed and executed. The way I see it, Azure Automation is just an interface to Docker that is a container itself. When your workflow draft is merged to your source, the code gets compiled into a new container. Once you are ready to run the workflow, the container gets deployed. Sounds pretty simple! Once the life of the container is over, the management container is updated.

Taking this just a little step further, we will want more than just stop and start information from the workflow, not to mention checkpoint data. Currently, my imagination takes me to Microsoft Azure EventHubs for status and notification. The scale and history time frames are already there to use the EventHub as a central feed. Pushing workflows down to on-premises devices that support containers is not an issue. Storing the checkpoints is where things get a little fuzzy to me: since these containers may run on Hyper-V, would we not just take a production checkpoint combined with replication? I am just not sure about that at all.

The idea of this post is not to have all of the information but to plant the seed, if it is not already out there. If you think about AzureStack running locally with little need for System Center while requiring Windows Server 2016 (Technical Preview 2), this thought may just be cold coffee.

[sorry no pictures, maybe I will add some later to give you a graphic view]

Now let's look over at PowerShell Sessions! Let me start with security, and just say that remote (heck, local for that matter) sessions running in a private runspace container kinda sounds like a good idea. All of the information needed to spin up a new PowerShell environment is provided in the PowerShell Session configuration. This means that the required modules and other items should be able to auto load/pull into a container upon start. The number of supported concurrent sessions is provided, so we know how many containers we can start up as they start being used. I do see some issues with built-in remoting security being transitioned over. Again, I don’t have all of the answers, I am just taking what we have and applying a new spin on it.

Hopefully I will blog again soon! Next up would be Azure Active Directory and Windows 10 joining. Do you realize that on-premises Active Directory was just moved from a permanent position to a contract position in your organization?

Posted in Uncategorized

Changing IT one Resource at a time – A Configuration Management Story

Anyone working in IT today needs to know and understand the impact that configuration management will have on them in the future. It may take many years for the work in that area to mature, but with Microsoft (PowerShell DSC), Chef and Puppet working together I feel things will move quickly.

In the past there were people working phone switchboards and many of us in IT are exactly that to the environments we serve. We build new systems, configure them and destroy old ones. Configuration Management does this on behalf of the requesting individual. Soon you will start to see more and more solutions that don’t need you to do anything.

I see a world where you have a LPU (Local Processing Unit) and RPU (Remote Processing Unit). The LPU would look much like a phone switch, filled with processor blades, storage blocks, and storage. These are common today but they still require a good degree of effort and management from IT.

I guess what I am trying to say is that in the near future there will be developers and services. The middle man is no longer needed in most environments. Learn configuration management and what DevOps means, so that you can be part of the process, or become something new entirely.

Posted in Uncategorized

(Seed0) Why do I pay for internet access?

Think back to the birth of the internet, or the definition of the internet. A global system of interconnected computer networks. Process on that a few minutes.

Today's definition is closer to a series of interconnected service providers. How is it that I cannot talk directly to Twitter.com or Amazon.com? Why do I have to talk to my ISP, then bounce around for a bit, and then get to my destination?

But then I think about all of this infrastructure that is in place for me to access the internet, and then you see I need that to get from point A to point Y. Wait!! Why am I paying for infrastructure I do not need? The internet needs me to have it in order to access it. Now that the internet has matured, it is not something that should cost the customer; it should cost the provider. Would you pay every time you entered the mall?

Sites already pay a high price to send and receive data, so why am I paying that price too? It sounds like double dipping to me. Any web site that is created already covers the cost to have users access its services and secure communications. What if I had to pay to validate an SSL certificate?

If I am sitting at home and pay to watch Netflix, why do the Xbox or PlayStation networks make me pay more, when Netflix should pay Microsoft or Sony a small percentage for drawing in another customer? In this case, the creator of the Xbox or the user community should be the one creating the applications to connect to those services. Consider the possibility that the PlayStation gave me a much better experience using Netflix and gained users of that device because of it; should they not be rewarded for signing up new customers?


Posted in Uncategorized

Automation, A Framework for Success – Part 1

Automation, when I started in IT, was mainly a tool for reaction. If something went wrong, you could quickly write a VBScript to correct something that might have affected hundreds to thousands of systems. As things like Group Policy, SCCM, ZENworks and others came along, you could do the same, but it was a different approach. Though these are great tools, over the lifetime of a system or service there are bound to be issues that just were not envisioned during the implementation process. It could be that the operating system is now out of date, the disk/storage layout is no longer relevant, you need to scale, etc. With many of these things you could create one-time processes that would automate the migration to a new environment.

Today, many people look at the new tools like PowerShell DSC, Chef and Puppet and think that it is just a new spin on what they already had in Group Policy and traditional scripting. I will admit that the shoe does fit if you think about it in that constrained view. What you may not see is that this framework is much more. Yes, you can configure one server and keep it in a desired state just like you have in the past, but that is not the point! These new tools are designed for environments.

Think of an environment as a single server running a host of services, or as a datacenter connected to service providers around the world just running one service. The pieces of the puzzle are exactly the same. Basically what I am saying is, don’t think of a desired state as something that only applies to a single system or category of systems. Think of desired state as it also applies to the environment. The scope of an environment can be anything: an application, datacenter, service, production, non-production.

Over the next few weeks, I will fill you in on how to better understand this concept and achieve it no matter what your current environment looks like.

This post will be updated as we progress.

Posted in Azure Automation, Chef, DSC, PowerShell, Puppet

Updating Trusted Sites in a User Friendly Way

Everyone knows that when you edit trusted sites through Group Policy, you are locking down the configuration. Once that happens, it seems like the entire internet needs to become a trusted site for one reason or another.

The correct way of editing trusted sites is User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List, noted here – http://blogs.msdn.com/b/microsoft_press/archive/2014/04/14/from-the-mvps-setting-internet-explorer-trusted-site-settings-via-group-policy-object-in-windows-server-2012-r2.aspx

But if you don’t want to bog yourself down with every single site that any of your users plan to use, try doing it differently, though it may not be fully supported.

If you use a Registry Group Policy Preference: User Configuration > Preferences > Windows Settings > Registry, you can add sites to the trusted sites list and still allow users to edit the list adding the other ones that are important to them.

Take this example of adding https://manage.windowsazure.com to Trusted Sites.


Adding sites in this way is a little more raw than using the other methods, but you are better catering to your users' needs. Also, consider that you have the ability to remove sites from this location, which lets you make sure that users are not able to add certain sites (or that they get removed upon refresh), while they still maintain some usability and control that makes them feel more comfortable with the management that you provide.
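As an added illustration (not from the original post), this is the per-user registry entry that the Registry preference item above writes for https://manage.windowsazure.com, wrapped in a function, plus a check that tells you whether the locked-down Site to Zone Assignment List policy is in effect on the machine, in which case neither the preference nor the user's own edits are honoured. Function names are my own.

```powershell
# Added example, not from the original post: the same per-user registry entry that the
# Registry Group Policy Preference item writes, plus a check for the locked-down policy key.
function Add-TrustedSiteEntry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Url,   # e.g. https://manage.windowsazure.com
        [int]$Zone = 2                        # 1 = Local intranet, 2 = Trusted sites, 4 = Restricted sites
    )
    $uri    = [uri]$Url
    $labels = $uri.Host.Split('.')
    # IE stores zone mappings as ...\ZoneMap\Domains\<registrable domain>\<subdomain>,
    # with one DWORD value per scheme (http/https) holding the zone number.
    # Caveat: hosts under two-label public suffixes such as co.uk need the split adjusted.
    $domain = $labels[-2..-1] -join '.'
    $base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $key    = Join-Path $base $domain
    if ($labels.Count -gt 2) {
        $key = Join-Path $key ($labels[0..($labels.Count - 3)] -join '.')
    }
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $uri.Scheme -Value $Zone -PropertyType DWord -Force | Out-Null
    $key
}

function Test-TrustedSitesLocked {
    # When Site to Zone Assignment List is applied through Group Policy, IE reads the
    # ZoneMapKey policy value instead and ignores the per-user Domains keys entirely.
    $paths = @(
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
        'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    )
    foreach ($p in $paths) { if (Test-Path $p) { return $true } }
    $false
}

if (Test-TrustedSitesLocked) {
    Write-Warning 'Trusted Sites are locked by policy; preference items and user edits are ignored.'
} else {
    $key = Add-TrustedSiteEntry -Url 'https://manage.windowsazure.com'
    # Verify: https should now map to zone 2 under ...\Domains\windowsazure.com\manage
    Get-ItemProperty -Path $key | Select-Object -Property https
}
```

Running the same function with a Remove-ItemProperty counterpart is how you would mirror the preference item's delete action for sites you want kept out of the list.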




Posted in Group Policy

Active Directory Administrative Center Search Crashing fixed

For those of us using the Active Directory Administrative Center on Windows 8.1 through RSAT and connecting to an older domain, such as Windows 2008 R2 AD DS: any time you tried to search, the ADAC (Active Directory Administrative Center) would crash hard. This also broke the ability to run Get-ADUser like this.

Looking at the ADAC, you will now see the “Global Search” again, and it will work. If your schema were more up to date, it would not have been an issue.

Search example


With Windows 8.1 Update, all of this is working for me now!

Hopefully I was not the only one experiencing this.


Posted in PowerShell

Snover's Puzzle Starting to Show with PowerShell V5 – SCCM

With PowerShell V5 Preview, we get things such as OneGet and Network Switch Management. These are two things on different tracks that will meet each other as things become more obvious.

If you think about DSC and OneGet together, you have all of SCCM except one big feature: reporting. All reporting has ever been is a complex working of WMI. Look forward to, say, SCCM 2015, and here is what you will get:

  • SCCM Configuration Management – PowerShell DSC
  • SCCM Software and Updates Deployment – OneGet using an SCCM software repo
  • SCCM Reporting – Cloud service endpoint to upload Get-CIM* output

This brings me to the data collection part and where I think all this could be going.

  • No client SCCM deployments. With PowerShell on the endpoints (computers, switches, routers, storage controllers, and so on), why do you need an SCCM client? Some of these endpoints could be simple data pulls and pushes from an engine like SMA. Though a network switch does not have the software to automatically push into a web service, PowerShell combined with managed workflows can collect, test and do whatever is needed on the endpoint.
  • For Windows, data collection could be done solely using scheduled tasks. In SCCM now, the MOF extensions to WMI are used to help format the data (from what I can tell – not an expert). Using PowerShell and the CIM cmdlets, it would be possible to create a local workflow that can capture, transform and upload the data to a collection point.
  • Service discovery can be done at the beginning of the scheduled task using a REST call as a locator, embedded in your internal or Microsoft Azure deployment. This endpoint would provide the client with the needed collections, configuration changes and anything you can dream up.
  • Your OneGet repo can be secured and trusted by the client so that it would be available anywhere.
  • Customizations to the engine processes are easy enough for any knowledgeable PowerShell staff member.
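The scheduled-task collector and REST locator sketched in the list above, written out as an added example (not code from the original post). The locator URL, the shape of its reply, and the bearer token are constructed placeholders; a real deployment would use whatever discovery endpoint and authentication you stand up.

```powershell
# Added example, not from the original post: a clientless inventory collector.
# The locator URL, the reply shape and the token are assumed placeholders.
param(
    [string]$Locator = 'https://locator.example.internal/api/locate',   # placeholder
    [string]$Token   = $env:COLLECTOR_TOKEN                             # placeholder
)
$headers = @{ Authorization = "Bearer $Token" }

# 1. Service discovery: ask the locator where this host reports and which CIM classes to collect.
#    Invoke-RestMethod validates the server certificate, so the locator must present a trusted cert.
$plan = Invoke-RestMethod -Uri "$Locator?host=$env:COMPUTERNAME" -Headers $headers
# $plan is assumed to look like:
#   { "upload": "https://collect.example.internal/api/inventory",
#     "classes": ["Win32_OperatingSystem", "Win32_QuickFixEngineering", "Win32_Service"] }

# 2. Capture: query each requested class locally with the CIM cmdlets, no SCCM client involved.
$inventory = @{}
foreach ($class in $plan.classes) {
    $inventory[$class] = @(Get-CimInstance -ClassName $class |
        Select-Object -Property * -ExcludeProperty Cim*, PSComputerName)
}

# 3. Transform: tag the data with host identity and a UTC timestamp, then serialise to JSON.
$payload = [pscustomobject]@{
    host      = $env:COMPUTERNAME
    collected = (Get-Date).ToUniversalTime().ToString('o')
    data      = $inventory
} | ConvertTo-Json -Depth 5 -Compress

# 4. Upload to the collection point the locator handed back.
Invoke-RestMethod -Uri $plan.upload -Method Post -Headers $headers `
    -ContentType 'application/json' -Body $payload
```

Registering this script with Register-ScheduledTask under a low-privilege account is the "scheduled task" half of the idea; the collection point then only ever sees signed-in, TLS-protected posts from known hosts.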

You get the idea. Thanks for reading!

Posted in PowerShell

PowerShell DSC need for v5 official or v6 – Pull Test

As a person who has enjoyed PowerShell since the early days just before the first release, I have watched the tool become an amazing asset over the latest few increments. Features like Workflows and Desired State Configuration are such a change to the industry! Only a few of us small-time developers could reach this kind of level in the past, with huge VBScripts or little VB.Net programs. Now it is so easy to fan out and in that I cannot imagine a world without it.

DSC is a crowning feature, but with it comes the need for a pull server that can test all possible configurations on a server to create a resulting configuration, since all resources in the pull server's catalog have a test that must be passed. Many of these configurations can be tested and stored as a snapshot of the new system's configuration. Now with OneGet you can test a server or system for installed software, which is a big thing.

Assume that I have a pull server, and on this server I have configurations stored for a few hundred or thousand systems. If a cmdlet can be created to read all of the configurations for all of the existing servers, it would be able to compare them to any running system it has access to and build a desired state for future reference. It would be entirely possible for the Local Configuration Manager on a system to generate the basics like services, WindowsFeatures and OneGet without the need of a pull server to tell it how to test, other than to request the results. There may be a special switch on a Configuration block to tag it as a testing collection. With a testing configuration, the server could be intelligent and find the matching servers. This could be for AD, Exchange, Lync, Web and many more that have a base configuration your server is set to identify, allowing you to baby-step your way up to a desired state with servers that are already running. Then you can take the next step to a fluid environment ready to handle anything.

Though something like this may be completely a 3rd-party add-on, it will help the on-boarding process of DSC, even though it is growing rapidly.

Posted in Uncategorized

Windows PowerShell Best Practices by Ed Wilson, Microsoft Press

If you have been around Microsoft scripting and automation technologies for any amount of time, you will recognize Ed Wilson as the center of the community. In this book he covers PowerShell in such a way that any beginner or expert will learn something new. While letting you feel like you are just learning best practices, the sidebars from many in the PowerShell community help give you some real-world understanding of PowerShell and great ideas that will help you with your own projects. I especially enjoyed the section “Handling missing WMI providers”, because it never fails that while trying to automate some process for a large company you run into computers that have some sort of WMI error that can keep you from finishing. Make sure to pay close attention to chapter 8, which covers how to design your script! If you design your script properly, it helps you focus on the problem you are trying to solve and get it fixed properly. Also, a well-written script will allow you to share it more easily with others so they can be more productive as well. This is a foundational book on PowerShell for anyone who is just starting out or wanting to make better, more supportable scripts. I think this is a great book for anyone using PowerShell.

Check it out yourself at http://shop.oreilly.com/product/0790145347268.do


Posted in PowerShell

Windows Update Home Brew

Last night was an odd occurrence: many of our servers were to skip a round of Windows Updates because in a few days we have a very large go-live of a new product. Management just did not want to take any chances that it would cause something to go wrong at the last minute. As one of the primary Active Directory administrators, I let them know that the Domain Controllers needed to be patched anyway. They only run MS software and are critical to more than just a few applications. Other than that, I did not want to explain to a different team why our security report all of a sudden turned all shades of red. My real problem started when all of the updates in SCCM had their deadlines moved a month ahead and I could not depend on getting all that set up in time. I told them I would just handle it.

Since I had to wake up at 2AM for the maintenance window, I did a quick Bing for Windows Update and PowerShell, knowing there has got to be something these days. What I found was an article by the Windows Scripting Guy about this script/module from the TechNet Repository; I bookmarked it and went off to sleep.

When 2AM rolled around, I got the module and started looking around and found all sorts of goodness. There are 2 commands that I found very useful to get my job done: Get-WUInstall, which will start an install process, and Invoke-WUInstall, which will create a scheduled task on the target system to run Get-WUInstall. If you have a good background in the Windows Update process, you will know that the actual execution must be run from the local system. Due to security, it is not possible to directly invoke the Windows Update process through a 2nd hop. After running a few quick tests, I realized that I must have the Windows Update module on the remote system and have the ability to execute the PowerShell to get the job done. By 2:30, I had created the code below and my first Domain Controller was under way.

This is a pretty raw way to get it done, but you must understand that there was a little crunch time here. The Start-Sleep is just making sure that I am not rebooting all of the Domain Controllers at the same time. After running this on one system and confirming it worked, I just let it do its thing. It allowed me to update 32 Domain Controllers in 3 different states in about 45 minutes, manually on the fly, right out of a dead sleep. But if you needed to get many more systems done in the same way, it is completely possible.
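The flow described above, written out as an added example; this is not the author's script, which does not appear on the page. It uses the PSWindowsUpdate cmdlets the post names (Invoke-WUInstall with its Script parameter, Get-WUInstall, Get-WURebootStatus) in the form shown in that module's own help, and adds a reachability wait after each staggered reboot so the next controller is not touched until the previous one answers again. The controller names are constructed.

```powershell
# Added example, not the author's script: stagger Windows Update runs across domain
# controllers with the PSWindowsUpdate module. Controller names are constructed.
Import-Module PSWindowsUpdate

$domainControllers = @('DC01', 'DC02', 'DC03')
$staggerSeconds    = 600   # the Start-Sleep the post mentions, so DCs never reboot together

foreach ($dc in $domainControllers) {
    # Invoke-WUInstall copies the module to the target and registers a scheduled task that
    # runs the script block as the local system, which is what Windows Update requires
    # (a remoting session cannot drive it through a second hop).
    Invoke-WUInstall -ComputerName $dc -Confirm:$false -Script {
        Import-Module PSWindowsUpdate
        Get-WUInstall -AcceptAll -AutoReboot | Out-File C:\PSWindowsUpdate.log
    }

    Start-Sleep -Seconds $staggerSeconds

    # Do not move on while this controller is still down: wait until it answers again.
    $deadline = (Get-Date).AddMinutes(20)
    while (-not (Test-Connection -ComputerName $dc -Count 1 -Quiet)) {
        if ((Get-Date) -gt $deadline) {
            Write-Warning "$dc has not come back within 20 minutes; check it before continuing."
            break
        }
        Start-Sleep -Seconds 30
    }
}

# Follow-up from the same console: which controllers still have a reboot pending?
foreach ($dc in $domainControllers) {
    Get-WURebootStatus -ComputerName $dc
}
```

Parameter names above match the module's help examples for its 2014 era releases; check Get-Help Invoke-WUInstall on the version you actually install, since later releases renamed some switches.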

After returning to bed and waking again a few hours later to start the day, I did a quick check of the PSWindowsUpdate.log file on all of the systems to confirm things were good. It was easy to delete the PSWU folder, remove the scheduled task and move the PSWindowsUpdate.log file to an archive location with standard PowerShell.

The module also contains Get-WURebootStatus to let me know if there was a system that needed an extra reboot or had issues rebooting. Thanks Michal Gajda, this module is great!

One nice little thing to remember is that Invoke-WUInstall does not have the sole role of kicking off Windows Updates. With the Script parameter, you can really make it do whatever you want.

Posted in PowerShell