Category: Servers

  • Sync WSUS with Windows Update via PowerShell

    This is a post I’ve been meaning to write for a while, and here I’ll explain some of the basic methods and commands to manage WSUS solely through PowerShell. No one really wants to be logging onto machines unnecessarily with RDP, and these have been personally useful to me when customers have had insane hoops to jump through in order to log in (password expiry policies, Workspaces with PINs and OTP, locked behind VPNs, for example).

    Synchronise WSUS with Windows Update:

    (Get-WsusServer).GetSubscription().StartSynchronization()

    Get the result of the last synchronisation:

    (Get-WsusServer).GetSubscription().GetLastSynchronizationInfo()

    These two are useful if you would prefer to power down WSUS servers outside of company patch windows (e.g. monthly patch cycles) to save on costs, as the update database on the server won't be current all of the time.

    Another useful command is to list all the computers managed by WSUS:

    Get-WsusComputer -All

    And to filter to specific instances, for example if you wanted to check whether they were being managed:

    Get-WsusComputer -NameIncludes "ComputerName"

    Finally, to clear out old machines that have either been decommissioned or no longer exist (especially useful if you still manage ASG instances or scale set VMs with WSUS, though I would recommend you use Patch Management/Automation Accounts instead). Note that when you pass a server name to Get-WsusServer it is the WSUS server you are naming, not a client, and -PortNumber is then mandatory (8530 is the default HTTP port):

    # -Name is the WSUS server itself; -PortNumber is required whenever -Name is given (8530 is the default HTTP port)
    Get-WsusServer -Name "WsusServerName" -PortNumber 8530 | Invoke-WsusServerCleanup -CleanupObsoleteComputers -CleanupObsoleteUpdates

    That about wraps up basic admin tasks. You can get really in-depth with scripting for WSUS, although I personally haven’t gone that deep into it either. As mentioned above, we’ve moved on from managing static infrastructure and are now using Patch Management in AWS and Automation Accounts in Azure for Windows patch management. It really takes the pain away and gets rid of one extra VM to manage.

    For a full listing of available commands, punch in:

    Get-Command -Module UpdateServices

    Or view these online on the MS Documentation page: https://docs.microsoft.com/en-us/powershell/module/updateservices

    Easy enough, right?

    Of course, you can use any of these commands in conjunction with Enter-PSSession, SSM in AWS or Cloud Shell in Azure to connect to a PowerShell console on the VM/instance.
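
    Putting the commands above together, here is an added example (not code from the original post) that starts a sync, waits for it to finish, reports the result, lists clients that have stopped reporting before anything is purged, and only then runs the cleanup. It assumes it is run on the WSUS server itself (Get-WsusServer with no -Name returns the local server) and that the UpdateServices module is installed; the 30-day staleness threshold is an arbitrary choice for the illustration.

```powershell
# Added example, not from the original post. Assumes it runs on the WSUS server
# (Get-WsusServer with no -Name returns the local server). The 30-day threshold
# below is an arbitrary choice for this illustration.
Import-Module UpdateServices

$wsus = Get-WsusServer
$sub  = $wsus.GetSubscription()

# Kick off a sync only if one is not already running
if ($sub.GetSynchronizationStatus() -eq 'NotProcessing') {
    $sub.StartSynchronization()
}

# Poll until the server reports it is idle again
while ($sub.GetSynchronizationStatus() -ne 'NotProcessing') {
    $p = $sub.GetSynchronizationProgress()
    Write-Host ("{0}: {1}/{2}" -f $p.Phase, $p.ProcessedItems, $p.TotalItems)
    Start-Sleep -Seconds 30
}

# Result of the sync that just finished (or of the last one, if none was needed)
$last = $sub.GetLastSynchronizationInfo()
Write-Host ("Last sync {0} -> {1}: {2}" -f $last.StartTime, $last.EndTime, $last.Result)
if ($last.Result -ne 'Succeeded') {
    # Per-update failures (catalog or download errors) from the failed run
    $last.UpdateErrors | Format-Table -AutoSize
}

# Before purging, list clients that have stopped reporting, so a live machine
# that merely lost contact with WSUS is noticed rather than silently dropped
$stale = Get-WsusComputer -UpdateServer $wsus -All |
    Where-Object { $_.LastReportedStatusTime -lt (Get-Date).AddDays(-30) } |
    Select-Object FullDomainName, IPAddress, LastReportedStatusTime
$stale | Format-Table -AutoSize

# The cleanup from the post; -WhatIf first shows what would be removed
$wsus | Invoke-WsusServerCleanup -CleanupObsoleteComputers -CleanupObsoleteUpdates -WhatIf
$wsus | Invoke-WsusServerCleanup -CleanupObsoleteComputers -CleanupObsoleteUpdates
```

    The stale-client listing is the check worth keeping even if you drop the rest: a machine that has not reported for weeks is either gone (fine to purge) or still running unpatched, and the cleanup cmdlet cannot tell the two apart.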


  • Domain controller migration

    This weekend I was running through a migration from a Server 2008 Hyper-V host to ESXi and Server 2012 as the primary DC in a test environment. All the VMs were backed up and converted to VMDKs beforehand, and the install went off without a hitch.

    What I had done with the server was to install 2012, connect it to the domain (as a VM) and set it up as a secondary DC to replicate my AD over. Unfortunately, I had forgotten to demote the host DC before taking it offline, and was left with a problem. All the roles were on the root DC.

    Because of that, I had to go in and seize the roles from the primary DC before I could use any administrative tools on the 2012 server. Ideally you want to demote the primary DC first so that it transfers all the roles to the other DC. In this case, I had to do something a little more long-winded.

    1. First, open an administrative command prompt and enter the ntdsutil tool
    2. Type roles, then press enter
    3. Type connections. Press enter
    4. Enter connect to server and then the server name. This is the server you want to transfer the roles to
    5. Enter Q to go back to the previous menu (the Roles menu)
    6. Now you need to seize the roles from the primary DC. These are: pdc, rid master, schema master, infrastructure master
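
    The same procedure can be done without ntdsutil. The following is an added example, not part of the original post, showing the PowerShell equivalent from the ActiveDirectory module on the surviving 2012 DC: it reports the current role holders, transfers cleanly when the old DC still answers and seizes (-Force) only when it does not, then verifies the outcome. It goes one step beyond the list above by including the fifth FSMO role, the domain naming master (ntdsutil's "seize naming master"). "DC2012" is a placeholder name.

```powershell
# Added example, not from the original post. Run on the surviving DC with the
# ActiveDirectory module available. "DC2012" is a placeholder for the new DC.
Import-Module ActiveDirectory

$newDc = 'DC2012'
$roles = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster'

# Report who holds what right now: the forest-wide roles hang off Get-ADForest,
# the domain-wide ones off Get-ADDomain
function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

$before = Get-FsmoHolders
$before | Format-List

# Preferred path: a clean transfer while the old holder is still reachable.
# Seizing (-Force) is the last resort for a DC that is gone for good, because
# the old DC must never come back online holding the same roles.
$oldReachable = Test-Connection -ComputerName $before.PDCEmulator -Count 1 -Quiet
if ($oldReachable) {
    Move-ADDirectoryServerOperationMasterRole -Identity $newDc -OperationMasterRole $roles -Confirm:$false
} else {
    Write-Warning "Old DC $($before.PDCEmulator) unreachable; seizing roles"
    Move-ADDirectoryServerOperationMasterRole -Identity $newDc -OperationMasterRole $roles -Force -Confirm:$false
}

# Verify every role now sits on the new DC before trusting the admin tools again
$after = Get-FsmoHolders
$after.PSObject.Properties | ForEach-Object {
    if ($_.Value -notlike "$newDc.*") {
        Write-Warning "$($_.Name) is still held by $($_.Value)"
    }
}
```

    The reachability test is the important branch: if the old DC can still be contacted, a transfer keeps both copies of the directory consistent, whereas a seize while the old holder is alive leaves two servers each believing they own the role.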

    There’s a handy script that’ll clear all the leftover metadata once you’ve done all of the above (it’s a lot easier than doing it all manually). It’s on TechNet in the Script Center (Metadata removal script). Copy the text out, and paste it into a Notepad file. Save it as a .vbs file, then double-click to run it. It’ll scan the DCs in the domain and ask you which server it should remove metadata for.

    Now, you’ll be able to delete the server from Active Directory Sites & Services. Tip: delete the NTDS Settings first, then remove the server.