Remote PowerShell Management (1)

Source: Internet
Author: User
Tags argumentlist robocopy

PowerShell is a good way to manage Windows. PowerShell 2.0 and later can be said to have undergone a qualitative change, with the addition of modules, the ISE, and WinRM remote management. Today we focus on remote management, the first in a series on enterprise-level PowerShell applications; it is also a collection of the scripts and solutions I used to deploy an emergency solution this time. (I am using a domain environment. You can build a test environment of your own.)
First, we need to install PowerShell 2.0 and WinRM 2.0. They ship as an additional Windows Update patch, which you can install as an optional update.

Select the patch and install it directly. If you want to install it on all servers, consider using WSUS to deploy it. (For more information about WSUS configuration, see win2k8 WSUS.)
One of the advantages of PowerShell is that its documentation is very detailed. When we do not know how to use something, we should use Get-Help more. For remoting, see the related help topics: Get-Help about_remote*. Remote connections were quite painful for me in PowerShell 1.0: every time, I had to use WMI Win32_Process to create a remote process. Version 2.0 provides interactive sessions and the easy-to-use Invoke-Command, and adds the -ComputerName parameter to other commands, making management easier.
Let's start with using WMI for remote calls. First, make sure that the Remote Administration firewall rule on the target machine (the machine to be managed) is enabled and allows the incoming IP addresses.
Open Windows Firewall with Advanced Security -> Inbound Rules -> Remote Administration, and double-click the rule to open its dialog box.
On the "Advanced" tab, select "All". On the "Scope" tab, set the remote IP address to the local subnet (LocalSubnet), then enable and save the rule.


This allows the local subnet to reach the remote management ports of this machine. (Of course, you can instead allow only a single IP address through the target machine's firewall, as suits your environment.)
To enable this policy across a domain environment, we can create a GPO.
Edit the GPO's policy: Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile -> "Windows Firewall: Allow inbound remote administration exception".
Enable it and enter the IP addresses you want to allow:

Then apply it to your OU or the whole site. (I suggest running your various tests and policies on servers deployed in the domain: the policies take effect as soon as a machine joins the domain, which makes remote management more convenient.)
Let's talk about three commands:
Get-WmiObject (1.0+)
Invoke-WmiMethod (2.0)
Invoke-Command (2.0)
Read the corresponding help carefully: Get-Help Get-WmiObject -Full
To call a WMI method in 2.0, use Invoke-WmiMethod directly.
For example, a task we often need is forcing a policy update. I remember one time when a mistake of mine caused port 3389 to be closed on most machines, so all remote connections failed. I had updated the Group Policy, but it takes more than 90 minutes for a GPO to take effect. Some machines also had the ADMIN$ share disabled, so PsExec could not be used to run the command remotely. So I used WMI to actively update the Group Policy:

 

    Function GpupdateForce
    {
        Param
        (
            [Parameter(Mandatory = $True)]
            [String] $RemoteComputer
        )
        # Start "gpupdate /force" on the remote machine through WMI (Win32_Process.Create)
        Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "gpupdate /force" -EnableAllPrivileges -ComputerName $RemoteComputer
    }

 

 

This method does not supply a credential, so by default it uses the domain account that is currently logged on. We can also run
    $Cred = Get-Credential
and then supply that credential with Invoke-WmiMethod -Credential $Cred. For example:

 

    Function RemoteCall
    {
        Param
        (
            # Command to run
            [Parameter(Mandatory = $True)] [String] $Cmd,
            # Remote computer
            [Parameter(Mandatory = $True)] [String] $RemoteComputer
        )
        # Prompt for the account to use on the remote machine
        $Credential = Get-Credential
        # Invoke-Command could be used here instead
        Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList $Cmd -EnableAllPrivileges -ComputerName $RemoteComputer -Credential $Credential
    }
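Win32_Process.Create only starts the process and reports the outcome in a return code, which the RemoteCall function above discards. The following is an added example, not part of the original article, that checks the return code and waits for the remote process to exit; the function name Start-RemoteProcess, the host names in the usage comment, and the timeout value are assumptions, and it targets Windows PowerShell, where the WMI cmdlets exist.

```powershell
# Added example (not from the original article); Start-RemoteProcess is a hypothetical name.
Function Start-RemoteProcess
{
    Param
    (
        [Parameter(Mandatory = $True)] [String] $Cmd,
        [Parameter(Mandatory = $True)] [String] $RemoteComputer,
        # Prompt once with Get-Credential and pass the result in, instead of prompting per call
        [Parameter(Mandatory = $True)] [System.Management.Automation.PSCredential] $Credential,
        [Int] $TimeoutSec = 120
    )
    # Documented Win32_Process.Create return values other than 0 (success)
    $Codes = @{ 2 = "Access denied"; 3 = "Insufficient privilege"; 8 = "Unknown failure";
                9 = "Path not found"; 21 = "Invalid parameter" }

    $Result = Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList $Cmd `
        -EnableAllPrivileges -ComputerName $RemoteComputer -Credential $Credential -ErrorAction Stop
    If ($Result.ReturnValue -ne 0)
    {
        $Reason = $Codes[[Int] $Result.ReturnValue]
        Throw "Create failed on $RemoteComputer (code $($Result.ReturnValue)): $Reason"
    }

    # Create returns as soon as the process starts; poll until it exits or the timeout passes
    $Deadline = (Get-Date).AddSeconds($TimeoutSec)
    Do
    {
        Start-Sleep -Seconds 2
        $Running = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($Result.ProcessId)" `
            -ComputerName $RemoteComputer -Credential $Credential -ErrorAction Stop
    } While ($Running -and (Get-Date) -lt $Deadline)

    New-Object PSObject -Property @{
        Computer = $RemoteComputer; ProcessId = $Result.ProcessId; Finished = (-not $Running)
    }
}

# Constructed usage: one credential prompt, several targets (host names are placeholders)
# $Cred = Get-Credential
# "web01", "web02" | % { Start-RemoteProcess "gpupdate /force" $_ $Cred }
```

The string passed to Create becomes the remote process's command line, which is readable through Win32_Process.CommandLine and recorded by process-creation auditing when command-line logging is enabled, so keep secrets out of it.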

 

 

If your account is not an administrator, things are more troublesome: use wmimgmt.msc to add WMI permissions on the target machine, and dcomcnfg.exe to set the permissions for remote RPC calls. I do not provide scripts for this here because it is quite complicated; I will talk about a solution in the future when I have the opportunity.
Wmimgmt.msc:

Configure WMI namespace permissions.
Dcomcnfg.exe:

Configure remote DCOM permissions.
Of course, we can use Invoke-Command and interactive sessions directly to simplify the WMI approach. I will introduce them in the next article.

I used this method to actively update the Group Policy. At the time I wondered whether there were better solutions, and I raise it here for discussion. After all, I am not a professional system administrator, heh.
The situation at the time: events at the company put a lot of pressure on the servers, and 20 front-end servers had to be deployed immediately to absorb the high load. IIS had to be installed, all the program code deployed, and the sites created quickly.
First comes code synchronization. Such utilities really ought to be prepared in advance, for example by configuring rsync. As it was an emergency, I wrote a code synchronization tool on the spot, which brings me to the powerful robocopy.

Code synchronization:
Windows Server 2008 comes with this command. On 2003, you need to install the Resource Kit Tools to use robocopy.
I used the more convenient Invoke-Command.

 

    Function CodeSync
    {
        Param
        (
            [Parameter(Mandatory = $True)] [String] $Source,
            [Parameter(Mandatory = $True)] [String] $Target,
            [Bool] $Mirror = $False,
            [Int] $RetryNum = 5,
            [Int] $RetrySec = 10
        )
        If ($Mirror)
        {
            # /MIR mirrors the source: files missing from the source are deleted from the target
            Invoke-Command -ScriptBlock { robocopy.exe $Source $Target /E /ZB /COPYALL /MIR /R:$RetryNum /W:$RetrySec }
        }
        Else
        {
            Invoke-Command -ScriptBlock { robocopy.exe $Source $Target /E /ZB /COPYALL /R:$RetryNum /W:$RetrySec }
        }
    }

    # Each line of target.txt has the form: source,target,mirror
    $Line = [Int] 1
    Get-Content -Path "E:\Desktop\target.txt" | % {
        $Arr = $_.Split(',')
        If ($Arr.Length -ne 3)
        {
            Write-Host "Line `"$_`": parameter error at line $Line`nParameter format: source,target,mirror" -ForegroundColor Red
        }
        Else
        {
            # Trim the fields so that spaces after the commas do not break the paths or the flag
            CodeSync ($Arr[0].Trim()) ($Arr[1].Trim()) ($Arr[2].Trim() -eq "1")
            Write-Host "Task $Line sync complete!" -ForegroundColor Green
        }
        $Line++
    }
    Read-Host "Press any key exit..."

 

This simple script reads shared directories from a configuration file and synchronizes them.
Configuration file line: //machine1/C$/test/1,//machine2/C$/test/2,0
Parameter 1 identifies the source.
Parameter 2 identifies the destination.
Parameter 3 is a flag for whether the destination is completely overwritten (mirrored).

In this way, I first synchronized the code to the 20 front-end servers.
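The script above reports "sync complete" whatever robocopy returns, and a mirror job deletes destination files that are absent from the source. The following is an added example, not part of the original article, that reads robocopy's exit code and guards the mirror case; the function name Sync-CodeChecked and the -ListOnly switch are assumptions, while the robocopy switches are the ones used above plus /L (list only) and /NP (no progress output).

```powershell
# Added example (not from the original article); Sync-CodeChecked is a hypothetical name.
Function Sync-CodeChecked
{
    Param
    (
        [Parameter(Mandatory = $True)] [String] $Source,
        [Parameter(Mandatory = $True)] [String] $Target,
        [Bool] $Mirror = $False,
        [Switch] $ListOnly,          # preview: robocopy /L lists changes without making them
        [Int] $RetryNum = 5,
        [Int] $RetrySec = 10
    )
    $RoboArgs = @($Source, $Target, "/E", "/ZB", "/COPYALL", "/R:$RetryNum", "/W:$RetrySec", "/NP")
    If ($Mirror)
    {
        # /MIR deletes destination files that are missing from the source, so a wrong
        # or empty source path would wipe the target. Refuse to mirror from an empty source.
        If (-not (Get-ChildItem -Path $Source -ErrorAction Stop))
        {
            Throw "Source $Source is empty; refusing to mirror it over $Target"
        }
        $RoboArgs += "/MIR"
    }
    If ($ListOnly) { $RoboArgs += "/L" }

    # Send robocopy's text to the console so the function returns only the result object
    & robocopy.exe $RoboArgs | Out-Host

    # The exit code is a bit mask: 1 = files copied, 2 = extra files in the target,
    # 4 = mismatches, 8 = some copies failed, 16 = fatal error. 8 or higher means failure.
    $Code = $LASTEXITCODE
    New-Object PSObject -Property @{
        Source = $Source; Target = $Target; ExitCode = $Code
        Copied = [Bool] ($Code -band 1); Extra = [Bool] ($Code -band 2)
        Failed = ($Code -ge 8)
    }
}

# Constructed usage with the paths from the configuration line above:
# $r = Sync-CodeChecked '//machine1/C$/test/1' '//machine2/C$/test/2' $True -ListOnly
# If ($r.Failed) { Write-Host "Sync failed (exit code $($r.ExitCode))" -ForegroundColor Red }
```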
Install IIS:
ServerManagerCmd.exe
We already have the RemoteCall script from earlier, so I thought of using RemoteCall to run "servermanagercmd.exe -install role" directly, and that is how I installed IIS.
Deploy IIS:
Here I took some detours. I tried to use the root/webadministration WMI namespace to handle all of this, but I found so little documentation about IIS WMI that I basically could not find a proper way to call it. Later, I tried appcmd and succeeded as follows.
The general idea is to use RemoteCall to run appcmd locally on each machine to deploy IIS.
First, I call
    "C:\windows\system32\inetsrv\appcmd.exe add site /name:`"test`" /bindings:http://*:80 /physicalPath:`"C:\test\`""
This adds the site test, bound to port 80 on all IP addresses, with the path C:\test\.
Note: in PowerShell, double quotation marks inside a string must be escaped with a backtick (`"); the backtick is the key to the left of 1.
Then
    "C:\windows\system32\inetsrv\appcmd.exe start site `"F-SQ`""
This starts the site, which is stopped by default.
    "C:\windows\system32\inetsrv\appcmd.exe delete site `"Default Web Site`""
This deletes the default site on all machines.
    "C:\windows\system32\inetsrv\appcmd.exe set config /section:httpLogging /dontLog:true"
Local IIS logs are disabled.
    "C:\windows\system32\inetsrv\appcmd.exe add apppool /name:`"test`" /queueLength:50000 /processModel.userName:`"test\test`" /processModel.password:`"%^&*(234`" /processModel.loadUserProfile:`"true`" /processModel.maxProcesses:5 /failure.loadBalancerCapabilities:`"TcpLevel`" /failure.rapidFailProtectionMaxCrashes:50 /processModel.identityType:`"SpecificUser`""
This creates a new application pool and defines its worker processes, queue length, and custom domain account.
    "C:\windows\system32\inetsrv\appcmd.exe set site /site.name:`"F-SQ`" /applicationDefaults.applicationPool:`"test`""
Finally, this binds the site to the test application pool.

The entire process took more than an hour. If you want to add more than 100 front-end servers, it may take one minute to complete the task. So accumulating tools and experience is also important!
I hope the practical experience described in this article helps you. In the next article, I will talk about practical experience with PSSession.
