Windows Server Hacks by Mitch Tulloch

If you want to check services on a remote computer, VBScript can help. Using the WMI repository and ADSI, you can easily retrieve information on stopped or started services.

The script prompts for the NetBIOS name of the remote computer. Alternatively, you can get the service information for the local computer by typing in the local name as localhost. The script responds by displaying complete information for the services that are registered on the specified computer.

ComputerName = InputBox("Enter the name of the computer for which you " & _
"want service information")

winmgmt1 = "winmgmts:{impersonationLevel=impersonate}!//"& ComputerName &""

Set ServSet = GetObject( winmgmt1 ).InstancesOf ("Win32_service")

for each Serv in ServSet
GetObject("winmgmts:").InstancesOf ("win32_service")
WScript.Echo ""
WScript.Echo Serv.Description
WScript.Echo " Executable: ", Serv.PathName
WScript.Echo " Status: ", Serv.Status
WScript.Echo " State: ", Serv.State
WScript.Echo " Start Mode: ", Serv.StartMode
Wscript.Echo " Start Name: ", Serv.StartName
next

Running the hack

To run the script, open a command prompt, switch to the directory where the script is located, and type the following:

cscript.exe GetRemoteServices.vbs > services.txt

The reason for redirecting output to a text file is because the script generates a lot of output. A dialog box appears (see Figure 4-1), requesting the name of the remote machine. The machine name can be a FQDN, NetBIOS name, or IP address, as desired.

Figure 4-1. Getting information about services running on a remote machine

Here’s a sample of what the output of the script might look like if the target machine is running Windows Server 2003:

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Notifies selected users and computers of administrative alerts. If the service is stopped,
programs that use administrative alerts will not receive them. If this service is 
disabled,
any services that explicitly depend on it will fail to start.
 Executable:  C:\WINDOWS\system32\svchost.exe -k LocalService
 Status:  OK
 State:  Stopped
 Start Mode:  Disabled
 Start Name:  NT AUTHORITY\LocalService

Provides support for application level protocol plug-ins and enables network/protocol 
connectivity. If this service is disabled, any services that explicitly depend on it will 
fail to start.
 Executable:  C:\WINDOWS\System32\alg.exe
 Status:  OK
 State:  Stopped
 Start Mode:  Manual
 Start Name:  NT AUTHORITY\LocalService

Processes installation, removal, and enumeration requests for Active Directory
IntelliMirror group policy programs. If the service is disabled, users will be unable to 
install, remove, or enumerate any IntelliMirror programs. If this service is disabled, 
any services that explicitly depend on it will fail to start.
 Executable:  C:\WINDOWS\system32\svchost.exe -k netsvcs
 Status:  OK
 State:  Stopped
 Start Mode:  Manual
 Start Name:  LocalSystem

Note that you can easily determine the start mode, service account, and state of each service from this output.

This VBScript changes the Server service start mode to Automatic and works remotely. This can be a big help to sites where the security folks have gone nuts and disabled the Server service or set it to Manual start mode.

In its current form, the script prompts for a remote computer name, connects, and changes the Server service’s start mode. The script could also be edited to run on the local computer and placed in a login script to hit a large number of computers at once.

strComputer = InputBox("Enter the name of the computer for which " & _
"you want to change the Start Mode for the Server service")
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colService = objWMIService.ExecQuery _
("Select * from Win32_Service where DisplayName = 'Server'")
For Each objService in colService
errReturnCode = objService.Change( , , , , "Automatic") 
Next

("Select * from Win32_Service where DisplayName = 'w3svc'").

Services always run within the context of some user account. Usually, this account is built in, such as LocalSystem or NetworkService, but some services, such as IIS and those for Exchange, use special accounts called service accounts. To ensure these accounts are secure, you can change the password used by these accounts, which this script will allow you to do.

Dim Computer
Dim ComputerName
Dim ComputerDomain
Dim Service
Dim TargetService
Dim NewPassword
TargetService = "YourServicename"
ComputerDomain = "YourDomain"
ComputerName = "YourComputerName"
NewPassword = "YourPassword"
Set Computer = GetObject("WinNT://" & ComputerDomain & "/" & ComputerName & _ ",computer"
Set Service = Computer.GetObject("service", TargetService)
Service.SetPassword(NewPassword)
Service.SetInfo

TargetService = "YourServicename"
ComputerDomain = "YourDomain"
ComputerName = "YourComputerName"
NewPassword = "YourPassword"

TargetService = "Network Agent"
ComputerDomain = "MTIT"
ComputerName = "SRV14"
NewPassword = "Pa$$w0rd"

There are two parts of DDNS that you need to understand before we answer the question of when scavenging is necessary: DNS and DHCP.

There are three intervals you need to understand before you set up scavenging: Scavenging Period, No-refresh Interval, and Refresh Interval. These intervals are described in the DNS GUI. Just right-click on an Active Directory Integrated zone, select Properties, choose the General tab, and click the Aging button to see the screen shown in Figure 4-2.

Figure 4-2. Configuring DNS scavenging options

If you’re like me, your brain is twitching from the complex wording of the definitions. In order to understand this a little better (without needing the mental capacity to solve a Rubik’s Cube in two minutes), let’s break down what the definitions really mean:

Now, we’ll put this all together in an example that makes sense. In this scenario, the DNS client does not reregister during the Refresh Interval period. Keep in mind, we are using the default of seven days:

If the client had registered its record again, the No-refresh Interval would have started all over again. In the previous scenario, with the default settings of seven days, a record would have to be greater than 14 days old before DDNS would scavenge it. This might work if your DHCP lease times are eight days (the default). Otherwise, you might need to set the intervals closer to your DHCP lease times. Also, keep in mind the Scavenging Period runs only on the interval specified, which is also seven days by default.

Scavenging jobs will use processor time. However, the scavenging process is a low-priority thread of the DNS service. This ensures that scavenging does not use all the processing capacity, but it’s horrible if your DNS servers are used heavily. As a low-priority thread on a highly used DNS server, there’s a probability that the scavenging thread might never run. Also, if the server attempts to run the scavenging process during a time when the DNS server is highly used, it will miss the scheduled interval. It will not attempt to start running over and over but instead will wait until the next scheduled interval (remember the default of seven days). At the time of this writing, I haven’t found a setting that can be adjusted to change which hour the scavenging process starts.

As I mentioned earlier, the Scavenging Period setting applies only to an individual DNS server. Unlike the other settings, which are replicated by Active Directory, this setting is specific to the DNS server in question. With this in mind, not enabling this setting means that no servers are scavenging records. Aging of records is taking place (No-refresh, Refresh), but nothing else is going on. This is good for a variety of reasons. First, you don’t necessarily want all of your DNS servers to scavenge. You need only one server to scavenge. It’ll replicate the record deletes to the other DNS servers. This also allows for some other configuration options:

—Marcus Oh

Here are a few useful web sites that offer tools for troubleshooting DNS:

Here is a list of common problems and solutions that have been discussed in online newsgroups:

If the previous tips and tools do not help and you are using any version of Microsoft Windows (or DOS, for that matter), consider posting a query to the microsoft.public.win2000.dns newsgroup. This newsgroup can be obtained from news://news.microsoft.com. If you do post, you will need to provide some details of your particular issue, including most of all of the following:

Finally, here are two books you can use to learn more about troubleshooting DNS issues:

—Thomas Lee

To recreate a damaged WINS database on Windows NT, first go to Control Panel→Services and stop the Windows Internet Name Service. Then, create a folder named WINS_OLD and move the contents of the %SystemRoot%\System32\WINS folder to WINS_OLD. Finally, restart the Windows Internet Name Service. When you are positive that the new WINS database is functioning properly, delete the WINS_OLD directory.

To recreate a damaged WINS database on Windows Sever 2000/2003, first go to Control Panel→ Administrative Tools→Services and stop the Windows Internet Name Service. Then, create a folder named WINS_OLD and move the contents of the %SystemRoot%\System32\WINS folder to WINS_OLD. Finally, restart the Windows Internet Name Service. When you are positive that the new WINS database is functioning properly, delete the WINS_OLD directory.

Again, when you are positive that the new WINS database is functioning properly, delete the WINS_OLD directory.

—Rod Trent

Type the following code into Notepad (with Word Wrap disabled) and save it with a .vbs extension as ChangeWINS.vbs:

Option Explicit 
On Error Resume Next 

Dim objLocator, objService, NIC 
Dim strComputer, strUsername, strPassword 
Dim strWINS1, strWINS2 
Dim intErr 

strComputer = "." 
strUsername = "" 
strPassword = "" 

strWINS1 = "172.16.1.122" 
strWINS2 = "172.16.1.132" 

Set objLocator = CreateObject("WbemScripting.SWbemLocator") 
Set objService = objLocator.ConnectServer(strComputer, "root/cimv2", & strUsername, 
strPassword) 
objService.Security_.impersonationlevel = 3 

For Each NIC In objService.ExecQuery("Select * from Win32_NetworkAdapterConfiguration 
Where IPEnabled=True") 
WScript.Echo "Nic Index: " & NIC.index 
WScript.Echo "Current Settings" 
WScript.Echo "Primary Wins Server: " & NIC.WINSPrimaryServer 
WScript.Echo "Secondary Wins Server: " & NIC.WINSSecondaryServer 
intErr = NIC.SetWinsServer(strWINS1, strWINS2) 
If intErr <> 0 Then Wscript.Echo "Error changing WINS" 
Next 
Set objService = Nothing 
Set objLocator = Nothing

To run this hack, you first have to customize it. For example, if your primary WINS server is 10.0.0.15 and your secondary server is 10.0.0.16, change these lines:

strWINS1 = "172.16.1.122" 
strWINS2 = "172.16.1.132"

to this:

strWINS1 = "10.0.0.15" 
strWINS2 = "10.0.0.16"

Then, create a shortcut to the script and double-click on the shortcut to run the script. This will refresh your computer’s WINS settings.

—Rod Trent

One approach to ensuring DHCP server availability is to install multiple DHCP servers and divide the list of available IP addresses on each subnet into multiple ranges, one per server. In the simplest case of two DHCP servers, configure each with the scopes that have matching start and end address. Next, for each one create mutually exclusive exclusion lists. For example, if your network is using class C nonsubnetted network 192.168.168.0/24, then, on both servers, you should create the scope with the start IP address 192.168.0.1 and the end IP address 192.168.168.254. Your choice of exclusion lists depends on whether you want both servers to share the load equally or whether one of them will be a primary choice for your DHCP clients. For example, to balance the load, you would configure the range 192.168.168.1-192.168.168.127 on the first server and 192.168.168.128-192.16.168.254 on the second.

In order for this configuration to work, you have to ensure that broadcasts from DHCP clients will reach both servers. Typically, this is done either by installing DHCP relay agents on the servers that reside on clients subnet or by configuring routers as BOOTP Relay Agents.

In addition to providing redundancy, you should also ensure regular backups of the DHCP database. Fortunately, the backup takes place automatically by default. Its behavior is determined by Registry entries that reside in the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters

The Registry entries contain the following values:

Windows also automatically backs up the content of the Registry key HKLM\SOFTWARE\Microsoft\DHCPServer\Configuration to the DHCPCFG file, which resides in the Backup folder.

Recovering the database involves restoring both the database files and the Registry settings. You should first stop the DHCP server and then copy the files and load the Registry hive (using REGEDT32.EXE) to their target location by overwriting the existing HKLM\SOFTWARE\Microsoft\DHCPServer\Configuration Registry key. After you have restored the database file, you should change the default of 0 conflict-detection attempts (from the Advanced tab of Server properties in the DHCP MMC console) to a nonzero value (5 is the maximum).

Another option is to use the NETSH command-line utility to back up and restore configuration of the DHCP server database. NETSH’s functionality is provided through a number of helper DLLs, each dealing with a particular type of Windows networking component. NETSH allows you to dump the configuration of the DHCP server (including all superscopes, scopes, exclusion ranges, and reservations) into a text file that later can be used to restore. Note, however, that NETSH does not back up information about existing leases, which are stored in the DHCP database.

To create the DHCP configuration dump file, execute the following command, where IPAddressOrName is the IP address or name of your DHCP server (note that this command can be executed remotely):

NETSH DHCP SERVER IPAddressOrName DUMP > C:\DHCPCfg.txt

To restore the DHCP server configuration settings using the same file, run this command:

NETSH EXEC C:\DHCPCfg.txt

—Marcin Policht

To use this script, type it into Notepad (with Word Wrap turned off) and save it with a .vbs extension as ChangeIP.vbs:

Option Explicit

Dim NetworkAdapter, AdapterConfiguration 'Objects
Dim IPAddress, SubnetMask, Gateway, DNS 'String Arrays
Dim RetVal 'Integers

For Each NetworkAdapter In
GetObject("winmgmts:").InstancesOf("Win32_NetworkAdapter")
If NetworkAdapter.AdapterType = "Ethernet 802.3" Then
For Each AdapterConfiguration In GetObject("winmgmts:").InstancesOf
("Win32_NetworkAdapterConfiguration")
If UCase(AdapterConfiguration.ServiceName) = UCase(NetworkAdapter.ServiceName) Then
IPAddress = Array("192.168.0.10")
SubnetMask = Array("255.255.255.0")
Gateway = Array("192.168.0.1")
DNS = Array("35.8.2.41")

RetVal = AdapterConfiguration.EnableStatic(IPAddress, SubnetMask)
If Not RetVal = 0 Then
WScript.Echo "Failure assigning IP/Subnetmask."
End If
RetVal = AdapterConfiguration.SetGateways(Gateway)
If Not RetVal = 0 Then
WScript.Echo "Failure assigning Gateway."
End If
RetVal = AdapterConfiguration.SetDnsServerSearchOrder(DNS)
If Not RetVal = 0 Then
WScript.Echo "Failure assinging DNS search order."
End If
End If
Next
End If
Next

To run this hack, modify the IP information in the following lines, as required by your environment:

IPAddress = Array("192.168.0.10")
SubnetMask = Array("255.255.255.0")
Gateway = Array("192.168.0.1")
DNS = Array("35.8.2.41")

For example, to change the IP address of a machine to 172.16.44.3 with subnet mask 255.255.0.0 and default gateway 172.16.44.1, replace those lines with these:

IPAddress = Array("172.16.44.3")
SubnetMask = Array("255.255.0.0")
Gateway = Array("172.16.44.1")

Also, note this statement:

If NetworkAdapter.AdapterType = "Ethernet 802.3" Then

This is where the script checks the AdapterType, which in this script is listed as "Ethernet 802.3“. You should modify this line if you have a different networking environment.

Once these changes have been made to the script, create a shortcut to the script and double-click on the shortcut to run the script.

—Rod Trent

Type the script into Notepad (with Word Wrap disabled) and save it with a .vbs extension as Static2DHCP.vbs:

'All variables declared
Option Explicit

Dim oWSHShell
Dim sNIC, sMan
Dim iCount

Set oWSHShell = WScript.CreateObject("WScript.Shell")

' Set the DCHP service to autostart
oWSHShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\DHCP\Start", 2

' Get Network card
On Error Resume Next
iCount = 1
Do 
sNIC = oWSHShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\ " & _
"CurrentVersion\NetworkCards\" & iCount & "\ServiceName")
sMan = oWSHShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\ " & _
"CurrentVersion\NetworkCards\" & iCount & "\Manufacturer")
' Skip the Async and NDIS services
If sMan <> "Microsoft" And Err.Number = 0 Then
Call SetNIC
End If
iCount = iCount + 1
Loop Until Err.Number <> 0

' Clear the error
Err.Clear

' End of Script



Sub SetNIC
Dim iTest
' Set the NIC service to use DHCP
sNIC = "HKLM\SYSTEM\CurrentControlSet\Services\" & sNIC &"\Parameters\TCPIP\"
iTest = oWSHShell.RegRead(sNIC & "EnableDHCP")
If iTest = 0 Then
oWSHShell.RegWrite sNIC & "EnableDHCP", 1, "REG_DWORD"
oWSHShell.RegWrite sNIC & "IPAddress", "0.0.0.0", "REG_MULTI_SZ"
oWSHShell.RegWrite sNIC & "SubnetMask", "0.0.0.0", "REG_MULTI_SZ"
End If
End Sub

To run this hack, call the Static2DHCP.vbs script from a logon script and use Group Policy to assign this logon script to users’ machines. When a user next logs on to his machine, the machine’s TCP/IP settings will be changed from static to dynamic addressing. To lease an address from the DHCP server, the user’s machine needs to be rebooted, so you could also send out a message asking all users to reboot their machines using the method in [Hack #35] or some other approach. If you like, the logon script could also be combined with the SU utility from the Windows 2000 Server Resource Kit to perform a hands-off migration from static to dynamic addressing.

—Rod Trent

Type the script into Notepad (with Word Wrap disabled) and save it with a .vbs extension as ReleaseRenew.vbs:

On Error Resume Next
Dim AdapterConfig
Dim RetVal
Set AdapterConfig = GetObject("winmgmts:Win32_NetworkAdapterConfiguration")

'WMI release IP Address for all installed network adapters
RetVal = AdapterConfig.ReleaseDHCPLeaseAll

'if retval = 1 then display success. If 0 then failure
If RetVal = 1 Then
MsgBox "IP Address Release was successful."
Else
MsgBox "DHCP Release failed!"
End If

'WMI renew ip for all network adapters
RetVal = AdapterConfig.RenewDHCPLeaseAll

'if retval = 1 then display success. If 0 then failure
If RetVal = 1 Then
MsgBox "IP Address Renew was successful."
Else
MsgBox "DHCP Renew failed!"
End If

Set AdapterConfig = Nothing

Copy the script to users’ machines and create a shortcut to the script on their desktops. Then, when a user has IP address problems and can’t talk to the network, tell her to double-click on the shortcut to release and renew her address, and see if that fixes things. If not, escalate to the next level of troubleshooting!

—Rod Trent

Here’s how it works. First, you dump your network settings to a text file through the command line, as follows:

netsh -c interface dump > NetworkSettings.txt

This command stores your current network settings in a text file named NetworkSettings.txt. Now, let’s say you have to reconfigure your machine’s network settings to repurpose the machine or move it to a different part of the network. Then, later, if you need to restore your machine’s original network settings, you can simply type the following command and load back in the previously dumped settings:

netsh -f NetworkSettings.txt

Note that the destination filename is not important, so you can effectively create multiple configuration files. You can create and name one for each network configuration you need. For example, you can use Work.txt for the office, Home.txt for your home configuration, and something like Client.txt to hold the values for a network you are temporarily visiting.

—Rod Trent

Plan on a two-NIC environment. For instance, identify a private network for Windows network activity, such as domain-level functions, file sharing, or name resolution. Identify the second NIC as the public- or client-facing connection. While NLB supports both unicast and multicast routing, using two NICS lets you avoid the complexities of using multicast mode. However, if you do want to use multicast mode with NLB, then either use a VLAN for all NLB NIC connections (which prevents saturating your Layer 2 network switches) or use a hub (that’s right, a nonswitched hub) for all NLB NICs and allow the hub to make one connection to the Layer 2 switch front-ending your web farm. For security reasons, ensure also that the NLB NIC is stripped of all services, such as File and Print Sharing and the Microsoft network client.

However, if you want to go home from work early, don’t even try to run NLB on one NIC using multicast mode. The underlying technical challenge for Layer 2 switches and NLB is that the NLB-based NICs create a dummy MAC address and provide it to the MAC address table of the switch to which they are connected. NLB has to receive all traffic addresses to the NLB cluster for the software algorithm in use to make a decision on which node to send the traffic to. Some Layer 2 switches get confused at the same MAC address coming through different ports, and this can create the dreaded broadcast storm.

The scenario shown in Figure 4-3 illustrates Microsoft Network Load Balancing in use in a standard Microsoft n-tier highly available Internet configuration. The three front-end IIS web servers (the dark shaded area in Figure 4-3) all are running Windows 2000 Advanced Server and illustrate the redundancy and load balancing archived with an NLB solution. Each web server has its own internal or primary IP address of the form 10.0.0.x, which is a nonroutable address for security and management purposes, while the clustered or shared IP addresses are of the form 192.168.18.x. The firewall in front of the web farm is configured to perform a network translation of the actual hosted web site’s DNS name and IP address to the listening IP address 192.168.18.158 of NLB. In this case, equal load balancing is used, such that each web server will carry 33% of the load so that NLB will load-balance traffic based on an equal distribution of the incoming traffic. If one server goes down, the load will be distributed to the remaining two servers.

Figure 4-3. Using Network Load Balancing in an n-tier configuration

Other Microsoft high-availability technologies can also be seen in this example—for example, the use of a SQL Server cluster (the light-shaded area in Figure 4-3) providing backend database services for this solution. This illustrates the relationship between Microsoft Clustering Services (MSCS) and Microsoft Network Load Balancing (NLB): generally, they secure different tiers of highly available Microsoft solutions. In this case, NLB is used for the web tier, while clustering is used for the database tier.

These tips and the corresponding scenario should save you considerable time when implementing NLB web clusters using Windows 2000/2003. The main thing to remember, though, is to never fall for the one NIC multicast option when using Microsoft Network Load Balancing.