Small update to my DNS Synchronizer script

June 4, 2017 Kirill Nikolaev Leave a comment

I’ve just released a small improvement to my DNS Synchronizer script. The update includes:

Corrected the issue where sub-records of a record prevented that record to be synchronized.
Corrected the way how start and end times are formatted — now they both are formatted equally.
But the most significant one for the end-user, is that the script has been renamed to Sync-DNSZones, in accordance with PowerShell best practices.

If you execute the Get-Verb cmdlet w/o parameters, you’ll see that there is no “Synchronize” verb in the output — that’s why I renamed the script. Do not forget to rename “-NS” an “-REC” files accordingly.

PowerShell, Uncategorized

Function to test a date against different conditions

May 29, 2017 Kirill Nikolaev Leave a comment

Several weeks ago, my friend Rich Mawdsley asked our Windows Admins Slack team, how to tell if today is the second Tuesday in the month? As we found out, there is no built-in way in PowerShell to determine that. That’s why I present you today a function built specifically to test dates against different conditions. The function can tell you:

If the date is a certain weekday in a month. 4th Monday, Second Thursday, last Sunday etc.
If the date belongs to a certain quarter of a year.
If the date is a start or an end of a quarter.
If the date is the last day of a month etc.

Mind, that the output is boolean: the function will not tell you much about the date object, but only does it meet conditions or does it not. It returns $true if the date meets the conditions and $false in all other cases.

Here’s the code of the function, and, of course, you can always find the latest version at my GitHub:

function Test-DayProperties {

<# MIT License

    Copyright (c) 2017 Kirill Nikolaev

    Permission is hereby granted, free of charge, to any person obtaining a copy
    of this software and associated documentation files (the "Software"), to deal
    in the Software without restriction, including without limitation the rights
    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    copies of the Software, and to permit persons to whom the Software is
    furnished to do so, subject to the following conditions:

    The above copyright notice and this permission notice shall be included in all
    copies or substantial portions of the Software.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
    SOFTWARE.
#>

<#
.SYNOPSIS
    Tests the given date against different conditions.

.DESCRIPTION
    The function helps you to detect if today is the third Tuesday in a month, if the date belongs to some quarter, if today is the last day of a month etc.

.PARAMETER Date
    The date object which you are testing. By default, the current date/time.

.PARAMETER DayOfWeek
    Use to test if the day is the defined day in a week (Mon, Tue, Wed etc).

.PARAMETER NumberInMonth
    Use to detect if the day is the specified number of the day type defined in the DayOfWeek parameter.

.PARAMETER EndOfMonth
    Use to detect if the given day is the last day of the month.

.PARAMETER Quarter
    Use to detect if the given day is belongs to the specified quarter.

.PARAMETER QuarterType
    Use to detect if the given day is the start or the end of the specified quarter.

.PARAMETER Last
    Use to detect if the given day is the last day of some kind in the given month. If the DayOfWeek parameter is omitted, the kind of day is extracted from the Date parameter, otherwise — DayOfWeek is used.

.EXAMPLE
    Test-DayProperties -DayOfWeek 2 -NumberInMonth 2
    Tests if the current day is the second Tuesday in this month.

.EXAMPLE
    Test-DayProperties -Date $Date -DayOfWeek 7 -Last
    Tests if the date in the $Date object is the last Sunday in the month.

.EXAMPLE
    Test-DayProperties -Last
    Tests if today is the last day of its kind in the month.

.EXAMPLE
    Test-DayProperties -EndOfMonth
    Tests if today is the last day of the month.

.EXAMPLE
    Test-DayProperties -Date $Date -Quarter 3 -QuarterType End
    Tests if the date in the $Date object is the end (the last day) of the 3rd quarter.

.EXAMPLE
    Test-DayProperties -QuarterType Start
    Tests if today is the beginning of a quarter.

.EXAMPLE
    Test-DayProperties $Date -Quarter 1
    Tests if the date in the $Date object belonngs to the 1st quarter.

.INPUTS
    [DateTime]

.OUTPUTS
    [boolean]

.NOTES
   Author: Kirill Nikolaev
   Twitter: @exchange12rocks

.LINK
    https://exchange12rocks.org/2017/05/29/function-to-test-a-date-against-different-conditions

.LINK
    https://github.com/exchange12rocks/PS/tree/master/Test-DayProperties

#>

#Requires -Version 3.0

    [CmdletBinding(
        DefaultParametersetName='Default'
    )]
    [OutputType([boolean])]
    Param (
        [Parameter(ParameterSetName='Default', Position = 0)]
        [Parameter(ParameterSetName='Quarter', Position = 0)]
        [Parameter(ParameterSetName='QuarterType', Position = 0)]
        [Parameter(ParameterSetName='EndOfMonth', Position = 0)]
        [Parameter(ParameterSetName='Last', Position = 0)]
        [ValidateNotNullorEmpty()]
        [DateTime]$Date = (Get-Date),

        [Parameter(ParameterSetName='Default', Mandatory)]
        [Parameter(ParameterSetName='Last')]
        [ValidateRange(1,7)]
        [int]$DayOfWeek,

        [Parameter(ParameterSetName='Default', Mandatory)]
        [ValidateRange(1,5)] # It's impossible to have more that 5 weeks in a month (on Earth)
        [int]$NumberInMonth,

        [Parameter(ParameterSetName='EndOfMonth')]
        [switch]$EndOfMonth,

        [Parameter(ParameterSetName='Quarter', Mandatory)]
        [Parameter(ParameterSetName='QuarterType')]
        [ValidateRange(1,4)]
        [int]$Quarter,

        [Parameter(ParameterSetName='QuarterType', Mandatory)]
        [ValidateSet('Start','End')]
        [string]$QuarterType,

        [Parameter(ParameterSetName='Last', Mandatory)]
        [switch]$Last

    )

    function GetLastDateOfCurrentMonth {

        Param (
            [ValidateNotNullorEmpty()]
            [DateTime]$Date = (Get-Date)
        )

        $result = $false

        if ($Date.Month -in @(1, 3, 5, 7, 8, 10, 12)) {
            $result = New-Object -TypeName DateTime -ArgumentList @($Date.Year, $Date.Month, 31)
        }
        elseif ($Date.Month -in @(4, 6, 9, 11)) {
            $result = New-Object -TypeName DateTime -ArgumentList @($Date.Year, $Date.Month, 30)
        }
        else { #February
            try {
                $result = New-Object -TypeName DateTime -ArgumentList @($Date.Year, $Date.Month, 29)
            }
            catch {
                if ($Error[0].Exception.InnerException.HResult -eq -2146233086) {
                    $result = New-Object -TypeName DateTime -ArgumentList @($Date.Year, $Date.Month, 28)
                }
            }
        }

        return $result
    }

    function GetDotNETDayOfWeek {
        Param (
            [ValidateRange(1,7)]
            [int]$DayOfWeek
        )

        if ($DayOfWeek -eq 7) {
            return 0
        }
        else {
            return $DayOfWeek
        }
    }

    $result = $false
       
    switch ($PSCmdlet.ParameterSetName) {
        'QuarterType' {
            if ($QuarterType -eq 'Start') {
                if ($Date.Day -eq 1 -and $Date.Month -in (1,4,7,10)) {
                    $result = $true
                    if ($Quarter) {
                        if ($Date.Month -ne (3*$Quarter-2)) {
                            $result = $false
                        }
                    }
                }
            }
            elseif ($QuarterType -eq 'End') {
                if (($Date.Month -in (3,6,9,12)) -and $Date.Day -eq ((GetLastDateOfCurrentMonth -Date $Date).Day)) {
                    $result = $true
                }
            }
        }
        'Quarter' {
            if ($Date.Month -in ((3*$Quarter-2)..(3*$Quarter))) {
                $result = $true
            }
        }
        'EndOfMonth' {
            if ($Date -eq (GetLastDateOfCurrentMonth -Date $Date)) {
                 $result = $true
            }
        }
        'Last' {
            $LastDateOfCurrentMonth = GetLastDateOfCurrentMonth -Date $Date
            $StartOfLast7Days = $LastDateOfCurrentMonth.AddDays(-6)
            if (!$DayOfWeek) {
                if ($Date -ge $StartOfLast7Days -and $Date -le $LastDateOfCurrentMonth) {
                    $result = $true
                }
            }
            elseif ($Date.DayOfWeek.value__ -eq (GetDotNETDayOfWeek -DayOfWeek $DayOfWeek) -and $Date -ge $StartOfLast7Days -and $Date -le $LastDateOfCurrentMonth) {
                $result = $true
            }
        }
        'Default' {
            $DaysToSubstract = (7*($NumberInMonth-1))
            if ((New-TimeSpan -Days $DaysToSubstract).Ticks -le $Date.Ticks) {
                if ($Date.DayOfWeek.value__ -eq (GetDotNETDayOfWeek -DayOfWeek $DayOfWeek) -and $Date.AddDays(-$DaysToSubstract).Month -eq $Date.Month -and $Date.Day -le (7*$NumberInMonth)) {
                    $result = $true
                }
            }
        }
        Default {
            $result = $false
        }
    }
    return $result
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

function Test-DayProperties {

<# MIT License

Permission is hereby granted, free of charge, to any person obtaining a copy

of this software and associated documentation files (the "Software"), to deal

in the Software without restriction, including without limitation the rights

to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

copies of the Software, and to permit persons to whom the Software is

furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all

copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE

SOFTWARE.

.SYNOPSIS

Tests the given date against different conditions.

.DESCRIPTION

The function helps you to detect if today is the third Tuesday in a month, if the date belongs to some quarter, if today is the last day of a month etc.

.PARAMETER Date

The date object which you are testing. By default, the current date/time.

.PARAMETER DayOfWeek

Use to test if the day is the defined day in a week (Mon, Tue, Wed etc).

.PARAMETER NumberInMonth

Use to detect if the day is the specified number of the day type defined in the DayOfWeek parameter.

.PARAMETER EndOfMonth

Use to detect if the given day is the last day of the month.

.PARAMETER Quarter

Use to detect if the given day is belongs to the specified quarter.

.PARAMETER QuarterType

Use to detect if the given day is the start or the end of the specified quarter.

.PARAMETER Last

Use to detect if the given day is the last day of some kind in the given month. If the DayOfWeek parameter is omitted, the kind of day is extracted from the Date parameter, otherwise — DayOfWeek is used.

.EXAMPLE

Test-DayProperties -DayOfWeek 2 -NumberInMonth 2

Tests if the current day is the second Tuesday in this month.

.EXAMPLE

Test-DayProperties -Date $Date -DayOfWeek 7 -Last

Tests if the date in the $Date object is the last Sunday in the month.

.EXAMPLE

Test-DayProperties -Last

Tests if today is the last day of its kind in the month.

.EXAMPLE

Test-DayProperties -EndOfMonth

Tests if today is the last day of the month.

.EXAMPLE

Test-DayProperties -Date $Date -Quarter 3 -QuarterType End

Tests if the date in the $Date object is the end (the last day) of the 3rd quarter.

.EXAMPLE

Test-DayProperties -QuarterType Start

Tests if today is the beginning of a quarter.

.EXAMPLE

Test-DayProperties $Date -Quarter 1

Tests if the date in the $Date object belonngs to the 1st quarter.

.INPUTS

[DateTime]

.OUTPUTS

[boolean]

.NOTES

Author: Kirill Nikolaev

Twitter: @exchange12rocks

.LINK

https://exchange12rocks.org/2017/05/29/function-to-test-a-date-against-different-conditions

.LINK

https://github.com/exchange12rocks/PS/tree/master/Test-DayProperties

#Requires -Version 3.0

[CmdletBinding(

DefaultParametersetName='Default'

)]

[OutputType([boolean])]

Param (

[Parameter(ParameterSetName='Default', Position = 0)]

[Parameter(ParameterSetName='Quarter', Position = 0)]

[Parameter(ParameterSetName='QuarterType', Position = 0)]

[Parameter(ParameterSetName='EndOfMonth', Position = 0)]

[Parameter(ParameterSetName='Last', Position = 0)]

[ValidateNotNullorEmpty()]

[DateTime]$Date = (Get-Date),

[Parameter(ParameterSetName='Default', Mandatory)]

[Parameter(ParameterSetName='Last')]

[ValidateRange(1,7)]

[int]$DayOfWeek,

[Parameter(ParameterSetName='Default', Mandatory)]

[ValidateRange(1,5)] # It's impossible to have more that 5 weeks in a month (on Earth)

[int]$NumberInMonth,

[Parameter(ParameterSetName='EndOfMonth')]

[switch]$EndOfMonth,

[Parameter(ParameterSetName='Quarter', Mandatory)]

[Parameter(ParameterSetName='QuarterType')]

[ValidateRange(1,4)]

[int]$Quarter,

[Parameter(ParameterSetName='QuarterType', Mandatory)]

[ValidateSet('Start','End')]

[string]$QuarterType,

[Parameter(ParameterSetName='Last', Mandatory)]

[switch]$Last

)

function GetLastDateOfCurrentMonth {

Param (

[ValidateNotNullorEmpty()]

[DateTime]$Date = (Get-Date)

)

$result = $false

if ($Date.Month -in @(1, 3, 5, 7, 8, 10, 12)) {

$result = New-Object -TypeName DateTime -ArgumentList @($Date.Year, $Date.Month, 31)

}

elseif ($Date.Month -in @(4, 6, 9, 11)) {

$result = New-Object -TypeName DateTime -ArgumentList @($Date.Year, $Date.Month, 30)

}

else { #February

try {

$result = New-Object -TypeName DateTime -ArgumentList @($Date.Year, $Date.Month, 29)

}

catch {

if ($Error[0].Exception.InnerException.HResult -eq -2146233086) {

$result = New-Object -TypeName DateTime -ArgumentList @($Date.Year, $Date.Month, 28)

}

return $result

}

function GetDotNETDayOfWeek {

Param (

[ValidateRange(1,7)]

[int]$DayOfWeek

)

if ($DayOfWeek -eq 7) {

return 0

}

else {

return $DayOfWeek

}

$result = $false

switch ($PSCmdlet.ParameterSetName) {

'QuarterType' {

if ($QuarterType -eq 'Start') {

if ($Date.Day -eq 1 -and $Date.Month -in (1,4,7,10)) {

$result = $true

if ($Quarter) {

if ($Date.Month -ne (3*$Quarter-2)) {

$result = $false

}

elseif ($QuarterType -eq 'End') {

if (($Date.Month -in (3,6,9,12)) -and $Date.Day -eq ((GetLastDateOfCurrentMonth -Date $Date).Day)) {

$result = $true

}

'Quarter' {

if ($Date.Month -in ((3*$Quarter-2)..(3*$Quarter))) {

$result = $true

}

'EndOfMonth' {

if ($Date -eq (GetLastDateOfCurrentMonth -Date $Date)) {

$result = $true

}

'Last' {

$LastDateOfCurrentMonth = GetLastDateOfCurrentMonth -Date $Date

$StartOfLast7Days = $LastDateOfCurrentMonth.AddDays(-6)

if (!$DayOfWeek) {

if ($Date -ge $StartOfLast7Days -and $Date -le $LastDateOfCurrentMonth) {

$result = $true

}

elseif ($Date.DayOfWeek.value__ -eq (GetDotNETDayOfWeek -DayOfWeek $DayOfWeek) -and $Date -ge $StartOfLast7Days -and $Date -le $LastDateOfCurrentMonth) {

$result = $true

}

'Default' {

$DaysToSubstract = (7*($NumberInMonth-1))

if ((New-TimeSpan -Days $DaysToSubstract).Ticks -le $Date.Ticks) {

if ($Date.DayOfWeek.value__ -eq (GetDotNETDayOfWeek -DayOfWeek $DayOfWeek) -and $Date.AddDays(-$DaysToSubstract).Month -eq $Date.Month -and $Date.Day -le (7*$NumberInMonth)) {

$result = $true

}

Default {

$result = $false

}

return $result

}

The function covered with tests (you can see the results here), but not completely — I shall certainly improve this in the future. And yes, those tests have already helped me to fix several bugs before the official release 😉

BTW, If you haven’t written tests for your PowerShell code, I found this Introduction to testing with Pester by Jakub Jares very useful — you will start writing tests in Pester before the end of the lecture.

ADDS, PowerShell, Windows Server 2016

Building Highly-Available Windows Infrastructure: Command-line Style. AD DS. Part 2 — Post-Config

April 11, 2017 Kirill Nikolaev 1 Comment

Previous part — Building Highly-Available Windows Infrastructure: Command-line Style. AD DS. Part 1 — Installation

Introduction

In this post we will perform two configurations on our Active Directory Domain Services instance: We’ll define security tiers which later become cornerstones of our privilege delegation principles and we’ll tune domain-joining parameters. Also a quick tweak for the DNS service.

Building Highly-Available Windows Infrastructure: Command-line Style. AD DS. Part 1 — Installation

March 6, 2017 Kirill Nikolaev 3 Comments

Introduction

Up to this day, Active Directory Domain Services (AD DS) has been the core of the Windows infrastructure. With each release of Windows Server, AD DS receives new features while keeping great backward compatibility. Windows Server 2016 brings following enhancements to AD DS:

In this blog we shall install the corner stone of our future infrastructure: a highly-available AD DS instance of two domain controllers. Our AD DS layout is going to be quite simple: two writable domain controllers in a single site.

Building Highly-Available Windows Infrastructure: Command-line Style

March 6, 2017 Kirill Nikolaev Leave a comment

Several months ago Windows Server 2016 was released. With this release Microsoft has made two significant changes in Windows Server installation options:

Nano Server was introduced
Server with a GUI now includes desktop experience features (it is even called “Server with Desktop Experience”) and there is no supported way to remove them. This should force IT Administrators to deploy Server Core more broadly.

Looks like now is a good time to stop thinking about Windows Server as a GUI based system and pivot your management approach to be more command-line.
This post is the first in a series of how to build your own highly-available Windows infrastructure using just PowerShell and some other command-line tools. I plan to discuss the following components:

Active Directory Domain Services,
Active Directory Certificate Services,
Desired State Configuration,
Key Management Services,
DHCP,
SCDPM,
SCCM,
Exchange Server,
And, possibly, S4B Server, as well.

I am not able to deploy Hyper-V hosts yet, as all my infrastructure is purely virtual and the host machine, sadly, is running Windows Server 2012 R2 and currently it is impossible for me to upgrade it.

All PowerShell code will not use any hardcoded values. Instead, at the beginning of each post, I shall include a set of variables which will allow you to easily recreate the infrastructure in your environment w/o any change in the code.

The first part is already here! Building Highly-Available Windows Infrastructure: Command-line Style. AD DS. Part 1 — Installation

ADDS, PowerShell, Windows

Huge refactoring of Synchronize-DNSZones.ps1

February 10, 2017 Kirill Nikolaev Leave a comment

Today I finished huge refactoring of my Synchronize-DNSZones script (see more about it here). The main reason to refactor was to introduce a support to synchronize zone-level records. To efficiently achieve this, I converted a huge pile of code into several smaller functions. I also improved code readability by PS 3.0 standards (apparently, it is also StrictMode-compatible now).
I improved error handling by introducing 3 new error events:
55 – DNS-zone creation is not yet supported. (And I don’t think I’ll ever support it)
72 – Function New-DnsRecord failed.
82 – Cannot import DNSClient PowerShell module.

I finally replaces unapproved verbs in function names to approved ones (see Get-Verb). I shall change the name of the script itself later.
Fixed an issue when Receive-DnsData sometimes returns empty response and.
Fixed typos and incorrect error handling and slightly enhanced comments.
And I also added forgotten definition of $SMTPCc variable.

In the future I plan to add ShouldProcess support (WhatIf).

Pull-requests / issues are welcome!

ADDS, Security, Windows

LAPS presentation

January 25, 2017 Kirill Nikolaev Leave a comment

Last December I was presenting at Moscow IT Pro UG about Microsoft LAPS. Finally, the record of the presentation is processed and available at YouTube:

Do not forget to enable English subtitles (they are NOT auto-translated :D)

You may find PPTX-file here.

After the presentation, I was asked a couple of questions:
Q: Does the GUI tool send the password in plain text over the network?
A: No, LDAP connection is encrypted with SASL. But if you are going to access the password attribute in your own scripts/tools, you may accidentally expose the password if you set LDAP_OPT_ENCRYPT = 0 or will use ldap_simple_bind w/o TLS/SSL.

Q: Why do we even need those local accounts? Why not to disable them completely?
A: In case a machine has lost its connection to AD (due to network configuration change, for example), you may want to bring it back on line w/o disruptive actions such as reboot, offline password reset etc. In case if you hope that the machine keeps your offline password hash, you may find yourself in a stressful situation, when you find out that it, in fact, does not.

Uncategorized

Google Glazier

January 24, 2017 Kirill Nikolaev Leave a comment

WOW, Google has just released a tool to automate the installation of the Microsoft Windows. The tool is written in Python and is called Glazier. OS images are built using text-based YAML config files which are easy to store in a source control system — in that case you can easily review change history and comments, rollback, compare etc.

All data are transferred via HTTPS, which enables you to deliver them anywhere, utilize CDN caches etc.

The tool is distributed by Apache 2.0 license, pull requests are welcome.

Uncategorized

Blogs to follow

December 27, 2016 Kirill Nikolaev Leave a comment

Today I want to share with you a list of blogs which I personally read and follow. Almost all of them are maintained by recognized individual IT professionals, many of them hold Microsoft MVP and similar awards.
I highly recommend you to add these blogs into your RSS/news-reader.

Of course I read a significant part of the TechNet/MSDN fleet too, but you, for sure, already know all the important ones, so I’ll leave them out for now.

If you have similar lists — share them with us in the comments.

SCDPM, Security, Windows

SCDPM in a tiered infrastructure

November 28, 2016 Kirill Nikolaev Leave a comment

When a company has a secure infrastructure, usually there are several tiers of resources managed by different administrators (or, at least, by same administrators but using different user accounts). For example, one may separate sensitive servers, like PKI Certification Authorities, Hyper-V hosts or file servers containing PII, and mark them as Tier 1 servers, while marking all other servers as Tier 2. Then he sets up permissions in a way that each tier has its own local administrators, and you may even forbid cross-tier logon completely (except network logon – network logon is useful and doesn’t pose a security threat).

In the ideal world you would have separate management solutions for each tier. But we all live in real world and, sometimes, it is impossible to find additional resources to support your infrastructure. In that case, it is more appropriate to designate your management servers, including backup ones, as Tier 1 – this way more secure servers will be able to access resources residing on less secure servers but not vice versa.

What does this mean for SCDPM? DPM wasn’t designed to backup resources from another security tier, but we can bent it to our will.
After you install an SCDPM agent on a server in Tier 2, then you must attach it to an SCDPM server in Tier 1. At this step, a user, which you are using to attach the agent, must be a local administrator at both the server and the client. Considering our tiered infrastructure, this is impossible, as one user cannot be a member of local administrators on machines from different tiers.
Fear not! We shall grant required permissions granularly in two steps:

Step 1

Basically we need to allow following permissions for Tier 1 admin at Tier 2 server’s WMI root and propagate them through the tree:

Enable
MethodExecute
RemoteAccess
ReadSecurity

You may choose to assign these permissions either via GUI, using wmimgmt.msc, or using PowerShell.
For PowerShell way you may use this fixed version of Set-WmiNamespaceSecurity.ps1 script. Original, written by Steeve Lee, suffers from a bug which does not allow to set inheritance flag and throws an error: “Invoke-WmiMethod : Invalid parameter”.
Run PowerShell script at the Tier 2 client as follows:
Set-WmiNamespaceSecurity.ps1 -namespace 'root' -operation 'add' -account 'EXAMPLE\tier1-admin' -permissions 'Enable','MethodExecute','RemoteAccess','ReadSecurity' -allowInherit $true

If you are going to set permissions with a GUI, here’s how it should looks like:

Step 2

This is counter-intuitive one: As we know, SCDPM server requests the time zone from an agent and saves it in the database. Sometimes, somehow, step 1 is not enough for remote non-admin user to request computer’s time zone. As a workaround, execute following WMI query at an SCDPM client: select * from Win32_TimeZone. After that, remote non-admin user will be able to request TimeZone instances for some time.
To utilize PowerShell for the task, execute this: Get-WmiObject -Query 'select * from Win32_TimeZone'

After these two steps, you should be able to add Tier 2 agent under protection of Tier 1 SCDPM server. When you have finished, you may safely remove those permissions by running the following command:
Set-WmiNamespaceSecurity.ps1 -namespace root -operation delete -account 'EXAMPLE\tier1-admin'

Microsoft Technologies and Stuff

Small update to my DNS Synchronizer script

Function to test a date against different conditions

Building Highly-Available Windows Infrastructure: Command-line Style. AD DS. Part 2 — Post-Config

Introduction

In this article:

Building Highly-Available Windows Infrastructure: Command-line Style. AD DS. Part 1 — Installation

Introduction

In this article:

Building Highly-Available Windows Infrastructure: Command-line Style

Huge refactoring of Synchronize-DNSZones.ps1

LAPS presentation

Google Glazier

Blogs to follow

SCDPM in a tiered infrastructure

Step 1

Step 2