PowerShell behind a proxy

Since most of my work is done behind corporate firewalls, it’s unfortunate that PowerShell does not use the default proxy settings to connect to internet sources like online help or the PowerShell Gallery, but instead gives great errors like:

WARNING: Unable to download the list of available providers. Check your internet connection.

A real helpfull message… I can reach the site in my browser, so it’s just PowerShell who can’t reach the site using the proxy.

After some online searching I ifound the following WebRequest Class on MSDN, which has a DefaultWebProxy property. Let’s try to use it.

If you need to authenticate to the proxy, set UseDefaultCredentials to $True. And voila, I can reach the repository again!

Add the config to your $PROFILE, in order to use it in every PowerShell session and your good to go!

Desired State Configuration – part 2

Now the Pull server is up and running, the next step is to configure “A” server to use the newly created Pull server. For this the windows feature Windows PowerShell Desired State Configuration Service (DSC-Service) must be installed and the DSC localconfiguration must be configured to use the Pull server.

The service can be installed using “Add-WindowsFeature -Name DSC-Service”. Although we can manual install the windows feature, it also possible to use DSC to push the configuration from the Pull server to the target server. The following push configuration will install the Windows feature “DSC-Service” on server “A”:

Running the config “Install-DscConfiguration will result in a A.mof file

Now we can push the configuration (as a .mof file) to server “A”.

Doing this will install DSC on the remote server. The next step is to configure server “A” to use the Pull server as a configuration source. How to make the configuration is explained in this Technet article.

As you can see in the above example, there is no servername present in the configuration. Server “A” is configured to request a configuration with the name “cc53d975-c5d3-43ab-9f5c-124aedb976f0”. There is no database for the servername <-> GUID translation in DSC. When making configurations you need to document/keep track which GUID and servername are paired. I’ve seen examples of storing servername/GUID in an csv file, or stored in an AD attribute. Needles to say that each server needs an unique GUID.

Use Set-DscLocalConfigurationManager -ComputerName “A” -Path

To create an GUID you can use this example to create one.

And add the GUID to your Local configuration
To store the GUID in a field in the AD object, for example ExtensionAttribute1. This way it’s easy to keep a relation between the GUID and the servername. You could also create computer objects to represent non-domain joined computers. Replace the

The DSC configuration on server “A” is now configured to check every 15 minutes for a (new) configuration on the Pull server.

Create a new configuration with the GUID of the server and place it in the configuration folder on the Pullserver. The location is specified when creating the Pullserver. In the previous example when creating the Pullserver it was  specified as “$env:PROGRAMFILESWindowsPowerShellDscServiceConfiguration


DSC resources https://gallery.technet.microsoft.com/scriptcenter/DSC-Resource-Kit-All-c449312d


Desired State Configuration

Building infrastructures means building and connecting machines which are hosting services that support the business by making its jobs easier. From the early days on, infrastructure creates the baseline by hosting specific machines to do specific tasks. The infrastructure team installs and configures the OS and hands the machine over to the application developers who in their turn install and configure the application for the business.

So how to build and maintain the OS in a structured manner? There are enough methods to deploy an OS in a structured way, maintaining the configuration of the OS is somewhat more difficult. And checking if the installation and configuration isn’t drifting away from its intended state is difficult. Desired State Configuration (DSC) can maintain a configuration and detect a drift from the intented configuration.

DSC is Microsoft’s answer to maintain and keep configurations of OSes and applications. Microsoft states that DSC is gradually going to be the only means to manage windows servers and applications. DSC works with Microsoft Framework and Powershell.

Simplified  DSC says: “Hey server you are going to be a web server, take configuration “WEB_Main_v4″ and apply that configuration. Have fun!”

Configuration files have a basic markup: it starts with defining the configuration name, the node name and actual configuration. The configuration acts as a template, from which a specific configuration for a specific server will be build, which we can deploy to that specific server.

In this template the configuration is named “ServerConfig”. The configuration is for a server named Servername (which will be stored in the variable $NodeName). File is the configuration item which is being defined with parameters. Save the config as “aserver.ps1”

The configuration looks similar as a PowerShell function and in a way it is!
Knowledge of PowerShell is necessary when working with DSC

Run aserver.ps1 in Powershell. Once the configuration is loaded, the configuration is available as a command with the name of the config (like a function). Run “ServerConfig -OutputPath “.” -NodeName “A”” to create the .mof file. Use the command Start-DscConfiguration -Wait -Force -Path .ServerConfig -ServerName “A” to actually deploy the configuration to server “A”.

The Managed Object Format (MOF) was defined by the Distributed Management Task Force (DMTF). The purpose of the DMTF is to supervise standards that help enable cross-platform management. In other words, MOF is a cross-platform standard with public available specifications. You don’t need PowerShell to create a .mof file, PowerShell is just a tool to create such file. You could even create a .mof file on a Unix server to manage Windows Server of vice versa!

What DSC does is creating a .mof file based on the configuration. The content of the .mof file

Deploy the configuration to the server:

The above steps are simple. First create a configuration file, converted it to a .mof file and push it to a server.

In a development environment the manual way of working is fine, but in production it certainly is not. There are two methods of deploying configuration to servers, push (as above) and pull.

For the pull method, a pull server is needed. In this configuration a server asks a pull server for its configuration and reports back the result. The Pull server can be manual installed, but why not use DSC to deploy the Pull server. To do this, download the xPSDesiredStateConfiguration Module from Technet and install it. The Pull server can be published using SMB or http(s). Https is the most versatile option, change it when needed. I used the following configuration to deploy the pull server. For simplicity this configuration does not use SSL, so I do not have to create the certificate and trust chain.

Activate the configuration with Start-DscConfiguration .Pull_DscWebService use -verbose to view progress of each individual action.

Test the server by browsing to to configured website http://servername:8080/PSDSCPullServer.svc. If you get a response, the pull server is working.

Now lets add some configuration to deploy in part 2.

TunnelPortRanges and OverloadDefinitions

Just the other day, someone desired to add a tunnelport range to the TMG proxy, but did not know how to.
I found out I needed to set this straight in the TMG array configuration. Luckily there are some tools available which can make the required change in the TMG array configuration. But it is way more fun doing it yourself.
Actually it was quite simple!

First start a PowerShell session and connect to the TMG array configuration (also works with ISA).

Then “browse to the WebProxy TunnelportRanges” using [Tab] and “.”, add the configuration and save.

Check the current configuration.

You also check the “Change Tracking” in TMG to see if the TunnelPortRange has been added.


I got the question how I found out the correct input for the .AddRange. Although sometimes you got to keep your colleagues in the dark but this one is actually quite easy. It’s called the “OverloadDefinitions”, and it works most of the time:

Just add .overloaddefinitions after a method and it returns some info, some info is better than others. In this case it requires a text input, a number and another number. At least you know the correct input format and it is not hard to figure out the right context of this values.

Easy isn’t it?


…and then the other question of the day. How to remove a TunnelPortRange, because someone made a typing error.

Luckily there is a $a.ArrayPolicy.WebProxy.TunnelPortRanges.remove(“Name of range to remove”)and .save()it again to remove the TunnelPortRange.

Running “cleanmgr.exe” on server 2008

When running out of disk space on Server 2008 you might want to run “cleanmgr.exe”. But it’s not there on Server 2008.

When searching the internet for more info, all returned answers said I’d have to install the “Desktop experience” feature. But I certainly do not want to enable the “desktop experience” feature on a production server. I do not need Windows Mediaplayer, Photoviewer, etc.

I copied “cleanmgr.exe” from a server where the desktop experience feature was enabled to a server which did not have that feature enabled (to the %Systemroot%\System32 folder) and executed the .exe. Nothing happened. Then I searched for a missing .dll but none existed/worked.

Back tot the server with the “Desktop Experience’ feature enabled, ran “Process Explorer” to search for dependencies of “cleanmgr.exe”

runningcleanmanagerAnd there it is, %systemroot%\System32\en-US\Cleanmgr.exe.mui” among other *.mui’s. Copied “cleanmgr.exe.mui” to the other server (with the already existing “cleanmgr.exe”), started “cleanmgr.exe again, and guess what:


Finally, cleanmgr without installing the “Desktop Experience” feature on server 2008.

WSS v3 Backup retention script

After setting up STSADM.exe to backup my WSS v.3 sites the backup directory did grow daily.

I could not find any way to set some sort of retention on these backups, and got tired of deleting the backups and adjusting the spbrtoc.xml manually. So I wrote my own script.

As a real PowerShell addict this problem had to be solved with PowerShell. Here’s the script.

This script does:

  • queries the spbrtoc.xml and finds all backups
  • deletes old backup entries from spbrtoc.xml
  • deletes the old backup files from disc
  • saves the updated spbrtoc.xml.

The result:



Just schedule this script to run after the backup has been made and no more manual deletion of the backup files is needed.

As a real IT Pro, you can now put your feet on the table and drink a relaxing cup of coffee. (Well at least until your boss finds you in this way…)