
Wednesday, October 05, 2011

Running command on multiple computers

Just a quick note to show how to run a command against multiple computers.

Have a file with a list of computer names (1 name per line).

net time example

FOR /F "eol=# tokens=1 delims=," %A IN (.\serverlist.txt) DO net time \\%A>>c:\output_command_netime.txt

So the command above will run the net time command on each of the servers in the file serverlist.txt. Each server name is passed to the command through the variable %A.

server1

server2

server3

serve…

The output of this command is redirected into a file called output_command_netime.txt. Note that the output is appended to the file, so if you run this multiple times, be aware that it will just add to the existing file. Delete or rename the file if you want a new file on the next run.

More examples

examine the state of a service

FOR /F "eol=# tokens=1 delims=," %A IN (.\serverList.txt) DO sc \\%A query w32time>>c:\output_command_sc_query2.txt

start a service

FOR /F "eol=# tokens=1 delims=," %A IN (.\serverList.txt) DO sc \\%A start w32time>>c:\output_command_sc_start.txt

stop a service

FOR /F "eol=# tokens=1 delims=," %A IN (.\serverList.txt) DO sc \\%A stop w32time>>c:\output_command_sc_stop.txt
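A read-only variant of the service query above, as an added PowerShell example that is not part of the original post: it applies the same list parsing rules as `FOR /F "eol=# tokens=1 delims=,"`, but records the server name, service state and exit code per host and writes a new file on each run. The parameter names and the CSV file name are assumptions chosen for illustration.

```powershell
# Added example (not from the original post): audit one service across the hosts in serverlist.txt.
# Parameter names and the output file name are hypothetical.
param(
    [string]$ListPath = '.\serverlist.txt',
    [string]$Service  = 'w32time',
    [string]$OutPath  = (".\sc_query_{0:yyyyMMdd_HHmmss}.csv" -f (Get-Date))
)

# Same rules as FOR /F "eol=# tokens=1 delims=,":
# skip blank lines and lines starting with #, keep the text before the first comma.
$servers = Get-Content -Path $ListPath |
    Where-Object { $_.Trim() -and -not $_.StartsWith('#') } |
    ForEach-Object { ($_ -split ',')[0].Trim() } |
    Where-Object { $_ }

$results = foreach ($server in $servers) {
    # 2>&1 keeps any error text (access denied, host unreachable) with the captured output.
    $output = & sc.exe "\\$server" query $Service 2>&1 | Out-String

    # sc.exe prints a line such as "STATE : 4  RUNNING"; keep the state name only.
    $state = if ($output -match 'STATE\s+:\s+\d+\s+(\w+)') { $Matches[1] } else { 'UNKNOWN' }

    [pscustomobject]@{
        Server   = $server
        Service  = $Service
        State    = $state
        ExitCode = $LASTEXITCODE   # non-zero when sc.exe could not query the host
        Checked  = (Get-Date).ToString('s')
    }
}

# One timestamped file per run, so earlier results are never appended to.
$results | Export-Csv -Path $OutPath -NoTypeInformation

# Show only the hosts that need attention.
$results |
    Where-Object { $_.ExitCode -ne 0 -or $_.State -ne 'RUNNING' } |
    Format-Table -AutoSize
```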



Tuesday, October 04, 2011

Cisco PIX

This posting is mainly for myself, so I have a reference when I come back to configure this firewall. I am not a Cisco person. This is not the whole story here, just highlights for me. Please do not take any of this as golden as it is just notes for me and may be incorrect at this time.

I had to configure a Cisco PIX the other day; it was set up for natting. Now I had to add NTP and DNS access.

So I assumed I would have to set up an access list and assign it.

However, in doing this I broke existing connectivity.

It appears that by setting up global natting the firewall then allows all access via this NAT.

When I applied my access list to allow connectivity to the new service, it actually stopped existing access.

So applying the access rule stopped the default all access and only allowed access matching the rules I had set up. To get service back I had to either unbind the access-list, which restored the all access, or add the rules as and when (my preferred option).

set up named objects

name <ip> <name>

set up object-group

object-group network <object group name>

  description <description>

  network-object host <name – as configured with name>

set up access-list (early versions of pix only allow numbered (id) access lists)

access-list <acl id> permit <protocol> any object-group <object group name> eq <port>

bind acl to interface

access-group <acl id> in interface inside

Global nat (apply to all traffic)

global (outside) 1 <start ext ip range>-<finish ext ip range> netmask 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0



Monday, October 03, 2011

IIS7–Self Signed Server Certificate

I had to create a self signed certificate to run on an exchange web access site.

After looking around I have found the following Microsoft tool

selfSSL7.exe (it is for IIS7; there is a selfSSL for IIS 6).

Ref: http://blogs.iis.net/thomad/archive/2010/04/16/setting-up-ssl-made-easy.aspx

This tool allows you to create a certificate for a specified common name, something the GUI in IIS7 does not allow you to do (as it adds the server name).

I had an issue running it on the server where IIS was installed; it kept moaning about a .NET Framework issue. I was nervous about messing about on the server with .NET so I put selfSSL7.exe on to another IIS7 server.

The command I ran was this; it was for blinkdinkowa.blinkydinky.net (an example name), with a key of length 2048, valid for 365 days. It also exported the file to a pfx file, which would allow me to import to the correct server.

selfssl7 /N cn=blinkdinkowa.blinkydinky.net /K 2048 /V 365 /X /F .\blinkdinkowa.blinkydinky.net.pfx /W <password>

So on the correct server I opened IIS, clicked on the server, and opened server certificates. Right clicked and imported the pfx file.

In addition I opened an mmc, with the certificates snap in and imported the certificate into the Trusted Root Certification Authorities. This just allows the server to trust the certificate.

I then jumped into the website bindings in IIS7, and set the https binding to use the new certificate.

