
Archive for February, 2012

Basic Web Server Change Management Process

February 19, 2012

Most companies have external-facing web interfaces: a web site that people can access via the Internet. This article explains the change management process for a simple external-facing web server infrastructure in a small-to-mid-size business environment. The process can be scaled up or down as needed.

 

Design

The design involves a highly available web server architecture as seen below. There are three environments in this design: Development, Test and Production. There is often overlap in terminology between the Dev and Test environments and this can cause confusion. The Test environment is meant to test the entire deployment process. To that end, software developers do not work on code directly in the Test environment.

Note: The Test environment is NOT a development environment.

If a deployment doesn’t work in the Test environment, it is rolled back just as it would be in the Production environment and the software developers must determine the cause for the failed push before deploying again. The Test environment is as close a replica as possible to the Production environment. There is obviously more flexibility in the Test environment than in the Production environment, but it should be understood that the Test environment is a critical and sensitive part of the change management process.

[Figure: Web Server Change Management Design. Simple design of web server change management architecture.]

 

Process

This is a step-by-step breakdown of the change management process for a highly available external facing web server infrastructure. It can be adapted and scaled up or down as needed.

1. Developers develop code
  a. Developers may need Windows Server on their workstation if they do not have a Development server environment.

2. Developers check code into the Change Management System (CMS)

3. Developers push code to the Test environment
  a. This tests the push process and allows developers to fully document the necessary deployment procedures for a push to the Production environment

4. Once code is tested and approved, a Change Request (CR) is created and submitted
  a. The CR contains detailed deployment and rollback instructions
  b. The CR contains the primary developer point-of-contact (PoC) for the deployment
  c. The developer PoC is responsible for testing the change deployed to the Production environment
  d. The CR is reviewed and approved by the Change Control Board (CCB)
    i. Most mid-to-large-size businesses have a CCB or similar entity for this process

5. Change is deployed
  a. Admins remove one server from the cluster
  b. Admins deploy the change per instructions in the CR
  c. The developer PoC tests the change and approves or rejects it
    i. If the change is approved, add the server back to the cluster
      1. Repeat for second web server
    ii. If the change is rejected, the necessity of a rollback must be determined
      1. If a change must be rolled back, a post-mortem and root cause analysis must be performed

 

Challenges (Opportunities)

This process requires removal of a web server from the cluster for testing. This protects the customer from a bad web experience in the case of a failed deployment. It also protects the company from possible down time due to a failed deployment. Not all deployments will go as planned, and not all rollbacks will go as planned. In the event that a deployment fails AND a rollback process fails, both the customer and the business are protected from the potential down time and fallout it would cause. At least one web server will be fully operational during this entire process with the second server to be restored to full operation as soon as possible.

Since a web server is removed from the cluster for testing purposes, a couple of considerations will have to be addressed.

  • The web site on the server will have to be tested using the server’s dedicated IP address, not the cluster address. That means IIS will have to be configured to listen on the server’s dedicated address as well as its NLB address if you are using Microsoft Network Load Balancing (NLB). If a separate device is being used for load balancing the web traffic, IIS should already be configured to listen on the server’s dedicated IP address; make sure network traffic can get to the server’s dedicated IP address through any necessary network devices.

  • The developer PoC may have to modify their hosts file on their local machine to get to the web site on the server’s dedicated IP address. A script can be used for this purpose and is perhaps the simplest option. It is not recommended to modify DNS for this purpose, although that is also an option. When using the server’s DNS name to reach the web site on the server’s dedicated IP address, IIS will have to be configured to listen for the server’s DNS name as a host header entry. This doesn’t work well for servers hosting several web sites on the same IP address.

  • Removing each server from cluster precludes the use of shared storage for web site code. This means a DFS share should not be used for hosting the web site code. In the event that a deployment fails, it will fail on both servers since the code is in a shared repository. This could mean bad customer experience, down time, loss of money, etc. The process is designed to specifically avoid this scenario, so a shared repository for storing web code is out of the question.

  • Server permissions should be configured appropriately in each environment. I will link to an article on server environments here when I get it posted.
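
For the hosts-file option in the list above, the script could look like this. It is an added example, not part of the original article; the script name pinhost.cmd, the marker text and the sample usage values are assumptions. It tags its entry so the pin can be found and removed once the developer PoC has finished testing.

```batch
@echo off
REM Added example, not from the original article.
REM Usage: pinhost.cmd add 10.0.0.11 www.example.com   (constructed sample values)
REM        pinhost.cmd remove
setlocal
set "HOSTS=%SystemRoot%\System32\drivers\etc\hosts"
REM Assumed marker text; every line carrying it belongs to this script.
set "MARK=# change-test-pin"

REM Editing the hosts file needs an elevated prompt; net session fails without one.
net session >nul 2>&1
if errorlevel 1 (
    echo Run this script from an elevated command prompt.
    exit /b 1
)

if /i "%~1"=="add" goto ADD
if /i "%~1"=="remove" goto REMOVE
echo Usage: %~nx0 add ^<dedicated-ip^> ^<site-name^>
echo        %~nx0 remove
exit /b 2

:ADD
if "%~3"=="" (
    echo Both the dedicated IP address and the site name are required.
    exit /b 2
)
REM Drop any earlier pin first so only one tagged entry ever exists.
call :STRIP || exit /b 1
REM The blank line terminates the last existing entry if it had no line ending.
>>"%HOSTS%" echo.
>>"%HOSTS%" echo %~2 %~3 %MARK%
ipconfig /flushdns >nul
echo %~3 now resolves to %~2 on this workstation only.
exit /b 0

:REMOVE
call :STRIP || exit /b 1
ipconfig /flushdns >nul
echo Test pin removed; normal name resolution is restored.
exit /b 0

:STRIP
REM Keep a backup, then rewrite hosts without any line that carries the marker.
copy /y "%HOSTS%" "%HOSTS%.bak" >nul || exit /b 1
findstr /v /l /c:"%MARK%" "%HOSTS%.bak" >"%HOSTS%"
REM findstr returns 1 when it printed no lines; only 2 or higher is a failure.
if errorlevel 2 exit /b 1
exit /b 0
```

Run the remove action as soon as the PoC signs off: a stale pin keeps the workstation on one server after it rejoins the cluster, so later tests would no longer exercise the cluster address.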

 

Overview

The change management process is a critical part of any business practice. The process involves communication and buy-in from the necessary departments and personnel. At a minimum, this means the Infrastructure and Software Development departments must communicate regarding deployments. This relationship is critical to the shared goals of providing an excellent customer experience and of business continuity and growth.

Categories: Change Management

Script to Check or Set Remote Desktop Configuration

February 5, 2012

This script can be used to audit and/or set the Remote Desktop configuration on all Windows servers from Windows 2003 through Windows 2008 R2 and all Windows clients from Windows XP through Windows 7. The steps are as follows:

  1. Check current Remote Desktop setting and set the %RDCFG% variable.
  2. Review the current Remote Desktop setting.
  3. Query to change Remote Desktop setting based on the current configuration.
  4. Change Remote Desktop setting or exit script based on user choice
  5. Review Remote Desktop setting again to validate configuration change.

You can copy and paste the code below or you can download the script here.


@echo off
REM Audit the local Remote Desktop setting and optionally toggle it.
TITLE Check/Set Remote Desktop Configuration
COLOR 17

:RDCHK
REM Read AllowTSConnections into RDCFG: 1 = enabled, 0 = disabled.
FOR /F "skip=1 tokens=1" %%g IN ('wmic rdtoggle get allowtsconnections ^|find " "') DO (set RDCFG=%%g)

:RDRVW
cls
echo.
echo Current Remote Desktop configuration
echo ------------------------------------
echo.
IF /I "%RDCFG%"=="1" (echo Remote Desktop connections are enabled.) ELSE (IF /I "%RDCFG%"=="0" (echo Remote Desktop connections are disabled.))
goto RDQRY

:RDQRY
echo.
REM Offer the opposite of the current state.
IF /I "%RDCFG%"=="0" (goto RDCFG0) ELSE (IF /I "%RDCFG%"=="1" (goto RDCFG1))

:RDCFG0
SET RDENB=
SET /P RDENB=Enable Remote Desktop connections? [y/n/q to quit] %=%
IF /I "%RDENB%"=="y" (goto RDENB) ELSE (IF /I "%RDENB%"=="n" (goto END) ELSE (IF /I "%RDENB%"=="q" (goto END)))
IF /I NOT "%RDENB%"=="y" (IF /I NOT "%RDENB%"=="n" (IF /I NOT "%RDENB%"=="q" goto RDQRY0))

:RDCFG1
SET RDDIS=
SET /P RDDIS=Disable Remote Desktop connections? [y/n/q to quit] %=%
IF /I "%RDDIS%"=="y" (goto RDDIS) ELSE (IF /I "%RDDIS%"=="n" (goto END) ELSE (IF /I "%RDDIS%"=="q" (goto END)))
IF /I NOT "%RDDIS%"=="y" (IF /I NOT "%RDDIS%"=="n" (IF /I NOT "%RDDIS%"=="q" goto RDQRY0))

:RDQRY0
echo.
echo You made an invalid entry - please try again.
echo.
pause
goto RDRVW

:RDENB
echo.
echo Enabling Remote Desktop...
ping localhost -n 3 >NUL
wmic rdtoggle WHERE "ServerName='%computername%'" CALL SetAllowTSConnections 1 >NUL
REM Re-read the setting so the review screen shows the result of the change.
goto RDCHK

:RDDIS
echo.
echo Disabling Remote Desktop...
ping localhost -n 3 >NUL
wmic rdtoggle WHERE "ServerName='%computername%'" CALL SetAllowTSConnections 0 >NUL
goto RDCHK

:END
echo.
echo Exiting script...
echo.
ping localhost -n 5 >NUL
EXIT

 

Notes:

The WMIC call to set the TS connections requires the WHERE clause to work. Since this script uses the ServerName property, you may replace %computername% with the name of a remote server. As long as your user account has permission to access and modify the server via WMI remotely you will be able to check or set the Remote Desktop configuration of the remote server.
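
A read-only audit of the same setting across several servers, as an added example that is not part of the original post. It uses wmic's global /node: switch to reach each machine; servers.txt is a hypothetical input file, and the account running it is assumed to have remote WMI access to every server listed.

```batch
@echo off
REM Added example, not from the original post: read-only Remote Desktop audit.
REM Assumption: servers.txt holds one server name per line, with # for comments.
setlocal EnableDelayedExpansion
set "LIST=%~1"
if not defined LIST set "LIST=servers.txt"
if not exist "%LIST%" (
    echo Server list "%LIST%" not found.
    exit /b 2
)
set /a ENABLED=0, DISABLED=0, FAILED=0

for /f "usebackq eol=# tokens=1" %%s in ("%LIST%") do (
    set "STATE="
    REM /node: is the global wmic switch that runs the query on another machine.
    for /f "skip=1 tokens=1" %%g in ('wmic /node:"%%s" rdtoggle get AllowTSConnections 2^>nul ^| find " "') do set "STATE=%%g"
    if "!STATE!"=="1" (
        echo %%s,enabled
        set /a ENABLED+=1
    ) else if "!STATE!"=="0" (
        echo %%s,disabled
        set /a DISABLED+=1
    ) else (
        REM No value came back: unreachable, access denied, or WMI unavailable.
        echo %%s,unknown
        set /a FAILED+=1
    )
)

echo.
echo Enabled: %ENABLED%  Disabled: %DISABLED%  Unknown: %FAILED%
REM A non-zero exit code lets a scheduled task flag servers that were not audited.
if %FAILED% gtr 0 exit /b 1
exit /b 0
```

The script changes nothing on the servers it queries, so its output can be kept as a baseline and compared between change windows.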

 

These scripts have been tested and are fully functional on Windows Server 2008, Windows Server 2008 R2 and Windows 2003 Server. They are provided with no guarantee and I assume no responsibility for the use or misuse of these scripts or any issues resulting from their use.

Script to Check or Set Windows Firewall

February 4, 2012

This script can be used to audit and/or set the Windows Firewall service on Windows 2003 Server and modify the firewall profile states on Windows 2008, Windows 2008 R2 and Windows 7. I will add Windows XP and Vista at a later date. The steps are as follows:

  1. Check operating system version and set the %OSVER% variable.
  2. If %OSVER% is not set, warn then exit the script.
  3. Review the current Windows Firewall service settings (all operating systems).
  4. Review the current Windows Firewall profile states (2008, 2008 R2 and Windows 7).
  5. Query to change the firewall settings; allow user to exit the script.
  6. If user chooses to change firewall settings, prompt to set Windows Firewall service.
  7. If operating system is NOT Windows 2003, prompt to set each firewall profile state.
  8. Review Windows Firewall settings again to validate configuration change.

You can copy and paste the code below or you can download the script here.


@echo off
REM Audit the Windows Firewall service and profile states and optionally change them.
TITLE Check/Set Windows Firewall Configuration
COLOR 17

:OSCHK
REM Parse the OS caption to set OSVER to 2003, 2008, 2008 R2 or 7.
FOR /F "tokens=4-5 delims=, " %%g IN ('wmic os get caption ^|find /I "Windows"') DO (IF /I "%%g"=="2003" (set OSVER=%%g) ELSE (IF /I "%%g"=="2008" (IF "%%g%%h"=="2008R2" (set OSVER=%%g %%h) ELSE set OSVER=%%g)))
FOR /F "tokens=3 delims= " %%g IN ('wmic os get caption ^|find /I "Windows"') DO (IF /I "%%g"=="7" set OSVER=%%g)

IF /I "%OSVER%"=="" (goto OSWARN) ELSE (goto FWRVW)

:OSWARN
echo.
echo.
echo *************************************
echo WARNING
echo *************************************
echo.
echo This script is designed to run on the following
echo Windows operating systems only:
echo Servers - 2003, 2008, 2008 R2
echo Clients - Windows 7
echo.
goto END

:FWRVW
cls
echo.
echo Current firewall settings
echo -------------------------

:SVCRVW
echo.
SET FWSVC1=
SET FWSVC2=
FOR /F "tokens=2 skip=2 delims=," %%g IN ('wmic service WHERE "DisplayName='Windows Firewall'" get state /format:csv') DO (set FWSVC1=%%g)
FOR /F "tokens=2 skip=2 delims=," %%g IN ('wmic service WHERE "DisplayName='Windows Firewall'" get startmode /format:csv') DO (set FWSVC2=%%g)
echo Service State: %FWSVC1%
echo Service Startup: %FWSVC2%

REM Windows 2003 has no firewall profiles, so skip the netsh advfirewall review there.
IF /I "%OSVER%"=="2003" goto FWQRY

:PRFRVW
echo.
FOR /F "tokens=2 delims= " %%g IN ('netsh advfirewall show domainprofile ^|find "State"') DO (set FWDOM=%%g)
FOR /F "tokens=2 delims= " %%g IN ('netsh advfirewall show privateprofile ^|find "State"') DO (set FWPRV=%%g)
FOR /F "tokens=2 delims= " %%g IN ('netsh advfirewall show publicprofile ^|find "State"') DO (set FWPUB=%%g)
echo Domain Profile: %FWDOM%
echo Private Profile: %FWPRV%
echo Public Profile: %FWPUB%

:FWQRY
echo.
SET FWQRY=
SET /P FWQRY=Do you need to change the firewall settings? (y/n/q to quit): %=%
echo.
IF /I "%FWQRY%"=="y" (goto FWSVC) ELSE (IF /I "%FWQRY%"=="n" (goto END) ELSE (IF /I "%FWQRY%"=="q" (goto END)))
IF /I NOT "%FWQRY%"=="y" (IF /I NOT "%FWQRY%"=="n" (IF /I NOT "%FWQRY%"=="q" goto FWQRY0))

:FWQRY0
echo.
echo You made an invalid entry - please try again.
echo.
pause
goto FWRVW

:FWSVC
cls
echo.
SET FWSVC=
echo Set Windows Firewall service startup type:
echo 1. Automatic
echo 2. Manual
echo 3. Disabled
SET /P FWSVC= %=%

IF /I "%FWSVC%"=="1" (goto SVCAUT) ELSE (IF /I "%FWSVC%"=="2" (goto SVCMAN) ELSE (IF /I "%FWSVC%"=="3" (goto SVCDIS)))
IF /I NOT "%FWSVC%"=="1" (IF /I NOT "%FWSVC%"=="2" (IF /I NOT "%FWSVC%"=="3" goto FWSVC0))

:FWSVC0
echo.
echo You made an invalid entry - please try again.
echo.
pause
goto FWSVC

:SVCAUT
REM Set startup to Automatic and start the service if it was stopped.
wmic service WHERE "DisplayName='Windows Firewall'" CALL ChangeStartMode Automatic >NUL
IF /I "%FWSVC1%"=="Stopped" (wmic service WHERE "DisplayName='Windows Firewall'" CALL StartService >NUL)
IF /I NOT "%OSVER%"=="2003" (goto FWPRF) ELSE (goto FWRVW)

:SVCMAN
wmic service WHERE "DisplayName='Windows Firewall'" CALL ChangeStartMode Manual >NUL
IF /I NOT "%OSVER%"=="2003" (goto FWPRF) ELSE (goto FWRVW)

:SVCDIS
REM Set startup to Disabled and stop the service if it was running.
wmic service WHERE "DisplayName='Windows Firewall'" CALL ChangeStartMode Disabled >NUL
IF /I "%FWSVC1%"=="Running" (wmic service WHERE "DisplayName='Windows Firewall'" CALL StopService >NUL)
IF /I NOT "%OSVER%"=="2003" (goto FWPRF) ELSE (goto FWRVW)

:FWPRF
IF /I NOT "%OSVER%"=="2003" (goto PRFDOM) ELSE (goto END)

:PRFDOM
cls
echo.
SET PRFDOM=
SET /P PRFDOM=Set Domain Profile on/off: (on/off/q to quit) %=%

IF /I "%PRFDOM%"=="on" (netsh advfirewall set domainprofile state on >NUL) ELSE (IF /I "%PRFDOM%"=="off" (netsh advfirewall set domainprofile state off >NUL) ELSE (IF /I "%PRFDOM%"=="q" (goto END)))
IF /I NOT "%PRFDOM%"=="on" (IF /I NOT "%PRFDOM%"=="off" (IF /I NOT "%PRFDOM%"=="q" goto PRFDOM0))
goto PRFPRV

:PRFDOM0
echo.
echo You made an invalid entry - please try again.
echo.
pause
goto PRFDOM

:PRFPRV
cls
echo.
SET PRFPRV=
SET /P PRFPRV=Set Private Profile on/off: (on/off/q to quit) %=%

IF /I "%PRFPRV%"=="on" (netsh advfirewall set privateprofile state on >NUL) ELSE (IF /I "%PRFPRV%"=="off" (netsh advfirewall set privateprofile state off >NUL) ELSE (IF /I "%PRFPRV%"=="q" (goto END)))
IF /I NOT "%PRFPRV%"=="on" (IF /I NOT "%PRFPRV%"=="off" (IF /I NOT "%PRFPRV%"=="q" goto PRFPRV0))
goto PRFPUB

:PRFPRV0
echo.
echo You made an invalid entry - please try again.
echo.
pause
goto PRFPRV

:PRFPUB
cls
echo.
SET PRFPUB=
SET /P PRFPUB=Set Public Profile on/off: (on/off/q to quit) %=%

IF /I "%PRFPUB%"=="on" (netsh advfirewall set publicprofile state on >NUL) ELSE (IF /I "%PRFPUB%"=="off" (netsh advfirewall set publicprofile state off >NUL) ELSE (IF /I "%PRFPUB%"=="q" (goto END)))
IF /I NOT "%PRFPUB%"=="on" (IF /I NOT "%PRFPUB%"=="off" (IF /I NOT "%PRFPUB%"=="q" goto PRFPUB0))
goto FWRVW

:PRFPUB0
echo.
echo You made an invalid entry - please try again.
echo.
pause
goto PRFPUB

:END
echo Exiting script...
echo.
ping localhost -n 5 >NUL
EXIT

 

Notes:

On Windows 2003 Server, the script checks and sets only the Windows Firewall service.
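
A non-interactive variant of the review steps, as an added example that is not part of the original post: it reports the service and profile states and returns an exit code, so it can run as a scheduled check. It assumes Windows 2008, 2008 R2 or 7 with English netsh output, and uses the service name MpsSvc, which does not appear in the script above.

```batch
@echo off
REM Added example, not from the original post: non-interactive firewall check.
REM Assumptions: Windows 2008, 2008 R2 or 7, English netsh output, and the
REM service name MpsSvc for the Windows Firewall service on those versions.
setlocal EnableDelayedExpansion
set /a BAD=0

REM Profile states only take effect while the firewall service is running.
sc query MpsSvc | find "RUNNING" >nul
if errorlevel 1 (
    echo service: not running
    set /a BAD+=1
) else (
    echo service: running
)

REM Same netsh query as the interactive script, once per profile.
for %%p in (domainprofile privateprofile publicprofile) do (
    set "STATE="
    for /f "tokens=2" %%g in ('netsh advfirewall show %%p ^| find "State"') do set "STATE=%%g"
    REM An empty result means the State line was not found, so treat it as a finding.
    if not defined STATE set "STATE=unknown"
    if /i "!STATE!"=="ON" (
        echo %%p: ON
    ) else (
        echo %%p: !STATE!
        set /a BAD+=1
    )
)

REM Exit code 0 means the service is running and all three profiles are ON.
if %BAD% gtr 0 (
    echo Findings: %BAD%
    exit /b 1
)
echo Firewall service and all profiles are in the expected state.
exit /b 0
```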

 


Script to Check or Set Time Zone

February 3, 2012

This script can be used to audit and/or set the Time Zone on Windows 2003 Server, Windows 2008, Windows 2008 R2 and Windows 7.  I will add Windows XP and Vista at a later date. The steps are as follows:

  1. Check operating system version and set the %OSVER% variable.
  2. If %OSVER% is not set, warn then exit the script.
  3. Review the current system time zone setting.
  4. Query to change the time zone; allow user to exit the script.
  5. If user chooses to change the time zone, offer US time zones to select from.
  6. If user selects a time zone, run code based on %OSVER%.
  7. If user selects a different time zone, open date/time Control Panel to manually set.
  8. Review the time zone settings again to validate configuration change.

Windows 2008 requires the use of tzone.exe. You can download tzone.exe here.

You can copy and paste the code below or you can download the script here.


@echo off
REM Audit the system time zone and optionally change it to a US time zone.
TITLE Check/Set Time Zone Configuration
COLOR 17

:OSCHK
REM Parse the OS caption to set OSVER to 2003, 2008, 2008R2 or 7.
FOR /F "tokens=4-5 delims=, " %%g IN ('wmic os get caption ^|find /I "Windows"') DO (IF /I "%%g"=="2003" (set OSVER=%%g) ELSE (IF /I "%%g"=="2008" (IF "%%g%%h"=="2008R2" (set OSVER=%%g%%h) ELSE set OSVER=%%g)))
FOR /F "tokens=3 delims= " %%g IN ('wmic os get caption ^|find /I "Windows"') DO (IF /I "%%g"=="7" set OSVER=%%g)

IF /I "%OSVER%"=="" (goto OSWARN) ELSE (goto TZRVW)

:OSWARN
echo.
echo.
echo *************************************
echo WARNING
echo *************************************
echo.
echo This script is designed to run on the following
echo Windows operating systems only:
echo Servers - 2003, 2008, 2008 R2
echo Clients - Windows 7
echo.
goto END

:TZRVW
cls
echo.
echo The time zone on this machine is:
FOR /F "skip=1 tokens=*" %%g IN ('wmic timezone get description ^|find " "') Do (@echo %%g)
goto TZQRY

:TZQRY
echo.
SET TZQRY=
SET /P TZQRY=Do you need to change the Time Zone? (y/n/q to quit): %=%
echo.
IF /I "%TZQRY%"=="y" (goto TZSEL) ELSE (IF /I "%TZQRY%"=="n" (goto END) ELSE (IF /I "%TZQRY%"=="q" (goto END)))
IF /I NOT "%TZQRY%"=="y" (IF /I NOT "%TZQRY%"=="n" (IF /I NOT "%TZQRY%"=="q" goto TZQRY0))

:TZQRY0
echo.
echo You made an invalid entry - please try again.
echo.
pause
goto TZRVW

:TZSEL
cls
echo.
echo Which Time Zone should this machine have?
echo 1. Pacific Time
echo 2. Mountain Time
echo 3. Arizona
echo 4. Central Time
echo 5. Eastern Time
echo 6. Other

echo.
SET SYSTZ=
SET /P SYSTZ= %=%
IF /I "%SYSTZ%"=="1" (goto TZPAC) ELSE (IF /I "%SYSTZ%"=="2" (goto TZMTN) ELSE (IF /I "%SYSTZ%"=="3" (goto TZARZ) ELSE (IF /I "%SYSTZ%"=="4" (goto TZCEN) ELSE (IF /I "%SYSTZ%"=="5" (goto TZEAS) ELSE (IF /I "%SYSTZ%"=="6" (goto TZOTH))))))
IF /I NOT "%SYSTZ%"=="1" (IF /I NOT "%SYSTZ%"=="2" (IF /I NOT "%SYSTZ%"=="3" (IF /I NOT "%SYSTZ%"=="4" (IF /I NOT "%SYSTZ%"=="5" (IF /I NOT "%SYSTZ%"=="6" (goto TZSEL0))))))

:TZSEL0
echo.
echo You have made an invalid entry - please try again.
echo.
pause
goto TZSEL

REM Each branch below picks the tool for the detected OS:
REM 2003 = timedate.cpl, 2008 = tzone.exe, 2008 R2 and 7 = tzutil.exe.
:TZPAC
IF /I "%OSVER%"=="2003" (control timedate.cpl,,/Z Pacific Standard Time) ELSE (IF /I "%OSVER%"=="2008" (tzone -Zone Pacific Time) ELSE (IF /I "%OSVER%"=="2008R2" (tzutil /s "Pacific Standard Time") ELSE (IF /I "%OSVER%"=="7" (tzutil /s "Pacific Standard Time"))))
goto TZRVW

:TZMTN
IF /I "%OSVER%"=="2003" (control timedate.cpl,,/Z Mountain Standard Time) ELSE (IF /I "%OSVER%"=="2008" (tzone -Zone Mountain Time) ELSE (IF /I "%OSVER%"=="2008R2" (tzutil /s "Mountain Standard Time") ELSE (IF /I "%OSVER%"=="7" (tzutil /s "Mountain Standard Time"))))
goto TZRVW

:TZARZ
IF /I "%OSVER%"=="2003" (control timedate.cpl,,/Z US Mountain Standard Time) ELSE (IF /I "%OSVER%"=="2008" (tzone -Zone Arizona) ELSE (IF /I "%OSVER%"=="2008R2" (tzutil /s "US Mountain Standard Time") ELSE (IF /I "%OSVER%"=="7" (tzutil /s "US Mountain Standard Time"))))
goto TZRVW

:TZCEN
IF /I "%OSVER%"=="2003" (control timedate.cpl,,/Z Central Standard Time) ELSE (IF /I "%OSVER%"=="2008" (tzone -Zone "Central Time (US & Canada)") ELSE (IF /I "%OSVER%"=="2008R2" (tzutil /s "Central Standard Time") ELSE (IF /I "%OSVER%"=="7" (tzutil /s "Central Standard Time"))))
goto TZRVW

:TZEAS
IF /I "%OSVER%"=="2003" (control timedate.cpl,,/Z Eastern Standard Time) ELSE (IF /I "%OSVER%"=="2008" (tzone -Zone Eastern Time) ELSE (IF /I "%OSVER%"=="2008R2" (tzutil /s "Eastern Standard Time") ELSE (IF /I "%OSVER%"=="7" (tzutil /s "Eastern Standard Time"))))
goto TZRVW

:TZOTH
echo.
echo Control Panel will now open so you
echo can set the time zone manually.
start control timedate.cpl
echo.
pause
goto TZRVW

:END
echo Exiting script...
echo.
ping localhost -n 5 >NUL
EXIT

 

Notes:

Since each line of a batch file causes the whole file to be processed again until it reaches the next line, I put as much logic in a single line as possible. That means several nested IF statements where necessary.

The script will open the date/time Control Panel to modify the time zone on Windows 2003 Server.

Windows 2008 Server requires the use of tzone.exe to modify the time zone.

Windows 2008 R2 Server uses native tzutil.exe to modify the time zone.

 


Script to Find Operating System Version

February 2, 2012

The code below will set a variable if the operating system is Windows 2003, Windows 2008, Windows 2008 R2 or Windows 7.  I will add Windows XP and Vista at a later date.

:OSCHK

REM Token 4 of the OS caption is the version year; token 5 is R2 on Windows 2008 R2.
FOR /F "tokens=4-5 delims=, " %%g IN ('wmic os get caption ^|find /I "Windows"') DO (IF /I "%%g"=="2003" (set OSVER=%%g) ELSE (IF /I "%%g"=="2008" (IF "%%g%%h"=="2008R2" (set OSVER=%%g%%h) ELSE set OSVER=%%g)))

REM Windows 7 captions carry the version number as token 3.
FOR /F "tokens=3 delims= " %%g IN ('wmic os get caption ^|find /I "Windows"') DO (IF /I "%%g"=="7" set OSVER=%%g)

 

Notes:

Since each line of a batch file causes the whole file to be processed again until it reaches the next line, I put as much logic in a single line as possible. That means several nested IF statements where necessary.

The variable %OSVER% is set and can be used to process code in other parts of the script that depend on the operating system version. It is suggested to use another nested IF statement directly after this code that will take the script to the part of your file that runs code based on the operating system version.

 
