I wrote this script to help me keep an eye on the servers in the environments that I work in. The intention with the script is to provide a real-time web based report on the current status of all servers in the environment. I also decided to employ CSS techniques to give a visual sign of the status. The result is a web page that lists all servers with the domain, operating system version, service pack information and IP address in a table. It also has a link that downloads an RDP configuration file for the server. This effectively allows you to open an RDP session to the server with just one click (very handy I thought). There is also a column that gives a visual indication of whether the server is online or offline. The background that surrounds the table is also indicative of the status, turning from green to orange when any server goes offline.
There are several aspects that can be customised to suit your needs, like providing a list of servers to be excluded from status checking (if you have planned extended downtime). There is an INI file that contains a number of custom settings which allow you to define a heading for the report, alternative domain specification, whether to copy the report to a web server and so on. I go into more detail on the settings further down.
One new option that I have allowed for in this script is the encrypting of passwords. This is necessary if alternative credentials need to be supplied for calls to WMI or access to the web server when copying the report. The encryption is done prior to running the script using the OPENSSL utility. The resulting hash string is then placed in the INI file. The script uses OPENSSL to decrypt the password, which it then uses to authenticate. This is not to be considered a secure method of hiding the password; it is simply intended to hide it from plain view of prying eyes. If a more secure method is needed please contact me and I will throw some ideas around. It can be done, but quite a lot of thought will be needed to make it acceptable from a security perspective.
Another option I have decided to include is a check for VMWare. In some environments it can be useful to know whether the server is running as a virtual machine or on physical hardware.
There are other options that could be utilised, like checking if a service is running or extracting other data from WMI. I have also done one with a check for an open port, which could be useful for determining whether certain network services are active. I am open to any suggestions for other features, so drop me a line if you have any good ideas.
The script includes the following information in the report:
- Server Name
- DNS Domain
- Operating System
- Service Pack
- OS Version
- IP Address
- VMWare? (optional)
- RDP access link and status
- Host status
The script contains the batch file, an INI file, OPENSSL.EXE and a number of GIF and ASP files for the report and RDP link.
- DASHBOARD.CMD – this is the main script file.
- DASHBOARD.INI – this is the INI file that contains all the customisations.
- OPENSSL.EXE – used for encrypting and decrypting passwords.
- SED15.EXE – used for dealing with special characters in the encrypted password.
- RDP.ASPX – .NET file used to produce the RDP file.
- RDP.ASP – Non .NET file used to produce the RDP file.
- WEB.CONFIG – needed on IIS to get user credentials through the browser.
- RDP.GIF – icon for the RDP link.
- VM.GIF – icon displayed when server is a virtual machine.
- TICK.GIF – green tick icon used for service state (if this option is ever made available).
- CROSS.GIF – red cross icon used for service state (if this option is ever made available).
- EXCLUSIONS.TXT – file to list servers to be excluded from the global status.
Other files that are required:
- DSQUERY.EXE – for getting server info from Active Directory. Should be on any AD server.
- PING.EXE – for checking availability. Part of the Windows OS.
- NSLOOKUP.EXE – for retrieving IP addresses. Part of the Windows OS.
- WMIC.EXE – used for getting VMWare info. Part of the Windows OS.
- PORTQRY.EXE – required for checking whether the RDP port is listening. Included in the zip file.
The report is basically a table with all the data and links. At the top of the page there is a page title that can be customised in the INI file followed by a filter function, counter and date/time stamp. At the bottom is an indication of the script execution duration.
Some filter tips:
- offline – find all offline servers
- red – find all offline servers not in the exclusion list
- green – find all online servers
- orange – find all servers that have RDP offline
- 192.168.1 – find all servers in the 192.168.1.0 subnet
- vm. – find all servers hosted on VMWare
- iis – find all servers with ‘iis’ in the server name.
Here is an example of what the report looks like. Please note that the RDP links are generated by PHP, not ASP since this web server is not of the Microsoft variety. The links will also not connect to anything as they are private addresses and for reference only.
How it works
The first thing the script does is read the INI file. It sets variables for each setting that has been defined and assigns default values for those that haven’t.
DSQUERY is then used to get a list of servers from AD. If a domain has been specified, it is used, otherwise the %dnsdomain% system variable is used. It’s worth noting that multiple domains can be specified, but only one username can be used. If no username is specified the %username% system variable is used. The domain name is automatically inserted in the authentication call for each domain.
In the same loop, DSQUERY is used again for each server to gather domain, OS version and SP level information. NSLOOKUP is then used to get an IP address. I use NSLOOKUP to ensure that I am not getting cached records. Any Windows AD infrastructure should also be heavily reliant on DNS, so it’s the better tool to use.
The above process may take a while, depending on the number of servers and the speed of the network. It should also be noted that DSQUERY seems to be quite processor intensive (thanks Microsoft) so expect to see some high CPU usage.
Once all this information has been gathered the report is generated. The actual status checks are done while the report is being built.
WMIC is used to get the CSPRODUCT info to check if the server is a VMWare node. If alternative credentials are supplied in the INI file these are used in the call to WMIC.
PORTQRY is used to check the RDP port on the server. If the port is not listening the background of the cell is set to orange, otherwise it’s green.
PING is then used to check if the server is online. If it is then the background of the last cell in the row is set to green, otherwise it is set to red with the caption ‘Offline’.
Once the report has been completed, the time taken to run the queries is calculated and displayed at the bottom. If the ‘copytoweb’ option is specified the report and associated files are copied to the location specified in the INI file, using alternative credentials if supplied.
The script then returns to the beginning after a pause. This pause is set to be the number of minutes specified in the ‘runevery’ setting minus the time taken to run the report. If the report took longer than the ‘runevery’ setting then the report runs again immediately.
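The status and timing rules described above, written out as an added PowerShell example; this is not the original batch code. The function names, the `excluded` class given to offline hosts on the exclusion list, and the SRV01 to SRV03 server names are assumptions made for illustration.

```powershell
# Added example, not the original batch code. Function names are hypothetical;
# the 'excluded' class for offline hosts on the exclusion list is an assumption.
function Test-TcpPort {
    # TCP connect with a timeout, standing in for the PORTQRY check on RDP.
    param([string]$HostName, [int]$Port = 3389, [int]$TimeoutMs = 1000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-ServerStatus {
    # Probes are script blocks so they can be replaced with stubs for testing.
    param([string]$Name, [string[]]$Exclusions = @(),
          [scriptblock]$Ping = { param($n) Test-Connection -ComputerName $n -Count 1 -Quiet },
          [scriptblock]$Rdp  = { param($n) Test-TcpPort -HostName $n })
    $online   = [bool](& $Ping $Name)
    $rdpUp    = [bool](& $Rdp $Name)
    $excluded = $Exclusions -contains $Name
    [pscustomobject]@{
        Name      = $Name
        RdpClass  = if ($rdpUp) { 'green' } else { 'orange' }
        HostClass = if ($online) { 'green' } elseif ($excluded) { 'excluded' } else { 'red' }
        Caption   = if ($online) { '' } else { 'Offline' }
        Alerts    = (-not $online) -and (-not $excluded)   # counts toward page colour
    }
}

function Get-PageBackground {
    # Orange as soon as one non-excluded server is offline, otherwise green.
    param([object[]]$Rows)
    if (@($Rows | Where-Object { $_.Alerts }).Count -gt 0) { 'orange' } else { 'green' }
}

function Get-PauseSeconds {
    # 'runevery' minutes minus the run time; zero means run again immediately.
    param([int]$RunEveryMinutes, [timespan]$Elapsed)
    [math]::Max(0, [int]($RunEveryMinutes * 60 - $Elapsed.TotalSeconds))
}

# Constructed sample: stub probes so the logic runs without touching a network.
$down = 'SRV02', 'SRV03'
$rows = 'SRV01', 'SRV02', 'SRV03' | ForEach-Object {
    Get-ServerStatus -Name $_ -Exclusions 'SRV03' -Ping { param($n) $down -notcontains $n } -Rdp { param($n) $n -eq 'SRV01' }
}
$rows | Format-Table Name, RdpClass, HostClass, Caption
"Page background: $(Get-PageBackground $rows); next run in $(Get-PauseSeconds 5 ([timespan]::FromSeconds(40))) s"
```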
Running the script
Because the script loops constantly until forcibly stopped, I recommend running it as a service. For testing and debugging purposes it is fine to run from a command prompt, but the user would have to remain logged in for the script to function.
Instructions on how to set it up as a service can be found here.
The first thing that needs to be done is to define any custom settings in the INI file. The following is a breakdown of the settings:
- PageTitle – Custom Page Title for the report
- RunEvery – Run Script Every ??? Minutes. Must be an integer value.
- DomainList – Domain List in DN (distinguished name) format, surrounded in quotes and separated by spaces. For example: "DC=my,DC=domain,DC=com" "DC=your,DC=domain,DC=com"
- CheckVM – Check if servers are VMWare nodes. Will accept yes or no.
- WMIAuth – Use credentials to authenticate for WMIC when doing VM Check. Will accept yes or no.
- WMIUser – User name to use for WMIC authentication when doing VM check (just user, no domain)
- PWHash – Use hashed password for WMIC authentication when doing VM check. Instructions for encrypting the password can be found below.
- ReportFile – Custom Report file. Default is default.htm. This is the file that is copied to the web server.
- Filter – Custom Filter to use. Use this if you need to apply a filter to the server list returned from DSQUERY. Use a minus sign(-) to exclude server names with the specified string, no minus sign to only include server names with the specified string.
- CopyToWeb – Copy report to web server? Will accept yes or no.
- WebUNC – UNC path to folder on web server, for example: \\mywebserver\webroot
- WebUser – User to authenticate as for web server (leave blank if using same account as script)
- WebPWHash – Use hashed password for Web server authentication
Once the settings are done, simply run the script.
Encrypting the password
If you need to include alternative credentials, you need to encrypt the password for inclusion in the INI file. To do this, I have included a small batch file to generate the hash. It uses the username, domain name and GUID of the computer to generate the hash, so this must be done on the same computer that will run the script. To create the hash, enter ENCPW at the command-line, enter the password that is needed for the account that will run the script and press enter. The hash will then be displayed. Copy the hash and insert it into the INI file.
CAUTION: When you enter the password it will be displayed on the screen. Be sure that there are no prying eyes in the area when you do this.
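For comparison with the OPENSSL approach described above, here is an added PowerShell example (not part of the original script) that protects the stored password with Windows DPAPI, so the key is held by the operating system for the user account rather than built from the username, domain name and computer GUID, and the prompt does not echo what is typed. The function names and the one-line `PWHash=<value>` layout of the INI file are assumptions; any process running as the same account on the same computer can still recover the password.

```powershell
# Added example, not part of DASHBOARD.CMD. Function names and the one-line
# "PWHash=<value>" layout in the INI file are assumptions for illustration.

function Protect-IniPassword {
    # Prompt without echo, then protect with DPAPI (current user, this machine).
    param([Parameter(Mandatory)][string]$IniPath, [string]$Key = 'PWHash')

    $secure = Read-Host -Prompt "Password for $Key" -AsSecureString
    # With no -Key or -SecureKey, ConvertFrom-SecureString uses DPAPI and
    # returns the protected value as a hex string.
    $blob = ConvertFrom-SecureString -SecureString $secure

    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*=.*$'
    $lines = @(Get-Content -LiteralPath $IniPath)
    if ($lines -match $pattern) {
        $lines = $lines -replace $pattern, "$Key=$blob"   # update existing entry
    } else {
        $lines += "$Key=$blob"                            # or append a new one
    }
    Set-Content -LiteralPath $IniPath -Value $lines
}

function Get-IniCredential {
    # Rebuild a credential object from the protected value. This throws unless
    # it runs as the account, and on the computer, that protected the value.
    param([Parameter(Mandatory)][string]$IniPath,
          [Parameter(Mandatory)][string]$UserName,
          [string]$Key = 'PWHash')

    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*=\s*(.+)$'
    $line = Get-Content -LiteralPath $IniPath |
        Where-Object { $_ -match $pattern } | Select-Object -First 1
    if (-not $line) { throw "No $Key entry found in $IniPath" }

    $null = $line -match $pattern
    $secure = ConvertTo-SecureString -String $Matches[1].Trim()
    New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

# Usage (the account name is a placeholder):
#   Protect-IniPassword -IniPath .\DASHBOARD.INI -Key PWHash
#   $cred = Get-IniCredential -IniPath .\DASHBOARD.INI -UserName 'DOMAIN\svc-dashboard'
```

Run `Protect-IniPassword` while logged on as the account the service runs under, because a value protected by any other account or on another computer will not decrypt.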