Der komplette Weg zum Senior Windows System Administrator

Ein umfassender, praxisorientierter Leitfaden für die Windows-Systemadministration. Beachte: „Senior“ bedeutet normalerweise 5-10 Jahre Berufserfahrung, aber dieser Guide zeigt dir alles Wichtige.

1. Active Directory – Das Herzstück

Active Directory Domain Services (AD DS)

Als Senior Windows Admin ist Active Directory dein tägliches Werkzeug. Du musst es komplett beherrschen.

Domain Controller einrichten

Voraussetzungen:

• Windows Server 2019/2022
• Statische IP-Adresse
• DNS korrekt konfiguriert
• Sinnvoller Hostname

Installation via PowerShell:

# Active Directory installieren
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Domain Controller promoten (neue Forest)
Install-ADDSForest `
    -DomainName "contoso.local" `
    -DomainNetbiosName "CONTOSO" `
    -ForestMode "WinThreshold" `
    -DomainMode "WinThreshold" `
    -InstallDns `
    -SafeModeAdministratorPassword (ConvertTo-SecureString "P@ssw0rd123!" -AsPlainText -Force) `
    -Force

# Zusätzlichen DC hinzufügen (Redundanz!)
Install-ADDSDomainController `
    -DomainName "contoso.local" `
    -InstallDns `
    -Credential (Get-Credential) `
    -SafeModeAdministratorPassword (ConvertTo-SecureString "P@ssw0rd123!" -AsPlainText -Force)

Organizational Units (OUs) Struktur

Eine saubere OU-Struktur ist essentiell für Group Policy Management:

# OU-Struktur erstellen
New-ADOrganizationalUnit -Name "CONTOSO" -Path "DC=contoso,DC=local"
New-ADOrganizationalUnit -Name "Computers" -Path "OU=CONTOSO,DC=contoso,DC=local"
New-ADOrganizationalUnit -Name "Workstations" -Path "OU=Computers,OU=CONTOSO,DC=contoso,DC=local"
New-ADOrganizationalUnit -Name "Servers" -Path "OU=Computers,OU=CONTOSO,DC=contoso,DC=local"
New-ADOrganizationalUnit -Name "Users" -Path "OU=CONTOSO,DC=contoso,DC=local"
New-ADOrganizationalUnit -Name "Departments" -Path "OU=Users,OU=CONTOSO,DC=contoso,DC=local"
New-ADOrganizationalUnit -Name "IT" -Path "OU=Departments,OU=Users,OU=CONTOSO,DC=contoso,DC=local"
New-ADOrganizationalUnit -Name "HR" -Path "OU=Departments,OU=Users,OU=CONTOSO,DC=contoso,DC=local"
New-ADOrganizationalUnit -Name "Groups" -Path "OU=CONTOSO,DC=contoso,DC=local"
New-ADOrganizationalUnit -Name "Service-Accounts" -Path "OU=CONTOSO,DC=contoso,DC=local"

Best Practice OU-Struktur:

Domain Root
├── CONTOSO (Company OU)
    ├── Computers
    │   ├── Workstations
    │   │   ├── Windows10
    │   │   └── Windows11
    │   ├── Servers
    │   │   ├── File-Servers
    │   │   ├── Web-Servers
    │   │   └── Database-Servers
    │   └── Laptops
    ├── Users
    │   ├── Departments
    │   │   ├── IT
    │   │   ├── HR
    │   │   ├── Finance
    │   │   └── Sales
    │   └── Admins (Protected)
    ├── Groups
    │   ├── Security-Groups
    │   └── Distribution-Groups
    └── Service-Accounts

User- und Group-Management

User erstellen (PowerShell – professioneller Weg):

# Einzelner User
New-ADUser `
    -Name "Max Mustermann" `
    -GivenName "Max" `
    -Surname "Mustermann" `
    -SamAccountName "mmustermann" `
    -UserPrincipalName "mmustermann@contoso.local" `
    -EmailAddress "max.mustermann@contoso.com" `
    -Path "OU=IT,OU=Departments,OU=Users,OU=CONTOSO,DC=contoso,DC=local" `
    -AccountPassword (ConvertTo-SecureString "TempP@ss123!" -AsPlainText -Force) `
    -Enabled $true `
    -ChangePasswordAtLogon $true `
    -Department "IT" `
    -Title "System Administrator" `
    -Company "Contoso GmbH" `
    -OfficePhone "+49 30 12345678" `
    -MobilePhone "+49 170 1234567"

# User aus CSV importieren (Bulk-Operations)
Import-Csv "C:\Users.csv" | ForEach-Object {
    New-ADUser `
        -Name "$($_.FirstName) $($_.LastName)" `
        -GivenName $_.FirstName `
        -Surname $_.LastName `
        -SamAccountName $_.Username `
        -UserPrincipalName "$($_.Username)@contoso.local" `
        -EmailAddress $_.Email `
        -Path $_.OUPath `
        -AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -Force) `
        -Enabled $true `
        -ChangePasswordAtLogon $true
}

Group Management:

# Security Group erstellen
New-ADGroup `
    -Name "IT-Admins" `
    -GroupScope Global `
    -GroupCategory Security `
    -Path "OU=Security-Groups,OU=Groups,OU=CONTOSO,DC=contoso,DC=local" `
    -Description "IT Department Administrators"

# User zu Gruppe hinzufügen
Add-ADGroupMember -Identity "IT-Admins" -Members "mmustermann","jdoe"

# User aus Gruppe entfernen
Remove-ADGroupMember -Identity "IT-Admins" -Members "mmustermann" -Confirm:$false

# Gruppen-Mitgliedschaften anzeigen
Get-ADPrincipalGroupMembership -Identity "mmustermann" | Select-Object Name

# Alle Mitglieder einer Gruppe anzeigen
Get-ADGroupMember -Identity "IT-Admins" -Recursive | Select-Object Name,SamAccountName

Group Policy Objects (GPOs)

GPOs sind das mächtigste Werkzeug für zentrale Konfiguration.

GPO-Management Grundlagen:

# Neue GPO erstellen
New-GPO -Name "Workstation-Security-Policy"

# GPO mit OU verknüpfen
New-GPLink `
    -Name "Workstation-Security-Policy" `
    -Target "OU=Workstations,OU=Computers,OU=CONTOSO,DC=contoso,DC=local"

# GPO-Status prüfen
Get-GPOReport -Name "Workstation-Security-Policy" -ReportType Html -Path "C:\GPOReport.html"

# Alle GPOs auflisten
Get-GPO -All | Select-Object DisplayName,GpoStatus,CreationTime

# GPO Backup
Backup-GPO -Name "Workstation-Security-Policy" -Path "C:\GPO-Backups"

# GPO Restore
Restore-GPO -Name "Workstation-Security-Policy" -Path "C:\GPO-Backups"

Wichtige GPO-Settings (Beispiele):

1. Password Policy:

• Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy

Minimum password length: 12 characters
Password complexity: Enabled
Maximum password age: 90 days
Minimum password age: 1 day
Password history: 24 passwords

2. Account Lockout Policy:

Account lockout threshold: 5 invalid attempts
Account lockout duration: 30 minutes
Reset account lockout counter after: 30 minutes

3. Windows Firewall:

# Via GPO Registry
Set-GPRegistryValue -Name "Workstation-Security-Policy" `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" `
    -ValueName "EnableFirewall" `
    -Type DWord -Value 1

4. Software Deployment via GPO:

# MSI-Paket über GPO verteilen
# Computer Configuration → Policies → Software Settings → Software installation
# → New → Package → Wähle \\server\share\package.msi
# Deployment Type: Assigned (automatische Installation)

5. Drive Mapping (Netzlaufwerke):

User Configuration → Preferences → Windows Settings → Drive Maps
→ New → Mapped Drive
Drive Letter: H:
Location: \\fileserver\home\%username%
Reconnect: Enabled
Label: Home Directory

6. Folder Redirection (wichtig für Roaming Profiles):

User Configuration → Policies → Windows Settings → Folder Redirection
→ Documents → Properties
Setting: Basic - Redirect everyone's folder
Target folder location: \\fileserver\redirected\%username%\Documents

GPO Troubleshooting:

# GPO auf Client aktualisieren
gpupdate /force

# Resultant Set of Policy (RSoP) - Was wird wirklich angewendet?
gpresult /H C:\gpresult.html
gpresult /R  # Zusammenfassung in Console

# GPO-Verarbeitung tracen
gpresult /V  # Verbose output

Active Directory Replikation

Replikations-Status prüfen:

# Replikations-Status aller DCs
repadmin /replsummary

# Detaillierte Replikationsinformationen
repadmin /showrepl

# Erzwungene Replikation
repadmin /syncall /AdeP

# Replikations-Topologie anzeigen
repadmin /showvector DC=contoso,DC=local

# FSMO-Rollen anzeigen (wichtig!)
netdom query fsmo

# FSMO-Rollen verschieben (bei DC-Ausfall)
Move-ADDirectoryServerOperationMasterRole `
    -Identity "DC02" `
    -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster

Die 5 FSMO-Rollen (Forest/Domain-weit):

1. Schema Master (Forest): Schema-Änderungen
2. Domain Naming Master (Forest): Domain hinzufügen/entfernen
3. PDC Emulator (Domain): Zeitserver, Password-Changes, Legacy-Support
4. RID Master (Domain): Vergibt RID-Pools für SIDs
5. Infrastructure Master (Domain): Cross-Domain Objekt-Referenzen

AD Backup und Recovery

# System State Backup (enthält AD)
wbadmin start systemstatebackup -backupTarget:E: -quiet

# AD authoritative Restore (nach Boot in DSRM)
# 1. Server in Directory Services Restore Mode booten (F8)
# 2. Anmelden mit DSRM-Password
# 3. Restore:
wbadmin start systemstaterecovery -version:12/01/2024-00:00

# Authoritative Restore für gelöschte Objekte
ntdsutil
activate instance ntds
authoritative restore
restore subtree "OU=IT,OU=Departments,OU=Users,OU=CONTOSO,DC=contoso,DC=local"
quit
quit

# AD Recycle Bin aktivieren (ab Windows Server 2008 R2)
Enable-ADOptionalFeature -Identity "Recycle Bin Feature" `
    -Scope ForestOrConfigurationSet `
    -Target "contoso.local"

# Gelöschte Objekte wiederherstellen
Get-ADObject -Filter {IsDeleted -eq $true -and Name -like "*Mustermann*"} `
    -IncludeDeletedObjects | Restore-ADObject

2. PowerShell – Deine Superpower

PowerShell Basics für Profis

Cmdlet-Struktur: Verb-Noun (Get-Service, Set-ExecutionPolicy)

Wichtige Konzepte:

# Pipeline (Output von einem Cmdlet als Input für nächstes)
Get-Process | Where-Object {$_.CPU -gt 10} | Sort-Object CPU -Descending

# Variablen
$computerName = "SERVER01"
$users = Get-ADUser -Filter *

# Arrays
$servers = @("SERVER01","SERVER02","SERVER03")
foreach ($server in $servers) {
    Test-Connection $server -Count 1
}

# Hash Tables
$serverInfo = @{
    Name = "SERVER01"
    IP = "192.168.1.100"
    Role = "File Server"
}

# Objekte erstellen
$server = [PSCustomObject]@{
    Name = "SERVER01"
    Status = "Online"
    LastBoot = (Get-Date)
}

Administrative PowerShell-Scripts

Remote Management (PowerShell Remoting):

# PSRemoting aktivieren (auf Ziel-Computer)
Enable-PSRemoting -Force

# Einzelner Remote-Befehl
Invoke-Command -ComputerName SERVER01 -ScriptBlock {
    Get-Service -Name Spooler
}

# Remote-Session (interaktiv)
Enter-PSSession -ComputerName SERVER01

# Befehle auf mehreren Computern
Invoke-Command -ComputerName SERVER01,SERVER02,SERVER03 -ScriptBlock {
    Get-EventLog -LogName System -Newest 10
}

# Mit Credentials
$cred = Get-Credential
Invoke-Command -ComputerName SERVER01 -Credential $cred -ScriptBlock {
    Restart-Service Spooler
}

Service-Management:

# Services anzeigen
Get-Service | Where-Object {$_.Status -eq "Running"}
Get-Service -ComputerName SERVER01

# Service starten/stoppen
Start-Service -Name Spooler
Stop-Service -Name Spooler
Restart-Service -Name Spooler

# Service-Startup-Type ändern
Set-Service -Name Spooler -StartupType Automatic

# Service auf mehreren Servern neustarten
$servers = Get-Content "C:\servers.txt"
Invoke-Command -ComputerName $servers -ScriptBlock {
    Restart-Service W3SVC
}

Disk-Management:

# Disk-Informationen
Get-Disk
Get-Volume
Get-Partition

# Neue Disk initialisieren und formatieren
Initialize-Disk -Number 1 -PartitionStyle GPT
New-Partition -DiskNumber 1 -UseMaximumSize -DriveLetter E
Format-Volume -DriveLetter E -FileSystem NTFS -NewFileSystemLabel "Data"

# Disk-Space prüfen
Get-Volume | Select-Object DriveLetter,FileSystemLabel,
    @{N="Size(GB)";E={[math]::Round($_.Size/1GB,2)}},
    @{N="Free(GB)";E={[math]::Round($_.SizeRemaining/1GB,2)}},
    @{N="Free%";E={[math]::Round(($_.SizeRemaining/$_.Size)*100,2)}}

Event Log-Analyse:

# Event Logs auslesen
Get-EventLog -LogName System -Newest 100
Get-EventLog -LogName Application -EntryType Error -Newest 50

# Mit WinEvent (moderner, flexibler)
Get-WinEvent -LogName System -MaxEvents 100
Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=4625  # Failed login attempts
    StartTime=(Get-Date).AddDays(-1)
}

# Event Logs von Remote-Servern
Invoke-Command -ComputerName SERVER01,SERVER02 -ScriptBlock {
    Get-EventLog -LogName System -EntryType Error -Newest 10
} | Select-Object PSComputerName,TimeGenerated,Source,Message

# Export zu HTML-Report
Get-EventLog -LogName System -EntryType Error -Newest 50 | 
    ConvertTo-Html | Out-File C:\ErrorLog.html

User-Management Scripts:

# Alle User einer OU anzeigen
Get-ADUser -Filter * -SearchBase "OU=IT,OU=Departments,OU=Users,OU=CONTOSO,DC=contoso,DC=local" -Properties *

# Disabled Accounts finden
Get-ADUser -Filter {Enabled -eq $false} | Select-Object Name,SamAccountName

# Inactive Accounts (90+ Tage nicht eingeloggt)
$date = (Get-Date).AddDays(-90)
Get-ADUser -Filter {LastLogonDate -lt $date -and Enabled -eq $true} -Properties LastLogonDate |
    Select-Object Name,SamAccountName,LastLogonDate

# Password läuft bald ab
Search-ADAccount -PasswordExpiring -TimeSpan "14.00:00:00" |
    Select-Object Name,PasswordExpireDate

# Bulk-Operations: Alle User in OU deaktivieren
Get-ADUser -Filter * -SearchBase "OU=Terminated,OU=Users,OU=CONTOSO,DC=contoso,DC=local" |
    Disable-ADAccount

# User-Report erstellen
Get-ADUser -Filter * -Properties * |
    Select-Object Name,SamAccountName,EmailAddress,Department,Title,Enabled,LastLogonDate |
    Export-Csv C:\UserReport.csv -NoTypeInformation

Monitoring-Script (Health Check):

# Server-Health-Check
function Get-ServerHealth {
    param([string]$ComputerName)
    
    $result = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        [PSCustomObject]@{
            ComputerName = $env:COMPUTERNAME
            Uptime = (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
            CPU = (Get-Counter '\Processor(_Total)\% Processor Time').CounterSamples.CookedValue
            MemoryUsed = [math]::Round((Get-Counter '\Memory\% Committed Bytes In Use').CounterSamples.CookedValue,2)
            DiskSpace = Get-Volume | Where-Object {$_.DriveLetter} | 
                Select-Object DriveLetter,
                    @{N="FreeSpace%";E={[math]::Round(($_.SizeRemaining/$_.Size)*100,2)}}
            FailedServices = (Get-Service | Where-Object {$_.StartType -eq 'Automatic' -and $_.Status -ne 'Running'}).Count
        }
    }
    return $result
}

# Alle Server prüfen
$servers = Get-Content "C:\servers.txt"
$healthReport = foreach ($server in $servers) {
    Get-ServerHealth -ComputerName $server
}
$healthReport | Export-Csv C:\ServerHealth.csv -NoTypeInformation

PowerShell Module und Best Practices

Wichtige Module:

# Installierte Module anzeigen
Get-Module -ListAvailable

# Wichtige Module:
Import-Module ActiveDirectory
Import-Module DnsServer
Import-Module GroupPolicy
Import-Module Hyper-V
Import-Module ServerManager

# Module aus PowerShell Gallery installieren
Install-Module -Name Az  # Azure Management
Install-Module -Name PSWindowsUpdate  # Windows Update Management
Install-Module -Name Posh-SSH  # SSH von PowerShell

# Module updaten
Update-Module -Name Az

Execution Policy:

# Aktuelle Policy anzeigen
Get-ExecutionPolicy

# Policy setzen (für Scripts)
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
# RemoteSigned = lokale Scripts OK, downloaded Scripts müssen signiert sein
# AllSigned = alle Scripts müssen signiert sein
# Unrestricted = alle Scripts erlaubt (unsicher!)

Script-Template (Best Practices):

<#
.SYNOPSIS
    Kurze Beschreibung des Scripts
.DESCRIPTION
    Detaillierte Beschreibung
.PARAMETER ComputerName
    Name des Ziel-Computers
.EXAMPLE
    .\Script.ps1 -ComputerName SERVER01
.NOTES
    Author: Max Mustermann
    Date: 2024-12-14
#>

[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)]
    [string]$ComputerName,
    
    [Parameter(Mandatory=$false)]
    [switch]$Verbose
)

# Error Handling
$ErrorActionPreference = "Stop"
try {
    # Script Logic hier
    Write-Host "Processing $ComputerName..." -ForegroundColor Green
    
    # Code...
    
} catch {
    Write-Error "Fehler: $_"
    exit 1
} finally {
    # Cleanup
    Write-Host "Script beendet." -ForegroundColor Cyan
}

3. File Server und Storage

File Server Einrichtung

File Server Role installieren:

# File Server installieren
Install-WindowsFeature -Name FS-FileServer -IncludeManagementTools

# Optional: DFS für verteilte File-Systeme
Install-WindowsFeature -Name FS-DFS-Namespace,FS-DFS-Replication -IncludeManagementTools

Shares erstellen und verwalten:

# SMB Share erstellen
New-SmbShare -Name "Shared" -Path "D:\Shares\Shared" -FullAccess "CONTOSO\IT-Admins" -ChangeAccess "CONTOSO\Domain Users"

# Share-Eigenschaften anzeigen
Get-SmbShare -Name "Shared"
Get-SmbShareAccess -Name "Shared"

# Share-Berechtigungen ändern
Grant-SmbShareAccess -Name "Shared" -AccountName "CONTOSO\HR-Team" -AccessRight Change
Revoke-SmbShareAccess -Name "Shared" -AccountName "CONTOSO\Guest"

# Share entfernen
Remove-SmbShare -Name "Shared" -Force

# Alle Shares anzeigen
Get-SmbShare | Select-Object Name,Path,Description

NTFS-Berechtigungen:

# ACL auslesen
Get-Acl -Path "D:\Shares\Shared"

# ACL setzen
$acl = Get-Acl -Path "D:\Shares\Shared"
$permission = "CONTOSO\IT-Admins","FullControl","ContainerInherit,ObjectInherit","None","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($accessRule)
Set-Acl -Path "D:\Shares\Shared" -AclObject $acl

# Vererbung deaktivieren
$acl = Get-Acl -Path "D:\Shares\Confidential"
$acl.SetAccessRuleProtection($true, $true)  # True = Vererbung blockieren, True = existierende Rechte kopieren
Set-Acl -Path "D:\Shares\Confidential" -AclObject $acl

# Berechtigungen rekursiv auf Unterordner anwenden
$acl = Get-Acl -Path "D:\Shares\Shared"
Get-ChildItem -Path "D:\Shares\Shared" -Recurse | Set-Acl -AclObject $acl

File Server Resource Manager (FSRM):

# FSRM installieren
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

# Quota erstellen (Disk-Space begrenzen)
New-FsrmQuota -Path "D:\Shares\UserData" -Size 10GB -SoftLimit

# File Screen (bestimmte Dateitypen blockieren)
New-FsrmFileScreen -Path "D:\Shares\Shared" -Template "Block Executable Files"

# Storage Reports
New-FsrmStorageReport -Name "Disk Usage Report" -Namespace "D:\Shares" -ReportType LargeFiles,DuplicateFiles

# File Management Tasks (automatisches Löschen alter Files)
New-FsrmFileManagementJob -Name "Delete old files" `
    -Namespace "D:\Shares\Temp" `
    -Action Delete `
    -Condition @{Property='File.DateCreated'; Condition='Before'; Value=(Get-Date).AddDays(-30)}

DFS (Distributed File System)

DFS Namespace:

# DFS Namespace erstellen
New-DfsnRoot -Path "\\contoso.local\Files" -TargetPath "\\FILESERVER01\Files" -Type DomainV2

# Folder zu Namespace hinzufügen
New-DfsnFolder -Path "\\contoso.local\Files\Shared" -TargetPath "\\FILESERVER01\Shared"

# Folder Target hinzufügen (Redundanz!)
New-DfsnFolderTarget -Path "\\contoso.local\Files\Shared" -TargetPath "\\FILESERVER02\Shared"

# DFS Namespace anzeigen
Get-DfsnRoot
Get-DfsnFolder -Path "\\contoso.local\Files\*"

DFS Replication:

# Replication Group erstellen
New-DfsReplicationGroup -GroupName "FileReplication"

# Folder zu Replication Group hinzufügen
New-DfsReplicatedFolder -GroupName "FileReplication" -FolderName "Shared"

# Member hinzufügen
Add-DfsrMember -GroupName "FileReplication" -ComputerName "FILESERVER01","FILESERVER02"

# Replication konfigurieren
Set-DfsrMembership -GroupName "FileReplication" -FolderName "Shared" `
    -ComputerName "FILESERVER01" -ContentPath "D:\Replication\Shared" -PrimaryMember $true

Set-DfsrMembership -GroupName "FileReplication" -FolderName "Shared" `
    -ComputerName "FILESERVER02" -ContentPath "D:\Replication\Shared"

# Connection erstellen (bidirektional)
Add-DfsrConnection -GroupName "FileReplication" `
    -SourceComputerName "FILESERVER01" -DestinationComputerName "FILESERVER02"

Storage Spaces und Storage Pools

Storage Spaces (Software RAID):

# Physical Disks anzeigen
Get-PhysicalDisk

# Storage Pool erstellen
New-StoragePool -FriendlyName "DataPool" `
    -StorageSubSystemFriendlyName "Windows Storage*" `
    -PhysicalDisks (Get-PhysicalDisk -CanPool $true)

# Virtual Disk erstellen (mit Mirroring = RAID 1)
New-VirtualDisk -StoragePoolFriendlyName "DataPool" `
    -FriendlyName "MirroredDisk" `
    -Size 500GB `
    -ResiliencySettingName Mirror

# Oder mit Parity (RAID 5)
New-VirtualDisk -StoragePoolFriendlyName "DataPool" `
    -FriendlyName "ParityDisk" `
    -Size 1TB `
    -ResiliencySettingName Parity

# Volume erstellen
New-Volume -DiskNumber 1 -FriendlyName "Data" -FileSystem NTFS -DriveLetter E

4. Netzwerk-Verwaltung

DNS Server

DNS installieren und konfigurieren:

# DNS installieren
Install-WindowsFeature -Name DNS -IncludeManagementTools

# DNS Zone erstellen
Add-DnsServerPrimaryZone -Name "contoso.local" -ReplicationScope Domain

# A-Record hinzufügen
Add-DnsServerResourceRecordA -Name "webserver" -ZoneName "contoso.local" -IPv4Address "192.168.1.100"

# CNAME-Record
Add-DnsServerResourceRecordCName -Name "www" -HostNameAlias "webserver.contoso.local" -ZoneName "contoso.local"

# MX-Record (Mail)
Add-DnsServerResourceRecordMX -Name "." -ZoneName "contoso.local" -MailExchange "mail.contoso.local" -Preference 10

# PTR-Record (Reverse Lookup)
Add-DnsServerResourceRecordPtr -Name "100" -ZoneName "1.168.192.in-addr.arpa" -PtrDomainName "webserver.contoso.local"

# DNS-Records anzeigen
Get-DnsServerResourceRecord -ZoneName "contoso.local"

# DNS-Cache leeren
Clear-DnsServerCache

DNS Forwarders (für externe Auflösung):

# Forwarders setzen
Set-DnsServerForwarder -IPAddress "8.8.8.8","1.1.1.1"

# Forwarders anzeigen
Get-DnsServerForwarder

DHCP Server

DHCP installieren und konfigurieren:

# DHCP installieren
Install-WindowsFeature -Name DHCP -IncludeManagementTools

# DHCP in AD autorisieren
Add-DhcpServerInDC -DnsName "dhcp01.contoso.local" -IPAddress 192.168.1.10

# DHCP Scope erstellen
Add-DhcpServerv4Scope -Name "Main Office" `
    -StartRange 192.168.1.100 `
    -EndRange 192.168.1.200 `
    -SubnetMask 255.255.255.0 `
    -LeaseDuration 8.00:00:00

# DHCP Options (Gateway, DNS)
Set-DhcpServerv4OptionValue -ScopeId 192.168.1.0 `
    -Router 192.168.1.1 `
    -DnsServer 192.168.1.10 `
    -DnsDomain "contoso.local"

# DHCP Reservierung (feste IP für MAC)
Add-DhcpServerv4Reservation -ScopeId 192.168.1.0 `
    -IPAddress 192.168.1.50 `
    -ClientId "00-50-56-C0-00-01" `
    -Description "Drucker Büro"

# DHCP Leases anzeigen
Get-DhcpServerv4Lease -ScopeId 192.168.1.0

# DHCP Failover (Redundanz)
Add-DhcpServerv4Failover -ComputerName DHCP01 `
    -PartnerServer DHCP02 `
    -Name "DHCP-Failover" `
    -ScopeId 192.168.1.0 `
    -LoadBalancePercent 50

Network Policy Server (NPS) – RADIUS

NPS für WLAN/VPN Authentication:

# NPS installieren
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# RADIUS Client hinzufügen (z.B. WLAN Access Point)
New-NpsRadiusClient -Name "Office-AP" `
    -Address "192.168.1.20" `
    -SharedSecret "SuperSecretKey123!"

# Network Policy erstellen
# GUI-basiert über: Server Manager → Tools → Network Policy Server

Windows Firewall mit PowerShell

# Firewall-Status
Get-NetFirewallProfile

# Firewall aktivieren
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

# Firewall-Regel erstellen
New-NetFirewallRule -DisplayName "Allow HTTP" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 80 `
    -Action Allow

New-NetFirewallRule -DisplayName "Allow RDP from Admin Network" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 3389 `
    -RemoteAddress 192.168.10.0/24 `
    -Action Allow

# Firewall-Regeln anzeigen
Get-NetFirewallRule | Where-Object {$_.Enabled -eq $true} | Select-Object DisplayName,Direction,Action

# Firewall-Regel löschen
Remove-NetFirewallRule -DisplayName "Allow HTTP"

# Firewall-Log aktivieren
Set-NetFirewallProfile -Profile Domain -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log" `
    -LogMaxSizeKilobytes 16384 `
    -LogAllowed True `
    -LogBlocked True

Network Teaming (NIC Teaming)

# Network Adapter anzeigen
Get-NetAdapter

# NIC Team erstellen (Redundanz/Load Balancing)
New-NetLbfoTeam -Name "Team1" `
    -TeamMembers "Ethernet 1","Ethernet 2" `
    -TeamingMode SwitchIndependent `
    -LoadBalancingAlgorithm Dynamic

# Team-Status
Get-NetLbfoTeam
Get-NetLbfoTeamMember

# VLAN auf Team-Interface
Add-NetLbfoTeamNic -Team "Team1" -VlanID 10

5. Windows Server Update Services (WSUS)

WSUS einrichten

# WSUS installieren
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

# WSUS Post-Installation
Set-Location "C:\Program Files\Update Services\Tools"
.\wsusutil.exe postinstall CONTENT_DIR=E:\WSUS

# WSUS konfigurieren
$wsus = Get-WsusServer
$wsusConfig = $wsus.GetConfiguration()
$wsusConfig.SetAutoApproveLocalPublishedUpdates($true)
$wsusConfig.Save()

# Produktkategorien synchronisieren
Get-WsusProduct | Where-Object {$_.Product.Title -like "*Windows Server 2022*"} | Set-WsusProduct

# Classifications auswählen
Get-WsusClassification | Where-Object {$_.Classification.Title -in @("Critical Updates","Security Updates","Definition Updates")} | Set-WsusClassification

# Synchronisation starten
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronization()

# Computer Groups erstellen
$wsus.CreateComputerTargetGroup("Production Servers")
$wsus.CreateComputerTargetGroup("Test Servers")

WSUS via GPO auf Clients konfigurieren:

Computer Configuration → Policies → Administrative Templates → Windows Components → Windows Update

Settings:
- Configure Automatic Updates: Enabled - Auto download and schedule install
- Specify intranet Microsoft update service location: http://wsus.contoso.local:8530
- Automatic Updates detection frequency: 4 hours
- Enable client-side targeting: Enabled - Target Group: "Production Servers"

6. Remote Desktop Services (RDS)

Terminal Server / Remote Desktop

RDS Role installieren:

# RD Session Host installieren
Install-WindowsFeature -Name RDS-RD-Server -IncludeManagementTools

# RD Licensing
Install-WindowsFeature -Name RDS-Licensing -IncludeManagementTools

# RD Gateway (für externe Zugriffe)
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools

# RD Connection Broker (für Load Balancing)
Install-WindowsFeature -Name RDS-Connection-Broker -IncludeManagementTools

RemoteApp konfigurieren:

# RemoteApp erstellen (z.B. für MS Office)
New-RDRemoteApp -CollectionName "Office Apps" `
    -DisplayName "Microsoft Word" `
    -FilePath "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" `
    -ShowInWebAccess $true

RDS Lizenzen:

• Per Device oder Per User
• Aktivierung über Microsoft Clearinghouse
• Grace Period: 120 Tage

Remote Desktop Configuration

# RDP auf Server aktivieren
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0

# Firewall-Regel für RDP
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

# NLA (Network Level Authentication) aktivieren
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1

# Max Connections
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "MaxInstanceCount" -Value 20

7. Hyper-V Virtualisierung

Hyper-V einrichten

# Hyper-V installieren
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -Restart

# Virtual Switch erstellen (External = mit physischem Netzwerk verbunden)
New-VMSwitch -Name "External-Switch" -NetAdapterName "Ethernet 1" -AllowManagementOS $true

# Internal Switch (nur zwischen VMs und Host)
New-VMSwitch -Name "Internal-Switch" -SwitchType Internal

# Private Switch (nur zwischen VMs)
New-VMSwitch -Name "Private-Switch" -SwitchType Private

VM erstellen und verwalten

# Neue VM erstellen
New-VM -Name "TESTSERVER" `
    -MemoryStartupBytes 4GB `
    -Generation 2 `
    -NewVHDPath "E:\Hyper-V\TESTSERVER\TESTSERVER.vhdx" `
    -NewVHDSizeBytes 60GB `
    -SwitchName "External-Switch"

# VM konfigurieren
Set-VM -Name "TESTSERVER" -ProcessorCount 2
Set-VM -Name "TESTSERVER" -DynamicMemory -MemoryMinimumBytes 2GB -MemoryMaximumBytes 8GB

# VM starten/stoppen
Start-VM -Name "TESTSERVER"
Stop-VM -Name "TESTSERVER"
Restart-VM -Name "TESTSERVER"

# ISO mounten (für OS-Installation)
Set-VMDvdDrive -VMName "TESTSERVER" -Path "E:\ISOs\WindowsServer2022.iso"

# Checkpoint (Snapshot) erstellen
Checkpoint-VM -Name "TESTSERVER" -SnapshotName "Before Update"

# Checkpoint wiederherstellen
Restore-VMSnapshot -Name "Before Update" -VMName "TESTSERVER" -Confirm:$false

# VM exportieren (Backup)
Export-VM -Name "TESTSERVER" -Path "E:\Backups\VMs"

# VM importieren
Import-VM -Path "E:\Backups\VMs\TESTSERVER\Virtual Machines\xyz.vmcx"

# VHD vergrößern
Resize-VHD -Path "E:\Hyper-V\TESTSERVER\TESTSERVER.vhdx" -SizeBytes 120GB

# VM klonen
$vm = Get-VM "TESTSERVER"
Export-VM -VM $vm -Path "E:\Temp"
Import-VM -Path "E:\Temp\TESTSERVER" -Copy -GenerateNewId
Rename-VM -VM (Get-VM | Where-Object {$_.Name -eq "TESTSERVER"} | Select-Object -Last 1) -NewName "TESTSERVER-CLONE"

Hyper-V Replica (Disaster Recovery)

# Replica aktivieren (auf beiden Hosts)
Set-VMReplicationServer -ReplicationEnabled $true `
    -AllowedAuthenticationType Kerberos `
    -ReplicationAllowedFromAnyServer $true

# Replikation für VM einrichten
Enable-VMReplication -VMName "TESTSERVER" `
    -ReplicaServerName "HYPERV-02.contoso.local" `
    -ReplicaServerPort 80 `
    -AuthenticationType Kerberos `
    -CompressionEnabled $true

# Initial Replication starten
Start-VMInitialReplication -VMName "TESTSERVER"

# Replikation-Status
Get-VMReplication -VMName "TESTSERVER"

# Planned Failover (bei geplantem Ausfall)
Start-VMFailover -VMName "TESTSERVER" -Prepare
Start-VMFailover -VMName "TESTSERVER" -AsReplica

# Unplanned Failover (Notfall)
Start-VMFailover -VMName "TESTSERVER"

8. Internet Information Services (IIS)

IIS Webserver

# IIS installieren
Install-WindowsFeature -Name Web-Server -IncludeManagementTools

# Website erstellen
New-IISSite -Name "MyWebsite" `
    -PhysicalPath "C:\inetpub\mywebsite" `
    -BindingInformation "*:80:www.example.com"

# HTTPS Binding mit Zertifikat
New-IISSiteBinding -Name "MyWebsite" `
    -BindingInformation "*:443:www.example.com" `
    -Protocol https `
    -CertificateThumbPrint "ABCDEF1234567890..."

# Application Pool erstellen
New-WebAppPool -Name "MyAppPool"
Set-ItemProperty IIS:\AppPools\MyAppPool -Name processModel.identityType -Value 2  # NetworkService

# Website zu AppPool zuweisen
Set-ItemProperty "IIS:\Sites\MyWebsite" -Name applicationPool -Value "MyAppPool"

# Virtual Directory erstellen
New-WebVirtualDirectory -Site "MyWebsite" -Name "images" -PhysicalPath "E:\WebImages"

# URL Rewrite (Redirect HTTP zu HTTPS)
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' `
    -filter "system.webServer/rewrite/rules" `
    -name "." `
    -value @{name='HTTP to HTTPS';patternSyntax='Wildcard';stopProcessing='True'}

IIS Application Request Routing (Load Balancing):

# ARR installieren (via Web Platform Installer oder manual)
# Server Farm erstellen für Load Balancing zwischen mehreren Webservern

SSL-Zertifikate in IIS

# Zertifikat importieren
Import-PfxCertificate -FilePath "C:\Certs\certificate.pfx" `
    -CertStoreLocation Cert:\LocalMachine\My `
    -Password (ConvertTo-SecureString -String "P@ssw0rd" -AsPlainText -Force)

# Zertifikat zu IIS Binding hinzufügen
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*example.com*"}
New-IISSiteBinding -Name "MyWebsite" `
    -BindingInformation "*:443:" `
    -Protocol https `
    -CertificateThumbPrint $cert.Thumbprint

9. SQL Server Verwaltung

SQL Server Basics

# SQL Server Module
Import-Module SqlServer

# SQL Server Instanzen anzeigen
Get-SqlInstance -ServerInstance "localhost"

# Datenbank erstellen
Invoke-Sqlcmd -Query "CREATE DATABASE MyAppDB" -ServerInstance "localhost"

# SQL Server Login erstellen
Invoke-Sqlcmd -Query @"
CREATE LOGIN myappuser WITH PASSWORD = 'P@ssw0rd123!';
USE MyAppDB;
CREATE USER myappuser FOR LOGIN myappuser;
ALTER ROLE db_datareader ADD MEMBER myappuser;
ALTER ROLE db_datawriter ADD MEMBER myappuser;
"@ -ServerInstance "localhost"

# Backup
Backup-SqlDatabase -ServerInstance "localhost" `
    -Database "MyAppDB" `
    -BackupFile "E:\Backups\MyAppDB_Full.bak" `
    -BackupAction Database

# Restore
Restore-SqlDatabase -ServerInstance "localhost" `
    -Database "MyAppDB" `
    -BackupFile "E:\Backups\MyAppDB_Full.bak" `
    -ReplaceDatabase

SQL Server Maintenance:

-- Index Rebuild (in SQL Management Studio)
USE MyAppDB;
ALTER INDEX ALL ON dbo.TableName REBUILD;

-- Update Statistics
UPDATE STATISTICS dbo.TableName;

-- Check Database Integrity
DBCC CHECKDB ('MyAppDB');

-- Shrink Database (nur wenn nötig!)
DBCC SHRINKDATABASE (MyAppDB, 10);

SQL Server Jobs (Automated Tasks):

• Via SQL Server Agent
• Backup Jobs
• Maintenance Tasks
• Monitoring

10. Security und Hardening

Windows Defender

# Defender Status
Get-MpComputerStatus

# Scan starten
Start-MpScan -ScanType QuickScan
Start-MpScan -ScanType FullScan

# Defender Update
Update-MpSignature

# Exclusions hinzufügen
Add-MpPreference -ExclusionPath "C:\MyApp"
Add-MpPreference -ExclusionExtension ".log"

# Defender deaktivieren (nur temporär für Tests!)
Set-MpPreference -DisableRealtimeMonitoring $true

BitLocker Verschlüsselung

# BitLocker Status
Get-BitLockerVolume

# BitLocker aktivieren
Enable-BitLocker -MountPoint "C:" `
    -EncryptionMethod XtsAes256 `
    -UsedSpaceOnly `
    -TpmProtector

# Recovery Key in AD speichern
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId (Get-BitLockerVolume -MountPoint "C:").KeyProtector[0].KeyProtectorId

# BitLocker entsperren
Unlock-BitLocker -MountPoint "E:" -Password (ConvertTo-SecureString "RecoveryKey" -AsPlainText -Force)

Windows Firewall Advanced Security

# IPsec Regeln (verschlüsselte Kommunikation zwischen Servern)
New-NetIPsecRule -DisplayName "Require Encryption from Admin Network" `
    -InboundSecurity Require `
    -OutboundSecurity Request `
    -RemoteAddress 192.168.10.0/24

# Connection Security Rules
# Via GUI: Windows Defender Firewall with Advanced Security → Connection Security Rules

AppLocker (Application Control)

# AppLocker aktivieren via GPO
# Computer Configuration → Policies → Windows Settings → Security Settings → Application Control Policies

# Default Rules erstellen
Get-AppLockerFileInformation -Directory "C:\Program Files" -Recurse | 
    New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -Optimize | 
    Set-AppLockerPolicy -Merge

# AppLocker Status
Get-AppLockerPolicy -Effective

Local Security Policy

Wichtige Security Settings:

Local Policies → Security Options:
- Interactive logon: Do not display last user name → Enabled
- Network access: Do not allow anonymous enumeration of SAM accounts → Enabled
- Network security: LAN Manager authentication level → Send NTLMv2 response only. Refuse LM & NTLM

User Rights Assignment:
- Allow log on through Remote Desktop Services → Nur Admins und spezifische Gruppen
- Deny log on locally → Deny für Service Accounts

Audit Policies:
- Audit account logon events → Success, Failure
- Audit logon events → Success, Failure
- Audit object access → Success, Failure
- Audit policy change → Success, Failure

11. Backup und Disaster Recovery

Windows Server Backup

# Windows Server Backup installieren
Install-WindowsFeature -Name Windows-Server-Backup

# Backup Policy erstellen
$policy = New-WBPolicy
$filespec = New-WBFileSpec -FileSpec "C:\ImportantData"
Add-WBFileSpec -Policy $policy -FileSpec $filespec

# Backup Target (externe Festplatte)
$target = New-WBBackupTarget -VolumePath "E:"
Add-WBBackupTarget -Policy $policy -Target $target

# Schedule (täglich 02:00 Uhr)
Set-WBSchedule -Policy $policy -Schedule 02:00

# Policy speichern
Set-WBPolicy -Policy $policy

# Manuelle Backups
Start-WBBackup -Policy $policy

# System State Backup
$policy = New-WBPolicy
Add-WBSystemState -Policy $policy
$target = New-WBBackupTarget -VolumePath "E:"
Add-WBBackupTarget -Policy $policy -Target $target
Start-WBBackup -Policy $policy

# Bare Metal Recovery Backup
$policy = New-WBPolicy
Add-WBBareMetalRecovery -Policy $policy
# ... rest wie oben

Disaster Recovery Planning

Recovery Point Objective (RPO):

• Wie viel Datenverlust ist akzeptabel? (z.B. 4 Stunden)

Recovery Time Objective (RTO):

• Wie schnell muss System wieder laufen? (z.B. 2 Stunden)

Backup-Strategie (3-2-1 Regel):

• 3 Kopien der Daten
• 2 verschiedene Medien
• 1 Kopie offsite

Dokumentation:

• Recovery-Runbooks
• Kontaktlisten
• Konfigurationsdokumentation
• Netzwerk-Diagramme

12. Monitoring und Performance

Performance Monitor (Perfmon)

# Performance Counter abfragen
Get-Counter '\Processor(_Total)\% Processor Time'
Get-Counter '\Memory\Available MBytes'
Get-Counter '\PhysicalDisk(_Total)\Avg. Disk Queue Length'

# Data Collector Set erstellen (für längeres Monitoring)
$DataCollectorSet = New-Object -COM Pla.DataCollectorSet
$DataCollectorSet.DisplayName = "System Performance"
$DataCollectorSet.Duration = 3600  # 1 Stunde
$DataCollectorSet.SubdirectoryFormat = 3
$DataCollectorSet.RootPath = "C:\PerfLogs"

# Performance Counter hinzufügen
$DataCollector = $DataCollectorSet.DataCollectors.CreateDataCollector(0)
$DataCollector.CounterDisplayName = "Processor Time"
$DataCollector.Counter = [string[]]@("\Processor(_Total)\% Processor Time")
$DataCollectorSet.DataCollectors.Add($DataCollector)

$DataCollectorSet.Commit("System Performance", $null, 0x0003)
$DataCollectorSet.Start($false)

Task Manager und Resource Monitor

• Task Manager (taskmgr.exe): Schneller Überblick
• Resource Monitor (resmon.exe): Detaillierte Analyse
  • CPU-Nutzung pro Prozess
  • Disk I/O
  • Network Activity
  • Memory Details

Event Log Monitoring

# Critical Events der letzten 24h
Get-WinEvent -FilterHashtable @{
    LogName='System','Application'
    Level=1,2  # Critical, Error
    StartTime=(Get-Date).AddDays(-1)
} | Select-Object TimeCreated,LevelDisplayName,ProviderName,Message

# Failed Logins (Security Log)
Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=4625  # Failed logon
    StartTime=(Get-Date).AddHours(-1)
} | Select-Object TimeCreated,Message

# Event Subscriptions (zentrales Logging)
# Via Event Viewer → Subscriptions → Create Subscription

Scheduled Tasks für Monitoring

# Scheduled Task erstellen (täglicher Health Check)
$action = New-ScheduledTaskAction -Execute 'PowerShell.exe' `
    -Argument '-File C:\Scripts\HealthCheck.ps1'
$trigger = New-ScheduledTaskTrigger -Daily -At 6am
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1)

Register-ScheduledTask -TaskName "Daily Health Check" `
    -Action $action `
    -Trigger $trigger `
    -Principal $principal `
    -Settings $settings

# Task manuell ausführen
Start-ScheduledTask -TaskName "Daily Health Check"

# Task-Historie anzeigen
Get-ScheduledTask -TaskName "Daily Health Check" | Get-ScheduledTaskInfo

13. Troubleshooting Methodology

Systematische Problemlösung

1. Identify (Problem definieren):

• Was funktioniert nicht?
• Wer ist betroffen?
• Wann trat es auf?
• Was hat sich geändert?

2. Gather Information:

# System Information
systeminfo
Get-ComputerInfo

# Event Logs
Get-EventLog -LogName System -Newest 50 -EntryType Error
Get-EventLog -LogName Application -Newest 50 -EntryType Error

# Services
Get-Service | Where-Object {$_.Status -ne "Running" -and $_.StartType -eq "Automatic"}

# Network
ipconfig /all
Test-NetConnection google.com
Test-NetConnection dc01.contoso.local -Port 389  # LDAP

# Processes
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10

# Disk
Get-Volume
Get-PhysicalDisk | Select-Object FriendlyName,HealthStatus,OperationalStatus

3. Analyze:

• Logs interpretieren
• Patterns erkennen
• Hypothese bilden

4. Test:

• Hypothese überprüfen
• Ein Change nach dem anderen
• Dokumentieren

5. Resolve:

• Lösung implementieren
• Verifizieren
• Dokumentieren

Häufige Probleme

Problem: Server bootet nicht:

1. Check Disk-Status im BIOS/UEFI
2. Safe Mode booten (F8)
3. Last Known Good Configuration
4. System File Check: sfc /scannow
5. Disk Check: chkdsk /f C:
6. Boot Repair: bootrec /fixmbr, /fixboot, /rebuildbcd
7. System Restore
8. Bare Metal Restore von Backup

Problem: Domain Controller repliziert nicht:

# Replikation prüfen
repadmin /showrepl
repadmin /replsummary

# DNS prüfen (DCs müssen sich gegenseitig auflösen)
nslookup dc01.contoso.local
nslookup dc02.contoso.local

# Zeit-Synchronisation prüfen (max 5 Min Abweichung)
w32tm /query /status
w32tm /resync

# Firewall-Ports prüfen
Test-NetConnection dc02.contoso.local -Port 135  # RPC
Test-NetConnection dc02.contoso.local -Port 389  # LDAP

# Kerberos testen
klist
klist purge  # Ticket Cache leeren

Problem: Hohe CPU-Last:

# Top Prozesse
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10 Name,CPU,WS

# Windows Update läuft?
Get-Service -Name wuauserv

# Windows Defender Scan?
Get-MpComputerStatus

# Scheduled Tasks
Get-ScheduledTask | Where-Object {$_.State -eq "Running"}

Problem: Disk Space voll:

# Große Dateien finden
Get-ChildItem C:\ -Recurse -File -ErrorAction SilentlyContinue | 
    Sort-Object Length -Descending | 
    Select-Object -First 20 FullName,@{N="Size(GB)";E={[math]::Round($_.Length/1GB,2)}}

# Temp-Files
Remove-Item C:\Windows\Temp\* -Recurse -Force
Remove-Item $env:TEMP\* -Recurse -Force

# Windows Update Cleanup
Dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase

# Log-Files rotieren
Get-ChildItem C:\inetpub\logs -Recurse -File | 
    Where-Object {$_.LastWriteTime -lt (Get-Date).AddDays(-30)} | 
    Remove-Item -Force

14. Automation mit PowerShell Scripts

Praktische Scripts für den Alltag

Server-Inventory-Script:

<#
.SYNOPSIS
    Server-Inventarisierung
.DESCRIPTION
    Sammelt Informationen über alle Server im Netzwerk
#>

$servers = Get-ADComputer -Filter {OperatingSystem -like "*Server*"} -Properties *

$inventory = foreach ($server in $servers) {
    try {
        $info = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $server.Name -ErrorAction Stop
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $server.Name
        $disk = Get-CimInstance -ClassName Win32_LogicalDisk -ComputerName $server.Name -Filter "DriveType=3"
        
        [PSCustomObject]@{
            ComputerName = $server.Name
            Domain = $info.Domain
            Model = $info.Model
            Manufacturer = $info.Manufacturer
            TotalRAM_GB = [math]::Round($info.TotalPhysicalMemory/1GB,2)
            OS = $os.Caption
            OSVersion = $os.Version
            InstallDate = $os.InstallDate
            LastBootTime = $os.LastBootUpTime
            DiskSpace_GB = ($disk | Measure-Object -Property Size -Sum).Sum/1GB
            FreeSpace_GB = ($disk | Measure-Object -Property FreeSpace -Sum).Sum/1GB
            Status = "Online"
        }
    } catch {
        [PSCustomObject]@{
            ComputerName = $server.Name
            Status = "Offline or Access Denied"
        }
    }
}

$inventory | Export-Csv "C:\Reports\ServerInventory_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
$inventory | ConvertTo-Html | Out-File "C:\Reports\ServerInventory_$(Get-Date -Format 'yyyyMMdd').html"

User-Onboarding-Script:

<#
.SYNOPSIS
    Neuen User anlegen mit allen Berechtigungen
#>

param(
    [Parameter(Mandatory=$true)]
    [string]$FirstName,
    
    [Parameter(Mandatory=$true)]
    [string]$LastName,
    
    [Parameter(Mandatory=$true)]
    [string]$Department,
    
    [Parameter(Mandatory=$true)]
    [string]$Title,
    
    [Parameter(Mandatory=$false)]
    [string]$Manager
)

# Username generieren
$username = ($FirstName.Substring(0,1) + $LastName).ToLower()
$email = "$username@contoso.com"

# OU basierend auf Department
$ouPath = "OU=$Department,OU=Departments,OU=Users,OU=CONTOSO,DC=contoso,DC=local"

# Temporäres Password
$tempPassword = ConvertTo-SecureString "Welcome2024!" -AsPlainText -Force

try {
    # User erstellen
    New-ADUser `
        -Name "$FirstName $LastName" `
        -GivenName $FirstName `
        -Surname $LastName `
        -SamAccountName $username `
        -UserPrincipalName "$username@contoso.local" `
        -EmailAddress $email `
        -Path $ouPath `
        -AccountPassword $tempPassword `
        -Enabled $true `
        -ChangePasswordAtLogon $true `
        -Department $Department `
        -Title $Title `
        -Company "Contoso GmbH"
    
    Write-Host "✓ User $username erstellt" -ForegroundColor Green
    
    # Zu Department-Gruppe hinzufügen
    Add-ADGroupMember -Identity "$Department-Users" -Members $username
    Write-Host "✓ User zu Gruppe $Department-Users hinzugefügt" -ForegroundColor Green
    
    # Home-Verzeichnis erstellen
    $homePath = "\\fileserver\home\$username"
    New-Item -Path $homePath -ItemType Directory -Force
    
    # Berechtigungen setzen
    $acl = Get-Acl $homePath
    $permission = "CONTOSO\$username","FullControl","ContainerInherit,ObjectInherit","None","Allow"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($accessRule)
    Set-Acl $homePath $acl
    
    Write-Host "✓ Home-Verzeichnis erstellt: $homePath" -ForegroundColor Green
    
    # Email an Manager
    if ($Manager) {
        $managerEmail = (Get-ADUser $Manager -Properties EmailAddress).EmailAddress
        Send-MailMessage `
            -From "it@contoso.com" `
            -To $managerEmail `
            -Subject "Neuer Mitarbeiter: $FirstName $LastName" `
            -Body "Username: $username`nEmail: $email`nTemp Password: Welcome2024!" `
            -SmtpServer "mail.contoso.local"
        
        Write-Host "✓ Benachrichtigung an Manager gesendet" -ForegroundColor Green
    }
    
    Write-Host "`n=== Zusammenfassung ===" -ForegroundColor Cyan
    Write-Host "Username: $username"
    Write-Host "Email: $email"
    Write-Host "Temp Password: Welcome2024!"
    Write-Host "Home Directory: $homePath"
    
} catch {
    Write-Error "Fehler beim Erstellen des Users: $_"
}

Patch-Compliance-Report:

<#
.SYNOPSIS
    Prüft Patch-Status aller Server
#>

$servers = Get-ADComputer -Filter {OperatingSystem -like "*Server*"} | Select-Object -ExpandProperty Name

$patchReport = foreach ($server in $servers) {
    try {
        $session = New-CimSession -ComputerName $server -ErrorAction Stop
        
        # Letzte Installation
        $lastUpdate = Get-HotFix -CimSession $session | 
            Sort-Object InstalledOn -Descending | 
            Select-Object -First 1
        
        # Pending Updates
        $updateSession = New-Object -ComObject Microsoft.Update.Session
        $updateSearcher = $updateSession.CreateUpdateSearcher()
        $searchResult = $updateSearcher.Search("IsInstalled=0")
        $pendingCount = $searchResult.Updates.Count
        
        # Pending Reboot
        $pendingReboot = $false
        if (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired" -ErrorAction SilentlyContinue) {
            $pendingReboot = $true
        }
        
        [PSCustomObject]@{
            Server = $server
            LastUpdate = $lastUpdate.InstalledOn
            LastUpdateKB = $lastUpdate.HotFixID
            PendingUpdates = $pendingCount
            PendingReboot = $pendingReboot
            Status = if ($pendingCount -eq 0 -and -not $pendingReboot) {"Compliant"} else {"Non-Compliant"}
        }
        
        Remove-CimSession $session
        
    } catch {
        [PSCustomObject]@{
            Server = $server
            Status = "Error: $_"
        }
    }
}

$patchReport | Export-Csv "C:\Reports\PatchCompliance_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

# Non-Compliant Server hervorheben
$patchReport | Where-Object {$_.Status -eq "Non-Compliant"} | Format-Table -AutoSize

15. Microsoft 365 / Azure AD Integration

Azure AD Connect

Hybrid Identity Setup:

# Azure AD Connect installieren
# Download von: https://www.microsoft.com/en-us/download/details.aspx?id=47594

# Post-Installation: Password Hash Sync, Pass-through Auth oder ADFS wählen

# Sync-Status prüfen
Import-Module ADSync
Get-ADSyncScheduler
Start-ADSyncSyncCycle -PolicyType Delta  # Manuelle Sync
Start-ADSyncSyncCycle -PolicyType Initial  # Vollständige Sync

# Sync-Errors prüfen
Get-ADSyncConnectorRunStatus

Microsoft 365 PowerShell:

# Module installieren
Install-Module -Name MSOnline
Install-Module -Name AzureAD
Install-Module -Name ExchangeOnlineManagement

# Verbinden
Connect-MsolService
Connect-AzureAD
Connect-ExchangeOnline

# Lizenz zuweisen
Set-MsolUserLicense -UserPrincipalName "user@contoso.com" -AddLicenses "contoso:ENTERPRISEPACK"

# Mailbox erstellen
New-Mailbox -UserPrincipalName "user@contoso.com" -Alias user -Name "Max Mustermann"

# Teams-User aktivieren
Enable-CsUser -Identity "user@contoso.com" -SipAddress "sip:user@contoso.com"

Conditional Access (Security)

• Multi-Factor Authentication (MFA)
• Location-based Access
• Device Compliance
• Risk-based Access

Über Azure Portal: Azure AD → Security → Conditional Access → New Policy

16. Certificates und PKI

Certificate Authority (CA) einrichten

# AD CS Role installieren
Install-WindowsFeature -Name AD-Certificate -IncludeManagementTools

# Enterprise CA konfigurieren
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 10

# Certificate Templates verwalten
# Via: Certification Authority MMC → Certificate Templates

# Certificate Auto-Enrollment via GPO
# Computer Configuration → Policies → Windows Settings → Security Settings → 
# Public Key Policies → Certificate Services Client - Auto-Enrollment

Zertifikate ausstellen:

# Certificate Request erstellen
$cert = Get-Certificate -Template "WebServer" `
    -SubjectName "CN=webserver.contoso.local" `
    -DnsName "webserver.contoso.local","www.contoso.local" `
    -CertStoreLocation "Cert:\LocalMachine\My"

# Zertifikat exportieren
Export-PfxCertificate -Cert $cert.Certificate `
    -FilePath "C:\Certs\webserver.pfx" `
    -Password (ConvertTo-SecureString -String "P@ssw0rd" -AsPlainText -Force)

17. Container und Cloud-Native (Modern Windows Admin)

Windows Containers

# Container Feature installieren
Install-WindowsFeature -Name Containers

# Docker installieren
Install-Module -Name DockerMsftProvider -Repository PSGallery -Force
Install-Package -Name docker -ProviderName DockerMsftProvider

# Docker Service starten
Start-Service Docker

# Windows Container Images
docker pull mcr.microsoft.com/windows/servercore:ltsc2022
docker pull mcr.microsoft.com/windows/nanoserver:ltsc2022

# Container starten
docker run -d -p 80:80 --name iis mcr.microsoft.com/windows/servercore/iis

# Container Management
docker ps
docker stop iis
docker rm iis

Kubernetes auf Windows (optional für große Umgebungen)

• Windows Nodes in Kubernetes Cluster
• Azure Kubernetes Service (AKS)
• Hybrid-Workloads

18. Best Practices und Professionelles Arbeiten

Change Management

Niemals direkt in Production ändern!

1. Change Request erstellen
   • Was wird geändert?
   • Warum?
   • Wann?
   • Rollback-Plan?
2. Testing in Development/Staging
   • Vollständige Tests
   • Performance-Tests
   • Security-Tests
3. Documentation
   • Before-State dokumentieren
   • Schritt-für-Schritt-Anleitung
   • After-State verifizieren
4. Change Window
   • Außerhalb Business Hours
   • Stakeholder informieren
   • Backup vor Change!
5. Post-Implementation Review
   • Hat alles funktioniert?
   • Lessons Learned
   • Documentation updaten

Documentation Standards

Runbook-Template:

# Runbook: [Task Name]

## Purpose
Was macht dieses Runbook?

## Prerequisites
- Erforderliche Berechtigungen
- Benötigte Tools
- Backup vorhanden?

## Procedure
1. Schritt 1 mit konkreten Commands
```powershell
   Command-Here
```
2. Schritt 2...
3. Verification

## Rollback Procedure
Wie macht man es rückgängig?

## Troubleshooting
Häufige Probleme und Lösungen

## References
- Link zu weiterführender Dokumentation

Security Best Practices

Principle of Least Privilege:

• Nur nötige Berechtigungen vergeben
• Regelmäßige Access Reviews
• Service Accounts mit minimalen Rechten

Password Management:

• Komplexe Passwords (12+ Zeichen)
• Regular Password Changes (90 Tage)
• Never share Admin Passwords
• Password Manager verwenden (KeePass, 1Password)

Privileged Access Workstations (PAW):

• Separate Admin-Workstations
• Keine Internet-Browsing
• Keine Email auf Admin-Maschinen

Just-In-Time (JIT) Administration:

• Admin-Rechte nur wenn benötigt
• Time-limited Elevation
• Privileged Access Management (PAM) Solutions

Patch Management Process

1. Patch Tuesday (2. Dienstag im Monat)
2. Testing (1 Woche)
   • Test-Umgebung patchen
   • Applikationen testen
3. Staging (2. Woche)
   • Non-critical Server
   • Monitoring
4. Production (3. Woche)
   • Critical Server
   • Maintenance Window

Monitoring und Alerting

Was monitoren:

• Disk Space < 15%
• CPU > 80% für > 5 Min
• Memory > 90%
• Service Failures
• Failed Logins > 5
• Backup Failures
• Certificate Expiration < 30 Tage
• Replication Failures

Alert-Kanäle:

• Email
• SMS (für Critical)
• Microsoft Teams/Slack
• PagerDuty/OpsGenie

19. Zertifizierungen und Weiterbildung

Microsoft Certifications (Empfohlen)

Fundamentals (Einstieg):

• AZ-900: Azure Fundamentals
• MS-900: Microsoft 365 Fundamentals

Associate Level:

• AZ-104: Azure Administrator Associate
• MS-102: Microsoft 365 Administrator
• AZ-800/801: Windows Server Hybrid Administrator Associate

Expert Level:

• AZ-305: Azure Solutions Architect Expert
• SC-100: Cybersecurity Architect Expert

Lernressourcen

Microsoft Learn:

• Kostenlose Online-Kurse
• Hands-on Labs
• Learning Paths

Dokumentation:

• Microsoft Docs
• TechNet (legacy)
• PowerShell Gallery

Communities:

• Reddit: r/sysadmin, r/PowerShell
• Spiceworks Community
• Microsoft Tech Community

YouTube Channels:

• John Savill’s Technical Training
• Microsoft Mechanics
• PowerShell.org

Bücher:

• „Windows Server 2022 Inside Out“
• „Learn PowerShell in a Month of Lunches“
• „Active Directory: Designing, Deploying, and Running“

20. Realistische Timeline & Zusammenfassung

Career Path

Junior Admin (0-2 Jahre):

• Grundlegende AD-Verwaltung
• User/Computer-Management
• Basic PowerShell
• Ticket-basiertes Arbeiten
• Unter Supervision

Mid-Level Admin (2-5 Jahre):

• Vollständige AD-Verwaltung
• GPO-Management
• File Server Administration
• WSUS/Patch Management
• Basic Automation
• Eigenständige Projektarbeit

Senior Admin (5-10 Jahre):

• Infrastructure Design
• Automation Expert
• Disaster Recovery Planning
• Security Implementation
• Team Lead / Mentoring
• Multiple Technologien (Hybrid Cloud)
• Business Alignment

Was du HEUTE tun kannst

1. Lab-Umgebung aufbauen:

Hyper-V oder VMware:
- 2x Domain Controller (Redundanz üben)
- 1x File Server
- 1x WSUS
- 2-3x Client-VMs (Windows 10/11)

2. Tägliche Übungen:

• Woche 1-2: AD aufsetzen, User/Computer erstellen
• Woche 3-4: GPOs erstellen und troubleshooten
• Woche 5-6: PowerShell Scripts schreiben
• Woche 7-8: File Server + DFS
• Woche 9-10: WSUS + Patch Management
• Woche 11-12: Backup/Recovery-Szenarien

3. Praktische Projekte:

• Komplettes AD-Setup mit allen Roles
• User-Onboarding automatisieren
• Monitoring-Dashboard bauen
• Disaster Recovery üben (DC kaputt machen und recovern!)

4. Dokumentiere alles:

• Schreibe Runbooks
• Screenshot-basierte Anleitungen
• PowerShell Script-Library aufbauen

5. Community:

• r/sysadmin beitreten
• Fragen stellen
• Anderen helfen (bester Lernweg!)

Die Wahrheit über Seniorität

Du kannst nicht direkt als Senior starten.

Senior bedeutet:

• 5-10 Jahre praktische Erfahrung
• Hunderte Production-Issues gelöst
• Mehrere Major-Incidents gemeistert
• Verschiedene Unternehmensumgebungen gesehen
• Mentoring-Fähigkeiten
• Business-Verständnis

Aber: Mit diesem Wissen und intensivem Üben kannst du:

• Als Junior einsteigen (0-1 Jahr)
• Zu Mid-Level aufsteigen (2-3 Jahre)
• Senior erreichen (5+ Jahre)

Erfolgsformel

Knowledge (aus diesem Guide) 
+ Praktische Erfahrung (tägliches Üben) 
+ Production Experience (echter Job)
+ Continuous Learning (nie aufhören zu lernen)
= Senior System Administrator

Soft Skills (oft unterschätzt!)

• Kommunikation: Erkläre technische Probleme für Non-IT
• Dokumentation: Schreibe so, dass andere es verstehen
• Troubleshooting-Mentalität: Systematisch, nicht panisch
• Teamwork: Niemand arbeitet alleine
• Customer Service: Freundlich bleiben, auch bei Stress
• Zeitmanagement: Priorisierung ist key
• Continuous Improvement: Gibt es einen besseren Weg?

---

Final Thoughts

Dieser Guide gibt dir die Roadmap für deine Karriere als Windows System Administrator. Aber bedenke:

✅ Wissen ist der erste Schritt – dieser Guide gibt dir das Fundament ✅ Praxis ist essentiell – baue ein Lab, breche Dinge, repariere sie ✅ Zeit ist notwendig – Senior wird man nicht über Nacht ✅ Attitude matters – Lernbereitschaft und Problemlösung sind wichtiger als alles auswendig zu können

Der beste Rat: Starte mit einem Junior/Mid-Level Job, auch wenn das Gehalt niedriger ist. Die praktische Erfahrung mit echten Production-Systemen, echten Usern und echten Deadlines ist unbezahlbar und durch kein Buch oder Tutorial ersetzbar.

Du hast jetzt die komplette Blueprint – jetzt liegt es an dir, den Weg zu gehen! 💪

Viel Erfolg! 🚀