Der komplette Weg zum Senior Windows System Administrator
Ein umfassender, praxisorientierter Leitfaden für die Windows-Systemadministration. Beachte: „Senior“ bedeutet normalerweise 5-10 Jahre Berufserfahrung, aber dieser Guide zeigt dir alles Wichtige.
1. Active Directory – Das Herzstück
Active Directory Domain Services (AD DS)
Als Senior Windows Admin ist Active Directory dein tägliches Werkzeug. Du musst es komplett beherrschen.
Domain Controller einrichten
Voraussetzungen:
- Windows Server 2019/2022
- Statische IP-Adresse
- DNS korrekt konfiguriert
- Sinnvoller Hostname
Installation via PowerShell:
# Active Directory installieren
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
# Domain Controller promoten (neue Forest)
Install-ADDSForest `
-DomainName "contoso.local" `
-DomainNetbiosName "CONTOSO" `
-ForestMode "WinThreshold" `
-DomainMode "WinThreshold" `
-InstallDns `
-SafeModeAdministratorPassword (ConvertTo-SecureString "P@ssw0rd123!" -AsPlainText -Force) `
-Force
# Zusätzlichen DC hinzufügen (Redundanz!)
Install-ADDSDomainController `
-DomainName "contoso.local" `
-InstallDns `
-Credential (Get-Credential) `
-SafeModeAdministratorPassword (ConvertTo-SecureString "P@ssw0rd123!" -AsPlainText -Force)
Organizational Units (OUs) Struktur
Eine saubere OU-Struktur ist essentiell für Group Policy Management:
# OU-Struktur erstellen
New-ADOrganizationalUnit -Name "CONTOSO" -Path "DC=contoso,DC=local"
New-ADOrganizationalUnit -Name "Computers" -Path "OU=CONTOSO,DC=contoso,DC=local"
New-ADOrganizationalUnit -Name "Workstations" -Path "OU=Computers,OU=CONTOSO,DC=contoso,DC=local"
New-ADOrganizationalUnit -Name "Servers" -Path "OU=Computers,OU=CONTOSO,DC=contoso,DC=local"
New-ADOrganizationalUnit -Name "Users" -Path "OU=CONTOSO,DC=contoso,DC=local"
New-ADOrganizationalUnit -Name "Departments" -Path "OU=Users,OU=CONTOSO,DC=contoso,DC=local"
New-ADOrganizationalUnit -Name "IT" -Path "OU=Departments,OU=Users,OU=CONTOSO,DC=contoso,DC=local"
New-ADOrganizationalUnit -Name "HR" -Path "OU=Departments,OU=Users,OU=CONTOSO,DC=contoso,DC=local"
New-ADOrganizationalUnit -Name "Groups" -Path "OU=CONTOSO,DC=contoso,DC=local"
New-ADOrganizationalUnit -Name "Service-Accounts" -Path "OU=CONTOSO,DC=contoso,DC=local"
Best Practice OU-Struktur:
Domain Root
├── CONTOSO (Company OU)
├── Computers
│ ├── Workstations
│ │ ├── Windows10
│ │ └── Windows11
│ ├── Servers
│ │ ├── File-Servers
│ │ ├── Web-Servers
│ │ └── Database-Servers
│ └── Laptops
├── Users
│ ├── Departments
│ │ ├── IT
│ │ ├── HR
│ │ ├── Finance
│ │ └── Sales
│ └── Admins (Protected)
├── Groups
│ ├── Security-Groups
│ └── Distribution-Groups
└── Service-Accounts
User- und Group-Management
User erstellen (PowerShell – professioneller Weg):
# Einzelner User
New-ADUser `
-Name "Max Mustermann" `
-GivenName "Max" `
-Surname "Mustermann" `
-SamAccountName "mmustermann" `
-UserPrincipalName "mmustermann@contoso.local" `
-EmailAddress "max.mustermann@contoso.com" `
-Path "OU=IT,OU=Departments,OU=Users,OU=CONTOSO,DC=contoso,DC=local" `
-AccountPassword (ConvertTo-SecureString "TempP@ss123!" -AsPlainText -Force) `
-Enabled $true `
-ChangePasswordAtLogon $true `
-Department "IT" `
-Title "System Administrator" `
-Company "Contoso GmbH" `
-OfficePhone "+49 30 12345678" `
-MobilePhone "+49 170 1234567"
# User aus CSV importieren (Bulk-Operations)
Import-Csv "C:\Users.csv" | ForEach-Object {
New-ADUser `
-Name "$($_.FirstName) $($_.LastName)" `
-GivenName $_.FirstName `
-Surname $_.LastName `
-SamAccountName $_.Username `
-UserPrincipalName "$($_.Username)@contoso.local" `
-EmailAddress $_.Email `
-Path $_.OUPath `
-AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -Force) `
-Enabled $true `
-ChangePasswordAtLogon $true
}
Group Management:
# Security Group erstellen
New-ADGroup `
-Name "IT-Admins" `
-GroupScope Global `
-GroupCategory Security `
-Path "OU=Security-Groups,OU=Groups,OU=CONTOSO,DC=contoso,DC=local" `
-Description "IT Department Administrators"
# User zu Gruppe hinzufügen
Add-ADGroupMember -Identity "IT-Admins" -Members "mmustermann","jdoe"
# User aus Gruppe entfernen
Remove-ADGroupMember -Identity "IT-Admins" -Members "mmustermann" -Confirm:$false
# Gruppen-Mitgliedschaften anzeigen
Get-ADPrincipalGroupMembership -Identity "mmustermann" | Select-Object Name
# Alle Mitglieder einer Gruppe anzeigen
Get-ADGroupMember -Identity "IT-Admins" -Recursive | Select-Object Name,SamAccountName
Group Policy Objects (GPOs)
GPOs sind das mächtigste Werkzeug für zentrale Konfiguration.
GPO-Management Grundlagen:
# Neue GPO erstellen
New-GPO -Name "Workstation-Security-Policy"
# GPO mit OU verknüpfen
New-GPLink `
-Name "Workstation-Security-Policy" `
-Target "OU=Workstations,OU=Computers,OU=CONTOSO,DC=contoso,DC=local"
# GPO-Status prüfen
Get-GPOReport -Name "Workstation-Security-Policy" -ReportType Html -Path "C:\GPOReport.html"
# Alle GPOs auflisten
Get-GPO -All | Select-Object DisplayName,GpoStatus,CreationTime
# GPO Backup
Backup-GPO -Name "Workstation-Security-Policy" -Path "C:\GPO-Backups"
# GPO Restore
Restore-GPO -Name "Workstation-Security-Policy" -Path "C:\GPO-Backups"
Wichtige GPO-Settings (Beispiele):
1. Password Policy:
- Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy
Minimum password length: 12 characters
Password complexity: Enabled
Maximum password age: 90 days
Minimum password age: 1 day
Password history: 24 passwords
2. Account Lockout Policy:
Account lockout threshold: 5 invalid attempts
Account lockout duration: 30 minutes
Reset account lockout counter after: 30 minutes
3. Windows Firewall:
# Via GPO Registry
Set-GPRegistryValue -Name "Workstation-Security-Policy" `
-Key "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" `
-ValueName "EnableFirewall" `
-Type DWord -Value 1
4. Software Deployment via GPO:
# MSI-Paket über GPO verteilen
# Computer Configuration → Policies → Software Settings → Software installation
# → New → Package → Wähle \\server\share\package.msi
# Deployment Type: Assigned (automatische Installation)
5. Drive Mapping (Netzlaufwerke):
User Configuration → Preferences → Windows Settings → Drive Maps
→ New → Mapped Drive
Drive Letter: H:
Location: \\fileserver\home\%username%
Reconnect: Enabled
Label: Home Directory
6. Folder Redirection (wichtig für Roaming Profiles):
User Configuration → Policies → Windows Settings → Folder Redirection
→ Documents → Properties
Setting: Basic - Redirect everyone's folder
Target folder location: \\fileserver\redirected\%username%\Documents
GPO Troubleshooting:
# GPO auf Client aktualisieren
gpupdate /force
# Resultant Set of Policy (RSoP) - Was wird wirklich angewendet?
gpresult /H C:\gpresult.html
gpresult /R # Zusammenfassung in Console
# GPO-Verarbeitung tracen
gpresult /V # Verbose output
Active Directory Replikation
Replikations-Status prüfen:
# Replikations-Status aller DCs
repadmin /replsummary
# Detaillierte Replikationsinformationen
repadmin /showrepl
# Erzwungene Replikation
repadmin /syncall /AdeP
# Replikations-Topologie anzeigen
repadmin /showvector DC=contoso,DC=local
# FSMO-Rollen anzeigen (wichtig!)
netdom query fsmo
# FSMO-Rollen verschieben (bei DC-Ausfall)
Move-ADDirectoryServerOperationMasterRole `
-Identity "DC02" `
-OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster
Die 5 FSMO-Rollen (Forest/Domain-weit):
- Schema Master (Forest): Schema-Änderungen
- Domain Naming Master (Forest): Domain hinzufügen/entfernen
- PDC Emulator (Domain): Zeitserver, Password-Changes, Legacy-Support
- RID Master (Domain): Vergibt RID-Pools für SIDs
- Infrastructure Master (Domain): Cross-Domain Objekt-Referenzen
AD Backup und Recovery
# System State Backup (enthält AD)
wbadmin start systemstatebackup -backupTarget:E: -quiet
# AD authoritative Restore (nach Boot in DSRM)
# 1. Server in Directory Services Restore Mode booten (F8)
# 2. Anmelden mit DSRM-Password
# 3. Restore:
wbadmin start systemstaterecovery -version:12/01/2024-00:00
# Authoritative Restore für gelöschte Objekte
ntdsutil
activate instance ntds
authoritative restore
restore subtree "OU=IT,OU=Departments,OU=Users,OU=CONTOSO,DC=contoso,DC=local"
quit
quit
# AD Recycle Bin aktivieren (ab Windows Server 2008 R2)
Enable-ADOptionalFeature -Identity "Recycle Bin Feature" `
-Scope ForestOrConfigurationSet `
-Target "contoso.local"
# Gelöschte Objekte wiederherstellen
Get-ADObject -Filter {IsDeleted -eq $true -and Name -like "*Mustermann*"} `
-IncludeDeletedObjects | Restore-ADObject
2. PowerShell – Deine Superpower
PowerShell Basics für Profis
Cmdlet-Struktur: Verb-Noun (Get-Service, Set-ExecutionPolicy)
Wichtige Konzepte:
# Pipeline (Output von einem Cmdlet als Input für nächstes)
Get-Process | Where-Object {$_.CPU -gt 10} | Sort-Object CPU -Descending
# Variablen
$computerName = "SERVER01"
$users = Get-ADUser -Filter *
# Arrays
$servers = @("SERVER01","SERVER02","SERVER03")
foreach ($server in $servers) {
Test-Connection $server -Count 1
}
# Hash Tables
$serverInfo = @{
Name = "SERVER01"
IP = "192.168.1.100"
Role = "File Server"
}
# Objekte erstellen
$server = [PSCustomObject]@{
Name = "SERVER01"
Status = "Online"
LastBoot = (Get-Date)
}
Administrative PowerShell-Scripts
Remote Management (PowerShell Remoting):
# PSRemoting aktivieren (auf Ziel-Computer)
Enable-PSRemoting -Force
# Einzelner Remote-Befehl
Invoke-Command -ComputerName SERVER01 -ScriptBlock {
Get-Service -Name Spooler
}
# Remote-Session (interaktiv)
Enter-PSSession -ComputerName SERVER01
# Befehle auf mehreren Computern
Invoke-Command -ComputerName SERVER01,SERVER02,SERVER03 -ScriptBlock {
Get-EventLog -LogName System -Newest 10
}
# Mit Credentials
$cred = Get-Credential
Invoke-Command -ComputerName SERVER01 -Credential $cred -ScriptBlock {
Restart-Service Spooler
}
Service-Management:
# Services anzeigen
Get-Service | Where-Object {$_.Status -eq "Running"}
Get-Service -ComputerName SERVER01
# Service starten/stoppen
Start-Service -Name Spooler
Stop-Service -Name Spooler
Restart-Service -Name Spooler
# Service-Startup-Type ändern
Set-Service -Name Spooler -StartupType Automatic
# Service auf mehreren Servern neustarten
$servers = Get-Content "C:\servers.txt"
Invoke-Command -ComputerName $servers -ScriptBlock {
Restart-Service W3SVC
}
Disk-Management:
# Disk-Informationen
Get-Disk
Get-Volume
Get-Partition
# Neue Disk initialisieren und formatieren
Initialize-Disk -Number 1 -PartitionStyle GPT
New-Partition -DiskNumber 1 -UseMaximumSize -DriveLetter E
Format-Volume -DriveLetter E -FileSystem NTFS -NewFileSystemLabel "Data"
# Disk-Space prüfen
Get-Volume | Select-Object DriveLetter,FileSystemLabel,
@{N="Size(GB)";E={[math]::Round($_.Size/1GB,2)}},
@{N="Free(GB)";E={[math]::Round($_.SizeRemaining/1GB,2)}},
@{N="Free%";E={[math]::Round(($_.SizeRemaining/$_.Size)*100,2)}}
Event Log-Analyse:
# Event Logs auslesen
Get-EventLog -LogName System -Newest 100
Get-EventLog -LogName Application -EntryType Error -Newest 50
# Mit WinEvent (moderner, flexibler)
Get-WinEvent -LogName System -MaxEvents 100
Get-WinEvent -FilterHashtable @{
LogName='Security'
ID=4625 # Failed login attempts
StartTime=(Get-Date).AddDays(-1)
}
# Event Logs von Remote-Servern
Invoke-Command -ComputerName SERVER01,SERVER02 -ScriptBlock {
Get-EventLog -LogName System -EntryType Error -Newest 10
} | Select-Object PSComputerName,TimeGenerated,Source,Message
# Export zu HTML-Report
Get-EventLog -LogName System -EntryType Error -Newest 50 |
ConvertTo-Html | Out-File C:\ErrorLog.html
User-Management Scripts:
# Alle User einer OU anzeigen
Get-ADUser -Filter * -SearchBase "OU=IT,OU=Departments,OU=Users,OU=CONTOSO,DC=contoso,DC=local" -Properties *
# Disabled Accounts finden
Get-ADUser -Filter {Enabled -eq $false} | Select-Object Name,SamAccountName
# Inactive Accounts (90+ Tage nicht eingeloggt)
$date = (Get-Date).AddDays(-90)
Get-ADUser -Filter {LastLogonDate -lt $date -and Enabled -eq $true} -Properties LastLogonDate |
Select-Object Name,SamAccountName,LastLogonDate
# Password läuft bald ab
Search-ADAccount -PasswordExpiring -TimeSpan "14.00:00:00" |
Select-Object Name,PasswordExpireDate
# Bulk-Operations: Alle User in OU deaktivieren
Get-ADUser -Filter * -SearchBase "OU=Terminated,OU=Users,OU=CONTOSO,DC=contoso,DC=local" |
Disable-ADAccount
# User-Report erstellen
Get-ADUser -Filter * -Properties * |
Select-Object Name,SamAccountName,EmailAddress,Department,Title,Enabled,LastLogonDate |
Export-Csv C:\UserReport.csv -NoTypeInformation
Monitoring-Script (Health Check):
# Server-Health-Check
function Get-ServerHealth {
param([string]$ComputerName)
$result = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
[PSCustomObject]@{
ComputerName = $env:COMPUTERNAME
Uptime = (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
CPU = (Get-Counter '\Processor(_Total)\% Processor Time').CounterSamples.CookedValue
MemoryUsed = [math]::Round((Get-Counter '\Memory\% Committed Bytes In Use').CounterSamples.CookedValue,2)
DiskSpace = Get-Volume | Where-Object {$_.DriveLetter} |
Select-Object DriveLetter,
@{N="FreeSpace%";E={[math]::Round(($_.SizeRemaining/$_.Size)*100,2)}}
FailedServices = (Get-Service | Where-Object {$_.StartType -eq 'Automatic' -and $_.Status -ne 'Running'}).Count
}
}
return $result
}
# Alle Server prüfen
$servers = Get-Content "C:\servers.txt"
$healthReport = foreach ($server in $servers) {
Get-ServerHealth -ComputerName $server
}
$healthReport | Export-Csv C:\ServerHealth.csv -NoTypeInformation
PowerShell Module und Best Practices
Wichtige Module:
# Installierte Module anzeigen
Get-Module -ListAvailable
# Wichtige Module:
Import-Module ActiveDirectory
Import-Module DnsServer
Import-Module GroupPolicy
Import-Module Hyper-V
Import-Module ServerManager
# Module aus PowerShell Gallery installieren
Install-Module -Name Az # Azure Management
Install-Module -Name PSWindowsUpdate # Windows Update Management
Install-Module -Name Posh-SSH # SSH von PowerShell
# Module updaten
Update-Module -Name Az
Execution Policy:
# Aktuelle Policy anzeigen
Get-ExecutionPolicy
# Policy setzen (für Scripts)
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
# RemoteSigned = lokale Scripts OK, downloaded Scripts müssen signiert sein
# AllSigned = alle Scripts müssen signiert sein
# Unrestricted = alle Scripts erlaubt (unsicher!)
Script-Template (Best Practices):
<#
.SYNOPSIS
Kurze Beschreibung des Scripts
.DESCRIPTION
Detaillierte Beschreibung
.PARAMETER ComputerName
Name des Ziel-Computers
.EXAMPLE
.\Script.ps1 -ComputerName SERVER01
.NOTES
Author: Max Mustermann
Date: 2024-12-14
#>
[CmdletBinding()]
param(
[Parameter(Mandatory=$true)]
[string]$ComputerName,
[Parameter(Mandatory=$false)]
[switch]$Verbose
)
# Error Handling
$ErrorActionPreference = "Stop"
try {
# Script Logic hier
Write-Host "Processing $ComputerName..." -ForegroundColor Green
# Code...
} catch {
Write-Error "Fehler: $_"
exit 1
} finally {
# Cleanup
Write-Host "Script beendet." -ForegroundColor Cyan
}
3. File Server und Storage
File Server Einrichtung
File Server Role installieren:
# File Server installieren
Install-WindowsFeature -Name FS-FileServer -IncludeManagementTools
# Optional: DFS für verteilte File-Systeme
Install-WindowsFeature -Name FS-DFS-Namespace,FS-DFS-Replication -IncludeManagementTools
Shares erstellen und verwalten:
# SMB Share erstellen
New-SmbShare -Name "Shared" -Path "D:\Shares\Shared" -FullAccess "CONTOSO\IT-Admins" -ChangeAccess "CONTOSO\Domain Users"
# Share-Eigenschaften anzeigen
Get-SmbShare -Name "Shared"
Get-SmbShareAccess -Name "Shared"
# Share-Berechtigungen ändern
Grant-SmbShareAccess -Name "Shared" -AccountName "CONTOSO\HR-Team" -AccessRight Change
Revoke-SmbShareAccess -Name "Shared" -AccountName "CONTOSO\Guest"
# Share entfernen
Remove-SmbShare -Name "Shared" -Force
# Alle Shares anzeigen
Get-SmbShare | Select-Object Name,Path,Description
NTFS-Berechtigungen:
# ACL auslesen
Get-Acl -Path "D:\Shares\Shared"
# ACL setzen
$acl = Get-Acl -Path "D:\Shares\Shared"
$permission = "CONTOSO\IT-Admins","FullControl","ContainerInherit,ObjectInherit","None","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($accessRule)
Set-Acl -Path "D:\Shares\Shared" -AclObject $acl
# Vererbung deaktivieren
$acl = Get-Acl -Path "D:\Shares\Confidential"
$acl.SetAccessRuleProtection($true, $true) # True = Vererbung blockieren, True = existierende Rechte kopieren
Set-Acl -Path "D:\Shares\Confidential" -AclObject $acl
# Berechtigungen rekursiv auf Unterordner anwenden
$acl = Get-Acl -Path "D:\Shares\Shared"
Get-ChildItem -Path "D:\Shares\Shared" -Recurse | Set-Acl -AclObject $acl
File Server Resource Manager (FSRM):
# FSRM installieren
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools
# Quota erstellen (Disk-Space begrenzen)
New-FsrmQuota -Path "D:\Shares\UserData" -Size 10GB -SoftLimit
# File Screen (bestimmte Dateitypen blockieren)
New-FsrmFileScreen -Path "D:\Shares\Shared" -Template "Block Executable Files"
# Storage Reports
New-FsrmStorageReport -Name "Disk Usage Report" -Namespace "D:\Shares" -ReportType LargeFiles,DuplicateFiles
# File Management Tasks (automatisches Löschen alter Files)
New-FsrmFileManagementJob -Name "Delete old files" `
-Namespace "D:\Shares\Temp" `
-Action Delete `
-Condition @{Property='File.DateCreated'; Condition='Before'; Value=(Get-Date).AddDays(-30)}
DFS (Distributed File System)
DFS Namespace:
# DFS Namespace erstellen
New-DfsnRoot -Path "\\contoso.local\Files" -TargetPath "\\FILESERVER01\Files" -Type DomainV2
# Folder zu Namespace hinzufügen
New-DfsnFolder -Path "\\contoso.local\Files\Shared" -TargetPath "\\FILESERVER01\Shared"
# Folder Target hinzufügen (Redundanz!)
New-DfsnFolderTarget -Path "\\contoso.local\Files\Shared" -TargetPath "\\FILESERVER02\Shared"
# DFS Namespace anzeigen
Get-DfsnRoot
Get-DfsnFolder -Path "\\contoso.local\Files\*"
DFS Replication:
# Replication Group erstellen
New-DfsReplicationGroup -GroupName "FileReplication"
# Folder zu Replication Group hinzufügen
New-DfsReplicatedFolder -GroupName "FileReplication" -FolderName "Shared"
# Member hinzufügen
Add-DfsrMember -GroupName "FileReplication" -ComputerName "FILESERVER01","FILESERVER02"
# Replication konfigurieren
Set-DfsrMembership -GroupName "FileReplication" -FolderName "Shared" `
-ComputerName "FILESERVER01" -ContentPath "D:\Replication\Shared" -PrimaryMember $true
Set-DfsrMembership -GroupName "FileReplication" -FolderName "Shared" `
-ComputerName "FILESERVER02" -ContentPath "D:\Replication\Shared"
# Connection erstellen (bidirektional)
Add-DfsrConnection -GroupName "FileReplication" `
-SourceComputerName "FILESERVER01" -DestinationComputerName "FILESERVER02"
Storage Spaces und Storage Pools
Storage Spaces (Software RAID):
# Physical Disks anzeigen
Get-PhysicalDisk
# Storage Pool erstellen
New-StoragePool -FriendlyName "DataPool" `
-StorageSubSystemFriendlyName "Windows Storage*" `
-PhysicalDisks (Get-PhysicalDisk -CanPool $true)
# Virtual Disk erstellen (mit Mirroring = RAID 1)
New-VirtualDisk -StoragePoolFriendlyName "DataPool" `
-FriendlyName "MirroredDisk" `
-Size 500GB `
-ResiliencySettingName Mirror
# Oder mit Parity (RAID 5)
New-VirtualDisk -StoragePoolFriendlyName "DataPool" `
-FriendlyName "ParityDisk" `
-Size 1TB `
-ResiliencySettingName Parity
# Volume erstellen
New-Volume -DiskNumber 1 -FriendlyName "Data" -FileSystem NTFS -DriveLetter E
4. Netzwerk-Verwaltung
DNS Server
DNS installieren und konfigurieren:
# DNS installieren
Install-WindowsFeature -Name DNS -IncludeManagementTools
# DNS Zone erstellen
Add-DnsServerPrimaryZone -Name "contoso.local" -ReplicationScope Domain
# A-Record hinzufügen
Add-DnsServerResourceRecordA -Name "webserver" -ZoneName "contoso.local" -IPv4Address "192.168.1.100"
# CNAME-Record
Add-DnsServerResourceRecordCName -Name "www" -HostNameAlias "webserver.contoso.local" -ZoneName "contoso.local"
# MX-Record (Mail)
Add-DnsServerResourceRecordMX -Name "." -ZoneName "contoso.local" -MailExchange "mail.contoso.local" -Preference 10
# PTR-Record (Reverse Lookup)
Add-DnsServerResourceRecordPtr -Name "100" -ZoneName "1.168.192.in-addr.arpa" -PtrDomainName "webserver.contoso.local"
# DNS-Records anzeigen
Get-DnsServerResourceRecord -ZoneName "contoso.local"
# DNS-Cache leeren
Clear-DnsServerCache
DNS Forwarders (für externe Auflösung):
# Forwarders setzen
Set-DnsServerForwarder -IPAddress "8.8.8.8","1.1.1.1"
# Forwarders anzeigen
Get-DnsServerForwarder
DHCP Server
DHCP installieren und konfigurieren:
# DHCP installieren
Install-WindowsFeature -Name DHCP -IncludeManagementTools
# DHCP in AD autorisieren
Add-DhcpServerInDC -DnsName "dhcp01.contoso.local" -IPAddress 192.168.1.10
# DHCP Scope erstellen
Add-DhcpServerv4Scope -Name "Main Office" `
-StartRange 192.168.1.100 `
-EndRange 192.168.1.200 `
-SubnetMask 255.255.255.0 `
-LeaseDuration 8.00:00:00
# DHCP Options (Gateway, DNS)
Set-DhcpServerv4OptionValue -ScopeId 192.168.1.0 `
-Router 192.168.1.1 `
-DnsServer 192.168.1.10 `
-DnsDomain "contoso.local"
# DHCP Reservierung (feste IP für MAC)
Add-DhcpServerv4Reservation -ScopeId 192.168.1.0 `
-IPAddress 192.168.1.50 `
-ClientId "00-50-56-C0-00-01" `
-Description "Drucker Büro"
# DHCP Leases anzeigen
Get-DhcpServerv4Lease -ScopeId 192.168.1.0
# DHCP Failover (Redundanz)
Add-DhcpServerv4Failover -ComputerName DHCP01 `
-PartnerServer DHCP02 `
-Name "DHCP-Failover" `
-ScopeId 192.168.1.0 `
-LoadBalancePercent 50
Network Policy Server (NPS) – RADIUS
NPS für WLAN/VPN Authentication:
# NPS installieren
Install-WindowsFeature -Name NPAS -IncludeManagementTools
# RADIUS Client hinzufügen (z.B. WLAN Access Point)
New-NpsRadiusClient -Name "Office-AP" `
-Address "192.168.1.20" `
-SharedSecret "SuperSecretKey123!"
# Network Policy erstellen
# GUI-basiert über: Server Manager → Tools → Network Policy Server
Windows Firewall mit PowerShell
# Firewall-Status
Get-NetFirewallProfile
# Firewall aktivieren
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
# Firewall-Regel erstellen
New-NetFirewallRule -DisplayName "Allow HTTP" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 80 `
-Action Allow
New-NetFirewallRule -DisplayName "Allow RDP from Admin Network" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 3389 `
-RemoteAddress 192.168.10.0/24 `
-Action Allow
# Firewall-Regeln anzeigen
Get-NetFirewallRule | Where-Object {$_.Enabled -eq $true} | Select-Object DisplayName,Direction,Action
# Firewall-Regel löschen
Remove-NetFirewallRule -DisplayName "Allow HTTP"
# Firewall-Log aktivieren
Set-NetFirewallProfile -Profile Domain -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log" `
-LogMaxSizeKilobytes 16384 `
-LogAllowed True `
-LogBlocked True
Network Teaming (NIC Teaming)
# Network Adapter anzeigen
Get-NetAdapter
# NIC Team erstellen (Redundanz/Load Balancing)
New-NetLbfoTeam -Name "Team1" `
-TeamMembers "Ethernet 1","Ethernet 2" `
-TeamingMode SwitchIndependent `
-LoadBalancingAlgorithm Dynamic
# Team-Status
Get-NetLbfoTeam
Get-NetLbfoTeamMember
# VLAN auf Team-Interface
Add-NetLbfoTeamNic -Team "Team1" -VlanID 10
5. Windows Server Update Services (WSUS)
WSUS einrichten
# WSUS installieren
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools
# WSUS Post-Installation
Set-Location "C:\Program Files\Update Services\Tools"
.\wsusutil.exe postinstall CONTENT_DIR=E:\WSUS
# WSUS konfigurieren
$wsus = Get-WsusServer
$wsusConfig = $wsus.GetConfiguration()
$wsusConfig.SetAutoApproveLocalPublishedUpdates($true)
$wsusConfig.Save()
# Produktkategorien synchronisieren
Get-WsusProduct | Where-Object {$_.Product.Title -like "*Windows Server 2022*"} | Set-WsusProduct
# Classifications auswählen
Get-WsusClassification | Where-Object {$_.Classification.Title -in @("Critical Updates","Security Updates","Definition Updates")} | Set-WsusClassification
# Synchronisation starten
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronization()
# Computer Groups erstellen
$wsus.CreateComputerTargetGroup("Production Servers")
$wsus.CreateComputerTargetGroup("Test Servers")
WSUS via GPO auf Clients konfigurieren:
Computer Configuration → Policies → Administrative Templates → Windows Components → Windows Update
Settings:
- Configure Automatic Updates: Enabled - Auto download and schedule install
- Specify intranet Microsoft update service location: http://wsus.contoso.local:8530
- Automatic Updates detection frequency: 4 hours
- Enable client-side targeting: Enabled - Target Group: "Production Servers"
6. Remote Desktop Services (RDS)
Terminal Server / Remote Desktop
RDS Role installieren:
# RD Session Host installieren
Install-WindowsFeature -Name RDS-RD-Server -IncludeManagementTools
# RD Licensing
Install-WindowsFeature -Name RDS-Licensing -IncludeManagementTools
# RD Gateway (für externe Zugriffe)
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools
# RD Connection Broker (für Load Balancing)
Install-WindowsFeature -Name RDS-Connection-Broker -IncludeManagementTools
RemoteApp konfigurieren:
# RemoteApp erstellen (z.B. für MS Office)
New-RDRemoteApp -CollectionName "Office Apps" `
-DisplayName "Microsoft Word" `
-FilePath "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" `
-ShowInWebAccess $true
RDS Lizenzen:
- Per Device oder Per User
- Aktivierung über Microsoft Clearinghouse
- Grace Period: 120 Tage
Remote Desktop Configuration
# RDP auf Server aktivieren
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
# Firewall-Regel für RDP
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
# NLA (Network Level Authentication) aktivieren
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1
# Max Connections
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "MaxInstanceCount" -Value 20
7. Hyper-V Virtualisierung
Hyper-V einrichten
# Hyper-V installieren
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -Restart
# Virtual Switch erstellen (External = mit physischem Netzwerk verbunden)
New-VMSwitch -Name "External-Switch" -NetAdapterName "Ethernet 1" -AllowManagementOS $true
# Internal Switch (nur zwischen VMs und Host)
New-VMSwitch -Name "Internal-Switch" -SwitchType Internal
# Private Switch (nur zwischen VMs)
New-VMSwitch -Name "Private-Switch" -SwitchType Private
VM erstellen und verwalten
# Neue VM erstellen
New-VM -Name "TESTSERVER" `
-MemoryStartupBytes 4GB `
-Generation 2 `
-NewVHDPath "E:\Hyper-V\TESTSERVER\TESTSERVER.vhdx" `
-NewVHDSizeBytes 60GB `
-SwitchName "External-Switch"
# VM konfigurieren
Set-VM -Name "TESTSERVER" -ProcessorCount 2
Set-VM -Name "TESTSERVER" -DynamicMemory -MemoryMinimumBytes 2GB -MemoryMaximumBytes 8GB
# VM starten/stoppen
Start-VM -Name "TESTSERVER"
Stop-VM -Name "TESTSERVER"
Restart-VM -Name "TESTSERVER"
# ISO mounten (für OS-Installation)
Set-VMDvdDrive -VMName "TESTSERVER" -Path "E:\ISOs\WindowsServer2022.iso"
# Checkpoint (Snapshot) erstellen
Checkpoint-VM -Name "TESTSERVER" -SnapshotName "Before Update"
# Checkpoint wiederherstellen
Restore-VMSnapshot -Name "Before Update" -VMName "TESTSERVER" -Confirm:$false
# VM exportieren (Backup)
Export-VM -Name "TESTSERVER" -Path "E:\Backups\VMs"
# VM importieren
Import-VM -Path "E:\Backups\VMs\TESTSERVER\Virtual Machines\xyz.vmcx"
# VHD vergrößern
Resize-VHD -Path "E:\Hyper-V\TESTSERVER\TESTSERVER.vhdx" -SizeBytes 120GB
# VM klonen
$vm = Get-VM "TESTSERVER"
Export-VM -VM $vm -Path "E:\Temp"
Import-VM -Path "E:\Temp\TESTSERVER" -Copy -GenerateNewId
Rename-VM -VM (Get-VM | Where-Object {$_.Name -eq "TESTSERVER"} | Select-Object -Last 1) -NewName "TESTSERVER-CLONE"
Hyper-V Replica (Disaster Recovery)
# Replica aktivieren (auf beiden Hosts)
Set-VMReplicationServer -ReplicationEnabled $true `
-AllowedAuthenticationType Kerberos `
-ReplicationAllowedFromAnyServer $true
# Replikation für VM einrichten
Enable-VMReplication -VMName "TESTSERVER" `
-ReplicaServerName "HYPERV-02.contoso.local" `
-ReplicaServerPort 80 `
-AuthenticationType Kerberos `
-CompressionEnabled $true
# Initial Replication starten
Start-VMInitialReplication -VMName "TESTSERVER"
# Replikation-Status
Get-VMReplication -VMName "TESTSERVER"
# Planned Failover (bei geplantem Ausfall)
Start-VMFailover -VMName "TESTSERVER" -Prepare
Start-VMFailover -VMName "TESTSERVER" -AsReplica
# Unplanned Failover (Notfall)
Start-VMFailover -VMName "TESTSERVER"
8. Internet Information Services (IIS)
IIS Webserver
# IIS installieren
Install-WindowsFeature -Name Web-Server -IncludeManagementTools
# Website erstellen
New-IISSite -Name "MyWebsite" `
-PhysicalPath "C:\inetpub\mywebsite" `
-BindingInformation "*:80:www.example.com"
# HTTPS Binding mit Zertifikat
New-IISSiteBinding -Name "MyWebsite" `
-BindingInformation "*:443:www.example.com" `
-Protocol https `
-CertificateThumbPrint "ABCDEF1234567890..."
# Application Pool erstellen
New-WebAppPool -Name "MyAppPool"
Set-ItemProperty IIS:\AppPools\MyAppPool -Name processModel.identityType -Value 2 # NetworkService
# Website zu AppPool zuweisen
Set-ItemProperty "IIS:\Sites\MyWebsite" -Name applicationPool -Value "MyAppPool"
# Virtual Directory erstellen
New-WebVirtualDirectory -Site "MyWebsite" -Name "images" -PhysicalPath "E:\WebImages"
# URL Rewrite (Redirect HTTP zu HTTPS)
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' `
-filter "system.webServer/rewrite/rules" `
-name "." `
-value @{name='HTTP to HTTPS';patternSyntax='Wildcard';stopProcessing='True'}
IIS Application Request Routing (Load Balancing):
# ARR installieren (via Web Platform Installer oder manual)
# Server Farm erstellen für Load Balancing zwischen mehreren Webservern
SSL-Zertifikate in IIS
# Zertifikat importieren
Import-PfxCertificate -FilePath "C:\Certs\certificate.pfx" `
-CertStoreLocation Cert:\LocalMachine\My `
-Password (ConvertTo-SecureString -String "P@ssw0rd" -AsPlainText -Force)
# Zertifikat zu IIS Binding hinzufügen
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*example.com*"}
New-IISSiteBinding -Name "MyWebsite" `
-BindingInformation "*:443:" `
-Protocol https `
-CertificateThumbPrint $cert.Thumbprint
9. SQL Server Verwaltung
SQL Server Basics
# SQL Server Module
Import-Module SqlServer
# SQL Server Instanzen anzeigen
Get-SqlInstance -ServerInstance "localhost"
# Datenbank erstellen
Invoke-Sqlcmd -Query "CREATE DATABASE MyAppDB" -ServerInstance "localhost"
# SQL Server Login erstellen
Invoke-Sqlcmd -Query @"
CREATE LOGIN myappuser WITH PASSWORD = 'P@ssw0rd123!';
USE MyAppDB;
CREATE USER myappuser FOR LOGIN myappuser;
ALTER ROLE db_datareader ADD MEMBER myappuser;
ALTER ROLE db_datawriter ADD MEMBER myappuser;
"@ -ServerInstance "localhost"
# Backup
Backup-SqlDatabase -ServerInstance "localhost" `
-Database "MyAppDB" `
-BackupFile "E:\Backups\MyAppDB_Full.bak" `
-BackupAction Database
# Restore
Restore-SqlDatabase -ServerInstance "localhost" `
-Database "MyAppDB" `
-BackupFile "E:\Backups\MyAppDB_Full.bak" `
-ReplaceDatabase
SQL Server Maintenance:
-- Index Rebuild (in SQL Management Studio)
USE MyAppDB;
ALTER INDEX ALL ON dbo.TableName REBUILD;
-- Update Statistics
UPDATE STATISTICS dbo.TableName;
-- Check Database Integrity
DBCC CHECKDB ('MyAppDB');
-- Shrink Database (nur wenn nötig!)
DBCC SHRINKDATABASE (MyAppDB, 10);
SQL Server Jobs (Automated Tasks):
- Via SQL Server Agent
- Backup Jobs
- Maintenance Tasks
- Monitoring
10. Security und Hardening
Windows Defender
# Defender Status
Get-MpComputerStatus
# Scan starten
Start-MpScan -ScanType QuickScan
Start-MpScan -ScanType FullScan
# Defender Update
Update-MpSignature
# Exclusions hinzufügen
Add-MpPreference -ExclusionPath "C:\MyApp"
Add-MpPreference -ExclusionExtension ".log"
# Defender deaktivieren (nur temporär für Tests!)
Set-MpPreference -DisableRealtimeMonitoring $true
BitLocker Verschlüsselung
# BitLocker Status
Get-BitLockerVolume
# BitLocker aktivieren
Enable-BitLocker -MountPoint "C:" `
-EncryptionMethod XtsAes256 `
-UsedSpaceOnly `
-TpmProtector
# Recovery Key in AD speichern
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId (Get-BitLockerVolume -MountPoint "C:").KeyProtector[0].KeyProtectorId
# BitLocker entsperren
Unlock-BitLocker -MountPoint "E:" -Password (ConvertTo-SecureString "RecoveryKey" -AsPlainText -Force)
Windows Firewall Advanced Security
# IPsec Regeln (verschlüsselte Kommunikation zwischen Servern)
New-NetIPsecRule -DisplayName "Require Encryption from Admin Network" `
-InboundSecurity Require `
-OutboundSecurity Request `
-RemoteAddress 192.168.10.0/24
# Connection Security Rules
# Via GUI: Windows Defender Firewall with Advanced Security → Connection Security Rules
AppLocker (Application Control)
# AppLocker aktivieren via GPO
# Computer Configuration → Policies → Windows Settings → Security Settings → Application Control Policies
# Default Rules erstellen
Get-AppLockerFileInformation -Directory "C:\Program Files" -Recurse |
New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -Optimize |
Set-AppLockerPolicy -Merge
# AppLocker Status
Get-AppLockerPolicy -Effective
Local Security Policy
Wichtige Security Settings:
Local Policies → Security Options:
- Interactive logon: Do not display last user name → Enabled
- Network access: Do not allow anonymous enumeration of SAM accounts → Enabled
- Network security: LAN Manager authentication level → Send NTLMv2 response only. Refuse LM & NTLM
User Rights Assignment:
- Allow log on through Remote Desktop Services → Nur Admins und spezifische Gruppen
- Deny log on locally → Deny für Service Accounts
Audit Policies:
- Audit account logon events → Success, Failure
- Audit logon events → Success, Failure
- Audit object access → Success, Failure
- Audit policy change → Success, Failure
11. Backup und Disaster Recovery
Windows Server Backup
# Windows Server Backup installieren
Install-WindowsFeature -Name Windows-Server-Backup
# Backup Policy erstellen
$policy = New-WBPolicy
$filespec = New-WBFileSpec -FileSpec "C:\ImportantData"
Add-WBFileSpec -Policy $policy -FileSpec $filespec
# Backup Target (externe Festplatte)
$target = New-WBBackupTarget -VolumePath "E:"
Add-WBBackupTarget -Policy $policy -Target $target
# Schedule (täglich 02:00 Uhr)
Set-WBSchedule -Policy $policy -Schedule 02:00
# Policy speichern
Set-WBPolicy -Policy $policy
# Manuelle Backups
Start-WBBackup -Policy $policy
# System State Backup
$policy = New-WBPolicy
Add-WBSystemState -Policy $policy
$target = New-WBBackupTarget -VolumePath "E:"
Add-WBBackupTarget -Policy $policy -Target $target
Start-WBBackup -Policy $policy
# Bare Metal Recovery Backup
$policy = New-WBPolicy
Add-WBBareMetalRecovery -Policy $policy
# ... rest wie oben
Disaster Recovery Planning
Recovery Point Objective (RPO):
- Wie viel Datenverlust ist akzeptabel? (z.B. 4 Stunden)
Recovery Time Objective (RTO):
- Wie schnell muss System wieder laufen? (z.B. 2 Stunden)
Backup-Strategie (3-2-1 Regel):
- 3 Kopien der Daten
- 2 verschiedene Medien
- 1 Kopie offsite
Dokumentation:
- Recovery-Runbooks
- Kontaktlisten
- Konfigurationsdokumentation
- Netzwerk-Diagramme
12. Monitoring und Performance
Performance Monitor (Perfmon)
# Performance Counter abfragen
Get-Counter '\Processor(_Total)\% Processor Time'
Get-Counter '\Memory\Available MBytes'
Get-Counter '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
# Data Collector Set erstellen (für längeres Monitoring)
$DataCollectorSet = New-Object -COM Pla.DataCollectorSet
$DataCollectorSet.DisplayName = "System Performance"
$DataCollectorSet.Duration = 3600 # 1 Stunde
$DataCollectorSet.SubdirectoryFormat = 3
$DataCollectorSet.RootPath = "C:\PerfLogs"
# Performance Counter hinzufügen
$DataCollector = $DataCollectorSet.DataCollectors.CreateDataCollector(0)
$DataCollector.CounterDisplayName = "Processor Time"
$DataCollector.Counter = [string[]]@("\Processor(_Total)\% Processor Time")
$DataCollectorSet.DataCollectors.Add($DataCollector)
$DataCollectorSet.Commit("System Performance", $null, 0x0003)
$DataCollectorSet.Start($false)
Task Manager und Resource Monitor
- Task Manager (taskmgr.exe): Schneller Überblick
- Resource Monitor (resmon.exe): Detaillierte Analyse
- CPU-Nutzung pro Prozess
- Disk I/O
- Network Activity
- Memory Details
Event Log Monitoring
# Critical Events der letzten 24h
Get-WinEvent -FilterHashtable @{
LogName='System','Application'
Level=1,2 # Critical, Error
StartTime=(Get-Date).AddDays(-1)
} | Select-Object TimeCreated,LevelDisplayName,ProviderName,Message
# Failed Logins (Security Log)
Get-WinEvent -FilterHashtable @{
LogName='Security'
ID=4625 # Failed logon
StartTime=(Get-Date).AddHours(-1)
} | Select-Object TimeCreated,Message
# Event Subscriptions (zentrales Logging)
# Via Event Viewer → Subscriptions → Create Subscription
Scheduled Tasks für Monitoring
# Scheduled Task erstellen (täglicher Health Check)
$action = New-ScheduledTaskAction -Execute 'PowerShell.exe' `
-Argument '-File C:\Scripts\HealthCheck.ps1'
$trigger = New-ScheduledTaskTrigger -Daily -At 6am
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1)
Register-ScheduledTask -TaskName "Daily Health Check" `
-Action $action `
-Trigger $trigger `
-Principal $principal `
-Settings $settings
# Task manuell ausführen
Start-ScheduledTask -TaskName "Daily Health Check"
# Task-Historie anzeigen
Get-ScheduledTask -TaskName "Daily Health Check" | Get-ScheduledTaskInfo
13. Troubleshooting Methodology
Systematische Problemlösung
1. Identify (Problem definieren):
- Was funktioniert nicht?
- Wer ist betroffen?
- Wann trat es auf?
- Was hat sich geändert?
2. Gather Information:
# System Information
systeminfo
Get-ComputerInfo
# Event Logs
Get-EventLog -LogName System -Newest 50 -EntryType Error
Get-EventLog -LogName Application -Newest 50 -EntryType Error
# Services
Get-Service | Where-Object {$_.Status -ne "Running" -and $_.StartType -eq "Automatic"}
# Network
ipconfig /all
Test-NetConnection google.com
Test-NetConnection dc01.contoso.local -Port 389 # LDAP
# Processes
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10
# Disk
Get-Volume
Get-PhysicalDisk | Select-Object FriendlyName,HealthStatus,OperationalStatus
3. Analyze:
- Logs interpretieren
- Patterns erkennen
- Hypothese bilden
4. Test:
- Hypothese überprüfen
- Ein Change nach dem anderen
- Dokumentieren
5. Resolve:
- Lösung implementieren
- Verifizieren
- Dokumentieren
Häufige Probleme
Problem: Server bootet nicht:
1. Check Disk-Status im BIOS/UEFI
2. Safe Mode booten (F8)
3. Last Known Good Configuration
4. System File Check: sfc /scannow
5. Disk Check: chkdsk /f C:
6. Boot Repair: bootrec /fixmbr, /fixboot, /rebuildbcd
7. System Restore
8. Bare Metal Restore von Backup
Problem: Domain Controller repliziert nicht:
# Replikation prüfen
repadmin /showrepl
repadmin /replsummary
# DNS prüfen (DCs müssen sich gegenseitig auflösen)
nslookup dc01.contoso.local
nslookup dc02.contoso.local
# Zeit-Synchronisation prüfen (max 5 Min Abweichung)
w32tm /query /status
w32tm /resync
# Firewall-Ports prüfen
Test-NetConnection dc02.contoso.local -Port 135 # RPC
Test-NetConnection dc02.contoso.local -Port 389 # LDAP
# Kerberos testen
klist
klist purge # Ticket Cache leeren
Problem: Hohe CPU-Last:
# Top Prozesse
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10 Name,CPU,WS
# Windows Update läuft?
Get-Service -Name wuauserv
# Windows Defender Scan?
Get-MpComputerStatus
# Scheduled Tasks
Get-ScheduledTask | Where-Object {$_.State -eq "Running"}
Problem: Disk Space voll:
# Große Dateien finden
Get-ChildItem C:\ -Recurse -File -ErrorAction SilentlyContinue |
Sort-Object Length -Descending |
Select-Object -First 20 FullName,@{N="Size(GB)";E={[math]::Round($_.Length/1GB,2)}}
# Temp-Files
Remove-Item C:\Windows\Temp\* -Recurse -Force
Remove-Item $env:TEMP\* -Recurse -Force
# Windows Update Cleanup
Dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase
# Log-Files rotieren
Get-ChildItem C:\inetpub\logs -Recurse -File |
Where-Object {$_.LastWriteTime -lt (Get-Date).AddDays(-30)} |
Remove-Item -Force
14. Automation mit PowerShell Scripts
Praktische Scripts für den Alltag
Server-Inventory-Script:
<#
.SYNOPSIS
Server-Inventarisierung
.DESCRIPTION
Sammelt Informationen über alle Server im Netzwerk
#>
$servers = Get-ADComputer -Filter {OperatingSystem -like "*Server*"} -Properties *
$inventory = foreach ($server in $servers) {
try {
$info = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $server.Name -ErrorAction Stop
$os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $server.Name
$disk = Get-CimInstance -ClassName Win32_LogicalDisk -ComputerName $server.Name -Filter "DriveType=3"
[PSCustomObject]@{
ComputerName = $server.Name
Domain = $info.Domain
Model = $info.Model
Manufacturer = $info.Manufacturer
TotalRAM_GB = [math]::Round($info.TotalPhysicalMemory/1GB,2)
OS = $os.Caption
OSVersion = $os.Version
InstallDate = $os.InstallDate
LastBootTime = $os.LastBootUpTime
DiskSpace_GB = ($disk | Measure-Object -Property Size -Sum).Sum/1GB
FreeSpace_GB = ($disk | Measure-Object -Property FreeSpace -Sum).Sum/1GB
Status = "Online"
}
} catch {
[PSCustomObject]@{
ComputerName = $server.Name
Status = "Offline or Access Denied"
}
}
}
$inventory | Export-Csv "C:\Reports\ServerInventory_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
$inventory | ConvertTo-Html | Out-File "C:\Reports\ServerInventory_$(Get-Date -Format 'yyyyMMdd').html"
User-Onboarding-Script:
<#
.SYNOPSIS
Neuen User anlegen mit allen Berechtigungen
#>
param(
[Parameter(Mandatory=$true)]
[string]$FirstName,
[Parameter(Mandatory=$true)]
[string]$LastName,
[Parameter(Mandatory=$true)]
[string]$Department,
[Parameter(Mandatory=$true)]
[string]$Title,
[Parameter(Mandatory=$false)]
[string]$Manager
)
# Username generieren
$username = ($FirstName.Substring(0,1) + $LastName).ToLower()
$email = "$username@contoso.com"
# OU basierend auf Department
$ouPath = "OU=$Department,OU=Departments,OU=Users,OU=CONTOSO,DC=contoso,DC=local"
# Temporäres Password
$tempPassword = ConvertTo-SecureString "Welcome2024!" -AsPlainText -Force
try {
# User erstellen
New-ADUser `
-Name "$FirstName $LastName" `
-GivenName $FirstName `
-Surname $LastName `
-SamAccountName $username `
-UserPrincipalName "$username@contoso.local" `
-EmailAddress $email `
-Path $ouPath `
-AccountPassword $tempPassword `
-Enabled $true `
-ChangePasswordAtLogon $true `
-Department $Department `
-Title $Title `
-Company "Contoso GmbH"
Write-Host "✓ User $username erstellt" -ForegroundColor Green
# Zu Department-Gruppe hinzufügen
Add-ADGroupMember -Identity "$Department-Users" -Members $username
Write-Host "✓ User zu Gruppe $Department-Users hinzugefügt" -ForegroundColor Green
# Home-Verzeichnis erstellen
$homePath = "\\fileserver\home\$username"
New-Item -Path $homePath -ItemType Directory -Force
# Berechtigungen setzen
$acl = Get-Acl $homePath
$permission = "CONTOSO\$username","FullControl","ContainerInherit,ObjectInherit","None","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($accessRule)
Set-Acl $homePath $acl
Write-Host "✓ Home-Verzeichnis erstellt: $homePath" -ForegroundColor Green
# Email an Manager
if ($Manager) {
$managerEmail = (Get-ADUser $Manager -Properties EmailAddress).EmailAddress
Send-MailMessage `
-From "it@contoso.com" `
-To $managerEmail `
-Subject "Neuer Mitarbeiter: $FirstName $LastName" `
-Body "Username: $username`nEmail: $email`nTemp Password: Welcome2024!" `
-SmtpServer "mail.contoso.local"
Write-Host "✓ Benachrichtigung an Manager gesendet" -ForegroundColor Green
}
Write-Host "`n=== Zusammenfassung ===" -ForegroundColor Cyan
Write-Host "Username: $username"
Write-Host "Email: $email"
Write-Host "Temp Password: Welcome2024!"
Write-Host "Home Directory: $homePath"
} catch {
Write-Error "Fehler beim Erstellen des Users: $_"
}
Patch-Compliance-Report:
<#
.SYNOPSIS
Prüft Patch-Status aller Server
#>
$servers = Get-ADComputer -Filter {OperatingSystem -like "*Server*"} | Select-Object -ExpandProperty Name
$patchReport = foreach ($server in $servers) {
try {
$session = New-CimSession -ComputerName $server -ErrorAction Stop
# Letzte Installation
$lastUpdate = Get-HotFix -CimSession $session |
Sort-Object InstalledOn -Descending |
Select-Object -First 1
# Pending Updates
$updateSession = New-Object -ComObject Microsoft.Update.Session
$updateSearcher = $updateSession.CreateUpdateSearcher()
$searchResult = $updateSearcher.Search("IsInstalled=0")
$pendingCount = $searchResult.Updates.Count
# Pending Reboot
$pendingReboot = $false
if (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired" -ErrorAction SilentlyContinue) {
$pendingReboot = $true
}
[PSCustomObject]@{
Server = $server
LastUpdate = $lastUpdate.InstalledOn
LastUpdateKB = $lastUpdate.HotFixID
PendingUpdates = $pendingCount
PendingReboot = $pendingReboot
Status = if ($pendingCount -eq 0 -and -not $pendingReboot) {"Compliant"} else {"Non-Compliant"}
}
Remove-CimSession $session
} catch {
[PSCustomObject]@{
Server = $server
Status = "Error: $_"
}
}
}
$patchReport | Export-Csv "C:\Reports\PatchCompliance_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
# Non-Compliant Server hervorheben
$patchReport | Where-Object {$_.Status -eq "Non-Compliant"} | Format-Table -AutoSize
15. Microsoft 365 / Azure AD Integration
Azure AD Connect
Hybrid Identity Setup:
# Azure AD Connect installieren
# Download von: https://www.microsoft.com/en-us/download/details.aspx?id=47594
# Post-Installation: Password Hash Sync, Pass-through Auth oder ADFS wählen
# Sync-Status prüfen
Import-Module ADSync
Get-ADSyncScheduler
Start-ADSyncSyncCycle -PolicyType Delta # Manuelle Sync
Start-ADSyncSyncCycle -PolicyType Initial # Vollständige Sync
# Sync-Errors prüfen
Get-ADSyncConnectorRunStatus
Microsoft 365 PowerShell:
# Module installieren
Install-Module -Name MSOnline
Install-Module -Name AzureAD
Install-Module -Name ExchangeOnlineManagement
# Verbinden
Connect-MsolService
Connect-AzureAD
Connect-ExchangeOnline
# Lizenz zuweisen
Set-MsolUserLicense -UserPrincipalName "user@contoso.com" -AddLicenses "contoso:ENTERPRISEPACK"
# Mailbox erstellen
New-Mailbox -UserPrincipalName "user@contoso.com" -Alias user -Name "Max Mustermann"
# Teams-User aktivieren
Enable-CsUser -Identity "user@contoso.com" -SipAddress "sip:user@contoso.com"
Conditional Access (Security)
- Multi-Factor Authentication (MFA)
- Location-based Access
- Device Compliance
- Risk-based Access
Über Azure Portal: Azure AD → Security → Conditional Access → New Policy
16. Certificates und PKI
Certificate Authority (CA) einrichten
# AD CS Role installieren
Install-WindowsFeature -Name AD-Certificate -IncludeManagementTools
# Enterprise CA konfigurieren
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
-CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
-KeyLength 2048 `
-HashAlgorithmName SHA256 `
-ValidityPeriod Years `
-ValidityPeriodUnits 10
# Certificate Templates verwalten
# Via: Certification Authority MMC → Certificate Templates
# Certificate Auto-Enrollment via GPO
# Computer Configuration → Policies → Windows Settings → Security Settings →
# Public Key Policies → Certificate Services Client - Auto-Enrollment
Zertifikate ausstellen:
# Certificate Request erstellen
$cert = Get-Certificate -Template "WebServer" `
-SubjectName "CN=webserver.contoso.local" `
-DnsName "webserver.contoso.local","www.contoso.local" `
-CertStoreLocation "Cert:\LocalMachine\My"
# Zertifikat exportieren
Export-PfxCertificate -Cert $cert.Certificate `
-FilePath "C:\Certs\webserver.pfx" `
-Password (ConvertTo-SecureString -String "P@ssw0rd" -AsPlainText -Force)
17. Container und Cloud-Native (Modern Windows Admin)
Windows Containers
# Container Feature installieren
Install-WindowsFeature -Name Containers
# Docker installieren
Install-Module -Name DockerMsftProvider -Repository PSGallery -Force
Install-Package -Name docker -ProviderName DockerMsftProvider
# Docker Service starten
Start-Service Docker
# Windows Container Images
docker pull mcr.microsoft.com/windows/servercore:ltsc2022
docker pull mcr.microsoft.com/windows/nanoserver:ltsc2022
# Container starten
docker run -d -p 80:80 --name iis mcr.microsoft.com/windows/servercore/iis
# Container Management
docker ps
docker stop iis
docker rm iis
Kubernetes auf Windows (optional für große Umgebungen)
- Windows Nodes in Kubernetes Cluster
- Azure Kubernetes Service (AKS)
- Hybrid-Workloads
18. Best Practices und Professionelles Arbeiten
Change Management
Niemals direkt in Production ändern!
- Change Request erstellen
- Was wird geändert?
- Warum?
- Wann?
- Rollback-Plan?
- Testing in Development/Staging
- Vollständige Tests
- Performance-Tests
- Security-Tests
- Documentation
- Before-State dokumentieren
- Schritt-für-Schritt-Anleitung
- After-State verifizieren
- Change Window
- Außerhalb Business Hours
- Stakeholder informieren
- Backup vor Change!
- Post-Implementation Review
- Hat alles funktioniert?
- Lessons Learned
- Documentation updaten
Documentation Standards
Runbook-Template:
# Runbook: [Task Name]
## Purpose
Was macht dieses Runbook?
## Prerequisites
- Erforderliche Berechtigungen
- Benötigte Tools
- Backup vorhanden?
## Procedure
1. Schritt 1 mit konkreten Commands
```powershell
Command-Here
```
2. Schritt 2...
3. Verification
## Rollback Procedure
Wie macht man es rückgängig?
## Troubleshooting
Häufige Probleme und Lösungen
## References
- Link zu weiterführender DokumentationSecurity Best Practices
Principle of Least Privilege:
- Nur nötige Berechtigungen vergeben
- Regelmäßige Access Reviews
- Service Accounts mit minimalen Rechten
Password Management:
- Komplexe Passwords (12+ Zeichen)
- Regular Password Changes (90 Tage)
- Never share Admin Passwords
- Password Manager verwenden (KeePass, 1Password)
Privileged Access Workstations (PAW):
- Separate Admin-Workstations
- Keine Internet-Browsing
- Keine Email auf Admin-Maschinen
Just-In-Time (JIT) Administration:
- Admin-Rechte nur wenn benötigt
- Time-limited Elevation
- Privileged Access Management (PAM) Solutions
Patch Management Process
- Patch Tuesday (2. Dienstag im Monat)
- Testing (1 Woche)
- Test-Umgebung patchen
- Applikationen testen
- Staging (2. Woche)
- Non-critical Server
- Monitoring
- Production (3. Woche)
- Critical Server
- Maintenance Window
Monitoring und Alerting
Was monitoren:
- Disk Space < 15%
- CPU > 80% für > 5 Min
- Memory > 90%
- Service Failures
- Failed Logins > 5
- Backup Failures
- Certificate Expiration < 30 Tage
- Replication Failures
Alert-Kanäle:
- SMS (für Critical)
- Microsoft Teams/Slack
- PagerDuty/OpsGenie
19. Zertifizierungen und Weiterbildung
Microsoft Certifications (Empfohlen)
Fundamentals (Einstieg):
- AZ-900: Azure Fundamentals
- MS-900: Microsoft 365 Fundamentals
Associate Level:
- AZ-104: Azure Administrator Associate
- MS-102: Microsoft 365 Administrator
- AZ-800/801: Windows Server Hybrid Administrator Associate
Expert Level:
- AZ-305: Azure Solutions Architect Expert
- SC-100: Cybersecurity Architect Expert
Lernressourcen
Microsoft Learn:
- Kostenlose Online-Kurse
- Hands-on Labs
- Learning Paths
Dokumentation:
- Microsoft Docs
- TechNet (legacy)
- PowerShell Gallery
Communities:
- Reddit: r/sysadmin, r/PowerShell
- Spiceworks Community
- Microsoft Tech Community
YouTube Channels:
- John Savill’s Technical Training
- Microsoft Mechanics
- PowerShell.org
Bücher:
- „Windows Server 2022 Inside Out“
- „Learn PowerShell in a Month of Lunches“
- „Active Directory: Designing, Deploying, and Running“
20. Realistische Timeline & Zusammenfassung
Career Path
Junior Admin (0-2 Jahre):
- Grundlegende AD-Verwaltung
- User/Computer-Management
- Basic PowerShell
- Ticket-basiertes Arbeiten
- Unter Supervision
Mid-Level Admin (2-5 Jahre):
- Vollständige AD-Verwaltung
- GPO-Management
- File Server Administration
- WSUS/Patch Management
- Basic Automation
- Eigenständige Projektarbeit
Senior Admin (5-10 Jahre):
- Infrastructure Design
- Automation Expert
- Disaster Recovery Planning
- Security Implementation
- Team Lead / Mentoring
- Multiple Technologien (Hybrid Cloud)
- Business Alignment
Was du HEUTE tun kannst
1. Lab-Umgebung aufbauen:
Hyper-V oder VMware:
- 2x Domain Controller (Redundanz üben)
- 1x File Server
- 1x WSUS
- 2-3x Client-VMs (Windows 10/11)2. Tägliche Übungen:
- Woche 1-2: AD aufsetzen, User/Computer erstellen
- Woche 3-4: GPOs erstellen und troubleshooten
- Woche 5-6: PowerShell Scripts schreiben
- Woche 7-8: File Server + DFS
- Woche 9-10: WSUS + Patch Management
- Woche 11-12: Backup/Recovery-Szenarien
3. Praktische Projekte:
- Komplettes AD-Setup mit allen Roles
- User-Onboarding automatisieren
- Monitoring-Dashboard bauen
- Disaster Recovery üben (DC kaputt machen und recovern!)
4. Dokumentiere alles:
- Schreibe Runbooks
- Screenshot-basierte Anleitungen
- PowerShell Script-Library aufbauen
5. Community:
- r/sysadmin beitreten
- Fragen stellen
- Anderen helfen (bester Lernweg!)
Die Wahrheit über Seniorität
Du kannst nicht direkt als Senior starten.
Senior bedeutet:
- 5-10 Jahre praktische Erfahrung
- Hunderte Production-Issues gelöst
- Mehrere Major-Incidents gemeistert
- Verschiedene Unternehmensumgebungen gesehen
- Mentoring-Fähigkeiten
- Business-Verständnis
Aber: Mit diesem Wissen und intensivem Üben kannst du:
- Als Junior einsteigen (0-1 Jahr)
- Zu Mid-Level aufsteigen (2-3 Jahre)
- Senior erreichen (5+ Jahre)
Erfolgsformel
Knowledge (aus diesem Guide)
+ Praktische Erfahrung (tägliches Üben)
+ Production Experience (echter Job)
+ Continuous Learning (nie aufhören zu lernen)
= Senior System AdministratorSoft Skills (oft unterschätzt!)
- Kommunikation: Erkläre technische Probleme für Non-IT
- Dokumentation: Schreibe so, dass andere es verstehen
- Troubleshooting-Mentalität: Systematisch, nicht panisch
- Teamwork: Niemand arbeitet alleine
- Customer Service: Freundlich bleiben, auch bei Stress
- Zeitmanagement: Priorisierung ist key
- Continuous Improvement: Gibt es einen besseren Weg?
Final Thoughts
Dieser Guide gibt dir die Roadmap für deine Karriere als Windows System Administrator. Aber bedenke:
✅ Wissen ist der erste Schritt – dieser Guide gibt dir das Fundament ✅ Praxis ist essentiell – baue ein Lab, breche Dinge, repariere sie ✅ Zeit ist notwendig – Senior wird man nicht über Nacht ✅ Attitude matters – Lernbereitschaft und Problemlösung sind wichtiger als alles auswendig zu können
Der beste Rat: Starte mit einem Junior/Mid-Level Job, auch wenn das Gehalt niedriger ist. Die praktische Erfahrung mit echten Production-Systemen, echten Usern und echten Deadlines ist unbezahlbar und durch kein Buch oder Tutorial ersetzbar.
Du hast jetzt die komplette Blueprint – jetzt liegt es an dir, den Weg zu gehen! 💪
Viel Erfolg! 🚀