Searching for a Windows Update

waldoWhen I was a kid, I use to love the “Where’s Waldo?” books.  If you were a child of the 80’s or 90’s, then I’m sure you had a couple of these books on your self as well.  Each page contained hundreds of cartoon characters doing a variety of entertaining things.  Your job was to search the pages looking for a man wearing a red-and-white-striped shirt, bobble hat, and glasses.  Yes, Waldo had style.

In the beginning of the book, Waldo was easy to find.  However as the book went on, trying to find Waldo was a huge challenge.  I remember at the end of one book, they dressed every character in the same red-and-white-striped shirt.  I hated that page!  It took forever to find him.

So why I’m I rambling about Waldo?  Well in our adult IT Careers, we have the same challenges when it comes to Windows Updates.  How many times have you been asked, “Is update something something whatever installed on server who cares”?  You then answer with, I don’t know let me look.  Then it’s a trip to the Start, Control Panel, Add or Remove Programs, (Programs & Features with 2008+), View Installed Updates.  Finally then, you get to search for Waldo, I mean the update.  And just like the book, in the beginning updates are easy to find with a new server.  However the longer you have the server, the harder it becomes.

So what can be done to speed up the process?  Well you have a couple choices.

If your on a Windows 2003 server you can run the following command.

 dir /ad %systemroot%\*KB2503665* 

You would change “*KB2503665*”  to whatever update you are looking for.  This will work as long as you didn’t delete the uninstall folder.  You should see the results below if the update is installed.


You could also just run the command without the “d” switch and pull the log file as well.

 dir /a %systemroot%\*KB2503665* 


Okay, that is great if we were living in the year 2003, but it’s 2013, and we now can harness the power of PowerShell.  All you have to do now is open up your PowerShell prompt and type Get-HotFix and the update your looking for.

 Get-HotFix –ID KB2488113 


You could even leave off the “-id” switch and it will still work.

The great thing about this command is, you can search not only for the Hot Fix ID, but for the description, who installed it, or when it was installed.

 Get-HotFix | where { $_.installedon -eq "5/9/2012"} 


On top of that, you can scan multiple computers.

  Get-HotFix -id KB2488113 -ComputerName ADDC03, ADDC04 


Before we go in further with the Get-HotFix cmdlet, I do have to warn you about one catch.  Since the introduction of Windows Vista, this cmdlet only returns updates supplied by Component Based Servicing (CBS).  This is due to the Get-HotFix cmdlet using the Win32_QuickFixEngineering WMI Class.  These updates are also not listed in the registry.

It also means any update installed by the Microsoft Windows Installer (MSI) or the Windows update site ( are not returned by this cmdlet.  “What Up with That?”  Instead to view everything, you will need to use a combination of the Get-Hotfix and something like the two commands below.  

$Installed = "hklm:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall","hklm:\software\microsoft\windows\currentversion\uninstall"

Get-ChildItem $Installed | ForEach-Object {Get-ItemProperty $_.pspath} | select DisplayName


Running the extra two commands will scan your registry, and give you a list of everything installed on your computer.  You can then manipulate the data to your liking.  Create reports to show Service Packs, Installed updates, Office Updates, or even applications that are installed.

Simple right?

Well this article isn’t ground breaking by any means, but if it saves you some time, and gets you out of the office a little earlier on a Friday afternoon, then I think I’ve done my job.  Maybe you will even have time to look through that old Where’s Waldo book again!  Nah…Go get a beer instead, you deserve it!

Installing a 2012 Domain Controller with PowerShell

If you didn’t know, the default installation for Server 2012 is Server Core.  You can still install the GUI, but if possible 2012 Core should be considered.  Server Core has come along way, and is a no brainer if you want to use less of the system processor, and less memory.  Without the GUI, your servers are also less of a target to attacks.  Less code means, less vulnerabilities.  So how are you going to take care of your Core Servers?  PowerShell of course!

In today’s article, we will be promoting a Windows 2012 server to a Domain Controller with PowerShell.  Exciting right!  Well maybe not, but you still need to know how to do it.  Okay, lets get started.

Just like in my pervious post, the first thing we will need to do is install the Active Directory Domain Service Role.

AD DS Role Installation:

PS C:\> Get-WindowsFeature AD-Doamin-Services


PS C:\> Get-WindowsFeature AD-Domain-Services | Install-WindowsFeature


Just like with the GUI, we will need to do the prerequisite checks.  The Prerequisites Check is a new feature in AD DS 2012 domain configuration.  These checks will alert you with suggested repair options, and inform you of new security changes that will affect older operating systems.  These test’s will also run during the installation process of a Domain Controller, so they don’t have to be run separately.  However for todays tutorial, we will run them.

Note: The domain controller promotion process cannot continue until all prerequisite tests pass.

 PS C:\> Test-ADDSForestInstallation

You will be prompted for your Domain Name, and the Safe Mode Administrator Password.


PS C:\> Test-ADDSDomainInstallation




AD Forest …Check

AD Domain…Check


Mission Control, we are a GO…

Domain Controller Promotion:

If you haven’t already imported the ADDS Deployment module, we will have to do that first.

PS C:\> Import-Module ADDSDeployment

If you want all the defaults and quickly add a new Domain Controller to your environment just type the following.

PS C:\> Install-ADDSDomainController

Now since that won’t work for 99% of you, lets take a closer look at this cmdlet.  By default, the cmdlet “Install-ADDSDomainController” will configure your Domain Controller with the following settings:

  • Read-only Domain Controller: No
  • Global Catalog: Yes
  • DNS Server: Yes*
  • Database Folder: C:\Windows\NTDS
  • Log File Folder: C:\Windows\NTDS
  • SYSVOL Folder: C:\Windows\SYSVOL

*DNS Server

1. New forest: always install DNS
2. New child or new tree domain: if the parent/tree domain hosts DNS, install DNS
3. Replica: if the current domain hosts DNS, install DNS

Unless those settings work for you, I always recommend installing your Domain Controllers by a script.  This will allow a consistency throughout your environment, and make your life easier.

The Script

The script is fairly simple.  Just fill in and configure your settings.  You will also need to set the execution policy on the server before you can run any scripts on it.  I’m going to use “Remote Signed”.

 Set-ExecutionPolicy RemoteSigned

# PowerShell Script to Install Domain Controllers #

Import-Module ADDSDeployment
Install-ADDSDomainController `
-NoGlobalCatalog:$false `
-InstallDns:$false `
-CreateDnsDelegation:$false `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-LogPath "C:\Windows\NTDS" `
-SysvolPath "C:\Windows\SYSVOL" `
-DomainName "contoso.local" `
-NoRebootOnCompletion:$false `
-SiteName "SiteName" `

As you see from the script above, I will be configuring the server with these settings.

  • Read-only Domain Controller: No
  • Global Catalog: No
  • DNS Server: No
  • Create Dns Delegation: No
  • Database Folder: C:\Windows\NTDS
  • Log File Folder: C:\Windows\NTDS
  • SYSVOL Folder: C:\Windows\SYSVOL
  • No Reboot On Completion: No
  • Site Name: Name of site
  • For a full list of switches and settings, review this TechNet article.

Now that we have the script configured, save it as a “.ps1” file and run it.  Since we didn’t specify the “Safe Mode Administrator Password”, you will have to enter it in manually.  To fully automate this process just add the following argument “-safemodeadministratorpassword”, and password.


That’s it.  Go get a cup of coffee, or take the afternoon off.  When you get back, you should have a brand new 2012 Domain Controller.