Category: Windows Server 2003

Creating the perfect and fully automated reference image for Windows operating systems

A perfect reference image for Windows is fast to deploy, contains all security updates and all other necessary patches, possibly also applications like Office, and, last but not least, is fully automated to achieve the best possible stability and to avoid the potential for manual errors. This guide is intended to show you how to build the perfect reference image ever made!

NOTE: I have also posted this guide to TechNet Wiki, where you will find an improved version of this article (although the steps in the article below are still valid): TechNet Wiki: HOW TO: Create the perfect and fully automated reference image for Windows operating systems

There is no need to reinvent the wheel, as this is easily achieved with Microsoft Deployment Toolkit. Start by downloading Microsoft Deployment Toolkit and, in the components section, make sure to download and install the Windows Automated Installation Kit. Start Deployment Workbench and off we go!

Note: This guide applies to everyone, regardless of whether you are deploying Windows using SCCM, MDT or any third-party deployment solution.

1. In Deployment Workbench, create a new deployment share for building the reference image and name it something like “Reference image build and capture share”, or a name of your choice.

2. Add the OS installation files (repeat for each OS you want to build an image for) to the Operating Systems folder. Always import the full set of setup files; never import just a WIM file at this stage.

3. Create a task sequence based on the Standard Client Task Sequence (repeat for each OS you want to build an image for).

4. Edit each task sequence to enable the existing but disabled “Windows Update” step(s).

5. Edit the rules of the share by right-clicking it and choosing Properties. The rules (customsettings.ini) should look like the example below. Replace the values of BackupShare and BackupDir with the share name and directory where the images are to be stored.

[Settings]
Priority=Default
Properties=MyCustomProperty

[Default]
OSInstall=Y
SkipAppsOnUpgrade=YES
SkipCapture=YES
DoCapture=YES
SkipAdminPassword=YES
SkipProductKey=YES
SkipUserData=YES
SkipTimeZone=YES
SkipFinalSummary=YES
SkipSummary=YES
SkipLocaleSelection=YES
SkipDomainMembership=YES
SkipComputerName=YES
SkipBitlocker=YES
SkipApplications=YES
ComputerBackupLocation=NETWORK
BackupShare=\\server\share
BackupDir=Captures

6. Modify the bootstrap.ini to look like the example below. Replace the values according to what applies to your configuration.

[Settings]
Priority=Default

[Default]
SkipBDDWelcome=YES
DeployRoot=\\server\share
UserDomain=CONTOSO.COM
UserID=username
UserPassword=password

7. Now add the line below to the rules (customsettings.ini). This points the Windows Update step to your WSUS server, where you are in control of everything that is released by Microsoft and thereby stay 100% in control of what goes into your image.

WSUSServer=http://nameofwsusserver

8. To make sure that you get a separate name for each operating system you are building a reference image for, edit each task sequence to include a Task Sequence Variable such as:

BackupFile=Windows7Enterprisex64.wim

9. Update the deployment share to generate the boot ISO, which you use to boot your virtual machine and start the build process.

Remember to always build the reference image on a virtual machine to avoid potential problems related to hardware.

You could also add Office as an application in the Deployment Workbench and to all task sequences that require it, so that you have a rapid deployment image ready to go.
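As an added example, not part of the original post or of MDT itself, the PowerShell below reads the CustomSettings.ini and Bootstrap.ini produced in steps 5 to 8 and reports anything that would stop the capture from running unattended. It also flags the account in Bootstrap.ini: that file is embedded in the boot image in clear text, so the account it names should be a dedicated one with read-only access to the deployment share. The local path of the share, the function names and the placeholder values it looks for (\\server\share, nameofwsusserver) are assumptions taken from this post.

```powershell
# Added example: sanity-check the MDT rules files from steps 5 to 8 before
# updating the deployment share. Not part of the original post or of MDT itself.

function Read-IniFile {
    # Minimal INI reader returning @{ Section = @{ Key = Value } }; MDT rules
    # files use ';' for comments and have no quoting.
    param([Parameter(Mandatory = $true)][string]$Path)
    $ini = @{}
    $section = ''
    foreach ($raw in @(Get-Content -Path $Path)) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $ini.ContainsKey($section)) { $ini[$section] = @{} }
            continue
        }
        if ($section -ne '' -and $line -match '^([^=]+)=(.*)$') {
            $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $ini
}

function Test-MdtCaptureRules {
    # Returns the list of problems found; an empty list means the rules match the guide.
    param([Parameter(Mandatory = $true)][string]$DeployRoot)   # local path of the share (assumed)

    $cs = Read-IniFile -Path (Join-Path $DeployRoot 'Control\CustomSettings.ini')
    $bs = Read-IniFile -Path (Join-Path $DeployRoot 'Control\Bootstrap.ini')
    $csDefault = if ($cs.ContainsKey('Default')) { $cs['Default'] } else { @{} }
    $bsDefault = if ($bs.ContainsKey('Default')) { $bs['Default'] } else { @{} }
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Step 5: these settings are what turn a plain install into an image capture
    $expected = @{ DoCapture = 'YES'; SkipCapture = 'YES'; ComputerBackupLocation = 'NETWORK' }
    foreach ($key in $expected.Keys) {
        if ($csDefault[$key] -ne $expected[$key]) {
            $findings.Add("CustomSettings.ini: expected $key=$($expected[$key]), found '$($csDefault[$key])'")
        }
    }
    # The capture target must be filled in, not left at the template value from the post
    if (-not $csDefault['BackupShare'] -or $csDefault['BackupShare'] -eq '\\server\share') {
        $findings.Add('CustomSettings.ini: BackupShare is missing or still the placeholder')
    }
    if (-not $csDefault['BackupDir']) {
        $findings.Add('CustomSettings.ini: BackupDir is missing')
    }

    # Step 7: without WSUSServer the Windows Update step pulls from Microsoft Update
    # instead of the WSUS server you control
    if (-not $csDefault['WSUSServer'] -or $csDefault['WSUSServer'] -match 'nameofwsusserver') {
        $findings.Add('CustomSettings.ini: WSUSServer is missing or still the placeholder')
    }

    # Step 6: Bootstrap.ini is embedded in the boot image in clear text, so the
    # account it names must be a dedicated one with read-only access to the share
    if (-not $bsDefault['DeployRoot']) {
        $findings.Add('Bootstrap.ini: DeployRoot is missing')
    }
    if ($bsDefault['UserPassword']) {
        $findings.Add("Bootstrap.ini: credentials for '$($bsDefault['UserID'])' are stored in clear text in the boot image; make sure this is a dedicated read-only account")
    }
    return $findings
}

# Usage (assumed path of the deployment share):
# Test-MdtCaptureRules -DeployRoot 'D:\BuildShare'
```

Run it before step 9; an empty result means the rules are complete, and any line it returns names the file and key to fix.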

Done! Happy deploying!

Busting the myths: Windows 7 requires Windows Server 2008/2008 R2 domain controllers and raised functional levels

It seems a fairly common misconception is that to be able to use Windows 7 in a Windows, or should I say Active Directory, environment, one needs either Windows Server 2008 or Windows Server 2008 R2 domain controllers. There are also misconceptions about the need to raise the forest and domain functional levels to be able to use the full power of Windows 7. Neither of these is true.

You get all the same features with Windows Server 2003 domain controllers, regardless of which forest or domain functional levels you are running. The most common misconceptions are:

  • Group Policy Preferences. These work very well in a 2003 domain. However, you need to manage the group policies from a Windows 7 or Windows Server 2008 R2 machine using the Group Policy Management Console found in the Remote Server Administration Tools.
  • BitLocker. To store recovery keys in AD you need to extend the schema. If you have a domain controller running Windows Server 2008 or later you already have what it takes; if your domain controllers run Windows Server 2003 you simply extend the schema.

I must add that you do get stronger encryption for Kerberos by using the Windows Server 2008 domain functional level, but the bottom line is that the functionality of the Windows 7 client is the same regardless of forest or domain functional levels.

AppLocker does NOT require a Windows Server 2008 R2 DC

Documentation from Microsoft regarding the new AppLocker feature in Windows 7 (and Windows Server 2008 R2) early on stated that to be able to use AppLocker you must have a “Windows Server 2008 R2 Domain Controller to host the AppLocker rules”. I have seen this information several times since then, and at a seminar on Windows 7 that I paid a quick visit to yesterday this particular question was raised.

Of course I had to find out what’s really going on here, and I have now verified that AppLocker works perfectly fine in environments with only Windows Server 2003 DCs or Windows Server 2008 DCs. I can see no reason whatsoever for AppLocker to require a Windows Server 2008 R2 DC to function. The only requirement is that you’re running Windows 7 Enterprise or Windows 7 Ultimate edition to be able to use the powerful AppLocker feature.

When to troubleshoot blue screen crashes

The other day I got an email from a blog reader containing the results of a successful analysis of a memory dump file, the kind that is generated when the infamous blue screen of death occurs. The reader wanted me to give him the solution or point him in the direction of one. This got me thinking: when is it worth putting time into blue screen analysis?

The content of the crash dump is maybe not that relevant after all. What is more important is how often and when the blue screen of death occurs. If the crash occurred just once, or very seldom and at random, I would say it might not be worth finding out exactly what caused it. Keep in mind that a blue screen could indicate a hardware failure, although driver problems are the most common cause of crashes.

However, if the crashes occur often or when doing specific tasks, you have every reason to get to the bottom of the problem. In these cases I recommend following the guide for troubleshooting blue screen crashes.

An interesting thing to note about blue screens that start occurring after, for instance, upgrading the OS from Windows XP to Windows Vista or Windows 7 is that the new memory management in the later operating systems might reveal problems in the memory modules that did not show up under Windows XP.

Finally, whenever you have problems with blue screens of death, I would recommend upgrading the machine’s BIOS. Often there are compatibility and stability fixes that solve problems with hardware which might be causing the problems you are experiencing.

WEBSPAPW = Microsoft IT Environment Health Scanner

I guess you’re wondering what the heck “WEBSPAPW” stands for; it is nothing but “Windows Essential Business Server Preparation and Planning Wizards”. Microsoft has now come to the conclusion that this tool, as I’ve written before, was not only used for EBS migrations but also for general health checks in Active Directory environments. This has resulted in the name change to “Microsoft IT Environment Health Scanner”, which is built from the previous EBS tool.

When running the Microsoft IT Environment Health Scanner you may find problems related to AD, DNS, replication and many other things, and for everyone in charge of or controlling an IT environment this tool is strongly recommended. Read more on the EBS Blog.

Download: Microsoft IT Environment Health Scanner

Install Windows client and server without product key

I just want to share a quick tip about something really smooth that many IT staff seem to be unaware of. Windows Vista and Windows Server 2008 introduced the ability to install without entering a product key. This was later introduced in Windows XP (with Service Pack 3 slipstreamed) and also in later Windows Server 2003 R2 media. Nothing about this changes for Windows 7 or Windows Server 2008 R2. So, to sum it up, you can install all current as well as coming operating systems without entering a product key, and you will then have up to 30 days to enter it.

Restore permissions on objects in Active Directory

Some time ago I had the unfortunate job of doing some manual cleaning of an old and long since disconnected (but not decommissioned) Exchange Server in Active Directory using adsiedit.msc, and this is not something one wants to do, I can promise you. Anyway, during the testing phase I had to make sure that certain keys and values in adsiedit.msc were safe to delete, and to accomplish this I removed all permissions on the keys to make sure that no one could read the information. You might think that restoring permissions on objects in adsiedit.msc works the same way as with files and folders, but that is not the case.

Instead, use the command DSACLS to control the access control lists of Active Directory objects. For example, run the following command to give the group Everyone full permission on the object “First administrative group”.

DSACLS "CN=First Administrative Group,CN=Administrative groups,CN=CONTOSO,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=CONTOSO,DC=LOCAL" /G Everyone:GA

Beware when working in adsiedit.msc and be very certain about what you are doing before deleting anything. Sometimes just removing all permissions on objects is the best way, because then you can always use the above command to restore permissions on the object(s).
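Stripping the permissions and later restoring them with DSACLS works, but it leaves no record of what the object’s ACL looked like before, and a grant of GA (generic all) to Everyone is far broader than the original. As an added example, not part of the original post, the PowerShell below saves the object’s DACL as SDDL before any change and can put exactly that DACL back; the DSACLS grant from the post is kept as a fallback, with the grantee as a parameter so that a named administrative group can be used instead of Everyone. It uses the ADSI LDAP provider, so no extra modules are needed; the function names and the backup folder are mine.

```powershell
# Added example, not from the original post: save an AD object's DACL before
# locking it down in adsiedit.msc, and restore exactly that DACL afterwards.

function Backup-AdObjectDacl {
    # Writes the object's DACL as SDDL to a file and returns the file path
    param(
        [Parameter(Mandatory = $true)][string]$DistinguishedName,
        [string]$BackupFolder = 'C:\AclBackups'   # assumed location
    )
    if (-not (Test-Path -Path $BackupFolder)) {
        New-Item -ItemType Directory -Path $BackupFolder | Out-Null
    }
    $object = [ADSI]"LDAP://$DistinguishedName"
    # Only the DACL section; owner, group and SACL are not needed for this purpose
    $sddl = $object.psbase.ObjectSecurity.GetSecurityDescriptorSddlForm([System.Security.AccessControl.AccessControlSections]::Access)
    $file = Join-Path $BackupFolder (($DistinguishedName -replace '[^A-Za-z0-9]', '_') + '.sddl')
    Set-Content -Path $file -Value $sddl
    return $file
}

function Restore-AdObjectDacl {
    # Puts the saved DACL back on the object; owner, group and SACL are left untouched
    param(
        [Parameter(Mandatory = $true)][string]$DistinguishedName,
        [Parameter(Mandatory = $true)][string]$SddlFile
    )
    $sddl = (Get-Content -Path $SddlFile | Out-String).Trim()
    $object = [ADSI]"LDAP://$DistinguishedName"
    $object.psbase.ObjectSecurity.SetSecurityDescriptorSddlForm($sddl, [System.Security.AccessControl.AccessControlSections]::Access)
    $object.psbase.CommitChanges()
}

function Grant-AdObjectFullControl {
    # Same DSACLS grant as in the post, with the grantee as a parameter so that a
    # named administrative group can be used rather than Everyone
    param(
        [Parameter(Mandatory = $true)][string]$DistinguishedName,
        [string]$Grantee = 'Everyone'
    )
    & dsacls.exe $DistinguishedName /G "$($Grantee):GA"
}

# Usage with the DN from the post:
# $dn = 'CN=First Administrative Group,CN=Administrative groups,CN=CONTOSO,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=CONTOSO,DC=LOCAL'
# $backup = Backup-AdObjectDacl -DistinguishedName $dn
# ... remove the permissions in adsiedit.msc and run your tests ...
# Restore-AdObjectDacl -DistinguishedName $dn -SddlFile $backup
```

Because the object’s owner keeps the implicit right to read and write its DACL even after every explicit permission is removed, the restore runs under the same conditions that make the DSACLS command in the post work.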

Add users to local groups on the Windows clients easily

If you want to automatically add domain users or groups to a local group on Windows client machines, this can be done using group policies. One reason could be to easily put groups or users into the local group Remote Desktop Users to allow them to log on via RDP. To control which users or groups you want to add, create a new GPO in the domain and go to Computer Configuration > (Policies) > Windows Settings > Security Settings > Restricted Groups.

Once there, choose to add a group, in my example the “Remote Desktop Users” group, and after that add the user or group you want added to the local machines that the particular group policy object applies to. More information about restricted groups can be found at http://support.microsoft.com/?id=810076
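Restricted Groups offers two lists, and the distinction matters: “Members of this group” makes the policy’s list authoritative, so any member not listed is removed at the next policy refresh, while “This group is a member of” only adds the named account to the local group, which is the method the KB article above describes. Either way it pays to verify on a client what the policy actually produced. As an added example, not part of the original post, the PowerShell below reads the local group through the WinNT provider (available on Windows XP/2003 and later) and compares it with the accounts you intended; the function names and the sample expected list are mine.

```powershell
# Added example, not from the original post: check what Restricted Groups actually
# produced on a client by reading the local group and comparing with the intended list.

function Get-LocalGroupMemberName {
    # Returns the members of a local group as DOMAIN\name strings
    param(
        [string]$GroupName = 'Remote Desktop Users',
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        # ADsPath looks like WinNT://CONTOSO/Helpdesk; turn it into CONTOSO\Helpdesk
        ($adsPath -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Compare-LocalGroupMembership {
    # Reports accounts missing from the group and accounts unexpectedly present in it
    param(
        [Parameter(Mandatory = $true)][string[]]$Expected,
        [string]$GroupName = 'Remote Desktop Users',
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $actual = @(Get-LocalGroupMemberName -GroupName $GroupName -ComputerName $ComputerName)
    New-Object PSObject -Property @{
        Computer   = $ComputerName
        Group      = $GroupName
        Missing    = @($Expected | Where-Object { $actual -notcontains $_ })
        Unexpected = @($actual | Where-Object { $Expected -notcontains $_ })
    }
}

# Usage with a constructed expected list (the account names are placeholders):
# Compare-LocalGroupMembership -Expected 'CONTOSO\Helpdesk', 'CONTOSO\Remote Workers'
```

An empty Unexpected list on a machine where you used “This group is a member of” confirms that nothing was added outside the policy; with “Members of this group” the same check shows whether the refresh has removed the members you expected it to remove.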

Use EBS migration tool to do a quick health check in your Active Directory

When preparing an existing Active Directory environment for migration to Windows Essential Business Server, one must run a tool which scans the environment and makes sure that no errors exist before the migration can even start. This tool is called Windows Essential Business Server Preparation and Planning Wizards and can be downloaded from the Microsoft Download Center free of charge.

The thing is that this tool is a great utility to use in existing environments, even those that are not being migrated and never will be migrated to Windows EBS. The tool is a great health check and will most likely show errors or potential problems you had no idea existed in your server environment. It finds problems with DNS, Active Directory and replication, guides you to recommended system changes, and much more. I strongly recommend everyone to run it on their own environment to see what it finds.

Just a quick note related to scanning for errors and best practices: the upcoming Windows Server 2008 R2 will include a number of Best Practices Analyzers for roles such as DNS, Active Directory and many more. This is really slick!

Download Windows Essential Business Server Preparation and Planning Wizards

HOW TO: Clean out Windows\Installer folder correctly

When disk space is running out on a system disk, whether on a server or a client, there are certain things to clean out, one of them being the %SYSTEMDRIVE%\Windows\Installer folder. You must not under any circumstances delete files from this folder manually, as this not only may but most likely will break software that is installed using MSI (Windows Installer) files.

The %SYSTEMDRIVE%\Windows\Installer folder is a cache for installation files and patches (MSP files), and removing them will leave you unable to repair or uninstall applications and, in some cases, unable to remove patches or apply new patches to software. If you actually did delete this cache, you can rebuild the files you need manually by extracting them from the original installation media, from patch packages and so on, but this is a time-consuming task and not that easy to accomplish.

But let me get to the point. If you do want to free disk space, you can clean out the %SYSTEMDRIVE%\Windows\Installer folder by downloading the Windows Installer Cleanup Utility (NOTE: this tool has been retired and is no longer available from Microsoft) and then running the command

msizap.exe G!

When running this, the installer and patch packages are enumerated; packages that are no longer referenced are considered safe to delete and are deleted. Depending on the age of the system and the number of applications installed, this can free a significant amount of disk space.
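The cleanup utility is gone, but the decision msizap.exe G! makes, which cached packages no installed product or patch still references, can be reproduced from the registry without deleting anything. As an added example, not part of the original post or of any Microsoft tool, the PowerShell below collects every LocalPackage path that Windows Installer has registered for products and patches under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData and lists the .msi and .msp files in %SYSTEMDRIVE%\Windows\Installer that none of them point to, with their sizes. It only reports; whether a file can go is a decision left to the administrator. The function name is mine.

```powershell
# Added example, not from the original post or from any Microsoft tool: list cached
# Windows Installer packages that no installed product or patch references.
# Report only; nothing is deleted.

function Get-UnreferencedInstallerCache {
    param([string]$InstallerFolder = (Join-Path $env:SystemRoot 'Installer'))

    $userData = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData'
    $referenced = New-Object 'System.Collections.Generic.HashSet[string]' -ArgumentList ([StringComparer]::OrdinalIgnoreCase)

    # Every SID under UserData is scanned, so per-user installs count as references too
    foreach ($sidKey in @(Get-ChildItem -Path $userData -ErrorAction SilentlyContinue)) {
        # Products: ...\<SID>\Products\<code>\InstallProperties, value LocalPackage
        foreach ($product in @(Get-ChildItem -Path (Join-Path $sidKey.PSPath 'Products') -ErrorAction SilentlyContinue)) {
            $props = Get-ItemProperty -Path (Join-Path $product.PSPath 'InstallProperties') -Name LocalPackage -ErrorAction SilentlyContinue
            if ($props -and $props.LocalPackage) { [void]$referenced.Add($props.LocalPackage) }
        }
        # Patches: ...\<SID>\Patches\<code>, value LocalPackage
        foreach ($patch in @(Get-ChildItem -Path (Join-Path $sidKey.PSPath 'Patches') -ErrorAction SilentlyContinue)) {
            $props = Get-ItemProperty -Path $patch.PSPath -Name LocalPackage -ErrorAction SilentlyContinue
            if ($props -and $props.LocalPackage) { [void]$referenced.Add($props.LocalPackage) }
        }
    }

    # Only top-level .msi/.msp files are cache entries; subfolders hold icons and the patch cache
    Get-ChildItem -Path $InstallerFolder -ErrorAction Stop |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.ms[ip]$' -and -not $referenced.Contains($_.FullName) } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name   = $_.Name
                SizeMB = [math]::Round($_.Length / 1MB, 2)
                Path   = $_.FullName
            }
        }
}

# Usage (run elevated so the per-SID keys are readable):
# Get-UnreferencedInstallerCache | Sort-Object SizeMB -Descending | Format-Table -AutoSize
```

Comparing the total of the SizeMB column with free disk space tells you up front whether a cleanup is worth the risk the post describes, before any package is touched.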