Category Archives: Windows Server 2008 R2

Installing Certificate Services, and configuring LDAPS on a SonicWALL

Assumptions: SonicOS 5.8+ and Windows Server 2008 R2 Enterprise running as a domain controller.

  1. On the Domain Controller: Open “Server Manager”, click “Roles”, click “Add Roles”.
  2. Click “Next >” and ensure there is a check mark next to “Active Directory Certificate Services”, then click “Next >” twice. Ensure there is a check mark in the boxes “Certification Authority”, “Certification Authority Web Enrollment”, and “Online Responder” (“Certification Authority Web Enrollment” and “Online Responder” are not technically needed, but they are common parts of a CA infrastructure that should also be installed if you are installing a CA), then click “Next >” and approve the installation of the IIS components that are required to run Web Enrollment. Select the “Enterprise” radio button and click “Next >”. Select the “Root CA” radio button and click “Next >”. Select the “Create a new private key” radio button and click “Next >”. Select “RSA#Microsoft Software Key Storage Provider”, “4096”, and “SHA512” from the drop down boxes and click “Next >”. Edit the Common Name for the CA if desired, then click “Next >”. Change the validity period if desired, then click “Next >”. Click “Next >” to leave the database in its default location, click “Next >” to install IIS, leave the default IIS installation options checked and click “Next >”, click “Install”, then click “Close”.
  3. From the Domain Controller, open Internet Explorer, and go to http://127.0.0.1/certsrv, when prompted login with the Domain Administrator account.
  4. Click the link “Download a CA Certificate, certificate chain, or CRL”
  5. Select the certificate with the common name from step 2, and then ensure the radio button “DER” is selected, click “Download CA Certificate”.
  6. Rename this certificate to match that of the common name and save it on the desktop.
  7. Login to the SonicWALL.
  8. Expand “System” from the left hand pane, and then click “Certificates”.
  9. Click “Import…” at the bottom.
  10. Ensure the radio button “Import a CA certificate from a PKCS#7 (.p7b), PEM (.pem), or DER (.der or .cer) encoded file.” is selected, then click “Browse…” and select the certificate with the common name that you set in step 2. Click “Open”, then click “Import”.
  11. Expand “Users” from the left hand pane of the SonicWALL, click “Settings”.
  12. Change the drop down box titled “Authentication method for login: “ to “LDAP + Local Users”.
  13. Ensure that the check box “Case-sensitive user names” is UnChecked.
  14. Click “Accept” at the top.
  15. Click the “Configure…” button next to the “Authentication method for login: “ drop down box.
  16. On the “Settings” tab enter the IP address of the Domain Controller in the box titled “Name or IP Address:”, change “Port Number:” to “636”, change the radio button selection to “Give login name/location in tree”, enter an Active Directory user account (a service account with “Domain Guest” group membership will suffice) in the “Login user name:” field, enter the password for the account in the “Login password:” field, and uncheck “Require valid certificate from server”.
  17. On the “Directory” tab enter the following: in the “Primary Domain:” field enter the DNS name of the Active Directory domain, change the “User tree for login to server:” to the full path of where the service account (used on the Settings tab) is located in Active Directory (spaces are okay), and click “Apply”.
  18. Click “Auto-Configure” to test the connection and populate the directories in AD which contain Users or Groups.

As long as your list populated with OUs, you should be good. This is everything you need to do to secure the connection between your SonicWALL and your domain controller.
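An added check, not from the original post, that goes beyond the GUI steps above: from any domain member, confirm that the domain controller's LDAPS listener on 636 presents a certificate that chains to the CA certificate you exported in step 5, and see which name it is issued to. The DC name and the certificate path are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original post). Assumptions: the DC's FQDN and the
# path of the DER file saved in step 6.
$DomainController = "dc01.corp.example"
$CaCertPath       = "$env:USERPROFILE\Desktop\CORP-ROOT-CA.cer"

function Test-LdapsCertificate {
    param([string]$Server, [string]$CaFile, [int]$Port = 636)

    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaFile)

    # Open a TLS session to port 636. The callback accepts any certificate so that the
    # handshake completes; the real verification is done against $ca further down.
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { param($s, $c, $ch, $e) $true })
    try {
        $ssl.AuthenticateAsClient($Server)
        $server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close(); $tcp.Close()
    }

    # Build the chain with the exported CA as an extra anchor. An "unknown" root is
    # tolerated only so that we can then insist it is exactly our CA (by thumbprint).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null
    $chain.ChainPolicy.RevocationMode    = "NoCheck"
    $chain.ChainPolicy.VerificationFlags = "AllowUnknownCertificateAuthority"
    $built = $chain.Build($server)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Name the certificate is issued to (first DNS SAN, else the CN). If you connect by
    # IP address, as the SonicWALL steps above do, this will not match the name used.
    $dnsName = $server.GetNameInfo("DnsName", $false)

    New-Object PSObject -Property @{
        Subject     = $server.Subject
        Issuer      = $server.Issuer
        NotAfter    = $server.NotAfter
        ChainValid  = $built
        RootIsOurCA = ($root.Thumbprint -eq $ca.Thumbprint)
        CertDnsName = $dnsName
        NameMatches = ($dnsName -ieq $Server)
    }
}

Test-LdapsCertificate -Server $DomainController -CaFile $CaCertPath | Format-List
```

ChainValid and RootIsOurCA both true means the SonicWALL now holds the right CA for this DC; a false RootIsOurCA means the DC is serving a certificate from some other issuer and the import in step 10 will not cover it.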

Group Policy Loopback: Merge not working on Windows 7 / Server 2008 R2

I guess I wasn’t paying attention. It’s now November 2012, and I’m just now realizing that Group Policy Loopback, with Merge selected, no longer works as I’d expect with Windows 7 and Server 2008 (R2).

It used to work like this:

Replace mode would ignore all GPOs applied to the user up until it got to the OU with the loopback policy, and then apply ONLY the GPOs with user settings in the OU with the loopback policy. This still works as expected in 2008/win7.

Merge mode would ADD the additional GPOs to what was already applied to the user, overriding any existing settings as needed, effectively merging them. This is what no longer works as expected.

Here is what I’ve found:

Microsoft published this KB, 953786, which says that the PCs now need to have an entry in the ACL of the GPO allowing them to read the settings of said GPO. What I’ve done to make this easier for myself is added the “Domain Computers” Active Directory group to any GPO which contains the user settings that I wish to apply via loopback merge.

In my testing, this added ACL entry has solved the issue, and allowed it to work as I expected, which is the way that 2003/xp behaved.
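As an added example, not from the original post: the same ACL change scripted with the GroupPolicy module that ships with Server 2008 R2, with a report that finds every GPO still missing the entry. The GPO name in the commented call is an assumption.

```powershell
# Added example (not from the original post). Requires Import-Module GroupPolicy and a
# user who is allowed to edit the security of the GPOs in question.
Import-Module GroupPolicy

function Get-GpoMissingComputerRead {
    # GPOs where the trustee has no Read (or higher) entry: the condition from KB 953786
    # that stops loopback merge from applying their user settings on Win7 / 2008 R2.
    param([string]$Trustee = "Domain Computers")
    foreach ($gpo in Get-GPO -All) {
        $perm = Get-GPPermission -Guid $gpo.Id -TargetName $Trustee -TargetType Group -ErrorAction SilentlyContinue
        if ($perm -eq $null -or $perm.Permission -eq "None") { $gpo }
    }
}

function Grant-ComputerReadOnGpo {
    # Adds the Read entry the post describes. Read is what the computer needs in order to
    # fetch the user settings during loopback processing, so Apply is not granted.
    param([Parameter(Mandatory=$true)][string]$GpoName, [string]$Trustee = "Domain Computers")
    Set-GPPermission -Name $GpoName -TargetName $Trustee -TargetType Group -PermissionLevel GpoRead | Out-Null
    # Return the resulting entry so the caller can confirm it took
    Get-GPPermission -Name $GpoName -TargetName $Trustee -TargetType Group
}

# Report first; grant on the GPOs that carry loopback user settings once you have checked the list
Get-GpoMissingComputerRead | Select-Object DisplayName, Id, ModificationTime
# Grant-ComputerReadOnGpo -GpoName "Loopback User Settings"   # GPO name is an assumption
```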

Windows Server 2008 R2 FTP is working internally but not through a Firewall

I ran into a problem today where a Server 2008 R2 FTP Server was working fine internally, but when you tried to access it from the internet it would not work. I checked the firewall rules, in this case a Sonicwall NSA, and the NAT and firewall rules were created properly, and they were passing traffic, but the connection was still failing.

The problem appears to be the Windows Firewall: for some reason the traffic is not making it through it. Here is how we resolved the problem:

  1. Create a new rule in the Windows Firewall
  2. Allow a Program through the firewall, c:\windows\system32\svchost.exe
  3. Allow this rule for all traffic types, Public, Domain, Private
  4. Give the rule a name and click Finish.
  5. Now test again externally and you should be able to access the FTP site.

Install a Certificate for Remote Desktop Services or Terminal Services on a Terminal Server

You’ll need a .pfx certificate in this guide, so once you have your certificate and any intermediates that need to be installed, export the certificate and include the entire chain the export, assign a password and then save the .pfx somewhere where you can access it from the terminal server.

On the Terminal Server in Question:

  1. Click “Start” and then “Run”.
  2. Enter “mmc” and then click “OK”.
  3. Click on the “File” menu and then select “Add/Remove Snap-in…”.
  4. Click “Certificates” and then click “Add >”, when prompted choose option “Computer Account” and then click “Next >”.
  5. Select “Local Computer” and then click “Finish”.
  6. Click “OK” to complete the add snap-in wizard and then expand “Certificates (Local Server)”.
  7. Right click on the “Personal” folder and then select “All Tasks”, then “Import…”.
  8. Click “Next >” and then locate the .pfx you’ve saved earlier. Click “Next >”
  9. Enter your password, and then click “Next >”, click “Next >”, click “Finish”.
  10. Now open “Remote Desktop Session Host Configuration”.
  11. Right click on “RDP-tcp” in the center of the window and select “Properties”.
  12. On the “General” tab, click the “Select” button, Select your certificate, and then click “OK”.
  13. Click “OK” one more time, and then all future connections will be secured by the certificate.
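The same import and RDP-Tcp binding, scripted from an elevated PowerShell prompt on the terminal server, as an added example that is not from the original post. The .pfx path is an assumption; the chain is split so the server certificate lands in Personal and any intermediates in the Intermediate Certification Authorities store.

```powershell
# Added example (not from the original post). Assumption: the exported .pfx sits at $PfxPath.
$PfxPath     = "C:\certs\terminal-server.pfx"
$PfxPassword = Read-Host "PFX password"   # plain string: X509Certificate2Collection.Import takes one

function Import-PfxWithChain {
    param([string]$Path, [string]$Password)
    # Keys go into the machine key store so the service, not just this user, can use them.
    $flags  = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"MachineKeySet,PersistKeySet"
    $bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $bundle.Import($Path, $Password, $flags)

    $my = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Store("CA", "LocalMachine")
    $my.Open("ReadWrite"); $ca.Open("ReadWrite")
    $leaf = $null
    try {
        foreach ($cert in $bundle) {
            if ($cert.HasPrivateKey) { $my.Add($cert); $leaf = $cert }  # the server certificate (Personal)
            else                     { $ca.Add($cert) }                 # intermediates from the exported chain
        }
    } finally { $my.Close(); $ca.Close() }
    if ($leaf -eq $null) { throw "No certificate with a private key found in $Path" }
    $leaf
}

function Set-RdpListenerCertificate {
    param([string]$Thumbprint, [string]$Listener = "RDP-Tcp")
    # What the "Select" button on the General tab does: store the SHA-1 hash on the listener.
    $ts = Get-WmiObject -Namespace "root\cimv2\TerminalServices" -Class Win32_TSGeneralSetting -Filter "TerminalName='$Listener'"
    Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $Thumbprint } | Out-Null
    # Read it back so the caller can confirm the binding took
    (Get-WmiObject -Namespace "root\cimv2\TerminalServices" -Class Win32_TSGeneralSetting -Filter "TerminalName='$Listener'").SSLCertificateSHA1Hash
}

$leaf  = Import-PfxWithChain -Path $PfxPath -Password $PfxPassword
$bound = Set-RdpListenerCertificate -Thumbprint $leaf.Thumbprint
if ($bound -ieq $leaf.Thumbprint) { "RDP-Tcp now uses $($leaf.Subject), valid until $($leaf.NotAfter)" }
else { throw "Binding failed: the listener reports $bound" }
```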

 

Apply Internet Explorer Settings with Group Policy without preventing users from making additional changes

Let’s say you want to roll out some default settings to IE, but you don’t want to prevent users from making additional changes. In the past I’ve seen this done through the Site to Zone Assignment List GPO but you end up with users who can’t modify those settings once they are set at the GPO level. The problem is this: say you’ve got a partial list of websites that should be placed in Trusted sites, but you don’t have the full list and you know users are going to need to add additional sites ad hoc.

Here is the better way to configure these settings:

  1. Open Group Policy Management Console, and Create a new GPO
  2. Expand User Configuration, Policies, Windows Settings, and Internet Explorer Maintenance, and finally Security
  3. Double click on “Security Zones and Content Rating”
  4. If and when the “Internet Explorer Enhanced Security Configuration” warning appears click on “Continue”
  5. Change the “Security and Privacy Settings” section to “Import the current security zones and privacy settings” and then click the “Modify Settings” button
  6. Make all of the appropriate changes for your environment and then press OK. These will now be the default settings for any users whom this GPO affects.

To be clear, I’ve not tested to see if these settings will re-apply if they are removed by the users, but my hunch is that if a user tries to remove any of these settings, they will be reapplied the next time the GPO is processed.

Using Windows Deployment Services to install custom images of Windows 7

Prerequisites

We’re going to need a few things before we can get started. Here is what we’ll need to gather:

  • 2 Windows 7 workstations (1 if you really want to punish yourself)
  • Windows 7 Open License media (DVD)
  • Windows 7 WAIK (Windows Automated Install Kit)
  • 1 Server 2008 R2 Server
  • Drivers for all workstations you plan on imaging (if different models)
  • Installation media for all Applications that you wish to put on the Image
  • A Windows Active Directory Domain
  • A USB External Hard Drive large enough to hold the Image of the PC

Install WDS on Server 2008 R2

Start by installing WDS on your Server 2008 R2 server. If this server is not already on a Windows Active Directory domain, also install AD DS and create a domain.

  1. Open Server Manager
  2. Click on Roles for the Left hand pane
  3. Click “Add Roles”
  4. Check the box for “Windows Deployment Services”, click Next
  5. Install both the “Deployment Server” and “Transport Server” role services
  6. Finish the Installation of the Role and reboot if necessary
  7. Click on START > Administrative Tools > Windows Deployment Services
  8. Expand Servers, Right click on your server and select “Configure Server”, Click Next to start the wizard
  9. Choose a location for the RemoteInstall Directory, Click Next
  10. If this server (the WDS server) is running DHCP, make sure both “Do not listen on port 67” and “Configure DHCP option 60 to ‘PXEClient’” are CHECKED. If this server does not run DHCP, leave both of these unchecked. Click Next.
  11. Select the option “Respond to all client computers (known and unknown)”; we’ll lock this down to “Respond only to known client computers” in a later section. Click Next.
  12. Uncheck the box for “Add images to the server now”. We’ll take care of this in a little bit. Click Finish.
  13. If the Add Image Wizard appears, close it.
  14. Right Click on the Server in the console and select Properties, Click on the “Boot” Tab.
  15. If you are like me, and you want this to be as idiot proof as possible for your users, change both radio buttons to “Always continue the PXE boot”. After we’ve loaded the “Install” and “Capture” images later, come back and assign them as the default choices as well, to further reduce the possibility of user error.
  16. Click the “Client” tab, Check the box for “Enable Client logging”, Hopefully we won’t need these, but you’ll thank me if you do.
  17. Close the Server Properties and then Right Click on “Install Images”. Create a new Image Group.

Create Boot and Capture files

  1. Take one of your windows 7 workstations and Install the Windows 7 WAIK on it. After installation place the Server 2008 R2 media in the drive.
  2. Create a new folder for all of the files you’ll be creating/editing C:\WDSStuff
  3. Copy the boot.wim from the [DVD Drive]\sources\boot.wim to C:\WDSStuff\Windows_2008_R2\
  4. Copy the NIC drivers for your workstation to C:\WDSStuff\NIC_Drivers. Make sure that the files are uncompressed, unzipped, extracted, etc.; basically make sure the .inf files are in this folder or its subfolders. Also make sure these drivers are for Server 2008 R2 (x64 Windows 7 drivers if the vendor does not have 2008 R2 drivers available). If you are unsure which drivers you need, put everything except the kitchen sink in here (as far as different versions of NIC drivers go).
  5. Click on START > All Programs > Microsoft Windows AIK > Deployment Tools Command Prompt
  6. Navigate to C:\WDSStuff\Windows_2008_R2\ and type: imagex /mountrw boot.wim 2 c:\WDSStuff\wim
  7. Change directory to C:\WDSStuff\NIC_Drivers and type: dism /image:c:\WDSStuff\wim /add-driver /driver:. /recurse
  8. Type: imagex /commit /unmount c:\WDSStuff\wim
  9. Copy C:\WDSStuff\Windows_2008_R2\boot.wim to the WDS Server
  10. From the WDS Server: Open Windows Deployment Services, Right Click on Boot Images folder and select Add Boot Image…
  11. Add this boot.wim file that you just copied, and when Prompted name it “Install”
  12. Once the image is in the console, expand the “Boot Images” folder and right click on “Install” and then select “Create Capture Image…” Save this image in the same location as the Install image, and name it “Capture”

Create Custom Image on Windows 7 Computer

  1. Grab your Windows 7 installation media, and install a fresh copy of Windows 7 on one of your Windows 7 workstations. Format the drive in such a way that there is only 1 partition. When you get the prompts to create users and name the PC: STOP.
  2. Press CTRL + shift + F3 all at the same time. This will put you into Audit mode. Each time your PC restarts from here on forward it will remain on Audit mode. When it logs you into the desktop CLOSE the sysprep window that appears, don’t click anything on that little bastard.
  3. Install all of your drivers, Applications, Windows updates, etc, Join the domain, apply group policies, go hog wild, just do whatever you would normally do when creating an imaged PC.
  4. When you are all done make the core system the way you want it, we’ll create the default profile.

Setup Default Profile (the non stupid way)

Creating the Default Profile. What can I say? I can say this: Microsoft, are you paying attention? Okay, here is what I can say about Default User Profiles on Windows 7: Microsoft, Go Fuck Yourselves. You dumb bastards. 10 years of being able to create default profiles by very easily moving a customized profile over the “Default User” profile, and you now want me to put the default profile where now? ON A DOMAIN CONTROLLER? IN THE NETLOGON SHARE? What, are you fucking serious? Name it .v2?!? That’s fucking stupid. I can’t wait until 70% of your product line is replaced with web apps and someone else’s browser. And for those of you saying that you can just use the copyprofile=true flag in the unattend.xml file? Technically you are right, except it then discards pretty much every user customization you just spent 2 hours changing and then double checking. But alas, I digress…

  1. On your Domain Controller create a new Domain Admin called “DefaultUser”
  2. Log into your workstation as the user you just created: DefaultUser
  3. Customize your profile, IE, etc to the exact way you want it
  4. When you are all satisfied, log out as that user and log back in as the Local Admin (note: while logged in as DefaultUser, re-enable the local admin and set its password)
  5. Now browse to c:\users\ and right click on DefaultUser (not Default User). Take ownership of this folder. Now grant “Everyone” full control to this folder. Make sure NTFS permissions propagate to all subfolders.
  6. Open the Registry and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CurrentVersion\ProfileList Edit the Reg String for “Default” Change the value from %SystemDrive%\Users\Default to %SystemDrive%\Users\DefaultUser

This is the best work around I’ve found to date to get the Non-Stupid methods of the old Copy To functionality to work. Let me know if you’ve found a better solution.

Create unattend files

This is a very long, complicated process that’s prone to errors; if you run into problems, it’s probably here that you are having them.

  1. Log into the Windows 7 Workstation that has WAIK installed
  2. Copy the Windows 7 Install.wim and Install.cfg file from the [DVD Drive]\sources\ folder to the C:\WDSStuff\Windows_7 folder. NOTE: make sure it’s the same architecture as the machine ready to be sysprepped (x86 versus x64).
  3. Click START > All Programs > Microsoft Windows AIK > Windows System Image Manager
  4. In the bottom left hand box titled “Windows Image”, right click and point this to the Install.wim or .cfg file that we copied to the C:\WDSStuff\Windows_7 folder
  5. In the top box titled “Answer File” right click and select “New Answer File…”
  6. We’re going to need to add sections from the catalog file in the bottom left box titled “Windows Image” to the answer file. If you are making an answer file for a different version of Windows or for a different hardware type (x86), these names are going to be different than the ones I mention here, BUT they will be close; find the one that most closely resembles what I’m telling you to select.
  7. Expand Components in the Windows Image section and add “amd64_Microsoft-Windows-International-Core-WinPE_neutral” to the “1 windows PE” section of the answer file.
  8. Click on “amd64_Microsoft-Windows-International-Core-WinPE_neutral” under the “1 windows PE” section and then change the value of “UILanguage” in the far right pane to “en-us”
  9. Expand “amd64_Microsoft-Windows-International-Core-WinPE_neutral” under the “1 windows PE” section, click on “SetupUILanguage” and then change the value of “UILanguage” in the far right pane to “en-us”
  10. Expand Components in the Windows Image section and add “amd64_Microsoft-Windows-setup_neutral” to the “1 windows PE” section of the answer file.
  11. Expand  “amd64_Microsoft-Windows-setup_neutral”, Click on “DiskConfiguration” and then change the value of “WillShowUI” to “OnError”
  12. Right Click on “DiskConfiguration” and select “Insert New Disk”
  13. Expand “DiskConfiguration” and Select the newly created disk, Change the setting on the far right side “DiskID” to “0”, Change the setting on the far right side “WillWipeDisk” to “true”
  14. Expand the newly created disk, right click on “CreatePartitions” and select “Insert new CreatePartition”
  15. Expand the newly created “CreatePartition”, change the setting “Extend” to “true”, change the setting “Order” to “1”, change the setting “Type” to “Primary”
  16. Right click on “ModifyPartitions” and select “Insert new ModifyPartition”
  17. Expand “ModifyPartitions” and select the newly created “ModifyPartition”, change the setting “Format” to “NTFS”, change the setting “Label” to “Windows”, change the setting “Order” to “1”, change the setting “PartitionID” to “1”
  18. Go back up to the level “amd64_Microsoft-Windows-Setup_neutral” and then expand “WindowsDeploymentServices”
  19. Expand ”ImageSelection”, Click on “InstallImage”, Change the setting “ImageGroup” to the name of the Image group created on the WDS Server.
  20. Click on “InstallTo” and change the setting “DiskID” to “0”, Change the setting “PartitionID” to “1”
  21. Expand “Login” and then click “Credentials”, change the setting “Domain” to the NETBIOS name of your Active Directory Domain, change the setting “Password” to the password of a Domain Admin, change the setting “Username” to that of a Domain Admin. You may be asking, is this safe? The password is encrypted before it’s put into the file, so that’s good, but I’m sure it’s not the safest thing to leave your Domain Admin credentials in this XML file that any user on the network can browse to, so see the addendum on how to get a Domain User account working instead of a Domain Admin.
  22. Save this answer file as “WDSUnattend.xml” in your C:\WDSStuff folder

Create a new blank answer file.

  1. Expand Components in the Windows Image section and add “amd64_Microsoft-Windows-Security-SPP_neutral” to the “3 Generalize” section of the answer file.
  2. Click “amd64_Microsoft-Windows-Security-SPP_neutral”, change the setting “SkipRearm” to “1”
  3. Expand Components in the Windows Image section and add “amd64_Microsoft-Windows-Deployment_neutral” to the “4 specialize” section of the answer file.
  4. Expand “amd64_Microsoft-Windows-Security-SPP_neutral”, right click on “RunSynchronous” and select “Insert New RunSynchronousCommand”. Perform this task twice.
  5. Select the first newly created RunSynchronousCommand, change the setting “Order” to “1”, change the setting “Path” to net user administrator /active:yes. This command enables the local Administrator account on the workstation.
  6. Select the second newly created RunSynchronousCommand, change the setting “Order” to “2”, change the setting “Path” to “reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\FirstNetwork" /v Category /t REG_DWORD /d 00000000 /f”. This command sets the first newly detected network to “work” automatically.
  7. Expand Components in the Windows Image section and add “amd64_Microsoft-Windows-Security-SPP-UX_neutral” to the “4 specialize” section of the answer file.
  8. Select “amd64_Microsoft-Windows-Security-SPP-UX_neutral”, change the setting “SkipAutoActivation” to “true”
  9. Expand Components in the Windows Image section and add “amd64_Microsoft-Windows-Shell-Setup_neutral” to the “4 specialize” section of the answer file.
  10. Select “amd64_Microsoft-Windows-Shell-Setup_neutral”, change the setting “BluetoothTaskbarIconEnabled” to “false”, change the setting “ComputerName” to %MACHINENAME%, change the setting “CopyProfile” to “false”, change the setting “ShowWindowsLive” to “false”, change the setting “TimeZone” to “Eastern Standard Time”, or whichever time zone you are in.
  11. Expand “amd64_Microsoft-Windows-Shell-Setup_neutral”, Select “Display”, change the setting “ColorDepth” to “32”, Change the setting “HorizontalResolution” to “1024”, change the setting “VerticalResolution” to “768”. Note: change these values to that of your PC being ready to be sysprepped.
  12. Expand Components in the Windows Image section and add “amd64_Microsoft-Windows-UnattendedJoin_neutral” to the “4 specialize” section of the answer file.
  13. Expand “amd64_Microsoft-Windows-UnattendedJoin_neutral”, Select “Identification”, change the setting “DebugJoin” to “true”, change the setting “JoinDomain” to the FQDN of your Active Directory Domain, change the setting “UnsecureJoin” to “true”.
  14. Expand Components in the Windows Image section and add “amd64_Microsoft-Windows-International-Core_neutral” to the “7 oobeSystem” section of the answer file.
  15. Select “amd64_Microsoft-Windows-International-Core_neutral”, change the setting “InputLocale” to “en-us”, change the setting “SystemLocale” to “en-us”, change the setting “UILanguage” to “en-us”, change the setting “UserLocale” to “en-us”. Note: change these settings to match your locale.
  16. Expand Components in the Windows Image section and add “amd64_Microsoft-Windows-Shell-Setup_neutral” to the “7 oobeSystem” section of the answer file.
  17. Select “amd64_Microsoft-Windows-Shell-Setup_neutral”, change the setting “BluetoothTaskbarIconEnabled” to “false”, change the setting “RegisteredOrganization” to the name of your organization, change the setting “RegisteredOwner” to the name of your organization, change the setting “ShowWindowsLive” to “false”, change the setting “TimeZone” to “Eastern Standard Time” or your local time zone.
  18. Expand “amd64_Microsoft-Windows-Shell-Setup_neutral”, select “AutoLogon”, change the setting “Domain” to the NetBIOS name of your Active Directory Domain, change the setting “Enabled” to “true”, change the “LogonCount” to “1”, change the setting “Username” to the name of your Domain Administrator account. Note: you don’t have to do this; this setting configures an automatic logon after the system is imaged, which allows you to run commands automatically after the system is imaged, which we’ll do shortly.
  19. Expand “AutoLogon”, select “Password”, change the setting “Value” to the Password of the account that will automatically log in.  The password will be encrypted when the file is saved.
  20. Select “Display”, change the setting “ColorDepth” to “32”, Change the setting “HorizontalResolution” to “1024”, change the setting “VerticalResolution” to “768”. Note: change these values to that of your PC being ready to be sysprepped.
  21. Right Click on “FirstLogonCommands”, select “Insert New SynchronousCommand”. Perform this task 5 times.
  22. Select the first newly created SynchronousCommand, change the setting “CommandLine” to “c:\drivers\win\display\setup.exe -overwrite –s”, change the setting “order” to “1”, change the setting “RequiresUserInput” to “false”. Note: This is just something I thought to include because it seems like I run into it a lot, after imaging Intel Based graphics card don’t get configured with the correct driver, this just runs the setup silently and fixes that issue.
  23. Select the second newly created SynchronousCommand, change the setting “CommandLine” to cscript //b c:\windows\system32\slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX where XXXXX-XXXXX-XXXXX-XXXXX-XXXXX is your Windows 7 Open License MAK key, change the setting “Order” to “2”, change the setting “RequiresUserInput” to “false”
  24. Select the third newly created SynchronousCommand, change the setting “CommandLine” to cscript //b c:\windows\system32\slmgr.vbs /ato, change the setting “Order” to “3”, change the setting “RequiresUserInput” to “false”. These last two commands activate Windows with your MAK Open License key.
  25. Select the fourth newly created SynchronousCommand, change the setting “CommandLine” to cscript //b "C:\program files\microsoft office\office14\ospp.vbs" /inpkey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX, change the setting “Order” to “4”, change the setting “RequiresUserInput” to “false”, where XXXXX-XXXXX-XXXXX-XXXXX-XXXXX is your Office 2010 Open License MAK key.
  26. Select the fifth newly created SynchronousCommand, change the setting “CommandLine” to cscript //b "C:\program files\microsoft office\office14\ospp.vbs" /act, change the setting “Order” to “5”, change the setting “RequiresUserInput” to “false”.
  27. Select “OOBE”, change the setting “HideEULAPage” to “true”, change the setting “NetworkLocation” to “Work”, change the setting “ProtectYourPC” to “3”, change the setting “SkipUserOOBE” to “true”. Note: The network location in this part may be redundant, because of the registry fix above.
  28. Expand “UserAccounts”, click on “AdministratorPassword”, change the setting “Value” to the desired local administrator password of the workstation.
  29. Right click on “LocalAccounts”, select “Insert New LocalAccount”
  30. Select the newly created LocalAccount, change the setting “DisplayName” to that of a second local administrator account, change the value “Group” to “Administrators”, change the setting “Name” to that of a second local administrator username.
  31. Expand “LocalAccount” and change the setting “Value” to the desired password of this newly created account. Note: both of these passwords will be encrypted in the file.
  32. Finally, save this file as Unattend.xml in your C:\WDSStuff folder
  33. Copy both of these files over to your WDS Server.

Prepare Image for Capture

Now it’s time to get this image sealed and ready to be uploaded to the WDS Server.

  1. Copy the Unattend.xml file over to the local computer folder c:\windows\system32\sysprep\
  2. Create a new folder under C:\windows\Setup called “Scripts”
  3. Create a new file called “SetupComplete.cmd” in C:\windows\Setup\Scripts
  4. Edit this file with Notepad and enter the following commands: del /Q /F c:\windows\system32\sysprep\Unattend.xml & del /Q /F c:\windows\panther\Unattend.xml
  5. Save the SetupComplete.cmd file
  6. Prep Your Antivirus software for Imaging, for Symantec Endpoint Protection12 go here.
  7. Open a command prompt, navigate to c:\windows\system32\sysprep\ and enter the following command: sysprep /generalize /oobe /shutdown /unattend:Unattend.xml

Upload image to Server

  1. Once the computer shuts down, connect the USB Hard Drive, and power the computer back up
  2. Turn on the computer, enter the BIOS, disable booting from the hard drive (just in case you miss the PXE boot), enable PXE boot on the NIC. Exit the BIOS
  3. Boot from the network card
  4. When prompted to select an image, select CAPTURE
  5. Follow the wizard to Select the C:\ drive, name the image, store it on the USB drive, and then upload it to the WDS Server.
  6. Once the image is done being uploaded to the WDS server shut this PC down.
  7. DO NOT IMAGE THIS PC, if you do, and the imaging does not work you’ll need to re-create the entire image.

Apply unattend file to WDS image

  1. Open the Windows Deployment Server MMC console
  2. Expand Install Images
  3. Expand the Install group you created earlier
  4. Find the image you just uploaded, right click it, and select properties
  5. Check the box titled “Allow Image to install in unattended mode”, select the WDSUnattend.xml file that was moved to the WDS Server
  6. Click OK.

Final Tasks

  1. Open the Windows Deployment Server MMC console
  2. Right click on your server and go to “properties”, click the “PXE Response” tab
  3. Select the radio button “Respond only to known client computers”
  4. Open Active Directory, Create a new computer account, when prompted during the new computer creation wizard check the box “This is a managed computer”, enter the GUID of this computer.
  5. You can obtain the GUID of the computer by booting from the NIC, and during the PXE attempt the GUID will be displayed, hit the pause button, and record that GUID, enter it into the Active Directory New Computer wizard.
  6. This step is how we a) Prevent unauthorized computers from being imaged, and b) give a value to the %MACHINENAME% variable we used in the answer file.
  7. Once the computer account has been pre-staged, reboot the computer and attempt to boot from the NIC again. You’ll now again see the option for INSTALL or CAPTURE, click INSTALL, and then select the image you just uploaded.
  8. If all goes well you’ll end up logged into windows as the Domain Administrator when you are done.

Making the install idiot proof for end users

  1. Disable the Capture image in the WDS console
  2. On the boot tab of the Server Properties in the WDS console, set the default boot image to the INSTALL image
  3. In the WDSUnattend.xml file, where we specified the Image Group, also specify the exact image name without the .wim extension, now when users PXE boot, everything will be hands free.

Appendix I: Updating Unattended files

Use the Windows System Image Manager to edit these files. They are seemingly easy to edit in Notepad, but they’re harder to screw up in WSIM. Also, if you ever need to change any of the passwords, re-import the component containing the password from the Components section and re-do the entire section with the password; otherwise the updated password will not be encrypted and it will be visible in the XML file.
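An added example, not from the original post, for the concern raised here and in step 21 of the WDSUnattend.xml section: a small audit that reports where an answer file carries account passwords and whether each is flagged as plain text, without printing the values. The XML is a constructed sample shaped like the oobeSystem section built above.

```powershell
# Added example (not from the original post). $SampleUnattend is a constructed sample;
# point the function at your real Unattend.xml / WDSUnattend.xml to audit them.
$SampleUnattend = [xml]@"
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" language="neutral">
      <AutoLogon>
        <Password>
          <Value>Q09OU1RSVUNURUQtU0FNUExF</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <LogonCount>1</LogonCount>
        <Username>Administrator</Username>
        <Domain>CORP</Domain>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>Passw0rd!</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"@

function Get-UnattendPasswordEntries {
    param([Parameter(Mandatory=$true)][xml]$Unattend)
    $ns = New-Object System.Xml.XmlNamespaceManager($Unattend.NameTable)
    $ns.AddNamespace("u", "urn:schemas-microsoft-com:unattend")
    # Every Password / AdministratorPassword element that carries a Value child
    $xpath = "//u:Password[u:Value] | //u:AdministratorPassword[u:Value]"
    foreach ($node in $Unattend.SelectNodes($xpath, $ns)) {
        $flag  = $node.SelectSingleNode("u:PlainText", $ns)
        $plain = "absent"                                    # no PlainText element at all
        if ($flag -ne $null) { $plain = $flag.InnerText.Trim().ToLower() }
        New-Object PSObject -Property @{
            Pass        = $node.SelectSingleNode("ancestor::u:settings", $ns).GetAttribute("pass")
            Component   = $node.SelectSingleNode("ancestor::u:component", $ns).GetAttribute("name")
            Element     = $node.ParentNode.LocalName + "/" + $node.LocalName
            PlainText   = $plain
            ValueLength = $node.SelectSingleNode("u:Value", $ns).InnerText.Length   # length only, never the value
        }
    }
}

Get-UnattendPasswordEntries $SampleUnattend |
    Format-Table Pass, Component, Element, PlainText, ValueLength -AutoSize
```

For a real file: Get-UnattendPasswordEntries ([xml](Get-Content C:\WDSStuff\Unattend.xml)); any row showing PlainText true is a password that was edited outside WSIM and is readable by whoever can open the file.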

Appendix II: Installing additional drivers into an Image

Right click an Install Image in the WDS console and export it. Then follow the same steps we used above to install the NIC drivers, but put all drivers and their associated files in subfolders of the folder where you run the dism /image:[location of extracted files] /add-driver /driver:. /recurse command. The /recurse switch adds every driver it can find in all subfolders, which lets you add a ton of drivers really easily.

Appendix III: Using a non Domain Admin account for the Unattend.xml file

This section coming as soon as I can figure it out.

Many thanks to the following sites for contributing, even if you didn’t know you did.

Office Activation Commands(just add these after the RunSynchronous commands for activating Windows): http://blogs.technet.com/b/office2010/archive/2009/12/18/volume-activation-tips-and-tricks.aspx

Refernence for the fact that the WDSUnattend.xml file is the account used to join to the domain: http://social.technet.microsoft.com/Forums/fi-FI/w7itproinstall/thread/c90fe1ac-198d-4337-bb8a-8d6f3991fede

Sample unattend files:
http://social.technet.microsoft.com/Forums/fi-FI/w7itproinstall/thread/c90fe1ac-198d-4337-bb8a-8d6f3991fede

How to setup the answer file (mostly): http://blog.brianleejackson.com/sysprep-a-windows-7-machine-%E2%80%93-start-to-finish-v2

Changing the Default User profile: http://www.windows7hacker.com/index.php/2009/05/how-to-change-user-profile-default-location-in-windows-7/

When attempting to backup System State on Server 2008 R2 / SBS 2011 you get: ERROR – A Volume Shadow Copy Service operation error has occurred: (0x800423f0)

I created a script that takes a system state backup and I schedule it to run once a week so that we have a local copy of System state if we ever need it. I’m not sure that we’ve ever actually needed it, but just call me captain safety pants. About a week ago the script just stopped working, the scheduled job was failing, but the logs were pretty much empty with the exception of this one warning that was getting logged each time the script was run:

Source:        VSS
Event ID:      8230
Volume Shadow Copy Service error: Failed resolving account spsearch with status 1376. Check connection to domain controller and VssAccessControl registry key.
Operation:
Gather writers' status
Executing Asynchronous Operation
Context:
Current State: GatherWriterStatus
Error-specific details:
Error: NetLocalGroupGetMemebers(spsearch), 0x80070560, The specified local group does not exist.

I’m not sure what the spsearch user account has to do with taking a System State Backup, but it looks like that account is listed under the registry as having access to the VSS writers. The problem is it doesn’t have permissions to the writers, so when the writers start they error out saying this account does not have permissions even though they don’t need to run under this user’s context, and in fact are running under the admin user’s context (configured in the scheduled task’s job preferences).

Since this particular server (SBS 2011) is not going to be used for SharePoint services, I just removed the account from the list in the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\VssAccessControl

Once that user was removed from that registry key I restarted the scheduled task and the script completed fine. I’m not sure if this account not being in this key will cause any problems but I suspect it won’t because it does not have permissions to the VSS writers anyway, which is why the script started failing in the first place.
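As an added example (not the post’s own script), the following PowerShell audits that VssAccessControl key and reports which of the listed accounts no longer resolve to a SID, which is exactly the condition behind the event 8230 above (“Failed resolving account spsearch”). It reads the key only; the removal is left as a commented command so the key can be exported first. The value layout assumed here is one value per account with DWORD data 1 or 0.

```powershell
# Added example (not from the original post): audit the accounts listed under
# the VssAccessControl key and report which ones no longer resolve. The 8230
# event in the post came from exactly that: an account name ('spsearch') that
# Windows could not resolve to a SID.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl'

function Get-VssAccessControlAudit {
    param([string]$Path = $KeyPath)
    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {
        # Assumption: each value is named after an account and its DWORD data
        # is 1 (allowed to access the writers) or 0.
        $allowed  = $key.GetValue($name)
        $sid      = $null
        $resolves = $true
        try {
            $sid = ([System.Security.Principal.NTAccount]$name).Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $resolves = $false
        }
        New-Object PSObject -Property @{
            Account  = $name
            Allowed  = [int]$allowed
            Resolves = $resolves
            SID      = $sid
        }
    }
}

$audit = Get-VssAccessControlAudit
$audit | Format-Table Account, Allowed, Resolves, SID -AutoSize

# Unresolvable entries are the ones worth investigating. The post removed
# 'spsearch' because SharePoint was not used on that server; on a host that
# does run SharePoint, repair the account rather than deleting the entry.
$stale = $audit | Where-Object { -not $_.Resolves }
if ($stale) {
    Write-Warning ("Entries that do not resolve: " + (($stale | ForEach-Object { $_.Account }) -join ', '))
    # Export the key before changing it, then remove a confirmed-stale entry
    # (run elevated; 'spsearch' is the value name from the post):
    #   reg.exe export HKLM\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl C:\VssAccessControl.reg
    #   Remove-ItemProperty -Path $KeyPath -Name 'spsearch'
}
```

Running the audit on a working server first gives a baseline of which accounts are expected in the key, so a later failure like the one in this post can be traced to a specific entry instead of an empty event log.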

If anyone has any spare time and wants to explain the purpose of spsearch account being in the VssAccessControl key please feel free to leave a comment.

Thanks,

Sean

Disabling HP Printer Notifications using Group Policy and Group Policy Preferences

The HP printer status notification is enabled by default.  You can disable it manually for each printer just by clicking on the Settings option when the GIANT ANNOYING BIG SQUARE BOX pops up in the bottom right corner of your screen, but of course, you would not want to do that for every client; thus, GPOs become very useful.

Depending on your environment, there are a couple ways to accomplish this.

  1. If you have your server acting as the print server and sharing out all your printers, you are in luck.  HP makes a Universal Print Driver AD Tool Kit and Template that you can add to your GPM console.  Once the new options are added, you can easily disable the status notification option by checking a box.
  2. Download the HP Universal Print Driver AD Template and Guide Park-1.4 from HP’s site.
  3. Open Group Policy Management Console.
  4. Right click on the User Configuration section and add the .adm file you just downloaded.  This will give you added features. See Figure 1.

    Figure 1

  5. By selecting “Disabled”, you will stop the status notification from popping up on all your HP printers.
  6. NOTE: This is a User Configuration policy, thus, you can only apply this to an OU that contains users, not PCs.  Also, this will ONLY work if you are using/installing shared printers from the server.  If you are using local IP printers, jump to the next section.

If you are using local IP printers, disabling the status notification is a bit more complicated.  This is because you can only affect the HP Laser Jet settings using the options under the Computer Configuration section, not the User Configuration section since these are installed as local IP printers, not shared printers.  The printer settings are connected to the PC, not the users.  Unfortunately, the HP AD Template only adds options under the User Configuration, not the Computer Configuration, so you need to follow these steps to accomplish the same task.

  1. On an XP workstation, install the IP printer(s) you need to modify. Go to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\<PrinterName>\PrinterDriverData
  2. Create a DWORD value named SSNPNotifyEventSetting and give it a value of 0. Repeat this step for EVERY printer you need to modify.
  3. Create a new GPO called: Disable HP LJ Printer Status Notification
  4. Expand Computer Configuration\Preferences\Windows Settings\Registry
  5. Right click on the right side and choose New/Registry Wizard.
  6. Select the PC on which you installed the printers above.
  7. In the bottom section, go to the registry DWORD setting you just created and select it.
  8. Most of the default settings should suffice, but you may want to associate the preference with a specific OU. See Figure 2.  If you do:

    Figure 2

  • Open the preference you just created.
  • Click the Common tab.
  • Check Item-level targeting and then click the Targeting button.
  • Click on New Item and select Organizational Unit.
  • Select the OU to which you want to apply this preference.

Note: You can rename the preference in order to keep track of the printers you are modifying.

Finally reboot the PC
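Step 2 above has to be repeated by hand for every printer on the reference workstation. As an added example (not part of the original post), this PowerShell does that pass for every locally installed printer whose driver name looks like an HP driver, skipping printers that are already set to 0, and supports a preview mode so you can see what it would change before the Registry Wizard captures the values. The HP match pattern and the default key path are assumptions; run it elevated.

```powershell
# Added example (not part of the original post): set SSNPNotifyEventSetting=0
# for every locally installed printer whose driver is an HP driver, so step 2
# does not have to be repeated by hand per printer. Run elevated on the
# reference workstation before capturing the values with the Registry Wizard.
# The driver match pattern is an assumption; adjust it for your drivers.
param(
    [string]$PrintersKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers',
    [string]$DriverMatch = '^HP',      # only touch printers whose driver name starts with HP
    [switch]$WhatIf                   # report what would change without writing
)

function Set-HpStatusNotification {
    param([string]$Key, [string]$Match, [switch]$Preview)
    $changed = @()
    foreach ($printer in Get-ChildItem -Path $Key) {
        # Each printer key carries a 'Printer Driver' string naming its driver.
        $driver = (Get-ItemProperty -Path $printer.PSPath).'Printer Driver'
        if (-not $driver -or $driver -notmatch $Match) { continue }

        $dataKey = Join-Path $printer.PSPath 'PrinterDriverData'
        if (-not (Test-Path $dataKey)) { New-Item -Path $dataKey | Out-Null }

        $current = (Get-ItemProperty -Path $dataKey -ErrorAction SilentlyContinue).SSNPNotifyEventSetting
        if ($current -eq 0) { continue }     # already disabled, nothing to do

        if ($Preview) {
            Write-Host "Would set SSNPNotifyEventSetting=0 for '$($printer.PSChildName)' ($driver)"
        } else {
            # Same DWORD the post creates manually in step 2.
            Set-ItemProperty -Path $dataKey -Name 'SSNPNotifyEventSetting' -Value 0 -Type DWord
        }
        $changed += $printer.PSChildName
    }
    return $changed
}

$result = Set-HpStatusNotification -Key $PrintersKey -Match $DriverMatch -Preview:$WhatIf
"Printers updated (or to update with -WhatIf): $($result.Count)"
$result
```

Because the GPP Registry Wizard in step 5 reads values from the machine you point it at, running this first means every HP printer on that workstation is already in the desired state when you pick the values to push out.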

Installing 32 Bit Print Drivers on Server 2008 R2 or 2008 x64

Remember the days when you could right click inside of the “Printers and Faxes” window and add an additional print driver? Me too, but those days are gone my friend. Apparently Microsoft fired the “good ideas” guy.

So you’ve got 32 bit Clients and a 64 bit Server sharing a printer huh? Are Clients prompting for the driver every time you try to connect…?

Follow these steps to resolve it:

  1. First download both the 32-bit and 64-bit versions of the EXACT SAME DRIVER; make sure they are exactly the same (Lexmark 4600 and Lexmark 4600 XL are not the same driver).
  2. Once both are extracted, you can add them in one of two ways:

Method one: Installing them from the server

  1. Open Server Manager
  2. Click Roles
  3. Add the Print and Document Services Role (really you say?  Yes really.)
  4. After the Role finishes installing, click on Administrative Tools, and then Print Management
  5. Inside Print Management, expand Print Servers
  6. Right Click on the Print Server in question, and then Select Properties…
  7. Click on the Drivers tab and then Click Add. Click Next. Check off both X64 and x86 Drivers, and Click Next. When prompted select the location for one or the other, and when prompted again, specify the location of the remaining driver.
  8. Now Create a new printer, using the installed driver, and share it.

Method two: Installing the Drivers from the Client

  1. Install and share the printer as you normally would on the 2008 server
  2. From the client browse to the server using \\%servername%
  3. Open the folder “Printers and Faxes” from the \\%servername% window
  4. Right click on the empty white space and select “Server Properties”
  5. Click on the Drivers tab and then Click Add. Click Next. When prompted select the location of the remaining driver.
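Whichever method you use, the thing to verify afterwards is that the same driver name now exists for both environments on the server, because a shared printer whose driver has only the x64 half is exactly what makes 32-bit clients prompt. As an added example (not the post’s own script), this PowerShell builds that report from the Win32_PrinterDriver WMI class, which is available on Server 2008 / 2008 R2, and warns about shared printers that are still missing the x86 driver. The server name is a parameter defaulting to the local machine.

```powershell
# Added example (not from the original post): check which print drivers on the
# server exist for both the x64 and x86 environments, via the Win32_PrinterDriver
# WMI class. Its Name property has the form "<driver name>,<version>,<environment>",
# for example "HP LaserJet 4,3,Windows x64" or "HP LaserJet 4,3,Windows NT x86".
# $Server defaults to the local machine; that is an assumption to change.
param([string]$Server = '.')

function Get-PrintDriverPlatformReport {
    param([string]$ComputerName = '.')
    $drivers = Get-WmiObject -Class Win32_PrinterDriver -ComputerName $ComputerName
    $byName = @{}
    foreach ($d in $drivers) {
        $parts       = $d.Name -split ','
        $driverName  = $parts[0]
        $environment = $parts[2]
        if (-not $byName.ContainsKey($driverName)) { $byName[$driverName] = @() }
        $byName[$driverName] += $environment
    }
    foreach ($name in ($byName.Keys | Sort-Object)) {
        $envs = $byName[$name]
        $has64 = ($envs -contains 'Windows x64')
        $has86 = ($envs -contains 'Windows NT x86')
        New-Object PSObject -Property @{
            Driver   = $name
            x64      = $has64
            x86      = $has86
            # 32-bit clients connect without prompting only when both halves exist
            Complete = ($has64 -and $has86)
        }
    }
}

$report = Get-PrintDriverPlatformReport -ComputerName $Server
$report | Sort-Object Complete, Driver | Format-Table Driver, x64, x86, Complete -AutoSize

# Flag shared printers whose driver is missing the x86 half.
$missing = $report | Where-Object { $_.x64 -and -not $_.x86 }
foreach ($printer in Get-WmiObject -Class Win32_Printer -ComputerName $Server -Filter 'Shared = TRUE') {
    if ($missing | Where-Object { $_.Driver -eq $printer.DriverName }) {
        Write-Warning "Shared printer '$($printer.Name)' uses '$($printer.DriverName)' with no x86 driver; 32-bit clients will prompt for one."
    }
}
```

If a driver shows up twice with slightly different names (the Lexmark 4600 versus 4600 XL situation from step 1), the report lists them as two separate incomplete drivers, which is the quickest way to spot a mismatched pair.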

Windows 7 Not Remembering Remote Desktop Credentials for Server 2008 / Server 2008 R2

If you’re like me you use RDP all of the time. You’ve probably got tons of RDP icons with the passwords saved in each one so that you can quickly bounce into all of the servers you are managing. If you’ve upgraded to Windows 7 as your workstation OS, you’ve probably also noticed that those RDP connections are no longer remembering your passwords for connections to Windows Server 2008 or Server 2008 R2.

Here is how to resolve this problem:

  1. Click on Start, and then in the search bar type: gpedit.msc
  2. Expand Computer Configuration, Expand Administrative Templates, Expand System, Expand Credentials Delegation
  3. Double Click on “Allow Delegating Default Credentials with NTLM-only Server Authentication”. Click the “Show…” button, Enter the following: TERMSRV/*
  4. Click OK, to close the Show Contents Window, Click OK again to close the next window.
  5. Double Click on “Allow Delegating Saved Credentials with NTLM-only Server Authentication”. Click the “Show…” button, Enter the following: TERMSRV/*
  6. Click OK, to close the Show Contents Window, Click OK again to close the next window.
  7. Click on Start, and then in the search bar type: GPUPDATE /FORCE

You’ll now be able to save credentials into RDP connections for Server 2008 / 2008 R2 connections.
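The two gpedit settings above are stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation, and when you have more than one workstation to fix it is handy to audit or apply them from the registry directly. As an added example (not the post’s own script), this PowerShell reports the current state of both policies and, with -Apply, writes the same values the Local Group Policy editor does and runs the same gpupdate. The SPN list defaults to the post’s TERMSRV/*; since these two policies allow your saved password to be delegated to a server that was only NTLM-authenticated (not mutually authenticated via Kerberos), the parameter also lets you narrow the list to named hosts such as TERMSRV/srv01.corp.local (a placeholder name) so only those servers can receive it. Run it elevated; the registry value names used are the documented ones for these policies.

```powershell
# Added example (not from the original post): audit and optionally apply the
# two Credentials Delegation policies from the registry, the way the Local
# Group Policy editor stores them. Run elevated.
# -Spns defaults to the post's wildcard; narrowing it to named hosts limits
# which servers can receive saved credentials under NTLM-only authentication.
param(
    [string[]]$Spns  = @('TERMSRV/*'),
    [switch]  $Apply                     # without -Apply the script only reports
)

$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
# Enable flag, its "concatenate with OS defaults" companion; the SPN list lives
# in a subkey named after the enable flag.
$Policies = @(
    @{ Enable = 'AllowDefaultCredentialsWhenNTLMOnly'; Concat = 'ConcatenateDefaults_AllowDefNTLMOnly' },
    @{ Enable = 'AllowSavedCredentialsWhenNTLMOnly';   Concat = 'ConcatenateDefaults_AllowSavedNTLMOnly' }
)

function Get-CredDelegationState {
    foreach ($p in $Policies) {
        $enabled = 0
        $list    = @()
        if (Test-Path $Base) {
            $enabled = (Get-ItemProperty -Path $Base -ErrorAction SilentlyContinue).($p.Enable)
        }
        $sub = Join-Path $Base $p.Enable
        if (Test-Path $sub) {
            $item = Get-Item $sub
            $list = $item.GetValueNames() | ForEach-Object { $item.GetValue($_) }
        }
        New-Object PSObject -Property @{
            Policy  = $p.Enable
            Enabled = ([int]$enabled -eq 1)
            Spns    = ($list -join ', ')
        }
    }
}

function Set-CredDelegationPolicy {
    param([string[]]$SpnList)
    if (-not (Test-Path $Base)) { New-Item -Path $Base -Force | Out-Null }
    foreach ($p in $Policies) {
        Set-ItemProperty -Path $Base -Name $p.Enable -Value 1 -Type DWord
        Set-ItemProperty -Path $Base -Name $p.Concat -Value 1 -Type DWord
        $sub = Join-Path $Base $p.Enable
        if (Test-Path $sub) { Remove-Item $sub -Recurse }   # rewrite the list from scratch
        New-Item -Path $sub -Force | Out-Null
        # The list is stored as string values named "1", "2", ... holding each SPN.
        for ($i = 0; $i -lt $SpnList.Count; $i++) {
            Set-ItemProperty -Path $sub -Name ($i + 1) -Value $SpnList[$i] -Type String
        }
    }
}

"Before:"
Get-CredDelegationState | Format-Table Policy, Enabled, Spns -AutoSize
if ($Apply) {
    Set-CredDelegationPolicy -SpnList $Spns
    & gpupdate.exe /force | Out-Null   # same refresh step as the post
    "After:"
    Get-CredDelegationState | Format-Table Policy, Enabled, Spns -AutoSize
}
```

Running it without -Apply on a workstation that already went through the gpedit steps shows both policies as Enabled with TERMSRV/* in the list, which is a quick way to confirm the change took before chasing the RDP client itself.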