
Adding your ESXi Host to vCenter and finishing its configuration

Now that we’ve got our vCenter server set up and running, it’s time to finish its basic configuration and add our ESXi servers to it.

The first thing we’re going to need to do is create a datacenter. Follow these steps:

  1. Right click on the vCenter server in the upper left part of the screen.
  2. Select “New Datacenter”, assign it a name.
Now we’ll add the Hosts to the newly created Data Center.
  1. Right click on the Datacenter you just created and select “Add Host…”.
  2. Enter the Host’s name, the username (root) and the password configured during the ESXi Host’s original setup process. Click “Next >”.
  3. Click “Yes” when the Security Alert appears.
  4. Click “Next >” to confirm the summary.
  5. Assign a license to the Host, or choose evaluation, and then click “Next >”.
  6. Check “Enable Lockdown Mode” if you want it enabled, Click “Next >”.
  7. Select the location for your VMs, if there are any. Click “Next >”.
  8. Click “Finish”.
Repeat this for each of your Hosts, and when you’ve added them all we can move on to creating an HA / DRS cluster.
  1. Right click on the Datacenter you just created. Select “New Cluster…”.
  2. Give your new cluster a name, and then select if you want to enable HA or DRS or both. For the purposes of this write up, we’ll be enabling both. Click “Next >”.
  3. The first section asks to configure your DRS automation level. I configure this as “Fully automated” and with Priority 1,2,3, & 4 recommendations being performed. Click “Next >”.
  4. The next section asks how to configure Power Management automation. I configure this to be automatic, and leave the DPM Threshold at the default. Click “Next >”.
  5. The next section asks about how to configure HA. I leave these at the default settings. Make changes if you wish and then click “Next >”.
  6. The next section asks about how to handle VMs that stop responding and Hosts that stop responding. I leave these settings at their defaults. Make changes if you wish and then click “Next >”.
  7. The next section asks about monitoring the guest VMs. Enable VM Monitoring if you want, and then set your sensitivity level. Click “Next >”.
  8. The next section asks about EVC, if you are running hosts with different versions of processors, then you should enable this, if all of your hosts are identical, you can leave this disabled. Click “Next >”.
  9. The next section asks about the VM Swap file location. Unless you have a specific reason to do so I would not modify this. I leave it at the default unless I’ve got a raid 0 volume setup somewhere. Click “Next >”.
  10. Click “Finish” to create your cluster.
Now we need to add our hosts to the newly created cluster. Drag your first host into the cluster; when you drop it you’ll be put into the “Add Host Wizard”. Follow these steps to add the host to the cluster:
  1. The first section will ask you where you want to place the host’s VMs, if there are any. If you’ve configured resource pools you can select one; otherwise leave this at the default setting and click “Next >”.
  2. Click “Finish”.
The last thing we need to do for our hosts is configure their Power Management settings. I’m using Dell servers, so I’m going to configure the Power Management settings with the IP address, MAC address, and username/password of the built-in iDRAC on each server. Follow these steps:
  1. From the Hosts and Clusters Inventory, click on the first host, and then click on the “Configuration” tab.
  2. Under the “Software” section click “Power Management”.
  3. Click “Properties…” in the top right corner of the screen.
  4. Enter the Username, Password, IP address, and MAC address of the host’s iDRAC interface. Click “OK”.
  5. If Power Management is configured on your cluster, the cluster can now put this host to sleep and wake it up when it’s needed.
Finally, the last thing we need to do to finish basic configuration is configure email alerts on the vCenter server. Follow these steps:
  1. Go to the “Home” screen in the vCenter client.
  2. Click on “vCenter Server Settings”.
  3. Click “Mail” in the left hand pane.
  4. Enter your SMTP server’s address, and enter a sender account for vCenter server. Click “OK”.
That’s it. We’re done with the basic configuration of vCenter server, our hosts, and our first cluster. We’ll move onto more advanced topics in future posts, such as Resource Pools, Cloning, Creating Templates, and Backing up VMs.
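The datacenter, host and cluster steps above, done with VMware PowerCLI instead of clicking through the vSphere Client. This is an added example, not code from the original post; the names vcenter01, DC1, Cluster1, esx01 and esx02 are assumptions, and the hosts are added straight into the cluster rather than into the datacenter and then dragged across.

```powershell
# Added example (not from the original post): datacenter / cluster / host setup
# with PowerCLI. Assumed names: vcenter01, DC1, Cluster1, esx01, esx02.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter01' | Out-Null

# Datacenter at the root of the inventory (the "New Datacenter" step)
$dc = Get-Datacenter -Name 'DC1' -ErrorAction SilentlyContinue
if (-not $dc) {
    $dc = New-Datacenter -Name 'DC1' -Location (Get-Folder -NoRecursion)
}

# HA + DRS cluster with fully automated DRS (steps 2 and 3 of the cluster wizard)
$cluster = Get-Cluster -Name 'Cluster1' -Location $dc -ErrorAction SilentlyContinue
if (-not $cluster) {
    $cluster = New-Cluster -Name 'Cluster1' -Location $dc `
        -HAEnabled -DrsEnabled -DrsAutomationLevel FullyAutomated
}

# Ask for the ESXi root password once instead of typing it per host
$rootCred = Get-Credential -UserName 'root' -Message 'ESXi root password'

foreach ($hostName in 'esx01', 'esx02') {
    # -Force accepts the host's self-signed certificate, which is what clicking
    # "Yes" on the Security Alert does. Compare the thumbprint against the one
    # shown on the host's DCUI before trusting it.
    $vmhost = Add-VMHost -Name $hostName -Location $cluster -Credential $rootCred -Force

    # Same effect as ticking "Enable Lockdown Mode": direct access to the host
    # is closed and management goes through vCenter only.
    (Get-View -Id $vmhost.Id).EnterLockdownMode()
}

# Show what ended up in the cluster
Get-Cluster -Name 'Cluster1' | Get-VMHost |
    Select-Object Name, ConnectionState, PowerState, @{n='Lockdown'; e={ (Get-View -Id $_.Id).Config.AdminDisabled }}

Disconnect-VIServer -Server 'vcenter01' -Confirm:$false
```

The iDRAC/IPMI settings for DPM and the mail alert settings have no simple cmdlet equivalent in this form and are left to the GUI steps above.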

Using Windows Deployment Services to install custom images of Windows 7

Prerequisites

We’re going to need a few things before we can get started. Here is what we’ll need to gather:

  • 2 Windows 7 workstations (1 if you really want to punish yourself)
  • Windows 7 Open License media (DVD)
  • Windows 7 WAIK (Windows Automated Install Kit)
  • 1 Server 2008 R2 Server
  • Drivers for all workstations you plan on imaging (if different models)
  • Installation media for all Applications that you wish to put on the Image
  • A Windows Active Directory Domain
  • A USB External Hard Drive large enough to hold the Image of the PC

Install WDS on Server 2008 R2

First Start by installing WDS on your Server 2008 R2 server. If this server is not already on a Windows Active Directory Domain, also install AD DS and create a domain.

  1. Open Server Manager
  2. Click on Roles for the Left hand pane
  3. Click “Add Roles”
  4. Check the box for “Windows Deployment Services”, click Next
  5. Install both the “Deployment Server” and “Transport Server” role services
  6. Finish the Installation of the Role and reboot if necessary
  7. Click on START > Administrative Tools > Windows Deployment Services
  8. Expand Servers, Right click on your server and select “Configure Server”, Click Next to start the wizard
  9. Choose a location for the RemoteInstall Directory, Click Next
  10. If this server (the WDS server) is also running DHCP, make sure both “Do not listen on port 67” and “Configure DHCP option 60 to ‘PXEClient’” are CHECKED. If this server does not run DHCP, leave both of these unchecked. Click Next.
  11. Select the Option for “Respond to all client computers (known and unknown)” we’ll lock this down to “Respond only to known client computers” in a later section. Click Next.
  12. Uncheck the box for “Add images to the server now”. We’ll take care of this in a little bit. Click Finish.
  13. If the Add Image Wizard appears, close it.
  14. Right Click on the Server in the console and select Properties, Click on the “Boot” Tab.
  15. If you are like me, and you want this to be as idiot proof as possible for your users, change both radio buttons to “Always continue the PXE boot”. After we’ve loaded the “Install” and “Capture” images later, come back and assign them as the default choices as well, to further reduce the chance of user error.
  16. Click the “Client” tab, Check the box for “Enable Client logging”, Hopefully we won’t need these, but you’ll thank me if you do.
  17. Close the Server Properties and then Right Click on “Install Images”. Create a new Image Group.

Create Boot and Capture files

  1. Take one of your Windows 7 workstations and install the Windows 7 WAIK on it. After installation place the Server 2008 R2 media in the drive.
  2. Create a new folder for all of the files you’ll be creating/editing: C:\WDSStuff
  3. Copy the boot.wim from the [DVD Drive]\sources\boot.wim to C:\WDSStuff\Windows_2008_R2\
  4. Copy the NIC drivers for your workstation to C:\WDSStuff\NIC_Drivers. Make sure that the files are uncompressed, unzipped, extracted, etc. Basically make sure the .inf files are in this folder or its subfolders. Also make sure these drivers are for Server 2008 R2 (x64 Windows 7 drivers if the vendor does not have 2008 R2 drivers available). If you are unsure which drivers you need, put everything except the kitchen sink in here (as far as different versions of NIC drivers go).
  5. Click on START > All Programs > Microsoft Windows AIK > Deployment Tools Command Prompt
  6. Navigate to C:\WDSStuff\Windows_2008_R2\ and type: imagex /mountrw boot.wim 2 c:\WDSStuff\wim
  7. Change directory to C:\WDSStuff\NIC_Drivers and type: dism /image:c:\WDSStuff\wim /add-driver /driver:. /recurse
  8. Type: imagex /commit /unmount c:\WDSStuff\wim
  9. Copy C:\WDSStuff\Windows_2008_R2\boot.wim to the WDS Server
  10. From the WDS Server: Open Windows Deployment Services, Right Click on Boot Images folder and select Add Boot Image…
  11. Add this boot.wim file that you just copied, and when Prompted name it “Install”
  12. Once the image is in the console, expand the “Boot Images” folder and right click on “Install” and then select “Create Capture Image…” Save this image in the same location as the Install image, and name it “Capture”

Create Custom Image on Windows 7 Computer

  1. Grab your Windows 7 installation media, and install a fresh copy of Windows 7 on one of your Windows 7 workstations. Format the drive in such a way that there is only 1 partition. When you get the prompts to create users and name the PC: STOP.
  2. Press CTRL + shift + F3 all at the same time. This will put you into Audit mode. Each time your PC restarts from here on forward it will remain on Audit mode. When it logs you into the desktop CLOSE the sysprep window that appears, don’t click anything on that little bastard.
  3. Install all of your drivers, Applications, Windows updates, etc, Join the domain, apply group policies, go hog wild, just do whatever you would normally do when creating an imaged PC.
  4. When you are done making the core system the way you want it, we’ll create the default profile.

Setup Default Profile (the non stupid way)

Creating the Default Profile. What can I say? I can say this: Microsoft, are you paying attention? Okay here is what I can say about Default User Profiles on Windows 7: Microsoft, Go Fuck Yourselves. You dumb bastards. 10 years of being able to create default profiles by very easily moving a customized profile over the “Default User” profile and you now want me to put the default profile where now? ON A DOMAIN CONTROLLER? IN THE NETLOGON SHARE? What, are you fucking serious? Name it .v2?!? That’s fucking stupid. I can’t wait until 70% of your product line is replaced with web apps and someone else’s browser. And for those of you saying that you can just use the copyprofile=true flag in the unattend.xml file? Technically you are right, except it then discards pretty much every user customization you just spent 2 hours changing and then double checking. But alas, I digress…

  1. On your Domain Controller create a new Domain Admin called “DefaultUser”
  2. Log into your workstation as the user you just created: DefaultUser
  3. Customize your profile, IE, etc to the exact way you want it
  4. When you are all satisfied, log out as that user and log back in as the Local Admin (note: while logged in as DefaultUser, re-enable the local admin and set its password)
  5. Now browse to c:\users\ and right click on DefaultUser (not Default User). Take ownership of this folder. Now grant “everyone” full control to this folder. Make sure NTFS permissions propagate to all subfolders.
  6. Open the Registry and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CurrentVersion\ProfileList Edit the Reg String for “Default” Change the value from %SystemDrive%\Users\Default to %SystemDrive%\Users\DefaultUser

This is the best work around I’ve found to date to get the Non-Stupid methods of the old Copy To functionality to work. Let me know if you’ve found a better solution.
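Steps 5 and 6 of the workaround above, scripted so they can be repeated on the next build machine. This is an added example, not from the original post; it assumes the customized profile is at C:\Users\DefaultUser and is run from an elevated PowerShell prompt while logged on as the local Administrator (not as DefaultUser, whose profile is in use).

```powershell
# Added example (not from the original post): take ownership of the customized
# profile, set its ACL, and repoint ProfileList\Default at it.
# Assumes the profile folder C:\Users\DefaultUser.
$profilePath = 'C:\Users\DefaultUser'
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

if (-not (Test-Path -Path $profilePath)) {
    throw "Profile folder $profilePath not found; log on as DefaultUser once first."
}

# Step 5a: take ownership of the whole tree (/R recurses, /D Y answers the prompt)
takeown.exe /F $profilePath /R /D Y | Out-Null

# Step 5b: Everyone: Full Control, inherited by subfolders (OI) and files (CI), as the post does.
# Note: the profile copy only needs Read & Execute; the stock Default folder grants Everyone
# (OI)(CI)RX, so use RX instead of F if you want to stay at that level.
icacls.exe $profilePath /grant 'Everyone:(OI)(CI)F' /T /C | Out-Null

# Step 6: point the "Default" profile path at the customized folder.
# The value is REG_EXPAND_SZ, so keep that type when rewriting it.
$before = (Get-ItemProperty -Path $profileList -Name Default).Default
Set-ItemProperty -Path $profileList -Name Default -Type ExpandString `
    -Value '%SystemDrive%\Users\DefaultUser'
$after = (Get-ItemProperty -Path $profileList -Name Default).Default
"ProfileList\Default: $before -> $after"

# Sanity check: what Everyone actually ended up with on the folder
(Get-Acl -Path $profilePath).Access |
    Where-Object { $_.IdentityReference.Value -eq 'Everyone' } |
    Select-Object FileSystemRights, InheritanceFlags, PropagationFlags
```

To undo, set the value back to the `$before` string the script prints (normally `%SystemDrive%\Users\Default`).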

Create unattend files

This is a very long complicated process that’s prone to errors, if you run into problems, it’s probably here that you are having problems.

  1. Log into the Windows 7 Workstation that has WAIK installed
  2. Copy the Windows 7 Install.wim and Install.cfg file from the [DVD Drive]\sources\ folder to the C:\WDSStuff\Windows_7 folder. NOTE: Make sure it’s the same architecture as the machine that is ready to be sysprepped (x86 versus x64).
  3. Click START > All Programs > Microsoft Windows AIK > Windows System Image Manager
  4. In the bottom left hand box titled “Windows Image”, right click and point this to the Install.wim or .cfg file that we’ve copied to the C:\WDSStuff\Windows_7 folder
  5. In the top box titled “Answer File” right click and select “New Answer File…”
  6. We’re going to need to add sections from the catalog file in the bottom left box titled “Windows Image” to the answer file. If you are making an answer file for a different version of Windows or for a different architecture (x86), these names are going to differ from the ones I mention here, BUT they will be close; find the one that most closely resembles what I’m telling you to select.
  7. Expand Components in the Windows Image section and add “amd64_Microsoft-Windows-International-Core-WinPE_neutral” to the “1 windows PE” section of the answer file.
  8. Click on “amd64_Microsoft-Windows-International-Core-WinPE_neutral” under the “1 windows PE” section and then change the value of “UILanguage” in the far right pane to “en-us”
  9. Expand “amd64_Microsoft-Windows-International-Core-WinPE_neutral” under the “1 windows PE” section, click on “SetupUILanguage” and then change the value of “UILanguage” in the far right pane to “en-us”
  10. Expand Components in the Windows Image section and add “amd64_Microsoft-Windows-setup_neutral” to the “1 windows PE” section of the answer file.
  11. Expand “amd64_Microsoft-Windows-setup_neutral”, click on “DiskConfiguration” and then change the value of “WillShowUI” to “OnError”
  12. Right Click on “DiskConfiguration” and select “Insert New Disk”
  13. Expand “DiskConfiguration” and Select the newly created disk, Change the setting on the far right side “DiskID” to “0”, Change the setting on the far right side “WillWipeDisk” to “true”
  14. Expand the newly created disk, right click on “CreatePartitions” and select “Insert new CreatePartition”
  15. Expand the newly created “CreatePartition”, change the setting “Extend” to “true”, change the setting “Order” to “1”, change the setting “Type” to “Primary”
  16. Right click on “ModifyPartitions” and select “Insert new ModifyPartition”
  17. Expand “ModifyPartitions” and select the newly created “ModifyPartition”, change the setting “Format” to “NTFS”, change the setting “Label” to “Windows”, change the setting “Order” to “1”, change the setting “PartitionID” to “1”
  18. Go back up to the level “amd64_Microsoft-Windows-Setup_neutral” and then expand “WindowsDeploymentServices”
  19. Expand “ImageSelection”, click on “InstallImage”, change the setting “ImageGroup” to the name of the Image group created on the WDS Server.
  20. Click on “InstallTo” and change the setting “DiskID” to “0”, Change the setting “PartitionID” to “1”
  21. Expand “Login” and then click “Credentials”, change the setting “Domain” to the NETBIOS name of your Active Directory Domain, change the setting “Password” to the password of a Domain Admin, change the setting “Username” to that of a Domain Admin. You may be asking, is this safe? The password is encrypted before it’s put into the file, so that’s good, but I’m sure it’s not the safest thing to leave your Domain Admin credentials in this XML file that any user on the network can browse to, so see the addendum on how to get a Domain User account working instead of a Domain Admin.
  22. Save this answer file as “WDSUnattend.xml” in your C:\WDSStuff folder

Create a new blank answer file.

  1. Expand Components in the Windows Image section and add “amd64_Microsoft-Windows-Security-SPP_neutral” to the “3 Generalize” section of the answer file.
  2. Click “amd64_Microsoft-Windows-Security-SPP_neutral”, change the setting “SkipRearm” to “1”
  3. Expand Components in the Windows Image section and add “amd64_Microsoft-Windows-Deployment_neutral” to the “4 specialize” section of the answer file.
  4. Expand “amd64_Microsoft-Windows-Security-SPP_neutral”,  right click on “RunSynchronous” and select “Insert New RunSynchronousCommand”. Perform this task twice.
  5. Select the first newly created RunSynchronousCommand, change the setting “Order” to “1”, change the setting “Path” to net user administrator /active:yes. This command enables the local Administrator account on the workstation.
  6. Select the second newly created RunSynchronousCommand, change the setting “Order” to “2”, change the setting “Path” to reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\FirstNetwork" /v Category /t REG_DWORD /d 00000000 /f. This command sets the first newly detected network to “work” automatically.
  7. Expand Components in the Windows Image section and add “amd64_Microsoft-Windows-Security-SPP-UX_neutral” to the “4 specialize” section of the answer file.
  8. Select “amd64_Microsoft-Windows-Security-SPP-UX_neutral”, change the setting “SkipAutoActivation” to “true”
  9. Expand Components in the Windows Image section and add “amd64_Microsoft-Windows-Shell-Setup_neutral” to the “4 specialize” section of the answer file.
  10. Select “amd64_Microsoft-Windows-Shell-Setup_neutral”, change the setting “BluetoothTaskbarIconEnabled” to “false”, change the setting “ComputerName” to %MACHINENAME%, change the setting “CopyProfile” to “false”, change the setting “ShowWindowsLive” to “false”, change the setting “TimeZone” to “Eastern Standard Time”, or whichever time zone you are in.
  11. Expand “amd64_Microsoft-Windows-Shell-Setup_neutral”, Select “Display”, change the setting “ColorDepth” to “32”, Change the setting “HorizontalResolution” to “1024”, change the setting “VerticalResolution” to “768”. Note: change these values to that of your PC being ready to be sysprepped.
  12. Expand Components in the Windows Image section and add “amd64_Microsoft-Windows-UnattendedJoin_neutral” to the “4 specialize” section of the answer file.
  13. Expand “amd64_Microsoft-Windows-UnattendedJoin_neutral”, Select “Identification”, change the setting “DebugJoin” to “true”, change the setting “JoinDomain” to the FQDN of your Active Directory Domain, change the setting “UnsecureJoin” to “true”.
  14. Expand Components in the Windows Image section and add “amd64_Microsoft-Windows-International-Core_neutral” to the “7 oobeSystem” section of the answer file.
  15. Select “amd64_Microsoft-Windows-International-Core_neutral”, change “InputLocale” to “en-us”, change the setting “SystemLocale” to “en-us”, change the setting “UILanguage” to “en-us”, change the setting “UserLocale” to “en-us”. Note: Change these settings to match your locale.
  16. Expand Components in the Windows Image section and add “amd64_Microsoft-Windows-Shell-Setup_neutral” to the “7 oobeSystem” section of the answer file.
  17. Select “amd64_Microsoft-Windows-Shell-Setup_neutral”, change the setting “BluetoothTaskbarIconEnabled” to “false”, change the setting “RegisteredOrganization” to the name of your organization, change the setting “RegisteredOwner” to the name of your organization, change the setting “ShowWindowsLive” to “false”, change the setting “TimeZone” to “Eastern Standard Time” or your local time zone.
  18. Expand “amd64_Microsoft-Windows-Shell-Setup_neutral”, select “AutoLogon”, change the setting “Domain” to the NetBIOS name of your Active Directory Domain, change the setting “Enabled” to “true”, change the “LogonCount” to “1”, change the setting “Username” to the name of your Domain Administrator account. Note: you don’t have to do this; this setting configures an automatic logon after the system is imaged, which allows you to run commands automatically after the system is imaged, which we’ll do shortly.
  19. Expand “AutoLogon”, select “Password”, change the setting “Value” to the password of the account that will automatically log in. The password will be encrypted when the file is saved.
  20. Select “Display”, change the setting “ColorDepth” to “32”, Change the setting “HorizontalResolution” to “1024”, change the setting “VerticalResolution” to “768”. Note: change these values to that of your PC being ready to be sysprepped.
  21. Right Click on “FirstLogonCommands”, select “Insert New SynchronousCommand”. Perform this task 5 times.
  22. Select the first newly created SynchronousCommand, change the setting “CommandLine” to “c:\drivers\win\display\setup.exe -overwrite -s”, change the setting “Order” to “1”, change the setting “RequiresUserInput” to “false”. Note: This is just something I thought to include because it seems like I run into it a lot: after imaging, Intel-based graphics cards don’t get configured with the correct driver, and this just runs the setup silently and fixes that issue.
  23. Select the second newly created SynchronousCommand, change the setting “CommandLine” to cscript //b c:\windows\system32\slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX where XXXXX-XXXXX-XXXXX-XXXXX-XXXXX is your Windows 7 Open License MAK key, change the setting “Order” to “2”, change the setting “RequiresUserInput” to “false”
  24. Select the third newly created SynchronousCommand, change the setting “CommandLine” to cscript //b c:\windows\system32\slmgr.vbs /ato, change the setting “Order” to “3”, change the setting “RequiresUserInput” to “false”. These last two commands activate Windows with your MAK Open License key.
  25. Select the fourth newly created SynchronousCommand, change the setting “CommandLine” to cscript //b "C:\program files\microsoft office\office14\ospp.vbs" /inpkey:XXXXX-XXXXX-XXXXX-XXXXX, change the setting “Order” to “4”, change the setting “RequiresUserInput” to “false”, where XXXXX-XXXXX-XXXXX-XXXXX-XXXXX is your Office 2010 Open License MAK key.
  26. Select the fifth newly created SynchronousCommand, change the setting “CommandLine” to cscript //b "C:\program files\microsoft office\office14\ospp.vbs" /act, change the setting “Order” to “5”, change the setting “RequiresUserInput” to “false”.
  27. Select “OOBE”, change the setting “HideEULAPage” to “true”, change the setting “NetworkLocation” to “Work”, change the setting “ProtectYourPC” to “3”, change the setting “SkipUserOOBE” to “true”. Note: The network location in this part may be redundant, because of the registry fix above.
  28. Expand “UserAccounts”, click on “AdministratorPassword”, change the setting “Value” to the desired local administrator password of the workstation.
  29. Right click on “LocalAccounts”, select “Insert New LocalAccount”
  30. Select the newly created LocalAccount, change the setting “DisplayName” to that of a second local administrator account, change the value “Group” to “Administrators”, change the setting “Name” to that of a second local administrator username.
  31. Expand LocalAccount, change the setting “Value” to the desired password of this newly created account. Note: Both of these passwords will be encrypted in the file.
  32. Finally, save this file as Unattend.xml in your C:\WDSStuff folder
  33. Copy both of these files over to your WDS Server.

Prepare Image for Capture

Now it’s time to get this image sealed and ready to be uploaded to the WDS Server.

  1. Copy the Unattend.xml file over to the local computer folder c:\windows\system32\sysprep\
  2. Create a new folder under C:\windows\Setup called “Scripts”
  3. Create a new file called “SetupComplete.cmd” in C:\windows\Setup\Scripts
  4. Edit this file with Notepad and enter the following commands: del /Q /F c:\windows\system32\sysprep\Unattend.xml & del /Q /F c:\windows\panther\Unattend.xml
  5. Save the SetupComplete.cmd file
  6. Prep Your Antivirus software for Imaging, for Symantec Endpoint Protection12 go here.
  7. Open a command prompt, navigate to c:\windows\system32\sysprep\ and enter the following command: sysprep /generalize /oobe /shutdown /unattend:Unattend.xml

Upload image to Server

  1. Once the computer shuts down, connect the USB Hard Drive, and power the computer back up
  2. Turn on the computer, enter the BIOS, disable booting from the hard drive (just in case you miss the PXE boot), enable PXE boot on the NIC. Exit the BIOS
  3. Boot from the network card
  4. When prompted to select an image, select CAPTURE
  5. Follow the wizard to Select the C:\ drive, name the image, store it on the USB drive, and then upload it to the WDS Server.
  6. Once the image is done being uploaded to the WDS server shut this PC down.
  7. DO NOT IMAGE THIS PC, if you do, and the imaging does not work you’ll need to re-create the entire image.

Apply unattend file to WDS image

  1. Open the Windows Deployment Server MMC console
  2. Expand Install Images
  3. Expand the Install group you created earlier
  4. Find the image you just uploaded, right click it, and select properties
  5. Check the box titled “Allow Image to install in unattended mode”, select the WDSUnattend.xml file that was moved to the WDS Server
  6. Click OK.

Final Tasks

  1. Open the Windows Deployment Server MMC console
  2. Right click on your server and go to “properties”, click the “PXE Response” tab
  3. Select the radio button “Respond only to known client computers”
  4. Open Active Directory, Create a new computer account, when prompted during the new computer creation wizard check the box “This is a managed computer”, enter the GUID of this computer.
  5. You can obtain the GUID of the computer by booting from the NIC, and during the PXE attempt the GUID will be displayed, hit the pause button, and record that GUID, enter it into the Active Directory New Computer wizard.
  6. This step is how we a) Prevent unauthorized computers from being imaged, and b) give a value to the %MACHINENAME% variable we used in the answer file.
  7. Once the computer account has been pre-staged, reboot the computer and attempt to boot from the NIC again. You’ll now again see the option for INSTALL or CAPTURE, click INSTALL, and then select the image you just uploaded.
  8. If all goes well you’ll end up logged into windows as the Domain Administrator when you are done.

Making the install idiot proof for end users

  1. Disable the Capture image in the WDS console
  2. On the boot tab of the Server Properties in the WDS console, set the default boot image to the INSTALL image
  3. In the WDSUnattend.xml file, where we specified the Image Group, also specify the exact image name without the .wim extension, now when users PXE boot, everything will be hands free.

Appendix I: Updating Unattended files

Use the Windows System Image Manager to edit these files. They are seemingly easy to edit in Notepad, but they’re harder to screw up in WSIM. Also, if you ever need to change any of the passwords, re-import the component containing the password from the Components section and re-do the entire section with the password; otherwise the updated password will not be encrypted and it will be visible in the XML file.
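The warning in step 21 of the WDSUnattend.xml section (a domain account’s credentials sitting in a file on a share) and the one in this appendix (a hand-edited password is stored as typed) are both things you can check for before a file is copied to the WDS server. The audit script below is an added example, not from the original post. It reports every password-bearing element in an answer file and how it is stored, without printing the secrets themselves, and it runs against a constructed sample file; the account names in the sample are made up. It relies on a documented property of WSIM: the “encrypted” value is Base64 of the UTF-16LE password with the element name appended, so it is obfuscation that anyone with read access to the file can reverse, not encryption.

```powershell
# Added example (not from the original post): audit an unattend file for
# credential material. Assumes only the file path you pass in.
function Get-UnattendSecrets {
    param([Parameter(Mandatory)][string]$Path)

    [xml]$doc = Get-Content -Path $Path -Raw
    # local-name() sidesteps the urn:schemas-microsoft-com:unattend namespace
    $nodes = $doc.SelectNodes("//*[local-name()='Password' or local-name()='AdministratorPassword']")

    foreach ($node in $nodes) {
        $valueNode = $node.SelectSingleNode("*[local-name()='Value']")
        $plainNode = $node.SelectSingleNode("*[local-name()='PlainText']")
        $component = $node.SelectSingleNode("ancestor::*[local-name()='component']")

        if ($null -eq $valueNode) {
            # WDS Login/Credentials/Password is a bare string: stored exactly as typed
            $storage = 'plaintext (bare element)'
            $secret  = $node.InnerText
        }
        elseif ($plainNode -and $plainNode.InnerText -eq 'true') {
            # What you get after editing the value in Notepad (Appendix I)
            $storage = 'plaintext'
            $secret  = $valueNode.InnerText
        }
        else {
            # WSIM form: Base64( UTF-16LE( password + element name ) ). Reversible.
            $storage = 'base64 (reversible, not encryption)'
            $bytes   = [Convert]::FromBase64String($valueNode.InnerText)
            $decoded = [Text.Encoding]::Unicode.GetString($bytes)
            $secret  = $decoded -replace "$($node.LocalName)`$", ''
        }

        [pscustomobject]@{
            Pass      = $component.ParentNode.GetAttribute('pass')
            Component = $component.GetAttribute('name')
            Element   = $node.LocalName
            Storage   = $storage
            Length    = $secret.Length    # length only; never echo the secret
        }
    }
}

# Constructed sample file covering all three storage forms (names are made up)
$b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('ExamplePass3AdministratorPassword'))
$sample = @"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup">
      <WindowsDeploymentServices><Login><Credentials>
        <Domain>CORP</Domain><Username>svcWdsJoin</Username><Password>ExamplePass1</Password>
      </Credentials></Login></WindowsDeploymentServices>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon><Password><Value>ExamplePass2</Value><PlainText>true</PlainText></Password></AutoLogon>
      <UserAccounts><AdministratorPassword>
        <Value>$b64</Value><PlainText>false</PlainText>
      </AdministratorPassword></UserAccounts>
    </component>
  </settings>
</unattend>
"@
$samplePath = Join-Path -Path $env:TEMP -ChildPath 'Unattend-sample.xml'
Set-Content -Path $samplePath -Value $sample -Encoding UTF8

Get-UnattendSecrets -Path $samplePath | Format-Table -AutoSize
# Expect three rows: bare element (length 12), plaintext (12), base64 (12, suffix stripped)
```

Run it against both WDSUnattend.xml and Unattend.xml before they leave the build machine; any row whose Storage is not the WSIM Base64 form means a component was edited by hand and needs the re-import described above. The SetupComplete.cmd in the “Prepare Image for Capture” section is what removes the copies of Unattend.xml from the imaged PC afterwards, so check that those two deletes actually ran on the first machine you deploy.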

Appendix II: Installing additional drivers into an Image

Right click an Install Image in the WDS console and export it. Then follow the same steps that we used above to install the NIC drivers, but put all drivers and their associated files in subfolders of the folder where you run the dism /image:[location of extracted files] /add-driver /driver:. /recurse command. The /recurse switch will add every driver that it can find in all subfolders, which allows you to add a ton of drivers really easily.

Appendix III: Using a non Domain Admin account for the Unattend.xml file

This section coming as soon as I can figure it out.

Many thanks to the following sites for contributing, even if you didn’t know you did.

Office Activation Commands(just add these after the RunSynchronous commands for activating Windows): http://blogs.technet.com/b/office2010/archive/2009/12/18/volume-activation-tips-and-tricks.aspx

Reference for the fact that the WDSUnattend.xml file is the account used to join to the domain: http://social.technet.microsoft.com/Forums/fi-FI/w7itproinstall/thread/c90fe1ac-198d-4337-bb8a-8d6f3991fede

Sample unattend files:
http://social.technet.microsoft.com/Forums/fi-FI/w7itproinstall/thread/c90fe1ac-198d-4337-bb8a-8d6f3991fede

How to setup the answer file (mostly): http://blog.brianleejackson.com/sysprep-a-windows-7-machine-%E2%80%93-start-to-finish-v2

Changing the Default User profile: http://www.windows7hacker.com/index.php/2009/05/how-to-change-user-profile-default-location-in-windows-7/

Use Group Policy to enable Remote Desktop Connection on a group of PCs

This is a group policy that I use pretty often to enable Remote Desktop Connection on a group of PCs, add the proper users to the local Remote Desktop Users group, and enable RDP access on Windows Firewall. I’ve decided to post this here because there have been some slight changes in Group Policy Management on Windows 2008 R2 / SBS 2011 / Windows 7 (just for the actual enabling of RDP, the other things stay the same as they were with 2003 / XP)

Here is how I configure this when I need to enable RDP on a collection of machines:

  1. Create a new OU in Active Directory for all of the computers, or if one already exists make sure all of the computer accounts that need to be changed are in it.
  2. Open Group Policy Management Console and create and link a new GPO to this OU. I typically right click at the root of the GPO, select Properties, and disable the User Configuration Settings. (I do this to cut down on GPO processing time, if we know there will only be computer settings in this GPO, why process all of the unchanged User Policy Settings?)
  3. First we’ll need to add the firewall exception, expand Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > enable the policy “Windows Firewall: Allow inbound Remote Desktop Exceptions”
  4. Repeat the above for the Standard Profile as well.
  5. Next we Enable Remote Desktop Connectivity, expand Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > enable the policy “Allow Users to connect remotely using Remote Desktop Services” Note: this used to be  > Windows Components > Terminal Services > “Allow users to connect remotely using Terminal Services”
  6. Next we need to add the proper users/groups to the Remote Desktop Users group on each PC, expand Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
  7. Right Click on “Restricted Groups” and select “Add Group…”
  8. Enter “Remote Desktop Users” and click OK. Note: don’t click the “Browse” button, because you’re on a Domain Controller (well, more than likely anyway) and you don’t want to choose BUILTIN\Remote Desktop Users, which is where the browse button will take you; you want to edit the membership of the local “Remote Desktop Users” group on each PC.
  9. Click the “Add…” button next to “Members of this group:”, and now click the “Browse” button, enter “Domain Users” (or whichever group you created) and then click “Check Names”, once you’ve verified that you’ve got the right group click “OK”
  10. Click “OK” twice more and close the GPO, once all of the machines have rebooted you’ll now be able to remote into any of these PCs as a member of Domain Users.
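A check to run on one of the target PCs after the reboot, to confirm the three parts of the GPO (firewall exception, RDP enabled, group membership) actually landed. This is an added example, not from the original post; it uses the NetSecurity and LocalAccounts cmdlets, so it assumes a Windows 10 / Server 2016 or newer client rather than the Windows 7 machines in the post, and the default RDP port 3389.

```powershell
# Added example (not from the original post): verify the RDP GPO on a client.
# Assumes Windows 10 / Server 2016+ cmdlets and the default port 3389.
function Test-RdpPolicy {
    $tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $tsLocal  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # "Allow users to connect remotely..." writes fDenyTSConnections=0 under Policies;
    # the Terminal Server key holds the effective value once the policy is applied.
    $policyDeny    = (Get-ItemProperty -Path $tsPolicy -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $effectiveDeny = (Get-ItemProperty -Path $tsLocal -Name fDenyTSConnections).fDenyTSConnections

    # Firewall: the built-in "Remote Desktop" rule group, enabled for the profiles the GPO touched
    $fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { $_.Profile -match 'Domain|Private|Any' }

    # Restricted Groups "Members of this group" is authoritative: it replaces the local
    # membership on every policy refresh, so anything added by hand disappears again.
    $members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name

    $listener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue

    [pscustomobject]@{
        PolicyFDenyTSConnections    = $policyDeny
        EffectiveFDenyTSConnections = $effectiveDeny
        RdpEnabled                  = ($effectiveDeny -eq 0)
        FirewallRulesEnabled        = @($fwRules).Count
        RemoteDesktopUsersMembers   = ($members -join ', ')
        ListeningOn3389             = ($null -ne $listener)
    }
}

Test-RdpPolicy | Format-List
```

If `PolicyFDenyTSConnections` is empty, the GPO has not applied yet; `gpupdate /force` followed by `gpresult /r` will show whether the machine is in the OU the GPO is linked to.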

Getting the impossible-to-use Microsoft Tools for SharePoint 2010 Farm backup to work

So it’s easy enough to get SharePoint Central Administration to back up your farm, but it involves logging in every day to click the backup button, which can get tedious. I wanted a way to automate it, but of course nothing was easy; after about two weeks of trying this, that and the other thing, I came up with a little cheat sheet. It should be noted that I’m not a SharePoint or SQL admin, and in fact I’m pretty new to working with either of them, so if you see something that could be improved on, please let me know.

The first time around in our test environment we didn’t install SharePoint properly, and we tried to change the service accounts running SharePoint through the Central Administration site. I’m not sure if it was bad luck, or something else, but the whole damn thing came crashing down, so please RTFM when installing new-to-you software. We ended up going back, doing a little more planning, and performed a fresh install. I’ve decided to include some of those planning notes as pre-reqs before we go into getting the backup to work, as you’ll run into permissions problems if they’re not taken care of.

Prerequisite Notes

Service Accounts:

svcSQL – This account is used to run all SQL related services, regardless of server.

svcSharePoint – This is the account specified during SharePoint installation, also known as the “farm account” or “timer account” (don’t ask, I don’t understand either).

svcScheduledTask – This is the account under which the scheduled task runs; when configuring the task make sure to use this account.

Installation of Applications

Okay, so when you install SQL Server, make sure to use the svcSQL account to run all of the services.

When you install SharePoint, make sure to use the svcSharePoint account as the Farm account. Also make sure to point all of SharePoint’s SQL needs at the SQL server and not a local database.

Assign the following permissions to the SQL databases for each service account:

User: svcSharePoint
Server Instance: SQL_SERVER\SQL_INSTANCE
Server Instance-Wide Role(s):
--dbcreator
--public
--securityadmin

Database Specific Role(s):
-SharePoint_AdminContent_{GUID}
--db_owner
--public
--SharePoint_Shell_Access

-WSS_Content_Application_Pools
--db_owner
--public
--SharePoint_Shell_Access

-SharePoint_Config
--db_owner
--public
--SharePoint_Shell_Access

-WSS_Content_{GUID}
--db_owner
--public

-WSS_Search_SQL_SERVER
--db_owner
--public

User: svcScheduledTask
Server Instance: SQL_SERVER\SQL_INSTANCE
Server Instance-Wide Role(s):
--public

Database Specific Role(s):
-ALL Databases
--db_backupoperator
--public
--SharePoint_Shell_Access

Actual Backup Procedure

Now that the software is installed correctly we can take backups; if the software is not installed correctly, forget about backups, you’ll be lucky if Central Administration doesn’t implode. This is probably one of the most convoluted backup procedures you’ll ever see. Because of the combination of batch scripts, trying to call one PowerShell script from another, and the fact that the Task Scheduler has a hell of a time with quotes, you end up with this: a scheduled task that runs 3 batch files, two of which contain PowerShell commands.

First, create a new shared folder on the backup server (in this example we called it “data”) and give Full Control permissions to each service account (all three).

Then, create a batch script called “cleanup” and put the following in it (adjust for the LOCAL path):

rem Throw away the previous backup set and start with an empty folder (adjust for the LOCAL path)
rmdir C:\Data\SharepointBackups /s /q
mkdir C:\Data\SharepointBackups

Next, create a new PowerShell script called “FarmBackup” (a notepad file saved as .ps1) with the following lines (adjusted for the UNC path):

# Load the SharePoint cmdlets; required when not running from the SharePoint Management Shell
Add-PSSnapin Microsoft.SharePoint.PowerShell
# Full farm backup written to the share on the backup server (adjust for the UNC path)
Backup-SPFarm -Directory \\BACKUP_SERVER\Data\sharepointbackups -BackupMethod Full

Next, create a new batch script called “LaunchPowerShell” and put the following in it (adjust for the LOCAL path):

rem Run the farm backup script; the "& '...'" form is what lets the Task Scheduler cope with the quotes
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -command "& 'C:\Data\FarmBackup.ps1' "

Next, create a new scheduled task with the following settings on each tab:
General Tab:
-Run whether user is logged on or not
-Run with highest privileges
Triggers Tab:
-Weekly – set up with the proper days and times
Actions Tab:
-Create a new action, “Start a program”, and run the Cleanup.bat file
-Create a 2nd action, “Start a program”, and enter the following command (adjusted for the LOCAL path) in the Program/Script field:
D:\data\launchpowershell.bat

Run each of the following by hand first to verify that they work before running a test job:

Cleanup.bat
Launchpowershell.bat
FarmBackup.ps1

A failure in any of them means the job won’t run.
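One way to collapse the three scripts above into a single PowerShell 2.0 script that also tells the Task Scheduler whether the backup actually succeeded; this is an added example, not the scripts from the write-up. It assumes the same local path, UNC path and svcScheduledTask account used above, and it relies on Backup-SPFarm recording each run in spbrtoc.xml in the target directory (elements SPIsBackup, SPStartTime, SPFinishTime, SPErrorCount, SPWarningCount), which is how the script decides the exit code.

```powershell
# Added example, not the original post's scripts: does the work of cleanup.bat,
# launchpowershell.bat and FarmBackup.ps1 and exits non-zero when Backup-SPFarm
# reports errors, so the scheduled task's "Last Run Result" reflects it.
# Paths and account names are assumptions taken from the write-up; adjust them.
#
# Register it once (as an administrator) with schtasks; -File avoids the
# "& '...'" quoting that the Task Scheduler trips over:
#   schtasks /Create /TN "SharePoint Farm Backup" /SC WEEKLY /D SUN /ST 02:00 ^
#     /RU DOMAIN\svcScheduledTask /RP * /RL HIGHEST ^
#     /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File C:\Data\FarmBackup.ps1"
param(
    [string]$LocalPath = 'C:\Data\SharepointBackups',
    [string]$UncPath   = '\\BACKUP_SERVER\Data\sharepointbackups'
)
$ErrorActionPreference = 'Stop'

if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# What cleanup.bat did: start every run from an empty folder.
if (Test-Path $LocalPath) { Remove-Item $LocalPath -Recurse -Force }
New-Item -ItemType Directory -Path $LocalPath | Out-Null

# What FarmBackup.ps1 did. Backup-SPFarm can finish "with errors" without
# throwing, so success is judged from its own run record below, not from this call.
Backup-SPFarm -Directory $UncPath -BackupMethod Full -Confirm:$false

# Backup-SPFarm keeps one SPHistoryObject per run in spbrtoc.xml at the root of
# the backup directory (assumed layout; check your own file if it differs).
$tocPath = Join-Path $UncPath 'spbrtoc.xml'
if (-not (Test-Path $tocPath)) {
    Write-Error "No spbrtoc.xml in $UncPath; the backup never started."
    exit 1
}
[xml]$toc = Get-Content $tocPath
$run = $toc.SPBackupRestoreHistory.SPHistoryObject |
    Where-Object { $_.SPIsBackup -eq 'True' } |
    Sort-Object { [datetime]$_.SPStartTime } -Descending |
    Select-Object -First 1

$errorCount   = [int]$run.SPErrorCount
$warningCount = [int]$run.SPWarningCount
Write-Host ("Backup started {0}, finished {1}: {2} error(s), {3} warning(s)" -f
    $run.SPStartTime, $run.SPFinishTime, $errorCount, $warningCount)

# Non-zero exit code = failed task in the scheduler; warnings alone still pass.
if ($errorCount -gt 0 -or -not $run.SPFinishTime) { exit 1 }
exit 0
```

Run it by hand once as svcScheduledTask before trusting the schedule, the same way the write-up has you test the three individual scripts.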

Finally, don’t forget to back up the C:\Data\SharepointBackups folder with some backup software.