It’s been a few weeks since its release but I finally managed to get my hands on Hyper-V Server.

I was very curious about it: a free operating system released by Microsoft that works only as a hypervisor makes you wonder about a lot of things. Also, I’ve recently been working with VMware ESX Server 3i, which is also a hypervisor running directly on the machine, and I had a good experience (I really loved the monitoring and reporting features that you can use).

From the moment I started using Hyper-V Server, a few troubleshooting tasks needed to be done.

Installing Hyper-V Server

If you have ever installed any operating system, you should not have any problem with this. You’ll see that the process is identical to that of Vista and Windows 2008.

To get started with Hyper-V Server, the Hyper-V Server 2008 Configuration Guide is available.

If you want to avoid running almost any command line from now on, Hyper-V Server has a simple tool that loads a menu giving access to most of the configuration you will need. You can start it with this command:

C:\windows\system32\hvconfig.cmd

But I’ll execute the next steps using the command line, so this procedure also applies to Windows 2008 Server Core.

Managing Remotely

To start using Hyper-V Server you will need the Hyper-V console on your Vista SP1 machine; it is the same console used to remotely manage any other Windows 2008 server with Hyper-V. If you don’t have it yet, you can download it from here:

Windows Vista Service Pack 1 Management Tools update for the release version of Hyper-V

But, from this moment I started to have a few problems.

1. Solving "Access denied. Unable to establish communication between: <Hyper-V Server> and <Vista client>"

Those of you who used the early versions of this remote console probably had the same error.

The solution is the same, so I want to reference this post from John Howard’s blog, which explains almost everything you must know about configuring the Hyper-V role on a Windows 2008 Core Server. Hyper-V Server works the same way as this Core version of Windows 2008, so every configuration step applies.

Here’s a quick summary of the steps involved; I’m only applying the steps I considered necessary for my environment.

1. Since I’m using a domain environment, I joined this machine to the domain using the NETDOM utility:

netdom join <ComputerName> /domain:<DomainName> /userd:<UserName> /passwordd:*

/passwordd:* requires the user password to be entered.

Reboot the machine to apply the changes:
shutdown /t 0 /r

2. Adding necessary rules on the Firewall to allow remote connections.

a. Remote Management:

netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

Note: You can also use netsh to change the server’s IP address, using the following syntax:
netsh interface ip set address "<Adapter Name>" static ipaddr subnetmask gateway metric

b. Enable Remote Desktop

cscript \windows\system32\scregedit.wsf /ar 0
cscript \windows\system32\scregedit.wsf /cs 0

c. Reboot the machine to apply the changes:
shutdown /t 0 /r

3. Solving the "Access denied" error from the client:

Now that the server is properly configured for remote management, you have to run a simple procedure to fix this common error:

a. In "Run", type "DCOMCNFG" and click OK.
b. Expand "Component Services", expand "Computers". Right click on "My Computer" and click on "Properties".
c. Now click on "COM Security".
d. In "Access Permission" click "Edit Limits".
e. Select "ANONYMOUS LOGON" in "Group or User Name". In the "Allow" column of "Permissions for User", check "Remote Access".

Now you should be able to connect remotely using the Hyper-V console.

Now that I had finally completed the Hyper-V Server configuration for remote management, the obvious next step was creating a new virtual machine.

I started with a dummy virtual machine, just for testing. But in the last step of the virtual machine creation wizard I got "The virtual machine could not be started because the hypervisor is not running." Ouch!

2. Solving "The virtual machine could not be started because the hypervisor is not running"

You should not worry if you see this error. There’s a good chance that your hardware is not the problem and that the hypervisor feature on your processor is running.

Even though the hardware on your server supports Hyper-V and the service is correctly installed, what happens is that the hypervisor was not added to the boot environment and the service was not started.

To solve this, you only need to run this command line:

BCDEdit /set hypervisorlaunchtype auto

Ok, NOW you can start using Hyper-V Server.
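To confirm what the server-side steps above actually changed (Remote Desktop via scregedit.wsf and the hypervisor launch type via BCDEdit), the batch file below reads the settings back. It is an added example, not part of the original post; the assumption is that the two registry values it reads are the ones scregedit.wsf /ar and /cs toggle.

```batch
@echo off
rem Added example (not from the original post): read back the settings changed
rem by "scregedit.wsf /ar 0", "scregedit.wsf /cs 0" and
rem "BCDEdit /set hypervisorlaunchtype auto". Run from an elevated prompt.
rem Assumption: /ar toggles fDenyTSConnections and /cs toggles UserAuthentication.
setlocal
set "TS=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
set "ISSUES=0"

rem --- Hypervisor launch type in the current boot entry, expected: Auto ---
rem A change made with BCDEdit only takes effect at the next boot.
set "HV=missing"
for /f "tokens=2" %%A in ('bcdedit /enum {current} ^| findstr /i "hypervisorlaunchtype"') do set "HV=%%A"
echo hypervisorlaunchtype = %HV%
if /i not "%HV%"=="Auto" (
    echo   [!] hypervisor will not load at boot; set it to auto and reboot
    set /a ISSUES+=1
)

rem --- Remote Desktop: 0x0 = connections allowed, 0x1 = connections denied ---
set "DENY=unknown"
for /f "tokens=3" %%A in ('reg query "%TS%" /v fDenyTSConnections 2^>nul ^| findstr /i "fDenyTSConnections"') do set "DENY=%%A"
echo fDenyTSConnections   = %DENY%

rem --- NLA: 0x0 = clients accepted without Network Level Authentication ---
set "NLA=unknown"
for /f "tokens=3" %%A in ('reg query "%TS%\WinStations\RDP-Tcp" /v UserAuthentication 2^>nul ^| findstr /i "UserAuthentication"') do set "NLA=%%A"
echo UserAuthentication   = %NLA%
if "%DENY%"=="0x0" if "%NLA%"=="0x0" (
    echo   [!] RDP is open without NLA; use "scregedit.wsf /cs 1" if all clients are Vista or later
    set /a ISSUES+=1
)

echo.
echo %ISSUES% item(s) to review
exit /b %ISSUES%
```

The script only reads configuration; it does not cover the firewall rule group or the DCOM permission set on the client.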

Adding Features to Hyper-V Server

Don’t get too excited: as mentioned before, this is just a hypervisor and you should not expect much functionality.

Most of the features (not roles) that you can install are there to increase security and to achieve interoperability with other platforms like System Center Virtual Machine Manager or Data Protection Manager, supporting Live Backup (backing up virtual machines without downtime) as well.

To list all available features, as in Server Core, run from cmd:

oclist

To install one of the features use: start /w ocsetup <NameofService> (for instance, I installed TelnetClient on this Hyper-V Server).

You’ll also find that Hyper-V Server includes a WMI interface for remote management extensibility. You can find more information here:

Virtualization WMI Provider.

Hope you find it useful.

Cheers! 

 

I was very excited when I started to play around with the first beta versions of Windows Server 2008 and experiment with the latest security improvements. At first, I wanted to start with one of the most basic and important things on this new server: Active Directory.

Several security-related improvements were made to Active Directory: Read-Only DCs, more group policies, auditing enhancements, etc. After installing a small lab to check all these features, I finally arrived at another important Active Directory matter: backing up and restoring data from a Domain Controller.

I was pretty disappointed at first when I realized that there was no easy way to back up the system state of a Domain Controller. Even more disappointed when I couldn’t find a way to schedule a system state backup! Well, in this post I want to review a simple way to schedule a system state backup on a Domain Controller and maintain those backups by removing the old ones from the backup catalog.

Requirements

a. A secondary hard drive on the domain controller. It cannot be a network drive.
The only storage point possible for backing up your server is using a secondary hard drive that can only be attached locally.

b. Having the Windows Server Backup feature installed.

The first thing that you must know to start backing up data from Windows Server 2008 is that the backup tool is not installed by default, like it was on Windows Server 2003 with ntbackup. To install it:

a. Open Windows Server Manager snap-in

b. Access Features section and click on Add a New Feature

c. Select Windows Server Backup including the sub-item “Command Line Tools”

i. This will also need PowerShell

d. Click on Install.

Scheduling System State Backup

If you check the GUI of Windows Server Backup you’ll see that there’s no way to back up the system state from there.

The only way to back up the system state with this tool is from the command line. So, to use this backup feature as a scheduled task, we are going to create a .bat file and schedule it to run at our desired time (you can actually skip creating the .bat file and just use Task Scheduler with the right parameters).

1. Open notepad and insert:

@echo off
WBADMIN START SYSTEMSTATEBACKUP -backuptarget:e: -quiet

“e:” is your local hard drive where the backup catalog will be stored.

“-quiet” is the parameter used to not ask for confirmation.

2. Save it as a batch file. Like: systemstatebackup.bat

3. Open Task Scheduler and create a “New Task”. The task properties window will open.

4. On the “General” tab select:

a. “Run whether the user is logged on or not”

b. “Run with the highest privileges”

5. On the “Triggers” tab, click on “New”:

Here is where you select how often the backup task will run. This is an example of a task running weekly:

6. On “Actions” click on “New” and select to “Start a Program” and browse the batch file you just created.

7. Click on “OK” and the schedule task is ready.

You can manually run this task on demand by right-clicking it and selecting “Run”.

This task takes between 40 minutes and 1 hour (or even more) to complete, depending on the system state data (Active Directory, DNS, registry, certificates, etc).

This is the process running

I have the backup… but what the hell is this??

Probably your first impression on the backup won’t be the best:

You don’t have permissions to see the backup files at first

You don’t see a simple .bkf file as it was when you used ntbackup

The size of every backup (that means every time you run the task) is as much as the size of the system drive

After all that, maintaining those backups sounds a little hard to do: the space used on the backup hard drive will grow significantly in a few weeks and, for sure, you won’t feel very comfortable if you just try to delete them.

Keeping It Simple… and smaller

But none of these annoying things are here just to make our work harder and more awkward. Besides adding a new layer of security to our backups, they actually make the maintenance of old backups simpler.

You can create a new scheduled task that, every week (if that’s your case), keeps only the newer backups in your catalog:

WBADMIN DELETE SYSTEMSTATEBACKUP -backuptarget:e: -deleteOldest -quiet

This way you will prevent the space used on the backup hard drive from growing enormously. This is a good thing to keep in mind if you are working with virtual machines: you’ll probably know that it’s REALLY annoying to have a big virtual disk and not be able to decrease its size (not in an easy way, anyhow).

This is the cmd running and deleting an old backup from system state (without the -quiet parameter).
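The backup task and the clean-up task described in this post can be combined into one batch file that prunes old versions only after a successful backup. This is an added example, not the author's script: it uses wbadmin's -keepVersions option instead of -deleteOldest so that a fixed number of versions is retained, and the drive letter, paths, retention count and task name are assumptions.

```batch
@echo off
rem Added example, not from the original post. TARGET, KEEP, LOG and the task
rem name are assumptions; adjust them to your domain controller.
rem
rem One-time registration from an elevated prompt, equivalent to the Task
rem Scheduler steps above (weekly, runs as SYSTEM with highest privileges):
rem   schtasks /create /tn "DC System State Backup" /tr "C:\Scripts\systemstatebackup.bat" /sc weekly /d SUN /st 02:00 /ru SYSTEM /rl HIGHEST
setlocal
set "TARGET=E:"
set "KEEP=4"
set "LOG=C:\Scripts\systemstatebackup.log"

rem Refuse to run if the backup volume is not mounted.
if not exist "%TARGET%\" (
    >>"%LOG%" echo %DATE% %TIME% target %TARGET% missing, backup skipped
    exit /b 2
)

>>"%LOG%" echo %DATE% %TIME% starting system state backup to %TARGET%
wbadmin start systemstatebackup -backupTarget:%TARGET% -quiet >>"%LOG%" 2>&1
set "RC=%ERRORLEVEL%"

rem Assumption: wbadmin returns 0 on success and a non-zero code otherwise.
rem Prune only after a good backup, so a failing job never eats restore points.
if not "%RC%"=="0" (
    >>"%LOG%" echo %DATE% %TIME% backup FAILED rc=%RC%, existing versions kept
    exit /b 1
)

wbadmin delete systemstatebackup -backupTarget:%TARGET% -keepVersions:%KEEP% -quiet >>"%LOG%" 2>&1
>>"%LOG%" echo %DATE% %TIME% backup ok, retention set to newest %KEEP% versions
exit /b 0
```

The exit codes (0 ok, 1 backup failed, 2 target missing) show up as the task's last run result in Task Scheduler, which makes a failed backup visible without opening the log.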

Restoring Active Directory from these backups is not very different from backing it up; we will see that procedure in a future post.

Hope it helps!

Cheers!

Ok then, after completing the first configurations made in Part I of this guide, we can perform a clean but attended network installation of Windows Vista.

There are two main steps to complete a full image and unattended deployment:

1. Creating the base image to deploy: OS, programs and other special configurations + uploading it to the WDS server.

2. Making an unattended file to be used with that image.

Creating the Base Image

Note: In this series of posts we are only considering deploying Windows Vista or Windows Server 2008 images. The files used as unattended files in WDS Native mode are only valid for those operating systems; if you want to make an unattended deployment of Windows XP or 2003, you will need to use RIS or WDS Legacy Mode.

The first step is pretty simple: it consists of installing the operating system with all the features, programs and configurations that you want. But there are some considerations first:

After you complete the image, there’s a process where you release all the specific data involving the computer where it’s installed, like the Security Identifier (SID), computer name, etc. Here are some of the things that the image won’t keep after the release process:

· Computer name
· Owner and Company name
· SID
· Domain or workgroup membership
· TCP/IP Settings
· Regional and keyboard settings
· Specific hardware drivers. This refers to specific computer hardware, like video or audio drivers. But if you only applied drivers used on the Windows installation, the same will apply for the deployment, but any other external driver installed will be unavailable.
· Any saved network connections (wireless networks saved)
· OS product key. This is an important note: even if your product has been activated, the key is reset after this process.

But here are some of the things that are kept after this release process:

· Programs and features installed (pretty obvious to say that at this moment right?)
· Local Users and Groups created.
· Product Keys used for programs installed. Meaning if you have Microsoft Office installed, the key used will remain the same on the deployments.
· Windows updates installed
· User Profiles: Since all profile configuration is basically data stored in the Users folders, all that information will be uploaded within the image.
· Printers installed.

The whole upload process is performed from the client side, but we must first prepare the WDS server to receive images.

First, we are going to add a boot image that will be used specifically to capture operating system images.

1. Go to WDS Console and let’s upload a second boot image; it can be the same that we added on the first post using the boot.wim from a Vista or Windows Server 2008 media.

2. Instead of naming it Windows PE, use a name like “Image Capture”.

3. After the process completes, right click on the image you just added and select “Create Capture Boot Image”.

Now that we have set up our WDS server, let’s prepare the client using the sysprep tool and upload the image:

1. On the Vista or Windows 2008 client open a “cmd” as administrator and insert “cd c:\windows\system32\sysprep”.

2. Run “sysprep /oobe /generalize /reboot”.

This process will take a few seconds and after it completes the OS will automatically reboot.

3. As soon as the machine is rebooting, press F12 to select a different device to boot from.

4. Select to boot from the network card connected to the LAN

Now the client is communicating with the DHCP server to request an IP and a boot image; the DHCP server will forward the request to WDS. You will be prompted to press F12 one more time.

5. Since we have two boot images, let’s select “Image Capture”.

The boot image will start to load.

6. An image capture wizard will start; click on “Next”.

7. Now let’s select the volume we want to capture, in our case C:\, and enter a name for the image that will be uploaded, along with a description.

It’s important to note that if the sysprep process did not complete properly, no volume will be available to select.

8. On the next window you must select where the .wim file will be temporarily stored locally. Select to keep it on the root of C:\ (this file is not uploaded within the image).

9. Select the option “Load the image to a WDS server”, enter the name of the server and click on “Connect”.

10. You will be prompted with credentials, use a privileged account on the domain or local administrator account of the WDS server.

11. Now select the image group name where you want to store the new image and click on Finish.

Here the process of the image compression and preparation starts, this could take several minutes (~30 mins to ~1hr) depending on the image size and the hardware involved. After this process, the image is uploaded to the WDS server.

After it completes, check on the WDS console, the image should be uploaded and ready to be deployed.

We still have not configured any unattended file, so the image can be deployed but the entire OS configuration must be entered manually, as in a normal OS installation, although all the programs will be installed.

For the preparation and configuration of the unattended files, take a look at the third post on WDS.

Cheers!

 

Recently I found out, thanks to one of our IT members (Beto), that there was no way to implement different password policies on domains running on Windows Server 2003. It didn’t sound right to me: why can’t I keep different password complexity, for example, in different OUs for different users?

You can actually link policies with different password option values to separate OUs, but they’ll be ignored by the Default Domain Policy.

It seems that there’s a way to accomplish this (not an easy way, but anyhow…) on domains running Windows Server 2008 and, of course, at the highest domain functional level.

The tools involved: GPMC (included with Windows Server 2008) and ADSI Edit.

Here’s the solution:

http://www.windowsecurity.com/articles/Configuring-Granular-Password-Settings-Windows-Server-2008-Part-1.html

http://www.windowsecurity.com/articles/Configuring-Granular-Password-Settings-Windows-Server-2008-Part2.html

Cheers!

At the Orlando Tech-Ed that took place in the first days of June, one of the things officially announced and presented was the Windows Server 2008 exams for Microsoft's certification.

Here are some of the things you should know if you are planning to get or upgrade to this certification:

- This will be a new stage for certification; the names will be MCTS (three exams) and MCITP (2 exams).

- MCSA and MCSE will still be available certifications.

- In 2008 the Windows 2000 exams will be retired (the exams but not the certification, of course).

- MCTS exams will be available one month after the RTM version of Windows Server 2008. MCITP will be available two months after.

- There will be an upgrade exam from the 2003 certification to 2008.

- There will NOT be an upgrade from Windows 2000 to 2008.

- MCSA and MCSE professionals will have a 40% discount on the price of the Windows 2008 exams.

Taking a look at some of the sites that talked about these new exams, I found some of the topics that will be on these tests.

A peek at the Windows 2008 exam:

  • Terminal Services: the different roles, the new features, etc.
  • IIS 7: the new command line tools, new features, etc.
  • Server Core: of course, know your way around all the command-line tooling that you can use
  • Virtualization: be sure to study how Virtual Server 2005 works
  • Active Directory: the new features, but also AD in general

     Cheers!

Well, as predicted, 32-bit versions of operating systems are coming to an end.

Windows Server 2008 (which will be released in late October or November of this year) will be the last operating system to use a 32-bit architecture. Windows Server 2008 R2 (expected in 2009) will be exclusively in 64-bit editions.

On the other hand, it's also expected that at least one more client operating system (besides Vista) will appear again as x32.

     Cheers!