RSS | MY PROFILE | PRIVACY 

WServerNews (formerly W2Knews) - Sysprep Situations

Vol. 17, #10 - March 5, 2012 - Issue #869

Sysprep Situations

  1. Editor's Corner
    • From the Mailbag
    • Sysprep Situations
    • Tip of the Week
    • Recommended for Learning
    • Quotes of the Week
  2. Admin Toolbox
    • Admin Tools We Think You Shouldn't Be Without
  3. Webinars & Seminars
    • Conferences, Expos and Other Events  
    • Upcoming Microsoft Webcasts
    • Upcoming VMware Webcasts
    • Upcoming O'Reilly Webcasts
    • Cisco Events
    • Oracle Events
  4. Tech Briefing
    • IBM announces support for System Center 2012
    • Some Thoughts Buying State Of The Art Storage Solutions Anno 2012
    • Windows 8 Hyper-V Feature Glossary
    • TechNet Wiki gets a facelift
  5. Windows Server News
    • What?s stalling your enterprise?s private cloud adoption?
    • Devising in-house workarounds to solve virtualization problems
    • Cloud-hosted desktops and applications guide
    • Top 10 reasons why you shouldn?t ignore mobile device security 
  6. WServerNews FAVE Links
    • This Week's Links We Like. Tips, Hints And Fun Stuff.
  7. WServerNews - Product of the Week
    • FREE SAN Monitor for EMC CLARiiON - Monitor Storage Performance & Avoid SAN Slowdowns

 

FREE SAN Monitor for EMC CLARiiON - Monitor Storage Performance & Avoid SAN Slowdowns

With SAN Monitor for EMC CLARiiON, IT professionals can quickly and easily monitor EMC CLARiiON storage arrays and drill down into LUN inventory details, including LUN size, physical disks, RAID type, total IOPs, I/O response time and more. 

GET FREE TOOL>>>>

 

Editor's Corner

Save this newsletter so you can refer back to itand find helpful tips, tools and other resources that can help you when you face some planning decision, management task or troubleshooting headache!

From the Mailbag

A couple of issues ago in Apple in the Enterprise I asked readers for their thoughts and recommendations for managing Apple devices in Windows-centric environments. We received a number of responses, some short and some fairly long, and we're including a few of the shorter ones here while I'll probably include some of the longer ones in a future article on WindowsNetworking.com. If you still haven't sent us feedback on this topic and you'd like to do so, please go ahead and email me at wsn@mtit.com thanks!

One of the things I linked to in that issue was a blog post by James Bannan who demonstrated how to import Apple iOS and Android into SCCM 2012. James was kind enough to write to me with the following additional info:

Thanks for linking to my blog post. Admittedly, I wrote that before some further details about MDM in SCCM 2012 were known?.namely that there are "Depth Management" and "Light Management" approaches to mobile devices. Depth Management is anything using a native CM agent, but the only platforms supported are Windows Mobile (not Windows Phone) and Nokia Symbian. So really?who cares? Even MS acknowledge that. Light Management refers to CM12's ability to import anything which can talk against ActiveSync on an Exchange 2010 server (earlier versions of Exchange not supported). So, Exchange ActiveSync is the common management language, and therefore CM12 offers nothing extra to manage Android/iOS devices which Exchange can't already provide (except that your CM administrators can now do the work of your Exchange admins).

I work for an MS Gold partner in Australia, and we also partner with a number of companies who provide products which plug gaps in the various System Center products. One of them is Odyssey Athena, which is a native MDM solution for SCCM 2007 and 2012. We're the only Australian provider. It's a damn good product, especially as it makes use of the existing CM infrastructure (no extra servers needed) and all the management is handled via the CM Console, so the existing management environment is simply extended, rather than admins having to learn a completely new product. It doesn't have much traction in AU at the moment (it's a new product in this part of the world), but every customer we've shown it to has been very impressed, and we have some PoC's in the works.

Here's the link to Odyssey's product for those of you who would like further information about this product: http://www.wservernews.com/go/1330610307272

Iain from the UK also recommended some products:

Interesting article on Macs in a Windows environment. While we don't manage Macs per se here, but we do allow their use in a sandboxed fashion. For iPhones we have a product by Good Technology which allows users to get their corporate email on their iPhone (or iPad or Android device for that matter). This app is fully sandboxed - IE nothing on the device can touch the corporate environment - and the server side includes features like the ability to remotely kill devices that have been lost etc too. For iPads we use a Citrix Access Gateway which, through various policies, we have also sandboxed. The user can modify, send and receive documents from their personal folders, but again nothing on the device can leap off onto the corporate network. This means that we can let people use their own technology but at the same time ensure that no corporate data is stored on them. Loving the newsletter!

Thanks a lot! Here's a link to Good Technology:
http://www.wservernews.com/go/1330610411026

Rene from the USA says:

I don't have any experience with this but just spotted an article: Chicago Public Schools is serious about protecting their IT budget, their assets and the data on them. Working closely with Absolute Software they're managing over 100,000 PCs, Macs, and iOS 4 devices and have recovered over 350 stolen computers allowing them to invest in the future (versus replacement computers).

Here's a link to a free whitepaper from Absolute Software titled "PCs, iPads, Macs - Managing Diversity on a School District Budget" (registration required):
http://www.wservernews.com/go/1330610469611

And here's a webinar titled "23,000 Students, 7,000 iPads & iPhones - Lexington One School District Highlights Best Practices for Large-Scale iOS5 Rollouts" which hopefully will be recorded:
http://www.wservernews.com/go/1330610485844

Keep it coming, people. With over 100,000 subscribers to this newsletter I'm sure there are more of you who have stories to tell or products to recommend for managing Apple devices in Windows-centric environments. Send me email at wsn@mtit.com

 

Sysprep Situations

The Windows System Preparation Tool (Sysprep) is used to prepare a master Windows installation for disk imaging (cloning). You need to run Sysprep on your master or reference computer before you capture an image of that computer and then deploy the image to multiple destination computers in your environment. The reason you need to do this is because Sysprep removes the computer security identifier (SID) from the master image along with any other user- or computer-specific settings and data in the image. If you don't run Sysprep on your master Windows installation, all of your cloned images will have the same local machine SIDs and as a result your destination computers will have problems communicating with one another.

Now any IT pro worth his salt already knows all this, right? And yet...

But before we go any further, let's first ask the following question: Do you think we should CLONE A NEANDERTHAL? http://www.wservernews.com/go/1330610648630

And yet...some of us still try and get around running Sysprep on Windows installations which we then capture as a Windows image for deployment into our production environment. Why? Let's look at some cloning "experiments" I've heard of admins actually doing or at least seriously thinking of attempting, why they're not a good idea, and what they should have done instead.

Sysprepping a Domain-Joined Computer

Weird things can happen if you sysprep a Windows installation that is domain-joined. For example, you might discover that you can't log on to a computer on which the sysprepped image has been deployed. This can happen for example if your domain has a strong password policy and the password you specify for the local admin account is to short or insufficiently complex. What can be frustrating is that this may not always happen, and the reason for this is that when Sysprep runs on a system it executes about 44 different Sysprep providers to remove various kinds of machine- and user-specific settings and data on the system. Unfortunately Sysprep doesn't guarantee a specific order in which these provider should run, so if the provider that resets the admin password executes before the provider that disjoins the domain does, the existing domain password policy can get "burned into" the sysprepped image.

Moral of the story: Make sure you only run Sysprep on computers that belong to a workgroup, not a domain. If you want more, read what Microsoft MVP and deployment expert Johan Arwidmark says in the following thread in the Microsoft TechNet forums:
http://www.wservernews.com/go/1330610708143

Running Sysprep Multiple Times

Running sysprep on a Windows installation resets the activation count and therefore reduces the number of times you can rearm the system using the slmgr.vbs /dlv command. If you think you need to sysprep a Windows installation multiple times, you could use the DISM.exe command to create a custom sysprep file that sets the SkipRearm setting. But is it a good idea to run Sysprep multiple times on a Windows installation? Ideally, only once. Why? Because running Sysprep multiple times on a master Windows installation can cause various random hard-to-troubleshoot issues on the computers to which you deploy your sysprepped master image. For example, I've heard stories of computers ending up with multiple local accounts named Administrator and other weird stuff. By the way, you can see the Admin Tools section of this newsletter for links to the command syntax of the above two commands.

But (you complain) that throws a monkey wrench into the process we use for building our master images. What we've been doing when we need to update our master image (and it's worked fine, you insist) is to deploy the master image to a system, make the additional configuration changes needed, and then re-sysprep the installation to create our updated master image. We then repeat this procedure (and it's worked every time, you insist) each time we need to update our master image.

Well, I'm afraid you need to upgrade your deployment skills (and tools) a bit because the image building and maintenance process you've just outlined may have been OK for Windows XP but it's certainly out of date as far as Windows 7 is concerned. Specifically, you should be using the Microsoft Deployment Toolkit (MDT) to build and maintain your master images. See this blog post by Scott McArthur, a Senior Support Escalation Engineer with Microsoft Enterprise Platforms Support, for a comparison of the old vs. new approach to maintaining reference images:
http://www.wservernews.com/go/1330610806520

Can't I Just Run NewSID instead of Sysprep?

NewSID was a Sysinternals utility created by Mark Russinovich way back in 1997 to address some situations where running Sysprep didn't seem like a good idea by providing admins with a simple tool for changing the local machine SID of a Windows installation. But if you still have NewSID kicking around in your IT toolbox, you should get rid of it. Start by reading what Mark says about NewSID in his blog post The Machine SID Duplication Myth (and Why Sysprep Matters):
http://www.wservernews.com/go/1330610866454

Now check out the follow-up post Machine SIDs and Domain SIDs on Aaron Margosis' Non-Admin and App-Compat blog:
http://www.wservernews.com/go/1330610878956

Finally, make sure you read Sysprep, Machine SIDs and Other Myths by Michael Murgolo on The Deployment Guys blog:
http://www.wservernews.com/go/1330610891515

I think by now you should be convinced that you should chuck out NewSID, but if you're not yet convinced then take a look at this cartoon video on YouTube:
http://www.wservernews.com/go/1330610903276

See the Fave Links section of this issue if you want to make your own cartoon videos.

Sysprepping a Production System

So you have a Windows server that's been running on your production network for some time now, and you'd like to clone it and deploy several copies of it to scale out. Can you run Sysprep on your production system to generalize it, capture your master image, and deploy the image?

Unfortunately that's not a supported scenario. Sysprep is designed to prepare new installations of Windows (not existing installations) for deployment purposes and running Sysprep post deployment is not supported. There are also some other unsupported Sysprep scenarios you need to be aware of, and the following KB article outlines them for you and you should read it carefully:
http://www.wservernews.com/go/1330610939950

If you ignore these recommendations you have two choices:

  1. Cross your fingers and hope nothing bad happens down the road.
  2. Bite the bullet and rebuild the affected systems from scratch.

I always advise biting the bullet unless you wear dentures.

Sysprepping an OEM System

You just got a nice shiny new OEM system delivered to your office, and you want to clone it so you can deploy the captured image to some plain vanilla white-box systems down the hall. You haven't even used the new OEM system yet, so you might consider it "freshly deployed." Does this mean you can sysprep it?

The previously referenced KB article says "Microsoft does not support the use of Sysprep to create a new image of a system that was originally created by using a custom OEM installation image or by using OEM installation media. Microsoft only supports such an image if the image was created by the OEM manufacturer." The reason for this is not technical but legal--you are not allowed from a licensing perspective to deploy an OEM-created image in your organization because the OEM image is tied to the specific computer you purchased. So if you did this you'd be violating both the Windows EULA and your OEM agreement.

Cloning a Hyper-V Host

Can you install Windows Server 2008 R2 on a box, add the Hyper-V role, create a bunch of virtual machines and install guest operating systems in them, shut down all the VMs, sysprep the box to create a master image, and then deploy that image to other boxes?

You could, but you won't want to because the cloned boxes are going to have virtual networking problems because running Sysprep on your box will remove its current networking configuration. So a better approach would be to install Windows Server 2008 R2 on the box, add the Hyper-V role, create a bunch of virtual machines and install guest operating systems in them, shut down all the VMs, export the VMs and their configurations and then delete the VMs, and finally sysprep the box to create a master image. Then you can deploy the sysprepped image to other boxes and import the VMs and their configurations into these boxes using PowerShell scripts.

The Bottom Line

So what's the bottom line concerning not running Sysprep on your images?

  1. It will cause problems. For example, Windows Server Update Services (WSUS) may not be able to keep the computers up to date. And other more mysterious problems may occur weeks or even months down the line that may be difficult to diagnose and impossible to repair without reinstalling Windows on the affected systems.
  2. It's not supported. In other words, if you do this you will put your environment into an unsupported state, and that means if you initiate a support case with Microsoft they may tell you that you'll have to reinstall Windows on the affected systems because the only supported method to fix improperly cloned systems is to reinstall Windows using an image prepared with Sysprep.

What, you still don't believe me? Check out the Microsoft support policy for disk duplication in this KB article:
http://www.wservernews.com/go/1330611075754

'Nuff said.

 

Tip of the Week

Here's a tip about using Sysprep that I recently had published in the Admin Knowledge Base on WindowsNetworking.com:

How to troubleshoot a problem where your KMS server is not reporting the correct number of KMS clients on your network

Scenario: You are using KMS to manage activation of volume-licensed Windows 7 computers on your networks. To deploy these computers, you've created a master installation and then cloned the master image using third-party tools. The cloned images were then applied to the client computers to deploy Windows to them. You now have 25 client computers deployed, but your KMS server is only reporting one activated Windows installation. What's wrong?

Resolution: You either forgot to run sysprep /generalize on your master installation before you cloned it to the computers on your network, or you set equal to 1 in the unattend.xml answer file used when you sysprepped the master installation. Either way, the result is that all your deployed computers have the same Client Machine ID (CMID), and since KMS clients are identified by their CMIDs which are supposed to be unique to each computer, your KMS server only sees one KMS client on the network.

Do not try to fix the situation by running the slmgr.vbs /rearm command on each computer, for while doing this will provide each computer with a unique CMID, running this command will leave your computers in an unsupported state as it doesn't have the same result as running sysprep /generalize on the computers. The only supported way of resolving with this problem is to run sysprep /generalize on your master installation and then clone the generalized image and redeploy it to your computers. And either set equal to 0 or remove it entirely from the unattend.xml file used by sysprep.

Here's a link to the above tip:
http://www.wservernews.com/go/1330612579837

And here's a link to the entire Admin Knowledge Base section of WindowsNetworking.com:
http://www.wservernews.com/go/1330612636761


Recommended for Learning

I'll begin this week with one title that I highly recommend:

Microsoft OneNote 2010 Plain & Simple from Microsoft Press is exactly the book I need to read. OneNote has become a bigger part of my life of late as I try and use it to manage research that I collect for various projects I'm working on, but I've never actually sat down and tried to learn the product from scratch. Instead, I've just fumbled around and tried different things out, and there's probably a lot of obvious tips and tricks that I'm missing as a quick and cursory browse of this book suggests to me. This book should help fill in the gaps in my understanding of how to effectively use OneNote, so I'm bumping it up to the top of my must-read pile and will spend a free hour zipping thru it in the very near future. And the colorful, clearly labeled screenshots mean I can read it without having to actually sit at my computer, yay! In fact, I'm going to start reading it right now while I eat my lunch... [half an hour later] Wow, this is a terrific book. I've learned a LOT about working with OneNote from reading the first five chapters and can't wait to read the rest of the book!
http://www.wservernews.com/go/1330612840693
 

Here are a couple of other books I've recently had a chance to review:

Data Architecture: From Zen to Reality from Morgan Kaufmann gives you a bird's-eye view of data storage concepts and architectures. The various topic aren't covered in a lot of depth, but the way they are presented can be valuable to organizations planning on rethinking their data storage strategy. Unfortunately that sort of situation is common nowadays since the amount of data most companies need to process and store has been growing astronomically. So if you're just at the stage of beginning to realize you need to rethink your data architecture before your company gets overwhelmed, it might be a good idea to get hold of this book and read it through.
http://www.wservernews.com/go/1330612810329

SAP Basis Administration Handbook, NetWeaver Edition from Morgan Kaufmann is a quick guide to implementing, maintaining and supporting an ERP infrastructure based on SAP. The book includes procedures for tuning performance, configuring Oracle databases, performing backups, and lots more. I don't use SAP myself but if I did this looks like a pretty handy book to have on my shelf.
http://www.wservernews.com/go/1330612855725 

 

Quotes of the Week

"Standing up to bullies is not easy. The reason you do it early and resolutely is so you don't have to do it more than you should." --Rudolph Giuliani in Leadership

"You can't let anyone get to you. Believe in yourself even if no one else does -- that's how I was able to get where I am now." --2011 Arnold Classic winner Branch Warren in Muscular Development Magazine

Save this newsletter so you can refer back to it later for tips, tools and other resources you might need to do your job or troubleshoot some problem you're dealing with. And be sure to forward this newsletter to a friend or colleague who might find the tips and tools in it helpful for performing their job. Finally, if you have feedback concerning anything in this newsletter, feel free to send it to my mailbag at wsn@mtit.com

Cheers, Mitch Tulloch 
Twitter: @mitchtulloch 
Facebook: mitchtulloch
Website: mtit.com

 

Admin Toolbox

Admin Tools We Think You Shouldn't Be Without

New Top 10 free tools for IT pros. Audit changes in AD, servers, mailboxes; manage passwords and event log; monitor disc space usage; secure end-points, etc.
http://www.wservernews.com/go/1330679679309

mPowerTools - an AD Admin essential! 200+ reports, bulk import/export, scheduling, GPO/File Share Reports. Eliminate scripting! Only $1499!
http://www.wservernews.com/go/1330679733059

Odyssey Athena is a native MDM solution for SCCM 2007 and 2012:
http://www.wservernews.com/go/1330613047189

Good Technology lets users to get their corporate email on their iPhone, iPad or Android device:
http://www.wservernews.com/go/1330613275177

 

Webinars & Seminars

Conferences, Expos and Other Events

March 26 - 29, 2012 - SQL Server 2012 Launch Conference and Expo at the MGM Grand in Las Vegas:
http://www.wservernews.com/go/1330613342425

April 16-20, 2012 - Microsoft Management Summit 2012 is where skilled IT professionals can meet to increase their technical expertise through hands-on training, breakout sessions and interacting with industry leaders in desktop and device management, datacenter, and cloud technologies:  
http://www.wservernews.com/go/1330613355598

Upcoming Microsoft Events and Webcasts

Sign up for these and other Microsoft events and webcasts at:  
http://www.wservernews.com/go/1330613439699

Upcoming VMware Webcasts

Sign up these and other VMware webcasts at:
http://www.wservernews.com/go/1330954684823

Upcoming O'Reilly Webcasts

Sign up for these and other O'Reilly webcasts at: 
http://www.wservernews.com/go/1330613533945

Upcoming Cisco Events

Browse the Cisco Corporate Events Calendar to find Cisco at events, trade shows and conferences around the world:
http://www.wservernews.com/go/1330613549035

Upcoming Oracle Events

Browse the Oracle Events page to find in-person events and live webcasts for your location:
http://www.wservernews.com/go/1330613566326

Got any other IT events or webcasts you'd like to recommend our readers? Let me know at wsn@mtit.com

 

Tech Briefing

IBM announces support for System Center 2012

This whitepaper from IBM outlines VMM storage automation with the IBM XIV storage system using SMI-S:
http://www.wservernews.com/go/1330613738155

Some Thoughts Buying State Of The Art Storage Solutions Anno 2012

A thought-provoking post from the blog Working Hard In IT:
http://www.wservernews.com/go/1330613780814

Windows 8 Hyper-V Feature Glossary

Some helpful info from the blog of Aidan Finn, Microsoft MVP and IT infrastructure consultant lead in Dublin:
http://www.wservernews.com/go/1330613792358

TechNet Wiki gets a facelift

Check out the new format and features here:
http://www.wservernews.com/go/1330613819756

 

Windows Server News

What?s stalling your enterprise?s private cloud adoption?

Enterprises often overestimate their cloud knowledge, and that?s causing many private clouds to stall before they even get off the ground. Learn how to ensure a successful deployment process with this expert tip.
http://www.wservernews.com/go/1330614015177

Devising in-house workarounds to solve virtualization problems

Virtualization problems are bound to come up. But you don?t need a pricey product to solve your issues. This featured article details how to devise in-house workarounds for your virtualization problems.
http://www.wservernews.com/go/1330678931167

Cloud-hosted desktops and applications guide

Cloud-hosted VDI provides companies a way to deliver virtual desktops to remote employees on any device without incurring the infrastructure costs of an on-premises virtual desktop infrastructure. But cloud isn't appropriate for all types of desktops and applications. In this guide, learn about cloud-hosted virtual desktops versus VDI, using hosted applications and the integration of cloud-based technologies with enterprise desktops.
http://www.wservernews.com/go/1330678962445

Top 10 reasons why you shouldn?t ignore mobile device security

How does your IT staff handle mobile device and tablet security? Does it use in-house security standards and policies? Or does your company have an ?anything goes? situation? Plenty of companies tell their employees there's no mobile computing at all. The point is, when it comes to mobile device security, businesses are all over the map -- and that's scary. Here?s ten reasons why you shouldn?t ignore mobile device security.
http://www.wservernews.com/go/1330678978029

 

WServerNews FAVE Links

This Week's Links We Like. Tips, Hints And Fun Stuff

Create your own cartoon videos at Xtranormal.com simply by typing on your keyboard:
http://www.wservernews.com/go/1330679000134

Discover Magazine questions whether the NFC might own the coin that's flipped at the start of each Super Bowl:
http://www.wservernews.com/go/1330679016186

Windows7Hacker shows how to make your Windows 7 desktop look like Mac OS X Lion:
http://www.wservernews.com/go/1330679028074

Check out Mitini, it's like Siri for Windows plus it's developed by a Canadian, eh?
http://www.wservernews.com/go/1330679039165

Time-lapse footage from 179 different and beautiful places around the planet.  Best viewed in Full Screen HD.
http://www.wservernews.com/go/1330679051785

 

WServerNews - Product of the Week

FREE SAN Monitor for EMC CLARiiON - Monitor Storage Performance & Avoid SAN Slowdowns

With SAN Monitor for EMC CLARiiON, IT professionals can quickly and easily monitor EMC CLARiiON storage arrays and drill down into LUN inventory details, including LUN size, physical disks, RAID type, total IOPs, I/O response time and more. 

GET FREE TOOL>>>>

 

WServerNews - Editors

Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization.  Mitch was lead author of the bestselling Windows 7 Resource Kit from Microsoft Press and has published hundreds of articles for IT pros.  Mitch is also a seven-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com

Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press.  Ingrid is also Head of Research for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.