Alexander’s Blog

July 24, 2010

Choosing a Deployment Strategy for Windows 7

by Zubair Alexander @ 9:12 am. Filed under Tools/Utils, Windows 2008, Windows 7

When it comes to deploying Windows 7, one of the challenges administrators face is trying to figure out which deployment method is the best suited for a particular scenario. Fortunately, Microsoft has documented some guidelines for Choosing a Deployment Strategy in detail. The following table will help you with your decision but you might want to download the complete document here.

High-Touch with Retail Media High Touch with Standard Image Lite-Touch, High-Volume Deployment Zero-Touch, High-Volume Deployment
IT skill level IT generalist IT pro with optional deployment experience IT pro with deployment experience recommended IT pro with deployment and Configuration Manager 2007 R2 expertise
Windows license agreement Retail Retail or Software Assurance Software Assurance Enterprise Agreement
Number of client computers <100 100–200 200–500 >500
Infrastructure
  • Distributed locations
  • Small, unmanaged networks
  • Manual client computer configuration
  • Distributed locations
  • Small networks
  • Standardized configurations, including applications
  • Managed networks
  • At least one office with more than 25 users
  • Windows Server® products
  • Configuration Manager 2007 R2 (optional)
  • Managed network
  • At least one office with over 25 users
  • Windows Server products
  • Configuration Manager 2007 R2
Application support Manually installed commercial applications Manually installed commercial or line-of-business (LOB) applications Automatically installed commercial or LOB applications Automatically installed commercial or LOB applications
User interaction Manual, hands-on deployment Manual, hands-on deployment Limited interaction at the beginning of installation Fully automated deployment
Lower cost and effort by… …automating client computer configuration …creating standardized images …providing network-based deployment to support large-scale deployment with limited interaction …providing network-based deployment to support large scale-deployment with no interaction
Helping to… …create reproducible and faster client computer installation …reduce configuration testing and deployment time …leverage standardized images with network access by using pull automation …leverage standardized images with network access by using push automation
Strategy description High-Touch with Retail Media High Touch with Standard Image Lite-Touch, High-Volume Deployment Zero-Touch, High-Volume Deployment
Windows 7 Tools

July 23, 2010

Windows 7 Deployment FAQs

by Zubair Alexander @ 7:56 am. Filed under Tools/Utils, Windows 2008, Windows 7

Microsoft provides numerous tools for deploying Windows operating systems. It sure would be nice if we could use one tool that included all the functionality in dozens of separate utilities and toolkits. Here are some frequently asked questions that Microsoft has posted on TechNet. These will help you understand what you can and can’t do with all these new deployment tools for Windows 7 and Windows Server 2008.

If I am running Windows XP and haven’t looked at the Windows Vista and Windows Server 2008 imaging and deployment tools, what should I know about Windows 7 deployment?

If you have not yet looked at Windows Vista Deployment Enhancements, you can learn about the enhancements made around file-based, nondestructive imaging that uses the Windows® Imaging Format (WIM), Hardware Abstraction Layer (HAL) independence, and language neutrality in Windows Vista® and Windows 7 images.

Which tools are available to help with my Windows 7 deployment project?

The following are some of the predeployment and deployment tools that help you automate common project-related tasks:

  1. Microsoft Assessment and Planning (MAP) Toolkit This tool inventories hardware and devices.
  2. Application Compatibility Toolkit (ACT) version 5.5 This tool inventories applications, analyzes compatibility, and creates compatibility fixes for applications.
  3. Microsoft Deployment Toolkit (MDT) This tool helps you create images and automate the OS and application installations, data migration, and desktop configuration process.
  4. Microsoft System Center This is a family of products for large organizations that provides end-to-end deployment and management support.

    How is imaging and image servicing in Windows 7 different compared to Windows Vista?

    Deployment Image Servicing and Management (DISM) in the Windows Automated Installation Kit (AIK) provides additional functionality for Windows 7 and Windows Server® 2008 R2–based operating system images. In Windows 7, you can use DISM to enumerate drivers, packages (including updates), and features in the image. You can also use DISM to add and remove flat file drivers from a Windows 7 or Windows Server 2008 R2 system image. DISM consolidates functions previously found across several tools.

    Notably, you can also use DISM to manage Windows Preinstallation Environment (Windows PE) images; DISM can manage international configurations and can be used for mounting and unmounting WIM images. Previously, these functions were spread across the PEImg, IntlConfig, and ImageX tools. Finally, DISM contains changes that allow for backward compatibility with Package Manager (PKGMGR) commands that were used for Windows Vista and Windows Server 2008 image files to help ensure that existing tools and scripts written for previous versions of the Windows AIK continue to work. ImageX is still provided with the Windows AIK for system image creation and application functions.

    Where can I find the User State Migration Tool for Windows 7?

    The Microsoft® Windows® User State Migration Tool (USMT) 4.0 is included in the Windows Automated Installation Kit (Windows AIK), which you can download from the following Microsoft® Web site: The Windows Automated Installation Kit (AIK) for Windows 7. For more information about USMT 4.0, see User State Migration Tool 4.0 User’s Guide.

    What is Hard-Link Migration, and how can I migrate user states from one operating system to another?

    A hard-link migration store enables you to perform an in-place migration. The all-user state is maintained on the computer while the old operating system is removed and the new operating system is installed. Use of a hard-link migration store improves migration performance and reduces hard-disk space usage. For more information, see Hard-Link Migration Store.

    Are there any changes in the role of the Windows Deployment Services server in Windows Server 2008 R2?

    Windows Deployment Services (WDS) in Windows Server 2008 R2 enables network deployments of WIM images or virtual hard disks as files used for OS deployments. The previous release of WDS in Windows Server 2008 included multicast for image transmission to computers in the deployment pool.

    One consequence of using multicast in Windows Server 2008 was that the slowest client determined the transfer rate for all client machines. In Windows Server 2008 R2, multicast now supports the use of multiple stream transfer of 2 to 3 speeds to ensure that the fastest clients can receive deployment images faster. In addition, you can use standard multicast without multiple stream transfer to set minimum transfer thresholds and automatically remove slow clients from the multicast pool.

    Windows Server 2008 R2 with WDS also enables dynamic driver provisioning so that driver files can be stored centrally, outside the image, and only the required drivers are installed during deployment by using Plug and Play device matching. For organizations that include large driver payloads with standard network-installed images, dynamic driver provisioning can help reduce image size and ease driver management routines.

    Why is upgrade from Windows XP® to Windows 7 not supported?

    There are many changes in how PCs have been configured (applets, hardware support, driver model, and so on), and a clean installation yields the highest quality. The User State Migration Tool provides support for moving files and settings, but you must reinstall applications. For a set of customers this tradeoff may seem less than perfect, but the upfront time is well worth it. For more information about this topic, read the blog Engineering Windows 7: Delivering a quality upgrade experience. For more information about how to migrate data from Windows XP to Windows 7, see Step-by-Step: Windows 7 Upgrade and Migration.

    Are there any tools available to help find out which applications my users have installed and to test for application compatibility?

    You can use the Application Compatibility Toolkit (ACT) version 5.5 to inventory applications and identify known compatibility issues that are common to both Windows Vista and Windows 7. ACT 5.5 also includes tools for testing Web-based applications and for building compatibility fixes for applications where a compatible version is not available and recoding the application is not an option.

    You can also search for applications and devices that are compatible with Windows Vista at the Windows Vista Compatibility Center. To perform a bulk query of an inventoried application list against a known list of Windows Vista compatible applications, you can use the Windows Vista Application Compatibility Downloadable List for IT Professionals which is available from the Microsoft Download Center. Both resources share common data, which is currently specific to Windows Vista. Compatibility data specific to Windows 7 will appear in these resources as the data becomes available from software vendors.

    Microsoft is collaborating with service partners to help overcome application compatibility, from application inventory to application compatibility remediation. For more information, see the Application Compatibility Factory partner program on Microsoft TechNet.

    What specific changes are there in Windows 7 compared to Windows Vista that could affect application compatibility?

    Compatibility between Windows Vista and Windows 7 is very high. There are relatively minor changes that affect application compatibility, including the following:

    1. Operating system version The internal version number for Windows 7 and Windows Server 2008 R2 is 6.1.
    2. Removal of Windows gallery applications Windows Mail, Messenger, Address Book, Photo Gallery, and Movie Maker are deprecated in Windows 7.
    3. National Language Support changes The National Language Support (NLS) functions help applications support the different language-specific and locale-specific needs of users. Windows 7 includes some NLS changes.
    4. Internet Explorer 8 user agent string The user agent string is the Internet Explorer® identifier that provides data about its version and other attributes to Web servers. Many Web applications rely on the Internet Explorer user agent string.
    5. Removal of Windows registry reflection for 64-bit operating systems The registry reflection process copies registry keys and values between two registry views to keep them in sync.
    6. New low-level binaries To improve engineering efficiencies, Microsoft has relocated some functionality to new low-level binaries.
    7. File library replaces document folder Libraries provide a centralized folder for file storage, search, and access across multiple locations, both local and remote.
    8. User interface high DPI awareness The goal is to encourage end users to set their displays to native resolution and to use DPI rather than screen resolution to change the size of text and images.
    9. Internet Explorer 8 DEP/NX Internet Explorer 8 enables DEP/NX protection when run on an OS with the latest service pack.

      For detailed information on these changes, see Windows 7 and Windows Server 2008 R2 Application Quality Cookbook . If you are running Windows XP and want more information about changes starting with Windows Vista, see The Windows Vista and Windows Server 2008 Developer Story: Application Compatibility Cookbook .

      What about Volume Activation? Will I need a separate infrastructure for Windows 7?

      Volume Activation fundamentally works in the same way in Windows 7 as it does with Windows Vista and Windows Server 2008. You can use key management service or multiple activation keys. The same infrastructure is used to activate Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. Virtual machine activations can be counted against activation thresholds. The volume activation management tool is included in the Windows AIK.

      With so many deployment options, how do I know which one is best-suited to my organization?

      For consumers and small businesses, manual deployment options include data migration assisted by Windows easy transfer and installation via retail media. For more information about migrating data with Windows Easy Transfer, see Step-by-Step: Windows 7 Upgrade and Migration.

      You can review the deployment options in the Choosing a Deployment Strategy evaluation. These topics describe the recommended deployment types based on your type of organization and help you select an appropriate deployment method.

      What is VHD Native Boot?

      In Windows 7, you can use a virtual hard disk as the running OS on designated hardware without any other parent operating system, virtual machine, or hypervisor. For more information, see Virtual Hard Disks in Windows Server 2008 R2 and Windows 7.

      How can I use the Microsoft Desktop Optimization Pack tools to help with my Windows 7 deployment?

      Microsoft Application Virtualization (App-V), a component of the Microsoft Desktop Optimization Pack (MDOP), can minimize time-consuming regression testing and application compatibility issues. This is possible because applications are virtualized and not redirected or installed on the client, saving you significant time and effort. You can use dynamic virtualization to control virtual application combinations, consolidate virtual environments, and simplify and speed administration. Customers can accelerate and centralize the deployment and management of operating systems and applications, including simplifying the global management of virtual applications by letting users work in localized environments with localized applications.

      July 15, 2010

      Microsoft turns over all Windows 7 and server source code to Russia’s new KGB

      by Zubair Alexander @ 10:01 am. Filed under News, Security/Firewalls, Windows 2008, Windows 7

      Here’s something in the news lately that is rather interesting. According to this blog on ZDNet, Microsoft is turning over all Windows 7 and server source code to Russia’s new KGB.

      “Microsoft has always carefully protected the source code to its operating systems. In fact, a key distinction between the various Windows variants and open source OSs like Linux and BSD is that Linux and BSD are open source.”

      “That’s why a little piece of news covered by ZDNet UK’s Tom Espiner is so astonishing.

      According to Espiner, Microsoft has turned over all its source code for Windows 7, along with its source for Microsoft Windows Server 2008 R2, Microsoft Office 2010 and Microsoft SQL Server to Russia’s Federal’naya sluzhba bezopasnosti Rossiyskoy Federatsii. The FSB is present-day Russia’s successor to the infamous Soviet-era KGB.”

      “From a security perspective, this is an astonishing act. The agency that took over from the KGB and which has been just recently proven to be conducting long-term spying operations against the United States now has access to Windows source code — while at the same time, most American IT operations don’t.

      Not only does this give the Russians the opportunity to find gaps in Windows security — it gives them the opportunity to do so while most American companies and organizations don’t have the same opportunity to find the same gaps and plug them.”

      “If Microsoft’s going to give source code to Russia, it should release it to the public. Open source certainly hasn’t harmed Linux’ success and doing so would at least put American IT operators on a level playing field with the Russian secret service.”

      I haven’t seen Microsoft’s response to this so far and will let Microsoft explain what exactly is and isn’t shared but I do know that Microsoft has a Product Source Program for the benefit of governments, enterprises, OEMs, developers, faculty & students, system integrators, and Microsoft MVPs like me.

      The MVP Source Licensing Program (MVPSLP) is a no-cost program that licenses Microsoft Windows source code to qualified Microsoft MVPs. The program gives MVPs the opportunity to differentiate themselves professionally as Windows platform experts through access to Windows source code. Similarly, there are free programs for enterprises and governments. The Government Security Program (GSP) provides national governments with information to help them evaluate the security of Microsoft products.

      I don’t think we should panic over this because Microsoft is run by Americans who love this country. It’s hard for me to believe that they would pass on any information to the Russians, or to any other government for that matter, that could impact our security. Not to mention the fact that all export of such information is subject to the U.S. export approval and over 90% of Shared Source offerings are available for download by anyone. According to Microsoft:

      “The Product Source Programs, licenses selected Microsoft product source code to qualifying customers, partners, and governments. Access to source is granted only to those who are eligible and who qualifying under the terms of each program.”

      Again, I haven’t seen Microsoft’s response to this but I seriously doubt that Microsoft will release every single bit of Windows code to anyone outside Microsoft…..and definitely not to the new Russian KGB (called FSB). If Microsoft does, they would join the Open Source community and as far as I know Microsoft has no intention of doing that.

      July 12, 2010

      Evaluation Copies of Microsoft Products

      by Zubair Alexander @ 7:33 am. Filed under Applications, Exchange/Outlook, Microsoft Office, SQL Server, Security/Firewalls, SharePoint, Virtualization, Windows 2008, Windows 7, Windows Home Server

      My students are always asking me where to get the evaluation copies of various Microsoft products. I’ve put together a list of some of the latest software evaluation downloads. My goal is to try and keep this list updated but frankly it is going to be challenging because Microsoft is known for changing the URLs without any redirection.

      1. Exchange Server 2010 (120-Day Trial)
      2. Forefront Server Security Management Console
      3. Forefront Threat Management Gateway 2010
      4. Office Communications Server 2007 R2 (180-Day Trial)
      5. Office Professional Plus 2010 (60-day Trial)
      6. Project Professional 2010 (60-day trial)
      7. SharePoint Server 2010 (180-day Trail)
      8. Small Business Server 2008 (60-day trial)
      9. SQL Server 2008 (180-day Trial)
      10. System Center Data Protection Manager 2010 (180-day Trial)
      11. System Center Essentials 2010 Beta
      12. System Center Virtual Machine Manager 2008 R2
      13. Visio Premium 2010 (60-day trial)
      14. Windows 7 Enterprise (90-day Trial)
      15. Windows Home Server (30-day Trial)
      16. Windows HPC Server 2008
      17. Windows Server 2008 R2 Trial Software

      WARNING! I should warn you that sometimes when you download a trial software you may think that you are opting out of receiving phone calls and e-mails from Microsoft but you are not. For more information read my blog post: When Microsoft Says No, It May Mean Yes.

      Microsoft offers more free products to consumers than any software manufacturer I know. And I am not talking about free evaluation software, I am talking about free tools, utilities and various products and services. Besides software, Microsoft offers these free TechNet and MSDN labs. These are a series of guided, hands-on labs which can be completed in 90 minutes or less.

      July 10, 2010

      Event ID 5153: The Windows Process Activation Service (WAS) encountered an error attempting to look up the built in IIS_IUSRS group.

      by Zubair Alexander @ 8:52 am. Filed under Active Directory, Articles, IIS, Scripting, Tips & Tricks, Windows 2008

      Today I was installing Exchange Server 2010 Enterprise on a Windows Server 2008 R2 Domain Controller. Although Microsoft recommends that you install Exchange 2010 on a member server if possible, the environment I was working was very small so the Exchange Server 2010 was installed on a Domain Controller. There was an Exchange Server 2007 already in the same forest.

      After I installed Exchange Server 2007 SP3 (at least SP2 was required in my scenario) to meet the prerequisites, I was unable to install Exchange Server 2010. During the installation I received the following error, indicating IIS was not installed on the Windows Server 2008 R2 server.

      I installed IIS but still received the same error. The event viewer displayed the following warning:

      Log Name:      System
      Source:        Microsoft-Windows-WAS
      Date:          7/10/2010 8:54:01 AM
      Event ID:      5153
      Task Category: None
      Level:         Warning
      Keywords:      Classic
      User:          N/A
      Computer: Exchange.SeattlePro.com

      Description: The Windows Process Activation Service (WAS) encountered an error attempting to look up the built in IIS_IUSRS group.  There may be problems in viewing and setting security permissions with the IIS_IUSRS group.  This happens if the machine has been joined and promoted to be a Domain Controller in a legacy domain.  Please see the online help for more information and solutions to this problem.  The data field contains the error number.

      Upon further investigation, I discovered that according to Microsoft KB article 946139, this is by design. Translation: This is a FEATURE, not a BUG.

      Symptoms

      You have a Windows Server 2008-based server that is running Internet Information Services (IIS) 7.0. You set the Windows Server 2008-based server as a domain controller of a Windows 2000-based domain or of a Windows Server 2003-based domain. In this scenario, you cannot resolve the built-in IIS accounts, such as the IIS_IUSRS group or the IUSR guest user account. You can see only the raw security identifier (SID) of the built-in IIS accounts.

      Note: This problem does not occur if you set the Windows Server 2008-based server as a domain controller of a Windows Server 2008-based domain.

      Reason

      This problem occurs because the IIS 7.0 built-in accounts specification for Windows Server 2008 does not exist in earlier domains, such as Windows 2000-based domains and Windows Server 2003-based domains. When the IIS 7.0 server is set as a Windows 2000-based domain controller or a Windows Server 2003-based domain controller, the Windows Server 2008 accounts cannot be resolved.

      Detailed Explanation

      This TechNet article explains Event ID 5153 in more detail. Essentially, you have to remap the built-in IIS accounts. IIS 7.0 uses several built-in Windows Server 2008 accounts, including the IIS_IUSRS group and the IUSR guest user account. These replace the <MACHINE_NAME>_USR account that was created by IIS 6.0.

      A problem occurs when a Windows Server 2008 computer that hosts IIS 7.0 becomes a domain controller (DC) of a non-Windows Server 2008 domain (that is, a DC of a Windows 2000 or Windows Server 2003 domain). When the DC promotion occurs, the new Windows Server 2008 built-in accounts are no longer available to IIS 7.0. Any Access Control List (ACL) that uses the built-in accounts will not be able to resolve to a friendly name, but will instead show their raw SID (Security Identifier) values.

      To resolve this issue, run a script that will restore the mapping of SIDs to friendly names for the built-in accounts. The script must be run on the DC while it is connected to its Primary Domain Controller (PDC). This will reestablish access to the built-in accounts that IIS 7.0 requires.

      Solution

      To resolve this problem, use this sample script. Save it as SamUpgradeTask.js.

      Note: You must restart the server after you run this script.

      Troubleshooting Tips

      After you have taken all these steps you may still get the same error, at least I did, and I know others have been in the same boat. Try these additional steps.

      1. Go to Server Manager/Web Server (IIS)/Add role services and check the box for IIS 6 Management Compatibility. If that doesn’t help then go to step 2.

      2. Start the PowerShell with elevated privileges (Start, All Programs, Accessories, Windows PowerShell) and run the following scripts one-by-one. You must start the PowerShell with elevated privileges, i.e. Run as Administrator.

      1. Import-Module ServerManager
      2. Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy -Restart
      3. Set-Service NetTcpPortSharing -StartupType Automatic

      Notice that after the second script your server will reboot. You may run the third script manually or use the GUI by going to the Services Console (services.msc) and set the Net.TCP Port Sharing Service to start automatically. Restart the Exchange Server 2010 setup again and Exchange should install successfully this time.

      Copyright ©2010 Zubair Alexander. All rights reserved.

      « Previous Entries
      Next Page »

      Contact E-mail | Terms of Use | Privacy Policy

      Copyright ©2010 Zubair Alexander. All rights reserved.

      Internal Links

      Search Blog

      Categories

      Archives

      September 2010
      M T W T F S S
      « Aug    
       12345
      6789101112
      13141516171819
      20212223242526
      27282930  

      RSS Feeds

      TechGalaxy Visitors

      24 queries. 0.582 seconds