Monday, October 24, 2011

Modify Windows 7 Default Profile

Many organizations are still in the process of figuring out Windows 7 deployment. One thing that can come into play with a new Windows 7 deployment is the default profile. When a user logs on to Windows 7 for the first time, their profile is created from the default profile. If the default profile is configured as you want it to be for the users, then there is no need to modify the user profile after logon. Sounds good, right?

The problem with modifying the default profile as a method of standardizing user profiles is maintenance. After desktop computers have been deployed it is very awkward to modify the default profile. The officially supported method of configuring the default profiles is:
  1. Create a blank install of Windows 7
  2. Install applications
  3. Log on as a local administrator and customize the profile
  4. Sysprep the system using an unattend.txt file with the copyprofile tag
  5. Take image of sysprepped system and deploy
Note: When you run sysprep, ensure that there is only one administrative user on the system. If there are multiple administrative users there is no way to guarantee that the correct administrative user is selected for the profile copy.
As you can see, this method is OK for new systems, but not for systems that are already deployed. You can manually copy and modify files in the default profile. You can also edit the ntuser.dat registry file that is part of the default profile, but it is pretty awkward. Also, modifying the default profile does not change any existing user profiles.

The end solution is to avoid using default profiles as much as possible for configuration. Instead use Group Policy to push out as much of the configuration as you can. Group Policy can push out files, folders, and registry keys. However, you'll need to put some extra time into learning how to do it.

Here is a link to more discussion on how to do the sysprep and also how to edit the default user registry files:

Monday, October 17, 2011

SBS 2011 Exchange Not Installing

We have done several migrations from SBS 2003 to SBS 2011 without any significant incidents. This week we had a bit of hassle with Exchange 2010 not installing during the installation. No errors were reported by any of the premigration tools.

In the Exchangesetup.log and SBSSetup.log we got the following error:
[REQUIRED] A reboot from a previous installation is pending. Please restart the system and rerun setup.
Based on some quick research, the general recommendation seems to be that you should reinstall SBS 2011 rather than trying to add Exchange 2010 after the fact. So, to recover, we restored the system state to the old SBS 2003 server (which we cleverly created just before starting the installation).

At this point, we figured that maybe there was something weird because we had selected to download and install updates as part of the install. So, for attempt number two we did not install the updates and got a different error about being unable to find a domain controller. This one turns out to be an error that can occur if you have restored system state on Windows 2003. Apparently the file replication service gets confused. And although the KB for the hotfix below appears completely unrelated it seemed to resolve the issue. See the following:

Onward with further attempts and the original error continued. More searching and there were a fair number of references to registry keys specifying the restart was required, but we checked those and they did not exist on our server. However, for your reference:
We also found a few references to automatic printer installation causing this issue. This client does have a GPO that automatically installs printers. So, we disabled that and still no fix.

We think the problem was that DHCP was not configured on the source server. This client has an IP-based phone system that provides DHCP. This was configured by the phone provider to ensure that the necessary options are pushed out to the phones. When you configure the answer file for SBS 2011 installation there is a checkbox asking you to select whether DHCP is installed on the source server. However, the documentation explicitly states that DHCP must be installed and configured on the source server.

When DHCP was installed on the SBS 2003 server, it would not run because it conflicted with the DHCP on the phone system. So, finally, SBS 2003 and the new SBS 2011 were isolated off the main network. Then installation proceeded as normal.

Just for the record, my business partner Darrin is the one who finally figured this out.

Tuesday, October 11, 2011

Resolving an External DNS Record to an Alternate IP Internally

In some cases, you'd like a single externally hosted DNS record to resolve to a different IP internally than externally. For example, you may want a hostname such as webapp.domain.com to resolve to a valid external IP when on the Internet but to an internal IP when on the internal network. The key here is that you want the same name to resolve to two different addresses depending on whether the client is internal or external.

Let's also assume that domain.com is hosted externally on Internet accessible DNS servers that are different from your internal DNS servers. For example, domain.com is hosted by GoDaddy or your ISP. So, on GoDaddy, you would have webapp.domain.com resolve to an external IP address such as 1.1.1.1.

Now, you can't create domain.com on your internal DNS servers. If you do, you'll need to manually synchronize all external DNS names to your internal DNS server. This can be quite the pain to keep track of. We have several clients where the web hosting company is in control of the externally hosted DNS and changes the Web site address without notice based on their infrastructure changing.

To resolve only webapp.domain.com differently, you create webapp.domain.com as a forward lookup zone on your internal DNS. Then create a host record for the domain in that zone that resolves to the internal IP address, such as 192.168.1.100. When you are creating the record, it should look something like the graphic below.



While I'd like to say I'm the first person to think of this, I'm sure many have in the past. However, I learned this from the installation of SBS 2011 which does this by default for the remote.domain.com record that is used for accessing Exchange Web services and SharePoint.
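The single-name zone described in this post, as a PowerShell sketch added here as an example (the post itself used the DNS console, and this is not the author's code). It assumes the DnsServer module of Windows Server 2012 or later and an AD-integrated zone; `www.domain.com` and the public resolver `8.8.8.8` are placeholders used only for the checks.

```powershell
# Added example: zone for one host on an internal Windows DNS server.
Import-Module DnsServer

$ZoneName   = 'webapp.domain.com'  # the single name to override (from the post)
$InternalIP = '192.168.1.100'      # internal address (from the post)
$Sibling    = 'www.domain.com'     # hypothetical sibling name that must stay external
$PublicDns  = '8.8.8.8'            # assumed public resolver, used for comparison only

# 1. Create a zone named after the host itself, not after domain.com.
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope 'Domain'
}

# 2. Add the host (A) record at the zone apex; in the console this is the
#    record created with the name field left blank.
$apex = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name '@' -RRType A `
            -ErrorAction SilentlyContinue
if (-not $apex) {
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name '@' -IPv4Address $InternalIP
}

# Helper: return only the A-record addresses a given server hands out.
function Get-ARecord([string]$Name, [string]$Server) {
    Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop |
        Where-Object { $_.IPAddress } |
        Select-Object -ExpandProperty IPAddress
}

# 3. The internal server must answer with the internal address.
$inside = Get-ARecord $ZoneName '127.0.0.1'
if ($inside -notcontains $InternalIP) {
    Write-Warning "$ZoneName resolves internally to '$inside', expected $InternalIP"
}

# 4. The public record must not expose the internal address.
$outside = Get-ARecord $ZoneName $PublicDns
if ($outside -contains $InternalIP) {
    Write-Warning "External DNS is publishing the internal address $InternalIP"
}

# 5. Other names under domain.com must still resolve through the internal server,
#    which confirms only the one host is overridden.
if (-not (Get-ARecord $Sibling '127.0.0.1')) {
    Write-Warning "$Sibling no longer resolves internally; check for a domain.com zone"
}
if (Get-DnsServerZone -Name 'domain.com' -ErrorAction SilentlyContinue) {
    Write-Warning 'A full domain.com zone exists internally and shadows every external record'
}
```

Because the internal server is authoritative only for `webapp.domain.com`, changes the hosting provider makes to any other record in domain.com continue to reach internal clients without manual synchronization.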


Hyper-V VM Unable to Start

This is an error that is unlikely to occur for most of us because our servers are relatively up to date, but I work with training centers that use workstation images which are not updated on a regular basis. Today I helped a training center resolve a problem with a Hyper-V virtual machine that would not start.

Scenario:
  • Windows 2008 R2 (not SP1)
  • New hardware
  • The OS image with VM worked fine on older hardware
The errors:
  • An error occurred while attempting to start the selected virtual machine(s). <virtual machine name> could not initialize
  • <virtual machine name> could not initialize. (Virtual machine ID <virtual machine GUID>)
  • <virtual machine name> Failed to set/change partition property
The problem occurs only for new hardware because some newer Intel processors support AVX instructions (http://software.intel.com/en-us/articles/introduction-to-intel-advanced-vector-extensions/) and Hyper-V in Windows 2008 R2 RTM doesn't know what to do with them.

The simple solution is to install Windows 2008 R2 SP1. However, there is also a hotfix and WMI workaround for Windows 2008 R2 RTM. You can view the Microsoft knowledgebase article with the hotfix and workaround here: http://support.microsoft.com/kb/2517374