Home > VMware ESX, VMware ESXi, VMware vSphere, Windows Server 2008 > How to Build a VMware vSphere VM Template for Windows Server 2008 R2

How to Build a VMware vSphere VM Template for Windows Server 2008 R2

A co-worker and myself were asked to create a VMware vSphere (ESX) template for Server 2008 R2 and it’s not as easy as you might think. Over the course of a day and half and through much research and trial and error, we have come up with the perfect template for our organization. It’s a perfect base template for us but depending on where you intend to deploy it and your own organization’s requirements, you may have to edit it a bit. We intend to tweak the template even further and possibly even create separate images depending on if the VM will be deployed internally or externally. Please do comment if you have any suggestions or think we may have missed something.

Building a VMware template for Server 2008 vs. Server 2008 R2 has some differences. This blog post will cover everything we did to successfully get it working and a detailed explanation of why we chose certain settings. Big thanks to to Jeremy Waldrop and his blog post that described setting up a template for 2008 which helped us quite a bit in our research to create the perfect template for 2008 R2.

OS Used: Windows Server 2008 R2 Standard (x64) Volume License Edition

VM Hardware config:

  • Single vCPU
  • 4 GB RAM
  • 40 GB Primary Hard Drive (for Operating System)
  • 10 GB Secondary Hard Drive (for Page File
  • LSI Logic SAS SCSI Controller
  • VMXNet 3 Network Adapter

I know most organizations using Server 2003 have always done a 20 GB C: partition. With 2008, I suggest going to 40 GB OS drives as a standard. Server 2008 (especially x64 versions) requires more space. Out of the box 2008 R2 x64 takes up 10 GB. Also Server 2008 has a component store (c:\windows\winsxs) which is very large. This is because 2008 no longer uses i386, everything is stored locally already in this component store folder. Remember, Server 2008 and any future MS product is all about componentization!! When you install a component from this store, my understanding is that it is “projected” to the OS. So basically Windows 2008 installed components run from this component store essentially. As the system receives updates over time, expect this directory to grow even larger since it never deletes old stuff. Think of the different versions of kind of stacking on each other. I believe with each service pack there is a tool to uninstall components that are no longer necessary or superseded. So stick with a 40 GB OS partition and you should be fine for a long time. You will also notice we have a 10 GB secondary drive for a page file. We’ll get to that later in the article.

Now on to the actual build:

  1. First create a new VM
    • Select Custom Configuration
    • Enter VM Name and Inventory Location
    • Select Datastore
    • Select Virtual Machine Version: 7
    • Select “Microsoft Windows Server 2008 R2 (64-bit)” as OS Version
    • # of Virtual Processors: 1
    • Amount of RAM: 4GB
    • Network
      • # of NICs: 1
      • Adapter Type: VMXNET 3
      • Select “Connect at Power On
    • SCSI Controller: LSI Logic SAS
    • Create New Virtual Disk: 40GB
    • Advanced Options: No Change
  2. Now prepare the virtual hardware:
    • Edit VM Settings > Options > General Section > Uncheck “Enable logging”
    • Boot Options > Check box to force going into the BIOS on next boot
    • Power on the VM (will go directly to BIOS) > Advanced > I/O Device Configuration:
      • Disable Serial port A
      • Disable Serial port B
      • Disable Parallel port
    • Exit and Save
  3. OS Installation and Configuration
    • Install Windows 2008 R2 Standard – Full Install
    • After OS install and reboot, change Administrator Password (will prompt)
    • Disconnect Windows 2008 R2 ISO and set device type to Client Device
    • Set Time Zone
    • VMware Tools Install
      • Install VMtools, choose Custom Install Type
      • Disable the “Shared Folders” drive and install Tools ** Note we are disable Shared Folder due to profile loading issues which was documented even back in ESX 3.5 and VMware Tools here on the VMare Communities forum. I have not personally had an issue leaving it enabled but just to be cautious and the fact we don’t use this feature in our organization, we have left it disabled.
      • Set time synching between the VM and ESX host
      • Reboot after Tools Install
    • Network Configuration
      • From Server Manager, select View Network Connections
      • Right click on Local Area Connection and select properties
      • Uninstall QoS Packet Scheduler and both Link-Layer Topologies (Mapper & Responder) ** We don’t do QOS at the server level, our switches do that. Link Layer is not used by us.
      • Uncheck IPv6 and close network connection screens ** We don’t use IPv6 yet so we disabled it for now
    • Server Name
      • From Server Manger select Change System Properties
      • On System Properties screen click Change on Computer Name Tab
      • Set Server Name and restart
    • Windows Updates
      • From Server Manager under Security Information, select Configure Updates
      • Select Let me choose
      • Under Important Updates, select Never check for updates, click ok
      • Start > All Programs > Windows Update > Check for updates and install all Recommended Updates
    • Enable Remote Desktop, choose “Allow connections from computers running any version of Remote Desktop” (2nd option)
    • Disable Windows Firewall **Not best practice to disable, but my environment requires it
    • From Server Manager, select “Do not show me this console at logon” and close Server Manager
    • Taskbar Changes
      • Right click 3rd icon from Start Button (Windows Explorer) and select “Unpin this program from taskbar”
      • Right click 2nd icon from Start Button (Windows PowerShell) and select “Unpin this program from taskbar”
      • Right click Taskbar and choose Properties and choose Customize under Notification Area
      • Select “Turn system icons on or off”, and turn Volume Off, click Ok
    • System Performance
      • From Server Manager select Change System Properties
      • Select Advanced Tab > Settings and choose “Adjust for best performance”
    • Folder and Search Options
      • Open “Computer” > Select Organize > Choose Folder and search options
      • Under View Tab
        • Select “Show hidden files, folders and drives”
        • Uncheck “Hide extensions for known file types”
    • IE ESC
      • From Security Information Section, select Configure IE ESC
        • Change Administrators to Off and leave Users On ** My reasoning for this is the only “Users” should be service accounts on a server so leaving it On should not matter
    • Change IE Home Page to blank so you don’t get that pesky Internet Exploer Enhanced Security Configuration warning page
    • Under Computer, right click c: and select properties, uncheck “Allow files on this drive to have contents indexed in addition to file properties”
      • Apply changes to c:\ and all subfolder/files
      • Continue/Ignore on Access Denied errors
    • Power Options (from Control Panel)
      • Change option to High Performance
    • Disable Hibernation
      • Command Prompt, enter powercfg.exe –h off
    • Delete the Page file and reboot (so c:\ can be fully defragmented)
    • Run defrag
    • Page File
      • Edit VM Properties
      • Add a 2nd hard drive (10GB) and change to SCSI (1:0)
      • Run Disk Manager and format as Z:\ drive ** We use Z: as the drive letter so it does not interfere with adding additional drives later on.
      • From Server Manager, select System Properties > Advanced > Performance Settings > Advanced > Virtual Memory Change
        • Assign 1024MB Page file to c:\
        • Assign 5120MB Page file to z:\
    • SNMP
      • Server Manager > Add Features > SNMP
      • Server Manager > Configuration > Services > SNMP > Security
        • Accepted community names – Add your community (as READ ONLY)
        • Accept SNMP Packets from these hosts – Add your hosts (remember to leave localhost in there)
  4. Turn VM into a Template
    This procedure will copy the Administrator account profile into the default user profile so that all users that login or that will be created in the future will get the same profile with all the customizations you have done above. When you sysrep a server template and create a new VM from it, a new SID is generated which means a new local Administratior account is created during the sysrep procedure. This means all the customizations you have done will be wiped out above unless you copy all your settings above when you create a new VM. In the past with Server 2003 and even Server 2008, you had the “Copy To” feature to copy a user profile to another. With Server 2008 R2, Microsoft has disabled this feature. It is now done via an unattend.xml file using the “CopyProfile” node. I actually prefer this method now after doing it a few times. This procedure is detailed per the Microsoft KB article http://support.microsoft.com/kb/959753

    • Create unattend.xml in “c:\windows\system32\sysprep” folder as follows. NOTE: Do not copy and paste the text below because WordPress messes up the quotes which will lead to errors during sysprep. Please right click-save as this link and copy and paste from the txt file instead.
      
      <?xml version="1.0" encoding="utf-8"?> 
      <unattend xmlns="urn:schemas-microsoft-com:unattend"> 
      <settings pass="specialize"> 
      <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> 
      <RegisteredOrganization>Your Organization Name</RegisteredOrganization> 
      <RegisteredOwner>Your Registered Owner</RegisteredOwner> 
      <CopyProfile>true</CopyProfile> 
      </component> 
      </settings> 
      <cpi:offlineImage cpi:source="wim:f:/sources/install.wim#Windows Server 2008 R2 SERVERSTANDARD" xmlns:cpi="urn:schemas-microsoft-com:cpi" /> 
      </unattend>
      
    • At command prompt, type the following command:
      C:\windows\system32\sysprep\sysprep.exe  /generalize /unattend:unattend.xml
    • System Preparation Tool 3.14
      • Choose Enter System OOBE
      • Check Generalize button
      • Leave shutdown option as reboot
      • Click OK
    • Release the IP and turn VM into a template in Virtual Center
  5. I hope this guide we wrote helps someone out there and saves you time. If you have any suggestions or questions, please leave a comment. I can take screenshots of any parts above you are confused on. I am also interested in knowing about more performance related customizations you guys might use we can add to your template so if you have any, please let me know. :)

server2008r2logo


  1. David Jones
    May 16th, 2010 at 03:11 | #1

    Just some questions/comments for you…

    > 2. Now prepare the virtual hardware
    >> VMware Tools Install
    Why wouldn’t you take the opportunity to disable the floppy controller too?

    > 3. OS Installation and Configuration
    >> Set time synching between the VM and ESX host
    If you have you domain time heirarchy set correctly, presumably, you shouldn’t be time synching from the esx host (this is assuming you will join all computers deployed from the template into a domain, though)
    > IE ESC
    >> From Security Information Section, select Configure IE ESC
    You’ve lost me here. I know what IE ESC is (after googling it) but don’t know where to find the “Security Information Section” you are referring to.
    > 4. Turn VM into a Template
    >> At command prompt, type the following command:
    I can’t see any command after this statement, unless it’s the command that appears to have slipped to the bottom of your post?
    “C:\windows\system32\sysprep\sysprep.exe /generalize /unattend:unattend.xml”

    A very handy post otherwise. I hope these comments/questions are useful.

    Regards,

    David.

  2. David Jones
    May 16th, 2010 at 07:40 | #2

    Actually, having tried to work this out, item four onwards has lost me completely.

  3. Jason
    May 17th, 2010 at 10:30 | #3

    @David Jones

    Hi David,

    1. For the floppy, I typically don’t keep any connected to my VMs but definitely, this is a good time to disable if you do. Good catch.

    2. Yes you can definitely add the server to the domain. In our case, we have servers in other network segments which are either not part of a domain or are member servers of other domains. So we decided to leave the template as a standalone for the greatest flexibility and then add to the proper domain or leave it stand alone depending on what the server is being created for.

    3. Internet Explorer ESC (Enhanced Security Configuration) can be found in Server Manager under Security Information (it’s the last line on the right side in the 2nd box). It will say “Configure IE ESC”. Let me know if you can’t find it and I’ll post a screenshot.

    4. Thanks for catching! Yes, WordPress somehow dropped my blocks of code down to the bottom. I just fixed the post. Hopefully that makes more sense.

    Let me know if you need clarification on anything.

    Jason

  4. Greg
    May 18th, 2010 at 02:10 | #4

    Hello Jason,

    Have you noticed any strange performance issues with the VM’s created from the templates? I can create a base image fine, but the templates all see to be very slow from time to time, specifically noticeable when you logon.. Also, do you find that IP6 is enabled again once a VM is created from the template?

    Cheers
    Greg

  5. Greg
    May 18th, 2010 at 08:40 | #5

    @Greg
    By the way, that performance issue wasn’t with your template specifically, but just templates in general. It runs fine, but then when I convert my 2008 template to a VM and clone from the template using my customisation script, it just doesn’t run well… :(

  6. JohnC
    May 18th, 2010 at 22:29 | #6

    Hi, great blog on creating a windows 2008 R2 VM template, a few questions..

    1. At the last step, I’m receiving a ‘fatal error’ when attemping to sysprep the machine.

    In the logs, I’m seeing this error:

    2010-05-19 14:20:37, Error [sysprep.exe] UnattendFindAnswerFile: Unable to deserialize explicitly provided unattend file [unattend.xml]; status = 0×80070246, hrResult = 0×0.
    2010-05-19 14:20:37, Error [0x0f009e] SYSPRP SysprepSearchForUnattend: Failed while searching for unattend file; hr = 0×80070246
    2010-05-19 14:20:37, Error [0x0f00a5] SYSPRP WinMain:Encountered error while searching for unattend file; hr = 0×80070246

    My unattend.xml file is slightly different from yours, as I’m attempting to deploy Win2k8 R2 Enterprise edition rather than standard:

    Org Name

    Org Name

    true

    Any ideas why?

    2. Can the template be joined to an Active Directory domain temporarily to perform tasks such as windows update deployment, if a WSUS server is running in the domain, rather than downloading the updates through the web and then disjoined from the domain?

    3. We are using a MAK licence/key, which we activated in the template – are there any issues with activating the licence before the VM is ‘sealed’ and turned into a template?

    Thanks

  7. Greg
    May 19th, 2010 at 03:02 | #7

    The “fatal error” is due to the quotes. The best bet is to copy it to something like notepad, and then do a find/replace on them all with a generic “.

    If you look closely in Notepad, you will see that some of them look different, and I think it also mistakes a few for something else and replaces them with question marks.

    Not sure if this will help or still come up with funny formatting:

    Your Organization Name
    Your Registered Owner
    true

    I can’t answer but we use a MAK and I have done activation both before and after and not noticed any difference. In fact, I found that I had to reactivate anyway because the customization script didn’t do it correctly.

  8. Greg
    May 19th, 2010 at 04:55 | #8

    I also find that the process of creating a VM from the template annoying re-does any changes to drive letters you make, and also renables IPv6, and the link-layer stuff, and QOS etc. I do wonder what the pornt is sometimes. You change all these settings and the deployment process sets them all back again!

  9. Jason
    May 19th, 2010 at 11:17 | #9

    @Greg

    Hi Greg,

    I haven’t noticed any performance issues with any Server 2008 VMs created from templates yet. Couple of things I can think of to look at first:

    1. How many vCPUs do you on each VM? Try using just one vCPU and see if that helps any.
    2. Is VMware Tools installed?

    IPv6 was not re-enabled on any of the VMs I have created using this template. All the QOS and Link Layer Mapping also remained uninstalled. Are you setting CopyProfile to true in your unattend.xml file? This is what copies all your changes when you convert your template to a VM. Without this step, all your changes are undone.

    Jason

  10. Jason
    May 19th, 2010 at 14:48 | #10

    @JohnC

    Thanks for catching that Greg. John, WordPress converts the quotes like that for some reason even though if I try to edit it, it looks fine. I have added a .txt to the main post you can simply copy and paste to your unattend.xml file which should work fine. Let me know if you have any issues.

    Regarding adding to the domain and removing, I don’t see why not. I have personally not done that before and just relied on Windows Update when building templates. I’ve always just deselected unapproved or untested patches and installed everything else. Once I create a VM and add it to the domain, I expect WSUS or whatever patch management utility I have to take care of any missing patches. Only thing about adding to the domain and removing is that you are going to have a lot of domain specific stuff leftover like domain profiles you might have logged into the server with. Doesn’t hurt anything but still, I like to keep my templates as clean as possible with a minimal footprint.

    Regarding MAK activation, I activate both the template and any new servers created it from it afterward. My reasoning is that once I convert the base VM to a template, I might want to convert it back to a VM to make changes later on. I would be out of the activation grace period after 30 days if I don’t activate and will get that activation notification nag screen and have a black desktop background. I don’t want to see all that so I just activate the template too. Technically, you lose an activation to a template but it’s peace of mind. If your organization has strict limits on the number of activations you are allowed to do, then I suggest you DO NOT activate the template VM. Once you create VMs, you can activate it at that point and then and the nag screen and black desktop will go away. Remember, leaving a server inactivated won’t hurt anything and the server will continue to run normally, it’s just the annoying messages you have to deal with whenever you work on tweaking your template. Whenever you create a VM from your template, you will have to activate it again anyhow. It’s considered a brand new server so activation is required, no way around that or MS will come knocking. :)

    If at some point if you decide to start doing KMS activation, remember the VM will have to check in with your KMS server every 7 days. The KMS activation is only valid for 180 days. So if you turn your template back into a VM to tweak it after 180 days, you are going to be met with the nag screen and a black desktop.

    Jason

  11. Jason
    May 19th, 2010 at 15:01 | #11

    @Greg

    Greg, I noticed about the drive letter issue you mentioned though. It makes it D: instead of Z: so using diskpart.exe during sysprep should take care of that. Let me finalize a few things and I will post back with results.

  12. JohnC
    May 19th, 2010 at 17:09 | #12

    Thanks, that attend.txt worked fine..

  13. JohnC
    May 19th, 2010 at 19:08 | #13

    Ok, some feedback:

    1. After the last step of syspreping, the server went to restart back into the OS, at which point I switched it off & then converted it to a VM template.

    2. I created a ‘template’ based on the customised specification wizard in vcentre.

    3. Applied this to a Test-vm.

    4. After the vm fired up, and sat at ‘installing devices’ for 5 minutes (and before the OS booted it showed the safe mode screen saying there were hardware changes).

    5. The VM restarted again after ‘installing devices’.

    6. Vmware image customisation in progress…
    (Setup is preparing your computer for first use)

    7. And now presented with the Setup Windows screen (where I can choose country/region).

    After doing all this, I’ve noticed:

    a. The Paging Volume is totally missing, not online according to Disk Manager.
    (it says The disk is offline because of a policy set by the administrator)

    b. The Administrator account was renamed, but it still shows Administrator? (reverted back to its original name)

    c. The hostname of the template is not of the same value as specified in the Custom Specification Wizard, it looks like its defaulted to the standard windows/random number/letter format.

    d. Server appears activated?

    Cheers

  14. Greg
    May 20th, 2010 at 02:06 | #14

    Jason :

    IPv6 was not re-enabled on any of the VMs I have created using this template. All the QOS and Link Layer Mapping also remained uninstalled. Are you setting CopyProfile to true in your unattend.xml file? This is what copies all your changes when you convert your template to a VM. Without this step, all your changes are undone.
    Jason

    Cheers Jason. IPv6 remains enabled on the template after the sysprep, because I end up with “local area connection 2″, not “local area connection”.

    I will do some more testing.

    A silly question, but from what I understand, you don’t need sysprep on your VC for W2K8 right?

    Cheers
    Greg

  15. JohnC
    May 20th, 2010 at 04:55 | #15

    @Greg

    I’m finding the same thing.. local area connection 2, with ‘no internet access’ and the NIC comes up with a yellow exclamation mark, but the server is pingable, accessable, on the domain, etc?

    Also, each time the VM is restarted, it shoes ‘vmware image is customisating’ message and then eventually boots into the OS. Strange.

  16. JohnC
    May 20th, 2010 at 04:56 | #16

    Customizing..not customisating.. sorry, its gettin’ late here ;)

  17. JohnC
    May 20th, 2010 at 04:57 | #17

    Also..strange but true – the VM hasn’t asked me once to activate the product! It’s already showing as activated…

    Used a MAK Key in the customization wizard… if this helps?

  18. Tom
    May 20th, 2010 at 13:15 | #18

    Thank you for writing and posting this. One addition: for those who need the server (for whatever reason) to have a “nicer” GUI than the default GUI, one can install the ‘Desktop Experience’ feature to get more GUI customization — at least a Windows Classic GUI anyway. Anyway, thanks very much again!! Tom

  19. Tom
    May 21st, 2010 at 09:24 | #19

    System Preparation Tool 3.14 — is this already included or must I go get it somewhere??

    Thank you, Tom

  20. Tom
    May 21st, 2010 at 11:38 | #20

    Tom :
    System Preparation Tool 3.14 — is this already included or must I go get it somewhere??

    I figured this out…I also determined that the unattend statement must be on a single line, no wrapping, before it’s pasted to a command prompt window.
    Thank you, Tom

  21. Alain
    June 2nd, 2010 at 09:17 | #21

    Hello there !

    I’ve a problem with a VM template and Windows Server 2008 R2.
    As mentionned before, the machine created from this template is very slow, but also, the machine reboots at first creation, then shows a message error : Windows could not finish configuring the system. To attempt to resume configuration, restart the computer.

    Restart doesn’t actually work, I have to start in safe mode, shut down the machine several times, and reboot.

    PS : I can’t tell you what steps have been followed, because I’m not the admin, but this problem really annoys me !

    What could it be ?

    Thanks !

  22. Tom
    June 3rd, 2010 at 08:28 | #22

    One improvement would be to describe what happens and what one does after clicking OK with the sysprep 3.14 tool…It’s puzzling that it makes me repeat the entire installation etc.

  23. Tom
    June 3rd, 2010 at 08:33 | #23

    Explanation of the above comment: I created a nice VM with an unattended install…everything I wanted, properly joined to the domain etc….sysprep caused a complete new install, where I had to set up a new password etc. for a local Administrator account etc., which I did not want to have…I only wanted the one domain admin account on the VM…

  24. Tom
    June 3rd, 2010 at 08:44 | #24

    I re-read the sysprep explanation, now I understand what happens with the new local account, I would like to know if this is possible to avoid??
    I restored my VM to its former state and will try cloning instead, then changing the machine name…
    I understood templates in ESX but vSphere has me baffled :)

  25. June 8th, 2010 at 11:16 | #25

    Jason,

    Thanks for the article. I am having a bit of a problem with the sysprep part. I saved the file from your link to my desktop and transfered it to a server available to the VM. When I run the command I get an error that says “Windows could not parse or process unattended answer file [unattend.xml]. The specified file does not exist. I copied the unattend.xml file to the same directory ay sysprep.exe and it is not hidden or read only. I am using 2008R2 Enterprise and changed the line to reflect that.

    Any suggestions?

  26. June 8th, 2010 at 11:18 | #26

    Jason,

    Thanks for the article. I am having a bit of a problem with the sysprep part. I saved the file from your link to my desktop and transfered it to a server available to the VM. When I run the command I get an error that says “Windows could not parse or process unattended answer file [unattend.xml]. The specified file does not exist. I copied the unattend.xml file to the same directory ay sysprep.exe and it is not hidden or read only. I am using 2008R2 Enterprise and changed the line (cpi:offlineImage cpi:source=”wim:f:/sources/install.wim#Windows Server 2008 R2 SERVERENTERPRISE” xmlns:cpi=”urn:schemas-microsoft-com:cpi” /) to reflect that.

    Any suggestions?

  27. June 8th, 2010 at 11:27 | #27

    I just found that if I navigate to the sysprep directory and run the command sysprep.exe /generalize /unattend:unattend.xml from there it runs fine. Must be a 2008 R2 rights issue.

  28. Mike
    June 11th, 2010 at 07:46 | #28

    You guys Rock…. I am in the process of implementing vSphere on my network and introducing win2k8R2 and your posts is going to make my life much easier during the transition. Again, Thank you all for the post and the comments.

    Very Helpful

  29. Backstreets
    June 16th, 2010 at 16:03 | #29

    @Tom
    Tom,
    I have the same problem. I ran the sysprep and now after it rebooted I’m starting a new installtation again.

  30. franske73
    June 18th, 2010 at 03:57 | #30

    Excellent template, works prefect. Only thing I changed is setting the page file on drive C.
    Since we use sync/replication between our SANs, I don’t want the page file being replicated all the time. The swap drive is on a LUN which isn’t being replicated.

    Thanks

  31. July 15th, 2010 at 02:29 | #31

    I’ve gone through this process a couple of times now and everything works perfectly, except that once sysprep has run and the machine reboots I find that I have to reinstall the VMTools as the video, mouse and networking gets screwed up.

    I’m using vSphere 4.1 and Windows 2008 R2 Enterprise with all the latest patches.

    I’ve also has an issue where the windows interface freezes when I click on computer / drive c.

  32. July 15th, 2010 at 07:48 | #32

    @Alasdair Carnie
    Hi Alasdair,

    I’m afraid I am not able to replicate either issue. I have had no issues with the template so far.

  33. FrankS
    September 15th, 2010 at 07:45 | #33

    This is a nice list of those “oh I forgot to do…” for 2K8R2. It should help keep from switching back and forth between vm and template to update. The one item I disagree with is the sysprep. I see lots of discussion about this on here and some confusion. I do not manually run sysprep. During deployment, the customizations are inserted into the OS via sysprep “automagically”. No need to create an unattend file. More info> http://vinf.net/2009/07/09/how-to-deploy-a-windows-2008-server-from-a-template-with-vsphere/

  34. BrettM
    September 17th, 2010 at 14:17 | #34

    As FrankS said, nice “oh yeah” article.

    One question – what made you choose to put your swap file where you did? Why not just leave it on the C: drive, or not on a separately configured ESX datastore just for swapfiles (as some other blogs have recommended)?

  35. BrettM
    September 20th, 2010 at 16:22 | #35

    Oh, FYI – the Microsoft KB article for 2008 R2 (and Win7) for copying settings to the default user profile is http://support.microsoft.com/kb/973289

    The one you reference above (959753) is for Windows 2003 and XP.

  36. BrettM
    September 22nd, 2010 at 11:47 | #36

    Found more on Pagefiles for VM’s. Trouble is, most people still use rather antiquated (or just plain wrong) info on deciding pagefile size. Here’s a link to a much more updated way of deciding just how much pagefile you need: http://www.vmwareinfo.com/2009/02/how-big-should-i-make-paging-file-in.html

  37. Johan Lundqvist
    September 27th, 2010 at 08:32 | #37

    Very useful indeed. It would be kick-ass-cool if someone with good scripting skills could make a script of all these settings. THAT would be a tremendous time saver. Just install a base 2008 server and then *BANG* run the script and the server is ready…

  38. Steve C
    September 30th, 2010 at 07:28 | #38

    Thanks very much for this. I am just looking at creating a W2K8 R2 server template in vsphere 4. At present our servers use a seperate drive, Mode Independent | presistent, for pagefiles on a seperate LUN. Would this be recreated as part of the template build?

  39. Kimber
    October 8th, 2010 at 09:53 | #39

    Jason or anyone,

    At the end of this how to, you say:

    “System Preparation Tool 3.14
    Choose Enter System OOBE
    Check Generalize button
    Leave shutdown option as reboot
    Click OK
    Release the IP and turn VM into a template in Virtual Center”

    I am a little confused. Wouldn’t I need to shutdown and not reboot in order to convert this vm to a template? The VM rebooted and is not at the Set Up Windows screen.

    Please help if anyone can. Would like to finish this thing today.

    Thanks

  40. Peter
    October 18th, 2010 at 14:30 | #40

    Kimber,

    I also have the same question. If you let the system reboot after sysprep, you will be regenerating a new SID. If that VM is converted to template and later cloned into VMs, all the VMs will have the same SID. I think that step is a mistake unless MS changed the sysprep in Windows 2008 R2.

  41. BrettM
    October 18th, 2010 at 15:47 | #41

    Kimber, Peter,
    Yep you are right, you do not reboot, you just shut down and then turn it into a template, otherwise Sysprep will run on reboot, generate a new SID and as Peter pointed out your cloned VMs will then all have the same SID.

    Another thing to consider when using vSphere4.x – you have the option to either Convert to Template, or Clone to Template.

    Basically, if you sysprep the machine yourself (as is done here to preserve the profile settings) you should choose the Clone to Template option.

    The Convert to Template option allows vSphere to take a Windows Vista or later OS and apply sysprep automatically upon conversion (because Sysprep is included with all OS versions of Vista and later). It’s a quick and dirty method of applying sysprep to a machine to quickly turn it into a template so that you don’t have to mess with the Windows AIK toolkit (which is quite cumbersome). Problem is, this method has very limited options on how you can control sysprep; most notably (as far as Jason’s original post is concerned), it won’t allow you to copy any profile settings you made – any changes you make get undone. If you sysprep the machine yourself first (as Jason has done), then this option effectively applies sysprep twice to the machine – with the vSphere4.x Sysprep getting applied last. As a result, your profile changes remain (more or less) but it messes up the vSphere Tools deployment (or at least it did in my tests) and leaves the machine unable to connect to a network – and the only way to fix it is to remove and reinstall the vSphere Tools.

  42. Adeel
    November 24th, 2010 at 06:44 | #42

    Hi Jason
    wonderful work!

    1 question , u created the unattend.xml file for R2 std edition , if I like to create for enterprise and data centre edition then what should i do ?
    will change the last line manually do the job or i have to use WSIM to create for all versions one by one ?

    thanks

  43. Xeiran
    November 24th, 2010 at 10:05 | #43

    Adeel, nope you do not, the same unattend.xml file will work for all 3 versions; already tested it myself by building xml files for all 3 versions, they look the same except for the one line referring to the version, which is merely an “offline reference” and won’t affect sysprep (at least not as Jason has the unattend.xml file built anyway). The only thing you might need to change is the processorArchitechture = x86 or = amd64, depending on 32bit or 64bit.

    BrettM’s comment is also a little misinformed, vSphere4.x only reapplies sysprep if you choose to “customize” the template when deploying it. However, he’s right about the VMWare tools getting messed up if the template gets “double-sysprepped”.

    One other thing I’ve noticed with vSphere4.x, mouse movement is REALLY laggy in the vSphere Client. This is because VMWare Tools does not apply the correct video driver. The correct video driver does get copied onto the VM, however, and can be found at \Program Files\Common Files\VMWare, which fixes the mouse problem. Unfortunately, when you sysprep the machine to create your template, it makes the mouse laggy again even with the correct video driver. The only fix I have found so far (and it’s not much of a fix) is to remove VMWare Tools right before sysprepping, and then install it again (and re-correct the video driver) after deploying your template. You can also sysprep with VMWare Tools installed, then have to remove and reinstall it again after template deploy, but that’s just more work.

  44. Adeel
    November 24th, 2010 at 18:04 | #44

    thanks Xerian

    need some clarification .
    1- I belief amd64 is a standard regardless intel or AMD processor. is that correct?

    2- I understand 2008 got built-in sysprep so no need to choose option “customize” during the deployment in order to avoid “double-syspreped” . if this correct then i guess u do not need to define the product key bcoz thats required when u choose option customize?

    3- which option better once template ready , clone to template or convert to template?
    thanks

  45. Greg
    December 2nd, 2010 at 18:59 | #45

    It may just be me but i think i would add the second drive and use diskpart to allign=64 prior to using the VM.

  46. Xeiran
    December 3rd, 2010 at 10:50 | #46

    Adeel,
    1. Yes, “amd64″ is used for 64-bit systems regardless of AMD or Intel processors. AMD was the first to actually come out with a 64bit CPU based on the x86 cpu architecture (Intel was still trying to push their Itanium architecture at the time).

    2. All Windows OS’s from Vista onward have Sysprep “built-in” so to speak, it’s located in the \Windows\System32\sysprep directory. The “customize” setting (and the ability to possibly double-sysprep a system) is only possible if you are also using a VMWare vSphere4.x ESX or ESXi hypervisor, and you choose the option to “Deploy Virtual Machine from this Template”; the customize option is within there, and if you choose it, vSphere will try to sysprep the machine for you. However, if you have followed Jason’s instructions to create the template you are about to deploy, it has already been sysprepped once with Jason’s custom unattend.xml file, and as a result you would end up “double-sysprepping” your template, causing the problems I first described.

    3. Either option works, it’s your choice. Convert to Template literally converts your guest VM into a template, while Clone to Template leaves the guest VM alone and merely creates a clone of it in template form. Clone would be most useful when you want to create a “base” template image, but still want to further customize the guest VM (perhaps by installing additional software) for additional, more complex template images.

    Greg – that is a good idea if you are using Windows 2003 or below with a RAID or SAN setup. As of Windows Vista and above, Microsoft uses a 1,024KB partition offset, so there’s no need to manually align disk partitions anymore. See this article for more info: http://searchvmware.techtarget.com/tip/0,289483,sid179_gci1344730_mem1,00.html

  47. Milo
    February 4th, 2011 at 17:30 | #47

    Thank’s to all. I have learned a lot.
    Next week I will try to create first template.

    Any more improvments or updates to this procedure???

  48. Acdalek
    February 23rd, 2011 at 17:28 | #48

    Thanks for this. Do you know if you can ‘thin provision’ the template harddisk?

  49. BrettM
    February 23rd, 2011 at 18:52 | #49

    AcDalek, thin provisioning is more a function of which hypervisor you are using, rather than the template itself.

    That being said, I’ve had no problems thin provisioning my own templates using ESXi 4.1.

    On another note – ESX templates:
    About 4 months ago I mentioned problems I’d had with converting to an ESXi template, which Xeiran mistook as problems with “double sysprepping”. It took me quite a while to track down what my actual problem was – turns out it was a video driver issue. If you use Jason’s “unattend.xml” above verbatim, it won’t correctly apply the VMWare video driver; as a result, the mouse becomes very laggy after the first sysprep which copies the profile. The way to fix this is to bring the machine back up, configure it as needed by sysprep, uninstall and reinstall the VMWare tools (this will take 3 reboots), and *then* convert it into a template.

    Of course, if you do this, then the machine must be re-sysprepped again in order to wipe the SID a second time. So when you choose “Deploy Virtual Machine from this template”, it will walk you through several choices, and at the end you have the option to “Customize” the deployment – you *must* choose this, and must choose the “Generate New Security ID (SID)” option as well. When ESX runs sysprep a second time with its own customized “unattend.xml” file, it will correctly re-insert the video drivers and your template will deploy correctly (the template will boot a first time, then will seemingly sit idle for about 3 minutes before shutting down and rebooting again, with the custom ESX sysprep unattend file running during the second boot).

  50. Alessandro
    April 15th, 2011 at 08:19 | #50

    Hello,
    Very nice tutorial! I have a question about the laggy mouse issue: would it be feasible installing VMWare Tools with a run one command in the Guest Customization instead of installing them in the template?

  51. April 22nd, 2011 at 12:13 | #51

    I was also running into the video display driver issues after Sysprep (using Generalize and OOBE options). One of my coworkers figured out that if you use the Guest Customization option in vCenter instead of manually running Sysprep, the issue does not occur. There must be something different with how Guest Customization runs Sysprep that it mitigates the issue.

  52. Diana
    May 5th, 2011 at 11:42 | #52

    How significant is the movement of the page file, especially in a vm for SQL?

    Why would I want to enable SNMP? Do I have to have a managment server in place?

  53. BrettM
    May 5th, 2011 at 16:45 | #53

    Moving the page file allows you to easily snapshot or back up the machine file w/o having the page file take up space on that snapshot\backup. For backups, it simply makes things a bit cleaner (you don’t have to take the time to exclude the pagefile from the backup), while for SANs this is important since most SAN based snapshot methods cannot exclude the pagefile from the snap, and snapping a pagefile is a large waste of snap space.

    SNMP is mostly for those folks who have programs for monitoring various metrics through SNMP/WMI. These programs (such as Microsoft System Management Server or PRTG or Orion to name a few) monitor such metrics as how full the disks are, memory and CPU use, uptime of the server, etc, and can be programmed to automatically alert you in the event of a problem, or generate statistical reports on those metrics.

    Regarding pagefile size: Windows uses very liberal settings for “recommended” pagefile usage. The truth is, as long as a server has enough RAM, the pagefile will hardly ever get used and can be set at a minimal amount. For VM’s, if you ever find a server needing more than a minimal pagefile, it really needs more RAM – resize that instead. This is also the most efficient thing to do for VMWare, since its ballooning feature is faster and more efficient than pagefile swapping. A small pagefile is still useful even for VM’s however, for holding modified (stale) page info and freeing more RAM for running processes or file cache. I personally only use a swapfile of roughly 1Gb, or at most 2 Gb for virtualized SQL or Exchange servers, and it works just fine like that. For more info on actual pagefile use, go here: http://www.vmwareinfo.com/2009/02/how-big-should-i-make-paging-file-in.html

  54. alen
    June 7th, 2011 at 13:23 | #54

    @Alain
    Thats because you clone template which was already activated more than N times!

  55. Richard
    June 17th, 2011 at 18:04 | #55

    Great Build Book template, but I was disappointed that you recommend to disable Windows Firewall. This is very noobish.

  56. MattH
    June 28th, 2011 at 04:02 | #56

    @Richard

    Richard, what makes you say that?

  57. June 28th, 2011 at 07:08 | #57

    @MattH

    Matt, I can answer that. It’s actually best practice to leave the Windows firewall on. I should have been more specific in my writeup. This is meant for my environment where we have a managment directive to keep it off across all Windows OSes. There are specific reasons for this in our environment and other security precautions in place of it.

    It should be kept on to prevent 0 day attacks among others. If you have a group of servers on a subnet and keep them isolated from another subnet, they can’t talk to that subnet which is great but they can talk to each other on any port using any protocol. This is very poor security. Several months ago, I was in an environment cleaning up a 0 day worm attack that propogated using high number ports. The latest antivirus definitions could not detect the worm and since the environment had Windows firewall off, the environment became infected very quickly. This worm could have been stopped dead in it’s tracks had Windows firewall been on.

    Now some people turn it off because they don’t want the headache of managing it. But really, it can be managed through group policy very easily. That’s how it’s meant to be managed in a sever environment though I don’t think most people realize that.

  58. Jez
    June 28th, 2011 at 18:09 | #58

    Fantasic blog, as a novice at this I learnt alot.

    Following all instructions line by line no problems at all until it came to deploying the template. Powered up the newly created VM all seemed ok until the desktop appeared, I then noticed slugish mouse movement – graphics driver listed correctly but not loaded correctly (solved by un and re installing vmtools but bit of a pain). Also second disk listed as Z containing pagefile is not visible.

    I think some of these issues have been raised before just wondering if anybody is any closer to a solution

  59. BrettM
    June 29th, 2011 at 09:41 | #59

    Jez, see my comment from Feb23.

    In short, you bypass the problem by sysprepping twice, once to copy the profile, and again via ESX “customized” template deployment to actually deploy the template. Unfortunately, this trick won’t work unless you are using paid ESX which gives you the “clone/convert to template” option.

  60. Simon Mason
    July 19th, 2011 at 07:23 | #60

    I know that from research I have done that disk alignment between Windows OS and VMware is important. When initially installing Windows 2008 R2 it creates a ‘system’ partition of 100MB, the remainder is then allocated for the OS, did you keep this or use DISKPART to manually create and format the disk before continuing on with the install?

    Here is the article I have followed to achieve this http://sarithvs.wordpress.com/creating-a-windows-2008-r2-server-without-100-mb-system-reserved-partition/

  61. Steve Strong
    August 1st, 2011 at 04:15 | #61

    Great template build procedure, used it for 50+ VMs so far. I’ve discovered a few tweaks you may find useful for a performance boost.

    Check out
    http://www.citrixtools.net/Resources/Articles/articleType/ArticleView/articleId/5610/Windows-2008-R2-Remote-Desktop-and-XenApp-6-Tuning-Tips-Update.aspx

    The section under “Windows 2008 CPU Tuning (for VM only)” does give some extra performance if your VMs have multiple CPUs.

    I’ve has sluggish Mouse response in a VMWare console, this has been fixed in vSphere 4.1 vmtools updates.

  62. August 2nd, 2011 at 10:41 | #62

    @Steve Strong

    Thanks Steve! That’s a great link. I’m going to try some of these.

  63. JonP
    August 18th, 2011 at 16:18 | #63

    BrettM – I think you have this all right and the whole manual sysprep vs esx sysprep and clone vs convert are confusing. I have my machine build per the tutorial above. When I had my idea machine ready, I did NOT sysprep, and then I just converted to template. Then I deployed my vm from that template with an esx customization that I had previously setup. In the end, none of the profile specific settings are saved and only about half of the customizations set in my esx customization are set correctly.

    My question is, from the point where I have my ideal machine setup, what steps then should I take if I want to use my esx customization? Do I sysprep manually before I convert/clone to template? Do I convert or clone to template? Then once I have my template, do I just deploy from template or clone it?

    I apologize that you have explained this a few time above already, but it’s kind of spread out and there are different ways to go about this and I’m still a little confused.

    Thanks Jason, Brett and all for your contributions.

  64. BrettM
    August 19th, 2011 at 08:16 | #64

    @JonP
    Simply put, after setting up the profile to look the way you want:
    – (1) Run sysprep once manually using Jason’s settings.
    – (2) Restart the machine and let sysprep run to completion.
    – (3) Uninstall and then reinstall VMWare tools.
    – (4) Make sure the mouse is working correctly in the Virtual Client. Turn hardware acceleration to full if need be.
    – (5) Clone to template or convert to template, it really doesn’t matter which.
    – (6) Deploy virtual machine from that template, making sure to choose “Guest Customization” at the end of the wizard, and to “Generate a New Security ID (SID)” within the guest customization.

    The primary reason for manually sysprepping the first time with Jason’s unattend.xml is to save your customized profile settings as the default for new users – and keep in mind that even when doing this, there are a few things Windows won’t let you set as a default and will still revert back.

    As for Clone to Template vs. Convert to Template, the only difference is that one will merely convert your machine to a template, while the other will make a clone copy and turn the copy into a template while leaving the original alone.

  65. Julien
    August 22nd, 2011 at 01:59 | #65

    Hi,

    You may also need to add SkipRearm to your Sysprep to prevent Rearm countdown :

    - – 1

  66. August 25th, 2011 at 16:29 | #66

    I have ESXi 4.1 with a working, fully activated guest OS of Windows 2008 Standard Server R2. I have cloned it using a CLI command and have created a new VM with this clone. Windows is not activated. What can I do to have Windows fully activated like the original? Help! Thanks.

  67. BrettM
    August 25th, 2011 at 17:32 | #67

    @Gina
    Like *all* windows OS’s after 2000, if you sysprep them in order to make a deployable template, then for legal purposes you will have to activate the “new” OS with a different activation code.

    Practically speaking, the only way to avoid this step after deployment would be to either use an OS old enough that it does not require activation, or for 2008 servers set up a KMS licensing server which will activate it for you, which themselves can be a hassle and have their own minimum requirements, although they can be well worth the effort if you’re a big enough operation or if you have Windows Datacenter licensing.

  68. August 26th, 2011 at 11:37 | #68

    What I’m trying to do is on the OEM hardware, create the original VM of the OS, but just in case it fails or goes bad, I want to be able to use the “backup” vm copy fully functional without having to worry about the activation. No way to do that, huh?

  69. BrettM
    August 26th, 2011 at 13:09 | #69

    @Gina
    In that case, you don’t need a template, you simply need to clone the server. So don’t run Sysprep, just make a clone, as the whole point of sysprep is to make a template to deploy multiple new machines.

    However, if you don’t run sysprep you won’t be able to set up a user profile and then make it the default for all new users. If you want to do that, then when initially configuring the OS, don’t activate it. Do your initial setup, sysprep it, uninstall and reinstall VMWare tools if this is a VMWare installation, and THEN activate the OS. Then just clone it with whatever cloning software you prefer and set the clone aside for your backup purposes.

  70. Deano
    September 14th, 2011 at 09:09 | #70

    @BrettM and @Jason

    BIG thanks Jason and thank you Brett for your post on the 19th August, that made things much clearer for me ;)

    On another note, when I attempted to sysprep I was getting the following error mesages on my Windows 2008 R2 Enterprise;

    Firstly I got this booting up;

    autochk program not found – skipping AUTOCHECK

    …followed by a BSOD;

    STOP: c000021a {Fatal System Error} with status of 0xc000003a

    The only way I could fix this was to run DISKPART before I run Jason’s sysprep procedure. Luckily I has a snapshot prior to the sysprep so I didn’t lose any of the settings I had made. Here are Diskpart commands;

    LIST VOL
    SELECT VOL x
    DETAIL VOL <– Notice the NoDefaultDriveLetter entry is set to Yes
    ATT VOL CLEAR NoDefaultDriveLetter
    EXIT

    This resolved the issue for me, so just wanted to post here to maybe help others with the same…

    Deano

  71. Behruz
    December 30th, 2011 at 02:11 | #71

    Jason, thanks for great guide.

    gents, i’m stuck with sysprep error “”windows could not parse or process unattend answer file for pass [specialize] the settings specified in the answer file cannot be applied the error was detected while processing settings for component microsoft-windows-shell-setup”.

    i have tried to rename Administrator account back to the original name, i have tried to rearm my VL copy of Windows 2008 R2 (version was specifed in XML file)

    i have never created other users in the system to delete them in registry

    any other suggestions?

  72. Deano
    December 30th, 2011 at 03:56 | #72

    Hello Behruz,

    I believe that error message appears if you enter a Product key into the Guest customization wizard. Please ensure that the activation key in the Guest customization is DISABLED (i.e. not entered). If you don’t do this you will receive the error, so try it without…

    Deano

  73. Behruz
    January 6th, 2012 at 06:35 | #73

    the problem was with deleted user.

    i had to delete deleted user registry key from

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList

    now setup is ok. but I’m still unclear what to do with settings which are not surviving sysprep

  74. January 12th, 2012 at 08:37 | #74

    This is a great guide! I’m getting ready to set mine up soon, and will be using this to get it all going. Finger’s crossed!

  75. Forry
    January 12th, 2012 at 11:08 | #75

    Has anyone else noticed a problem with the UAC Settings window not working after deploying from this template?

    I have built a template for my organization and then run the sysprep steps that Jason provided above. After that I actually did reinstall of the VM tools and chose to repair them instead of uninstalling/reinstalling. This seemed to preserve my NIC and some other settings that a uninstall got rid of. I then shutdown the server and cloned to a template.

    After deploying from this template, I found that if I attempt to open the UAC options window, it just appears totally blank and then disappears. I will also get a “COM Surrogate has stopped working” error message from time to time.

    This seems to be the only thing I’m currently having issue with and any help would be appreciated.

  76. Forry
    January 12th, 2012 at 11:18 | #76

    Was just reading my post and realized that I didn’t mention that I did a sysprep on the server when deploying from the template also. So the problem seems to occur after doing the sysprep the 2nd time.

  77. Behruz
    January 14th, 2012 at 06:34 | #77

    Gents,

    i have updated unattend.xml file.

    1. You dont need to reinstall vmware tools! (true)

    2. it does not any question during after sysprep (accepts eula, set US locales),

    3. changes time zone

    4. configures IE to do not ask wizard

    5. Setup “P@ssw0rd” for Administrators account as password (you should change it)

    6. skip rearm process during sysprep (3 times max by default you can do rearm) so i think it will let us to do sysprep on single image many times

    pleasee bellow my full xml, but i’m not sure will you able to propely copy it

  78. Behruz
    January 14th, 2012 at 06:35 | #78

    
    
    <?xml version="1.0" encoding="utf-8"?>
    <unattend xmlns="urn:schemas-microsoft-com:unattend">
        <settings pass="specialize">
            <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-&#xD;&#xA;instance">
                <RegisteredOrganization>Damage Inc.</RegisteredOrganization>
                <RegisteredOwner>Damage Inc.</RegisteredOwner>
                <CopyProfile>true</CopyProfile>
                <TimeZone>Azerbaijan Standard Time</TimeZone>            
            </component>
            <component name="Microsoft-Windows-IE-InternetExplorer" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <DisableFirstRunWizard>true</DisableFirstRunWizard>
            </component>
        </settings>
        <settings pass="generalize">
            <component name="Microsoft-Windows-Security-SPP" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <SkipRearm>1</SkipRearm>
            </component>
            <component name="Microsoft-Windows-PnpSysprep" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <PersistAllDeviceInstalls>true</PersistAllDeviceInstalls>
            </component>
        </settings>
        <settings pass="oobeSystem">
            <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <OOBE>
                    <HideEULAPage>true</HideEULAPage>
                </OOBE>
                <UserAccounts>
                    <AdministratorPassword>
                        <Value>UABAAHMAcwB3ADAAcgBkAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAUABhAHMAcwB3AG8AcgBkAA==</Value>
                        <PlainText>false</PlainText>
                    </AdministratorPassword>
                </UserAccounts>
            </component>
            <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <InputLocale>en-US</InputLocale>
                <SystemLocale>en-US</SystemLocale>
                <UILanguage>en-US</UILanguage>
                <UserLocale>en-US</UserLocale>
            </component>
        </settings>
        <cpi:offlineImage cpi:source="wim:e:/sources/install.wim#Windows Server 2008 R2 SERVERDATACENTER" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
    </unattend>
    

  79. Behruz
    January 14th, 2012 at 06:37 | #79

    i’m working on the script wich will finileze installation and edit Default User regisrty before Administrator logons to the system. so you will have full unattended installation soon

  80. Behruz
    January 19th, 2012 at 07:55 | #80

    Gents,
    I think I have finished my VMware GOLD template preparation. It took my while to understand finalization phase of template preparation. I hope this experience would be useful for other admins and will save a lot of time.
    You can find a lot of guides in Internet how to prepare VMware template but all of them has a gap of details
    I will start from the moment where reference machine is ready and Administrator account is configured as it’s described in the original blog post and your own settings. Please document all changes that you applying during customization even small changes like changing Windows Explorer Folder Options needs to be documented. It will let you track changes which is not surviving Sysprep process
    NOTICE: Do not create a test or any other user during preparing reference PC. Use only Administrator for configuring all changes. Even deleted user account can give use head each during Sysprep
    Bellow my the changes which is not surviving Sysprep
    1. Pinned apps to the taskbar
    2. Timezone
    3. IE First Run Wizard settings
    4. Local Administrator changed name (after Sysprep it comes back to the original name)
    5. Password never expires for Administrator account
    6. Lower Boot Menu timeout
    7. Windows Update Settings (will be managed by Group Policy)
    8. Disable Hibernation: powercfg.exe -h off (it really survive on my config, but most of the blogs says apposite)
    9. Windows Explorer: Show All Folders (Folder Options)
    10. Windows Explorer: Automatically expand to current folder (Folder Options)
    11. CDROM Drive letter changed from D: to X: (I will skip it)
    12. Data display format has been changed to dd-MMM-yy
    13. Short time display format has been changed to hh:mm tt
    14. Some other regional settings such as Metric instead of Inches or A4 paper size instead of Letter
    15. VMware Tools
    All settings above are not surviving VMware Customization Specifications Manager (it also half uses Sysprep) except regional settings. This happens because of VMware does not copy profile and default profile already edited during first Sysprep. I will back to this latter
    When reference VM is ready we need to Sysprep it but we don’t want it to be asked during Sysprep and leave custom settings. To do that we will use detailed unattend.xml and SetupComplete.cmd file and it will call additional vbs script to edit Default User registry hive during finale step of Sysprep.
    We are running Sysprep and specifying our unattend.xml to be used during generalization. Xml file does the following
    1. Specifies the Registered Organization and Owner (we will see this info in About window)
    2. Copy profile (copying Administrator’s profile in to the Default User)
    3. Timezone
    4. Disables IE first time wizard
    5. Skips rearm process (it will allow us to edit single image as much as we wanted)
    6. Persist All Device Installs (so we don’t need to reinstall VMware Tools after Sysprep)
    7. Hide EULA page during Sysprep
    8. Set’s password for Administrator
    9. Enter locales, Language, User locale settings (EN-US in my case)
    If would place SetupComplete.cmd in to the C:\Windows\Setup\Scrips Sysprep will look for it and run it. In my case I have edited the following settings which is not surviving Sysprep
    1. Timezone (for vmware customization)
    2. Local Administrator changed name (after Sysprep it comes back to the original name)
    3. Password never expires for Administrator account
    4. Lower Boot Menu timeout
    5. Disable Hibernation: powercfg.exe -h off (it really survive on my config, but most of the blogs says apposite)
    6. Windows Explorer: Show All Folders (Folder Options) by vbs script
    7. Windows Explorer: Automatically expand to current folder (Folder Options) by vbs script
    8. Data display format has been changed to dd-MMM-yy by vbs script
    9. Short time display format has been changed to hh:mm tt by vbs script
    10. Some other regional settings such as Metric instead of Inches or A4 paper size instead of Letter by vbs script
    SetupComplete.cmd as first step runs vbs script and script load Default User registry hive (stored at NTuser.dat) and changes it as I wanted then unload it, and runs simple command line commands and then deletes itself.
    When we are logging on under renamed Administrator we can see that most of the changes except Windows Update settings, changed letter for CDROM and pinned taskbar icons are in place.
    From this moment image is ready to be converted to the VMware template. Before we convert we need to place SetupComplete.cmd file to the C:\Windows\Setup\Scrips, remove line where it runs script. This has been done due to VMware run Sysprep once again and during this process it removes our custom settings except Default User registry changes and rearms windows copy. Remember we have skipped it once during first Syspep?
    In my custom specification manager template I have specified stronger password (default is P@ssw0rd) in VMware template, Time zone (even I’m specifying Azerbaijan +0400 afterwards it shows hated Yerevan instead of Baku), use virtual machine name as name of PC and generate new SID all other settings are default but you can join to domain during this process.
    I hope my explanation was easy to understand and helpful for you. I will post my xml, cmd and vbs file in another comment

  81. Behruz
    January 19th, 2012 at 07:57 | #81

    unattend.xml

    
    <?xml version="1.0" encoding="utf-8"?>
    <unattend xmlns="urn:schemas-microsoft-com:unattend">
        <settings pass="specialize">
            <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-&#xD;&#xA;instance">
                <RegisteredOrganization>Damage Inc</RegisteredOrganization>
                <RegisteredOwner>Damage Inc.</RegisteredOwner>
                <CopyProfile>true</CopyProfile>
                <TimeZone>Azerbaijan Standard Time</TimeZone>            
            </component>
            <component name="Microsoft-Windows-IE-InternetExplorer" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <DisableFirstRunWizard>true</DisableFirstRunWizard>
            </component>
        </settings>
        <settings pass="generalize">
            <component name="Microsoft-Windows-Security-SPP" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <SkipRearm>1</SkipRearm>
            </component>
            <component name="Microsoft-Windows-PnpSysprep" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <PersistAllDeviceInstalls>true</PersistAllDeviceInstalls>
            </component>
        </settings>
        <settings pass="oobeSystem">
            <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <OOBE>
                    <HideEULAPage>true</HideEULAPage>
                </OOBE>
                <UserAccounts>
                    <AdministratorPassword>
                        <Value>UABAAHMAcwB3ADAAcgBkAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAUABhAHMAcwB3AG8AcgBkAA==</Value>
                        <PlainText>false</PlainText>
                    </AdministratorPassword>
                </UserAccounts>
            </component>
            <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <InputLocale>en-US</InputLocale>
                <SystemLocale>en-US</SystemLocale>
                <UILanguage>en-US</UILanguage>
                <UserLocale>en-US</UserLocale>
            </component>
        </settings>
        <cpi:offlineImage cpi:source="wim:e:/sources/install.wim#Windows Server 2008 R2 SERVERDATACENTER" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
    </unattend>
    
    

  82. Behruz
    January 19th, 2012 at 07:57 | #82

    SetupComplete.cmd

    
    REM ###################################################
    REM ###################################################
    REM ##                                               ##
    REM ##     Apply customizations to the System        ##
    REM ##   settings which is not surviving Sysprep     ##
    REM ##                                               ##
    REM ###################################################
    REM ###################################################
    @echo off
    REM ******************************************************
    REM  Load and Edit Default User registry hive via vbscript (disable this part during second sysprep called by VMware)
    REM ******************************************************
    %systemroot%\system32\cscript.exe /nologo %systemroot%\setup\Scripts\registry.vbs
    REM ******************************************************
    REM  Pauses system for 1 second (';' means disabled)
    REM ******************************************************
    ;CHOICE /C N /D N /T:1 >nul
    REM ****************************************************************
    REM  Edits Timezone, System Boot menu timeout, disables Hibernation 
    REM ****************************************************************
    tzutil /s "Azerbaijan Standard Time"
    bcdedit /timeout 5
    powercfg.exe -h off
    ;CHOICE /C N /D N /T:1 >nul
    REM *****************************************************************************
    REM  Renames default Administrator name and set password to never expires option
    REM *****************************************************************************
    wmic useraccount where name='Administrator' call rename name='!frontrow'
    ;CHOICE /C N /D N /T:1 >nul
    wmic useraccount where name='!frontrow' Set PasswordExpires="FALSE"
    ;CHOICE /C N /D N /T:1 >nul
    REM ******************************************************
    REM  Cleanup
    REM ******************************************************
    del /F /Q %systemroot%\setup\scripts\SetUpComplete.cmd
    
    

  83. Behruz
    January 19th, 2012 at 07:58 | #83

    registry.vbs

    
    dim objWshShell
    
    Set objWshShell = WScript.CreateObject("WScript.Shell")
    
    '=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    'Default User Regisrty Editing
    '=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 
    objWshShell.Run ("reg.exe load HKEY_USERS\CustomizeDefaultUserProfile ""c:\Users\Default User\NTuser.dat"""), 0, True 
    
    '=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    'Settings
    '=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 
    'Set the registry keys to display Date (short and long) in EU format
    objWshShell.RegWrite "HKEY_USERS\CustomizeDefaultUserProfile\Control Panel\International\sShortDate", "dd/MM/yyyy","REG_SZ" 
    objWshShell.RegWrite "HKEY_USERS\CustomizeDefaultUserProfile\Control Panel\International\sLongDate", "dd MMMM yyyy","REG_SZ" 
    'Set the registry keys to display Time (short and long) in EU format
    objWshShell.RegWrite "HKEY_USERS\CustomizeDefaultUserProfile\Control Panel\International\sShortTime", "HH:mm","REG_SZ" 
    objWshShell.RegWrite "HKEY_USERS\CustomizeDefaultUserProfile\Control Panel\International\sTimeFormat", "HH:mm:ss","REG_SZ" 
    'Set the registry keys to display Date/Time (short and long) in EU format? (see LOCALE_IDATE and LOCALE_ITIME at MSDN)
    objWshShell.RegWrite "HKEY_USERS\CustomizeDefaultUserProfile\Control Panel\International\iDate", "1","REG_SZ" 
    objWshShell.RegWrite "HKEY_USERS\CustomizeDefaultUserProfile\Control Panel\International\iTime", "1","REG_SZ" 
    'Set the registry keys to use A4 paper size as defeault (EU regional settings)
    objWshShell.RegWrite "HKEY_USERS\CustomizeDefaultUserProfile\Control Panel\International\iPaperSize", "9","REG_SZ" 
    'Set the registry keys to use Metric as defeault measurement system(EU regional settings)
    objWshShell.RegWrite "HKEY_USERS\CustomizeDefaultUserProfile\Control Panel\International\iMeasure", "0","REG_SZ" 
    'Set the registry keys to use Monday as defeault first day of the week(EU regional settings)
    objWshShell.RegWrite "HKEY_USERS\CustomizeDefaultUserProfile\Control Panel\International\iFirstDayOfWeek", "0","REG_SZ" 
    
    'Set the registry keys to always dispaly Menu in Explorer, enables Show all folders and Automatically expand to current folder in Navigation pane in Explorer
    objWshShell.RegWrite "HKEY_USERS\CustomizeDefaultUserProfile\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NavPaneExpandToCurrentFolder", "1","REG_DWORD" 
    objWshShell.RegWrite "HKEY_USERS\CustomizeDefaultUserProfile\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NavPaneShowAllFolders", "1","REG_DWORD" 
    objWshShell.RegWrite "HKEY_USERS\CustomizeDefaultUserProfile\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AlwaysShowMenus", "1","REG_DWORD" 
    
    'Unload the Default User profile registry hive 
    objWshShell.Run ("reg.exe unload HKEY_USERS\CustomizeDefaultUserProfile"), 0, True
    
    'Delete the script
    DeleteSelf
    
    Sub DeleteSelf()       
            Dim objFSO
            'Create a File System Object
            Set objFSO = CreateObject("Scripting.FileSystemObject")
            'Delete the currently executing script
            objFSO.DeleteFile WScript.ScriptFullName
            Set objFSO = Nothing
    End Sub
     
    

  84. Dave D
    February 2nd, 2012 at 11:24 | #84

    Turns out powercfg is case sensitive on parameters use -H OFF

    Disable Hibernation
    Command Prompt, enter powercfg.exe –h off

    There are a couple extra steps to get from control panel to High Performance. Print screens would be sweet.

    This guide is great. Thank you Jason

  85. Spooner
    February 3rd, 2012 at 10:24 | #85

    Hi,

    Great post.

    But Im havign issues with the pagefile. I’ve set it to map to the Z: drive on a NFS share so it’s not included in any backups and for SRM. But when the VM is rebooted Im seeing the disk and being offline. I have to online it, initialiase and then create the volume. Very frustrating. This is on my base image before I run sysprep.

    Any ideas anyone?

    Thanks

  86. February 20th, 2012 at 06:22 | #86

    Great article and very helpfull. I have a question regarding to setting up a template with Win 2008 server. If hardware changes on the esx machine or in the virtual machine. Do i need to re-activate the win server 2008 vm? So if i change memory or cpu specs to the vm, wil Windows still be activated? If it doesn’t, i can call Microsoft for this and let it to work with the license anyway, but i don’t want this to be an issue for every template that is being used.

  87. March 13th, 2012 at 02:05 | #87

    Very nice information , which saved lot of time for me. Thanks you. I have mentioned this article on my blog as well.

  88. March 13th, 2012 at 02:07 | #88

    Very nice information , which saved lot of time for me. Thanks you. I have mentioned this article on my blog as well.

  89. Zeman
    March 21st, 2012 at 01:22 | #89

    Excellent guide!

    Out of curiosity does all the fun and games regarding sysprepping and double-sysprepping also hold true for vSphere5? Not sure if any changes were made since 4.1 regarding this.

  90. Andy
    March 30th, 2012 at 02:47 | #90

    I have the same problem as Behruz on 30 dec.

    “Windows could not parse or process unattend answer file for pass [specialize] the settings specified in the answer file cannot be applied. The error was detected while processing settings for component [Microsoft-Windows-Shell-Setup].”

    After this i get the error “The computer restarted unexpectedly or encountered an unexpected error. Windows installation cannot proceed. To install Windows, click “OK” to restart the computer, and then restart the installation.

    Any ideas?

  91. Andy
    March 30th, 2012 at 08:20 | #91

    Behruz gaf de oplossing al aan maar ik vond het toen niet direct.
    Onder HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList was er inderdaad nog een sleutel met een bijhorende user.

  92. Dan
    March 30th, 2012 at 08:37 | #92

    @Behruz

    Behruz, you are my Hero ! It took me a while to digest and understand what you did, but I finally got it and it WORKS!
    What I figured out is ;
    1) Edit your 3 files to adjust for the settings I wanted (Eastern Standard Time, Company name, etc) and copy the files to the server, I put the unattend.xlm in the c:\windows\system32\sysprep folder, put the other two files in %systemroot%\setup\scripts\

    2) run sysprep with your ‘enhanced’ unattend.xml and then that sets the image up where it does not rearm.. I think that is key. (this also runs the .cmd file when it boots)

    3) login with the password you mention (I did not change that here) Then copy the .cmd file back to the scripts folder (it deletes itself) , the REM this line in the .cmd file: %systemroot%\system32\cscript.exe /nologo %systemroot%\setup\………

    4) Convert it to a template and then deploy !!

    It then runs the VMWare guest customizations (it was never doing this before,) I think because either VMWare is broken or it did not like the fact it was sysprepped once already.

    I think VMWare could fix this by putting the copyprofile option in their guest customization? not sure thought.

    thanks again !!

  93. Mark Wolf
    April 3rd, 2012 at 11:38 | #93

    Great blog Jason. Sounds like you and your co-worker really know your stuff…especially the co-worker :)

    LOL

    Mark

  94. July 4th, 2012 at 09:49 | #94

    Thank you, I had same problem

  95. August 17th, 2012 at 16:29 | #95

    After I initially commented I seem to have clicked
    on the -Notify me when new comments are added- checkbox and from now on every time a
    comment is added I receive 4 emails with the same comment.
    Is there a way you are able to remove me from that service?
    Kudos!

  96. Katia Dean
    September 9th, 2012 at 22:53 | #96

    Good web site you have here.. It’s difficult to find good quality writing like yours nowadays. I honestly appreciate individuals like you! Take care!!

  97. Levi
    October 23rd, 2012 at 21:12 | #97

    Great writeup. Sure wish our IT department would pull their heads out of their a%$es. So with that, I’ll continue better practices with my personal lab at the house!

  98. Carl
    November 20th, 2012 at 11:41 | #98

    I’m curious why you move the paging file to another drive? If the virtual disks are stored on the same datastore (and physical disk), is there any benefit to moving it?

  99. Miguel
    August 16th, 2013 at 10:34 | #99

    Hi, great article, can you tell me if the sysprep section applys to windows server 2012?

  100. Matt
    August 14th, 2014 at 10:51 | #100

    Only thing I would tweak would be changing the controller for LSI Logic SAS to VMware Paravirtual. Easiest way is when you add a 2ndary disk, switch that 2nd disk controller to VMware paravirtual, this will install the needed driver (from vmware tools). Then shut down, and change your main OS disk to Vmware Paravirtual.

    Thanks for the article.

  1. April 7th, 2011 at 15:22 | #1
  2. December 10th, 2011 at 17:12 | #2
*


NOTE: Due to increased spam, your comment may not immediately appear on the site until validated.