Mike's Realm chown -R us ./base


Howto: Build a Windows Server 2008 R2 VMware Template

So, you have to build a Windows Server 2008 R2 VM Template ESX/ESXi?  Theres a lot of folks out there that give their 2 cents on the matter, and a few walkthroughs but everytime you read one thing you come across something new...So I decided to put my procedure online and I also added some notes about each task with reasoning for why I do each task.

I integrated bits and pieces from: SOLORI's BlogJeremy Waldrop's Blog, Techhead and  Yellow Bricks as well as various bits from technet.

Remember to setup vCenter for Guest Customizations by placing the sysprep files for all the various versions of Windows in the proper locations, refer to this VMware KB Article for locations and instructions: VMware KB: 1005593

Give your feedback, if you don't agree with something let me know!

Things you may need to keep out of your templates: (research your particular product)

  • Anti-Virus Agents
  • Systems Management Clients (LANDesk, Altiris, SMS, SCCM, etc.)

This is how I put together Windows Server 2008 R2 VMware Templates:

Build a VM with these specs:

Disk - C:\ 40Gb (Thin Provisioned)
Memory 1024 MB
Network Adapter 1 VMNET 3

Then follow this procedure:

Task Notes/Reasoning
Mount Windows 2008 R2 ISO How else are you going to install? (anyone still using RIS out there?)
Boot to CD Drive ...
Install Windows 2008 R2 (Full) Select full, we aren't doing a core edition template...
Set Admin Password when prompted yes...
Log in Setup will have rebooted the machine and you'll be looking at the login screen
Set Time Zone Time is important
Install VMware Tools Fix that laggy mouse and gain the additional benefits
Enable Remote Desktop w/ NLA Allow Secure RDP
Install Telnet Client Nice to have it installed before you need it your netadmin will <3 you for this
Install SNMP Services feature (SNMP Service, SNMP WMI Provider) Most people have some kind of network monitoring that will take advantage of the additional info SNMP will provide
Configure SNMP:
Contact: Help Desk
Location: VMware
Services: Physical, Applications, End-to-end
This is SysContact, SysLocation and SysServices (as defined by RFC1213)- these are picked up by alot of network monitoring tools, letting them know it's virtual without having to nmap or otherwise find the NICs mac and see it's VMware is nice
Disable Windows Firewall on all 3 profiles You can turn it back on and punch your holes later
Disable Indexing on C:\ This is really a performance thing, and is augmented further by virtualization, imagine your VMs sitting idle indexing the C:\ drive, awesome use of CPU cycles!
Configure IE:

  • Home page: about:blank
  • Set Google as default search
  • Remove Bing
  • Remove all Accelerators
  • Configure Advanced Settings
    • Disable Show friendly HTTP error messages
    • Enable Empty Temporary Internet Files folder when browser is closed
These are what I like, home pages slow down IE loading, when I'm just going to navigate elsewhere, Google > Bing, Kill Bing, Remove accelerators--because we aren't mapping or blogging from our servers..., and advanced settings, ensure temp files are cleared when you exit IE, and turn off those friendly HTTP errors
Configure systray to always show icons/notifications Personal preference, I don't want to have to unhide icons when I'm looking for something...
Configure IE ESC to be disabled for Administrators Admins are going to do this anyway...
Adjust visual effects for performance Save some CPU, removes the unnoticable fancy stuff, window shadows, cursor shadows, etc.
Lower Boot Menu timeout to 5 seconds In case something else ends up in the boot menu, don't want reboots to take longer then they have to...oh and this won't survive sysprep anyway...
Modify Folder Options to:

  • Enable Show hidden files, folder, and drives
  1. Disable Hide extensions for known file types
  2. Disable Hide protected operating system files
  3. Disable Sharing Wizard
  4. Enable Display the full path in the title bar
This is all self explanatory no?
Set Control Panel to Large Icons Not even sure if this survives sysprep
Set Windows Update to Never check for updates This won't survive sysprep but is required so you can check for updates
Windows Update -> Check for updates
Apply Updates
Restart (required for Windows Updates)
Log in
Windows Update -> Check for updates
No more updates required to apply--Did not apply:

  1. .NET Framework 4.0
  2. None of the Best Practices Analyzers
  3. IE8 Compatibility View List
I don't put any of these updates into images (.NET 4.0 can present problems, you can always install it if required on a per machine basis, but not hose up the works on every other VM that likely won't need it.
Install BGInfo to C:\BGInfo
Create Shortcut with switches in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
BGInfo is your friend! - click here for more info on BGInfo
Rename Computer to Win2k8-R2-E-Template This is just personal preference, when you deploy the VM your guest customization will rename it to whatever you want anyway
Add Description: “VMware Template” Let AD know this is a VM
Delete desktop.ini file on desktop House keeping before defrag
Empty C:\Users\Administrator\AppData\Local\Temp House keeping before defrag
Disable Hibernation via powercfg.exe -h off (deletes hiberfile.sys) Our servers aren't going to hibernate
Disable Paging Don't be afraid, this is to defrag as much as possible
Restart (required for disabling paging)
Defrag C:\ Optimize everything
Renable Paging self explanatory...
Set Power Plan to High Performance & Never Turn off the display Ensure that the server never sleeps or anything
Create temp user and add to local administrators group This is the beginning of the h4x!
Log out because your going to login with the temp account
Log in as temp user mkay...
Copy Administrator Profile to Default Profile Now you see why we made that temp account, some people use sysprep to do this, I like to use Windows Enabler since this option is grayed out in Windows Server 2008
Log out
Delete temp user
Restart required to delete locked temp user profile bits
Log in as Administrator
Delete temp user profile
Delete ntuser.dat.* files from Default Profile
Test IE and verify settings An update may have botched your IE settings, so double check!
Shutdown Bye guys
Detach ISO Ya...
Convert to Template Mkay...

Build your Guest Customization Specification with these RUNONCE commands

reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update” /v AUOptions /t REG_DWORD /d 1 / Disable automatic updates (does not survive sysprep)
start /w slmgr.vbs -ipk <YOUR PRODUCT KEY HERE> Set your product key, required for activation
start /w slmgr.vbs -ato Activate Windows
bootcfg /timeout 5 Set bootmenu timeout to 5 seconds (does not survive sysprep)
powercfg.exe -h off Turn off Hibernation (does not survive sysprep)
Comments (22) Trackbacks (0)
  1. I ran into following problem

    Guest customization with Microsoft Windows 2008 Enterprise and R2 Forces Administrator to Change Password

  2. Wow! Finally a guide out there that explains their logic behind each step. If only more bloggers wrote like this to actually educate and allow administrators to make their own decisions. So many people act like sheep and follow articles without questioning things.

  3. This is all fine, except the default user process. Using Windows Enabler and the grayed-out Copy To button is a bad idea with Win2008 R2. The right and proper way to do this is with sysprep, and it’s way easier than everybody thinks. Create a file C:\Windows\RebuildProfile.xml. Fill it with this:

    <?xml version=”1.0″ encoding=”utf-8″?>
    <unattend xmlns=”urn:schemas-microsoft-com:unattend”>
    <settings pass=”generalize”>
    <settings pass=”specialize”>
    <component name=”Microsoft-Windows-Shell-Setup” processorArchitecture=”amd64″ publicKeyToken=”31bf3856ad364e35″ language=”neutral” versionScope=”nonSxS” xmlns:wcm=”http://schemas.microsoft.com/WMIConfig/2002/State” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”>
    <cpi:offlineImage cpi:source=”wim:e:/sources/install.wim#Windows Server 2008 R2 SERVERSTANDARD” xmlns:cpi=”urn:schemas-microsoft-com:cpi” />

    Then run this command:
    C:\Windows\system32\sysprep\sysprep.exe /generalize /oobe /restart /unattend:C:\Windows\RebuildProfile.xml


  4. The only change we make is we do not re-enable page on the “C:” drive but create a second drive “D:” for the page file and find that the system performs much better. It allows us to move the page file to higher performing disk on system that is having ballooning and caching issues.

  5. This is a great article, and I am setting up my servers in much the same way, but for some reason I am not able to pass those RUNONCE commands to the server for some reason. Any one have an idea why they seem to get ignored?

  6. How else are you going to install? (anyone still using RIS out there?)

    Nah, WDS on 2008 R2 with or without SCCM.

    Thanks for this, very good page.

  7. Thnx for your time and effort to write this GREAT Step-by-Step.
    Very Clear and with some humor!
    Nicely done

  8. Per h0st, you’re rock solid with this. We’re currently using template from the dinosaur era- starting fresh with this tutorial, thanks!

  9. Superb link and a great one stop shop for creating a Template. Thanks a lot and well done

  10. Does it apply for Windows Server 2012??

  11. Kudo to Michael!!!. Great guide. Thanks for keeping it simple

Leave a comment

No trackbacks yet.