So, you have to build a Windows Server 2008 R2 VM Template ESX/ESXi? Â Theres a lot of folks out there that give their 2 cents on the matter, and a few walkthroughs but everytime you read one thing you come across something new…So I decided to put my procedure online and I also added some notes about each task with reasoning for why I do each task.
I integrated bits and pieces from: SOLORI’s Blog, Jeremy Waldrop’s Blog, Techhead and  Yellow Bricks as well as various bits from technet.
Remember to setup vCenter for Guest Customizations by placing the sysprep files for all the various versions of Windows in the proper locations, refer to this VMware KB Article for locations and instructions: VMware KB: 1005593
Give your feedback, if you don’t agree with something let me know!
Things you may need to keep out of your templates: (research your particular product)
- Anti-Virus Agents
- Systems Management Clients (LANDesk, Altiris, SMS, SCCM, etc.)
This is how I put together Windows Server 2008 R2 VMware Templates:
Build a VM with these specs:
| Disk – C:\ | 40Gb (Thin Provisioned) |
| CPUs | 1 vCPU |
| Memory | 1024 MB |
| Network Adapter 1 | VMNET 3 |
Then follow this procedure:
| Task | Notes/Reasoning |
| Mount Windows 2008 R2 ISO | How else are you going to install? (anyone still using RIS out there?) |
| Boot to CD Drive | … |
| Install Windows 2008 R2 (Full) | Select full, we aren’t doing a core edition template… |
| Set Admin Password when prompted | yes… |
| Log in | Setup will have rebooted the machine and you’ll be looking at the login screen |
| Set Time Zone | Time is important |
| Install VMware Tools | Fix that laggy mouse and gain the additional benefits |
| Enable Remote Desktop w/ NLA | Allow Secure RDP |
| Install Telnet Client | Nice to have it installed before you need it your netadmin will <3 you for this |
| Install SNMP Services feature (SNMP Service, SNMP WMI Provider) | Most people have some kind of network monitoring that will take advantage of the additional info SNMP will provide |
| Configure SNMP: Contact: Help Desk Location: VMware Services: Physical, Applications, End-to-end |
This is SysContact, SysLocation and SysServices (as defined by RFC1213)- these are picked up by alot of network monitoring tools, letting them know it’s virtual without having to nmap or otherwise find the NICs mac and see it’s VMware is nice |
| Disable Windows Firewall on all 3 profiles | You can turn it back on and punch your holes later |
| Disable Indexing on C:\ | This is really a performance thing, and is augmented further by virtualization, imagine your VMs sitting idle indexing the C:\ drive, awesome use of CPU cycles! |
Configure IE:
|
These are what I like, home pages slow down IE loading, when I’m just going to navigate elsewhere, Google > Bing, Kill Bing, Remove accelerators–because we aren’t mapping or blogging from our servers…, and advanced settings, ensure temp files are cleared when you exit IE, and turn off those friendly HTTP errors |
| Configure systray to always show icons/notifications | Personal preference, I don’t want to have to unhide icons when I’m looking for something… |
| Configure IE ESC to be disabled for Administrators | Admins are going to do this anyway… |
| Adjust visual effects for performance | Save some CPU, removes the unnoticable fancy stuff, window shadows, cursor shadows, etc. |
| Lower Boot Menu timeout to 5 seconds | In case something else ends up in the boot menu, don’t want reboots to take longer then they have to…oh and this won’t survive sysprep anyway… |
Modify Folder Options to:
|
This is all self explanatory no? |
| Set Control Panel to Large Icons | Not even sure if this survives sysprep |
| Set Windows Update to Never check for updates | This won’t survive sysprep but is required so you can check for updates |
| Windows Update -> Check for updates | |
| Apply Updates | |
| Restart (required for Windows Updates) | |
| Log in | |
| Windows Update -> Check for updates | |
No more updates required to apply–Did not apply:
|
I don’t put any of these updates into images (.NET 4.0 can present problems, you can always install it if required on a per machine basis, but not hose up the works on every other VM that likely won’t need it. |
| Install BGInfo to C:\BGInfo Create Shortcut with switches in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup |
BGInfo is your friend! – click here for more info on BGInfo |
| Rename Computer to Win2k8-R2-E-Template | This is just personal preference, when you deploy the VM your guest customization will rename it to whatever you want anyway |
| Add Description: “VMware Template†| Let AD know this is a VM |
| Delete desktop.ini file on desktop | House keeping before defrag |
| Empty C:\Users\Administrator\AppData\Local\Temp | House keeping before defrag |
| Disable Hibernation via powercfg.exe -h off (deletes hiberfile.sys) | Our servers aren’t going to hibernate |
| Disable Paging | Don’t be afraid, this is to defrag as much as possible |
| Restart (required for disabling paging) | |
| Defrag C:\ | Optimize everything |
| Renable Paging | self explanatory… |
| Set Power Plan to High Performance & Never Turn off the display | Ensure that the server never sleeps or anything |
| Create temp user and add to local administrators group | This is the beginning of the h4x! |
| Log out | because your going to login with the temp account |
| Log in as temp user | mkay… |
| Copy Administrator Profile to Default Profile | Now you see why we made that temp account, some people use sysprep to do this, I like to use Windows Enabler since this option is grayed out in Windows Server 2008 |
| Log out | |
| Delete temp user | |
| Restart | required to delete locked temp user profile bits |
| Log in as Administrator | |
| Delete temp user profile | |
| Delete ntuser.dat.* files from Default Profile | |
| Test IE and verify settings | An update may have botched your IE settings, so double check! |
| Shutdown | Bye guys |
| Detach ISO | Ya… |
| Convert to Template | Mkay… |
Build your Guest Customization Specification with these RUNONCE commands
| reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update†/v AUOptions /t REG_DWORD /d 1 / | Disable automatic updates (does not survive sysprep) |
| start /w slmgr.vbs -ipk <YOUR PRODUCT KEY HERE> | Set your product key, required for activation |
| start /w slmgr.vbs -ato | Activate Windows |
| bootcfg /timeout 5 | Set bootmenu timeout to 5 seconds (does not survive sysprep) |
| powercfg.exe -h off | Turn off Hibernation (does not survive sysprep) |
March 12th, 2011 at 8:56 am
I ran into following problem
Guest customization with Microsoft Windows 2008 Enterprise and R2 Forces Administrator to Change Password
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1020428
March 18th, 2011 at 4:33 pm
That problem you linked to has to do with VMware Lab Manager–are you sure you are experiencing the same thing?
May 13th, 2011 at 10:56 am
Wow! Finally a guide out there that explains their logic behind each step. If only more bloggers wrote like this to actually educate and allow administrators to make their own decisions. So many people act like sheep and follow articles without questioning things.
May 13th, 2011 at 10:59 am
One question, do you think it is appropriate to disable IPv6 in the template? There is a known issues with MAPI amongst other services. Considering these templates are likely to be used to interact with MS applications such as Exchange/Outlook, should this be something done in the template or after deployment?
As per the MAPI expert: http://blogs.msdn.com/b/stephen_griffin/archive/2009/01/28/more-issues-with-mapi-and-ipv6.aspx & MS KB:http://support.microsoft.com/kb/929852
Unselect IPv6 from the properties of your NIC.
Under the regkey HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters, add a 32 bit DWORD with the name DisabledComponents and value 0xFFFFFFFF.
Reboot the machine.
May 13th, 2011 at 1:13 pm
Thanks for the info–I’ll revise the guide and add your info. We aren’t an Exchange shop and haven’t had any other problems with disabling IPv6 but it’s always good to check. I wasn’t aware of IPv6 causing any issues like you linked. Again that is great info that could help out others.
May 13th, 2011 at 1:11 pm
Appreciate it Sean, working on guides for CentOS and Windows Server 2003, hopefully you’ll find them just as helpful.
September 13th, 2011 at 10:35 am
This is all fine, except the default user process. Using Windows Enabler and the grayed-out Copy To button is a bad idea with Win2008 R2. The right and proper way to do this is with sysprep, and it’s way easier than everybody thinks. Create a file C:\Windows\RebuildProfile.xml. Fill it with this:
<?xml version=”1.0″ encoding=”utf-8″?>
<unattend xmlns=”urn:schemas-microsoft-com:unattend”>
<settings pass=”generalize”>
<settings pass=”specialize”>
<component name=”Microsoft-Windows-Shell-Setup” processorArchitecture=”amd64″ publicKeyToken=”31bf3856ad364e35″ language=”neutral” versionScope=”nonSxS” xmlns:wcm=”http://schemas.microsoft.com/WMIConfig/2002/State” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”>
<CopyProfile>true</CopyProfile>
</component>
</settings>
<cpi:offlineImage cpi:source=”wim:e:/sources/install.wim#Windows Server 2008 R2 SERVERSTANDARD” xmlns:cpi=”urn:schemas-microsoft-com:cpi” />
</unattend>
Then run this command:
C:\Windows\system32\sysprep\sysprep.exe /generalize /oobe /restart /unattend:C:\Windows\RebuildProfile.xml
Cheers.
November 23rd, 2011 at 12:37 pm
The only change we make is we do not re-enable page on the “C:” drive but create a second drive “D:” for the page file and find that the system performs much better. It allows us to move the page file to higher performing disk on system that is having ballooning and caching issues.
May 17th, 2012 at 7:37 am
This is a great article, and I am setting up my servers in much the same way, but for some reason I am not able to pass those RUNONCE commands to the server for some reason. Any one have an idea why they seem to get ignored?
May 27th, 2012 at 9:49 pm
I haven’t run into that before…you are sure that sysprep is working though?
Check the logs in the panther folder (C:\Windows\Panther) for clues
June 10th, 2012 at 1:07 pm
How else are you going to install? (anyone still using RIS out there?)
Nah, WDS on 2008 R2 with or without SCCM.
Thanks for this, very good page.
June 16th, 2012 at 6:41 pm
Lol, kicking it old school!
June 27th, 2012 at 5:45 am
Thnx for your time and effort to write this GREAT Step-by-Step.
Very Clear and with some humor!
Nicely done
June 28th, 2012 at 7:47 pm
Thanks for the kind words!
January 2nd, 2013 at 10:20 am
Per h0st, you’re rock solid with this. We’re currently using template from the dinosaur era- starting fresh with this tutorial, thanks!
January 11th, 2013 at 7:07 am
Superb link and a great one stop shop for creating a Template. Thanks a lot and well done
January 21st, 2013 at 4:20 pm
Does it apply for Windows Server 2012??
April 11th, 2013 at 3:10 pm
No, I’m writing a new article for Server 2012
May 8th, 2013 at 7:17 pm
Michael,
Have you finished writing the article for server 2012?
Regards,
Kalam
October 7th, 2013 at 10:13 am
Not yet…this is on my to-do list…
September 24th, 2013 at 12:32 pm
Thanks for this, very helpful. Eager to see your 2012/2012R2 guide.
April 23rd, 2013 at 1:50 pm
Kudo to Michael!!!. Great guide. Thanks for keeping it simple