VMware: My favorite Windows 2008R2 template configuration
Virtual Hardware (VMX) template configuration:
Hardware: | Value: |
Memory | 2 GB |
CPUs | 1 |
Video card | Auto-detect video settings |
VMCI device | None |
SCSI Controller 0 | LSI Logic SAS, bus sharing: none |
Hard disk 1 | 40 GB, Thin (after deploy always Thick) |
CD/DVD Drive 1 | Client Device |
Floppy Drive 1 | Removed |
Network Adapter 1 | VMXNET3, network: VM Network with DHCP (for joining domain) |
General Options | OS: Microsoft Windows Server 2008 R2 (64-bit) |
VMware Tools | Advanced: Check and upgrade Tools during power cycling |
Virtual Machine Version | 7 |
Microsoft Windows Server 2008 R2 template configuration:
– Always install the latest VMware Tools (in my case: ESXi 4.1 build 260247)
– Change the CD/DVD Drive 1 from drive letter D:\ to X:\
– Install VMware display driver: VMware SVGA 3D (Microsoft Corporation – WDDM)
Driver location: C:\Program Files\Common Files\VMware\Drivers\wddm_video\
– Windows Updates: Install all available Windows Updates
– Enable Remote Desktop Protocol: Allow connections from computers running any version of Remote Desktop (less secure)
– Performance Options: select Adjust for best performance
– Startup and Recovery: Change the default value from 30 seconds to 5 for faster rebooting. Write debugging information: Small memory dump (256 KB)
– Disable UAC: Never notify when: Programs try to install software or make changes to my computer + I make changes to Windows settings
– Disable Windows Firewall: Domain networks: Off, Home or work (private) networks: Off, Public networks: Off (the service must stay enabled and started; don’t change this)
– Notification bar: Always show all icons and notifications on the taskbar
– Customize Start Menu: Number of recent programs to display: 1 + Number of recent items to display in Jump List: 1 , and uncheck some options like “help” and “highlight newly installed programs”.
– Internet Explorer: Turn Internet Explorer Enhanced Security off for Administrators. Leave it On for users.
– Internet options: Use blank + Check: Delete browsing history on exit
– Account: For the local Administrator account, select: Password never expires
– Desktop: Show icons on the Administrators desktop
– Folder options: Check Always show icons, never thumbnails + Always show menus + Display the full path in the title bar. Uncheck: Hide extensions for known file types
– Remote Desktop: Disable the policy that restricts users to a single Remote Desktop session
Location: MMC: Local Group Policy: Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Restrict Remote Desktop Services users to a single Remote Desktop Services session
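A read-only check for the settings in the list above that switch off a Windows protection (firewall profiles, UAC, Network Level Authentication for RDP, IE Enhanced Security), so a deployed VM can be compared against what the template shipped. This is an added example, not the author's script; the helper name Get-RegValue is hypothetical, and only local registry values are read, so settings enforced through domain GPO (stored under the Policies keys) are not covered.

```powershell
# Added example (not the author's code): read-only audit of the template
# settings that turn off a Windows protection. Uses only registry reads so
# it runs on PowerShell 2.0 as shipped with Windows Server 2008 R2.

function Get-RegValue([string]$Path, [string]$Name) {
    # Hypothetical helper: returns $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$fw  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$esc = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'

# Each entry: label, registry key, value name, value when the protection is on.
# Assumption: local settings only; GPO-enforced values are stored elsewhere.
$checks = @(
    @('Firewall, Domain profile',  "$fw\DomainProfile",       'EnableFirewall',     1),
    @('Firewall, Private profile', "$fw\StandardProfile",     'EnableFirewall',     1),
    @('Firewall, Public profile',  "$fw\PublicProfile",       'EnableFirewall',     1),
    @('UAC enabled',               $uac,                      'EnableLUA',          1),
    @('RDP requires NLA',          "$ts\WinStations\RDP-Tcp", 'UserAuthentication', 1),
    @('IE ESC for Administrators', "$esc\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}", 'IsInstalled', 1),
    @('IE ESC for Users',          "$esc\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}", 'IsInstalled', 1)
)

$checks | ForEach-Object {
    $actual = Get-RegValue $_[1] $_[2]
    if ($null -eq $actual)     { $state = 'value not present' }
    elseif ($actual -eq $_[3]) { $state = 'protection on' }
    else                       { $state = 'protection OFF' }
    New-Object PSObject -Property @{ Setting = $_[0]; Value = $actual; State = $state }
} | Select-Object Setting, Value, State | Format-Table -AutoSize
```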
Customization Specifications Manager:
– Use the virtual machine name, because I sometimes use PowerCLI scripts to deploy multiple VMs
– Automatically join the Windows domain
– Always generate a new SID before you join a domain, even if it’s Windows 2008
Enjoy your new template and deployment activities!!
Yesterday Christian Mohn (@h0bbel) said on Twitter: “Now turn that into GPO’s!”
Good one... the reason I didn’t do that is because I need some servers which I configure in DMZ or standalone. If I don’t configure this in the template I still need to configure this manually.
Fair point on the standalone boxes – but if you configure it all at GPO level then no matter what kind of machine you join (virtual or physical) it’ll be set up right 🙂 How much template maintenance do you have to do?
Okay, good to know, indeed a good and simple template for default use
@Chris Dearden
I agree, license activation with KMS, Windows Updates with Shavlik or WSUS, AV with McAfee ePo, GPO’s for the settings.. but still need a template 🙂
I configured your settings as my default production template, works like a charm
Regards,
Dirk Rakin
Interesting. But lots of work upfront could save you a lot of effort later.
BTW, how about configuring the time sync for the Windows system as part of the template?
By default the server will sync with the domain controller(s); if standalone/non-domain, the server will sync with time.windows.com (default) because I’ve set the location settings in the specifications template (in my case: Amsterdam).
I am referring to the VMware KB on Timekeeping best practices for Windows:
http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=1318&sliceId=1&docTypeID=DT_KB_1_1&dialogID=73678717&stateId=0%200%2078515868
Is there anything in the above KB we need to consider configuring for the Win2008 R2 template?
Nice!
Nice template, used a lot of these options
Many of the options you configured (start menu, folder options, etc.) are stored in the user profile (Administrator in your case) and won’t apply to the users that will connect to the server later (because their profile will be created from the default profile). You have to replace the default user profile with your customized profile.
Most insecure configuration ever award! Disable FW, disable UAC, disable IE ESC, any version of RDP… Might as well use FAT32 as well.
I don’t get the option to disable the firewall. A lot of system administrators disabled the firewall because they think it costs too much time.
If you want to know what kind of traffic the server handles you can do the next thing.
In our environment I configured a group policy that enabled the firewall settings (public, private, etc.) and configured two rules: one job that allows all incoming traffic and one rule that allows all outgoing traffic. In the rule I set up a log file with a maximum of 30 MB and a retention of 3 log files. With any trouble you can see what happens and who was connected to the server.
Furthermore, we also have all the settings you mentioned in our W2K8R2 template, so good job 😀
Nice, used a lot 🙂
Use the Paravirtualized SCSI adapter instead of the LSI Logic. It gives better performance.
How?
– Shut down VM
– Add a new SCSI disk on 1:0. It will add a 2nd adapter automatically.
– Change the second adapter to Paravirtualized (Change type)
– Boot the VM (now it will install the drivers for the PV adapter)
– Shut down VM
– Remove the second disk and the 1st adapter. VMware will automatically hook the first disk up to the new adapter.
– Start up VM to make sure it boots.
@Sandor
I don’t agree on that. You should use the Parav. SCSI adapter for high IO workloads only.
True + you can’t snapshot this machine (bootdisk), I think this isn’t recommended for a template
Very nice information, which saved a lot of time for me. Thank you. I have mentioned this article on my blog as well.
Do you have some kind of PowerShell script that would do all that? It would be amazing!
I think the parav. SCSI is now fixed, in that it is not only for high IO workloads. However, the benefits of parav. SCSI are not that great if you check my website. I used to sing to all that would listen about the benefits, but after doing some extensive testing I think for a Microsoft server it is best to leave it as the VMware default of LSI Logic SAS.
Now if only I can work out the correct way to use the trial license (180 days) as a template that is activated on deploy from template… very frustrating.
Apparently this is the way to do it, having tried everything else.
http://support.microsoft.com/kb/2550978
VMware: My favorite Windows 2012R2 template configuration
https://blog.vmpros.nl/2014/12/16/vmware-my-favorite-windows-2012r2-template-configuration/
I’ve installed the licensed VMware ESXi 4.1 and, most of the time, it’s working perfectly. Randomly, however, I lose connectivity to the virtual machine having SAP Application installed on it. During this timeout period, the application is stuck at the client end.
General Server Details:
HP DL380-G5 Proliant
RAID level: 0 + 5
Separate VLAN for management
This, to me, indicates that the issue isn’t with networking outside of the ESX host, but rather within the virtual machine or the virtual switch. I’ve moved the VM to another ESXi host but the problem persists.
Another curious sign is the ping latency from the Local Traffic Manager out to a VM node (same ESXi host):
PING 172.16.xxx.xxx (172.16.xxx.xxx) 56(84) bytes of data.
64 bytes from 172.16.xxx.xxx: icmp_seq=1 ttl=128 time=7.25 ms
64 bytes from 172.16.xxx.xxx: icmp_seq=2 ttl=128 time=9.26 ms
64 bytes from 172.16.xxx.xxx: icmp_seq=3 ttl=128 time=10.2 ms
64 bytes from 172.16.xxx.xxx: icmp_seq=4 ttl=128 time=10.2 ms
64 bytes from 172.16.xxx.xxx: icmp_seq=5 ttl=128 time=9.12 ms
64 bytes from 172.16.xxx.xxx: icmp_seq=6 ttl=128 time=10.3 ms
--- 172.16.xxx.xxx ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5035ms
rtt min/avg/max/mdev = 7.252/9.421/10.319/1.091 ms
@AndrewPWR:
1. Nothing logged to any of the /var/log files that would be of any help.
2. Performance graphs don’t indicate that I’m hitting any sort of ceiling.
3. Outages last for 1 – 2 minutes, then traffic resumes on its own.
After trying different methodologies and configurations and using different network latency test tools, at last, with the help of Mr. Marc (Sr. Infrastructure Specialist) @ SDN Singapore, we found that the bug is in the VMXNET 3 driver. All the reports and statistics have been forwarded to the VM support center, and after 1 week they resolved this bug by releasing a driver patch; details are mentioned below.
Name: ESXi410-201404001
Ver: 4.1.0 Patch 11
Release 2015-04-20
Build: 1682698
I will try my level best in future to identify these types of bugs, which will help us and others to run all their live applications flawlessly.
Trying to Upgrade and Migrate on Latest Versions as well.