When creating a Windows Server Gold build for use in VMware ESX I specify and modify the following configuration settings for the server I am going to use as a template.
This is not an exhaustive list by any means, though these are a few of the main things I usually do.
Let me know if there are any other modifications or ‘tweaks’ you do when creating a Windows Gold Build.
UPDATE: Thanks for the additional tips that you apply to an ESX template – keep them coming. I am going to add these recommendations to this list (see below). I’ve also adjusted the title of the post as there are now more than 10 basic things to consider. 🙂
- Use a 20GB C partition for the OS – Or thereabouts. This gives plenty of headroom for installing most applications. There is nothing worse than trying to increase the size of this later. Disk space is now so cheap there is no excuse to scrimp with the OS partition.
- Apply Microsoft Service Pack and Security patch updates – Either use Windows Update, push the patches out via MS Operations Manager, or similar. If the VM isn’t connected to the internet then check out this article by vinf.net that outlines how to use a rather good utility called ‘CTUpdate’ to build a Windows patch update CD. Definitely worth a look.
- Change screen resolution – I usually go for 1024 x 768 as this gives adequate screen real-estate whilst not taking over your entire screen. The default 800 x 600 just doesn’t cut it.
- Move CD drive mapping to Z – I don’t know how many times I’ve seen the CD drive still mapped as D with disk partitions allocated to E, F drive, etc. This, in my opinion, just looks sloppy. Allocate the CD drive to Z on all your servers to make it distinguishable from the hard disk partitions. **UPDATE** David Lomas has raised a very valid point: "There is a very good reason for not changing drive letters from their default order. If you ever P2V or V2P a machine it will typically put all the drives back to the default order. This will really mess up some servers, for example a domain controller with its database or logs on a different drive won’t start AD, which means you can’t even log in!". So take heed if changing default drive mappings!
- Configure SNMP – It is always good practice to monitor your IT environment and VM server instances are no exception. Install the SNMP service and configure it to talk to your monitoring software.
- Enable remote desktop – By default Remote Desktop is not enabled. Go into ‘System Properties’ and allow Remote Desktop connections from Administrators (or whoever administers your environment).
- Copy the OS source files to C:\i386 – In doing this you won’t have to search high and low for the OS media when going to add new services as all the required files will be on the local hard disk.
- Make C:\i386 the default OS source location – As long as you followed point 7 above this will get around those annoying prompts for the source media when installing new services (eg: SNMP, IIS, etc.)
Hive: HKEY_LOCAL_MACHINE\SOFTWARE
Value: SourcePath (change to C:\)
- Change the default ‘Administrator’ username – The reason for this is security. There are two schools of thought as to whether this is necessary or is a best practice. I personally like to change the default local ‘Administrator’ account as anything that reduces the risk of the environment being compromised I am keen to do.
- Install Windows Server Resource Kit – There are some great utilities that may come in useful in this kit. Best to have them installed and ready to go in a time of crisis. This can be downloaded from Microsoft here.
- Disable Internet Explorer Enhanced Security Configuration. [from Mark Roe]
- Apply security templates from within the MMC snap-in. [from Mark Roe]
- Create a download directory on the D drive. [from Mark Roe]
- Install the latest VMtools before Templating. [from Stuart Mycock]
- ESX Host Time Sync – Configure the VMtools for local ESX host time sync and also disable the Windows time service to avoid conflicts. [from Stuart Mycock] **UPDATE** Another option as highlighted by Scott Lowe is to leave this disabled and let Windows handle the time synchronisation.
- Install BGINFO – BGinfo is also still a useful thing to have load on login as some techies can forget what machine they’ve RDP’d into or what IP addresses it is using, etc. [from Stuart Mycock]
- Consistent Desktop for all server users – Set all desktop preferences using the admin account, then copy that profile to the ‘Default User’ profile. New users get a consistent desktop. [from Ben Conrad]
- Adjust the Disk Timeout – to a value recommended by your storage vendor. Set: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\TimeOutValue [from Ben Conrad]
- Applications that report to centralised server – Some apps that report to a centralized server (like McAfee) need to have some settings cleared after ‘ghosting’ using Sysprep runonce. [from Ben Conrad]
- Disable the pre-logon screensaver – Click here for details. [from Duncan at Yellow-Bricks.com]
- Disable updates of the last access time attribute for your NTFS filesystem – Click here for details. [from Duncan at Yellow-Bricks.com]
- Disable all visual effects – Click here for details. [from Duncan at Yellow-Bricks.com]
- Disable mouse pointer shadow – Click here for details. [from Duncan at Yello
- Increase the colour depth of RDP sessions – When using virtual Desktop machines increase the colour depth for RDP. Gives a 32 bit colour range when using graphics based applications. [from Anthony Preston]
HKLM\system\currentcontrolset\Control\Terminal Server\WinStations\RDP-Tcp\ColorDepth = 4
- Disable Last Access tracking – May bring a slight performance increase. Click here and see comment #4 below for details. [from David Lomas and Stuart Mycock]
- Attach a 2nd VMDK, formatted as FAT32 given the drive-letter “S”. Move pagefile.sys to this drive. [from omfgz]
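
As an added example (not part of the original post), this PowerShell script checks a template VM against the registry settings and the Administrator rename from the list above before it is sealed. The expected disk timeout of 60, the `fDenyTSConnections` and `NtfsDisableLastAccessUpdate` value names, and the function names are assumptions not given in the post.

```powershell
# Expected values are assumptions for illustration; substitute your own baseline.
$baseline = @(
    @{ Name = 'Disk timeout (seconds)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Disk'
       Value = 'TimeOutValue'; Expected = 60 },        # assumed; use your storage vendor's figure
    @{ Name = 'RDP colour depth'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Value = 'ColorDepth'; Expected = 4 },           # value given in the post
    @{ Name = 'Remote Desktop enabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
       Value = 'fDenyTSConnections'; Expected = 0 },   # 0 = connections allowed
    @{ Name = 'NTFS last access updates disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
       Value = 'NtfsDisableLastAccessUpdate'; Expected = 1 }
)

function Test-TemplateBaseline {
    param([object[]]$Checks)
    foreach ($c in $Checks) {
        # A missing key or value yields $null and is reported as drift, not as an error.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Value) } else { $null }
        New-Object PSObject -Property @{
            Check    = $c.Name
            Expected = $c.Expected
            Actual   = $actual
            Pass     = ($null -ne $actual -and $actual -eq $c.Expected)
        }
    }
}

function Test-AdministratorRenamed {
    # The built-in account keeps the well-known RID 500 after a rename, so look it up by SID.
    $admin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' }
    New-Object PSObject -Property @{
        Check = 'Built-in Administrator renamed'; Expected = 'not "Administrator"'
        Actual = $admin.Name; Pass = ($admin -and $admin.Name -ne 'Administrator')
    }
}

$results = @(Test-TemplateBaseline -Checks $baseline) + (Test-AdministratorRenamed)
$results | Select-Object Check, Expected, Actual, Pass | Format-Table -AutoSize
# Non-zero exit code lets a build script refuse to seal a template that has drifted.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Because the built-in account is found by its SID, the rename check also shows that renaming changes only the display name; the account still needs a strong password and the same monitoring as before.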