
Friday, January 1, 2010

How to Create a Boot VHD Step By Step

Windows 7 and Windows Server 2008 R2 allow you to create a bootable VHD (virtual hard disk) with its own operating system (also called Native Boot).  This is really useful when you need to run another operating system or platform on the same hardware.
Note: Native Boot is limited to the following operating systems: Windows 7 Enterprise (x86 or x64), Windows 7 Ultimate (x86 or x64), and Windows Server 2008 R2.
For example, my Dell workstation normally runs Windows 7 Ultimate x64.  I wanted to update the BIOS from Dell's support site, but the BIOS installer won't run in x64 operating systems.  I also wanted to update the firmware on my Parrot Minikit Slim bluetooth car kit, but the USB driver for the P5+ USB Stage1 device is only available for x86 computers.

In previous versions of Windows, the solution would be to make a dual-boot system.  The problem with this is that you and Windows will need to contend with similarly named folders (i.e., \Windows and \Program Files).  A bootable VHD is a discrete virtual disk that contains its own OS.  The single VHD file can reside on your normal disk drive (for example, C: or D:), or even a USB drive.  The VHD will contain its own file structure, but you can still access the physical drives, folders and devices on the parent computer.

The walkthrough I'm documenting here will create a bootable VHD file that runs Windows 7 Enterprise x86.  Let's get started.

 Creating the VHD Drive
  • First, start up and login to the parent operating system (in my case, Windows 7 Ultimate x64).
  • Open Computer Management in Administrative Tools
  • Expand Storage and click Disk Management. You will see your normal physical drives.
  • Right-click Disk Management and select Create VHD
  • Enter the file path and name, size, and format for the VHD as shown below:
  • Here, I'm creating a 20GB dynamically expanding VHD named D:\Win7x86.vhd.  A dynamic disk will start off very small (~42KB) and will grow as data is written to it, up to the maximum size specified (20GB).  Microsoft has made huge improvements in the performance of dynamic VHDs in Windows 7 and Windows Server 2008 R2, so they perform nearly the same as fixed size disks.
  • Click OK to create and mount the VHD volume.  The new disk will be listed in the bottom pane of the Disk Management console as an Unknown Disk.
  • Right-click the Unknown Disk and select Initialize Disk, as shown here:
  • Click OK to initialize the disk with an MBR partition.
  • Now right-click the Unallocated disk and create a New Simple Volume.  The New Simple Volume Wizard will run.  Assign the new volume as drive X:, give it the volume name, Win7x86, and quick format it with the NTFS file system.  The new volume will be displayed in Disk Management and the D:\Win7x86.vhd file will grow to about 77MB.
You now have a new 20GB virtual hard disk, drive X:  Next, we will prepare the disk to install Windows 7 Enterprise x86.

Preparing the VHD for the New Operating System
  • First, you need to download and install the Windows Automated Installation Kit (WAIK) for Windows 7 from Microsoft.  Be aware that this is a 1.7GB ISO and can take some time to download.  Burn the ISO to a DVD or mount it using virtual CD-ROM software like UltraISO, PowerISO, etc., and then install WAIK.
  • Open a CMD prompt as Administrator and change to the %SystemDrive%\Program Files\Windows AIK\Tools\ folder.  In my case, this is C:\Program Files\Windows AIK\Tools\amd64.
  • Mount the Windows 7 Enterprise Edition x86 media.  In my case, this is on the DVD drive E:
  • Run the following command to prepare drive X: for the new operating system:

imagex /apply E:\sources\install.wim 1 X:\
  • Imagex will apply the Windows 7 binaries to the VHD drive X:  The 1 specifies that the operating system is Enterprise Edition.  The application will begin, as shown below:
  • Imagex application normally takes about 7-8 minutes, despite what the progress bar shows.  When it completes, you will see several new folders on drive X:
  • Now you need to detach the VHD disk.  In Disk Management, right-click the VHD disk and select Detach VHD, as shown below:
  • You will notice that the D:\Win7x86.vhd file has grown to about 5.5GB.
We now have a VHD with the Windows 7 Enterprise x86 files installed on it.  We need to configure the computer so that it can boot to the VHD and complete the installation of Windows 7.

Adding the VHD to the Boot Menu
  •  Open an elevated CMD prompt and enter the following command:

bcdedit /copy {current} /d "Windows 7 Enterprise x86"
  • This will return the GUID of the new Loader Object. Substitute that GUID for {guid} in the following commands:
bcdedit /set {guid} device vhd=[driveletter:]\vhdpath\vhdfilename

bcdedit /set {guid} osdevice vhd=[driveletter:]\vhdpath\vhdfilename

bcdedit /set {guid} detectHAL on

The detectHAL command is used to force Windows to auto-detect the hardware abstraction layer. The commands I used are shown below:
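A scripted version of the boot-menu steps, added here as an example and not taken from the original post. It assumes the D:\Win7x86.vhd file and menu description from this walkthrough and an elevated PowerShell prompt; the variable names are illustrative.

```powershell
# Added example: run from an elevated PowerShell prompt on the parent OS.
# The VHD path and menu description are the ones used in this walkthrough.
$vhdFile     = 'D:\Win7x86.vhd'
$description = 'Windows 7 Enterprise x86'

if (-not (Test-Path -LiteralPath $vhdFile)) {
    throw "VHD not found: $vhdFile"
}

# bcdedit expects the drive letter in square brackets: vhd=[D:]\Win7x86.vhd
$drive   = Split-Path -Path $vhdFile -Qualifier      # D:
$relPath = Split-Path -Path $vhdFile -NoQualifier    # \Win7x86.vhd
$vhdSpec = "vhd=[$drive]$relPath"

# Copy the running entry and capture the new loader GUID from bcdedit's output.
$copyOutput = (bcdedit /copy '{current}' /d $description) -join ' '
if ($LASTEXITCODE -ne 0 -or $copyOutput -notmatch '\{[0-9a-fA-F-]{36}\}') {
    throw "bcdedit /copy failed: $copyOutput"
}
$guid = $Matches[0]

# Every /set names the new GUID explicitly. Without an identifier, bcdedit
# changes {current}, which is the parent operating system's own boot entry.
$settings = @(
    @('device',    $vhdSpec),
    @('osdevice',  $vhdSpec),
    @('detecthal', 'on')
)
foreach ($setting in $settings) {
    bcdedit /set $guid $setting[0] $setting[1] | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit /set $guid $($setting[0]) failed"
    }
}

# Show the finished entry so device and osdevice can be checked before rebooting.
bcdedit /enum $guid
```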




Completing the Installation

Now we are ready to boot from the VHD. When you restart the computer you will see a new entry in the boot menu for Windows 7 Enterprise x86, along with the default Windows 7 or Windows Server 2008 R2 option.

Restart the computer and select the new Windows 7 Enterprise x86 option to complete the installation of Windows 7. The first time the new OS starts, the install process will install needed device drivers and restart the computer. The second time you start the OS, the miniprep process will walk you through configuring the user name, password, computer name, and the network settings.

Congratulations! You have completed the boot to VHD process.


Tuesday, November 24, 2009

NTFS Inheritance Rule Change

Up until recently, NTFS permissions have followed these inheritance rules:

  • If a file or folder is copied to some other location, it will inherit the new location's NTFS permissions.
  • If a file or folder is moved to some other location on a different disk drive, it will inherit the new location's NTFS permissions.
  • If a file or folder is moved to some other location on the same disk drive, it will retain the original location's NTFS permissions.

One of the NTFS inheritance rules changed in Windows 2008, R2, Windows Vista, and Windows 7. Now if you move a file or folder, it will inherit the new location's NTFS permissions, even if the new location is on the same disk drive. This is a radical shift that you need to take into account when you're moving files.

You can find a reference to this change in the Notes section in the Microsoft article "Inherited permissions are not automatically updated when you move folders".

Thanks to Murat Yildirimoglu, an MCSE and MCT in Istanbul, Turkey, for the article.


Wednesday, November 11, 2009

Exchange 2007 WILL Be Coming to R2

Reversing an earlier decision to NOT support Exchange 2007 on top of Windows Server 2008 R2, Microsoft has reversed their reversal and announced they WILL develop support for putting Exchange 2007 on top of Windows 2008 R2 in an upcoming release…

http://msexchangeteam.com/archive/2009/11/04/453026.aspx


Tuesday, November 10, 2009

Exchange Server 2010 RTM Upgrade and Installation - Phase 3

This is the third and final phase of my Exchange 2010 / Windows Server 2008 R2 / Hyper-V migration. Phase 1 can be read here and phase 2 can be read here.

At this point, my Hyper-V host server is still running Windows Server 2008 SP2 and also functions as my Exchange Edge Transport server (currently Exchange 2007 SP2). It is hosting three VM guests: a Windows Server 2008 R2 domain controller/global catalog server; an Exchange 2007 SP2 server running the Hub/CAS/Mailbox roles; and a new Exchange 2010 server running the Hub/CAS/Mailbox roles. All mailboxes have been moved to the new E2010 server.

In phase 3, I will uninstall the Exchange 2007 Edge Transport server role from the host, upgrade the host server to Windows Server 2008 R2, install the Exchange 2010 Edge Transport role, and decommission my last Exchange 2007 Hub/CAS/Mailbox server.

I began by uninstalling Forefront Security for Exchange Server from the Exchange 2007 Hub/CAS/Mailbox server. In order to do this, you must stop all the Exchange services and then uninstall the product using Programs and Features in Control Panel.

Next, I created a new Public Folder database on the Exchange 2010 Mailbox server and enabled replicas on the E2010 mailbox server using the Exchange 2010 Public Folder Management Console in the Exchange Management Console (EMC). I then removed all the Public Folder replicas from the Exchange 2007 Mailbox server role using the Exchange 2007 Public Folder Management Console in the EMC.

You cannot decommission an Exchange mailbox server that contains active mailboxes. They must be moved to another server or disabled. Since I had already moved all my user and resource mailboxes to the new Exchange 2010 server, all that was left was the system CAS mailbox which must be disabled (it cannot be deleted or moved). This is accomplished using the following command from the Exchange Management Shell (EMS):

Get-Mailbox -Database "EX\Mailbox Database" | Disable-Mailbox

Now I'm finally ready to uninstall Exchange 2007 from the Hub/CAS/Mailbox server using Programs and Features in Control Panel. However, removal of the Mailbox role fails with the error, "Object is read only because it was created by a future version of Exchange: 0.10 (14.0.100.0). Current supported version is 0.1 (8.0.535.0)." I also discover I get the same error if I try to delete the E2007 Public Folder database.


After some research, I found that the only way to delete the "upgraded" Exchange 2007 Public Folder store is using ADSIEdit. This is detailed here, but the basic steps are to navigate to the Public Folder store in ADSIEdit and delete it, which I've done here.

Once the Public Folder database was removed, I ran the uninstallation again, which then succeeded. After Exchange 2007 was uninstalled, I completed the decommissioning by dis-joining the Exchange 2007 server from the domain and turned it off. I then tested mailflow to ensure that inbound/outbound SMTP email is working properly.

Next, I began the operating system upgrade of the Hyper-V host server by uninstalling Forefront Security for Exchange Server and the Exchange 2007 Edge Transport role. This went very smoothly with no issues.

In preparation for my OS upgrade, I shut down and exported my two Hyper-V VMs to a new folder, H:\Exports. Exporting a VM exports the VM configuration, which includes the hardware, drives, networks (and most importantly, MAC addresses) to an XML file. This allows you to import the VM into a new Hyper-V host server without further configuration.

My process for upgrading the host server was to perform an in-place installation, not an upgrade. This is performed by booting to the Windows Server 2008 R2 DVD and choosing a new installation. Setup will warn that there is already a copy of Windows installed and prompt to continue. When you continue, setup will copy all the old user folders (Documents and Settings), Program Files, and the Windows folders to a new folder named C:\Windows.old, which can be accessed later from the new operating system. When setup completed, I was left with a base Windows Server 2008 R2 server.

I then installed the Hyper-V role and imported the VMs from H:\Exports. I started them up and verified that everything was running properly. I was very pleased to see that the VMs performed faster, due to R2's improved handling and performance of dynamic VHDs.

Next, I installed the Exchange 2010 Edge Transport server role on the host server, reconfigured my anti-spam settings, and created a new Edgesync subscription. After importing the Edgesync subscription in the Exchange 2010 Hub Transport server, I tested Edgesync and mailflow, which worked as expected.

I hope this series helps some of you out!


Friday, November 6, 2009

Fix for Remote Desktop Gateway authentication error from clients

If you use Remote Desktop Gateway Manager (formerly, Terminal Services Gateway) in Windows Server 2008 R2, you may find that Windows clients are unable to authenticate to the RD Gateway server.

This happens because the default configuration in Windows Server 2008 R2 Remote Desktop Gateway is to request that clients send a statement of health before the connection can be made. If this option is selected and you do not have a Remote Desktop connection authorization policy (RD CAP) for Network Access Protection (NAP) configured, clients will be unable to connect to the RD Gateway. They will repeatedly be prompted for Gateway Server Credentials as shown below:



To fix this issue, ensure that you have a valid statement of health configured in NAP. Alternatively, as in the case of clients that cannot or do not provide a statement of health (I'm looking at you, Windows XP), you can disable requesting statements of health entirely. Here's how to do that:
  • Log on to the Remote Desktop Gateway computer and open the RD Gateway Manager (Start > Administrative Tools > Remote Desktop Services > Remote Desktop Gateway Manager)
  • Right-click the RDG server and select Properties
  • Click the RD CAP Store tab and clear the checkbox for "Request clients to send a statement of health", as shown below and click OK.

It may take a moment for the change to go into effect. Occasionally, I've had to restart the Remote Desktop Services service.


Friday, October 23, 2009

Hyper-V-Worker Event 23012 Explained



If you load a Windows Server 2008 R2 virtual machine on a Windows Server 2008 Hyper-V host server, you will get an error on the host server similar to the following:

Log Name: Microsoft-Windows-Hyper-V-Worker-Admin

Source: Microsoft-Windows-Hyper-V-Worker
Date: 10/23/2009 7:56:48 AM
Event ID: 23012
Task Category: None
Level: Error
Keywords:
User: NETWORK SERVICE
Computer: mailgate.theguillets.com

Description:
Device 'VMBus' in 'EX1 ENT x64' cannot load because it is incompatible with virtualization stack. Server version 13 Client version 65537 (Virtual machine 98EEEED7-A97D-48CF-87F5-E1E8F698D169).
This happens because the Windows Server 2008 R2 Hyper-V Integration Components are not compatible with the Hyper-V v1 release components. 

Incompatible does not mean they won't work - because they do.  It's just that the R2 version includes enhancements and changes that are beyond the capabilities of Hyper-V v1.

If you want to run an R2 build in a VM on Hyper-V v1 and you don't want to see this error, use a Legacy NIC for the R2 VM.

The Integration Components are already present in Windows Server 2008 and Windows Server 2008 R2.  You do not need to install them on these VMs.  You can only upgrade the Integration Components, not downgrade them.


Wednesday, August 19, 2009

RAM Upgrade

I just doubled the RAM on my Hyper-V server to 16GB. This is the server that hosts this blog, as well as my other domains and Exchange 2007. Much faster!

Now I have more room to add another Windows Server 2008 R2 test domain and Exchange 2010. Good thing, too, since I just got an invitation email from Microsoft to take the beta exam 71-662: TS: Microsoft Exchange Server 2010, Configuring. I'll probably be taking that in September.


Thursday, July 30, 2009

Exchange 2007 won't be coming to R2

Microsoft Exchange Server 2007 is supported on Windows Server 2003 and Windows Server 2008 servers, but will not be supported on the upcoming Windows Server 2008 R2 operating system.

The reason, according to Michael Atalla, group product manager in the Unified Communications group at Microsoft, is lack of resources. "We are focusing our resources on getting Exchange Server 2010, which will be fully tested and supported on Windows Server 2008 and Windows Server 2008 R2, customer ready to be released later this year."

This means that if you're planning to do a complete operating system refresh when Windows Server 2008 R2 is released later this year, you'll have to move to Exchange 2010 as well. Not that I need any more reasons to do so, anyway. Exchange 2010 rocks!


Wednesday, July 22, 2009

Windows 7 and Windows Server 2008 R2 RTMs


Microsoft just announced that Windows 7 and Windows 2008 R2 released to manufacturing (RTM’d).

RTM officially happens only after sign-off occurs. What happens is a build gets designated as a RTM contender after going through significant testing and meeting our quality bar for RTM. Then, it goes though all the validation checks required for RTM including having all languages of that build completed. If all the validation checks have passed – sign-off for RTM can occur. Today after all the validation checks were met, we signed off and declared build 7600 as RTM.
I've been working with Windows 7 and Windows Server 2008 R2 for over 18 months in the Windows TAP (Technology Adoption Program) and as an early adopter. I'm happy to see a lot of changes that I and others in my company requested get implemented. We are delighted to work with the Windows and Server development teams, who produced such awesome products.

Evaluation software will be available for download in the first half of August and the full product available to customers with Software Assurance in the second half of August. General “off the shelf” availability will come in the September timeframe, as planned.

Congratulations, Windows Development Teams! You have two sure fire winners with these new operating systems.

PS - Look for our new book, "Windows Server 2008 R2 Unleashed" to be released soon.



Monday, June 15, 2009

Windows Server 2008 R2 Service Pack Level at RTM


You may have known that Windows Server 2008 RTM shipped as Service Pack 1. This is because the Windows Server 2008 code base is shared by Windows Vista, and Windows Vista was at SP1 when 2008 shipped. Windows Server 2008 SP2 was released on May 26, 2009 and was the first service pack you can actually apply to Windows Server 2008.

Unlike Windows Server 2003 R2, which was based on the same code base as Windows Server 2003 SP1, Windows Server 2008 R2 is based on an entirely different code base (Windows 7). The Windows 7 code base is derived from Vista, but is actually a separate kernel. This change in strategy was required to address challenges that 2008 R2 faced, such as hardware platforms with many processor cores and new power saving features that couldn't be addressed by keeping the same kernel as Server 2008.

For this reason, Windows Server 2008 R2 RTM will ship as service pack level SP0, not SP1.


Tuesday, May 5, 2009

Windows Server 2008 R2 Download and Product Codes

The following product codes will work for the various flavors of Windows Server 2008 R2 Release Candidate:

Windows Server 2008 R2 Release Candidate Enterprise
Product Code : Q7Y83-W4FVQ-6MC6C-6QQTD-TPM88

Windows Server 2008 R2 Release Candidate Standard
Product Code : V4KRB-QDWK2-GVT4X-BV4XG-34TV4

Windows Server 2008 R2 Release Candidate DataCenter
Product Code : WXGKX-XXW8X-P8KTJ-PFX7T-DPYYW

Windows Web Server 2008 R2 Release Candidate
Product Code: RBBKH-BVD6B-74FV9-RYPJ7-TCFXB

Windows Server 2008 R2 Release Candidate Itanium Edition
Product Code : MW6C7-2MYCB-PF3DK-VCQ2W-XGWFP

Windows Server 2008 R2 Release Candidate (RC) is available for download here.


Windows 7 and Windows 2008 R2 RC is Available


Today, Microsoft released the Windows 7 and Windows Server 2008 R2 Release Candidate (RC) for general IT users.

What's new in RC?

In addition to improvements in performance, reliability, and compatibility, the Windows 7 RC has two new features that we think you will like:

Windows XP Mode (beta): We know that compatibility is a big issue for many small businesses. Which is why we are excited to announce the availability of Windows XP Mode (beta). This new feature allows Windows 7 Professional users to run many Windows XP productivity applications seamlessly in Windows XP Mode. Utilizing Windows Virtual PC, Windows XP applications can be launched with a single click directly from the Windows 7 desktop. (Please note that Windows XP Mode is currently not included at the time of downloading Windows 7 RC.) Install the Windows XP Mode (beta).

Remote Media Streaming: Remote streaming enables you to securely access your digital media libraries regardless of where you are. Simply associate two Windows 7 PCs with the way you connect to the Internet and allow Internet access to your media on both of them. Windows Media Player displays and plays the media libraries from those remote PCs in the same manner as other shared media libraries on a home network.

There is a lot to be excited about. So go ahead, Install Windows 7 RC today and experience for yourself why this operating system is a great choice for your customers - and a great opportunity for your business.



Thursday, April 30, 2009

Windows 7 and Windows Server 2008 R2 RC Released

Microsoft released Windows 7 Release Candidate (RC) build 7100 today. The RC reflects extensive beta tester feedback which the MVP Community directly impacted.

Managed Beta program participants, including MSDN and TechNet subscribers, can download it from Microsoft Connect. If you are not among those who participated in one of the managed Beta programs, you only have to wait until Tuesday, May 5, when the RC will be available through the Customer Preview Program. The final engineering milestone is the release to manufacturing (RTM), typically 3-5 months after the RC.

As a member of the Windows7 Technology Adoption Program (TAP), I've had the chance to work with Windows7 and Windows Server 2008 R2 from the earliest builds and have traveled to Redmond to participate in the Windows7 Summits. As time goes on, I'll be posting my usual tips, tricks and troubleshooting articles on this blog.

Windows 7 beta facts:

  • Over 2000 MVPs participated in the beta on Connect.

  • MVPs contributed and filed over 700 bugs in the first week the beta was released.

  • Engineering fixed over 2000 bugs during the first two weeks.

  • The Windows 7 Forum was the premier destination to support beta testers, with over 25k posts in the first month

  • Windows 7 Beta forums success continues to be moderated by 100+ MVPs.

  • Windows 7 Beta forums answer rate soars to 88% on a volume of more than 40,000 posts.

  • Highlights of positive feedback from beta testers: Windows 7 beta speed / responsiveness, taskbar, and UX are top rated early features

I can tell you that I've been running Windows 7 on my Asus 1000HE netbook and it's absolutely awesome! It ran right out of the box with 1GB of RAM and even displays the Windows Aero interface. I would venture to say that anything that can run Windows XP will run Windows 7 - and it will run even better! Microsoft has a real winner with this operating system. I can't wait to see the RTM version.

The recommended minimum hardware for Windows 7 Beta can be found at https://www.microsoft.com/windows/windows-7/beta-faq.aspx.

As for Windows 2008 R2, I run it on several host servers, VMs and even a dual-boot Windows 7 / Windows Server 2008 R2 laptop computer. The build quality is outstanding and I love all the new features including mobile broadband support, Agile VPN, and the improvements to Server Manager. Be sure to check out the Best Practices Analyzers in Server Manager.


Saturday, March 28, 2009

How to Hide a User Account on the Logon Screen


Maybe you created a user account on your XP computer so your nephew could use it when he was visiting you. Now he's gone home and you really don't want to see that account choice every time you log on to Windows, but you also don't want to just delete the account because he'll probably be back again next year. Here's how to hide an account from the logon screen:

  • Before editing the registry, always back it up just to be safe.

  • Open the registry editor and navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Note: The SpecialAccounts \ UserList keys may not exist on your computer. If they do not, create them.

  • In the right pane, you'll see a list of items that correspond to the user accounts that exist on the computer but are not shown on the logon screen. You'll probably be surprised at how many there are.

  • Right click an empty space in the right pane, select NEW and DWORD value.
    Right click the new value and rename it to the exact name of the user account you want to hide.

  • Close the registry editor.

Now the account name won't show up on the logon screen. You can unhide the account at any time by deleting the registry value you created. Your nephew can still log onto the account while it's hidden. Just press CTRL+ALT+DEL twice in a row at the logon screen and you'll get the logon dialog box that allows you to type in the username.

Note: This tip works for Windows XP, Windows 7, Windows Server 2008 and Windows Server 2008 R2. The SpecialAccounts key may not exist by default, but if you create it as specified above it works a treat!

Additional Note: I've discovered this tip does not work in Windows Vista because Microsoft removed the "Classic Logon" functionality from this OS. You can still hide the account, but you won't be able to logon as this hidden account by pressing Ctrl-Alt-Del twice. You can, however still switch to this account using user account switching.
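Because a hidden account can still log on, it is worth being able to list what this key hides on a given machine. The following audit script is an added example, not part of the original tip; it assumes Windows PowerShell 3.0 or later, and the function name Get-HiddenLogonAccount is illustrative.

```powershell
# Added example: lists accounts hidden from the logon screen through
# Winlogon\SpecialAccounts\UserList and matches each one to a local account.
$userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

function Get-HiddenLogonAccount {
    param([string]$Path = $userListKey)

    # The key does not exist by default; in that case nothing is hidden this way.
    if (-not (Test-Path -LiteralPath $Path)) {
        return
    }

    # Index local accounts by name (PowerShell hashtable keys are case-insensitive).
    $localAccounts = @{}
    Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount=True' |
        ForEach-Object { $localAccounts[$_.Name] = $_ }

    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq '') { continue }          # skip the key's default value

        $kind    = $key.GetValueKind($name)
        $data    = $key.GetValue($name)
        $account = $localAccounts[$name]

        [pscustomobject]@{
            Account       = $name
            ValueKind     = $kind
            Data          = $data
            # A DWORD of 0 hides the account; 1 shows it again.
            Hidden        = ($kind -eq 'DWord' -and $data -eq 0)
            AccountExists = [bool]$account
            Enabled       = if ($account) { -not $account.Disabled } else { $null }
            SID           = if ($account) { $account.SID } else { $null }
        }
    }
}

# Hidden accounts that exist and are enabled sort to the top of the report.
Get-HiddenLogonAccount |
    Sort-Object -Property @{ Expression = 'Hidden';  Descending = $true },
                          @{ Expression = 'Enabled'; Descending = $true },
                          Account |
    Format-Table -AutoSize
```

An entry that is hidden, enabled, and not one you created yourself is the row to investigate.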

Thanks to Deb Shinder for the tip!


Wednesday, March 18, 2009

How To Enable Change Notification On All Site Links


Normally, there are two replication intervals for Active Directory in a Windows domain: Intra-site (replication between DCs in the same site) and Inter-site (replication between DCs in different Active Directory sites).

Intra-site replication is very fast - typically around 15 seconds. This schedule can be configured via the registry using the following values in the HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters key:

Replicator notify pause after modify (secs)
It is a REG_DWORD value of 15 by default

Replicator notify pause between DSAs (secs)
It is a REG_DWORD value of 3 by default

See Microsoft TechNet (Active Directory Replication Tools and Settings) for a thorough explanation of what these keys do.

Inter-site replication is dictated by the schedule associated with the replication connection in Active Directory Sites and Services. Using this GUI you can specify that the connector never replicates, or that it replicates once, twice or four times per hour.

Note: The inter-site replication schedule runs based on the server startup time. For example, if the DC starts up at 12:10pm and the replication connector's schedule is set to twice per hour, replication on this connector will occur at 12:10pm, 12:40pm, etc.

But what if you want Intersite replication to occur more frequently than every 15 minutes? For this, you must enable Change Notification on the Active Directory site link. How you do this depends on which OS is on your DC.


For Windows 2003 Domain Controllers:

  • Open ADSIEdit.msc (in the Windows Support Tools) as a Domain Admin

  • Open the Configuration naming context

  • Navigate to Sites > Inter-Site Transports > IP

  • Right-click the siteLink to modify in the results pane and click Properties

  • Locate the options attribute and set its value to 1

  • Click OK and repeat for other siteLinks, as necessary.

For Windows 2008 and Windows 2008 R2 Domain Controllers:

You can use the same method as Windows Server 2003 DCs or you can edit the values directly from AD Sites and Services, as follows.

  • Locate the Site Link to modify in AD Sites and Services

  • Right-click the Site Link and choose Properties

  • Click the Attribute Editor tab

  • Locate the options attribute and set its value to 1

  • Click OK and repeat for other Site Links, as necessary.

I also wrote two VBScripts for displaying and configuring Change Notification:

  • DisplayChangeNotification.vbs displays the current value of the options attribute on each site link in the Active Directory domain where it is run.

  • EnableChangeNotification.vbs will enable Change Notification on all site links in the Active Directory domain where it is run by changing the options value to 1.

Both scripts are in the ChangeNotificationScripts.zip file, located here.
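The same display and enable operations can be done from PowerShell. This is an added example, not the VBScripts from the zip file; it assumes the ActiveDirectory module is installed, and the function names are illustrative. It goes slightly beyond the steps above by OR-ing the change-notification bit into the existing options value, so other flags already set on a site link are kept instead of being overwritten with 1.

```powershell
# Added example: requires the ActiveDirectory module and, for the Enable
# function, rights to modify objects in the Configuration partition.
Import-Module ActiveDirectory

# Bit flags of the siteLink "options" attribute.
$USE_NOTIFY          = 0x1   # change notification across the site link
$TWOWAY_SYNC         = 0x2
$DISABLE_COMPRESSION = 0x4

function Get-SiteLinkNotification {
    # Site links live under Sites > Inter-Site Transports > IP in the
    # Configuration naming context, the same place ADSIEdit shows them.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base     = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=siteLink)' -Properties options |
        ForEach-Object {
            $options = [int]$_.options          # attribute not set -> 0
            [pscustomobject]@{
                Name               = $_.Name
                Options            = $options
                ChangeNotification = [bool]($options -band $USE_NOTIFY)
                TwoWaySync         = [bool]($options -band $TWOWAY_SYNC)
                CompressionOff     = [bool]($options -band $DISABLE_COMPRESSION)
                DistinguishedName  = $_.DistinguishedName
            }
        }
}

function Enable-SiteLinkNotification {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $pending = @(Get-SiteLinkNotification | Where-Object { -not $_.ChangeNotification })
    foreach ($link in $pending) {
        # Set only bit 0x1 and leave any other flags as they were.
        $newValue = $link.Options -bor $USE_NOTIFY
        if ($PSCmdlet.ShouldProcess($link.Name, "set options from $($link.Options) to $newValue")) {
            Set-ADObject -Identity $link.DistinguishedName -Replace @{ options = $newValue }
        }
    }
}

# Display the current state of every IP site link.
Get-SiteLinkNotification | Format-Table Name, Options, ChangeNotification -AutoSize

# Preview the change first, then run again without -WhatIf to apply it.
Enable-SiteLinkNotification -WhatIf
```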


Tuesday, March 3, 2009

Add RunAs Functionality to Windows Server 2008 for All Users


You may be aware that Windows Server 2008 does not allow you to "Run As a Different User", only "Run As Administrator."

You may also be aware of ShellRunAs, by Sysinternals. ShellRunAs adds command-line RunAs functionality to the context menu of executable programs. Once installed using the command "ShellRunAs /reg", you can right-click on any program, select "Run as a different user," and enter the credentials of the user you want to run the program as.

This RunAs functionality allows you to logon to a server with low level permissions and still run programs that require higher permissions, thereby keeping your server safe and happy.

The only problem with ShellRunAs is that it is a per user installation. That means that it needs to be "installed" for each user on the server. This is because "ShellRunAs /reg" actually updates the registry for the current user (HKCU) hive. This can be a real problem for servers where a lot of different people logon, such as a Terminal Server.

So how do you provide this functionality for all users on the server? Read on to find out how.

  • Download ShellRunAs from Sysinternals and extract ShellRunAs.exe to %SystemRoot%\System32

  • Use Notepad to create a reg file called ShellRunAs.reg with the following content:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\lnkfile\Shell\Run as different user...\Command]
@="\"C:\\Windows\\System32\\ShellRunas.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user...\Command]
@="\"C:\\Windows\\System32\\ShellRunas.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user...\Command]
@="\"C:\\Windows\\System32\\ShellRunas.exe\" \"%1\" %*"

  • Finally, double-click the ShellRunAs.reg file to import it into the registry.

Now right-click an application or program and you will see the new "Run as a different user" menu option. Best of all, it will work for all users on the server without having to register it for each user.

Note: When a user selects Run as a different user for the first time, they will have to accept the end user license agreement. This only happens once because the EULA acceptance is written to the HKCU hive for each user.

By the way, this Run as a different user and Run as Administrator functionality is native in Windows Server 2008 R2.


Tuesday, February 24, 2009

New Hyper-V Dedicated Network is Coming

Windows Server 2008 R2 will offer Hyper-V V2, the second version of Microsoft's hypervisor virtualization solution.

Among the new features, Hyper-V V2 will feature a new "Dedicated" virtual network type. This will be in addition to the External, Internal, and Private networks currently available in Windows Server 2008.

As background, when you create a new virtual network in Windows Server 2008, Hyper-V converts the physical network adapter to a Microsoft Virtual Switch. It also creates a new virtual network adapter attached to the new virtual switch.

In the example above, we see a Hyper-V host with four physical NICs. The first NIC is dedicated to the host, as per best practice, and is attached to the corporate LAN. The other three NICs have been configured as External virtual networks using the Hyper-V Virtual Network Manager.

You will note that there are three disabled virtual NICs at the bottom of the image for the host to use. These virtual NICs were automatically created by Hyper-V when the External virtual networks were configured, and are normally enabled by default. I've renamed each NIC and virtual switch on my host server for clarity.

If you're following the best practice of using a dedicated NIC for the Hyper-V host, as above, there normally would be no reason to use these virtual NICs. If you leave them enabled, it can cause a number of problems for the Hyper-V host:

  • The virtual NICs will attempt to get DHCP addresses. If no DHCP server is available, they will get automatic private IP addresses (169.254.x.x).
  • The network binding order may be out of order, causing network inefficiencies.
  • The Windows Firewall will apply vastly different settings (I'll blog more on this later).
  • Trying to sort out an IPCONFIG /ALL is a mess

The current recommended way of dealing with this in the Windows Server 2008 version of Hyper-V is to remove all the connections for the new virtual NIC (IPv6, IPv4, etc.) and then disable the virtual NIC. Finally, you should check the network bindings to ensure that the host's NIC is at the top, followed by the virtual switches, and then the disabled NICs.

In Windows Server 2008 R2, Microsoft introduces the Dedicated virtual network type. When you create a Dedicated virtual network, Hyper-V does not automatically create a corresponding virtual NIC. It simply converts the selected physical NIC to a Microsoft Virtual Switch for the VM(s) to use. No need to disable anything or change network binding orders. Very cool!

Note that you will be unable to create a Dedicated virtual network on a single NIC Hyper-V host. If you did, the host would be unable to connect to the corporate LAN since there would be no NIC (physical or virtual) for it to use.

This new network will be a welcome addition to Hyper-V!



Sunday, February 15, 2009

How to Enable Aero Glass on Windows Server 2008 and R2


Some of us geeks like to use Windows Server 2008 or R2 as our desktop operating system. It's rock solid and offers more features and better performance than Windows Vista.

If you're missing the Vista Aero Glass interface on your Windows Server 2008, here's how to enable all that eye candy goodness.

First, you need to install the Desktop Experience feature using Server Manager, or with the following command line:

ServerManagerCmd -i Desktop-Experience

This will install the Windows Aero and other desktop themes, along with a lot of other programs that go into Vista by default (Windows Media Player, Windows Photo Gallery, etc.).

Next, you need to set the Themes service to Automatic and start it.

If you're running Windows Server 2008 (not Windows Server 2008 R2):
  • Click Control Panel > Personalization
  • Click Windows Color and Appearance and select the Windows Aero color scheme
  • (To turn Aero off, click Theme and select the Windows Classic theme)
For Windows Server 2008 R2:
  • Click Control Panel > Appearance and Personalization
  • Click Personalization and select the Aero Theme



Tuesday, December 23, 2008

How to Modify the All Users Startup Menu

As you no doubt know, Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 have modified the locations for user profiles. They are no longer in %SystemDrive%\Documents and Settings and exist in the %ProgramData%\Users folder.

However, to modify the All Users profile to add a shortcut to the Startup menu you actually need to access the %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup folder.

See Peter Fitzsimon's blog for all the gory details.


Tuesday, April 29, 2008

How to Enable Autologon for Windows Server 2008 Member Servers and Windows 7 Member Workstations



In a previous post I showed how to enable Autologon for workgroup servers and workstations.

Once you join a server to a domain, Windows will automatically delete the AutoAdminLogon value from the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry key. This causes the userpasswords2 control to hide the "Users must enter a user name and password to use this computer" checkbox shown above.

Here's how to get the missing checkbox back and configure Autologon:
  • Open a CMD prompt and enter the following (all on one line):
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d "1" /f
  • Click Start, Run and enter control userpasswords2
  • Clear the checkbox for Users must enter a user name and password to use this computer and click OK
  • Enter the user name and password that will be used for Autologon and click OK

When the computer starts up the account you specified will be logged in automatically. Note that the password is encrypted on the computer.

This tip works for Windows 7, Windows Server 2008, and Windows Server 2008 R2.


Tuesday, March 4, 2008

How to Enable Autologon in Windows Server 2008 Workgroup Servers and Windows 7 Computers




Note:
Click here for instructions for enabling AutoLogon for Windows Server 2008 member servers and Windows 7 member workstations.
There may be times that you want/need to enable Autologon for Windows Server 2008 or Windows 7. Examples may be lab machines or kiosks. Here's how to do it:
  • Click Start, Run and enter control userpasswords2

  • Clear the checkbox for Users must enter a user name and password to use this computer and click OK. If this checkbox is missing, see my article about enabling Autologon on member servers and workstations.

  • Enter the user name and password that will be used for Autologon and click OK

When the computer starts up the account you specified will be logged in automatically. Note that the password is encrypted on the computer.

This tip works for Windows 7, Windows Server 2008, and Windows Server 2008 R2.
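Both Autologon procedures (this one and the member-server variant that first sets AutoAdminLogon with reg add) leave their state in the Winlogon key, so a machine can be checked for it without opening the dialog. The following read-only audit is an added example, not part of the original posts; the function name is hypothetical. It relies on two facts not stated on the page: the userpasswords2 dialog stores the password as an LSA secret, while a DefaultPassword value written to the key by hand is plain text.

```powershell
# Added example: report the Autologon state of the local machine (read-only).
# The password itself is never read out or displayed.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutologonState {
    $p     = Get-ItemProperty -LiteralPath $winlogon
    $names = $p.PSObject.Properties | ForEach-Object { $_.Name }

    # AutoAdminLogon = "1" is the switch the reg add command on this page sets.
    $enabled = ($names -contains 'AutoAdminLogon') -and ($p.AutoAdminLogon -eq '1')
    # A non-empty DefaultPassword value is a clear-text password in the registry.
    $plain   = ($names -contains 'DefaultPassword') -and ($p.DefaultPassword -ne '')

    $findings = @()
    if ($enabled) {
        $findings += "Autologon is ON for '$($p.DefaultDomainName)\$($p.DefaultUserName)'"
    }
    if ($plain) {
        $findings += 'DefaultPassword is set: clear text, visible to anyone who can read the key'
    }
    if ($enabled -and -not $plain) {
        $findings += 'No DefaultPassword value: the password, if any, is an LSA secret (recoverable by local administrators)'
    }
    if (-not $enabled -and $plain) {
        $findings += 'Autologon is off but a stale DefaultPassword value remains; delete it'
    }

    New-Object PSObject -Property @{
        Enabled           = $enabled
        Account           = $p.DefaultUserName
        Domain            = $p.DefaultDomainName
        PlainTextPassword = $plain
        Findings          = $findings
    }
}

Get-AutologonState | Format-List Enabled, Domain, Account, PlainTextPassword, Findings
```

On lab machines and kiosks, pair an Enabled result with a check that the named account is a low-privilege one, since anyone with physical access gets that session.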
