Windows Management and Scripting


Setup FTP 7.5 on Windows Server 2008 and publish through Forefront TMG 2010

Posted by Alin D on November 2, 2010

Introduction

Microsoft has created a new FTP service that has been completely rewritten for Windows Server® 2008. This new FTP service incorporates many new features that enable web authors to publish content better than before, and offers web administrators more security and deployment options.

  • Integration with IIS 7: IIS 7 has a brand-new administration interface and configuration store, and the new FTP service is tightly integrated with this new design. The old IIS 6.0 metabase is gone, and a new configuration store that is based on the .NET XML-based *.config format has taken its place. In addition, IIS 7 has a new administration tool, and the new FTP server plugs seamlessly into that paradigm.
  • Support for new Internet standards: One of the most significant features in the new FTP server is support for FTP over SSL. The new FTP server also supports other Internet improvements such as UTF8 and IPv6.
  • Shared hosting improvements: By fully integrating into IIS 7, the new FTP server makes it possible to host FTP and Web content from the same site by simply adding an FTP binding to an existing Web site. In addition, the FTP server now has virtual host name support, making it possible to host multiple FTP sites on the same IP address. The new FTP server also has improved user isolation, now making it possible to isolate users through per-user virtual directories.
  • Custom authentication providers: The new FTP server supports authentication using non-Windows accounts for IIS Managers and .NET Membership.
  • Improved logging support: FTP logging has been enhanced to include all FTP-related traffic, unique tracking for FTP sessions, FTP sub-statuses, additional detail fields in FTP logs, and much more.
  • New supportability features: IIS 7 has a new option to display detailed error messages for local users, and the FTP server supports this by providing detailed error responses when logging on locally to an FTP server. The FTP server also logs detailed information using Event Tracing for Windows (ETW), which provides additional detailed information for troubleshooting.
  • Extensible feature set: FTP supports extensibility that allows you to extend the built-in functionality that ships with the FTP service. More specifically, there is support for creating your own authentication and authorization providers. You can also create providers for custom FTP logging and for determining the home directory information for your FTP users.

Additional information about new features in FTP 7.5 is available in the “What’s New for Microsoft and FTP 7.5?” topic on Microsoft’s http://www.iis.net/ web site.

This document will walk you through installing the new FTP service and troubleshooting installation issues.

Installing FTP for IIS 7.5

IIS 7.5 for Windows Server 2008 R2

  1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
  3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
  4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.
  5. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
  6. Click Next.
  7. On the Confirm Installation Selections page, click Install.
  8. On the Results page, click Close.

Installing FTP for IIS 7.0

Prerequisites

The following items are required to complete the procedures in this section:

  1. You must be using Windows Server 2008.
  2. Internet Information Services 7.0 must be installed.
  3. If you are going to manage the new FTP server by using the IIS 7.0 user interface, the administration tool will need to be installed.
  4. You must install the new FTP server as an administrator. (See the Downloading and Installing section for more.)
  5. IIS 7.0 supports a shared configuration environment, which must be disabled on each server in a web farm before installing the new FTP server for each node. Note: Shared configuration can be re-enabled after the FTP server has been installed.
  6. The FTP server that is shipped on the Windows Server 2008 DVD must be uninstalled before installing the new FTP server.

Downloading the right version for your server

There are two separate downloadable packages for the new FTP server; you will need to download the appropriate package for your version of Windows Server 2008:

Launching the installation package

You will need to run the installation package as an administrator. This can be accomplished by one of the following methods:

  1. Logging in to your server using the actual account named “Administrator”, then browsing to the download pages listed above or double-clicking the download package if you have saved it to your server.
  2. Logging on using an account with administrator privileges and opening a command-prompt by right-clicking the Command Prompt menu item that is located in the Accessories menu for Windows programs and selecting “Run as administrator”, then typing the appropriate command listed below for your version of Windows to run the installation:
    • 32-bit Windows Versions:
      • msiexec /i ftp7_x86_75.msi
    • 64-bit Windows Versions:
      • msiexec /i ftp7_x64_75.msi

Note: One of the above steps is required because the User Account Control (UAC) security component in the Windows Vista and Windows Server 2008 operating systems prevents access to your applicationHost.config file. For more information about UAC, please see the following documentation:

The following steps walk you through all of the required settings to add FTP publishing for the Default Web Site.

Walking through the installation process

  1. When the installation package opens, you should see the following screen. Click Next to continue.
  2. On the next screen, click the I accept check box if you agree to the license terms, and then click Next.
  3. The following screen lists the installation options. Choose which options you want installed from the list, and then click Next.
    • Common files: this option includes the schema file. When installing in a shared server environment, each server in the web farm will need to have this option installed.
    • FTP Publishing Service: this option includes the core components of the FTP service. This option is required for the FTP service to be installed on the server.
    • Managed Code Support: this is an optional component, but features that use managed extensibility, such as ASP.NET and IIS Manager authentication, require it before they can be used. Note: This feature cannot be installed on Windows Server 2008 Core.
    • Administration Features: this option installs the FTP 7 management user interface. This requires the IIS 7.0 manager and .NET framework 2.0 to be installed. Note: This feature cannot be installed on Windows Server 2008 Core.
  4. On the following screen, click Install to begin installing the options that you chose on the previous screen.
  5. When installation has completed, click Read notes to view the FTP README file, or click Finish to close the installation dialog.

Note: If an error occurs during installation, you will see an error dialog. Refer to the Troubleshooting Installation Issues section of this document for more information.

Troubleshooting Installation Issues

When the installation of FTP 7 fails for some reason, you should see a dialog with a button called “Installation log”. Clicking the “Installation log” button will open the MSI installation log that was created during the installation. You can also manually enable installation logging by running the appropriate command listed below for your version of Windows. This will create a log file that will contain information about the installation process:

  • 32-bit Windows Versions:
    • msiexec /L ftp7.log /I ftp7_x86_75.msi
  • 64-bit Windows Versions:
    • msiexec /L ftp7.log /I ftp7_x64_75.msi

You can analyze this log file after a failed installation to help determine the cause of the failure.

Clicking the “Online information” button on the error dialog will launch the “Installing and Troubleshooting FTP 7.5” document in your web browser.

Note: If you attempt to install the downloaded package on an unsupported platform, the following dialog will be displayed:

Known Issues in This Release

The following issues are known to exist in this release:

  1. While Web-based features can be delegated to remote managers and added to web.config files using the new IIS 7 configuration infrastructure, FTP features cannot be delegated or stored in web.config files.
  2. The icon of a combined Web/FTP site may be marked with a question mark even though the site is currently started with no error. This occurs when a site has a mixture of HTTP/FTP bindings.
  3. After adding FTP publishing to a Web site, clicking the site’s node in the tree view of the IIS 7 management tool may not display the FTP icons. To work around this issue, use one of the following:
    • Hit F5 to refresh the IIS 7 management tool.
    • Click on the Sites node, then double-click on the site name.
    • Close and re-open the IIS 7 management tool.
  4. When you add a custom provider in the site defaults, it shows up under each site. However, if you attempt to remove or modify the settings for a custom provider at the site-level, IIS creates an empty <providers /> section for the site, but the resulting configuration for each site does not change. For example, if the custom provider is enabled in the site defaults, you cannot disable it at the site-level. To work around this problem, open your applicationHost.config file as an administrator and add a <clear/> element to the list of custom authentication providers, then manually add the custom provider to your settings. For example, in order to add the IIS Manager custom authentication provider, you would add settings like the following example:
    <ftpServer>
      <security>
        <authentication>
          <customAuthentication>
            <providers>
              <clear />
              <add name="IisManagerAuth" enabled="true" />
            </providers>
          </customAuthentication>
        </authentication>
      </security>
    </ftpServer>
  5. The following issues are specific to the IIS 7.0 release:
    • The FTP service that is shipped on the Windows Server 2008 DVD should not be installed after the new FTP service has been installed. The old FTP service does not detect that the new FTP service has been installed, and running both FTP services at the same time may cause port conflicts.
    • IIS 7 can be uninstalled after the new FTP service has been installed, and this will cause the new FTP service to fail. If IIS is reinstalled, new copies of the IIS configuration files will be created and the new FTP service will continue to fail because the configuration information for the new FTP service is no longer in the IIS configuration files. To fix this problem, re-run the setup for the new FTP service and choose “Repair”.

To Add FTP Site from the IIS management Console

Creating a New FTP Site Using IIS 7 Manager

The new FTP service makes it easy to create new FTP sites by providing you with a wizard that walks you through all of the required steps to create a new FTP site from scratch.

Step 1: Use the FTP Site Wizard to Create an FTP Site

In this first step you will create a new FTP site that anonymous users can open.

Note: The settings listed in this walkthrough specify “%SystemDrive%\inetpub\ftproot” as the path to your FTP site. You are not required to use this path; however, if you change the location for your site you will have to change the site-related paths that are used throughout this walkthrough.

  1. Open IIS 7 Manager. In the Connections pane, click the Sites node in the tree.
  2. Right-click the Sites node in the tree and click Add FTP Site, or click Add FTP Site in the Actions pane.
    • Create a folder at “%SystemDrive%\inetpub\ftproot”
    • Set the permissions to allow anonymous access:
      1. Open a command prompt.
      2. Type the following command:
        ICACLS "%SystemDrive%\inetpub\ftproot" /Grant IUSR:R /T
      3. Close the command prompt.
  3. When the Add FTP Site wizard appears:
    • Enter “My New FTP Site” in the FTP site name box, then navigate to the %SystemDrive%\inetpub\ftproot folder that you created in the Prerequisites section. Note that if you choose to type in the path to your content folder, you can use environment variables in your paths.
    • When you have completed these items, click Next.
  4. On the next page of the wizard:
    • Choose an IP address for your FTP site from the IP Address drop-down, or choose to accept the default selection of “All Unassigned.” Because you will be using the administrator account later in this walk-through, you must ensure that you restrict access to the server and enter the local loopback IP address for your computer by typing “127.0.0.1” in the IP Address box. (Note: If you are using IPv6, you should also add the IPv6 localhost binding of “::1”.)
    • Enter the TCP/IP port for the FTP site in the Port box. For this walk-through, choose to accept the default port of 21.
    • For this walk-through, do not use a host name, so make sure that the Virtual Host box is blank.
    • Make sure that the Certificates drop-down is set to “Not Selected” and that the Allow SSL option is selected.
    • When you have completed these items, click Next.
  5. On the next page of the wizard:
    • Select Anonymous for the Authentication settings.
    • For the Authorization settings, choose “Anonymous users” from the Allow access to drop-down, and select Read for the Permissions option.
    • When you have completed these items, click Finish.

Summary

You have successfully created a new FTP site using the new FTP service. To recap the items that you completed in this step:

  1. You created a new FTP site named “My New FTP Site”, with the site’s content root at “%SystemDrive%\inetpub\ftproot”.
  2. You bound the FTP site to the local loopback address for your computer on port 21, and you chose not to use Secure Sockets Layer (SSL) for the FTP site.
  3. You created a default rule for the FTP site to allow anonymous users “Read” access to the files.

Step 2: Adding Additional FTP Security Settings

Creating a new FTP site that anonymous users can browse is useful for public download sites, but web authoring is equally important. In this step, you add additional authentication and authorization settings for the administrator account. To do so, follow these steps:

  1. In IIS 7 Manager, click the node for the FTP site that you created earlier, then double-click FTP Authentication to open the FTP authentication feature page.
  2. When the FTP Authentication page displays, highlight Basic Authentication and then click Enable in the Actions pane.
  3. In IIS 7 Manager, click the node for the FTP site to re-display the icons for all of the FTP features.
  4. You must add an authorization rule so that the administrator can log in. To do so, double-click the FTP Authorization Rules icon to open the FTP authorization rules feature page.
  5. When the FTP Authorization Rules page is displayed, click Add Allow Rule in the Actions pane.
  6. When the Add Allow Authorization Rule dialog box displays:
    • Select Specified users, then type “administrator” in the box.
    • For Permissions, select both Read and Write.
    • When you have completed these items, click OK.

Summary

To recap the items that you completed in this step:

  1. You added Basic authentication to the FTP site.
  2. You added an authorization rule that allows the administrator account both “Read” and “Write” permissions for the FTP site.

Step 3: Logging in to Your FTP Site

In Step 1, you created an FTP site that anonymous users can access, and in Step 2 you added additional security settings that allow an administrator to log in. In this step, you log in anonymously and then with your administrator account.

Note: In this step log in to your FTP site using the local administrator account. When creating the FTP site in Step 1 you bound the FTP site to the local loopback IP address. If you did not use the local loopback address, use SSL to protect your account settings. If you prefer to use a separate user account instead of the administrator account, set the correct permissions for that user account for the appropriate folders.

Logging in to your FTP site anonymously

  1. On your FTP server, open a command prompt session.
  2. Type the following command to connect to your FTP server: FTP localhost
  3. When prompted for a user name, enter “anonymous”.
  4. When prompted for a password, enter your email address.

You should now be logged in to your FTP site anonymously. Based on the authorization rule that you added in Step 1, you should only have Read access to the content folder.

Logging in to your FTP site using your administrator account

  1. On your FTP server, open a command prompt session.
  2. Type the following command to connect to your FTP server: FTP localhost
  3. When prompted for a user name, enter “administrator”.
  4. When prompted for a password, enter your administrator password.

You should now be logged in to your FTP site as the local administrator. Based on the authorization rule that you added in Step 2 you should have both Read and Write access to the content folder.

Summary

To recap the items that you completed in this step:

  1. You logged in to your FTP site anonymously.
  2. You logged in to your FTP site as the local administrator.
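
The note in Step 3 (use SSL when the site is not bound to the loopback address) can be checked against a copy of applicationHost.config. The following is an added example, not part of the original walkthrough: it flags FTP sites where Basic authentication is enabled, a binding is reachable beyond loopback, and the control channel policy does not require SSL. The sample configuration, the two extra site names, and the fallback policy used when nothing is set are assumptions.

```python
import xml.etree.ElementTree as ET

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1"}
# controlChannelPolicy values that keep the user name and password off a clear-text channel
CREDENTIAL_SAFE_POLICIES = {"SslRequire", "SslRequireCredentialsOnly"}
# Assumption: value applied when neither the site nor <siteDefaults> sets a policy
ASSUMED_DEFAULT_POLICY = "SslRequire"

# Constructed sample, not taken from a real server. "My New FTP Site" mirrors the
# walkthrough; "Published FTP Site" and "Hardened FTP Site" are hypothetical.
SAMPLE_CONFIG = r"""
<configuration>
  <system.applicationHost>
    <sites>
      <siteDefaults>
        <ftpServer><security>
          <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" />
        </security></ftpServer>
      </siteDefaults>
      <site name="Default Web Site" id="1">
        <bindings><binding protocol="http" bindingInformation="*:80:" /></bindings>
      </site>
      <site name="My New FTP Site" id="2">
        <application path="/">
          <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\ftproot" />
        </application>
        <bindings>
          <binding protocol="ftp" bindingInformation="127.0.0.1:21:" />
          <binding protocol="ftp" bindingInformation="[::1]:21:" />
        </bindings>
        <ftpServer><security>
          <authentication>
            <anonymousAuthentication enabled="true" />
            <basicAuthentication enabled="true" />
          </authentication>
        </security></ftpServer>
      </site>
      <site name="Published FTP Site" id="3">
        <bindings><binding protocol="ftp" bindingInformation="*:21:" /></bindings>
        <ftpServer><security>
          <authentication><basicAuthentication enabled="true" /></authentication>
        </security></ftpServer>
      </site>
      <site name="Hardened FTP Site" id="4">
        <bindings><binding protocol="ftp" bindingInformation="*:21:" /></bindings>
        <ftpServer><security>
          <ssl serverCertHash="PLACEHOLDER_THUMBPRINT" controlChannelPolicy="SslRequire" />
          <authentication><basicAuthentication enabled="true" /></authentication>
        </security></ftpServer>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
"""


def _setting(site, defaults, path, attribute, fallback):
    """Read an attribute from the site, then from <siteDefaults>, then use the fallback."""
    for scope in (site, defaults):
        element = scope.find(path) if scope is not None else None
        if element is not None and element.get(attribute) is not None:
            return element.get(attribute)
    return fallback


def _binding_address(binding_information):
    """Return the IP part of 'IP:port:hostname'; IPv6 addresses are bracketed."""
    return binding_information.rsplit(":", 2)[0].strip("[]")


def audit_ftp_sites(config_xml):
    """Return one finding per site that has at least one FTP binding."""
    root = ET.fromstring(config_xml.strip())
    defaults = next(root.iter("siteDefaults"), None)
    findings = []
    for site in root.iter("site"):
        addresses = [_binding_address(b.get("bindingInformation", ""))
                     for b in site.iter("binding") if b.get("protocol") == "ftp"]
        if not addresses:
            continue  # web-only site, nothing to check
        basic = _setting(site, defaults,
                         "ftpServer/security/authentication/basicAuthentication",
                         "enabled", "false").lower() == "true"
        policy = _setting(site, defaults, "ftpServer/security/ssl",
                          "controlChannelPolicy", ASSUMED_DEFAULT_POLICY)
        exposed = [a for a in addresses if a not in LOOPBACK_ADDRESSES]
        findings.append({
            "site": site.get("name"),
            "exposed_bindings": exposed,
            "basic_auth": basic,
            "control_channel_policy": policy,
            # Basic auth + reachable binding + SSL merely optional = password may cross in clear text
            "cleartext_credentials": basic and bool(exposed)
                                     and policy not in CREDENTIAL_SAFE_POLICIES,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_ftp_sites(SAMPLE_CONFIG):
        status = "REVIEW" if finding["cleartext_credentials"] else "ok"
        print(f'{status:6} {finding["site"]}: bindings={finding["exposed_bindings"]} '
              f'policy={finding["control_channel_policy"]}')
```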

Publish FTP site from Forefront TMG 2010

Let’s begin

Note:
Keep in mind that the information in this article is based on a release candidate version of Microsoft Forefront TMG and is subject to change.

A few months ago, Microsoft released RC 1 (Release Candidate) of Microsoft Forefront TMG (Threat Management Gateway), which has a lot of new exciting features.

One of the new features of Forefront TMG is its ability to allow FTP server traffic through the Firewall in both directions. It does this in the form of Firewall access rules for outbound FTP access and with server publishing rules for inbound FTP access through a published FTP Server. This server is located in your internal network or a perimeter network, also known as a DMZ (if you are not using public IP addresses for the FTP Server in the DMZ).

First, I will show you the steps you will need to follow in order to create a Firewall rule which will allow FTP access for outgoing connections through TMG.

FTP access rule

Create a new access rule which allows the FTP protocol for your clients. If you want to allow FTP access for your clients, the clients must be Secure NAT or TMG clients, also known as the Firewall client in previous versions of Forefront TMG.

Please note:
If you are using the Web proxy client, note that only read-only FTP access is possible through this type of client. You cannot use a classic FTP client; only FTP access through a web browser is possible, with some limitations.

The following picture shows a FTP access rule.

Figure 1: FTP access rule

A well-known pitfall since ISA Server 2004 is that, by default, a newly created FTP access rule allows only read-only FTP access. This is a security measure that prevents users from uploading confidential data outside the organization without permission. If you want to enable FTP uploads, right-click the FTP access rule, and then click Configure FTP.

Figure 2: Configure FTP

All you have to do is remove the read only flag, wait for the new FTP connection to be established, and the users get all the necessary permissions to carry out FTP uploads.

Figure 3: Allow write access through TMG

FTP Server publishing

If you want to allow incoming FTP connections to your internal FTP servers, or to FTP servers located in the DMZ, you have to create server publishing rules if the network relationship between the external and the internal/DMZ network is NAT. If you are using a route network relationship, it is possible to use Firewall rules to allow FTP access.

To gain access to an FTP server in your internal network, create an FTP server publishing rule.

Simply start the new Server Publishing Rule Wizard and follow the instructions.

For the protocol, select the FTP Server protocol definition, which allows inbound FTP access.

Figure 4: Publish the FTP-Server protocol

The standard FTP Server protocol definition uses the associated standard protocol, which NIS can use for inspection if a NIS signature is available.

Figure 5: FTP-Server protocol properties

The Standard FTP Server protocol definition allows FTP Port 21 TCP for inbound access and the protocol definition is bound to the FTP access filter which is responsible for the FTP protocol port handling (FTP Data and FTP control port).

Figure 6: FTP ports and FTP Access Filter binding

Active FTP

One of the changes in Microsoft Forefront TMG is that, for security reasons, the Firewall no longer allows Active FTP connections by default. You have to manually allow the use of Active FTP connections. It is possible to enable this feature in the properties of the FTP access filter. Navigate to the System node in the TMG management console, select the Application Filters tab, select the FTP Access filter and in the task pane click Configure Selected Filter (Figure 7).

Figure 7: FTP Access filter properties

In the FTP access filter properties select the FTP Properties tab and enable the checkbox Allow Active FTP Access and save the configuration to the TMG storage.

Figure 8: Allow Active FTP through TMG

FTP alerts

Forefront TMG comes with a lot of predefined alert settings for several components and events. One of them is the alert for the FTP Filter Initialization Warning. This alert informs the administrator when the FTP filter fails to parse the allowed FTP commands.

Figure 9: Configure FTP alert options

The alert actions are almost the same as in ISA Server 2006, so there are no new things to explain for experienced ISA Administrators.

Conclusion

In this article, I showed you some ways to allow FTP access through the TMG Server. There are some pitfalls for a successful FTP implementation. One pitfall, present since the introduction of ISA Server 2004, is allowing FTP write access through the Firewall; the other pitfall is new to Forefront TMG. Forefront TMG does not allow Active Mode FTP connections by default, so you have to manually activate this feature if you really need this type of special configuration.


Using the Microsoft Offline Virtual Machine Servicing Tool Version 2.1 with WSUS (Part 2)

Posted by Alin D on September 10, 2010

Introduction

In Part I of this article, you were introduced to the Microsoft Offline Virtual Machine Servicing Tool, Version 2.1, and how it can help you to resolve the problem of updating offline virtual machines stored in a VMM library. In Part II of the article series, I will cover the OVMST 2.1 installation requirements and give step-by-step procedures to install and configure OVMST 2.1, and to configure and store target VMs as offline virtual machines in a VMM library. You will also learn how to create and monitor an OVMST 2.1 servicing job.

Overview

There are several steps required to install, configure, and use OVMST 2.1 in conjunction with Windows Software Update Services (WSUS) to update offline virtual machines. The procedures in this article will walk you through the following steps:

  • Installing and configuring OVMST 2.1 on a VMM server
  • Configuring Group Policy to identify the WSUS server
  • Configuring virtual machine client firewall settings
  • Storing virtual machine clients as offline virtual machines in a VMM library
  • Configuring OVMST 2.1 to perform offline virtual machine updates
  • Monitoring an OVMST 2.1 servicing job

Before proceeding with OVMST 2.1 installation, you must ensure that the environment into which it is deployed includes the following infrastructure services:

  • Active Directory Domain Services (ADDS)
  • DNS and DHCP Services
  • Windows Software Update Services 3.0 SP1 or later version
  • System Center Virtual Machine Manager 2008 or later version
  • Virtual Server 2005 R2 SP1, Hyper-V, or Hyper-V R2

Even though this article focuses on integrating OVMST 2.1 with WSUS, you can also integrate it with System Center Configuration Manager 2007 SP1 or later version, if that is your standard software update distribution system.

OVMST 2.1 Installation Assumptions

The procedures presented in this article assume that the following components are already deployed, configured, and operating in your environment:

  • Windows Software Update Services 3.0 SP2 (WSUS 3.0 SP2)
  • System Center Virtual Machine Manager 2008 R2 (VMM 2008 R2)
  • Windows Server 2008 R2 Hyper-V

With the exception of Windows Server 2008 R2 Hyper-V, which must be installed on a physical machine, all other components can be installed on either physical or virtual machines.

The System Center VMM 2008 R2 server must have the following components installed:

  • VMM Server
  • VMM Administrator Console
  • VMM Library

Although the VMM roles are not required to be installed on a single server, OVMST 2.1 must be installed on the same server as the VMM Administrator Console because it provides Windows PowerShell support.

In a production environment, it is also a best practice to create a new host group on your VMM server that includes one or more Hyper-V hosts that will be used to deploy and service offline virtual machines, and perform other maintenance tasks. Hyper-V maintenance hosts should be excluded in the placement and execution of production virtual machines. In an environment with limited physical hardware, you can forgo this step and use the default Hyper-V host group and Hyper-V hosts. However, you should anticipate that OVMST servicing jobs may impact the performance of your Hyper-V hosts.

Installing and configuring OVMST 2.1 on a VMM server

The following procedure provides the steps to install OVMST 2.1 and modify VMM server configuration settings to support it. You must perform these steps on the server where the VMM Administrator Console is installed.

Setting the Windows PowerShell Execution Policy

Before installing OVMST 2.1, you must change the execution policy on the server to require downloaded scripts to be signed by a trusted publisher before they can be executed.

  1. Log into the server where the VMM Administrator Console is installed and open a VMM PowerShell command window. You can launch it by selecting Start | All Programs | Microsoft System Center | Virtual Machine Manager 2008 R2, and then select Windows PowerShell – Virtual Machine Manager.

Figure 1

  2. In the VMM PowerShell command window, type get-executionpolicy and it should come back with Restricted.

Figure 2

  3. In the VMM PowerShell command window, type set-executionpolicy remotesigned.
  4. When prompted, enter Y (for Yes) to accept the execution policy change, and then press Enter.
  5. Close the Windows PowerShell command window.

Installing OVMST 2.1 on the VMM Server

  1. In a temporary directory on your VMM server, download and extract the OVMST 2.1 files.
  2. From the directory where you extracted the OVMST 2.1 files, launch the OVMST 2.1 installation by double-clicking on OfflineVMServicing_x64.msi (use OfflineVMServicing_x86.msi for 32-bit installation), and select Run when prompted.

Figure 3

  3. On the Microsoft Offline Virtual Machine Servicing Tool Setup Wizard page, click Next.

Figure 4

  4. On the End-User License Agreement page, select I accept the terms in the License Agreement, and click Next.

Figure 5

  5. On the Features To Install page, click Next.

Figure 6

  6. On the Ready to Install page, click Install.

Figure 7

  7. On the Completing the Microsoft Offline Virtual Machine Servicing Tool Setup Wizard page, click Finish to complete the installation.

Figure 8

  8. OVMST 2.1 will install in the C:\Program Files\Microsoft Offline Virtual Machine Servicing Tool directory.

Copying and Configuring the PsExec Utility on the VMM Server

After the installation of OVMST 2.1, you must also download the PsExec utility (which is part of the PsTools set) to the VMM server and unblock it on the server. The PsExec utility allows remote execution of OVMST processes on client virtual machines during servicing jobs.

  1. In a temporary directory on your VMM server, download the PsTools files.

Figure 9

  2. Select the psexec.exe and pdh.dll files, and copy them to the C:\Program Files\Microsoft Offline Virtual Machine Servicing Tool\Bin folder.

Figure 10

  3. In the list of files in the Bin folder, right-click psexec.exe, and then click Properties.

Figure 11

  4. Near the bottom of the dialog box, click Unblock, and then click OK.
  5. Repeat steps 3 and 4 for the pdh.dll file.

Configuring Active Directory and Group Policy to Identify the WSUS Server

When you are using WSUS to manage software updates, you must create a group policy object (GPO) that configures the WSUS server settings to be used for offline virtual machine servicing. You may want to consider creating a new Active Directory (AD) container and placing the virtual machine clients in it to link and more strictly enforce the GPO.

  1. On an Active Directory Domain Controller (DC) in your domain, open the Group Policy Management Console (gpmc.msc).

Figure 12

  2. Select the container to which you want to link the GPO (WSUS in the figure below), right-click, and select Create A GPO In This Domain, And Link It Here from the menu.

Figure 13

  3. Enter a name for the new GPO, and click OK.

Figure 14

  4. In the Domain tree, right-click the GPO and select Edit.

Figure 15

  5. In the Group Policy Management Editor, navigate to Computer Configuration | Policies | Administrative Templates: Policy Definitions | Windows Components | Windows Update.
  6. Enable the following settings:
    1. Configure Automatic Updates
    2. Specify Intranet Microsoft Update Service Location
    3. Allow Automatic Updates Immediate Installation
  7. In the settings for Specify Intranet Microsoft Update Service Location, make sure to enter the URL for the WSUS server.

Figure 16

  8. Close the Group Policy Management Editor.
  9. Close the Group Policy Management Console.

Configuring Virtual Machine Client Firewall Settings

The following procedure prepares a virtual machine for offline update servicing by modifying configuration settings to allow communication through the Windows client firewall.

  1. Connect to the virtual machine client and open Control Panel.

Figure 17

  2. Under Security, select Allow a program through Windows Firewall.
  3. In the Windows Firewall Settings dialog, under the Program or Port section, check the following selections:
    1. File and Printer Sharing
    2. Remote Administration
    3. Windows Management Instrumentation (WMI)

Figure 18

  4. After making the proper selections, click OK.
  5. Close the Control Panel.

Storing Virtual Machine Clients as Offline Virtual Machines in a VMM library

After you have configured a virtual machine client and it is ready to store, you use the VMM Store In Library feature to transform it into an offline virtual machine and store it in the VMM library.

  1. Log into the VMM server and launch the VMM Administrator Console.
  2. Select the Virtual Machines workspace, right-click the desired virtual machine, and select Store In Library from the menu.


Figure 19

  1. In the Store Virtual Machine Wizard, on the Select Library Server page, select the VMM server, and then click Next.


Figure 20

  1. On the Select Path page, enter the path to the VMM library share in which to store the virtual machine, and then click Next.


Figure 21

  1. On the Summary page, review the settings, and then click Store.


Figure 22

  1. A Jobs dialog box will display to allow you to monitor the progress of the job.
  2. When the job completes successfully, close the Jobs dialog box.

Configuring OVMST 2.1 to Perform Offline Virtual Machine Updates

After you have converted all of your virtual machine clients into offline virtual machines that are stored in the VMM library, you can configure the OVMST 2.1 tool, create a virtual machine group, and then create a servicing job.

Configuring OVMST 2.1 Settings

  1. Ensure that you are logged in to the VMM server with Domain Administrator credentials.
  2. On the desktop, click Start and then click on the Microsoft Offline Virtual Machine Servicing tool menu option to launch the OVMST 2.1 Administrator Console.


Figure 23

  1. In the Administration workspace, under the Actions heading, click Configure Tool.


Figure 24

Note:
The first time that you start the OVMST 2.1 tool, you must complete the Configure Tool wizard. The wizard establishes the connections between the tool and the other applications and services that are used to update offline virtual machines.

  1. In the Configure Tool wizard, on the Configure Server page, enter the following information:

    a.    VMM Server

    b.    WSUS Server


Figure 25

Note:
You should configure either the Configuration Manager Primary Site Server or WSUS Server, not both.

  1. After you enter the information, click Next.
  2. On the Configure Maintenance Hosts page, select your Hyper-V host, and then click Next.


Figure 26

  1. On the Configure Global Settings page, enter a value of 30 for each of the time-out settings.


Figure 27

  1. Click Finish to close the Configure Tool wizard.

Creating a virtual machine group

  1. In the left pane of the OVMST 2.1 Administrator Console, select the Virtual Machine Groups workspace.


Figure 28

  1. In the Actions pane, under Virtual Machine Groups, select the New Group option.


Figure 29

  1. In the New Group wizard, on the Create A Virtual Machine Group page, enter the following information:

    a.    Virtual Machine Group Name

    b.    Virtual Machine Group Description


Figure 30

  1. Move the offline virtual machines from Available to Selected.
  2. Click Finish.
  3. In the Virtual Machine Groups workspace, verify that the Vista Machine Group was successfully created and that the offline virtual machines were added to the new group.

Creating and running an OVMST 2.1 Servicing Job

  1. In the left pane of the OVMST 2.1 Administrator Console, select the Servicing Jobs workspace.


Figure 31

  1. In the Actions pane, under Servicing Jobs, select the New Servicing Job option.
  2. In the New Servicing Job wizard, on the Configure Job Type page, enter the following information:

    a.    Servicing Job Name


Figure 32

Note:
Make sure that you do not enter any spaces in the servicing job name. Although the UI does not flag this as an issue, the job will fail if you enter a job name that includes spaces.

  1. In the Software Update Management System section, verify that the WSUS option is selected, and then click Next.
  2. On the Select Virtual Machines page, verify that the Select Virtual Machines From A Group option is selected, and that the correct Machine Group is selected. Then move the offline virtual machine from Available to Selected, and click Next.


Figure 33

  1. On the Select A Network page, select the Use The Configured Virtual Machine Network option if you want the offline virtual machine to be connected to the previously configured virtual network, or select Use An Isolated Virtual LAN if you will use a VLAN to isolate the offline virtual machines during the servicing job.


Figure 34

  1. When you have completed your selection, click Next.
  2. On the Select Maintenance Hosts page, move your Hyper-V host from Available Maintenance Hosts to Maintenance Hosts To Use For This Servicing Job, and click Next.


Figure 35

  1. On the Configure Account Information page, enter account credentials with local administrator privileges on the offline virtual machines, and then click Next.


Figure 36

  1. On the Schedule the Servicing Job page, select the Run The Servicing Job Now option to run the servicing job immediately, or select Schedule The Servicing Job and enter the date and time to schedule the job. You may also specify job recurrence, if needed.


Figure 37

  1. When you have completed your selection, click Finish.

Monitoring an OVMST 2.1 Servicing Job

Once an OVMST 2.1 servicing job has started, you can monitor the servicing job and verify that the virtual machines are being updated.

In the OVMST 2.1 Administrator Console, select the Servicing Jobs workspace in order to monitor its progress. By selecting the job that you just created (or that is running), you can monitor the job details. At the beginning of the job, the status should reflect that a virtual machine is being moved out of the VMM library to be deployed on the Hyper-V host. Once a virtual machine is deployed, the status will then change to reflect that the update cycle was initiated.  As new updates are installed, a virtual machine may require a restart. The servicing job monitors and ensures that a virtual machine properly restarts. When the update cycle is complete, the status will reflect that the virtual machine is being moved back into the VMM library.

You can monitor the deployment of virtual machines from the VMM library onto maintenance hosts using the VMM Administrator Console. In the VMM Administrator Console, simply select the VMM library workspace, and then select the virtual machine to monitor. You can then review task details as the virtual machine is moved from the VMM library share to the maintenance host storage location. It is also possible to monitor the virtual machine deployment using the Hyper-V Manager.

If you encounter any errors, or after a servicing job successfully completes, you can review the OVMST 2.1 job logs stored in the %SystemDrive%\Program Files\Microsoft Offline Virtual Machine Servicing Tool\Log folder. As shown in the figure below, two log files are created for each OVMST servicing job.


Figure 38

The log that begins with the JOB_DBG prefix contains a list of all the scripts and processes that executed during the servicing job, as well as the completion status. The information contained in the log can help you pinpoint the cause of problems that may occur during a servicing job.

Conclusion

In Part I of this article, you were introduced to the Microsoft Offline Virtual Machine Servicing Tool, Version 2.1 and how it can help you to resolve the problem of updating offline virtual machines stored in a VMM library. In Part II of the article, you learned about OVMST 2.1 installation requirements, how to install and configure OVMST 2.1, how to configure and store target VMs as offline virtual machines in a VMM library, and how to create and monitor an OVMST 2.1 servicing job.

Posted in TUTORIALS, Windows 2008

Microsoft Deployment Toolkit 2010: Using MDT to Prepare, Install and Capture customized Windows 7 Images – Part I

Posted by Alin D on September 9, 2010

The Microsoft Deployment Toolkit team has released the first beta of its next version, Microsoft Deployment Toolkit 2010 (you can access the Beta program from Microsoft Connect and download the build). This new version includes several improvements, but perhaps the most important ones are related to Windows 7 and Windows Server 2008 R2 compatibility.

Some of the New Features

  • Support for deploying: Windows 7 and Windows Server 2008 R2
  • Hard Link Migrations using USMT 4 (User State Migration Tool).
  • Integration with new Windows Automated Installation Kit (WAIK) 2.0 toolset such as BCDBOOT and Windows PE 3.0.
  • The DISM tool (Dism.exe) included with WAIK 2.0 replaces three tools from the previous version: Pkgmgr.exe (Package Manager), Intlcfg.exe (International Settings Configuration Tool) and PEimg.exe (Windows PE command-line tool).

If you are planning to implement Windows 7 in your environment, or you want to start getting to know this new version of Microsoft Deployment Toolkit, I’ve prepared these step-by-step guides that will cover almost everything you need to know about MDT 2010 and automated Windows 7 deployment with personalized images.

These posts will cover the Lite Touch Installation (LTI) type of deployment of Windows 7 (Zero Touch Installation with System Center Configuration Manager 2007 is not currently supported with these Beta versions).

What are we going to achieve? We will add Windows 7 to MDT and include applications (Office 2007) to be deployed within the operating system to generate a reference image. Finally, we’ll capture this reference image (in a single .wim file) and make it available for a massive deployment with MDT 2010.

Requirements

Note: LTI deployment does not require Windows Deployment Services (WDS) in order to work, but in this guide we treat WDS as a requirement and use it only to PXE boot the WindowsPE images.

Environment

  • Active Directory and DNS
  • DHCP properly configured for WDS.
  • Windows Deployment Services (WDS) configured.
  • Windows 7 source files.

Note: WDS must be configured to work together with DHCP.

Server

  • Windows Server 2003 SP2, Windows Server 2008, Windows Server 2008 R2 Beta
  • Windows Automated Installation Kit (WAIK) 2.0.
    You can download WAIK 2.0 from this link (English).

Installation

You won’t have any problem installing MDT 2010. There’s only a simple wizard to complete.

To verify that the installation completed successfully and all the necessary components are installed: Open “Deployment Workbench” snap-in from Start Menu, and check “Information Center” > “Components” > “Installed”.

MDT 2010 First Configurations

These initial configurations don’t differ from MDT 2008:

  1. Create the distribution share.
  2. Add operating system files to the distribution share.
  3. Create a task sequence for the reference computer.
  4. Create a deployment point.

Create the Distribution Share

This is the folder where the MDT files (OS, applications, drivers, etc) will be kept.

1. Open “Deployment Workbench”. Right click on “Distribution Share”  > “Create a Distribution Share Directory”.

2. Select a folder. Click on “Finish”. Recommendation: Use a separate partition like “E:\Distribution”.

Add Windows 7 Operating System

Here we are going to add the OS to be deployed and create the reference image.

1. On “Deployment Workbench” > “Distribution Share”, right-click on “Operating Systems” > “New”.

2. Choose the type of OS to add. Select “Full set of source files” and click on “Next”.

3. Select the Source Directory. In my case, I have the Windows 7 x64 files copied to the hard drive, so I also mark the option “Move the files to the distribution share instead of copying them”. Click on “Next”.

4. Select a directory name. And click on “Finish”.

Now all the files will be moved to the Distribution Share folder and should appear as available after it completes.

Create the Task Sequence

This is where we define the steps involved in the installation process for the target computer.

1. “Deployment Workbench” > “Distribution Share” > “Task Sequences” > “New”.

2. Enter a “Task Sequence ID”: “Win7”; and a “Task Sequence Name”: “Deploy Windows 7”.

3. Select “Standard Client Task Sequence”.

4. Select the version of the OS to be deployed, in this case “Windows 7 ULTIMATE”.

5. Enter the OS settings. “Full Name”, “Organization” and “Internet Explorer Home Page”.

6. Specify Administrator’s password. And click on “Finish”.

Create a Deployment Point

Here we’ll define the rules and parameters involved in the deployment.

1. “Deployment Workbench” > “Deploy” > “Deployment Points” > “New”.

2. Since we are going to use the distribution share on this computer, select “Lab or single-server deployment”.

3. Select a deployment point name “LAB”.

4. Leave the options for the upgrade scenarios deselected.

5. Select “Ask if an image should be captured”.

6. Leave deselected the option “Ask user to set the local Administrator Password” (already included on the task sequence).

7. Leave deselected the option “Ask user for a product key”.

8. On the next step, the Distribution (“Distribution$”) folder should be selected as the Share. Click on “Next”.

9. Select “Automatically determine the location on the network”. And click on “Finish”.

Now that the deployment point is created, we have to generate the boot media from it; this media will be used to create the reference computer.

10. “Deployment Workbench” > “Deploy” > “Deployment Points” > “LAB” > “Properties”.

11. On the “General” tab, check the “x64” option under “Platforms Supported”. You can also verify other options, such as drivers or the background image, on the “WindowsPE” tab.

12. Now generate the boot files: “Deployment Workbench” > “Deploy” > “Deployment Points” > “LAB” > “Update”.

This last step could take several minutes to complete, so be patient. It takes a while to generate from scratch the ISO and WIM files used to boot environments. After it completes, you can find LiteTouchPE files inside “%distribution%Boot

Notice that I haven’t used the “Out-of-Box Drivers” option. Windows 7 contains almost every hardware driver available on the market, so you won’t have much of a problem with this. But MDT has a simple and effective way to handle device drivers, using “Groups” to which you can add specific files depending on your needs. For example, you could have one group of drivers with all the files for a specific model of notebook, and another for desktops.

We’ll review how to handle applications, specifically Office 2007, within an MDT deployment in the next posts.

Posted in TUTORIALS

Create a Task Sequence using PowerShell to Rename Local Administrator Account – Microsoft Deployment Toolkit

Posted by Alin D on September 9, 2010

I am working on creating a Windows 7 image using MDT 2010, and one of the requests is to rename the local administrator account in the image. I did this in the XP build without any problem: rename the local admin account, then capture the image. The deployed image keeps my renamed local admin account. But with a Windows 7 image, I just can’t do that! I rename the admin account and capture the image, but when I deploy the captured image, the local admin account reverts back to “administrator”. The indication is that this is by design; it may have something to do with UAC?

Here is my solution: I built my “gold” image without trying to rename the local admin account. I then deploy the captured image but add a task sequence to rename the local admin account. There are some ways to do this, but with my PowerShell roots, I decided to accomplish it using PowerShell! Michael Niehaus has a blog post about how to create a task sequence using PowerShell. All we need to do is save our PowerShell script in the %ScriptRoot% folder and then reference it in the Task Sequence like this:

PowerShell.exe -File "%ScriptRoot%\RenameLocalAdmin.ps1"

But there is a catch: as we know, by default PowerShell sets the execution policy to “Restricted”. In order to run our PowerShell script, we need to change the execution policy to at least “RemoteSigned”.


Here is the exact command, inspired by this thread:

Powershell.exe -command "Set-ExecutionPolicy RemoteSigned; cpi z:\scripts\RenameLocalAdmin.ps1 -Destination c:\; c:\RenameLocalAdmin.ps1; ri c:\RenameLocalAdmin.ps1; Set-ExecutionPolicy Restricted"

What it does is set the ExecutionPolicy to “RemoteSigned”;

copy our script from %ScriptRoot% locally to the C drive;

run the script, and delete the script from the C drive;

and, last but not least, set the ExecutionPolicy back to “Restricted”.

Here is what’s in my RenameLocalAdmin.ps1

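# Bind to the local account named "Administrator" through the ADSI WinNT provider
$admin = [adsi]"WinNT://./Administrator,user"
# Rename it; replace "whatever" with the new account name
$admin.psbase.Rename("whatever")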

So now with this technique, running PowerShell Task Sequence in MDT 2010 is as easy as 1 – 2 – 3! :)
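A variant of the rename step, as an added example that is not the post's own script: it finds the built-in administrator by its well-known RID (500) instead of by the name "Administrator", and it is started with a per-process execution policy so the machine-wide policy never has to be changed and restored. The file name Rename-BuiltinAdmin.ps1 and the -NewName parameter are hypothetical.

```powershell
# Rename-BuiltinAdmin.ps1 -- added example; file name and -NewName are hypothetical.
# Task sequence command line (the -ExecutionPolicy switch applies to this one
# process only, so no Set-ExecutionPolicy before and after, and no local copy):
#   PowerShell.exe -NoProfile -ExecutionPolicy Bypass -File "%ScriptRoot%\Rename-BuiltinAdmin.ps1" -NewName "whatever"
param(
    [Parameter(Mandatory = $true)]
    [string]$NewName
)

$ErrorActionPreference = 'Stop'

# Local account names are limited to 20 characters and may not contain
# any of these characters: " / \ [ ] : ; | = , + * ? < >
if ($NewName.Length -gt 20 -or $NewName -match '["/\\\[\]:;|=,+*?<>]') {
    throw "'$NewName' is not a valid local account name."
}

# Enumerate local accounts once; the built-in administrator is the one whose
# SID ends in -500, whatever it is currently called (localized or renamed).
$local   = @(Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True")
$builtin = $local | Where-Object { $_.SID -match '^S-1-5-21-\d+-\d+-\d+-500$' }
if (-not $builtin) {
    throw 'No local account with RID 500 was found.'
}

# Idempotent: a second run of the task sequence step is not an error.
if ($builtin.Name -eq $NewName) {
    Write-Output "Built-in administrator is already named '$NewName'."
    exit 0
}

# Refuse to collide with a different existing local account.
$clash = $local | Where-Object { $_.Name -eq $NewName -and $_.SID -ne $builtin.SID }
if ($clash) {
    throw "Another local account is already named '$NewName'."
}

# Same ADSI WinNT rename as the post, but bound to the discovered name.
$oldName = $builtin.Name
$user = [adsi]("WinNT://./{0},user" -f $oldName)
$user.psbase.Rename($NewName)

# Verify by SID that the rename took effect before reporting success.
$after = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -eq $builtin.SID }
if ($after.Name -ne $NewName) {
    throw "Rename did not take effect; account is still '$($after.Name)'."
}
Write-Output ("Renamed '{0}' (SID {1}) to '{2}'." -f $oldName, $builtin.SID, $NewName)
```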

Posted in Windows 7

Sysprep in Windows Vista and Windows Server 2008

Posted by Alin D on August 26, 2010

I thought I’d document how to set up the new Sysprep process equivalent on Windows 2008 since the old setupmgr tool for making sysprep.inf’s doesn’t exist anymore (and neither does the sysprep.inf file itself).

The first step is acquiring the Windows Automated Installation Kit (WAIK) from somewhere. You can get this package in ISO file format from Microsoft’s website at http://www.microsoft.com/downloads/details.aspx?FamilyID=94bb6e34-d890-4932-81a5-5b50c657de08&DisplayLang=en. The download is about an 800MB install on a Windows Server 2003 SP2 x86 machine.

The tool of choice for building your Sysprep configuration is the Windows System Image Manager (WSIM). When you start it you’ll get a blank screen like this:

The first step is to catalog the image file. You can do this from Tools>Create Catalog, selecting your install.wim and then what image(s) to catalog. I’m setting up Windows Server 2008 Enterprise so I selected the appropriate option. The final three choices are the server core variants:

Note: You’ll also need to copy the install.wim from your installation media DVD sources folder to the hard drive as the tool won’t work with it if it doesn’t have write access to the WIM file.

All of the settings you will want to set up in your unattend.xml file are in the tree under Windows Image. The documentation for all the settings can be found at http://technet2.microsoft.com/WindowsVista/en/library/69eee519-55a6-440d-ab94-56330ef57e291033.mspx. This link shows a mapping table between the sysprep.inf file and the new unattend.xml format.

All of the various settings can be applied during different passes of the setup process which sysprep will trigger. You can read about these passes here. I built a simple unattend file just for sysprep’ing my base image which includes settings in the generalize, specialize, and oobeSystem passes. All of the settings I chose are outlined below.

My answer file tree:

Disabling the initial configuration dialog:

Disabling auto-starting the server manager application:

Setting my product key, timezone settings, and my name:

Configuring the screen resolution and color depth – 1280×960 is what works in VMware full screen mode with the tabs across the top:

Configuring setup not to show me the EULA again:

Configuring setup to install a default local administrator account password:

One of the things I discovered doing this is that unlike Sysprep from Windows 2000 – 2003, the unattend.xml file isn’t deleted at the conclusion of the Sysprep process. When down-level Sysprep completes, it deletes the c:\sysprep folder. In order to replicate this functionality, you can put a command to delete the unattend.xml file in the SetupComplete.cmd batch file (which must be located in c:\windows\setup\scripts), which gets called at the end of Sysprep. Reference this link for more info.

I put a simple one line command in my SetupComplete.cmd file:

del /Q /F c:\windows\system32\sysprep\unattend.xml

In order to run Sysprep you’ll need to use a new command. The old Sysprep user interface that was there in Windows 2000 – Windows Server 2003 doesn’t really exist anymore. All of the Sysprep command line switches are documented at http://technet2.microsoft.com/WindowsVista/en/library/72cc64e2-a0f3-4516-84fc-097577127fc91033.mspx.

sysprep /generalize /oobe /shutdown /unattend:sysprep.xml

So far this process is working fine for me with Windows Server 2008 Enterprise x86 full installs. I haven’t tried it with server core yet, but if it’s different I’ll post something about that.

Posted in Windows 2008

Sysprep in Windows Server 2008 R2 and Windows 7

Posted by Alin D on August 26, 2010

Note: This post discusses Sysprep as it pertains to Windows 7 and Windows Server 2008 R2. If you’re working with a different version of Windows, check out these posts:

The first step is acquiring the Windows Automated Installation Kit (WAIK) and installing it on a machine. It will run fine on a Windows Vista or Windows Server 2008 machine. You can get it from Microsoft’s website at http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=696dd665-9f76-4177-a811-39c26d3b3b34.

The tool of choice is the Windows System Image Manager (WSIM). When you start it you’ll get a blank screen like this:

The first step is to open the image file for the Windows SKU you want to build a sysprep file for by going to File>Select Windows Image:

Note: You may need to first create a catalog file before completing the preceding step. In order to do this, you’ll first need to copy the install.wim from your installation media DVD sources folder to the hard drive as the tool won’t work with it if it doesn’t have write access to the WIM file. You can then go to Tools>Create Catalog and create the catalog file.

All of the settings you will want to set up in your unattend.xml file are in the tree under Windows Image. The documentation for all the settings can be found in the Unattended Windows Setup Reference CHM file which ships with the WAIK. This link http://technet.microsoft.com/en-us/library/cc749272(WS.10).aspx shows a mapping table between the sysprep.inf file and the new unattend.xml format. This link is for Windows Vista but it still applies.

All of the various settings can be applied during different passes of the setup process which sysprep will trigger. You can read about these passes here. I built a simple unattend file just for sysprep’ing my base image which includes settings in the generalize, specialize, and oobeSystem passes. All of the settings I chose are outlined below.

My answer file tree:

Disabling the initial configuration dialog:

Disabling Server Manager from loading at first run:

Setting the Internet Explorer homepage to “about:blank”, turning off the IE8 Accelerators, and disabling the first run wizard:

Setting Google as my default Search Provider in Internet Explorer:

Note: To do this, you should right click on SearchScopes and Insert New Scope.

There are two versions of Internet Explorer on a 64-bit machine – the 64-bit IE and the 32-bit one. You’ll need to set the settings for them independently. Duplicate the above IE configuration in the wow64_Microsoft-Windows-IE-InternetExplorer_neutral component:

Setting my product key, timezone settings, and my name:

Configuring localization settings – if you want something other than US English, look under Input Locales in the index of the Unattended Windows Setup Reference CHM file referenced earlier:

Configuring the screen resolution and color depth – 1280×960 is what works for me in VMware full screen mode with the tabs across the top:

Configuring setup not to show me the EULA again:

Configuring setup to install a default local administrator account password:

One of the things that’s unlike Sysprep from Windows 2000 – Windows Server 2003 is that the unattend.xml file isn’t deleted at the conclusion of the Sysprep process. The down-level Sysprep deletes the c:\sysprep folder when it finishes. In order to replicate this functionality, you can put a command to delete the unattend.xml file in the SetupComplete.cmd batch file (which must be located in c:\windows\setup\scripts), which gets called at the end of Sysprep.

I put a simple one line command in my SetupComplete.cmd file:

del /Q /F c:\windows\system32\sysprep\unattend.xml

In order to run Sysprep you’ll need a new command. The old Sysprep UI that was there in Windows 2000 – 2003 doesn’t really exist anymore. All of the Sysprep command line switches are documented at http://technet.microsoft.com/en-us/library/dd744330(WS.10).aspx.

sysprep /generalize /oobe /shutdown /unattend:unattend.xml
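Both Sysprep posts above delete the answer file in SetupComplete.cmd because that file carries the local administrator password and product key configured earlier. The following audit, an added example that is not part of either post, checks a deployed machine for answer files that survived and reports which sensitive elements they still contain without printing the values. The helper name Find-LeftoverAnswerFile is hypothetical, and the path list is an assumption: the Sysprep folder used in the posts plus the other locations Windows Setup searches for an answer file.

```powershell
# Added example: report answer files left behind after Sysprep and the
# sensitive elements they still carry. Element values are never printed.
# Find-LeftoverAnswerFile is a hypothetical helper name.

$answerFilePaths = @(
    "$env:WINDIR\System32\Sysprep\unattend.xml",   # file deleted by SetupComplete.cmd in the posts
    "$env:WINDIR\System32\Sysprep\sysprep.xml",    # name passed to /unattend: in the first post
    "$env:WINDIR\Panther\unattend.xml",            # copy cached by Windows Setup
    "$env:WINDIR\Panther\Unattend\unattend.xml",
    "$env:SystemDrive\unattend.xml"
)
$sensitiveElements = 'AdministratorPassword', 'Password', 'ProductKey'

function Find-LeftoverAnswerFile {
    param([string[]]$Path, [string[]]$ElementName)

    foreach ($file in $Path) {
        if (-not (Test-Path $file)) { continue }

        $doc = New-Object System.Xml.XmlDocument
        try { $doc.Load($file) }
        catch {
            # A file that does not parse still should not be on the image.
            New-Object PSObject -Property @{
                File = $file; Pass = '?'; Element = '(unparseable XML)'; PlainText = '?'
            }
            continue
        }

        $hits = 0
        foreach ($name in $ElementName) {
            # local-name() sidesteps the unattend XML namespace.
            foreach ($node in $doc.SelectNodes("//*[local-name()='$name']")) {
                if (-not $node.InnerText.Trim()) { continue }   # already blanked out
                $hits++

                $settings = $node.SelectSingleNode("ancestor::*[local-name()='settings']")
                $pass = if ($null -ne $settings) { $settings.GetAttribute('pass') } else { '' }

                # PlainText=false means the value is only Base64-encoded, not encrypted.
                $pt = $node.SelectSingleNode("*[local-name()='PlainText']")
                $plain = if ($null -ne $pt) { $pt.InnerText } else { 'n/a' }

                New-Object PSObject -Property @{
                    File = $file; Pass = $pass; Element = $name; PlainText = $plain
                }
            }
        }
        if ($hits -eq 0) {
            New-Object PSObject -Property @{
                File = $file; Pass = ''; Element = '(no sensitive elements)'; PlainText = 'n/a'
            }
        }
    }
}

$findings = @(Find-LeftoverAnswerFile -Path $answerFilePaths -ElementName $sensitiveElements)
$findings | Select-Object File, Pass, Element, PlainText | Format-Table -AutoSize

# Non-zero exit lets an image validation step fail when anything was found.
if ($findings.Count -gt 0) { exit 1 }
```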

Posted in Windows 2008

Microsoft System Center Data Protection Manager 2007 SP1 with Hyper-V

Posted by Alin D on August 24, 2010

Introduction

In this article, you will learn about Microsoft System Center Data Protection Manager (DPM) 2007 SP1, and how it can back up Hyper-V configuration information and virtual machines. In addition to reviewing DPM 2007 SP1’s functionality, you will understand how to update Hyper-V and virtual machines for backup using DPM 2007 SP1.

Microsoft DPM 2007 SP1 Overview

If you are looking for a backup solution that supports Hyper-V, take a look at Microsoft System Center Data Protection Manager (DPM) 2007 SP1. DPM 2007 SP1 leverages the Volume Shadow Copy Service (VSS) to allow you to perform backups of Hyper-V configuration information and virtual machines.

More specifically, DPM 2007 SP1 provides backup and recovery for the following Microsoft virtualization products:

  • Windows Server 2008 Hyper-V (full and Server Core installations)
  • Hyper-V Server 2008
  • Virtual Server 2005 R2

DPM 2007 SP1 also supports backup and recovery of Hyper-V clustered servers. In addition, DPM 2007 SP1 is a backup and recovery solution for Windows Server 2008 and other Microsoft applications such as Exchange Server 2007, SQL Server 2008, and Office SharePoint Server 2007. If you want more details on the full range of supported products, take a look at the product website.

Microsoft DPM 2007 SP1 and Hyper-V Backups

Depending on the requirements of your environment, you may choose to perform Hyper-V host-level backups, virtual machine based backups, or backups of applications running in virtual machines. With a Hyper-V host-level backup, you install a DPM agent only on the Hyper-V server, not on each individual virtual machine. This type of backup enables the equivalent of a bare-metal recovery for a virtual machine. However, with this method you cannot recover individual guest operating system or data files. If you require the ability to recover individual virtual machine files and implement host-level backups, you could restore the entire virtual machine to an alternate directory and then restore only the set of files needed to the appropriate virtual machine VHD(s). If you need to provide backup and recovery for only a specific application running in a virtual machine, DPM 2007 SP1 also supports the deployment of an agent to the virtual machine guest operating system.

In order to recover an entire virtual machine, individual files, or an application, you can perform a Hyper-V host-level backup of a virtual machine in conjunction with backups of specific data files or applications using a DPM agent deployed inside the virtual machine guest operating system. However, you should ensure that you work diligently and create a backup schedule for each server that does not include simultaneous backups, or you must ensure that you configure the physical server with the right processor, memory, disk, and network resources to support concurrent backups.

Virtual Machine Online Host-Level Backups

DPM 2007 SP1 can perform online backups of Hyper-V virtual machines for guest operating systems that are supported by Integration Services, as well as virtual machines running on Virtual Server 2005 R2 with guest operating systems supported by Virtual Machine Additions. More specifically, the guest operating system must support the Hyper-V Volume Shadow Copy Integration Services component, as shown in Figure 1.


Figure 1: Hyper-V Volume Shadow Copy Integration Services Component

When DPM 2007 SP1 performs an online backup of a virtual machine, it directs Hyper-V to pause the virtual machine, creates a shadow copy, and then Hyper-V resumes execution of the virtual machine. DPM 2007 SP1 continues to process the shadow copy and copies the backup data set to tape or to another DPM server without significant service interruption.

Virtual Machine Offline Host-Level Backups

DPM 2007 SP1 also supports offline backups of virtual machines with non-VSS-aware guest operating systems. In order to perform an offline backup, DPM 2007 SP1 directs Hyper-V to transition the virtual machine into a saved state, creates the shadow copy, and then Hyper-V brings the virtual machine back online. With this offline backup process, DPM 2007 SP1 minimizes virtual machine service interruption.

Requirements to Back Up Hyper-V and Virtual Machines using DPM 2007 SP1

If you have DPM 2007 servers deployed in your environment, you must perform the following actions before you can successfully back up and recover Hyper-V configuration information and virtual machines using Hyper-V host-level backups:

  • Update Hyper-V servers using KB956697 and KB959962
  • Update virtual machine Integration Services
  • Install DPM 2007 SP1
  • Deploy DPM 2007 SP1 protection agents to Hyper-V servers

KB956697 contains an update for the VMMS service that ensures that the Hyper-V VSS writer is recognized and properly used during VSS-based backups. KB959962 contains updated files for core Hyper-V components, including Integration Services. The updated Integration Services must be installed on supported virtual machines for successful DPM 2007 SP1 backups.

Updating Hyper-V Servers with KB959962

Among other files, installing KB959962 copies a new Vmguest.iso file to the Hyper-V server. This file contains an updated version of the Integration Services that you must install on each supported virtual machine if you want to perform a backup using DPM 2007 SP1.

One way to easily check the Integration Services version currently installed in a virtual machine is to check the version number displayed in the Hyper-V Volume Shadow Copy driver properties. Here are the steps:

  • Open the Hyper-V Manager Console, right-click the virtual machine, and select Connect to start a Virtual Machine Connection session
  • Log into the virtual machine guest operating system, and open the Device Manager in the Control Panel
  • In the Device Manager, expand System Devices, right-click Hyper-V Volume Shadow Copy, and select Properties
  • In the Hyper-V Volume Shadow Copy Properties dialog box, click the Driver tab
  • As shown in the example in Figure 2, the Driver Version property lists the Integration Services version number. In this case, 6.0.6001.18016 is the Integration Services version that was originally released with Hyper-V


Figure 2: Hyper-V Volume Shadow Copy Driver Version

Updating Virtual Machine Integration Services

If you need to update the Integration Services version of one or more virtual machines, follow these steps:

  • Open the Hyper-V Manager Console, right-click the virtual machine, and select Connect to start a Virtual Machine Connection session
  • Log into the guest operating system with an account that has local administrator credentials
  • As shown in Figure 3, click on the Virtual Machine Connection application Action menu, and select Insert Integration Services Setup Disk


Figure 3: Virtual Machine Connection Application Action menu

  • Start Windows Explorer in the virtual machine and double-click the DVD drive
  • As shown in Figure 4, when the Upgrade Hyper-V Integration Services dialog box appears, click OK to start the installation


Figure 4: Upgrade Hyper-V Integration Services dialog box

  • When the installation completes, click Yes to restart the virtual machine
  • After the virtual machine restarts, reconnect using the Virtual Machine Connection Application, and verify that the Hyper-V Volume Shadow Copy Driver Version property is 6.0.6001.22334 or later
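The Device Manager check and the post-upgrade verification described above can be run against several guests at once. The following PowerShell is an added example, not part of the original article: the function name and the guest names are hypothetical, and it assumes the guests accept remote WMI queries from an account with local administrator rights.

```powershell
# Added example: read the "Hyper-V Volume Shadow Copy" driver version in each
# guest over WMI and compare it with the version this article requires.
# Assumptions: Get-IntegrationServicesStatus and the guest names below are
# hypothetical; remote WMI is allowed from the account running the script.

function Get-IntegrationServicesStatus {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # Minimum Integration Services version named in the article.
        [version]$MinimumVersion = '6.0.6001.22334'
    )

    foreach ($computer in $ComputerName) {
        $status = 'Unknown'
        $found  = $null
        try {
            # Win32_PnPSignedDriver reports the value shown on the Driver tab.
            $driver = Get-WmiObject -Class Win32_PnPSignedDriver `
                                    -ComputerName $computer -ErrorAction Stop |
                Where-Object { $_.DeviceName -eq 'Hyper-V Volume Shadow Copy' } |
                Select-Object -First 1

            if (-not $driver) {
                # No driver means Integration Services are not installed, so
                # only an offline (saved state) backup is possible for this guest.
                $status = 'DriverNotFound'
            }
            else {
                $found = [version]$driver.DriverVersion
                if ($found -ge $MinimumVersion) {
                    $status = 'Current'
                }
                else {
                    $status = 'NeedsUpdate'
                }
            }
        }
        catch {
            # Guest unreachable, access denied, and similar failures.
            $status = "QueryFailed: $($_.Exception.Message)"
        }

        New-Object PSObject -Property @{
            ComputerName  = $computer
            DriverVersion = $found
            Status        = $status
        }
    }
}

# Placeholder guest names; replace with your own virtual machines.
Get-IntegrationServicesStatus -ComputerName 'VM-GUEST-01', 'VM-GUEST-02' |
    Select-Object ComputerName, DriverVersion, Status |
    Format-Table -AutoSize
```

A guest still on the original 6.0.6001.18016 release is reported as NeedsUpdate.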

Upgrading to System Center Data Protection Manager 2007 SP1

If you already have DPM 2007 installed on some servers, you can download the DPM 2007 SP1 update from the Microsoft Web site and install the update on each DPM 2007 server.

Here are the major steps to follow so that you can perform Hyper-V server-level backups:

  1. Before you begin, ensure that you do not have any backup jobs in progress or about to start.
  2. Open Windows Explorer, navigate to the directory where you stored the DPM 2007 SP1 update, and double-click the DPM 2007 SP1 update file to begin the installation.
  3. On the Welcome page shown in Figure 5, check for warnings or errors, take appropriate actions, and then click Next.


Figure 5: The DPM 2007 SP1 Installer Welcome page

  4. On the Microsoft Software License Terms page, review the information and then select I Accept, if you agree with the license terms.
  5. Click Next to begin the DPM 2007 SP1 installation.
  6. On the Installation Success page, click Close.
  7. Restart the Hyper-V server.

Enabling Local Data Protection in DPM 2007 SP1

If you have a small test environment or lab, you can install DPM 2007 SP1 on a Hyper-V server and create local backups of the Hyper-V configuration and virtual machines. However, this configuration is not recommended for production environments. In fact, DPM 2007 SP1 will not allow you to perform local backups until you enable the Local Data Protection setting. Fortunately, it is a really simple process that can be performed using the DPM management shell and entering the following command:

Set-DPMGlobalProperty -AllowLocalDataProtection $true

If you want to disable Local Data Protection, use the following command:

Set-DPMGlobalProperty -AllowLocalDataProtection $false

Deploying a DPM 2007 SP1 Protection Agent

Before you can perform host-level backups of virtual machines on remote Hyper-V servers, you must install a DPM protection agent on that server. After installing the DPM 2007 SP1 update, you can utilize the DPM 2007 Administrator Console to enumerate servers joined to the Active Directory that it is able to protect, and present them as targets for a DPM protection agent deployment. You can control the installation of DPM protection agents using the DPM 2007 Administrator Console, Active Directory Group Policy, and other management tools such as System Center Configuration Manager 2007 or Systems Management Server 2003.

Configuring DPM 2007 SP1

After new DPM protection agents are deployed to your Hyper-V servers, you need to configure DPM 2007 SP1 beginning with the allocation of disks to create a storage pool. A storage pool includes one or more dynamic volumes that are used exclusively to store DPM backup data sets. They cannot be shared with other applications, or used to store any other data. Be aware that DPM 2007 SP1 formats new dynamic volumes, so any data previously stored is lost. DPM 2007 SP1 supports Direct Attached Storage (DAS), Storage Area Networks (SAN), and iSCSI disk storage. However, it does not support removable USB/1394 disks.

After you configure a DPM 2007 SP1 storage pool, you must configure a protection group to perform host-level backups of virtual machines. A protection group defines all of the details of the backup, including the Hyper-V configuration information, virtual machines, and other resources that you want to include in the backup data set. A protection group also defines the backup schedule, the backup retention range, the tape backup schedule (this is optional, but highly recommended), and recovery points.

Conclusion

Hyper-V, with its built-in support for the Volume Shadow Copy Service, allows you to use System Center DPM 2007 SP1 to implement a backup and recovery plan for your virtualization environment. If Integration Services are available for the virtual machine guest operating system and the Hyper-V Volume Shadow Copy driver is installed, DPM 2007 SP1 can perform a backup without significant service interruption (online backup). DPM 2007 SP1 also allows you to perform backups of virtual machines that do not support Integration Services by placing the virtual machine in saved state for the short period of time needed to create a shadow copy (offline backup). If you are interested in more details, including how to deploy System Center DPM 2007 SP1 protection agents, as well as how to configure storage pools and protection groups, take a look at my video posted on the VirtualizationAdmin.com site.

Posted in Windows 2008

SQL Server 2008 Reporting Services

Posted by Alin D on August 13, 2010

For many years, SQL Server did not have a good answer for creating attractive reports that summarize information in ways that make sense to business users. Finally, Microsoft shipped SQL Server Reporting Services. Like Notification Services, Reporting Services was originally an add-on for SQL Server 2000, and now it’s a part of the core product. In this chapter, you’ll learn how to use Reporting Services to produce your own reports.

SSRS 2008 Tutorial: The Reporting Services Architecture

Reporting Services has quite a few components that work together seamlessly to provide a complete reporting solution. The full Reporting Services architecture includes development tools, administration tools, and report viewers. There are a number of ways to get to Reporting Services programmatically, including URL, SOAP and WMI interfaces.

Figure 17-1 shows a simplified diagram of the main Reporting Services components that we’ll be using in this chapter.

Figure 17-1: Report Server architecture


In this chapter you’ll learn about these components:

  • Report Server is the core engine that drives Reporting Services.
  • Report Manager is a Web-based administrative interface for Reporting Services.
  • Report Designer is a developer tool for building complex reports.
  • Report Builder is a simplified end-user tool for building reports.
  • The Report Server database stores report definitions. Reports themselves can make use of data from many different data sources.

SSRS 2008 Tutorial: Using Report Designer

Reporting Services includes two tools for creating reports:

  • Report Designer can create reports of any complexity that Reporting Services supports, but requires you to understand the structure of your data and to be able to navigate the Visual Studio user interface.
  • Report Builder provides a simpler user interface for creating ad hoc reports, directed primarily at business users rather than developers. Report Builder requires a developer or administrator to set up a data model before end users can create reports.

We’ll start our tour of Reporting Services with Report Designer. Report Designer runs inside the Business Intelligence Development Studio shell, and offers several ways to create reports. You can either use the Report Wizard to quickly create a report, or you can use a set of design tools to build a report from scratch. You can also use the design tools to modify a report created with the wizard.

Using the Report Wizard

The easiest way to create a report in Report Designer is to use the Report Wizard. Like all wizards, the Report Wizard walks you through the process in step-by-step fashion. You can make the following choices in the wizard:

  • The data source to use
  • The query to use to retrieve data
  • Whether to use a tabular or matrix layout for the report
  • How to group the retrieved data
  • What visual style to use
  • Where to deploy the finished report

Try It!

To create a simple report using the Report Wizard, follow these steps:

  1. Launch Business Intelligence Development Studio.
  2. Select File > New > Project.
  3. Select the Business Intelligence Projects project type.
  4. Select the Report Server Project Wizard template.
  5. Name the new report ProductReport1 and pick a convenient location to save it in.
  6. Click OK.
  7. Read the first page of the Report Wizard and click Next.
  8. Name the new data source AdventureWorksDS.
  9. Click the Edit button.
  10. Log on to your test server.
  11. Select the AdventureWorks2008 database.
  12. Click OK.
  13. Click the Credentials button.
  14. Select Use Windows Authentication.
  15. Click OK.
  16. Check the Make This a Shared Data Source checkbox. This will make this particular data source available to other Reporting Services applications in the future.
  17. Click Next.
  18. Click the Query Builder button.
  19. If the full query designer interface does not display by default, click the query designer toolbar button at the far left end of the toolbar. Figure 17-2 shows the full query designer interface.

    Figure 17-2: Query Builder

  20. Click the Add Table toolbar button.
  21. Select the Product table and click Add.
  22. Click Close.
  23. Check the Name, ProductNumber, Color, and ListPrice columns.
  24. Click OK.
  25. Click Next.
  26. Select the Tabular layout and click Next.
  27. Move the Color column to the Group area, and the other three columns to the Detail area, as shown in Figure 17-3.

    Figure 17-3: Grouping columns in the report

  28. Click Next.
  29. Select the Stepped layout and click Next.
  30. Select the Ocean style and click Next.
  31. Accept the default deployment location and click Next.
  32. Name the report ProductReport1.
  33. Check the Preview Report checkbox.
  34. Click Finish.

Figure 17-4 shows the finished report, open in Report Designer.

Figure 17-4: Report created by the Report Wizard


Figure 17-4 shows the main features of Report Designer:

  • The Datasets window shows the data that is available to the report.
  • The main design window lets you view the report itself. You can see a preview of the report, work with the report in a layout designer, or work with the query that returns the data for the report.
  • The Solution Explorer, Output, and Properties windows are the standard Visual Studio windows.

Modifying a Report

Now that you’ve created a report with the Report Wizard, you can modify it with the Report Designer. If you’ve used any sort of visual report design tool in the past, you should have no problem making changes here. Among the possibilities here:

  • You can change the available data or the sort order for the report by modifying the query on the Data tab.
  • You can resize or rearrange controls on the Layout tab.
  • You can use the Properties window to change properties of individual controls including their font, alignment, colors, and so on.

Try It!

To modify the report that you just created, follow these steps:

  1. Click the Design tab to make the report editable.
  2. In the Report Data window, right-click on DataSet1 and select Dataset Properties.
  3. In the Dataset Properties window, click the Query Designer button.
  4. Select a Descending sort type for the ListPrice column and click OK.
  5. Click OK.
  6. Click in the textbox at the top of the report, where the report name is displayed.
  7. Click a second time in the textbox to put it in edit mode and change the value of this control to Products By Color.
  8. Click on the header for the Product column.
  9. Place the cursor between the column selectors above the Name and Product Number columns to display a double-headed arrow. Hold down the mouse button and drag the cursor to the right to widen the Name column.
  10. Place the cursor between the column selectors above the Product Number and ListPrice columns to display a double-headed arrow. Hold down the mouse button and drag the cursor to the right to widen the Product Number column.
  11. Click on the Preview tab to view the modified report, as shown in Figure 17-5.

    Figure 17-5: Modified product report

Designing a Report From Scratch

You can also use Report Designer to build your own reports starting from scratch. In general, you’ll follow these steps to create a report:

  1. Create a Report project in Business Intelligence Development Studio or open an existing Report project.
  2. Add a report to the project.
  3. Create one or more datasets for the report.
  4. Build the report layout.

Try It!

To create a fresh report in Report Designer, follow these steps:

  1. Select File > New > Project.
  2. Select the Business Intelligence Projects project type.
  3. Select the Report Server Project template.
  4. Name the new report ProductReport2 and pick a convenient location to save it in.
  5. Right-click on the Reports node in Solution Explorer and select Add > New Item.
  6. Select the Report template.
  7. Name the new report ProductReport2.rdl and click Add.
  8. In the Report Data window, select New > Data Source.
  9. Name the new Data Source AdventureWorksDS.
  10. Select the Embedded Connection option and click on the Edit button.
  11. Connect to your test server and choose the AdventureWorks2008 database.
  12. Click OK.
  13. Click OK again to create the data source.
  14. In the Report Data window, select New > Dataset.
  15. Name the dataset dsLocation.
  16. Click the Query Designer button.
  17. If the full Query Designer does not appear, click on the Edit As Text button.
  18. Click the Add Table button.
  19. Select the Location table.
  20. Click Add.
  21. Click Close.
  22. Check the boxes for the Name and CostRate columns.
  23. Sort the dataset in ascending order by Name and click OK.
  24. Click OK again to create the dataset.
  25. Open the toolbox window (View > Toolbox).
  26. Double-click the Table control.
  27. Switch back to the Report Data window.
  28. Expand the dataset to show the column names.
  29. Drag the Name field and drop it in the first column of the table control on the design tab.
  30. Drag the CostRate field from the Report Data window and drop it in the second column of the table control.
  31. Place the cursor between the column selectors above the Name and CostRate columns to display a double-headed arrow. Hold down the mouse button and drag the cursor to the right to widen the Name column.
  32. Figure 17-6 shows the report in Design view.

    Figure 17-6: Designing a report from scratch

  33. Select the Preview tab to see the report with data.

SSRS 2008 Tutorial: Publishing a Report

Creating reports in Business Intelligence Development Studio is good for developers, but it doesn’t help users at all. In order for the reports you build to be available to others, you must publish them to your Reporting Services server. To publish a report, you can use the Build and Deploy menu items in Business Intelligence Development Studio. Before you do this, you need to check the project’s configuration to make sure that you’ve selected an appropriate server for the deployment.

Try It!

You can publish any report, but the first report you created is probably more visually interesting at this point. To publish the first report, follow these steps:

  1. Select File > Recent Projects and choose your ProductReport1 project.
  2. Select Project > ProductReport1 Properties.
  3. Click the Configuration Manager button.
  4. Fill in the Target Server URL for your Report Server. If you’re developing on the same computer where Reporting Services is installed, and you installed in the default configuration, this will be http://localhost/ReportServer. Figure 17-7 shows the completed Property Pages.

    Figure 17-7: Setting the active configuration

  5. Click OK.
  6. Select Build > Deploy ProductReport1. The Output Window will track the progress of BIDS in deploying your report, as shown in Figure 17-8. Depending on the speed of your computer, building the report may take some time.

    Figure 17-8: Setting report project properties

  7. Launch a web browser and enter the address http://localhost/reports.
  8. It may take several minutes for the web page to display; Reporting Services goes to sleep when it hasn’t been used for a while and can take a while to spin up to speed. Figure 17-9 shows the result.

    Figure 17-9: Deploying a report

  9. Click the link for the ProductReport1 folder.
  10. Click the link for the ProductReport1 report.

SSRS 2008 Tutorial: Using Report Builder

Report Designer gives you one way to create reports for Reporting Services, but it’s not the only way. SQL Server 2005 also includes a tool directed at end users named Report Builder. Unlike Report Designer, which is aimed at developers, Report Builder presents a simplified view of the report-building process and is intended for business analysts and other end users.

Building a Data Model

Report Builder doesn’t let end users explore all of a SQL Server database. Instead, it depends on a data model: a preselected group of tables and relationships that a developer has identified as suitable for end-user reporting. To build a data model, you use Business Intelligence Development Studio. Data models contain three things:

  • Data Sources connect the data model to actual data.
  • Data Source Views draw data from data sources.
  • Report Models contain entities that end users can use on reports.

Try It!

To create a data model, follow these steps:

  1. If it’s not already open, launch Business Intelligence Development Studio.
  2. Select File > New > Project.
  3. Select the Business Intelligence Projects project type.
  4. Select the Report Model Project template.
  5. Name the new project AWSales and save it in a convenient location.
  6. Click OK.
  7. Right-click on Data Sources in Solution Explorer and select Add New Data Source.
  8. Read the first page of the Add New Data Source Wizard and click Next.
  9. Click New.
  10. In the Connection Manager dialog box connect to the AdventureWorks2008 database on your test server and click OK.
  11. Click Next.
  12. Name the new data source AdventureWorks and click Finish.
  13. Right-click on Data Source Views in Solution Explorer and select Add New Data Source View.
  14. Read the first page of the Add New Data Source View Wizard and click Next.
  15. Select the AdventureWorks data source and click Next.
  16. Select the Product(Production) table and click the > button to move it to the Included Objects listbox.
  17. Select the SalesOrderDetail(Sales) table and click the > button to move it to the Included Objects listbox.
  18. Click the Add Related Tables button.
  19. Click Next.
  20. Click Finish.
  21. Right-click on Report Models in Solution Explorer and select Add New Report Model.
  22. Read the first page of the Report Model Wizard and click Next.
  23. Select the Adventure Works2008 data source view and click Next.
  24. Keep the default rules selection, as shown in Figure 17-10, and click Next.

    Figure 17-10: Creating entities for end-user reporting

  25. Choose the Update Statistics option and click Next.
  26. Click Run to complete the wizard.
  27. Click Finish. If you get a warning that a file was modified outside the source editor, click Yes.
  28. Select Build > Deploy AWSales to deploy the report model to the local Reporting Services server.

Building a Report

Report Builder itself is a ClickOnce Windows Forms application. That means that it’s a Windows application that end users launch from their web browser, but it never gets installed on their computer, so they don’t need any local administrator rights on their computer to run it. To get started with Report Builder, browse to your Reporting Services home page. Typically, this will have a URL such as http://ServerName/Reports (or http://localhost/Reports if you’re running the browser on the same box with SQL Server 2008 itself). Figure 17-11 shows the Reporting Services home page.

Figure 17-11: Reporting Services home page


To run Report Builder, click the Report Builder link in the home page menu bar. Report Builder will automatically load up all of the available report models and wait for you to choose one to build a report from.

Try It!

  1. Open a browser window and navigate to http://localhost/Reports (or to the appropriate Report Server URL if you’re not working on the report server).
  2. Click the Report Builder link.
  3. Depending on your operating system, you may have to confirm that you want to run the application.
  4. After Report Builder is loaded, select the AdventureWorks2008 report model and the table report layout. Click OK. Figure 17-12 shows the new blank report that Report Builder will create.

    Figure 17-12: New report in Report Builder

    The Explorer window to the left of the design surface shows all of the tables in the report model. Beneath that, the Fields window shows the attributes in the currently-selected entity. Note that not everything in this window is a column in the table: the report model also contains aggregate entities such as Total Safety Stock Level and automatically calculated fields.
  5. Select the Product table.
  6. Drag the Name field and drop it in the area labeled Drag and Drop Column Fields.
  7. Click on Special Offer Products in the Explorer window to show related child tables.
  8. Click on Sales Order Details.
  9. Drag the Total Order Qty field and drop it to the right of the Name field.
  10. Click where it says Click to Add Title and type Product Sales.
  11. Click the Run Report button to produce the report shown in Figure 17-13.

    Figure 17-13: Report in Report Builder

  12. Click the Sort and Group toolbar button.
  13. Select to sort by Total Order Qty descending.
  14. Click OK.
  15. Select File > Save.
  16. Name the new report Product Sales.
  17. Click Save. This will publish the report back to the Reporting Services server that you originally downloaded Report Builder from.

SSRS 2008 Tutorial: Using Report Manager

The Web home page for Reporting Services provides a complete interface for managing reports (as well as other objects such as data sources and models) after they are created. This interface, known as Report Manager, is intended primarily for database administrators, but as a developer you should know about its capabilities for managing and modifying reports.

When you click on a report in Report Manager, you’ll see the report’s data, as shown in Figure 17-14.

Figure 17-14: Report in Report Manager


Note that reports in Report Manager open in a tabbed interface. The four tabs allow you to perform various functions:

  • View allows you to see the current data in the report.
  • Properties lets you adjust such things as the report’s name, data source, security credentials, caching, and end-user security.
  • History shows you saved snapshots of the report.
  • Subscriptions lets you create subscriptions to the report. Subscriptions allow you to set up periodic delivery of reports to end users by e-mail or file share.

Printing and Exporting Reports

When viewing reports in the Report Manager, users can print the reports directly from their browser. The print button in the report toolbar utilizes an ActiveX control for client-side printing. The first time this button is clicked on a given computer, the user is prompted to install the ActiveX control, as in Figure 17-15. After that, the standard Windows print dialog box is displayed for the user to select a printer and paper size, etc.

Figure 17-15: ActiveX install prompt.


Users can also export the report into any of several handy formats. Table 17-1 lists the available export formats.

Export Format   Handles
XML             Creates a data file in XML format.
CSV             Creates a comma-delimited text file of report data.
PDF             Creates an Adobe Acrobat file with the formatted report.
MHTML           Creates a Web Archive file with the formatted report.
EXCEL           Creates a MS Excel spreadsheet with the formatted report.
TIFF            Creates a TIFF graphic of the formatted report.
Word            Creates a MS Word document with the formatted report.

Table 17-1: Export Formats
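The same export formats are available without a browser through the URL access interface mentioned in the architecture section. The following PowerShell is an added example, not part of the original tutorial: the function name Export-SsrsReport is hypothetical, and it assumes the ProductReport1 report deployed earlier, the default http://localhost/ReportServer URL, and a Windows account that is allowed to view the report.

```powershell
# Added example: export a deployed report through Report Server URL access,
# authenticating with the caller's Windows credentials so that no password
# is stored in the script.
# Assumptions: Export-SsrsReport is a hypothetical name; the server URL and
# report path are the ones used earlier in this tutorial.

# Export format from Table 17-1 -> rs:Format value and file extension.
# TIFF output is produced by the rendering extension named IMAGE.
$SsrsFormats = @{
    'XML'   = @('XML',   'xml')
    'CSV'   = @('CSV',   'csv')
    'PDF'   = @('PDF',   'pdf')
    'MHTML' = @('MHTML', 'mhtml')
    'EXCEL' = @('EXCEL', 'xls')
    'TIFF'  = @('IMAGE', 'tif')
    'Word'  = @('WORD',  'doc')
}

function Export-SsrsReport {
    param(
        [string]$ReportServerUrl = 'http://localhost/ReportServer',
        [string]$ReportPath      = '/ProductReport1/ProductReport1',
        [string]$Format          = 'PDF',
        [string]$OutputDirectory = (Get-Location).Path
    )

    if (-not $SsrsFormats.ContainsKey($Format)) {
        $valid = ($SsrsFormats.Keys | Sort-Object) -join ', '
        throw "Unsupported format '$Format'. Use one of: $valid"
    }
    $rsFormat, $extension = $SsrsFormats[$Format]

    # Encode each path segment so names with spaces ("Product Sales") work.
    $encodedPath = ($ReportPath -split '/' |
        ForEach-Object { [Uri]::EscapeDataString($_) }) -join '/'

    # URL access syntax: <server>?<report path>&rs:Command=Render&rs:Format=<name>
    $url = '{0}?{1}&rs:Command=Render&rs:Format={2}' -f `
        $ReportServerUrl.TrimEnd('/'), $encodedPath, $rsFormat

    $fileName = '{0}.{1}' -f ($ReportPath -split '/')[-1], $extension
    $outFile  = Join-Path $OutputDirectory $fileName

    $client = New-Object System.Net.WebClient
    $client.UseDefaultCredentials = $true   # integrated Windows authentication
    try {
        $client.DownloadFile($url, $outFile)
    }
    finally {
        $client.Dispose()
    }

    Get-Item $outFile
}

# Render the wizard-built report as PDF and as a TIFF image.
Export-SsrsReport -Format PDF
Export-SsrsReport -Format TIFF
```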

SSRS 2008 Tutorial: Exercises

Use Report Builder to create a report from the AdventureWorks2008 data model showing the minimum and maximum order quantity for orders taken by each salesperson in the company. You’ll find the necessary data in the SalesOrderHeader and SalesOrderDetail tables.

Solutions to Exercises

  1. Open a browser window and navigate to http://localhost/Reports (or to the appropriate Report Server URL if you’re not working on the report server).
  2. Click the Report Builder link.
  3. Select the AdventureWorks2008 report model and the table report layout.
  4. Click OK.
  5. Select the Sales Order Header table.
  6. Drag the Sales Person ID field and drop it in the area labeled Drag and Drop Column Fields.
  7. Click on Sales Order Details in the Explorer window.
  8. Expand the Total Order Qty field in the Fields window to show the alternative fields beneath it.
  9. Drag the Min Order Qty field and drop it to the right of the Name field.
  10. Drag the Max Order Qty field and drop it to the right of the Min Order Qty field.
  11. Click where it says Click to Add Title and type Sales Performance.
  12. Click the Run Report button to produce the report shown in Figure 17-15.

Figure 17-15: Sales performance report


Posted in SQL