VMware Cloud Community
atom_acres
Enthusiast
Enthusiast

Windows Server templates best practices - sysprep vs. custom specs and handling default profiles

I am not finding much information on this so I am posting in here...

What are the best practices / guidelines for making windows server templates in vSphere 5.1 and higher? I know in the past everyone would just sysprep the template and be done with it. Correct me if I am wrong, but the custom specs should be a viable replacement for syspreping as it does the sysprep for you along with several other settings. The problem I am running into is creating a default user profile on the server for when we (the server admins) log into the server with our admin accounts. There doesn't seem to be any good solution other than using sysprep. I am trying to get away from it because I have came across some other posts where people had issues when using custom specs against a sysprepped template - and like I already stated, custom specs syspreps for you.

In this article, the author lists a couple options but states the only Microsoft supported option is to use sysprep. Does VMware have a stance on this? I assume they would prefer we use custom specs but what can we do to create a default user profile? Being that it is dealing with Windows profiles I am thinking we are going to be stuck with the MS solution - which stinks.

Reply
0 Kudos
6 Replies
atom_acres
Enthusiast
Enthusiast

I see this is a hot topic...

How about more simply put:

What are the guidelines/best practices for creating a master or golden template in vCenter for Windows? (please do not link me to something older than 2013)

Is it recommended or supported to sysprep a template AND use custom specs?

Reply
0 Kudos
aneverov
VMware Employee
VMware Employee

Hi,

I would say that using sysprep *is* the way to go. As you correctly stated, that's what Microsoft requires as well.

We try to address all the sysprep issues we hear from the customers by applying certain workarounds inside the Guest Customization engine where sysprep fails to do something. E.g. we have a "fix" for many versions of Windows where sysprep fails to clear static IPv4/IPv6.

Besides those nasty nits which we can fix, the major issues I've heard about were related to the Rearm counts. Basically, Microsoft enforces a restriction which only allows to run sysprep's /generalize only up to 3 times (for KMS keys - 1 time). Which means that it's really a bad idea to come up with a workflow where something gets customized, turned into a template and customized again and again without carefully managing the Rearms count. Our current vision is that in such cases the best practice would be to use KMS (supported on Vista+). KMS resets Rearms count to 1 each time it's activated. Which means that the template can be customized one more time. Such activation could be invoked using the RunOnce commands or in some other way inside the template itself.

And yes - you can use the "custom specs". Those don't do anything magical. It's just a way to "save" a set of the customization parameters to be applied later.

Hope that helps.

Thanks,

Andrii

/* Please remember to mark answer as 'helpful' or 'correct' such that other users know it can be used and people focusing on ‘unanswered’ questions can skip it. */
atom_acres
Enthusiast
Enthusiast

Thank you for the reply!


Am I OK to only use custom specs if I prefer to not run sysprep manually? My latest template I did this way and everything appears to work as expected. The *only* thing I could not get around (without cheating) was setting up the default profile.

Reply
0 Kudos
aneverov
VMware Employee
VMware Employee

Hi,

Actually, for Vista+, "change SID" is the mandatory option - we don't support not running sysprep (at least not in vCenter - another product called vCloud Director can do that, although I'm not sure what does it mean in terms of Microsoft support). You will get an error. It is only supported for XP/2003.

For the "default profile" issue, I encourage you to log an SR with the detailed description of what you're trying to achieve and we'll try to do something about it in the future releases.

Thanks,

Andrii

/* Please remember to mark answer as 'helpful' or 'correct' such that other users know it can be used and people focusing on ‘unanswered’ questions can skip it. */
Reply
0 Kudos
atom_acres
Enthusiast
Enthusiast

Just to clarify I am creating templates for Server 2008 R2, Server 2012, and Server 2012 R2.

I always check "Generate New Security ID (SID)".

I will log a support request / feature request.

Thanks again!

Reply
0 Kudos
aneverov
VMware Employee
VMware Employee

Yes, that means that sysprep will run with /generalize which regenerates the SID. If you uncheck it, you'll get an error for any of those versions of Windows.

Best Regards,

Andrii

/* Please remember to mark answer as 'helpful' or 'correct' such that other users know it can be used and people focusing on ‘unanswered’ questions can skip it. */
Reply
0 Kudos