Mark Minasi's Windows Networking Tech Page
My Three-Day Server 2012/2012R2 Class is Running in California at a Great Price!MISAC, a nonprofit group of IT pros who work in support roles for cities throughout California, have hired me to do my in-depth three-day Server 2012/2012R2 class in three cities in California. The class normally runs $1600 per student, but they're offering it to their members for $799/student. Now, I've unfortunately been too busy to put together a public seminar calendar for 2014 yet -- apologies -- so I asked them if they'd be interested in opening their enrollment to the public at large, and they kindly agreed. They're offering seats for non-MISAC members for $999, a $601 discount. The first class runs next Tuesday-Thursday (25-27 February 2014) in Petaluma, followed by a session in March at Diamond Bar (25-27 March 2014) and then in April in Encinitas (22-24 April 2014). Anyone's welcome, and you'd register with MISAC on their Web site, not me. Find out more here: http://www.misac.org/
Vista is the most secure Windows that Microsoft has released, so there's lots of new stuff to learn, and much of it is good news for anyone looking to keep the bad guys away. But while it is good news, and we all say we want security, facing new security technologies sometimes means having to learn to do familiar tasks differently, which can be a pain. In some cases, it can be enough of a pain to cause someone to choose to deploy Vista later, and that'd be a shame; hence my new book. Administering Windows Vista Security: The Big Surprises focuses on the eight new Vista security technologies that I feel are pretty good when understood, but that could either scare away the casual evaluator or that are so subtle but nonetheless important that they might not be noticed. (And at 266 pages, it's a quick read.)
Find out more and read a sample chapter at www.minasi.com/vistsecbook.
Those of you who've heard me talk about Vista's BitLocker feature will know that I've been grumbling that Microsoft has omitted a central aspect to making BitLocker useful for enterprises: the part that lets techies store their BitLocker recovery passwords in Active Directory. But this week brought good news. Go to www.microsoft.com/downloads and search for "Bitlocker" and you'll find "BitLocker AD Guide." The puzzle piece has arrived!
By Rhonda Layfield, co-author, Mastering Windows Server 2003 Upgrade Edition for R2 and SP1
Anyone who's got to get Microsoft's new desktop OS, Vista onto a desktop is — or should be — looking into MS's new deployment tools as well. Of course, you probably already knew that, as it seems like every IT magazine I pick up has at least one article if not more on Vista's new deployment tools like ImageX, Windows Deployment Service (WDS) server (the new RIS), Windows Pre-Installation Boot Environment (WinPE), and Windows System Image Manager (WSIM).
As a Windows techie, that all sounded like big news and — even better — new toys, so I started to look into it, only to find mountains of white papers and a bunch of tools that whose documentation was, well, a bit uneven, if you know what I mean. Lacking a roadmap to Deploymentville, I figured I'd begin at the beginning or, rather, begin at the boot — the boot OS, that is. The process of putting an operating system on a computer has always suffered from a chicken-and-egg problem in that you can't run a Setup program on a bare-metal computer without an operating system, but the whole point of that Setup program is get the OS on the machine in the first place. For years, many of us have had to cobble together DOS boot floppies to get the whole Setup-over-a-network or apply-a-Ghost-image process rolling. I suspect you'll empathize when I say that putting those floppies together ranks up in the list of things I love doing somewhere below root canals. Therein lies one of Vista's unalloyed benefits: WinPE. In this newsletter, I want to explain to you what it is, where to get it, how to add an extra program to it and how to install new network drivers on it — something that I discovered that I had to learn before I could get WinPE to run on VMWare!
WinPE 2.0 is a scaled-down version of the Vista kernel that you could think of it as "Vista Junior." (If WinPE's not new to you, then you're probably a big Microsoft customer; volume license folks have been able to play with WinPE 1.x since XP days.) As an OS, WinPE has limited functionality, but you can do things like partition and format hard drives. It also contains a small set of utilities, things like netstat, ping, ipconfig, and chkdsk to name a few, and let's not forget one of Mark's favorites, netsh. WinPE is a simple OS, but it's the basis of most deployment scenarios as well as the platform for many recovery tools. Interested? Then let's get started.
First, you'll need a "technician machine," Microsoft's name for a system that can create WinPE images. A machine running Vista, XP SP2 or Server 2003 SP1/R2 will work just fine. You will need to install the Windows Automated Installation Kit (WAIK) or the Business Desktop Development tool (BDD 2007), both of which are free downloads from Microsoft. The BDD is really just a shell for Vista's new deployment tools, so if you choose to go with the BDD then you will still have to download the WAIK as a component of the BDD. There has been some talk about making the WAIK available only as a component to the BDD. As of Dec 26th I could still download the WAIK as a separate tool, but I can't guarantee that by the time you read this the that WAIK will still be available as an independent tool. Regardless of whether you choose to use the BDD or WAIK, you will need to ensure that the .NET Framework 2.0 and MSXML 6.0 are installed on your technician machine (both can be found in either the BDD or the WAIK) if that technician machine is XP or 2003. No need to add those to a Vista machine, as they're built into it.
You can find the WAIK at www.microsoft.com/downloads. Search "Windows AIK Windows 7" and it should be the first hit, but when I last updated this page (31 May 2010), the download offered a file named "KB3AIK_en.iso" that was 1,789,542,400 bytes. To use it, just burn the file to a DVD (it won't fit on a CD) using whatever burning software you like. (If you're running Windows 7, just right-click it and you'll see that Windows 7 includes an ISO burning ability built right in. If you're not running Win 7 and don't have any CD/DVD burning software, then you can either use the CDBURN or DVDBURN software in the 2003 Resource Kit, or Google "ISO Recorder" to find a very nice, free ISO burner for 2000 and later.) Once burned, use that DVD to install the WAIK on an XP SP3 or later system.
Important note: when WAIK's setup program asks where to install the WAIK, do not use the default. Instead, have the setup program put it in c:\waik. That'll make typing some command lines a whole lot easier than if you install the WAIK into Program Files!
Once the WAIK's installed, then open the Windows PE Tools Command Prompt by clicking on Start -> All Programs -> Microsoft Windows AIK -> Windows PE Tools Command Prompt. If you're running this from Vista, then be sure to elevate the command prompt -- don't click it, right-click it and choose "Run as administrator." Why not just use the Windows command prompt? Choosing Windows PE Tools Command Prompt ensures that your PATH environment variable points to everything that you'll need to create a WinPE image: some apps we'll soon meet named copype.cmd, imagex.exe, peimg.exe and oscdimg.exe. All commands must be typed in this command prompt.
Next, you'll create your WinPE build environment in a new folder. Type the following command in your Windows PE Tools Command Prompt:
copype architecture (x86, ia64 or amd64) C:\foldernameFor example, to create a WinPE build environment for an x86 machine into a folder named WinPE, type the following:
copype x86 C:\WinPE
Your new WinPE build environment will contain the following three folders:
oscdimg -n -h -betfsboot.com iso winpe.iso
That created the file "c:\winpe\winpe.iso," which is a standard ISO that'll fit easily on a CD. Burn it to a CD and boot it on a computer with at least 256 MB of RAM, and you'll see a screen like this one:
[Summer 2008 Update: if you download the 9 April 2008 WAIK -- the most recent one -- then you'll see a gray background rather than the blue-green one. Don't worry about it, it's a slighter newer "WinPE 2.1" with a more boring bit of wallpaper.]
Look familiar? It kind of looks like a Vista desktop with just a command prompt window. But there's no Start menu, no taskbar, and pretty much no GUI. (Regedit does work, though, and it's sort of GUI-ish.) That's the main barrier to using WinPE — you've got to be somewhat comfortable with the command prompt to get anything done in WinPE. Nevertheless, it's a nice basic OS for doing a lot of things.
Now, in my case, I didn't have an extra machine around to try my WinPE on, so I ran it in a VMWare Workstation 5.3.3 virtual machine.
Important note: if you do this, then create the virtual machine of type "Windows Vista (experimental)." Choosing Windows 2000, "other," or something else will get you a virtual machine with a virtual NIC that Windows PE doesn't have drivers for and can't get drivers for — so you'll never get it to network.
It booted up fine — that's where the screen shot came from — but when I immediately checked my network status by typing ipconfig, I got a result of just "Windows IP Configuration" and no NICs. A quick try of the WinPE CD on my notebook yielded an ipconfig output that had NICs, so clearly I was facing a driver problem. VMWare's virtual machines have virtual NICs, and those NICs don't reflect any actual NICs; instead, they run an imaginary NIC called a "vmxnet" NIC. Installing VMWare Tools on a virtual Vista, XP or other Windows machine results in a folder c:\program files\vmware\vmware tools\drivers\vmxnet on that virtual machine that contain the drivers for this imaginary vmxnet NIC... but how to get WinPE to recognize those drivers, particularly as trying to install VMWare Tools on a WinPE VM failed?
And while we're modifying our WinPE image, let's add a program to it. The WAIK includes a tool named imagex.exe that is fundamental to most WinPE-related deployment scenarios, so I was a bit puzzled that imagex.exe wasn't already installed on the basic WinPE, but it wasn't, so let's also see how to add imagex.exe to WinPE.Now, when we created that first WinPE ISO, we just built it out from the default configuration supplied from the WAIK. To add things to that configuration and create a new WinPE image, we'll have to learn a few skills:
A look in the c:\winpe folder shows a large file called "winpe.wim." That single file is of a new type called a "Windows image" file, which as you can see has the extension .wim. WIM files are sort of Microsoft's answer to Ghost files, a method of capturing and storing an entire OS image to a single file, which can be deployed with a number of tools. The winpe.wim image that the WAIK supplies is the all-in-one-file version of the WinPE CD that you've already built. To change that image, though, we'll need to "unlock" it and expose the files inside of it. The imagex.exe program that I mentioned earlier will let us do that by letting us "mount" the image to a folder. Notice that the c:\winpe folder contains a folder called "mount;" it's empty and should stay empty. Its only job is to provide a kind of "alias" that lets us look into the winpe.wim image through the c:\mount folder. That'll be a bit clearer once we do it.
Return to your technician machine and the Windows PE Command Prompt, which should be at c:\winpe; if not, then cd \winpe to get there. Mount winpe.wim to the mount folder by typing
imagex /mountrw winpe.wim 1 mount
Note that if you didn't start your command prompt by clicking "Windows PE Command Prompt," then you'd have to type the path of imagex, and the command would be
c:\waik\tools\x86\imagex /mountrw winpe.wim 1 mount
ImageX is a topic for another day, but briefly here's what you've typed. "/mountrw" is the switch used to mount the winpe.wim file in a read/write format — if you forget to add the rw to the end of the mount statement, you won't be able to edit the image file. The winpe.wim is the .wim file you would like to mount. The number 1 is the image index number. The image index number is important because Microsoft's new imaging technology allows you to store multiple images in a single .wim file. The index number identifies the image within the .wim file that you want to work with. The default winpe.wim only has one index but you still need to include the number 1 in the mount command or it won't work. To find out how many images a .wim contains, type the following:
imagex /info c:\winpe\winpe.wim
Your available image choices will be listed, <IMAGE INDEX=1> is the image we are working with in this example. Finally, mount is the folder you are going to mount your winpe.wim image to.
Assuming that all went well, try looking in the c:\winpe\mount folder. What was once empty now has folders named Users, Windows and more but, again, they aren't really in the mount folder — imagex just lets us essentially put on "WIM goggles" and see inside winpe.wim through the mount folder. Now that winpe.wim's mounted, we can use a few tools to add things to the winpe.wim image so that we can then make and ISO and a boot CD of that image.
WAIK lets you load any add-ons called "packages" that provide additional functionality. More specifically, if you would like to include support for running HTML, WMI, XML or WSH scripts, you will need to add one or more of the available packages. There are 15 packages by default to choose from. To view the list of packages type the following:
peimg /list /image=c:\winpe\mount
You will see a listing of packages that look like this:
To add a package, say the XML parser support package (so you can run XML scripts in your WinPE) you would type the following:
peimg /install=WinPE-XML-Package C:\WinPE\mount\windows
OR you can use wildcards (*) for less typing:
peimg /install=*XML* C:\WinPE\mount\windows
To confirm that your package has been added to your winpe.wim, run the “peimg /list /image=c:\winpe\mount” command again, the packages you added should have a + sign in the Ins column, like this:
We're ready now to add those vmxnet drivers to our WinPE image. First, you'll need to get the drivers; here's how. Create a new virtual Vista machine from the Vista product DVD using VMWare Workstation 5.5.3. By default your virtual Vista machine will not have networking, but installing the VMWare tools into your virtual Vista machine will load network drivers, so go ahead and install the VMWare tools (from the VMWare menu click on VM and then choose "Install VMware Tools"). Now, after installing the VMware tools you should have networking on your virtual Vista machine, you can check this by typing /ipconfig at a command prompt -- if you have an IP address, you have networking. Next, from the virtual Vista machine that you just installed the VMware tools on, copy the entire contents of the C:\Program Files\VMWare\VMWare Tools\Drivers\vmxnet folder to a folder named C:\Drivers on your technician machine. To inject the VMware network drivers into your winpe.wim type the following two commands in your Windows PE Tools Command Prompt:
peimg /inf=c:\drivers\vmxnet.inf c:\winpe\mount\windows
peimg /inf=c:\drivers\vmware-nic.inf c:\winpe\mount\windows
OR, remember that wildcards (*) work, so typing the following works as well:
peimg /inf=c:\drivers\vm*.inf c:\winpe\mount\windows or peimg /inf=c:\drivers\vm*.* c:\winpe\mount\windows
As I suggested earlier, we'll want imagex.exe on our WinPE image. That's because imagex is a powerful command line tool that allows you to capture and apply images and, again, for some reason imagex is not included in a WinPE by default (which is why we have to add it).
As for getting imagex.exe into your WinPE, a simple copy is all that's needed. Imagex.exe is installed by default when you install the Windows AIK. You could choose to use Windows Explorer and browse to image.exe by launching Windows Explorer and expanding c:\waik\tools, where you'll see folders named x86, amd64 and ia64 -- there's an imagex for standard 32-bit systems, x64 systems, and Itanium systems. We'll copy the x86 version with this command:
Copy C:\WAIK\Tools\x86\imagex.exe c:\winpe\mount\windows\system32
That just copied the file to the system32 folder of our winpe.wim image, where it'll always be on the path and easily available from the command line.
Now that we've finished our changes, let's save them to our winpe.wim by typing:
imagex /unmount c:\winpe\mount /commit
The /commit switch saves your changes. If you forget to type the /commit, your changes will not be saved.
Now our changes are in the winpe.wim file, as a look at its "last modified" date and time will confirm. But don't re-type the oscdimg command that we did before — there's another step we've got to do to see that winpe.wim's image end up as an ISO. The oscdimg command that we did before said to take the files in the folder named "ISO" and assemble them into an ISO file. A look inside the ISO folder shows that there's a folder named "Sources" and, inside that, a large file named boot.wim. That is the WIM that is the WinPE image we'll create, not winpe.wim, so we need to overwrite that boot.wim with our customized winpe.wim to get our desired image on that ISO. Do that by typing
xcopy c:\winpe\winpe.wim c:\winpe\iso\sources\boot.wim /y
Now we're ready to make our final customized ISO! Type the following:oscdimg -n -h -bc:\winpe\etfsboot.com c:\winpe\iso c:\winpe\winpe.iso
The oscdimg.exe is the command line utility that tells etfsboot.com to look in the c:\winpe\iso folder for a file named boot.wim, when found convert the boot.wim to an ISO named winpe.iso, and put it in the WinPE folder. The -n option allows for long file names and the -b option makes it bootable or El-Torito compliant. If you are creating a bootable ISO for a ia64 architecture, replace etfsboot.com with efisys.bin. -h says to write any hidden files or folders.
You now have a bootable WinPE ISO called winpe.iso. Burn that to a CD, fire it up and you'll see that ipconfig yields good news, and the imagex command works. Congratulations, you've built your first custom WinPE system! You'll could now choose to connect to a server that has a Vista installation image using the net use V: \\servername\sharename command and download a Vista installation image, repartion the system's drive — WinPE is running now from a RAM disk and you can remove the CD if you like without crashing the system — or do any of a number of things. You've completed the first real task in building your deployment toolkit!
I hope you have found these step-by-steps useful and if you have any questions or comments on the WinPE information provided, please email Rhonda Layfield at Rhonda@Minasi.com.
I'm keeping busy doing Vista seminars and writing, but I've still got time to visit your firm. In just two days, I'll make your current NT techies into Vista, security, XP, Active Directory or 2003 experts. (And better yet they won't have to sit through any Redmondian propaganda.) To join the large educational, pharmaceutical, agricultural, aerospace, utility, banking, government, telecommunication, law enforcement, publishing, transportation, military and other organizations that I've assisted, either take a peek at the course outlines at www.minasi.com/presentations.htm, mail our assistant Jean Snead at Assistant@Minasi.com, or call her at (757) 426-1431 (only between noon-5 Eastern time, weekdays, please).
Have a quiet and safe month.
Please share this newsletter; I hope that it is a useful source of NT/2000/2003/XP information. Please forward it to any associates who might find it helpful, and accept my thanks. We are now at over 40,000 subscribers and I hope to use this to get information to every single Mastering 2003, XP, NT and 2000 Server reader. Thanks for letting me visit with you, and take care. Many, many thanks to the readers who have mailed me to offer suggestions, errata, and those kind reviews. As always, I'm at http://www.minasi.com/gethelp and please join us at the Forum with technical questions at www.minasi.com/forum.
To subscribe, visit http://www.minasi.com/nwsreg.htm. To change e-mail or other info, link to http://www.minasi.com/edit-newsletter-record.htm. To unsubscribe, link to http://www.minasi.com/unsubs.htm. Visit the Archives at http://www.minasi.com/archive.htm. Please do not reply to this mail; for comments, please link to http://www.minasi.com/gethelp.
All contents copyright 2006 Mark Minasi. You are encouraged to quote this material, SO LONG as you include this entire document; thanks.