Wednesday, November 29, 2006

Automated Deployment Services

I recently have had the opportunity to learn and use Microsoft Automated Deployment Services package in my environment. Let me say that I have beat my head against a wall countless times trying to learn all the nuances involved with it. Over the past month or so I have setup a master image using Sysprep and have used ADS to deploy the image to Dell's new PoweEdge model (2950).

Some of the issues I ran into were getting Sysprep's .inf file configured correctly with the latest mass storage drivers, getting the drivers loaded into the ADS Controller repository (located in C:\Program Files\Microsoft ADS\nbs\repository\User\PreSystem directory) so that ADS will be able to image the server and making a working .XML file that is used to tell ADS what image to use and what variables to define.

Order of operations is something like this:

- Create master image (do not add to domain and do not set admin password)
- Sysprep master image (use deployment tools - get latest version of the .cab from MS website)
- Boot freshly sysprepped image to the Deployment Agent (using ADS after taking control of the end machine)
- Capture image using modified sample .XML task sequence
- Create and customize new .XML task sequence for deploying image
- Test new image by deploying your captured image to test machine using the ADS Controller

Make sure you include all drivers needed when preparing your master image prior to capturing. You WILL NOT be able to add the drivers to the image later contrary to popular belief. Also keep in mind you might need to edit the .inf driver files (ex: oemsetup.inf) in your ADS Controller repository if you are using multiple images for multiple Mass Storage Drivers.

I found an EXCELLENT article from Microsoft that should answer any other questions anyone might have. Click HERE

Have a good one!!

Tuesday, November 21, 2006


Posts are going to be slow this week due to the holiday. I'm working on an overview of using Sysprep and Automated Deployment Services to deploy images on a domain, so hopefully I will have it finished next week for those interested.

Friday, November 17, 2006

My Take on Battlefield 2142

Per request i'm gonna post something a little different today, but it's my dang blog and I'll post what I want dangit. First let me say that I love games, PC games for that matter, specifically shoot-em-ups ever since I got my grubby mitts on a shareware copy of Doom back in the old days. More recently in the MMO genre I got started with WWII-Online. Lovely gameplay but me being the graphics geek I am got hold of a copy of Battlefield 1942 soon as it came out and loved it. Oh and that silly little game that didn't make any money called World of Warcraft.... I could ramble on and on about those games but onto the meat of the post.

Got a chance to play the demo of BF2142 the other day and being the Battletech/Mechwarrior geek that I am when I jumped in a game ready to put some holes in anything red on my radar, something caught my eye. A 'Mech' as I call it was sitting there at my spawn base all shiny and inviting and sexy looking. So since I have played any given Mechwarrior game dozens of times I figured I was going to simply own folks with this new toy. With a huge ego I crawled up into the giant metal beast and started waddling toward an enemy missile silo. Noticed right away that the feel of the machine wasn't the same as Mechwarrior. Anyway, so I'm stomping across a bridge and this armored car starts slamming me with what looked like Proton Torpedoes from Star Trek and knocks my shields down pretty good. The little punk caught me on a bridge and I couldn't strafe...anyway I made quick work of him. I get to the silo and some infantry puke decides to tickle me with his pea shooter from inside the silo. What a noob. I jump out of the 'Mech' and ran inside and had a good shootout. After I capped the silo I ran back outside only to get pulverized into hambuger by my own fargin walker as my dad (FoG) laughed on.

I definitely had a lot of fun with the game. I had my doubts about it since I prefer old-fashioned tanks and machine gun WWII - Present warfare games but BF2142 really pulled it off. The game mechanics were easy to get used to and didn't require reading a 500 page manual to play. Of course the transition from BF2 to 2142 was seamless if you played the previous titles. I think there is an improvement in power balance from BF2 regarding Jets and copters considering if you knew how to pilot one you rained down hellfire and total destruction with little opposition. In 2142 they toned the air superiority down a notch, you get these pods and other vertical aircraft which can deliver a powerful punch but then again you have a freakin walking 3 story high tank and better anti-aircraft weaponry too...

Now I need to convince my wife of the importance of moving to at least 1GB of RAM from 512MB. This is going to be a challenge. I was walking tall with WoW, Doom3 and Quake4 with the 512 Corsair I have but I am humbled by the latest greatest out there (Battlefield 2 & 2142, Oblivion and the up and coming Quake Wars). Any advice you fellers can give me out there to help with the dilemma I'm in be sure to comment :-)

Have a good one! (BTW - All you Old Farts out there, FoG runs like a girlie-girl when his son jumps in a game!!)

Wednesday, November 15, 2006

Windows Vista gets installed on test box

So I got my hands on a copy of the new Windows Vista Pre-Release ed. from Technet and I must say, it is pretty. The interface is slightly altered (again) from what we are used to but the graphics are definately nice. They look almost as good as a well-built Linux OS. One thing I noticed about the graphics of the new Windows edition was that they are vector-based which means lots and lots of memory is used up just running Windows. On a machine with 512MB RAM the memory utilization was 82%+ with nothing running. Wouldn't hurt to have a decent graphics card too.

Another new feature includes a slick new login interface and start menu, easy to use Network connection and problem solving utilities which makes setting up your home or business network a snap. It seems like MS has worked hard at the built-in help and self-diagnostic system. Also had a cool new side-bar type application that sat on the right or left side of your screen that kind of faded away unobtrusively where which you could load various 'widgets'. These included a nice clock, calendar, memory usage meter, a notepad etc. After oohing and aahing at the cool new toy I moved onto the work-related side of Vista.

I was disappointed to find out that it has problems integrating itself into a previously existing network. I couldn't get ANY snap-ins that I use on a daily basis to work right. These include Active Directory for Users and Computers, Group Policy, Certificates etc. etc. Couldn't remote into it even after I added it to the domain. I did some research and they (Microsoft) are still working on these issues. Of course you don't want to buy in my opinion ANY new copy of Windows without letting MS work out the bugs first. (IE: Windows XP)

So ultimately the box I had just built was pretty much useless. There is next to no driver support for various devices and no domain-level functionality aside from adding the machine to the domain. Other than that it sure was pretty to look at!

Look for the new release in the latter half of Jan 07.

Tuesday, November 14, 2006

Encrypted File System / Public Key Infrastructure

Ok, so it took me about 3 days to learn a handy little security tool built into Windows called EFS. My boss's words in fact were, 'EFS, learn it and learn to love it.' So presented with this new challenge I needed to decide on where to start.

EFS uses what is called Public Key Infrastructure to issue 'certificates' to the end user which they can then use to encrypt files and/or folders. EFS can be used on a domain or standalone environment.

First things first when you are implementing a new technology in your environment. Figure out your business need. In my case, if you read about me you know I work in a hospital environment and when you have sensitive information regarding patients floating around on a Doctors laptop you want it secured right? So there was the need, now on to the reading.

If any of you haven't been to Microsoft's Technet you should crawl from behind your rock and grab some coffee. There are certain differences between standalone PKI (Public Key Infrastructure) and a PKI implemented on a domain. First being that if a user encrypts files and folders using their domain profile, only that user or a domain Recovery Agent can decrypt it. That means that the local administrator on that box can't even see the file's content. If you are on a workgroup or just want to try it out outside of a domain, note that the local admin of the machine IS the recovery agent and can unlock the file.

Down to business, I will explain the process of using EFS with domain functionality. You will need to have Windows Server 2003 (will work with 2000) installed and have a Enterprise Certificate Authority setup as a role on the server. This will be your rootCA. The Authority to which all others bow down to. Since this is not Technet I won't go into specifics just the theory. I had configured auto-enrollment for Authenticated Users to pull certificates and setup the Domain Admin accounts to have permissions as Recovery Agents. With that out of the way I needed to test functionality.

Using my own domain admin profile I logged on and loaded the 'Certificates' MMC snap-in and requested a Recovery Agent certificate from the EFS Recovery template that was on the rootCA. Once I had the certificate on the machine I loaded up Active Directory and making sure to enable 'Advanced' under view I imported my shiny new certificate into my AD account store. Once this was done I needed to modify group policy to tell the domain that I in fact am a Recovery Agent. I used the Default Domain Policy and added my name to the list under Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Encrypting File System. Once group policy is applied you will be listed in the details of any encrypted file on the domain as a RA. Don't forget a handy little tool to use when updating policy is 'gpupdate' or 'gpupdate /force'.

A key thing to remember and this is what I couldn't understand at first using EFS Recovery Agents is that you cannot simply log into a users machine as yourself (recovery agent) and decrypt files. You must first understand how Public Key Infrastructure works. When you obtain your certificate as a RA, you have a public and private key that is loaded into the local store on the machine you are using. It is considered best practice to upload the private key to a secure location on your network using the export function and delete the keys from the machine when done. You don't want your RA key floating around on people's PC's. When the need arises to decrypt files or folders, you must import that private key from your network store down to the local machine and then and only then will you be able to access or decrypt the file or folder. Also be sure to delete the RA key from that machine after you are through doing your thing.

So I am still in the process of testing the ins and outs but I have successfully used my Recovery Agent keys to decrypt a users encrypted file on our domain here at the Hospital. My team and I will be testing among ourselves before pushing this to a production environment. I only hope we can make the process of encrypting files easy enough so that the docs won't need to go back to school to use it! I have glazed over much of the details and how certain things are done but if anyone has any questions just comment and I will do my best to answer them, when I was looking (googling :-) EFS setup I couldn't find anyone that could explain the way the keys work in lamans terms. I kept trying to log on and decrypt files because I had everything set up correctly EXCEPT the fact that I didn't have my RA keys imported on the users machine.

UPDATE: I have created an .ADM file for use with a custom GPO (group policy object) that will enable a user to right click and have the option to encrypt/decrypt right there one the mini-list. This is cool, very cool indeed...


Hi! This blog for all intents and purposes will be a virtual notebook of sorts by an IT tech. It will also include other geek fuel for the masses and basically whatever is on my mind. I'm new to the blogosphere so hopefully some of you will learn some things and get a laugh every once in a while.