Archive for the ‘Windows’ Category

Using W2k3 R2 server as a NFS share for vmware

July 12th, 2009 Daz No comments

This is something I do in the lab so all of my VMs are able to access ISOs etc. (very handy for quick builds). It is quite handy doing it through Windows, since it’s easy enough to set up a Windows network share to the same location and update various files via that.

This site has some good, clear instructions: http://vmetc.com/2008/02/19/create-a-nfs-share-for-vm-iso-files-with-windows-2003-server-r2/

  1. On the Windows 2003 Server make sure “Microsoft Services for NFS” is installed. If not, you need to add it under Add/Remove Programs, Windows Components, Other Network File and Print Services
  2. Next go to the folder you want to share, right-click on it and select Properties
  3. Click on the NFS Sharing tab and select “Share this Folder”
  4. Enter a Share Name, check “Anonymous Access” and make sure the UID and GID are both -2
  5. In VirtualCenter, select your ESX server and click the “Configuration” tab and then select “Storage”
  6. Click on “Add Storage” and select “Network File System” as the storage type
  7. Enter the Windows Server name, the folder (share) name and a descriptive Datastore Name
  8. Done. Now you can map CD ISOs to your various VMs.
Categories: Networking, Virtual, Windows

True Image – Machine cannot log into domain

June 18th, 2009 Daz No comments

I’ve used True Image for testing packages etc., then reverting back to a standard image for further testing. But there can be a problem if the machine updates its domain password and you then revert back to the original image. It will not let you log on to the domain if the passwords don’t match.

The way to prevent this is to disable password updates so that the machine does not change its password as per the domain policy.

So if a computer is turned off for three months nothing expires. When the computer starts up, it will notice that its password is older than 30 days and will initiate action to change it. The Netlogon service on the client computer is responsible for doing this. This is only applicable if the machine is turned off for such a long time.

http://blogs.technet.com/askds/archive/2009/02/13/machine-account-password-process.aspx

Warning: If you disable machine account password changes, there are security risks because the security channel is used for pass-through authentication. If someone discovers a password, he or she can potentially perform pass-through authentication to the domain controller.

Here is the article that talks about disabling automatic machine account password change.

Key = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Value = DisablePasswordChange REG_DWORD
Default = 0

Changing this value to 1 will disable password changes for this PC. Then you can safely image the machine without having to worry about the machine changing its password with the domain controller.

Categories: Windows

DHCP Client – Error 5: Access is denied.

June 4th, 2009 Daz No comments

I’ve had this on a few Windows 2003 machines, where the “DHCP Client” service refuses to start and prompts with an access denied window.

Unsure of the cause at this point (it may be a security patch), but here is the fix…

Give the local “network service” account full rights to the following registry key;

hkey_local_machine\system\currentcontrolset\services\dhcp

Now try starting the service; it should work. In some cases you may also need to add the rights to the following key:

hkey_local_machine\system\currentcontrolset\services\tcpip

Done.

Categories: Networking, Windows

McAfee – Setting ePO via client package

May 26th, 2009 Daz No comments

I’ve been doing a bit of work recently on McAfee 8.7i enterprise and ePO 4. I wanted to push out the McAfee client via SMS straight after a gold disk build…

First you need to export the repository sitelist.xml and the various keys from your ePO server…

The security keys must be located in the same folder as the site list. Use ePolicy Orchestrator to export the files:

  1. Export the siteinfo file:
    1. Select Software | Master Repository.
    2. Click Export Sitelist.
    3. Save the file to a new location.
  2. Export the security keys:
    1. Select Configuration | Server Settings | Security Keys, and click Edit.
    2. Select Master Agent-server secure communication key, and click Export.
    3. Save the files to the same location as the siteinfo file.

Next you need to create your FramePkg.exe via ePO. Go to systems, click “new systems” near bottom left, then choose “create and download agent installation package”, save this into your shared install directory.

Now to deploy run this from the shared location (or via sms);

framepkg.exe /install=agent /forceinstall /s

I generally use /forceinstall to stop any issues with versioning. /s is for silent install.

Done.

Categories: Windows

WPAD – Web Proxy Autodiscovery Protocol

May 17th, 2009 Daz No comments

When using wpad there are some things that you should take note of;

  • DHCP wpad will override DNS wpad
  • DHCP 252 option can in some cases be slightly slower to resolve than DNS – there may be a patch for WinInet to resolve this.
  • You should always use lower case – wpad.dat  (it is case sensitive)
  • DHCP will allow either a URL or a file location for wpad.dat

Within IE, on the LAN settings tab, if you have WPAD “automatically detect settings” enabled and also configure a proxy server, WPAD should override the manual proxy configuration.

There is some good detail at the usual places http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

I’ve done a bit of work around WPAD, but have yet to write up a decent “how-to”. I’ll update this the next time I dabble in the area.

Here is a quick example of the syntax of a typical wpad.dat file…

   function FindProxyForURL(url, host) {
      // our local URLs from the domains below example.com don't need a proxy:
      if (shExpMatch(url,"*.example.com/*"))                  {return "DIRECT";}
      if (shExpMatch(url, "*.example.com:*/*"))               {return "DIRECT";}

      // URLs within this network are accessed through 
      // port 8080 on fastproxy.example.com:
      if (isInNet(host, "10.0.0.0",  "255.255.248.0"))    {
         return "PROXY fastproxy.example.com:8080";
      }

      // All other requests go through port 8080 of proxy.example.com.
      // should that fail to respond, go directly to the WWW:
      return "PROXY proxy.example.com:8080; DIRECT";
   }
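
A small Node.js harness for checking what a wpad.dat like the one above actually returns before it is published; this is an added example, not part of the original post. The `shExpMatch` and `isInNet` stand-ins, `ipToInt`, `route` and the sample URLs are constructed for illustration, and `isInNet` here handles IPv4 literals only.

```javascript
// Stand-ins for the PAC helpers a browser supplies (constructed for offline testing).
function shExpMatch(str, pattern) {
  // Shell-style glob: '*' matches any run of characters, '?' exactly one.
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

function ipToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function isInNet(host, net, mask) {
  // Assumption: only IPv4 literals are handled; a browser resolves names via DNS first.
  const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// The wpad.dat logic from the post, unchanged.
function FindProxyForURL(url, host) {
  if (shExpMatch(url, "*.example.com/*")) { return "DIRECT"; }
  if (shExpMatch(url, "*.example.com:*/*")) { return "DIRECT"; }
  if (isInNet(host, "10.0.0.0", "255.255.248.0")) {
    return "PROXY fastproxy.example.com:8080";
  }
  return "PROXY proxy.example.com:8080; DIRECT";
}

// Evaluate the PAC as a browser would: full URL plus the hostname taken from it.
function route(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}

// Constructed sample URLs; each is printed with the decision it receives.
const samples = [
  "http://intranet.example.com/wiki",
  "http://intranet.example.com:8443/wiki",
  "http://10.0.7.20/status", // inside 10.0.0.0/21
  "http://10.0.8.20/status", // first address block outside the /21
  "http://www.example.org/",
  "http://www.example.org/mirror/static.example.com/app.js", // ".example.com/" only in the path
];
for (const u of samples) console.log(route(u).padEnd(42), u);
```

The last sample is sent DIRECT because the first two rules test `url` rather than `host`; testing the hostname instead (for example with `dnsDomainIs(host, ".example.com")`) keeps text in a path from selecting the route.
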
Categories: Windows