August 1st, 2008 
Kiwi Si 
When creating a Windows Server Gold build for use in VMware ESX I specify and modify the following configuration settings for the server I am going to use as a template.
This is not an exhaustive list by any means though are a few of the main things I usually do.
Let me know if there are any other modifications or ‘tweaks’ you do when creating a Windows Gold Build.
UPDATE: Thanks for the additional tips that you apply to an ESX template – keeping it coming. I am going to add these recommendations to this list (see below). I’ve also adjusted the title of the post as there are now more than 10 basic things to consider. 
- Use a 20GB C partition for the OS – Or there about’s. This gives plenty of headroom for installing most applications. There is nothing worse than trying to increase the size of this later. Disk space is now so cheap there is no excuse to scrimp with the OS partition.
- Apply Microsoft Service Pack and Security patch updates – Either use Windows Update, push the patches out via MS Operations Manager, or similar. If the VM isn’t connected to the internet then check out this article by vinf.net that outlines how to use a rather good utility called ‘CTUpdate’ to build a Windows patch update CD. Definitely worth a look.
- Change screen resolution – I usually go for 1024 x 768 as this gives adequate screen real-estate whilst it not taking over your entire screen. The default 800 x600 just doesn’t cut it.
- Move CD drive mapping to Z – I don’t know how many times I’ve seen the CD drive still mapped as D with disk partitions allocated to E, F drive, etc. This, in my opinion, just looks sloppy. Allocate the CD drive to Z on all your servers to make it distinguishable from the hard disk partitions. **UPDATE** David Lomas has raised a very valid point: "There is a very good reason for not changing drive letters from their default order. If you ever P2V or V2P a machine it will typically put all the drives back to the default order. This will really mess up some servers, for example a domain controller with its database or logs on a different drive won’t start AD, which means you can’t even log in!". So take heed if changing default drive mappings!
- Configure SNMP – it is always good practice to monitor your IT environment and VM server instances are no exception. Install the SNMP service and configure it up to talk to your monitoring software.
- Enable remote desktop – By default Remote Desktop is not enabled. Go into ‘System Properties’ and allow Remote Desktop connections from Administrators (or who ever administers your environment).
- Copy the OS source files to C:\i386 – In doing this you won’t have to search high and low for the OS media when going to add new services as all the required files will be on the local hard disk.
- Make c:\i386 the default OS source location - As long as you followed point 7 above this will get around those annoying prompts for the source media when installing new services (eg: SNMP, IIS, etc.)Hive:HKEY_LOCAL_MACHINE\SOFTWARE\
Key: Microsoft\Windows\CurrentVersion\Setup
Value: SourcePath (change to C:\) - Change the default ‘Administrator’ username – The reason for this is security. There are two schools of thought as to whether this is necessary or is a best practice. I personally like to change the default local ‘Administrator’ account as anything that reduces the risk of the environment being compromised I am keen to do.
- Install Windows Server Resource Kit – There are some great utilities that may come in useful in this kit. Best to have them installed and ready to go in a time of crisis. This can be downloaded from Microsoft here.
- Disable Internet Explorer Enhanced Security Configuration. [from Mark Roe]
- Apply security templates from within the MMC snap-in. [from Mark Roe]
- Create a download directory on the D drive. [from Mark Roe]
- Install the latest VMtools before Templating. [from Stuart Mycock]
- ESX Host Time Sync – Configure the VMtools for local ESX host time sync and in also disable the Windows time service to avoid conflicts. [from Stuart Mycock] **UPDATE** Another option as highlighted by Scott Lowe is to leave this disabled and let Windows handle the time synchronisation.
- Install BGINFO – BGinfo is also still a useful thing to have load on login as some techies can forget what machine they’ve RDP’d into or what IP addresses it is using, etc. [from Stuart Mycock]
- Consistent Desktop for all server users – Set all desktop preferences using the admin account, then copy that provide to the ‘Default User’ profile. New users get a consistent desktop. [from Ben Conrad]
- Adjust the Disk Timeout – to a value recommended by your storage vendor. Set: [from Ben Conrad] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\TimeOutValue
- Applications that report to centralised server – Some apps that report to a centralized server (like McAfee) need to have some settings cleared after ‘ghosting’ using Sysprep runonce. [from Ben Conrad]
- Disable the pre-logon screensaver – Click here for details. [from Duncan at Yellow-Bricks.com]
- Disable updates of the last access time attribute for your NTFS filesystem - Click here for details. [from Duncan at Yellow-Bricks.com]
- Disable all visual effects – Click here for details. [from Duncan at Yellow-Bricks.com]
- Disable mouse pointer shadow - Click here for details. [from Duncan at Yellow-Bricks.com]
- Increase the colour depth of RDP sessions – When using virtual Desktop machines increase the could depth of for RDP. Gives a 32 bit colour range when using graphics based applications. [from Anthony Preston]
HKLM\system\currentcontrolset\Control\Terminal Server\WinStations\RDP-Tcp\ColorDepth = 4
- Disable Last Access tracking – May bring a slight performance increase. Click here and see comment #4 below for details. [from David Lomas and Stuart Mycock]
- Attach a 2nd VMDK, formatted as FAT32 given the drive-letter “S”. Move pagefile.sys to this drive. [from omfgz]
Related posts:
- Some Basics of Microsoft Server OS Licensing on VMware vSphere One common area of confusion for many is around...
- Microsoft Windows 7 – August 2009 Launch Date? It looks like the cat has been let out...
- HP Proliant Server Firmware Update CD – Help keep your server running smoothly How many of your HP Proliant servers do you...
Posted in 
My name is Simon Seagrave and I am a London (UK) based Technical Architect. 
Loading ...
Nice tips! I know it goes without saying, but make sure the latest VMtools are installed before templating.
I also like to configure the VMtools for local ESX host time sync and in doing that I also disable Windows time service to avoid conflicts.
BGinfo is also still a useful thing to have load on login as some techies can forget what machine they’ve RDP’d into or what IP addresses it is using, etc.
[Reply]
Hi Stuart,
Thanks for the good tips – I’ve added them to the list.
Cheers,
Simon
[Reply]
Hi Stuart,
Here is another thing you could add to your guest template build.
When using virtual Desktop machines I increase the could depth of for RDP.
HKLM\system\currentcontrolset\Control\Terminal Server\WinStations\RDP-Tcp\ColorDepth = 4
Gives a 32 bit colour range when using graphics based applications.
[Reply]
Hi Stuart,
some good tips, although some seem to be specific to people’s environments rather than to ESX templates.
One more tip is to disable the File Last Access Time Check (Set: HKLM\System\CurrentControlSet\Control\FileSystem\NTFSDisableLastAccessUpdate), which should imporve performance.
Also, see the Windows Server Performance Tuning Guidelines from Microsoft for a few more tips (http://www.microsoft.com/whdc/system/sysperf/Perf_tun_srv.mspx)
I have to disagree with tip number 4 though.
There is a very good reason for not changing drive letters from their default order. If you ever P2V or V2P a machine it will typically put all the drives back to the default order. This will really mess up some servers, for example a domain controller with its database or logs on a different drive won’t start AD, which means you can’t even log in!
There has to be a much better reason than ‘it looks sloppy’ to ever change drive letters about in my opinion.
Regards,
David
[Reply]
Hi David,
Thanks for the tip and comments. I have added the tip to the ever increasing list.
My original intention for creating this list was to provide a list of extra steps or configurations I perform with my Windows Server Gold Build templates within ESX.
It definately isn’t intended as a “must do” definitive type list but instead I am hoping to generate a list that provides tips into what I and other admins include in their Gold Builds.
Admins who find the list can look over it and decide if any of the tips would be suitable/appropriate for their builds and hopefully in some instances have people think, “Hmm, that’s a good idea I never thought of doing that – I may give that a go”.
After reading your comment about changing the CD/DVD drive to Z – you hightlight a real oversight in my quest for keeping my drive mappings “non sloppy”.
Good call – I will ammend my tip accordingly.
Thanks for the feedback.
Cheers,
Simon
[Reply]
Thank you all for the tips, can someone please send me the complete list of windows gold build process if any one have. That will be very helpful
[Reply]
[...] a list of some of the basic things you should do on a “golden master” template for Windows Server VMs. I actually disagree with #15, [...]
I’d also like to add:
Attach a 2nd VMDK, formatted as FAT32 given the drive-letter “S”.
Move pagefile.sys to this drive.
[Reply]
Why would you use FAT32?
[Reply]
Not sure TBH – I would personally always recommend NTFS.
[Reply]
The theory goes that it’s simpler and (slightly) higher performing for small filesystems.
Assuming of course you don’t need journaling, ACLs or files >4gb.
I haven’t benchmarked it myself though.
[Reply]
Kiwi Si Reply:
January 14th, 2009 at 1:19 pm
Fair comment
Out of curiosity has anyone ever seen any benchmarks around this?
[Reply]
Points 21 & 25 are actually identical – however I would tend to use Duncan’s method (using fsutil) as its more obvious and documented as to what you are doing…
[Reply]
[...] Basic things to do when creating a Microsoft Server Gold Build for use on a VMware ESX Template. | T… [...]
[...] all you need to do is get your master VM built with the OS, patched, VMtools installed and you can shut it down, convert to template and then just use [...]
Right-click My Computer.
Click Properties.
Click the Advanced tab.
Click the Environment Variables tab.
Add a new variable in the System Variables box:
devmgr_show_nonpresent_devices=1
Whilst this is most useful for P2V’d machines (not Gold Images) it’s still useful to be able to get rid of non-present hardware.
[Reply]
Two of mine:
1) If the server will be used for file shares, create a folder called “data” and set permissions to administrators only. That way, newly-created subfolders will have sensible default permissions.
2) Create a reserve file on each volume using “fsutil file createnew x:\deleteme.dat 1000000000″. That way, if you fill up the disk you can delete the reserve file and then have some breathing space to fix the problem. Of course, proper monitoring would render this unnecessary. Be sure to exclude files called “deleteme.dat” from your backup job.
[Reply]
Any suggestions/ best practices for creating Windows XP Pro VMs?
[Reply]
If you’re thin-provisioning (and I’m sure most of you will be), then be sure to run the awesome sdelfrag vbs script to clean up your drive as much as possible:
http://www.yellow-bricks.com/2008/01/04/vmware-consolidated-backup-and-deleted-files/
This will make your Gold image as tight as possible.
[Reply]
I always enable Remote Desktop because it is disabled by default
[Reply]
For Move CD drive mapping to Z has anyone tried B?
[Reply]