Nelson Araujo's WebLog

Virtual Server 2005 – IDE to SCSI Virtual Machine Migration

The following white paper contains important information on how to migrate your Virtual Server hard disks from IDE to SCSI. That will increase the overall performance of your virtual machines. If you have any questions, don't hesitate to ask! Enjoy.

http://www.microsoft.com/downloads/details.aspx?FamilyId=8D71F23D-0380-4C2F-81DF-6F96ABE05493&displaylang=en

MSDN Wiki pages

Microsoft released a Wiki for MSDN. You can check them here: http://msdnwiki.microsoft.com/

My contributions to the Wiki can be found here: http://msdnwiki.microsoft.com/wikiedit/myprofile.aspx?name=Nelson%20Araujo&skinlocale=en-us

Updating a template

Due to the way the file system is organized into the disk, it is not possible to patch the disk on the parent without invalidating (thus destroying all modifications made since then).

The recommended procedure to update a template would be:

1. Create a new Virtual Machine from a template
2. Install updates and make any other changes you wish
3. Save & Commit the VM
4. Move the updated VHD file to the template folder (with another name different from the current template)
5. Update the <Template> entry with the information
• Change the ID of the template
• Add the same path
• Keep the same <Name> & <Description>
6. Mark the original template as disabled

After that any new VM created will use the new template. You can use the report on the Administration section to monitor when the old template is idle

• Delete the original template when it is idle

Installing VSDM on a 64-bits Windows Server System 2003

VSDM works on a 64-bits system. To enable it the system needs to be correctly configured. Please follow the steps below to enable VSDM to run on those systems.

System Requirements

1. Install Virtual Server 2005 AMD64
2. Install .NET Framework 1.1
3. Install .NET Framework 1.1 Service Pack
4. Execute the following command from a Command Prompt window:
   cscript %SystemDrive%\inetpub\AdminScripts\adsutil.vbs set w3svc/AppPools/Enable32bitAppOnWin64 1

Security: Do not forget to visit Windows Update (or Microsoft Update) to make sure all the installed software is up-to-date with the latest critical security patches available.

Installing VSDM

After you meet the requirements above, follow the normal installation and configuration of VSDM. No other changes are necessary to run VSDM on a 64-bits system other than configuring the server correctly.

Automating VSDM via scripts

Sample scripts are bundled with VSDM in its installation folder (by default C:\Program Files\VSDM\samples). It is recommended that you have some understanding of the VSDM solution before continuing to read this article.

Option Explicit
Dim server
Dim wsh
Dim inet
Dim newVM
Dim vmName
Dim template
Dim network
Dim vmID
Dim rand

' This variable points to your VSDM server root
' e.g.: http://yourserver:81
server = "http://myserver"

' These variables define your VM name and template used
vmName = "AutomationTest" ' Your machine name
template = "xp-pro" ' Machine template to base on
network = 2 ' 2 = Internal Network (but subject to change)

' Random number to avoid collision when running this sample
rand = Now
rand = Replace(rand, "/", "-")
rand = Replace(rand, ":", "-")

Set wsh = CreateObject("WScript.Shell")
Set inet = CreateObject("InternetExplorer.Application")

' Building your VM name
vmID = wsh.ExpandEnvironmentStrings("%USERNAME%." & template & "." & vmName & " " & rand)

' URL to create a new VM
newVM = server & "/vm_ctrl.asp?action=add&name=" & vmID &_
   "&template=" & template &_
   "&types=" & template &_
   "&nettype=" & network

'WScript.Echo "Create <[" & newVM & "]>"

' Call the Internet object to perform the action
WScript.Echo "Performing action. Please wait..."
inet.Navigate newVM

' Wait the request to complete
while inet.Busy
   WScript.Echo "Waiting to complete..."
   WScript.Sleep 1000
wend

WScript.Echo "Request completed"

Security: What to configure when using VSDM?

Q: What do I need to configure on Virtual Server or File System to secure my installation?

A: Nothing!

If you are using VSDM to manage your Virtual Server, whenever you apply the Security Policy VSDM automatically hardens Virtual Server and File System for you. Just make sure your <Security> section (or in the Wizard: Users, Teams, Guests) are correct.

Whenever you change these settings, VSDM will popup a request for you to apply the policy again. Just click the Apply button and you are good to go.

Error "FATAL: Cannot load config file"

If you just installed VSDM and when you create a virtual machine you continuously get this error message, you might be missing some configuration information. To resolve this issue, follow the steps below:

• Make sure you log in as administrator
• Select "Administration" page on VSDM main page

Tip #1: If you cannot open the page and you get access denied, please review the Security settings of the vsdm_config.xml file or go back to the Wizard and check the settings.

• Look at the "System Dashboard" and make sure all the items show a green check
• If you have any missing configuration, warning messages will show there. Please act on all of them (usually a "one click" resolve button is provided)

Done, you might be good to start using VSDM.

Tip #2: If your machine is not joined to a domain, only local accounts can be authorized by Windows, even if you come from a domain-joined computer. In this case, please use the computer name as the Domain for the administrator account.

Tip #2.1: You might create local accounts that match the same username and password on the domain and authorize those. Windows will automatically enable them if you are using Internet Explorer 4.0 or greater.

Why my VM does not start?

In my previous post I talked about the need to keep the template ID and VM names small. If you make them too big, your machine might not start. You can check the Virtual Server Web Administration page to make sure this is the reason (Administration > Launch)

You might also inspect your default VMs folder on vsdm_config.xml file. All those ingridients are mixed together and if one or more are too big, it might overflow the OS limit.

Fix: Try to reduce the template ID, machine names and/or folder locations to smaller lengths.

Hint: Keep you Template ID small

A very useful hint for the VSDM administrators: keep the template IDs as small as possible. The Template ID will be used to build the Virtual Machine name, virtual machine folder and other important system information.

The operating system has a maximum file and path names and making either the template ID or the VM name too big (or both) might lead the system to fail to start the VM.

If possible also avoid using spaces or other "funny" characters on it. Dots (".") are definitely prohibited to be used as part of the template ID.

Determining missing updates from command-line output

Here is a quick tip on how to quickly script MBSA 2.0 to filter and show only the missing updates. But before start using it, note that using a script to parse the <UpdateData> nodes is a far better idea because of the richness of the information it is there. Refer to other posts in my blog for samples on how to achieve that (for example, this one). Now the quick filter:

mbsacli /n password+os+iis+sql | findstr "|| Missing ||"

By using the /n switch, you will be disabling all other checks but security update compliance, so be careful when using such option. Also notice that the word "Missing" is localized (it changes depending on the language of MBSA you installed). The example above only works for English MBSA 2.0 installations. You need to update the term to other languages as appropriate.

(Cool) Tablet PC game published

I'm very happy to write here that it is now available on Windows Tablet PC Power Toys a game I've written: Word Search game. If you have a Tablet PC you can (and should) download it for free from here: http://download.microsoft.com/download/5/e/7/5e7ff50e-2745-407f-baf1-24a83f1425a4/WordSearchGameforTabletPCsetup.exe

Converting a MBSA 2.0 report into text format (updates check)

Before you start relying on this sample, I'd like to say that: If you still uses MBSA 1.2.1 and this script would help you keep your automation, I strongly encourage you to upgrade your scripts to support MBSA 2.0. MBSA 2.0 provides more data, in a more structured and organized format, making the parsing easier, more precise and more robust. Now let's get to the sample...

---

Usage: cscript /nologo mbsa2lr.vbs <your-report-file>

Example: cscript /nologo mbsa2lr.vbs "%USERPROFILE%\SecurityScans\REDMOND - NELSONA (7-25-2005 2-53 PM).mbsa"

---

File: MBSA2LR.XSL - Rules to convert the report

<?xml version="1.0"?>
<!--
mbsa2text.xsl - Converts the missing updates into text-delimited format

Requires: MBSA 2.0
Author: Nelson Araujo
Download: http://blogs.msdn.com/nelson_araujo/archive/2005/07/29/mbsa_automation_sample2.aspx

Copyright (C) 2005 Microsoft Corporation. All rights reserved.
Microsoft provides programming examples for illustration only, without
warranty either expressed or implied, including, but not limited to, the
implied warranties of merchantability or fitness for a particular purpose.
This example assumes that you are familiar with the programming language
that is being demonstrated and the tools that are used to create and debug
procedures. Microsoft support professionals can help explain the
functionality of a particular procedure, but they will not modify these
examples to provide added functionality or construct procedures to meet your
specific requients. If you have limited programming experience, you may
want to contact a Microsoft Certified Partner or the Microsoft fee-based
consulting line at 1-800-936-5200. For more information about Microsoft
Certified Partners, see the following Microsoft Web site:

http://directory.microsoft.com/resourcedirectory/Solutions.aspx

For additional information about the support options available from
Microsoft, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;[LN];CNTACTMS

-->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:variable name="CR" select="'
'"/>
<xsl:variable name="TAB" select="' | '"/>
<xsl:template match="/">
Machine Name<xsl:value-of select="$TAB"/>Product<xsl:value-of select="$TAB"/>Bulletin<xsl:value-of select="$TAB"/>Q Number<xsl:value-of select="$TAB"/>Reason<xsl:value-of select="$TAB"/>Status
<xsl:apply-templates select="//UpdateData"/>
</xsl:template>
<xsl:template match="UpdateData">
<xsl:value-of select="../../../@DisplayName"/>
<xsl:value-of select="$TAB"/>
<xsl:value-of select="../../@GroupName"/>
<xsl:value-of select="$TAB"/>
<xsl:value-of select="@BulletinID"/>
<xsl:value-of select="$TAB"/>
<xsl:value-of select="@KBID"/>
<xsl:value-of select="$TAB"/>
<xsl:text>N/A</xsl:text>
<xsl:value-of select="$TAB"/>
<xsl:if test="@IsInstalled = 'true'"><xsl:text>Installed</xsl:text> </xsl:if>
<xsl:if test="@IsInstalled = 'false'"><xsl:text>Missing</xsl:text></xsl:if>
<xsl:value-of select="$CR"/>
</xsl:template>
</xsl:stylesheet>

---

File: MBSA2LR.VBS - XSL rules processor

'------------------------------------------------------------------------------
'
' mbsa2text.vbs - Converts the missing updates into text-delimited format
' Requires: MBSA 2.0
' Author: Nelson Araujo
' Download: http://blogs.msdn.com/nelson_araujo/archive/2005/07/29/mbsa_automation_sample2.aspx
'
' Copyright (C) 2005 Microsoft Corporation. All rights reserved.
'
' Microsoft provides programming examples for illustration only, without
' warranty either expressed or implied, including, but not limited to, the
' implied warranties of merchantability or fitness for a particular purpose.
' This example assumes that you are familiar with the programming language
' that is being demonstrated and the tools that are used to create and debug
' procedures. Microsoft support professionals can help explain the
' functionality of a particular procedure, but they will not modify these
' examples to provide added functionality or construct procedures to meet your
' specific requirements. If you have limited programming experience, you may
' want to contact a Microsoft Certified Partner or the Microsoft fee-based
' consulting line at 1-800-936-5200. For more information about Microsoft
' Certified Partners, see the following Microsoft Web site:
'
' http://directory.microsoft.com/resourcedirectory/Solutions.aspx
'
' For additional information about the support options available from
' Microsoft, visit the following Microsoft Web site:
'
' http://support.microsoft.com/default.aspx?scid=fh;[LN];CNTACTMS
'
'------------------------------------------------------------------------------

Option Explicit

Dim xml
Dim xsl
Dim output

Set xsl = CreateObject("MSXML2.DOMDocument")
Set xml = CreateObject("MSXML2.DOMDocument")

If Not xsl.load("mbsa2lr.xsl") Then
   WScript.Echo "Cannot load XSL file"
   WScript.Quit(2)
End If

If Not xml.load(WScript.Arguments(0)) Then
   WScript.Echo "Cannot load MBSA report file"
   WScript.Quit(3)
End If

' Process the report
WScript.Echo xml.transformNode(xsl)

---

Sample output:

<?xml version="1.0" encoding="UTF-16"?>
Machine Name | Product | Bulletin | Q Number | Reason | Status
REDMOND\NELSONA | Office |  | 842774 | N/A | Installed
REDMOND\NELSONA | Office |  | 842532 | N/A | Installed
REDMOND\NELSONA | Office |  | 840663 | N/A | Installed
REDMOND\NELSONA | Office | MS05-023 | 887979 | N/A | Installed
REDMOND\NELSONA | Windows |  | 867460 | N/A | Installed
REDMOND\NELSONA | Windows | MS04-043 | 873339 | N/A | Installed
REDMOND\NELSONA | Windows | MS04-041 | 885836 | N/A | Installed
REDMOND\NELSONA | Windows | MS05-001 | 890175 | N/A | Installed
REDMOND\NELSONA | Windows | MS05-004 | 886903 | N/A | Installed
REDMOND\NELSONA | Windows | MS05-007 | 888302 | N/A | Installed
REDMOND\NELSONA | Windows | MS05-009 | 887472 | N/A | Installed
REDMOND\NELSONA | Windows | MS05-013 | 891781 | N/A | Installed
REDMOND\NELSONA | Windows | MS05-015 | 888113 | N/A | Installed
REDMOND\NELSONA | Windows | MS05-012 | 873333 | N/A | Installed
REDMOND\NELSONA | Windows | MS05-016 | 893086 | N/A | Installed
REDMOND\NELSONA | Windows | MS05-018 | 890859 | N/A | Installed
REDMOND\NELSONA | Windows | MS04-044 | 885835 | N/A | Installed
REDMOND\NELSONA | Windows | MS05-011 | 885250 | N/A | Installed
REDMOND\NELSONA | Windows | MS05-026 | 896358 | N/A | Installed
REDMOND\NELSONA | Windows | MS05-032 | 890046 | N/A | Installed
REDMOND\NELSONA | Windows | MS05-027 | 896422 | N/A | Installed
REDMOND\NELSONA | Windows | MS05-033 | 896428 | N/A | Installed
REDMOND\NELSONA | Windows | MS05-025 | 883939 | N/A | Installed
REDMOND\NELSONA | Windows | MS05-019 | 893066 | N/A | Installed
REDMOND\NELSONA | Windows |  | 890830 | N/A | Installed
REDMOND\NELSONA | Windows | MS05-037 | 903235 | N/A | Installed
REDMOND\NELSONA | Windows |  | 890830 | N/A | Missing
REDMOND\NELSONA | Windows | MS05-036 | 901214 | N/A | Installed

Determining if a patch/update is installed with MBSA 2.0

In the 2.0 version of MBSA there are structured information about patches and updates. To verify if a patch is missing or installed, simple XML queries can be issued for that purpose. The 2 small programs below accomplish that task. You can use them as a start for your integration scripts and/or to get an idea where to start.

---

Usage: CheckIsInstalled <REPORT-FILE> <PATCH-TO-SEARCH>

Example: CheckIsInstalled "%USERPROFILE%\SecurityScans\REDMOND - NELSONA (7-25-2005 2-53 PM).mbsa" MS05-001

---

 CheckIsInstalled.cmd - Command script to verify if a patch is missing

@echo off
REM
REM CheckIsInstalled.cmd - Verifies if a patch is missing on the system
REM Requires: MBSA 2.0
REM Author: Nelson Araujo
REM Download: http://blogs.msdn.com/nelson_araujo/archive/2005/07/28/mbsa_automation_sample1.aspx
REM
REM Copyright (C) 2005 Microsoft Corporation. All rights reserved.
REM
REM Microsoft provides programming examples for illustration only, without
REM warranty either expressed or implied, including, but not limited to, the
REM implied warranties of merchantability or fitness for a particular purpose.
REM This example assumes that you are familiar with the programming language
REM that is being demonstrated and the tools that are used to create and debug
REM procedures. Microsoft support professionals can help explain the
REM functionality of a particular procedure, but they will not modify these
REM examples to provide added functionality or construct procedures to meet your
REM specific requirements. If you have limited programming experience, you may
REM want to contact a Microsoft Certified Partner or the Microsoft fee-based
REM consulting line at 1-800-936-5200. For more information about Microsoft
REM Certified Partners, see the following Microsoft Web site:
REM
REM http://directory.microsoft.com/resourcedirectory/Solutions.aspx
REM
REM For additional information about the support options available from
REM Microsoft, visit the following Microsoft Web site:
REM
REM http://support.microsoft.com/default.aspx?scid=fh;[LN];CNTACTMS
REM
REM ------------------------------------------------------------------------------
REM
REM Usage: CheckIsInstalled "%USERPROFILE%\SecurityScans\MyReportFile.mbsa" PATCH
REM MyReportFile = modify to represent your MBSA report name
REM PATCH = modify to represent the patch you want to find, e.g. MS05-023
REM
REM ------------------------------------------------------------------------------

echo Checking for update...

cscript IsPatchMissing.vbs %1 %2
if errorlevel 3 goto reportfail
if errorlevel 2 goto updatenotfound
if errorlevel 1 goto not_installed
if errorlevel 0 goto installed
goto EOF

:reportfail
echo ERROR: Cannot load report from %1
goto EOF

:updatenotfound
echo ERROR: Cannot find information for %2
goto EOF

:not_installed
echo WARNING: Update %2 is NOT installed
goto EOF

:installed
echo OK: Update %2 is installed
goto EOF

:EOF

---

IsPatchMissing.vbs - Helper VB Script to verify the presence of a specific patch/update by ID

'------------------------------------------------------------------------------
'
' IsPatchMissing.vbs - Verifies if a patch is missing on the system
' Requires: MBSA 2.0
' Author: Nelson Araujo
' Download: http://blogs.msdn.com/nelson_araujo/archive/2005/07/28/mbsa_automation_sample1.aspx
'
' Copyright (C) 2005 Microsoft Corporation. All rights reserved.
'
' Microsoft provides programming examples for illustration only, without
' warranty either expressed or implied, including, but not limited to, the
' implied warranties of merchantability or fitness for a particular purpose.
' This example assumes that you are familiar with the programming language
' that is being demonstrated and the tools that are used to create and debug
' procedures. Microsoft support professionals can help explain the
' functionality of a particular procedure, but they will not modify these
' examples to provide added functionality or construct procedures to meet your
' specific requirements. If you have limited programming experience, you may
' want to contact a Microsoft Certified Partner or the Microsoft fee-based
' consulting line at 1-800-936-5200. For more information about Microsoft
' Certified Partners, see the following Microsoft Web site:
'
' http://directory.microsoft.com/resourcedirectory/Solutions.aspx
'
' For additional information about the support options available from
' Microsoft, visit the following Microsoft Web site:
'
' http://support.microsoft.com/default.aspx?scid=fh;[LN];CNTACTMS
'
'------------------------------------------------------------------------------

Option Explicit

Dim xml
Dim update
Dim isInstalled
Dim report
Dim updID

report = WScript.Arguments(0)
updID = WScript.Arguments(1)

Set xml = CreateObject("MSXML2.DOMDocument")

xml.Load report

If Len(xml.xml) = 0 Then
   WScript.Echo "Cannot load MBSA XML report: " & report
   WScript.Quit(3)
End If

' Searches for the patch ID
Set update = xml.SelectSingleNode("//UpdateData[@ID='" & updID & "']")
If update Is Nothing Then
   WScript.Echo "Update information not found"
   WScript.Quit(2)
End If

' Verifies if patch is installed
Set isInstalled = update.SelectSingleNode("@IsInstalled")
If isInstalled Is Nothing Then
   WScript.Echo "Update information corrupted or missing"
   WScript.Quit(2)
End If

If isInstalled.Value = "true" Then
   WScript.Echo "Update " & updID & " is installed"
   WScript.Quit(0)
Else
   WScript.Echo "Update " & updID & " is NOT installed"
   WScript.Quit(1)
End If

Microsoft Baseline Security Analyzer 2.0 (MBSA 2.0) shipped

I'd like to let you all know that Microsoft Baseline Security Analyzer 2.0 (aka MBSA 2.0) has shipped. To get the new application, also available in other languages, please visit the product download page at http://www.microsoft.com/mbsa. The download is free and it is very simple to use.

VSDM :: Customizing the help page

VSDM offers the administrator the option to customize the appearance of the help page. This is very useful to put important information about troubleshooting, contacts and other relevant information for the daily job, without poluting the main page. It is actually very simple to add help topics to VSDM. This feature is not provided by the Configuration Wizard though. You have to edit the vsdm_config.xml directly (with Notepad or any other text or XML editor).

How does it work?

The configuration file contains a section called <HelpTopics> that contains the information that will be presented to users when they visit the help page. For every <HelpTopic> you add to that section, a new item will show up for the users. Simple like that. Let's take a look at an example of a help topic:

<HelpTopic target="_blank">
    <Title>Sample Help Topic: Microsoft Web Site</Title>
    <URL>http://www.microsoft.com</URL>
</HelpTopic>

HelpTopic Fields

• Title (mandatory, node): Text that will be displayed to the user
• URL (optional, node): Makes text in <Title> will be presented as a clickable hyperlink, and specifies where the browser should be pointed when clicked.
• target (optional, attribute): Specifies the target window to display the help topic. I suggest you leave "_blank". This will make your browser open the topic in a new window.