Friday, July 11, 2008

Unable to template Server 2008 virtual machine with SCVMM or deployment fails unable to customize

I struggled with this myself, and it is an issue that an administrator rarely has to deal with anymore.

Any administrator that has had to set domain password secirity levels and enforcements, knows what I am talking about. Password security policy.

Let's back up and talk about VMM first.
My references are going to be specific to SCVMM 2008 (since that is what is new and improved - this can apply to VMM 2007 in some cases).

In VMM there are two ways to create VM templates.

One is to select the Library view, Click the New Template action to launch the wizard. Select the button to use an existing virtual machine.
After you finish the wizard, the VM is prepared to be a template. One of these steps involves using the local administrator credentials that you provided and actually modifying the VM with a blank local administrator password and running sysprep. This way, on deployment of the template, there is a blank administrator password that allows the injection of the OS Profile (sysprep answer file - sysprep.inf or unattend.xml) to finish the deployment.

The other way to create a template is from an existing VHD that is already stored in the Library. Following the process above - VMM expects that the VHD has been prepared by the administrator with a blank local administrator password and sysprep has been run.

(This is all in the documentation BTW - no secrets are being revealed).

Now, why does the tempolating process fail? Especially with Server 2008? - this is where the machine local security policy comes in.

Start -> Administration Tools -> Local Security Policy (this is within the VM - just to make sure that you were following along)
Account Policies -> Password Policy

Minimum Password Length must be 0 (this is a blank password that we are trying to accept)
Password must meet complexity requirements must be disabled.

Wait a minute...I just tried changing these settings in my VM and I can't...what's up?

Most likely, your VM is joined to a Domain and the Domain security policy is overriding the local security policy - you remember, strictest and/or last applied wins.

Unjoin your VM from the Domain, set the local security password policy, shutdown the VM - return to the VMM New Template wizard and prepare your VM as a template.

This will get you past the security bug when you create templates.

In the case of VHDs that have been used to create templates - If you did not set the local administrator password to blank then the deployment of the VM will fail, not the template creation.

It is a different step in the process, and a different failure, but the same cause.

BTW - just to clarify. When I said the local administrator password needed to be blank I didn't mean the letters b.l.a.n.k or the word 'blank' - I meant (in programmer terms) empty string - null - nothing.


Daniel said...

Can you attach the drives to a SCSI controller on the VM? I know the boot drive has to be IDE, but you should be able to add many more data drives to the SCSI controller.

BrianEh said...

Yes, you can always use the SCSI interface to add additional drives.
However, this is dependant upon the Integration Components installed and running in the VM - therefore it is OS dependant.