Unable to mount the WIM/DISM was unable to set the system root

My company has recently started to deploy Server 2012 R2.  Before we could do this, the security team had to develop the policies to apply to the systems before we were allowed to do so.  Naturally, this leads to times where we have to troubleshoot issues caused by restrictive policies.  I started the process to deploy a new MDT server to replace one of my 2008 MDT systems that hosts WDS, to attempt to get past the issue documented here.

I built my MDT Server with MDT 2013 and the ADK, and copied my old Deployment Share over to get the process started.  I updated my bootstrap.ini file to show the proper server name and tried to build a new boot image.  *BAM!*  I was hit with an error as soon as it started.

Unable to mount the wim, so the update process cannot continue.

I looked and searched high and low for the cause.  I removed policies, thinking I knew what the issue was.  I *couldn’t* find it.  I took a break and came back to it by adding policies one at a time to see what broke my process.

I was able to get past this issue by changing the following setting:

Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignments

  • Backup Files and Directories – Add Administrators back in
  • Restore Files and Directories – Add Administrators back in

These two policy settings had only Backup Operators, to grant the least rights possible.

This should alleviate the first issue.

Once I fixed this issue, I re-applied group policy, logged out and back in, and attempted to rebuild my WIM file.  I was hit by the next errors.

  • DISM Imaging Servicing Utility has stopped working
  • DISM was unable to set the system root (target path) for the Windows PE image, so the update process cannot continue.
    • Exit Code = -1073741819
    • DISM /Set-TargetPath failed, rc = -1073741819

Well…crap.  Back to looking.  I had an idea what the issue might be from looking at my event logs.  In my security logs (which scroll fast due to advanced auditing), I was able to see some Task Category entries for Process Creation.  I can’t claim to know what all of this means, but I did see that it was attempting to get a new token for the WIM build.

Process Information:
New Process ID: 0x1010
New Process Name: C:\Windows\System32\cmd.exe
Token Elevation Type: TokenElevationTypeFull (2)
Creator Process ID: 0x918
Process Command Line:

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

Tokens Eh?  I remember seeing a policy for that!

Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignments

  • Create Token Object

I added Administrators, applied policy, logged out/in.  No dice.  I read a little more.

Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignments

  • Create global objects – Add Administrators.

Bingo! Our setting was LOCAL SERVICE and NETWORK SERVICE only.  After I adjusted this setting, I was able to build my WIMs successfully.
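To confirm the three user rights before rebuilding a boot image, here is an added PowerShell check (not from the original post) that exports the effective local policy with secedit and lists who holds each right; it assumes it is run elevated on the MDT server.

```powershell
# Added example: report who holds the three user rights the post touched.
# Assumes an elevated prompt on the MDT server; secedit.exe ships with Windows.
$rightsToCheck = @{
    'SeBackupPrivilege'       = 'Back up files and directories'
    'SeRestorePrivilege'      = 'Restore files and directories'
    'SeCreateGlobalPrivilege' = 'Create global objects'
}
$inf = Join-Path $env:TEMP 'secpol-export.inf'
# /areas USER_RIGHTS limits the export to the [Privilege Rights] section
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Lines look like: SeBackupPrivilege = *S-1-5-32-551,*S-1-5-32-544
$lookup = @{}
foreach ($line in (Get-Content $inf | Where-Object { $_ -match '^Se\w+Privilege\s*=' })) {
    $name, $value = $line -split '\s*=\s*', 2
    $lookup[$name.Trim()] = $value
}

foreach ($priv in $rightsToCheck.Keys) {
    $holders = @()
    if ($lookup.ContainsKey($priv) -and $lookup[$priv]) {
        foreach ($entry in ($lookup[$priv] -split ',')) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                # A leading * marks a SID; translate it to an account name where possible
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    $holders += $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $holders += $entry }
            } else { $holders += $entry }
        }
    }
    [pscustomobject]@{
        Right         = $rightsToCheck[$priv]
        Privilege     = $priv
        Holders       = ($holders -join ', ')
        AdminsPresent = ($holders -contains 'BUILTIN\Administrators')
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

A row with AdminsPresent = False for any of the three rights is the condition that produced the two errors above; the export reflects the effective policy, so run it after a gpupdate and a fresh logon.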

I hope this blog post is useful for someone else!

MDT 2013 – Roles and Features

This post focuses mainly on 2008 R2 (Std/Ent) and 2012 R2, as the OS Roles and Features are relatively similar and most software works on either OS.  The OS Roles and Features install via MDT is a nice addition, but it does have some caveats.  You should be sure to select *only* the roles you need.

For Example:

IIS – You want to install the following roles:

  • Static Content
  • Default Document
  • Directory Browsing
  • HTTP Errors

If you select the parent Common HTTP Features node as well as only the features listed above, MDT will install every feature under that node, not just the ones you ticked.

Secondly, if you have to install a feature that has dependencies, the Roles and Features section will not resolve them for you.  If you are installing the WSUS Role via the Task Sequence, you will need to select the IIS features that it needs. (For Reference).

Be sure to select the proper OS (2008 R2, 2012 R2, 7, 8.1, etc)

Installing the SolarFlare Drivers and Software

My company has recently purchased some SolarFlare 10GbE Network Adapters.  For the most part, these cards provide a basic install like most other utilities (Dell Drivers, VMWare Tools, McAfee, etc.).

I did run into a couple of caveats when installing the software.

  1. Do not extract the install package.
  2. The return code appears to be 18.  I’ve done one test and gotten an RC of 19.
  3. The install will force a reboot unless told otherwise (include REBOOT=Suppress in your install line).

Caveat #1

The driver file to download is named: SF-107785-LS-4_Solarflare_Windows_x64_64-bit_Driver_Package.exe

Rename this file to setup.exe rather than extracting.  If you extract, you get the following error:

Caveat #2

I added the following to my code: (iRetVal = 18) or (iRetVal = 19). This allowed the install to complete successfully.  I am following up with SolarFlare to find out why.  I will update with any response.

Note #1

I added a WQL query to my Group in MDT so that this software only installs if a device with a Hardware ID of PCI\VEN_1924% is present in the system.  This checks WMI to see if the device is in the system.  This DeviceID is specific for the SolarFlare SFN6122F.

Query: SELECT * FROM Win32_PnPEntity WHERE DeviceID LIKE 'PCI\\VEN_1924%'

Note #2

I did not write the code to include any architecture checks, as these cards are only going to run under a 64-bit OS.  If you need one, you can add an If oEnvironment.Item("Architecture") = "X64" Then section.

Recommendation #1

As a recommendation, when installing any software that touches the network stack (Broadcom BACS, SolarFlare, VMTools), copy it to a temp folder and install from there.  The software installs more reliably, with fewer issues, when it runs from a local copy.

Now…the Code!

A basic flow of the code…

  • Set destination folder to C:\temp
  • Create folder if it doesn’t exist
  • Copy Source folder to C:\temp\Source
  • Run setup.exe to install all features (SolarFlare User Guide - Page 123 for the ADDLOCAL info)
  • Sleep for a few seconds, just in case the install hasn’t finished
  • Cleanup
  • Be sure to include a reboot step in your Task Sequence.

' Body of the ZTIProcess function in an MDT custom script built from the ZTIUtility
' template; oLogging, oUtility, oFSO and the Success/Failure/LogType constants come
' from ZTIUtility.vbs, which the standard script header includes.
Function ZTIProcess()
    Dim sApplicationName, sDestFolder, sSourceDir, sFile, sCmd, iRetVal

    sApplicationName = "SolarFlare Software"
    oLogging.CreateEntry "Install-" & sApplicationName & ": Starting " & sApplicationName & " installation", LogTypeInfo

    '// Set destination folder (the trailing backslash is relied on below)
    sDestFolder = "c:\temp\"

    '// Set source install directory (the Source folder next to this script on the share)
    sSourceDir = oUtility.ScriptDir & "\Source"

    '// Check that the destination folder exists; if not, create it
    oLogging.CreateEntry "Install-" & sApplicationName & ": Check that " & sDestFolder & " exists.", LogTypeInfo
    If Not oFSO.FolderExists(sDestFolder) Then
        oFSO.CreateFolder sDestFolder
    End If

    '// Copy the Source folder from the MDT share to C:\temp\Source
    oLogging.CreateEntry "Install-" & sApplicationName & ": Copy from " & sSourceDir & " to " & sDestFolder, LogTypeInfo
    oFSO.CopyFolder sSourceDir, sDestFolder

    '// Sleep for 2 seconds to allow the copy to finish
    WScript.Sleep 2000

    sFile = sDestFolder & "Source\setup.exe"

    '// Fail the step if the renamed package is not where we expect it
    If Not oFSO.FileExists(sFile) Then
        oLogging.CreateEntry "Install-" & sApplicationName & ": " & sFile & " was not found, unable to install " & sApplicationName, LogTypeError
        ZTIProcess = Failure
        Exit Function
    End If

    '// Build the install line once so the log shows exactly what is run
    sCmd = sFile & " /quiet /Install ADDLOCAL=CoreDrivers,OptimizeTCP,SNMP,NetworkAdapterManager,CommandLineTools,Launcher REBOOT=Suppress"
    oLogging.CreateEntry sCmd, LogTypeInfo

    iRetVal = oUtility.RunWithHeartbeat(sCmd)

    '// 0 and 3010 are the usual success codes; 18 and 19 are what this installer returns (see Caveat #2)
    If (iRetVal = 0) Or (iRetVal = 3010) Or (iRetVal = 18) Or (iRetVal = 19) Then
        ZTIProcess = Success
    Else
        ZTIProcess = Failure
    End If
End Function
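As an added PowerShell example (not code from the original post), the following runs the same WQL test from Note #1 that the task-sequence group condition uses, and after setup.exe has run, checks that a vendor driver is actually bound to the adapter. It assumes PowerShell 3.0 or later; the provider-name pattern it matches on is an assumption to confirm against a known-good install.

```powershell
# Added example: pre-check (is a PCI\VEN_1924 device present?) and post-install
# verification (is a Solarflare-provided driver bound to it?) for the MDT step above.
function Get-SolarflareAdapter {
    # WQL needs the backslash doubled; inside a PowerShell string a backslash is not an escape
    $query = "SELECT * FROM Win32_PnPEntity WHERE DeviceID LIKE 'PCI\\VEN_1924%'"
    Get-WmiObject -Query $query
}

function Test-SolarflareDriver {
    # Assumed provider-name pattern; confirm it against a machine where the package installed cleanly
    param([string]$ExpectedProvider = '*Solarflare*')
    $adapters = @(Get-SolarflareAdapter)
    if ($adapters.Count -eq 0) {
        return [pscustomobject]@{ Present = $false; AllOk = $false; Devices = @() }
    }
    $drivers = Get-WmiObject -Class Win32_PnPSignedDriver
    $devices = foreach ($a in $adapters) {
        $drv = $drivers | Where-Object { $_.DeviceID -eq $a.DeviceID } | Select-Object -First 1
        [pscustomobject]@{
            DeviceID = $a.DeviceID
            Name     = $a.Name
            Provider = $drv.DriverProviderName
            Version  = $drv.DriverVersion
            # Ok only when a driver is bound and it came from the vendor package, not an inbox one
            Ok       = [bool]($drv -and $drv.DriverProviderName -like $ExpectedProvider)
        }
    }
    [pscustomobject]@{
        Present = $true
        AllOk   = (@($devices | Where-Object { -not $_.Ok }).Count -eq 0)
        Devices = $devices
    }
}

# Usage as a verification step after the install: exit non-zero when the card is present
# but still lacks the vendor driver, so the task sequence fails loudly instead of silently
$result = Test-SolarflareDriver
$result.Devices | Format-Table DeviceID, Provider, Version, Ok -AutoSize
if ($result.Present -and -not $result.AllOk) { exit 1 }
```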

I’ll try to update the post to show the code better, but you get the gist of it.

As always, thanks to Johan (http://www.deploymentresearch.com) and Mikael (http://www.deploymentbunny.com) for providing the base VBScript to edit.

Helpful Links: Microsoft WMI Code Creator

Unable to Boot to WinPE (0xc0000001 – a required device isn’t connected)

When performing builds of servers, you tend to run into some strange errors that cannot always be explained.  Other team members see the problem, but you can rarely reproduce it yourself.  When you do see it, it’s easier to troubleshoot.  We have a VMWare environment running pure VMXNET3 for performance reasons.  We image our systems using MDT and have recently run into the error message shown below:

Status: 0xc0000001

Info: A required device isn’t connected or can’t be accessed.

After much research and some quick testing in our development environment, I was able to find a solution that has, so far, worked fine for our environments.

Run all of the below commands from an elevated command prompt.  I have only tested this on Windows Server 2008 R2 (we are not at 2012 R2 yet and are skipping 2012 Non-R2)

I had to edit the BCD Store to set the maximum TFTP block size to 4096.

To get the block size type: (where d: is your path to RemoteInstall)

bcdedit /enum all /store d:\RemoteInstall\Boot\x64\default.bcd

You must run the above command to get the GUID listed.  This is required to run the TFTP block size command.  To set the TFTP block size to 4096 (or any multiple of 4096), type the following:

bcdedit /store d:\RemoteInstall\Boot\x64\default.bcd /set {GUID} ramdisktftpblocksize 4096

After this command, you must run

sc control wdsserver 129
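As an added example (not from the original post), this PowerShell script automates the same three steps: it enumerates the store, finds the identifier of the Ramdisk Options entry, sets ramdisktftpblocksize, and signals WDS. It assumes the default.bcd path from the post and that the relevant entry's description in bcdedit's output contains "Ramdisk Options"; run it without -Apply first to see what it would touch.

```powershell
# Added example: automate the bcdedit TFTP block size change from an elevated prompt.
# Assumes the store path from the post; the "Ramdisk Options" description match is an assumption.
param(
    [string]$Store = 'd:\RemoteInstall\Boot\x64\default.bcd',
    [int]$BlockSize = 4096,
    [switch]$Apply   # without -Apply the script only reports what it would change
)
if ($BlockSize -le 0 -or ($BlockSize % 4096) -ne 0) {
    throw "Block size must be a positive multiple of 4096 (got $BlockSize)"
}
if (-not (Test-Path $Store)) { throw "BCD store not found: $Store" }

# Parse bcdedit's text output into one object per entry (identifier, description, current size)
$entries = @(); $current = $null
foreach ($line in (& bcdedit.exe /enum all /store $Store)) {
    if ($line -match '^identifier\s+(\{[^}]+\})') {
        $current = New-Object PSObject -Property @{
            Identifier = $matches[1]; Description = ''; CurrentBlockSize = $null
        }
        $entries += $current
    } elseif ($current -and $line -match '^description\s+(.+)$') {
        $current.Description = $matches[1].Trim()
    } elseif ($current -and $line -match '^ramdisktftpblocksize\s+(\S+)') {
        $current.CurrentBlockSize = $matches[1]
    }
}
$target = @($entries | Where-Object { $_.Description -match 'Ramdisk Options' })
if ($target.Count -eq 0) {
    throw "No 'Ramdisk Options' entry found; inspect 'bcdedit /enum all /store $Store' by hand"
}

foreach ($t in $target) {
    "Entry $($t.Identifier) ($($t.Description)): current ramdisktftpblocksize = $($t.CurrentBlockSize)"
    if ($Apply) {
        & bcdedit.exe /store $Store /set $t.Identifier ramdisktftpblocksize $BlockSize
        if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
    }
}
if ($Apply) {
    # Same control code the post and the TechNet article require so WDS picks up the change
    & sc.exe control wdsserver 129
}
```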

Source: http://technet.microsoft.com/en-us/library/cc731245(WS.10).aspx#BKMK_41

Trackback to this forum posting that pointed in the proper direction. – Technet Forum Thread

Build and Capture Task Sequence

Hello all.  Time for one of my first posts with my real world deployment problems.  One of the things that I struggled with in my deployments is image updates.  I would image a system on a VM using MDT, make my updates manually, take a snapshot, then start a capture task sequence.

What a pain.

After finding some time, I was determined to make this simpler.  I ignored our legacy deployments (Server 2003) and went for only 2008 R2+ deployments.  What I came up with was integrating as many base Microsoft components as possible.  Since these are server deployments, I aim for as thin an image as possible, leaving fewer attack vectors on a completed production system.

Below is my completed image build task sequence.  There are no OS or Registry customizations done inside the build.  Everything is done afterwards in case we find a major issue with some entry we are creating (or Microsoft finds it).

You’ll notice that I left most of the base Imaging steps from a base Server.xml Task Sequence template.

I use Windows Update (via a WSUS auto-approving system) to update automatically.  Doing this installs only the updates that are needed (eliminating superseded updates that would otherwise apply unnecessarily).  This slims down the dreaded WinSxS folder, as there is no cleanup for it like there is in Windows 7.

That’s all for now.

Welcome!

All – This blog is here to provide some real world problems and solutions to things I’ve experienced while developing our MDT build processes around Server 2003, 2008 R2, and 2012 R2.  This blog will feature solutions to problems that come up in real world deployments.

Please feel free to provide any feedback to any solutions that I have provided if you have a better/smarter idea.

Some ideas may have been taken from other IT Pros in the deployment field, but we all need to work together to solve each other’s problems so we can work on more important tasks.

Image consistency is the key to a successful deployment solution.
