How Symbolic Links Make Server Migrations Much Easier

This is a guest post from Joseph Moody at DeployHappiness.com. More information on Joseph is included in his author box following this post. Thanks, Joseph!!!

 

Symbolic Links are the most powerful file server tool that you aren’t using. Occasionally called symlinks, these advanced shortcuts allow you to perform some serious smoke and mirrors when accessing data.

Consider the following common scenarios:

  • An application checks for data in a certain location. You would rather store that data elsewhere.
  • Old software needs to write to C:\. You want it to write to %ProgramFiles%.
  • You wish to move data to a new share but don’t want to break existing shortcuts.
  • You need an easier way to migrate paths from standard shares to DFS Namespaces.

In all of these cases, symbolic links provide a solution.

 

Creating Your First Symbolic Link

If you have ever installed Windows Vista or higher, you’ve created a symbolic link. That hidden Documents and Settings shortcut in the root of C: is technically a symbolic link. It refers to C:\Users for compatibility purposes.

Windows symbolic link Documents and Settings linked to Users

Making a symbolic link is easy. To create one, you will use the mklink command. Fire up an administrative command prompt and type mklink /? to see the syntax.

Command Prompt showing mklink syntax

As an example, let’s create a symbolic link that redirects a folder from the root of C: to %ProgramFiles%. First, create a folder in C:\ named data. Populate this folder with a file or two. This is your source folder – the folder that you will be moving.

Cut this folder from C:\ and move it to %ProgramFiles%. In your administrative command prompt, type: mklink /D C:\Data "%ProgramFiles%\Data"

example of making a symbolic link with mklink

You should now see a shortcut in C: named Data. Its type, though, should read File folder. When sorted by name, it should also appear as a folder (one advantage over shortcuts).

If you open the Data folder, you should see the exact content that you moved over to %ProgramFiles%. As a test, open a second Explorer window and navigate to %ProgramFiles%\Data. Create a new text document – it should appear in C:\Data. Like Magic!
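The same redirect done from PowerShell in a scratch folder, followed by a check that lists every symbolic link or junction under a path and whether its target still exists. This is an added example, not part of the original post; the scratch paths and the Get-LinkReport helper name are assumptions.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell 5.1+ prompt.
# Assumption: a scratch folder under %TEMP% stands in for C:\ and %ProgramFiles%.
$root   = Join-Path $env:TEMP 'symlink-demo'
$target = Join-Path $root 'ProgramFiles\Data'   # where the data really lives
$link   = Join-Path $root 'Data'                # the path the old software still uses

New-Item -ItemType Directory -Path $target -Force | Out-Null
Set-Content -Path (Join-Path $target 'report.txt') -Value 'constructed sample file'

# Equivalent of: mklink /D <link> <target>
if (-not (Test-Path -LiteralPath $link)) {
    New-Item -ItemType SymbolicLink -Path $link -Target $target | Out-Null
}

function Get-LinkReport {
    # Hypothetical helper: lists symbolic links and junctions under $Path and
    # flags any whose target no longer exists (a common leftover after migrations).
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LinkType } |
        ForEach-Object {
            $dest = @($_.Target)[0]     # Target is a collection in Windows PowerShell 5.1
            # Resolve relative targets against the folder that holds the link.
            if ($dest -and -not [IO.Path]::IsPathRooted($dest)) {
                $dest = Join-Path (Split-Path -Parent $_.FullName) $dest
            }
            [pscustomobject]@{
                Link         = $_.FullName
                LinkType     = $_.LinkType
                Target       = $dest
                TargetExists = [bool]($dest -and (Test-Path -LiteralPath $dest))
            }
        }
}

Get-LinkReport -Path $root | Format-Table -AutoSize

# A write through the link lands in the real folder, as in the Explorer test above.
Set-Content -Path (Join-Path $link 'new.txt') -Value 'written via link'
Test-Path -LiteralPath (Join-Path $target 'new.txt')

# For links placed on shares: shows which link types this client is allowed to follow.
fsutil behavior query SymlinkEvaluation
```

Running Get-LinkReport against a file server volume before and after a migration gives an inventory of redirects and surfaces links left pointing at folders that no longer exist.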

 

How Will You Use Symbolic Links?

The mklink command supports way more than we just showed. At times, you may have to use a directory junction, create hard links, or specify relative target paths.

Working with symbolic links is the fastest way to master these advanced parameters. If you want to learn more about symbolic links, check out these three links:

Stop Mouse and Keyboard Theft with a Cable Lock and Washer

I recently had to deal with the disappearance of several keyboards and mice from computers that are set up in a semi-public hotelling area.  I received a support request from someone who noticed that some of the computers were missing either a keyboard, a mouse, or both.  We had no reason to believe they were stolen; they were most likely taken by a well-meaning employee assisting a co-worker or fixing their own issue.  We keep a stockpile of extra keyboards and mice; so, replacing the missing keyboards and mice was trivial.  However, we still have to account for the inventory and really need people to contact us when their equipment breaks.

The solution?  A cable lock and a washer that cost less than $0.25.

inexpensive washer

The cable for the mouse or keyboard is looped through the washer.

mouse cord looped through the washer

If you find a washer with a large enough hole, you can loop both the keyboard and mouse through.  If the hole isn’t large enough, you may need to increase your budget by ~$0.25 for each PC.  🙂

keyboard and mouse cord looped through the washer

As you can see in this up close shot, the end of the USB cables can’t be pulled through the washer.

keyboard and mouse cord looped through washer up close

Many of our computers are already attached to desks as a theft deterrent using a cable lock. All we had to do was disconnect the lock from the back of the computer and pull it through the loop created on the cables.

security lock pulled through cable loop in keyboard and mouse

Obviously this isn’t completely foolproof, but should be enough of a deterrent to keep the casual keyboard/mouse thief from walking away with your equipment.

Prevent the “Your browser has been upgraded” tab in Internet Explorer

Microsoft’s June Cumulative Security Update for Internet Explorer (MS14-035 / KB2957689) had a change that caught many IT departments off guard. If you’re in an environment running Windows 7 with either Internet Explorer 9 or Internet Explorer 10, your users may have received an additional tab that opened after the reboot from their monthly updates applying:

Your browser has been upgraded… sort of… with a monthly security patch…

Initially, users were redirected to http://windows.microsoft.com/en-us/internet-explorer/products/ie-9/windows-internet-explorer-9-privacy-statement, a rather lengthy privacy statement for Internet Explorer 9. After customer complaints (“user feedback”), Microsoft altered the redirect to send users to http://windows.microsoft.com/en-us/internet-explorer/ie-9-welcome-upgrade3.

Unfortunately, this still isn’t expected behavior in a corporate environment. End users tend to either ignore something like this completely or open a help desk ticket costing the IT organization money in the form of the help desk request. The problem is compounded by: (#1) Microsoft not warning corporate IT departments this change was coming, (#2) Microsoft not giving corporate IT departments a way to suppress the extra tab with the warning, and (#3) some users receiving the additional tab every time they open an IE window instead of seeing it just once.

The good news is that this extra tab can be suppressed with a Registry entry. The easiest way to do this in a managed environment is with Group Policy.  In a Group Policy Object (GPO) that applies to user accounts, go to User Configuration > Preferences > Windows Settings > Registry.  Right-click on Registry and choose New > Registry Item.

In the Properties for the new Registry item, set the following:

Action:  Update
Hive:  HKEY_CURRENT_USER
Key Path: Software\Microsoft\Internet Explorer\Main
Value Name: PrivacyPolicyShown
Value Type: REG_DWORD
Value Data: 00000001

Obviously this won’t help you for the hordes of end users that have already received the extra tab, but it should prevent anyone logging into a system for the first time from seeing it down the road.

Encourage Users to Submit a Ticket Instead of Emailing You Directly With a MailTip

How many times has this happened to you? You go on vacation, to a conference, you’re inundated with email, or for any of a hundred other reasons you don’t see a support request from an end user come in. Fast forward a few days or weeks and the end user is concerned that their issue hasn’t been resolved. [And we all know that “concerned” could be anything from genuine concern for your well being (“You always respond so quickly!”) to concern that your job performance should be discussed at the highest levels of your organization for not responding to them within 5 minutes.] So what’s the problem? The end user emailed you directly instead of submitting a support request through a ticketing system… a ticketing system that, most times, alerts a team of people about the problem so that their issue can be handled when you’re out of pocket.

We all know what happens… end users find a favorite “computer guy” or you’re a one man shop; but, support requests start coming directly to you that should go through the ticket system. Short of outright refusing direct support requests, it can be difficult to get some people to submit tickets.

Use an Exchange MailTip!

One creative way I’ve seen companies handle this is by setting an Exchange MailTip for certain IT Pros.  Here’s how to do it in Office 365:

Go to the Exchange Admin Center at https://outlook.office365.com/ecp and click on Mailboxes.

Highlight your account (or any other IT Pro) and click the Edit button.

Click on MailTips and enter the message you want to be displayed.  When you’re done, click the “save” button.

There’s a slight lag between when you set a MailTip and when it shows up for end users. When the MailTip starts showing up, end users should get your warning that they should submit a ticket instead of contacting someone directly.

Windows 8.1 Reference Image Planning Checklist

We recently started evaluating Windows 8.1 at work and, quite frankly, I forgot how much effort went into creating a fully customized reference image.  I did the work several years ago when we migrated to Windows 7 and I can build out that infrastructure in my sleep.  But, it seems that there are even more settings that we’ll need to tweak in Windows 8.1 so that our customers don’t revolt when we start rolling it out.

Don’t get me wrong, I’m not a Windows 8.1 hater.  But, we try to strike a balance between what our end users are used to using in their current environment and the new features they’ll be getting when they move to the new OS.  A little up front planning can go a long way toward ensuring a smooth roll-out!

The List

Be warned, this is a work in progress.  I’m not making any claims that it is complete… yet.  I’ll be coming back as I progress through the process and adding links and tutorials for how we did things. 

  • Make sure you’re building from the latest ISO
  • Do you need to support both x86 and x64?
  • Pull inventory of machine models so you can start the process of pulling updated drivers.
  • Does the WSUS (or SCCM) server need to be updated to include Windows 8.1 updates?
  • Update Office 2013 files to latest ISO
  • Update .msp for Office 2013 deployment since we’re updating the install source.
    I had to find out the hard way that the .msp file that is generated by the setup.exe for Office 2013 doesn’t seem to work quite right with the setup.exe for Office 2013 SP1.  I ended up completely regenerating our .msp file just to be on the safe side.
  • Do you need/want to customize the Start Screen?
    • If yes, does it need to be in the Reference Image, OS deployment, or forced with Group Policy?
    • Plan out what will be on the customized Start Screen
  • Customize logon screen wallpaper
  • Customize default user wallpaper
    • Do you want the Start Screen wallpaper to be the same as the Desktop?
  • Add additional custom wallpapers for user to select
  • Change default color scheme to match organization logo colors.
  • Remove inbox Metro/Modern apps that we don’t want users to have
    Ben Hunter has a great script on The Deployment Guys blog that you can use to remove inbox apps.
  • Plan for end user use of OneDrive and whether it needs to be blocked.
  • Update file extensions to open specified file types in desktop apps instead of Metro apps.
  • Plan for BitLocker if some or all systems are going to be encrypted.
  • Review/Test Group Policy to determine need for updates to support Windows 8.1.

See something missing?  Let me know in the comments!

IE 11 Enterprise Mode Not Working?

A few weeks back, I wrote about the Group Policy changes in the Windows 8.1 Update.  One of the big changes in the Update was the addition of Enterprise Mode for Internet Explorer 11.  Enterprise Mode allows web sites (either specified by the end user or via Group Policy) to be processed in such a way that they appear to the site to be Internet Explorer 8.  There are also some additional ActiveX security tweaks that happen in Enterprise Mode so that [hopefully] organizations can get away from being tied to older versions of IE.

In my testing of IE 11, I came across an application that many of my customers use on a daily basis that had some compatibility issues.  Specifically, a JavaScript pop-up that was supposed to appear when clicking on certain links wouldn’t show up.  All I was getting was a spinning “Please Wait” icon.

I had that “Aha!” moment and put the site into Enterprise Mode and…. buzzer.  Nope, same problem.  What gives?  This was supposed to fix this problem, right?

The Fix!

After banging my head against the desk a few times, it occurred to me that this particular web application has about 10 different URLs behind it.  You go to the published URL for the application that looks something like http://application.trekker.net, get kicked to https://app.auth.trekker.net, then get kicked to a central login service page (Shibboleth, ADFS, etc.).  After logging in, you’re kicked to https://prod.app.authd.trekker.net:1234.  [URLs have been sanitized and replaced with trekker.net to protect the innocent!]

After looking at the source of the page (right click > View source), there were another two (!) URLs in the page I’d never seen before:  https://files.app.trekker.net and https://scripts.app.trekker.net.  Another “Aha!” moment!

I added both of these sites to my XML file (here are instructions on how to set that up) and, voila!  The app works!  It appears that Enterprise Mode was taking my list literally and wasn’t including either of these URLs since they were different than the main web application.  Lesson learned: if using Enterprise Mode, make sure any other URLs that are being called by the app get added to the Enterprise Mode IE website list to ensure that everything is running in Enterprise Mode.
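One way to catch the missing hosts before users do, as an added example that is not from the original post: compare every absolute URL in a page's source against the <domain> entries in the site list. The sample site list, the sample page source, and the Get-MissingEnterpriseModeHost helper name are constructed for illustration, and the list is assumed to use the version 1 schema.

```powershell
# Added example (not from the original post): find hosts an application page
# references that are missing from an Enterprise Mode site list.
# Constructed sample data; trekker.net is the sanitized domain used in the post.
# Assumption: the site list uses the version 1 schema (<rules><emie><domain>).
$siteListXml = @'
<rules version="1">
  <emie>
    <domain>application.trekker.net</domain>
    <domain>app.auth.trekker.net</domain>
    <domain>prod.app.authd.trekker.net</domain>
  </emie>
</rules>
'@

$pageSource = @'
<html><head>
<script src="https://scripts.app.trekker.net/popup.js"></script>
<link rel="stylesheet" href="https://files.app.trekker.net/site.css">
</head><body>
<a href="https://prod.app.authd.trekker.net:1234/orders">Orders</a>
</body></html>
'@

function Get-MissingEnterpriseModeHost {
    # Hypothetical helper. Hosts are compared exactly, matching the post's
    # observation that the list is taken literally.
    param([string]$SiteListXml, [string]$PageSource)

    $listed = @(([xml]$SiteListXml).rules.emie.domain | ForEach-Object {
        # A <domain> may surface as plain text or as an element with attributes.
        $text = if ($_ -is [string]) { $_ } else { $_.InnerText }
        # Keep only the host part so entries with a port or path still compare.
        ($text.Trim() -split '[:/]')[0].ToLowerInvariant()
    })

    [regex]::Matches($PageSource, 'https?://[^\s"''<>]+') |
        ForEach-Object { ([uri]$_.Value).Host.ToLowerInvariant() } |
        Sort-Object -Unique |
        Where-Object { $listed -notcontains $_ }
}

Get-MissingEnterpriseModeHost -SiteListXml $siteListXml -PageSource $pageSource
```

Save the source of each page in the login chain (right click > View source) and pass it in as the page source; any host the function returns still needs an entry in the site list.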

Customize Disk Partitions in MDT

For most systems, I typically recommend using the primary disk’s full capacity as one partition, C:\, instead of creating multiple partitions/drive letters for end users. As an IT Pro, it makes it easier for me to find someone’s “stuff” if they store their data in a standard location like their default profile location, C:\Users\%username%\.  If all of your documents, pictures, shortcuts, Favorites, settings, etc. live in the same place, I don’t have to go hunting for files when it’s time to migrate someone to a new machine.  (Or, better yet, I can automate it!)  For the end user, it’s just easier:  Most people are used to just saving files to the default locations on their home computers.  Any time you can keep the corporate computing experience similar to what people experience at home, it saves you time and money.

However, there are some times when it can be advantageous to create more than one partition when deploying an operating system (OS) to a computer.  I know quite a few people who actually prefer that their end users store their data on D:\ so that it can be fully separated from OS and applications on C:\.  In the event of an OS crash or malware infection that isn’t recoverable, C:\ can be wiped out and all of the user’s data on D:\ is still there.  Personally, I’m not a huge fan of that because it tends to miss application settings, the Registry hive, and other important things a user may miss later.  But, to each his own I guess.

I am, however, a fan of separating data from OS and software on servers.  I’m also a fan of keeping my virtual machines totally separate from C:\. (Those things have this bad habit of filling up disks, don’t they!?!)

How MDT Partitions Disks

The disk partitioning process is a task that is part of each OS deployment Task Sequence.  By default, MDT creates a C:\ partition using the full first disk and names it OSDisk.  If this default doesn’t work for your environment, it is pretty easy to change.

Change the Default Partition

In the MDT Deployment Workbench, go to Deployment Shares > $YourDeploymentShare > Task Sequences.  Find the Task Sequence you want to edit and right-click on it.  Click on Properties.


In the Task Sequence Properties, go to Preinstall > New Computer only > Format and Partition Disk.

In the Volume section, you should see “OSDisk (Primary).”  Click on OSDisk (Primary) and then click the Edit button.  (The Edit button is the middle button that looks like a hand pointed at a document with a bulleted list.)

In the Partition Properties, you can change the Partition name, the size, file system, etc.

For our example, we’ll change the partition size to “Use specific size” and set it to 80 GB.  Once we’re done, click Ok.

I don’t want to waste the remaining disk space; so, we’ll add a second partition that uses the remaining space.  Back in the “Format and Partition Disk” task, click on the New button.  (The New button is the left-most button that looks like a yellow star.)

In the Partition Properties, fill in the Partition name with “Data Disk,” and select the “Use a percentage of remaining free space.”  Set the Size (%) to 100.  Ensure the File system is set to NTFS and click Ok.

When you’re done, you should have something that looks like this:

If we perform a test deployment, you should get an 80GB drive and a second with the remaining space.