Duncansapien’s Techblog

Overview

VMware ESX3i is now a free product, comparable to the ESX software.

Quick Facts

• One can evaluate both ESX and ESX3i inside Workstation 6.5 - see "Running VMware ESX 3.5 and ESXi in Workstation" (great video blog)

• One can convert Workstation 6.x files to ESX3i format and upload them to the ESXi server from within the VMware Converter Software - see Carl Tyler’s Blog for an excellent screen-capture based guide on all this.

Overview

VDI - Virtual Desktop - is handled by Citrix using XenServer and XenDesktop 2.0 technologies. Trial/Express versions of both are available, as very well described (May 20th 2008) here.

The site above provides far better information than can be replicated here, but as a reminder only, ZenServer functions in a similar manner to VMware ESX (both bare metal installations) and Xen Desktop provides access to virtual PCs (XP/Vista).

XenDesktop, additionally, can access VMs stored on either XenServer or VMware ESX and versions range from the (free) Express version to Enterprise verions.

How does on access a VM in Citrix? Citrix uses a broker service which handles authentication (to Active Directory) and then directs the user to their VM. This broker service runs atop Windows Server 2003 and is called the DDC (Desktop Deliver Controller).

Overview

VMware Desktop Infrastructure has changed to View 3

Read more at http://www.vnunet.com/vnunet/news/2231693/vmware-view-enhances-virtual

Further VMware Product names changes have been made, see http://www.vmware.com/support/product_renaming.html 

Overview

Inside a Microsoft Virtual PC 2007 VM we require NTFS permissions to be de-restricted on a set of files. The end-user running the script has no administrative rights, so we must use a third-party tool (CPAU).

The Problem

1. Software named MultiTerm requires read+write access to files in a certain folder under %programfiles%
2. The software runs inside a Virtual PC (or VM)
3. The VM is held on an external USB drive, and the Microsoft Virtual PC software resides on a student microlab.
4. Of core importance, the C: drive of the host student-lab PC is visible inside the VM as shared drive F:. This will permit us to distribute a solution

The Solution

1. Use the CPAU utility to encode administrator credentials and commands to run into a job file.
   These will use the scacls utility modacl.exe to open-up the NTFS permissions.
2. Pass the job file to the students in their microlab.
3. Ask the students to execute a batch file which runs the CPAU jobs.

Steps:

1. In the student microlab, students have access to folder F:NTAppsinstalllanMultiterm_patch inside of which resides one sub-folder, MTPATCH, with all the tools we need.

The student runs F:NTAppsinstalllanMultiterm_patchuser.bat which will copy the MTPATCH folder
to C:temp of the student lab PC.

Here is user.bat

@echo off
rem: Path for MultiTerm iX Software
rem: Duncan J. Potter, SML x3400
rem: November 2008
rem:
rem: - Overview -
rem: MultiTerm software runs inside a Microsoft Virtual PC 2007 Environment.
rem: A patch is needed to unlock (NTFS-wise) a certain folder in order for MultiTerm to run.
rem:
rem: The first stage is to copy the MTPATCH folder to C:tempmtpatch on PC Caledonia, which this script does.
rem: The second stage is for the student, within VPC2007, to run f:tempmtpatchinstall.bat
rem:
rem: Take Note:
rem: The VPC environment has no network drives.
rem: From within VPC drive F: refers to the shared C: drive of the PC Caledonia host.
rem:

goto END
:WRONGLAB
echo This microlab is not suitable for the installation of this software.
%hwsys_pth%sleep for 2
:END

Creating the CPAU Job

A single batch file creates the encoded jobs. In the following, the password for the Administrator account has been changed naturally!

@echo offecho MT Patch 1 Jobcd /d c:vpc2007cpau

rem: goto EXE

:CREATErem: On the HOST PC, drive C: is seen as shared drive F: by the VMcpau -u administrator -p theadminpassword -lwp -ex "regedit /s f:tempmtpatchscacls.reg" -enc -file scacls_reg.job  

echo Creating job mtpatch1 ...rem: Next three lines are all on one line, split for readability here:cpau -u administrator -p theadminpassword -lwp -ex  "f:tempmtpatchmodacl /v "%programfiles%tradosMTiXmultitermtermbase*.*" /ar everyone:full"  -enc -file mtpatch1.job  

echo.echo Creating job mtpatch2 ...rem: Next three lines are all on one line, split for readability here:cpau -u administrator -p theadminpassword -lwp -ex "f:tempmtpatchmodacl /v "%programfiles%tradosMTiXmultitermtermbase" /ar everyone:full"  -enc -file mtpatch2.job  

goto END

:ENDecho.echo Done.pause

As can be seen, the modacl command (from scacls) requires placed in a folder f:tempmtpatch. Remember, the commands that CPAU calls are to be executed by the student but running as administrator. The commands themselves are not run at this time, but encoded job files containing the commands are created.

It was the job of user.bat above to make all the executables available to the student, copying from a shared network drive of the student workstation to c:tempmtpatch of that workstation.

Finally, we need to create the batch file that the student will call to apply the encrypted CPAU jobs, and this is named install.bat, held in the MTPATCH folder. This file makes use of KixTart executables also in the folder:

This is Install.bat

@echo off
rem: Patch to unlock MultiTerm database folder
rem: Folder to ‘unlock’ is c:program filestradosMTiXmultitermtermbase

cd /d f:tempmtpatch
f:tempmtpatchwkix32.exe f:tempmtpatchpatch_installed.kix

xxx

Overview

Datastream Advance v4.0 SP6 is required for use by students in the School. The software is not currently installed on the general PC Caledonia system and, being deemed too complex to script an installation, it was decided to try deplying a pre-configured Virtual Machine instead.

Virtual PC 2007

Using the Technology & Translation MSc as a basis (Windows 2000), all non-relevant software was removed and Datastream Advace (abbrev: DS) installed. The DS software connects to a remote service and registration of the IP number in use is required in order to pass the remote DS Firewall. Registration information is held locally (by me).

The host PC used in VPC2007 temporarily used a pre-registered IP number to gain access to the DS service. NAT was used within VPC2007 to share this IP with the guest VM.

It was found

• Non-admin users require read+write NTFS permissions to the local DS folder, which creates databases as it works.
• Installing as an admin user did not permit a non-admin to ‘Connect’ to the Datastream server. One had to elevate the student user account (msc) to administrator, perform the installation, then demote the user for a connection to work. Connection here refers to ‘Tools…Connect’ which ‘logs in’ to the remote Datastream service.

Finally

1. The Group Policy editor had been used to create secure Registry.pol objects to make the VPC as secure as possible. On the host PC a script named C:VPC2007GPOsystem.bat controls copying of the secure and clean GPO Registry.pol files to lock and unlock the VPC during configuration time.
   Make sure to run this to secure the VPC before deploying.
2. In VPC 2007, use the Wizard to create a new virtual disk named ‘undo’. Associate this, the wizard will say how, with the main disk and specify that it is a ‘differencing disk’. Enable undo in the settings for the VPC. Lastly, under the Close settings, check the box marked ‘Automatically close without a message’ and ‘Turn off and delete changes’.

   This will ensure that anything a student does to the VPC will not be remembered.