Vista Migration Danielle Ruest and Nelson Ruest Introduction Introduction to Realtimepublishers by Don Jones, Series Editor For several years, now, Realtime has produced dozens and dozens of high-quality books that just happen to be delivered in electronic format—at no cost to you, the reader. We’ve made this unique publishing model work through the generous support and cooperation of our sponsors, who agree to bear each book’s production expenses for the benefit of our readers. Although we’ve always offered our publications to you for free, don’t think for a moment that quality is anything less than our top priority. My job is to make sure that our books are as good as—and in most cases better than—any printed book that would cost you $40 or more. Our electronic publishing model offers several advantages over printed books: You receive chapters literally as fast as our authors produce them (hence the “realtime” aspect of our model), and we can update chapters to reflect the latest changes in technology. I want to point out that our books are by no means paid advertisements or white papers. We’re an independent publishing company, and an important aspect of my job is to make sure that our authors are free to voice their expertise and opinions without reservation or restriction. We maintain complete editorial control of our publications, and I’m proud that we’ve produced so many quality books over the past years. I want to extend an invitation to visit us at http://nexus.realtimepublishers.com, especially if you’ve received this publication from a friend or colleague. We have a wide variety of additional books on a range of topics, and you’re sure to find something that’s of interest to you—and it won’t cost you a thing. We hope you’ll continue to come to Realtime for your educational needs far into the future. Until then, enjoy. Don Jones i Table of Contents Introduction to Realtimepublishers.................................................................................................. i Chapter 1: To Migrate or not to Migrate .........................................................................................1 What is Windows Vista and why should I migrate?........................................................................4 Compelling Vista Features...................................................................................................8 Compelling Features for End Users.........................................................................9 Compelling Vista Features for IT Pros ..............................................................................14 Compelling Vista Features for Developers............................................................19 Creating the Migration Business Case...........................................................................................21 Migration Strategies...........................................................................................................23 Making a case for a flexible infrastructure ........................................................................25 Chapter 2: Planning the Migration.................................................................................................27 Actual Migration Tasks..................................................................................................................27 Hardware and Software Readiness Assessment ................................................................28 Personality Capture............................................................................................................32 Creating and Deploying Base Images................................................................................33 Application Packaging .......................................................................................................35 Software Installation ..........................................................................................................36 Personality Restoration ......................................................................................................36 Migration Status Reporting................................................................................................37 An Extended View of Migrations ..................................................................................................37 Using the QUOTE© System...............................................................................................38 Question Phase — Problem Statement ..............................................................................40 Understanding Phase — Exploring the Impacts of Migration...........................................42 Organization Phase — Preparing for the Migration ..........................................................46 Transfer Phase — Performing the Pilot Project, then moving on to Deployment.............51 Evaluation Phase — Moving on to Production..................................................................54 Creating a Migration Project Plan..................................................................................................56 Project Planning Considerations ........................................................................................57 Required Teams and Roles ................................................................................................59 Chapter 3: Creating the Migration Test Bed..................................................................................61 Identifying Team Needs.....................................................................................................63 Working with Different Testing Levels.............................................................................65 Required Lab Environments ..............................................................................................68 ii Table of Contents Relying on Virtual Machine Software ...........................................................................................69 Physical versus Logical Workspaces .................................................................................71 Defining Lab Requirements...........................................................................................................72 Minimal Configurations for Lab Systems..........................................................................73 Virtual Machine Configurations ........................................................................................75 VM User Accounts ............................................................................................................76 Required Server and Workstation Roles............................................................................77 Requirements for each Testing Level ............................................................................................79 Creating the Lab Environment.......................................................................................................81 Chapter 4: Building the Migration Toolkit ....................................................................................86 Technical and Administrative Migration Guidance.......................................................................86 Project Support Tools ....................................................................................................................88 Using a Deviance Registry.................................................................................................90 Lab Management Tools .....................................................................................................91 The Windows Vista Migration Toolkit..........................................................................................93 Inventory and Asset Management Tools ...........................................................................94 Personality Migration Tools ..............................................................................................96 Operating System Imaging Tools ......................................................................................99 Application Preparation Tools .........................................................................................101 Application Packaging Tools...............................................................................102 Software Virtualization Tools..............................................................................104 Software Deployment Tools ................................................................................104 Making the Case for Extended, Lifecycle Management Systems ...............................................106 Chapter 5: Security and Infrastructure Considerations................................................................108 Perform Initial Inventories...........................................................................................................111 The Inventory Assessment Tool ......................................................................................112 Technical Requirements for Inventory Tools ..................................................................116 Collecting the Basic System Inventory............................................................................117 Server-based Operations in the Lab.............................................................................................120 Build the Host Servers .....................................................................................................120 Build Central Laboratory Services...................................................................................122 Participate in the Solution Design....................................................................................123 Prepare the Detailed System Inventory........................................................................................123 iii Table of Contents Validating Inventories......................................................................................................124 Rationalize Everything.....................................................................................................124 Perform the Inventory Handoff........................................................................................126 Perform a Profile Sizing Analysis................................................................................................127 Perform Project Engineering Activities .......................................................................................128 Vista OS Management Infrastructures.........................................................................................131 Manage Vista GPOs.........................................................................................................132 Manage Vista Folder Redirection ....................................................................................136 Manage Vista Security.....................................................................................................136 Manage Vista Event Logs................................................................................................137 Manage Vista Licenses ....................................................................................................138 Support the Operations Team ......................................................................................................139 Chapter 6: Preparing Applications...............................................................................................140 Application Support in Vista .......................................................................................................143 Vista Application Compatibility Features .......................................................................146 Vista File and Registry Virtualization .............................................................................148 64-bit Support for 32-bit Applications.............................................................................148 Program Compatibility Assistant.....................................................................................149 Windows Installer version 4.0 .........................................................................................151 Microsoft ACT version 5.0 ..............................................................................................152 In-house Development Compatibility Tools....................................................................154 Develop a Structured Application Management Strategy ...........................................................155 The Application Management Lifecycle .........................................................................155 Manage Commercial Software Licenses .........................................................................157 Develop a Structured System Management Process....................................................................157 Work with a System Stack...............................................................................................158 Maintain Constant Inventories.........................................................................................160 Package Applications for Windows Installer...............................................................................162 Explore Application Virtualization Options ................................................................................166 Do away with Application Conflicts................................................................................168 Review your System Construction Strategy ....................................................................170 Integrate Application Virtualization to the Migration Process ....................................................172 Chapter 7: Kernel Image Management ........................................................................................174 iv Table of Contents Defining the Logical OS Configuration.......................................................................................176 Physical Layer..................................................................................................................177 Operating System Layer ..................................................................................................178 Networking Layer ............................................................................................................178 Storage Layer ...................................................................................................................179 Security Layer..................................................................................................................180 Communications Layer....................................................................................................182 Common Productivity Tools Layer .................................................................................183 Presentation Layer ...........................................................................................................184 Non-Kernel Layers...........................................................................................................185 Identifying Kernel Contents.............................................................................................185 “Thick” versus “Thin” Images.............................................................................186 Using a Single Worldwide Image ........................................................................188 Discovering the Installation Process............................................................................................189 Identifying Hardware Requirements................................................................................189 Identifying Installation Methods......................................................................................190 Using Installation Documentation ...................................................................................195 The Installation Preparation Checklist.................................................................196 Documenting PC Installations .............................................................................197 Post-Installation Processes...................................................................................197 Supported Installation Methods .......................................................................................199 Selecting an Installation Process......................................................................................200 Determining the Physical OS Configuration ...............................................................................200 Applying the Post-Installation Checklist .........................................................................201 Update the Default User Profile.......................................................................................204 Determining the OS Deployment Method ...................................................................................206 Preparation and Prerequisites...........................................................................................208 Build a Smart Solution.................................................................................................................209 Chapter 8: Working with Personality Captures ...........................................................................210 Define your Profile Policy ...........................................................................................................212 Choosing the Profiles to Protect ......................................................................................214 Differences between Windows XP and Vista..................................................................216 Completing the Personality Protection Policy .................................................................219 v Table of Contents Determine your Backup Policy........................................................................................225 Prepare your Protection Mechanisms ..........................................................................................226 Long-term Personality Protection Mechanisms...........................................................................229 Relying on Vista’s Folder Redirection ............................................................................230 Enabling Folder Redirection with Roaming Profiles.......................................................234 Finalizing the Personality Protection Strategy.............................................................................237 Chapter 9: Putting it all Together.................................................................................................238 Bring the Teams Together ...........................................................................................................241 Move into the Integration Testing Level .........................................................................242 Maintain the Deviance Registry...........................................................................244 Move to the Staging Testing Level..................................................................................245 Review the Migration Workflow .........................................................................247 Perform the Proof of Concept Project Team Migration.......................................249 Obtain Acceptance from Peers.............................................................................250 Validate your Operational Strategies ...........................................................................................251 Kernel Image Management Strategy ...............................................................................253 Application Management Strategy ..................................................................................255 Technical Outcomes of the Project ..............................................................................................257 Chapter 10: Finalizing the Project ...............................................................................................259 Closing the Organize Phase .............................................................................................260 Running the Transfer Phase .........................................................................................................262 Run the Pilot Project ........................................................................................................262 Identify Pilot Users ..............................................................................................263 Build a Deployment Schedule .............................................................................263 Initiate Communications to End Users ................................................................264 Perform the Deployment......................................................................................266 Collect Pilot Data.................................................................................................267 Perform the Pilot Evaluation................................................................................268 Performing the Final Deployment ...................................................................................268 Running the Evaluate Phase.........................................................................................................271 Project Handoff to Operations .........................................................................................272 Project Post-Mortem ........................................................................................................274 Calculating Return on Investment (ROI).............................................................274 vi Table of Contents Future Systems Evolution ............................................................................................................275 Taking Baby Steps ...........................................................................................................276 Lessons Learned...............................................................................................................277 Moving on to other QUOTEs ......................................................................................................279 vii Copyright Statement Copyright Statement © 2007 Realtimepublishers.com, Inc. All rights reserved. This site contains materials that have been created, developed, or commissioned by, and published with the permission of, Realtimepublishers.com, Inc. (the “Materials”) and this site and any such Materials are protected by international copyright and trademark laws. THE MATERIALS ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice and do not represent a commitment on the part of Realtimepublishers.com, Inc or its web site sponsors. In no event shall Realtimepublishers.com, Inc. or its web site sponsors be held liable for technical or editorial errors or omissions contained in the Materials, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the Materials. The Materials (including but not limited to the text, images, audio, and/or video) may not be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, in whole or in part, except that one copy may be downloaded for your personal, noncommercial use on a single computer. In connection with such use, you may not modify or obscure any copyright or other proprietary notice. The Materials may contain trademarks, services marks and logos that are the property of third parties. You are not permitted to use these trademarks, services marks or logos without prior written consent of such third parties. Realtimepublishers.com and the Realtimepublishers logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. If you have any questions about these terms, or if you would like information about licensing materials from Realtimepublishers.com, please contact us via e-mail at [email protected] viii Chapter 1 Chapter 1: To Migrate or not to Migrate Today, we are at the crux of a new age in computing and it makes sense, with Windows VistaTM, Microsoft is releasing its first true x64 operating system (OS), and x64 processors abound not only on the server, but also, and especially on the desktop. Even better, x64 processors are multicore, delivering yet more power than the exponential growth we can expect from a move from 32- to 64-bit computing. In addition, Vista will be Microsoft’s first OS to truly support IPv6—the next version of TCP/IP—expanding networked communications from a 32-bit to 128-bit address space. The timing is just right, at least for governmental agencies, with the US government’s Office of Management and Budget having set a deadline of June 2008 “…as the date by which all agencies’ infrastructures…must be using IPv6…” More information on this governmental requirement can be found here. This new age is not going to be a big bang. This time it is quiet revolution—a revolution that we as individuals will feel whenever we use a computer, something we haven’t seen for a long time, if ever: speed. Vista includes a host of new features that help speed it up: SuperFetchTM, ReadyBoostTM, ReadyDriveTM, low priority I/O and much more. In addition, running it on x64 hardware grants Vista access to much more memory than ever before. Vista also provides better TCP/IP throughput and removes traditional system bottlenecks. Are you ready for speed? So what are you waiting for? Have you started the Vista migration process yet? No? Why not? It’s true that before you can take advantage of a new OS on the desktop, you need to feel right about the one you are running now. We’re in the year 2006, well into the 21st century and IT professionals still don’t have complete control over desktops. System upgrades, software updates, security patches, asset management all seem to be out of control, making IT administrators react to issues and problems rather than predict and master them before they occur. If you find yourself in this situation, perhaps it is the ideal time to consider a Vista migration and at the same time, review and enhance the system management strategies you use in your organization. 1 Chapter 1 Why not wipe the slate clean and do it right this time? A migration, by its very nature, offers the ideal opportunity for massive IT change—all the desktops will be involved, new management and deployment features are introduced and the deployment relies on common IT processes— processes that can be reviewed and updated. Why not take advantage of this opportunity and clean house? The benefits far outweigh the disadvantages: reduced diversity is always easier to manage. If this is what you want, then read on. You aren’t alone. According to Jim Allchin, co-president of Microsoft’s platforms and services division, industry analysts predict that some 200 million people will be using Windows Vista in the first 24 months after its release. He may be right. In a recent survey which covered 715 IT officials in North America and Europe ranging from 1,000 to 20,000 employees, Cambridge, Mass. research firm Forrester Research found that 40 percent of respondents were planning to deploy Vista within the first year of its release and 11 percent within the first six months. For more information on the Forrester report, go to http://www.forrester.com/FirstLook/Vertical/Issue/0,6454,673,00.html. To assist you with your move to Vista, we’ve put together a complete toolkit for migration support. This toolkit is drawn from the multitude of migration projects we have worked on—ever since Windows 3.1, in fact—projects that have made our clients successful in desktop management. Here’s what you’ll find in this and future chapters: • Chapter 1 starts with the business case, offering a template business case you can adapt to your needs in support of your own deployment project. • Chapter 2 will provide you with a structured migration strategy, the QUOTE System, which is a system we have been using for almost a decade to help customers manage change in their networks. • Chapter 3 will outline how to rely on virtualization technology to create migration testing environments so that you can ensure that your solution is completely functional before you put it into production. • Chapter 4 discusses the various tools you need to build the migration toolkit. This includes both technical and administrative or non-technical tools. In short, everything you need to make the migration to this new operating system as smooth as possible at every level of the organization—end-user, technical, support—and keep it under budget. • Chapter 5 looks at the changes you need to make in your existing infrastructure to support the deployment. It also identifies all of the security elements of the migration, focusing on the principle of least privilege but still ensuring that this critical project runs efficiently. • Chapter 6 covers application compatibility and will introduce the concept of software virtualization—a new technology that could very well prove to be the most significant reason for moving to Windows Vista or performing a migration project of this scale. 2 Chapter 1 • Chapter 7 helps you build the system kernel or the core system image you will be deploying to your PCs. This chapter will focus on the creation of a single worldwide image and cover how this image is to be maintained and updated once it is deployed. • Chapter 8 introduces the concept of personality captures, focusing on making user documents, data and preferences available to them immediately after the deployment. Personality data also includes software applications or the tools users need to properly perform their everyday work. With software virtualization, software becomes just another component of personality captures. This provides better business continuity during the migration. • Chapter 9 brings it all together linking the different components of the project—system images, applications, personality data and so on—to perform the delivery of Windows Vista to your desktops and mobile PCs. • Chapter 10 concludes the guide by walking you through the pilot project, identifying all the elements you need to monitor during this first deployment test, then goes on to the actual deployment, focusing on the routine of repetitive tasks you need to perform. This chapter finishes with the post-mortem you should perform at the end of any project of this scale, identifying which project elements need to be transited into production now that your systems infrastructure has been modified. Together, these chapters form the Desktop Deployment Lifecycle (DDL)—a cycle that you will repeat each time you need to update your desktop infrastructure (see Figure 1.1). Figure 1.1: The Desktop Deployment Lifecycle. 3 Chapter 1 Our goal is to assist you in getting the ball rolling and to help you avoid pitfalls. After all, with Microsoft releasing new versions of its OS on a regular basis, migrations are just one more IT process you need to master and master well. If you set this project up properly, you should reap automatic benefits, perhaps the most important of which will be the delivery of an infrastructure that provides ongoing management of all systems and provides excellent return on investment (ROI). Now is the time to deploy Vista as it will also help you prepare for the next version of Windows Server Codenamed “Longhorn” which is slated for release late next year. Send us some feedback. If there is something you need and can’t find it in this book, write us at [email protected] And as coauthors of the supporting documentation for the Microsoft Solution Accelerator for Business Desktop Deployment 2007, we will also be drawing on this guidance to provide complete, concise documentation on what you need to do to make this project the most successful deployment project you have ever performed. This guide complements the BDD guidance with non-Microsoft processes and practices for deployments, and helps you put it into perspective. The Microsoft Solution Accelerator for Business Desktop Deployment 2007 can be found at http://www.microsoft.com/technet/desktopdeployment/bdd/2007/default.mspx. What is Windows Vista and why should I migrate? The question is not if you will migrate, it is rather when you will migrate. In an informal poll, Windows Server News asked over 1,000 readers when they would migrate to Vista. About 15% said they would migrate within the first six months of its release. More than 18% would migrate after the first six months. Another 33.8% said they would use system attrition to perform the migration, for example, upgrading failing systems as they are replaced. The rest said they would wait for the first service pack to be released. This means that the timing of this book, with one chapter released every month over the next ten months is directly in line with the migration plans of over 40% of the organizations deciding to migrate (Source: WServerNews Volume 11, #41 – October 9, 2006 – Issue #597 from http://www.wservernews.com). The timing is just right. The timing is also right for Windows Vista. As Microsoft’s flagship operating system and the first to be delivered under Microsoft’s new Trusted Computing Platform (TCP) initiative, Vista may be Microsoft’s most secure OS to date. Under TCP, each of the developers working on the Vista code received extensive security training. Microsoft claims this will be its most secure OS ever. It may be true, only time will tell, but with features such as integrated anti-spyware, integrated system protection features, user account control, code execution prevention, network access protection, integrated firewall, Windows service hardening and BitLocker full drive encryption all integrated right into the OS, it seems Vista is on the right track. In addition, Vista sports a brand new version of Internet Explorer, IE 7, that Microsoft claims will herald a new era in safe Web surfing. And with some 5 million potential beta testers, you’d think that Microsoft will have learned its lesson and made sure the code is stable and solid without the need for a service pack. Once again, only time will tell, but if they maintain the record they set with Windows Server 2003 (WS03)—providing a stable platform that did not require a service pack before deployment—then we’ll know they are on the right track. 4 Chapter 1 Microsoft also claims that this will be the last 32-bit operating system it develops, heralding a new era in 64-bit computing. As such, Vista for x64 systems will no longer support 16-bit applications, but you can always use virtual machine technology to run legacy operating systems to provide backward compatibility for these applications. More information on manufacturer about CPU and graphic processor capabilities can be found: http://www.microsoft.com/technet/windowsvista/evaluate/hardware/entpguid.mspx. From the point of view of simple productivity, Vista will sport some impressive speed enhancements, display graphics in 3-D and provide a transparent glass-like interface that is simply a delight to work with—if you have the right hardware of course. Even if you’re not considering Vista yet, the very least you should do is consider Vista hardware requirements in all PC purchases moving forward from today, ensuring that the systems you buy today will run Vista tomorrow. Base hardware requirements for Vista are not too unusual considering the type of hardware available right now. They are outlined in Table 1. Two sets of requirements are defined: Vista Capable and Vista Premium PCs. The first allows you to run the base level Vista editions and the second lets you take advantage of all of Vista’s features. If you want to plan for the future, you should really opt for a Vista Premium PC. You’ll be buying new PCs anyway through attrition programs, why not buy the right systems? Vista Mode Component Requirement Vista Capable PC Processor At least 800 MHz Minimum Memory 512 MB Graphics Processor Must be DirectX 9 capable Processor 32-bit: 1 GHz x86 64-bit: 1 GHz x64 Memory 1 GB Graphics Processor Support for DirectX 9 with a WDDM driver, 128 MB of graphics memory*, Pixel Shader 2.0 and 32 bits per pixel Drives DVD-ROM drive Accessories Audit Output Connectivity Internet access Vista Premium PC * If the graphics processing unit (GPU) shares system memory, then no additional memory is required. If it uses dedicated memory, at least 128 MB is required. Table 1.1 Vista system requirements. More information on manufacturer about CPU and graphic processor capabilities can be found: http://www.microsoft.com/technet/windowsvista/evaluate/hardware/entpguid.mspx. 5 Chapter 1 Vista is both for home and business use. Microsoft has made this very clear in the various editions to be published for this new OS. For home, Vista includes the Home Basic, Home Premium, and the Ultimate editions. For business, the Business, Enterprise, and once again, Ultimate editions are available. Each of these business editions requires a Vista Premium PC to run and includes: • Vista Business Edition: This is the base edition for small to medium business. It includes the new Aero 3D interface, tablet support, collaboration tools, advanced full disk backup, networking and remote desktop features as well as all of the base features of the OS. • Vista Enterprise Edition: This edition is only available to organizations that have either software assurance or enterprise agreements with Microsoft. It adds full drive encryption, Virtual PC Express, the subsystem for UNIX and full multilingual support. • Vista Ultimate Edition: For small businesses or others that want to access the full gamut of new Vista features, Microsoft is releasing the Ultimate Edition. It includes a host of features including all of those in the Enterprise Edition, but also entertainment tools such as Photo Gallery, Movie Maker and Media Center. Though you might not want these programs on business computers, this edition might be the only choice for any organization that wants full system protection and does not want to enter into a long-term software agreement with Microsoft. Microsoft is also releasing a Vista Starter Edition; this version will be available to emerging markets because it is designed to give them access to low-cost versions of Windows and avoid piracy. To learn more about each of the different Vista Editions, go to http://www.microsoft.com/windowsvista/getready/editions/default.mspx. For a fun overview of the different Vista Editions, look up http://blogs.technet.com/james/archive/2006/11/29/explaining-vista-editions-the-fun-way.aspx. Better yet, test your systems right now. Microsoft offers a new and enhanced Windows Vista Upgrade Advisor (VUA). VUA will scan your systems and tell you whether they are able to upgrade to the new OS. It will also tell you which edition it recommends based on your system capabilities. In addition, it will identify both device driver and application compatibility issues. Vista uses a new file system driver, so don’t be surprised if disk-based utilities such as anti-virus or disk defragmentation tools are singled out as requiring upgrades (see Figure 1.2). In order to run VUA, you’ll need a version of the .NET Framework as well as MSXML, but if they are not present, it will automatically install them for you. 6 Chapter 1 Figure 1.2: The results of a system scan with Windows VUA. To download the Windows VUA, go to http://www.microsoft.com/windowsvista/getready/upgradeadvisor/default.mspx. You’ll need administrative rights on the PC to install and run this tool. VUA is an interactive tool and only works on one PC at a time. For a corporate-wide scan of all systems, use the Application Compatibility Toolkit (ACT) version 5.0. ACT will be released at the same time as Vista. As its name implies, ACT is designed to focus on applications, but it does include rudimentary hardware assessments. ACT will be discussed in more detail in Chapters 4 and 6. Microsoft is also working to release a free Windows Vista Readiness Assessment (VRA), an agent-less network scanning tool that is aimed at small to medium organizations. VRA will let you scan multiple computers from a central location and generate a compatibility report for each of them. VRA is in beta right now but should be available by the time you are ready to move forward. More on VRA can be found at: http://www.microsoft.com/technet/windowsvista/deploy/readassess.mspx. In the end, the best tool to use for readiness assessments is a true inventory tool, one that is part of a desktop management suite and one that can help support all aspects of a migration. 7 Chapter 1 Compelling Vista Features There are a host of new features in Windows Vista, but for the purposes of a migration, especially for the justification of a migration, you’ll need to concentrate on just a few to make your point. Three communities are affected by a new desktop OS: users, IT professionals, and developers. Users can take advantage of improvements in productivity and security. IT professionals will focus on new deployment and management features. Developers will want to address new infrastructure components and the application programming interfaces (API) that give them access to those components. For users, Vista provides key improvements in the following areas: • Integrated search • Performance improvements • Security • Desktop experience • Networking experience For IT professionals, Vista offers improvements in: • Operating System deployment • Management technologies • Security For developers, Vista includes more than 7000 native APIs linking to three new core feature sets. • The Windows Presentation Foundation • The Windows Communication Foundation • The .NET Framework version 3.0 For a complete list of Vista features, go to http://www.microsoft.com/windowsvista/features/default.mspx. 8 Chapter 1 Compelling Features for End Users According to Microsoft, Vista heralds a whole new era in user productivity. Heard it before? Think it’s a marketing slogan? Well, it is, but for once there may be some truth in it. In the past couple of years, the hot button for users has been search or the ability to find information anywhere at any time. Computer systems and past Windows versions have helped us generate tons of personal, professional and public digital information. Just organizing all of the various files we create ourselves is a task in and of itself. Few people can spend a whole day without searching for at least one thing on the Internet, ergo Google’s immense success. Despite the fact that we’ve been very good at creating information, we haven’t been all that good at teaching our users how to use good storage practices so that they can find what they create. Even showing them how to name files properly would have been a help, but training budgets are usually the first to go during cutbacks. As IT professionals, we’re now faced with having to install and deploy third-party search tools—tools that may or may not respect the security descriptors we apply to data within our networks. To resolve this situation, Microsoft has integrated search into the basic user interface (UI) of Vista. Search is how you access all information on a Vista PC. The Start menu now sports a search tool and provides constant search, the Explorer sports a search tool, and IE sports a search tool—search is everywhere. At least in IE, you can choose which search engine you want to rely on. On the desktop it is a different story. Search indexes everything it has access to: personal folders, system tools, legacy shared folders, removable drives, collaboration spaces and so on— all driven by the PC’s capability to index content. When Windows Server Codenamed “Longhorn” is released, search will be able to rely on server-based indices and take a load off of the local PC. Search is such an integral part of the system that Windows Explorer now boasts new search folders—folders that are virtual representations of data based on search criteria. It’s not WinFS—Microsoft’s flagship file system due to replace NTFS—but it works and it works really well. Working on a special project such as the Vista migration? All you have to do is create a virtual folder based on these key words and you will always have access to the data so long as you have the proper permissions and you are connected to the data. It’s simple, just perform the search, click Save Search, and give the folder a meaningful name. Saved searches are dynamic, so any time new content is added, it will automatically be linked to your virtual folder. Figure 1.3 shows how saved search folders work as well as laying out the new Windows Explorer window. In addition to having access to indexed content, you have full control over the way you view and organize data in Windows Explorer. New buttons sort information in new ways, new views show extensive previews of document contents, and new filters let you structure information just the way you like it. Even better, you can restore a previous version of any document so long as it existed before the last shadow copy was taken—that’s right, Vista now does shadow copies on the desktop. With Vista, there is no reason why anyone would ever lose a document again. For more information about Volume Shadow Copies and Previous Versions, especially how you can start using them even before you deploy Vista, go to “10 Minutes to Volume Shadow Copies”. 9 Chapter 1 Figure 1.3: The new Windows Explorer in Vista allows you to save searches into virtual folders. Beyond search, Vista will sport several new features aimed at productivity. We already discussed speed and performance; Vista includes several features to improve performance on a PC, 32- or 64-bit: • SuperFetch will learn from your work habits and preload your most common applications into memory before you call on them. When you actually do call on them, they will launch from RAM and not from disk. They will be lightning fast. • ReadyBoost will rely on flash memory to extend the reach of normal RAM and reduce hard disk access times. For example, Samsung is releasing a new 4 GB flash drive that is specifically designed for the ReadyBoost feature. This will also vastly increase system speed. • ReadyDrive will work with new hybrid hard disk drives—drives that also include flash memory—to cache frequently used data and access it from the flash memory while the hard drive takes time to spin up. In addition, sleeping systems will wake up much faster since they will use the flash memory to restore the working state of the PC. With the exception of ReadyBoost, all performance improvements are completely transparent. Other speed enhancements include self-tuning performance and diagnostics that will detect and attempt to self-correct any performance-related issue. In fact, if you configure it correctly, the Vista PC will be so fast; you’ll have to change your habits. If you’re used to stepping up to your PC in the morning, turning it on and then going for coffee, you’ll have to learn to go for coffee first because you won’t have that interminable lag between turning on the power button and actually facing a logon prompt. This is bound to force some habit changes. 10 Chapter 1 Our advice: run Vista on a 64-bit PC if you can, especially a multi-core system. Since x64 operating systems are still in their infancy, nobody has figured out how to slow them down yet. Now is the time to take advantage of all of the speed you can get. Vista also includes a whole series of improvements at the security level—improvements that both users and IT professionals can take advantage of. The most significant is User Account Control (UAC). With UAC, Windows Vista will allow administrators to execute most processes in the context of a standard user and only elevate privileges by consent and vice-versa for users. When you are logged on as administrator and a process requires elevation, a dialog box requesting your response is presented. If you agree, the process is allowed, if you disagree, the process is denied. When you are logged on as a standard user, UAC will prompt you for an appropriate administrative account and its password each time an administrative task is performed. UAC prompts are impossible to miss because the entire desktop is dimmed when UAC is activated and only the UAC dialog box is displayed clearly (see Figure 1.4). UAC will require significant adaptation since it is a completely new way to work as a standard user. When computer systems are properly prepared and managed, corporate end users should very rarely if ever face a UAC prompt, yet they will benefit from the anti-malware protection running as a standard user provides. In addition to UAC, Vista supports Fast User Switching even in a domain. If someone wants or needs to use a computer that is already in use, there is no need to log off the current user, just switch users, perform your tasks and then log off. The existing user’s session is still live and the user may not even know someone else used their computer. Figure 1.4: Using an application requiring UAC elevation. 11 Chapter 1 Another security element is Windows service hardening. By default, Vista monitors services for abnormal activity in the file system, the registry and network connections. If any untoward behavior occurs, Vista simply shuts down the service. In addition, Vista includes a series of antimalware technologies such as Windows Defender, an anti-spyware detection and removal engine, a new version of Windows Firewall that users can access and control to some degree, an updated version of the Windows Security Center; and a new engine for security updates. As previously mentioned, it also sports a new version of IE, version 7 which has several improvements in terms of ease of use—tabbed browsing, RSS feed integration and improved Web page printing—but its major improvements are in secure Web browsing. The following list highlights IE 7’s new features: • New phishing Web site identification and reporting tools. • A clearer way to determine whether you are connected to a Web site using either the Secure Sockets Layer (SSL) or Transport Layer Security (TLS). • ActiveX opt-in, which will easily let you determine which ActiveX controls are safe to use. • Single click deletion of all browsing history. • Automatic protection from domain name spoofing. • Control of uniform resource locators (URL) processing to avoid URL parsing exploits. • Protected mode, isolating itself from other applications running in the OS. As this list shows, this new, sand-boxed version of IE provides safer, cleaner Internet browsing (see Figure 1.5). The desktop experience is also vastly improved. The new Aero interface provides glass-like windows that show the background desktop when in use. In addition, the integrated support for three-dimensional graphics paves the way for a very high-quality graphical experience. If you’re going to use a graphical user interface (GUI), why not make it the best possible experience? That’s exactly what Vista delivers. 12 Chapter 1 Figure 1.5: Internet Explorer version 7 provides a better experience than any previous version. Finally, end users will find that their networking experience in Windows Vista will also be vastly improved. Not only has the entire TCP/IP stack been rewritten in Vista to significantly increase networking speeds, but also Vista now fully supports IPv6, the next version of the TCP/IP networking protocol. IPv6 automatically gives each computer its own unique IP address—unique in the entire world, that is—and protects it through integrated IP security (IPSec) support. Whether you are running IPv4 or IPv6, the new networking stack will herald vast speed improvements, especially between PCs running Vista. Servers will have to wait for the next version of the Windows Server operating system to access these benefits, but users will notice speed improvements even in mixed networks. To download a PowerPoint presentation on new Vista features, go to http://www.resonet.com/download.asp?Fichier=P84. Despite this new feature set, user training for Vista should be relatively painless because everyone should be already familiar with the standard Windows UI. This doesn’t mean that no training is required, but that training could easily be performed through short presentations and demonstrations, either live or online, which take users through each of the new capabilities. 13 Chapter 1 Compelling Vista Features for IT Pros There are several compelling features in Windows Vista for IT professionals. The first is in operating system deployment. Vista supports three deployment scenarios by default: new computer (even a bare metal system), PC upgrade, and PC replacement. These three scenarios are supported by several technological improvements. All versions of Vista now ship in the new Windows Image Format using the .WIM extension. WIM images are file-based system images as opposed to some other tools that use a more traditional sector-based disk image. The WIM file-based image uses a single instance store to include only one copy of any shared file between different images. This allows Microsoft to ship multiple editions of Vista, even Windows Server Codenamed “Longhorn” when it becomes available, on the same DVD. The version you install is based on the product identification (PID) number you use during installation. This also means that when you create images for deployment, you can use the same image to deploy to workstations, mobile systems and tablet PCs. WIM images are mountable as NTFS volumes and therefore can be edited without having to recreate reference computers. Microsoft is not the first to use file-based images. Altiris Deployment Solution supports both file- and sector-based images though most users will opt for the file-based .IMG format as it is much easier to manage in the long run. Microsoft has created several tools to work with WIM images—ImageX, a WIM image generator, Windows System Image Manager, a WIM image editor, and Windows Deployment Services (WDS) which replace the previous Remote Installation Services (RIS) to support bare metal WIM deployment. In addition, Microsoft is releasing Windows Preinstallation Environment (Windows PE) to the general public. Windows PE is not new, but has been updated in support of Vista deployments. Previously, Windows PE was available only to customers acquiring either enterprise licenses of Windows XP or software assurance for the OS. To learn more on Vista deployment technologies, go to http://www.microsoft.com/technet/windowsvista/evaluate/feat/deplovw.mspx. Existing disk imaging technologies can still be used to deploy Windows desktops in organizations. Tools such as Symantec Ghost, Altiris Deployment Solution, Arconis True Image, and so on continue to be viable options for OS deployment. One significant advantage some of these tools have over the WIM image format is their support for multicast image deployment. Multicasting allows you to deploy the same image to multiple PCs at the same time using the same data stream. By contrast, unicast deployments send unique copies of the operating system to each target device. If you are deploying to 50 PCs at a time, multicasting will require a single data stream whereas unicasting will require 50 copies of the same data stream. You do the math. Even if you can keep your WIM image as thin as possible, without support for multicasting, it will take longer to deploy than with other imaging tools. Chapter 7 will provide more information about disk imaging. 14 Chapter 1 Don’t get us wrong. WIM imaging is still a boon to organizations that don’t have any system management software in place—though you should consider using a massive deployment of this kind to introduce new systems management software. However, if you still aren’t ready for a full-fledged management system, go ahead and rely on WIM and the other Microsoft tools which support it. You’ll find that most of them are command-line tools that require some scripting expertise to use. You’ll also find that each tool is contained within itself and offers little integration to the others. Your best bet is to look for systems management tools that can interact with both WIM and sector-based imaging, then choose which suits your needs best. Several manufacturers will release updated versions of their management suites to fully support Vista in the coming months. Another area where Vista will assist IT professionals is in management technologies. Once again, Microsoft is investing in Group Policy, its flagship system management technology. Vista sports almost 800 more policy settings than Windows XP, bringing the total number of settings to 2450. In Vista, you can use Group Policy Objects (GPO) to manage everything from the firewall to wireless networks to removable storage devices, diagnostics and power settings. In addition, Vista can support multiple local GPOs, letting you specify different settings for different users on the same computer. This feature is useful for shared computer environments such as kiosks or manufacturing environments. Microsoft recently purchased Desktop Standard, a provider of advanced Group Policy tools. This acquisition adds a change control system for all Group Policies including roll-back, software update delivery through Group Policy, the ability to create conditional policies, the ability to modify any registry setting, the ability to control non-Microsoft applications through Group Policy, and much more to Microsoft’s existing Group Policy toolkit. Microsoft is making these tools along with others available through the Microsoft Desktop Optimization Pack for Software Assurance. For more information on Microsoft Desktop Optimization Pack for Software Assurance products, go to http://www.microsoft.com/windowsvista/getready/optimizeddesktop.mspx. Vista also includes a vastly improved Task Scheduler (see Figure 1.6) which is now much more of a job manager than just a scheduler. Tasks can now be configured to launch based on specific events. For example, if a hard disk drive runs out of space, you can automatically launch a task to clean up temporary files and alert desktop support teams. Tasks can also run when a user locks or unlocks the computer, letting you specify custom scripts to execute even if the user does not reboot their machine. Tasks can run when the computer is idle for a specified period of time. Finally, tasks can be conditional, running when another task is activated or when a specific condition is met. These new event-based tasks give you much more power over remote systems. Backup is also much easier in Vista. Vista sports a brand new backup system that will take complete system images and store them in Microsoft’s virtual hard disk drive (.VHD) format. Backup images can now be mounted with either Microsoft Virtual PC or Virtual Server, VMware Workstation or Server, modified if needed and restored to the original system. This is a powerful new backup system that anyone can work with. 15 Chapter 1 Vista includes a new implementation of Windows Remote Management (WinRM), Microsoft’s implementation for the Web Service Management standard, letting you manage and administer systems through common HyperText Transport Protocol (HTTP) ports. And of course, Vista relies on the Microsoft Management Console (MMC) version 3.0, providing a much more comprehensive and pliable task-oriented management interface. Figure 1.6: The new Task Scheduler provides much more functionality than previous versions. Even managing updates has been made easier in Vista through the Restart Manager. During update installations, if a restart is required, Restart Manager will automatically take note of open applications, save their state and restart them once the system is back up and running. This makes the update process completely transparent to end users. Of course, applications have to be written to take advantage of this feature. Print management has been improved in Vista through the use of a new Print Management console which gives you centralized access to all the printers in your organization, letting you view their status in one single place. Print Management can manage printers for both Vista and Windows XP, letting you manage mixed environments. It also lets you automatically deploy printers to groups of computers through Group Policy. The Print Management console supports delegation of authority; as a result, you can assign aspects of this task to support personnel, providing much needed relief for administrators. To learn more on Vista management technologies, go to http://www.microsoft.com/technet/windowsvista/mgmntops/default.mspx. 16 Chapter 1 The Event Viewer has also received important upgrades. Many more events are now found in the Windows Event Log, especially events that were previously stored in separate text files. The Event Viewer now supports event forwarding, so you can configure custom events, for example, security events, to be forwarded to a central location. This feature is very useful in support of compliance requirements such as those needed to comply with the Sarbanes-Oxley Act. Events are now much more informative and provide more meaningful resolution information. Events are linked to the Task Scheduler so that you can use an event to generate a new task in one single step. This facilitates event management and troubleshooting for administrators. Windows Vista also sports several security improvements. Because of UAC, the default administrator account on a Vista PC is disabled by default. This does not mean that it is secure, as every administrative account should have a strong password whether it is disabled or not. UAC also provides registry and file system virtualization to let applications that require machine-level access be automatically redirected to user-level access. This provides better application compatibility than even Windows XP because older applications will run without any changes to their structure. In addition, Vista includes Windows Resource Protection (WRP) which protects both the registry and the file system from unauthorized changes. WRP works in conjunction with UAC to ensure that only authorized changes occur on the PC. Though it is not recommended, you can disable UAC. This can be done in one of two ways. Through the Control Panel | User Accounts, you will find a control to Turn User Account Control on or off. The second way is through the Local Security Policy under Security Settings | Local Policies | Security Options where you will find nine policies that affect UAC (see Figure 1.7). Think long and hard before you decide to do this as it may endanger your systems by exposing them to malicious behavior. Perhaps the best way to turn this off is to use the setting User Account Control: Behavior of the elevation prompt for standard users: Automatically deny elevation requests. This would also be an excellent opportunity to use multiple Local Security Policies, one for non-technical standard users that have this setting and one for technical staff that allows them to request elevation rights. To test your applications and determine if they will properly operate in standard user mode, test them with the Standard User Analyzer (SUA) which will tell you which elevated rights the application requires. Obtain SUA from http://www.microsoft.com/downloads/details.aspx?FamilyId=DF59B474C0B7-4422-8C70-B0D9D3D2F575&displaylang=en. Figure 1.7: Group Policy settings for UAC. 17 Chapter 1 For network protection, Vista relies on the Windows Firewall with Advanced Security (see Figure 1.8). End users only have access to the default Windows Firewall that is found in the Control Panel, but administrators have access to a more advanced version through a custom MMC. This allows you to completely control both inbound and outbound connections on any PC. It also automatically restricts resources if they behave abnormally. For example, if a service that is designed to send messages on a specific port tries to send messages over another port, Windows Firewall will prevent the message from leaving the computer, possibly preventing the spread of malware. Figure 1.8: Windows Firewall with Advanced Security provides very comprehensive protection for each PC. One of the most famous security features of Vista is BitLocker Drive Encryption. BitLocker encrypts the entire contents of the system drive, protecting not only user data but also the entire OS. BitLocker relies on the Trusted Protection Module (TPM) version 1.2—a special hardware module—to store decryption keys. If a TPM chip is not available, keys can be stored on USB flash drives, but this is obviously less secure because many users might store both the USB key and the computer in the same bag. Lose the bag and the entire system can be compromised. BitLocker is only available in the Enterprise and Ultimate editions and requires two partitions on the system volume, one for the boot process and one for the encrypted operating system. This consideration will be vital during system preparation for deployment. Considering that according to Times Magazine, 1,600 mobile computers are lost or stolen every day in the U.S., BitLocker will be a boon to businesses of all sizes. 18 Chapter 1 By default, Windows Vista includes Network Access Protection (NAP) or the ability to quarantine computers that do not meet specific health parameters as outlined by your security policy. In fact, because NAP is really a server-based technology—it requires servers to define the health policy, create and maintain the quarantine network, and provide security and other updates to client computers—Vista really only includes the NAP client. But, because the NAP server components will not be released by Microsoft until Windows Server Codenamed “Longhorn” is released—about a year from now—you might think that this is not much of a feature. You’re right, unless of course you rely on another product to provide this level of protection. Microsoft has worked with Cisco Systems to make sure that its NAP will be fully compatible with the Cisco Network Admission Control (NAC). If system quarantine and system health validation is important to your organization, you can deploy Vista today along with Cisco’s NAC server components to protect your network. Because Vista includes a built-in NAP client that is interoperable with Cisco’s NAC, it will automatically be able to take advantage of this feature— other client operating systems would require an additional Cisco client to be deployed. Then, when Microsoft releases its new server code, you can simply integrate its features into your already protected network. To learn more on NAP and NAC, go to http://www.microsoft.com/technet/itsolutions/network/nap/default.mspx or http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html. At press time, it is unclear whether the integrated Vista client is in the original release of Windows Vista. Make sure you have this integrated client before building your NAC environment. Vista provides a better management story than its predecessors. But simplifying desktop management isn’t just a matter of new features in an OS. It requires careful thought and planning, preparations that must be performed during the set up of the migration project. This is just another reason why massive desktop migration projects are an excellent vehicle for a move towards service-oriented management of all your systems. To learn more on Vista’s security features, go to http://www.microsoft.com/technet/windowsvista/security/default.mspx. Compelling Vista Features for Developers Windows Vista is built on managed code, relying on a new programming model to provide a completely updated desktop platform. Developers will want to take advantage of the new feature set in Windows Vista to create new, three-dimensional applications that rely on this new model. Developers and IT Professionals alike will want to take a very close look at the Windows Vista Compatibility Cookbook, a document that outlines all of the compatibility changes between Vista and Windows XP. The cookbook can be found at: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AppComp.asp. In addition, developers may want to take advantage of the additional resources available on the Innovate on Windows Vista portal. The portal can be found at: http://microsoft.mrmpslc.com/VistaPlatformAdoption/. Windows Vista is built on three core technologies. The first is the Windows Presentation Foundation (WPF). WPF, formerly codenamed ‘Avalon’, is a series of components that allow 19 Chapter 1 developers to build high-quality user interface experiences. It blends together documents, media and traditional as well as alternative forms of input such as the Tablet PC. It links to the new Windows Color System Microsoft developed for Vista to produce higher quality output to both the screen and print media and it provides integration points into the Windows shell to enhance the experience of the user. Developers should definitely take the time to examine how WPF can help them provide better information to users. For more information about Windows Presentation Foundation, go to http://msdn2.microsoft.com/enus/netframework/aa663326.aspx. Videos on WPF can be found at www.youtube.com by searching for the words ‘presentation foundation’. The second important technology that is included in Vista for developers is the Windows Communication Foundation (WCF). WCF, formerly codenamed ‘Indigo’ is designed to assist in the construction of connected systems, Microsoft’s version of service-oriented architectures (SOA). WCF is built around common Web Services to secure transactions on the Web. It covers transports, security components, messaging patterns, networking topologies, hosting models and software encodings to provide the basis for new transaction models. Although it is being delivered directly in Vista, WCF will also be available for previous versions of Windows, such as XP and Windows Server 2003. For more information on the Windows Communication Foundation, go to http://msdn2.microsoft.com/en-us/netframework/aa663324.aspx. Finally, Vista will also include WinFX or as it is now named, the .NET Framework version 3.0. This is Vista’s managed code programming model and is an extension of the previous versions of the Framework. In fact, the new version of the Framework brings together all of the components built around WinFX into one single programming model. This includes the Windows Communication Foundation, the Windows Presentation Foundation, the Windows Color System, CardSpace, and Windows Workflow Manager and merges them into one single rapid application development environment. Organizations of all sizes will want to look to this version of the Framework for all Windows-based or Web Service-based development that pertains to Vista. Of course, Vista also supports traditional development through unmanaged code such as C++ or Dynamic HTML and JavaScript. The choice of which language to use will depend on the type of tool or functionality you want to develop. For more information on the .NET Framework version 3.0, go to http://msdn.microsoft.com/windowsvista/prodinfo/what/about/default.aspx#winfx. These feature descriptions are by no means exhaustive. They are designed to give you a taste of what Vista will offer your organization. You will need to examine the entire Vista feature set to determine how your organization can benefit most from its expanded feature set, but at least with the features outlined here, you will already have an idea of where to look. Examining the feature set is one of the most significant aspects of building a business case for migration. This is part of the first task anyone must perform in any migration project. After all, if the business case isn’t approved, there won’t be much of a migration. This is why business cases are a very important aspect of any migration project and should be your starting point. 20 Chapter 1 Creating the Migration Business Case Business cases are structured documents that provide technical, financial and management information related to a significant undertaking that will take the form of a project in an organization. One of the purposes of a business case is to assess the readiness of the organization to proceed with the recommended change. The business case structure is fairly stable and should include the following items: • Executive summary • Background information o Current issues o Preparation team • Description of the upcoming project • Proposed approaches and alternatives o Issues to be addressed o Recommended approaches o Potential alternatives and expected results • Impacts of the project on current operations • Assessments o Business environment o Technology o Risks • Cost/benefit analysis • Projected schedule • Verification mechanisms • Implementation strategies • Recommendations • Required approvals A sample business case for a Vista Migration project can be found here. A one-time registration is required to access this business case. Click on the New members button to register. 21 Chapter 1 There are several reasons to introduce change into an organization. The first is that change is constant and is at the very core of the IT world. Therefore introducing change offers the opportunity to control change and adapt it to your needs. The second reason is to reduce risk. For example, the U.S. government’s need to move to an IPv6 infrastructure is an excellent example of a change introduced to reduce risk since IPv6 is much more secure than IPv4 because of its very structure and offers single, individual addresses for each host connected to a network. This is much more than IPv4 can ever offer given the need to use private versus public addresses and network address translation (NAT) to connect multiple hosts to the Internet. A third reason is to add value or functionality to the services you offer. If you are a private corporation, then this goal is to increase profits, but if you are an organization that operates without profits, adding value may only mean providing a higher quality service to your clienteles. The advantage of controlling change before it controls you is that you are in the driver’s seat. This is why we recommend migrating to Windows Vista in a structured and controlled manner. As any migration project aims to reduce risk while increasing value, you should consider the following four reasons for moving to Vista: 1. Take advantage of a new, more sophisticated and more secure desktop operating system. 2. (Optional) Take advantage of 64-bit processing, increasing speed and security for the desktops. 3. (Optional) Take advantage of the integrated IPv6 capabilities in Vista and use the migration project as a carrier to migrate to a new generation of TCP/IP. 4. (Optional) Take advantage of the migration project to improve desktop management operations and move to a completely managed infrastructure. Three of these justifications are optional, but each of them adds significant value and helps organizations move into the 21st century in terms of desktop infrastructures. Use a structured process to design your business case. We use the IDEA, an eight-step process that helps gather the information required to populate the different sections of the business case document (see Figure 1.9). Figure 1.9: The Vista IDEA, a structured approach for the elaboration of the Vista Migration Business Case. 22 Chapter 1 The IDEA begins with a review of the current situation. For example, one excellent source of information for this review is a collection of desktop-related issues reported to the help desk. It then moves on to a market analysis, or a review of the market press and advisory sources on their opinion of Vista. Step three is the definition of the goals of the project. Step four focuses on risk analysis and mitigation. Step five looks at possible infrastructure changes to support the project. Step six outlines the deployment approach. Step seven lists required resources—human, financial and technical. Step eight looks to the future beyond the implementation of the requested change. Each of these is taken into consideration in the template business case you will find online. Migration Strategies As you move forward with your migration project, you’ll need to consider different migration approaches. Several are available: • Let’s just install, users be damned! Surprisingly, organizations actually use this approach in many migration projects. This is especially evident in projects that are completely driven by IT and do not include feedback or input from other parts of the organization. Unfortunately, these projects are doomed to fail because of their naive approach. • Hardware Refresh. The hardware refresh approach is a better approach because it relies on attrition to make the change. Organizations normally have three to four year PC replacement programs and can rely on these programs to carry the migration. Unfortunately, too many organizations who choose this approach don’t do a better job than the “Let’s just install” approach because there is little structure in the approach to replacement. Just look at organizations that buy new servers with Windows Server 2003 R2 pre-installed, only to replace it with the previous version of Windows Server. Given the small differences between the functionality of R2 versus WS03, it is really surprising that anyone would even assign any resources to this effort. If these organizations fear the small changes in WS03 R2, then how will they fare with the massive changes in Windows Vista? • Gradual Migrations. This approach looks at specific workloads and addresses increasing performance demands by migrating them to the new operating system. This way, only key user populations are migrated, one at a time, making the project more manageable because it runs in specific chunks. Because of this, this approach is much more viable than the first two. 23 Chapter 1 • Forklift Migrations. This approach tends to be the best for several reasons. A forklift migration means that every single desktop and mobile system in the organization is migrated in the same timeframe. This vastly reduces the need to manage mixed environments and reduces the strain on the help desk as well as operations teams. The management of mixed environments is controlled by the project and lasts only for a specific time. In addition, forklift projects because of their very nature, are often much more structured than gradual or hardware refresh projects. For this reason, they include more comprehensive communications and training programs—two tools that can either make or break massive change management projects. Also, because a forklift project changes everything at the same time, they often tend to be architected more thoroughly. This is because massive changes need more comprehensive forethought and planning than gradual changes. • Carrier Projects. This approach relies on carriers—key functionality upgrades in the IT infrastructure—to introduce new changes. x64 computing or IPv6 are excellent examples of carriers that could support the introduction of a new OS within your organization. Both require careful planning and architecting to provide the promised benefits. Carrier projects are very similar to forklift migrations in nature because everything is changed at once. The best recommendation is to use a combination of the last two approaches if possible. Consider your user base. You have to prepare for a Vista migration in the next year or so, otherwise users will start asking for it and you won’t have a ready response for them. User sophistication increases exponentially with time as more and more users grow up with access to computer systems. Better to be prepared and have your answers ready when users start grumbling for the Vista features they have at home. Using a combination approach allows you to be prepared ahead of time and control user expectations rather than react to them. No organization can reliably expect any migration approach based on attrition to work properly unless they have performed a proper forklift migration beforehand. This is because forklift migrations, by their very nature, allow organizations to clean house and implement proper management structures. Most organizations that invest in these types of migrations and maintain a stable client network once the project is complete will be able to profitably use other migration strategies for Vista. If you haven’t performed a proper forklift beforehand and you still want to use an approach based on attrition, then make sure the design and engineering portions of your migration project are fully completed before starting to deploy Vista PCs. This guide will assist you in both these aspects no matter which migration strategy you choose. 24 Chapter 1 Making a case for a flexible infrastructure Migrating to Vista should also be the time to upgrade and modify your PC management infrastructure. If you already have a proper management infrastructure, you’ll be good to move forward with a migration because it will already be an integrated process in your normal operations. But if you don’t, consider this. According to Gartner, an independent research firm, organizations implementing a well-managed PC platform can reduce costs by up to 40 percent. Organizations using some form of management, save 14 percent over unmanaged systems (see Figure 1.10). Figure 1.10: According to Gartner, well-managed PCs can bring a 40 percent reduction in costs. Gartner Research note entitled “Use Best Practices to Reduce Desktop PC TCO, 2005-2006 Update” by Michael A. Silver and Federica Troni, published 8 December, 2005. Well-managed PCs are locked-down PCs, and users only have access to standard user accounts. Vista makes great strides in this area because it includes a complete revision of what is and what isn’t locked down for standard users. Two examples are the fact that standard users can now control the time zone on their PCs as well as control the different power modes the PC is running under; two areas that are completely locked out from them in Windows XP. The Gartner results were compiled for Windows XP Service Pack 2 (SP2) running on microchips supporting the no execute (NX) instruction set to protect against malicious code. In the same paper, Gartner also claims that according to their research, the ideal attrition rate for PC replacement should be three years as organizations running well-managed PCs reap the most benefits and the best return on investment (ROI) when replacing one third of their PCs every year. This is a very good argument for making a significant PC purchase for the Vista migration, selecting new x64 systems running multi-core microchips and the latest in video hardware. 25 Chapter 1 Well-managed infrastructures involve the use of a complete PC management toolkit as well as a reliance on properly trained resources both in operations and at the end user level. Locking down PCs is a significant challenge as many organizations still allow users to run with administrative rights. There are no justifications for doing so today, unless, of course, you have money to throw away. Surprisingly, lots of organizations do. According to a report conducted in 2006 by Applied Research West Inc. for Symantec, 48 percent of American IT managers say concern about disabling or reconfiguring of security systems by employees is increasing. Does this mean that 48 percent or more of employees are running with administrative rights? If so, you need to learn to just say ‘no’. Surely we don’t have to spell out that the best way to manage desktops is to rely on three year leases, frequent renewals and less diversity in computer models. Doing this is just common sense. If you’re not, then you should seriously consider it. And if you’re not doing this because of some resistance in upper management then show them this chapter. It’s time to get it right. As one of our customers would say, “If it’s in print, it’s got to be true, right?” In one of our most successful forklift migration projects, the client organization reduced PC-related support calls by a factor of seven through the implementation of a well-managed and locked down environment. This is just one example of the benefits you can reap from a well-organized and planned migration. At the expense of repeating ourselves, if you want to move to the new Vista feature set and at the same time reap the benefits of locked-down systems and well-managed infrastructures, stay tuned. We will provide you with the tools we have relied on to make all of our migration projects a complete success. The toolkit provided in this guide will of course be focused on Vista but will also be useful for any migration. It will include processes, sample documents, management tool recommendations, structured and detailed instruction sets, and everything else you’ll need to finally make migrations just like any other process in your IT operations. If you already have proper desktop management systems in place, then you can also profit from this guide, reviewing your own practices to make sure they are best of breed. Migrations should never be at issue again. 26 Chapter 2 Chapter 2: Planning the Migration So you’ve decided to migrate to Windows Vista. Good for you! Your goal now is to design the very best migration possible and to ensure that the network remains stable during and after the migration has been performed. Successful migration projects rely on a proper structure. For this reason, this chapter will focus on how the migration project itself will be organized. To do this, we will begin by looking at the actual tasks required to perform a migration on a PC in order to help you understand what a tangible migration process involves. But, because you know what to do to migrate one PC doesn’t mean that the migration of dozens, hundreds or even thousands of PCs will just work. Migration projects are massive undertakings that require the coordination of hundreds of tasks—tasks that must be correctly orchestrated to be delivered on time, under budget and with a very high level of quality. To meet these requirements, you need a change management strategy, one that will help you blueprint each step of the process and ensure that everything works as planned. Finally, you need to launch the migration project. Armed with the structured change management strategy, you can begin to lay out the steps you need to undertake to complete this project. That’s why we close the chapter with a look at the actual project plan for the migration and the process you need to put it in place. Actual Migration Tasks Migrating a PC and making that migration transparent to a user is hard work. Not that the work is actually hard, but rather, it is the coordination of multiple sequential tasks and the intricate linking of each task that is often difficult. You need to make sure that predecessor tasks are performed accurately, otherwise all of the tasks will fall out of sequence and the result will be less than successful. This is the old computer principle of GIGO or ‘garbage in, garbage out’ and it applies even more when the migration addresses more than one PC. You need to understand which tasks are required and how they fit together. When you perform the migration, you need to coordinate seven specific tasks and link them together (see Figure 2.1): 1. Hardware and software readiness assessment 2. Personality capture 3. Creation and deployment of base images 4. Application packaging 5. Software installation 6. Personality restoration 7. Migration status reporting Each task is performed in sequence and each has its own particularities. The PC Migration Cycle was originally based on Altiris’ Six Step Migration Process. More on the Altiris process can be found here. 27 Chapter 2 Figure 2.1: The PC migration cycle. This guide is about Vista migration. Many organizations will choose to include a new productivity suite such as Microsoft Office 2007 in the migration to a major new OS. Though this guide will not cover the migration to Office 2007, you can rely on the same processes and procedures to add it to your migration. Hardware and Software Readiness Assessment Before you can begin to even consider installing a new operating system (OS) on any PC, you need to assess its current content and structure to first see if it will support the new operating system’s requirements, and second, have any issues with hardware drivers, installed applications and expected system purpose. One of the best ways to perform this assessment is to rely on a checklist that leads you through the requirements analysis. If you’re performing the migration for a single PC, you’ll face a reduced list of questions, but if you’re performing the migration for a number of PCs—any number, you’ll face additional questions—questions that have to do with volume and address issues of location. Of course, if you’re working on a single PC, all you really need to do is to run a compatibility analyzer on it. As described in Chapter 1, the best way to do this for single PCs is to use the Vista Upgrade Advisor (VUA). This tool runs against your system and provides you with information on the latest requirements and compatible components. But running this on multiple PCs—any more than 10 actually—is less than practical. That’s why you’ll need to run a system check using either a deployed inventory tool, the Application Compatibility Toolkit version 5.0, or the Windows Vista Readiness Assessment (VRA), both from Microsoft. Note that both VUA and ACT require administrative credentials to install. More information about VUA, VRA and ACT can be found at http://www.microsoft.com/windowsvista/getready/upgradeadvisor/default.mspx; http://www.microsoft.com/technet/windowsvista/deploy/readassess.mspx; http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/default.mspx. If you have an existing system management tool, you can use its own readiness assessment reports to determine whether your systems are up to snuff. For example, tools such as Altiris Inventory Solution or LANDesk Inventory Manager will include updated reports that allow you to assess both hardware and software readiness in one single pass. 28 Chapter 2 More information on Altiris Inventory Solution can be found at: http://www.altiris.com/Products/InventorySolution.aspx More information on LANDesk Inventory Manager can be found at: http://www.landesk.com/Products/Inventory/ Whichever tool you choose to rely on, you should concentrate on the following questions: 1. Do the PCs meet the system requirements for the new operating system? System requirements for Windows Vista were outlined in Chapter 1. a. Which proportion of your systems meets these requirements? b. Which proportion can meet them with minimal component changes? c. Which components require changes—random access memory (RAM), video cards, displays, printers, others? d. Would you rather change components or replace the system in order to aim for a standardized set of PCs in the network? Is this within budget? e. How many systems do not meet the minimum requirements? Are you ready to replace them? Is this within budget? 2. Are there any driver issues on any system? a. Which components are missing drivers? b. Do the manufacturers of these components offer updated drivers? c. If not, which do? d. Are there compatible drivers you can rely on until the manufacturer updates theirs? 3. If hardware upgrades or replacements are required, should the upgrades be sized to meet any other project, present or future, requirements since change is required? 4. If PCs are to be replaced, are they in the same location or do you need to cover multiple locations? 5. Which operating systems are running on your systems? Are they homogeneous or heterogeneous—will you have to upgrade from many different operating systems? Note that Windows XP, Windows Media Center Edition and Windows XP Tablet Edition will all upgrade to Windows Vista as there is no longer a distinction between these operating systems as far as the Vista upgrade process is concerned. Of course, you will need the appropriate edition of Vista— Business, Enterprise or Ultimate—to perform the upgrade. 6. Are there any licensing costs associated with the migration? If yes, how will they be addressed? Remember that Vista uses a completely new licensing model (discussed further on) that requires you to put in place internal validation systems if you don’t want all of your computers to be activated through the Microsoft Web site. More on this licensing model will also be covered in Chapter 5 as we discuss infrastructure changes to support the migration. 29 Chapter 2 7. Which applications are deployed on your network? a. Will they run on Windows Vista? b. Better yet, are they actually in use? Do you have metering information to tell you if an installed application is actually being used by that PC’s principal user? c. If you are also considering moving to the x64 platform, will your current applications run on it? d. Are there any applications that should be deployed to every single user? If so, should these applications be included in the PC image you will prepare? 8. What about user data? a. Is it already located on servers and protected? b. Is it located on each PC and will it need to be protected during the OS replacement? c. Is there any data that can be filtered out, especially non-corporate data, to speed the replacement process? 9. Are any infrastructure changes required for the migration? a. Is the project running on its own or will your organization include other changes—changes such as deploying a desktop deployment or management suite, moving to a new directory structure, including mergers and acquisitions—with the migration? b. Will the migration only include the operating system or are some core applications—Microsoft Office 2007, for example—also included? c. Is the network able to support in-place migrations? Are additional migration servers required? d. If not, will you use a PC rotation process to bring each PC into a staging area and upgrade or replace it? e. Which is the best schedule for the migration? If multiple locations are involved, will the change be location-based or based on lines of business? 10. Which non-IT processes will be required? a. Do you need to start a communications plan for the migration? b. Is training required along with the OS deployment? c. Are any other administrative processes impacted by the migration? The purpose of this questionnaire is to determine what is required to properly plan the migration. You might have a series of other questions to address your own particular situation, but this list is a good starting point. It should provide you with the financial, technical, administrative and organizational answers that will form the nucleus of the project. 30 Chapter 2 Much of this information is gathered in inventories—inventories that need to be automated. Two inventories are required. The first occurs at the very beginning of the project and is deemed a cursory inventory. Here you’re focused on numbers of PCs, numbers of users, PC types and configurations, locations of each PC and a general inventory of the software in your network. The purpose of this inventory is to give you a broad general idea of the scope of the project, allow you to generate a budget, and produce the business case that was discussed in Chapter 1. The second inventory is much more detailed and is focused on the content of each individual PC. This content, detailing software, data, utilities and optional hardware components, will be used to actually replace the operating system on the PC and return it into the same state or rather, as similar a state as possible, once the migration is complete. In order to reduce the migration effort, this detailed inventory needs to be validated. Validation can occur through metering data if it is available. This will tell you if the software that is installed on the PC is actually used by the principal user of that PC. If you do not have access to metering data, then the inventory needs to be validated with the users themselves. This is a tough and time-consuming job. Traditionally, organizations do not manage PCs very well. They tend to load programs on each PC based on the requirements of the principal user; but, as users evolve in the organization and move, add, changes (MAC) are performed on the PC, repurposing them for new users, software keeps being piled onto the PC. After a period of time, the PC begins to contain products that are not required by its current principal user. This can cause a lot of issues, especially in terms of licensing. Most software licenses are based on installation state: if a piece of software is installed, it requires a license, whether it is in use or not. Yet, so many organizations do not remove unused software when they repurpose the PC. Beyond the licensing and non-compliance issues, having unused software on a PC becomes a real problem when it is time for an OS migration. That’s because the project needs to take the time to validate the presence of each piece of software or utility on a PC with the principal user. This is never easy as users often have no idea what the software or utility actually does and cannot confirm whether they use it or not. We have been in countless migration projects where software inventories were validated with users and software removed from the migrated system only to find out that they actually did use the software but didn’t know the name of the product or even that they were using it. This is usually because they address the software through other interfaces or through the performance of another task in their work. It is extremely important to validate these detailed inventories by actually walking through a typical day’s activities with the user instead of just producing a list of items and asking them if they use it or not. More on inventories and detailed validations will be covered in Chapters 5 and 9 as we discuss how to perform them and how to transfer the validated inventory to the deployment or release manager. So, in the end you’ll want to produce automated inventories as much as possible. Make sure you use a good inventory tool. Too many products produce only a list of all application components, registered dynamic link libraries (DLL), executables and so on, delivering an incomprehensible list of content for each PC. For this reason, make sure you look to the right requirements if you need to evaluate an inventory tool. For a review of asset management products, look up “Cover your Assets”, an article examining four asset management products which can help with your readiness assessments. 31 Chapter 2 Personality Capture When inventories are complete, you’ll want to move on to the capture of the personality of each PC. PC personalities include the personal settings of each user that logs onto the computer, including their profile, favorites, data, application settings, desktops, mapped drives and so on. You also want to include any custom application properties such as custom dictionaries, templates, email data files and so forth. This information is vital to the success of the migration project. For a user, there is nothing worse than having to recreate this personality once the OS migration has been performed. This step is related to the quality of service or service level that the project will provide. An OS migration is an IT task—a task that should be as transparent as possible to the end user. After all, it is IT that is responsible for all computing processes, not users. For users, a migration project or the delivery of a new tool should be business as usual and the disruption of business processes should be as minimized as possible. For this reason, it is so important to properly design computer systems, clearly identifying what belongs to users, what belongs to the corporation and what IT is responsible for. It is the portion that belongs to the user that makes up the personality capture. This division of responsibility will be covered in Chapter 7 as we discuss building locked-down computer images. In addition, personality captures must be evaluated for each user profile you find on the computer. Most organizations assign a PC to a principal user—at least it is easier to manage PCs when they are assigned to one single principal user. So, during the personality capture, you need to evaluate if existing profiles are in use or not, rationalizing unused profiles so that you do not restore ‘garbage’ to the new PC. Some organizations however do not have the luxury of assigning a principal user to PCs. These include organizations that have 24/7 service offerings or organizations that are in the manufacturing industry and have shifts that work around the clock. In these cases, several users access the same PC. Organizations often use generic accounts for this so that only one profile needs to be captured. This may change with Vista since it supports Fast User Switching, even when the PC is joined to a domain. Generic accounts are a security risk because you can never guarantee you know who is logged on with the account. Organizations should look to the removal of generic accounts from their production networks. Several tools are available for personality captures. And of course, the best tools will also identify the validity of a profile and whether it should be moved or not. The best policy is to capture all profiles, store them on the network, archive them after the project and restore only those profiles that are actually in use. This way, you have access to old profiles that you may have unwittingly marked as obsolete when they were not. This can happen when users are on prolonged leaves of absence or on vacation during the project timeframe. This policy costs the project in storage space and network bandwidth, but provides the very best quality of service. We have seen projects where vital personalities have been lost—personalities of users with several years’ worth of data stored locally—because this service level was not put in place. Best to be safe than to be sorry. Many tools will be discussed in Chapter 8 as we cover the capture and replacement of personalities on computer systems. 32 Chapter 2 Of course, the very best policy is to rely on network features such as folder redirection to map user profiles and data to networked drives where they can be protected at all times. This will be one of the considerations for infrastructure modifications in preparation of the migration. For more information on personality captures for Windows Vista, look up Migrating to Windows Vista through the User State Migration Tool. Captures can also be performed with a number of third-party tools such as Altiris PC Transplant Solution, LANDesk Management Suite or CA Unicenter Desktop DNA. Creating and Deploying Base Images The very best value for organizations relying on PC-based technologies is to reduce diversity, or reducing the numbers of hardware configurations, buying PC systems in lots with identical configurations, reducing the number of operating systems in use and rationalizing everything from applications to utilities to external devices. Too many organizations, especially organizations that are brought together through acquisitions and mergers, have several different antivirus systems, several different deployment systems, or several different monitoring technologies. The principle of standardization can never be overused when it comes to IT and systems management. Many organizations find themselves very happy to deal with heterogeneous systems, but usually, these organizations are driven by IT, not by business requirements. Today’s organizations need to drive this point home with their IT groups: business is the ultimate driver for the use of technology, nothing else. That’s why you should push for a single worldwide global image for your computer systems. With Vista, this is not a dream, but a reality. Vista no longer has issues with different hardware abstraction layers (HAL)—the component that is particular to each PC configuration and is absolutely required to run Windows. Vista can now apply different HALs at load time from a single system image, removing the need to create and maintain one image per HAL. Of course, today, it is possible, through scripts and other mechanisms, to create a single disk-based system image and deploy it to multiple computer configurations, but few organizations take the time to make this effort. With Vista, this effort will be greatly reduced. The PC system image needs to be designed from the ground up. It should contain everything that is generic to a PC and should ensure that the PC is secure and protected at first boot. You need to determine if you will create an image with the OS only or whether it should contain all generic applications as well. There is a strong argument for both positions and in the end, the most determining factors will be how you stage systems and which tool you use to do it. For example, if your staging tool supports multi-casting—sending one single stream of data over the network to multiple endpoints and thereby greatly reducing network traffic when deploying multiple computers—you’ll probably look to the ‘fat’ image or the image that contains as much as possible since deploying one or fifty PCs at once will take the same time. If not, you’ll want to stick to ‘thin’ images as each deployment will take considerably more time. Chapter 7 will provide a detailed discussion on thick versus thin images. 33 Chapter 2 Windows Vista introduces new concepts and new ways to work with system images based on three installation scenarios: upgrade, refresh and replace (see Figure 2.2). In the upgrade scenario, you can now use Vista to actually perform a non-destructive upgrade of the system, replacing the complete contents of the operating system without affecting user data or application settings. This is the first time that the upgrade scenario actually works, but it remains to be seen if organizations are ready to move to this installation format. In the refresh scenario, you capture personality data, wipe or erase the computer’s disk drive and reload a brand new operating system, reload applications and restore personality data. This is the scenario most organizations are familiar with. There is a lot to be said for it as it reformats the disk drive and creates a new, pristine environment. But, with Vista, reformatting the hard disk drive may no longer be necessary. Because it is installed as an image by default, Vista has the ability to non-destructively replace an operating system either 32- or 64-bit without destroying existing files. Then, because it includes an automated disk defragmenter, it will automatically begin to defragment the hard disk drive using low priority I/O once the installation is complete. It may be worth examining this scenario as it offers the ability to use local disk drives for personality captures and restores and would save time by cutting down network traffic. In the replace scenario, you capture data from an old computer and then perform a bare metal installation on a new computer—a computer with no preexisting OS—reloading applications and data once the installation is complete. This is also a favorite among organizations and IT professionals. Whichever scenario you decide to use, make sure your original system image is properly designed and ready for prime time before you begin testing with it. Finally, you’ll need an image management strategy, allowing you to update the image as new patches and hotfixes are provided for the components it contains. Figure 2.2: Windows Vista supports three migration scenarios. 34 Chapter 2 Application Packaging Inventories will be very useful not only to determine how but also which applications will be deployed to end systems once the OS is loaded. Ideally, all applications will be rationalized, removing duplicates from the network and of course, removing any application that is made obsolete by the features of the new OS you are deploying, leaving you with a reduced list of applications to deploy. Deployment methods will be discussed in the next step, but before you can move on to deployment, you need to package all applications for automation. Software packaging is one of the most important aspects of any deployment or migration project, yet it is often overlooked or addressed in cursory manners. Application management is a lifecycle which involves several steps, one of which is the management of all automated installations of applications. After all, if users are focused on the business, you don’t want them to lose productivity by trying to run software installations on their systems. Besides in a lockeddown environment, they just won’t be able to. So you need to automate installations, and these automations need to be standardized. You just can’t afford to deploy software packages that run several different installation methods. If you decide to install applications locally on each system, then you’ll want to package for the Windows Installer Service (WIS) as it provides a single installation strategy for all locally installed software in Windows Vista. You can also choose this migration project as a vehicle for change in the way applications are managed on desktops. If you do, then you should consider application virtualization—a process that installs all applications within a sandbox on the PC and protects the operating system at all times from any changes required by the application. Software virtualization offers many advantages, the least of which is the ability to run conflicting applications on the same PC. Since all applications are sandboxed both from the OS and from each other, two versions of the same application can run on the same system at the same time. More on this will be covered as we discuss application preparation, but for now, the important aspect of this topic is that software needs to be packaged through standard processes—processes that need to be transferred to normal production operations once the project is complete. For more information on software packaging in general, visit the Articles page on the Resolutions Web site and look for the Application Lifecycle Management section. For more information on software virtualization, look up our white paper on Software Virtualization. 35 Chapter 2 Software Installation Software installation refers to the deployment of any software that is required by a user to complete their function within the organization. Once again, PC design is very important here. If you choose to rely on thin images, you will need to deploy more software to your users. If you choose to rely on thick images, fewer applications will require deployment. Whichever model you decide to use, you’ll need to properly identify the targets for software deployment. Ideally, these targets will group users into role-based categories, letting you deploy appropriate software based on the role the user plays within the organization. This way, finance users will receive all of the financial applications; manufacturing users will receive manufacturing applications and so on. Grouping applications doesn’t only help in deployment, it also helps in software management and package preparation as you only have to make sure that the applications in a given group will work together and don’t need to verify the application against any others. You inevitably have to deploy applications on an ad hoc basis as well, but this should be to a greatly reduced group of users. One caveat: if you want to minimize application management tasks, you’ll have to make sure that your deployment tool supports the automated removal of applications, not only when the application is upgraded from one version to another, but also when the application falls out of the scope of deployment. For example, if you want to avoid finding applications that don’t belong to a user role on a system and you want to make sure you have a tight control over your licensing costs, you’ll want to make sure you implement a software management system that automates the process of changing a PC role, removing obsolete applications and applying appropriate applications automatically. Personality Restoration Once the applications have been restored to a system along with the new OS, you’re ready for the return of the system’s personality. Ideally, this process will be automated along with the preceding steps. Remember that profiles also need to be rationalized and only valid profiles should be restored. You’ll probably want to change the way the personality is designed on user’s systems. For example, Vista completely changes the way user information is stored on the PC, no longer relying on the Documents and Settings folder, but now focusing more on a new Users folder. In addition, because of the built-in search engine in Vista, users should no longer rely on desktops cluttered with unused icons, but should rely on more efficient access methods for applications and documents. If you do change the design or the way anything in the personality functions, make sure that you communicate all changes to users. There is nothing worse for a user to find something missing without any explanation. 36 Chapter 2 Migration Status Reporting The last step in the actual migration process is status reporting. If you’re working on a single system, you’ll want to make sure that it is stable, up-to-date in terms of security patches and running properly. You’ll want to verify that all applications have been installed and that the user’s personality has been restored as it should be. If, on the other hand, you’re working with a multitude of systems, migrating several locations in parallel and managing all of the deployments from one central location, you’ll want to make sure that each and every success is properly reported back to central administration for the project. You also want to track any issues that may arise, any migration failures and any unsatisfied users. Ideally, you will have prepared a special help desk team for the support of the migration and you may even have gone through the trouble to provide local coaching resources for migrated users. You’ll want to track all of these issues if you want to control project costs. In addition, you want to be able to have a single view of the progress of the project at all times. How many PCs are deployed? How many are left? How many are being deployed right now? Are we on target? Do we need to modify our schedules? Deployment management requires intricate planning and lots of administrative hard work as users move and shift in the organization during the deployment. Having the right deployment reporting tool is one of the most important aspects of project management for migrations. Make sure you get the right information and have access to it when you need it. You’ll also want to rely on this information for the project post-mortem. This will help you generate return on investment (ROI) reports and demonstrate the value of the massive effort your organization just undertook. An Extended View of Migrations The migration of an actual PC is a seven-step process, but managing change on this scale in organizations of any size is much more than just running through the seven steps described previously. The project requires proper structure and organization. Few sources exist for this type of information—information that guides you through the change management process implied in OS migrations. Because of this, Microsoft has produced the Solution Accelerator for Business Desktop Deployment 2007 (BDD). The Microsoft BDD can be found here. The documentation contained in Microsoft’s BDD attempts to put each and every step of the deployment program into perspective. It relies on the Microsoft Solutions Framework (MSF) to do so, but unfortunately, MSF is a framework that is designed for software development, not systems integration. It makes sense that Microsoft would rely on MSF since it is an organization whose focus is nothing else but software development. 37 Chapter 2 Also, the BDD guidance is divided into multiple feature teams. In our experience, there are really two major feature teams: one who is in charge or preparing all aspects of the desktop and its construction, and one who is in charge of preparing all aspects pertaining to server components for the deployment. Within these two teams, you’ll find applications specialists, security experts, management gurus, and other technical staff with all sorts of expertise; in fact, the broader the experience of your teams, the better. Managing two teams makes it easier to control the outcome of the project and keeps everyone in better contact. But, nevertheless, BDD is a very valuable source of information on deployments and there is no doubt that the tools it includes are a great help for organizations of all sizes. We’d like to supplement its guidance with our own deployment management strategy—a strategy which is focused on the integration, not development, tasks that make an OS migration project work. This system has been in use for over eight years and has been successfully adopted by a multitude of firms. It helps identify the critical path for any migration project. Using the QUOTE© System The QUOTE© System is a structured approach for change management which is based on five phases (see Figure 2.3): • Phase 1, Question: This is the diagnostics or discovery phase. It is focused on a situation review, followed by a needs analysis. You need to identify the factors of the change situation. First is the fact that change is coming. Second is the scope of the change. Third is where and how the change originated. Fourth is what you already have in place and how it will be affected. Question phases always involve an inventory of some sort. • Phase 2, Understand: This is the planning phase and focuses on initial solution development. Now that you have all of the information on the change in hand, you can start planning how to influence the change. If the change is technological in nature—for example, a desktop deployment—it is essential to fully understand how the new technology feature set will impact and improve the elements and processes already in place within the organization. This stage © may include one or several proofs of concept Figure 2.3: The QUOTE system. (POC)—working mock-ups of the solution to come. These POCs will help flesh out the details of the solution you will deploy because they provide additional, and often non-technical, evaluations of the way the solution is structured. This phase also finalizes the scope of the project and its structure. 38 Chapter 2 • Phase 3, Organize: This begins the execution portion of the project. It is focused on preparing the deployment mechanisms and the deployed content; in fact, all of the engineering tasks of the project. It includes everything from detailed conception of the solution to complete validation, testing all of the facets of the solution to ensure quality of service for the next phase. Since changes such as OS deployments tend to affect the organization as a whole, it is vital to validate all the elements of the solution before they are implemented. • Phase 4, Transfer: This is the second part of the execution portion of the project and focuses on manufacturing processes or massive operations because of the repetitive nature of deployments. All systems are “Go!” and a production environment is used to deploy the solution on a massive scale. Begin with the pilot project to validate that everything works as planned, and if not, make final modifications. Then, when all solutions have been fully tested and adapted, you begin to transfer them to the sections of the organization that are impacted by the change. • Phase 5, Evaluate: Finally, you need to evaluate the change you implemented in order to best view how it can continue to evolve within your organization. In addition, the project’s performance as a whole is evaluated against its original objectives. Rules are derived for future projects and adjustments are made to future approaches. This is also the stage where the solution passes into ongoing operations. You need to transfer project mechanisms into production, finalize all support training and transfers of knowledge and report on your successes. Because change works in cycles, you’ll also need to re-initiate the discovery phase to ensure the continued evolution of the solutions you deployed. This re-initiation is crucial if you want to fully benefit from the change you implemented. Many projects fail because this re-initiation is not performed and the project is closed off once it is complete. This approach can be used in almost any change situation, personal or organizational. Using this approach within organizations ensures that organizational and especially, IT change is always structured. It greatly simplifies and reduces the impact of change in organizations of all sizes. In Chapter 1, we argued that operating system deployments are part and parcel of PC lifecycles. In IT, change is constant as manufacturers constantly improve on existing products and new products abound. You should rely on the QUOTE System to manage all IT change. Forklift versus Hardware Refresh Migration Strategies As discussed in Chapter 1, there are several different strategies for migrating to Vista. Most organizations will use one of two main strategies: forklift—migrating all systems at once; or hardware refresh—migrating systems as they are replaced through purchasing programs. Both methods are valid, but in order to make your migration a success, you’ll need to properly prepare the design and engineering aspects of the project. This means that no matter which migration method you use, you’ll still need to run through the Question, Understand, and Organize phases of the QUOTE. Where the strategies differ is in the Transfer and Evaluate phases. With forklift migrations, the Transfer phase is a massive effort affecting all PCs in the organization. With hardware refresh migrations, the Transfer phase actually carries on for several years until each and every PC is replaced. Whichever one you use, don’t make the mistake of not being thoroughly prepared before delivering the new OS to your users. Because of its nature, the QUOTE System is ideal for the preparation and review of deployment projects. Here’s how it works. 39 Chapter 2 Question Phase — Problem Statement As mentioned earlier, the Question Phase relies on inventorying the organization (see Figure 2.4). You need to collect and review several different inventories and refine them if the information you need isn’t available. If you’re already running a modern infrastructure, you’ll always be ready for change because you’ll already have this information in hand and if you don’t, you’ll already have deployed the tools that can provide this information to you. If you don’t have an up-to-date infrastructure yet, then you’ll have to determine how you’re going to generate these inventories. And, make sure you take advantage of the project to put in place an automated inventory tracking process, one that will be part of your default infrastructure after your deployment is complete. The Question Phase This phase includes: • Situation Review including: Internal Inventories/Problem Identification Hardware Readiness Assessment Software Readiness Assessment Infrastructure Readiness Assessment Organizational Readiness Assessment • Needs Analysis Initial Solution Design Selection of New Technologies Review of New Technology Features • Initial Project Evaluation Including: Potential Benefits Initial Budget Estimates (~25% error) Initial Project Scope • Cost/Benefit Analysis • Production and Presentation of the Business Case • Go/No Go for the Project In deployment projects, the Question Phase is usually initiated by a series of potential situations: • Software Product Owners—if you have them—have identified that new versions of the technologies they are responsible for are available and meet the organization’s criteria for project initiation. • Users have identified that new technologies are available, are using them at home and they want to take advantage of them at work. • Business objectives or business processes have changed and new technologies are required to support them. • The organization is ready for change and requires the introduction of new technologies to promote it. • A major manufacturer or software publisher has released a new version of their product. • A major manufacturer or software publisher has announced the end of life for a specific product you are currently using and will no longer provide support for that product. 40 Chapter 2 In the case of a Vista migration, the project initiation can originate from a number of these factors, especially end-of-life or user demand. It is good practice for you to initiate the project before these factors come into play. When you do so, you’ll want to begin with a situation review and then follow with a needs analysis to identify the benefits that could be acquired through the integration of Vista’s host of new features. The situation review needs to focus on readiness assessments—hardware, software, infrastructure and organizational—that will indicate whether your assets are compliant with Vista’s requirements. Then, the needs analysis will focus on a list of potential benefits including existing problems that could be solved by the technology. Remember to include the Help Desk database in your assessments; it is a very valuable source of information for this type of project. The needs analysis should include a scope definition—who will be affected, what the impact of the change will be and how you wish to approach it—and initial budget estimates with plus or minus 25 percent error margin. This is enough to generate the relative size of the budget you will require. You should also generate an initial solution design, outlining how the new technology will improve and address issues you are facing today and how these benefits can turn into real value for the organization. Keep an eye on the potential return on investment your organization will reap when it moves to the proposed solution. This will help you create first, a risk analysis, then, a cost/benefit analysis to ensure that the organization will profit from the change. Figure 2.4: The Question Phase focuses on inventories and initial solution design. 41 Chapter 2 Where to Spend your Dollars Research has shown that those who spend little time engineering their solutions before moving on to deployment, have much more painful experiences than those who do. Remember the 80-20 Rule, spend lots of time getting all of the engineering right and your project will run more smoothly. The Value of Automation Make sure you aim for a fully-automated deployment. In our experience, costs for manual deployments average between $500 and $1,000 per PC. Semi-automated or Lite Touch deployments, to use a term from the BDD, average about $350 per PC. Microsoft’s goal for fully automated or Zero Touch deployments is less than $50 per PC. That’s why you should aim for a fullyautomated deployment strategy. That’s also why this is the strategy recommended by this guide. All of the previous elements will become part of one major deliverable: the business case. Prepare your business case with care and have it validated by the other members of your initial team. Then, when you feel that you have everything in place, present the business case to the stakeholders. This phase culminates in a Go/No Go decision for the project. Remember to go to the DGVM’s companion Web site to obtain the tools provided in Chapter 1: the Business Case Template and the List of New Features for Vista. These tools will greatly help your own project’s Question Phase. Understanding Phase — Exploring the Impacts of Migration The Understand Phase is used to begin mastering the new technologies to be implemented and identify solutions to known problems. The first step is to list the features of Windows Vista which you have decided to implement. Then, using the results of the Needs Analysis created in the previous phase, you can map features to current issues. This will serve to refine the initial solution design that was created in the previous phase. Next is project definition. Once again, you refine the initial project plan and scope prepared in the previous phase. While the objective of the previous phase was to get the business case approved, the objective of this phase is to refine all aspects of the project so that it can move forward on to the other three phases. Refining the project definition means preparing and generating all of the elements of the project: Vision, Objectives, Scope, Structure, Teams, Tools and Timelines; all this in order to create the definitive project plan. This time, the project definition should include a refined budget estimate to within plus or minus an error margin of 10 percent. This becomes the project’s official budget. This budget should be supplemented by two additional documents: an evaluation of the potential impacts of the project on all aspects of your business and the migration strategy. The impact evaluation should cover items such as work patterns and operational processes, user interaction with IT Systems, system changes, operational changes, structural changes, and so on. The summary migration strategy that was presented in the business case is refined to identify the strategies that will be used for systems deployment, interactions with users during the deployment, training strategies, remote and local deployments and so on. 42 Chapter 2 The Understand Phase This phase includes: • Secondary Review of the features of the new technology including: Identification of features to be implemented Final mapping of features to known issues • Project Definition including: Vision/Objectives Scope Structure Teams Tools Budgets & Impact Analysis Timelines Project Plan Project Organization Manual • Initial Communications Program • Logical Solution Definition including: Naming and other standards that apply to the solution Identification of Problem Resolution Strategies Logical Solution Architecture Initial Training Solution Detailed Deployment Strategy • Initial Acquisitions • Initial Laboratory Creation including: Operating and Testing Standards Preparation and Testing Environments Initial Tests Solution Mock-up Technical Training • Proof of Concept • Go/No Go for the Project Also, now that the project is officially in place, the project’s communications program needs to be designed and initiated. Its scope depends on the scope of the change the organization will bear. In the case of Vista deployments, you should make sure you invest in communications early. It’s never too early to promote comprehensive change projects like an OS migration. Your objective is to promote good will towards the project and its deliverables. There are several ways to do this. Don’t make the mistake of underestimating the importance of the communications plan in this project! Lack of proper communications programs can make even the best engineered solutions fail because users will resist the change. One good example of the kind of help the communications program can provide to the project is through the creation of a project ‘welcome kit’—a tool that outlines all of the major points of the project, its structure, its objectives and the role each person will play in it. With projects of this scale, this kit will quickly become a vital tool as personnel rotate through the teams. 43 Chapter 2 For a detailed discussion on the requirements of a communications program for your Vista project, see Communications Plans: a Sample Chapter from Preparing for .NET Enterprise Technologies at http://www.reso-net.com/documents/ruestch08.pdf. You also need to launch the initial training program and training analysis. Little training is required at this time and is often limited to basic technical training for the core project team, but this is the time to begin examining all of the training options that will be required by the project—end user, technical, support teams, and so on. As with communications, training programs are critical to the success of a Vista project. Actual user training does not need to be overwhelming; it needs to be direct and to the point. Often simple presentations outlining new ways to do things and offered to end users are all you need. Technical training needs to be more comprehensive, but can once again, be very creative, running in-house or Web-based programs to cover just what you need and nothing else. The training program needs to be tightly integrated to the solution you design. Make sure you budget for this very important task. At the same time, you can begin to refine the initial solution you outlined in the business case. This will include the definition of the standards that will guide the architecture of solution. It will rely on these standards to identify problem resolution strategies and eventually culminate into the Solution Architecture. This architecture serves as input into both the communications and training programs and will provide direction for the engineering work that lies ahead. Because you need to refine the solution, you’ll need to begin the creation and preparation of the laboratory you’ll require to support the preparation of the technical elements or engineering work of the project. You may only need to adapt existing laboratories if they are already in place; if not, you’ll have to create it from scratch. In either case, you may need to perform some initial acquisitions in order to populate this laboratory. And, since this laboratory will be used for the duration of the project, you will need to define its operational and testing standards. Chapter 3 will outline how to go about preparing the laboratory for the Vista migration. It will focus on the use of virtualization technologies as these technologies are ideal for the support of laboratory efforts. It is a good idea at this stage to create a working mock-up of the solution. This mock-up can greatly assist in budget definitions through cursory testing of existing applications and systems. For example, with a migration to Windows Vista, you should use the lab to identify what the acceptable baseline is for existing hardware. Should this baseline be different than that outlined in the business case, you’ll have to refine the budgets for hardware acquisition. The mock-up can take the form of a single virtual machine image that can be used to demonstrate new feature sets to the project stakeholders. The laboratory serves three major roles: solution preparation, testing, and personnel training. The latter role is as important to the success of the project as the first two. Technical staff requiring retraining should have scheduled access to the lab so that they can begin playing with the technologies. Often the best way to give them this access is to, once again, rely on virtual machines running with the new OS so that they can begin to familiarize themselves with the coming delivery. It is also vital to schedule this training officially, especially with the core project team, otherwise no training will ever take place and the technical training program may have to be outsourced. Keep in mind that one of the main project goals is to ensure that a transfer of knowledge is performed to all technical staff. You want to keep all new skills in-house at the end of this project. 44 Chapter 2 The laboratory is called the certification laboratory because it will be used to certify all engineering aspects of the solution—PC images, application packages, support structures, deployment procedures, personality captures and restores and so on. And, because several different teams will be working in this laboratory, it is a great idea to prepare a laboratory welcome kit that outlines how the lab works and where team members can find the resources they require to perform their tasks. Finally, it is often a very good idea to perform a proof of concept to clearly demonstrate the benefits brought by the migration to the new OS in order to get refined budgets approved. Once again, the organization must issue a Go/No Go decision for the project since new budget authorizations are requested (see Figure 2.5). Figure 2.5: The Understand phase focuses on solution refinement and project preparation. The Scope of the Proof of Concept The Proof of Concept (POC) can take a number of different forms. It could be just a mock up demonstration to the Project Steering Committee—the management group that oversees the project. Or, it could take the form of an actual deployment to key team members. In some cases, the POC can eventually cover about one percent of your user population. You’ll probably have several POCs—some focusing on individual features, others on portions of the overall solution, and eventually, a one percent population sample. It is a good idea to treat POCs the same way you treat any engineering project, with Alpha, Beta, and Gold deliveries. 45 Chapter 2 Organization Phase — Preparing for the Migration The third phase of the project focuses on finalization of all technical aspects of the deployment and eventually, preparation to move to the pilot project. The stage involves the bulk of the engineering work required to perform the deployment. Everything is refined and tested and then tested over again until it all falls into place as one integrated process. This is the phase that addresses the actual migration tasks described earlier. In fact, the purpose of this stage is to engineer and automate each aspect of these tasks. The Organization Phase This stage includes: • Finalization of the Solution Architecture • Solutions Development (if required) • Solution Integration Programs including: Deployment Infrastructure Preparation Solution Security Elements Application Compatibility Testing and Packaging/Certification Automated Installation Mechanisms User Data or Personality Recovery Mechanisms Solution Certification • Solution Support Programs including: Refined User and Hardware Inventories Validation of all Inventories with Users Technical Training Program End User Training Program Preparation Special Support Mechanism Preparation Data/Application Conversion Programs • Continued Communications • Deployment Strategy Finalization and Approval • Final Acquisition Launch • Pass/Fail Acceptance Testing This phase also addresses the finalization of the architecture for the solution. This architecture may need updates as engineering work proceeds and identifies actual processes and procedures instead of expected logical outcomes. Solutions focusing on infrastructure changes, such as the Vista deployment, require a lot of integration and very little development, but developers should be part of the team to offer support for any automation request through scripts and other measures. They are also called upon to develop custom components for the solution such as Web tools or documentation libraries. Another reason to include developers at this stage is that they are one of the final clienteles for the deployment and their requirements are considerably different than those of normal users. That’s because they need to have some form of access to elevated privileges in order to perform their work. Unlike users who will run with standard privileges, developers need to install and test code as it is being produced. The solution can either be focused on giving them virtual machines or granting them elevated rights in development domains. Whichever you choose, try to avoid giving them access to elevated rights accounts in your production domain because this can lead to both security and administration issues down the road. 46 Chapter 2 This phase is all about the integration programs. These include system image staging mechanisms, application compatibility testing and repackaging, the definition of data recovery mechanisms or personality captures and restores, the definition of all of the security elements of the solution, and the preparation of deployment infrastructures such as mobile staging rooms and training facilities. A lot of work needs to be performed by the various teams that are engaged in this technical aspect of the project. After all, for the deployment to work, these mechanisms must be fully flushed out. Each aspect of these programs is fully tested and certified before it is ready for testing. The bulk of this eBook addresses each of these programs in detail and helps you understand how to go about preparing them. The preparation of the support programs is also one of the tasks addressed with this phase. Several support programs are required. First, you need to validate all of the inventories of each PC. This validation is essential because you don’t want to be deploying unnecessary products to end users. This is an arduous administrative task unless you have software usage or metering data. Quality control is very important at this stage because these validated inventories will become the production request sheets that will be handed off to the release manager for the migration of each and every PC in your network. If mistakes are made here, mistakes will be made during the deployment. This is also the time where the bulk of the technical training program will be performed. Begin with the personnel on the project team and then move on to other, non-project personnel. Now is the time to train them because the deployment is not yet engaged and resources only need to deal with the day-to-day issues they are already used to. Don’t wait until the deployment actually starts because then, your resources will more strained as unforeseen issues may arise and project teams are engaged in deployment support activities. In addition, now is the time to begin the preparation of the end user training program. As the solution coalesces into a final deliverable, you can begin to see which elements will need to be covered by such training. Be creative. One great idea would be to include custom training videos users could view during the deployment and then access later if they need a refresher course. Another aspect of the project that needs to be covered here is the preparation of special support mechanisms: Will the regular support team absorb support of the deployment, or should a special, separate team be put in place? How long will this special team be required? When does a migrated user move back to the regular support team? What is the project guarantee time period? The answers to all of these questions form the support mechanisms for the project. In most cases, deployment support is offered by the project for a period of 20 working days before the user is returned to recurring support mechanisms. This 20-day period forms the project’s deployment support guarantee. Finally, you need to put in place data conversion programs, especially if you decided to include Microsoft Office into the deployment of your client operating system. This might mean deploying conversion tools to existing PCs as you deploy the new OS and then, performing a final data conversion after the deployment is complete. You may also need to perform application conversions. For example, Microsoft Access databases and custom tools often need to be upgraded when new versions of the suite are deployed. These conversion programs are as important as any other aspect of the project because they deal with your most valued asset: information. 47 Chapter 2 If you find you need to perform application conversions such as those for Microsoft Access, we highly recommend you redesign these application programs. For more information on gaining control of Microsoft Access applications, see Decentralized Deployment Strategies. This is also the time to initiate all of the acquisitions for the project; getting the right licensing agreements for Windows Vista and for any other software you might choose to deploy, for example, Microsoft Office Professional 2007. It also means obtaining any hardware upgrade components or new computer systems to be able to supply the deployment rate in the next phase. Microsoft Windows Vista Licensing Changes Microsoft has put in a lot of effort into Vista to protect itself from theft or software pirating. Many of these features are also designed to protect your organization and to ensure that your licensing keys are not being used outside your organization. These issues address the most common problem with Windows XP volume licenses: theft or misuse of the volume licensing key. After all, you don’t want your licensing key to be used on computers that no longer belong to you or being used by users who no longer work in your organization. The new licensing changes address just this type of situation. Organizations have three options for the acquisition of Windows Vista. The first and simplest is to acquire retail licences of the product either with new PCs or through upgrades. In this case, you’ll probably want to acquire Windows Vista Ultimate Edition as it is the only one that includes all of the features that make Vista truly great, but is also the most expensive edition. Organizations that acquire Vista through volume licensing or software assurance programs have two more options. The first is to deploy a centralized key management service (KMS) which controls the activation of Windows operating systems without requiring individual PCs to connect to a Microsoft Web site. At the time of this writing, KMS can run on either Vista or Windows Server Codenamed “Longhorn” (WSCL). It may be adapted to Windows Server 2003 in 2007. To run KMS, organizations need to have at least 25 PCs running Vista or five WSCL servers consistently connected to an organization’s network to operate—virtual instances of operating systems do not count. KMS can support the activation of hundreds of thousands of PCs from one single KMS device, though organizations should have at least two KMS devices in the network, one main device and a backup system. Location of KMS devices can be performed through autodiscovery relying on the DNS service or through direct connections, entering the machine name and port number for the connection. Client computers must renew activation by connecting to the KMS device at least once every 180 days. New, un-activated clients will try to contact the KMS every 2 hours (configurable), and once activated will attempt to renew their activation every seven days (configurable) to renew their 180-day lifespan. This 180-day lifespan ensures that any system that leaves your premises with a copy of your license will eventually expire. Organizations requiring multiple activations, but with fewer than 25 systems or with special situations that does not allow them to connect to a KMS, can rely on Multiple Activation Keys (MAK). MAKs are special activation keys that will support individual PC activation with no time limits or can go through a MAK Proxy to activate several keys at once. If the copy of Windows Vista becomes deactivated for some reason, the following features will no longer work: • The Windows Aero user interface will no longer operate. • Windows Defender will no longer remove non-critical threats. • Windows ReadyBoost will no longer operate. • The Windows Update Web site will no longer provide downloads. • Windows will provide persistent notifications that this copy is unlicensed. 48 Chapter 2 Un-activated or de-activated PCs have a 30-day grace period before requiring re-activation. Copies of Windows that go beyond the grace period enter Reduced Functionality Mode (RFM). In addition to the reduced functionalities listed above, a PC in RFM mode will: • Run a default Web browser when the user opens a session. • Run sessions with no Start Menu, no desktop icons, and a black desktop background. • Log users out after an hour without warning. Make sure you take these aspects of licensing into account when engineering your deployment. Note that Microsoft will be releasing a version of the KMS for Windows Server 2003 in the first half of 2007. You can then run KMS on a server as it should be instead of relying on a Vista PC. As each of the engineered elements of the solution is released from the solutions integration programs, it needs to undergo certification—arduous testing programs that validate that the new component will work under any condition. If it fails certification, the component must return to the integration center and be modified or updated to meet certification. If it passes certification, then the product passes on to acceptance testing—testing that is performed by appropriate clienteles, such as user representatives, local developers, line of business representatives and so on. These users have a pass or fail authority on each component and will determine if it is ready for prime time. Once all components pass acceptance testing, they are ready for the final test: the pilot project (see Figure 2.6). Since change is a constant in IT, it is often better to lease than to buy. Leasing programs include automatic upgrades on a scheduled basis. In addition, they provide consistent costs over the years. 49 Chapter 2 Figure 2.6: The Organize phase concentrates on finalizing the technology transfer methodology. Enterprise Project Planning It is important to identify existing and ongoing projects in preparation of the next phase because yours may conflict with other project schedules. If synchronization is possible in delivery schedules, you should do everything to make it happen. After all, your driving principle is little or no disruption to business operations. 50 Chapter 2 Transfer Phase — Performing the Pilot Project, then moving on to Deployment Once all engineering aspects of the project are complete, you need to take the time to complete the administrative and support aspects of the program before you test actual deployments. This includes the finalization of the end user training program, the communications program, the support program and the deployment schedule. Each of these needs to wait until all engineering is complete before it can be finalized. Don’t try to rush things. Much of this effort can be performed in parallel with the engineering tasks, but not all of it. You need to reserve a period of time after engineering finishes, but before the pilot to finalize the content of these programs. After all, it is hard to finish the training kit or the user guide until you are 100 percent sure of what the image will look like once it is deployed. The Transfer Phase This stage includes: • Finalization of Deployment Procedures Including: Training Program Communications Program Support Program Deployment Schedule • Pilot Project including: User Communications Solution Deployment Training Programs for Users Training Programs for Technical Staff Solution Support Pilot Evaluation Approach Modifications (if required) • Deployment Launch including: Deployment Coordination Deployment Risk Management User Communications Massive Solution Deployment User Training Programs Residual Technical Training Programs Deployment Support Hardware Disposal Program Ongoing Program Evaluation 51 Chapter 2 Once all components, administrative and technical, are ready, you can move on to the final test: the deployment of the pilot project before you move on to massive deployment (see Figure 2.7). Pilot projects should address up to 10 percent of the user population and should include at least one remote site if your organization includes remote sites. The purpose of the pilot project is to test of all of the facets of the deployment process to ensure quality of service for the actual deployment. The pilot project should represent every deployment activity from user communications warning them of the upcoming deployment to PC and software deployment as well as training. It should deliberately test every deployment mechanism. For example, if the project aims for the replacement of PCs, a select target group of users should be chosen to ‘forget’ applications on purpose during the PC staging process. This allows the testing of the support mechanisms for post-deployment rapid application distribution. You need to choose a select group for this type of test in order to avoid skewing the deployment results which will be used to help determine if you are ready to move on to massive deployment. Using a System Stack This guide outlines how to use a system construction model to build the PC image. This allows you to structure how applications will be deployed during the project. Generic applications or applications that are targeted to 100 percent of the user population are prepared first, which means that you can begin to deploy to users who only require generic applications as soon as they are ready. This often means as many as 50 to 60 percent of your user population. Then, as you are deploying to these users, your software packaging teams can complete the packaging of applications that are outside of the system stack. These applications should be grouped by role and when a role is complete, then you can include it into your deployment schedule, giving you time to complete the next role and so on. This lets you manage deployment activities in parallel and shorten the actual deployment schedule. Your pilot should aim to meet the goals of the massive deployment. For example, if your goal is to deploy 50 PCs per day during the massive deployment, then you should aim to meet that same objective during the pilot. Also, in order to capture comments from pilot users, you should include regular meetings with user representatives to determine the ongoing status of the pilot. Marry Training with Migration No matter how good your engineering is, migrating each PC will take time. Depending on your approach, it could take between one to three hours. It is always good to estimate half a day for each group of migrated PCs. Of course, you can’t expect users to hang around for that time doing nothing as their PC is out of commission. If you did, you couldn’t consider your approach as having no impact on business as usual. One excellent approach is to marry the user training program along with the PC migration. Call users into training, either through Webcasts or in larger presentation rooms, and introduce them to the new desktop and tool set while their PC is being upgraded or replaced. This way, users will find themselves moving to the new OS from the moment they walk into the training room. When they return to their desk after the training program, they find their PC migrated and ready to go. Give users some time to get used to the new system. Vista is not a major change, but it is different from any previous version of Windows and if you want them to be as productive as possible, let your users have some time to get used to the new system at their own pace. 52 Chapter 2 Since the purpose of the pilot is to validate and refine every aspect of the process, you’ll need to perform an evaluation at its end, sort of a pilot post-mortem. You should collect comments from every pilot participant: project managers, coordinators, administrators, technicians, users, trainers, support personnel—centralized and local, communicators, and any other personnel that participated in the pilot. Comments and recommendations should be used to modify deployment approaches in order to improve the quality of deployment services. You don’t want to identify issues with the approach when you’re ready to perform massive deployment operations, so get it right during the pilot. If you find that some re-engineering is required, pilot project users should be first on the deployment list for the next phase. Because they are the first to receive the new Vista operating system, pilot users accept to bear any inconveniences the project may bring if its approaches and solutions are not completely fine-tuned. That’s why it is important to “reward” them with the first reception of the refined solution. Figure 2.7: The Transfer phase concentrates on repetitive deployment tasks. Final modifications should be made to the deployment strategy before you start. Make sure you get management to buy off on this strategy before you can proceed. So, now you’re ready for deployment at last. All of your processes and solutions have been tested and approved and you’re ready to proceed with the deployment itself. 53 Chapter 2 Actual deployments tend to be quite complex to orchestrate—users aren’t available for training sessions, parts don’t come in on time, technical staff fall sick—sometimes its seems as if everything is going wrong, especially with massive. Two factors will help: strong deployment coordination and deployment risk management. Since the deployment is in fact the coordination of a sequence of activities, the personnel you select to administer it require very strong coordination skills. You can also rely on the communications program which should warn users one month, three weeks, two weeks, one week and them one day before they are migrated. As for risk management, it means identifying potential project weaknesses and preparing for them. Before launching the deployment, make sure that you’ve covered all the bases. Your pilot project should have helped identify the majority of these risks. Remember: always have a backup plan. For example, you should have a select list of replacement users ready and on hand in case some of the targeted users are not available. This way, you can continue to meet your daily deployment objectives and return to missed users later. When you proceed with the deployment, you’ll quickly see that after a while it becomes quite repetitive. All the better, practice makes perfect! You’ll soon be repeating all of the activities in the pilot project on an ongoing basis. Don’t get lulled by the monotony of the process! Always perform ongoing project status evaluations and be ready to modify approaches if something goes wrong. Also provide status reports to management so they can see you are continuing to meet objectives and staying right on target. Evaluation Phase — Moving on to Production The Evaluate Phase This phase includes: • Project Post-mortem Evaluation • Transfer of Project Processes into Recurring Administration including: Final Transfer of Knowledge to Operations Staff Deactivation of Project Support Mechanisms Final Documentation Delivery • Beginning of the Solution Evolution The final phase includes three major activities. The first is to perform a project post-mortem to evaluate the project’s performance against its objectives. Did it complete within budget? Did it meet every objective? Did it fit within defined timelines? Where there any overruns? Answers to these questions help form the rules and guidelines for future projects. After all, you know there is another OS deployment in your future. The second is the transfer of the deployment solution to recurring operations. If you didn’t have a managed desktop before the deployment, then now is the time to make sure you maintain all of the deployment processes in your ongoing operations, otherwise, you’ll find yourself in the same situation next time you need to run a project of this type. To do this, you need to finalize all project documentation and have project personnel perform a final transfer of knowledge to administrative and operations staff. All project support mechanisms will be deactivated. In a modern architecture, it is important to deactivate and not dismantle project support structures since you know they are required on a recurring basis. 54 Chapter 2 And third is the evolution of the solution. Once operational staff has accepted delivery of the new technology and signed off on it, secondary evolutionary projects can begin. For example, after deploying and implementing Windows Vista, you can now begin to learn how to master it and leverage its capabilities to increase quality of service within your IT infrastructure. This is the right starting point for this evolution because many of Windows Vista’s features are only available to a network that has completely migrated to this operating system. These modifications can often be performed in the background with no further disruption of organizational or operational activities. This way, the Evaluate Phase becomes the starting point of a new Questioning phase and process as your organization moves on and evolves with the new capabilities you just implemented (see Figure 2.8). Figure 2.8: The Evaluate phase begins the productive use and evolution of the solution. 55 Chapter 2 Creating a Migration Project Plan Now that you understand the QUOTE© System, it becomes important to see how it maps out to the Desktop Deployment Lifecycle (DDL) presented in Chapter 1 (see Figure 2.9). As you can see, it maps out as follows: • Question Phase: step 1, generate the business case and step 2, strategy development • Understand Phase: step 3, build the test environment and step 4, identify toolkits • Organize Phase: step 5, infrastructure analysis & update, step 6, applications strategy, step 7, pc image creation, step 8, personality protection strategy and the first part of step 9, integration strategy • Transfer Phase: the second part of step 9, integration strategy and the first part of step 10, deployment strategy • Evaluate Phase: the second part of step 10, deployment strategy As you can see, the bulk of the technical work is within the Organize phase. Figure 2.9: Mapping the QUOTE© System to the desktop deployment lifecycle. 56 Chapter 2 Project Planning Considerations Each IT project—whether a deployment project or not—relies on the five phases of the QUOTE© System. You should structure your project to align with these phases. But even with such an alignment, you’ll need to consider the actual objectives you aim to achieve with this project. In Chapter 1, we discussed the ability to rely on this project to finally gain complete control over your PC environment. We reiterate it again: if you don’t have control now, then get it; if you have control now, then refine it. Making Common Mistakes Don’t make the most common mistakes with your project. For example, make sure the technical lead isn’t also the project manager. Both roles are vital and need to be assigned to different people. Deployment projects are intricate, not to say complicated. Make sure you do not underestimate the level of work required to make this project a success. Also, define your scope and stick to it. As time goes by, others will want to add this or that to your project scope. Don’t let scope creep be the downfall of your project. If you choose to lock down the desktops and you should, don’t let anyone become an exception. In projects we have run, less than one percent of users have full administrative access and then, only through the Run As command. We’ll give you tools to make it work in future chapters. Make sure you track project progress and report on it to the Steering Committee. You might even want to put it into the communications plan—sort of a series of coming soon announcements—to build anticipation for the release and to ensure management knows how well you’re doing. Worst of all; don’t let politics dictate how the project will run. Public sector organizations are the worst for this, unfortunately for them, but private organizations are not immune to this either. This is one more reason why communications are so important. Offset politics by managing expectations. Finally, test, test and retest. This is the best advice we can give. Don’t make the mistake of delivering poor quality products. If you are in a service industry, then quality of service is how success is measured. Go for the gold! There are four pillars to any project: Cost, Scope, Quality and Time (see Figure 2.10). Each is directly tied to the other. If you change the value for one, the value for the others will automatically change. As the project proceeds, you will be under pressure to do exactly that. When deadlines loom, management will want you to cut on quality to save money, but shortterm quality cuts will turn into long-term costs. The same thing with scope; management and others will pressure you to get rid of technical ‘wish lists’. Don’t do it. Each time you get rid of a project component to try to cut corners, you’ll have to pay for it in the end. Build some leeway into your project plan so that you can have some flexibility, but aim for the highest quality. Your organization will benefit from it in the end. 57 Chapter 2 Figure 2.10: The four pillars of the project. Go to the DGVM’s companion Web site to obtain a copy of a Sample Project Plan relying on the QUOTE© System to help build out your own project. Remember that you can supplement its information with the information contained in the sample project plan Microsoft provides in the BDD. Case Study: Supporting a Migration Organization type .......................................................................................................................Public Sector Number of users..................................................................................................................................... 2,500 Number of computers............................................................................................................................. 3,000 Project focus ...........................................................................................................Migration to Windows XP Project duration ................................................................................................................................ 8 months Specific project focus ........................................... Migration from multiple operating systems to a single OS Administrative type........................................................................................................................Centralized An organization that moves to a new operating system must use complete support mechanisms during the migration. These systems must support not only the users during their familiarization with new tools, but it must also support the migration process itself and the teams that operate within it. This is often more than an internal Help Desk can manage because their own personnel are already occupied. This organization chose to supplement its support program with special help for the duration of the migration. Thus they had to increase staffing levels according to the following table: Group ______________________________________________________________________ Increase Technical support personnel _________________________________________________________ 40% User support personnel _____________________________________________________________ 20% Project information support personnel __________________________________________________ 10% Average temporary staff increase ___________________________________________________ 24% This increase was based on the following key elements: 1. 2. 3. 4. 5. 6. 7. The architectural solution was very sound. The deployment was very well structured. The project used a very complete communications program. Appropriate levels of training were offered. The support team was given intensive training. The project included a data conversion program. Technicians were very well prepared before the beginning of the deployment. These key elements helped the organization control all support costs during the migration. Most of the temporary personnel were used to replace ongoing operations and free internal technicians to work on the project, keeping all knowledge in house after the project. 58 Chapter 2 Required Teams and Roles Also, now is the time to start building up your teams. Remember that we strongly recommend that you get two types of external help if you need it, but you probably will: expert help to supplement technical leadership for the project, and technical help to replace your staff in ongoing operations and free them to work with your project team and gain immediate and direct knowledge on the new technology. After all, one of your main goals is to make sure this knowledge stays in house after the project. If you acquire external technical help and put them on the project, the knowledge will leave with them when the project is over. Don’t make this mistake! Rely on the DDL to determine which teams are required. Build on the team you gathered for the preparation of the Business Case. In the end, you’ll require the following team roles: • Logical Architect or Technical Lead • Technical Architect • Project Manager • Project Administrator/Coordinator • Lab Coordinator • Lab Assistant • Project Steering Committee o Project Sponsor o Business Unit Manager(s) o Chief Technical or Information Officer o Upper Management • IT Team Members o Inventory Analysis o Infrastructure Assessment o Security Considerations o Application Compatibility Analysis o Application Rationalization o Application Packaging o System Image Preparation o Personality Capture/Restore o Personality Rationalization o Deployment Mechanisms o System Integration 59 Chapter 2 • Support or Help Desk member(s) • User Representative(s) o Software Product Owners o Standard Users o Power Users o Business Unit Experts o Local Application Developer(s) • Financial Analyst or Asset Management Expert • Communications o Communications Lead o Technical Writers o Relay Agents • Training o Training Lead o Technical Writers o Technical Trainers o End User Trainers Remember that these roles are important even if you don’t have a massive number of PCs to deploy. You may even have the same person playing several roles, and therefore, wearing many hats during the project. Just make sure each role is covered. Of course, in larger projects, you’ll want actual teams and team leaders for each crucial activity in the project. You’re off and running. Your project is in its building stages and you now have a very good idea on how to proceed. Next, you need to begin preparing for all of the technical activities of this project. That’s exactly where future chapters will take you. Meanwhile, you have a lot of work to do. Good luck! Remember, if you want to give us feedback on this project and the content of the eBook, feel free to do so. All you need to do is write us at [email protected] 60 Chapter 3 Chapter 3: Creating the Migration Test Bed The testing laboratory is perhaps the most important part of any technical implementation project. Testing and retesting solutions before they are deployed is the only way to ensure high quality. After all, you do not want to find yourself in a situation where you are deploying garbage into your network. Garbage aside, you’ll quickly find that the lab environment is one of the most exciting aspects of the project. Things move fast, you’re playing with new technologies, you’re the hub of all technological requests; it’s just fun to work in the lab. This is another reason why you want to have everything in place the right way. When it comes to the deployment of Windows Vista, make sure you follow the golden rule of high quality solutions and provide a testing environment that meets and exceeds every need. But a testing lab is not only a technical solution; it also requires processes and procedures that must be followed to a ‘T’ if you want it to succeed. To build the appropriate lab, you need to understand what your technical teams will require. What type of project they are in and how will the project teams be organized? In the case of PC deployments, two main tracks must be covered: the creation of the PC structure and the modification of server infrastructures to support new PC operating system (OS) features. Dividing the technical aspects of the project into these two streams will help you understand what your technical team will require and when they will require it. As discussed in Chapter 1, the Desktop Deployment Lifecycle (DDL) involves several preparatory steps prior to deployment. Each of these steps—infrastructure modifications, application preparation, personality protection and PC image preparation—involves activities that are either concentrated on the PC or at the server level. Teams work together to prepare each aspect of the complete whole. Therefore, when it comes to the laboratory, you’ll need to make several important decisions: 1. Will the laboratory involve physical space? What kind of physical space will be required? 2. Will you rely on virtual machine technology and if so, to which extent? 3. What are the minimal configurations you need to use for testing? 4. Which server and workstation roles are required in the lab? 5. Which testing levels will you want your teams to proceed through? 6. How will you create each testing environment? 7. Which strategies will you use to control the graduated testing that is required to refine the solution? The answer to these questions will help you formulate your laboratory environment as well as the procedures it will rely on. 61 Chapter 3 Begin by identifying your technical teams (see Figure 3.1). Every desktop deployment project will involve at least three teams: • The administrative team is responsible for all project logistics as well as for coordination of all efforts. • The PC team is responsible for the creation of the PC solution. • The Server team is responsible for the preparation of the server environment to support the PC solution. You should ensure a very tight collaboration between the server and the PC teams and interchange personnel between the two teams whenever possible. For example, your project may only require one security professional whose job will involve the analysis of all security features, the preparation of local security policies, the preparation of access rights on file shares in the lab, the preparation of Group Policy Objects (GPO) for production and so on. By properly scheduling activities throughout the project, you should be able to create virtual teams that intermix skills and improve communications throughout all the technical aspects of the solution you are designing. Figure 3.1. The Structure of the Technical Team 62 Chapter 3 Identifying Team Needs Every technical activity for this project needs to be tested in the lab somehow. For example, if you need to deploy a tool, script or otherwise, into production to perform your inventory or readiness assessment, then you should test it in the lab before deployment. If you need to determine which tools you will use in your deployment, then you’ll need to test them. If you want to use a new method to deploy PC images, then you’ll need to test it. Everything needs to be tested. And, since you know your teams will focus on two areas, PCs and servers, you’ll need to provide functional support for each technical aspect. In addition, your testers and technicians will begin small and grow as their solution progresses. For example, at first, PC image designers will only need a workstation and perhaps some file server space to test their part of the solution, but then as their portion of the solution grows, they will require servers with special services in support of image deployment, systems to manage image servicing, systems to test image deployment results and so on. For a good overview of testing activities and testing schedules, review the Test Feature Team Guide in Microsoft’s BDD 2007. The guide is included with the other BDD documentation which can be found here. As you’ll see, the guide runs through several testing levels and helps you identify which tests need to be performed when. The best way to identify the needs of your teams is to sit down with them and run through the processes they intend to use to develop their portion of the solution. For the PC preparation aspect, this should include: • PC Image Preparation o Workstations representative of the baseline systems you’ve selected, both mobile and desktop systems o Image management and servicing systems o Reference computers o Image storage space on a server o Network connectivity components to link test systems to image sources o Deployment mechanisms • Application Packaging o Source software for all the retained applications that are moving forward to Vista o An electronic repository of all source software o A software packaging tool, including server-based workload management tools and a software repository o Test systems for quality assurance o Packaging workstations o Database system for storing all software packaging information 63 Chapter 3 • Security Preparation o Test systems for the preparation of all security aspects of the workstation o Server-based security technologies such as Group Policy and therefore an Active Directory o Tools for testing the security measures put in place o Security utilities such as antivirus and others to harden the systems • Personality Protection o Test systems for the preparation of the solution o Personality protection tools o Server-based storage for protected personalities o Backup technologies for personality archiving And of course, each team will need appropriate workspaces, access to the Internet and search engines, documentation tools and so on. You basically need to reproduce your production environment for the teams to be able to perform their work. But you also need to have central control systems to manage all of the work and activity within the lab. For example, the lab coordinator will need to have a lab schedule that will be maintained on a daily basis to help coordinate access to limited resources without negatively impacting the project schedule. In addition, the lab needs its own technical mechanisms. For example, when someone uses a workstation, it needs to be reset back to its pristine state for the next person to use it. This is only one example of the technical requirements for the lab. It also needs protection mechanisms for all the deliverables prepared in the lab— software packages, scripts, PC images and so on. Therefore the lab needs its own infrastructure as well as the more volatile infrastructure used for testing and preparation. Ideally, your lab will be set up in a permanent space and will continue to be used once this project is over. Laboratories of this type grow and shrink according to need, but continue to meet all of the testing requirements of the organization. They are formal structures that are part and parcel of the IT infrastructure and need to be administered as such. Whether it is for training, testing or development, it’s really handy to have a readily available working environment you can just jump into when you need it. 64 Chapter 3 Working with Different Testing Levels Another requirement for the lab is testing levels. Testing is performed in a graduated process which gradually evolves into more and more complicated testing levels. For desktop deployments and other IT integration projects, there are five testing levels: • Unit • Functional • Integration • Staging • Pilot Project Each level integrates more complexity as technical teams progress through them. The Unit testing level is designed for information discovery. Its purpose is to let individual technical team members discover how the feature they are tasked with designing actually works. For example, the PC Image Preparation technicians should use this testing level to discover how the Windows Vista installation actually works, play with initial Unattend.XML scripts in support of installation automation, discover how the SysPrep feature of Windows has been modified for Vista and generally familiarize themselves with the entire installation process. For this, they need access to Windows machines, including bare metal systems—systems with no OS installed—as well as Windows XP systems they can upgrade. The Functional testing level is designed for initial solution testing. Here, the technical team has determined just how a feature works and now they want to test the automation mechanisms they are preparing. They also want to demonstrate it to their peers. In the example of the PC Image Preparation task, technicians will need bare metal machines as well as upgradeable PCs. Once Functional testing is complete, you may decide to perform a larger proof of concept and perform an early deployment to select members of the project team. This will give them the opportunity to comment on the quality of the solution and provide additional feedback into the final configuration of your systems. Proof of concepts of this type do not need to be deployed automatically, though if you can do it, this type of test provides an additional level of assurance that the deployment project will succeed. The Integration testing level starts bringing each individual component of the technical solution together. For example, here you would blend PC Image Preparation with Personality Capture and Restore as well as other tasks. If you remember the PC Migration Cycle presented in Chapter 2, you’ll find that the first time you run through the entire cycle is when your technical teams reach the Integration testing level. The objective is to make every aspect of the cycle work smoothly with the others. 65 Chapter 3 The Staging testing level is focused on getting everything right. Basically, this level will provide an environment that is very similar to your production environment. While in Integration, you blended every aspect of the solution together, in Staging, you want to make sure you can reproduce every technological aspect from A to Z without a hitch. You’ll have to repeat the process until it is absolutely right. This way, you’ll know exactly what to do when you move to production and you won’t make any mistakes. Technical implementations are 80 percent preparation and 20 percent implementation, but you can only get there if you’ve fully tested each aspect. The final testing level is the Pilot Project. While all of the other testing levels focused on technical testing, the Pilot Project focuses on the complete solution, including any administrative aspect of the process. Here you test absolutely everything: the technical solution, communications, deployment coordination, training, support and so on. This test will validate the logistics of your solution as well as the technical aspects. Make sure you’ve completely evaluated each aspect before you move on. These testing levels require graduation from one to the other (see Figure 3.2). Each level will have both exit and entry criteria. For example, to leave the Unit level, technicians must prove that they have covered all of the activities for this level. To enter the Functional level, technicians must meet key requirements, and so on. You’ll build your exit and entry criteria as you learn to work more fully with the lab, but basically, they should aim to make sure that technical teams are fully prepared to move from one level to another. With the high demand you’ll have for the resources of the lab, you don’t want one team to hog resources when they weren’t ready to access them. Also, you want to make sure no damage is done to any of the high level environments—for example, Integration and Staging—causing you to have to restore them from backup or worse, recreate them from scratch. The lab is for the use of all technical team members and should never be monopolized for one single aspect of the technical solution. For a view into the Integration Architecture—the architecture that is used to build and manage testing levels—as well as a sample Exit Criteria sheet, have a look at this article which is part six of a seven part series on Enterprise Architectures. 66 Chapter 3 Figure 3.2. The Five Different Testing Levels Remember that building the lab is part of the Understand phase of the QUOTE System. Once the initial components of the lab are ready, technicians can undertake Unit and Functional testing. Then, when you move on to the Organize phase, testing will progress to Integration and Staging. The final testing level, Pilot, is part of the Transfer phase. 67 Chapter 3 Required Lab Environments Besides providing different testing levels, you’ll find that your lab will also have to provide multiple environments. A minimum of three environments are required: • The Certification Center • The Conversion Center • The Acceptance Center The first, the Certification Center, is the core environment required for technical testing. It includes the five testing levels discussed earlier and is designed to support the preparation and certification of the technical solution. Certified solutions help protect your production environments by validating that each aspect of the solution passed all of your testing requirements and is ready for prime time. Unlike the other centers, the Certification Center is virtual and does not require a specific physical location. Certification is one of the most important processes in IT implementation preparation. It is closely tied to two other concepts: standardization and rationalization. Together, these three concepts help you maintain a dynamic infrastructure that can quickly meet any business requirement. For its part, certification focuses on validating technical solutions. When solutions have been certified before delivery, you’ll find that you will have fewer support issues. In some of the projects we have performed, certified solutions were often delivered with zero defects and not one single support issue. That’s why we believe that certification is worth its weight in gold for all IT environments. The second, the Conversion Center, is required once the solution has begun to gel into a cohesive whole which is often after it has entered the Integration testing level. At this stage, you begin to understand just what your solution will look like and how it will affect both your in-house applications and the data in your organization. For example, if your only moving to Vista, you might find that you don’t have a lot of data to convert since it does maintain the same data types as previous versions of Windows. But, if you decide to include Microsoft Office Professional 2007 with your Vista deployment, you’ll have to provide a space for your users to build a conversion program. This means converting Word or Excel templates as well as document repositories. You might also need to develop an interim strategy, deploying conversion filters to people that don’t have the new solution yet so they can continue to exchange documents with their peers. In terms of applications, the Conversion Center can be used by in-house developers to upgrade the applications they are responsible for. Depending on the scale of the applications to be converted, you may find that you have to build up the scale of the Conversion Center. For example, if you are converting a line of business application that is supported by a team of developers, you might create a Conversion Center space just for them so that their work does not impact others. But, if you are looking to convert custom applications build by user developers, for example, Access applications, a single Conversion Center may be the right ticket. At the same time, you should look to restructure the way your organization uses Access and other user development tools. If you need to convert Microsoft Access applications, you should take a look at how to gain control of decentralized application proliferation through Decentralized Deployment Strategies. 68 Chapter 3 If you do need to convert data and applications because you are moving to Microsoft Office Professional 2007, then you should definitely get a hold of the Microsoft Office Compatibility Pack as well as the Microsoft Office 2007 Resource Kit. The Conversion Center can be opened as soon as you have a working solution for the creation of new PCs. The solution doesn’t have to be deployable in an automated way. It all depends on whether you are using virtual machine technology or physical machines for testing and conversion. If you are using virtual machine technology, then you can just reset each virtual machine after each test, but if you use physical machines, then you’ll have to at least have some system images of the machines so you can easily reset them after each test. More on virtual machine technology and its role in the laboratory is covered later in this chapter. Finally, the Acceptance Center also needs to be maintained and supplied by the laboratory. Acceptance doesn’t occur until components are ready for it so this part of the lab rarely comes until at least the Integration testing level has been reached. Exceptions are software packages. Each software package must be accepted by the appropriate software product owner—a subject matter expert who is also responsible for the evolution of a product in your network—when it has been prepared. Several packages need to be prepared before the complete solution needs to be integrated. As each package is finished, it should be passed through acceptance testing as soon as possible. This allows you to run parallel streams of activities and reduce the overall project timeline. For full acceptance of the entire solution, tests must be done from the Staging testing level and must include all aspects of the solution. In this case, acceptance is performed by various IT stakeholders—stakeholders who will be responsible for the solution once it is in production. At the expense of repeating ourselves, we strongly recommend that if you are bringing in outside help for this project, you make sure that the bulk of the help you get is to replace your staff in their day to day tasks. This liberates them to work on this project. Its more ‘fun’ than normal day to day work and it gets them to learn new tricks and techniques. What’s better is that in the end, you get to keep all the knowledge in house, letting you move forward at a faster pace. Relying on Virtual Machine Software Virtual machine (VM) software—software that emulates a physical machine and lets you run other instances of an operating system—is an ideal complement to the laboratory. There are lots of reasons why this is the case. First of all, in almost all instances, you can virtualize most of the servers in the solution. Ideally servers will be running Windows Server 2003 R2 (WS03) to ensure that they offer the most up to date server capabilities. In most of our tests, we’ve been able to run file server roles with as little as 256 MB of RAM allocated to the VM. Of course, you may need to increase the amount of RAM when you add roles to the server, but if you have the appropriate host, you should easily be able to run any server role you need. 69 Chapter 3 Windows Vista client machines are a bit more problematic. Vista requires a minimum of 512 MB of RAM. You can cut it down to lower RAM levels, but performance will seriously decrease. Remember though that some physical PCs will still be required to test Vista image deployment. Several aspects of this test cannot be driven through virtual machines—driver tests, hardware abstraction layers (HAL) and the Aero user interface—at least not yet, so you’ll need to have access to come physical PCs for testing. Nevertheless, working with both client PCs and servers through VMs will seriously cut down the cost of building the laboratory. You can rely on virtual technology from either Microsoft or VMware as both offer free copies of their tools, once again reducing lab costs. Both offer full support for running Windows servers or PCs. In addition, you may want to obtain tools for the conversion of physical machines to virtual instances. This saves a lot of time as you simply point to the physical machine you want to capture, and easily transform it into a virtual instance. Get your free copies of the various products you need to support virtualization in your lab: • Microsoft Virtual Server 2005 R2 • Microsoft Virtual PC 2004 SP1 • VMware Server • Microsoft Virtual Server 2005 Migration Toolkit • VMware Converter 3.0 In addition, working with virtual machines, you can ‘virtualize’ the laboratory. Many of our clients buy some very large host machines to run their laboratories. The ideal machine will be an x64 server running several multicore processors, lots of RAM and lots of disk space. Use Windows Server 2003 R2 x64 Enterprise Edition as the host OS for this server, install the virtualization technology you’ve chosen and you’re off and running. When you consider the cost of these machines compared to the cost of having a complete physical lab, they really cut down the overall cost of the lab. For example, one customer was able to build an entire collaboration testing environment in less than 32 hours with only three people, two of which could not touch the keyboard since they were foreign nationals. Think of it: less than four days to build three physical hosts and more than 10 virtual machines playing roles as various as Active Directory, Exchange, SharePoint Portal Server, Content Management Server, SQL Server, Live Communications Server and more. This also included all of the standards for the install, all of the documentation for installation and configuration procedures, and of course, the virtual machines themselves including source machines for WS03 Standard Edition, Enterprise Edition and Windows XP Pro. In addition, they are now able to reuse and even duplicate this environment for other testing purposes. There is no doubt that this level of ROI is simply not available with physical laboratory environments. There are a whole series of operations you can perform with virtual machines that you just can’t perform with physical machines. For example, you can very easily create a source machine. Install a first instance of the OS into a VM, customize its configuration, update its default user profile, update it in terms of patches and once it is ready, copy it and SysPrep the copy. Voila! You now have a source machine that can be copied and reused to seed any machine role you need. That’s a lot easier than working with a physical machine. 70 Chapter 3 Another major benefit is the use of Volume Shadow Copies (VSC) on WS03. Since virtual machines are nothing more than a series of files on a hard disk, you can enable automatic backup protection for them by enabling VSC and then relying on the Previous Versions client to restore any damaged machine almost instantly. VSC automatically takes two snapshots per day and can store up to 64 different snapshots which provides a very adequate level of protection for your VMs. This doesn’t replace proper backups, but it is at least a first line of defense that costs very little if anything. Physical versus Logical Workspaces Another advantage of virtual machine technology in the testing lab is that you don’t need the physical space a conventional lab usually requires. If you create the lab space in a datacenter by hosting a series of virtual machines on a given set of servers, the host servers can easily be located in the normal datacenter and profit from the standard operations applied to any production server—backup, patch updates, antivirus updates and so on. Then, your technical team can connect to the VMs these servers host through the normal network. There may be reason for you to provide your teams with a separate network segment to isolate their network traffic, but if everything happens in the datacenter on the same server hosts, then network traffic is not really an issue. You can create a single workspace for both technical and administrative project team members; that is, if they are in the same physical location. A workspace of this type will really help foster team building as well as ensure that there is constant communications between all team members. This type of work environment can seriously cut down project timelines and increase team bonding, one of the major factors in project success (see Figure 3.3). Figure 3.3. The Layout of the Project Workspaces 71 Chapter 3 In the best projects we have run, a central workspace was created for team members. If other locations were involved in the project, this central workspace was duplicated in each location. Within the central workspace, each team member had their own PC for day to day work. Technical team members were given more powerful PCs with lots of RAM so that they could run local VMs if required. In addition, examples of each of the baseline PCs retained for the solution were available. All of these systems had a connection to the VMs in the datacenter either through the VM client or through Remote Desktop Connections. This forms a ‘virtual’ Certification Center. As far as the other centers were concerned—the Conversion and Acceptance Centers—they were located in separate rooms, not too far from the central workspace. Separate rooms were used because of the nature of the work conducted in each center and because we needed to provide support to the users working at both conversion and acceptance. Each location was linked to the datacenter and to each other. Using a central workspace allowed team leaders to conduct ad hoc meetings whenever issues came up. These issues were often resolved before they became problems. This strategy provided the very best results and supported every aspect of the project. In addition, it fostered team building as all team members, even administrative members, grew excited as they saw the progress of the solution through instant demonstrations by technical staff. Defining Lab Requirements Now that you understand the various needs for the lab, you can begin to prepare for it. This may require some initial acquisitions in order to properly populate the lab. Too many organizations populate labs as afterthoughts, bringing in the oldest machines in the network and leaving lab technicians with having to cannibalize various machines to try to put something decent together. Don’t make this mistake! This lab is the epicenter of the project so make sure you populate it appropriately. Here’s an example of what you might need. The scale of the requirement will depend on the scale of your project. Keep in mind that you can run to five or six virtual machines per processor if all of the other requirements—RAM, Hard Disk Space—are available. 72 Chapter 3 Minimal Configurations for Lab Systems The minimal configurations required to support the lab should resemble the following list. 1. Host Server(s) • Dual x64 dual-core SMP Server • 512 MB RAM for the host OS • 256 to 512 MB RAM for each VM running on the host • At least 2 disks for RAID 1 (mirroring) • Preferably, 3 or more disks for RAID 5 (stripe with parity) • Use the largest disk size you can, currently about 300 GB • Retain about 30 GB for the system drive • Assign the bulk of the space to a data drive which will store the VMs • Retain about 30 GB for a third drive which will host the shadow copies produced by VSC • Dual network interface cards (NIC) at a minimum speed of 100 Mbps to support multiple connections to the virtual machines hosted by the server; verify with the virtualization manufacturer to see if you can team the NICs Use 64-bit processors because they break the memory barrier and can handle significantly more network throughput. 32-bit processors are limited to 4 GB of RAM and have to use special procedures to access any RAM above this limit. 64-bit processors can natively access up to 32 GB of RAM. There’s just no comparison when it comes to running VMs. Also, make sure you acquire the proper versions of 64-bit processors because you will want to run x64 VMs. Currently, all AMD 64-bit processors support 64-bit VMs, but only VT-enabled processors from Intel will do so. Finally, you might consider selecting AMD processor-based servers since AMD currently guarantees that it will use the same socket footprint for quad-core processors when they are released later in 2007. To upgrade your server, simply pop out the existing processor and pop in a quad-core. For more information on x64 servers, view the Move to the Power of x64 webcast from Resolutions. 2. Vista Premium Ready PC(s) • 1 GHz processor, 32- or 64-bit • 1 GB of RAM minimum • DirectX 9 support with at least 128 MB of dedicated graphics memory • DVD-ROM drive • Audio Output A Premium Ready PC configuration is listed here, but if you opt to keep some Vista Capable PCs in your network, you should also include examples in the lab. In fact, you need to have examples of each machine configuration you will retain after the migration to Vista. 73 Chapter 3 3. Technician Workstation(s) • 1 GHz processor, 64-bit if possible • 2 GB of RAM minimum • DirectX 9 support with at least 128 MB of dedicated graphics memory • DVD-ROM drive • Audio Output Technicians should have as powerful a PC as possible. They will be running VMs both locally and remotely and may need to run more than one VM at a time. Only technician workstations are listed here, but you might consider giving each staff member, even administrative members, PCs that meet at least the baseline systems you have selected for your project. The entire project team will act as guinea pigs when you perform the proof of concept and get the entire project team to test the solution. This is another strategy that fosters excitement within the project team. 4. External Hard Drive(s) • External drive of 80 GB at 7200 RPM with USB 2.0 or Firewire (IEEE 1394) For Unit and Functional testing levels, the lab can deliver canned VMs on external hard disk drives. Technicians can then work from their own PCs with their own VMs without impacting any other person in the team. Running these VMs on high-speed external drives provides much better performance than running them on the system disk. In addition, because of the average size of a VM—from 4 to 20 GB per VM—delivering them on external hard disks makes a lot more sense than trying to place them on spanned DVDs. Using external hard disks, you will also be able to deliver VMs to remote offices where technical staff may perform activities in support of the project. 74 Chapter 3 Virtual Machine Configurations Virtual machines should be configured as follows: 1. Standard Server VM RAM: ..................................... 512 MB of RAM minimum OS: ........................................ WS03 Standard Edition Service Packs:...................... All applicable service packs and hotfixes should be installed Number of Disks: .................. Depends on the role; can be from 1 to 3 Disk Size: .............................. Drive C: 20 GB expandable disk (leaves room for upgrades) Drive D: 50 GB expandable disk (optional based on server role) Drive E: 10 GB expandable disk Network Cards:..................... At least one NIC per VM CD/DVD Drive: ..................... When providing VMs for use either locally or remotely, you should include ISO files for the installation media; this lets technicians add roles to the machine and generally control its feature set 2. Enterprise Server VM RAM: ..................................... 512 MB of RAM minimum OS: ........................................ WS03 Enterprise Edition Service Packs:...................... All applicable service packs and hotfixes should be installed Disk Size: .............................. Drive C: 20 GB expandable disk (leaves room for upgrades) Drive D: 50 GB expandable disk (optional based on server role) Drive E: 10 GB expandable disk Network Cards:..................... At least one NIC per VM CD/DVD Drive: ..................... When providing VMs for use either locally or remotely, you should include ISO files for the installation media; this lets technicians add roles to the machine and generally control its feature set 3. Bare Metal PC VMs RAM: ..................................... 512 MB of RAM minimum OS: ........................................ No OS Service Packs:...................... No fixes or service packs Disk Size: .............................. Drive C: 20 GB expandable disk (leaves room for Vista installation) Network Cards:..................... At least one NIC per VM CD/DVD Drive: ..................... When providing VMs for use either locally or remotely, you should include ISO files for the installation media; this lets technicians add roles to the machine and generally control its feature set 4. Vista PC VMs RAM: ..................................... 512 MB of RAM minimum OS: ........................................ Windows Vista based on the editions you decide to deploy Service Packs:...................... All applicable service packs and hotfixes should be installed Disk Size: .............................. Drive C: 20 GB expandable disk Network Cards:..................... At least one NIC per VM CD/DVD Drive: ..................... When providing VMs for use either locally or remotely, you should include ISO files for the installation media; this lets technicians add roles to the machine and generally control its feature set 75 Chapter 3 5. Windows XP PC VMs RAM: ..................................... 512 MB of RAM minimum OS: ........................................ Windows Vista based on the editions you decide to deploy Service Packs:...................... All applicable service packs and hotfixes should be installed Disk Size: .............................. Drive C: 20 GB expandable disk (leaves room for the upgrade) Network Cards:..................... At least one NIC per VM CD/DVD Drive: ..................... When providing VMs for use either locally or remotely, you should include ISO files for the installation media; this lets technicians add roles to the machine and generally control its feature set When creating client VMs, keep in mind that Windows Vista requires 15 GB of disk space to perform an installation or an upgrade. Stay on the safe side and make the disks even bigger. Since you’re using expandable disks, the actual space won’t be used until the system needs it. Also note that no Windows 2000 machine is required since you cannot upgrade from 2000 to Vista. You need to perform a clean installation. Also, if you are working with VMware, check out this blog on the Realtime Publishers’ Vista Community Web site for this on how to make it work right. VM User Accounts User accounts are also critical when setting up VMs for distribution to the technical team. With the Unit and Functional testing levels, it is safe to give administrative access to the technicians on your project team in both server and workstation VMs because they are standalone environments. But as you proceed through the testing levels, you need to tighten down change control and grant access to high privileged accounts only to the lab administrator. After all, capturing the changes required to the infrastructure is the purpose of these environments. When you deliver standalone machines for either the Unit or Functional environment, you should endeavor to make servers domain controllers. Their behavior will be different than member servers, but it will be easier to assign different roles to the accounts the technicians will require. In many cases, these testing levels will require either a single PC VM or a PC VM coupled with a server VM where the server is playing a series of different roles. Technicians need to have appropriate access rights to discover how the Vista installation process works or to work with any utilities which will be required to support the migration. When you grant users access to the VMs that make up either the Integration or Staging testing levels, you give them accounts with appropriate access rights as outlined by the information the technical team will provide you. Remember that in Windows Vista, the default administrator account is disabled at installation. Your technicians will require their own administrative accounts. You should make sure that whenever you provide access to machines in a shared testing level, that the administrative account includes a strong secret password. 76 Chapter 3 Required Server and Workstation Roles Within each testing level, you’ll need to assign or create several different machine roles. As mentioned previously, in the Unit and Functional testing levels, server roles can be integrated into one single VM, but as you move up the testing ladder, you’ll want to separate different roles to represent the production environment you’re running. For example, your Integration level may still join several roles together into a few machines, but when you get to Staging, it should be as similar as possible to the production environment. Staging is that last technical test before you start making changes in production itself so you need to get it right (see Figure 3.4). You can even use VMs to simulate remote sites. Windows Server 2003 includes routing capabilities that are very similar to those of Cisco’s devices. You can enable Routing and Remote Access (RRAS) on two different VMs and use them to simulate the routing of data from a local to a remote site. Then you can add branch office server roles to the site located behind the remote routing server. In the end your lab will need to provision several different types of levels and several different environments. Remember that when you build the more permanent testing levels or environments, you’ll want to build in redundancy into the lab infrastructure. For example, the Staging testing level should have at least two domain controllers for redundancy. File servers will need to have several different file shares to provide storage for PC images, software repositories, and user data repositories. Deployment systems will need to support several features such as inventory, PC image deployment, software deployment, status reporting and perhaps software metering if you need it. Each level will also require some form of database server because several deployment components require it. And if you simulate remote sites, you’ll also need to include replication engines into your solution to replicate objects such as software packages, PC system images, and so on. Rely on WS03 R2 for all replication scenarios. WS03 R2 includes the Distributed File System Replication System (DFSRS), a new delta compression replication engine that is a snap to configure and replicates only changes between files. It is much better and easier to use than either the traditional File Replication Service (FRS) or scripts based on the Robocopy utility found in the WS03 resource kit. Try it, you’ll love it! 77 Chapter 3 Figure 3.4. The Different Roles required in the Virtual Lab Reproducing Business Critical Applications In some instances it is not possible to reproduce business critical applications—applications such as SAP databases—within the lab environment. There are several strategies you can use (see Figure 3.5) depending on the size of your organization. Small organizations will want to link testing PCs to the production SAP database and will need to proceed with utmost care. Medium organizations may be able to generate a duplicate SAP database with scrubbed data. Large organizations will already have development versions of their SAP databases and can link to those to perform application and compatibility testing. In all cases, testing systems should be isolated from the production network as much as possible. In any event, make sure you fully back up all critical systems before you begin any form of testing against them. 78 Chapter 3 Figure 3.5. Complex Business Critical Testing Scenarios based on Organization Size Requirements for each Testing Level Table 3.1 outlines guidelines for the requirements for each testing level. Adjust them according to your own needs. Test Level Objective Virtual Machines Physical Machines Unit Discovery of new features and feature operation • PC Team: Typical Windows XP PC and Bare Metal • Server Team: Multi-purpose Server plus Windows XP PC and Bare Metal • None Functional Automate features and obtain peer review • All Teams: Same as Unit • None Integration Link all aspects of the solution together • All Teams: Several Singlepurpose Servers plus Windows XP PC, Bare Metal and Vista • Testing Stations: all models of retained configurations plus all external hardware devices Staging Finalize all technical procedures and prepare for final acceptance testing • All Teams: Servers represent small-scale production environment plus Windows XP PC, Bare Metal and Vista • Same as Integration Pilot Finalize all technical and administrative procedures • Few VMs if any • Use production systems in preparation of massive deployment Table 3.1. Requirements for each Testing Level 79 Chapter 3 Each of the five environments has its own requirements, but fortunately, you can reuse many of the requirements of a previous level for those of the next. Here’s the breakdown of machine reuse. • Unit level: individual technicians work with their own machines stored on an external disk and linked to their own PC. • Functional level: as team members graduate from Unit to Functional, they reuse the original individual machines they had in Unit since they are no longer needed at that level. • Integration level: all team members begin to share the same set of virtual and physical machines as they begin to integrate their part of the solution into a single environment. Change control is activated to capture all practices. • Staging level: all technical team members share an environment which is a scaled down version of the production environment. Change control is absolute and no change can be performed without being tracked. Procedures are completely finalized and are tested from end to end. • Pilot level: All team members, including administrative staff, use production systems to target a deployment to about 10% of the population. In addition to the requirements for testing levels, you’ll also need to understand the requirements for the three environments—Certification, Conversion and Acceptance—the lab will support. The Certification requirements are listed in Table 3.1 because this environment comprises each of the testing levels. The requirements for the other two environments are listed in Table 3.2. Environment Objective Virtual Machines Physical Machines Conversion Convert data and applications, both enduser developed and corporate • Data Conversion: Possibly a Vista PC linked to the Staging test level • End-User Apps: A Vista PC linked to either Integration or Staging • Corporate Apps: A Vista PC linked to either Integration or Staging • All: PCs with access to the virtual environments • Corporate Apps: Possibly Vista PCs with Aero interface linked to either Integration or Staging Acceptance Provide acceptance of software packages and of the overall solution • Software Owners: Vista PC linked to Integration • IT Stakeholders: Reuse Staging • All: PCs with access to the virtual environments • IT Stakeholders: All baseline systems retained to support Vista Table 3.2. Requirements for Conversion and Acceptance Environments 80 Chapter 3 Creating the Lab Environment The actual creation of the laboratory environment is simpler once you understand how it should work. If you want to get your technical team members going early, all you need to do is prepare the virtual machines that are required for Unit and Functional testing. These are fairly quick to prepare, but you should still proceed with care. Ideally, you will already have initiated the acquisitions required for these VMs—external drives and perhaps high performance PCs—and have determined which virtualization technology you want to use as well as obtain the virtualization software. This will be the first of many source installation files that the lab will be responsible for maintaining. You will also need to obtain source installation media for all of the operating systems you will be working with. To make them easier to work with, transform the install media into ISO files because these act as CD drives in virtual machines. Once you’re ready, prepare these two environments in the following order. Rely on an existing workstation with sufficient capabilities to perform these steps. 1. Install the virtualization technology on a workstation with sufficient capabilities to create virtual machines. 2. Create your first virtual machine, assigning RAM, disk space and network interface cards. It is best to create a new folder with the machine name and store all VM component files into this folder. 3. Connect the VM’s CD/DVD drive to the ISO file for the OS you want to install. 4. Perform the installation, running through your standard procedures for OS installation in your organization. If you also elected to obtain a physical to virtual conversion tool, you can also create this machine by converting an existing physical machine into a VM. 5. Customize the machine as you normally would, update the default user and apply any patches or updates that are required. 6. For any copy of Windows prior to Windows Vista, copy the following files from the Deploy.cab file located on the appropriate Windows installation CD to a new folder called SysPrep on the %systemroot% drive—usually the C: drive: a. Setupmgr.exe b. SysPrep.exe c. Factory.exe d. Setupcl.exe 7. Run Setupmgr.exe to generate a SysPrep.inf file. Use your organizational standards to provide the answers required for this file. Close Setupmgr.exe. 8. Copy the VM’s entire folder, rename the folder and the VM files to “machinename SysPrepped” and open the new machine in your virtual machine tool. 9. Run SysPrep.exe on the machine to select the Reseal option, depersonalize it, and shut it down. You now have a source machine from which you can generate a number of copies. 81 Chapter 3 10. Since Unit and Functional levels require at least three source machines: WS03 Standard, WS03 Enterprise and Windows XP, repeat this process until each one is created. 11. Create a fourth source machine with no OS. This will become the bare metal machine testers will use for the Vista installation. 12. Document each machine, listing user accounts and capabilities, copy them onto the external disks and provide the disks to your technical team members. That’s it. Now that your team members are ready to proceed with their own work, you can move on to create and prepare the working environment for the lab as well as preparing the Integration and Staging environments. Virtual Machines and Software Licensing Even though you’re working with virtual machines, you still have to be conscious of licensing issues, especially if you’re building a laboratory to last. For this reason, we don’t recommend using evaluation copies of software or operating systems. Here are some general guidelines on how you should license virtual machines. You should verify with your vendor to make sure these guidelines meet their licensing requirements. • SysPrep machine: A SysPrep machine does not require a license because it is a machine that is used only to seed other machines and doesn’t actually get used as is. Once you’ve copied the SysPrep machine and start personalizing it, you need a license for the machine. • Running virtual machines: Each machine that is named and is running on a constant basis needs to have its own license. • Copied virtual machines: Each copy of a virtual machine does not need its own license so long as they are not running at the same time. • Copied and renamed virtual machines: Each time you copy a virtual machine and rename it, you need to assign a license to it. A renamed machine is treated as a completely different machine and therefore needs a license. Using either the Microsoft Developer Network (MSDN) or TechNet Plus subscriptions, you have access to ten licenses of each product, though each license needs activation. Both subscriptions support the legal reuse of virtual machines. Note: If the host operating system is WS03 Enterprise Edition, then you can run four server VMs at no additional cost. This makes a good argument for making the host systems run this OS. More information on virtual machine licensing for Microsoft Windows Server 2003 can be found here: http://www.microsoft.com/licensing/highlights/virtualization/faq.mspx. When you’re ready to build the lab itself as well as Integration and Staging, you’ll need to perform the following activities: • Begin with the base server installation(s) for the host servers • Create file shares for the lab repositories • Install virtual machine (VM) software on host servers • Create the VMs that simulate production servers and other aspects of the production environment 82 Chapter 3 You’ll find that you need a great deal of storage space. You must plan for storage space, keeping in mind the following requirements: • Space for storing all lab data • Space for the installation media for all OSs and for all retained software products • Space for the images built during testing—images of both VMs and physical systems • Space for backing up virtual hard disks and duplicating entire virtual environments On average, a minimum of 200 GB of space is required, but this number is affected by the number of disk images, VMs, and application packages your project covers and it does not include the storage space required on the host servers themselves. When you build the Integration and Staging test levels, remember that they need to be as similar to production as possible. Also remember that they don’t need to be identical. For example, there is no reason to use the same Active Directory forest or domain names since they do not affect the PC deployment process. Ideally, you’ll use proper names for AD components, names that make sense and that you can keep on a permanent basis. In our opinion, it is always best to actually acquire proper domain names for this purpose because they are permanent and this low cost is not a burden on the project’s budget. When you work on the client computer portion of the lab, design it to test the same functions and features currently in use or planned use in the production environment. Include the same types of hardware, applications, and network configurations. Remember, the hardware components of the lab can be limited to the actual computers targeted for deployment and the host servers for VMs. In addition, the host servers can double as file servers for lab data. There is no reason for the actual production server hardware to be duplicated so long as all of the services provided in production are duplicated in VMs. With the use of the right hardware, the lab can also be transformed into a portable environment. Several manufacturers are now releasing very powerful portable hardware. For example, NextComputing LLC offers a portable lab server through its NextDimension system. This system can include multiple dual-core CPUs, loads of RAM, multiple serial ATA (SATA) drives with lots of space and even multiple monitors, all in a transportable format. For more information on the NextDimension, go to http://www.nextcomputing.com/products/nextdim.shtml. Once you’ve built out the entire lab including machines for use in each of the testing levels, you can build a custom Microsoft Management Console (MMC) using the Remote Desktops snap-in to create a single console that will give you access to all machines, virtual and physical (see Figure 3.6). Add multiple copies of the Remote Desktops snap-in—one for each of the different testing levels and one for the physical hosts—to differentiate between each level. Also, use significant names to easily identify which machine you are working with. Make sure Remote Desktop connections are enabled in each machine and you can use this console to manage each and every environment. 83 Chapter 3 Figure 3.6. Multiple copies of the Remote Desktops snap-in in an MMC give you access to all testing levels The lab coordinator and the lab assistant are responsible for the construction of the lab. They will draw upon some technical resources for this construction, and then need to put in processes for the reuse of VMs and other lab components. The lab coordinator will also be responsible for the creation of a lab schedule and perhaps a team workspace. Microsoft SharePoint Portal Server is ideal for the support of both of these tasks. You can use a copy from your MSDN or TechNet licenses to put it in place. SharePoint is also ideal for the creation and maintenance of the deviance registry—the tool you will use to track any issue, both technical and administrative, the project will encounter as it creates the solution for deployment. Once again, the lab manager will be responsible for the maintenance of this registry. You can use either Windows SharePoint Services (free with a license of WS03) or SharePoint Portal Server. SharePoint Services are easier to implement, but both require a back end database. In addition, you can find a template for a project team site here. More templates for SharePoint can be found here. 84 Chapter 3 The lab includes project deliverables, the lab itself being one of them. Other deliverables include: • Laboratory description: this outlines the strategy you will use to create and implement the environments supported by the lab. • Technical laboratory deliverables: this helps identify how the deliverables from the laboratory can be used in support of other testing or development scenarios. With virtual laboratories in particular, it’s really easy to include pre-constructed machines as deliverables to other projects. • Laboratory management practices: the practices you’re going to use for the management and operation of the laboratory. • Future plans and projected growth: to look beyond the immediate and cover both best practices and recommendations for future lab usage as well as for the creation and management of a distributed virtual laboratory structure as more and more members of the organization require access to virtual technologies. When the technical builds of the test levels are complete, they should be fully tested to ensure that they do indeed reproduce the production environment and that they will support testing of the entire deployment solution, including image and software deployment. Then, once this is complete, your lab will be ready for prime time and will be able to support all aspects of the solution preparation. You can build your own lab, or if you want to fast-track this aspect of your project, you can rely on virtual appliances—pre-built VMs that include all of the required features to support each testing level—that have been prepared by third parties. Click here to find out more about virtual appliances in support of the Desktop Deployment Lifecycle. 85 Chapter 4 Chapter 4: Building the Migration Toolkit Now that the test bed is ready and some members of your team are in the process of beginning the unit tests they need to complete to get the engineering aspects of the migration project going, you can begin the selection or verification process for the different tools your project will require. The toolkits you will need to rely on cover three procedural and technical different requirements for this project: • General project guidance as well as technical guidance for the engineering aspects of the project. • Tools to provide support for the administrative and other processes the migration project itself will require. • Tools to support the actual migration. The first two help provide structure for the project and all of the technical processes the project requires. In addition, the technical guidance obtained for the project will support the third requirement: tools to sustain the actual migration. For this, you should rely on the seven-step PC Migration Cycle (PMC) introduced in Chapter 2. Ideally, the tools you select for this project will be tools you can carry forward into production once the project is complete. As such, this toolkit must also aim to support ongoing management and administration of Vista PCs once they are deployed into your network. Technical and Administrative Migration Guidance To properly run a migration project, especially a PC migration project, you need to follow some form of guidance, ideally, best practices guidance. Up until now, there has been very little such guidance available and each and every organization had one of two choices: • Build their own guidance through actual project realizations, or, • Hire high-powered consultants or consulting firms to provide guidance they have developed over years of practice in this field. Both had their own risks. The first led you to build your own expertise through trial and error, most often errors. While this is an effective way to build internal expertise, it can be costly, especially in terms of potential loss of data or a potentially disgruntled user base. The second can also be costly, although the project’s end result should be of better quality. Fortunately, things have changed. Microsoft and other vendors have realized that it is important if not essential, to provide guidance to client organizations on how migration projects should be run. The result has been the publication of white papers and other documentation on PC migrations along with tools that are designed specifically to assist in the migration process. Of course, we like to think that this particular guide is an excellent source of information on PC and other migrations as it stems from our own experience as high-powered consultants providing this type of guidance to our clients. But it is important for us to point you to any other materials you can rely on to supplement what we provide here. This way, you won’t forget anything in this most important project and make it the resounding success it should be. 86 Chapter 4 Microsoft has been trying to alleviate the lack of guidance through the release of its own Business Desktop Deployment Solution Accelerator (BDD). BDD has been mentioned before, but it is important to note that BDD, especially the new 2007 version, is not just a set of tools, but that it also includes guidance for the migration. What’s different with BDD 2007 is that Microsoft has now generalized the guidance, removing any mention of its own particular tools in support of migrations. This means that Microsoft partners that specialize in migrations and system deployments can adapt the BDD guidance to their own toolkits, while relying on the generic guidance it includes. The BDD guidance can be found at http://www.microsoft.com/technet/desktopdeployment/bddoverview.mspx. Partners Altiris Corporation and LANDesk Corporation have done so and supplement BDD with their own recommendations, based of course, on the tools they provide to support OS migrations. As you may have noticed as you read through the BDD guidance, it provides a ton of information on the migration process. This is why both partner organizations have kept their own guidance shorter and more to the point, using sort of a ‘notes from the field’ or hands on from extensive consulting experience with actual customers approach. Though both Altiris and LANDesk provide supplementary guidance, they are not the only ones to do so. Several Web sites provide additional guidance on OS migration. This is one reason why you should also research the terms ‘OS Migration’ on the Web using your favorite search engine if you feel that you’re still missing information after using all of these different sources, including this eBook. Altiris migration guidance can be found at http://www.easyvistamigration.com. LANDesk migration guidance can be found at http://www.landesk.com/vista. Realtime Publishers also has a Vista community Web site that is chock full of information. Find it at http://www.realtime-vista.com. Other Web sites are also useful: AppDeploy talks a lot about application packaging: www.appdeploy.com. MyITForum also includes a lot of information about deployments: www.myitforum.com. Desktop Engineer is also a site that offers good migration advice: http://desktopengineer.com/. Of course, Resolutions Enterprises Ltd. has a ton of articles on migration and other management practices at http://www.reso-net.com/articles.asp?m=8. Along with this structural guidance, you’ll need technical guidance—information on how the technical tools you need to work with work and how you should use them. Because this guidance will be required for each of the different steps in the migration process and because it is also required in support of other, related technical process, it will be addressed as we discuss each tool you need in the remainder of this chapter. Note that this chapter has two goals. The first is to provide you with sources of information in support of building your migration toolkit. The second is to help you build the list of requirements for each tool you will need so that you know how to proceed during the selection of the tool itself. 87 Chapter 4 Project Support Tools As mentioned in previous chapters, you need a series of different tools to support the administrative processes tied to this project. These tools range from simple spreadsheet management tools to sophisticated collaboration systems you can use to share information with the entire project team. A project such as this requires a lot of coordination. Several actors are involved, each with their own tasks to perform at different levels of the process. More detailed information about each task will be covered in coming chapters, but if you rely on the QUOTE System as outlined in Chapter 2, you’ll at least have a good starting point on who needs to do what. Also, Chapter 2 provided a sample project plan to help you get started with your own. This project plan was prepared in Microsoft Project Professional 2003 and can also be used in Microsoft Project 2007. You’ll need this tool if you want to begin the process. In fact, Microsoft Office or some other office-like suite is an important part of the project management and administrative process: • Microsoft Word is used to prepare the Business Case (also provided as a template download for Chapter 1), as well as for supporting documentation for each of the technical or engineering aspects of the project. It is also a must-have tool for the communications and training groups. • Microsoft Excel is required to manage several lists the project will produce: inventory validations, financial analyses, issue tracking and so on. • Microsoft PowerPoint is used for the preparation of presentations to both officials and to introduce the project to new team members. It is also of high value for training and communications. • Microsoft Visio is essential to prepare network diagrams or logical constructs of the technical solution as it is devised. It is often a good idea for project team members to use the latest and greatest technology, or at least the technology they plan to deploy among themselves. Using the latest technology acts as a proof of concept and helps program members learn how the new technology will benefit their organization. If you plan to include Microsoft Office 2007 in your deployment, then you should aim to deploy this tool as early as possible to all team members so that they can begin to use its added functionality in support of the project. There are several options for the deployment of these new tools to the team. One of the best and easiest options is to deploy these tools inside virtual machines and make the virtual machines available to team members. But most often, project teams will elect to deploy PC operating systems (OS) and productivity suites directly onto team members’ physical systems, while deploying and server-based technologies onto virtual instances of the servers. This is often the easiest way to introduce these technologies in a manner which allows the project team to profit from advanced feature sets immediate without disrupting the production network. 88 Chapter 4 Creating virtual instances of servers would then be ideal for two key products: • Microsoft Office Project Server 2007 (http://office.microsoft.com/en-us/projectserver ) which helps regroup project information into a central location, distributing workloads and task assignments to each team member and updating the central repository as tasks are completed. • Microsoft Office SharePoint Server 2007 (http://office.microsoft.com/enus/sharepointserver ) which regroups the functionality of both SharePoint Server 2003 and Content Management Server 2002 providing a single repository for collaborative efforts including change control and content management. As mentioned in Chapter 3, creating a collaborative environment is an excellent way to share information with the different members of the project team. It lets you store all project information and project updates in one single location, it lets non-technical teams such as training and communications, even upper management keep up with project progress and it serves as a mechanism to store and protect all project information—information that can be carried over to the production environment once the project is complete. To build the project collaboration environment, you can use either Windows SharePoint Services (free with a license of WS03 or incorporated into WS03 R2) or SharePoint Portal Server. SharePoint Services are easier to implement, but both require a back end database. In this case, you should rely on Microsoft SQL Server 2005 rather than a runtime version of Microsoft’s database because it is more robust, more secure and will make it easier to carry over information once the project is complete. The collaboration environment will let you store critical components of the project in one location. These include: • Project membership lists • Project plans and task list • Project schedules • Laboratory coordination information such as lab welcome kit, lab schedule and calendar, lab request sheets, lab testing sheets • Deviance registry or the registry of all of the issues that come up during project realization • Project presentations and other documentation • Project member My Sites which can be used to list team member expertise in support of a skills cross reference system where team members know who to turn to when they need help Much more can be added to the SharePoint site. Of course, you will have different features based on whether you are working with SharePoint Services or Office SharePoint Server. The version you choose will of course depend on the size of your project and the scale of your project team, but if you can, you should opt for Office SharePoint Server since it will provide much more functionality including search, change control, blogs—which can be used to provide in-depth information about issues or approaches, wikis and more (see Figure 4.1). 89 Chapter 4 Figure 4.11. Using Office SharePoint Server to build the collaboration environment Using a Deviance Registry Perhaps the most important document of the entire project, the deviance registry is used to record deviances between the technological solution and the logical design prepared at the very beginning of the project. This issue-tracking tool, often called a bug tracking or change log tool, will list the different elements of the logical architecture for the deployment and be used to record any technical element that deviates from expected behavior. Issues are classified into different categories and are assigned priorities. To keep it simple, use three different categories: 1. High: these issues are show-stoppers and must be resolved before the project can move forward. 2. Medium: these issues are important, but can be resolved in parallel as the project continues to progress. 3. Low: these issues are ‘nice to haves’ and would be nice to include in the solution, but if budget controls do not provide allowances for fixes to these issues, they will not be resolved before the solution is finalized. In addition, you will want to prioritize the issues within each category so that you can determine in which order the issues need to be dealt with. Perhaps the best person to manage the deviance is the lab coordinator as this role is the closest to both the lab schedule and the technicians working on the engineering aspects of the solution. Make sure that you don’t only include technical issues in your deviance registry. Administrative issues such as those related to communications and training are also important to track as they will have a direct impact with the way your customers—end users—view the project as a success or failure. 90 Chapter 4 To assist with the creation of your new collaboration environment, a Microsoft Office SharePoint Server 2007 template for a team site including a deviance registry list is available on the companion Web site at http://www.reso-net.com/livre.asp?p=main&b=Vista. This template includes a sample deviance registry which helps you identify how to categorize issues. Lab Management Tools Another required technical tool is a tool to manage the virtual machines running in the laboratory. Several types of tools can do this, but only a couple are specifically oriented at laboratory management. Of course, the type of tool you use will also depend on the virtualization provider you select. If you’re working with Microsoft Virtual Server, then you can use Microsoft’s upcoming System Center Virtual Machine Manager or VMM (see Figure 4.2). VMM is not really designed to manage testing laboratories, but with its ability to provision virtual machines (VM) from source images and to monitor as well as manage virtual machines on multiple hosts at the same time, it offers powerful management and administration capabilities. At the time of this writing, VMM is still in beta and the only way to get a hold of it is to join the beta program at http://connect.microsoft.com. You’ll have to request to join the beta and be qualified to do so. More information on VMM can be found at: http://www.microsoft.com/systemcenter/scvmm/default.mspx. Figure 4.12. Virtual Machine Manager can be used to control multiple testing VMs 91 Chapter 4 If you’re running VMware ESX Server version 3.0.1 or later as a virtualization engine, then you might consider using VMware Lab Manager. Lab Manager is a very powerful tool that is designed to capture and manage entire series of virtual machines in support of both product testing and product development. For example, Lab Manager could capture the entire state of the Integration testing environment, store, it save it, and restore it as needed. Most small to medium organizations will not have access to ESX Server as it requires shared storage solutions and powerful hardware to run. Information on VMware Lab Manager is available at http://www.vmware.com/products/labmanager/. Information on VMware ESX Server is available at http://www.vmware.com/products/vi/esx/. If you’re using other VMware products such as VMware Server or VMware Workstation or if you’re using Microsoft Virtual Server and you don’t have access to Virtual Machine Manager, you will have to turn to other solutions to manage the multiple machines and multiple hosts that your lab will require. Fortunately, several manufacturers of OS deployment tools also provide support for the management of both virtual machines and the hosts that run them. After all, provisioning a virtual machine is very much like provisioning a physical machine. The only real difference is that when you provision a virtual machine, you are going from a set of files on a disk to another set of files on a disk. When you provision a physical machine, you go from a set of files on a disk to an actual disk drive. If you decide to use the same tool for OS deployment as for lab management as you should, then make sure it includes the following features: • Support for the virtualization technology you use, either Microsoft Virtual Server or VMware Server. • Support for host management and host resource monitoring. • Support for host event gathering to quickly identify potential issues on host servers. • Support for virtual machine image creation (using the Windows SysPrep command). • Support for the starting, stopping, pausing, and saving state of virtual machines. • Support for the management of virtual machine components such as hard disk drives, network configurations, virtual local area networks (VLAN) and so on. These are just some of the requirements you’ll need to be able to manage your virtual laboratory. Of course, you can always just rely on the default management interfaces your virtualization technology provides, but if you’re going to acquire a set of deployment tools, why not kill two birds with one stone? This will save you considerable time and effort throughout the entire project. Our recommendation: Choose the right tool and manage both the lab and the deployment with one single interface. Microsoft is offering free virtual labs for you to begin testing early at http://msdn.microsoft.com/virtuallabs/vista/default.aspx. Since they are hosted over the Web, don’t expect the performance levels you would normally get in your own lab. 92 Chapter 4 The Windows Vista Migration Toolkit Now you’re ready to start building your Vista migration toolkit, or the toolkit that is specifically aimed at the PC Migration Cycle (see Figure 4.3). As is illustrated in this cycle, you’ll need tools that will support six specific steps in this cycle: readiness assessment, personality management, OS image creation, application packaging, software deployment, and status reporting. Figure 4.13. The PC Migration Cycle There are a lot of commercial and non-commercial tools on the market to support migrations. We include here the ones that seem the most popular and to us, seem to offer the best features, particularly in regard to Windows Vista. Don’t take this as meaning that if you are using a tool or if you prefer a tool that is not listed here, it is not a valid tool to use. On the contrary, use the guidelines and requirements listed here to make sure your tool does meet the needs of a Vista deployment. And, if you find that it is a valid tool, email us at [email protected] and we’ll try to include information on it in upcoming chapters. 93 Chapter 4 Inventory and Asset Management Tools A lot has been said in terms of readiness assessment to date, but if you need to evaluate if your readiness assessment tool is ready to support your migration to Vista, or if you need to select a readiness assessment tool to support your migration, then make sure it meets the following requirements: • First, it must evaluate both hardware and software readiness. • In terms of hardware readiness, it must be able to scan for: o RAM o Disk size and configuration o Network devices o Attached devices Most hardware inventory tools can do this by default. But, because Vista’s requirements, especially the requirements for Vista Premium PCs, need to know about graphics cards and especially, the amount of dedicated RAM available to the graphics card, you need to be able to scan for this. Also, if you intend to use Vista features such as ReadyBoost—the ability to add dynamic memory to systems through flash or USB memory devices— you’ll need to know if your systems include either extra USB ports or flash card readers. So, you’ll need to make sure the inventory tool you select includes the ability to scan for the following: o Graphics device o Amount of dedicated RAM on the graphics device o USB ports, busy and free o Flash card readers This means that the inventory tool must either include this capability right out of the box or have the ability to add this particular through custom edits and modifications to the default collection set. • In terms of software readiness, it must be able to scan for: o Commercial single applications o Commercial application suites o Utilities such as antivirus, disk defragmentation, anti-spyware and so on o Application runtimes such as Microsoft Access, Visual Basic, Visual C++ o Custom, in-house applications o End user-developed applications such as Word macros and templates, Excel macros, Access databases and so on o Custom scripts or command files 94 Chapter 4 One of the most important thing to look for is to ensure that the inventory tool will not list a series of dynamic link libraries (DLL), executables, command files or any other component that make up an application. It needs to be able to roll up individual components into a legible and recognizable application name as well as roll up individual applications into application suites if they are installed. For example, Microsoft Office should read as a suite and not individual components even if they are not all installed. Similarly, Microsoft Word should not be represented as WINWORD.EXE or a series of dynamic link library (DLL) files. Ideally, the software readiness assessment tool would also be able to identify usage information. If an application is installed on a system and it has not been used for over six months, then you might be able to consider it for the process of rationalization—reducing and removing obsolete or unused applications from the network prior to the deployment of this new operating system. If usage information is not available, you’ll have to verify with individual users if they actually need each and every application found on their system. Finally, the software readiness assessment tool should be able to identify custom corporate applications, or at least be extensible to the point where you can add definitions of applications it should scan for. • In terms of readiness reporting, the inventory tool should be able to produce: o Hardware assessment reports categorizing computers according to whether they are ready, require upgrades or are simply unsuitable for any business edition of Vista. o Software assessment reports categorizing software based on compatibility with Vista and possibly including integration with Microsoft’s Application Compatibility Toolkit to provide comprehensive reports on how applications will interact with Vista. o Computer group reports by region, by IT role, by principal owner, by suitability to migrate. o Cost analysis reports comparing cost of upgrade versus cost of replacement, including labor costs for the upgrade. o Ideally, reports that integrate information from your inventories to information from the purchasing contracts you rely on to acquire both hardware and software as well as links to support or warranty contracts for each product. In addition, the inventory tool should include the ability to easily create custom reports to suit the requirements of your own situation. 95 Chapter 4 Potential Inventory Tools There are several types of inventory tools: interactive tools for very small organizations, automated tools for larger organizations, free tools, and commercial tools. Several have been mentioned in previous chapters, but they are included again here as a recap. Microsoft offers several free tools: The Vista Upgrade Advisor: http://www.microsoft.com/windowsvista/getready/upgradeadvisor/default.mspx; The Vista Hardware Assessment (still in beta at the time of this writing): http://www.microsoft.com/technet/windowsvista/deploy/readassess.mspx; The Microsoft Application Compatibility Toolkit which offers very rudimentary inventory features: http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/default.mspx. Commercial inventory and assessment tools include: Altiris Inventory Solution: http://www.altiris.com/Products/InventorySolution.aspx; LANDesk Inventory Manager: http://www.landesk.com/Products/Inventory/; Microsoft Desktop Optimization Pack for Software Assurance, especially the Microsoft Asset Inventory Service: http://www.microsoft.com/windowsvista/getready/optimizeddesktop.mspx; Microsoft Systems Management Server 2003: http://www.microsoft.com/smserver/default.mspx; Specops Inventory: http://www.specopssoft.com/products/specopsinventory/; Symantec Ghost Solutions Suite: http://www.symantec.com/enterprise/products/overview.jsp?pcid=1025&pvid=865_1. Personality Migration Tools The second part of any PC migration involves capturing and protecting personality information— personal user settings, applications settings, personal data files and folders. In Windows 2000 and XP, most of these settings will be stored in the Documents and Settings folder where each user that logs on to the computer system will have a folder of their own to store this information. This is called the user profile. Profiles are created each time a user logs on to a computer for the first time. They are generated from the Default User profile so if your Default User profile has been properly created, then there is some consistency between each user profile and each user experience; if not, then profiles will be widely different. In organizations using Active Directory domains, two types of profiles are stored on each computer: local and domain profiles. In many cases, local profiles do not need to be captured if domains are present because only technicians and support staff log on locally. This means you only need to save and migrate the domain profiles. If you are not in a domain or if the machines you are migrating are not domain members, then you’ll need to save local profiles. If, for some reason, you’re using both local and domain profiles then you’ll need to save both. Profiles have changed in Windows Vista. Vista no longer includes a Documents and Settings folder. This folder has been replaced by a number of folders. The Users folder now stores user preferences and user data. The Program Data folder now stores application settings. 96 Chapter 4 For these reasons, the tool you will select should include the following capabilities: • Inventory profiles without capturing them to support profile analysis. • Capture local profiles. • Capture domain profiles. • Capture single or multiple profiles. • Restore single or multiple profiles. • Analyze profile usage to help determine obsolete profiles. • Filter out unwanted profiles from the capture. • Filter out unwanted profiles from the restore, letting you capture profiles for backup and restore only selected profiles to target machines. • Store profiles in a variety of locations: local hard disk, network drive, burn it to CD or DVD as required. • Restore profile settings to appropriate locations for Windows Vista. • Support either x86 or x64 systems in both captures and restores. • Capture custom folders, for example, a C:\LocalData folder for information not stored into the default My Documents folder. • Capture legacy application settings that may be stored in the program’s directory instead of proper locations. • Capture settings from one version of an application and restore to a newer version, supporting the concept of application rationalization or the reduction of multiple versions of one product. • Scour the local hard disk for data and documents that have not been stored in appropriate locations. • Support execution from a remote location (network drive) or interactively from a local source. • Support full automation for the capture and restore processes. • Support the generation of automated executables or scripts for execution in disconnected environments. • Include encrypted administrative credentials or support the ability to run in protected user mode. • Integrate with an automated OS deployment tool to provide an end to end deployment process. • Provide reports on profiles to capture in support of workload estimates. Ideally, this tool will also include a graphical interface to facilitate the profile capture and restore process and perhaps wizards to illustrate the required step by step process. Ideally, the selected tool will support extensibility to provide full functionality. 97 Chapter 4 Potential Personality Migration Tools If you’re migrating single profiles or profiles from one single computer to another, you should use the Windows Easy Transfer (WET) tool that is integrated into Windows Vista (see Figure 4.4). WET is useful for single PC to PC migrations but is not appropriate for multi-system deployments. There are several personality migration tools on the market. Free tools include: Microsoft User State Migration Tool (USMT, a command line tool): http://www.microsoft.com/downloads/details.aspx?FamilyID=799ab28c-691b-4b36-b7ad6c604be4c595&DisplayLang=en. Commercial personality migration tools include: Altiris PC Transplant Solution: http://www.altiris.com/Products/PCTransplantSolution.aspx; CA Unicenter Desktop DNA: http://www3.ca.com/solutions/Product.aspx?ID=4920; LANDesk Management Suite (full migration suite, not only personality protection): http://www.landesk.com/Products/LDMS/. Figure 4.14. The Windows Easy Transfer tool 98 Chapter 4 Operating System Imaging Tools Organizations have been using disk imaging in support of OS migrations for several years. The ability to prepare a reference computer interactively, depersonalize it and then capture its image for reproduction to multiple systems is truly a godsend when it comes to migration projects. This is one reason why Microsoft has introduced Image-Based Setup (IBS) with Windows Vista. Because of the new IBS, Vista now supports the WIM file-based imaging format which, unlike disk images, does not take an exact copy of the sectors of a hard disk, but captures the files that make up the Windows installation on that hard disk. Microsoft is not the only organization to do this as manufacturers such as Altiris Corporation have been supporting file-based imaging for years. But the advantage of a file-based image is clear: it is much easier to service since it is a mountable image that can be manipulated without having to recreate the reference computer. Managing images is an ongoing process; that’s because they have to be updated whenever patches or updates are released for the components they include. And, because of the way Windows relies on hardware abstraction layers (HAL) that are different from computer configuration to computer configuration, organizations traditionally needed several images, one for each HAL they managed. With IBS, Vista does away with the need for HAL-dependent images. Also, because Vista provides a core OS with a separate language layer, it does away with language-dependent images as well. The combination of these two features means that you should be able to reduce the total number of images you manage to one single image per processor architecture—that is, one image for 32-bit and one for 64-bit processors. Image deployment is also important. Most manufacturers of disk imaging technologies have ensured that they also provide a tool in support of the deployment of those images. These tools deploy images through multicasting as opposed to unicasting. Images can be as large as several gigabytes and when they are sent through unicasting, they must create a data stream for each endpoint to which the image is sent. When sent through multicasting, only a single data stream is delivered to multiple endpoints. This could make or break many deployments. The default WIM image for Windows Vista—without any customizations—is 2.24 GB in size. Send that to 100 desktops overnight using unicast and you’re delivering 224GB of data. Send the same stream over multicast and you’re delivering 2.24 GB. Is multicast worth it? You do the math. 99 Chapter 4 For these reasons, the imaging tool you select should include the following features: • Capture an image from a reference computer. • Support HAL-independence in the image. • Support multicast deployment (this may come from a secondary tool or utility from the vendor). • Support the ability to mount the image for examination or update. • Provide a graphical interface for image capture. • Support the generation of x86 and x64 images. • Support the NTFS file format for the images. • Support the capture of an image from a remote computer. • Support the automation of the image depersonalization through Microsoft’s SysPrep tool. • Support the capture and deployment of images using BitLocker—requiring two partitions, one of which is encrypted. This feature may require a script to deploy the partitions in unencrypted format then encrypt the BitLocker partition once the image is deployed. • Support language independence for Vista OSes. • Support the application of multiple language packs once the image is deployed. • Support automation to script the image installation. • Support the integration of the image capture and deployment to the overall OS deployment process. In addition, you may want to make sure your OS image capture tool can integrate with the Microsoft WIM image format. 100 Chapter 4 Potential OS Imaging Tools Microsoft offers two tools in support of its WIM image format: ImageX, a command line tool for capturing and installing images and the Windows System Image Manager, a graphical tool for editing image contents and generating the corresponding Unattend.XML file. Both are included in the Windows Automated Installation Kit (Windows AIK): http://www.microsoft.com/downloads/details.aspx?FamilyID=c7d4bc6d-15f3-4284-9123679830d629f2&DisplayLang=en. The WAIK also includes Windows Pre-Execution or PE which is used to deploy the image. Microsoft also offers Windows Deployment Services (WDS) as an update to Remote Installation Services. WDS is designed to work with WIM images for OS deployments including bare metal installations (http://www.microsoft.com/windowsserver/longhorn/deployment/services.mspx). Anyone with a license for WS03 will have access to WDS. The WDS update for WS03 is included in the WAIK download. Commercial OS imaging tools will both capture the image and deploy it. They include: Acronis True Image and Snap Deploy: http://www.acronis.com/; Altiris Deployment Solution (migration suite, not only image capture and deployment): http://www.altiris.com/Products/DeploymentSolution.aspx; LANDesk Management Suite (full migration suite, not only personality protection): http://www.landesk.com/Products/LDMS/; Microsoft SMS 2003 with the Operating System Deployment Feature Pack: http://www.microsoft.com/technet/downloads/sms/2003/featurepacks/osdfp.mspx; Symantec Ghost Solution Suite: http://www.symantec.com/enterprise/products/overview.jsp?pcid=1025&pvid=865_1. Application Preparation Tools Application management and preparation is often the biggest challenge and the most demanding effort in an OS migration project. This is why it is so important to apply a rationalization process to applications—or a removal of any applications that offer duplicate features or multiple versions of the same application in your network—before any other activity. Rationalization helps control the effort required to prepare and deploy applications. But, before you can rationalize them, you have to first inventory, then analyze applications for compatibility. If an application proves to be completely incompatible, it might be a prime candidate for rationalization. Inventory tools will offer some information on application compatibility, but the only tool that will tell you if the application will run on Vista is Microsoft’s Application Compatibility Toolkit (ACT). That is because ACT is designed to collect information on the different applications organizations run and allow them to share information about an application’s compatibility anonymously through the Application Compatibility Exchange. Then, when you run ACT in your own network, you can collect information about the applications you run from the Exchange and learn from information that has been shared by others. Because of this, ACT should definitely be part of your application readiness toolkit. 101 Chapter 4 Application Compatibility Resources at Microsoft Microsoft offers several tools and lots of information on application compatibility. For a full list of these resources by IT role, go to http://technet.microsoft.com/en-us/windowsvista/aa905066.aspx. For information on application development issues in Windows Vista, see Application Compatibility in Vista: Working as a Standard User at http://www.reso-net.com/presentation.asp?m=7. But, compatibility is not the only tool required for application preparation. You also need: • Tools to package applications for automated installation. • Tools to virtualize applications if you choose to integrate this process into your migration project. • Tools to deploy applications once they have been packaged. This will round out your application preparation toolkit. Application Packaging Tools Software packaging is a very important part of any OS deployment or migration. That’s because if you want to automate the process from A to Z, you’ll need to have applications in a format that will automatically install them without user intervention. Even worse, it you choose to lock down all computers as you should, you’ll need to make sure applications install silently in the background even and especially when users do not have administrative credentials. Fortunately, Microsoft has done a lot of work in providing a service which can help standardize all application installations: the Windows Installer Service (WIS). WIS has been updated for Windows Vista and is now in its fourth iteration. WIS 4.0 includes support for the new Restart Manager, a tool that will automatically shut down and restart open applications when installations occur, as well as for User Account Control. 102 Chapter 4 Organizations have been working with WIS for several years and many will already have WIS packages for each and every application, but because of the changes in Windows Installer 4.0, you’ll need to make sure your existing packages will run with this service. This compatibility check is one of the most important features you’ll need in the application packaging tool you select. In addition, this tool should include the following features: • Full support for all WIS features. • Support for.NET Framework installations. • Support for Terminal Services installations. • Repackaging of legacy installations to the Windows Installer Service. • Editing of Windows Installer of MSI files. • Creation of transform (MST) and patch (MSP) files. • Support for editable exclusion lists—lists of items to omit in a capture—with explanatory text for the exclusion. • Support for the inclusion of scripts to the MSI file to include activities such as security modifications for repackaged legacy software. • Support for the Windows Logo Guidelines in regards to Windows Installer integration. • The ability to inventory all of the packaged components. • The ability to store package inventories in a database containing all of a system’s components in order to detect and resolve conflicts. • Support for the inclusion of variable installation sources within packages. • Validation of existing MSI packages for WIS 4.0. • Support for Vista Standard User installations. If you have a large organization, you might also be interested in workflow support for packaging teams as well as change control and tracking for each package, especially if roll-back is supported. Potential Application Packaging Tools Microsoft does not offer an application packaging tool, though several others do. The most popular are from two vendors, though they are not the only manufacturers to offer these tools by far: Altiris Wise Package Studio (WPS): http://www.altiris.com/Products/WisePackageStudio.aspx; Macrovision AdminStudio: http://www.macrovision.com/products/adminstudio/adminstudio/index.shtml. Macrovision also offers a workflow management tool for organizations wanting to control these types of processes. Macrovision Workflow Manager (http://www.macrovision.com/products/adminstudio/workflow/index.shtml) even includes a custom workflow in support of migrations based on Microsoft’s BDD. More information on this workflow can be found at http://www.macrovision.com/products/adminstudio/workflow/resources/index.shtml. For a more complete deployment tool set, Altiris offers the Migration Suite which includes all of the components of the Deployment Solution plus WPS, providing complete support for the PC Migration Cycle (http://www.altiris.com/Products/MigrationSuite.aspx). 103 Chapter 4 Software Virtualization Tools As mentioned in previous chapters, new processes have emerged for the delivery and management of software on desktops and servers. These processes virtualize the software layer, protecting the operating system from any changes performed by a software installation. They do this by abstracting software layers from operating system layers. In addition, these tools provide support for the centralization of software sources, letting you update all applications in a single location and automatically updating all systems which have access to the application. This is done through software streaming. Using application or software virtualization means that you can create an OS image, deploy it to your systems, maintain and patch it as needed, but never have to worry about it being damaged or modified in any way by any application you deploy to it. This makes for a very powerful distributed system management model, one you should most definitely examine closely before you migrate to Vista. Potential Software Virtualization Tools There are only three manufacturers of software virtualization tools today. Each offers much the same feature set, but each uses a completely different approach. Our best recommendation is to evaluate the capabilities of each tool and determine for yourself which offers the best features. For a presentation examining two of these tools, download Software Virtualization — Ending DLL Hell Forever from http://www.reso-net.com/download.asp?Fichier=P82. Citrix’ Application Delivery tool (http://www.citrix.com/lang/English/ps2/technology/index.asp?ntref=hp_nav_US) was in beta at the time of the delivery of this presentation. Some changes have occurred since this presentation was delivered. Microsoft has acquired SoftGrid and has included it in the Desktop Optimization Pack for Software Assurance (http://www.microsoft.com/windowsvista/getready/optimizeddesktop.mspx). Altiris has included software streaming to its virtualization technology through its integration with AppStream (http://www.appstream.com/). Information on Software Virtualization Solution can be found at http://www.altiris.com/Products/SoftwareVirtualizationSolution.aspx. Software Deployment Tools The final stage of application preparation is delivery. These tools are more complex than others since they require an identification of the target systems prior to being able to deliver software to them. That’s why software delivery tools are usually tied to inventory tools of some form. One exception is Active Directory Software Installation (ADSI). That’s because Active Directory (AD) already knows of each target system since they need to be joined to the AD structure before they can be managed by the directory. This is sort of an inventory in reverse. For an overview of software delivery management practices and a view into a powerful software delivery tool integrated to Active Directory, download Software Deployment Done Right at http://mcpmag.com/techlibrary/resources.asp?id=140. 104 Chapter 4 Organizations using ADSI would normally be small in size since ADSI lacks many of the features a true software delivery system requires. These features include: • Support for Windows Installer package deployments. • Support for the execution of scripts and legacy deployments. • Support for deployments to various targets—computers, servers, users, groups, sites, or custom collections. • Support for dynamic collections—collections that are based on membership rules and that are updated dynamically. • Integration or links to the Active Directory to reuse its contents for collection definition. • Support for automatic uninstalls when targets fall out of the deployment scope. • Support for conditional installations, letting you install multiple packages in a row or letting you make sure that dependencies are met before the installation of a key package. • Support for bandwidth control, ensuring that installations do not hog the wide area network connection when downloading installations to clients. • Support for delta-based replications, ensuring that if an installation package changes, only those changes are replicated to distribution points. • Support for copying the installation file locally, then performing the installation from the local copy and persisting the local copy in support of Windows Installer self-healing, especially for mobile systems. • Ideally, support for integration of each of the steps in the PC Migration Cycle. • Graphical interface and wizards to simplify complex tasks. It should also include extensibility to allow you to customize it to your own needs if required as well as providing support for software patching and system administration once they are deployed. Potential Software Deployment Tools For the purpose of operating system deployment, Microsoft offers the BDD Workbench, a tool that integrates OS image preparation, image deployment, as well as software and update deployment into one interface. BDD Workbench is free as part of BDD 2007: http://www.microsoft.com/technet/desktopdeployment/bddoverview.mspx. Commercial software deployment tools include: Altiris Deployment Solution: http://www.altiris.com/Products/DeploymentSolution.aspx; LANDesk Management Suite: http://www.landesk.com/Products/LDMS/; Microsoft Systems Management Server 2003: http://www.microsoft.com/smserver/default.mspx; Specops Deploy: http://www.specopssoft.com/products/specopsdeploy/. 105 Chapter 4 Making the Case for Extended, Lifecycle Management Systems As you can see, there are quite a series of different tools you will need to work with as you’re preparing your migration and there are quite a few tools to choose from for each step of the migration process. This list is not exclusive by far. In addition, you’ll see that as we move through the detailed steps of the PC Migration Cycle in future chapters, other tools will be required—often custom tools that perform specific activities in your network depending on your circumstances. You have several choices. You can, if you want to, use free tools most of which are command line driven, and script all of your installation steps manually. In our opinion, only the smallest of organizations will choose to do this and even then, we would argue against it. Consider this. Each and every step you will perform for a migration to Windows Vista will be a step you will need to perform again and again in your network as you manage and maintain the systems you deployed. Most organizations use a three to four year hardware refresh cycle. This means that each year, these organizations need to perform many of the steps in the PC Migration Cycle each year for a third or a fourth of the PCs in their network. In addition, each time a computer system fails, you’ll need to use some of the steps in the PMC to either replace or repair it. This makes a very strong argument for the selection of a tool set that will provide full support for the PMC as well as full support for long term management and administration of the systems in your network. PCs have a lifecycle in your network (see Figure 4.5). This lifecycle goes beyond the PMC: • Inventories must link to asset management systems as well as contract management. • OS and software deployment must include patching and update management. • Production systems must be monitored for proactive problem management as well as performance. • Support technicians need remote control or remote assistance tools to help users as well as access to service desks that help them manage and track problems as they occur. • All data must be linked to a central configuration management database (CMDB) to facilitate information sharing and system support. • Tools must be fully integrated into one seamless interface. • Tools must provide both graphical and command line support as well as wizards for the most common tasks. • Tools must provide support for delegation of administration to help technicians focus on the key tasks they are responsible for. • And, ideally, tools must manage any system—PCs, servers, handhelds, laptops and any other device your network will include. 106 Chapter 4 Figure 4.15. Managing the Entire PC Lifecycle with an Integrated Tool Set One thing is sure: you’ll need to use and reuse the various steps of the PMC in production once the deployment is complete. This means you need to make sure all of the processes and all of the tools you use for the migration are transited into production once the project is complete. There is no better opportunity than an OS migration project to implement a full systems management suite of tools. If you don’t have such a tool set in place, or, if your current tool set does not provide support for each and every task listed here, then take the time to review a full management suite as part of your migration project. You won’t regret it and you’ll make up your return on investment in no time since every step of the processes you use for the PMC and for ongoing management will be automated, standardized, and repeatable as well as always provide expected results. As we have stated before, don’t miss this opportunity to gain full and complete control of your network! Potential Lifecycle Management Tools Because of their very nature, lifecycle management suites are all commercial products. As highpowered systems management consultants, we have had many opportunities to work with and fully review several management suites in the past. Not all are listed here. Those we recommend you include in your review are: Altiris Client Management Suite http://www.altiris.com/Products/ClientMobile.aspx; LANDesk Management Suite: http://www.landesk.com/Products/LDMS/; Microsoft Systems Management Server 2003: http://www.microsoft.com/smserver/default.mspx; Specops family of products: http://www.specopssoft.com/; Symantec Ghost Solution Suite: http://www.symantec.com/enterprise/products/overview.jsp?pcid=1025&pvid=865_1. Microsoft is retiring the SMS name and will release an updated version of its management tool as System Center Configuration Management sometime in 2007. 107 Chapter 5 Chapter 5: Security and Infrastructure Considerations This chapter begins the preparation of all of the engineering tasks required to perform the deployment. Once again, it follows the Desktop Deployment Lifecycle (see Figure 5.1) as well as the PC Migration Cycle. The project has now moved from the preparation phases, including Question and Understand and is beginning the Organize phase of the QUOTE System. There is however, one part of the activities listed here that is required as input to both of the first two phases: initial inventories, especially if you don’t have existing inventory capabilities. Figure 5.16. Moving through Step 5 of the DDL The activities of Step 5 of the DDL are performed now because they are required to support the remainder of the engineering process. While most of the other engineering activities will focus on the PC—desktop or laptop—the activities related to infrastructure preparation and security configuration are focused on services provided through the network and therefore affect server structure and may even affect router and switch configuration. In our experience, most organizations do not allow PC support or administration groups to modify the services the network delivers. Because of this, the activities related to Step 5 must involve a server-based group of administrators (see Figure 5.2). 108 Chapter 5 This group should include the following roles: • A technical architect who will provide direction and evaluate the impact of changes on the network and network services. • A security expert who may be the same as the one used in the PC team, but who must be focused on server aspects for now. • A group of technicians focused on: o Inventory o Application compatibility o Deployment o System integration • Support and operations staff to learn new ways of doing things. Figure 5.17. The Server Team is responsible for the activities of Step 5 109 Chapter 5 The entire group will be under the supervision of the logical architect or technical lead. In addition, this group must be integrated to the team as a whole as they will need to communicate with their PC counterparts in order to properly discover the expected changes on the network. As such, this group will be responsible for the following activities: 1. Gathering inventories in support of the initial situation analysis o Deploying inventory gathering tools if they are not available o Performing inventory analysis 2. Support and server-based operation within the testing lab o Create central data repositories o Build host servers o Install virtualization technologies o Install collaboration technologies 3. Support for detailed inventories, creating an exact image of what is on each system 4. Support for profile sizing analysis, to help determine required server space 5. Project engineering activities for servers and networks o Prepare central and distributed data repositories in support of the deployment Prepare and implement an application compatibility database Install the Microsoft Application Compatibility Toolkit (ACT) version 5.0 if you decide to use it Deploy the ACT client (in conjunction with the PC team) Prepare application packaging systems Prepare data repository shares in support of the PC team, mostly for documentation and user profile captures Configure share replication in multi-site environments o Prepare operating system deployment tools If tools exist, then update them to support Windows Vista deployments If tools don’t exist, then deploy them in the network Support the various migration scenarios o Ensure that network equipment fully supports the deployment technology 6. Prepare Vista OS management infrastructures o Prepare for Vista Event Log management o Prepare for Vista Group Policy management Active Directory preparation Security considerations Document management considerations o Prepare for Vista license management 7. Support the operations team in preparing for the administration of Vista PCs 110 Chapter 5 Generally, the job of the server team is to perform any task that affects servers or network components and provide server-based support to the deployment project team. This assistance occurs both within and without the lab environment. Inventory and other tools are discussed with a focus on organization size. Three sizes are considered: • Small organizations (SORG) are organizations that have only one location or site. They usually include less than 100 employees. • Medium organizations (MORG) are organizations that have at least two locations or sites and thus need to deal with connectivity issues. They usually have up to 1,000 employees. • Large organizations (LORG) are organizations that have multiple sites, often in different geographical zones that may include multiple languages. These organizations have the most challenging deployments and require extensive planning before the migration can be performed. Each type of organization has different needs, but mostly in terms of scale, not in terms of actual services required in support of the migration. Perform Initial Inventories These activities are part of the Question phase of the QUOTE System. A lot has been discussed about performing inventories in previous chapters, all with the purpose of leading up to this point—the point where you actually perform the inventory. Two inventories are required. The first is the initial inventory which is focused on gathering information in support of the situation analysis. Server administrators are involved in this activity because inventories are collected centrally and if the organization includes several sites, must first be collected locally, and then assembled centrally. An excellent source of information on inventory requirements and infrastructure preparation is the Infrastructure Remediation Guide of the Business Desktop Deployment Solution Accelerator 2007, especially its two appendices. This guide can be found at http://www.microsoft.com/technet/desktopdeployment/bdd/2007/InfraRmdtn.mspx. The second inventory is discussed further below, but it is focused on the specific details of each system you intend to migrate. 111 Chapter 5 The Inventory Assessment Tool Ideally, an inventory system will have the ability to collect a variety of information from a variety of different sources. Sophisticated inventory systems are actually tied into asset management systems and while the inventory service is under the control of the server administrators, the inventory data is under the control of the Finance department of the organization. A good inventory tool will have three key features: • Hardware inventory • Software inventory • Reporting capabilities Chapter 4 listed many more features for the inventory tool you select, but these three are the main focus of the tool. If you don’t have an inventory tool in place, then you should rely on the guidelines list in Chapter 4 to identify what you need in this tool. Deploying an inventory tool falls directly onto the server administrator’s plate because it is a central network service. If you are a small organization and don’t want to obtain a sophisticated tool, then you can look to free tools. There are tons of free tools on the market, but as you would expect, they require a bit of work to get the results you’ll need. All you have to do to find them is to perform a search with your favorite search engine and you’ll have a complete list. The organizations that use free tools will either be very small or have very simple networks that they are very familiar with. Microsoft offers three free tools that provide inventory. You may have tested them out by now, but here they are again. • The Microsoft Windows Vista Hardware Assessment (WVHA) tool which unlike other inventory tools, is designed to work from a PC and can scan networks of up to 5,000 PCs. The WVHA is in beta at the time of this writing and can be found at http://www.microsoft.com/technet/windowsvista/deploy/readassess.mspx Eventually it will make its way to the Microsoft Web site and be available for a free download. WVHA is an agentless tool that scans any computer that you have administrative privileges over. Microsoft states that it can run on a PC and it should since it requires both Microsoft Word and Microsoft Excel (2003 or 2007 versions). Data is stored within SQL Server 2005 Express which is installed as you install WVHA. WVHA does not recognize the presence of a real version of SQL Server 2005 even if it is installed and will install the Express version anyway. All the more reason for leaving this tool on a PC. It does include a number of methods to collect information (see Figure 5.3) and once you get through the hype, especially in the Word reports, you actually get useful information. 112 Chapter 5 Figure 5.18. Using the Windows Vista Hardware Assessment tool • The Microsoft Software Inventory Analyzer (MSIA) which is a graphical tool that scans local systems for a list of Microsoft products can be found at http://www.microsoft.com/resources/sam/msia.mspx. MSIA will let you prepare a command line input file for the settings you want to use. Once again, administrator credentials are required, but output can be redirected to a network share. It only scans for Microsoft products, but at least it lets you find out which ones you have. • The Microsoft Application Compatibility Toolkit (ACT) version 5.0 which is designed to provide an analysis of the applications running on your systems, whether they are used and their level of compatibility with Windows Vista. ACT can be found at http://www.microsoft.com/downloads/details.aspx?FamilyID=24da89e9-b581-47b0b45e-492dd6da2971&displaylang=en. ACT requires a SQL Server database to run and as such should be installed on a server. In order to collect inventory, you need to prepare a collection package which must be run on each PC you want to scan. Administrative rights are required to run the installation of the package and since the package comes in .EXE format, it requires special approaches for delivery to the endpoints. Once delivered, the package runs on the local PC, collects information and then returns it to the central collection point. ACT is useful in that it lets you share information with a community of users through the Microsoft Application Compatibility Exchange (ACE), though the value of ACE is only as good as the value of the input that goes into it. Since all input is anonymous, it may be questionable. Microsoft is trying to make it as valuable as possible, but its best value is focused on commercial software since few organizations will want to share information on their internally-developed applications. More on ACT will be discussed in Chapter 6. 113 Chapter 5 Commercial tools also abound. For example, Symantec also offers a good inventory assessment tool for small to medium businesses. The Symantec Ghost Solutions Suite (GSS) version 2.0 consists of a console that can be located on either a PC or a server. Information on GSS can be found at http://www.symantec.com/enterprise/products/overview.jsp?pcid=1025&pvid=865_1. The console uses its own database. Agents must be delivered, again with administrative rights, to each target PC. Inventory tasks can then be performed from the console. Unlike other inventory systems, GSS does not run inventory tasks on a schedule; you need to tell it when to run. This way each time you collect the information, it is up to date. GSS is not designed to cross routing boundaries or, in other words, wide area network (WAN) connections. If you have more than one physical location, you will need to install a GSS console into each site to collect the information for that site. There is no means, other than exporting data, to consolidate multiple inventories from multiple sites. GSS does however offer some very detailed inventory collections right out of the box (see Figure 5.4), especially for Vista Premium PCs, including items such as video memory. In fact, Ghost is the first tool to do so by default. Other tools require you to create a custom collection. Ghost is not strong on inventory reporting—contents have to be exported to a tool such as Microsoft Excel to create charts—but it is very strong on its traditional feature set: PC imaging and image deployment. Figure 5.19. Ghost Solution Suite includes custom inventory collectors for Vista Premium PC readiness 114 Chapter 5 Organizations that are using Active Directory might choose to rely on Special Operations Software’s Inventory tool. Specops Inventory is the only tool that integrates directly with Active Directory to perform inventory collection and therefore does not require a secondary infrastructure to run (see http://www.specopssoft.com/products/specopsinventory/). It does however require a separate SQL Server database to store inventory data. Specops Inventory is quite powerful if your systems are all connected to the directory service and like Ghost, is really easy to set up and install since it relies on an infrastructure you have already deployed. Inventory collection is performed through the standard Group Policy client any Windows machine already includes. Just open an existing Group Policy Object (GPO) or create a new one, identify what you want to look for and close the GPO. Inventory will begin to be collected as GPOs are refreshed and applied. Reports are very easy to view since they rely on a Web interface. Organizations that want to implement a full-fledged PC management system including inventory collection can look to three products: • Altiris offers several different options for inventory support. The Altiris Inventory Solution (http://www.altiris.com/Products/InventorySolution.aspx) is specifically designed for inventory collection only. But, this solution is also integrated to different products. For example, the Altiris Deployment Solution is a full migration suite which also supports minimal inventory capabilities (http://www.altiris.com/Products/DeploymentSolution.aspx). The Migration Suite includes all of the components of the Deployment Solution plus Wise Package Studio for software packaging and software management as well as the full Inventory Solution (http://www.altiris.com/Products/MigrationSuite.aspx). The Client Management Solution (http://www.altiris.com/Products/ClientMobile.aspx) includes all of the above products as well as full lifecycle management of all client devices, not only PCs. Altiris has been one of the first software manufacturers to provide tools which support a migration to Vista. Our recommendation: if you are going for a full-fledged suite, then why not select the one that does it all and perform one single suite deployment. • The LANDesk Management Suite (LDMS) is also a strong contender for Vista migration (http://www.landesk.com/Products/LDMS/). Like the Altiris products, LDMS provides full support for the PC Migration Cycle with special emphasis on Vista migration support. Inventories provide information on both hardware and software readiness while the other parts of the suite provide system imaging, profile protection and software packaging and deployment. • Microsoft Systems Management Server 2003 (SMS) which is undergoing a name change in its next version to become System Center Configuration Manager 2007 (see http://www.microsoft.com/smserver/default.mspx). Meanwhile, organizations that want to rely on SMS to support the inventory process should upgrade to service pack 3. SP3 is in beta as of this writing but should be released sometime in the first half of 2007. New features include better inventory reports for software inventory, reports for Vista hardware readiness and the ability to manage PCs running Windows Vista. In addition, SMS 2003 SP3 provides support for software rationalization by helping you identify applications with similar functionality, letting you consolidate on one single application for each functionality type, thus reducing costs and reducing migration efforts. 115 Chapter 5 Of all the products listed, only the products from Altiris, LANDesk and Symantec offer support for multicasting—the ability to deploy system images in one single data stream when deploying to multiple endpoints. This saves considerable bandwidth and time during deployments. Keep this in mind when making your choice. Microsoft products will not have access to multicasting until the release of Windows Server Codenamed “Longhorn” later this year. At that time Microsoft will be adding multicasting capabilities to the Windows Deployment Services role Longhorn will support. Technical Requirements for Inventory Tools Every product that is oriented towards systems management uses the same basic framework. Data is always stored in a database, either SQL Server or other, servers are always required centrally to manage the multiple functions of the suite and secondary role servers are required if remote sites are part of the picture. Depending on the size of the organization, secondary databases may be required to collect information in remote sites and then replicate it to the central site, but this situation usually only applies to LORGs. For deployment support, a central repository is required and once again, if remote sites exist, secondary repositories will be required. Data for inventories is collected from the remote sites and sent to the central site. Data for software and operating system repositories is provisioned centrally and replicated to the remote sites. Status of the deployment jobs is sent from remote sites to central repositories. This means that bi-directional replication technologies as well as bandwidth control technologies are required in the management solution. Finally, an agent is required on the PCs to communicate with the management service and perform management operations locally. The overall solution will also need to take into consideration the management and administration of Windows Vista. Event log management is different in this OS as is Group Policy support. License management is also different. Server administrators will need to keep all of these considerations in mind when addressing the requirements for the migration (see Figure 5.5). Our advice: Start in the lab and then build out your systems management product deployment. Learn its features and then and only then, deploy it to production to collect your inventories. 116 Chapter 5 Figure 5.20. Infrastructure considerations in support of the migration Procedures for the preparation of the infrastructure in support of the migration are outlined further in this chapter when we discuss the server preparation activities in the lab. Collecting the Basic System Inventory For the first inventory, you need to identify the scale of the deployment. This means you need to collect bulk data related to how many PCs you have in the network, what they have on them, which PCs meet which requirements and which PCs don’t. Administrators will help collect this data from systems that are both online and offline, connected and not and provide it to the analysts which will help formulate the baselines for your migration. The inventory collection process actually goes through a series of steps (see Figure 5.6): 1. Collection: Bulk information is collected from all of the systems in the organization. 2. Data extraction: Numbers and facts are drawn from the bulk information. These numbers and facts are sufficient to support initial project cost estimates and produce the business case for the migration. 3. Refinement and additions: A refinement process is applied to the original data to filter out unnecessary data and focus on more precise data—who is the principal user, what is actually used on the system, what needs to be recovered post migration and so on. Additional data may need to be collected to produce the required level of detail. For example, in order to determine if the applications found on the system are actually used by both the principal and other users of the system, an actual visit and discussion with the principal user may be required. 4. Rationalization: Rationalization processes are applied to bulk data to further refine the data. Three processes are required: 117 Chapter 5 a. Reduce: The objective of rationalization is to reduce the number of applications that will be carried forward during the migration. Be strict and remove anything that is not necessary. This means any duplicates in terms of functionality—only one drawing tool, only one word processor, only one browser, and so on—as well as multiple versions of the same product. Any deviations should require serious justification. b. Reuse: Learn to reuse systems as much as possible. One of the best ways to do this is to standardize on all aspects of the solution—standardized procedures, standardized PC images, standardized applications, and so on. This will cut costs and ensure a more stable solution. c. Recycle: If you have invested in some management efforts in the past, then focus on reusing as much as possible during your migration. For example, if you have existing Windows Installer packages, look to their conversion instead or rebuilding them. Aim to adapt systems instead of reinventing the wheel. 5. Net values: Net values are produced after all of the refinements have been applied. 6. User data sheets: User data sheets are produced for each PC to be migrated. These sheets include everything that is now on the PC and everything that should be ported once the PC has been migrated. 7. Release management: User data sheets are provided to the release manager. The release manager will produce the migration schedule from this information—information which will also be provided to the technicians that perform the migration. This process is essential to the success of the migration as the hand off to release management is the driver for the actual migration. Remember, users are only happy if everything is as smooth as possible for them. This means that if you know items are going to change, make sure you integrate these changes into your communications plan and announce them well ahead of time. 118 Chapter 5 Figure 5.21. The Inventory Collection Process As identified in the inventory process, information from the initial inventory analysis is aimed at identifying bulk values. The specific questions you need answered are: 1. How many desktops are in the organization? 2. How many laptops are in the organization? 3. Which PCs—desktops and laptops—need upgrades and how much do the upgrades cost? 4. How many PCs per user do you have? Will you carry over the same ratio with Vista? 5. How many applications are in the network? 6. How many of these applications will need to be carried over into the deployment? 7. Where are the PCs located? These core questions help your team determine how much effort is required to perform the migration and how much it will cost. Reports should ideally be Web-based and dynamic so that users with different levels of authority can access and view them easily. They should also include graphics if possible—charts and graphs that can easily be copied into Microsoft Word documents or PowerPoint presentations to augment the value of the message you need to convey. In fact, this should be part of your selection criteria for the inventory tool. It is the goal of the systems administrators to assist project staff in collecting this initial data, whether it means deploying a new tool or not. Ideally, you’ll already have this under control. 119 Chapter 5 Server-based Operations in the Lab These activities are part of the Understand phase of the QUOTE System. Once bulk inventories are captured, the project team has enough information to drive the project forward. This all occurs within the Question Phase of the QUOTE System. Then, once the business case is presented and approved, you’ll move on to the Understand Phase. This is where server administrators will be called upon to assist in two major activities: • The preparation of the central services the laboratory will rely on. • The preparation of the logical solution design. As outlined in Chapter 3, the testing laboratory should be relying on virtualization technologies. As such, the server team will be called upon to prepare the host servers that will drive the virtual machines as well as preparing any virtual machine that will act as a server in testing. If you already use virtualization technologies, you can start with the preparation of the core virtual machines that will seed all of the other servers required to support the testing. If you don’t use virtualization technologies yet, you’ll need to begin with their installation. Build the Host Servers Host servers should be beefy machines that have a lot of power since their main purpose is to run virtual machines. This means lots of RAM, lots of disk space and several processors, ideally multi-core processors. The server hardware should also be 64-bit if possible as it will give you access to more memory than a 32-bit machine and it will let you create 64-bit virtual machines if you are using the right virtualization technology. Refer to Chapter 3 for the recommended configuration of the host server as well as for the virtual machines. To prepare the host server: 1. Begin with the preparation of the server hardware, locating it in a rack if it is a rack- mounted server or in a blade casing if it is a blade server. Smaller shops will use a tower casing. Connect all required components. 2. Install Windows Server 2003 (WS03) R2 Enterprise Edition. This edition lets you run up to four virtual machines running Windows operating systems for free as their cost is included in the license for the host server OS. Remember to create three disk volumes: a. C: drive with 30 GB for the OS. b. D: drive with the bulk of the space for data. c. E: drive with 30 GB for volume shadow copies. Replace WS03 with “Windows Server Codenamed Longhorn” once it has been released, especially the version that includes Windows Virtualization. This version is the ideal Windows operating system for host servers. 3. Prepare the server OS according to your standard configurations. Make sure you update the OS and install anti-virus and backup software. 120 Chapter 5 4. Configure Volume Shadow Copies (VSS) for drive D:. Place the shadow copies on drive E: and use the default schedule. Shadow copies protect any data that is on shared volumes. Since the D: drive is automatically shared as D$ by the system, the data it contains is shared by default. For information on how to configure shadow copies, look up 10-Minute Solution: Using Volume Shadow Copy at http://www.resonet.com/download.asp?Fichier=A64. If, by the time you’re reading this, Microsoft has released System Center Virtual Machine Manager (VMM) and you want to use Microsoft virtualization technologies in your lab, then rely on this tool instead of Microsoft Virtual Server because VMM can deploy Virtual Server without requiring the installation of IIS. More information on VMM can be found at http://www.microsoft.com/systemcenter/scvmm/default.mspx. 5. Install the virtualization software. If you’re using Microsoft Virtual Server 2005 R2, then you’ll need to install Internet Information Services first; remember this is done through adding and removing Windows components in the Control Panel. If you’re using VMware server, then you just need to install that product. 6. Once the virtualization software is installed, you can begin to create your virtual machines (VM). This basically uses the same process as with the installation of the host server. If you use multiple editions of WS03 in your network, you’ll want to create at least two core VMs, one for the Standard Edition and one for the Enterprise Edition. Then, use these VMs as the seeds for every server role you need to configure. 7. Don’t forget to copy the seed servers and run Sysprep on them to generalize the installation. This way you can use and reuse the machines as much as needed. The original VMs should be created as soon as possible because Unit testers will need to have access to server technologies, most likely a multi-purpose server image that includes Active Directory, file sharing, a database server, deployment services based on the technology you choose to use and so on. Once these machines are ready, they should be loaded onto external USB hard drives and delivered to the testing teams—one of which will be the server team as there will be new server-based technologies and configurations to test. If you want to fast-track this aspect of your project, you can rely on virtual appliances—pre-built VMs that include all of the required features to support each testing level—that have been prepared by third parties. Go to http://www.reso-net.com/livre.asp?p=main&b=Vista to find out more about virtual appliances in support of the Desktop Deployment Lifecycle. 121 Chapter 5 Build Central Laboratory Services Now that some core VMs are built and other technical teams can go on with their work, you can begin to build the systems that will support both the project and the lab itself. These systems can be built inside virtual machines as they are protected by VSS and other backup technologies. The systems or server roles the lab and the project require include: • A directory service which may be the same as your production directory. In most cases, it is best and easiest to create either a separate forest as you would in the case of all of the testing levels you need to use—Unit, Functional, Integration and Staging. But, for the laboratory’s own use, you might just create a separate domain within your production forest or just create organizational units (OU) inside your production domain. It all depends on the level of isolation you need for this project. Our recommendation: use a separate domain in your production forest. This will automatically create trusts between the production domain and the project domain so users can continue to work with their normal, production user account, but grant them different privileges within the project domain. This is something you cannot do when placing them in OUs within the same domain. Remember that you will need at least two domain controllers to protect the information contained in the domain. • A database server which will be used to host data from a number of different technologies, namely the software packaging system, the management system, Microsoft’s Application Compatibility Toolkit if you decide to use it, Windows SharePoint Services and any other structured data the project requires. Our recommendation: install SQL Server 2005 SP1. SQL Server is a comprehensive database tool that doesn’t break the bank when you acquire it and will provide a series of different protection services for the data it stores. In addition, SQL Server 2005 SP1 supports data mirroring which will let you automatically transfer data from the lab environment to a production database server when you’re ready. • A server running Windows SharePoint Services version 3.0 (WSS) which will be used to host the project’s collaboration team site. WSS can be found at http://www.microsoft.com/downloads/details.aspx?FamilyID=d51730b5-48fc-4ca2b454-8dc2caf93951&DisplayLang=en. You will need to install version 3.0 of the .NET Framework in support of this tool. You can find a link to the Framework on the same page as the WSS download. To speed the preparation of the team site, upload the team site template from the companion Web site (www.resonet.com/livre.asp?p=main&b=Vista) and follow the included instructions to load it into your WSS environment. Assign a WSS administrator to begin granting access to team members. Most members should be contributors while the project manager and the project assistant should be site owners. The lab coordinator and the lab administrator should be owners of the lab subsite. Data for this site should be stored in the SQL Server you prepared earlier. This should be enough to get the project and the technical teams going at this stage. 122 Chapter 5 Note: All project documentation—plans, presentations, communiqués, technical documentation, training materials, everything—should go into the SharePoint team site and should be protected by proper backup technologies and systems as well as proper security settings. In addition, technical tasks should be drawn out from the project plan and should be assigned to team members on the site. This will give you an excellent tool for tracking project progress as well as storing all project data. Participate in the Solution Design The server team also needs to provide support to the design of the solution the project will implement. As outlined in Chapter 2 and in the QUOTE System, you begin with a logical solution design, focusing on the new features of the technology you will implement to draw out how your organization will benefit from them. This is done by examining several sources of information: help desk logs for the most common problems, new feature information for the technology to be implemented, industry sources for best practices and recommendations and so on. The server team will focus on anything that is centrally based and that will provide enhanced support for the new technology. This involves items such as modifications to existing infrastructures, not in support of the operation of the project, but rather in support of the migration itself and the operations the organization will need to perform once the deployment is complete. The items that need to be covered in this initial solution are outlined in the remainder of this chapter. Prepare the Detailed System Inventory The next step is to provide support for the collection of detailed inventories. Remember that the initial inventory was designed to provide bulk information. Now you need to assist the project in obtaining detailed information on each system to be migrated. One good place to start is with a detailed topology map of the network. Ideally, this map will identify which machines, printers, servers and switches are connected to each other. This will assist in the redeployment of the PC OSes as well as help determine if switches and routers are properly configured to support the deployment process. One great tool for this topology map is Microsoft Visio. Visio can generate topology maps from network scans and even better, can rely on Microsoft Baseline Security Analyzer (MBSA) to scan systems and then provide the information to Visio to generate the image of the network. The Microsoft Office Visio 2003 Connector for MBSA can be found at http://www.microsoft.com/technet/security/tools/mbsavisio.mspx. At this stage you need to make sure you have inventory data for each and every system in the network either connected or not. This inventory needs to determine everything that will be required to rebuild the system as close to what it was as possible. One of the best ways to do this is to rely on User or PC Data Sheets. These sheets list everything about a system: applications, principal user(s), printer connections, optional hardware, peripherals and so on. A sample User Data Sheet is available on the companion Web site at http://www.resonet.com/livre.asp?p=main&b=Vista. New visitors must fill out a onetime registration to access these downloads. 123 Chapter 5 Validating Inventories In order to minimize the amount of work required to rebuild a PC, it is important to validate all of the content of the User Data Sheet. One of the most difficult items to validate is the list of installed applications. This is because many organizations do not use a proper application licensing strategy and will install applications on systems when needed, but never remove them when obsolete. In order to avoid reloading applications that are no longer required and in order to improve your licensing compliance once the project is completed, you want to validate this list as much as possible before you deploy the system. One good way to perform this validation is to use a software metering system which monitors the use of software applications on each computer system. Applications that are not used are marked off and are not reinstalled on the migrated system. But, if you don’t have such a tool, you’ll need to validate the inventory with the principal user of the machine. This takes time and is best done by administrative staff that have been trained to understand what should and what shouldn’t be on a system. The goal is to update the User Data Sheet as much as possible. Rationalize Everything The concept of rationalization has been covered several times before because it is a process that is vital to the success of the project. It will also greatly reduce project costs as it cuts costs in licensing as well as reducing the time to prepare and perform the deployment. The activities you need in support of this process involve the following: • Define clear rationalization guidelines and rules. • Commit to the rationalization guidelines and rules as a project. • Obtain organizational, read ‘management’, buy-in to the rationalization process. There will be resistance and if you don’t have this buy-in, you won’t succeed. • Prioritize software rationalization as much as possible. If your users have more than one machine, then also prioritize PC rationalization. With the advent of virtualization, there are very few reasons for having more than one system per user. • Initiate a communications plan to all users on the benefits of rationalization. This will help reduce resistance. • Request an initial inventory purge by all IS and IT directors. They will be able to identify obsolete systems immediately. • Involve users and user representatives in the rationalization. They have their say and will be happy to be consulted. • Request an inventory purge by users themselves. They often know best. • Establish a User Representatives Committee (URC). The URC will represent users when contentions arise and will be the project’s representative with respect to users. • Obtain a Rapid Decisional Process from executives so that you can cut short any rationalization debate. 124 Chapter 5 Once the inventory is validated, proceed through the rationalization process using the following guidelines: • Remove all applications that are not actually installed on a PC. • Remove server and administrative applications. They should be stored on servers and administrators should use remote desktop consoles to servers for this. • Remove any non-PC applications. • Remove multiple versions of the same application. • Remove games and utilities such as music software or anything that is not corporate in nature. • Remove all applications that will be replaced by the software kernel or the core image that will be installed on all PCs (for more information, see Chapter 7). • Remove applications fulfilling the same function. This means one single drawing program, one single financial analysis program and so on. • Identify number of users for each remaining application. This will help in the design of application groups and user roles. • Identify value to business for each application that is retained. If value is low, remove it. • Begin negotiation with users early. This is best done through the communications program. • Ensure that an application and data conversion strategy is in place for rationalized applications. For example, if you are removing a drawing program, then you need to be able to convert existing drawings into the format of the retained tool. • Ensure that software obsolescence and lifecycle guidelines are in place so that this does not have to be done again once the project is complete. Once the list of applications, devices and peripherals has been reduced, you can move to the creation of groupings. For example, you should group applications into the following categories: • Mission and business critical applications • Common commercial applications • Limited use packages • In house applications • Non standard hardware 125 Chapter 5 These groupings will help structure how you manage these applications. Finally, use a risk management strategy to reduce the impacts of rationalization. This means: • Prepare common applications first since you will be able to deploy them to the largest user base. • Group role-specific applications into IT user roles and target the largest groups first. • Keep limited use packages for the end of the deployment since their audiences are small. • Do not provide conversion for applications that are not Windows Vista compatible; run them inside virtual machines running older OSes if they absolutely need to be retained. • Provide shared virtual machines with older OSes for applications that users will not give up but are obsolete. This strategy will help reduce the carryover from the existing to the new deployment. The last two strategies are hard core and should be applied to anything you really want to get rid of. If you can’t and you can afford it, convert the applications to Vista. Perform the Inventory Handoff Now that everything has been validated and approved, you are ready to hand off the User Data Sheets to the release manager. This hand off is critical because it controls how the deployment will be structured. The release manager will then use the network topology map along with the User Data Sheets to determine which sites will be deployed first and how each PC will be built. Ideally the information in the data sheets will have been input into a database that can help the release manager control the deployment. As the deployment occurs, this manager will need to select replacement users for deployment as targeted users are unavailable or don’t show up for their portion of the migration activities. Having a bank or pool of users that you can draw from during the migration will help maintain deployment rates and keep the project on time and on track. Otherwise, dates will slip as it becomes impossible to deploy as many PCs as targeted during each day of the deployment. This gets the release manager ready for the Transfer phase of the QUOTE System. 126 Chapter 5 Perform a Profile Sizing Analysis One other aspect of the migration that will be critical is personality protection. Remember that users will not be pleased if their favorite desktop background does not appear or they lose their custom Word dictionaries once they have migrated to a new OS. But profiles tend to be rather large and will require some form of protection during the migration. Because of this, server administrators must assist the personality protection team to determine where these profiles will be stored and how they will be protected. Several tools today allow the storage of the profile on the local hard disk during the actual OS deployment. If you decide to use this strategy, then server administrators will have little to do here, but if you determine that you want to raise the quality assurance level of this process and you have enough bandwidth to do so, you should store profiles on a network location. There are several ways to do this. The most common is to simply use the migration tool to copy the profile to a server before the migration, migrate the PC, and then restore the profile from the server once the migration is complete. Other strategies involve the use of technologies such as folder redirection or roaming profiles to protect user data. Whichever method you decide to use, if you choose network protection then two tasks will fall to server administrators: • Estimating storage sizes for profile migration during the deployment and preparing network shares that can support these storage requirements. • Implement a retention policy for the profiles where the profiles are backed up for protection, retained on disk for a period of time and archived once the time period runs out. The retention policy quickly becomes a rotation policy that will prove essential if you do not want to find yourselves running out of space during the migration. You’ll also want to look to creating local shares if you have remote sites and implement replication technologies to bring remote data back to central locations for long-term storage. More on personality protection is covered in Chapter 8. 127 Chapter 5 Perform Project Engineering Activities These activities are part of the Organize phase of the QUOTE System. While the Understand phase focuses on logical solution design, the Organize phase of the QUOTE System focuses on engineering tasks or the actual implementation of the solution. To date administrators have had the opportunity to test and play with different server-based technologies as affected by the deployment and the coming of a new PC operating system. Now, it is time to define how this solution will actually take shape. As such you now begin to implement several additional technologies, usually in the Integration and Staging test environments. This is one reason why documentation of each parameter and setting used to deploy the solution components is so essential at this stage. You’ll need to work on the following systems: • Support for the deployment/management tool: Begin with at least one server running the management tool role. Depending on the tool you selected or even if you already have a tool, this process will allow you to learn how this tool will support your migration. Link this tool to the database server you created earlier. If you have multiple sites, you’ll have to look to secondary servers for this tool if required. If you already have a management tool in place, then look to how it needs to be adapted—deployment of an upgrade or deployment of a service pack—to support the Vista migration. • Support for software installation: Your project will need to choose whether you will be using traditional Windows Installer packages or whether you will aim for software virtualization or even a combination of both. This topic is discussed at length in Chapter 6. If you decide to use Windows Installer or MSI packages, then you will need a packaging tool. These tools require installation on a server, the creation of file shares in support of their use and linkage to a database server. If you opt for software virtualization, you’ll find that these solutions usually require an agent on the PC and often rely on either server shares or server streaming services to deploy the applications. You can also choose both and use the packaging tool to integrate your applications to the software virtualization engine. • The Microsoft Application Compatibility Toolkit: If you choose to use it, this tool will require installation on a server as well as linkage to a database. ACT collects information about applications, including usage information which can be quite handy in support of the rationalization process. Keep in mind that ACT works through the creation of packages in the form of executables that must be deployed and delivered to PCs. The PC package requires administrative rights for execution so you will need to come up with a solution for deployment. More on this is discussed again in Chapter 6. • File sharing services: You’ll need to deploy file sharing services, usually in the form of a file server which will be used to store vast amounts of information. Remember that it is always best to secure file shares through NTFS permissions than through share permissions. Required shares include: 128 Chapter 5 o Virtual machine source: The source virtual machine images which must be shared as read only for technicians that want to access copies of the machines for testing on their own systems and read-write for server administrators that create and modify the machines. o Software installation media: A source folder for software installation media. The lab coordinator and administrator should have read-write privileges and packaging technicians should have read privileges. o Software preparation: A working folder for software packages where packaging technicians have read-write access. They use this folder as they prepare packages. o Software release: A repository that is the official final repository of quality controlled software packages. Technicians should have read access and only the lab coordinator and administrator should have read-write access as they are responsible for the final release of these products to the project. o OS installation media: You also need a source folder for OS installation media, updates and device drivers. The lab coordinator and administrator should have readwrite privileges and imaging technicians should have read privileges. o OS custom media: Imaging technicians will need a working folder for OS system images where they have read-write access. o Custom OS releases: A repository where final OS image(s) are released. This should have the same access rights as the software release folders. o Data protection: A folder with read-write access for personality protection technicians will also be required as they test out the tools they will use to protect profiles. • Unique namespaces: Another useful technology organizations with multiple sites should include in the preparation is namespaces. Namespaces are very useful because they eliminate the need for customization inside the individual packages you will deploy. That is because namespaces such as those based on the Distributed File System (DFS), especially the DFS service from the R2 release of WS03, provide the ability to map to one single UNC name inside every single package no matter which site you are located in. That is because a DFS namespace uses a \\domainname\sharename format instead of a \\servername\sharename format when publishing shared folders. With DFS namespaces, you map this unique name to different targets within each site. This way, when a package needs to refer back to a server share either for installation or for self-healing or updates, it will always work. Namespaces are mapped to Active Directory and because of this are available in any site in the domain. They are much easier to work with than mapped drives because they always refer to the same name structure. The directory service is responsible for linking each endpoint with the appropriate target share, eliminating the possibility of error. 129 Chapter 5 • Replication services: DFS, once again, the DFS service included in WS03 R2, also provides delta compression replication (DCR). This means that once shared folders are synchronized through an initial replication, DFS replication (DFSR) will only replicate modifications to any of the contents. If one single byte changes in a 1 GB file, then one single byte is replicated. In addition, DFSR is really easy to implement, taking literally lest than five minutes to set up. If you have more than one site, you should definitely look to DFSR. It is included by default in any version of WS03 R2 and it just works. Linked with namespaces, it becomes a very powerful engine in support of migrations. Replications with namespaces should be set for: o Custom OS releases since they need to be available in all sites. Replication should be set one-way only from the lab’s release folder to production servers. If multiple sites exist, replication should also go one-way from the central production site to all other sites. o Software releases since they will be required for the deployment. Once again, oneway replication from the lab to production servers is all that is required. If multiple sites exist, use the same strategy as for OS releases. o Profile protection should be captured from their location, stored on a local server and replicated to a central site for backup and protection. If a namespace is also used, then the profile protection scripts only need reference one single share name. Both of these scenarios are provided by default in the File Server Management console of WS03 R2 (see Figure 5.7). Setting these scenarios up is very straight forward. • Data mirroring: SQL Server 2005 SP1 offers data mirroring services which are pretty straightforward to set up. As the project proceeds, you’ll find that there is data held within the various SQL Server databases that should be available in production. Using the data mirroring feature of SQL Server 2005 SP1, you can simply replicate this data from the lab to production servers. Data mirroring in this case is usually targeted one-way from the lab to the central production environment only. • Switch and router configuration: In some instances, organizations modify the default settings of their switches and/or routers to block multicast traffic. Many network administrators do so to stop users from watching or listening to streaming feeds from the Internet. But, even if this is necessary, this traffic should be blocked only at the gateway to the Internet, not on the links to the internal network. Make sure your routers and switches will support the ability to stream multicasts to PC endpoints so that you can save considerable time and effort during your deployment as you should be using a multicasting tool for deployment. Or, if you can’t or don’t have access to their configuration, then select a tool that will rely on proxies to perform WAN multicasting, bypassing routers and switches altogether and keeping all multicasting traffic on the LAN. These different activities will ensure that the deployment project has all of the server-based support it needs to complete smoothly. Other activities are also required, but these will be in support of operations, not deployment. 130 Chapter 5 Figure 5.22. Creating replication scenarios in WS03 R2 is as easy as following a simple wizard Vista OS Management Infrastructures With Windows Vista, Microsoft elected to change and modify several different aspects of Windows management. Many of these will not be fully effective until Windows Server Codenamed “Longhorn” is released later this year. For example, even though the network access protection (NAP) client is built into Vista, Microsoft does not currently offer any NAP server service. But some of the technological improvements are available now. Active Directory can manage Vista Group Policy Objects (GPO), WS03 can manage folder redirection, WS03 can manage Vista licensing and you can take advantage of some of the new security features built into the PC OS. These activities will require server administration assistance since they will impact central services. 131 Chapter 5 Manage Vista GPOs Any organization that has taken the time to design and deploy an Active Directory forest and domain structure within its network has already realized the power and potential of this tool. That’s because AD is not only designed to provide authentication and authorization as was the domain in Windows NT, but it is also designed to provide a complete infrastructure for the management of users, groups, printers, servers and PCs. All of these objects are managed through GPOs—directory objects that are designed to define the way a user’s computing environment appears and behaves. GPOs were first introduced with Windows 2000 and are supplemented each time a new operating system (OS) or a significant update to an operating system is released. For example, Vista brings more than 800 new settings to Group Policy among other changes. For best practices information on how to design an Active Directory for object management, download this free chapter from Windows Server 2003: Best Practices for Enterprise Deployments published in 2003 by McGraw-Hill Osborne at http://www.resonet.com/Documents/007222343X_ch03.pdf. With its extensive settings and controls, Group Policy provides an extremely powerful engine for the management of every aspect of a system’s configuration from compliance to security baselines. GPOs can control registry hives, assign scripts, redirect data folders, deploy software and manage security settings. And, if you don’t find the one setting you need to control, you can always add a custom administrative template to the mix and make your own modifications. Most organizations using AD will use GPOs extensively, but will ensure that each GPO is designed to manage a single object type. This means that some will be designed to manage users, others will manage PCs and still others will manage servers. Segregating GPOs in this manner will not only improve the speed with which each GPO will be processed, but will also help in your delegation of administration structure. Group Policy is an excellent vehicle for system administration, but it is possible to overdo it. Begin your Vista GPO strategy by inventorying the GPOs you have in place and then look them over to see if there is room for rationalization. Since Vista brings so many new settings, you don’t want to find yourself in a situation where you are proliferating GPOs. Microsoft provides a good tool to inventory Group Policy which can be found at http://www.microsoft.com/downloads/details.aspx?FamilyID=1d24563d-cac9-4017-af148dd686a96540&DisplayLang=en. To learn how to rationalize the number of GPOs in your network while providing compete management services, download Redesigning GPO Structure for Improved Manageability at http://www.reso-net.com/download.asp?Fichier=P73. While in previous versions of Windows, GPO processing occurred through the WinLogon process, in Vista, Group Policy processing has been decoupled from this process to run on its own, providing a more robust processing model. In addition, Microsoft has added several classes of objects that were previously difficult if not impossible to manage through GPOs (see Figure 5.7). 132 Chapter 5 Figure 5.23. New GPO settings in Windows Vista Some important new settings include: • Device Installation to control whether or not users can plug in devices such as USB drives. • Folder Redirection which has been vastly improved to protect a complete user’s profile. • Print Management which is tied to the WS03 R2 ability to publish printers through GPOs. • Local Services which allow you to automatically change settings on PCs to match an employee’s language settings. • Logon and Net Logon to control the logon behavior. • Power Management to help reduce the power consumption of PCs in the enterprise. • User Account Control which lets everyone run with a standard user token. 133 Chapter 5 • Wireless client controls to ensure that wireless connectivity conforms to organization policies. • Windows Components including everything from Movie Maker to the Windows Sidebar. • Windows Firewall which controls the state of the firewall both when connected to the internal network and when roaming outside the office. There are many more settings. Take the time to review all of them and determine which ones should be set. Since these settings control mostly PCs, it will be the PC team that will identify which settings to apply along with recommendations from the server team. But one aspect of GPOs for Vista that affects server administrators is the new format Vista uses for administrative templates. For guidance on deploying Group Policy with Vista go to http://technet2.microsoft.com/WindowsVista/en/library/5ae8da2a-878e-48db-a3c14be6ac7cf7631033.mspx?mfr=true. Prior to Windows Vista, all GPO definition templates used an ADM file format—pure text files that were organized in a structured manner. With Vista, Microsoft is introducing the ADMX format—a format based on the Extended Markup Language (XML) which provides much richer content for GPO templates. ADMX templates are now language independent, globalizing Group Policy settings. Each ADMX file is accompanied by one or more ADML files which include language-specific content. Global organizations will want to include an ADML file for each language their administrators work in. In addition, ADMX files can be centrally stored as opposed to the distributed approach used by ADM files—one on each domain controller in a particular AD domain. And, because of the increased number of policy settings in Vista, 132 ADMX files are included in the release version of Vista. Because of the changes to Group Policy in Vista, the ADMX format is incompatible with the ADM format meaning that environments managing a mix of Windows 2000 and/or XP with Vista will need to either translate their existing templates to ADMX format or create new ones. Organizations that want to make sure critical settings are applied to all of their Windows clients will need to put in place a strategy that will support the translation of ADM to ADMX and vice versa, but of course, only for the settings that apply to any Windows version. AMD/ADMX Conversion Tool Microsoft licensed an ADM to ADMX conversion tool from FullArmor Corporation. This free utility is available at http://www.fullarmor.com/ADMX-download-options.htm . 134 Chapter 5 While server administrators will not be involved as of yet with the conversion of ADM to ADMX templates, they will be involved with the creation of the central store for ADMX templates. In previous versions of Windows, each time a new ADM template was created it would be copied from the local system to the SYSVOL share on the domain controller. It would then be copied to every DC in the domain. With Vista, ADMX templates are referenced locally on the PC they were generated from, but if you have several PC administrators working on these templates, you’ll want to create a central storage container that everyone will reference when working on new or existing templates. Creating a central store is easy, but it needs to be planned and performed by server administrators. 1. Log on with domain administrative rights. 2. Locate the PDC Emulator domain controller in your network. The easiest way to do this is to open the Active Directory Users and Computers console and right-click on the domain name to choose Operations Masters, click on the PDC tab to find the name of the DC. Then use Explorer to navigate to its SYSVOL shared folder. You use the PDC Emulator because it is the engine which drives GPO changes in the network. 3. Navigate to the SYSVOL\domainname\Policies folder where domainname is the DNS name of your domain. 4. Create a new folder called PolicyDefinitions. 5. Copy the contents of the C:\Windows\PolicyDefinitions from any Windows Vista PC to the new folder you created in step 4. 6. Include the appropriate ADML folders. For example, US English systems would use the en-US folder. 7. Launch the Group Policy Editor (GPEdit.msc). It will automatically reference the new central store as will all editors on any Vista PC in your domain. Test this in the laboratory and then introduce the change to production when you begin the deployment. Note: There is no Group Policy interface for loading ADMX files into a GPO. If you want to add new settings based on an ADMX file, create the ADMX file and copy it to your central store. It will appear in the Group Policy Object as soon as you reopen the GP Editor. A spreadsheet listing all of the new GPO settings in Vista can be found at: http://www.microsoft.com/downloads/details.aspx?FamilyID=41dc179b-3328-4350-ade1c0d9289f09ef&DisplayLang=en. 135 Chapter 5 Manage Vista Folder Redirection As with former versions of Windows, Vista includes the ability to automatically redirect common user folders to central locations. This policy is much better than using roaming profiles because it will automatically reconnect users without having to download a vast amount of content and it is transparent to the user. In addition, Vista can localize the experience, automatically renaming common redirected folders into the appropriate language the user prefers. This means that folders such as Documents are named in the proper language when localization is enabled. Other folder redirection enhancements include better synchronization. Vista includes a new synchronization engine that relies in delta compression replication—that’s right, the same DCR that is available in WS03 R2 with DFSR. This provides a much better performance enhancement than with any previous version of Windows. These enhancements make folder redirection the best choice for protection of user documents and preferences. In addition, if you implement folder redirection with your launch of Vista, future migrations will make personality protection much simpler and easier than when profiles are stored locally. Server administrators need to be involved in this activity because folder redirection relies on central folder shares. The biggest concern here is providing proper amounts of folder space for each user as well as making sure there is a strong backup and protection policy for these folders. Manage Vista Security There are several different aspects of security that you need to manage with Windows Vista— networking, wireless, User Account Control, and more—but one of the most important is the ability to run more than one local Group Policy Object on a system, up to three in fact. Vista applies these local GPOs in layers. As in previous versions of Windows, the first layer applies it to the computer system. The second applies it to a local group, either the Administrators or a Users group. The third can apply a local policy to specific local user accounts. This gives you a lot more control over computers that may or may not be connected to an AD structure. The use of multiple local policies can make it easier to ensure that highly protected systems use different settings based on who is logging on, something that was a challenge in previous versions of Windows. To create multiple local GPOs, use the following steps: 1. Log on with local administrative rights. 2. Launch a new Microsoft Management Console using Run, mmc /a. 3. In your new console, go to File, Add/Remove Snap-in. 4. In the left pane, scroll down until you find the Group Policy Object snap-in and click Add. 5. For the first GPO which is applied to the local computer, click Finish. 6. Add another GPO snap-in. 7. In the Select Group Policy Object dialog box, click the Browse button. 8. In the Browse dialog box, click on the new Users tab (see Figure 5.9). 9. Select Administrators or Non-Administrators and click OK. Click Finish to add this GPO. 10. You can repeat steps 6 to 9, this time selecting a specific user account if you need to. 136 Chapter 5 Edit each GPO setting as needed. Then, in order to apply these policies to multiple systems, copy them into the PC system image that you will be creating for these system types. Figure 5.24. Applying a Local GPO to the Administrators group. There is a lot of information related to Vista security and one of the best sources for this is the Vista Security Guide: http://www.microsoft.com/downloads/details.aspx?FamilyID=A3D1BBED-7F35-4E72BFB5-B84A526C1565&displaylang=en. Manage Vista Event Logs The Event Log is one of the best ways to discover if anything untoward is going on in your system. And, if you’re using Vista, you’ll soon discover that its Event Log records a host of events that were unheard of in previous versions of Windows. In these previous versions, Microsoft used a number of different mechanisms to record events. Many products and subfeatures of Windows recorded information in their own logs as if they didn’t even know the Event Log existed. It’s no wonder that most administrators didn’t even bother to verify any logs unless a specific event occurred or they were spurred on by others: security officers for example. It was just too much work. With Vista, most of these tools now record events properly and store them into the Event Log (see Figure 5.10). This is bound to make administration of Vista PCs easier, but of course, only when all your systems have been upgraded to Vista. 137 Chapter 5 Vista’s Event Viewer now categorizes events to make it easier to understand what changes have been performed on the system. Vista also provides detailed information on events, demystifying those arcane numbers and messages you could never understand. In addition, Vista can forward events to a central collector. Right now, that collector is another Vista PC since Windows Server Codenamed “Longhorn” is not released yet, but it is still a step forward. Server administrators should be aware of these changes in preparation of the release of Longhorn Server. This is one reason why they should assist the PC operations team with Event Log configuration. This will get them ready for event management when Longhorn Server is released. Figure 5.25. The Vista Event Viewer is rich with information. Manage Vista Licenses Organizations with volume license agreements with Microsoft will find they will need to implement a central Key Management Service (KMS) to activate and maintain Vista PC activation in their network. As mentioned in Chapter 2, anyone using a volume activation key (VAK) will need both activation and re-activation in order to maintain a proper level of user experience with the system. This protects volume activation keys in ways that have never been possible before. Organizations using multiple activation keys can also rely on KMS to provide activation services. The major difference between the MAK and the VAK is that the MAK requires only a one-time activation. The VAK requires constant re-activation (every 180 days). In addition, the MAK requires a communication with Microsoft at least through the proxy service if not from each machine using a MAK whereas VAKs never require access to Microsoft’s activation Web site. You can set up the Key Management Service on either Vista, Windows Server 2003 with SP1 or Longhorn Server. At the time of this writing, Longhorn Server was not available and, since you would not want to put this essential service on a workstation, Vista is not an option. Therefore, you should install this service on WS03 SP1. Make sure you run it on at least two servers to provide redundancy, 138 Chapter 5 For more information on Volume Activation in general and to set up a KMS service, go to http://www.microsoft.com/technet/windowsvista/plan/volact1.mspx. To download KMS for WS03 with SP1, go to http://www.microsoft.com/downloads/details.aspx?FamilyID=81d1cb89-13bd-4250-b6242f8c57a1ae7b&DisplayLang=en. Support the Operations Team As you can see, there are several different operations which need to be performed by server administrators in the Vista PC migration process. Several are outlined here and you will no doubt discover more as you work on your own migration project. This is why it is so important for the server team to take an active role in the outline, preparation, and delivery of the technical solution you will create to manage this new operating system. Server team members should be ready to assist with any operation and should ‘audit’ non-server operations such as PC system image creation as this process will be carried forward to the coming Longhorn Server release. This will help give them a heads up for when it is their turn to deploy new technologies and new services. In addition, server team members will be called upon to assist in the transition of project administration and operations procedures to production operations staff. If server team members participate early and eagerly in this process, then they can guarantee that there will be no administrative ‘surprises’ once the project is complete. 139 Chapter 6 Chapter 6: Preparing Applications Application or software management is one of the most challenging activities related to PC management and migration. Application incompatibilities, application conflicts, application installations, application delivery, application license management, application retirement are only a few of the issues you must master if you want to be in complete control of your desktop and mobile network. In fact, an entire science has been built around the management of software and applications with both manufacturers and experts weighing in to add their grain of salt. As you might expect, the focus of this chapter is to help you make sense once and for all of how to prepare, distribute, manage and control applications in your network. First, some definitions: • The term program refers to compiled code that executes a function. • The term application software refers to programs designed to operate on top of system software such as an operating system. This differentiates between the OS and the programs that run on top of it. • The term software usually refers to an off the shelf commercial program. This category includes items such as Microsoft Office, Adobe Acrobat, Corel Draw, Symantec Corporate Antivirus, and so on—all commercial products you can buy discretely for your organization. • The term application usually refers to custom in-house development. This category includes anything that you develop in-house or that you have developed through outsourcing, but is a custom version of a tool that will only be used by your organization. It includes items such Web applications, line of business systems, or anything that is generated by tools such as Microsoft Visual Studio. It also includes user-developed programs such as those created with Microsoft Access or even just macros and templates created in Microsoft Office. Many sources use the terms software and application interchangeably, but in an effort to avoid confusion as much as possible, this guide will use the term applications to refer to both applications and software. If a specific reference is required to either commercial software or inhouse applications, they will be addressed as such. You might wonder why applications are discussed before operating system images in this guide. In any migration project, the bulk of the engineering work is focused on application preparation and the larger the organization, the greater the effort required. This is why it is so important to stringently apply the rationalization principles outlined in Chapter 5—they help reduce this massive level of effort and keep it as minimized as possible. Since applications take considerable time to prepare, it is a good idea to begin this preparation process as soon as possible in the project. This way, applications will be ready if and when they are needed by the OS team as they build the standard operating environment (SOE) that will be deployed in your network. There is no better time to build and implement a structured application management strategy than during a migration project. Each and every application in your network must be examined for compatibility, it must then be packaged, and then delivered to endpoints along with the new OS. Since you’re making all this effort, why not take the time to revise your application management strategy and reconsider your approaches to application deployment? 140 Chapter 6 If you will be doing in-place upgrades, you will not have to redeploy every application to your desktops. Of course, few people opt for the in-place upgrade as it has a very poor reputation from previous versions of Windows. While the in-place upgrade actually works in Vista, you still need to remove and replace key applications such as anti-virus or other system utilities and you may need to provide corrections for some of the applications that exist on the upgraded systems. Whichever OS deployment method you choose, you need to review your application strategy during this deployment as you should in every deployment. This is the goal of this chapter: to help you develop a structured application management strategy that will help ensure you are always compliant in terms of usage and licensing as well as responding to business needs. To do so, this chapter provides a structured look at each activity related to application management. These include: • Windows Vista features in support of application operation • Tools which assist in application compatibility testing • The components of a structured application management strategy • The components of a structured system management strategy • Application packaging activities • Application virtualization and application streaming • Application distribution mechanisms • Preparation for system and application deployment Each of these items forms a cornerstone of a structured application management strategy. You are now at application preparation in the deployment process (see Figure 1). Activities in this part of the project are performed by the PC team (see Figure 6.2). In fact, the PC team now begins several engineering activities that will continue throughout the Organize phase of the QUOTE system until every element of the solution is brought together for integration. 141 Chapter 6 Figure 6.26. Moving through Step 6 in the DDL Figure 6.27. Activities in this step focus on the PC team 142 Chapter 6 Application Support in Vista By now, you have had a chance to play with and examine Windows Vista and are becoming familiar with its core feature set. You should also be aware that many, many things have changed in Vista and no longer work as they did in previous versions of Windows. This is the case for application support. Microsoft has changed the very structure that Windows uses in support of applications. Of course, Windows Vista still offers a central control environment that exposes all hardware and system resources to applications, but the way applications interact with the system is once again, different from previous Windows structures. • For an overview of application compatibility in Vista, see Application Compatibility in Vista, Working as a Standard User available at: http://www.reso-net.com/presentation.asp?m=7. In addition, like every version of Windows since Windows 2000, Vista includes the Windows Installer service (WIS). In Vista, WIS has been upgraded to version 4.0—a version that is only available for Vista or Longhorn Server. Ideally, each application you install on Vista will be able to take advantage of this service to integrate properly to the operating system. • For more information on Windows Installer in general and Windows Installer 4.0, download Working with Windows Installer, a free white paper from Resolutions Enterprises Ltd. and AppDeploy.com from either http://www.reso-net.com/articles.asp?m=8 or www.appdeploy.com/articles. Several other items have changed in Vista and each of them affects applications in some way. • Release-related changes: 1. Version numbers have changed for Windows Vista. It is now version 6.0. Applications that look for specific versions and have not been updated to include version 6 of Windows will fail. 2. Vista also includes a 64-bit version which is highly compatible to 32-bit, but has some key changes that affect application operation. Microsoft has not made any official statement to this effect, but Vista may well be Microsoft’s last 32-bit desktop OS. • Changes focused on security: 1. User Account Control (UAC) now runs all processes with a standard user token. Applications that require elevated rights will fail unless they are Run as Administrator. 2. Windows Resource Protection (WRP) has been enhanced to include registry keys as well as critical files and folders. Applications that write to protected areas of the registry or the Windows folder structure will fail. 3. Session 0 is now completely restricted. Session 0 includes only kernel mode processes. Applications now run exclusively in user mode. Applications that need to operate in kernel mode will fail. 4. The Windows Firewall has been enhanced. It now relies on the Windows Filtering Platform, a new system that filters at several layers in the networking stack and throughout the operating system providing better system protection. Applications that cannot take into account firewall restrictions will fail. 143 Chapter 6 5. The Vista Web platform has been upgraded to Internet Information Services (IIS) version 7. IIS 7 now includes a completely componentized structure letting administrators install only those components that are required to deliver Web services. The logic is that a component that is not installed does not need patching and cannot become a security risk. Applications that have not been updated to operate with IIS 7 will fail. 6. The .NET Framework for Windows Vista has been upgraded to version 3.0. Managed code that is not compatible with .NET Framework 3.0 will fail though older versions of the .NET Framework can be installed on Vista. 7. The assembly identity grammar for managed code has been modified in Vista. The best example of this is the new logon screen and logon structure. Vista no longer relies on the Graphical Identification and Authentication (GINA), but uses the Credential Manager for logons. Applications that do not take this into account will fail. • Changes that may hinder the user experience: 1. Vista now supports Fast User Switching (FAS) even when joined to an Active Directory. Applications that do not support FAS may cause compatibility issues for end users. 2. Windows Vista sports a new Desktop Window Manager (DWM). DWM is designed to support several new features—Flip3D, a new structure for switching windows which includes content previews and content previews of open applications on the task bar—all of which will cause incompatibilities or at the very least inconveniences to users when applications do not support these new features. 3. Vista includes some shell or Windows Explorer changes that may affect applications. For example, the Documents and Settings folder has been replaced and split into two. The Users folder now includes all user data and the Program Data folder includes application settings. Applications that do not rely on variables and use hard-coded values will fail. Vista also includes new user interface themes. Applications that do not take advantage of these themes will cause operational issues. • Other changes that affect users: 1. Vista no longer supports kernel mode printer drivers, only user mode drivers are allowed. 2. Some components are deprecated and no longer available. These include FrontPage Server Extensions, Point-to-Point (POP3) services and Services for Macintosh. Other strategies are in place for these features. Windows SharePoint Services replace the FrontPage extensions and Services for UNIX replace the previous Macintosh services. 3. Two older Help File formats are also being deprecated. Vista will no longer use the CHM or HLP Help File formats. Help is now all based on XML data structures. 144 Chapter 6 These fifteen system changes all affect application compatibility to some degree, but in many cases, there are workarounds. Here are the most common: • Version checking can be corrected in a number of ways. It may be possible to edit the installation file to include the new Windows version, but in some cases this may not be enough especially if the application includes internal version checking that it relies on before operation. If you cannot change the internal version for the application, you might be able to run it in a Windows OS compatibility mode. Vista includes support for Windows versions from 95 to XP SP2. • 64-bit versions of Vista will require applications that are at the very least 32-bit. That’s because 64-bit versions no longer include any support for 16-bit applications. In some cases, Vista will automatically replace 16-bit installers with their 32-bit equivalents, but the ideal mitigation strategy is to run 64-bit applications on x64 versions of Vista. • User Account Control will generate most of the compatibility problems you will face, especially during application installation. Applications may not install or uninstall properly because they cannot use elevated rights to do so. You can modify the installation logic of the application to make sure it requests elevation properly. This is done in the Windows Installer file for the application. Another option is to run the installation interactively with administrative credentials, but this would obviously only work in very small shops. Finally, if you cannot change the code, then you may have to use one of two options. The first is to give elevated rights to your users which is not recommended. Why bother having UAC if you don’t use it? The second is to look to commercial application compatibility mitigation tools. • Windows Resource Protection will also generate a fair share of compatibility issues. Applications that persist data in either the Program Files or the Windows folders fail because they do not have write access to these locations. The same goes for applications that try to replace system dynamic link libraries (DLL). WRP does not allow any changes to these key components. Mitigation strategies include running the application in compatibility mode; modifying the application so that it will write to the new C:\Users and C:\Program Data folder structures as well as in the HKEY_Current_User section of the registry; or once again, look to commercial application compatibility mitigation tools. Note: Several products are designed specifically to overcome application access rights limitations. These products provide appropriate access rights on a per user basis when otherwise the application would fail due to WRP or UAC. They either use a local agent to do so or use Group Policy extensions to apply rights through Active Directory. These tools are better than modifying access rights directly for an application to run because of several reasons. First, the modifications they make are not permanent and do not affect the system for the long term. Second, the modifications are on a per user basis and therefore are not available to every user of the system. And third, these tools are policy-driven and centrally-controlled. This makes them good stop-gap measures when modifying the structure of an application is not possible. Vendors of application compatibility mitigation tools include: Altiris Application Control Solution: http://www.altiris.com/Products/AppControlSol.aspx BeyondTrust Privilege Manager: http://www.beyondtrust.com/products/PrivilegeManager.aspx 145 Chapter 6 • Session 0 issues or issues related to user versus kernel mode operation are also a cause of incompatibility. These issues are rare, but when they do occur, they break applications completely. In Vista, only services can run in session 0. In addition, session 0 does not support any user interface. Applications fail or worse crash when they try to display a user interface in session 0. To mitigate this issue, Vista includes the ability to redirect user interfaces from session 0 to user sessions. But the ideal mitigation is to update the application to use global objects instead of local objects and have all user interfaces displayed in user mode. Other issues will be discussed as we address them, but you can see that there are a number of potential issues with applications running on Vista. Of course, if you have the means to upgrade every commercial application in your network and run at least proper 32-bit versions, then your issues will be limited, but few organizations have the ability to do this. In our experience, organizations running deployment projects will have budget for the upgrade of some, but not all applications. Applications such as productivity suites, antivirus applications and perhaps backup applications will be upgraded as part of the OS deployment project, but every other application will need to have a separate budget to pay for their upgrade. In most cases, they are not upgraded and are transferred over in their current state. This is another reason for rationalization. It will often be custom in-house applications that will cause the most grief. Of course, if you use proper development strategies and program applications according to best practices and Windows Logo—the recommended structure Microsoft provides for applications running on Windows—guidelines, then you will have few issues, but this is not always the case. If you don’t want to end up running a parallel redevelopment project for mission critical corporate systems, then you’ll turn to the application compatibility mitigation strategies outlined in this chapter. • For more information and access to a list of tools for application compatibility, go to the Vista Application Compatibility Resource Guide at http://technet.microsoft.com/enus/windowsvista/aa937621.aspx. Vista Application Compatibility Features From the previous list of the fifteen system changes in Vista, you’d think that all you’ll run into are application compatibility issues. Surprisingly, or perhaps not as Microsoft planned for it, very few applications have issues with Vista. Of all of the applications we run here at Resolutions, none of them had any issues. Of course, we had to upgrade anything that interacted at a low level in the operating system such as antivirus, disk defragmentation, or other utilities, but once that was done, most other applications worked just fine. In most cases, this is exactly what you’ll find in your own networks. 146 Chapter 6 • Microsoft is keeping track of each application that passes either the designed for Windows Vista or the compatible with Windows Vista bar and is providing weekly updates through Knowledge Base article number 933305. See http://support.microsoft.com/kb/933305 for more information. At the time of this writing this article listed 129 designed for Vista and 922 compatible with Vista applications. • Microsoft recently released an application compatibility update for Windows Vista. It is documented in Knowledge Base article number 929427 and can be found at http://support.microsoft.com/kb/929427. Make sure your systems include this update before you deploy them. • Also, the ieXBeta site includes a list of applications that work, that have issues and that don’t work with Windows Vista at http://www.iexbeta.com/wiki/index.php/Windows_Vista_Software_Compatibility_List. • The University of Wisconsin also publishes a list of compatible applications for Vista at http://kb.wisc.edu/helpdesk/page.php?id=5175. Microsoft has documented known issues with applications in several tools they have made available for application and system compatibility checking. Chapter 1 introduced the Vista Upgrade Advisor (VUA). This tool installs and scans one machine at a time so it’s not an enterprise tool by any means, but if you run it on some of the most typical and even the most challenging PC configurations in your network, it will give you a very good idea of the issues you’re likely to run into. VUA requires administrative rights for both the installation and the scan you run—very weird things happen with VUA if you run it as a standard user. If you want a quick peek at how challenging your application picture will be, then run the scan on a few systems and print out the report. For a more advanced application compatibility analysis, you’ll want to use the Application Compatibility Toolkit (ACT) which is discussed below. Among other things, ACT can provide a systems-wide scan of all PCs and report on the state of their applications. But, it is also important to know which features Vista itself includes for application compatibility. There are several: • File and Registry Virtualization • 64-bit Support for 32-bit Applications • Program Compatibility Assistant • Windows Installer version 4.0 In addition, Microsoft has provided additional tools to assist in-house development projects in analyzing potential compatibility issues. 147 Chapter 6 Vista File and Registry Virtualization Because of some of the changes in the operating system and because of the implementation of Windows Resource Protection, Microsoft has instituted a small form of file and registry virtualization in Windows Vista. This is a small form of virtualization because Microsoft elected to provide only basic support for virtualization. For full application virtualization, organizations must look to commercial tools. Vista’s file virtualization is designed to address situations where an application relies on the ability to store files in system-wide locations such as Windows or Program Files. In these cases, Vista will automatically redirect the file to a folder structure called C:\Virtual Store\SID\Program Files\... where the SID is the security identifier of the user running the application. Similarly, Vista’s registry virtualization redirects system-wide registry keys. Keys that would normally be stored within the HKEY_Local_Machine\Software structure are redirected to HKEY_Classes_Root\VirtualStore\Machine\Software. Vista-based virtualization does not work with every application but it does work. You’ll have to test each suspect application to determine whether it interacts properly with this level of virtualization or if it needs repairs. 64-bit Support for 32-bit Applications As mentioned earlier, x64 versions of Windows Vista do provide support for 32-bit applications but no longer run 16-bit applications. Each x64 system includes a Windows on Windows or WOW64 emulator which runs 32-bit applications. This WOW64 emulator will also be able to convert some well-known 16-bit installers into their 32-bit equivalents. This is done through the inclusion of some installer mappings within the registry. But x64 systems do not support the installation of 32-bit kernel mode drivers. If kernel mode drivers are required, they must be 64-bit and they must be digitally signed. Digital signature of drivers ensures they are the actual drivers provided by the manufacturer and they have not been tampered with. In addition, x64 systems make it easy to identify x86 processes—each process includes a *32 beside the executable name in Task Manager. They also include a special Program Files (x86) folder along with the standard Program Files folder to differentiate between installed 32 and 64bit applications. For files installed in the Windows folder, a special SysWOW64 folder is used instead of the System32 folder. And the registry includes a special key called HKEY_Local_Machine\Software\Wow6432Node to store 32-bit information. The WOW64 emulator automatically redirects all 32-bit application requests to the appropriate supporting structure. x64 systems offer better memory support than their x86 counterparts accessing up to 32 GB of RAM and 16 TB of virtual memory and because they do not have the operational limitations of 32-bit processors, 64-bit processors can grant a full 4 GB of memory to running 32-bit applications, something they will never be able to obtain on a x86 system. 148 Chapter 6 Because of these support features in x64 systems, moving to an x64 platform does not have to occur all at once. You can begin with the move to the OS itself along with low level utilities and continue to run 32-bit applications. Then you can migrate your applications one at a time or on an as needed basis until your entire infrastructure is migrated to 64-bits. You should normally experience noticeable performance improvements as soon as you begin the process. • For an overview of a migration to x64 systems, see Move to the Power of x64, a session presented at Microsoft Management Summit 2007 available at: http://www.reso-net.com/presentation.asp?m=7. Program Compatibility Assistant Microsoft also introduced the Program Compatibility Assistant (PCA) in Vista. PCA replaces the Program Compatibility wizard in the Help and Support as well as in the Compatibility tab of an executable’s file properties in Windows XP. PCA is designed to automate the assignment of compatibility fixes to applications when they are required. PCA runs in the background and monitors applications for known issues. If an issue is detected, it notifies the user and offers solutions. Note that PCA is a client-only feature and is not available for servers and as such will not be in the Longhorn Server OS. PCA can detect and help resolve several issues: • Failures in setup programs • Programs failures while trying to launch installers • Installers that need to be run as administrator • Legacy control panels that may need to run as administrator • Program failures due to deprecated Windows Components • Unsigned drivers on 64-bit platforms In addition, PCA manages its own settings in the registry and will automatically inform users about compatibility issues with known programs at startup. PCA can also manage application Help messages. Programs can be excluded from PCA through Group Policy. Group Policy can also be used to control the behavior of PCA on PCs. After all, you don’t want users being pestered by PCA messages once applications are deployed. PCA automatically pops up when issues arise (see Figure 6.3) and will automatically reconfigure application compatibility settings based on known issues. These settings appear in the Compatibility tab of a program executable’s file properties (see Figure 6.4). 149 Chapter 6 Figure 6.28. A Program Compatibility Assistant Message Figure 6.29. The Compatibility Tab demonstrates that Vista supports several compatibility modes PCA modifications are applied at the individual user level in keeping with the user mode approach used by Vista. Settings can be modified for all users, but elevated privileges are required to do so. This lets PCA work even with standard user accounts. Of course, PCA is not the solution for all applications, but it is a start and will make sure many applications that would normally fail will work properly in Vista without modification. 150 Chapter 6 Windows Installer version 4.0 As mentioned earlier, Vista also includes a new version of Windows Installer, version 4.0. There are strong arguments made for the inclusion of all software installations to this service, mostly because of the powerful feature set it offers. WIS offers many features, but the most important are: • Application self-healing—if untoward events occur in the structure of an installed application, WIS repairs it before it starts. • Clean uninstallation and installation rollback—Because WIS relies on an installation database, it can undo any changes it makes to a system and do so cleanly in the event of a failed installation or in the event of a complete removal of an installed application. • Elevated installation rights—WIS is designed to work with Group Policy Software Delivery to provided automatic rights elevation when applications are installed. • Integrated patching capabilities—WIS will support in-line patching of installed applications as well as the update of installation logic to include patches prior to application installation. There are many more features and readers interested in knowing more should look up the white paper mentioned at the beginning of this section (Application Support in Vista). Anyone using a standard application management strategy in Windows should endeavor to integrate all applications to WIS and many organizations have already done so. But, application installation packages that are designed as MSIs—the WIS file format—will not necessarily work with Vista because of the enhancements to WIS 4.0. Many commercial application packaging tools support the evaluation of existing MSIs against the requirements of WIS 4.0 through the application of internal consistency evaluator (ICE) rules provided by the WIS 4.0 software development kit and report on required changes. WIS now supports several Vista features: • The Restart Manager, a tool designed to stop and restart applications while patching occurs instead of causing a system restart. • User Account Control to properly elevate rights during silent installations. • User Account Control patching to ensure patches use proper rights elevation when applied. • Windows Resource Protection to properly redirect files and registry settings when applications are installed. The support of these new features should be carried through to all MSI packages. And, to make sure packages work properly, each MSI should include a manifest that describes the application components to the OS. It also might be easiest for organizations to digitally sign all software packages if they haven’t already been signed by manufacturers to avoid future issues related to UAC once the application is deployed. For example, software packaging products such as Altiris Wise Package Studio (http://www.altiris.com/Products/WisePackageStudio.aspx) allow organizations to not only upgrade existing packages to function with WIS 4.0, but also allow them to capture legacy installations and transform them into WIS 4.0 compatible installations. 151 Chapter 6 Microsoft ACT version 5.0 Since applications form such a big part of every OS deployment project, Microsoft has endeavored to build tools that help mitigate migration efforts. The Application Compatibility Toolkit is one such tool. ACT has been around for several generations, but Microsoft took special care to provide as many features as possible in ACT version 5. As has been mentioned before, ACT requires a SQL Server database to store data. The server team should already have been preparing this database service in support of the migration effort. So, if you decide to use ACT, you can simply make use of the existing database service at installation. ACT uses a simple three step process for compatibility evaluation: First, it inventories applications and gathers application compatibility data through its built-in evaluators. 69. Then it lets you analyze applications, letting you prioritize, categorize, rationalize and otherwise consolidate applications. This is done partly through the tracking data that ACT can collect from end user systems. Additional data can be collected by synchronizing your local ACT database with the online Application Exchange. 70. Finally, it lets you test and mitigate compatibility issues if they arise by packaging fixes and corrections for the applications. ACT includes several compatibility evaluators: • User Account Control Compatibility Evaluator (UACCE) which runs on XP and detects when applications attempt to modify components a standard user does not have access to. It can also tell you whether the file and registry virtualization included in Vista would correct this behavior. • Internet Explorer Compatibility Evaluator (IECE) which runs on both XP service pack 2 and Vista to detect issues related to IE version 6 and IE 7, especially the latter’s execution in protected mode. • Update Compatibility Evaluator (UCE) which runs on Windows 2000, XP and WS03 to detect applications that depend on files or registry entries that are affected by Windows Update. • Windows Vista Compatibility Evaluator (WVCE) which enables you to evaluate issues related to the GINA deprecation, session 0 and other Vista deprecations. ACT includes an Inventory Collector which is in the form of an executable package that must be installed on each local machine. Installation of the collector requires elevated rights. In managed environments where everyone is running as a standard user, you will need to use a deployment method to install this package. Once installed, the package runs for several days or weeks, inventorying the applications on a system, analyzing potential compatibility issues, and analyzing application use. It then reports back to the central ACT database, creating an entry for each system (see Figure 6.5). 152 Chapter 6 Several tools are available for the remote installation of the collector package on a system. These tools are required because administrative rights are required for installation. If you already have a systems management system in place such as Altiris Deployment Solution or any other product, then you can rely on this tool for the deployment of the ACT package. If not, then you can either look to the recommendations in Chapter 4 to select one. But, deploying a systems management infrastructure may be overkill at this point. After all, you only want to install this one component and a deployment of a systems management infrastructure, if it is part of your project, will come as you deploy new OSes. Several more discreet tools can support this installation. For example, iTripoli (www.iTripoli.com) offers AdminScriptEditor (ASE). ASE allows you to generate scripts that can run in different administrative contexts, encrypting the credentials to protect them. You can therefore create a logon script that will run the installation with elevated privileges in complete confidence, letting you make use of ACT without having to relax any security measures. Figure 6.30. ACT provides a central repository of application compatibility data The usage analysis is especially useful as you wouldn’t want to spend any time with applications that are installed but not used. And, if you’re so inclined, you can share your application data with the Microsoft Compatibility Exchange (MCE). MCE is a system that collects anonymous data on application compatibility. It relies on administrators like you to provide information to others. In return, you receive information others have shared on the applications that are found in your network. Microsoft also collects information from commercial application testing and the Microsoft Logo Certification program. 153 Chapter 6 While the MCE is a great idea, its value is only as good as the data it stores. There are no real standards in regard to the structure of this data or the evaluation ratings organizations will submit to this program and it is unlikely organizations will submit data on their own internallydeveloped systems. But, in regards to commercial applications and the potential issues you may encounter in relation to them, it is a valid resource. • More information on ACT can be found at http://technet.microsoft.com/enus/windowsvista/aa905072.aspx. You can also rely on the BDD 2007 guide for Application Compatibility: http://www.microsoft.com/technet/desktopdeployment/bdd/2007/AppCompact.mspx. In-house Development Compatibility Tools ACT doesn’t only include tools for IT professionals. It also includes tools for developers. ACT includes three tools for developers—tools for testing application setups, tools for testing Web sites with IE7 and tools for testing applications with UAC. Specifically, these tools are: • The Setup Analysis Tool (SAT) which will verify that installers will work correctly and avoid the issues that make them fail such as kernel mode driver installation, 16-bit components, GINA components or modification of components protected by WRP. • IE Test Tool which collects any issues related to Web sites and will upload the data to the ACT database. • Standard User Analyzer (SUA) which identifies any issues related to applications running under UAC. But ACT isn’t the only source of information for developers. Microsoft has put together the Application Compatibility Cookbook which was mentioned in Chapter 1 as well as the Windows Vista Application Development Requirements for UAC Compatibility guide. The first details application compatibility changes in Vista while the second identifies how to design and develop UAC compliant applications. A third guide outlines Best Practices and Guidelines for Applications in a Least Privileged Environment. • The Application Compatibility Cookbook can be found at http://technet.microsoft.com/enus/windowsvista/aa905072.aspx, the UAC Compatibility guide can be found at http://msdn2.microsoft.com/en-us/library/aa905330.aspx, and the Best Practices and Guidelines for Applications in a Least Privileged Environment guide can be found at http://msdn2.microsoft.com/enus/library/aa480150.aspx. Microsoft also produced a Vista Readiness Hands on Lab which works on a Vista virtual machine and runs you through the most common issues you’ll face with Vista. This lab helps you learn how these potential issues can affect your own applications. • The Vista Readiness Hands on Lab can be found at http://www.microsoft.com/downloads/details.aspx?FamilyID=5F0C8D20-A8D5-4DA3-A977E039A40D67D5&displaylang=en&mg_id=10049. 154 Chapter 6 Finally, Aaron Margosis, a senior consultant with Microsoft Consulting Services, has developed a nifty little tool to test application compatibility with User Account Control. The Limited User Access (LUA) Buglight is a free tool that scans an application as it runs to identify any activity that requires administrative rights. Once these activities are identified, it is easier to either correct the code, correct the application’s configuration or try running it in a compatibility mode because you know what specifically needs to be fixed. Aaron’s blog also provides a lot of information on potential solutions for running applications in ‘non-admin’ mode. LUA Buglight and Aaron’s blog can be found at http://blogs.msdn.com/aaron_margosis/archive/2006/08/07/LuaBuglight.aspx. Relying on these resources should greatly reduce the likelihood of running into issues when you try to run your custom applications on Vista. Develop a Structured Application Management Strategy With all of these resources to assist your assessment of compatibility for your applications, the process should be relatively smooth. Next, you’ll need to prepare the applications themselves. This is a fairly complex process as you run through each application, evaluate its compatibility, prepare mitigations if required, package the application, test deployment and uninstallation and then have the application validated by a subject matter expert prior to deployment. Considering that organizations often have a large ratio of applications per users—a ratio that tends to increase with the number of users in an organization—it is easy to understand why this process is the process that will require the largest amount of effort and resources in the project. Fortunately, there are ways to reduce this level of effort. One of the best ways to do this is to implement a lifecycle approach to application management. The Application Management Lifecycle Few organizations know offhand what software can be found in their network. Fewer still can guarantee that there are no unused software products on their users’ PCs. This issue stems from the very nature of distributed systems, but it can be circumvented with the introduction of an application lifecycle management process. This lifecycle is based on four major phases and can be applied to both commercial software products and corporate applications, though there are slight variations in the initial phases. The four phases include: • Commercial Software Evaluation or Application Preparation: This involves the identification of the requirement followed by the selection of a commercial software product and/or the design of a corporate application. • Software Implementation: This phase focuses on software packaging, quality assurance testing and deployment. • Maintenance: This phase focuses on ongoing support activities for the product. It will involve the preparation, testing and distribution of scheduled updates. • Retirement: The final phase is focused on removal of the product from the network due to obsolescence or on the reallocation of the product to someone else. A removal may be followed by a replacement which would initiate the lifecycle process once again. 155 Chapter 6 Every application has a lifecycle. It begins the moment the software development project is initiated by a manufacturer until the moment the software is retired from the marketplace. For user organizations, the lifecycle focuses more on when it is acquired, when it is deployed, how it is maintained and supported and when it is retired from the network. In the case of custom corporate applications, it begins the moment corporate developers begin to work on the project until the product is retired from use (see Figure 6.6). Every application also requires patching during its lifecycle in the network. If you adopt an application early in its lifecycle, you will need to patch it once it is deployed. If you adopt it later in its lifecycle, you will most likely be able to patch it before it is deployed. Whichever method you use, you will need to make sure your application management processes take both predeployment and post-deployment patching into account. Figure 6.31. The Application Management Lifecycle 156 Chapter 6 Manage Commercial Software Licenses You also need to include licence management as well as performance assessments in your maintenance task list. With the advent of compliance regulations for organizations of all sizes, licence management takes on a much more important role in application management today. The easiest way to perform license management is to use a proper application allocation process and make sure that it runs through the entire lifecycle, especially all the way to removal when the product is no longer needed by the user it was deployed to. There is no justification today for an incomplete or inadequate application lifecycle management strategy. Application removal is probably the most unused portion of the entire software lifecycle, yet it is the most important if organizations want to maintain a legal and compliant network. The issue is simple. When users move from position A to position B, they change their role within the organization. With new roles come new tasks, IT groups are quite adept at making sure users’ PCs are updated with the applications required to meet their new requirements because if they don’t users will be quick to log a support call. However, the same IT groups are not quite so adept when it comes to removing unused applications from the same PC. That’s because application removal is viewed as complex and cumbersome. This myth needs to be dispelled. Many IT professionals still think that the problem with application removal is that it is seldom effective. Modern applications are made up of a series of private and shared components. Removing any of these components can affect the stability of the system. Because of this, IT often makes the decision to opt for stability at the expense of legal compliance. After all, systems undergo regular hardware maintenance at which time they are reinstalled anyway. If the system isn’t compliant, it is only for a short period of time. This is one more justification for packaging applications to work with the Windows Installer service. WIS is just one feature that Microsoft has embedded into Windows operating system in support of application stability, but it is the one with the most impact because you can control the interaction of your applications with this service. WIS fully supports the complete and effective removal of every application component from a system so long, of course, as the application was installed using WIS in the first place. Proper application packaging methods will involve complete package testing and quality assurance including proper and non-damaging removal of packaged applications. This is why packaging is such an important part of application preparation in migration projects. Develop a Structured System Management Process Migration projects could not work without some form of automated application delivery to go along with the automated OS delivery the project will support. Much has been said to date about the various tools or suites you can use to do this. The fact is, medium to large organizations often run from 200 to 500 applications both in-house and commercial within their network. Managing application installations and maintenance for several hundred products can be complex. While the application lifecycle will help because it lets you understand all of the activities required to manage the application in your network, you’ll find that it also requires another model to help simplify management issues: the system stack. 157 Chapter 6 Work with a System Stack Using a system stack simplifies the application management process because it structures how computer systems are built. Few organizations will ever need to install 200 to 500 products on the same computer. Using a model for system design will ensure that applications are categorized properly and regrouped into families that work together to provide the functionality required to fulfill specific job roles within your organization. Resolutions has been promoting the Point of Access for Secure Services (PASS) model for more than 10 years (see Figure 6.7). Organizations relying on this system stack have a proven track record of proper system and application management. Figure 6.32. The PASS System Stack 158 Chapter 6 This system stack is based on the construction of a computer system that responds to corporate needs in three ways: • The PASS system “kernel” is designed to meet the needs of the average or generic user. It contains all of the software components required to perform basic office automation and collaboration tasks. In addition, it is divided into a series of layers similar to the OSI Networking Model. Like the OSI Model, it uses seven layers to provide core corporate services. Because its functionalities are required by all personnel, this kernel is installed on all computer systems. More on the kernel will be discussed in Chapter 7 as we prepare the OS system image for deployment. • Role-based applications and commercial software are added on top of the kernel to meet the requirements of the special Information Technology roles every person plays within the organization. • Finally, an ad hoc layer responds to highly specialized IT requirements that are often expressed on an individual basis. This ad-hoc layer can be applied at any time and traverses traditional vertical IT roles. In the PASS model, the kernel is considered as a closed component that is reproduced on all systems. Layers that are located beyond the kernel are considered optional for all systems. Constructing systems based on a system stack such as the PASS model greatly reduces system management efforts because it reduces the number of programs that must coexist on any system. First, a good portion of systems, sometimes up to 50 percent or even more, will only require the system kernel. Remember that the kernel should contain every single program that is either royalty-free and required by the entire organization (for example, Adobe’s Acrobat Reader or the new Microsoft XPS Document Reader), every program that is mandated by internal polices— antivirus tools for example, or every program for which the organization obtains an enterprisewide license (for example, many organizations obtain an enterprise license of Microsoft Office). Second, by grouping programs into role-based configurations, organizations are able to reduce the number of applications that must coexist on a system. Role-based configurations include every program that is required by every member of the IT role grouping. For example, Web Editors would require a Web editing tool, a graphics tool, a Web-based animation tool, and other Web-specific utilities. This group of tools can be packaged separately, but should be delivered as a single unit on all systems belonging to the IT role. Role-based configurations often include no more than 10 to 30 individual programs depending on the role. Only these groupings need to be verified with each other and against the contents of the system kernel. There is no requirement to verify or test the cohabitation of programs contained in different configurations because they are not likely to coexist on the same system. Third, ad hoc programs reduce system management efforts even further because they are only required by very few users in the organization. They are still packaged to enable centralized distribution and automated installation, but once again, they only require testing against both the kernel and the configurations they will coexist with but, because of their ad hoc nature, they may coexist with all possible configurations. 159 Chapter 6 As discussed earlier, each application has a lifecycle of its own that is independent of its location within the system construction model. The difference lies in the rate with which you apply lifecycle activities to the application. Components of the kernel will have an accelerated lifecycle rate—since they are located on all systems, they tend to evolve at a faster pace than other components because they are supported by corporate-wide funding—while products within the outer layers of the model will have slower lifecycle rates which will be funded by the groups that require them. Ideally, the rate of evolution of these products will be monitored by the subject matter experts or application sponsors your organization identifies for each non-kernel application. Application sponsors are responsible for several activities, four of which are: - Subject matter expertise for the application. - Acceptance testing for the application package. - Application monitoring or watching for new versions or patches. - Rationalization justifications or justifying why the application should be in the overall software portfolio. Maintain Constant Inventories Another key aspect of the application management lifecycle process is the maintenance and upkeep of corporate inventories. This is another area where a system stack like the PASS model can play a role because of the way it is designed to work. With a system stack, maintaining an inventory need only focus on identifying role groupings for role-based configurations. Applications that are contained in the kernel already have corporate-wide licenses so they are easy to track. Similarly, ad hoc products are only located on a few machines which also makes them easy to track. This leaves the vocational groupings as they become the mainstay of the inventory system. Constant application inventories should be directly integrated to application management practices which should include several elements (see Figure 6.8). • Package Repository: A central deposit for all authorized applications for the network. This repository is the source for all application distributions within the organization. • System Kernel Inventory: The system kernel must be completely inventoried. This inventory will be linked to the Package Repository because many of its components will be stored in packaged format to facilitate automated system construction and conflict resolution. • Role-based Configuration Deposit: This deposit identifies each of the packages found within each configuration. It is tied to the Package Repository to support system construction and vocational changes. • Vocational Groupings: This deposit regroups all of the users belonging to a given IT role. It is tied to the Role-based Configuration Deposit because it identifies which configurations systems require on top of the system kernel. Ideally, these groupings will be stored within your organization’s directory service (for example, Active Directory) since each grouping contains only user and machine accounts. 160 Chapter 6 • Core Inventory Database: The core inventory database brings everything together. It includes inventories of all computer systems in the network, all user accounts, all application components, and much more. It is used to validate that systems contain only authorized components as well as assign ad hoc product installations since these are mostly performed on a case-by-case basis. This database is maintained by the organization’s systems management tool and forms the core configuration management database (CMDB). • Web-based Reporting System: Another function of the organization’s systems management tool is to provide detailed information on the inventories that have been collected as well as provide consistency and compliance reports for all systems. Figure 6.33. A Structured Inventory Management and Systems Management System System staging and application distribution can be performed on the basis of the inventories your organization maintains. In addition, when systems change vocations (i.e., a user changes IT roles), the inventories are used to remove applications that are no longer required and add applications required by the new role-based configuration. This means that there must be a very tight relationship between the inventory process and the application distribution tools and mechanisms. 161 Chapter 6 Locked Systems and the Standard User For processes based on system construction and inventory management to work, organizations must ensure that software installations originate only from centralized and authorized sources. When employees work as a Standard User, they cannot install applications on their own. Package Applications for Windows Installer Because they need to be installed silently and in the background, especially during system reconstruction, applications must be packaged to automate the installation process. Yet, application packaging is often one of the most overlooked processes in IT. But, because it is the process that controls application installations, it is one of the most important processes in any application management strategy. Few people in IT haven’t performed an interactive software installation. The installation experience can range from good for an advanced user to very bad for a novice. The simplest installation will ask only a few basic questions but some of the more complex installations are enough to stymie even the most sophisticated PC technicians. The best installation is the automated installation—the one where no user input is required. And the best of these is the customized version of the automated installation—the version that is designed to work within the specifications your organization outlines for its network. In comes enterprise software packaging (ESP). ESP deals with the preparation of standard, structured automated installations for deployment within a specific organizational environment. These automated installations or packages take into consideration all of the installation requirements for the organization: organizational standards for software usage and desktop design, multiple languages, regional issues, and especially, application-related support issues. In addition, packaging should cover all applications including both commercial software and inhouse applications. There is a difference. Most commercial software products already include the ability to automate their installation. Unfortunately, there are no official standards in the plethora of Windows-based commercial software products for installation automation. Fortunately, this state of affairs is slowly changing with the advent of Windows Installer. With WIS, it is now possible to aim for a standard, consistent installation methodology for all software products within an organization. This standard approach is at the heart of Enterprise Software Packaging. There are a whole series of different software packaging tools on the market. These tools are designed to assist IT personnel in the preparation of automated, interaction-free application installations. The focus of these tools is simple: allow IT personnel to perform an application installation and configuration, capture this customized installation and ideally, reproduce it successfully on every PC in the enterprise. • Two of the most famous software packaging tools on the market are: Altiris Wise Package Studio: http://www.altiris.com/Products/Packaging.aspx and Macrovision AdminStudio: http://www.macrovision.com/products/adminstudio/adminstudio/index.shtml. But application packaging must be structured if it is to succeed. Standards must be set and maintained. Application packages must be documented and detailed in the same manner no 162 Chapter 6 matter who performs the packaging process. Quality assurance must be high; installations must work in every instance even if the configuration of destination computers varies. Package repositories must be maintained and updated according to organizational application acquisition policies. All of these activities are part and parcel of the ESP process. 163 Chapter 6 In addition, there are several secondary reasons to perform packaging. One of the most important is application conflicts. Applications in a Windows environment are composed of several different components which are either private or public. Public components are shared between different applications. In fact, Windows Resource Protection was designed by Microsoft to help alleviate the transport and installation of public or shared components by applications because of its potential for disrupting system stability. This is why one of the strongest features of application packaging tools is conflict management—the ability to inventory all of the components in a system stack as well as all of the components in each and every application package. You then use this conflict management database to identify potential conflicts and circumvent potential issues before they occur. This is one more reason for a standards-based packaging approach (see Figure 6.9). Packaging tools include support for this standards-based approach in the form of packaging templates and workflow templates. Packaging templates let you create Windows Installer templates that are applied with default settings each time you prepare a package for WIS integration. For example, if you decide to digitally sign every package in your network, you could insert a digital certificate within your template and have it automatically apply to every package you create. The preparation of these templates must be done with care before you begin the packaging process. There are several reasons why the inclusion of digital certificates into application packages is a great idea. First, if your packages are digitally-signed and you sign any application patches with a similar signature, standard users will be able to install patches without administrative rights in Windows Vista. Second, if you digitally sign your packages, then you can control their use through Group Policy via the Software Restriction Polices Windows Server supports. These policies ensure only approved software is installed and runs in your network. You should look to both practices during application preparation. After all, the only thing you need is one single digital certificate which is quite easy to obtain. Workflow templates control the process your packaging team uses during the creation of a package. If you design your templates before you begin packaging, then you can guarantee that every package will be created in the same way. For example, you can structure the process to follow the workflow example illustrated in Figure 6.9. This means you can assign junior packagers to most applications and rely on expert advice only for tricky applications which require more knowledge to work. Packaging tools also include lots of guidance and some sample templates to work with. But, if you feel you need additional packaging expertise, rely on tools such as the AppDeploy Library from www.AppDeploy.com. This library includes the use of a tool called Package Cleaner. Package Cleaner will automatically scan your WIS packages and provide advice as to its contents, especially identifying items which can and should be removed. What makes this tool great is that it does not remove the contents of the package you select, it just marks them as non-installable. This way if you find that you needed a component you removed, you can simply run it through Package Cleaner to mark it for installation again. 164 Chapter 6 Figure 6.34. A Structured Packaging Approach Packaging tools will also scale well. If your organization has multiple sites with technical staff in each site, you can easily set the tool up in each site and have its packaging database replicated to a central location. This allows distributed teams to work together to build the package repository. • A good source of information on packaging is the BDD 2007 Application Management guide: http://www.microsoft.com/technet/desktopdeployment/bdd/2007/AppMgmt_2.mspx. 165 Chapter 6 Finally, to perform your packaging, you will need to categorize all applications—identifying which type each application falls into. Usually there will be three or four types in each organization: • Native Windows Installer commercial applications—applications designed to work with WIS. • Legacy commercial applications—applications that must be repackaged for WIS. • Native Windows Installer in-house applications • Legacy in-house applications. Some organizations may further subdivide these categories to Win32, Win64 or .NET applications. Categorization will greatly facilitate the packaging activity because each application type requires a different approach. For example, you should never repackage a native Windows Installer application. Instead, you should create transforms which will modify the Windows Installer process to meet organizational standards. You will however, want to repackage all legacy applications to turn them into MSIs. • For more information on application management and packaging in general, refer to http://www.resonet.com/articles.asp?m=8 and look up the Application Lifecycle Management section. Of special interest will be the 20 Commandments of Software Packaging, a guide which has now become the leading authority in the industry, as well as Enterprise Software Packaging, Practices, Benefits and Strategic Advantages which offers a complete overview of application packaging. Explore Application Virtualization Options As you can see, application packaging and general application preparation is a lot of work and forms the bulk of the PC preparation activities. Now, wouldn’t it be nice if you could vastly reduce this amount of work while ensuring that applications always work even when applications that are known to cause conflicts operate together on the same PC? Don’t believe it? Well, welcome to application virtualization. Application virtualization tools isolate or abstract application components from the operating system and other applications yet provide full capabilities for application and operating system interaction. Think of it as Vista’s file and registry virtualization capabilities on steroids. In and of itself, application virtualization offers many benefits and may warrant an immediate implementation, but because of its nature, it requires redeployment of all of the applications you run in order to take full advantage of the virtualization capabilities. This is why it is ideal to adopt this technology during a migration project. Otherwise, you would have to replace all of the applications that are already deployed in your network—uninstalling the application and then redeploying it as a virtual application. If you haven’t been working with Windows Installer packages, then uninstalling may leave behind traces of the application leaving the operating system in a potentially unstable state. This is why the best time to do this is when you are deploying a brand new, “clean” PC. 166 Chapter 6 There are several different types of application virtualization technologies, but all of them basically produce a similar feature set: • All applications are isolated from the operating system to the point where the application thinks it is interacting with the system, but when you look at the system directly, you see that no changes are made to system files, folders or registry keys. • All applications are isolated from each other, letting you concurrently run applications that are known to cause issues and conflicts when on the same system. Manufacturing applications which are often never updated can run together. Different Microsoft Access versions can run on the same PC at the same time and even interact with each other through cut and paste and other system services. The potential is unlimited. • Device drivers or hardware components cannot be virtualized and must be integrated directly to the system. • Applications that interact at a low level in the operating system cannot be virtualized. For example, antivirus software should not be virtualized. Many also include Internet Explorer in this category, but several organizations have been able to properly virtualize IE and have it run on their systems. • Virtualized applications are often structured for data streaming or if they are not by default, can be teamed with streaming technologies to provide the same effect. Just like a video that is streamed over the Internet, streamed applications are divided into small blocks of data that can start working as soon as enough content has been delivered to the system. The remainder of the content is then streamed in the background. • Virtualized applications do not capture an installation, but rather an installed state. This means that the application need only be copied to the system for operation and does not need to run through an installation process as with applications packaged for Windows Installer. In fact, the crudest form of installation is the XCopy which just copies the application’s files to a system. • Users do not need elevated privileges to “install” a virtualized application. Since the application does not need to reside in folders protected by WRP, no elevated rights are required. • Application virtualization platforms include the ability to integrate application access with specific user groups, groups that can be managed and maintained within a central directory such as Active Directory. • Application virtualization follows Vista’s operating model because when virtualized, applications only interact with the system in user mode. • Applications that have been packaged in virtualized layers will work on both Windows XP and Windows Vista because the virtualization layer is in charge of translating systems calls and operations in the appropriate manner for interaction with the OS. In some cases, virtualized applications will work with any version of Windows from NT on. • Application virtualization supports the ‘software as a service’ model since no installation logic is required to run a virtualized application on a PC. Applications are copied to systems in their running state and can therefore support an on-demand delivery strategy. 167 Chapter 6 These reasons and especially, the last reason, make application virtualization very attractive. And since you are in the midst of a migration project to Windows Vista, then this is the ideal time to be looking to the adoption of application virtualization. • As mentioned in Chapter 4, there are several versions of application virtualization. Make sure you review each product’s technical feature set before you select the one you wish to go with. 71. Altiris offers Software Virtualization Solution (SVS) which is a filter driver that is installed on the OS. The filter driver manages the virtualization process. More information on SVS can be found at: http://www.altiris.com/Products/SoftwareVirtualizationSolution.aspx. SVS applications can be combined with AppStream’s AppStream 5.2 server to offer streaming capabilities. More information on AppStream and SVS can be found at: http://www.appstream.com/products-applicationvirtualization.html. 72. Citrix offers the integration of its Tarpon beta technology within its Presentation Server version 4.5. Tarpon uses a principle similar to Microsoft’s SoftGrid and streams applications to desktops. Presentation Server 4.5 supports Windows XP application virtualization but not Vista. More information can be found at: http://www.citrix.com/English/ps2/products/product.asp?contentID=186. 73. Microsoft offers SoftGrid as part of the Desktop Optimization Pack for Software Assurance (DOPSA). Microsoft acquired SoftGrid in mid-2006 and has since been reprogramming the SoftGrid client to get it to run with Windows Vista and x64. Support for Vista is slated for release in mid-2007 while support for x64 will be in 2008. More information on SoftGrid can be found at: http://www.microsoft.com/windows/products/windowsvista/buyorupgrade/optimizeddesktop.mspx. 74. Thinstall offers the Thinstall Virtualization Suite (ThinstallVS). Thinstall incorporates its virtualization engine directly into the software package it creates. As such no pre-deployment preparation is required. More information on ThinstallVS can be found at: http://www.thinstall.com/. 75. At the time of this writing, the only two solutions that worked with Windows Vista were Altiris SVS and ThinstallVS and both worked very well. Keep this in mind when you choose the application virtualization solution you want to implement. 76. Pricing for each solution is relatively similar as some require direct acquisition costs and others are subscription based. In time, all costs become equivalent. Do away with Application Conflicts Despite Microsoft’s best efforts, application conflicts still exist in Windows. This is partly due to the sheer number of applications organizations must run in order to support their operations. While small organizations may get away with running small numbers of applications to operate, medium to large firms often find themselves running hundreds of different applications with all sorts of functionalities and features, each one requiring some specific component to run properly within Windows. Using application virtualization, you can do away with conflicts once and for all and never have to worry about them again. Just package the application in the right format and then deliver it on an as needed basis. Unlike installed applications, virtualized applications do not embed themselves deep into the OS structure (see Figure 6.10). The virtualization layer protects the OS from any changes affected by applications. 168 Chapter 6 Figure 6.35. Application Virtualization protects operating systems from modifications Consider your strategies. If you decide to include software virtualization into your deployment project, you will be able to obtain considerable savings in both time and effort. Virtualization reduces the time required to package applications since you know you no longer have to verify potential application conflicts. You still need to affect proper quality assurance on each package, but still, each package should take considerably less time to prepare. One of the most demanding processes for software packaging is the need to constantly return to a ‘clean’ system image to ensure the package is as clean as possible, but if you capture applications into virtualization layers, the machine is not affected at all. Therefore, no need to return to a pristine OS—the OS is always pristine. This alone will save considerable time and effort. In addition, since application virtualization does not require significant infrastructure modifications, especially when the virtualization technology consists of either a driver or is included into the package itself, you can take advantage of it immediately. As soon as an application is packaged for virtualization, you can use it in either XP or Vista. Because of this, you might consider packaging your most troublesome applications immediately and deliver them to existing systems without waiting for the deployment project to update the OS. Several examples are available: • • Access applications. Most organizations cannot afford to upgrade the multitude of Microsoft Access applications their user community has developed. Properly converting these applications to a client-server structure, using back end databases and front end screens which can operate through the Access runtime is the best way to deal with this issue, but if you haven’t taken this step, then virtualize them! This will completely isolate them from the latest version of Access you need to deploy. More information on running and managing Access applications in-house can be found at http://www.reso-net.com/articles.asp?m=8 under Decentralized Development Strategies. • Custom in-house applications. If you have custom applications that just won’t cohabitate with any other, you can virtualize them and have them finally cohabitate with any other on any system. 169 Chapter 6 • Custom industrial applications. If you have custom industrial applications, for example, manufacturing applications, that require different settings for each manufacturing plant you run, you can now easily virtualize them to run them all on the same system. This approach will let you get your feet wet with application virtualization and learn what advantages it truly brings to application management while you’re waiting for the deployment project to complete. Review your System Construction Strategy When you’re ready to integrate application virtualization with your operating system deployment, you might change the way you perform this deployment. For example, you might change the way you create your machine build. Before, organizations tended to create a massive system ‘kernel’ that included all of the most common applications and utilities found within the organization (remember Figure 6.7?). This ‘fat’ kernel is difficult to build and even more difficult to test because it requires the integration of vast numbers of components. In addition, using a fat kernel makes it more difficult to deploy because massive amounts of data must be sent to each machine. Using multicasting technologies reduces the time to deploy to each machine, but if there is a way to thin down the image, then why not take advantage of it? Finally, using a fat kernel means more work when it is time to update its core components. The sheer number of components means more updates more often. Using application virtualization is the best argument for a ‘thin’ kernel. Application virtualization lets you create a new layer in the PASS system stack: the Generalized Layer. Each application in this layer is virtualized, but still distributed to each user in the organization. The kernel itself becomes much thinner because it no longer needs to include these applications (see Figure 6.11). Your thin kernel is composed of the core operating system along with any required updates, adding core utilities such as antivirus, anti-spyware, firewalls, management agents, and virtualization agents if required. You still create a single core image that will include everything that is common to all desktops, but now, you can focus on the proper construction of your core operating system and expect it to maintain its pristine state for the duration of its existence within your organization. Just imagine the benefits! 170 Chapter 6 Figure 6.36. Application Virtualization affects several layers of the PASS model and supports a Thin Kernel Reference computers are now much easier to construct. Very few applications or non-OS components are included in the kernel making it simpler to update, maintain and deploy. In addition, many virtualization platforms let you convert MSI installations to virtual applications, saving you time and effort during your migration project. This is the case with Altiris’ SVS since it integrates directly with Wise Package Studio. 171 Chapter 6 Chapter 7 will focus on the creation of a Thin PASS Kernel. Software virtualization is here to stay and should be used by every organization that wants to reduce application management overhead costs. This is one of the core recommendations of this guide and the processes it recommends will reflect this recommendation. Integrate Application Virtualization to the Migration Process In addition to changing the way you construct systems, using application virtualization will also change the way you deploy systems, especially if you include streaming technologies. You can continue to rely on multicasting technologies to deploy the system kernel and then, you can immediately stream the applications in the generalized layer to each system as soon as the system is up and running. Because the applications are streamed, you don’t need to worry about bandwidth issues as much. Users get the components they need to begin working immediately even if the streaming is not complete. Then once the generalized layer is delivered, you can begin the deployment of the role-based layers if they are required. Again, it uses the streaming process so there is little impact on bandwidth. You can also use the same process for ad hoc applications. Streaming technologies rely on Quality of Service (QoS) as a control mechanism to provide different priorities to users or data flows in routers and switches. Because of this, you may want to involve your networking group in preparation of the deployment to make sure you don’t run into network bottlenecks. Application virtualization and streaming running on thin kernel systems makes a lot of sense in the modern datacenter—more sense than using massive servers to offer desktop services to end users, mostly because to avoid a single point of failure, you’ll always need more than one server to provide the service. Each endpoint has its own resources—CPU, RAM, hard disks and other peripherals. Streaming servers are nothing but file servers and do not require massive amounts of memory or processing capabilities unlike Terminal or Citrix Servers which in fact replace the processing power of the endpoint. Endpoints are also easier to manage since the only thing they contain is the thin kernel and can therefore be reimaged with little impact. After reimaging, the applications the user needs are streamed back onto the system. And, since applications are stored in a central repository and streamed from there to endpoints, you only have to update one single source when patching is required. They will automatically be re-streamed to each one of the endpoints that requires them. 172 Chapter 6 Of course, you need more services in support of such a strategy. For example, if you want to be able to freely re-image PCs, then you need to make sure user data is protected at all times. The best way to do this with Vista is to use Folder Redirection Group Policy Objects (GPO). Folder Redirection automatically redirects key user folders such as Documents, Pictures, Application Data and more to server-based file shares. These file shares are configured with offline caching to ensure a copy of the data is always local to the PC, but since the original data is on the server, it is protected and backed up on a regular basis. This also means you need to fully support user data and to do so, you will need lots of backend storage, but disks are cheap today unlike massive processing servers. Another useful technology is the Distributed File System Namespace (DFSN). DFSN maps local shares to a global share name stored in the directory. Then, the directory redirects users to a share in the local site whenever they try to access the global share. And, to make sure the same content is in each local site, you can use DFS Replication (DFSR)— Windows Server 2003 R2’s remote differential compression (RDC) replication engine—to keep each share in synch without breaking your WAN bandwidth. This makes it much simpler for users to access data throughout your network. More on the Folder Redirection, DFSN and DFSR strategy will be discussed in Chapter 7 as you build the system image and prepare the services required to support it. In addition, streamed applications are cached locally for better operation. Most streaming solutions will let you control the duration of the cached application, letting you control license costs and making sure mobile users have access to applications even when they are not connected (see Figure 6.12). And, if you don’t have a streaming solution, you can always place the virtualized applications on a network share configured for offline caching. Figure 6.37. A Simple Application Virtualization and Streaming Architecture Application virtualization may not apply to every single situation, but in many cases, it can be considered the Terminal Services ‘killer’ and do away with virtual desktop infrastructures (VDI) where you store virtualized OS images on massive servers and use them to provide services to users. In each scenario, the user requires access to an endpoint anyway. Why not make an intelligent choice and do away with the requirement for a massive server? Better yet, why not take the monies you would spend on monster servers and use it to pay for your application virtualization solution? Application virtualization finally lets you use the client-server model to its fullest. Don’t miss this opportunity to upgrade your data center to the 21st Century! 173 Chapter 7 Chapter 7: Kernel Image Management Each time you perform a PC operating system (OS) deployment, you need to figure out how the installation will proceed. For this, you must discover exactly how the OS installation process works and then, you determine how you can automate the process. With Vista, Microsoft has introduced a completely new installation process called Image-based Setup (IBS). Basically, each version of Windows Vista includes a system image file—called a .WIM file—that contains the installation logic for different editions of Vista. During the IBS installation process, this system image file is copied to the system disk and then expanded and customized based on the hardware that is discovered during the process. WIM images contain several different editions of Vista. Common files are not duplicated within the WIM as it relies on a single instance store (SIS) to include only one copy of each common file as well as individual copies of the additional files that build different editions. The edition you install is determined by the product key you insert during installation. This lets Microsoft ship every edition of Vista on a single DVD. Of course, two system images are required: one for 32-bit and one for 64-bit systems as the architecture for the x86 or the x64 version is incompatible with the other and cannot be contained within the same image. Despite this, having to manage two DVD versions of Vista is a vast improvement over previous versions of Windows where each edition was contained in a different CD or DVD. Of course, you’ll have to use a preparation process to create these images (see Figure 7.1). Figure 7.38. The OS Deployment Preparation Process 174 Chapter 7 The preparation process for OS deployment involves several steps which include: • Defining the Logical OS Configuration • Discovering the Installation Process • Determining the Physical OS Configuration • Determining the OS Deployment Methods This is the focus of the PC Image Development portion of your deployment project or the Desktop Deployment Lifecycle (see Figure 7.2). Once again, the focus of these activities is the PC Team and the bulk of the work will be performed in the Organize phase of the QUOTE system. But, as in other processes, some activities must be performed in previous phases. For example, the Logical OS Configuration is usually defined during the Understand phase of the QUOTE as is the discovery of the installation process. And, as is the case with all other engineering aspects of the solution you are preparing, the prepared system image and deployment process you select must go through a final acceptance process before it can move on to other phases of the QUOTE and be deployed through your network. Each of these activities and their related duties are discussed in detail through this chapter. And, as discussed in Chapter 6, the focus of this chapter is to create a system image which will support both application virtualization and standard software installations though you should aim to move to application virtualization since it provides a completely new way of managing applications and maintaining stability within deployed PCs. Virtualization protects the OS at all times and provides significant cost reductions for managed systems. Figure 7.39. Moving through Step 7 of the DDL 175 Chapter 7 Defining the Logical OS Configuration This activity is part of the Understand phase of the QUOTE system. Designing a computer system for end users is more than just a technical task. After all, end users will be working with the design IT produces every working day. Remember that the goal of end users is to produce work related to the organization’s business goals, not to work with or troubleshoot computer systems. With that in mind, IT needs to consider exactly how it can configure a PC operating system to provide the fullest and most user-friendly support for the work they do. To do this, IT must have a sound understanding of the business their organization is in and must design the structure of the OS to be deployed with this business architecture in mind; thus, the need for a logical OS configuration and design. • For information on how business architectures drive IT services, see the Architectures article series at http://www.reso-net.com/articles.asp?m=8. This set of seven articles was designed to assist organizations and IT professionals understand the different cogs that make up enterprise architectures. Chapter 6 introduced the concept of a system stack: the PASS model. This model lays out the logical organization of deployed components on a PC. While chapter 6 focuses on the application-specific layers of this system stack, this chapter focuses on the components that make up the system kernel—or the elements that are deployed on every single PC in your network (see Figure 7.3). Figure 7.40. The Seven Components of the PASS System Kernel 176 Chapter 7 In addition to the seven layers of the kernel, the PC team responsible for system image creation and deployment will need to be involved with the physical layer. That is, they need to participate in the creation of your baseline computer systems for the Vista operating system. The content and the implications of each of the kernel layers as well as the physical layer are discussed below. Physical Layer The physical layer covers PCs, laptops, tablet PCs, cabling, printers, scanners and all other physical components of the PC infrastructure. Standards should be set for baseline systems. Each model you elect to support should conform to these minimal standards. The breadth of this layer for should cover: • Processor and speed. • RAM capacity and minimum RAM requirements. • Drive bay capability, minimum hard disk storage as well as minimum required amount of free disk space. • Networking components. • Power management (ACPI). • Video capability. • Additional input and output components (CD/DVD readers and writers, keyboard, mouse, USB and Firewire ports, and so on). • Security components such as Trusted Protection Modules (TPM), biometric or smart card authentication devices and processor-embedded antiviral capabilities. Ideally, all the hardware you will purchase will be based on industry standards such as those proposed by the Distributed Management Task Force (http://www.dmtf.org/home). One of the great standards to emerge from the DMTF is the ability to remotely deploy hardware-specific components such as the computer basic input/output system (BIOS) and other firmware. Make sure you select systems that support this ability and that your provider either delivers its own tool for firmware management or delivers firmware upgrades that are deployable through systems management tools. 177 Chapter 7 Operating System Layer The operating system layer focuses on the components that make the OS run on a system. This means: • The Windows OS, in this case, Vista, but also which editions of Vista you choose to support. • Appropriate levels of service pack and/or hot fixes; ideally, these are included in the system image you deploy. • Manufacturer-certified drivers for all peripheral equipment. Certified drivers are a key component of your roll-out. Driver signing is configured through Group Policy. If you can, you should aim to use only certified drivers on all hardware because they are proven to work with Vista. If you need to include non-certified drivers make sure you test them fully. • The dynamic link libraries (DLL) required in support of organizational applications. For example, this could include runtime versions of libraries such as Visual Basic, Microsoft Access, and any other engine that is required to run your applications on client PCs. • Organization-wide operating system complements such as typefaces or fonts, regional settings, perhaps language packs if they are required and so on. Make this layer as complete as possible. For example, if this layer includes the Access runtime, then you will not need to deploy the full version of Access to people who only make use of Access applications and do not develop them. Networking Layer The networking layer covers all of the components that tie the network together including: • Unique networking protocol: This should be TCP/IPv4 and/or IPv6. • Networking agents: Any agent or driver that is required to let the PC communicate over local area or wide area networks as well as wireless networks or Bluetooth devices. • LDAP directory structures: For Windows networks, this means a standard Active Directory structure for all domains, groups and organizational units—this controls what users “see” when they browse the network. • Unique object naming structure: Every network object—PCs, servers, printers, file shares—should have a unique and standard naming structure. • Unique scripting approach: Every script should be unified and should be based on a single scripting language. Ideally, scripts should be digitally signed and should be tied to Windows’ Software Restriction Policies so that only authorized scripts can be executed in the network. 178 Chapter 7 • Legacy system access: A unique set of components should be used to access legacy systems such as mainframe computers. • Remote access and virtual private networking (VPN): This layer should include the components for either remote access or VPN access to the corporate network and any other external system required by users. • Remote object management: Every component required on PCs for remote management and administration should be part of this layer since the network is what ties the distributed system together. With the advent of Active Directory and the control it offers over PCs, this now includes the Group Policy processing agent which is part of Windows by default. This should also include agents for PC management such as those provided by your deployment mechanism or even BIOS or firmware distribution agents. Basically, the networking layer includes every component that lets you communicate with the PC and lets the PC communicate with the external world. Storage Layer The storage layer deals with the way users interact with both local and remote storage. It covers: • Physical components: Disk sub-systems, network storage systems, backup technologies. • Storage software: The systems that must administer and manage storage elements. In some cases, you may need to use third party tools in support of custom storage requirements. A good example is custom DVD burning software. • File services: File shares, for Windows this also means Distributed File Services (DFS), a technology that integrates all file shares into a single unified naming structure making it easier for users to locate data on the network. DFS also includes replication technology to provide fault-tolerance in a distributed environment. • Indexing & Search services: All data must be indexed and searchable. For Windows Server 2003, this refers to the Indexing service. For Vista and Longhorn Server, this refers to the integrated Search service. • Databases: Since data has many forms, the storage layer must support its storage in any form. Structured and unstructured. • Transaction services: This layer should control transaction services because these services validate all data stored within databases. • Data recovery practices and technologies: All data must be protected and recoverable. The Vista OS includes both Volume Shadow Copies and the Previous Versions client. This lets users recover their own files. These tools should be integrated to your overall backup and data protection strategy. • File structure: The file structure of all storage deposits, local (on the PC) and networked, must use a single unified structure. This structure should support the storage of both data and applications. 179 Chapter 7 • Data replication technologies: Data that is stored locally on a PC to enhance the speed of data access should be replicated to a central location for backup and recovery purposes. For Windows Server, this means putting in place an offline storage strategy and relying on folder redirection to protect data that is local to the PC. • Temporary data storage: The PC disk drive should be used as a cache for temporary data storage in order to speed PC performance. This integrates with the offline caching strategy. • Single unified tree structure: All PC disk drives should have one single unified tree structure so that users do not have to relearn it. In addition, all PC management tools should be stored as sub-directories of a single, hidden directory. Users should not have access to this folder. In addition, you may need to incorporate a special local folder structure for unprotected data—data that belongs to users only and that the organization is not responsible for. The objective of the storage layer is to simplify data access for all users. If all structures are unified, then it becomes really easy for all users, especially new users, to learn. Security Layer The security layer includes a variety of elements, all oriented towards the protection of the organizational business assets: • Ownership of IT assets: The first part of a security strategy is the outline of ownership levels within the IT infrastructure. If a person is the owner of a PC, they are responsible for it in any way they deem fit. But if the organization is the owner of an asset, people must follow unified rules and guidelines concerning security. This should be the first tenet of the security policy: every asset belongs to the organization, not individuals. • User profiles: Each user has a personal profile that can be stored centrally if possible. This central profile can be distributed to any PC used by the person. Ideally, this is performed through folder redirection Group Policies instead of roaming profiles. Roaming profiles are an outdated technology that put a strain on network communications. Folder redirection link with offline caching to better control bandwidth utilization. Profiles are part of the security layer because by default, each profile is restricted to the person who owns it. Security strategies must support this exclusive protection. • Group Policy: Group Policies, both local and remote, allow the unification and enforcement of security approaches within a distributed environment. By applying security through policies, IT departments ensure that settings are the same for any given set of users. • Access rights and privileges: Each individual user should be given specific and documented access rights and privileges. Wherever possible, access rights and privileges should be controlled through the use of groups and not through individual accounts. • Centralized access management: Security parameters for the corporate IT system should be managed centrally through unified interfaces as much as possible. Local security policies are available but they should be stored centrally and assigned to each PC. 180 Chapter 7 • • For more information on the use of PKI in organizations of all sizes, see Advanced Public Key Infrastructures at http://www.reso-net.com/articles.asp?m=8. • • Non-repudiation technologies: Every user of the system should be clearly identifiable at all times and through every transaction. For Windows, this means implementing using specific, named accounts—not generic—for each user in the organization. For true nonrepudiation, a Public Key Infrastructure should be implemented for the distribution of personal certificates which can then be used in emails, documents and other data signed by the individual. Internal and external access control: Access to the organizational network should be controlled at all times. This should include every technology that can assist this control such as firewall agents, smart cards, biometric recognition devices, and so on. For Internet access control with Windows, this can mean implementing Microsoft Internet Security and Acceleration Server (ISA) with Whale technologies. For more information on the use of ISA Server in organizations of all sizes, see http://www.microsoft.com/isaserver/default.mspx. • Confidential storage: Since PCs, especially mobile systems, are not permanently tied to the network, it is important to ensure the confidentiality of any data stored locally. With Windows Vista, this means implementing either the Encryption File System (EFS) or BitLocker. Security is at the heart of every IT strategy. This is why this layer is so important and so allencompassing. Make sure your security policy is public and properly broadcasted to every user in your organization. If you have outsourced personnel, make sure the security policy is one of the first elements they are presented with when they come to work in your organization. 181 Chapter 7 Communications Layer The communications layer deals with elements that support communication in all of its forms: • • Instant and deferred communications: These technologies include a variety of electronic communications tools such as electronic mail, instant messaging, discussion groups, IP telephony, video communications, and more. Ideally, you will provide a unified communications strategy to users. • Workflow and collaboration: Workflow and collaboration is an essential form of online communication today. Your IT infrastructure should support this powerful mechanism. In Windows, this usually involves either the free Windows SharePoint Services (WSS) or Microsoft Office SharePoint Server (MOSS). More information on WSS can be found at http://www.microsoft.com/technet/windowsserver/sharepoint/default.mspx. Information on MOSS is at http://office.microsoft.com/en-us/sharepointserver/FX100492001033.aspx. • Shared conferencing: Virtual conferencing is a tool that should be available to users to reduce physical meeting costs. More and more providers offer this kind of technology. IT will have to choose whether these sessions are hosted internally or through external Web Services. • Internet browser: The browser is an essential part of any communications strategy. It must be customized to organizational standards and must be run in protected mode as much as possible. • Broadcast technology: IT, the organization and individual departments must have a means of communicating vital and timely information to their respective users. This requires some form of broadcast technology. This can be in the form of Windows Media Services or through simple means such as network message broadcasts. In Vista, this can be done through Really Simple Syndication (RSS) feeds delivered to Gadgets displayed on the desktop. • Group and individual agenda scheduling: Since time management often incurs a communication process, the network infrastructure should support agenda scheduling at both the individual and the group level. This should also include the ability to schedule objects such as meeting rooms, video projectors, and so on. • Legacy system access: If Terminal Emulation is a requirement; this should include a single unified Terminal Emulator application. Ideally, this will be integrated to the selected browser technology. Communications is essential to make the organization work. After all, users must communicate with each other and with external resources to perform their work. It is responsible to ensure that these communications are facilitated as much as possible and secure at all times. 182 Chapter 7 Common Productivity Tools Layer Since most office workers need to rely on productivity tools to perform their work, this layer is an essential part of the core system image you will be deploying to all users. It should include both common commercial tools as well as any organization-wide internally-developed tools required by your organization. • Information production tools: Office automation tools such as Microsoft Office should be available to every user that requires its use. Most commonly, these are deployed to every single user. But, these tools should be deployed intelligently. If users do not require specific components of the suite, then these components should not be deployed to them. For example, most users will require Word, Excel, PowerPoint and Outlook, but not necessarily require the other components of the suite. Deploy only what is required. • Generic graphics tools: All users should be able to illustrate concepts and create drawings. Illustration is a basic communications tool; it must be part of a core set of PC tools. The office automation suite you deploy includes these basic illustration tools. But, you may also need to deploy graphics file viewers such as the Microsoft Visio viewer to let users view illustration produced by more professional illustrators in your organization. This also means implementing server-based technologies that allow the indexing and sharing of illustrations. In some cases, this will mean integrating custom filters to the Indexing service. • Service packs: Common tools should be regularly updated as service packs and hotfixes are released for them. • Lexicons and vocabularies: Lexicons and corporate vocabularies should be unified to ensure the consistency of all output. • Commercial utilities: Common commercial utilities such as Adobe Acrobat Reader, file compression and search engines should be included here. Vista already includes many of these, including a new XPS document writer and reader. • Corporate or organizational applications: Organizational tools such as time sheets, expense reports or even enterprise resource planning clients should be included in this layer. The goal of this layer is to ensure that every tool that is required by the entire user base is made available to them. The objective of the kernel is to provide a fully functional PC system to users. If this layer is designed properly, it will often satisfy the requirements of a majority of your user base. 183 Chapter 7 Presentation Layer The presentation layer is the interface layer. For users, it most often means the design of the organizational desktop. One of the advantages of Microsoft Windows is that its design is entirely based on one principle: common user access (CUA) guidelines. This is a defined set of rules that outlay how people interact with PCs. CUA defines menu interfaces, keyboard shortcuts, and mouse movements and sets standards for their method of operation. For example, users who are familiar with Microsoft Word, have since its inception in the early 1980s, used the same set of keyboard shortcuts. None of these users has had to relearn any major keystroke since it first became popular and these keystrokes still work today. Good user interfaces are designed to make it easy to transfer from one version of an application to another. Of course, Vista and Microsoft Office 2007 both offer new interfaces, but since they are still based on the CUA, they are relatively easy to learn. You can browse articles on the subject of user interface design at http://msdn2.microsoft.com/enus/library/aa286531.aspx. The advantage of Microsoft’s approach is that there is a standard interaction mode within Windows’ own presentation layer, but organizations should move beyond the default Windows desktop and specifically enhance Windows’ defaults with their own desktop design. This custom design should include: • Desktop design: The desktop should offer a single unified design to all users. All users should be familiar with this design because it is the default design activated at any new logon within the network. This design should be divided into specific desktop zones that contain different information. • Local versus central desktop control: Users should be aware of the elements they are allowed to modify on the desktop and which items are locked from modifications. • Common shortcuts: Every basic shortcut on the desktop should be the same on all systems. Users can add their own, but should not be able to remove the most common shortcuts. • Common menus and Quick Launch Areas: Tool access should be standardized and all menu sub-categories should be reduced as much as possible. When applications install, they tend to install a series of extraneous shortcuts such as “Visit our Web Site for Free Offers”. These are not required within the organizational networks. The focus of this layer is to introduce a common desktop for all users. Some areas of this desktop are locked so that users in your organization can quickly find what they need on any PC. Others are open so that users can personalize desktops to some degree. Vista includes a host of features that are now controllable by standard users and were not available in previous versions of Windows. This facilitates the design of the PC’s presentation layer. The key to the construction of a common presentation layer for all systems is the update of the Default User Profile on the Reference PC before capturing its content into a system image that will be deployed to all systems. 184 Chapter 7 Non-Kernel Layers Chapter 6 discussed the non-kernel layers extensively. These layers are created over and above the kernel and are designed to address specialized as opposed to generalized user needs. Ideally, you will be able to group the IT roles your specialized users play to deliver non-kernel applications in groups. Structuring your PC construction or system stack in this manner lets you reduce system construction costs because of the following benefits: • Specialized applications are grouped into IT roles. This means they will coexist on a system with a smaller group of applications, including the applications hosted by the kernel. If you are using traditional application installation methods, then this reduces the possibility of conflicts. • Since applications are grouped into IT roles, they are easier to track. An IT role automatically incurs the cost of the specialized applications it contains, thus departments and other groups within your organization can be charged for these applications. Kernel applications usually have organization-wide licenses so they are also easy to track. • Since applications are grouped into IT roles, they can be delivered as a group and removed as a group should the primary function or user of a PC change. • And, if you are using application virtualization as suggested in Chapter 6, you can easily deliver applications in groups, activating them or deactivating them from target PCs through simple mechanisms such as Active Directory (AD) security group membership. Overall, the PASS system stack provides a structured approach to PC construction and long-term management. This layered approach to IT services provides a simpler model to follow than the traditional ad hoc approach because it relies on familiar imagery. Graphically, the PASS kernel represents a design that is very similar to the OSI Reference Model. This model begins to demonstrate how we can construct and present IT systems in an understandable manner. Identifying Kernel Contents The makeup of your own Kernel will depend entirely upon the needs of your organization, but what you need to do at this stage is to run through the different functions and operations of your organization to determine how you can best support it with a system kernel. Some choices are obvious—everyone needs antivirus, anti-spam, antispyware tools and most everyone needs a productivity suite such as Microsoft Office—while others are a bit more complex, mostly because they are particular to your own organization. Ideally, you would create a data sheet listing each of the seven layers of the PASS kernel and identify the contents of each. Then, when you’re satisfied with your selections and have received acceptance and approval on the structure of your new kernel, you can proceed to the next phases of system image preparation. 185 Chapter 7 You might also add the physical layer to this data sheet as it will be important to keep the contents of this layer in line with the expected performance levels your systems will provide when running Windows Vista. More on the contents of this layer will be discussed as you prepare the physical solution that matches the logical solution you just created. Additionally, you will need to keep two other factors in mind as you prepare to construct your system kernel. The first deals with actual image content: will you be using a ‘thick’ or a ‘thin’ system image? The second mostly concerns global organizations or any organization that has employees who work in different languages. Will you build a single worldwide image or will you create more than one image. The more images you create, the more your maintenance costs will be. PCs should be acquired both centrally and in lots as much as possible. Organizations that allow departments to purchase their own PCs are only asking for increased headaches when it comes to PC management. When departments are allowed to purchase their own PCs, there are no standard configurations or even standard suppliers. Diversity is NOT a good thing when it comes to PC management within an enterprise. You should always strive to limit the number of suppliers you purchase from as well as limiting the types of PCs you purchase from these suppliers. Even with these standards in place, you’ll find that the same manufacturer will ship the same PC with different components depending on the ship date. But at least, if you implement purchasing standards for PCs, you will have some measure of control over what you will be managing and you will be able to simplify your OS deployments. “Thick” versus “Thin” Images While it is important that you include all of the proper content into the logical design of your system kernel, you also have to decide whether your physical system image will be thick or thin. Traditionally, organizations have been relying on thick or fat images. It makes sense in a way. Fat images contain everything that should be within the system kernel. Since the preferred deployment method for operating systems is the disk image or system image—a copy of the contents of a reference computer prepared through custom processes and to be duplicated on any number of PCs—it makes sense to make this image as complete as possible. Then, through the use of technologies such as multicasting—the ability to send a stream of data to multiple endpoints in one single pass—you could deploy this fat image to as many PCs as your staging infrastructure could support. In this way, one technician could easily deploy up to fifty PCs in one half day. And, since the PC contained all of the generic content your users required, many of these PCs—sometimes more than 50 percent—were ready to go as soon as the core image was deployed. Chapter 6 introduced the concept of a ‘thin’ image. This concept was introduced in conjunction with the use of application virtualization for software management and distribution. This meant deploying a smaller OS system image, and then, deploying a generalized application layer (GAL) to achieve the same result you would obtain with a fat image (see Figure 7.4). 186 Chapter 7 Figure 7.41. The Thin Kernel with the GAL Consider the following points as you determine whether you should use a fat or a thin image: • If you use a fat image, you can use multicasting technologies to deploy it in a single pass to multiple endpoints. • If, however, you use a fat image, then, maintaining and patching the content of this image can be challenging because it contains so many different components that all have their own update cycles. • If you use a thin image and you are relying on traditional application installations, for example, through the Windows Installer service, then deploying the GAL will take time. Office itself is usually in the order of 300 to 400 MB and the entire layer can easily be well over ½ GB. Since multicasting is no longer available for this deployment—at least not through traditional software deployment tools—you then need to perform unicast or point to point deployments to each endpoint, adding considerable time to the installation. This will impact a technician’s ability to deploy 50 PCs per half day. 187 Chapter 7 • If you use a thin image and you are relying on application virtualization with streaming, then you only need deploy the thin kernel to a PC, deliver the PC to the end user (if you are using a staging area), and then have applications from the GAL stream to the PC as soon as the user logs on for the first time. Since applications are streamed, they do not negatively impact network bandwidth. Since applications are controlled through security groups in AD, the process can be transparent and initiated only at first logon. You can also ensure that users are aware of this process through the training program you provide. • If you are using a thin image—whether you are using traditional or virtualized applications—it will be a lot easier to maintain the system image in the long term because it will include less content. Then the contents of the GAL can be maintained either individually or as a group, but since the GAL is made up of individual packages, each can be maintained on its own. In the end, it makes sense to work with a thin image as much as possible. In the long term, the thin image will be much easier to maintain and support. It is however, highly recommended that you supplement this management strategy with application virtualization and streaming to reduce application and PC management costs. Using a Single Worldwide Image Traditionally, system images were limited to one specific system type because of the integration of the hardware abstraction layer (HAL) within the image. This meant that organizations needed to create multiple images—in the case of some of our customers, up to 80 images—depending on the size of their network and the number of different PC configurations they had to deal with. But, with Windows Vista, system images are now HAL-independent since the HAL can be injected during the configuration of the image on a PC. Coupled with other Vista features, this HAL independence has several implications in terms of image creation: • One single image per processor architecture—32- or 64-bit—can now be created. • The reference computer—the computer you use as the source of the image—can now be a virtual machine since the HAL is no longer a key factor in image creation and deployment. This reduces the cost of maintaining the reference computer and this also makes it easier to keep it in a pristine state. • Custom hardware drivers can be injected into system images so that your image can be compatible with all PC types in your organization. • Vista is now language agnostic. The core OS does not have a language installed. The language pack for the installation is selected during the installation process. This means that one single image can now be matched to any of the languages Vista supports. Creating one single worldwide image per processor architecture is now entirely possible whether you use the WIM image format or not. 188 Chapter 7 Discovering the Installation Process This is the core function of Unit Testing for the members of this PC team. As you prepare your logical system design and get it approved, you can begin the discovery process for the Vista installation. These pre-imaging processes are necessary as you need to fully understand how Vista’s installation works to be able to learn how it will be automated in later project phases. These pre-imaging processes include: • Identifying the hardware requirements for Vista’s installation • Identifying the installation methods Vista supports • Documenting the installation process you select • Using an installation preparation checklist • Performing post-installation configurations Then, when you’ve fully understood how Vista’s installation proceeds and what you need to do to prepare your physical OS kernel, you can proceed to the creation of a reference computer and the generation of the system image. Identifying Hardware Requirements Before you begin testing installation methods, you need to determine which hardware configurations you will support. This is derived from a series of information sources including both your network inventories and Microsoft’s recommended minimum hardware requirements for Vista. Base hardware requirements for Vista were introduced in Chapter 1 and are reproduced here as a refresher (see Table 7.1). Two sets of requirements are defined: Vista Capable and Vista Premium PCs. The first allows you to run the base-level Vista editions, and the second lets you take advantage of all of Vista’s features. Since you’re preparing a deployment for long-term management, you should really opt for Vista Premium PCs. Vista Mode Component Requirement Vista Capable PC Processor At least 800 MHz Minimum Memory 512 MB Graphics Processor Must be DirectX 9 capable Processor 32-bit: 1 GHz x86 64-bit: 1 GHz x64 Memory 1 GB Graphics Processor Support for DirectX 9 with a WDDM driver, 128 MB of graphics memory, Pixel Shader 2.0 and 32 bits per pixel Drives DVD-ROM drive Accessories Audit Output Connectivity Internet access Vista Premium PC 189 Chapter 7 * If the graphics processing unit (GPU) shares system memory, then no additional memory is required. If it uses dedicated memory, at least 128 MB is required. Table 7.1 Vista system requirements. • Information on compatible systems can be found at http://winqual.microsoft.com/hcl/. Next, you need to identify which editions of Vista you will support. For business, the Business, Enterprise, and Ultimate editions are available. Each of these business editions requires a Vista Premium PC to run and includes: • Vista Business Edition: This is the base edition for small to medium business. It includes the Aero 3D interface, tablet support, collaboration tools, advanced full disk backup, networking and remote desktop features. • Vista Enterprise Edition: This edition is only available to organizations that have either software assurance or enterprise agreements with Microsoft. It adds full drive encryption, Virtual PC Express, the subsystem for UNIX and full multilingual support. • Vista Ultimate Edition: This edition is for small businesses or others that want to access the full gamut of new Vista features but do not necessarily want software assurance or an enterprise agreement. It includes all of the features in the Enterprise Edition, but also entertainment tools such as Photo Gallery, Movie Maker and Media Center. Though you might not want these programs on business computers, this edition might be the only choice for any organization that wants full system protection and does not want to enter into a long-term software agreement with Microsoft. Remember that through its single instance store capability, a Vista image may contain more than one edition. If you need to rely on several editions, you can still store them into one single image. • To learn more about each of the different Vista Editions, go to http://www.microsoft.com/windows/products/windowsvista/editions/default.mspx. Also, since you will be relying on virtualization software to create and manage the reference PC, you should configure this VM according to the capabilities outlined in Chapter 3. In fact, the virtual machines for Unit testing should already be available to your team. Identifying Installation Methods Now that you have identified your logical system configuration and you have selected the base PC configuration, you can proceed to the examination of Vista’s installation methods. The first and the easiest method to examine is the interactive installation. No matter what you choose to do in the end to automate your installation, you will definitely need to perform at least one and most probably several interactive installations so that you can fully understand what happens during this process. 190 Chapter 7 The objective of this process is the documentation of each step of the installation and specifically, the build of your entire kernel. • Begin by choosing the edition of Windows Vista to install. • Perform the initial installation to discover the process. • Document every configuration requirement and each modification you need to perform. • Document the finalization steps to create your thin system kernel. • Document each step to create and configure the GAL. First, you need to understand how the basic interactive installation works. With Windows Vista, Microsoft simplified the installation process to ensure there were no more blockers for the installation to complete. In previous versions of Windows, there were several instances during the installation where you had to provide input: CD keys, time zone, keyboard layout, regional settings, administrative password, networking configuration, and more. Now, Microsoft has modified the installation to collect all information at the very beginning of the process and then have you finalize the configuration once setup is complete. This means you can start multiple interactive installations and do something else while they run, returning to them once they have completed. And, since machines are setup in a locked down state, you don’t even need to worry about the setups being vulnerable when you’re not there. Unlike previous versions, the Vista installation is completely graphical. The installation now boots into the Windows Preinstallation Environment (Windows PE) if there is no operating system on the PC. And if there is a previous operating system and the upgrade is supported, the installation will run in graphical mode anyway. The first splash screen will ask three questions: • Language to install • Time and currency format • Keyboard or input method These settings determine in which language the installation will proceed as well as which language pack will be installed. Vista uses a language-agnostic core installation that is then converted into whichever language you select during installation. Next, you are presented with the Install now screen. Note that this screen also includes two additional options in the lower left corner: • What to know before installing Windows • Repair your computer 191 Chapter 7 The first provides you with up to date information on system requirements and procedures for installing Vista. It is always a good idea to review this information, especially during the installation discovery process. The second is used to repair systems that may be damaged. It lets you choose an existing system partition, and then when you click Next, you are presented with a series of choices for system repair (see Figure 7.6) including: • Startup Repair: to fix problems related to the startup of Windows. • System Restore: to restore Windows to an earlier point in time. • Windows Complete PC Restore: to restore Windows from a backup image. • Windows Memory Diagnostic Tool: to verify the system’s memory. • Command Prompt: to launch a Windows PE session with an open command prompt. Figure 7.42. System Repair Options But, since your goal is to discover how the installation works, click on Install now. This moves you to the next screen where you need to input the product key to use for the installation. The version you install will be determined by the product key you enter. Note that this screen also includes an automatic activation check box. If you are only exploring the installation and may repeat it several times, you will probably not want to turn this option on. 192 Chapter 7 The next screen is where you accept the license agreement, click Next and you are then moved to the installation type selection screen. Two main options are available: • Upgrade: select this option if there is already a supported operating system on your PC. • Custom (advanced): select this option if you are installing a new PC or if the PC you are upgrading is not running a supported operating system for upgrade. The upgrade process in Vista actually works! That’s because every installation of Vista uses an image to perform the installation. Remember IBS? Because of IBS, the upgrade actually removes all previous operating system components, protects all data and application settings as well as all installed applications, and then installs Vista by decompressing the installation image and customizing it to the hardware you are installing it to. You should investigate this process if you are running supported systems for upgrade. If you are installing on a bare metal system or a bare metal virtual machine, then select the second option. This will lead you to a screen where you can select and create the disk partition that will run the OS. This screen also gives you access to partitioning and formatting tools as well as giving you the ability to load new drivers. Examine each option and then proceed with the installation. BitLocker Partitions: If you intend to run BitLocker and encrypt the system partition, then you need to create two partitions. The first should be at least 2 GB in size, should be formatted as NTFS and should be marked as active. This will be the boot partition once BitLocker is activated. The second should also be NTFS and should normally use the remaining space on the system disk. WinRE Partitions: You can also install a Windows recovery environment (WinRE) on the PC. In our opinion, these partitions should be reserved for critical systems and shouldn’t be installed on each system because they are used to repair installations (remember that you can get to this with an installation DVD). After all, once you’ll be done with your system kernel, you’ll be able to deploy it to any PC within half an hour. It usually takes longer than that to repair a PC. But, if you want to use WinRE anyway, consider these options: WinRE Partitions without BitLocker: If you intend to install WinRE on the PC, then you’ll need the same kind of partition as you would for a BitLocker system. WinRE Partitions with BitLocker: If you install both BitLocker and WinRE, then you need to install WinRE into the OS partition to protect the system from tampering through WinRE. Do this once the OS and BitLocker are installed. Once the partition is created or selected, Windows begins the installation process. From this point on, there is nothing to do until the installation is complete. The installation will copy the Windows installation files, expand them, install features, install updates and then complete the installation. During this process, Windows will install and reboot into an open session once the installation is finished. 193 Chapter 7 Installing x64 Operating Systems If you’re installing an x64 version of Vista, you will run through the same process as for x86 versions with minor differences. For example, the x64 OS will support a non-destructive upgrade from x86 OSes—that is, replacing the existing OS and maintaining data on the system—but the end result will retain all data as well as application folders except that applications will be non-functional and will need to be reinstalled. The best way to perform this type of installation is to actually move the data off the system if there is data to protect, then reformat the OS partition and install a fresh version of the x64 OS. The installation process includes five (5) steps. The system will restart several times during the installation: • Copy Windows files • Expand files • Install features • Install updates • Complete the installation There is no time-to-finish information display anymore; instead it displays the percentage of each step. It can take between 20 to 40 minutes for an installation to complete, depending on system configurations. Once the installation is complete, Vista displays a Set Up Windows dialog box requiring a user name and password. Remember that Vista automatically disables the default administrator account. Therefore a core account is required. Though this account will be a member of the local administrators’ group, it has a different security identifier (SID) than the default administrator’s account and will therefore be subject to User Account Control (UAC). Type the username, then the password, confirm the password and type a password hint if you need it. Click Next when ready. The next screen requests a computer name and description. Type these values in and click Next. The third setup screen lets you set up the update configuration. Choose the configuration that suits your environment. Now, you need to indicate the time zone, time and date. Click Next when ready. The last screen lets you identify which network you are connected to. Each choice sets different parameters in the Windows Firewall. Choose Work and then click Start on the Thank You! Screen. Vista completes its configuration, checks your computer’s performance, and displays the log on prompt. When you log on, Vista displays the Welcome Center (see Figure 7.6). This center displays a summary of the results of your installation. The first part displays a summary of the computer’s configuration. The second lists tasks to complete in order to finish the installation. And the third displays offers from Microsoft. For example, this is where you would download and install Windows Live Messenger. The most important part of this screen is the second part because it deals with activities required to complete the system’s configuration. Usually thirteen items are listed in this section, but of course, since this is a summary, not all items are displayed. To display all items, you need to click on Show all 13 items. This expands the section and lets you see each item in the list. 194 Chapter 7 This Welcome Center is oriented mostly towards the home user, but it can be useful for newcomers to Vista installations and configurations to peruse through the choices it offers in order to become more familiar with Vista itself. Figure 7.43. The Vista Welcome Center Using Installation Documentation Now that you are familiar with the installation process, you can begin the configuration process for the remainder of the kernel layers. This is an ideal time to implement installation documentation and begin your installation documentation process. Focus on three activities: • Installation Preparation • OS Installation • Post-Installation Configuration Each requires specific documentation. 195 Chapter 7 The Installation Preparation Checklist In this type of migration project, you want to make sure that everyone performs the same operations all the time. The best way to do this is to prepare specific checklists for operators to follow. For example, you should use a recommended checklist for installation preparation (see Figure 7.7). It is possible to upgrade from Windows 2000 or XP to Vista. This checklist takes this consideration into account. Figure 7.44: The Installation Preparation Checklist The installation checklist takes a few items into account: • In the Upgrade, remember that there is no upgrade path from 32-bit to 64-bit. • Vista Editions are selected based on whether the PC will remain in the office (in house). If this is the case, you can use Vista Business because it does not include BitLocker. • If the PC is mobile, then you may need a Vista edition that includes BitLocker. If you have volume licensing or an enterprise agreement (EA), then you can use Vista Enterprise. If not, then you must use Vista Ultimate. • If you upgrade and retain the existing partition, you cannot install BitLocker as it requires an extra partition. • If you are performing a new installation, then you can partition the system for either BitLocker or WinRE. These considerations will help you prepare for your own installations. This checklist is not a checklist for PC replacement or deployment. It is intended only for PC technicians working to discover the installation process. 196 Chapter 7 Documenting PC Installations In addition, you’ll need to document the PC installation itself. The best way to do this is to use a standard PC Data Sheet. This sheet should include vital information such as: • System Name • System Role • System Location • Hardware Specifications • BIOS Version • Disk Partition(s) • Kernel Version (including Operating System Versions, Service Packs and Hot Fixes) • Installed components • Any additional comments or information you feel is required Ideally, this data sheet will be in electronic format so that data can be captured as the installation proceeds. It can also be adapted to database format. In support of the PC installation, you might also create a Kernel Data Sheet outlining the contents of the PC kernel for this particular version of the kernel. Each sheet should provide detailed and up to date information to technicians. Post-Installation Processes After the installation is complete, you’ll want to perform a post-installation customization and verification (see Figure 7.8). Use a post-installation checklist to customize the system and to perform a quality assurance verification of the installation. This checklist also lets you complete the installation and preparation for the system kernel. 197 Chapter 7 Figure 7.45: The Post-Installation Checklist The activities outlined in this checklist are detailed further in this chapter. 198 Chapter 7 Supported Installation Methods Windows Vista offers four installation methods: • Interactive • Unattended with an Answer File • System Imaging with the System Preparation Tool • Remote OS Installation through Windows Deployment Services You may end up using each of these as you proceed through the preparation of your installation process. For example, you need to use the interactive installation to perform the discovery process. Then, the unattended installation will be required in two instances: the upgrade, if you choose to use it, and the build of the reference computer. You’ll use system imaging for both computer replacements and for bare metal—computers with no OS installed—installations. And, if you need to support remote deployment of the OS, you may use Windows Deployment Services. In fact, this is one of the decision points that must arise from this discovery process: choosing which installation methods you will decide to support (see Figure 7.9). Figure 7.46. Selecting an Installation Method 199 Chapter 7 Selecting an Installation Process Based on these different options, you can select which installation scenarios you will support: • Upgrade which aims to replace the existing operating system without damaging data or installed applications. • Refresh which is a wipe and load approach where the system disk is wiped out, reformatted and a new operating system is installed. • Replace where a brand new or bare metal system with no existing operating system is prepared and a new OS is installed. Each scenario focuses on a specific massive installation method. Few people have supported or opted for the upgrade path in the past. This may once again be the case because of the limitations of the upgrade path. For example, if you want to enable BitLocker drive encryption, then you cannot use the upgrade because you need to repartition the disk drive. Of course, you could use a disk partitioning tool, but it is easier to just perform a new installation. Another instance where the upgrade does not work is upgrading from a 32-bit OS to a 64-bit OS. In the end, you will decide if the upgrade process is useful for your organization. If not, then you will focus on the other two scenarios. In every case, you need to create a physical OS configuration before you proceed. Determining the Physical OS Configuration At this stage, you should be moving into the Functional testing level. Now that you’ve discovered the installation process and you have documented the steps you need to perform it, you can move to the creation of your physical OS configuration. This focuses on the creation of the reference computer. Keep in mind that when you do this, you need to make sure undoable disks are enabled in the virtual machine (VM) you will be using. This way, you can be sure to capture only settings that you are absolutely happy with. If you make a mistake, reset the VM and start the step over. This activity focuses on the post installation configuration tasks. You’ll also need to use other tools to finalize the preparation process for the reference PC. Be sure to document all configuration modifications you retain. This will be important for when you need to reproduce the reference PC later on. Your documentation must also be specific; i.e., you must specifically detail the steps you need to perform to complete the core system’s configuration. 200 Chapter 7 Applying the Post-Installation Checklist This process should include all the steps in the Post-Installation Checklist, but special attention should be paid to the following: • Setting a strong password for the default administrator account • Configuring networking • Enable updates • Download and install updates • Enabling the Remote Desktop • Configuring the Windows Firewall • Configuring the Windows Vista Interface • Updating Default User Settings Perform the tasks as they appear in the Post-Installation Checklist. Begin with the default administrator account password. Launch the Computer Management console using Run as Administrator. To do so, type Computer Management in the Search bar of the Start Menu, then right-click on Computer Management to select Run as Administrator. Approve the UAC prompt. Then, move to Local Users and Groups, then Users and right-click on the Administrator account in the details pane and choose Set Password. Assign a complex password. This password should include at least eight (8) characters and include complex characters such as numbers, uppercase and lowercase letters, as well as special characters. If you have difficulty remembering passwords, you can replace letters with special characters. For example, replace the “a” with “@”, replace the “o” with “¤” and so on. This makes passwords more difficult to crack. Even so, if a hacker or an attacker has access to the system, they can use password cracking tools to display the text of the password. If this is an issue, you can use a combination of Alt plus a four digit Unicode key code to enter characters into your password (for example, Alt 0149). The advantage of this method is that these characters often display as a blank square or rectangle () when displayed as text by password cracking software. If you’re really concerned about password security, then either use more than 14 characters— password-cracking tools stop at 14—or implement a two factor authentication system for IT administrators. It might also be an idea to rename this account. Make sure you keep it disabled. The default administrator account in Windows Vista is a special account that is not subject to User Account Control. Other accounts that are members of the local administrative group are, on the other hand, subject to UAC. If you develop a policy around UAC use on your network, leaving the default administrator account disabled will ensure that every user—administrative or standard—will be subject to the rules of your UAC policy. In addition, you want to avoid the use of generic accounts such as this one because even though its activity is tracked as will all other accounts, you cannot ‘know’ who is using it since it is not a named account. Every administrator and technician in your network should use named accounts for high privileged operations. 201 Chapter 7 Next, use the Control Panel to access the Network and Sharing Center. Click on View status and then Properties for the connection you want to configure. By default, Vista installs and enables two versions of the TCP/IP protocol: IPv4 and IPv6. IPV4 is set to receive an automatic address from a server running the Dynamic Host Configuration Protocol (DHCP). IPv6 is set to a private address by default. If you decide to use IPv6 in your network, you’ll need to change this address. The Network Properties dialog box is the same as in Windows Server 2003 so it should be familiar to most administrators. Use your corporate guidelines to assign settings to both IPv4 and IPv6. Close the Network Connections window when done. If you plan to use IPv6, and you should because Vista networks can rely on this new communications protocol, you will need to obtain an IPv6 address scope either from your Internet provider or for your own use. IPv6 is enabled and configured by default in all installations of Windows Vista. But this configuration uses a link-local address with the default fe80::/64 address prefix. Link-local addresses are only used to reach neighboring nodes and are not registered in DNS. More useful IPv6 connectivity must be configured either manually or through DHCPv6 which won’t be available until Windows Longhorn Server ships later this year. IPv6 scope addresses can be obtained from Regional Internet Registries (RIR). The most common five RIRs are: — American Registry for Internet Numbers (ARIN) for North America (www.arin.net) — RIPE Network Coordination Centre (RIPE NCC) for Europe, the Middle East and Central Asia (www.ripe.net) — Asia-Pacific Network Information Centre (APNIC) for Asia and the Pacific region (www.apnic.net) — Latin American and Caribbean Internet Address Registry (LACNIC) for Latin America and the Caribbean region (www.lacnic.net) — African Network Information Centre (AfriNIC) for Africa (www.afrinic.net) Once you obtain your scope, you can use it to configure your servers. Configuration of IPv6 settings is very similar to that of IPv4. You need to configure the following settings: — IPV6 unicast address — Subnet prefix length—by default this is 64 — Default gateway—again in IPv6 unicast format — Preferred & alternate DNS servers —again a unicast address You can use the advanced settings to add either multiple IPv6 addresses or additional DNS servers. There are no WINS servers for IPv6 since it does not use NetBIOS names. You should also enable updates according to the settings in your organization. Select Control Panel, Security, Windows Update, Change Settings to modify the update settings. Make sure you have enabled updates for more products and then set the update value according to your organizational standards. It is a good time to apply all available updates to this system. Reference Computer: The networking properties for the reference computer might best be left at default values unless you have specific values you can use for default settings. Remember that whatever is configured in the reference computer will be retained in the system image you create from it. 202 Chapter 7 Use Control Panel, System and Maintenance, System, Remote Settings to enable the Remote Desktop option. Click on the Remote tab and select the appropriate setting. The most secure setting uses Network Level Authentication, but requires connections from systems running the Remote Desktop Connections 6.0 client update. Make sure this update has been deployed in your network before you deploy Vista systems. You also note that Remote Assistance is on by default. Use Control Panel, Security, Windows Firewall to set the default Firewall behavior. The Firewall is an element of Windows that can be controlled through Group Policy. Make sure this configuration is in the base configurations for all Vista systems. Now configure the Vista interface. Turn on the Windows Sidebar and apply the gadgets you need. Then, customize the Quick Launch Area. You want to do this to ensure that every user in your organization will have the same or at least a very similar experience whenever they access a PC. Begin by doubling the size of the Taskbar. Do so by moving the mouse pointer to the top of the Taskbar beside the Windows Start button until the pointer transforms into an up-down arrow. Click and drag upwards to expand the Taskbar. Using internal Really Simple Syndication (RSS) feeds You can rely on the RSS feeds gadget to send internal communications messages to end users through the Vista Sidebar. This way, organizations can send internal messages to all users. All you need is a Web page that provides RSS feed information, a subscription to this feed in the Vista PC and the appropriate feed displayed in the gadget. One gadget can be used to connect to each feed you want to use. Departments, the organization as a whole and IT can all use these feeds to display key information to the user base without clogging the desktop. This is a simple and easy way to communicate with users without having to implement complex communications systems. The Taskbar includes running programs as well as the Quick Launch Area. Each area is preceded by a row of four series of dots at the very left of it. Move the pointer on top of this row for the running programs list until it turns into a left-right arrow. Click and drag the running programs bar to the bottom left of the Start button. Now you should have running programs displayed below the Quick Launch Area. Right-click on the taskbar and select Lock the Taskbar. Next, click on the Start button, then on All Programs and run through the default programs to add the ones users will use the most to the Quick Launch Area. To add each program shortcut, right-click on it and select Add to Quick Launch. 203 Chapter 7 Add the following items: • Under Accessories: o Calculator o Command Prompt o Notepad o Windows Explorer • Under Accessories | System Tools: o Character Map o System Information The resulting Taskbar should include most of the tools anyone will need to use to interact with PCs in your organization. The Quick Launch Area should be updated each time a new common tool is added to the system. Order the tools in the order of most used from left to right (see Figure 7.10). Your interface is set. Figure 7.47: A well-managed PC Taskbar Update the Default User Profile Whenever a new user logs on to a system for the first time, Windows generates a new profile for them by copying the contents of the default user profile. If you customize your environment and then update the default user profile from your customized environment, you can ensure that each time a new profile is generated it includes a core set of tools and interface enhancements. In an organization that wants to ensure that all of their users rely on a standard computing environment, updating the default user profile is absolutely essential. Return to the Computer Management console to create a second administrator account. This account may or may not be required according to your organization’s security policy, but it is required at least temporarily to update the default user profile. Expand Local Users and Groups, then right-click on Users to select New User. Name the account BUAdmin—or use your organizational standard—give it a full name of Backup Administrator, add a description, give it a strong password and assign the Password never expires right. Click Create, then Close. Next, right-click on BUAdmin and select Properties. Move to the Member Of tab, select Add, once the dialog box opens, click Advanced, then Find Now, double-click Administrators and OK. Click OK to close the dialog box. Your account is ready. 204 Chapter 7 Vista does not allow you to copy an open user profile to another because many of the open features are volatile and are therefore stored in RAM and not persisted until the user logs off. So to update your default user, you must use the backup administrative account created earlier. Use the following procedure 77. Log out. 78. Log into your backup administrator account. Vista creates a new profile based on old settings. 79. Open Windows Explorer and set Folder Options to view hidden files. 80. Use Control Panel, System and Maintenance, System, Advanced system settings and the Advanced tab to click on the Settings button under User Profiles. Select the profile you customized and click the Copy to button. 81. Use the Browse button to navigate to the Users folder on the C: drive to find the Default profile. Click OK. 82. Click Yes to replace existing files. 83. Close all dialog boxes and log off of the backup administrator account. 84. Log back into your original account. 85. Launch the Control Panel and select System and Maintenance, System, Advanced System Settings and click on the Settings button under User Profiles. 86. Select the backup administrator’s profile and delete it. Confirm deletion. 87. Close all dialog boxes and go to the Start button and use the right arrow beside the lock to select Switch Users. 88. Log into the backup administrator’s account. This will test the default user profile. Note that you now have a copy of the customized profile. Log off BUAdmin. You’re done. You still need to complete the discovery process, especially with reference to the GAL components. Remember, each time you add a new component to the system kernel, you should make sure the Quick Launch Area and the default user profile are both updated. 205 Chapter 7 Keep the reference PC in a workgroup. This will make it easier to manage. Also, keep the BUAdmin account on the reference computer so that you can use it in the future to update the default user profile. Remember to remove it from the copy of the reference PC you will use to create your system image If you use application virtualization for the components of the GAL, you can make sure the proper shortcuts appear in the Quick Launch Area by including them in the application capture you perform. This way, they will automatically update the user’s profile when the virtualized application is streamed to their system. You should repeat the process to create a new reference computer. If you’ve documented each of these steps, you should be able to repeat this process without flaw. This reference computer will be the model you use for your massive installation method. Windows Activation: Do not activate the installation as you are performing discovery. You have thirty (30) days to do so which is ample time to perform the discovery. You can, however, activate the reference computer since it will be a machine you keep on a permanent basis. Determining the OS Deployment Method This activity is part of the Organize phase of the QUOTE system. Now that you fully understand how the interactive installation process occurs and you know how to build your reference PC, you can proceed to the next step: determining how you will be performing massive deployments of this OS. As mentioned earlier, there are several tools and processes you can use. Microsoft has delivered a series of tools in support of the image-based setup Vista supports. Other vendors have updated theirs to work with Vista. Both Microsoft and third parties tools support one interactive and three automated deployment strategies. • The first is the interactive installation. In organizations of all sizes, this installation process is really only used for discovery purposes. After all, no one wants to have their technicians go from PC to PC installing Vista interactively. Even with a very well designed instruction sheet, this method would definitely give you mitigated results. Only very small shops would use this method. But even then, they will not have a method for system rebuilds since everything is manual and interactive. In the long run, it is always best to use an automated method. • The second is the unattended installation based on a response file. With Vista, Microsoft has reduced the number of response files to one; well two really, but they are the same file. Response files are now in XML format and are named Unattend.XML. Using a response file automatically feeds input to Vista during its installation, letting you go on with other tasks as the system installs itself. The second response file is the AutoUnattend.XML. This file uses the same content as the original file, but its name allows it to be automatically applied when it is provided either through a USB memory stick or through a floppy drive during installation. Just insert the Vista DVD, insert the memory stick or the floppy and boot the machine. 206 Chapter 7 o Unattended installations are usually valid for organizations with very few computers. o Larger organizations will rely on this unattended installation method to reproduce their reference computer when they need to rebuild it. o Unattended installations are also useful for in-place upgrades. Even today, few organizations choose to perform these and take advantage of OS migrations to ‘clean’ house and reset each and every one of their PCs. • The third method is the system image. This system image relies on the capture of a copy of an installed system. This copy is depersonalized first through the use of a special command: Sysprep.exe. This tool is now part and parcel of every Vista system. Sysprep is located in the %SYSTEMROOT%\SYSTEM32\SYSPREP folder. This tool is designed to prepare a configured system for redistribution. Then, you capture the system image with another tool to reproduce it on other computers. • The fourth method is the remote OS installation. With Microsoft, this means using Windows Deployment Services (WDS), an update which is available for Windows Server 2003 through Service Pack 2. WDS replaces the previous remote installation services delivered with Windows 2000 and supports the remote deployment of Windows XP, Windows Server 2003 and Windows Vista. WDS requires a complex support architecture including Active Directory, DHCP, and DNS to operate. Special procedures must be used to put it in place. If you already use or have selected third party OS deployment tools, you will not use WDS, but rather rely on these more comprehensive tools for this type of deployment. But one thing is sure, the remote OS deployment method is by far the most popular since it relies on the creation of a system image first, and then, provides you with a tool to remotely deliver this image to any PC endpoint whether you rely on WDS or a true systems management tool. The selection of the appropriate deployment method is a key activity for the PC team responsible for system imaging. Microsoft has also released other tools that will make the preparation of your system images easier to work with. They include: • The Windows System Image Manager (Windows SIM) which is used to build and customize automated installation answer files. • WinPE which is a 32-bit operating system that has only a 24-hour duration at any given time—it can only run for a maximum of 24 hours at a time, though it can be rebooted any number of times—and includes a limited set of services. WinPE is aimed at preinstallation and deployment of Windows Vista. • ImageX which is a command-line tool that supports the creation and manipulation of system images for installation and deployment. ImageX is limited in that it is commandline only and does not support image multicasting. Deployments using ImageX have to rely on unicast image transfers which can have a negative impact on bandwidth utilization. If you already have or have selected a third party tool for OS deployment such as Ghost Solution Suite or Altiris Deployment Solution, it will have its own system image creation tool and you will not use ImageX. 207 Chapter 7 These tools are contained in the Windows Automated Installation Kit (AIK) which can be obtained from the Microsoft download site at www.microsoft.com/downloads. Make sure you obtain the latest version of this kit before you begin to prepare for installation automation. • The Windows AIK is also contained within the Microsoft Business Desktop Deployment (BDD) toolkit. This BDD toolkit can be obtained at http://www.microsoft.com/downloads/details.aspx?FamilyId=13F05BE2-FD0E-4620-8CA61AAD6FC54741&displaylang=en. Preparation and Prerequisites In order to build and test OS image deployments, you’ll need a series of other items: o The reference PC you’ve prepared. This should be running inside a virtual machine since you’ll only need it to create the automation system image. o The Vista installation media you want to create images for. Remember that installed versions are controlled by product key so one installation DVD should be enough. o The Windows AIK which you should have already downloaded. o A management system where you will be installing the Windows AIK and perhaps your third party OS deployment tool. You’ll use this system to create the system image. This should also be a virtual machine or several virtual machines depending on the prerequisites of the tools you are using. o Your build environment should also be able to simulate a deployment situation. This means a small network. This is one reason why this testing will be performed in the Integration and Staging testing levels because they provide you with a network foundation. o A shared folder on a server to store system images. o Your physical machine will need to include a DVD writer and of course, you’ll need blank DVDs to store the new image you create. The Windows AIK is a CD/DVD image. If you are working on a physical machine, transform the image into a CD and then load it into the CD drive. If you are working with a virtual machine, simply link the ISO file to the CD/DVD drive of the machine and launch the VM. The Windows AIK is in .IMG format. If you do not have software that understands CD images in this format, rename the file to an .ISO. It is the same format. Now you can begin the automation of your Vista setups. Use the following order: 89. Build your reference computer. 90. Copy the files that make up the reference PC virtual machine. Use the copy to create the system image. Remember to remove the backup administrator account before you generate the system image. 91. Create one or more system images. 208 Chapter 7 92. Create an automated response file. Include the product key, system name, custom device drivers, the domain join and language packs in the response file. 93. Deploy the images. There are hundreds of settings and features you can modify during setup through the response file. Ideally, you will keep these to a minimum and capture information from your reference computer as much as possible. This is the benefit of a system image—it includes all of the configuration parameters you set up on the reference PC. The response file should only include items aimed at customizing your standard image and personalize it as you apply it to each PC. Once your base image is ready, you’ll need to roll it out through a management platform. Most business systems shipped over the last 5 years adhere to the Wired for Management (WfM) specification. These machines support powerful management technologies like Wake-On-LAN (WOL) and Preboot Execution Environment (PXE). Together, these technologies offer support for centrally managing the deployment and configuration of networked computers. Imaging tools that support PXE and WOL can remotely power on machines and rollout images after hours while users are away. Some solutions can actually group disparate tasks together and execute them as single workflow—they can schedule a personality backup, image rollout and personality restoration to occur in a single, sequenced and automated event. Users arrive the following day and resume work as usual with little impact on their productivity. This is the focus of the image capture and deployment testing process: identifying each and every step that is required to install a system image on a variety of PC configurations and reproducing this process on an ongoing basis. Make sure the tools you use support this approach. You should also rely on multicasting for image deployment. Ideally, the image deployment tool you use will support the use of multicasting proxies. Proxies let you designate a target system in a remote LAN as the source for the multicast broadcast to that LAN. This avoids the need for modifying router and switch configurations so that they can support multicasting over the WAN. Build a Smart Solution System imaging is the key to the entire OS migration project. It is the most important aspect of this project as it outlays the foundation of your future network. Building a system and then capturing it for reproduction must be done carefully and with great precision. This is why the preparation of your logical solution is such an important step in the process. This lets you properly design the systems you will deploy. Using application virtualization along with a thin PASS system kernel will let you build smart stability within your network. Each PC will have a pristine copy of the system kernel and you will have the ability to maintain this pristine state on each and every system in your network. Your management solution will maintain the OS kernel, patching and updating it as necessary. Your application virtualization and streaming solution will manage the state of each application on the deployed OS. Your technicians will have fewer issues to deal with—if something doesn’t work right, just redeploy the system image. Since applications are streamed and only cached locally, they will automatically reinstall themselves. And, with the proper personality protection approach, your users’ data will also be protected. It’s that simple. Make sure that you thoroughly test each aspect of your PC image creation and deployment process. Using the highest quality standards will ensure you make this the best deployment ever. 209 Chapter 8 Chapter 8: Working with Personality Captures Personality protection is probably the most important aspect of any operating system (OS) deployment project; not, of course, from the technician’s point of view, but rather, from the end user’s point of view. After all, while we, as technical IT professionals, view a computer as a system we need to build and maintain, end users view it as a necessary evil they need to work with to perform their job functions. And personalities—the collection of data, favorites, desktop settings, application customizations and more—are the most important aspect of any OS migration for them. That’s because users perceive their computer’s personality as part of their workspace and many of them will spend considerable time optimizing it for the work they do. If computer personalities are not preserved in the course of a migration project, users lose productivity as they take time to either relearn or recreate the aspects of their old computer personality that they depended on to get their work done. For many users, losing printer settings, email configurations, Microsoft Word templates or even the placement of shortcuts on their desktop can compromise their comfort level and effectiveness with a new machine and/or operating system. This disorientation decreases productivity and increases the helpdesk workload because it leads to unnecessary end-user support calls and training. Therefore, preserving the personal computing environment of each user is a critical step in mitigating the productivity impact of an OS migration and controlling its costs. As with the other engineering processes that are required to complete an OS migration project, this process includes several steps (see Figure 8.1). • Begin with defining the administrative policy you will use to provide this protection. For this, you’ll need to fully understand the differences between profile structures in Windows XP and their counterparts in Windows Vista since these profiles are not compatible with one another; profiles are the OS components that store personalities. Then, you’ll need to determine which mitigation strategies you intend to use as well as how you will protect profiles once they are captured. • Next, you need to perform an analysis of your network. You’ve already performed inventories to determine your hardware and software readiness status. Now, you need another inventory to determine how many profiles you need to protect and how much central storage space you need if you choose to copy the profiles you decide to protect to a network share. • Then, once this is established, you can begin to prepare your protection mechanisms. Of course, this will be closely related to your tool selection as the tool you selected for this purpose will provide many of the features you’ll require for this protection. • Once the mechanisms are in place, you can move on to testing. Make sure you test this process fully and make sure you involve end users in the acceptance testing to guarantee that the level of protection you provide will meet and perhaps exceed their expectations. • When everything is as you expect and you have approval from end users, you can sign off on the personality protection strategy and begin its integration into the overall migration process. 210 Chapter 8 These steps form the basis of this chapter. Once again, they are mostly performed by the PC team with support from the server team if network protection and backup has been included in the protection policy. Figure 8.48. The Personality Protection Process 211 Chapter 8 Define your Profile Policy This is part of the Understand phase of the QUOTE System (see Chapter 2 for more information). In order to define your protection policy, you first need to understand personalities or profiles and how they work, and then you’ll want to categorize the profiles in your network to help determine which you will protect (see Table 8.1). A profile is generated the first time a user logs onto a system. Basically, the first time the user logs on, the contents of the default user profile are copied and personalized for the user. The system automatically resets the security parameters of these contents so that the user has exclusive access to them. This is one reason why it is so important to properly manage the contents of the default user profile when you create your system image as discussed in Chapter 7. By creating one single default user view, you standardize how end users access and interact with the computer systems you deploy to them. Of course, they will make this profile evolve, but you can at least ensure that key elements remain common in all profiles. Users can log on through a domain, relying on an Active Directory (AD) authentication, or through the local system, relying on the local security accounts manager (SAM) database that can be found on every Windows system. Each first-time logon will create a profile. This means that technicians who log onto a system for repair purposes will automatically generate a profile as will any other user logging on for other purposes. Most local logons are volatile because few organizations run their network without a central authentication database such as AD provides. This means that in most cases, you can discard any local profiles from your protection strategy. That is, unless you have custom systems that operate in a workgroup only. Many organizations use such systems to monitor and maintain systems connected to a demilitarized zone (DMZ) such as those found in a perimeter network. You can evaluate the opportunity to protect such local profiles versus having administrators and technicians recreate them when these machines are upgraded. If your default user profile is properly created, the value of protecting any local profile will be minimal. Therefore, your protection policy should concentrate on profiles that are generated through domain logins. If your network offers a single PC to a principal user, then you’ll have it relatively easy since all you will need to do is identify the principal user’s profile on a system, protect it and discard all other profiles. If your network uses shared computers, then it will be slightly more difficult. Domain login profiles can also be protected by other means such as roaming profiles—profiles that are stored on the network and downloaded to each PC as the user logs on—or folder redirection policies—Group Policy objects (GPO) that move the contents of local folders found in the profile to network locations. Your analysis will need to take these factors into account if you want a protection policy that will meet the needs of every user in your network. Some organizations, especially those that must operate 24/7, will also have generic accounts in their network. Generic accounts are shared accounts that allow operators to share a machine without needing to log on or off at the end of their shift. There are two types of generic production accounts. The first deals with 24/7 operations and is required as mentioned above to run a machine without the need to log on or off. Operators share the password to this account and can thus change shifts without closing the session. 212 Chapter 8 The second type is for environments that have a high personnel turnover. A good example of this is on naval vessels. Since officers and staff change almost every time the ship docks and crews are rotated, some organizations choose to use generic role-based accounts instead of named accounts. For example, a first officer would use the First Officer account instead of one named after him or herself. In this situation, the password may or may not be shared. It depends on the amount of effort the administrative staff is willing to undertake at each crew change. They can either reset the passwords of each generic account or not, as they wish. Obviously, a policy that would require either named accounts that could be renamed each time a crew member changes or password changes at each crew change would be much more secure than one where passwords are shared. With Windows Vista, organizations that are currently using generic production accounts can mostly do away with them because Vista supports Fast User Switching (FAS) even in a domain environment. Organizations that rely on shared accounts to run operations and machinery can now use named accounts because their operators can each be logged on personally while others are using the same machine. There is no downtime for the machine as shifts change and users each have their own account and a private password. This creates a much more secure environment. If your organization decides to move from generic to named accounts during its migration, then your protection policy will have to support the capture of a shared profile and its restoration to multiple users, something few organizations face today. Profile Type Comments Default User Used to generate new profiles at first log on. Network Default User Stored on the network under \\domaincontrollername\Netlogon share. Used to generate new profiles on domain-joined computers. Mandatory Profile Read only profile that is forced on users. This profile is not saved at log off. Super Mandatory Profile Like the mandatory profile except that it will force log off if the profile cannot be loaded from the network. Roaming Profile Profile that is stored on the network and loaded at log on. Changes are saved at log off. Local Logon Profile generated when logging on to the SAM. Usually volatile profiles. Network Logon Profile generated when logging on to Active Directory. Usually permanent profiles. Principal User Profile Profile of the main user of a machine. Generic Account (24/7) Account used in 24/7 operations to ensure no log off is required at shift change. Generic Account (Shared) Account used in situations where there is high personnel turnover. Accounts are named by position and shared among 213 Chapter 8 Profile Type Comments users who hold this position. Table 8.1 Different Profile Types. Choosing the Profiles to Protect You need to have the means to determine which profiles to protect. The best way to do this is to use a flowchart that identifies which profiles to protect and under which circumstances (see Figure 8.2). We’ve already discussed some of the reasons why you would or would not protect a given personality. Figure 8.49. Using a Decision Chart to determine the Personality Protection Policy This means your decision flow should include the following guidelines: • Local profiles are only protected if they are situated on special machines that are not part of the domain and cannot be replaced by a custom default profile. • Domain profiles are protected if they have been used recently and on a constant basis. • Only profiles with actual content are protected (based on profile size). • Only active profiles are protected. • If your machines have principal users, then their domain profiles are protected at all times. 214 Chapter 8 There are of course, other considerations, but these decisions should form the main crux of your personality protection policy. 215 Chapter 8 Differences between Windows XP and Vista Profiles are designed to store several different types of content: • The first is user data which ranges from user-generated documents to desktop preferences to Internet favorites and more; basically, anything a user generates when they are working with their PC system. • The second is user application data. This includes custom dictionaries, custom toolbars in applications, custom settings for one particular application and so on. • The third is application data that applies to any user of a system. In XP, this system-wide data was stored in the All Users profile, a profile that was shared as its name suggests by all users. In Vista, the All Users profile disappears and becomes the Public profile. Each data type has its own particularities and each requires a slightly different treatment. In addition, profile data is stored not only in the file system, but also within the Windows registry under the HKEY_USERS Structure. The profile of the user that is currently logged on is stored under HKEY_CURRENT_USER, a volatile registry structure that is designed to store in memory profile contents. Finally, profiles contain volatile information within a special profile file: NTUSER.DAT which is located in the root of the user’s profile folder. This file contains the in-memory information related to a user’s login session. Because of this, it is difficult to protect when in use. All of these elements must be captured to protect a given personality. Many organizations use roaming profiles—profiles stored on a network drive and which are downloaded to the PC when the user logs in. This strategy is great for users that roam from one PC to the other in a network, but roaming profiles is an outdated technology because, depending on the profile size, it will take some time for the profile to be downloaded to a system and, should the network not be available, then the profile won’t be either. In addition, profile changes are only saved at log off. If the user has not logged off from one machine but wants to use another, they will get an older copy of their profile. XP roaming profiles are not compatible with Vista. You can however mix the use of roaming profiles with folder redirection as discussed further in this chapter. This reduces the contents of the roaming profile and increases roaming profile performance while giving users access to their profile anywhere in the organization. If, however, you choose to use a different strategy, you should turn roaming profiles off before the migration. If you do not use roaming profiles, then use the more traditional profile protection strategy discussed here. But, the first place to start to make sure all information is protected is to take an in depth look at the differences in profile structures between Vista and XP. 216 Chapter 8 There are seven major differences between Windows XP and Windows Vista profile structures: 94. Profile location is the first. In Windows NT, profiles were stored in the WINNT folder, allowing users read and write privileges to this most important folder. With Windows 2000 and Windows XP, profiles were moved to the Documents and Settings folder structure. Of course, with Vista, this has been changed once again (third time lucky?) to become the Users folder structure (see Figure 8.3). Figure 8.50. The Evolution of the Profile Location 95. The User folder structure is the second. Several different elements of the User folder structure have changed and have been relocated for several different reasons, one of the main which is the need to provide better support for roaming users through a better structured profile folder structure. 96. Microsoft has now begun using junction points or redirection points which appear as proper folders but are there only for compatibility purposes (see Figure 8.4). Several different folders both within and without the User folder structure act as junction points and provide support for the operation of applications that are not Vista aware. Two types of junction points are included in Vista: per user and system junction points. Figure 8.51. Displaying Junction Points in the Command Prompt • More on junction points can be found in the Vista Application Compatibility Cookbook at http://msdn2.microsoft.com/en-us/library/aa480152.aspx. 217 Chapter 8 97. The Application Data folder structure has also been modified. It is now comprised of a series of junction points along with actual folders (see Figure 8.5). Figure 8.52. Linking the XP and the Vista Profile Structures—New Vista Folders are shown in boxes 98. A new ProgramData folder has been introduced. ProgramData works along with Program Files to store system-wide application information or what is also normally found under the HKEY_LOCAL_MACHINE registry hive with legacy applications. 99. As mentioned before, the All Users profile has now been renamed Public. In addition, the Default User’s profile is now renamed Default. Folder redirection, or the ability to control the location of a folder within the user profile structure through Group Policy objects (GPO), has been updated significantly and now provides real protection for all user data. 100. 218 Chapter 8 Two new subfolders, Local and LocalLow are used to store application data that remains local at all times. Data in these folders is either specific to the machine itself or is too large to be stored on the network. For example, Outlook personal storage files (.PST) are located under the Local folder structure. This is why it is important to supplement any folder redirection or roaming profile strategy with a full profile backup. This way, there is no possibility of data loss during machine upgrades. Other changes are included deeper in the profile structure. For example, the Start Menu is now buried in the AppData\Roaming folder structure under the Microsoft, then the Windows folders (see Figure 8.6). This is where you will find other corresponding contents such as printer settings, recent documents, network connections and so on. These latter changes to the Vista profile structure were specifically performed to support the seventh element in the previous list, folder redirection. Figure 8.53. The Contents of Vista’s AppData\Roaming Profile Structure Each of these has an impact on the migration of personality content. For one thing, the tool you use for migration must support the conversion of a profile from Windows XP and perhaps earlier to Windows Vista. Completing the Personality Protection Policy Now that you are more familiar with the structure of the Vista user profile, you can complete your personality protection policy. Two items are left to complete: • Identify the migration strategy • Define the profile backup policy 219 Chapter 8 The first will depend on the tools you selected. There are several tools on the market for personality protection. Hopefully, you elected to select a comprehensive tool that supports every part of the OS migration process and especially, one that has been upgraded to support Vista migrations. As far as profile migrations are concerned, your tool must support the translation of XP or earlier profiles to Windows Vista. In addition it should include several other features: • Store the profile(s) to migrate either locally or remotely on a network share. • Compress all profile contents to reduce space requirements, network traffic and migration time. • Support a profile collection analysis to help determine how complicated your personality protection strategy will be. • Support the application rationalization process through the migration of application settings from one version of an application to another. • Support the creation of profile migration templates so that you can premap migration settings and therefore automate profile migration processes. • Support the integration of the profile collection and restoration process to the overall OS migration process. The degree of support your tool will offer for each of these elements will help determine the contents of your personality protection policy. Profiles can be stored either locally or remotely. If you decide that you do not want to reformat disk drives during the OS migration, then you can store profiles locally. Remember that the Vista image-based setup (IBS) is non-destructive and supports proper upgrades. Tools such as the Symantec Ghost Solution Suite and Altiris Deployment Solution support local profile storage even if a disk wipe is performed. Storing the profile locally will definitely save you time since profiles tend to be large and take time to transfer over the network. But, storing the profiles locally can be a risk to the project because there is no backup for them. If something goes wrong, you won’t be able to go back and recover information from a locally stored profile. If, on the other hand, you choose to store profiles on a network share, you will then be able to back them up and protect them for the long term. Remember, as far as an end user is concerned, the protection of the personality of their computer is the most important aspect of the project for them. During one of our migration projects, the project team lost a single profile out of more than 2,500. Unfortunately, it happened to belong to a developer who was in charge of the single, most important application the organization was running. It turned out this user had never backed up anything from his computer before and had never stored any single piece of code onto the network. More than five years of work was lost. Your project will not face such a disastrous situation, but keep in mind that a protection policy for the data in every profile is critical to the perceived success of the project. Imagine losing any profile from upper management—these are the kinds of pitfalls that are really easy to avoid through proper preparation and structure. 220 Chapter 8 If profiles are to be carried across the network, then you need to have them compressed as much as possible. This is one more reason why they should be cleared of all useless data beforehand. One good way to ensure this is done is through a pre-migration analysis of both profile contents and approximate profile sizing. Use the flowchart in Figure 8.2 to help determine what you are looking for in this analysis. Your objective is to make the best possible use of bandwidth during the protection. Be sure to communicate with users before the migration to have them clean up their profile data as much as possible. There is no need for your project to transport outdated data and favorites across the network. Integrate this into your communication strategy and provide this as one of the actions users are responsible for before your project reaches them. Most profile protection tools will support this analysis through some form of pre-migration inventory. For example, Microsoft’s command-line User State Migration Tool (USMT) supports this type of pre-analysis, but since its findings are not stored in a database, you will need to record them in some manner to get a global picture of the status of your network. It does provide results in Extended Markup Language (XML) so it may not be too complicated to program some form of automated collection tool, but why burden your migration project with this additional task if you don’t need to? • For more information on the USMT, read Migrating to Windows Vista Through the User State Migration Tool at http://technet.microsoft.com/en-us/windowsvista/aa905115.aspx. • Commercial tools provide graphical interfaces for profile management. See Ghost Solution Suite at http://www.symantec.com/enterprise/products/overview.jsp?pcid=1025&pvid=865_1 or Altiris Deployment Solution at http://www.altiris.com/Products/DeploymentSolution.aspx. In addition, the personality protection team must work closely with the application preparation team to determine which applications will be transferred over to the new OS. You don’t want to capture settings for applications which will not be carried over during the migration. The application preparation team will also be performing an application rationalization to reduce the level of effort required to prepare applications for the migration and help streamline operations once the migration is complete. Part of this effort will involve the removal of multiple versions of the same application when possible. Therefore, your migration tool must support the migration of application customizations from one version to another. For example, an organization with multiple versions of Microsoft Office should standardize on one single version. This means that the personality protection tool should be able to capture settings from older versions of Office and convert them to the version you have elected to standardize on (see Figure 8.7). 221 Chapter 8 Figure 8.54. Symantec Ghost Solution Suite can capture setting from multiple versions of Microsoft Office If your organization is like most, you will rely on at least one in-house or custom developed application. Make sure your migration tool can support the capture of data and settings for any proprietary programs and not just standard programs like Microsoft Office. You should also be able to create personality capture templates that can be optimized for different departments or groups. Users in marketing appreciate having settings for Microsoft Office transferred to their new machines while developers will want to keep their Visual Studio .NET configuration. Advanced tools support the ability to create a template to capture the unique settings of each user type (see Figure 8.8). 222 Chapter 8 Figure 8.55. Altiris Deployment Solution support the creation of personality protection templates on a per group basis The personality protection tool must seamlessly integrate into the overall OS migration process. Command-line tools such as USMT let you script the process and integrate the script into both the pre-migration and post-migration stages. More sophisticated tools let you remotely and silently capture personalities from end user machines through a central administrator console. In sensitive environments, you might also want to protect profile contents through the assignment of a password to the profile package. In addition, since the ability to capture a profile requires high-level administrative rights on the machine, you will need to make sure the profile capture and restoration occurs in the proper security context (see Figure 8.9). Using a tool that lets you integrate both levels of security through a central console will certainly facilitate the overall process. 223 Chapter 8 Figure 8.56. Altiris Deployment Solution support the protection of profile contents as well as the assignation of a security context for profile capture and restoration Some users may require more personal interaction in which a project member sits down with the user and walks them through a wizard-based, highly customized personality capture. An easy-tounderstand, wizard-based personality capture is also helpful with remote users who may need to do the job on their own. Any user whose settings have been saved and properly restored will remember the project team with fondness and will not fear future migrations. Keep this in mind at all times when you are working on this aspect of the project. You should also consider how the personality data is stored and then reapplied. Ideally, all personality settings should be rolled into a single compressed executable package. This helps with remote users who may have to restore their own settings. Just double-clicking the executable on the new machine is all that it takes to re-apply the personality data. Finally, your protection strategy should include the ability to store personality data across different removable media—such as a CD, DVD or USB flash drive—which will also be useful for remote users who have to both capture and restore personalities on their own. An undo option to remove the personality in case it is applied to the wrong machine is also a very helpful feature. 224 Chapter 8 If you decide that your personality capture efforts will be limited to only official data types, be sure to communicate it to end users. Give them plenty of time to archive anything that won’t be migrated by IT so they can access it later if need be. Many organizations tend to capture a complete image of the legacy machines before performing a migration. This provides a failsafe method of retrieving user data not included as part of a migration for the users that did not have time to backup their own data or simply did not know how. This also provides a great solution for rolling back to a previous state if an in-place hardware refresh was not completed successfully. Determine your Backup Policy Personality protection is, as mentioned earlier, the most important aspect of the migration for end users. This is why most organizations opt to take the time to transfer profiles over the network and create a centralized backup of each personality they protect. It is true that moving profiles over the network will take time and will slow down the overall migration process, but the good will it will buy you from users will make it worthwhile. You should aim to back up all profiles if you can. Some organizations even choose to back up the entire PC image just in case the profile protection misses something. This begs a discussion of the actual migration process itself. There are several approaches: • The in-place migration • PC rotations • Hardware attrition Each involves its own benefits and potential issues. If you decide to perform in-place migrations, then you will be leaving PCs where they are and perform the system replacement—whether it is an actual upgrade or a complete OS replacement including a system disk wipe. To do so, you will need high-speed network connections and your technicians will either have to work at night or during weekends to minimize the disruption to the business. High-speed links and proper network storage should not be a problem in large central offices but they may be an issue in remote offices. Many organizations use portable servers for this purpose. These servers are designed to support many processes such as OS system image deployment, protection for personality captures, software deployment and so on. Performing upgrades—replacing the OS without wiping the system disk—is often the very easiest migration process to choose. Upgrades are non-destructive so no profile migration is required. Of course, few organizations choose to use upgrades because it does not give them an opportunity to ‘clean up’ their systems as they perform the OS migration. PC rotations use a different process. When organizations perform OS migrations, they often have to replace a significant portion of their PC systems. This new batch of computers are often much higher-powered than the other systems in the network, especially if you choose systems that will support all of Vista’s features. With this new pool of computers, the organization can set up a rotation system that removes existing systems from the network and replaces them with systems from the replacement pool. This often involves a cascade where each user will receive a PC that is better than the one they were using before, once again using the systems from the original purchase to begin the cascade. Since many users will be receiving used systems, the migration 225 Chapter 8 team also implements a cleaning process to make sure that each user has the impression of getting a nice new and clean computer. The point of this discussion is that when rotations are performed, each computer is taken away from the network and moved to a staging area for the OS replacement. This means that the mechanisms you need to protect personalities need only be in the staging area, reducing the cost of performing the migration and reducing the impact on production networks. You may still need to have a solution for remote sites, but this can often be nothing more than a mobile staging center. Do not confuse the staging area with the staging test level. While some organizations merge the two roles together, many choose to maintain the staging area—the area where new computers are prepared—within the production domain and the staging test level—the last level of testing before moving into the production network—uses its own, independent domain. If you choose to rely on hardware attrition for the migration, then you should use a staging area for system preparation. Of course, you may choose to perform the personality capture from user systems while they are still in the network. Ideally, you will try to perform all migration activities in a staging center because this approach has the least impact on productivity. Whichever method you use to protect profiles in central and remote offices, once the profile is on the network, you’ll want to back it up to permanent storage. Many organizations choose to protect the personality, moving it to a network drive, back it up top permanent storage and then, leave it on the network share for a period of about two weeks. This lets you define your backup policy: • Profiles are stored on network shares for a period of two weeks. • Profiles are backed up to permanent storage. • Any missing contents from the restored system can be retrieved from the profile stored on the network share during the first two week period. • After two weeks, the profile contents are removed from the network share. • Missing contents that are discovered after the two week period must be restored from permanent backups. This strategy provides a compromise between a personality protection guarantee to end users and the amount of storage space required for this aspect of the migration process during the actual migration. Make sure you communicate this strategy to your end users before you begin the migration. Prepare your Protection Mechanisms This is part of the Organize phase of the QUOTE System. Now that you have determined your overall protection policy, you can move on to the preparation of all of the engineering mechanisms required to support it. Here, the PC team will have to work with their server counterparts to complete these engineering activities. 226 Chapter 8 Perhaps the first place to start is to describe to the server team how you intend to proceed and indicate to them the protection flowchart you intend to use. They can then provide the best assistance based on your protection choices. Basically, this is what you should detail to them (see Figure 8.10): You’ll begin with a profile analysis to help determine storage sizing and determine network bandwidth requirements. 101. If you are using roaming profiles in Windows XP and you don’t want to implement joint folder redirection and roaming profiles, then you’ll need to turn them off prior to the migration of each system. 102. Then, you’ll create templates to meet specific protection goals. Work with the application preparation team to identify the applications you need to protect. 103. 104. You’ll use the templates to protect each system’s core profile (see Figure 8.2). If you’ve decided to back up the entire system, then this will be done after the personality has been protected. 105. You’ll store the system backup offline, backup the profile and keep it available for 2 weeks. 106. 107. Profiles will be available from offline backup after 2 weeks. Profiles will be restored after the OS migration has been completed. This should occur after applications have been reloaded on the system. 108. 109. Your profile protection guarantee will include the following: a. Profile implementations can be rolled back in the case of problems. b. Machine OS upgrades can be rolled back if serious issues arise after the migration. c. If generic profiles were in use, they will be migrated to individual profiles. In this case, the same generic profile is migrated to multiple individual profiles. Users will rely on Fast User Switching to provide continuous operations. A 20 working day support guarantee will be provided to each user after the migration. 110. Storage resources will be liberated once the migration has been successful. The personality protection team members will be responsible for automating both the capture and restoration of the profiles. If you have the right tools, this should involve nothing more than providing the appropriate answers and settings to wizard-based interfaces. If you decide to work with application virtualization and stream them to each desktop, you will need to integrate the streaming process with the personality restoration. More on this topic will be covered in chapter 9 as we discuss how you bring every element of the migration together. 227 Chapter 8 Figure 8.57. The Personality Protection Policy Flowchart Be sure to perform end-to-end testing of each phase of the personality protection process and be sure to have end users sign off on acceptance testing for the solution you propose. This will avoid any nasty surprises during the project. Then, once all testing is done, you can sign off on your personality protection strategy. 228 Chapter 8 Long-term Personality Protection Mechanisms As you can see, preparing a personality protection strategy involves a lot of different steps. And, you might think the personality protection team’s efforts stop when this is achieved, but what do you do once the OS migration is complete and the new OS is in production? Microsoft has put in a lot of effort to make personality protection an everyday process. That’s right; the entire User folder structure has been revamped in order to provide support for one thing: folder redirection and general profile protection. Folder redirection is an aspect of Group Policy that will automatically redirect user folders to central locations. When coupled with offline folder caching, folder redirection can provide the best of all worlds for users whether they are roaming or not: folders are located on network shares where they can be backed up and made available at all times. Their contents are cached locally so even mobile users have access to their data even when disconnected. If any changes are made locally, they are automatically synchronized the next time the network connection is available. This means that both connected and disconnected users have constant access to their data. You can combine folder redirection with roaming user profiles to gain the best of both worlds. Volatile items such the NTUser.DAT file are not contained in folder redirection. This means that relying on folder redirection alone may provide a less than complete experience for users. In addition, relying on roaming profiles alone limits the experience because data is not available in real time as it is with folder redirection. Combine both to have folder redirection manage the data within the profile and roaming profiles manage the rest. The result is a profile that loads really fast because its contents are small and users that have access to data at all times through folder redirection. An additional advantage is that combining the two lets you support roaming users in both Windows XP and Vista. This is great for the duration of the migration when you will be managing a mix of operating systems. But, for many, this means rethinking how they provide protection for user data. Many organizations have relied on the user home directory and/or roaming profiles to provide this type of protection. The home directory was originally designed to provide a simple way to map user shares on a network. In Windows NT, 2000 and Windows Server 2003, using the %username% variable in a template account automatically generates the home directory folder and applies the appropriate security settings giving the user complete ownership over the folder when you create a new account. When the user logs on, this folder is automatically mapped to the H: drive or any other letter you assign. But today, you shouldn’t be relying on mapped drives anymore. You should be relying on the Distributed File System (DFS), especially DFS namespaces. DFS namespaces use universal naming convention (UNC) shares to map resources for users. But, instead of using the \\servername\sharename approach, DFS namespaces use \\domainname\sharename and each namespace is mapped to an appropriate target in each site of your organization’s network. DFS replication keeps the content of these target shares synchronized over the WAN. • Find more information on DFS at http://www.microsoft.com/windowsserver2003/technologies/storage/dfs/default.mspx. 229 Chapter 8 Since Windows 2000, Microsoft has focused on the use of the “My Documents” folder as the home of all user documents. This folder is part of the security strategy for all Windows editions beyond Windows 2000 even though it has been renamed to “Documents” in Windows Vista. This folder is stored within a user’s profile and is automatically protected from all other users (except, of course, administrators). In Windows XP, folder redirection could manage four critical folders and assign network shares for each. These included: • Application Data which stores all application-specific settings. • Desktop which includes everything users store on the desktop. • My Documents which is the user’s data storage folder. Storing the My Pictures sub-folder on the network is optional. • Start Menu which includes all of a user’s personal shortcuts. When redirection is activated through Group Policy, the system creates a special folder based on the user’s name (just like in the older home directory process) and applies the appropriate security settings. Each of the above folders is created within the user’s parent folder. Data in these folders is redirected from the desktop PC to the appropriate network folders. But, the user profile includes much more than these four main folders. In fact, highly volatile information such as Local Data and Favorites were not protected. Because of this, you can’t rely on Windows XP’s folder redirection to properly protect a system’s personality. For users that roam to remote offices, you can combine folder redirection with DFS namespaces and replicate the contents of their folders to DFS target shares in remote offices. Make sure you are running Windows Server 2003 R2 to take advantage of the new delta compression replication engine in DFS replication. Relying on Vista’s Folder Redirection All of this changes with Windows Vista because it finally provides a mechanism for true folder redirection and personality protection. This is evidenced in the settings available for folder redirection in the Vista GPO (see Figure 8.11). As you can see, it includes redirection for much more than XP ever did. This makes folder redirection an excellent choice for long term personality protection. It is completely transparent to the user. While they think they are using the Documents folder located on their PC, they are actually using a folder that is located on the network. This way you can ensure that all user data is protected at all times. • Microsoft provides a guide for Vista roaming user management at http://technet2.microsoft.com/WindowsVista/en/library/fb3681b2-da39-4944-93addd3b6e8ca4dc1033.mspx?mfr=true. Rely on the online version because the downloadable document does not contain as much information. 230 Chapter 8 Using a folder redirection strategy rather than using a home directory simplifies the user data management process and lets you take advantage of the advanced features of the Vista network. For example, even though data is stored on the network, it will be cached locally through offline files. Redirected folders are automatically cached through client-side caching when they are activated through a GPO. Data in these folders can also be encrypted through the Encrypted File System (EFS). In fact, all offline files can be encrypted. Vista lets you redirect ten different folders. When you combine the redirection of these folders with roaming profiles, you offer the best roaming experience to users with a lower impact on network traffic than with roaming profiles alone (see Table 8.2). Figure 8.58. Vista’s Folder Redirection GPO Vista folder redirection policies include more settings. For example, you can automatically delete older or unused user profiles from your PCs (see Figure 8.12). In addition, the settings you can use for personality protection are much more granular than ever before. Music, pictures and video can all be set to automatically follow the policy you set for the Documents folder. In addition, you can use the same policy to manage folder redirection for both Windows XP and Windows Vista (see Figure 8.13). This provides powerful system management capabilities. 231 Chapter 8 Figure 8.59. Windows Vista lets you control the behavior of User Profiles on each PC Profile Type Comments AppData (Roaming) This folder contains all roaming application data. Redirecting this folder will also support Windows XP clients with limitations. Desktop Users should not store data or any other items on their desktops; they should rely on the Quick Launch Menu instead. This reduces the size of the folder to redirect. Include this in your communications to them. Redirecting this folder will also support Windows XP clients. Start Menu The contents of the Start Menu are redirected. If you use application virtualization, then users will always have access to their applications on any PC even if they are not installed. Redirecting this folder will also support Windows XP clients. Documents This contains all user data. Make sure your storage policy and quotas support today’s large file sizes and give users enough room to breathe. Redirecting this folder will also support Windows XP 232 Chapter 8 Profile Type Comments clients. Applying this policy to pre-Vista OSes will automatically configure Pictures, Music and Videos to follow Documents even if they are not configured. Pictures Determine if your organization wants to protect this folder. If you do, use the Follow the Documents folder option or rely on the setting in Documents. Redirecting this folder will also support Windows XP clients. Music Determine if your organization wants to protect this folder. If you do, use the Follow the Documents folder option or rely on the setting in Documents. Using this option will also support Windows XP clients. Videos Determine if your organization wants to protect this folder. If you do, use the Follow the Documents folder option or rely on the setting in Documents. Using this option will also support Windows XP clients. Favorites Only applies to Vista. Contacts Only applies to Vista. If you are using Outlook, then this Contacts folder is not necessary. Downloads Only applies to Vista. You will need to determine if your organization wants to protect downloads users obtain from the Internet. Links Only applies to Vista. Searches Only applies to Vista. Saved Games Only applies to Vista. The contents of this folder are very small and apply mostly to the games included in Vista. Your organization will need to determine if you want to spend network bandwidth and storage space on this content. Table 8.2 Recommended Settings for combining Vista Folder Redirection with Roaming Profiles. 233 Chapter 8 Figure 8.60. Folder Redirection in Vista offers several more choices than in Windows XP If you choose to use folder redirection to provide a bridge between XP and Vista during the migration, you will need to supplement this approach with some form of local content capture because many key profile folders are not protected by Windows XP folder redirection. You don’t want to find out after the fact that users are missing their favorites or even worse, their Outlook data files. Enabling Folder Redirection with Roaming Profiles There are special considerations when enabling folder redirection. First, you need to ensure that each user is redirected to the appropriate server. It wouldn’t do to have a user in New York redirected to a server in Los Angeles. To do this, you must create special administrative groups that can be used to regroup users and ensure that each user is assigned to the appropriate server; you most likely already have security groups you can use for this. You must also ensure that offline settings are appropriately configured to guarantee that users are working with the latest version of their offline files. Make sure you assign appropriate amounts of storage to each user for folder redirection. There is no point in making this effort if you limit their disk space access to something that is unacceptable. Redirecting folders through user groupings is in fact very similar to creating regional or rather geographically-based user groups. Since each server is in fact a physical location, you will need to create a user group for each server. Begin by enumerating the location of each file server that will host user folders, and then name each global group accordingly. Once the groups are created, you can begin the redirection process. Using groups allows you to limit the number of GPOs required for the folder redirection implementation. 234 Chapter 8 In chapter 7, we discussed how to create the default user profile. With Windows, you can store this profile under a folder named Default User in the Netlogon share of your domain controllers— use \\domaincontrollername\netlogon to access the share; Active Directory replication will automatically make this folder available on every domain controller in your domain. Placing the default profile in this location will let each PC load the default profile from the network instead of from the local machine. Since profiles are not compatible between Vista and XP, you need to name the Vista network profile folder to Default User.v2 (the v2 identifies Vista); this will separate the Vista profile from its XP counterpart. Be sure to fully test this strategy with both Vista and XP systems to make sure nothing untoward occurs when default profiles are created. Vista also supports mandatory profiles, but since it relies on version 2 profiles, you must name the network folder containing this mandatory profile with the .v2 extension as with any other profilerelated folders in Vista. Use the following procedure to prepare your folder redirection with roaming profiles strategy. Make sure you are running Windows Server 2003 Service Pack 1 or R2 as your server OS. Make sure all GPO settings are prepared and modified from a Vista PC. 1. Begin by creating the shares that will support redirection and roaming. You will need a minimum of two shares: one for the user profiles (for example, User_Profiles) and one for folder redirection (for example, Folder_Redir). If you are already using XP roaming profiles, then use this share for the profiles. 2. Next, create a folder for each user in your organization under the profiles section. Name each folder with the user’s account name followed by a .v2 extension. Vista will rely on this folder to enable the Vista roaming profile. Assign full control to each folder for the user and for the System accounts. You can generate a script to do this by exporting your user list from AD and adding the appropriate command line settings in a program like Microsoft Excel. Vista will populate these folders when users first log on to the system. 3. Because Vista does not display much user information during log on and log off, you might want to change this default behavior. Apply a GPO to all Vista PCs and set the Administrative Templates | System | Verbose vs normal status messages option under Computer Configuration. This will let users know what is happening during logon and it might also be useful for debugging issues. 4. Verify that roaming profiles have been set up in user account properties in AD. Each user will have two profiles during the migration—version 1 for XP and version 2 for Vista. 5. To reduce the content of the roaming user profile and therefore limit network traffic and logon times, exclude key folders from the roaming profile contents. Use the Administrative Templates | System | User Profiles | Exclude directories in roaming profile option under User Configuration. List each of the ten folders supported by Vista’s folder redirection (see Table 8.2). Type the name as it appears in Windows Explorer and separate each name with a semi-colon (;). 6. Rely on the suggestions in Table 8.2 to set your folder redirection policy. Use Windows Settings | Folder Redirection options under User Configuration to do this. Change the property of each folder. Redirect them to your folder redirection share. There are a couple of caveats: 235 Chapter 8 a. When you set the folder properties for folders that are supported by both Windows XP and Vista, use the Also allow redirection policy… option under the Settings tab (see Figure 8.13). b. When redirecting AppData (Roaming), you will get a compatibility warning message (see Figure 8.14). This is because older Windows OSes do not support the full functionality of Vista in terms of folder redirection. c. When redirecting the Documents folder, you will also get a warning message. In this case, it tells you that by selecting to support older OSes, you automatically change the behavior of the Pictures, Music and Video folders; they will be protected by default and set to Follow the Documents folder. If you do not want to protect them, then set the policy explicitly for each folder. 7. When Windows XP systems are no longer in use, archive all XP profiles (the ones without the .v2 extension) and remove them from your servers. Test the strategy in the lab before deploying it to production. Once again, have users sign off on it through acceptance testing to make sure they are also happy with its operation. You will need to warn users that their first logon will take time as Vista downloads the contents of their profiles. Figure 8.61. Vista’s compatibility warning message for the AppData folder. 236 Chapter 8 Figure 8.62. Vista’s warning message for the Documents folder. Finalizing the Personality Protection Strategy Take the time to preserve what makes your users feel successful and comfortable in doing their jobs and it will pay dividends. When mapped drives are restored, printers appear just as they did previously, and data, shortcuts, and favorites are exactly as the user left them, the focus of the user shifts toward learning the benefits of their new hardware and operating system. You can spend less time training users on how all the old features in Windows XP are still in Vista and focus instead on more advanced topics such as new multi-tasking features, advanced searching and using new peripherals. In addition, if you take the time to prepare a proper long term protection policy through folder redirection, you’ll also be ready for the next migration when it comes along. Make this a smart profile protection policy! 237 Chapter 9 Chapter 9: Putting it all Together So far, each technically-focused team has been working on their own as they prepare their portion of the technical solution. By now, you should be in the middle of the Organize phase of the QUOTE System with each team progressing towards completion of their engineering activities (see Figure 9.1). It is now time to first, review the status of each solution component, mapping them out to the original logical solution design, correct any defects or deviances if they appear and then, begin integrating each solution component into one cohesive whole that will provide one single flow of operations during the rollout. The objective of this activity is to make sure that each and every engineering aspect of your solution works as expected in every situation and have it accepted by your peers, especially those that will be responsible for these aspects of IT operation once the solution is in place. Figure 9.63. The Organize Phase of the QUOTE System 238 Chapter 9 Of course, other personnel have also been working through the activities in the project plan as outlined in Chapter 2—activities that are more administrative in nature such as training and communications preparation—and these activities are soon to be tested and integrated into the migration process, something that will be covered in the next chapter as we run through the Pilot project. But, before you can focus on the overall migration picture, you need to make sure all engineering aspects are up to snuff. To date, you’ve had five technically-focused teams working out pieces of the solution. They include: • Infrastructure remediation • Security design • Application preparation • System imaging • Personality protection In fact, the technical team has been following the Desktop Deployment Lifecycle (see Figure 9.2). Though they have not been working in a vacuum—if you planned your project well, team members have been shared between the different technical activities so that they can share their expertise with others—they have, however, been focused mostly on their own aspect of the solution. Figure 9.64. The Desktop Deployment Lifecycle As each team progresses through its solution design, they also progress through the testing levels. This means that they are now arriving into the Integration and Staging testing levels— levels that require more structure and precision than their predecessors. Remember that one of the features of the Unit and Functional testing levels is that they support undoable virtual disk drives, letting the teams ‘go back in time’ as they work with the preparation of their portion of the solution. But, Integration and Staging no longer offer this feature. Therefore, the teams must have more precise implementation strategies as they arrive into these environments. 239 Chapter 9 At this point, these teams must also have produced preliminary versions of their technical deliverables. These deliverables should include detailed procedural documentation for the implementation of each part of the solution (see Figure 9.3). These deliverables will provide you with the roadmap for the actual implementation. The Integration testing level provides a first fully-functional network level for this first integration test. Staging provides a much more comprehensive testing level that simulates as many aspects of the production network as possible. For example, if your organization has remote sites, then the Staging level will simulate these remotes sites and allow you to test the solution over simulated or real WAN links. Also, because it is the last level before you get into the actual production network, there should be as few mistakes as possible when you get to Staging. Staging is also the level where you will be performing the last level of acceptance testing. In fact, you must have each portion of the solution accepted by the appropriate authority before you can move out of the Staging testing level and move into the production environment. Part of this acceptance testing will require you to perform a proof of concept, migrating or perhaps re-migrating at this stage, the systems of each member of the project team and perhaps even some key members of the organization, though they should normally wait until the Pilot project. Figure 9.65. The Technical Deliverables Roadmap 240 Chapter 9 Bring the Teams Together To bring all teams together and perform the deployment of the solution within both Integration and Staging, you’ll need once again to rely on the PC Migration Cycle (see Figure 9.4) since everything needs to be implemented in the proper order to provide the best level of integration. Figure 9.66. The PC Migration Cycle As illustrated in the PC Migration Cycle, everything starts with Systems Readiness; this means that you will need to look to your server team to begin the integration process. Let’s see what it entails. No matter what the size of your organization, it is always best to rely on a systems management tool for your migration. It’s true, as pointed out in Chapter 4, Microsoft offers several free tools for desktop migration, most notably the new tools available for Vista through the Windows Automated Installation Kit (http://www.microsoft.com/downloads/details.aspx?familyid=C7D4BC6D-15F3-4284-9123679830D629F2&displaylang=en)—which you will need in any case—and through the Business Desktop Deployment Workbench (http://technet.microsoft.com/en-us/library/53fa01fb-6aae-4230ac26-4ed036a50908.aspx). But even though these tools are a vast improvement over their predecessors, they still rely on several command-line interfaces which make the process more complex by default. If at all possible, we highly recommend that you obtain and rely on a real commercial systems management product. Once again, Chapter 4 listed several of these—Altiris, LANDesk, Microsoft, Special Operations Software, Symantec and more—and we do hope that by now, you’ve seen the true value these products offer and you have integrated the appropriate one into your project. After all, this migration is not a one-time event. Once you’re finished moving to Vista, you’ll need the right tool to manage ongoing system changes. Batch files and command-line systems just don’t cut it in the long run. 241 Chapter 9 Move into the Integration Testing Level As detailed in Chapter 3, the Integration environment already offers several different system features (see Figure 9.5): • A directory server running services such as Active Directory • A database server running a version of SQL Server (ideally, version 2005) • A file server running the file services role • A deployment server • An inventory server Depending on your situation, your deployment and inventory servers may or may not be configured. If you already had a systems management product and you were satisfied with it, then these servers should be running the same version of these services that you have in your production network. If you did not have a systems management tool and you made the (right!) decision to obtain one, then these servers are just member servers awaiting the installation of the roles on them. Figure 9.67. The Content of the Integration Testing Level 242 Chapter 9 Note that this testing level includes separate servers for database, deployment and inventory. Depending on the size of your organization and the type of systems management tool you purchased, you may only need a single server for each of these roles. Many organizations that deploy Microsoft’s System Center Configuration Manager (formerly Systems Management Server) often do it on a single server even if they have larger organizations because it is the easiest way to deploy and manage this complex product. What is most important here is that this environment must have divided roles as much as possible. Each of the previous environments—Unit and Functional—have all of the server roles integrated into a single server. Many, many people make the mistake of developing a solution that runs fine when a single server runs all the roles, including the domain controller (DC), because they test everything with ‘god’ rights. It is admittedly hard to avoid when you are on a DC. This is why it is so important to start separating roles as much as possible in the Integration level. When roles are separated, you have to use proper delegation of authority to run your tests and if they don’t work here, then you know they won’t work in production. This is the main goal of this testing level. The first place to start the integration process is with the servers. Chapter 5 outlined all of the different processes that were under the aegis of the server team. This is the team that will begin the integration process. To do so, they will need to perform the following activities: • Install/update the inventory tool • Install/update the profile sizing inventory tool • Install/update the OS deployment tool • Install/update the application deployment tool or install an application streaming tool • Prepare the application packaging or application streaming environment • Prepare the central repository for Vista Group Policy templates (ADMX files) • Prepare Vista Group Policy objects (GPO) • Prepare required shared folders and assign appropriate security rights to them • Prepare Distributed File System (DFS) namespaces and replication systems • Prepare the central Key Management Server to manage Vista licenses Because they have had the opportunity to work on this in two previous testing environments, the server team should have documented processes and perhaps even automated processes for these implementations. As you have seen in previous chapters, some of these operations are relatively straightforward while others are more complex. For example, if you already have a systems management tool in place, you’ll need to simply update it. This means that it should be installed and configured according to your existing standards and strategy and then, it should be updated to include Vista support. This update procedure is what needs to be fully documented so that it works without a hitch. If you don’t have an existing systems management tool, then you’ll need to have a full-fledged architecture designed for the implementation of the new tool. This architecture and the procedures that support it is what you’ll want to test at this stage. 243 Chapter 9 When the server components have been updated, then the other team members can begin their own integration. As mentioned earlier, the Integration environment will already include several components that will allow these PC-focused team members to work with their own solution components. These activities will include the following: • Implementation of the personality protection system • Implementation of the OS imaging system • Packaging or sequencing of the applications that were retained after the rationalization process • Implementation of the application deployment or streaming mechanism • Implementation of the Vista security policy as was designed by the security-focused team Once each of these systems is in place, you move to an end-to-end test of the PC Migration Cycle. Here all team members learn to ‘play nice’ with each other as each part of the process is tested. You’ll need to test each of the migration scenarios you’ve elected to support: upgrade, refresh and/or replace. The Integration environment should include the appropriate machine types—Windows XP and bare metal systems—to let you test whichever scenario you selected. The purpose of these tests is to make sure everything works as expected and to refine any procedural documentation you need to rely on. Maintain the Deviance Registry It is also be very important to manage the deviance registry at this level. This is where you begin to map the logical solution design to the actual physical design as it is implemented. For example, you will want to compare the logical description of the PASS System Kernel against the actual contents of an installed Vista system. You can also compare the personality protection policy against the actual results of a personality capture and restoration. You can compare the structure of the Generalized Application Layer (GAL) against the actual results installed on a system once it is deployed. Each time you find a change or a result that is not as expected—a deviance, in fact—you need to run it through the paces. How important is it? Is it a show-stopper or is it nice to have? Who defines these categories and do they have the proper authority to do so? In the end, you’ll end up compromising—every project does—as project resources, costs, scope and quality begin to affect the delivery timeline. Managing the deviance registry is one of the toughest jobs in the project. That’s because it is this registry that will help define the final solution you will be putting in place. This is why it is so important to try to test out as many potential situations as possible while you’re in the Integration environment. Try to simulate every possible situation you will be facing in the actual deployment. Record the results, provide corrections, and then, when you’ve signed off on all of these tests, you can move on to the Staging test level. 244 Chapter 9 Move to the Staging Testing Level As mentioned earlier, the purpose of the Staging level is to simulate production as much as possible. This is why it contains more than the Integration level (see Figure 9.6). In fact, it includes everything you can find in Integration plus the following items: • Multiple domain controllers • Multiple file servers • Multiple management servers • A simulated remote site to simulate WAN deployments In addition, this level includes the possibility of a test that cannot be done in other levels: the proof of concept (POC). This proof of concept is a live test that is performed against the systems in use by the project team. Their systems are upgraded through the use of the new deployment mechanisms integrated into the Staging testing level. This lets you perform an end-to-end test that will ensure the technical solution actually works as expected in a live setting. 245 Chapter 9 Figure 9.68. The Content of the Staging Testing Level But before you perform the POC test, you need to test anything that you could not test in the Integration level. Focus on those features that are included in the Staging level, but are not in the Integration level. This involves Group Policy replication between multiple DCs, migration repository replication between sites, capture of personality data in remote sites and then replication to the main site for backup purposes, and simply testing WAN load for the migration. This should help flesh out your solution to meet real-world needs. 246 Chapter 9 Make sure all servers are running Windows Server 2003 R2 so you can take advantage of its new and updated DFS features. For some of you, this may mean that you need to perform server upgrades as well in your production infrastructure. Review the Migration Workflow When you feel you’re ready, you can move on to the POC. To perform this test, you’ll need to run through the migration workflow (see Figure 9.7). This workflow is the process you use to perform any single migration. Of course, it relies very heavily on the PC Migration Cycle, but because it involves migrating a real computer that is in use, it also involves other activities. Each is covered in the workflow. As you can see, this workflow begins well before the actual migration. It includes the following activities: Everything begins with a communication to the user to inform them of the upcoming change. The details of this communication will be discussed in Chapter 10 as we discuss the administrative aspects of the deployment. 111. The technical aspects of the migration begin with a detailed inventory of the PC to be migrated. This includes an inventory of existing profiles. 112. Next, you apply rationalization principles to what is found on the original system. Rationalize applications, hardware and profiles. This may require a visit to the user to validate the rationalization results. 113. 114. Produce the final system datasheet for this PC. Hand off this datasheet to the release manager who will assign the task to the deployment team. 115. The deployment team will determine if any hardware modifications are required—upgrades or even a PC replacement. 116. 117. Map out the applications required for this user post-OS install. Perform the personality capture. Validate the data. Optionally perform a full PC backup. 118. 119. Perform any required hardware modifications. Deploy the OS to the system. This can involve a disk wipe, possible repartitioning to take advantage of features such as BitLocker and then an OS installation of the thin kernel. 120. 121. Stream the Generalized Application Layer to the system. 122. Stream any role-based or ad hoc applications. 123. Restore the personality to the system. 124. Validate the deployment and produce the PC migration report. 125. Inform the migration support team that this PC is now migrated. As you can see, there are several steps to a single PC migration. 247 Chapter 9 Figure 9.69. The Migration Workflow 248 Chapter 9 Perform the Proof of Concept Project Team Migration You should now be ready to perform your POC with the project team. This requires a few prerequisites: • Since you will be using the Staging environment as your source for the migration, the PCs used by your project team should be joined to the Staging domain to fully support the migration. Be sure to be extremely careful with their profiles when you do this. You might consider using your profile protection system to make sure users continue to have access to all their data. • While the Staging environment does simulate production as much as possible it may be missing some services. For example, you may not have an Exchange server in Staging, therefore, you will need to have users connect to the production Exchange server. This can easily be done through the use of RPC over HTTP. You might also not have all of the file shares users are used to working with. Show them how to remap these shares and make them persistent with their production domain accounts. • If users are working with Windows SharePoint Services (WSS) between the Staging and the production domains, show them how they can avoid logon prompts by placing these Web sites into the Intranet Zone of Internet Explorer. The goal is to make the experience as normal as possible for all project team members while performing a full end-to-end technical test. This means you might omit some applications on purpose for some systems so you can test your migration support strategy. This support strategy should include the ability to fast track application deployments to users when they are found missing among other items. Don’t do this test until you have fully tested each other technical aspect in the Staging environment. Your solution should be as ready to go as possible before you get to this stage otherwise you will have to repeat it several times. You can imagine how annoying this would be for your team members. You also need to run this POC for some time. A minimum of two weeks is required and if you can make it longer, then you will find out much more. The project team will have advice about all sorts of things from the position of one icon to the structure of the file system on the desktop. Make sure you capture each comment—once again the Project Team Site in Windows SharePoint Services is probably the best location for this type of feedback. Use a triage system just like the one used for the deviance registry to identify what is important and what is not. Once again the goal is to perform a very tight quality assurance (QA) on each and every technical aspect of the project. Also, make sure the in-process reporting works as expected through the migration. And, of course, make sure the end result is as expected. Simulate as many problematic situations as possible. For example, begin the deployment and cut of the network connection in the middle of the operation to see how you can recover from this situation. If you’re ready for any situation, your deployment project will provide much better results. 249 Chapter 9 Obtain Acceptance from Peers The last thing to do before you can be deemed ready to exit from the Staging environment and move on to the final stages of your project is to obtain final acceptance from your peers. This involves the following groups: • Architectural team: the internal architectural team needs to approve all changes to both server and workstation architecture. • Support team: the support team needs to approve and accept the new support methods proposed by the project for the new OS. Of course, the project will be responsible for immediate migration support for the duration of the project warranty period (usually 20 working days), but after that, the systems pass on to normal support operations. • Subject matter experts (SME) and software owners: each application package, custom or commercial must be accepted by the designated SMEs in your organization. Remember that the project team cannot take on this responsibility since it cannot possibly include experts on every product in use in your organization. • Operations team: the operations team needs to approve the change in operations and the new operational strategies designed by the project before the project can move full steam ahead with the migration. This is probably the most important technical approval level required by the project because it is the operations team who will live with these changes once the project is complete. Because of this, more on this subject is covered at the end of this chapter. • Internal developers: this team needs to approve the changes to their applications and their programming strategies. Make sure they are involved early on in the project. • End user developers: these developers work with applications such as Word macros, automated Excel spreadsheets, and Access databases. If you did the smart thing, you will have made sure they use proper client server programming practices to ensure you do not need to deploy a full version of Access to every end user, saving the organization both time and money. • Management: upper management must approve the results of the project since they are funding all of the efforts. • Project management sign off: the project management team must also sign off on the final results of your technical solution. Since they will have used the system for some time through the POC, they will be in the ideal situation to determine if the solution is mature enough for sign off. If you don’t get each of these sign offs, then you must return to the drawing board and revisit your strategies until you get them right. 250 Chapter 9 Validate your Operational Strategies One of the most important technical aspects of this project is the operations hand off—the hand off of the operational strategies that will be in use once the migration is complete. The operations team will be responsible for the ongoing management of all of the tools you put in place and use during the migration project. Your goal is to make sure the duties they will take on are easier and simpler to perform than what they are doing now. Depending on the type of migration project you decide to run—for example, forklift versus attrition migrations—your project will either run for a very short period of time and then move into ongoing operations or, it will last a very long time because it is waiting upon your normal PC replacement cycle to complete. We would argue that both types of projects should run for the same duration. In the traditional approach, forklift migrations perform a massive replacement of the operating system on all of the PCs in the network in one fell swoop. While the project takes about nine months to complete overall, the actual massive migration should only take about three months (see Figure 9.8). Then, once all of the systems are modified, you hand off to operations and the organization goes about its business as usual. 251 Chapter 9 Figure 9.70. The Traditional versus an Attrition Migration Approach In an approach based on attrition, the migration project will last as long as it takes to replace every PC in the network. For some, this may take three years while others may take four or even five years to complete the process. Each time a new batch of PCs comes in, the project picks it up and migrates them. But, there is a lot of opportunity for change during this process. For example, there will be a considerable number of updates and service packs to Windows Vista during a three to five year period. But most importantly, no single organization can run a project—any project—for three to five years and actually have it succeed. Well, let’s say that very few organizations can hope to succeed at this level. 252 Chapter 9 We would suggest that instead of running the project for this period of time, you should use the same timeframe as the forklift project and migrate only the first batch of PCs through the project. What needs to change is the nature of the project deliverables. This is where the operations hand off comes in. This hand off is important for both approaches, but it is much more important for the attrition approach because of its very nature. The operations hand off for either project must include the following deliverables: • Kernel Image Management Strategy • Application Management Strategy • Personality Protection Strategy • Vista Security Management Strategy In addition, both types of projects should include the following deliverables, but these are most important for the attrition project: • New PC Integration Strategy • PC Migration Strategy To make the most of your current migration project, you should aim to transfer its overall operation into production at its end. Since it is unreasonable to expect that a migration project could possibly run for a number of years, you should make sure that you transition all migration processes into production. This way, the idea of an OS migration becomes part and parcel of normal, ongoing operations. When a new batch of PCs comes in the year following the closure of this project, the operations team is ready and knows how to transition these PCs with the new OS into production. Because you have provided a structured process for PC migration, the operations team does not need to do anything out ordinary and can proceed with business as usual. This is the best and easiest way to ensure success for such a long term project. Let’s look at some of these strategies. Kernel Image Management Strategy One of the outcomes of your project is the use of a system stack such as the PASS System Kernel. As you know, this kernel includes several different layers that are designed to provide service levels to end users. Because they include several different components and because of the nature of operating systems, Windows and others, you know that you will need to put a kernel update management system in place once the deployment is complete. Therefore, one of the technical deliverables you should expect is a Kernel Image Management Strategy. 253 Chapter 9 This strategy must include how and when you update the kernel. As time goes by, you will be relying on the kernel to install and update systems on an ongoing basis. Of course, you don’t want to find yourself in a situation where you need to deploy the kernel, then spend inordinate amounts of time waiting for it to update once installed. Conversely, you don’t want to have to find yourself in a position where you are constantly returning to the reference computer, opening it up, updating it and then running it through Sysprep to depersonalize it again. This means you need to find a happy medium between updating the kernel remotely and updating the actual kernel image. The best way to do this is to implement a formal update strategy. This strategy should be based on a formal change request process. This change request process would rely on the rationalization guidelines that emerge from this project to evaluate the validity of the request. If approved, the change would then be delivered in the next kernel update (see Figure 9.9). Figure 9.71. The Kernel Update Process 254 Chapter 9 Given the rate of change in the software industry and the number of different software components that often reside in the kernel, it is essential to manage this process on a three-month basis at the very most. Waiting longer for update collection creates packages that are too unruly. Updating the kernel more frequently can become too expensive. In the meantime, the deployed copies of the kernel are updated through a centralized update management tool. Each time the kernel is updated, its version number changes. Four updates per year have proven to be the optimum rate of updates for the kernel in every organization using this process to date. Two weeks before release, a freeze is applied to change requests in order to allow for the preparation of the update. Because Vista supports a single worldwide image, this process should be relatively simple to perform. In fact, you’ll have at least two images if you include one for the x64 platform. It should therefore be much simpler than what you do today. In addition, if you maintain the reference computer inside a virtual machine, you will be able to greatly reduce the effort required to maintain the kernel since you won’t have to rebuild the reference computer each time you need it. Application Management Strategy In addition to kernel updates, your new certification center is responsible for each application update validation and preparation. This means applying the same processes used with the kernel to every managed software product. Figure 9.72. The Traditional Application Preparation Process 255 Chapter 9 If you are using traditional application installations, then you will need to perform conflict management—managing the potential conflicts caused by dynamic link libraries (DLL) included in the software product that may overwrite or otherwise damage existing system or application DLLs. To do so, you need to run each product through a testing phase similar to that of the kernel (see Figure 9.10) and you need to prepare and maintain an inventory of every single component that can exist on a PC. This is a very heavy management process; one more reason why having software owners is important because they at least take on the burden of software vigilance by watching for potential upgrades and new versions. But, if you move to software virtualization, you’ll still have to package and prepare applications and have them approved by the SMEs, but at least you won’t have to worry about two aspects that are part of the traditional process: • DLL management because the DLLs are all managed by the virtualization agent. • Application deployment because when applications are streamed, they are only cached locally; change the central source of the stream and it will automatically be restreamed to all clients. These are compelling reasons for this move. Another reason which we feel we don’t tout often enough is the fact that all of your system kernels are going to be pristine at all times (see Figure 9.11) because the local application cache holds all of the deltas beyond the thin kernel. And, because it is a cache, it can be flushed at any time, returning your system to its pristine state, This has to be worth its weight in gold to you and your operations staff. Figure 9.73. Working with Application Virtualization, Streaming and Pristine Kernels 256 Chapter 9 Technical Outcomes of the Project A migration project, especially a PC migration project, is a transformation project that lets you clean house and close the door to unwanted content. That’s what the rationalization process is all about: get the dust out of the corners and make sure it doesn’t come back. If this is not what you will get at the end of this project, then you wasted an excellent opportunity to take complete control of your PC environment. We believe you should, at the very least, expect the following technical results from this project: • Managed systems: you should be deploying a complete infrastructure and strategy for long-term management of your PCs. • Thin system kernels: the only software that actually installs on your PCs should be the operating system and anything that does not support application virtualization such as antivirus and low-level utilities. These systems will be pristine at all times and should be very easy to reset back to the standard should any issues arise. • Application virtualization and streaming: you should be virtualizing everything from the GAL to ad hoc applications, anything you can in fact. This will avoid all potential conflicts, ensure any application will work at the same time as any other, facilitate software updates, facilitate software license management and prepare you for the longterm future of Windows PC evolution. • Locked-down systems: your PCs should now be completely locked down. After all, if you put in the effort it requires to move to an application virtualization and thin kernel strategy, and then let users have administrative rights on their PCs, you will definitely not be able to take advantage of a pristine kernel at all times. • PC migration strategy: you should have a defined PC migration strategy that not only supports actual migrations but also any PC replacement that occurs during normal operations. • Personality protection: you should have a complete personality protection system that saves end user data and lets you back it up at any time. After all, with all of the new compliance regulations affecting almost any type of organization, it is a really good idea to have a central copy of all user data at all times. This way, you have access to any data whenever you need it. • Constant inventories: you should have learned your lesson this time and made sure you have a constant and complete inventory system in place. Isn’t it time you covered all your assets? • Secure infrastructure: with Windows Vista’s new security features, you should have a much more secure PC infrastructure once all systems are migrated. • Greener PCs: using the new power-savvy Group Policy settings in Vista, you should be able to save considerably on power consumption for each PC in your network. • Reduced support costs: because your systems are locked down and are now managed, support calls for PC issues should be greatly reduced. One of our customers who moved to locked-down PCs in 1998 reduced their PC-related help desk calls by more than 800 percent! You might not have this dramatic a drop, but you should definitely have to deal with less than ever before. 257 Chapter 9 • Lower overall Total Cost of Ownership (TCO): putting a new managed PC infrastructure in place based on Vista and application virtualization should provide considerable savings in terms overall costs for the operation of PCs, savings like you have never seen before. • A smart PC management strategy: PCs have been a thorn in the side of IT professionals for years. Now, with the strategy outlined here, you can finally gain control of this aspect of your network once and for all. Be smart, get it right this time! These aren’t the only benefits you will derive from this project. One will be a complete change management strategy if you continue to use the QUOTE System for your other IT projects. Others will be derived from the other, administrative processes that are tied to the deployment. These will be covered in the last chapter of this guide. Whatever you do, at this stage you need to make sure your technical expectations—those that were outlined so long ago in your original business case—are fully met and, if possible, exceeded. Then and only then will you feel you’ve made the proper investment and moved to the very best of platforms. 258 Chapter 10 Chapter 10: Finalizing the Project The project is almost complete. Two phases of the QUOTE System are left. The Transfer phase will focus on the manufacturing activities of the project, running through the pilot project, and then migrating all systems to Vista. The Evaluate phase will focus on project closure, running through the hand off to internal support teams, performing the project post-mortem, and preparing for system evolution. In order to complete these phases, you need to run through a series of activities which include (see Figure 10.1): • Oversee administrative activities to ensure that each aspect of the process that will support the deployment is ready for prime time. • Run the pilot project which will include more than the proof of concept (POC) that was run at the end of the Organize phase. While the POC focused on the technical activities to ensure every engineering process was ready to roll, the pilot project’s goal will be to bring both administrative and technical processes together for a complete end to end test. Then, it will aim to report on each aspect of the deployment process to make sure all is ready. If changes are required, then, the project team needs to perform required modifications before they can proceed. • Once all is deemed ready, the massive deployment begins and the project enters a manufacturing mode where it runs through the repetitive processes required to migrate each system. If the organization has opted to use a forklift migration—migrating each system in one fell swoop—then, this process runs until all systems are deployed. If the project has opted to use attrition—migrating systems through their hardware refresh program—then, the deployment will only affect those systems that are upgraded this year. It will also need to prepare for migration recurrence: re-running the migration processes each year until all systems are running Vista. • Once the mass production is complete, a hand-off to internal support teams must be performed before project mechanisms are integrated into every day operations. Project mechanisms should not be completely dismantled because the migration of systems is an everyday task that must be integrated into normal operations. • A project post-mortem must be completed to ensure that project wins are captured and project failures are trapped. This helps ensure that projects of this type keep improving as the organization runs them. The very final phase of this project is the preparation for system evolution. Each migration project can only take on a certain amount of work, aiming to get the best quality based on available resources. But, once all systems are migrated, the organization can begin to invest more fully into the benefits inherent in the new OS and add functionality to its deployment as operations teams begin to master the elements that make up the overall solution. 259 Chapter 10 Figure 10.74. Running Final Project Phases Closing the Organize Phase At the end of the Organize phase of the project, the engineering team has been working feverishly to close off all of the technical aspects of the solution. Meanwhile, the administrative team has also been at work. Their goals were to finalize several other aspects of the process the project will use to actually perform the deployment. End user representatives have been working directly with the end users themselves to validate inventories and prepare final user and PC datasheets—datasheets that will handed off to the release manager and used by the deployment team to build new PCs. Training coordinators have been working with operational teams to make sure they have the appropriate technical training in time for the deployment. Trainers have been working to finalize the end user training programs, be they either simple presentations of new features or complete programs covering each and every new feature. Support teams have been assisting users to convert their documents and applications for operation with the new PC environment. They have also been working to finalize the support program that will be put in place to back the deployment and ensure everything works as expected as far as the end users are concerned. Document the official support program for the deployment. This will make it easier for everyone involved as everyone will know exactly what they can expect from it. 260 Chapter 10 Communications teams have been working at continuing the promotion of the new PC environment to create a feeling of good will towards the project. They have also worked at preparing the communications that will be used to inform users during the deployment itself. These communications will be critical since users must know when and how they will be affected as well as how they can expect to continue business as usual during the deployment process. The fear of change is probably the biggest obstacle the project will face. In the ideal project, everyone will be ready for the coming of new technologies, but, as you know, there is no such project. Everyone—IT personnel, end users, managers, support teams—fears change to some degree. While some hide it well, others do not and, in extreme cases, will do everything in their power to stop or even block the coming change. This is why the good will communications program is so important. Given this, it is hard to understand why it is so often forgotten or even worse, cut from the project. If you want to make this project a success, you will invest in an appropriate change management program—a program that will foster desire for change through the identification of solutions to ongoing issues your organization faces at all levels because of the system you are currently using. When change has been properly positioned, people will still fear it, but will be more comfortable with it because they will at least understand how it will affect them. The project management team has been working at finalizing the actual deployment strategy and preparing the actual deployment plan—the detailed plan that identifies each user to be migrated and how many users are to be affected each day. In addition, they have had to prepare mitigation strategies—strategies that identify what will be done in the event that prospective users are not available the day they are to be migrated. This strategy is critical to the success of the project otherwise the project will not be able to meet its production goals of deploying a given number of users per day. Finally, the project team has launched the final acquisition program required to obtain the systems that will be used to seed the deployment. Acquisitions are an essential component of the deployment of a new operating system. If you are relying on attrition to migrate to Vista, then you will need to acquire new systems to begin the deployment in your organization. If you decided to perform a forklift migration, then you also need to use acquisitions to create a seed pool of systems that will be used to support the deployment. In either case, you will want to identify who will be migrated and how you will allocate these new computer systems. In attrition deployments, you will already have an identification program since you will already know who will receive the new systems. In forklift deployments, you will use the new acquisitions to start a rotation program, cascading newer, more powerful systems throughout the organization and eventually replacing PCs for each and every user. If you use a cascading rotation program, make sure you clean each PC case, keyboard, mouse and screen as they run through the migration process. This will give each user in the organization the impression of acquiring a new, more powerful PC than the one they had before. Cleaning programs of this type buy enormous amounts of good will and greatly assist with the success of the project. 261 Chapter 10 Running the Transfer Phase The Transfer phase is the phase that runs the mass-production deployment operations (see Figure 10.2). By now, everything should be in place to run the actual deployment. Your staging areas should be complete, the technical solution is fine-tuned, your support mechanisms are in place and your administrative processes are ready. You’ll begin with the pilot project and then when you’ve collected information, analyzed the results of this full end-to-end test, and made appropriate modifications, you’ll be ready to perform the actual deployment. Figure 10.75. The Activities of the Transfer Phase Run the Pilot Project The actual deployment begins with the Pilot Project which is a complete simulation of every step of the deployment. Everything, that is everything, must be tested. You’ll need to preselect pilot project users, run the pilot, and thoroughly analyze the full operation of the process. One goal of this project is to do everything right so that you do not need to redeploy the pilot population when it is time to perform the actual deployment. The only way to achieve this is to be as ready as possible. If too many things go wrong, you’ll have to return to the drawing board and then, when you’re ready for the actual deployment, begin with the pilot population. Begin by selecting the users for the pilot project. 262 Chapter 10 Identify Pilot Users Pilot users should be actual users as well as your own project team. The pilot population should represent about 10 percent of the population of your organization. Include both central and regional users if you have them. Include users from as many different levels in the organization as possible. Include users that require only the OS kernel to operate as well as users requiring role-based application groups. Include novice as well as experienced users. Consider choosing users who will not be available during the deployment as well. This is one situation that must be planned for as it occurs quite often during the actual deployment. This will let you test the administrative process you put in place to replace users on the fly when they make themselves scarce the day of the deployment. Basically, the pilot population should represent as many aspects of the actual deployment as possible so that you won’t be caught unawares when you’re doing this for real. One aspect which may be different is the actual number of deployments you will begin with. Many organizations decide to start small and build up to a production schedule. For example, if your goal is to deploy 100 PCs per day, your pilot project could start with 10 per day for the first couple of days, move up to 20 when you feel ready and gradually bring up the production to expected levels. Many users will be happy to participate in the pilot project while others will be reluctant to do so. Users must be made aware that there is risk involved in participating in this aspect of the project. There are also many advantages, the least of which is the delivery of your new solution to pilot users before it hits the general population of your organization. If you’ve done your homework right, people will flock to this aspect of the project just to obtain the pre-delivery of your new OS. If this is the case, you might have to be very selective when choosing users. Make sure you select the right mix of users. Build a Deployment Schedule One of the key aspects of the deployment and one which will prove to be a major contributing factor to its success is the deployment schedule. This schedule lists each system to be deployed, its configuration, the target user, the actual location of the system, hardware upgrades if required and any other detail that will make the deployment a success. Several techniques are used for deployment schedules. Some organizations rely on a building by building, floor by floor approach, deploying to users based on their geographical location. Others rely on departmental groupings, deploying to each user within a specific department. Often a combination of both is the best approach. Ideally, users to be deployed will be regrouped physically in the same area. In addition, if they all belong to the same department, then the deployment is that much easier because each system is very similar in configuration. Organizations will often keep the most complex and demanding users for the very end of the project because by that time, the deployment team is fully experienced and ready to handle even the most difficult situations. 263 Chapter 10 This schedule must be managed by a person with very strong coordination skills as their job is to make sure the project continues to meet its rate of production—so many PCs per day—even if the target users are not available the day of their scheduled migration. One good support tool for this situation is the preparation of a pool of ‘spare’ users that can be migrated at any time with little warning. When someone is not available for deployment, you just pull a name from the pool of spare users and therefore maintain your production rates. Initiate Communications to End Users Once the schedule and all other project aspects are ready, you can begin the pilot project. Remember, this is a full end-to-end test so it must be just as if you were doing an actual deployment. You can cut some corners, but try to keep them to a minimum. Just as your deployment project will begin with initial user communications, your pilot should begin with a communication to the target user. Rely on the deployment schedule to identify which users to communicate with. User communications should begin well ahead of the actual deployment date. In many cases, you give each user at least one month’s notice as they will be responsible for tasks on their own before they are ready to be deployed. Then you can remind them each week as the deployment approaches. While users will have their own responsibilities during the project, you can expect that a good number of them will not perform them beforehand. Make sure you are ready for this eventuality in your project processes and infrastructure requirements. This will let you give them the opportunity to clean their files before you migrate their system. Depending on the strategy you used to protect their files, you may or may not offer them a backup system for files that will not officially be recovered. This way users can back up personal files on their system and restore them on their own once the system is migrated. A typical user communication would include a description of the deployment process in laymen terms as well as a description of the activities the users will be responsible for (see Figure 10.3). The description of user activities should be as detailed as possible to make it as easy as possible for users to protect their data. 264 Chapter 10 There are several different types of training programs available for end users. One of the most efficient programs is one that consists of a presentation that focuses on the changed features of the OS. It should provide demonstrations of each new feature and should include a course book users can take away with them. If you marry this program with the actual deployment, this frees the user’s PC for deployment operations. While the user is in training, you can perform deployment activities on the PC with no interference from the user and no disruption to their work. Many organizations are moving to online training. This has extensive value and Microsoft has made the Enterprise Learning Framework (ELF) available with this purpose in mind. More information on the ELF can be found at http://technet.microsoft.com/en-us/library/bb456408.aspx. In fact, you should strive to rely on online resources as much as possible. Many of these are already available for your project through the Windows SharePoint Services Team Site the project has been relying on. Using target audiences, you can easily create a version of this site that provides public information on the project. But consider this. The actual training program you will use for the deployment will depend on your deployment strategy. If you choose to deploy during the daytime when users are away from their desk, then you should use a live presentation that is provided in a conference room of some sort. This has several advantages. You have full access to the user’s PC while they are away; the user is regrouped with peers they can rely on to assist in the learning process; and the user begins their move to Vista as soon as they enter the training room since they will have Vista on their PC when they return to their desk. If you choose to deploy at night without classroom training, then you should include logon instructions for Vista in the user communiqué and then a link to the online training that pops up once the first session is open by the user. This approach is more demanding of users, but can also provide good results. At the very least, you should have an online resource center for users moving to Vista and you should make sure users are fully aware of it. You should also include printable tip sheets that will help users make the move to Vista. 265 Chapter 10 Figure 10.76. A Typical Pre-deployment User Communiqué On site assistance is also a very good way to make the deployment smoother. By providing assistants that ‘walk the floor’ of deployed areas to provide direct assistance to users, you can buy enormous good will and make the transition to Vista even easier. Perform the Deployment When D-Day comes, the deployment team will migrate the PC. This involves running the engineering tasks—user data protection, OS installation, application deployment, user data restore, and so on—on the user’s PC. Once again, the actual tasks will depend on the migration strategy you selected. For example, if you decided to perform a forklift migration and are replacing each PC through a general cascade of more powerful systems to each user, then you will be using a staging area for the preparation of the PCs. This means moving each PC from its present location to the staging area and back. In regions, this will mean having a mobile staging area that can go from site to site. If you are doing an attrition migration, then you will migrate only those PCs that are upgraded this year. Your pilot project will need to take this into account. If you are using a forklift migration, then you will rely on a pool of systems to start the process. When you deliver this initial pool, it will liberate more systems and rebuild the pool. This means you can build systems beforehand in a staging area and when it comes time to deliver them, your team only needs to replace the systems at user’s desks, making it quick and efficient. 266 Chapter 10 Ideally, whether you will be migrating all PCs or only a portion of them, you will be using remote deployment strategies to simplify the migration. Test each aspect of this process during your pilot project. Make sure you get full reports on the progression of the migration. These reports of migrations in progress, completed migrations, systems still to go and so on will be essential for the proper coordination of the project when the full deployment is in operation. You’ll also need to test your support strategy to make sure your support team is ready for anything and can respond to emergency situations with a minimum of disruption to end user operations. Don’t forget the regular team meetings. These are essential because they provide direct feedback on the actual performance of the project and they offer opportunities for pep talks and mutual feedback. Collect Pilot Data Pilot users are lucky because they get an early release of the new system, but there is a payment involved. Each pilot user must fill out an evaluation of their pilot experience. But they’re not the only ones. Every other person that is involved in the pilot, from technicians to trainers to communicators, must fill out the pilot evaluation as well. You must evaluate each and every aspect of the project including: • Initial user communications • Deployment schedule • Project management • Technical installation and deployment • Personality protection • End user training • Technical training • Support process • Overall solution design • Desktop presentation and look & feel • Risk management strategy And anything else that makes up this end-to-end test. The more information you collect, the more feedback you will get. Since the pilot is a complete test of all processes both administrative and technical for the deployment, it is important to obtain information about each step of the process and from each one of the people involved in the delivery and operation of the solution. Basically, you need to poll every aspect of the pilot project. Once again, the project’s team site is by far the best location to both collect and process this data. 267 Chapter 10 Perform the Pilot Evaluation The project must first have taken the evaluation period into account—this is usually a period of two weeks—so that there is ample time to collect and evaluate the feedback provided by both the project team and the end users of the solution. In addition, pilot users should be given another two weeks to test and use their new systems. Much of this feedback has already been collected throughout the proof of concept, but since most of the people providing feedback during this process were technically-savvy personnel, it often tends to be more technical in nature. It is often possible for these highly trained teams to overlook some things that seem totally obvious to a normal end user. Therefore, this is the type of information the project team should concentrate on during the evaluation of the pilot. It does sometimes happen that some technical component goes wrong at this stage. This is often due to improper testing techniques and/or improper simulation of the production environment. Hopefully, this will not happen to you and your project, but if it does, the buffer time zone you created in the project plan to perform the evaluation may need to be extended, depending of course, on the complexity of the issue you need to deal with. If modifications are extensive enough, you may have to redo the pilot. This is usually performed at the very beginning of the deployment and requires input into the deployment schedule. Most likely, you will be able to create a system update or patch that can be deployed with little impact to each pilot system. If any issues are found, they must be dealt with thoroughly. This means performing any required corrections. They may range from simply rewriting the end user communications to rethinking the actual deployment process. Most likely the modifications will be minor. You should still take the time to make each one to ensure you have a product of the highest quality. Then, when all modifications are completed, you need to get a sign off from upper management or project sponsors on the overall solution. Once this sign off is obtained, you can hand off the complete process to the deployment team and give the go ahead for the production deployment to begin. The impact of using an attrition program is that your operations staff will need to support multiple PC OSes during a long period of time. This is expensive and cumbersome. There is no better way to provide top quality support than when you have a completely homogeneous PC environment. Make sure you consider this additional cost in your budget evaluations and in your long-term project strategy. Performing the Final Deployment Once you’ve completed the pilot project to everyone’s satisfaction, you can move on to the meat of the project, the actual deployment. Everything you’ve done up to now has been leading to this point. Now, you’ll focus on deployment coordination. This is perhaps the trickiest part of this operation: making sure that the deployment meets its performance goals and ensuring that every deployment experience is a good deployment experience. This is where deployment reporting will be crucial to the operation. Proper reports need to provide detailed information on the status of each installation, the number of installations per day, the number of remaining installations and the installation progression. These will prove to be invaluable planning and management tools as you progress through the deployment (see Figure 10.4). 268 Chapter 10 Commercial tools such as Altiris Deployment Solution can provide comprehensive information at any time in your deployment. For example, Figure 10.4 displays a combination of both preand post-Vista migration reports through custom Web parts (not to be confused with SharePoint Web parts) in a quick glance dashboard view. As you can see, it shows you the entire migration job from beginning to end in one single dashboard. The first Web part shows the mix of machine types in an environment, including the processor architectures (Win32 versus Win64). The next Web part on the lower left shows the count of computers by operating system. The next Web part in the upper right shows a pre-assessment report, including computers that need to be upgraded and the costs associated with the upgrade. The next shows the most popular software installed, again, from the pre-assessment report. The final part on the lower left shows the real-time data from Deployment Solution and which migration jobs have completed along with any failures. Reporting is closely tied to inventory and relies on the inventory solution you implemented or relied on to obtain your assessments before the migration program was launched. This solution should include canned reports that tell you how many computers are running the new OS, how many are still waiting for applications, the status of personality restores on each system, and the overall status of the deployment itself. Web-based reports are often the best because everyone who needs them has access to them without special tools and you can link them to the team site hosting your project’s information. Figure 10.77. Altiris Deployment Solution provides comprehensive reporting in real time 269 Chapter 10 As mentioned earlier, you should have a risk management strategy in place to ensure that you have sufficient numbers of users and PCs to deploy each day so you can meet production goals. After that, everything is nothing but a series of repetitive tasks that run over and over again until the deployment—whether forklift or attrition—is complete. In the meantime, you can complete the technical training program to operations staff, bringing them up to speed on both the actual solution you are deploying and the general features of Vista and Office 2007 if you’ve elected to deploy a new productivity suite along with the OS. This general training program should address each and every technical professional in your organization, making sure they are all up to speed on the solution. You can marry this training program with the deployment and train operators as they are migrated to the new OS. This way, they can apply their knowledge as soon as possible. Training operators too early can lead to poor retention of new skills. Make sure you use focused technical training programs. Most technical training programs cover every feature that is available in a product. But your solution does not. This means you need to have trainers review the contents of your solution and modify training programs to remove anything that you did not implement. This will reduce training times and make it much more practical for your staff. You’ll also want to include a hardware disposal program in the deployment. If you are replacing hardware through an attrition program, then you can rely on your normal disposal program. If you are cascading all systems and re-issuing them into production through a forklift migration, then you’ll only need a disposal program for those systems that are completely obsolete. Make sure you wipe the disks appropriately through either low level formats or actual wipe operations. It’s amazing what hackers can find on disks that have been wiped improperly. • Disk wiping programs abound and don’t require you to put a spike through the hard drive. Many provide completely secure disk wiping. Some are free and others are not. Just search for ‘disk wiping’ as the key words in your favorite online search engine to locate the program you need. But, if you want completely compliant wiping, then look to Symantec Ghost which supports secure system retirement that is compliant with the Department of Defense requirements or Altiris Deployment Solution which also includes similar capabilities. Finally, your deployment will take some time, perhaps months. Because of this, you need to have the proper infrastructure in place to allow you to manage updates and patches for deployed systems as well as updating the OS image itself. You’ll want to make sure that all systems are up to date at all times. These tools will also verify that your systems stay pristine as per your original goals. Since you’ve aimed for a complete system lock down according to industrystandard best practices, you’ll want to monitor each system to make sure it stays this way. The deployment portion of the Transfer phase will take longer than the deployment itself. That is because of the project’s support policy which needs to run its length after the final PC has been deployed. You can still move on to the next phase of the QUOTE System while this support program is running its length (see Figure 10.5). 270 Chapter 10 Figure 10.78. The Deployment Timeline Running the Evaluate Phase The Evaluate phase—the last phase of the project—is used to close off the project and pass each activity on to recurring operations (see Figure 10.6). In fact, it focuses on three key operations: • Handoff to ongoing operations staff • Project post-mortem analysis • Preparation for solution evolution Each requires special care to make sure the project is as complete a success as possible. 271 Chapter 10 Figure 10.79. The Activities of the Evaluate Phase Project Handoff to Operations When the project is closing down, it needs to hand off all of its internal processes to ongoing operations. This usually involves three key activities: • Final documentation delivery • A final transfer of knowledge to operations staff • Deactivation of project support mechanisms The first portion of the handoff to operations is the finalization and delivery of all project documentation. Technical documentation should be provided to operations staff while project documentation will be handed off to your organization’s project management office. Technical documentation should be customized to include the details of the solution you implemented. The delivery should also include an update program and schedule for each document. Each time a portion of the solution is modified or updated, the documentation should be updated as well. 272 Chapter 10 Technical documentation is often one of the most difficult deliverables to obtain. For some reason, technical staff members don’t like to write. But it doesn’t have to be complicated. Many technical resources on Vista exist already and are available from Microsoft at http://www.microsoft.com/windows/products/windowsvista/default.mspx. Since your documents are for internal publication only, you can use this information as a starting point and retain only those elements you included in your solution. In addition, you can use tables and spreadsheets to document the features you implemented. Several of the links provided throughout this book pointed to resources you can use as sources for your own documentation. Don’t make the mistake of providing too little documentation. And, worse, don’t wait until the end of the project to begin your documentation. It is best to identify an owner for each of the documents in this delivery. If owners are not identified, then documentation falls by the wayside and quickly becomes out of date. Then, you have a corresponding loss of connection to the state of your systems and structure of your network. Make sure you don’t fall into this trap: maintain your documents at all time. The second portion of this handoff is usually delivered in the form of a custom training program that relies on a presentation format and open discussion between operations staff and project staff. The presentation should focus on the deviance registry—the bug tracking system used by the project—to cover the most common situations faced by support teams during the preparation of the technical solution and those faced throughout its delivery to end users. It should also identify the solutions used to resolve these issues as well as the tools used during the project support program to ensure that the systems were up to date. This training should also provide a map to all of the documentation delivered by the project, identifying where each deliverable fits into the solution as well as when and how it should be applied. Depending on the type of technical training that was provided to operations staff, this handoff training program can take as little as one day per training group. If, however, operations staff did not receive a full complement of technical training covering every aspect of the solution, then your handoff program will need to be more complete and will require a longer time to deliver. The third portion of the handoff deals with the support mechanisms put in place for the deployment. Just like the mechanisms for actual deployment, the support mechanisms shouldn’t be dismantled at all. Instead, they should be merged into ongoing support mechanisms. Remember, new PC installations, PC re-installations and personality protections are ongoing operations that organizations must master at all times. Since you’ve gone through the trouble of putting all of these technologies together for the deployment, don’t make the mistake of getting rid of everything just because the deployment is complete. Operations staff will now be responsible for constant inventories, operating system and software deliveries and updates, as well as maintaining user data protection mechanisms. In addition, if you implemented a locked down environment as we recommended, then your staff will be responsible for monitoring the steady state of this lock down. Because of this, they will need to protect high privilege accounts and make sure they are secure at all times. If this is the first time they do this, they will need to be even more vigilant just to make sure your systems stay protected. This is a significant change for your staff. They can no longer ask for user passwords and must use proper security practices both in their own work and when they deal with end users. This will take some time before it becomes a habit. 273 Chapter 10 This is one very good reason for using your own internal staff for the project as much as possible. This way, they begin to get used to the new technologies as they work through project activities. This makes for a much better transfer of knowledge. Project Post-Mortem Once the deployment is complete, upper management will want to evaluate the completeness and effectiveness of the rollout. How many machines in total are up and running on the new OS? Or, perhaps more importantly, which machines have not yet been successfully transitioned and what is being done about them? In addition, you can rely on application metering tools to confirm an efficient use of all software licenses. Confirm that licenses have been allocated efficiently and take the time to calculate the percent improvement in ratios of what has been deployed versus what is in use for each application. This type of report will go a long way towards buying and maintaining good will with your management. You should also review each of the project structures you put in place and identify which worked well and which didn’t. This will let you identify which processes you can improve and where your strengths lie. It is also a very good idea to perform an actual costs versus projections analysis to see how you did overall in project budgeting. Finally, you should examine your projected timelines with actual deliverables to see how your projections fared. All of these are elements you need to review to make sure your projects constantly improve. Include each of these findings in your standard project start up guide. Don’t be a statistic. Make sure your projects are delivered on time and under budget. And in the end, you’ll be able to build a set of customized best practices—practices that can make all of your future projects profitable and timely. Rely on the QUOTE System for future projects. Now that you understand how the QUOTE System works, make it your change management strategy. It will help with IT projects of all types. Calculating Return on Investment (ROI) You might also consider the value of conducting a formal return on investment (ROI) study based on the project. What were your costs for rolling out an OS before this project? Which tools provided the best help to automate the process? How much did you save in terms of hard dollars and reduced deployment resources using these tools? How did application virtualization help? Are the issues you identified at the beginning of the project resolved? In a standard environment, IT staffs spend much of their time dealing with the deployment of new machines, operating systems and applications. If you remember Figure 1.10 from Chapter 1, you’ll remember that according to research firm Gartner, organizations implementing a wellmanaged PC platform can reduce costs by up to 40 percent. Did your savings match or even beat this projection? Creating an official ROI report is another way to generate positive visibility throughout your organization for the project you just completed. 274 Chapter 10 Future Systems Evolution The project is coming to a close as you finish the final phase of the QUOTE System. Now that Vista is deployed on all of your systems, you can begin the move towards systems evolution. You should first identify if you’ve met your systems management goals. Use the following strategies. • Review support calls: Identify if the number of calls has been reduced or if their nature has changed. The number of calls should be significantly smaller and calls should be focused on usage tips, not system problems. • Poll users: Are they satisfied with the level and quality of IT service? Were they satisfied with the deployment? • Review procedures: Are IT staff using standard operating procedures and has it reduced the number of incidents they need to deal with on an ongoing basis? • Manage change: Is your organization now ready to manage IT change on an ongoing basis? The implementation of a project of this magnitude isn’t an easy process, but with the principles and practical examples of this guide along with industry best practices, you will be able to put in place a complete continuous change management process for PCs within your organization. Change is an ongoing process. It is the very nature of IT and anything technical in nature, especially computer technology. Vista is only the beginning. Next, you’ll want to deploy Windows Server 2008 to take advantage of even more of Vista’s feature set. Many of the practices and strategies you used here will be reusable for that process. • For more guidance on migrating to Windows Server 2008 and taking advantage of its new operating system virtualization capabilities, look for Windows Server 2008: The Complete Reference by Ruest and Ruest from McGraw-Hill Osborne, ISBN-10: 0-07-226365-2, ISBN-13: 9780072263657 which should be available in bookstores by November 2007. But change is something that can be controlled as you’ve seen throughout this project (see Figure 10.7). There are a number of different drivers for change, but if you apply structured practices and risk management, you will be able to move from point A to point B without too many disruptions to your organization. That’s because now that you have a structured systems management strategy, you’ll always know where you are starting from. With your new inventory systems, you should have and should always maintain proper information on your current situation. Change management starts at the current situation, reviews new product features, identifies industry and manufacturer best practices, identifies modifications to existing standards and potential problems and uses these elements to perform the change in a structured manner. 275 Chapter 10 Figure 10.80. The Change Management Process Taking Baby Steps As you’ve seen, the QUOTE System is a cycle—a cycle that begins again once it is complete. The goal of your project has been to implement a single standard operating environment. Now that it is in place, you can add functionality and capability, as you need it, and at the pace you need it (see Figure 10.8). Many organizations see the move to Windows Vista as a major undertaking. And such it is. But if you take it in stride and design your initial implementation project with more reasonable objectives, you can take smaller steps towards the migration. How do you do this? It’s simple. Windows Vista includes a host of new and improved features. You don’t need to put them all in place at once! Design your initial project with the objective of putting in place half or less of the new feature set. Then, once the new technology is in place, scale your network by introducing specific features through mini-projects. 276 Chapter 10 Figure 10.81. Taking Baby Steps towards a Migration The ancient Chinese philosopher, Sun Tzu, stated in The Art of War one of the world’s most famous proverbs: ‘Divide and conquer.’ This is exactly what you should do when implementing major technological change. Divide it into smaller pieces or ‘baby steps’. It will be much easier to conquer. Taking small steps is just what the QUOTE System is all about. In this guide, you use the QUOTE to perform your initial implementation of Windows Vista. Then, you use the Evaluate Phase to begin systems evolution. It is at this point that you begin to recover and re-use your migration investments by starting to add functionalities to the network environment. And since you now have a controlled IT environment, the changes you bring to your new network should no longer disrupt business operations. In fact, you begin a new QUOTE each time you start a mini-project to add new functionality. Lessons Learned During this project, you learned quite a bit of information about yourself and your organization. Here are a few final tips to assist your new evolutionary phase. Be sure you have clear objectives. And if you use teams that include both internal personnel and external consultants, be sure that these objectives are completely clear to both teams. Ensure that each team’s own objectives are identified and communicated to the other. 126. a. Be sure to make it clear to your internal team what ‘project mode’ means. Often, external project teams are in project mode while internal teams are still in recurrent management mode. Project mode means deadlines, deliverables, acceptance processes and accountability. You can’t put everything off until tomorrow when you are in project mode. b. Your internal team may be disturbed by the external team because they will not necessarily have the same objectives or work at the same pace. It may be a very good idea to ensure that internal teams have a small ‘project management’ course at the beginning of the project to ensure the smooth integration of both teams. This should be part of the Project Welcome Kit. 277 Chapter 10 If your internal teams have specific objectives that may not necessarily be covered by the project, make sure that these are identified at the very beginning of the project. If there can be any synchronicity between these specific objectives and the project’s own, map it right away. 127. Make sure you design and use Project Welcome Kits for each project you implement. These are seldom created yet they can provide so much help because, at the very least, they clearly identify everyone’s roles and responsibilities. 128. Make sure that your current situation analysis provides a summary report. The current situation is the starting point for any change. If you don’t have a complete summary of the situation, it will be very hard for external consultants to be able to grasp the complexity of your environment. The summary will also provide a clearer picture of your organization to internal team members. 129. Make sure you have regularly scheduled update meetings during your implementation project. Communications is the key to both change and risk management. These updates are crucial to the complete success of your project. Also, don’t forget communications to users. Good will generation is part of every change project. 130. When you design the operational mode of your project, document it and make sure everyone sticks to it. If deliverables have a set timeframe for acceptance, accept them within this set timeframe. If escalation procedures work in a specific manner, use them in this manner. Do not deviate from set practices unless it becomes critical to do so. 131. Make sure you have a very tight grasp on project activities. Slippage can put the project at risk. It’s up to your team to make sure this doesn’t happen and if it does, that you’re ready for it. 132. Select the right project manager and technical architect. These roles are probably the most critical in the entire project. 133. Learn to delegate! Too many projects use key internal personnel for every single critical activity. If you find yourself in this situation, learn to identify what is the most important to you and delegate other tasks. Many projects put themselves at risk by relying on the same persons for every critical activity. This is one good way to burn out and fail. 134. Once you have rationalized technologies within your network, make sure department managers stick to the rationalization processes. Make them understand the dollar value or extra expense associated with their acceptance of non-standard products. 135. If you use external consultants, make sure you team them up with internal personnel. Ask them the right questions and have them document their answers. Make sure you make the most from the knowledge transfer process. 136. 278 Chapter 10 Learn to recover and re-use your investment in your migration project by continuing to scale your IT environment once it is completed. 137. Once you’ve implemented systems management practices, don’t lose them! Systems management is an ongoing process. Ensure that you follow its growth and learn to adapt it to changing business needs and technological environments. 138. Don’t forget that the first time is always the hardest time. Practice lets you learn from your experiences. 139. One final recommendation: in your implementation, don’t try to adapt people to technology, adapt technology to people. That’s what it’s made for. 140. This project involved a lot of activities, but the results make up for them. Managed systems are about increased productivity, reduced support costs and constant evolution. They are about constantly being up to date in terms of the technology you use in your network. They are about using IT as a strategic business tool. But, to do so, you need to provide continuous learning environments for continued increases in people skills. You also need structured change management practices. Make the project team site evolve. It can easily become the source for a continuous learning center for Vista and other technologies. Evolution doesn’t stop with the end of the project. Make sure you continue to foster knowledge and advanced usage of the technologies you took so much time to implement. Relying on technology is about three factors—People, PCs and Processes—interacting in your own IT environment to the profit of your organization. Make the most of it now that you control your PC assets. Moving on to other QUOTEs We finish the QUOTE for Vista with a move to other feature implementations and, eventually, other migration projects. But now, they should be considerably easier to perform. You will determine the success of your own implementation. The value you place on IT will help determine the level of benefits you will draw from the systems you use. Technology is an asset that you control, not the other way around. This guide brings together the sum of our experience with migration projects. We’ve tried to make it as useful as possible, but there is always room for improvement. If you find that there are links missing or even if you have comments on its contents, don’t hesitate to communicate with us at [email protected] Good luck with your migration! 279
* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project
advertisement
© 2021