Remote Os Installation

Remote OS Installation In Windows 2000, Remote OS Installation is part of change and configuration management. Remote OS Installation simplifies the task of installing the Windows 2000 Professional operating system on PXE-based remote boot–enabled client computers throughout the organization. It allows computers to connect to a networked server during initial start-up, and then it allows the server to perform a local installation of Windows 2000 Professional. Remote Installation Services (RIS) is the technology that is used during initial start-up before the resident operating system loads. RIS supports clients without an initial operating system or failed computers that need to have the operating system restored. RIS allows computer hardware connected through a LAN to find a networked RIS server and request installation of a new copy of Windows 2000 Professional appropriately configured for the user and computer. Remote OS Installation cannot be used to upgrade an existing operating system. Remote OS Installation uses these key technologies to install Windows 2000 Professional on a computer:

• • • • • •

Active Directory Group Policy Dynamic Host Configuration Protocol (DHCP) Domain Name System (DNS) PXE-based remote boot technology Remote Installation Services

Using RIS servers to deploy and upgrade operating systems throughout a company reduces the costs incurred by either preinstalling the client computer or physically visiting each client to install the operating system. Automatically installing the operating system by using Remote OS Installation and Group Policy can reduce the IT staff support overhead in adding new computers to a network and reinstalling operating systems. You use a RIS server as a remote source, to install the network equivalent of a CD-based installation of either Windows 2000 Professional or a preconfigured Windows 2000 Professional desktop image. The following are descriptions of these two methods. CD-Equivalent Installation

This is similar to setting up a client computer that directly uses the

unattended installation options available on the Windows 2000 Professional operating system CD. The source files, however, reside across the network on available Windows 2000–based servers rather than on a local CD. Preconfigured Desktop Image Installation

This allows you to reproduce a working copy of a

corporate desktop configuration, including operating system configurations, desktop customizations, and locally installed software. After the reproduced image is configured, it is stored on Windows 2000 RIS servers. On request, the server downloads these images to new computers. The new computer does not need to have identical hardware to the computer on which the image was created. Windows 2000 Professional support for Plug and Play can adjust for hardware differences. It is important that your DHCP, DNS, and Active Directory servers are configured appropriately to work with Remote OS Installation. These services can be installed either on individual servers or the

same server, and these services must be active and available in order to use RIS. RIS uses these components in several ways to detect client computer requests for service. For more information about DHCP technology and its use, see "Determining Network Connectivity Strategies" in the Deployment Planning Guide and "Dynamic Host Configuration Protocol" in the Microsoft ® Windows ® 2000 Server Resource Kit TCP/IP Core Networking Guide . For more information about DNS technology, see "Introduction to DNS" in the TCP/IP Core Networking Guide . For more information about Remote OS Installation, see "Remote OS Installation" in this book.

Remote OS Installation Overview

Remote OS Installation and the IntelliMirrorSUP>™technologies are combined to form the change and configuration management features included in Microsoft® Windows® 2000 Server. Using Remote OS Installation you can customize and enable automated installation of Microsoft® Windows® 2000 Professional on new or replacement computers. You can experience better disaster recovery with easier operating system and application management by combining Remote OS Installation with the user data management, software installation and maintenance, and user settings management features that make up IntelliMirror. For more information about IntelliMirror, see "Introduction to Desktop Management" in this book. This chapter focuses on implementation of Remote OS Installation by using Remote Installation Services (RIS) technology for the installation of Windows 2000 Professional on remote boot–enabled clients. RIS supports clients without an operating system or failed computers that need to have the operating system restored. When using Remote OS Installation with the default settings, everything is deleted from the hard disk and a new operating system is installed. Previous user profile and configuration settings are also removed when installing the operating system. Note Remote OS Installation cannot be used to upgrade an existing operating system on computers currently running Microsoft® Windows® 95, Microsoft® Windows® 98, Microsoft® Windows NT® Workstation version 3.51, or Microsoft® Windows NT® Workstation version 4.0. If you want to maintain your existing user profiles, there are a few additional methods that Windows 2000 supports for installing and upgrading an operating system on clients. These include the following:

• • •

Performing disk duplication with the System Preparation (SysPrep.exe) tool Using Microsoft® Systems Management Server Using a bootable CD

These methods are not discussed in detail in this chapter. For more information about installing and upgrading an operating system by using these methods, see "Automating Server Installation and Upgrade," "Automating Client Installation and Upgrade," and "Using Systems Management Server to Deploy Windows 2000" in the Microsoft ® Windows ® 2000 Server Resource Kit Deployment Planning Guide . For more information about upgrading Windows 2000 on an existing Windows 2000 Professional client, see "Software Installation and Maintenance" in this book.

Remote OS Installation Requirements

Remote OS Installation requires other services and capabilities on both the server and client to run. Figure 24.1 shows the Remote OS Installation requirements.

Figure 24.1 Remote OS Installation Server and Client Requirements

Server Software Requirements

Remote OS Installation requires you to install these server technologies included with Windows 2000 Server. You can install these services on individual servers or all on one server: Remote Installation Services (RIS)

RIS is an optional component of Windows 2000 Server

that provides the services that allow you to install Windows 2000 Professional from a RIS server. Domain Name System (DNS)

RIS servers rely on DNS for locating Active Directory directory

services and for completing domain operations. You can use Windows 2000 DNS and receive the benefit of dynamic updates for your DNS server. However, using the Windows 2000 version of DNS is not required for RIS to function. The DNS server you use must support the SRV RR (RFC 2052) and needs to support the dynamic update protocol (RFC 2136). For more information about DNS, see "Introduction to DNS" and "Windows 2000 DNS" in the Microsoft ® Windows ® 2000 Server Resource Kit TCP/IP Core Networking Guide . Dynamic Host Configuration Protocol (DHCP) Server

RIS servers require a DHCP server to

be present and active on the network. Remote boot-enabled clients receive an IP address from the DHCP server prior to contacting a RIS server. You can install the version of DHCP that is included with Windows 2000 Server, or you can use an existing version of DHCP running on Microsoft® Windows NT® Server version 4.0. You can also use a third-party DHCP. For more information about DHCP, see "DHCP Options" and "DHCP Message Formats" in the TCP/IP Core Networking Guide .

Active Directory

RIS servers must be installed on a Windows 2000 Server that has access to

Active Directory. This can be a domain controller or a server that is a member of a domain with access to Active Directory. RIS uses Active Directory to locate existing clients and other RIS servers. You can administer RIS by using extension property pages that reside on specific computer objects within Active Directory. For more information about Active Directory, see "Active Directory Logical Structure" in this book. For more information about installing and configuring a RIS server, installing and configuring the DNS service, and installing the DHCP service, see Windows 2000 Server Help.

Hardware Requirements

Ensure that both your server and client hardware meet the minimum installation hardware requirements for Windows 2000. For more information about Remote OS Installation hardware requirements and compatible computers or network adapters, see the Hardware Compatibility List link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources . In addition, be sure that your server and client hardware meet the requirements in the following sections.

Server Hardware Requirements Windows 2000 Remote OS Installation requires the following server hardware:

• •

Pentium or Pentium II 200 megahertz (MHz) or faster processor (Pentium 166 MHz minimum).

• • •

2-gigabyte (GB) disk drive for the Remote Installation Services servers folder tree.

96 to 128 megabytes (MB) of random access memory (RAM) needed to run when services such as Active Directory, DHCP, and DNS are installed. 10 megabits per second (Mbps) network adapter (100 Mbps recommended). CD-ROM drive or access to a network share containing Windows 2000 Professional.

RIS requires a significant amount of disk space to store operating system images. Dedicate an entire hard disk drive partition specifically to the directory tree of the RIS server. Small computer system interface (SCSI)–based disk controllers or disks are preferred. Format the drive where you want to install RIS with NTFS. You cannot install RIS on the same drive as the system volume. RIS does not support the installation of images on to Encrypting File System (EFS) or the Distributed file system (Dfs) volumes.

Remote Installation Services

RIS provides software services that allow an administrator to set up new clients remotely, without having to visit each client. There are several administrative options that you can control to configure how the RIS server services clients. You can accept the default configuration settings and begin offering users operating system installation images. You can also customize the settings to define your automatic computer naming policy, to define the Active Directory container in which computer accounts are created, and to define the operating system images to which users have access.

RIS servers can be set to respond only to service requests from clients that have already had their computer account objects created in Active Directory for a forest, or have been prestaged in Active Directory. RIS technology allows the coexistence of RIS servers from multiple vendors on the same physical network. When set to ignore boot requests from unknown clients, RIS servers can be introduced into a network without interfering with pre-existing RIS servers that use the same remote boot protocols. Important The entire ROM sequence is not secure with packet type encryption, client, or server spoofing, or wire sniffer–based mechanisms. Use caution when using RIS on your corporate network. Ensure that you only allow authorized RIS servers on your network and that the number of administrators allowed to install or configure RIS servers is controlled.

RIS Components

The following are the various components that you use to install, configure, and implement RIS within your organization: Remote Installation Services Setup (RISetup.exe)

You can install RIS at the same time or

after you install Windows 2000 Server by using Add/Remove Programs in Control Panel . Remote Installation Preparation Wizard (RIPrep.exe)

RIPrep allows you to create a

customized image of a Windows 2000 Professional computer. Imaging Windows 2000 Professional means creating a replica of a hard disk that you can then install on other computers in your organization. You can use this wizard to prepare an existing Windows 2000 Professional installation image and to replicate that image to an available RIS server on the network. The image can include the operating system alone or it can be a preconfigured desktop image, including the operating system and standard locally-installed desktop applications. Client Installation Wizard (OSChooser)

OSChooser is the client-side (the part that is

downloaded to the client) text-based program that communicates with the RIS server. The Client Installation Wizard is a default set of screens that the Boot Information Negotiation Layer (BINL), the server-side service, sends to the client to guide the user through the remote installation process. Users of remote boot–enabled clients use the Client Installation Wizard to log on and select from operating system installation options. You can customize the setup screens to meet the needs of your organization.

RIS Services

RIS comprises individual services that have been combined to enable the remote installation of Windows 2000 Professional. The Remote Installation Setup Wizard (RISetup) configures and starts the following services: Boot Information Negotiation Layer (BINL)

This service listens for and answers DHCP (PXE)

requests. It also services Client Installation Wizard requests. BINL directs the client to the files needed to start the installation process. This service also checks Active Directory to verify credentials, determine whether a client needs service, and whether to create a new or to reset an existing computer account object on behalf of the client.

Trivial File Transfer Protocol Daemon (TFTPD)

A RIS server uses TFTP to download the initial

files needed to begin the remote installation process to the client. This includes the Client Installation Wizard and all files needed to start Windows 2000 Setup. The first file downloaded to the client using TFTP is Startrom.com. Startrom is a small bootstrap program that displays the Press F12 for Network Service Boot prompt. If F12 is pressed within three seconds, the Client Installation Wizard (OSChooser) is downloaded to begin the remote installation process. When it resides on the server side, it is called the Trivial File Transfer Protocol Daemon (TFTPD), and when it resides on the client, it is called Trivial File Transfer Protocol (TFTP). Single Instance Store (SIS)

SIS services consist of an NTFS file system filter and a service that

acts on the volume on which the RIS images are kept. SIS services reduce the storage requirements needed to store these images by combining duplicate files.

Installing RIS

You can install Remote Installation Services either on a Windows 2000 server that is already on a network or on a stand-alone server that you want to add to the network. To install the RIS component 1. 2. 3. 4. 5.

From the Start menu, point to Settings , and then point to Control Panel . Double-click Add/Remove Programs, and then click Add/Remove Components. Check the box for Remote Installation Services . Click Next . Click Finish , and then Restart your server. After the server has restarted, complete the

Configure Remote Installation Services wizard. RISetup locates the first NTFS volume that does not contain the system volume (boot.ini file) or the boot volume (%windir%). You then define image properties such as directory name, friendly description, and Help text for the end user. None of these properties can contain any non-ASCII characters. For more information about the Client Installation Wizard variables, see "OSCML and Client Installation Wizard Variables" in this book. This process also creates the RIS directory structure and copies the files required for a CD-based "flat" installation image of Windows 2000 Professional. This process also copies the default Client Installation Wizard screens and configures and starts all of the services required for RIS (BINL, SIS filter, SIS Groveler, and TFTP). For more information about installing and configuring RIS servers and DNS, see Windows 2000 Server Help. Windows 2000 Server Help also provides instructions for promoting a stand-alone server to a domain controller and installing and configuring the DHCP service. For more information about the Client Installation Wizard, see "Client Installation Wizard" later in this chapter.

Deploying RIS Servers

RIS servers are dependent on your network configuration. The way you deploy and manage your RIS servers on the corporate network determines how your RIS servers perform. By using RIS servers, you can have one operating system image that supports multiple sites, domains, and organizational units, or you can customize each image to meet the needs of the users and computers being served.

You might need multiple RIS servers to support your corporation, or only one RIS server if you are deploying Windows 2000 on a small localized network or network segment. As a general guideline, place a RIS server near the client computers that it services. The amount of traffic the RIS server produces is similar to that of other servers performing as software distribution points on your network. Generally, the traffic for RIS servers is predictable. RIS-generated traffic is higher when many users are installing their initial operating system image, for example, during a deployment of new operating system images or when a group of new computers is being added to the network. After the operating systems are installed, the daily RIS server traffic will be lower. Depending on the size of your network, you might need to adjust the distribution and management of client access to RIS servers to streamline access or support multiple operating system requirements. Determine your corporate needs before deploying automated customized versions of Windows 2000 and prior to imaging a standard desktop–configured computer. The number of RIS servers that you need to deploy is determined by the demand for new, upgraded, and customized operating system installations; the speed of your network; and the hardware you use to support your RIS images. Figure 24.2 shows one way to place your RIS servers and optional referral servers in relation to clients for a large organization deployment strategy.

Figure 24.2 Sample RIS Server Layout Within a Large Organization As illustrated in Figure 24.2, a new remote boot–enabled client requests a remote operating system installation. This request is passed to the RIS referral server, which has the Do not respond to unknown client computers option enabled. Clients that have been prestaged in Active Directory ahead of client servicing can access this RIS server. A prestaged client is a client that already has its computer account object created in Active Directory within a forest. The referral RIS server checks Active Directory to verify whether a computer account object exists for this client. In this example, the client was prestaged by the administrator, therefore it has a corresponding computer account object in Active Directory, and it is assigned to be serviced by RIS Server 3. The RIS referral server passes the request on to RIS server 3, from where the client then begins installing the operating system.

Figure 24.2 shows how one RIS server layout works in a large corporate setting. For this scenario there is close control on which clients can access which RIS servers. When the computer account object is created, the computer account object is assigned to a specific RIS server. Depending on your corporate environment, you can configure your RIS servers so that all RIS servers can respond to all clients. In the network design in Figure 24.2, the only purpose of RIS servers 1, 2, and 3 is to provide images of the operating system. These servers do not respond to initial client service requests. The referral RIS server does not provide image support, however, it does answer client service requests, checks Active Directory for the existence of a prestaged computer account object, and then refers the client to the specified RIS server. By pre-staging clients to Active Directory and distributing various image files over different distribution points, you can control network traffic and speed up the installation process. Slow connections to your RIS servers can slow down the entire network if they are not designed and distributed appropriately or if the hardware utilized by the RIS server cannot support network demands. If your organization has branch offices, it is best to place a RIS server in each branch location and not attempt to install software over a slow network connection. Note RIS does not detect slow links. RIS times out only if it does not receive a DHCP packet from the server. For more information about optimizing performance of RIS servers, see "Automating Client Installation and Upgrade" in the Deployment Planning Guide.

Authorizing RIS Servers in Active Directory

To manage and control the way a RIS server interacts with existing and potential clients, you can configure the server properties, which allow you to determine how this RIS server responds to clients requesting service. You can administer the majority of the RIS configuration settings from a Windows 2000 Professional client by installing the Administrative Tools (Adminpak.msi) package that is included with Windows 2000 Server. Note The Administrative Tools package (adminpak.msi), can be installed from the directory % Windir %\System32 where % Windir % is equal to the WINNT directory created during Windows 2000 Server installation. To install the Administrative Tools package on a workstation, run the file adminpak.msi that is located on the Windows 2000 Server operating system CD. By using RIS you can designate which RIS servers can accept and process requests and designate which RIS servers can only service clients on the network. Before a RIS server can accept requests, it must be authorized to run in Active Directory. Before a RIS server can accept requests, it must be authorized to run. To authorize a RIS server in Active Directory, you must log on with an account that is a member of the Enterprise Admins group in the forest where you want the RIS server to be authorized. By default, members of the Enterprise Admins group are the only users who can authorize DHCP/RIS servers. You can perform the procedure in this section on a domain controller, member server of the domain, or a Windows 2000 Professional–based computer that has the Administrative Tools package installed.

If the RIS server is not authorized in Active Directory, the RIS server cannot respond to clients requesting service. If you install RIS on a server that is not an authorized DHCP server, or if you add it to a DHCP server that is not authorized in Active Directory, perform the following procedure. Note If RIS is installed on a DHCP server that is already authorized in Active Directory, you do not need to perform the following procedure. To authorize a RIS server in Active Directory 1.

Log on to the domain where the RIS server resides. (The account used must be a member of

2.

the Enterprise Admins group.) From the Start menu, point to Programs and Administrative Tools , click DHCP from the

3.

list. This starts the DHCP Management snap-in. Right-click the DHCP root node in the scope pane, and then click Manage Authorized Servers

4.

. Click Authorize , enter the IP address or name of the RIS server, and then click OK . When

prompted, to ensure that this is the correct RIS server to authorize, click Yes . Now your RIS server is authorized in Active Directory and can respond to clients requesting service. If your server is not responding to requests, the changes to Active Directory might not have taken effect. For these rights to apply immediately, on the domain controller on which you set the user rights, from the Start menu, click Run , type CMD, and at the command prompt, type: secedit /refreshpolicy /MACHINE_POLICY Or, if applicable in your network environment, you can restart the server so that Active Directory and Group Policy settings take effect.

Configuring RIS Servers

With RIS, you can designate which RIS servers can accept and process requests and also designate which RIS servers will only service clients on the network After you have successfully installed RIS and authorized it in Active Directory, configure your RIS settings. These settings are required to service clients on your network. From within the Active Directory Users and Computers snap-in, use the RIS Administrative Tools to do the following:

• • •

Reset and create computer account objects.

•

Configure the server.

Browse Active Directory. Search for computer accounts by name, globally unique identifiers (GUIDs), and dedicated servers.

These settings allow clients to locally install Windows 2000 Professional from RIS servers. RIS does not provide a mechanism for replicating operating system images from one RIS server to another, such as from RIS server 2 to RIS server 3 in Figure 24.2. However, you can use third-party replication tools for operating system image replication. Make sure that the replication mechanism supports the file maintenance attributes, extended attributes, and security settings of the source images.

Restricting Client Installation Options by Using Group Policy Group Policy applies to sites, domains, and organizational units. It is important that you understand the effects of Group Policy in your organization before setting specific policies for your users or

computers. You can determine which choices the Client Installation Wizard displays to a particular user or user group by using the Group Policy snap-in. For more information about Group Policy, see "Group Policy" in this book. To restrict the Client Installation Wizard options for users of RIS in your organization, set the desired Group Policy settings for the RIS servers on your network by using the following procedure. To set RIS policy to restrict the installation options for a particular user or security group 1.

Locate the Active Directory container where you want to set the RIS policy settings. By default, the RIS policy settings are applied in the Default Domain Policy Object , which is located at

2. 3.

the root of your domain. Right-click your domain root name, click Properties , and then click the Group Policy tab. In the Group Policy Object Links window, select your Default Domain Policy object, and then

4.

click Edit . Click User Configuration , double-click Windows Settings , and then click Remote

5. 6.

Installation Services . Double-click Choice Options in the right pane. On the Policy tab, set the Automatic Setup , Custom Setup , Restart Setup , and Tools settings. Set the policy for the options available to users in the Client Installation Wizard from the following choices:

• •

Allow Users who are affected by this policy are allowed to access that installation option in the Client Installation Wizard. Don ' t Care Users receive the policy settings of the parent container. For example, if the administrator for the entire domain sets a RIS-specific policy, and the administrator of this container chooses the Don't Care option, the policy that is set on the domain is applied to all

•

users who are affected by that policy. Deny Users who are affected by this policy are not allowed to access that installation option

in the Client Installation Wizard. For more information about the Client Installation Wizard, see "Using Client Installation Wizard to Install Clients" later in this chapter. Top of page

Defining a Computer Naming Policy The computer naming policy that is used during operating system installation provides the computer with a unique name. The computer name identifies the client on the network, similar to the NetBIOS name used in Microsoft® Windows NT® version 4.0. If you have an existing computer naming policy, you can set this format prior to users turning on their computer and requesting an operating system installation. You can determine the computer naming format and the Active Directory container in which client accounts are created. In a large organization where multiple RIS servers are available, it is beneficial to define a computer naming policy to use to prestage clients and define which RIS servers that a client can access. To define computer naming policy 1. Start the Active Directory Users and Computers snap-in. 2. Right-click the RIS server. 3. Click Properties , and then click the Remote Install tab. 4. Click Advanced Settings . 5. Click New Clients . 6. Define computer naming and where the computer account object is created for new clients. The New Clients page of the Advanced Settings property sheet allows you to control the name that the client is assigned when a user selects the Automatic Setup option within the Client Installation

Wizard and where the computer account object is created in Active Directory. The naming format defaults to the user name of the account entered in the Client Installation Wizard with an incremental number (#) appended. You can customize this format. Table 24.1 lists the RIS computer naming options. Table

24.1 RIS Computer Naming Options

Naming Options

Property

%first

User's first name

%last

User's last name

%Username (Default) User's logon name %MAC

Media access control (MAC) address of the network adapter

%#

Incremental number

%nField

Number of characters to be used in indicated field

Note You cannot use all Active Directory object attributes to create a naming format for use with the RIS automatic computer naming feature. For example, if you create a name with the following format: %5Username%3# Where Username = JoeUser, %nField = %5, and %# = %3. This yields the name: JoeUs123 For %5, it uses the first five characters of "JoeUser", which results in the "JoeUs" characters in the account. The "123" is determined by scanning Active Directory for existing computer account objects. The %3# specifies to use a three-digit number for the number. In this case, it had to go up to 123 to find a number opening, hence "JoeUs123". By changing the number in "#3", you can restrict or broaden the search from 0-9 to 0-999999999. It is best to keep your incremental number to as few digits as possible. The default is 2 if no specification is given. Using the New Client page, you can also control the organizational unit in which the computer account objects are created. The default is the default account creation location as set in Active Directory. The following are your options: Default directory service location

This creates the computer account object for the client in an

Active Directory location where all computer accounts are created by default during the domain join operation. The default Active Directory location is set to the Computers container in Active Directory. The client becomes a member of the same domain as the RIS server installing the client. Same location as the user setting up the computer

This creates the computer account object

in the same Active Directory container as the user who is setting up the computer. For example, if you log on in the Client Installation Wizard and your user account currently resides in the Users Active Directory container, the client computer account object is created in the Users container in Active Directory. A specific directory service location

This creates the computer account object in a specific

Active Directory container that you predetermine. It is assumed that most administrators will select this option to specify a container for all remote installation client computer account objects. Top of page

Client Response Options The RIS settings on the Properties page control how the RIS server responds to remote boot– enabled clients requesting service. You can set the RIS server to Respond to client computersrequesting service or only respond to known clients. When the RIS server is set to Do not respond to unknown client computers , it only responds to clients with a prestaged computer account object in Active Directory. This setting allows you to limit access to authorized clients that are prestaged in Active Directory, thereby increasing the security on your network. The Do not respond to unknown client computers setting also provides support for multiple thirdparty remote boot or installation servers on one physical network. For example, if your company already uses another vendor's remote boot or installation server, you cannot control which vendor's server answers the client's request. By setting the Do not respond to unknown clientcomputers option in conjunction with pre-staging clients, you make sure that only those prestaged clients are serviced by authorized RIS servers. Note If a user sets up the client, the user needs to have the appropriate rights to create the computer account in the domain or organizational unit chosen. For more information about granting computer account creation permissions to users, see Windows 2000 Server Help. Top of page

Pre-staging Clients in Active Directory Using GUID You can also use the computer's GUID for pre-staging clients and making sure that each computer is uniquely identified. This unique ID is stored with the computer account object that is created when pre-staging the client. In most cases you can find the GUID for clients that are PC98 or Net PC–compliant in the system BIOS of the computer or on the outside of the computer case. Top of page

GUID Format Valid characters for the client GUID are restricted to the hexadecimal characters 0-9 and A-F (uppercase or lowercase). You can enter the GUID in either "pretty print" or "raw byte order" format. However, combining the two formats causes RIS to not recognize the client. Top of page

Pretty Print Pretty print format is as follows: {dddddddd-dddd-dddd-dddd-dddddddddddd} where d is a hexadecimal character. For example, {921FB974-ED42-11BE-BACD-00AA0057B223}. The dashes are optional and spaces are ignored. Top of page

Raw Byte Order You can also enter GUIDs in raw byte order, such as the byte order you get from a packet sniffer. In this case, do not include the curly brace and enter only the hexadecimal characters. The following GUIDs have exactly the same value:

•

Pretty print: {12345678-1234-1234-1234-1234567890AB}

•

Raw byte order:

78563412341234112341234567890AB Notice the first three parts of the pretty print GUID are in a different order than the raw byte format. This is how the computer stores the information internally and how it is sent on the network. If you are having trouble with a prestaged client not being answered by a RIS server, make sure the GUID entered is either in pretty print format or raw byte order. Top of page

Clients Installing Operating System Images Clients can also be granted permission to create their own computer account (non-prestaged) and install an image. This allows users to turn on their system, connect to the RIS sever, log on with their domain account, and be able to install an operating system image without assistance. To do this, the user needs the following permissions to the organizational unit that you have specified to hold the newly-created computer account:

• •

Read permissions Create computer

objects Users can also install an operating system image on their prestaged client if they have been granted the ability to read and write all properties on the specific computer object (not the container) that was created when the client was prestaged. The user also requires the ability to reset and change password rights on the computer object. (An administrator might need to reset the user account.)

Preboot Execution Environment

RIS uses the new Preboot Execution Environment (PXE) extensions to DHCP to initiate the installation of an operating system from a remote source to a client's local hard disk. The PXE environment is built on a foundation of Internet protocols and services that are widely used in the computer industry. These include TCP/IP, DHCP, and TFTP. The PXE extensions to the DHCP protocol allows for information to be sent to network-bootable systems and allow these systems to find RIS servers.

RIS Server PXE Environment

RIS uses DHCP as part of what is defined in the PXE architecture to initiate the process of remotely installing an operating system on a client. In other words, because PXE uses DHCP, so does RIS. When a new DHCP PXE-based remote boot client is turned on for the first time, the client requests an IP address and the IP address of an active RIS server through the DHCP protocol and the PXE extensions to the DHCP protocol. As part of the initial request, as a DHCP option, the client sends out its GUID, which is used to identify the client in Active Directory. The client receives an IP address from the DHCP server and the IP address of the RIS server that services the client. In the RIS server's response, the client is given the name of a boot image that it must request when contacting the RIS server for initial service. When the client makes its initial request for service, TFTP is used to download the boot image file to the client. In the case of RIS, this file is Startrom.com. Startrom.com prompts user to press the F12

key. If the user presses the F12 key, Startrom.com uses TFTP to download OSChooser, and presents the user with the Client Installation Wizard. The process of initial communication between PXE clients and RIS servers can differ depending on how RIS is deployed in relation to DHCP services.

DHCP and RIS on Separate Servers If you have DHCP and RIS on separate servers, the initial interaction between PXE clients and RIS/DHCP servers proceeds as follows: 1. 2. 3. 4. 5. 6. 7.

DHCP DHCP DHCP DHCP DHCP DHCP DHCP

discover from client (asking for IP address and PXE boot server). offer from DHCP server (offers IP address and other network configuration settings). offer from RIS server (offers PXE boot server). request from client to DHCP server (requesting IP address). acknowledge message from DHCP server (you can have this IP address). request from client to RIS server (requesting the boot server). acknowledge message from RIS server (this acknowledgment contains the address to the

RIS server and the first file that the client needs to send a TFTP request to start the boot process). Note If you configure the RIS server to respond only to known clients — that is, clients prestaged in Active Directory or previously installed computers — and the computer object is not located in Active Directory, the RIS server fails to respond to the client's DHCP request. If the RIS server is not on the same server as the DHCP server, and the server does not respond because the client is unknown, then the DHCP offer from the RIS server (in step 3 in the previous process) is not sent and therefore step 6 and step 7 do not occur. Top of page

DHCP and RIS on the Same Server If the RIS server and the DHCP server are on the same computer, the conversation is as follows: 1. 2. 3.

DHCP discover from client (asking for IP address and PXE boot server). DHCP offer from DHCP/RIS server (offers IP address and PXE boot server). DHCP request from client to DHCP server (requesting IP address, network configuration

4.

settings, and PXE boot server). DHCP acknowledge from DHCP server (contains IP address and the RIS server IP and the first

file to download). Note If you configure the RIS server to respond only to known clients, and the computer object is not located in Active Directory, the RIS server fails to respond to the client's DHCP request. If the RIS server and DHCP server are on the same computer, the DHCP offer from the DHCP/RIS server (in step 2 in the previous process) only contains IP information and no information about any available servers to support the client's network boot process.

Verifying the Correct PXE ROM Version

When your Net PC or client containing a remote boot ROM starts, you see the PXE ROM message appear on the screen. The version of the PXE ROM code is displayed during the boot sequence of the client. RIS supports version .99c or later PXE ROMs. You might need to obtain a newer version

of the PXE-based ROM code from your original equipment manufacturer (OEM) in case you do not succeed by using the existing ROM version.

Creating Operating System Images

Remote OS Installation allows the installation of operating system images on clients. You can create two types of images using RIS:

• •

CD-based images (using RISetup). CD-based images are similar to setting up a workstation directly from the Windows 2000 Professional compact disc; however, the source files reside across the network on available RIS servers. Remote Installation Preparation Wizard (RIPrep) images using RIPrep. RIPrep images allow a network administrator to clone a standard corporate desktop configuration, complete with

operating system configurations, desktop customizations, and locally installed applications. These two types of images are suitable for use in different situations. The benefits and limitations, as well as considerations and how to use RISetup and RIPrep are discussed in the following sections. Note RIS only supports Windows 2000 Professional images, it does not support Windows 2000 Server or previous operating systems, including Windows 95 and Windows 98. RIS also does not support remote installation of the CD or RIPrep operating system images of Windows 2000 Server.

Using CD-based Images

A CD-based image is a copy of the contents of the Windows 2000 Professional operating system CD on the RIS server. Creating CD-based images is similar to creating a distribution share on a server that can be used to install the operating system over the network. The benefits of using CD-based images are as follows:

• • • • •

Easy to use.

• •

Images cannot contain preinstalled standard desktop applications.

Enables standard, automated installation over a network. Can be customized by using answer files. Multiple answer files can be associated with a single CD-based image. Can be used for installation of all Windows 2000–compatible systems, regardless of hardware

configurations. The limitations of using RISetup are as follows:

Takes longer to install on equivalent hardware than RIPrep images.

Creating New CD-Based Images An initial CD-based image for Windows 2000 is created during the installation of RIS on a RIS server. To add a new CD-based image to a RIS server 1.

You must be on the RIS server, where you want to add the CD-based image. In Active Directory Users and Computers , locate your RIS server by selecting the appropriate

2.

container, like the Domain Controller container. In the right pane, right-click your RIS server, click properties, and then click the Remote

3. 4. 5.

Install tab. Click the Advanced Settings button. Click the Images tab, and then click Add . Click Add new installation image . This option copies a Windows 2000 Professional CD-based

6.

image. Click Next. In the Remote Installation Services Setup Wizard , click Next , then enter the installation

source files location and proceed through the Wizard. Or you can run the risetup -add command. Figure 24.3 shows the directory structure where CD-based images are stored. You can define the name of the root folder ( imagename ) where the CD-based images are stored.

Figure 24.3 CD-based Image Directory Structure Note CD-based images support additional directories. For example, you can add an \i386\$OEM$ directory so that you can locate additional device driver files if you add additional hardware to a RIS client. For more information about creating an $OEM$ subfolder, see "Automating Client Installation and Upgrade" in the Deployment Planning Guide. For more information about creating a CD-based image, see Windows 2000 Server Help. The Templates folder under each image contains the answer files for that image. By default, RIS creates a standard unattended answer file called Ristndrd.sif for each CD-based image, but multiple answer files can be associated with a single CD-based image. The default answer file can also be customized. For more information about working with answer files for CD-based images, see "Working with Answer Files" later in this chapter. Note The \i386\lang directory is not copied to the RIS server as part of a CD-based image. This directory is needed by any client system that attempts to add the ability to read or write files in a language that is different than the default language that is installed. To allow client systems to be able to install language packs, copy \i386\lang and all subdirectories from the Windows 2000 Professional operating system CD to \\ RISServername \Reminst\setup\ clientlanguage \images\ imagename \ i386 \ lang Top of page

Modifying Properties of a CD-based Image You can associate one or more answer files (.sif) to an existing CD-based image on the RIS server. This allows you to offer a variety of unattended Windows 2000 installation types from the same source image on the RIS server. You can also modify the settings within the answer file by using the setupmgr.exe tool. For example, you can change regional settings, video resolution, and network settings with answer files. For more information about modifying answer files, see "Working with Answer Files" later in this chapter.

Important If you purchased Windows 2000 from an authorized reseller, you must automate the process of entering the CD key. See "Specifying a CD Key in the Answer File" later in this chapter.

Using RIPrep Images

RIPrep images allow a network administrator to clone a standard corporate desktop configuration, complete with operating system configurations, desktop customizations, and locally-installed applications. After installing and configuring the Windows 2000 Professional operating system, its services, and any standard applications on a computer, the network administrator runs a wizard that prepares the installation image, and replicates it to an available RIS server on the network for installation on other clients. The benefits of using RIPrep.exe are as follows:

•

Allows for the creation of standard environment images including the operating system, standard

•

Faster overall install times than CD-based images.

•

Does not support multiple disks or multiple partitions on the source computer used to create the

• •

Works only with the Windows 2000 Professional operating system.

• •

Target system must also have the same hardware abstraction layer (HAL).

desktop applications, and settings.

The limitations of using RIPrep.exe are as follows: RIPrep image. The destination client must have a hard disk that is the same size or larger than the system partition on the hard disk of the source computer used to create the RIPrep image. A CD-based image of the same version and language as the RIPrep source computer must also be installed on the RIS server.

RIPrep Considerations If you plan to use RIPrep to create operating systems in your organization, keep the following considerations in mind:

•

RIPrep supports replication of a single disk, single partition (the boot partition, which is usually drive C) of Windows 2000 Professional. Because of this, the operating system and all of the applications that make up the standard installation must reside on the boot partition prior to running the RIPrep wizard. By creating a RIPrep image, you can install and configure the operating system, locally-installed applications and configuration settings once for deployment to

• •

many clients. RIPrep-based images generally use more hard disk space than CD-based images because they contain an uncompressed copy of the client system's hard disk stored on the server. CD-based flat images still contain the compressed installation files that the CD contains. To store a RIPrep image on a server, you must also have a CD-based image that is the same version and default language stored on the same RIS server. This is because the answer file used for the RIPrep image also refers the client to the CD-based image for access to network adapter and text-mode boot drivers, in case the drivers required for the client installing the RIPrep image are different from those in the system used to create the RIPrep image. The text-mode setup then does an advanced Xcopy of the client's image to the client's hard disk drive. (Text-mode setup is the normal blue screen you see when installing Windows 2000 Professional that moves or

copies all the files over before the graphical user interface setup begins.) One of the beneficial features of the RIPrep wizard is that the destination client, that is, the

•

computer that is installing the RIPrep image, does not need to contain identical hardware as that of the source computer used to create the image. However, the hardware abstraction layer (HAL) drivers must be the same. The RIPrep wizard uses the new Plug and Play support that is included with Windows 2000 for detecting any differences between the source and the client hardware during image installation. To create a RIPrep image, a source computer is required. The source computer contains the

•

Windows 2000 Professional operating system, locally-installed applications, and any configured system settings that represent a standard client configuration you want to deploy to the specific clients. Carefully configure and test this image before running the RIPrep wizard to create the RIPrep image. After the image is replicated to the RIS server, you cannot alter its configuration without rerunning the RIPrep wizard against the existing image.

Top of page

Configuring a RIPrep Source Computer To prepare and configure a source computer for a RIPrep image, use the following general steps: 1.

Install Windows 2000 Professional on the boot drive of a newly formatted computer. Any of the

2.

common methods of performing a standard installation can be used. During setup, create a single partition, and then set the partition to the minimum size required for support of the base operating system and any required applications. The size of the partition used on the RIPrep source computer determines the minimum disk size required on computers

3.

installing the resulting RIPrep image. Configure all components and settings that represent the standard client configuration for this image, including:

• • • •

Network settings Security settings User settings Desktop settings

Configure the source computer to adhere to any company configuration policies. For example, you might choose to define specific screen colors, set the background bitmap to a company4.

based logo, and set intranet proxy server settings in Microsoft® Internet Explorer 5. Install all applications that you want to be a part of this image. If you have applications that are Windows Installer (.msi) packages and you want the applications to be installed in a managed state, see the following section. Install all the applications from the location that should be used when looking for updates or additional files, rather than a temporary location such as a local CD-ROM drive that is not available on clients installing the RIPrep image. For example, you can install Microsoft® Office 2000 and virus protection software for all users who require these

5.

applications on the computer. Test the source computer to ensure that the configuration is exactly how you want it to be for the group of users who will access this image. RIPrep images cannot be modified after they are created, so if your image fails your test process, you must recreate the image or restore the existing RIPrep image, make the necessary adjustments, and run the RIPrep wizard again to create a new image that contains the additional changes. If it is appropriate, you can overwrite

6.

the existing image on the RIS server when you create the new image Run the RIPrep wizard to create the RIPrep image on the server.

7.

Configure user access to the image by setting permissions in the ristnrd.sif file in the Templates folder of the new RIPrep image. For more information, see "Setting Security Permissions in Answer Files" later in this chapter.

Top of page

Using Software Installation and Maintenance with RIPrep By using the Windows 2000 Software Installation and Maintenance features, you can install and manage key software in a RIPrep image by using the same methods you use to install the software on other computers in the organization. Consider an organization that wants to bring in new computers and customize both the Windows 2000 operating system and the Office 2000 suite of applications. The organization has existing Group Policy objects to manage the computers in the organization, and the administrator has assigned Office 2000 to the computers in the appropriate Group Policy objects. Note Be sure you configure the RIPrep source computer with applications from the same Group Policy objects that apply to the destination computers (those that install the RIPrep image) when they are deployed. The applications might be removed, or removed and reinstalled, if a different policy is applied to the computer when it is deployed. The administrator installs the Windows 2000 operating system on a computer (that has the same HAL as the wanted target systems), and then configures the operating system the way that they want it. When Windows 2000 is installed and configured, the administrator adds it to the same Active Directory container where it stays after it is deployed. This container has a Group Policy object with Office 2000 assigned to the computer. Note When you install Office 2000 as part of an RIPrep image, you must turn off 8.3 name creation. Change the value of the NtfsDisable8dot3NameCreation registry entry from 0 (default) to 1 in order to turn off 8.3 name creation. NtfsDisable8dot3NameCreation is located in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem. See the following procedure. To turn off 8.3

name creation

1. 2. 3.

From the Start menu, click Run . Type regedt32.exe or regedit.exe , and then click OK . In the registry editor, navigate to

4. 5.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem Select the NtfsDisable8dot3NameCreation entry. To turn off 8.3 name creation, change the value of the NtfsDisable8dot3NameCreation registry entry from 0 (default) to 1. In Regedit.exe, right-click the entry, and then click Modify . -Or-

In Regedt32.exe, click the entry, click Edit , and then click the appropriate menu choice. Caution Do not use a registry editor to edit the registry directly unless you have no alternative. The registry editors bypass the standard safeguards provided by administrative tools. These safeguards prevent you from entering conflicting settings or settings that are likely to degrade performance or damage your system. Editing the registry directly can have serious, unexpected consequences that can prevent the system from starting and require that you reinstall Windows 2000. To configure or

customize Windows 2000, use the programs in Control Panel or Microsoft Management Console (MMC) whenever possible. The administrator restarts the computer, and Software Installation and Maintenance installs Office 2000 (applications assigned to a computer install when the computer starts). After Office 2000 installation is complete, the administrator can take the computer running Windows 2000 with Office 2000 installed, and use RIPrep to build a Remote OS Installation image and put the image on a RIS server. When the resulting RIPrep image is installed on destination clients, as long as the same Group Policy objects are applied to the destination computers, the applications remain in a managed state and can be managed, updated, or patched using the Software Installation and Maintenance features. It is recommended that you use Software Installation and Maintenance to install, update, and manage all applications that you install in RIPrep images. For more information about software installation, see "Software Installation and Maintenance" in this book. Top of page

RIPrep and User Profiles When creating RIPrep images, it is important to understand the relationship of user profiles, the changes made to a RIPrep source computer, and the wanted result for users who log on to computers that are installed by using the RIPrep image. Windows 2000 Logo–compliant applications properly separate user-specific and computer-specific configuration settings and data. Installing such applications for all users of the computer as part of a RIPrep source computer allows the applications to then be available to all users of clients that have the resulting RIPrep image installed later. Non-Windows 2000–compliant applications might perform or rely on per-user configurations that are specific to the profile of the user actually installing the application prior to running RIPrep (typically a local administrator), rather than to all users of the client. Such configurations remain specific to that user, which can result in the application or configuration setting not being available or not functioning properly for users of computers installed with the RIPrep image. In addition, some non-application configuration changes, such as the wallpaper specified for the user desktop, are applied only to the current user's profile by default, and are not applied to users of systems installed with the RIPrep image. Thoroughly test any applications or configuration settings that you want to use in a RIPrep image to ensure that they will work properly with your organization's implementation of user profiles. To perform the test, make the change as one user (typically a local administrator of the computer), log off, and log on as a user account that is representative of your organization. If the changes you made are applied to the second user, the changes should also apply to users who log on to systems installed with an RIPrep image that contains the same change. To complete the test, create an RIPrep image, restore it to a different computer, and log on as a different representative user. Verify that the changes are applied and fully functional. Some configuration settings can be copied directly from the profile to which they were applied (the local administrator in the previous example, for instance) to the All Users profile (such as the desktop wallpaper) some Start menu options, and shortcuts. However, all such changes must be tested carefully to verify that the profile copy process does not affect their functionality. To copy the Administrator ' s profile to the Default User profile on the source computer 1.

Log on to the source computer as Administrator. Right-click My Computer , and then click

2.

Properties . In the System Properties property page, click the User Profiles tab, select the local

3.

Administrator profile from the list of profiles on the computer, and then click Copy To . In the Copy To dialog box, enter the path to the All Users profile folder (typically C:\Documents

4.

and Settings\All Users), and then click Change . Select the appropriate group from the User or Group dialog box, typically the Everyone

5.

group, and then click OK . Click OK , and then click OK again to exit the System Properties property page.

Top of page

Running the RIPrep Wizard After the client source computer is configured and fully tested, you are ready to run the Remote Installation Preparation Wizard (RIPrep.exe) from the RIS server that you want to receive this RIPrep image. To run the RIPrep wizard, from the source client computer's Start menu, click Run , and then type: \\\Reminst\Admin\i386\RIPrep.exe Then click OK . The RIPrep wizard does the following:

• • • • • • •

Asks for the name of the RIS server on which to store the image. If none is selected, it defaults to the server name from which RIPrep.exe was run. If RIPrep.exe is run from \\ Server \Reminst\Admin\i386\Riprep, server becomes the default location. Prompts for a subdirectory name to which the new image is created. The directory specified is created under the \RemoteInstall\Setup\ OS Language \Images directory on the specified RIS server. Prompts for a description and Help display text. These values are written to the answer file for the RIPrep image and used for display to users in the Client Installation Wizard. Prompts you to stop services and close applications on the client that RIPrep does not recognize. (This page does not prevent you from continuing, but you need to attempt to stop any services that RIPrep does not recognize as well as close any open applications.) Removes unique security identifier and other unique registry settings to prevent conflict between clients. Replicates the source client's system partition to a folder on the RIS server. Creates a default answer file named Riprep.sif. This associates a specialized unattended answer

file with the image to ensure that the user is not prompted during image installation. To create an image on the server, you must be logged on to the source client with an account that has backup privileges on the source computer. (If you are a member of the domain administrators group, you have this privilege.) Otherwise you need to log on as the local administrator. Figure 24.4 shows the directory structure that exists after the RIPrep image is copied to the server. You can define the name of the root folder ( imagename ) where the RIPrep images are stored.

Figure 24.4 RIPrep Image Directory Structure After creating the new image, the important files to note are RIPrep.log, Bootcode.dat, and Imirror.dat. These files contain the following information about the RIPrep image: RIPrep.log

This file contains log information about RIPrep.exe. RIPrep.log contains any errors

that occur, such as encrypted files encountered or files in use. It also notes other information such as server name and description. This file resides in the \i386 directory on the server. Bootcode.dat

This file contains the boot sector for the system. Bootcode.dat resides in the

\i386\Mirror1 directory. Imirror.dat

This file contains information, such as the drive letter, installation directory, and

hardware abstraction layer (HAL) type, about the system that was cloned by using RIPrep. Imirror.dat resides in the \i386\Mirror1 directory. These files contain some binary data, and therefore cannot be completely read by using a simple text editor or word processing application. After RIPrep is run, the source computer is shut down. If the source client is restarted, a mini-wizard runs and prompts the user for the unique configuration items that were removed when RIPrep was run. After the replication of the image is complete, any DHCP PXE–based remote boot–enabled client, including those clients using the RIS boot floppy disk, can be used to access this image through RIS.

Relationship of SysPrep to Remote OS Installation

The System Preparation (SysPrep) tool works in conjunction with a third-party disk imaging process to prepare a source computer's hard disk for duplication to other computers. SysPrep is used to remove configurations unique to the computer, such as its computer name and security identifier (SID), so that the resulting computer image can be safely reused for installation on other computers. SysPrep cannot be used with Remote OS Installation. However, the Remote OS Installation RIPrep wizard performs similar functions as SysPrep, which are combined with the other Remote OS Installation features to provide a full desktop imaging solution. A comparison of using Remote OS Installation and SysPrep for creating system images follows.

TheBenefits of Using Remote OS Installation with RIPrep • Supports use of different hardware between the source and destination computers (both computers must have the same hardware abstraction layer).

•

Does not require additional imaging software.

•

Provides full support for replicating the source image to a server and restoring it onto destination computers. Top of page

Limitations of Using Remote OS Installation with RIPrep • Does not support replication of RIPrep images to sources other than RIS servers, such as removable media.

•

Does not support creating Windows 2000 Server images. Top of page

Benefits of Using SysPrep • Supports creating both Windows 2000 Professional and Windows 2000 Server images. • Supports use of third-party disk imaging and replication products. Top of page

Limitations of Using SysPrep • Requires the same hardware abstraction layer and mass storage controller on both the source

•

and destination computers. Does not provide support for drive imaging, additional third-party tools are required for the imaging and replication processes.

Removing RIS Server Operating System Images

The Remove option, found on the Images tab of the Advanced Settings property page, only removes the unattended setup answer file (.sif) that is associated with the operating system image. To completely remove the operating system image from the RIS server, use Windows Explorer to delete the directory and subdirectories containing the image that you want to remove. You can do this from the console of the server or by browsing the Reminst share on the RIS server. Note Do not remove the physical operating system image completely until all clients have upgraded to the new version of the operating system. Be sure that you back up the unattended setup answer file (.sif) prior to removing any setup answer files.