Remotely Deploy Windows 2000
Learn how RIS works and how to set up and configure this new tool, and you’ll be well on your way to a successful RIS implementation.
March 23, 2000
RIS makes remote installation a snap
How much time have you spent in front of a computer, trying to install a new OS? Windows 2000 Server's (Win2K Server's) Remote Installation Services (RIS) cures installation headaches.
RIS, partnered with Active Directory (AD), DHCP, and DNS, can eliminate the need for you to go to each workstation to install Windows 2000 Professional (Win2K Pro). RIS is easy to install, but it requires a well-designed AD, DHCP, and DNS infrastructure to work properly. If you configure RIS properly, when users log on the first time, they can provide their username, password, and domain name and RIS will install Win2K Pro. After you understand how RIS works and explore how to set up and configure this new tool, you'll be well on your way to a successful RIS implementation.
RIS Technology
The Preboot Execution Environment (PXE) architecture is the technology behind RIS. PXE is part of Intel's Wired for Management (WfM) initiative. (For more information about PXE, see "Related Articles in Previous Issues," page 78, or go to http://www.intel.com/ial/managedpc.)
PXE lets a NIC use a universal network driver to download a boot image from a PXE-based server. By interfacing with a PC's BIOS, a PXE-enabled NIC can become a PC's boot device. When a user turns on a PC, the boot ROM sends out a DHCP request for an IP address and the name of a boot server. The DHCP server answers this request with the boot server's IP address and additional information. The boot ROM uses this information to send a request to the boot server for the bootstrap program. To respond, the boot server uses the Trivial File Transfer Protocol (TFTP) to send the bootstrap program. This course of action lets the PC begin the boot process. The client system doesn't require a vendor-specific driver because PXE-capable NICs use the Universal Network Driver Interface (UNDI). After the server sends the bootstrap program to the client PC, the server sends additional programs such as RIS's Client Installation Wizard, which provides a menu of OS images for the user.
RIS's Hardware and Infrastructure Requirements
Now that you have an overview of RIS technology, let's look at the hardware and infrastructure requirements necessary to implement RIS. The server on which you install RIS must have a 400MHz Pentium II processor or better and 128MB of RAM or more. If you plan to store several custom OS images on the server, you might want to start with more disk space. In addition, Microsoft recommends 256MB of RAM if your RIS server will pull double duty as your DNS or DHCP server. RIS has a big appetite for disk space, so your system files need to be on a separate partition, and you need at least a 2GB NTFS-formatted partition for the remote installation directory tree. I recommend that you err on the side of too much horsepower for your Win2K Server systems.
The client systems on which you're using RIS to install Win2K Pro must have at least a 166MHz Pentium processor, 32MB of RAM, and a 1.2GB hard disk. In addition, these systems must have PXE-enabled NICs.
If your server and clients meet these specifications, you're ready to set up the infrastructure. If you've built your Win2K network, you already have the necessary components for RIS: AD, DHCP, and DNS. RIS uses AD to locate and authenticate users and computers, DHCP for IP addressing and providing the RIS server's location to clients, and DNS for AD name resolution. After you meet these hardware and infrastructure requirements, you can build and configure the RIS server.
Setup and Configuration
You can use two methods to install RIS: You can install it as one of the Win2K Server add-in components when you install Win2K Server, or you can use the Control Panel Add/Remove Programs applet to install RIS on an existing Win2K Server installation. After you install RIS, run risetup.exe to start the Remote Installation Services Setup Wizard.
The wizard first asks you to specify the location of the remote installation folder, as Screen 1 shows. As I previously mentioned, RIS's files and images must be on a separate partition from the Win2K system files, and RIS must be on an NTFS-formatted partition. Microsoft recommends a RIS partition larger than 2GB.
Next, the wizard presents you with the Respond to client computers requesting service and Do not respond to unknown client computers options, as Screen 2 shows. If you don't select the first option, you'll have to turn on the service later. The second option tells RIS to deny service to unknown computers (i.e., systems that you haven't pre-staged in AD). I don't recommend enabling this option at this point—enable this option after you've tested the system and you're confident that it works.
When the wizard prompts you for the source file location and destination directory, point the wizard to the CD-ROM or network share that contains the Win2K Pro source files. The destination directory is the name of the folder on the RIS server to which the wizard will copy the images. By default, the wizard names this folder win2000.pro. After you specify a directory name, you can provide a friendly name for the image, as Screen 3 shows. This name will appear in the Client Installation Wizard as a menu option. You also can enter an image description that the Client Installation Wizard will display when users select the image.
Finally, the wizard lets you review and verify your settings, as Screen 4 shows. When you select Finish, the wizard will begin to copy the files and create the first OS image on the RIS server.
Authorize the RIS Server
After you create the OS image, you need to authorize the RIS server in AD. The authorization process is a new security feature in Win2K that helps reduce the number of rogue DHCP and RIS servers on the network. When you first start a RIS server, it contacts AD. If Win2K Server has authorized the server, AD lets RIS provide its services on the network. If Win2K Server hasn't authorized the server, AD instructs RIS to remain disabled.
For Win2K Server to authorize your RIS server, open the DHCP Microsoft Management Console (MMC) from the Administrative Tools menu, right-click DHCP, and select the Manage authorized servers option. Input your RIS server's name or IP address, and click OK. Verify that you typed the correct information, and click Yes to add your server to the list of authorized servers.
Additional Configuration
By default, Win2K Server will create your RIS server's account in the AD Computers container. If your server is a domain controller as well as a RIS server, Win2K Server will create the account in the Domain Controllers container. For additional configuration options, open the Properties dialog box of your RIS server by right-clicking the server in AD and selecting the Remote Install tab, which Screen 5 shows. In this dialog box, you can instruct the server to respond to requests from clients and ignore requests from unknown clients (the Remote Installation Services Setup Wizard presents these options during setup), and you can verify that your server is functioning correctly.
Clicking Advanced Settings and selecting the New Clients tab presents you with a variety of preset and custom choices for naming the new computer accounts and three choices for account location, which Screen 6 shows. You can put new computer accounts in the default Directory Services container, the same location as the user installing the image, or in another location that you specify. The Images tab lists the OS images available on the RIS server. From this window, you can add new CD-ROM-based images to and remove images from the server. The Tools tab lists the preboot tools that you have installed on the server.
At this point, your RIS server is ready to provide OS images to new clients. Let's look at how to set up your client PCs.
Setting Client PCs' Boot Devices
When your computer has a PXE-enabled NIC, the NIC becomes a boot device, such as a 3.5" disk drive, CD-ROM drive, or hard disk. Therefore, you must designate the NIC as the primary boot device in the client PC's BIOS. After you make this change, reboot the system. Upon restart, the system will present you with a message similar to the message that Screen 7 shows. The PXE-enabled NIC gets an IP address and the RIS server information from the DHCP server, then downloads the boot image. The message that appears when you reboot shows this process in action. After the system presents you with instructions to Press F12 for network service boot, you're ready to start the Client Installation Wizard.
If your system has a newer, but non-PXE-enabled NIC, you might be able to use a boot disk to connect to RIS and run the Client Installation Wizard. To create the boot disk, select Start, Run and enter rbfg.exe to run the Remote Boot Floppy Generator tool. This program creates a boot disk that lets a few (i.e., approximately 20) non-PXE-enabled NICs boot to the RIS server.
Microsoft intends to update the list of supported cards as more become available. If you're using a system that has a PC Card, you can't use RIS to install Win2K Pro because PC Cards don't support PXE or boot disks created with the Remote Boot Floppy Generator tool.
Pre-staging and Assigning Permissions
Two final steps are necessary before you use RIS to build a client PC. First, you must give users the appropriate permissions within AD to modify their computer account. By default, only members of the Domain Admins group can add a computer to AD. Instead of making all users members of this group, you can give them limited rights to modify the computer account. However, this setup requires you to pre-stage users' systems in AD and give the users permissions to modify their computers' accounts.
Pre-staging client systems is a quick process. Open the AD Users and Computers console, navigate to your domain, and choose the container in which your computer accounts reside. (By default, Win2K puts computer accounts into the Computers container.) First, add a new computer account by right-clicking the container, clicking New, Computer, and adding the computer account. Next, go into the account's Properties by right-clicking the account and selecting Properties, and select the This is a managed computer option. In the text box below this option, input the computer's universally unique identifier (UUID), which is a unique 128-bit value. According to Microsoft, this number should be on the computer's case. If you can't find the UUID on the case, Microsoft suggests looking in the BIOS. If all else fails, Microsoft recommends using Network Monitor or another packet sniffer to uncover your computer's UUID in client/server communications.
After you create the computer account, you must give users permission to modify the account when they run the Client Installation Wizard. To give users permission, go into the new account's Security properties by right-clicking the account, selecting Properties, and selecting Security. Next, add the user (or a group that contains the user), and give the user Read, Write, Change Password, and Reset Password permissions. After you complete this process, you're ready to run the Client Installation Wizard.
The Client Installation Wizard
After the client PC boots from the network, the Client Installation Wizard starts. This wizard is responsible for authenticating the user in AD, presenting the available OS images, and starting the installation process. After the user selects the image to install, the wizard will start the installation process. A basic Win2K Pro build takes between 15 and 30 minutes to complete, depending on your network connection.
To simplify the setup process, you can customize the screens that the wizard displays. The most useful screen to modify is the welcome screen, welcome.osc, which the wizard displays when it starts. Welcome.osc is a text file in a format similar to HTML. If you replace the default text with new text, the file will work fine. Welcome.osc is in \riserverrishareOSChooser, where riserver is the name of your RIS server and rishare is the name of the RIS folder share on the server.
This process uses basic RIS features to install Win2K Pro. But RIS offers many advanced features that can also simplify remote OS installation.
Creating New Custom OS Images
After you have experience using RIS to build a Win2K Pro machine, you can begin making custom OS images. The riprep.exe utility takes a snapshot of a customized Win2K Pro installation and copies that image to the RIS server so that you can install the custom OS image to client computers.
To run riprep.exe, you must first use a RIS CD-ROM-based image to build a computer. You can also run riprep.exe after you install Win2K Pro from the CD-ROM, although Microsoft doesn't recommend this method. After you install Win2K Pro, customize the image by installing your business applications and configuring the system to run in your environment. After you complete this setup and configuration, run riprep.exe from \riserverrishareAdminriprep.exe, where riserver is the name of your RIS server and rishare is the name of the RIS folder share on the server. And specify on which server you want to store the new image. By default, Win2K stores riprep.exe on the RIS server on which you're running the utility, but you can specify any RIS server on your network. Next, specify the folder name that will hold the RIS files. Riprep.exe also asks you to input a friendly display name and descriptive Help text for the new image. Finally, riprep.exe asks you to verify the information that you provided. If everything looks correct, choose Next to begin the copy process. After this process completes, the new image will be available for users to install.
To reduce the number of redundant files stored on the server, Microsoft uses a technology called Server Intelligent Storage (SIS). This feature checks the RIS directory tree for duplicate files. When SIS finds a duplicate, it copies the duplicate file to the SIS store and leaves a pointer in place of the file.
Restricting Users
You can use the images that riprep.exe creates on systems with different hardware, but the hardware abstraction layer (HAL) must be the same. For example, you can't use Advanced Configuration and Power Interface (ACPI) to install a desktop image on a laptop. Therefore, restricting desktop users' access to images makes sense. To restrict users' access, you can set ACLs for the unattended setup installation file (i.e., .sif) that riprep.exe created. A riprep.exe image usually has only one .sif file, whereas a CD-ROM-based OS image might have multiple .sif files. By default, the .sif files assign everyone permissions. If you remove the Everyone group and explicitly give permission to an individual user or group, you can control what image choices the Client Installation Wizard presents. This restriction is one of the reasons that clients must log on to continue with the wizard.
Another reason for authentication is to determine what installation options the user has. The wizard offers four options:
Automatic Setup—This option uses the computer naming conventions and computer account location that you specified in the RIS server configuration and jumps directly to the list of OS image choices. If you've authorized the user to see only one OS choice, the wizard won't display the menu of OS image choices. Instead, the user will log on, and the wizard will ask the user only to confirm that the OS image RIS is installing is the correct one.
Custom Setup—This option lets the user define the computer name and account location before the wizard presents the OS image options. Then the wizard displays the OS image choices in the same manner as in the Automatic Setup option.
Restart a previous setup attempt—This option lets users restart a failed installation. The wizard won't prompt the user for computer names or locations.
Maintenance and Troubleshooting—This option displays a list of installed tools that users can use in the preboot environment.
To control the display of these choices, you can set a group policy for the RIS Choice Options. To modify RIS settings in the default domain policy, open AD, right-click your domain, select Properties, and select the Group Policy tab. The tab will display a group policy called Default Domain Policy. Highlight this policy, and click Edit. The left pane of the resulting window will display a Windows Settings folder. In this folder, select Remote Installation Services and double-click Choice Options. This action opens the RIS Choice Options screen.
Related Articles in Previous Issues |
---|
You can obtain the following articles from Windows 2000 Magazine's Web site at http://www.win2000mag.com/articles.ZUBAIR AHMAD"Windows 2000 Professional Deployment," Winter 1999/2000, InstantDoc ID 7431MARK MINASIInside Out, "Using Win2K's Remote Installation Service," September 1999, InstantDoc ID 7109"Windows 2000 ZAW Update," August 1999, InstantDoc ID 5701 |
For each option, you can specify to allow or deny a policy or specify that you don't care about a policy. If you set an option to Allow, the Client Installation Wizard will display it. If you set an option to Deny, the wizard won't display that option. And if you set an option to Don't Care, the wizard uses the group policy from the parent container to determine which options to display.
In my environment, I left the default domain group policy set to Don't Care. For my RIS clients, I created a second Group Policy Object (GPO), set the Apply Group Policy permissions for the security group that contains the clients, and set the Deny flag on every option except Automatic Setup. When clients in my environment log on to the Client Installation Wizard, they see only the Automatic Setup option, and the wizard continues straight to the OS image menu.
Is RIS Right for Your Environment?
Why would you want to use RIS in your infrastructure? From the initial build of a Win2K workstation to disaster recovery after a user deletes a crucial file, RIS can install Win2K Pro in a fast and efficient manner. When you combine RIS with Win2K's other Change and Configuration Management (CCM) components, such as IntelliMirror and the Windows Installer Service (WIS), you have a powerful solution for simplifying desktop management.
However, RIS has some drawbacks. First, RIS lets you install only Win2K Pro. Microsoft has announced that the company will add support for other OSs in the future. Other remote OS installation products (e.g., ON Technology's ON Command CCM) use PXE technology to install most Windows OSs, as well as provide preboot troubleshooting. Another limitation of RIS is its inability to handle multiple partitions. Disk imaging products have matured substantially in the past few years, and competing products have been able to work with multiple partitions for a while. Despite these shortcomings, RIS is still a good tool for deploying Microsoft's newest OS.
About the Author
You May Also Like