Advanced RIS Management
To get the most from RIS, you must go beyond basic management activities and customize your RIS deployments to improve their functionality, automation, personalization, and security.
February 13, 2001
Automate, customize, and enhance your RIS deployments
EDITOR'S NOTE: Portions of the following article were adapted from Sean Daily and Darren Mar-Elia's The Definitive Guide to Windows 2000 Administration (Realtimepublishers.com).
In "Understanding Remote Installation Services," February 2001, I explained the basic steps involved in setting up Microsoft Remote Installation Services (RIS) servers and clients and performing essential RIS management tasks such as adding servers and images. However, to get the most from RIS, you must go beyond these basic management activities and customize your RIS deployments. Fortunately, Microsoft provides several ways for you to customize your RIS deployments.
Managing RIS Answer Files
Each Windows 2000 deployment technology can stand on its own, but these technologies are more useful when you put them together. For example, RIS can use unattended setup answer files to create automated installations. Answer files are text files associated with typical Win2K installations (i.e., winnt or winnt32 Setup-based installations) that use the /U:answerfile parameter. An answer file, which you can create manually or by using the Win2K Setup Manager utility (i.e., setupmgr.exe in the support\tools folder of the Win2K CD-ROM), automates a Win2K installation by answering questions that Win2K Setup asks during installation. You can use answer files for more than standard Win2K installations. RIS can automatically create an answer file for each new image you place on the server.
By default, Win2K names the answer file for each RIS image ristndrd.sif, and each RIS answer file has a format similar to standard unattended setup answer files. (For more information about answer files and unattended installations, see "Related Articles in Previous Issues.") The ristndrd.sif file for a RIS image is in the i386\templates subfolder of the image's main folder. For example, if a RIS image folder is on the server's D drive in an image folder called win2000.pro, the image's ristndrd.sif file would be in a folder called \remoteinstall\setup\english\images\win2000.pro\i386\templates.
To customize your RIS installation, you can modify ristndrd.sif or create additional RIS answer files. You can also use the Win2K Setup Manager utility to customize RIS answer files. One of the utility's first dialog boxes asks which type of unattended setup answer file you're creating, and, as Figure 1 shows, offers Remote Installation Services as a choice. If you want to use Setup Manager to customize a RIS answer file, selecting this option is important because a RIS answer file contains settings that aren't in other answer file types. If you decide to manually create a RIS answer file, make sure that the file contains the following settings (you need to use the exact capitalization that the example shows):
[data]
floppyless = "1"
msdosinitiated = "1"
OriSrc = \\%SERVERNAME%\RemInst\%INSTALLPATH%\%MACHINETYPE%
OriTyp = "4"
LocalSourceOnCD = 1

[SetupData]
OsLoadOptions = "/noguiboot /fastdetect"
SetupSourceDevice = "\Device\LanmanRedirector\%SERVERNAME%\RemInst\%INSTALLPATH%"
After you've created your customized answer file, you need to associate the file with a RIS image. The following process walks you through how to do so:
Run the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in on a RIS server.
In the left pane, right-click the RIS server that contains the image for which you're associating an answer file, and select Properties.
On the Remote Install tab of the Properties dialog box, click Advanced Settings.
On the resulting Images tab, click Add to launch the Add Image Wizard.
Select the Associate a new answer file to an existing image option, as Figure 2 shows, and click Next.
The next dialog box lets you select the source location of the answer file, which can be a Windows image sample answer file or a file on another RIS server or in an alternative location. Select the location and answer file, and click Next.
The wizard will display a list of images that are on the RIS server. From the list, select the image you want to associate with the answer file, and click Next.
In the resulting dialog box, enter a descriptive name for the image and answer file combination, and click Next.
The final dialog box lets you review and confirm your previously selected settings. If you're satisfied with your settings, click Finish.
This process adds a new image selection to the menu of RIS images on the server and copies the selected answer file to the image's i386\templates subfolder.
Specifying CD-ROM Keys
To fully automate your RIS deployment, you might need to add a CD-ROM installation key to your RIS answer files because the default ristndrd.sif answer file doesn't include keys. Retail and OEM Win2K installations require CD-ROM keys. If you have a Win2K Select CD-ROM, you don't need to worry about CD-ROM installation keys.
You add CD-ROM keys to a RIS answer file as the ProductID value in the [UserData] section, as the following format shows (where x stands for the CD-ROM key integers):
[UserData]
ProductID = "xxxxx-xxxxx-xxxxx-xxxxx-xxxxx"
Although this field is called ProductID (rather than CDkey), Win2K uses the ProductID value in the [UserData] section for only the CD-ROM installation key value and generates a unique Product ID for each installation you create using the RIS image. Adding this information to the answer file is important because it prevents Win2K from prompting the user for a CD-ROM key.
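A hand-edited answer file can be checked for the required RIS settings listed earlier (including their capitalization) and for the ProductID entry described in this section before you associate it with an image. The following Python sketch is an added example, not code from the article or from Microsoft; the function names and the sample file are constructed for illustration, and it assumes the settings listed earlier are the complete required set.

```python
import configparser

# Settings the article lists for a hand-written RIS answer file,
# capitalized exactly as shown there.
REQUIRED = {
    "data": ["floppyless", "msdosinitiated", "OriSrc", "OriTyp", "LocalSourceOnCD"],
    "SetupData": ["OsLoadOptions", "SetupSourceDevice"],
}

# Constructed sample: OriSrc is miscapitalized; LocalSourceOnCD and [UserData] are absent.
SAMPLE_SIF = r"""[data]
floppyless = "1"
msdosinitiated = "1"
Orisrc = \\%SERVERNAME%\RemInst\%INSTALLPATH%\%MACHINETYPE%
OriTyp = "4"
[SetupData]
OsLoadOptions = "/noguiboot /fastdetect"
SetupSourceDevice = "\Device\LanmanRedirector\%SERVERNAME%\RemInst\%INSTALLPATH%"
"""


def _ci(names, want):
    # Case-insensitive lookup that returns the name as it is actually written.
    return next((n for n in names if n.lower() == want.lower()), None)


def check_sif(text):
    """Return a sorted list of findings for the text of one answer file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.optionxform = str  # keep key capitalization exactly as written
    cp.read_string(text)
    findings = []
    for section, keys in REQUIRED.items():
        actual = _ci(cp.sections(), section)
        if actual is None:
            findings.append(f"missing section [{section}]")
            continue
        if actual != section:
            findings.append(f"section [{actual}] should be written [{section}]")
        for key in keys:
            found = _ci(cp[actual], key)
            if found is None:
                findings.append(f"[{section}] missing {key}")
            elif found != key:
                findings.append(f"[{section}] {found} should be written {key}")
    user = _ci(cp.sections(), "UserData")
    if not (user and _ci(cp[user], "ProductID")):
        findings.append("no ProductID in [UserData]: retail and OEM media will prompt for the key")
    return sorted(findings)
```

Calling check_sif(SAMPLE_SIF) reports the miscapitalized OriSrc, the missing LocalSourceOnCD, and the missing ProductID; an empty list means the file passed every check.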
After you've created or modified the answer files you want to use with a RIS image, the next step is to associate the additional answer files with an image so that RIS uses the answer files during the deployment process. By default, all RIS images have the default ristndrd.sif answer file associated with them. The Client Installation Wizard includes that combination of a RIS image and its default answer file as an installation option for users installing from that RIS server. (The nine-step process in the previous section walks you through how to create this image-and-associated-answer-file combination.) When you associate an additional (i.e., not the default) answer file with an image, you're creating an additional image selection on the server. This installation option will appear in the list of images on the server on the Remote Install tab of the Active Directory Users and Computers snap-in and in the image selection menu that the Client Installation Wizard displays to the client. Thus, if you associate many different answer files with the images on a server, the server might contain only a few image folders but many image menu selections.
You can associate answer files only with RIS images that you generated from a CD-ROM or disk-based installation source folder. Images that you created by using the RIPrep utility can't use answer files. (For more information about RIPrep, see "Related Articles in Previous Issues.")
Customizing Client Installation Wizard Choices
You can use Group Policy Objects (GPOs) to set RIS policies that control which users and groups have access to which menu options within the Custom Installation Wizard, which the setup process presents to users. (For more information about GPOs, see "Related Articles in Previous Issues.") You can use the following method to set RIS policy:
In the left pane of the Active Directory Users and Computers snap-in on a Win2K Server system, right-click the domain in which you're setting policy, and select Properties.
On the Group Policy tab of the resulting Group Policy Object Links dialog box, select the GPO that you want to add the RIS policy settings to, and click Edit. This action opens the Group Policy Editor management console with the context set to the selected domain. The default policy for a domain is called Default Domain Policy Object, and you can store this policy at the domain, site, or organizational unit (OU) level.
In the left pane of the console, click User Configuration, Windows Settings, Remote Installation Services.
Double-click the Choice Options icon, which appears in the right pane.
In the resulting Choice Options Properties dialog box, which Figure 3 shows, set the selections you want for each of the Client Installation Wizard's configurable options: Automatic Setup, Custom Setup, Restart Setup, and Tools. The choices available for each option are Allow, which lets users whom this policy affects access the option; Don't care, which tells the wizard to ignore the policy settings for users whom this policy affects and to refer instead to the policy settings of the parent container; and Deny, which prevents users whom this policy affects from accessing the option.
You can extensively customize most aspects of the RIS Custom Installation Wizard; however, a detailed discussion of this capability is outside the scope of this article. A RIS server stores each of the Client Installation Wizard menus as .osc files, and the menus use an HTML-like markup language called OSCML to define the screen display and input fields. By editing these .osc files, you can customize the screen display or query users for ad hoc data through input fields and use the collected data to control and customize an unattended RIS installation.
Using Prestaging to Manage RIS Server Selection
RIS also lets you specify, or prestage, which RIS server will handle a particular client's request. This capability is especially useful if you want to ensure that a specific server that has the image the client needs responds to a given client. To accomplish this feat, you create a computer account for the client in Active Directory (AD) before you install the client through RIS. In this account, you specify a unique ID, which identifies the client and server.
How do you uniquely identify a machine? Most PC98- and NetPC-compliant machines have a globally unique ID (GUID) that the machines' BIOS configuration screens display. If you create a computer account and associate it with the client's GUID and a RIS server, the client will automatically contact that RIS server when the client boots from the network using its Preboot Execution Environment (PXE)-enabled BIOS.
You can use the following method to prestage a RIS client and specify a particular RIS server to service that client:
On the server, use the Active Directory Users and Computers snap-in to create a computer account object for the client in the appropriate AD OU.
On the Remote Install tab of the client object's Properties dialog box (which you access by right-clicking the client's computer name and selecting Properties), input the RIS server that you want to service this client in the Remote Installation server text box. (Figure 4 is an example of a client's Remote Install tab. This Remote Install tab is different from the one that appears on the computer object that represents the RIS server.)
In the Computer's unique ID text box, enter the client's GUID. You can use one of two formats to specify the GUID: "pretty-print format" or "raw-byte order." Which format you choose depends on how the client PC's BIOS provides the number. Pretty print is a more readable format and encloses the GUID in curly brackets (e.g., {12345678-1234-1234-1234-1234567890AB}). Raw-byte order has no text and uses a partially reversed byte order (e.g., 785634123412341212341234567890AB).
Most problems that occur with RIS client prestaging are a result of errors in the entry of the client's GUID. Be careful when entering these numbers, and check this field first when you're troubleshooting client-connection problems.
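Because a mistyped GUID is the usual cause of prestaging failures, it helps to validate an entry and convert between the two formats before comparing what the BIOS shows with what was typed into the computer account. The following Python sketch is an added example, not code from the article or from Microsoft; the function names are constructed, and it assumes that a bare 32-digit hexadecimal string is always raw-byte order.

```python
import re
import uuid

# Strict shapes for the two entry formats the article describes.
PRETTY = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
RAW = re.compile(r"^[0-9A-Fa-f]{32}$")


def parse_guid(text):
    """Parse either entry format into a uuid.UUID, rejecting malformed input."""
    s = text.strip()
    if PRETTY.match(s):
        # Curly brackets and hyphens, fields in their normal order.
        return uuid.UUID(s)
    if RAW.match(s):
        # Raw-byte order: the first three fields are stored byte-reversed.
        return uuid.UUID(bytes_le=bytes.fromhex(s))
    raise ValueError(f"not a valid pretty-print or raw-byte-order GUID: {text!r}")


def to_pretty(text):
    """Return the pretty-print form of an entry given in either format."""
    return "{" + str(parse_guid(text)).upper() + "}"


def to_raw(text):
    """Return the raw-byte-order form of an entry given in either format."""
    return parse_guid(text).bytes_le.hex().upper()


def same_client(entered, from_bios):
    """True when two entries, in either format, identify the same machine."""
    return parse_guid(entered) == parse_guid(from_bios)


if __name__ == "__main__":
    sample = "{12345678-1234-1234-1234-1234567890AB}"  # constructed sample value
    print(sample, "->", to_raw(sample))
```

The strict pattern matters: a pretty-print entry with a dropped hyphen or digit is rejected with ValueError instead of being silently accepted.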
Securing Client Image Selections
RIS provides several security features that let you control which users have access to which RIS servers in your network and which images on each server. For example, as I discussed in "Understanding Remote Installation Services," RIS lets you configure whether a RIS server will serve images to clients that haven't been authorized against AD. (By default, clients must authenticate during the Client Installation Wizard's setup process.)
Another security measure you can configure relates to RIS answer files (i.e., ristndrd.sif) that Win2K creates and uses by default for all non-RIPrep RIS images. You can set ACLs on individual answer files within each image folder. These settings will determine whether a user operating from the Client Installation Wizard will be able to use a particular image. To secure images in this manner, set the ACLs on each answer file by right-clicking the file, selecting Properties, and editing the file's ACL. Remove the Everyone group access control entry (ACE), and add Read permissions for each group or user that can access the image. You can find the answer files associated with each image in the i386\templates subfolder of each image folder. You can access these folders from the RIS server or over the network through a Uniform Naming Convention (UNC) pathname that points to the RemInst share on the RIS server.
Tricking RIS into Deploying Servers
One of the most frustrating and limiting aspects of Win2K's RIS technology is that it supports only the deployment of Win2K Professional images. Although Microsoft originally promised to support deployment of Win2K Server products, the company reneged on this promise. This lack of support is unfortunate because many network administrators want to use RIS to deploy servers.
However, you can easily trick RIS into imaging and deploying Win2K Server, Win2K Advanced Server, and Win2K Datacenter Server to remote systems. To fool RIS into deploying a Win2K Server machine (or another server-family product), copy the i386 folder of the product's installation CD-ROM to a hard disk. (At this point, a good practice is to perform an integrated installation of the most recent Win2K service pack to the distribution folder. For the technique to perform this installation, see "Understanding Remote Installation Services.") Next, edit the txtsetup.sif file, which is in the i386 folder in the hard disk copy of the installation files. To edit the file, use a text editor, and search for the keyword ProductType, which will bring you to a line that reads
ProductType = x
as Figure 5 shows. Change the value to 0; this value tells the OS that this installation is Win2K Pro. Next, create a new RIS image based on this customized hard disk-based distribution folder. After you name the new image folder and give it a descriptive name, edit the txtsetup.sif file in your hard disk-based distribution folder and change the ProductType value back to the original value. At this point, your new server image is ready for your RIS clients.
Microsoft hasn't documented this trick very well (the company mentions it only once in the article "How to Create a Remote Installation Share for Windows 2000 Server" at http://support.microsoft.com/support/kb/articles/q214/7/94.asp), and the company doesn't officially support this procedure. Therefore, don't expect Microsoft Product Support Services (PSS) to help with Win2K Server machines that you create using this method.
Room for Improvement
RIS doesn't sport the most sophisticated set of management tools—it doesn't even provide its own MMC snap-in. In addition, although RIS's deployment and customization features are fairly robust, the online manuals that accompany Win2K Server don't document these features' capabilities well. Therefore, how to take advantage of what RIS has to offer isn't always clear. However, using the techniques in this article, you can improve RIS's usefulness in your network.
Related Articles in Previous Issues
You can obtain the following articles from Windows 2000 Magazine's Web site at http://www.win2000mag.com.
SEAN DAILY
"Understanding Remote Installation Services," February 2001, InstantDoc ID 16432
"Customizing Unattended Win2K Installations," January 2001, InstantDoc ID 16219
DARREN MAR-ELIA
"Introducing Group Policy," September 1999, InstantDoc ID 7066
MICHAEL D. REILLY
Getting Started with NT, "Group Policy," March 2000, InstantDoc ID 8144