Rhonda J. Layfield, RJL, Inc. Session Code: CLI315


Upload: grace-regina-cameron

Post on 18-Jan-2018


DESCRIPTION

Rhonda Layfield
- IT industry 25+ years
- Contributes articles to Windows IT Pro magazine
- Setup and Deployment MVP
- Desktop Deployment Product Specialist (DDPS)
- Co-author of the Windows Server 2003 R2 and Windows Server 2008 books
- NEW Microsoft Deployment Book
- Offers a hands-on deployment class

TRANSCRIPT

What I'll Cover

Managing the WDS Server
- Installing and Configuring WDS
- 10) Permissions
- 9) 2K8 Deployment Failure
- 8) Renaming/Moving the WDS server
Creating an Image to Deploy
- 7) WDSCapture
Deploying an Image
- 6) Pre-staged settings do NOT take effect
- 5) WinPE Problems
- 4) Multicast
Automating the Deployment
- 3) Unattend Answer Files
Infrastructure Issues
- 2) DHCP Issues
- 1) PXE Issues

WDS Requirements
- WDS server must be a member of an Active Directory domain
- DHCP
- DNS
- NTFS partition on which to store images
(Diagram: bare-metal client with DHCP, WDS and AD/DNS servers, steps 1, 2, 3)

WDS on Server 2003
Installing WDS on a 2003 SP1 server:
- Install RIS
- Install the patch from the WAIK: windows_deployment_services_update.exe
Installing WDS on a 2003 SP2 server:
- Control Panel / Add/Remove Programs / Windows Components / WDS

WDS on Server 2008 (R2)
Installing WDS on a 2008 server:
- Server Manager -> Add Roles
- Select Windows Deployment Services from the list of roles

Configuring WDS
- Choose the path for the Remote Installation folder
- DHCP options
- PXE server settings

10) Permissions
Default permissions:
- Local administrator on the WDS server:
  Full Control of the RemoteInstall folder
  Full Control permissions on HKEY_LOCAL_MACHINE\System
- Domain administrator (domain where the WDS server resides):
  Full Control permissions on the Service Control Point (SCP) in AD DS for the WDS server

WDS and SCP
- WDS depends on AD DS for the PXE provider to create computer accounts and service control points (SCPs) in AD.
- The SCP is a child object under the WDS server's computer account object, used to store configuration data
- It identifies the server as a WDS server
Finding the SCP - DEMO
- ADSIEdit -> find your server's computer object -> expand your server -> CN=NameOfMyServer-Remote-Installation-Services -> Properties

Permissions Continued
- Enterprise administrator: Dynamic Host Configuration Protocol (DHCP) authorization permissions

Admin Approval
- The computer account is created using the server's authentication token (not the token of the admin performing the approval)
- WDSSERVER$ must have Create Computer Objects on the containers / OUs where the approved pending computers will be created
Admin Approval Continued
- Admin approval of pending computers: R/W to F:\RemoteInstall\MGMT, which contains Binlsvcdb.mdb
- Active Directory Users and Computers: create a custom task to delegate on the OU where the computer account will be created -> Write all properties on Computer Objects

Joining a Machine To a Domain
- ADUC: right-click the container or OU and go to Properties
- Click the Advanced button, add a user or group, then click the Edit button
- Under Apply to: This object and all descendant objects, Allow Create Computer objects
- OK (3x)
- BUT now that user can create computer objects and join machines to the domain
- What if you only want someone to be able to join a machine to the domain?

The JoinRights Setting Part 1
- The JoinRights registry setting determines the set of security privileges. Located at:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers\BINLSVC\AutoApprove\
  Name: JoinRights
  Type: DWORD
  Value: 0 = JoinOnly; 1 = Full
The JoinRights Setting Part 2
- The User registry setting determines which users have the right to join the domain. Located at:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers\BINLSVC\AutoApprove\
  Name: User
  Type: REG_SZ
  Value: group or user
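The JoinRights and User values above, set to the least-privilege JoinOnly configuration and then audited, as an added PowerShell example that is not from the session slides. The registry path and value names are the ones on the slide; CONTOSO\WDS-Joiners is a placeholder group, and the wdsutil switch names in the comment are assumed from the product documentation.

```powershell
# Added example (not from the session): set WDS Auto-Add approval to JoinOnly and audit it.
# Registry path and value names are the ones on the slide; CONTOSO\WDS-Joiners is a placeholder.
#Requires -RunAsAdministrator

$autoApprove = 'HKLM:\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers\BINLSVC\AutoApprove'
$joinAccount = 'CONTOSO\WDS-Joiners'   # placeholder: group allowed to join, but not create, computer objects

# Non-English DC caveat from the deck: the account name must contain only plain ASCII characters
if ($joinAccount -match '[^\x20-\x7E]') {
    throw "Auto-Add account '$joinAccount' contains extended characters; Auto-Add would fail"
}

if (-not (Test-Path $autoApprove)) {
    New-Item -Path $autoApprove -Force | Out-Null
}

# JoinRights: 0 = JoinOnly (least privilege), 1 = Full (can also create and modify computer objects)
New-ItemProperty -Path $autoApprove -Name JoinRights -PropertyType DWord  -Value 0            -Force | Out-Null
New-ItemProperty -Path $autoApprove -Name User       -PropertyType String -Value $joinAccount -Force | Out-Null

# Equivalent per-architecture form via wdsutil (switch names assumed from the documentation):
#   wdsutil /Set-Server /AutoAddSettings /Architecture:x64 /User:CONTOSO\WDS-Joiners /JoinRights:JoinOnly

# Restart so the WDS service (service name WDSServer) picks up the new values
Restart-Service -Name WDSServer

# Audit: warn if the setting has drifted back to Full rights or to a built-in high-privilege group
$current = Get-ItemProperty -Path $autoApprove
if ($current.JoinRights -ne 0) {
    Write-Warning "JoinRights is $($current.JoinRights) (Full); expected 0 (JoinOnly)"
}
if ($current.User -match 'Domain Admins|Enterprise Admins|\\Administrators$') {
    Write-Warning "AutoApprove User '$($current.User)' is a high-privilege group; use a dedicated join group"
}
```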
Non-English DCs
- Creating computer accounts against a non-English domain controller using the default user property.
- Set the Auto-Add settings to use an account that does not contain extended characters. Acceptable characters: [A-Z, a-z, 0-9, \, -, and so on]
- For example, if the German "Domänen-Admins" is used, the Auto-Add will fail.
- WDSUTIL /set-server /AutoAddSettings

Common Permissions (Task: Permission)
- Prestage a computer: ADUC -> create a custom task to delegate on the OU where you are putting the computer account -> Write all properties on Computer Objects
- Add/Remove Image or Image Group: FC on F:\RemoteInstall\Images\ImageGroup
- Disable an image: R/W for the image (on image properties in WDS)
- Add boot image: R/W on F:\RemoteInstall\Boot; R/W on F:\RemoteInstall\Admin (if upgrading from a 2K3 server)
- Remove boot image: R/W on F:\RemoteInstall\Boot
- Manage properties on an OS image: R/W on the image's Res.rwm file, found under F:\RemoteInstall\Images\
- Convert a RIPREP image: R on the original RIPREP image; R/W on %TEMP% and the destination folder
- Create Discover / Capture image: R on the original boot image; R/W on %TEMP% and the destination folder
- Create a multicast transmission: FC on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\Multicast; R on F:\RemoteInstall\Images\

9) 2K8 WDS - Deployment Fails
- Server 2008 increased the TFTP block size from 512 bytes to 1,456 bytes to speed things up.
- If your network has a TFTP block size of less than 1,456 bytes, this breaks WDS.
Resolution:
- Install the hotfix
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WDSServer\Providers\WDSTFTP
- Create a new REG_DWORD. Name: MaximumBlockSize. Value range: 512-1456

8) Renaming/Moving WDS Server
- Renaming a machine
- Moving a machine from one domain to another
- You'll need to uninitialize & reinitialize the WDS server. From a cmd prompt on the WDS server:
  Wdsutil /uninitialize-server
  Wdsutil /initialize-server /reminst:E:\RemoteInstall

7) Creating an Image to Deploy
WDSCapture
- WinPE
- Add boot.wim from a 2K8 Server .iso
- Right-click the boot.wim and choose Create Capture Image
- Add the new .wim file that you just created
- Sysprep -reseal / generalize
- Boot WDS Capture
- No volume to capture?
Deploying a W7 Client

6) Pre-Staged Settings Ignored
- Ensure there are not duplicate machine accounts pre-staged for the same machine
- Pre-stage using the MAC address
- Swap the NIC to another machine
- Dual admins: the 1st admin creates a computer object in ADUC, the 2nd admin pre-stages a computer object with the NIC or GUID; the first one found is used

5) WinPE Issues
- Using an older boot.wim
- Architectures and WinPE
- Copype WinPE: creating your own
Which boot.wim To Use
- The most current will always be best
- Windows 7 boot.wim can deploy: Vista SP1, Windows Server 2003 R2, Windows 7, Server 2008 & R2
- Accidentally use a Vista or Vista SP1 boot.wim? Vista boot.wim cannot deploy W7 or 2K8 R2: failure on the offline servicing pass even if it's not configured to install patches
Using an Old boot.wim

4) Multicast Issues
- Multicast traffic running really slow: which version of IGMP is being used, v3 or v2?
- Multiple WDS servers' multicast traffic: overlapping IP addresses. WDS snap-in -> Properties of Server -> Multicast tab -> change the IP addresses

3) Automating the Deployment
- Unattend.xml scripts (2)
- XP & 2K3 vs Vista and later
- Unattend.xml does not process settings: not named properly; not stored in the correct folder
Automating The Deployment

2) DHCP
(Diagram: bare-metal client and DHCP/WDS server: Discover -> Offer IP / PXE Server -> Request -> Acknowledge)
WDS & DHCP: 3 Scenarios
1. WDS and DHCP on the same subnet / different servers: the client will find WDS by broadcasting
2. WDS and DHCP on different subnets: the client must find WDS through options 66 and 67 set in DHCP
3. WDS & DHCP on the same server: the client must find WDS through Option 60 in DHCP
WDS & DHCP Same Subnet
(Diagram: client Discover; DHCP offers an IP; WDS answers "I'm WDS" / PXE Server; Request; Acknowledge)
WDS & DHCP Different Subnets
(Diagram: client Discover; DHCP offers an IP with Option 66 and Option 67; Request; Acknowledge)
WDS & DHCP on The Same Server
(Diagram: client Discover; DHCP/WDS offers an IP with Option 60 "I'm also WDS"; Request; Acknowledge)
WDS and DHCP on The Same Server?

1) Pre-Boot Execution Environment aka PXE
- The PXE protocol is an extension of DHCP
- Created by Intel as a standard with a set of pre-boot services stored in the boot firmware
- The goal: perform a network boot; find and download a network boot program (NBP) from a Network Boot Server
The PXE Process
From the client:
- Client receives an IP address
- Discovers a Network Boot Server (NBS)
- Downloads the Network Boot Program (NBP) from the NBS (TFTP) and executes it
From the server:
- Server's IP address
- Name of an NBP the client may request
Subnets, Routers and Switches: OH NO!
- All PXE / DHCP traffic is local traffic only
- DHCP port: UDP 67
- PXE traffic port: UDP 4011
PXE Server Settings
- Known client PXE boot
- Unknown clients
- No NBS or NBP
PXE Issues
- IP helpers configured properly on your switches and routers are more reliable
- Older PXE ROMs have issues with DHCP options 60, 66, 67
- Options 66 & 67 are referred to as a Network Boot Referral (NBR)

What We Covered - Wrapping IT UP..
Managing the WDS Server
- Installing and Configuring WDS
- 10) Permissions
- 9) 2K8 Deployment Failure
- 8) Renaming/Moving the WDS server
Creating an Image to Deploy
- 7) WDSCapture
Deploying an Image
- 6) Pre-staged settings do NOT take effect
- 5) WinPE Problems
- 4) Multicast
Automating the Deployment
- 3) Unattend Answer Files
Infrastructure Issues
- 2) DHCP Issues
- 1) PXE Issues

Troubleshooting Resources
- Error codes for WDS & AD Integration (BINLSVC)
- Permissions for Server & Client

(c) 2009 Microsoft Corporation. All rights reserved.
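The DHCP side of scenarios 2 and 3 above (options 66/67 for WDS on a different subnet, option 60 for WDS and DHCP on the same server), configured and then verified, as an added PowerShell example that is not from the session slides. It assumes the DhcpServer module of a Windows DHCP server, the default x64 NBP path boot\x64\wdsnbp.com, and the placeholder addresses 10.0.0.5 (WDS) and 10.0.1.0 (client scope).

```powershell
# Added example (not from the session): hand out the Network Boot Referral for a remote-subnet
# scope, and let WDS advertise itself via option 60 when it shares the box with DHCP.
# 10.0.0.5 and 10.0.1.0 are placeholders; DhcpServer cmdlets need Windows Server 2012 or later.
#Requires -RunAsAdministrator

$wdsServerIp = '10.0.0.5'              # placeholder: IP of the WDS / PXE server
$scopeId     = '10.0.1.0'              # placeholder: scope serving the bare-metal clients
$nbp         = 'boot\x64\wdsnbp.com'   # default WDS network boot program for x64 BIOS clients

# Scenario 2: WDS and DHCP on different subnets. Broadcasts do not cross the router, so the
# client only learns the boot server (66) and boot file (67) from its DHCP offer.
Set-DhcpServerv4OptionValue -ScopeId $scopeId -OptionId 66 -Value $wdsServerIp
Set-DhcpServerv4OptionValue -ScopeId $scopeId -OptionId 67 -Value $nbp

# Scenario 3: WDS and DHCP on the same server. Both want UDP 67, so keep WDS off the DHCP
# port and have it set DHCP option 60 (PXEClient) so the client knows the offer came from a PXE server.
& wdsutil.exe /Set-Server /UseDhcpPorts:No /DhcpOption60:Yes

# Verify: the referral must point at the real WDS server. A wrong or unexpected value here
# sends every PXE client to someone else's boot server, so compare against the known-good IP.
$referral = Get-DhcpServerv4OptionValue -ScopeId $scopeId -OptionId 66, 67
$referral | Format-Table OptionId, Name, Value -AutoSize
$bootServer = ($referral | Where-Object OptionId -eq 66).Value
if ($bootServer -ne $wdsServerIp) {
    Write-Warning "Option 66 on scope $scopeId is '$bootServer', expected '$wdsServerIp'"
}
Get-DhcpServerv4OptionValue -OptionId 60 -ErrorAction SilentlyContinue
```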