Saturday, December 26, 2009

Complete WDS in 2008 Server


2.3. Deployment

The deployment story in Windows Server 2008 (and Windows Vista, for that matter) has radically changed. Windows Deployment Services (WDS) replaces the old Remote Installation Services (RIS) product that was included with Windows 2000 and Windows Server 2003. It has a number of enhancements, improvements, and new features, but perhaps the most important and the most useful of them is the ability for WDS to read, manage, and stream the new Windows Imaging Format (WIM). WIM support was first baked into Windows Vista and solves a number of problems that you may have stumbled on if you've worked with imaging products for Windows in the past. While WDS can still deploy what it calls "legacy" images—for example, Windows XP installations in the format you used to use in conjunction with Remote Installation Services—WDS shines when you set up different WIM files with boot and install images for different architectures and systems.

With some upfront grunt work (and that may be putting it mildly), you can significantly reduce the time it takes to achieve a complete deployment on machines that are of different types, architectures, and configurations. Let's take a look at some critical components of the deployment infrastructure under Windows Server 2008.

2.3.1. Windows Imaging Format

Windows Vista introduced the Windows Imaging Format, a hardware-independent format that stores images of the operating system. The premise of WIM is to make images many-to-one in nature; in other words, multiple images can be contained within one WIM file. Since Windows Vista was architected to be so modular, 95% of the base operating system can be replicated among any number of images; as a result, Microsoft itself can ship just one binary image for each processor architecture—x86 and x64—to everyone in the channel. Additionally, the sizes of each of the image files are reduced using single-instance storage techniques and enhanced compression. Further, you can create WIM files very easily for your own uses and modify them as well.

Perhaps the best usability improvement of the WIM format is the ability to edit images offline using standard file management tools like Windows Explorer. You can add files and folder to an image; for instance, instead of the painful driver addition process in Remote Installation Services, you can simply drop drivers directly into a WIM-based image and have them automatically present for future deployments. Best of all, you don't need to create independent images for each edit you make—the additions, modifications, and deletions you make can coexist in one image, reducing management burden.

2.3.2. Windows PE

Windows Pre Environment, or Windows PE, is an execution environment designed to assist in installing and troubleshooting operating system installations. Rather than the old blue-background, text-based installation screen with previous versions of NT, Windows PE comes in graphical format and contains a full complement of tools to assist with getting Windows Server 2008 and Windows Vista installed on a drive.

The big win with Windows PE is that standard Windows network drivers work with it out of the box—no hunting for special NDIS drivers only for network deployment use. Additionally, it has a built-in firewall to protect the operating system in its most vulnerable state, when it is partially installed, and the ability to insert drivers from any sort of removable media into the session. You might recall the frustration of only being able to add a driver by hitting F6 at the right moment of Setup and then having the driver only on a floppy disk. Windows PE eliminates this annoyance.

2.3.3. Windows Deployment Services

Windows Deployment Services is the next generation of Windows 2000 and Windows Server 2003's RIS. It released with Windows Server 2003 Service Pack 2 and is the only supported method of deploying Windows Vista over the network, so if you want to stream Vista images to desktops and notebooks over the Net, you'll need to upgrade your RIS servers to that service pack level and then deploy WDS. WDS supports both x86 and x64 images as well.

Like RIS, WDS uses the Preboot Execution Environment (PXE) capabilities of most modern BIOSes and network interface cards to load a session of Windows PE. Windows PE then presents a menu to the user consisting of all the appropriate image and configuration options available on the WDS machine. The user selects a target, and the image—in WIM format, of course—is laid onto the disk of the target machine. It's all very elegant when you have configured it properly, and it makes it possible to reimage a system—in some cases, with applications and configurations as well—in less than 30 minutes. Imagine the boon to your support department: instead of wasting hours tracking down some obscure problem, you simply stream a new image to a machine while the user is out to lunch, and voilĂ ! Problem solved. True, that's a rosy case, but it's possible and realistic with WDS and WIM.

What's changed from RIS? Here's a quick rundown, courtesy of Microsoft:

  • The ability to deploy Windows Vista and Windows Server 2008 aside from simply Windows XP and the old NT-based operating systems

  • Windows PE can be used as a boot operating system, allowing for both deployment and troubleshooting

  • Support for WIM deployments

  • Ability to transmit data and images using multicast functionality, which allows the performance of deployment services over the network to scale significantly better and more efficiently

  • An enhanced PXE server stub

  • A new, more user-friendly boot menu format that is both easier to use and easier to configure

  • A new management console that helps you manage WDS servers on your networks, and the boot and install images contained thereon

There are two types of WDS servers that you can create: a transport server and a deployment server. The transport server only offers the core networking services; it doesn't give you all the functionality of WDS but is useful if you want to take advantage of the multicasting features in larger environments. A deployment server offers everything that WDS offers, including the transport components. For the purposes of this section of the chapter, we'll assume that we are working with a deployment server.

2.3.4. Installing and Configuring Windows Deployment Services

To install WDS, you need a Windows Server 2008 machine that is somehow joined to a domain. You'll also need DHCP working on your network, a valid DNS architecture, a partition formatted as NTFS, and a user account that is both a domain user and a local administrator on the server running WDS. If you meet all those requirements, you can install WDS by loading Server Manager, clicking Add Roles on the Roles Summary pane, and then selecting Windows Deployment Services.

Once you have added the role, it's time to configure the WDS server. There is a command-line utility, aptly named WDSUTIL, and there is the graphical component, which is an MMC snap-in. For this example, we'll walk through the graphical interface for WDS.

Your first steps should be as follows.

  1. We'll need to create a shared folder that stores the necessary programs and supporting files to enable PXE-based networking booting, the files for Windows PE which each machine will store in a dynamic RAM disk, the boot images for Windows PE itself so that it can fully run on your client machines, and the install images for your operating systems (these are the actual WIM files themselves that are meant to be deployed to your target machines).

  2. We then have to tell WDS how to answer PXE requests from the network, so that incoming client requests are answered or ignored depending on how security-conscious you want your deployment to be.

  3. Next, your DHCP settings should be changed, whether your DHCP service is hosted on a Windows Server 2008 machine or provided by some other network device. Specifically, all DHCP broadcasts on UDP port 67 by client computers should be forwarded directly to both the DHCP server and the Windows Deployment Services PXE server. Also, all traffic to UDP port 4011 from the client computers to the Windows Deployment Services PXE server should be routed appropriately. The WDS Configuration Wizard will take care of this step in most environments.

The Windows Deployment Services Configuration Wizard will handle a lot of these tasks for you, so let's load it and run through the wizard to get a baseline configuration prepared. If you haven't already, install the WDS role by using the Add Roles Wizard, which you can enter from the appropriate link at the bottom of the Initial Configuration Tasks page. Then, from the Administrative Tools submenu off the Start menu, select Windows Deployment Services. In the left pane, expand the server list, right-click on the current server, and select Configure Server. The wizard launches.

  1. On the Select Server Roles screen, shown in Figure 2-8, check the Windows Deployment Services box and click Next.

    Figure 2-8. The Select Server Roles screen

  2. The Overview of Windows Deployment Services screen appears, as shown in Figure 2-9. Read the overview and listing of requirements, and then click Next when you finish.

    Figure 2-9. The Overview of Windows Deployment Services screen

  3. The Select Role Services screen appears, depicted in Figure 2-10. Here, you select which of WDS's two roles you want to install, or you can opt for both. The Deployment Server role provides all of the functions and features of WDS and requires the components of the Transport Server role, which actually move the bits and bytes of your operating system images around the network. You can install the Transport Server role without the Deployment Server role, but you cannot have the Deployment Server role without the Transport Server role. Try it; the Add Roles Wizard will flash an error if you attempt the remove the latter and keep the former. For the purposes of our demonstration here, select both roles and click Next.

    Figure 2-10. The Select Role Services screen

  4. The Confirm Installation Selections screen appears. Verify the settings you've chosen in the wizard and then click the Install button. You may need to restart the machine you are using.

Once the WDS roles are installed, it is time to run the configuration wizard. The Welcome Page appears, as shown in Figure 2-11. Read the introduction and then click Next.

Figure 2-11. The Welcome Page of the Windows Deployment Services Configuration Wizard


The Remote Installation Folder Location screen appears, as shown in Figure 2-12. Here, you tell WDS where to store images to stream to clients. This folder must reside on a volume formatted by NTFS. It's recommended that you choose a volume that doesn't contain the Windows system files for best performance, although you won't be prevented from selecting the system disk—simply acknowledge the warning that will appear. Choose a path, and then click Next.

Figure 2-12. The Remote Installation Folder Location screen


The PXE Server Initial Settings screen appears, depicted in Figure 2-13. Here, you can establish whether your WDS machines will respond to clients who aren't made known to WDS before you begin their deployment. If you want any computer to be able to stream an image to its drive (subject to that user having appropriate permissions), then choose "Respond to all known and unknown client computers." You can also elect to have unknown clients make a request that can subsequently be approved by an administrator. To require that clients be prestaged within WDS, choose the second option, and to turn off WDS network booting completely, choose the first option. Click Finish to complete the wizard.

Figure 2-13. The PXE Server Initial Settings screen


The wizard will trundle for a while, completing the initial configuration steps, and then you will see the Configuration Complete screen, shown in Figure 2-14.

Figure 2-14. The Configuration Complete screen


Next up, you need to add the boot images. These are the images that download over the PXE-based network connection and set up the Windows PE-based environment in which all of the deployment magic happens. Expand the server to which you want to add the boot images, right-click on the Boot Images folder, and select Add Boot Image. Then, insert the operating system media into the local CD or DVD drive, and browse to the BOOT.WIM file (on the Windows Server 2008 DVD, it is located in the \Sources directory off of the root of the CD). Click Open, and then enter a friendly image name and description, click Next, and wait as the images are copied to the WDS machine's shared folder that you established during the configuration wizard.

Finally, you add the install images, which as you will recall are the actual target images streamed down over the network onto the machines on which you want an operating system installed. To get started, I recommend putting a default image of Windows Vista or Windows Server 2008 on your WDS machine. While this image won't come out of the box tweaked to your liking or with applications and settings preconfigured, I have found it useful to have the ability to install a vanilla Windows system over the network for other purposes as well. Additionally, you can start with these plain images, stream them to a system, customize them, capture the resulting image, and then re-upload it to the WDS machine, all without touching distribution media. To add a default install image of Windows Server 2008 onto your WDS machine:

  1. Click on the server that will store the install image and expand it to expose the tree of folders beneath it.

  2. Right-click on the Install Images folder in the left pane and select Add Install Image.

  3. The Image Group screen appears, as shown in Figure 2-15. Type a name for this image group—groups are simply ways to organize collections of images. For example, type in Windows Server 2008 Installations into the group name box. You can then add more images later and store them in this group to make it easy to administer them from the WDS MMC snap-in. Click Next.

    Figure 2-15. The Image Group screen

  4. The Image File screen appears. Browse the distribution media to find the INSTALL.WIM file located on the disc. For Windows Server 2008, you can find this image in the \Sources folder off the root of the media. Click Open.

  5. The List of Available Images screen is next (see Figure 2-16). Here, you select which of the editions of the product you would like to make available to installation clients. Clear the checkboxes of images that you would like to exclude from the WDS server, and then click Next.

    Figure 2-16. The List of Available Images screen

  6. The Summary screen shows Click Next to add the images to the store. This could take a while, as there is a lot to copy and manage.

Your boot and install images are now set up on the WDS server.

2.3.5. The Boot Menu

The Boot menu is a text-based screen that appears when WDS first begins loading after the PXE network environment has been established. The boot menu allows the user to choose between boot architectures—x86 clients can choose the right architecture, and there is a special boot version for x64 architectures as well—and further along in the process, it will dictate what choices appear in the installation menu.

WDS and 64-Bit Clients: A Quick Tip

You might find that some of your x64-based hardware isn't being detected correctly by your hardware and/or the PXE software. In this case, you may want to explicitly instruct WDS to show both x64 and x86 options on the boot menu. The simplest way to do this is from the command line, as follows:

WDSUTIL /Set-Server /Defaultx86x64ImageType:both 


2.3.6. Creating and Modifying Images

Now that you have a sense of how to deploy WDS, and you have a few plain-vanilla install images on your server, you can set about creating custom images. You can create boot images and install images that are different from the defaults and suited to your requirements.

2.3.6.1. Creating and modifying boot images

You can create two different types of boot images for your needs: a capture image, which is what you boot a client computer into in order to capture an image of its hard drive for later deployment; and a discover image, which is used to install an operating system via WDS onto a computer that, for lack of hardware or software support, doesn't allow a PXE environment to be created.

Capture images automatically boot into the Windows Deployment Services Capture Utility in lieu of Setup. You use a capture image on a computer that is ready to be imaged, and once it is booted, a wizard creates an install image of the reference computer and saves it as a .wim file. You can then upload this WIM file onto your WDS server for deployment to other target machines. Alternatively, you can burn a CD or DVD that contains a capture image and the ImageX command-line utility. You can then boot the sourced system with the media, run ImageX to create the WIM-based image, and then connect over the network to a machine and upload that image for storage. I find it useful to have one of these capture image DVDs available, even if you choose not to make that method your standard way of capturing images.

To create a capture image:

  1. Open the Windows Deployment Services MMC snap-in.

  2. Expand Boot Images in the left pane.

  3. Right-click on an image to use it as the foundation for your capture image, and select Create Capture Boot Image.

  4. Enter a name, description, and the location to save the image.

  5. Finish out the wizard and then right-click the boot image folder and select Add Boot Image from the resulting menu.

  6. Browse to the new capture image you just created, and then click Next.

  7. Finish the addition wizard and close out. Your capture image is now ready to be deployed.

The second type of boot image you can create, a discover image, forces Setup.exe to launch in Windows Deployment Services mode and then ping around the network to find an active WDS machine. You can use these images on a CD or DVD to allow WDS to stream deployments to machines that don't or won't support PXE. To create a discover image, use the following procedure:

  1. Open the Windows Deployment Services MMC snap-in.

  2. Expand Boot Images in the left pane.

  3. Right-click on an image to use it as the foundation for your discover image, and select Create Discover Boot Image.

  4. Enter a name, description, and the location to save the image.

  5. Finish out the wizard and then right-click the boot image folder and select Add Boot Image from the resulting menu.

  6. Browse to the new discover image you just created, and then click Next.

  7. Finish the addition wizard and close out. Your discover image is now ready to be deployed.

If you are interested in creating hard media, such as a CD or DVD, to contain your discover image, you can download the Windows Automated Installation Kit from the Microsoft web site and install it. From that point, open a command prompt to the C:\Program Files\Windows AIK\Tools\PETools folder and commence the following procedure:

  1. Create a Windows PE build environment by entering CopyPE {arch} c:\WinPE, replacing the architecture of the boot image you'd like when issuing the command.

  2. Copy the discover image to a target directory using the following command:

    copy /y c:\boot.wim c:\winpe\iso\sources 

  3. Go back to the PETools folder in step one, and create the bootable ISO image using the OSCDIMG utility that is bundled in the Windows Automated Installation Kit. Type the following:

    oscdimg -b -bc:\winpe\ISO\boot\etfsboot.com c:\windpe\ISO c:\winpe.sio 

  4. Burn the resulting c:\winpe.iso file to a CD or DVD using your preferred burning and mastering software.

2.3.6.2. Creating install images

You can build custom install images (the images that consist of the actual operating system and any changes you want to bake into the package) from prepared computers and upload them for deployment to target machines. Generally, you boot the source computer normally, run the sysprep utility in most cases to strip out physical machine-specific information and security identifiers, then reboot into a WDS-based capture image, take a WIM-formatted image of the client, upload it somewhere else, and then reboot.

Specifically, after you have finished configuring the source (or reference, as Microsoft refers to it) computer the way you'd like it to be imaged, run the following from the command line:

sysprep /oobe /generalize /reboot 

After the utility has finished and the computer has restarted, press F12 and select the capture image from the boot menu that will be displayed. Choose the drive that contains the operating system on which you just ran SYSPREP, provide a name and description for the image, and click Next to continue. Then browse to a location on the machine where you can store the resulting .WIM file, enter a name of the image file, and then click Save. Finally, click "Upload image to WDS Server," enter the name of your WDS machine, and click Connect, entering credentials if prompted or necessary. (Choose the correct image group along the way if you are so prompted.)

Click Finish, and your image will be created, prepared, and uploaded, and will be ready for deployment to your target machines.

2.3.6.3. Sysprep: the system preparation tool

The most common catch to any imaging solution is the need to identify and scrub security identifier (SID) information from your image. Deploying an image onto multiple computers, all with the same SID information, is an invitation to disaster. Sysprep is the answer to this problem.

Sysprep will not reimage a domain controller, a member of any cluster, or a machine functioning as a certificate server because of the inherent machine-specific characteristics of those services. However, after Sysprep has completed, these services are certainly supported and available to be installed.


Here's an overview of how Sysprep works:

  1. You generate a prototype image and configure everything on that system as needed.

  2. You then copy the profile of the account that has the settings and customizations you've been performing to the Default User profile, so that all future users of the system get those tweaks.

  3. Then you run Sysprep. This scrubs SIDs and personal information from your prototype and shuts down the machine.

  4. Next, you boot the computer from your WDS capture image and generate the WIM file. You can optionally upload that image as well.

  5. Finally, you reboot the computer without the floppy, and proceed through mini-Setup again so that all personal information can be restored and new SIDs can be generated. (You can script this process so that a mini-unattended installation is performed.)

2.3.7. Configuring and Performing Unattended Installations with Scripts

If you are interested in further automating the deployment of operating systems using WDS, look into using unattended installation scripts: not only can you kick off an OS deployment over the network, but you can customize the responses to setup prompts, installed programs, product keys that are configured, and more, so that even if you aren't using an imaged system, you achieve a consistent setup on all machines you roll out.

In Windows Server 2008 and Windows Deployment Services, there are essentially two different unattend files: a WDS client unattend file, which resides on the WDS server and directs the WDS client interface to install the right image and partition disks correctly; and the actual unattend file for the image itself, which is the type of unattend file with which you may be more familiar. This is stored in the $OEM$ structure common in the Windows 2000 and Windows Server 2003 days, or in the \Unattend directory in the image, and automates the remainder of the Setup process that the WDS unattend file can't address.

You'll find the Windows Automated Installation Kit will come in handy if you are creating more than the simplest unattend files—in particular, the Windows System Image Manager can walk you through creating an unattend file, which can then be assigned (associated, in effect) either to clients hitting a specific server or specific clients themselves, as well as different machines based on x86 and x64 architectures.

The format of the WDS client unattend file is easy to read, as it's in XML, which has a familiar syntax and structure. A sample follows.

<?xml version="1.0" ?> <unattend xmlns="urn:schemas-microsoft-com:unattend">    <settings pass="windowsPE">       <component name="Microsoft-Windows-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86">          <WindowsDeploymentServices>             <Login>                <WillShowUI>OnError</WillShowUI>                <Credentials>                      <Username>username</Username>                      <Domain>domain</Domain>                      <Password>password</Password>                   </Credentials>                </Login>             <ImageSelection>                <WillShowUI>OnError</WillShowUI>                <InstallImage>                   <ImageName>Windows Vista x86</ImageName>                   <ImageGroup>Windows Vista</ImageGroup>                   <Filename>Install.wim</Filename>                </InstallImage>                   <InstallTo>                   <DiskID>0</DiskID>                   <PartitionID>1</PartitionID>                </InstallTo>             </ImageSelection>          </WindowsDeploymentServices>          <DiskConfiguration>             <WillShowUI>OnError</WillShowUI>                <Disk>                   <DiskID>0</DiskID>                   <WillWipeDisk>false</WillWipeDisk>                   <ModifyPartitions>                      <ModifyPartition>                         <Order>1</Order>                         <PartitionID>1</PartitionID>                         <Letter>C</Letter>                         <Label>CLIENTMACHINE</Label>                         <Format>NTFS</Format>                         <Active>true</Active>                         <Extend>false</Extend>                      </ModifyPartition>                   </ModifyPartitions>             </Disk>          </DiskConfiguration>       </component>       <component name="Microsoft-Windows-International-Core-WinPE" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86">          <SetupUILanguage>             <WillShowUI>OnError</WillShowUI>             <UILanguage>en-US</UILanguage>          </SetupUILanguage>          <UILanguage>en-US</UILanguage>       </component>    </settings> </unattend>   					  

Here's the process to integrate unattend files with your WDS deployment. Start by associating the WDS unattend file to the appropriate image.

  1. Create your unattend.xml file for the WDS client. I suggest using the Windows System Image Manager, part of the Windows Automated Installation Kit.

  2. Once you've created the unattend.xml file, upload it to your WDS server at the \RemoteInstall\WDSClient\Unattend folder.

  3. Open Windows Deployment Services Manager.

  4. Right-click the WDS server that is hosting the image to which your new unattend file should be assigned, and click Properties.

  5. Navigate to the Client tab.

  6. Check the "Enable unattended installation" box, browse to your unattend file at \RemoteInstall\WDSClient\Unattend folder (use the full network path—don't go through the WDS server's local C: drive), and click Open.

  7. Click OK.

Next, you can associate the Windows Setup unattended file to the image for a full hands-off deployment. To do so:

  1. Open Windows Deployment Services Manager.

  2. Expand the image group that contains the image you want to use.

  3. Right-click the specific image and select Properties.

  4. Navigate to the General tab.

  5. Click "Allow image to install in unattend mode," and then click the Select file and browse to your Windows Setup unattend file. Click OK.

  6. Click OK to close out of the Properties sheet.

No comments:

Post a Comment