In-Depth

Systems Engineering: Assembly-Line Deployment

When you're calculating TCO to justify Windows 2000, don't forget Remote Installation Services, a neat tool to deploy the OS to your client PCs.

When I worked on a corporate help desk, the one activity that seemed to consume more of my time than any other was building computers for users. I always seemed to be installing Windows 95 or Windows NT on a PC. It didn’t seem to matter whether the build was for a new user (and there seemed to be a never-ending stream of new users) or existing users getting new machines. Of course, installing the operating system was just the beginning. Our build included Microsoft Office, a handful of terminal emulation packages, messaging—you name it, we probably had it. On average, it took two or three hours to prepare a machine for a user.

If you work in a help desk environment, this story probably sounds familiar. If you add up the time it takes to retrieve the computer from the user’s workstation, take it to the staging room, rebuild the machine and return it, you’re talking about a lot of time. And of course, wasted time is one aspect of total cost of ownership.

For coverage of other deployment tools, see "Roll 'Em Out", by Tony Northrup in this issue.

With Windows 2000 here, some of us are starting to plan deployments of the product to users. Microsoft has done a great job in delivering a stable OS, and it’s wrapped in the message of reduced TCO. One of the features of Win2K that will reduce your TCO is Remote Installation Services, or RIS.

RIS is part of Win2K Change and Configuration Management, a group of disciplines that aim to make desktop management more efficient. These features include offline folders, software installation, enhanced roaming user profiles, and RIS. Since RIS shows up in the objectives list for the upcoming core Win2K Professional (70-210) and Directory Services Infrastructure (70-217) exams, you’ll need to understand its operation if you plan to tackle the new MCSE track.

This article will give you a detailed look at the components and features of RIS. Before we discuss that topic, however, we need to look under the hood and examine the engine. In this case, the engine is PXE, or PreBoot Execution Environment.

Under the Hood

PXE allows PCs to use their network cards as boot devices. Just as you can boot from your 3.5-inch disk, your CD-ROM, or your hard disk, PXE allows your computer to go out on the network to find a boot image.

The PXE process isn’t elaborate. PXE communicates using DHCP messages over ports 67 and 68. When you start a computer with the network device set to be the boot device, the NIC must do three things. First, it must get an IP address from a DHCP server so that it can communicate using TCP/IP. Second, it simultaneously asks for the name of the server that is providing the bootstrap programs and the name of the actual bootstrap program. The BINL (Boot Image Negotiation Layer) service on RIS handles this request. Once the NIC gets an IP address and the bootstrap information, it uses Trivial File Transfer Protocol to download the boot image to the computer. TFTP is also running on the RIS server. On the client PC the boot image calls a program called OSChooser, which in turn starts the Client Installation Wizard. This wizard manages the setup of Win2K. Figure 1 illustrates the PXE communications process.

Now that we know a little more about PXE, let’s look at the requirements to implement RIS.

Figure 1. The PXE communication process: 1) Initial DHCP discovery with PXE client extensions; 2) DHCP offer from the DHCP server and extended DHCP offer with PXE server extensions from the RIS server; 3) DHCP request; 4) DHCP acknowledgement; 5) DHCP request to BINL service with PXE client extensions; 6) DHCP acknowledgement with bootstrap program name; 7) request for bootstrap program to TFTP service; 8) bootstrap program downloads via TFTP.

What You Need

You must meet a few hardware and architecture requirements before you introduce RIS to your enterprise. First, let’s look at the hardware requirements for your clients and servers.

According to Microsoft, the server you install RIS on must have a Pentium II 400MHz or faster processor, 128M of RAM, and a separate 2G partition (in addition to your system partition) dedicated to the RIS components and images. In reality, you should probably have a Pentium III 500MHz processor with an absolute minimum of 256M of RAM. If you’re going to install any other services, such as DHCP, or make this a Domain Controller (DC), then you should consider adding even more memory and processor to the machine.

On the client, Microsoft again suggests a Pentium 166MHz or faster, 32M of RAM, and a 1.2G hard disk. From experience, I suggest you increase the processor and amount of memory in your PCs as well.

If your PCs are PC98- or NetPC-compliant, they’ll already have the PXE Remote Boot ROM. If they’re not, then you’ll need to install a NIC that has the PXE Remote Boot ROM, or one of the supported PCI NICs. (To confirm compliance, ask the manufacturer. For instance, if you look at the specifications for the Optiplex GX1p posted on Dell’s Web site, there’s a Management section. Although it doesn’t specify PC98 compliance, it does list the management features: DMI 2.0, Wired For Management (WfM) 1.1a, and Preboot Execution Environment (PXE). This tells me it’s compliant.)

From an architecture point of view, the requirements for RIS are the same as for implementing a Win2K Active Directory infrastructure. You’ll need to have AD, a DHCP server, and a Win2K-compliant DNS server running on your network. Obviously, you’ll need to install RIS on one of your servers. It doesn’t matter if you put RIS on a domain controller or a member server.

There are a few important things to understand about RIS. First, you can install only Win2K Professional using this service. Microsoft plans to allow installation of other OSs in the future, but we’re not there yet. Next, you can’t use RIS to upgrade a PC from an earlier OS to Win2K. The RIS process formats the hard disk before it installs the OS. Thus, RIS supports only a clean install of Win2K. Finally, RIS will support only a client PC with a single hard disk and a single partition. If your PC has multiple partitions, RIS will reconfigure your PC with just one.

Now that we’ve defined the requirements for RIS in your infrastructure, let’s look at the steps for installing it.

Installing and Configuring RIS

You can add the components for RIS to your server in two ways. First, they can be added during the initial build of the server. You simply need to choose the RIS components during setup. The second way is to use Add/Remove Software on an existing server. You’ll need to open Add/Remove Programs, choose Add/Remove Windows Components, and then choose Remote Installation Services. You need access to your Win2K source files for this operation. When the files have been copied, reboot your server.

Once you have the components on your server, run the Remote Installation Services Setup Wizard. To start the Wizard, choose Start | Run and type:

Risetup.exe

Choose OK to run the program. The RIS Setup Wizard performs a number of steps. First, it asks where you want the RIS directory to reside on your server. This directory must be on its own NTFS-formatted partition on the server.

Next, it asks if you want to allow the server to begin responding to clients immediately after completion of setup (see Figure 2). This is checked by default. Another option here asks if you want to ignore unknown client computers. An unknown computer is one that doesn’t have a computer record in AD. We’ll discuss this topic in the advanced settings section.

Figure 2. Passwords in a domain are synchronized with the mainframe using SNA Server and SecurePass.

The next three screens ask for information about the initial Win2K Professional image that will be created. You’ll need the Win2K Professional source files for this step. As shown in Figure 3, you’ll also need to type in a name for the image folder (by default it’s win2000.pro) and a friendly name and description for the image. This name will be shown in the Client Installation Wizard, and appears when you look at the properties of the RIS server.

Figure 3. Provide a friendly name for your first image.

The last step in the Wizard is to verify all of your settings. Once you’ve checked everything, the Wizard creates all of the folders, makes registry changes, and copies the Win2K files to the RIS server. Once this is complete, the Wizard starts the Boot Information Negotiation Layer (BINL) service. There’s one more step to complete before your RIS server is ready to service client requests.

Authorizing Your Server

Win2K introduced a new security feature for DHCP servers. This is the process of authorizing the DHCP servers in AD. If you’re familiar with DHCP in NT 4.0, you know the problems that occur when someone puts a “rogue” DHCP server on your network. Before you know it, clients start to get IP addresses outside the range for your subnet, and you begin to get calls from users who can’t communicate on the network. Win2K tries to alleviate this problem by requiring that DHCP servers be authorized to provide their services. As I mentioned, RIS uses DHCP to communicate. Thus, the RIS server also needs to be authorized, since it looks like a DHCP server to AD.

To authorize your server, you’ll need to open the DHCP Microsoft Management Console. If you right-click on the word DHCP at the root, you’ll get a menu. As shown in Figure 4, choose Manage Authorized Servers. In the dialog box that appears, choose Authorize. Type in the name or IP address of your RIS server and choose OK.

The DHCP service will verify the address, and if all is OK, your RIS server is ready to begin providing images.

Figure 4. Authorizing your RIS server.

Server Configuration

At this point your RIS server can be used to install Win2K Professional on client PCs. There are additional settings available to you on the server properties page. To configure your server, open AD Users and Computers. Double-click on the domain and open the container where the RIS server computer object is located. If you installed RIS on a domain controller, look in the Domain Controllers container. If you installed RIS on a member server, the object is in the Computers container by default. Locate the computer object and right-click to produce a menu. Choose Properties. Choose the Remote Install tab, as seen in Figure 5, to open the RIS properties screen.

Figure 5. RIS server properties.

You can customize a number of items on this page. First, you can instruct RIS to respond to client requests and ignore requests from unknown computers. (This is identical to the options you saw during setup.) You can Verify the Server if you’re having difficulty. This is a troubleshooting tool. You can search AD for RIS clients using the Show Clients button. Finally, you can access the Advanced Settings of RIS.

When you choose the Advanced Settings button, you’ll see another dialog box with three tabs. On the New Clients tab, you’re given options regarding how client computers are named and where they’ll be placed in AD during Win2K setup. There are a number of choices for computer naming, such as first initial/last name or MAC address. You can also choose Custom. This opens a separate dialog box for creating a custom naming format.

The second tab on this dialog box, called Images, shows you which images have been installed on the server. Right now, you should have one image available for clients to install. From here, you can add new images or remove old ones that are no longer required.

The third tab, called Tools, lists third-party preboot environment tools you’ve installed. These tools run on the client PC before the OS has been installed. For example, you may have a tool provided by your BIOS vendor that allows you to make BIOS setting changes.

Once you’ve configured your server to meet your needs, you’ll probably want to create new OS images. The next section describes that process.

Creating Additional Images

RIS provides two types of images to client PCs. From the client’s perspective, they look the same; there’s no difference in the way they’re installed. From your point of view, they’re somewhat different.

The initial image you installed during setup is called a CD-based image. This is where the source files are copied from the Win2K Professional CD or a network share, and an answer file customizes the installation on the client PC. You can make additional answer files using the Setup Manager (a Resource Kit utility) and then associate the new answer file with a new image name.

Another image type is the RIPrep-based image. This type is created using the Remote Installation Preparation Wizard. The RIPrep-based image starts with a client PC and a base installation of Win2K Professional. You then make any changes required for your environment, such as network settings or display settings, and add any corporate software packages required for your users. This PC is now called a Reference PC. At this point, you run the RIPrep program from the Reference PC. The program will remove the SID from the computer (much like SYSPREP) and copy the files to the RIS server.

An important note about using RIPrep—you’ll have to run a mini-setup process when you reboot the Reference PC. The RIPrep process removes all domain information contained on the PC. Another important note about RIPrep images—they can only be used on machines with identical hardware abstraction layers. For example, you can’t deliver an image from a desktop PC to a laptop PC—their HALs are different because of the power management interface.

After the RIPrep Wizard is complete, you have an additional image to deliver to your clients.

The next section of this article walks you through the Client Installation Wizard, which is the program that starts the Win2K Professional installation on your client PCs.

What about Ghost?
You’ve probably at times used a disk imaging package such as Norton Ghost or Powerquest’s Drive Image Pro. These types of programs are great for deploying a new build to a machine quickly. When you team a disk-imaging program with Microsoft’s SYSPREP utility, you can be assured of delivering a good image to most machine types. If you compare the delivery speed of RIS to a disk-imaging package, RIS is going to lose the race.

From the convenience standpoint, both methods are equal. You need to do a good deal of work upfront to realize any benefit on the client side. The ability to install the OS in a preboot environment is cool, but most enterprises lack the PXE capability unless they’ve upgraded their client PCs in the last year or so. In addition, you can’t use PXE to deliver an image to a token ring NIC or a PC card.

I’ve been looking at the latest version of Ghost, and it now gives you the ability to use the PXE capabilities of RIS to boot a PC and connect to a Ghost Multicast server. By using the Multicast Assist feature, Ghost will add an “image” to the menu in the Client Installation Wizard. By choosing this “image,” you’ll make a multicast connection to the Ghost server, and the image will be downloaded to your PC. At the time of this writing, I’m still in my testing phase, but it looks very promising.

So what are we left with? The fact that RIS is built into the product means you don’t have to rely on third-party tools to install the OS on client machines.

—John M. Gunson

Installing Win2K Professional

At this point, you should have a good idea of the processes running behind the scenes. In this section, we’re going to look at what occurs when you boot your client PC.

When you turn on your client PC, you’ll see a few messages from the DHCP process and a message that states, “Press F12 for Network Boot.” This indicates that you’ve received the bootstrap program from the BINL service. When you press F12, you receive the Welcome Screen from the Client Installation Wizard. Press Enter.

Next, the Wizard asks for your AD username, password, and domain. The Wizard will authenticate you against the Directory to make sure you’re a valid user and to determine which images you’re allowed to download. Once you’re authenticated, you’ll see a screen that gives you between one and four choices. By default, you’ll see the Automatic Setup option. Depending on how RIS has been configured in Group Policy, you could also see Custom Setup, Restart a Failed Installation, or Maintenance and Troubleshooting. (A Group Policy object for RIS configures which options are available to users. Domain users will only see Automatic Setup, and Administrators will see both Automatic Setup and Custom Setup.)

When you choose Automatic Setup, you’ll see a list of all the options you’re allowed to download. (As an administrator, you can set access control lists (ACLs) on the image folders to restrict who can download the images.) After you choose an image, you’ll see a confirmation of which image you chose, the GUID of the client PC, and the container in AD where the computer object will be placed. When you choose Next, the installation of Win2K begins.

The only difference between Automatic and Custom setup is that you can change the computer name and container location. These are configured for you by Automatic Setup.

Remote Installation Services is a handy feature of Win2K. By using the PXE Remote Boot ROM capability of certain network cards, you can remotely install Win2K Professional on client PCs. RIS does have its drawbacks: It can only install Microsoft’s newest desktop OS and it can’t perform upgrades from earlier versions of Windows. However, if your environment can take advantage of this technology, you’ll certainly be able to reduce your TCO when deploying new machines to your users. Make sure it’s on any TCO justification list of yours.

Featured