In-Depth
Systems Engineering: Assembly-Line Deployment
When you're calculating TCO to justify Windows 2000, don't forget Remote Installation Services, a neat tool to deploy the OS to your client PCs.
When I worked on a corporate help desk, the one activity
that seemed to consume more of my time than any other
was building computers for users. I always seemed to be
installing Windows 95 or Windows NT on a PC. It didn’t
seem to matter whether the build was for a new user (and
there seemed to be a never-ending stream of new users)
or existing users getting new machines. Of course, installing
the operating system was just the beginning. Our build
included Microsoft Office, a handful of terminal emulation
packages, messaging—you name it, we probably had
it. On average, it took two or three hours to prepare
a machine for a user.
If you work in a help desk environment, this story probably
sounds familiar. If you add up the time it takes to retrieve
the computer from the user’s workstation, take it
to the staging room, rebuild the machine and return it,
you’re talking about a lot of time. And of course,
wasted time is one aspect of total cost of ownership.
For coverage of other deployment tools, see "Roll
'Em Out," by Tony Northrup in this issue.
With Windows 2000 here, some of us are starting to plan
deployments of the product to users. Microsoft has done
a great job in delivering a stable OS, and it’s wrapped
in the message of reduced TCO. One of the features of
Win2K that will reduce your TCO is Remote Installation
Services, or RIS.
RIS is part of Win2K Change and Configuration Management,
a group of disciplines that aim to make desktop management
more efficient. These features include offline folders,
software installation, enhanced roaming user profiles,
and RIS. Since RIS shows up in the objectives list for
the upcoming core Win2K Professional (70-210) and Directory
Services Infrastructure (70-217) exams, you’ll need
to understand its operation if you plan to tackle the
new MCSE track.
This article will give you a detailed look at the components
and features of RIS. Before we discuss that topic, however,
we need to look under the hood and examine the engine.
In this case, the engine is PXE, or PreBoot Execution
Environment.
Under the Hood
PXE allows PCs to use their network cards as boot devices.
Just as you can boot from your 3.5-inch disk, your CD-ROM,
or your hard disk, PXE allows your computer to go out
on the network to find a boot image.
The PXE process isn’t elaborate. PXE communicates
using DHCP messages over UDP ports 67 and 68. When you start
a computer with the network device set to be the boot
device, the NIC must do three things. First, it must get
an IP address from a DHCP server so that it can communicate
using TCP/IP. Second, it simultaneously asks for the name
of the server that is providing the bootstrap programs
and the name of the actual bootstrap program. The BINL
(Boot Information Negotiation Layer) service on RIS handles
this request. Third, once the NIC has an IP address and the
bootstrap information, it uses Trivial File Transfer Protocol
(TFTP) to download the boot image to the computer. The TFTP
service also runs on the RIS server. On the client PC, the boot
image calls a program called OSChooser, which in turn starts
the Client Installation Wizard. This wizard manages the
setup of Win2K. Figure 1 illustrates the PXE communications
process.
Now that we know a little more about PXE, let’s
look at the requirements to implement RIS.
Figure 1. The PXE communication
process: 1) Initial DHCP discovery with PXE client
extensions; 2) DHCP offer from the DHCP server and
extended DHCP offer with PXE server extensions from
the RIS server; 3) DHCP request; 4) DHCP acknowledgement;
5) DHCP request to BINL service with PXE client extensions;
6) DHCP acknowledgement with bootstrap program name;
7) request for bootstrap program to TFTP service;
8) bootstrap program downloads via TFTP.
What You Need
You must meet a few hardware and architecture requirements
before you introduce RIS to your enterprise. First, let’s
look at the hardware requirements for your clients and
servers.
According to Microsoft, the server you install RIS on
must have a Pentium II 400MHz or faster processor, 128M
of RAM, and a separate 2G partition (in addition to your
system partition) dedicated to the RIS components and
images. In reality, you should probably have a Pentium
III 500MHz processor with an absolute minimum of 256M
of RAM. If you’re going to install any other services,
such as DHCP, or make this a Domain Controller (DC), then
you should consider adding even more memory and processor
to the machine.
On the client, Microsoft again suggests a Pentium 166MHz
or faster, 32M of RAM, and a 1.2G hard disk. From experience,
I suggest you increase the processor and amount of memory
in your PCs as well.
If your PCs are PC98- or NetPC-compliant, they’ll
already have the PXE Remote Boot ROM. If they’re
not, then you’ll need to install a NIC that has the
PXE Remote Boot ROM, or one of the supported PCI NICs.
(To confirm compliance, ask the manufacturer. For instance,
if you look at the specifications for the Optiplex GX1p
posted on Dell’s Web site, there’s a Management
section. Although it doesn’t specify PC98 compliance,
it does list the management features: DMI 2.0, Wired For
Management (WfM) 1.1a, and Preboot Execution Environment
(PXE). This tells me it’s compliant.)
From an architecture point of view, the requirements
for RIS are the same as for implementing a Win2K Active
Directory infrastructure. You’ll need to have AD,
a DHCP server, and a Win2K-compliant DNS server running
on your network. Obviously, you’ll need to install
RIS on one of your servers. It doesn’t matter if
you put RIS on a domain controller or a member server.
There are a few important things to understand about
RIS. First, you can install only Win2K Professional using
this service. Microsoft plans to allow installation of
other OSs in the future, but we’re not there yet.
Next, you can’t use RIS to upgrade a PC from an earlier
OS to Win2K. The RIS process formats the hard disk before
it installs the OS. Thus, RIS supports only a clean install
of Win2K. Finally, RIS will support only a client PC with
a single hard disk and a single partition. If your PC
has multiple partitions, RIS will reconfigure your PC
with just one.
Now that we’ve defined the requirements for RIS
in your infrastructure, let’s look at the steps for
installing it.
Installing and Configuring RIS
You can add the components for RIS to your server in
two ways. First, they can be added during the initial
build of the server. You simply need to choose the RIS
components during setup. The second way is to use Add/Remove
Software on an existing server. You’ll need to open
Add/Remove Programs, choose Add/Remove Windows Components,
and then choose Remote Installation Services. You need
access to your Win2K source files for this operation.
When the files have been copied, reboot your server.
Once you have the components on your server, run the
Remote Installation Services Setup Wizard. To start the
Wizard, choose Start | Run and type:
Risetup.exe
Choose OK to run the program. The RIS Setup Wizard performs
a number of steps. First, it asks where you want the RIS
directory to reside on your server. This directory must
be on its own NTFS-formatted partition on the server.
Next, it asks if you want to allow the server to begin
responding to clients immediately after completion of
setup (see Figure 2). This is checked by default. Another
option here asks if you want to ignore unknown client
computers. An unknown computer is one that doesn’t
have a computer record in AD. We’ll discuss this
topic in the advanced settings section.
Figure 2. Passwords in a domain
are synchronized with the mainframe using SNA Server
and SecurePass.
The next three screens ask for information about the
initial Win2K Professional image that will be created.
You’ll need the Win2K Professional source files for
this step. As shown in Figure 3, you’ll also need
to type in a name for the image folder (by default it’s
win2000.pro) and a friendly name and description for the
image. This name will be shown in the Client Installation
Wizard, and appears when you look at the properties of
the RIS server.
Figure 3. Provide a friendly
name for your first image.
The last step in the Wizard is to verify all of your
settings. Once you’ve checked everything, the Wizard
creates all of the folders, makes registry changes, and
copies the Win2K files to the RIS server. Once this is
complete, the Wizard starts the Boot Information Negotiation
Layer (BINL) service. There’s one more step to complete
before your RIS server is ready to service client requests.
Authorizing Your Server
Win2K introduced a new security feature for DHCP servers.
This is the process of authorizing the DHCP servers in
AD. If you’re familiar with DHCP in NT 4.0, you know
the problems that occur when someone puts a “rogue”
DHCP server on your network. Before you know it, clients
start to get IP addresses outside the range for your subnet,
and you begin to get calls from users who can’t communicate
on the network. Win2K tries to alleviate this problem
by requiring that DHCP servers be authorized to provide
their services. As I mentioned, RIS uses DHCP to communicate.
Thus, the RIS server also needs to be authorized, since
it looks like a DHCP server to AD.
To authorize your server, you’ll need to open the
DHCP Microsoft Management Console. If you right-click
on the word DHCP at the root, you’ll get a menu.
As shown in Figure 4, choose Manage Authorized Servers.
In the dialog box that appears, choose Authorize. Type
in the name or IP address of your RIS server and choose
OK.
The DHCP service will verify the address, and if all
is OK, your RIS server is ready to begin providing images.
Figure 4. Authorizing your RIS
server.
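The DHCP exchange described under "Under the Hood" and the rogue-server problem described in this section can both be observed on the wire. The following Python code is an added example, not part of the original article or of any Microsoft tool: it parses DHCP payloads, recognizes the PXE extension (vendor class option 60 beginning with PXEClient) and lists OFFER/ACK messages whose server identifier is not on an allow-list. The function names are hypothetical, and the packets, addresses, MAC and boot file name are constructed sample data.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie after the 236-byte BOOTP header
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def parse_dhcp(pkt: bytes) -> dict:
    """Parse a DHCP payload (UDP 67/68) into the fields the PXE exchange uses."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:        # 255 = end option
        if pkt[i] == 0:                          # 0 = pad, has no length byte
            i += 1
            continue
        if i + 2 > len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    server = opts.get(54, b"")                   # option 54 = server identifier
    boot = opts.get(67) or pkt[108:236]          # option 67, else the BOOTP 'file' field
    return {
        "type": TYPES.get((opts.get(53) or b"\0")[0], "OTHER"),
        "mac": pkt[28:28 + min(pkt[2], 16)].hex(":"),
        "server": str(ipaddress.IPv4Address(server)) if len(server) == 4 else None,
        "pxe": opts.get(60, b"").startswith(b"PXEClient"),   # option 60 = vendor class
        "bootfile": boot.split(b"\0")[0].decode("ascii", "replace"),
    }

def unauthorized_replies(packets, authorized):
    """Return (server, is_pxe, bootfile) for OFFER/ACK messages from unlisted servers."""
    msgs = [parse_dhcp(p) for p in packets]
    return [(m["server"], m["pxe"], m["bootfile"]) for m in msgs
            if m["type"] in ("OFFER", "ACK") and m["server"] not in authorized]

def build(op, msg_type, options, file=b"", mac=bytes.fromhex("00c04f112233")):
    """Construct a sample DHCP payload; used only for the made-up traffic below."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0,
                      b"", b"", b"", b"", mac, b"", file)
    body = bytes([53, 1, msg_type])
    for code, val in options:
        body += bytes([code, len(val)]) + val
    return hdr + MAGIC + body + b"\xff"

SAMPLE = [  # constructed traffic: all addresses and names are invented
    build(1, 1, [(60, b"PXEClient:Arch:00000:UNDI:002001")]),          # client DISCOVER
    build(2, 2, [(54, bytes([10, 0, 0, 10]))]),                        # DHCP server OFFER
    build(2, 2, [(54, bytes([10, 0, 0, 20])), (60, b"PXEClient")]),    # RIS/BINL OFFER
    build(2, 5, [(54, bytes([10, 0, 0, 99])), (60, b"PXEClient")], file=b"unknown.0"),
]
AUTHORIZED = {"10.0.0.10", "10.0.0.20"}   # assumed allow-list: DHCP server and RIS server

if __name__ == "__main__":
    print(unauthorized_replies(SAMPLE, AUTHORIZED))
```

In practice the payloads would come from a capture of UDP ports 67 and 68 on the client subnet, and the allow-list from the servers authorized in the DHCP console.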
Server Configuration
At this point your RIS server can be used to install
Win2K Professional on client PCs. There are additional
settings available to you on the server properties page.
To configure your server, open AD Users and Computers.
Double-click on the domain and open the container where
the RIS server computer object is located. If you installed
RIS on a domain controller, look in the Domain Controllers
container. If you installed RIS on a member server, the
object is in the Computers container by default. Locate
the computer object and right-click to produce a menu.
Choose Properties. Choose the Remote Install tab, as seen
in Figure 5, to open the RIS properties screen.
Figure 5. RIS server properties.
You can customize a number of items on this page. First,
you can instruct RIS to respond to client requests and
ignore requests from unknown computers. (This is identical
to the options you saw during setup.) You can Verify the
Server if you’re having difficulty. This is a troubleshooting
tool. You can search AD for RIS clients using the Show
Clients button. Finally, you can access the Advanced Settings
of RIS.
When you choose the Advanced Settings button, you’ll
see another dialog box with three tabs. On the New Clients
tab, you’re given options regarding how client computers
are named and where they’ll be placed in AD during
Win2K setup. There are a number of choices for computer
naming, such as first initial/last name or MAC address.
You can also choose Custom. This opens a separate dialog
box for creating a custom naming format.
The second tab on this dialog box, called Images, shows
you which images have been installed on the server. Right
now, you should have one image available for clients to
install. From here, you can add new images or remove old
ones that are no longer required.
The third tab, called Tools, lists third-party preboot
environment tools you’ve installed. These tools run
on the client PC before the OS has been installed. For
example, you may have a tool provided by your BIOS vendor
that allows you to make BIOS setting changes.
Once you’ve configured your server to meet your
needs, you’ll probably want to create new OS images.
The next section describes that process.
Creating Additional Images
RIS provides two types of images to client PCs. From
the client’s perspective, they look the same; there’s
no difference in the way they’re installed. From
your point of view, they’re somewhat different.
The initial image you installed during setup is called
a CD-based image. This is where the source files are copied
from the Win2K Professional CD or a network share, and
an answer file customizes the installation on the client
PC. You can make additional answer files using the Setup
Manager (a Resource Kit utility) and then associate the
new answer file with a new image name.
Another image type is the RIPrep-based image. This type
is created using the Remote Installation Preparation Wizard.
The RIPrep-based image starts with a client PC and a base
installation of Win2K Professional. You then make any
changes required for your environment, such as network
settings or display settings, and add any corporate software
packages required for your users. This PC is now called
a Reference PC. At this point, you run the RIPrep program
from the Reference PC. The program will remove the SID
from the computer (much like SYSPREP) and copy the files
to the RIS server.
An important note about using RIPrep—you’ll
have to run a mini-setup process when you reboot the Reference
PC. The RIPrep process removes all domain information
contained on the PC. Another important note about RIPrep
images—they can only be used on machines with identical
hardware abstraction layers. For example, you can’t
deliver an image from a desktop PC to a laptop PC—their
HALs are different because of the power management interface.
After the RIPrep Wizard is complete, you have an additional
image to deliver to your clients.
The next section of this article walks you through the
Client Installation Wizard, which is the program that
starts the Win2K Professional installation on your client
PCs.
What about Ghost?
You’ve probably used a disk-imaging
package such as Norton Ghost or PowerQuest’s
Drive Image Pro at one time or another.
These types of programs are
great for deploying a new build to a machine
quickly. When you team a disk-imaging
program with Microsoft’s SYSPREP
utility, you can be assured of delivering
a good image to most machine types. If
you compare the delivery speed of RIS
to a disk-imaging package, RIS is going
to lose the race.
From the convenience standpoint, both
methods are equal. You need to do a
good deal of work upfront to realize
any benefit on the client side. The
ability to install the OS in a preboot
environment is cool, but most enterprises
lack the PXE capability unless they’ve
upgraded their client PCs in the last
year or so. In addition, you can’t
use PXE to deliver an image to a token
ring NIC or a PC card.
I’ve been looking at the latest
version of Ghost, and it now gives you
the ability to use the PXE capabilities
of RIS to boot a PC and connect to a
Ghost Multicast server. By using the
Multicast Assist feature, Ghost will
add an “image” to the menu
in the Client Installation Wizard. By
choosing this “image,” you’ll
make a multicast connection to the Ghost
server, and the image will be downloaded
to your PC. At the time of this writing,
I’m still in my testing phase,
but it looks very promising.
So what are we left with? The fact
that RIS is built into the product means
you don’t have to rely on third-party
tools to install the OS on client machines.
—John M. Gunson
Installing Win2K Professional
At this point, you should have a good idea of the processes
running behind the scenes. In this section, we’re
going to look at what occurs when you boot your client
PC.
When you turn on your client PC, you’ll see a few
messages from the DHCP process and a message that states,
“Press F12 for Network Boot.” This indicates
that you’ve received the bootstrap program from the
BINL service. When you press F12, you receive the Welcome
Screen from the Client Installation Wizard. Press Enter.
Next, the Wizard asks for your AD username, password,
and domain. The Wizard will authenticate you against the
Directory to make sure you’re a valid user and to
determine which images you’re allowed to download.
Once you’re authenticated, you’ll see a screen
that gives you between one and four choices. By default,
you’ll see the Automatic Setup option. Depending
on how RIS has been configured in Group Policy, you could
also see Custom Setup, Restart a Failed Installation,
or Maintenance and Troubleshooting. (A Group Policy object
for RIS configures which options are available to users.
Domain users will only see Automatic Setup, and Administrators
will see both Automatic Setup and Custom Setup.)
When you choose Automatic Setup, you’ll see a list
of all the images you’re allowed to download. (As
an administrator, you can set access control lists (ACLs)
on the image folders to restrict who can download the
images.) After you choose an image, you’ll see a
confirmation of which image you chose, the GUID of the
client PC, and the container in AD where the computer
object will be placed. When you choose Next, the installation
of Win2K begins.
The only difference between Automatic and Custom setup
is that Custom Setup lets you change the computer name and
container location. Automatic Setup configures these for you.
Remote Installation Services is a handy feature of Win2K.
By using the PXE Remote Boot ROM capability of certain
network cards, you can remotely install Win2K Professional
on client PCs. RIS does have its drawbacks: It can only
install Microsoft’s newest desktop OS and it can’t
perform upgrades from earlier versions of Windows. However,
if your environment can take advantage of this technology,
you’ll certainly be able to reduce your TCO when
deploying new machines to your users. Make sure it’s
on any TCO justification list of yours.