In-Depth
Vista Deployment Done Right
The new crop of deployment tools for Windows Vista is a marked improvement over its predecessors.
When you're creating the massive disk images you'll need to deploy Windows
Vista or Longhorn, you need a powerful tool. Windows Deployment Service (WDS)
provides a central storage and deployment point for Windows XP, 2003, Vista
and Longhorn images. WDS is intended to replace Remote Installation Service
(RIS). And before you ask, yes -- it
is much better than RIS.
WDS lets Pre-Boot Execution Environment (PXE) clients connect and download
operating system images with little or no human interaction. You'll need an
established Active Directory (AD) domain, plus DHCP and DNS servers prior to
installing WDS. Your WDS servers must be members of an AD domain and require
NTFS partitions to store images.
You can upgrade your old RIS to WDS by running the Windows-deployment-services-update.exe
(found in the Windows AIK\WDS folder). After you've upgraded an RIS server to
WDS, it can still offer RIS images, but it can also distribute Microsoft's new
Windows Image (.WIM) type files (see "Laying
the Groundwork for Vista," February 2007).
To install WDS from scratch, first install Windows Server 2003 SP2. Then add
WDS from Control Panel/Add or Remove Programs/Windows Components/Windows Deployment
Service (see Figure 1). When you install WDS, you'll have to reboot your server,
so plan accordingly.
Configuring WDS is as straightforward as any of the rest of the current crop
of wizard-driven Microsoft platforms. Open the Windows Deployment Services snap-in
found in Administrative Tools. If your local server doesn't appear under Servers,
right-click the Servers node and choose "Add Server." You could also
choose to manage a remote WDS server by selecting "Another computer"
and browsing to the remote server's name.
Figure 1. You can add these new Windows Deployment Services through the Windows Components Wizard.
Right-clicking your server name and choosing "Configure server" launches
the WDS Configuration Wizard. Click "Next" on the Welcome page and
choose the NTFS partition you'd like WDS to store your images on. If you're
configuring WDS on a DHCP server, you'll see the "DHCP Option 60"
page.
Both the WDS and DHCP services listen on port UDP 67. When WDS and DHCP are
installed on the same machine, you'll have to configure WDS to not listen on
port UDP 67 so it will be available for DHCP. So, if WDS normally listens on
UDP 67 for inbound PXE client requests, and you configure WDS to not listen
on UDP 67, how will the clients ever find the WDS server?
That's where the DHCP option 60 comes in. When the DHCP server responds to
DHCP client requests, option 60 is included in the response. Option 60 lets
the DHCP client know that the DHCP server is also a WDS/PXE server. You can
set DHCP option 60 by putting a check mark in the Configure DHCP option 60 to
"PXEClient."
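To see what a PXE client actually receives, here is an added example (not code from the article) that decodes the option list of a DHCP reply and checks whether Option 60 carries "PXEClient"; the sample replies are constructed, and the option codes follow RFC 2132.

```python
# Added example (not from the article): parse the options area of a DHCP
# reply and report whether it carries Option 60 (vendor class identifier)
# set to "PXEClient", which is how a DHCP server co-located with WDS tells
# a PXE client that it is also the WDS/PXE server.

OPTION_VENDOR_CLASS = 60   # "Vendor class identifier", RFC 2132
OPTION_PAD, OPTION_END = 0, 255


def parse_dhcp_options(data):
    """Decode the TLV option list that follows the magic cookie. Returns {code: bytes}."""
    opts = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPTION_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPTION_END:          # end marker, ignore anything after it
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d claims %d bytes, only %d present" % (code, length, len(value)))
        # one option may be split over several TLVs; concatenate the pieces
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def advertises_pxe(options_bytes):
    """True if the reply's Option 60 starts with 'PXEClient' (WDS/PXE on this DHCP server)."""
    opts = parse_dhcp_options(options_bytes)
    return opts.get(OPTION_VENDOR_CLASS, b"").startswith(b"PXEClient")


# Constructed samples: DHCPOFFER (option 53 = 2), server identifier (option 54),
# then Option 60 on the first one only, a pad byte and the end marker.
SAMPLE_OFFER_WITH_PXE = (
    b"\x35\x01\x02"                    # option 53, message type DHCPOFFER
    b"\x36\x04\xc0\xa8\x01\x0a"        # option 54, server identifier 192.168.1.10
    b"\x3c\x09PXEClient"               # option 60, vendor class "PXEClient"
    b"\x00"                            # pad
    b"\xff"                            # end
)
SAMPLE_OFFER_PLAIN = b"\x35\x01\x02\x36\x04\xc0\xa8\x01\x0a\xff"
```

Run `advertises_pxe()` over the option bytes of a captured offer from your DHCP server: a result of False on a server that also hosts WDS means the Option 60 check box from the wizard is not in effect.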
Configuration Control
Chances are you wouldn't want just anyone in your company to be able to install
a new OS on a whim. So WDS allows three levels of controls as shown on the "PXE
Server Initial Settings" page.
The first option, "Do not respond to any client computer," is fairly
straightforward. This is the default selection. The second option is "Respond
only to known client computers" and the third is to "Respond to all
(known and unknown) client computers." A variant of the third option notifies
the administrator about unknown clients and responds only after approval. Think of unknown
clients as wireless laptops in the company parking lot.
You configure known client computers in Active Directory Users and Computers
(ADUC). In ADUC, known computers are referred to as "managed or pre-staged
computers." Create a computer object in ADUC, name the computer object
and click next to get to the "Managed" page.
Selecting "This is a managed computer" and typing the computer's
GUID in the "Computer's unique ID (GUID/UUID)" box identifies that
system as a known client. You can usually find the client's GUID in the computer's
BIOS. If the computer doesn't have a GUID, you can use the MAC address.
MAC addresses are only 12 characters and GUIDs are 32, so you'll need to pad
the MAC address with leading zeros. A MAC address of 00-0F-B1-F6-21-33 would
look like this: 00000000000000000000000FB1F62133. You could also type the MAC
address (with no dashes) and then add leading zeros until you can select the
NEXT button.
The third setting lets known clients download images from the WDS server. Unknown
clients will generate something called a pending request. You'll find pending
requests in the WDS snap-in under "Pending Devices."
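The padding rule above is easy to get wrong by one zero when typing into ADUC. As an added example (not from the article), this Python helper builds the 32-digit value for the "Computer's unique ID (GUID/UUID)" box from either a BIOS GUID or a MAC address in any common separator style, and recovers the MAC from a padded ID; the sample values are constructed.

```python
import re

# Added example (not from the article): produce the 32-hex-digit value that the
# ADUC "Computer's unique ID (GUID/UUID)" box expects for a pre-staged client.
# A BIOS GUID is used as-is; a MAC address is zero-padded on the left to 32 digits.

_HEX32 = re.compile(r"^[0-9A-F]{32}$")


def normalize_mac(mac):
    """Strip separators (dashes, colons, dots, spaces) and validate a 12-hex-digit MAC."""
    digits = re.sub(r"[-:.\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def prestage_id(value):
    """Return the 32-digit ID for ADUC from a GUID/UUID or a MAC address.

    Accepts a dashed UUID (8-4-4-4-12), a braced UUID, a bare 32-digit GUID,
    or a MAC in any common separator style. Raises ValueError otherwise.
    """
    compact = re.sub(r"[-{}\s]", "", value).upper()
    if _HEX32.match(compact):          # already a full GUID/UUID from the BIOS
        return compact
    mac = normalize_mac(value)         # otherwise it must be a MAC address
    # 32 - 12 = 20 leading zeros, which is the padding the article describes
    return mac.rjust(32, "0")


def mac_from_prestage_id(guid):
    """Inverse check: if an ID is a zero-padded MAC, return it in dashed form, else None."""
    if not _HEX32.match(guid) or not guid.startswith("0" * 20):
        return None
    mac = guid[20:]
    return "-".join(mac[i:i + 2] for i in range(0, 12, 2))
```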
Once a pending request appears under Pending Devices, you'll have the option
to "approve," "reject" or "name and approve" the
request by right-clicking the pending request. The "approve" or "reject"
options are pretty straightforward, but "name and approve" may need
a little explanation. You'd use this when you want to approve the request and
name the ADUC object it will create for the new computer.
The last dialog box in the WDS configuration wizard lets you add images to
the WDS server. You'll need at least one boot image and one install image. I
like to clear the check mark in the box next to "Add images to the Windows
Deployment Server now" and add them manually. Why?
Adding the images manually gives you more flexibility. If you choose to add
the install.wim that lives on the Vista product DVD in the Sources folder, you'll
install all seven images. If you choose to add them later by right-clicking
either "Boot" or "Install Images" and then choosing "Add
Boot/Install Image," you can choose to add only one or two of the seven
images.
Figure 2. Running sysprep is a critical step. Make sure to run the right version for the OS image you're creating.
Boot images are WinPEs, but the WinPE on the Vista DVD (boot.wim) is different
from any you'd create. You'll have to add the boot.wim from the Vista DVD, which
calls the OS install program (setup.exe). If you don't, your PXE client
will boot and download your custom WinPE and that's it. You won't get a list
of OSes to install from the WDS server.
The Power of One
You have to add installation images to an image group, which gives you two important
features -- security and single instance store (SIS) technology. Let's say you
have two image groups (each containing multiple images), one for an office in
Dallas and one for an office in New York. You'd like to give the administrators
in the Dallas office full control permissions for the Dallas image group. You'd
like to do the same for the New York admins with the New York image group. Right-click
the Dallas image group, choose "Security," and then add the Dallas
administrators group (this is an ADUC security group). Set the permissions to
"Read & Execute, List folder contents and Read permissions."
SIS greatly reduces the amount of disk space required to store your images.
Let's say there are three images in your Dallas image group called Marketing,
Sales and Research. Each image installs Vista Ultimate, but different applications
specific to the departmental needs.
Vista Ultimate takes up more than 2GB, so if you stored three complete copies
of Vista Ultimate, you'd need almost 8GB. SIS stores the files needed for Vista
Ultimate just once. It stores the applications in three separate image files
within the Dallas image group. So when you view the Dallas image group, you'd
see a large .RWM (resource .WIM) file containing Vista Ultimate and three smaller
image files containing the applications. These smaller image files are typically
around 20MB to 30MB (depending on the apps you've installed). So in this scenario,
SIS saves 5GB of disk space.
You have to authorize WDS servers in AD. You can perform authorization in the
DHCP or WDS snap-in. To authorize in the DHCP snap-in, just right click your
server name and choose "Authorize." The red down arrow on the server
changes to a green up arrow (you may need to press F5 to refresh).
Authorizing in the WDS snap-in is a little trickier. Right-click your WDS server
and choose "Properties." In the "Advanced" tab, choose "Yes,
I want to authorize the WDS server in DHCP." When you authorize from the
WDS snap-in, you have to restart the DHCP server service. Otherwise, when you
look at the server in the DHCP snap-in, there's a red down arrow and right-clicking
the server only lets you "Unauthorize."
The WDS Process -- Start to Finish
Let's set the scenario first. You have a bare metal machine upon which you'd
like to install Vista. Your WDS server contains only one boot image (the one
from the Vista DVD) and one install image and has DHCP installed and configured
with an active scope.
A PXE boot (when you see "Press F12 to perform a network boot," press
F12) is step one for your bare metal machine. The PXE client sends out a DHCP
discover packet looking for a DHCP server from which to get an IP address. Our
DHCP server not only gives the PXE client an IP address, but also the DHCP Option
60 that defines the DHCP server as a WDS server as well.
If you choose the "Respond to all (known and unknown) client computers,
but for unknown clients, notify the administrator and respond after approval"
option in your "PXE Server Initial Settings," your PXE clients will
be on hold until an administrator approves or rejects the pending request.
Step two is to download a WinPE. Once you connect to the WDS server, you'll
need to authenticate to confirm that the account you're using has permissions
to the images stored on the WDS server. The last step is to create and format
a partition to which you'll install, or click next and the entire disk0 will
be your C: partition. Then about 20 to 30 minutes later, you'll have a brand
new machine.
Creative Customizing
Creating your own custom images configured with your choice of applications
and desktop settings is a snap. You'll need a master machine and a utility called
WDSCapture (you could also use ImageX.exe; see the companion story, "Smaller
Is Better," which begins on p. 52). The master machine is the machine upon
which you're going to create the image to deploy to other machines. Let's look
at the six steps for creating a custom image using the WDSCapture utility:
- Install an OS (XP, 2003, Vista or Longhorn).
- Install and configure applications and desktop settings.
- Sysprep the master machine and shut it down. (Sysprepping the machine will
scrub out any identifying information like the computer name or SID so the
deployed image will receive unique information. Make sure you use the correct
sysprep utility for the OS image you're creating, down to the service pack
level. If using a Vista master machine, run sysprep version 3.14 with the
generalize switch. You'll find sysprep in the system32 folder.)
- Restart the master machine by booting to a WinPE.
- Launch the WDSCapture utility (included in a WinPE by default).
- The WDSCapture utility launches the WDS Image Capture Wizard. Click "Next"
on the Welcome page and you'll see the Image Capture Source page.
Select the volume you want to capture (if nothing shows up here, the machine
was not properly sysprepped), give the new image a name and description and
click "Next." When prompted for credentials to connect to the WDS
server, type an administrative account and password. On the Image Capture Destination
page, you'll have to enter a name and location to store the image locally (you
can store it on the same volume you're capturing if there's enough space. The
image will not contain your .WIM file).
Next, check the box next to "Upload image to WDS server." Under server
name, enter either the WDS server's name or IP address. Once the WDSCapture
utility has authenticated to the WDS server, a list of Image Groups will appear
in the drop-down box (image groups are created on the WDS server). Choose your
image group and click "Finish." You'll have to store your new image
locally first, then upload it to the WDS server.
You can automate the WDSCapture process by creating a capture boot image. Add
the boot.wim from the Vista DVD to your boot images in the WDS snap-in. Highlight
"Boot Images" and in the details pane right-click the boot image and
choose "Create Capture Boot Image." Name your new capture boot image
and store it locally. Once you've created your new capture boot image, right-click
the Boot Images node again and choose "Add Boot Image." Then browse
to your new capture boot image.
After you've built and sysprepped your master machine, you can PXE boot to
connect to the WDS server. You'll see a list of two boot images. Choose the
new capture boot image. This will download a WinPE and launch WDSCapture automatically.
The Need for Speed
Downloading an image from a WDS server can be time consuming. You can speed
this up by increasing the block size, but please proceed with caution and test
first. The command-line utility we're going to use is bcdedit. Vista and WinPE
have bcdedit natively, so running this command from Vista or WinPE is the simplest
method. We'll run the bcdedit command from a machine named Vista1:
- On a WDS server (ours is named WDSServer) share the \REMOTEINSTALL\Boot\x86
folder (this is the default folder for storing your images). For this example,
we'll use x86 as the shared folder name.
- From Vista1, map a drive to the x86 shared folder (net use W: \\WDSServer\x86).
If prompted for credentials, enter administrative credentials.
- Copy the default.bcd found in the x86 folder to Vista1's local C:\ drive.
- The command to change the TFTP block size to 8192KB is typed on the Vista1
machine as one long command from the C: drive:
Bcdedit -store default.bcd -set {68d9e51c-a129-4ee1-9725-2ab00a957daf} ramdisktftpblocksize 8192
(You could use different block sizes such as 4096 or 16384, but the 8192 seems
to work well.)
- Copy the default.bcd from the Vista1 machine to its original location on
the WDS server.
- On the WDSServer, go to a command prompt and type: Sc control wdsserver 129
(this will reset the TFTP block size for the WDSServer).
All this should help you install, configure and enhance your Windows Deployment
Service server. Whether you're deploying on a single machine or across a network,
Vista can be a monster to deploy. These tools and techniques should help.