Remotely install new Win2K Pro images to workstations in your network
EDITOR'S NOTE: Portions of the following article were adapted from Sean Daily and Darren Mar-Elia's The Definitive Guide to Windows 2000 Administration (Realtimepublishers.com).
It's 8:00 a.m. Monday morning, and you're sitting back in your chair with a cup of coffee reviewing Friday's backup logs. Just then, you receive a call from Craig, the manager of one of your organization's branch offices, whose PC suffered a hardware meltdown over the weekend. Craig's office is a support nightmare because the branch is too small to have a dedicated IT person on staff, but they're too close to the home office for you to outsource their IT support needs to a third-party service provider. Craig is upset because quarterly reports are due and he needs access to the financial applications on his computer pronto. Your palms begin to sweat as you think about the impending 150-mile drive to Craig's office and the time required to rebuild him a new system from scratch. Suddenly you remember the new service you recently set up on the server at Craig's branch office. Instead of jumping in your car, you ask Craig to go to a spare PC (luckily, you had the forethought to order a spare PC for each branch office), connect it to the network, and power it up. Twenty minutes later, Craig calls back to inform you that he now has a fully functional Windows 2000 system, complete with all his office productivity and financial applications. As you hang up, you can't help smiling and wondering if this experience is going to spoil you.
A fictional story? Thanks to a new technology in Win2K, Remote Installation Services (RIS), this scenario can be a reality for network administrators. To benefit from this service, you'll need to become familiar with RIS's features, limitations, and procedures, as well as the little-known tips and tricks that can help improve your RIS experience.
RIS Rudiments
RIS is a set of technologies that let administrators install new Win2K Professional images to remote workstations in the network. RIS differs from earlier deployment technologies (e.g., unattended installations and disk cloning) in that it has low requirements for target workstations. (For more information about unattended installations, see "Related Articles in Previous Issues.") Whereas some deployment methods require the receiving client to already have an existing version of Windows or a complex network-enabled boot disk installed, you usually start RIS installations over the network without a boot disk or an existing OS installation on the target system.
The RIS deployment process involves a client and one or more servers, and works through the cooperation and interaction of several services and technologies, including DHCP, DNS, Active Directory (AD), Boot Information Negotiation Layer (BINL), Single Instance Storage (SIS), and Trivial File Transfer Protocol (TFTP). RIS servers, which house the OS images for remote deployment, are authorized and registered in DNS and AD and make their images available to requesting client workstations.
Client workstations use a special network boot technology, Preboot Execution Environment (PXE), to boot from the network, after which they locate a RIS server and download an OS image. The client's system BIOS, network adapter, or both can provide PXE support. (PXE support is part of the NetPC and PC98 0.6 and later industry specifications, but RIS requires PXE .99c or later.) For systems that don't have PXE support, Microsoft provides the Remote Boot Floppy Generator (RBFG) utility. This tool provides PXE support for a limited number of PCI-based network adapters.
In RIS deployments, a RIS client boots from the network or an RBFG-created boot disk, and uses PXE to obtain an IP address and the necessary information to locate and initiate a session with a RIS server. The RIS server and client then use TFTP to transfer to the client the Custom Installation Wizard, which lets the client's user authenticate in AD and select a RIS image from the server. This selection starts the transfer process, after which the client has a fully functional Win2K installation (which can include applications and a customized configuration).
Preparing Your RIS Environment
The RIS deployment process involves several elements, so successfully configuring a RIS environment and deploying RIS images requires planning. You must ensure that you properly configure your Win2K network environment, RIS servers, and clients.
First, consider whether your RIS servers and clients meet the minimum system requirements. Notwithstanding Microsoft's anemic minimum system requirements, based on experience, I've developed the following requirements for a RIS server: Pentium II processor or better; 128MB of RAM or more (more if the RIS server will also run services such as AD, DHCP, and DNS); 2GB of hard disk space or more on the NTFS-formatted volume that will store the RIS images; and a 100Mbps or faster network adapter. To install RIS on a server, you must have an NTFS volume separate from the Win2K system partition and boot partitions.
RIS clients must meet Win2K's minimum hardware requirements. In addition, they must have a PXE-based boot ROM .99c or later, or an RBFG-supported network adapter.
When planning your RIS environment and server configurations, consider the effect that RIS will have on server and network bandwidth. RIS's primary function is to deliver large installation images to client PCs over the network, so you should treat capacity planning for a RIS server in a similar manner to that of file or Web servers.
The RIS deployment process mainly consumes disk and network resources, and the level of consumption depends on the number of clients the RIS server is serving at any given time. As a result of RIS's installation-oriented nature, it won't act as a continuous drain on resources but as an occasional drain. Most organizations tend to simultaneously deploy machines in groups, so you'll discover that RIS servers are either delivering images to many systems at once or none. This all-or-nothing reality is an important factor in planning your RIS server configurations: overbuilding RIS servers for a one-time deployment isn't cost-effective.
RIS relies on several Win2K networking services, which creates requirements that you should consider before deploying RIS. First, RIS requires an AD-enabled Win2K network because the service is fully AD-integrated and uses AD to locate existing clients and RIS servers. In addition, DNS is an integral, mandatory part of any AD-based Win2K network; thus, RIS requires DNS servers in the network. However, RIS doesn't require you to use Win2K's DNS services; you can use a third-party DNS server product as long as it supports service resource records (SRV RRs, which Internet Engineering Task Force (IETF) Request for Comments (RFC) 2052 defines) and dynamic updates (which RFC 2136 defines).
In addition, all RIS clients must be able to reach a DHCP server because DHCP provides RIS clients with their IP addresses. You can use a third-party DHCP product in lieu of Win2K's DHCP services.
Authorizing RIS Servers in AD
After you ensure that your basic Win2K network architecture is in place, the next step in your RIS-environment preparation is to pre-authorize all your RIS servers in AD as permitted DHCP servers. This step is necessary because RIS is a secure, AD-integrated service and therefore requires that RIS clients and servers be validated against AD. Although RIS and DHCP services are separate entities, RIS servers are AD-authorized through the DHCP management utility as if they were DHCP servers. (If you're installing RIS on an existing DHCP server that is already AD-authorized, you don't need to complete this authorization process.) The following steps walk you through how to authorize a RIS server as a DHCP server in AD:
- Log on as a member of the Enterprise Admin group for the forest within which your RIS server will provide services.
- Run the Microsoft Management Console (MMC) DHCP Management snap-in from the Start, Programs, Administrative Tools menu.
- Right-click DHCP in the console's left pane, and select Manage Authorized Servers.
- In the resulting dialog box, click Authorize. Next, you enter the IP address of the RIS server you want to authorize in the Name or IP address text box, which Figure 1 shows.
- Click OK to confirm your entry.
Changes to AD take time to propagate to the domain controllers (DCs) in your network. If you authorize a RIS server and you need the change to take effect immediately on a particular DC, you can use the following command at a command prompt on the DC:
secedit /refreshpolicy machine_policy
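To check that only the servers you authorized are actually answering PXE clients, the following added example (not code from the article or from Microsoft) parses DHCP replies captured during a test network boot and lists responders and boot servers that are missing from your authorized list. The function names are hypothetical, and the sample packets, addresses and boot-file names used with it are constructed.

```python
import socket

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options field

def parse_reply(pkt: bytes):
    """Return the fields of a DHCP reply that identify the responder, or None."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        return None                                  # not a DHCP packet
    info = {"siaddr": socket.inet_ntoa(pkt[20:24]),  # next (boot) server address
            "bootfile": pkt[108:236].split(b"\0", 1)[0].decode("ascii", "replace")}
    i = 240
    while i < len(pkt) and pkt[i] != 255:            # 255 = end option
        if pkt[i] == 0:                              # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            break                                    # truncated option: keep what we have
        code, data = pkt[i], pkt[i + 2:i + 2 + pkt[i + 1]]
        if code == 53 and len(data) == 1:            # DHCP message type
            info["msg_type"] = data[0]
        elif code == 54 and len(data) == 4:          # server identifier
            info["server_id"] = socket.inet_ntoa(data)
        elif code == 60:                             # vendor class identifier
            info["vendor"] = data.decode("ascii", "replace")
        i += 2 + len(data)
    return info

def unauthorized_servers(packets, authorized):
    """List OFFER (2) / ACK (5) responders that are not on the authorized list."""
    flagged = set()
    for r in filter(None, map(parse_reply, packets)):
        if r.get("msg_type") not in (2, 5):
            continue
        seen = {r.get("server_id")}
        if r["bootfile"] or r.get("vendor", "").startswith("PXEClient"):
            seen.add(r["siaddr"])                    # boot server named in the reply
        flagged |= {ip for ip in seen if ip and ip != "0.0.0.0"} - set(authorized)
    return sorted(flagged)

def sample_offer(server, siaddr="0.0.0.0", bootfile=b"", vendor=b""):
    """Build a constructed DHCPOFFER (demo data, not captured traffic)."""
    hdr = (bytes([2, 1, 6, 0]) + bytes(12) + socket.inet_aton("192.0.2.50")
           + socket.inet_aton(siaddr) + bytes(84) + bootfile.ljust(128, b"\0"))
    opts = b"\x35\x01\x02\x36\x04" + socket.inet_aton(server)
    if vendor:
        opts += bytes([60, len(vendor)]) + vendor
    return hdr + MAGIC + opts + b"\xff"
```

Pass `unauthorized_servers` the UDP payloads of the replies you captured and the addresses shown under Manage Authorized Servers; any address it returns answered a client without being on that list.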
1) "The PCI-specific support also means that systems with network adapters that use other bus types (e.g., ISA, EISA) and laptop systems that use PC Card or CardBus-based network adapters can't use RIS."
RIS is not PCI-specific. It is PXE specific...if a network card provides a PXE-compatible boot ROM, it will work with RIS. 3Com's 3C509 is supported, as are other network cards where open-source PXE code is available (check the Netboot, Etherboot, and LTSP projects).
Also, PXE technology has been available in PC Cards since at least July of 1999, when 3Com issued a press release regarding the manageability of the 3Com Megahertz 10/100 LAN CardBus PC Card - 3CCFE575CT. See http://www.3com.com/news/releases/pr99/jul1299a.html. The 3CCFE575CT contains our Managed PC Boot Agent, which includes support for PXE. These do indeed support RIS installation to a notebook via a PC Card.
The 3Com® DynamicAccess® managed PC boot agent on disk (MBA) is a package consisting of multiprotocol network boot firmware and software tools that enable network administrators to deploy centrally-administered management applications to networked clients during their boot phase.
This disk-based boot agent supports a wide variety of 3Com NICs. Below is a link to 3Com's website that further discusses MBA on disk.
http://www.3com.com/products/software/dynamicaccess/dyn_mbaondisk.html
The 3Com® DynamicAccess® managed PC boot agent on disk (MBA) supports the 3CXFEM656C laptop card and The 3Com USB Network Interface. This offers another alternative for mobile users who want to extend RIS functionality to their notebooks equipped with these 3Com products. Below are links to the press release for the 3CXFEM656C, and The 3Com USB Network Interface.
http://ca.3com.com/news/releases/pr00/mar0900a.html
http://www.3com.com/products/usb.html
2) "Although Microsoft has promised regular updates to the list of RIS-supported network adapters, no such updates have appeared thus far. "
We recently released support for more adapters for RBFG, including support for the extremely popular RealTek 8139 controller. This was provided to Microsoft in January, for inclusion into a WIN2K update and for Whistler.
3) "...RIS supports imaging only one volume—the C drive—to a RIS client"
This is only the case when using RIS to perform WIN2K Professional installations. Other imaging products overcome this, if provided via 3rd party software and is usually accessed via the "Troubleshooting and Maintenance" menu under the CIW.
4) "....you can't use it (RIS) to deploy other client OSs such as NT, Windows Millennium Edition (Windows Me), and Windows 98."
While other client OS deployment is not natively supported, one can use RIS to deploy other OSs, including all of the ones mentioned above. 3Com provides a free utility - RIS Menu Editor - to assist in this, as well as technical papers that cover these kinds of scenarios.
See http://www.3com.com/products/software/dynamicaccess/dyn_rismenu.html
If you or your readers have any questions on extending RIS functionality, feel free to contact me or our Technical Services dep't at lantech_support@3com.com.
Steve Marfisi January 23, 2001