Installing RIS

The RIS services, like most network services, are not installed by default when you set up Windows Server 2003. Before installing RIS, you should verify that the computer on which you are installing RIS meets the baseline system requirements for RIS operations for both hardware and software, as well as partition configuration and available free space.

RIS Server Requirements

At minimum, the RIS server must meet the following requirements:

  • The computer must be running Windows Server 2003, Standard, Enterprise, or Datacenter Edition.

  • The server cannot be multihomed; it must have a single supported 10- or 100-MB network interface card (NIC) with TCP/IP installed.

  • The computer must be a member of an Active Directory domain.

  • At minimum, a 4-GB drive should be available for RIS images.

  • The location of files used by RIS must be on a local fixed drive and cannot be a network share or a distributed file system (DFS) share (although DFS can be running as an additional service on the RIS server without any problem).

  • The partition upon which you install RIS must be formatted as NTFS.

In addition to the requirements of the RIS server, certain services must be available on the local network. These services are as follows:

  • DHCP

  • DNS

  • Active Directory

Performing the Install

RIS is not included as a server role that you configure using the Manage Your Server Wizard. This means that to install RIS, you use Add Or Remove Programs in Control Panel.

Tip

To install RIS, you must be a member of the Enterprise Admins group in Active Directory.

Preparing and Installing RIS

Use the following steps to prepare and install RIS:

  1. In Control Panel, open Add Or Remove Programs.

  2. Click Add/Remove Windows Components, which starts the Windows Components Wizard.

  3. In the Windows Components Wizard, select the Remote Installation Services option, click Next to install RIS, and then click Finish.

  4. Click Yes when prompted to reboot the system. Once the system has rebooted, you must run RISetup.exe to finish the initial configuration of RIS.

Tip

Configure the RIS server as an authorized DHCP server

Although the RIS server must be configured as an authorized DHCP server, it doesn't have to be done manually as a separate process. DHCP configuration now happens automatically as part of the postinstallation configuration process completed by RISetup.

Configuring the RIS Server

There are several tools used to set up and configure RIS as well as the operating systems that the RIS server will deploy. These tools include the following:

  • RISetup.exe The primary RIS setup program, RISetup, is used to perform the initial configuration of the RIS server and designate the location of the distribution folder that will contain the operating system images. RISetup also lets you specify the source location of the uninstalled product files, associate answer files with images, and provide a name and description for each of the available operating system installations.

  • RIPrep.exe The RIPrep utility is used to create file system–based images (differing from both RISetup and Sysprep images). These images typically deploy faster than those created by using RISetup, because RIPrep images reflect an installed copy of the operating system. RIPrep prepares a master computer for imaging using a Sysprep-like process and then, rather than requiring an additional program to perform the imaging process (as Sysprep does), stores the image for deployment to client computers.

  • RBFG.exe The Remote Boot Floppy Generator (RBFG) utility creates the remote installation boot disk that is used for client computers that do not have a PXE boot read-only memory (ROM).

Once you have installed RIS on the server, you must run the RIS Setup Wizard to configure RIS. Because you have not set up any images, nor have you had a chance to review settings, including security, RIS is not started until after this wizard has been run for the first time.

Initial RIS Configuration

To configure the Remote Installation service, follow these steps:

  1. Start the RIS Installation Services Setup Wizard on the RIS server by clicking Remote Installation Services Setup on the Administrative Tools menu or by typing risetup at a command prompt.

  2. Specify the folder to use for RIS. Here, you select the disk location to contain RIS installation images and related files, as shown in the following screen. The folder must be on a local fixed drive that is formatted with NTFS version 5 or later (meaning an NTFS folder formatted previously under Windows 2000 or later) and that is not the same drive as the server's operating system.

    Tip

    Allocate adequate free space for RIS images

    The RIS image folder should have substantial free disk space (4 GB minimum), because installation images average over 700 MB, and most RIS installations will house multiple installations of more than one operating system as well as image variants for the same operating systems. Depending on the range of operating system (OS) images to be supported in your environment, and the frequency of adding new OS images, you might want to put RIS on its own partition with many gigabytes of free disk space. In our installation, a separate 60-GB drive is used as the RIS image folder.

  3. Set initial RIS functionality. You can define whether RIS responds to clients at all and control the initial status of the RIS service after this setup wizard is completed (as shown in the screen on the following page). When the server is configured to respond to clients, security can be tightened by instructing RIS not to respond to unknown clients.

  4. Specify the location of the initial source files by selecting the location of the operating system files to use as the source, which is typically the distribution CD (as shown in the following screen). The source could also be a network distribution share containing the distribution source files. In either case, these OS files are the first OS image to be made available by RIS.

  5. Create a name for the RIS installation image folder, as shown in the screen on the following page. The RIS installation image is placed in a folder named WINDOWS by default (contained under the RemoteInstall folder created by RIS in Step 1).

  6. Define the Friendly Description and Help Text, as shown in the following screen. You can customize the Friendly Description of the RIS installation image and set the Help Text to help distinguish between the OS images available through RIS.

    Note

    The Friendly Description and Help Text for a RIS image are drawn by default from the .inf files with the product's distribution files and can usually be left as is. In cases in which you will be presenting different configurations of the same operating system as options through the RIS server, however, text that is somewhat more descriptive is recommended. You should briefly explain the differences between the various configurations and the computers to which they are applicable.

  7. The Review Settings dialog box displays the configured information prior to finishing the image creation. Once you click Finish, the Remote Installation Services Setup Wizard routine completes the following installation tasks:

    • Creates the remote installation folder

    • Copies files needed by RIS

    • Copies Windows installation files

    • Updates CIW screen files

    • Creates unattended setup answer files

    • Creates the services used by RIS

    • Updates the Windows registry

    • Creates the single instance store volume

    • Starts the required remote installation services

    • Authorizes DHCP

    During the configuration of RIS and creation of the initial distribution folder, the root of the RIS distribution folder is shared automatically at \\ServerName\Reminst, where ServerName is the name of the RIS server. Three essential services were also installed and configured:

    • Remote Installation service

    • Single Instance Store

    • Trivial FTP Daemon

    These services must be running for RIS to work properly. You can check these services using the Services tool on the Administrative Tools menu. In Event Viewer, also accessible from the Administrative Tools menu, you'll find events for these services in the System log.

Customizing RIS

You can also configure the RIS server by double-clicking its computer account in Active Directory Users and Computers and then selecting the Remote Install tab, as shown below.

The following options are displayed:

  • Respond To Client Computers Requesting Services This instructs the RIS services to respond to client requests, effectively making the RIS server available to RIS clients on the network.

  • Do Not Respond To Unknown Client Computers If you select this option, the RIS server will disregard requests from unknown computers (that is, computers without an account in Active Directory). Access to the RIS servers can be restricted using this option—only prestaged computers (computers with accounts previously established in Active Directory) can access the RIS server and the OS images it hosts.

In addition to the settings in Active Directory that control how the server handles client requests, you can verify the RIS server configuration, gain administrative access to RIS clients using this server, and control management of RIS-installed computers.

To verify that the RIS server is correctly configured, click Verify Server in the Remote Install tab. RIS will analyze the configuration, repair any problems if possible, and report on the status of the server.

Clicking Show Clients loads the Find Remote Installation Clients dialog box, which lets you find and display known remote installation clients within the selected scope (the entire directory or a single domain).

Tip

Prestage client computers

When you prestage a computer, you can specify which RIS servers can provide installation services to it or allow it to be serviced by any available RIS server. This is configured in the Remote Install tab of the client computer's properties in Active Directory. For more information on prestaging computers, see the section entitled "Prestaging Clients in Active Directory" later in this chapter.

How client computer names are generated and where they are placed in Active Directory are controlled by settings available through the Advanced button (as shown in the following screen).

You can configure the naming format used for generating client computer names in the New Clients tab. Several naming formats are offered, including the following:

  • First initial, last name

  • Last initial, first name

  • First name, last initial

  • Last initial, first name

  • User name

  • The string "NP" with the Media Access Control (MAC) address appended

  • Custom

You can also specify the client account location—the place in the directory where the client computer accounts are established. You can store the new computer account in the default Active Directory location in the Computers container or the same location as the user creating the account, or you can select a specific location in the directory.

Tip

Computer accounts can have the same name as user accounts

For the purposes of applying Group Policy, computer accounts are commonly placed in Information Technology (IT)–designated OUs. Note also that computer accounts can have the same name as user accounts, which is why the naming options using parts of the user's actual name or logon are allowed. To prevent conflicts between like-named user and computer accounts, Active Directory adds a hidden dollar sign to the computer account name. This means the computer account WRSTANEK is actually WRSTANEK$. Yes, this is a fix to resolve a naming problem found in Microsoft Windows NT. In Windows NT, you couldn't have user and computer accounts with the same name.

To configure manually how the computer account names are created, select a naming option to use as the template, and then click Customize to open the Computer Account Generation dialog box, as shown in the screen on the following page. The initial custom name format is based on the naming option you used as a template. You can then modify the format and select from several variables to create a wide variety of name templates. A box at the bottom of the dialog box previews the naming formats for you. If you make a mistake in the formatting, it shows an error.

The variables that can be used in computer names include the following:

  • %First First name of user

  • %Last Last name of user

  • %Username Logon name of user

  • %Mac MAC address of the client's NIC

  • %# Used to specify an incrementing number

  • %n<field> Used to designate n characters of <field>

  • %0n<field> Used to pad n characters with zeros

For example, to have computer names generated from the first 10 characters of the user logon name plus the first 5 characters of the MAC address of the NIC plus an incrementing number, use this syntax:

%10Username%5MAC%#

You needn't get that fancy, though. Maybe you just want to use a standard root name and increment? Well, you can do that, too. Consider the following example:

cpandl%#

Here, all computer names begin with cpandl (which is the abbreviated company name for City Power & Light) and end with a number that is automatically incremented by RIS.
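Before a naming format goes live, it helps to preview the names it yields and check them for length and uniqueness. The following is an added example, not code from the book or from RIS: it expands templates according to the variable list above and flags names longer than the 15-character NetBIOS limit or that collide. The expansion semantics, the counter starting at 1 and advancing per client, and the client records are assumptions made for illustration.

```python
import re

NETBIOS_MAX = 15  # NetBIOS computer names hold at most 15 characters

# %[0][n]<field>: optional zero-pad flag, optional width, then the variable name
TOKEN = re.compile(r"%(0?)(\d*)(First|Last|Username|Mac|#)", re.IGNORECASE)


def expand(template, client, counter):
    """Expand one naming template for one client (assumed semantics, not RIS code)."""
    fields = {
        "first": client["first"],
        "last": client["last"],
        "username": client["username"],
        # keep only the hex digits of the MAC address
        "mac": re.sub(r"[^0-9A-Fa-f]", "", client["mac"]).upper(),
    }

    def substitute(match):
        zero, width, field = match.group(1), match.group(2), match.group(3).lower()
        value = str(counter) if field == "#" else fields[field]
        if width:
            n = int(width)
            # %0n<field> pads to n characters; %n<field> keeps the first n
            value = value.zfill(n) if zero else value[:n]
        return value

    name = TOKEN.sub(substitute, template)
    if "%" in name:
        raise ValueError("unknown variable in template: " + template)
    return name


def audit(template, clients, start=1):
    """Return (names, findings); findings flag over-long and colliding names."""
    names, findings, seen = [], [], set()
    for offset, client in enumerate(clients):
        name = expand(template, client, start + offset)
        names.append(name)
        if len(name) > NETBIOS_MAX:
            findings.append(("too_long", name))
        if name.upper() in seen:  # computer names are case-insensitive
            findings.append(("collision", name))
        seen.add(name.upper())
    return names, findings


# Constructed client records; only the WRSTANEK logon name appears on the page.
# All three MACs share a prefix, as NICs from one vendor do, so %5MAC adds
# almost no uniqueness here.
CLIENTS = [
    {"first": "William", "last": "Stanek", "username": "wrstanek", "mac": "00-0C-29-AB-CD-EF"},
    {"first": "John", "last": "Smith", "username": "administrator", "mac": "00-0C-29-12-34-56"},
    {"first": "Jane", "last": "Smith", "username": "jsmith2", "mac": "00-0C-29-65-43-21"},
]

if __name__ == "__main__":
    for template in ("%10Username%5MAC%#", "cpandl%#", "%1First%Last"):
        names, findings = audit(template, CLIENTS)
        print(template, names, findings)
```

With these records, the %10Username%5MAC%# format produces a 16-character name for any logon name of 10 or more characters, and a first-initial-plus-last-name format collides for users who share a surname and initial.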

Tip

It is important to note that name settings are ignored for prestaged clients. Prestaged clients were assigned names when their accounts were created in Active Directory.

You can view and manage the RIS installation images in the Images tab (as shown in the following screen). Information concerning each installation image is displayed—the image name, operating system it contains, platform it supports, and the language to which it is localized are all listed. You can add and remove images in this dialog box, while additional information and options are available by clicking Properties.

Note

The Add button lets you either associate an answer file with an image or create a new image.

You can modify the name and description of the image presented by the CIW (as shown in the screen on the following page). This wizard also contains additional details about the image, including version, language, date last modified, type of image, and RIS image storage folder. Security for the image is accessed by clicking Permissions. This lets you limit access to each OS image based on security group membership.

Controlling Access to RIS Servers

Access to RIS servers can be controlled by Group Policy, which allows you to manage network traffic and the workload of each RIS server. To access these settings, open a Group Policy Object, expand Computer Configuration, Windows Settings, Security Settings, System Services, and select Remote Installation Policy. By using this policy, you can configure the startup method for the RIS server and configure security permissions for users and groups.

Access to RIS servers can also be controlled by setting up prestaged computer accounts. During account creation, by selecting This Is A Managed Computer and specifying a globally unique identifier (GUID)/universally unique identifier (UUID), you have the option to specify which RIS server to use or to allow any available RIS server to be used. The GUID/UUID can be found in the system BIOS or it can be posted on the computer case.

Applying Security Permissions to RIS

You can set security permissions on RIS services and images to control access to remote OS installation. By setting security permissions on the image, you can specify the users and groups that are allowed to install from this OS image. You control the remote installation of the OS images by applying permissions to the default answer file for that image. For a RIPrep image, this file is Riprep.sif. For RISetup, this file is Ristndrd.sif. Right-click the file, and select Properties. In the Properties dialog box, shown in the screen on the following page, select the Security tab, and configure group and user names and the appropriate permissions.

Authorizing Users to Create New Computer Accounts

When RIS installs an operating system on a computer, a computer account is created in Active Directory. Therefore, engineers and administrators who will be performing RIS installations must be able to add computers to the domain. If the individuals performing RIS installations don't already belong to a security group that can add computers to the domain, they must be granted the right to do so before they can use RIS.

To do this, set permissions in Active Directory that allow the designated security group to add computers to the domain by following these steps:

  1. Log on to the domain with an account that has Administrator privileges, and then run Active Directory Users and Computers by clicking Start, pointing to Programs or All Programs, clicking Administrative Tools, and then selecting Active Directory Users And Computers.

  2. Right-click the appropriate domain node, and select Delegate Control to start the Delegation Of Control Wizard.

  3. Select the specific Users or Groups to delegate. Click Add, and then select a user or security group that will be responsible for using RIS. Repeat this step to add other users or groups.

  4. On the Tasks To Delegate page, select Join A Computer To The Domain as the task to delegate.

  5. Click Finish to complete the delegation of control.

Through delegation, you allow users to create computer accounts, but you don't miss out on the opportunity to allow users to help themselves. If Sally messes up her computer by installing things she shouldn't have installed, hand her a remote installation boot floppy disk, tell her to insert the disk, boot the machine and press F12 when prompted, and then follow the prompts, making sure to choose the appropriate image she needs. This way, Sally can help herself, and you can focus on other tasks, such as keeping the network running.

As long as Sally has been authorized to join a computer to the domain, she'll be able to complete the installation process. If she hasn't, though, she'll see an error telling her that she doesn't have permission to create or modify a computer account in the domain. Now you might be wondering why you need to authorize Sally to join a computer to the domain when any ordinary user can create a computer account. Well, if there is an existing computer account, RIS must delete the computer account and create a new one with the same name or change the password for the computer account, depending on the operating system. These procedures cannot be performed by ordinary users, which is why you must authorize the user to join a computer to the domain.

Users with the privilege to join a computer to the domain can create computer accounts and modify the computer accounts they've created. They won't, however, be allowed to modify the computer accounts other users have created. If you want to allow users to modify computer accounts created by other users, you must create a special RIS installers group, grant it this permission, and then add users who should have this permission to the group.

Creating a RIS Installers Group

To create a special group for RIS installers, follow these steps:

  1. Log on to the domain with an account that has Administrator privileges, and then run Active Directory Users and Computers by clicking Start, pointing to Programs or All Programs, clicking Administrative Tools, and then selecting Active Directory Users And Computers.

  2. Right-click the existing folder or organizational group into which you want to place the special group for RIS installers. Typically, this is the Users container, so right-click the Users folder, click New, and then select Group. This opens the New Object - Group dialog box.

  3. Type a name for the group, such as RISInstallers (as shown in Figure 6-1), and then click OK. By default, the group is created as a Global Security Group—which you'll learn all about in Chapter 37.

    Figure 6-1. Creating the RISInstallers group

  4. In Active Directory Users and Computers, select View, and click Advanced to enable the console to show advanced properties, such as the Security tab.

  5. Grant permission to add computers to the domain to the group you just created using the Delegation Of Control Wizard, as discussed in the previous procedure.

  6. By default, computer accounts are created in the Computers container. You must change the permissions on this folder to allow RIS installers to delete and change computer accounts. Right-click the Computers folder, and then choose Properties. On the Computers Properties page, click the Security tab, as shown in the following screen:

  7. Find the RISInstallers group in the Group Or User Names list box, click it, and then click Advanced to display the Advanced Security Settings For Computers dialog box, as shown in the following screen:

  8. Scroll down the list of labeled Permissions, as shown in the following screen. You should see that the Create Computer Objects permission is set to Allow. Select this entry, and then click Edit to display the Permission Entry For Computers dialog box, as shown in the following screen:

  9. Select Allow for Write All Properties and for Delete Computer Objects. Click OK to return to the Advanced Security Settings For Computers dialog box. Click OK twice more to close the dialog boxes. Now all you need to do is add the users who should have these permissions to the RISInstallers group.

Adding Members to the RISInstallers Group

To add members to the special RISInstallers group, follow these steps:

  1. In Active Directory Users and Computers, access the folder that contains the RISInstallers group.

  2. Right-click the group entry, and then click Properties.

  3. In the Members tab, click Add.

  4. Find an account to add, and then click OK. Repeat this step to add other accounts.

  5. Click OK to close the group Properties page.

That's it! Yes, it was a lot of work, but now you can let users help themselves.
