Understanding Remote Installation Services

Remotely install new Win2K Pro images to workstations in your network

EDITOR'S NOTE: Portions of the following article were adapted from Sean Daily and Darren Mar-Elia's The Definitive Guide to Windows 2000 Administration (Realtimepublishers.com).

It's 8:00 a.m. Monday morning, and you're sitting back in your chair with a cup of coffee reviewing Friday's backup logs. Just then, you receive a call from Craig, the manager of one of your organization's branch offices, whose PC suffered a hardware meltdown over the weekend. Craig's office is a support nightmare because the branch is too small to have a dedicated IT person on staff, but they're too close to the home office for you to outsource their IT support needs to a third-party service provider. Craig is upset because quarterly reports are due and he needs access to the financial applications on his computer pronto. Your palms begin to sweat as you think about the impending 150-mile drive to Craig's office and the time required to rebuild him a new system from scratch. Suddenly you remember the new service you recently set up on the server at Craig's branch office. Instead of jumping in your car, you ask Craig to go to a spare PC (luckily, you had the forethought to order a spare PC for each branch office), connect it to the network, and power it up. Twenty minutes later, Craig calls back to inform you that he now has a fully functional Windows 2000 system, complete with all his office productivity and financial applications. As you hang up, you can't help smiling and wondering if this experience is going to spoil you.

A fictional story? Thanks to a new technology in Win2K, Remote Installation Services (RIS), this scenario can be a reality for network administrators. To benefit from this service, you'll need to become familiar with RIS's features, limitations, and procedures, as well as the little-known tips and tricks that can help improve your RIS experience.

RIS Rudiments
RIS is a set of technologies that let administrators install new Win2K Professional images to remote workstations in the network. RIS differs from earlier deployment technologies (e.g., unattended installations and disk cloning) in that it has low requirements for target workstations. (For more information about unattended installations, see "Related Articles in Previous Issues.") Whereas some deployment methods require the receiving client to already have an existing version of Windows or a complex network-enabled boot disk installed, you usually start RIS installations over the network without a boot disk or an existing OS installation on the target system.

The RIS deployment process involves a client and one or more servers, and works through the cooperation and interaction of several services and technologies, including DHCP, DNS, Active Directory (AD), Boot Information Negotiation Layer (BINL), Single Instance Storage (SIS), and Trivial File Transfer Protocol (TFTP). RIS servers, which house the OS images for remote deployment, are authorized and registered in DNS and AD and make their images available to requesting client workstations.

Client workstations use a special network boot technology, Preboot Execution Environment (PXE), to boot from the network, after which they locate a RIS server and download an OS image. The client's system BIOS, network adapter, or both can provide PXE support. (PXE support is part of the NetPC and PC98 0.6 and later industry specifications, but RIS requires PXE .99c or later.) For systems that don't have PXE support, Microsoft provides the Remote Boot Floppy Generator (RBFG) utility. This tool provides PXE support for a limited number of PCI-based network adapters.

In RIS deployments, a RIS client boots from the network or an RBFG-created boot disk, and uses PXE to obtain an IP address and the necessary information to locate and initiate a session with a RIS server. The RIS server and client then use TFTP to transfer to the client the Custom Installation Wizard, which lets the client's user authenticate in AD and select a RIS image from the server. This selection starts the transfer process, after which the client has a fully functional Win2K installation (which can include applications and a customized configuration).

Preparing Your RIS Environment
The RIS deployment process involves several elements, so successfully configuring a RIS environment and deploying RIS images requires planning. You must ensure that you properly configure your Win2K network environment, RIS servers, and clients.

First, consider whether your RIS servers and clients meet the minimum system requirements. Notwithstanding Microsoft's anemic minimum system requirements, based on experience, I've developed the following requirements for a RIS server: Pentium II processor or better; 128MB of RAM or more (more if the RIS server will also run services such as AD, DHCP, and DNS); 2GB of hard disk space or more on the NTFS-formatted volume that will store the RIS images; and a 100Mbps or faster network adapter. To install RIS on a server, you must have an NTFS volume separate from the Win2K system partition and boot partitions.

RIS clients must meet Win2K's minimum hardware requirements. In addition, they must have a PXE-based boot ROM .99c or later, or an RFBG-supported network adapter.

When planning your RIS environment and server configurations, consider the effect that RIS will have on server and network bandwidth. RIS's primary function is to deliver large installation images to client PCs over the network, so you should treat capacity planning for a RIS server in a similar manner to that of file or Web servers.

The RIS deployment process mainly consumes disk and network resources, and the level of consumption depends on the number of clients the RIS server is serving at any given time. As a result of RIS's installation-oriented nature, it won't act as a continuous drain on resources but as an occasional drain. Most organizations tend to simultaneously deploy machines in groups, so you'll discover that RIS servers are either delivering images to many systems at once or none. This all-or-nothing reality is an important factor in planning your RIS server configurations—overbuilding RIS servers for a one-time deployment isn't cost-effective.

RIS relies on several Win2K networking services, which creates requirements that you should consider before deploying RIS. First, RIS requires an AD-enabled Win2K network because the service is fully AD-integrated and uses AD to locate existing clients and RIS servers. In addition, DNS is an integral, mandatory part of any AD-based Win2K network; thus, RIS requires DNS servers in the network. However, RIS doesn't require you to use Win2K's DNS services; you can use a third-party DNS server product as long as it supports service resource records (SRV RRs, which Internet Engineering Task Force—IETF—Request for Comments—RFC—2052 defines), and dynamic updates (which RFC 2136 defines).

In addition, all RIS clients must be able to reach a DHCP server because DHCP provides RIS clients with their IP addresses. You can use a third-party DHCP product in lieu of Win2K's DHCP services.

Authorizing RIS Servers in AD
After you ensure that your basic Win2K network architecture is in place, the next step in your RIS-environment preparation is to pre-authorize all your RIS servers in AD as permitted DHCP servers. This step is necessary because RIS is a secure, AD-integrated service and therefore requires that RIS clients and servers be validated against AD. Although RIS and DHCP services are separate entities, RIS servers are AD-authorized through the DHCP management utility as if they were DHCP servers. (If you're installing RIS on an existing DHCP server that is already AD-authorized, you don't need to complete this authorization process.) The following steps walk you through how to authorize a RIS server as a DHCP server in AD:

  1. Log on as a member of the Enterprise Admin group for the forest within which your RIS server will provide services.
  2. Run the Microsoft Management Console (MMC) DHCP Management snap-in from the Start, Programs, Administrative Tools menu.
  3. Right-click DHCP in the console's left pane, and select Manage Authorized Servers.
  4. In the resulting dialog box, click Authorize. Next, you enter the IP address of the RIS server you want to authorize in the Name or IP address text box, which Figure 1 shows.
  5. Click OK to confirm your entry.

Changes to AD take time to propagate to the domain controllers (DCs) in your network. If you authorize a RIS server and you need the change to take effect immediately on a particular DC, you can use the following command at a command prompt on the DC:

secedit /refreshpolicy /machine_policy

Installing and Configuring RIS
At this point, you're ready to install and configure RIS on your target server. You install RIS as an optional component either during the initial Win2K Server installation or later from the Control Panel Add/Remove Programs applet. If you install RIS on an existing server, you must restart the server after you select the option to install this component from the Add/Remove Programs applet.

After rebooting the server, RIS will be available on the machine in an unconfigured state. When you log on, the system will automatically launch the Remote Installation Services Setup Wizard (risetup.exe), which Figure 2 shows. The wizard walks you through the steps required to get your RIS server running and ready to provide installation images to clients.

The first step in the wizard is to select a folder to serve as the root of the installation folder structure. By default, the wizard selects the first NTFS volume that isn't the system or boot partition and creates a \RemoteInstall folder.

Next, you select whether the RIS server will respond to requesting RIS clients. By default, this option is off. Although this option seems odd, it lets you complete the installation process and fine-tune the configuration before you enable RIS. In the same dialog box, you can select whether the RIS server will respond to unknown clients. By default, the server will respond to any requesting client. To configure the server to respond only to clients that you've pre-authorized on the RIS server, select the Do not respond to unknown client computers check box.

The wizard then prompts you for the Win2K Pro CD-ROM or the location of a hard-disk-based distribution folder that contains the Win2K Pro installation files. After you specify the CD-ROM or the location of the folder, RIS Setup uses the files to build a RIS image. Usually, the Win2K Pro installation files you specify are a basic installation image. After you specify the location of the installation files, the wizard asks you to specify a folder to contain the RIS image. This folder will be under the \RemoteInstall\Setup\English\Images folder on the RIS server. The wizard provides a default folder name of win2000pro, but you can change the name to any name you prefer.

In the next step, the wizard offers you an opportunity to give the image a descriptive name. This description will appear in the list of installed images on the server and as the name displayed to the remote user who is installing the image. Therefore, be sure that the description you assign to the image is clear and reflects its contents (e.g., a description of Windows 2000 Professional is much better than W2KP).

After you specify the location of your initial RIS image and give it a folder and descriptive name, the setup wizard builds the image and installs and configures several ancillary services RIS relies on, including the BINL service, SIS Filter driver, SIS Groveler service, and TFTP service. (For more information about SIS, see the sidebar "SIS: Disk Space Savings for RIS," page 94.)

Preparing RIS Clients
The last step in the RIS deployment process is preparing the clients that will receive an installation image. A client can receive a RIS image using built-in PXE BIOS support or an RBFG-generated boot disk. If your client workstations provide PXE BIOS support, configuring your clients to use RIS will be as simple as configuring the system BIOS so that the machine includes the option to boot from the network in the list of boot device selections. However, if one or more of your clients don't provide PXE support, enabling RIS will involve using the RBFG utility to create a boot disk.

Using the RBFG Utility
Win2K automatically installs the RBFG utility on a RIS server in the \RemoteInstall\Admin\i386 folder. This folder is accessible over the network through the RemInst share, which the RIS setup wizard automatically creates and in which the Uniform Naming Convention (UNC) pathname to the file is \\RIS_server_name\RemInst\Admin\i386\Rbfg.exe.

After running the utility, you can create a boot disk or display a list of the supported PCI adapters, as Figure 3, page 94, shows. Unlike disks created with the network client setup program that Windows NT 4.0 provides, an RBFG-created disk isn't adapter-specific: The disk that the utility creates is the same regardless of the NIC in the machine on which you create the disk because the adapter type is auto-detected during system boot. Thus, the same disk will work for any machine that has an RBGF- and RIS-supported PCI adapter.

The Client Installation Wizard
After someone uses an RBFG-created boot disk or the system's native PXE support to boot the remote client, the client side of the RIS installation process begins. First, the client presents the user with a message that the client has obtained a DHCP address from a DHCP server. Then a message appears, telling the user to Press F12 for Network Service Boot. The user must press F12, or the client will skip the network boot process, and the installation process won't begin.

After the user presses F12, the client loads a binary setup image from a RIS server. This text-based program is the Client Installation Wizard, which handles the client side of the RIS installation process.

After the opening screen, the wizard prompts the user for authentication. This authentication feature provides several important security and management benefits to RIS administrators. For example, it prevents unauthorized users from installing RIS images; at the administrator's choice, it lets the username server as a basis for choosing the machine name; it lets administrators assign particular users to specific RIS servers; and it lets administrators control and limit the image choice that the image menu displays to users.

After the user provides a username, password, and domain name, the wizard authenticates the user against AD and assigns him or her a RIS server. The server then displays a menu of installation image choices to the client. After the user selects an image, the Client Installation Wizard displays a final screen warning that the installation process will repartition and reformat the disk, a process that will destroy any exiting data on the drive. After the user confirms that the installation can proceed, the setup image for the selected image is transferred to the workstation through TFTP and the installation process begins.

RIPrep: RIS Meets Disk Cloning
Although using RIS images based on CD-ROM or disk-based installation folders is fairly handy, some administrators might long for the convenience of disk duplication and cloning utilities because of these methods' ability to duplicate an entire system, including applications. However, RIS and disk imaging aren't mutually exclusive. In Win2K Server, Microsoft includes RIPrep (riprep.exe), a utility that lets you roll back and image a preconfigured Win2K system—complete with applications—to a state at which duplicating is safe.

RIPrep strips an installed system of its unique identification configuration data (i.e., SID and computer name). RIS servers host and deploy RIPrep-created images. The following list provides the requirements and limitations of RIPrep:

  • RIPrep works only with Win2K Pro.
  • The target computer that receives a RIPrep image must have a hard disk at least the size of the source computer's primary disk partition and must have the same hardware abstraction layer (HAL).
  • Microsoft designed RIPrep to duplicate only the first partition of the first hard disk (i.e., the boot and system partition), which must contain Win2K Pro and all the applications you want included in the RIPrep image.
  • RIPrep images tend to be larger than CD-ROM and distribution folder images because they hold an uncompressed copy of the source computer's primary disk partition, including applications.
  • To use RIPrep images on a RIS server, you must ensure that you have CD-ROM and distribution folder images on the same server, for the same product and language. The reason is that in situations in which the drivers required for the target computer differ from those of the original source computer, the RIPrep answer file references the CD-ROM and distribution folder images to gain access to text-mode drivers.

The RIPrep Deployment Process
After you ensure that your RIS environment meets RIPrep's requirements, you can use the following steps to create and deploy a master RIPrep image. First, install and configure your master (i.e., source) computer. When partitioning the system's drive, use only the first partition and make it as small as possible with enough space to hold only Win2K and the applications and utilities you want the image to include. The size of the source computer's partition determines the minimum disk size requirement for your target systems.

Next, log on to the system with a user account and configure the Win2K environment, including network, security, user, and desktop settings. You then install every application that you want the master image to contain. Install these applications from a location that will be available later (e.g., a network UNC pathname or drive letter and path) so that they can access additional or updated files as necessary. If you install from a temporary location or a drive that might not be available on a target computer, you might encounter problems. In addition, refrain from installing applications that are .msi packages installed through Group Policy Objects (GPOs).

Next, verify that you've properly configured your master system and tested all applications. You can't edit a RIPrep image after you create it. If you don't properly set up your RIPrep image, you have to start the imaging process from scratch.

After the system is ready, run the RIPrep utility on the source computer. The RIS installation automatically installs RIPrep under the RemInst share of every RIS server, and it's accessible using the UNC pathname \\RIS_server\RemInst\Admin\i386\Riprep.exe. Running this utility launches the Windows 2000 Setup Manager Wizard, which Figure 4 shows.

In the dialog boxes that follow, the wizard will prompt you to specify the RIS server name that will hold the RIPrep image, assign an image folder name, and provide the image with a descriptive name. At the end of the configuration process, the wizard lets you review and confirm your settings. When you're ready, click Next to start the image-creation process. At this point, the wizard strips the machine of its SID and other unique information and generates an image on the specified RIS server.

To create a RIPrep image on the server, the account you're logged on to on the source computer must have backup privileges. If you're logged on as the domain or local administrator, you automatically have this permission.

After you've used RIPrep to create images, you can configure security to control access to them. To do so, remove the reference to the Everyone group from the ACL associated with each answer file related to your RIPrep images (i.e., the .sif file in the image's \i386\Templates subfolder). Then add Read permissions for each user or group that is allowed to access and install the image.

If you're planning to include Microsoft Office 2000 in a RIPrep-created image, you must turn off 8.3 filename creation, which creates DOS-compatible filename equivalents for long filenames. (This option is enabled by default.) To do so, use a registry editor to navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem subkey, add (or modify if it already exists) an NtfsDisable8dot3NameCreation value of type REG_DWORD, and set its value to 1 (the default value is 0). Then reboot the machine to cause the change to take effect.

Managing RIS Servers and Images
After you use the RIS setup wizard to get your RIS server up and running, you can concentrate on the next phase of RIS administration—long-term maintenance of images and other configuration settings. Over time, you'll need to perform several maintenance activities on your RIS server, including managing images and changing client naming conventions.

To manage a RIS server's configuration and installed images, run the MMC Active Directory Users and Computers snap-in on any server that has RIS installed. After you load the snap-in, locate the RIS server you want to manage by opening its organizational unit (OU) container. Right-click the server, and select Properties. If the server you're working on has the RIS component installed, you'll see a Remote Install tab, which Figure 5 shows, in the Properties dialog box.

If you need to manage a RIS server from a Win2K Server system that doesn't have RIS installed, you have several options. You can install and configure Win2K Server Terminal Services in remote-administration mode on the RIS server and the Terminal Services client on the server that you want to use to manage the RIS server. Then use a terminal session to manage the remote RIS server.

Alternatively, you can install the RIS component on the server that you want to manage the RIS server from, but cancel the configuration and setup of RIS when the RIS setup wizard launches. This method provides the modified Properties dialog box, which includes the Remote Install tab in the Active Directory Users and Computers snap-in.

One of the most common administrative tasks on a RIS server is managing images. Although RIS doesn't provide a dedicated management console (e.g., an MMC snap-in), you can use a RIS server's Properties dialog box in the Active Directory Users and Computers snap-in. To do so, run the Active Directory Users and Computers snap-in on any RIS-enabled server and locate the RIS server's parent container in the left pane. Right-click the RIS server you want to manage, and select Properties from the pop-up menu. On the Remote Install tab of the Properties dialog box, click Advanced Settings. The resulting Images tab, which Figure 6 shows, displays a list of the currently installed images on this server. At this point, you select an image and click Remove to delete it, Properties to change the image's description, or Add to launch the Add New Image Wizard.

Alternatively, to add a new image to a RIS server, run risetup.exe, and in the first dialog box, select the option to add a new image. Or, use the following command to launch the RIS setup wizard:

risetup 	add

RIS Is Great, but Not Perfect
Although RIS is a wonderful new technology, it has a major and unfortunate shortcoming: limited network adapter support. As of this writing, RIS supports only 25 PCI-based network adapters (this number includes standard peripheral cards and some motherboard-embedded network adapters). The PCI-specific support also means that systems with network adapters that use other bus types (e.g., ISA, EISA) and laptop systems that use PC Card or CardBus-based network adapters can't use RIS. (However, I'm aware of at least one laptop model—IBM Thinkpads—that uses a mini-PCI slot type that supports PXE and RIS.) The most represented brand of network adapters that RIS supports is 3Com, although the list also includes models from Intel, Digital Equipment, SMC Networks, and Hewlett-Packard (HP). The 3Com-centric list isn't surprising given that a subsidiary of 3COM, Lanworks Technologies, developed RIS's remote boot technology.

Related Articles in Previous Issues
You can obtain the following articles from Windows 2000 Magazine's Web site at http://www.win2000mag.com.

"Customizing Unattended Win2K Installations," January 2000, InstantDoc ID 16219
"Remotely Deploy Windows 2000," May 2000, InstantDoc ID 8433
"Using Win2K's Remote Installation Service," September 1999, InstantDoc ID 7109
"Windows 2000 Professional Deployment Options," March 2000, InstantDoc ID 8142
Although Microsoft has promised regular updates to the list of RIS-supported network adapters, no such updates have appeared thus far. This shortcoming keeps RIS out of the hands of many companies. If you're one of the organizations left out in the cold as a result of RIS's feeble adapter support, I encourage you to write Microsoft at [email protected] and request that the company provide RIS support for your network adapter brand and model.

In addition to its lack of adapter support, RIS has other notable shortcomings. For instance, RIS supports imaging only one volume—the C drive—to a RIS client. In addition, Microsoft designed RIS to provide only Win2K Pro images, so you can't use it to deploy other client OSs such as NT, Windows Millennium Edition (Windows Me), and Windows 98.

Despite these shortcomings, RIS is an important technology that will prove invaluable to many Win2K administrators. RIS can help facilitate initial machine rollouts and the type of machine replacement that saved the day for Craig. However, using RIS successfully requires a commitment on your part: Specifically, you must maintain up-to-date RIS images. If you take the time to augment your RIS deployments by combining RIS with other deployment tools such as RIPrep, you can turn this new technology into an amazing timesaver that lets you sit back, relax, and finish your cup of coffee.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.