Windows Tips & Tricks UPDATE, March 29, 2004, —brought to you by the Windows & .NET Magazine Network and the Windows 2000 FAQ site
This Issue Sponsored By
Ecora Patch Manager
Symantec V2i Protector–Real-time Backup/Recovery
Sponsor: Ecora Patch Manager
Ecora is offering a FREE "Patch Management Best Practices" whitepaper which outlines steps you can take today to develop a comprehensive, reliable patch management plan for your organization. It identifies the challenges of patch management and walks you through a six-step process for setting up an effective procedure to protect your environment from vulnerabilities and security breaches. Whether you are a CIO, CSO, or harried Systems Admin or IT Manager, you need this whitepaper. Download it here:
- Q. What's Automated Deployment Services (ADS)?
- Q. How can I install Automated Deployment Services (ADS)?
- Q. How can I move the Automated Deployment Services (ADS) image store to a different disk?
- Q. I'm using the Novell NetWare client on my Windows XP installations with roaming profiles. Why do my users receive an error message every morning stating that their local profile is newer than the remote profile?
- Q. How can I use Group Policy to disable System Restore in Windows XP and later?
by John Savill, FAQ Editor, [email protected]
This week, I describe Automated Deployment Services (ADS), tell you how to install ADS, and explain how to move the ADS image store to a different disk. I also tell you why you might receive an error message when using the Novell NetWare client on Windows XP with roaming profiles and how to use Group Policy to disable System Restore in Windows XP and later.
Around the industry, VMware has released VMware Workstation 4.5.1. One of the cool new features is that the software now lets you perform a Preboot Execution Environment (PXE) boot straight from the BIOS. This feature is handy for demonstrating Microsoft Remote Installation Services (RIS) and ADS to clients. I suspect that Microsoft will release an update to Microsoft Virtual PC 2004 in the near future to include this functionality.
Sponsor: Symantec V2i Protector–Real-time Backup/Recovery
Every computer is vulnerable to data loss caused by viruses, faulty software, or hard disk failure. V2i Protector provides a real-time, disk-based backup and disaster recovery solution designed to capture a system's active state, including all server/desktop files and configurations. Using V2i Protector, you can quickly restore failed systems to a specified point-in-time without taking hours to manually reinstall and restore data from tape backup or rebuilding from scratch. Perform a full system restoration, a complete bare metal recovery or restore individual files and folders in minutes. V2i Protector also creates exact backups of volumes/partitions through the use of snapshot technology. Backups are created without disrupting data access or application usage. Click here to download an evaluation version today:
Q. What's Automated Deployment Services (ADS)?
A. ADS is a feature pack for Windows Server 2003, Enterprise Edition, and Windows 2003, Datacenter Edition, that lets you deploy Windows server OSs onto "bare-metal" servers over large installations. ADS provides several features, including the ability to
- use imaging technology to capture an image of a server as one file and store that file on a central server
- use a Preboot Execution Environment (PXE) boot, which is similar to Microsoft Remote Installation Services (RIS), or other methods such as the Windows Preinstallation Environment (WinPE) to deploy captured images to new servers (known as "devices" in ADS terms)
- administer a virtual 3.5" disk from the ADS server for deploying BIOS updates, RAID configuration information, or other tasks that typically require the machine to boot from a 3.5" disk
- create jobs to deploy to other systems (e.g., from the ADS server, you can perform a BIOS update, configure a RAID array, deploy an OS image, and run a script on 100 servers)
- mount images locally so that you can modify them
- use multicast instead of unicast (a RIS limitation) to perform bulk deployments of images, which minimizes network bandwidth
- use the ADS Administration Agent from the ADS console to run commands, programs, scripts, task sequences, and Windows Installer packages from one server or a predefined set of servers with minimum effort
- store configuration data in a Microsoft SQL Server or Microsoft SQL Server Desktop Engine (MSDE) database
ADS consists of three services and also relies on DHCP to let PXE clients obtain IP addresses. The first, the Controller service, is the core service of ADS. It performs all communication with the appropriate database and provides information to the other services. The ADS administration inputs (e.g., the Microsoft Management Console--MMC--snap-in, Windows Management Instrumentation--WMI--interface, command-line tools) need the Controller service to operate. The Controller service maintains records in a database for each ADS device (i.e., a server typically identified by its media access control--MAC--address). During the build process, the Controller service uses the Network Boot Services (NBS--explained in the next paragraph) to tell the PXE component to provide to the device the boot commands or images the device needs at each stage in the deployment process. In other words, the Controller service manages the task sequence for the installation. The Controller service lets you group servers into sets so that ADS can manage them as one entity for deployment and postdeployment administrative functions. You can also use references to link sets together, thereby forming a hierarchy.
The second service, the NBS, works with DHCP to help the PXE client locate the NBS server. NBS includes the ADS PXE service, the ADS Deployment Agent Builder service, and the Trivial FTP Daemon (TFTPD) service. The PXE service, which is part of NBS, can instruct the PXE client to download and boot an ADS deployment agent, boot a virtual 3.5" disk, or boot from the hard disk. With instructions from the Controller service, NBS is responsible mainly for building remote servers. To transfer data to these remote servers, NBS uses Trivial FTP (TFTP) in the TFTPD service. Because TFTP uses UDP instead of TCP, TFTP is connectionless and has little overhead--communication takes place over port 69. ADS's third service is the Image Distribution service. This service manages the storage of the OS images and the communication associated with images.
ADS uses two agents: the Deployment Agent and the Administration Agent. The Deployment Agent, which NBS boots over the network through PXE, uses a subset of Windows so that you can deploy systems from the ADS server. The agent also lets you download a disk image from or upload images to the ADS server. The Deployment Agent executes XML-based instructions (known as "task sequences") for typical jobs such as disk partitioning, modifying the registry, and copying extra files. The Deployment Agent is basically a scaled-down version of Windows 2003 that runs in memory. This figure shows the Deployment Agent capturing an image.
The Administration Agent is a service on the deployed OS that you must install before you image the OS. The Administration Agent lets the ADS server use Active Directory Services Interfaces (ADSI), the WMI Command-line (WMIC) tool, or Windows Script Host (WSH) on the deployed OS. You can also use the Administration Agent to execute other third-party scripting engines.
ADS also includes several tools to capture, open, modify, and restore images. You can even use certain tools to create or deploy images without using the Deployment Agent (e.g., in the WinPE), although the Deployment Agent uses TFTP for better performance and is typically the best option. The main tools are
- Imgdeploy--performs the image capture and restoration. When you restore an image, ADS captures local images on a file-by-file basis and defragments the image. Note that defragmentation doesn't occur when you perform a remote capture. In such instances, ADS performs a cluster-by-cluster capture; when you restore the remote image, any fragmentation that existed on the original system remains.
- Imgmount--lets you mount an ADS image as if it were a local drive so that you can modify the image.
- Adsimage--lets you list and deploy images.
ADS is a powerful new addition to the Windows Server family. ADS should ease administration in many environments, even those that don't use ADS's deployment functionality.
Q. How can I install Automated Deployment Services (ADS)?
A. You can install ADS only on Windows Server 2003, Enterprise Edition, or Windows 2003, Datacenter Edition. ADS also requires access to a Microsoft SQL Server database or a local Microsoft SQL Server Desktop Engine (MSDE) database. After you've met these requirements, you can download the ADS software from the Microsoft Web site.
After you download the software, execute the self-extracting downloaded file (by default, the file extracts to the C:\ADS folder). The software automatically starts a wizard to guide you through the installation process. When you run the wizard, you can opt to install the MSDE engine and the ADS Administration Agent.
During installation, the wizard prompts you to provide the Windows 2003 installation CD-ROM, so ensure that you have it on hand. To install ADS, perform the following steps:
- After you execute the downloaded file, navigate to the ADS folder and execute Adssetup.exe.
- Click Install Automated Deployment Services, assuming you've already installed SQL Server or MSDE.
- Click Next when you see the ADS Install Wizard welcome screen.
- Click "I accept the terms of the license agreement" on the license page, then click Next.
- Under Setup type, select Full Install and click Next.
- Select your database type (if you use SQL Server, enter the name of the machine to use), select the appropriate option to create a new database, then click Next.
- For the Network Boot Services (NBS) settings, select "Prompt for the path when required."
- For the Image Location service settings, select the path you want and click Next.
- If you have more than one IP address, ADS asks which one you want to use for ADS device communication. Click Next.
- Click Install at the summary screen.
ADS is now installed, and you're ready to configure and add devices.
Q. How can I move the Automated Deployment Services (ADS) image store to a different disk?
A. By default, ADS stores OS images in the C:\images folder. To change this location, perform the following steps:
- Log on to the ADS server as an administrator.
- Start a command prompt.
- Stop the ADS Image Distribution service by typing
net stop adsimgsvc
- Remove the ADS share by typing
net share ADSImages$ /d
- Move the images folder to the new disk.
- Create a new ADS share by typing
net share ADSImage$=For example, to create a new share called "images" on the E drive, type
net share ADSImage$=E:\images
- After you create the new share, you must change the permissions so that the Administrators and System groups have Full Control privileges and Network Service has Change and Read privileges. No other permissions should exist.
- Modify the registry so that the Image Distribution service knows in which folders you want to store the images. Start a registry editor (e.g., regedit.exe).
- Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\adsimgsvc\Parameters registry subkey.
- Double-click ImageRoot and change the value to the new path. Note that you must add an extra backslash (\) to the end of the string (e.g., E:\images\).
- Click OK.
- Restart the Image Distribution service by typing
net start adsimgsvc
Q. I'm using the Novell NetWare client on my Windows XP installations with roaming profiles. Why do my users receive an error message every morning stating that their local profile is newer than the remote profile?
A. I recently experienced this problem with a client's systems. After investigating the cause, I discovered that every time that XP's System Restore creates a new restore point, it changes the modification date of the ntuser.dat files in the local profiles to match the time when the system created the restore point. After the user logs off for the day and the system creates a restore point, the System Restore process updates the user's local profile date. Then, when the user logs on the next day, the local profile date is newer than the date on the network share, which prompts the system to display the error message relating to the local profile being newer than the remote profile. You don't typically experience this problem with a standard Windows logon because the Graphical Identification and Authentication (GINA) .dll file takes into account the restore point creation and avoids the problem. However, because many third-party GINAs (including Novell) don't account for creating restore points, some clients can receive this error message. To resolve the problem, you must stop the System Restore process.
Q. How can I use Group Policy to disable System Restore in Windows XP and later?
A. System Restore is a systemwide setting. As a result, you must disable it at the Computer Configuration level by performing the following steps:
- Load the policy that you want to modify. For example, go to Start, Programs, Administrative Tools, Active Directory Users and Computers; right-click a domain; select Properties; select the Group Policy tab; then create a new policy or edit an existing policy.
- Navigate to Computer Configuration, Administrative Templates, System, System Restore.
- Double-click "Turn off System Restore," set it to Enabled, then click OK.
- Close the policy.
The change will take effect at the next policy refresh.
(from Windows & .NET Magazine and its partners)
Stop wasting your valuable resources! Find out everything you need to know to secure your messaging environment including information about antigen antivirus solutions, antispam, and content filtering. Get access to FAQs, free seminars, and the latest articles. Take the Sybari survey for a chance to win a $100 gift card!
SQL Server Magazine is a 360-degree resource loaded with must-read information covering database modeling, ADO.NET, XML, performance tuning, security, and the latest topics that SQL Server database developers, administrators, and business intelligence architects need to know. Try two (no-risk) sample issues today, and discover the timesaving qualities the magazine has to offer. Click here:
(A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events )
Get the inside scoop on how Enterprise Rent-A-Car eliminated spam and viruses, improved their email security, and increased productivity. Don’t miss this opportunity to educate yourself and become a smarter customer when it comes to choosing an antispam solution that best fits your organization’s needs. Sign up for this free Web seminar today!
Here's how to reach us with your comments and questions:
- About the newsletter — [email protected]
- About technical questions — http://www.winnetmag.com/forums
- About product news — [email protected]
- About your subscription — [email protected]
- About sponsoring UPDATE — [email protected]
This weekly email newsletter is brought to you by Windows & .NET Magazine, the leading publication for Windows professionals who want to learn more and perform better. Subscribe today.
Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.