DEPLOYMENT TACTICS

Microsoft's New SysPrep Tool

Support for cloned systems

BUILDING LARGE NETWORKS takes time. The more systems you need to build, the longer the rollout will take. Suppose you have to build 500 Windows NT 4.0 workstations from scratch. If each system build takes an hour, this 500-hour rollout will take one administrator 12 forty-hour weeks and 2.5 days to complete, or four administrators 3 weeks and 5 hours to complete, and that assumes each workstation takes only 1 hour to build. With applications added to the OS installation, the build time grows further, and the total cost of owning those workstations grows with it.

Disk-cloning software can address the cost-of-ownership problem. With cloning software, you install and configure a complete system software package once and clone the installation to numerous additional workstations. After you complete the initial installation, the cost of putting that installation onto other systems drops tremendously, because all cloning requires is the time to copy one disk to another.

An OS decides which drivers and configuration settings to install by examining the hardware platform it runs on. Therefore, to clone systems, you must ensure that all cloned machines use identical hardware. Otherwise, the wrong drivers will be in place and the machines will fail to operate correctly. Administrators who use dissimilar hardware must reinstall the proper hardware drivers after the cloning, and that task defeats the purpose of cloning.

In the past, Microsoft hasn't supported cloned systems because of problems inherent in the cloning mechanism. NT systems require unique security IDs (SIDs) to operate correctly in a networked NT environment, so each cloned NT system needs a SID of its own. SID generators, such as Norton Ghost Walker and Systems Internals' NewSID, create unique SIDs to assign to cloned NT systems. SID generators work well, as long as you understand the limitations and pitfalls involved in cloning one system to another. However, Microsoft supports only its own tool: a cloned system is supported only when its SID comes from the company's new System Preparation (SysPrep) tool. (For information about obtaining SysPrep, go to the Microsoft Web site at http://www.microsoft.com/ntworkstation/deployment/deployment/syspreptool.asp.)

Introducing SysPrep
SysPrep is a SID generator that works with third-party disk-cloning tools such as Norton Ghost. SysPrep generates a unique SID and sets a few vital system parameters, such as the machine's NetBIOS name and the initial administrator account password.

SysPrep requires that you install NT Workstation 4.0 using a CD-ROM and that you participate in Microsoft's Select, Open, or Enterprise licensing programs. (For more information about Microsoft volume software licensing and program requirements, go to the Microsoft Web site at http://www.microsoft.com/licensing.)

Be aware that the various NT master installation CD-ROMs differ, and SysPrep can detect the difference and enforce the licensing program restriction. Open and Enterprise license customers therefore need to run SysPrep with the -defeat command-line switch to override the detection mechanism; NT installations made from the Select CD-ROMs don't require the override.

SysPrep supports NT Workstation 4.0 and can support NT Server 4.0 as a standalone server. Microsoft plans to ship SysPrep with the Windows 2000 (Win2K) release. SysPrep won't work with Primary Domain Controllers (PDCs) and Backup Domain Controllers (BDCs); NT 3.51 or earlier; NT Server, Enterprise Edition; NT Server 4.0, Terminal Server Edition; or BackOffice Small Business Server (SBS).

Besides these limitations, SysPrep has other caveats, which the product's README file explains. For example, you can't preinstall Systems Management Server (SMS) client software on the source PC you clone to other systems. You must install the SMS client to each cloned system after you boot the cloned system for the first time.

Hazards of Cloning NT
Let's examine the pitfalls of cloning systems and generating SIDs outside a normal NT installation. First, NT generates many identifiers on the fly: when you create a user account, create a new user group, or join an NT system to a domain, the OS generates unique IDs. Additionally, some software installations, such as third-party system services, need a unique ID if the service requires an account to run under.

NT uses SIDs to learn where actions originate and to determine whether those actions are authorized. Because SIDs are the heart of NT system security, SID generators must create unique SIDs correctly, and they must run at the right time. Any software that records a local account SID before SysPrep generates the new machine SID during the clone's initial boot will find that SID invalid afterward.

The software becomes invalid because of the way SID generators create SIDs. Here's what happens. When you first install NT, the setup routine generates a unique machine SID. The computer uses this SID as the prefix for all the machine's local accounts; each account's SID is the machine SID followed by a relative ID (RID). Suppose, for example, that the machine SID is XYZ123, and you create two new user accounts for system services to run under. The SIDs for those accounts are XYZ123-1000 and XYZ123-1001. When SysPrep runs on the clone, it changes the machine SID prefix. Let's assume the new prefix is PEG4555. When the system services try to start using their stored SIDs of XYZ123-1000 and XYZ123-1001, they fail their security authorization, because the system now knows those accounts only as PEG4555-1000 and PEG4555-1001.

Leaving duplicate SIDs in place, however, can wreak havoc and cause major operational failures enterprisewide. For instance, in a workgroup you would have no way to differentiate a local account from the corresponding account on another clone, because accounts created in the same order on identical clones receive identical SIDs. Access restrictions would be wide open, even with permissions set, because NT compares only the account SID and never the account name: a permission granted to a user on one clone is honored for the same-SID user on every other clone. (For details about group accounts with default SIDs, see the Microsoft article "SID Values For Default Windows NT Installations" at http://support.microsoft.com/support/kb/articles/q163/8/46.asp.)
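To make the prefix-and-RID mechanism concrete, here is an added example in Python. It is not code from the article and not SysPrep's own logic; it models the two situations described above: a service whose stored account SID goes stale when the machine SID changes, and two clones that never ran a SID generator, whose identically numbered accounts satisfy each other's permissions. The machine SIDs, account names and ACLs are constructed. The real SID format is used rather than the article's XYZ123 shorthand: a machine SID is S-1-5-21 followed by three numbers, and a local account is that prefix plus a RID.

```python
import re

# Added example, not from the article or from SysPrep.
# A local account SID is <machine SID>-<RID>. NT setup generates the machine
# SID once (S-1-5-21 followed by three numbers); the relative ID (RID) names
# the account within that machine: 500 = Administrator, 501 = Guest, and
# accounts you create start at 1000.
MACHINE_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Constructed machine SIDs for the source PC and for a clone after SysPrep.
SOURCE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
CLONE_SID = "S-1-5-21-4444444444-5555555555-6666666666"


def split_sid(sid):
    """Return (machine_prefix, rid) for a machine-relative SID.
    Well-known SIDs such as S-1-5-18 (LocalSystem) or S-1-5-32-544
    (BUILTIN\\Administrators) carry no machine prefix and yield (None, None)."""
    m = MACHINE_SID_RE.match(sid)
    if m is None:
        return None, None
    return m.group(1), int(m.group(2))


def change_machine_sid(sids, old_prefix, new_prefix):
    """The rewrite a SID generator must apply to every SID it finds in the
    SAM, the registry and file ACLs: swap the old machine prefix for the new
    one, keep the RID, and leave well-known SIDs alone."""
    out = []
    for sid in sids:
        prefix, rid = split_sid(sid)
        out.append("%s-%d" % (new_prefix, rid) if prefix == old_prefix else sid)
    return out


def access_allowed(token_sids, acl):
    """NT's check in miniature: an ACE matches when its SID is in the token,
    compared by value. Account names never enter into it."""
    return any(sid in token_sids and access == "allow" for sid, access in acl)


def service_logon_after_sysprep():
    """A third-party service installed on the source PC recorded its account
    SID, SOURCE_SID-1000. After SysPrep re-prefixes the SAM the account exists
    only as CLONE_SID-1000, so a lookup by the stored SID finds nothing and the
    service cannot start. BUILTIN\\Administrators, a well-known SID, is unaffected."""
    sam = {SOURCE_SID + "-1000": "SvcBackup", "S-1-5-32-544": "Administrators"}
    stored_service_sid = SOURCE_SID + "-1000"
    new_sam = dict(zip(change_machine_sid(list(sam), SOURCE_SID, CLONE_SID),
                       sam.values()))
    return {
        "service_resolves": stored_service_sid in new_sam,
        "account_at_new_sid": new_sam.get(CLONE_SID + "-1000"),
        "admins_resolve": "S-1-5-32-544" in new_sam,
    }


def duplicate_sid_exposure():
    """Two clones that never ran a SID generator both carry SOURCE_SID. The
    first account created on each gets RID 1000, so Alice on clone A and Bob
    on clone B hold identical SIDs, and an NTFS ACL written on clone A for
    Alice admits Bob when the disk is moved to clone B. Re-prefixing clone B
    closes the hole. Returns (allowed_without_sysprep, allowed_after_sysprep)."""
    acl_written_on_a = [(SOURCE_SID + "-1000", "allow")]           # Alice
    bob_without_sysprep = {SOURCE_SID + "-1000", "S-1-5-32-545"}    # + Users
    bob_after_sysprep = {CLONE_SID + "-1000", "S-1-5-32-545"}
    return (access_allowed(bob_without_sysprep, acl_written_on_a),
            access_allowed(bob_after_sysprep, acl_written_on_a))


if __name__ == "__main__":
    print(service_logon_after_sysprep())
    print(duplicate_sid_exposure())
```

The point of `change_machine_sid` is the filter on the prefix: a SID generator that blindly rewrote every SID would corrupt well-known SIDs such as BUILTIN\Administrators, and one that rewrote only the SAM would leave file and registry ACLs pointing at accounts that no longer exist.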

A similar problem arises if you contemplate cloning NT domain controllers (NT 4.0 domains have a single master, the PDC, and SysPrep supports neither PDCs nor BDCs). Without unique SIDs, you can't guarantee access control.

Using SysPrep Is Easy
You clone a system with SysPrep in four basic phases: installing NT, installing applications, running SysPrep, and cloning the disk image to other disks. Let's take a close look at the details. Running the NT installation routine is self-explanatory. Be aware, however, that you're installing an OS and its components on a source PC to clone to other systems, so every cloned system will carry the configuration you define on the source PC until you modify the clone to operate otherwise. Be sure you load the latest service pack and any post-service-pack hotfixes you require. (To obtain service packs and hotfixes, go to the Microsoft FTP site at ftp://ftp.microsoft.com/bussys/winnt/winnt-public.)

During the NT installation, you need to define an administrator account password. Microsoft recommends that you leave this password blank (NULL) during the setup of the source PC. If you don't, errors result when SysPrep's mini setup wizard runs during a cloned system's initial boot.

You might think that a blank administrator password would open a window in which an intruder could tamper with the system over the network before you had a chance to set the password, but such isn't the case. The first time you boot the cloned system, SysPrep's mini setup wizard requires you to set the password. You can set it manually by answering the wizard's dialog box or by using a predefined configuration file that the mini setup wizard recognizes. Two cautions still apply: the disk image itself contains the blank-password account, so keep the image on protected storage, and a password you place in the configuration file travels with the image, so use a temporary value there and change it once the clone is in service.

When you have installed and configured the OS to your liking, the next step is to install any applications and third-party services you want to run on each cloned machine. Virus scanners, personal desktop firewalls, management tools, and development platforms can all be installed at this point.

Keep in mind that any application or service that requires its own user account will fail when you boot the cloned system for the first time, for the reasons given in "Hazards of Cloning NT." For now, you must install these packages after you first boot the cloned system.

To use SysPrep, you must copy it onto the source PC. Be aware that if you copy the software into a subdirectory directly under the root of the NT system drive, SysPrep deletes itself from the drive once it runs. For example, if you install NT into C:\winnt, installing SysPrep into C:\sysprep causes SysPrep to delete itself after running. Installing SysPrep in any other directory won't cause it to delete itself.

After you install the necessary services and applications, run SysPrep by double-clicking its program name in NT Explorer or by entering the program name at the command line in a command shell. Command-line options govern SysPrep's operation: the -quiet switch tells SysPrep not to display any messages while it runs, and the -reboot switch tells SysPrep to reboot the system when it completes. Additionally, you can specify a script filename on the command line that tells SysPrep where to find predefined parameters. Table 1, page 88, shows SysPrep's definable parameters.

Remember that to use SysPrep, you must use the Select licensing version of the NT installation CD-ROMs (or override the detection mechanism for the Open or Enterprise versions). When you use the Select CD-ROMs to install NT and run SysPrep, the program presents a dialog box asking for your organization name, volume license agreement contract number, type of volume license, and license count. After SysPrep confirms the information you entered, SysPrep terminates, and you can use a third-party disk-cloning tool to clone the source PC to other hard disks. When you put a cloned disk into a computer (whether you restored a disk image or moved a physical disk) and power it on, the cloned system boots and automatically runs the SysPrep-generated mini setup wizard.

The wizard prompts you for information that you can easily supply by defining parameters in a script file. When SysPrep uses the script file, it doesn't display dialog boxes for user input, which lets the mini setup wizard run uninterrupted. After the wizard completes, the system is ready to use.

Clone a few test machines before you roll out an entire group. You might find subtle system configuration errors that you need to correct. Be aware that SysPrep might change system security settings during its execution, so examine the security settings carefully after the system boots for the first time and before you use the clones in a secured production environment: confirm that each clone has a machine SID of its own, that the administrator password was set, and that file and registry permissions still resolve to the accounts you intended rather than to the source PC's old SIDs.
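As an added example of that post-clone check (not code from the article or from SysPrep), here is a Python audit run over a constructed inventory of hostnames, machine SIDs and ACE SIDs; how you collect those values from each clone is up to your tools. It flags clones that still carry the source image's machine SID (the mini setup wizard never ran), clones that share a machine SID with one another, and ACEs that still name the source SID prefix after the rewrite.

```python
import re
from collections import defaultdict

# Added example, not from the article or from SysPrep.
# Machine prefix of a machine-relative SID (S-1-5-21-A-B-C, with or without a
# trailing RID); well-known SIDs such as S-1-5-32-544 have none.
MACHINE_PREFIX_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)(?:-\d+)?$")

# Constructed machine SID of the source PC whose image was cloned.
SOURCE_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Constructed post-clone inventory: host, the clone's machine SID, and one
# ACE SID of interest per line.
INVENTORY = """\
# host  machine_sid                                    ace_sid
WS01  S-1-5-21-4444444444-5555555555-6666666666  S-1-5-21-4444444444-5555555555-6666666666-1000
WS01  S-1-5-21-4444444444-5555555555-6666666666  S-1-5-32-544
WS02  S-1-5-21-7777777777-8888888888-9999999999  S-1-5-21-1111111111-2222222222-3333333333-1000
WS03  S-1-5-21-1111111111-2222222222-3333333333  S-1-5-21-1111111111-2222222222-3333333333-1000
WS04  S-1-5-21-1111111111-2222222222-3333333333  S-1-5-32-544
"""


def machine_prefix(sid):
    """Machine SID part of a SID, or None for well-known SIDs."""
    m = MACHINE_PREFIX_RE.match(sid)
    return m.group(1) if m else None


def audit_clones(inventory, source_sid):
    """Return {host: [findings]} for every host with a problem:
      'source SID still present'      the clone kept the image's machine SID,
                                      so SysPrep's mini setup wizard never ran
      'duplicate machine SID with X'  two clones share a machine SID
      'stale ACE <sid>'               an ACE still names the source SID prefix;
                                      it resolves to nothing on this clone, or to
                                      the wrong user on any clone that kept the
                                      old SID"""
    findings = defaultdict(list)
    hosts_by_sid = defaultdict(set)
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, machine_sid, ace_sid = line.split()
        hosts_by_sid[machine_sid].add(host)
        if machine_sid == source_sid and "source SID still present" not in findings[host]:
            findings[host].append("source SID still present")
        # An ACE with the source prefix is only stale on a clone that was
        # actually re-prefixed; on an un-SysPrep'd clone it is its own account.
        if machine_prefix(ace_sid) == source_sid and machine_sid != source_sid:
            findings[host].append("stale ACE " + ace_sid)
    for hosts in hosts_by_sid.values():
        if len(hosts) > 1:
            for host in hosts:
                others = ", ".join(sorted(hosts - {host}))
                findings[host].append("duplicate machine SID with " + others)
    return {host: problems for host, problems in sorted(findings.items()) if problems}


if __name__ == "__main__":
    for host, problems in audit_clones(INVENTORY, SOURCE_SID).items():
        print(host, "->", "; ".join(problems))
```

In the constructed inventory WS01 is clean, WS02 was re-prefixed but kept an ACE for the source PC's RID-1000 account, and WS03 and WS04 still carry the source SID and therefore also duplicate each other; those last two are exactly the clones on which a permission set for one user would be honored for another.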

About Time?
It's about time Microsoft offered official support for cloned systems. SysPrep is an effective SID generator and I'm happy to know it will be available for Win2K. But I have two things on my wish list for SysPrep. I hope to see a future version that lets third-party vendors hook into the mini setup wizard to simplify cloning unique service accounts. I also hope Microsoft loosens the licensing requirements for this timesaving tool. Then, SysPrep can help smaller shops keep down their total cost of ownership (TCO).

Windows NT Magazine
Copyright Duke Communications Intl, Inc. All rights reserved.