Using Systems Management Server to Deploy Windows 2000
To upgrade user computers to run Windows 2000 Professional by using SMS, you must first create a Windows 2000 Professional package. You prepare and use this package in much the same way as the Windows 2000 Server package. Begin by following the procedure to create a Windows 2000 Server package, but be sure to specify that this is a Windows 2000 Professional package. Because there are special issues for Windows 95 and Windows 98 upgrades to Windows 2000, you must create a new program as outlined in the following section.
Note
Make sure to also create a separate package when you use SMS to distribute Windows 2000 Advanced Server. Although many files and setup details in this program are the same as those in Windows 2000 Server, there are enough differences to require each version to have its own package. You can use the basic Windows 2000 Server package definition as a starting point when creating packages to distribute other Windows 2000 Server versions.
In addition to the differences in the source files, a significant difference between the Windows 2000 Server and Windows 2000 Professional upgrades is in the answer file used when upgrading Windows 95 or Windows 98 clients to Windows 2000 Professional. Computers running Windows 95 or Windows 98 have not been members of a domain (even if their users have been logging on to a domain), and have not had local accounts (although they have had local profiles and password list files). Therefore, the relevant details must be specified in the answer file, as in the following example (you must change the JoinDomain, DomainAdmin, and DomainAdminPassword values):
[Unattended]
FileSystem = LeaveAlone
UnattendMode=FullUnattended
Win9xUpgrade=Yes
[Networking]
InstallDefaultComponents = Yes
[GUIUnattended]
AdminPassword=Testing123
[Identification]
JoinDomain = RED1
DomainAdmin = AddComputers
DomainAdminPassword = Restricted
A computer that is upgraded from Windows 95 or Windows 98 to Windows 2000 is given a local Administrator account. This account requires a password; you can specify that password in the GUIUnattended section of the answer file or let the user be prompted for it at the end of the upgrade. A password stored in the answer file can be read by anyone who can access the SMS package share, which commonly means most users. This is not an immediate security risk because the Windows 95 and Windows 98 computers were not secure before the upgrade, due to the nonsecure nature of those operating systems.
You might want to set the administrator password to a secure value and begin enforcing limited administrative privileges. You can do this after the upgrade by running a program that sets the password to a value shared only with authorized staff. The password is compiled within the program and is not available to unauthorized staff. You can easily create such programs by using common programming languages or scripting tools, such as SMS Installer. The program can be distributed with SMS, or it can be invoked at the end of the Windows 2000 upgrade by specifying appropriate values in the answer file.
Although computers that run Windows 95 and Windows 98 are not members of domains, computers that run Windows 2000 must be. Therefore, you need to include the JoinDomain line in the answer file to indicate which domain the computer needs to join, along with an administrative account and password with the right to join computers to that domain.
Caution
Answer files can be read by unauthorized staff, so you need to consider security issues when you create them. However, it is unlikely that people would access the files from an SMS distribution point, because the distribution points are hidden and a person must know where to look for these details. An appropriate precaution, however, is to use an administrative account whose only right is Add workstations to domain. Another precaution is to add the computers upgraded in this manner to a dedicated resource domain. In that case the administrative account only needs to have rights in that domain, and therefore cannot cause problems in other domains in which you might have account domain controllers or other sensitive computers.
The answer file must also specify that you want to upgrade the computers that are running Windows 95 or Windows 98. Do this by including the following line in the answer file:
Win9xUpgrade=Yes
Without this line, Setup performs a clean installation of Windows 2000 rather than an upgrade.
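The following audit script is an added example, not part of the original documentation or of SMS. It checks an answer file for the points made in the Caution and in the Win9xUpgrade paragraph: cleartext passwords, the domain-join settings, and the upgrade line. The function names and finding codes are assumptions made for this example, and the sample input is the answer file shown earlier on this page.

```python
import configparser

# (section, key) pairs that hold cleartext secrets in the page's answer file.
SECRET_KEYS = [("guiunattended", "adminpassword"),
               ("identification", "domainadminpassword")]

# The answer file printed on this page, used as sample input.
PAGE_SAMPLE = """\
[Unattended]
FileSystem = LeaveAlone
UnattendMode=FullUnattended
Win9xUpgrade=Yes
[Networking]
InstallDefaultComponents = Yes
[GUIUnattended]
AdminPassword=Testing123
[Identification]
JoinDomain = RED1
DomainAdmin = AddComputers
DomainAdminPassword = Restricted
"""

def parse_answer_file(text):
    """Return {section: {key: value}} with names lower-cased for matching."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.read_string(text)
    return {s.lower(): {k.lower(): (v or "").strip().strip('"')
                        for k, v in cp[s].items()} for s in cp.sections()}

def audit_answer_file(text):
    """Return (code, detail) findings; secret values are never echoed."""
    cfg = parse_answer_file(text)
    findings = []
    for section, key in SECRET_KEYS:
        if cfg.get(section, {}).get(key):
            findings.append(("CLEARTEXT_SECRET", f"[{section}] {key}"))
    ident = cfg.get("identification", {})
    if not ident.get("joindomain"):
        findings.append(("NO_JOINDOMAIN", "[identification] joindomain"))
    elif not (ident.get("domainadmin") and ident.get("domainadminpassword")):
        findings.append(("JOIN_WITHOUT_ACCOUNT", "[identification] domainadmin"))
    if cfg.get("unattended", {}).get("win9xupgrade", "").lower() != "yes":
        findings.append(("NOT_AN_UPGRADE", "[unattended] win9xupgrade"))
    return findings

if __name__ == "__main__":
    for code, detail in audit_answer_file(PAGE_SAMPLE):
        print(code, detail)
```

A CLEARTEXT_SECRET finding on DomainAdminPassword is expected whenever the file joins a domain, so treat it as a prompt to confirm that the account has only the Add workstations to domain right.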
During the Windows 95 or Windows 98 upgrade to Windows 2000, the Windows 2000 Setup program eliminates programs that it suspects might be incompatible with Windows 2000. This occurs for some of the SMS 2.0 client components. Windows 2000 provides a facility, called migration DLLs, to ease the migration of such programs. For more information about migration DLLs, see the Microsoft Systems Management Server link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.
Upgrading from Windows NT Workstation to Windows 2000 is quite simple compared to upgrading from Windows 95 or Windows 98. This is because Windows NT Workstation has much more in common with Windows 2000 Professional. For this reason, you can upgrade the Windows NT Workstation without using an answer file, or you can upgrade using a minimal answer file.
It is important to set the Environment properties of the SMS program so that it runs with administrative rights, unless users will be logged on and have administrative rights when the package is initiated at client computers.