Remote OS Installation
With RIS, you can designate which RIS servers can accept and process requests and also designate which RIS servers will only service clients on the network
After you have successfully installed RIS and authorized it in Active Directory, configure your RIS settings. These settings are required to service clients on your network. From within the Active Directory Users and Computers snap-in, use the RIS Administrative Tools to do the following:
These settings allow clients to locally install Windows 2000 Professional from RIS servers. RIS does not provide a mechanism for replicating operating system images from one RIS server to another, such as from RIS server 2 to RIS server 3 in Figure 24.2. However, you can use third-party replication tools for operating system image replication. Make sure that the replication mechanism supports the file maintenance attributes, extended attributes, and security settings of the source images.
Group Policy applies to sites, domains, and organizational units. It is important that you understand the effects of Group Policy in your organization before setting specific policies for your users or computers. You can determine which choices the Client Installation Wizard displays to a particular user or user group by using the Group Policy snap-in. For more information about Group Policy, see "Group Policy" in this book.
To restrict the Client Installation Wizard options for users of RIS in your organization, set the desired Group Policy settings for the RIS servers on your network by using the following procedure.
To set RIS policy to restrict the installation options for a particular user or security group
For more information about the Client Installation Wizard, see "Using Client Installation Wizard to Install Clients" later in this chapter.
The computer naming policy that is used during operating system installation provides the computer with a unique name. The computer name identifies the client on the network, similar to the NetBIOS name used in Microsoft® Windows NT® version 4.0. If you have an existing computer naming policy, you can set this format prior to users turning on their computer and requesting an operating system installation.
You can determine the computer naming format and the Active Directory container in which client accounts are created. In a large organization where multiple RIS servers are available, it is beneficial to define a computer naming policy that you use to prestage clients and to define which RIS servers a client can access.
To define computer naming policy
The New Clients page of the Advanced Settings property sheet allows you to control the name that the client is assigned when a user selects the Automatic Setup option within the Client Installation Wizard and where the computer account object is created in Active Directory. The naming format defaults to the user name of the account entered in the Client Installation Wizard with an incremental number (#) appended. You can customize this format. Table 24.1 lists the RIS computer naming options.
Table 24.1 RIS Computer Naming Options
| Naming Options | Property |
|---|---|
| %first | User's first name |
| %last | User's last name |
| %Username (default) | User's logon name |
| %MAC | Media access control (MAC) address of the network adapter |
| %# | Incremental number |
| %nField | Number of characters to be used in the indicated field |
Note
You cannot use all Active Directory object attributes to create a naming format for use with the RIS automatic computer naming feature.
For example, if you create a name with the following format:
%5Username%3#
where Username is JoeUser, %nField is %5, and %# is %3#.
This yields the name: JoeUs123
For %5Username, RIS uses the first five characters of "JoeUser", which yields the "JoeUs" part of the account name. The "123" is determined by scanning Active Directory for existing computer account objects. The %3# specifies a three-digit number; in this case RIS had to count up to 123 to find an unused number, hence "JoeUs123". By changing the digit in %3#, you can restrict or broaden the search from 0-9 to 0-999999999. It is best to keep your incremental number to as few digits as possible. The default is 2 if no width is given.
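As an added example (not from the Resource Kit), the following Python expands a RIS-style naming format against a user record and a constructed set of existing computer names. Two details are assumptions of this example rather than documented RIS behaviour: field names are matched case-insensitively, and the counter is zero-padded to its width.

```python
import re
from typing import Dict, Set

# One RIS naming macro: optional width digits, then a field name or '#'.
# Matching the field name case-insensitively is an assumption of this example.
_MACRO = re.compile(r"%(\d*)(first|last|username|mac|#)", re.IGNORECASE)


def expand_name(fmt: str, user: Dict[str, str], existing: Set[str],
                default_digits: int = 2) -> str:
    """Expand a RIS naming format such as '%5Username%3#'.

    user holds the 'first', 'last', 'username' and 'mac' fields; existing is
    the set of computer names already in the directory (what RIS learns by
    scanning Active Directory for computer account objects).
    """
    digits = None  # width of the %# counter, if the format uses one

    def sub(m: re.Match) -> str:
        nonlocal digits
        width, field = m.group(1), m.group(2).lower()
        if field == "#":
            digits = int(width) if width else default_digits
            return "\0"  # placeholder, resolved after the directory scan
        value = user[field]
        # %nField keeps only the first n characters of the field
        return value[:int(width)] if width else value

    template = _MACRO.sub(sub, fmt)
    if digits is None:
        return template  # no counter, nothing to make unique

    taken = {name.lower() for name in existing}  # computer names are case-insensitive
    # Lowest unused number of the requested width; zero padding is an assumption here.
    for n in range(10 ** digits):
        candidate = template.replace("\0", str(n).zfill(digits))
        if candidate.lower() not in taken:
            return candidate
    raise RuntimeError(f"no free name for {fmt!r} with a {digits}-digit counter")


# Constructed sample: JoeUs000 .. JoeUs122 already exist, so the scan stops at 123.
SAMPLE_USER = {"first": "Joe", "last": "User", "username": "JoeUser",
               "mac": "00AA0057B223"}
SAMPLE_EXISTING = {f"JoeUs{n:03d}" for n in range(123)}

if __name__ == "__main__":
    print(expand_name("%5Username%3#", SAMPLE_USER, SAMPLE_EXISTING))  # JoeUs123
```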
Using the New Client page, you can also control the organizational unit in which the computer account objects are created. The default is the default account creation location as set in Active Directory. The following are your options:
Default directory service location: This creates the computer account object for the client in the Active Directory location where all computer accounts are created by default during the domain join operation. The default Active Directory location is the Computers container. The client becomes a member of the same domain as the RIS server installing the client.
Same location as the user setting up the computer: This creates the computer account object in the same Active Directory container as the user who is setting up the computer. For example, if you log on in the Client Installation Wizard and your user account currently resides in the Users container, the client computer account object is created in the Users container in Active Directory.
A specific directory service location: This creates the computer account object in a specific Active Directory container that you predetermine. It is assumed that most administrators will select this option to specify a container for all remote installation client computer account objects.
The RIS settings on the Properties page control how the RIS server responds to remote boot–enabled clients requesting service. You can set the RIS server to Respond to client computers requesting service or to respond only to known clients. When the RIS server is set to Do not respond to unknown client computers, it responds only to clients with a prestaged computer account object in Active Directory. This setting allows you to limit access to authorized clients that are prestaged in Active Directory, thereby increasing the security of your network. The Do not respond to unknown client computers setting also provides support for multiple third-party remote boot or installation servers on one physical network. For example, if your company already uses another vendor's remote boot or installation server, you cannot control which vendor's server answers the client's request. By setting the Do not respond to unknown client computers option in conjunction with prestaging clients, you make sure that only those prestaged clients are serviced by authorized RIS servers.
Note
If a user sets up the client, the user needs to have the appropriate rights to create the computer account in the domain or organizational unit chosen. For more information about granting computer account creation permissions to users, see Windows 2000 Server Help.
You can also use the computer's GUID for prestaging clients and making sure that each computer is uniquely identified. This unique ID is stored with the computer account object that is created when prestaging the client. In most cases you can find the GUID for clients that are PC98 or Net PC–compliant in the system BIOS of the computer or on the outside of the computer case.
Valid characters for the client GUID are restricted to the hexadecimal characters 0-9 and A-F (uppercase or lowercase). You can enter the GUID in either "pretty print" or "raw byte order" format. However, combining the two formats causes RIS not to recognize the client.
Pretty print format is as follows:
{dddddddd-dddd-dddd-dddd-dddddddddddd}
where d is a hexadecimal character. For example, {921FB974-ED42-11BE-BACD-00AA0057B223}. The dashes are optional and spaces are ignored.
You can also enter GUIDs in raw byte order, such as the byte order you get from a packet sniffer. In this case, do not include the curly brace and enter only the hexadecimal characters. The following GUIDs have exactly the same value:
{12345678-1234-1234-1234-1234567890AB}
785634123412341212341234567890AB
Notice that the first three parts of the pretty print GUID are in a different byte order than the raw byte format. This is how the computer stores the information internally and how it is sent on the network.
If you are having trouble with a prestaged client not being answered by a RIS server, make sure the GUID entered is either in pretty print format or raw byte order.
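An added example, not from the Resource Kit: Python helpers that convert between the two GUID formats and check whether the GUID entered for a prestaged client matches the raw bytes captured from its boot request. The standard library's uuid.UUID.bytes_le produces exactly the byte order described above; treating a value with braces or dashes as pretty print and a bare string as raw byte order is this example's assumption.

```python
import re
import uuid

_HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")


def clean_guid(text: str) -> str:
    """Drop the braces, dashes and spaces RIS ignores and require exactly
    32 hexadecimal characters, the only characters RIS accepts."""
    s = re.sub(r"[{}\-\s]", "", text)
    if not _HEX32.match(s):
        raise ValueError(f"GUID needs 32 hex characters, got {len(s)} in {text!r}")
    return s.upper()


def pretty_to_raw(pretty: str) -> str:
    """Pretty print -> raw byte order. bytes_le reverses the first three
    fields (4, 2 and 2 bytes) and leaves the last two as written, which is
    how the GUID is stored internally and sent on the network."""
    return uuid.UUID(hex=clean_guid(pretty)).bytes_le.hex().upper()


def raw_to_pretty(raw: str) -> str:
    """Raw byte order -> pretty print with braces and dashes."""
    return "{" + str(uuid.UUID(bytes_le=bytes.fromhex(clean_guid(raw)))).upper() + "}"


def same_client(prestaged: str, sniffed_raw: str) -> bool:
    """Troubleshooting check: does the GUID entered for a prestaged client
    match the raw bytes captured from its boot request? A value with braces
    or dashes is read as pretty print, a bare string as raw byte order, so a
    mixed entry (raw bytes typed with braces and dashes) does not match."""
    if "{" in prestaged or "-" in prestaged:
        return pretty_to_raw(prestaged) == clean_guid(sniffed_raw)
    return clean_guid(prestaged) == clean_guid(sniffed_raw)


if __name__ == "__main__":
    print(pretty_to_raw("{12345678-1234-1234-1234-1234567890AB}"))
    # 785634123412341212341234567890AB
```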
Clients can also be granted permission to create their own computer account (non-prestaged) and install an image. This allows users to turn on their system, connect to the RIS server, log on with their domain account, and install an operating system image without assistance. To do this, the user needs the following permissions on the organizational unit that you have specified to hold the newly created computer account:
Users can also install an operating system image on their prestaged client if they have been granted the ability to read and write all properties on the specific computer object (not the container) that was created when the client was prestaged. The user also requires the rights to reset and change the password on the computer object. (An administrator might need to reset the user account.)