At this point we’ve already installed and properly configured Windows Deployment Server on Windows 2003/Windows 2008 (Part I), and we created a full image (programs and features installed) on our Windows Vista installation and uploaded it to the server (Part II). The only thing missing is creating the answer files that will be used with the images to achieve a fully unattended installation of our operating system. For those using Windows Server 2003 SP1, we saw that installing the Windows Automated Installation Kit was among the requirements for the WDS installation. This kit also gives us an important tool for creating the unattended files: the Windows System Image Manager. So, on any other platform used for WDS, it’s recommended to download this kit and install the System Image Manager. This tool is not a requirement for creating the unattended files.

Installing WAIK

Preparing the Files Using System Image Manager

System Image Manager lets us use the .wim (or .clg) file of an installation to select the components that are necessary within the answer files. This way we can be sure that the answer options selected are used in the right place at the right time:

Open System Image Manager from the Start Menu.
Click on File and click on Select Windows Image.
Select the .wim file that we previously created or just use the file from the installation media (install.wim). You can also select the catalog files (.clg): these are the […]
I was very excited when I started to play around with the first beta versions of Windows Server 2008 and experiment with the latest security improvements. At first, I wanted to start with one of the more basic and important things on this new server: Active Directory. Several security improvements related to Active Directory were made: Read-Only DCs, more group policies, auditing enhancements, etc. After installing a small lab to check all these features, I finally arrived at another important Active Directory matter: backing up and restoring data from a Domain Controller. I was pretty disappointed at first when I realized that there was no easy way to back up a system state from a Domain Controller. I was even more disappointed when I couldn’t find a way to schedule a system state backup! Well, in this post I want to review a simple way to schedule a system state backup on a Domain Controller and maintain those backups by removing the old ones from the backup catalog.

Requirements

a. A secondary hard drive on the domain controller. It cannot be a network drive. The only possible storage location for backing up your server is a secondary hard drive that can only be attached locally.

b. Having the Windows Server Backup feature installed. The first thing that you must know to start backing up data from Windows Server 2008 is that the backup tool is […]
Ok then, after completing the first configurations made in Part I of this guide, we can perform a clean but attended network installation of Windows Vista. There are two main steps to complete a full-image, unattended deployment:

1. Creating the base image to deploy (OS, programs and other special configurations) and uploading it to the WDS server.
2. Making an unattended file to be used with that image.

Creating the Base Image

Note: In this series of posts we are only considering deploying Windows Vista or Windows Server 2008 images. The files used as unattended files in WDS Native mode are only valid for those operating systems; if you want to make an unattended deployment of Windows XP or 2003, you will need to use RIS or WDS Legacy Mode.

The first step is pretty simple: it consists of installing the operating system with all the features, programs and configurations that you want. But there are some considerations first. After you complete the image, there’s a process where you release all the specific data tied to the computer where it’s installed, like the Security Identifier (SID), computer name, etc. Here are some of the things that the image won’t keep after the release process:

· Computer name
· Owner and Company name
· SID
· Domain or workgroup membership
· TCP/IP Settings
· Regional and keyboard settings
· Specific hardware drivers. This refers to specific computer hardware, like video or audio […]
I’ve prepared a complete guide to configuring a WDS Server on Windows Server 2008 or Windows Server 2003 to deploy complete operating system images; this is the first part. In this post I’ll be covering the WDS requirements, installation, first configurations and the images needed.

Introduction

Deploying operating systems is always a hard thing to do. Annoying, uncomfortable, but necessary for every environment. Why? Because every desktop computer in every organization has its own life cycle (even servers: a longer one, but a cycle all the same). Even if your organization doesn’t have many desktops, and even if those desktops don’t seem to need an image refresh for several months, the dynamics of today’s technology make your base operating systems change: updates available, service packs, a new version of your organization’s software, newer operating systems, etc. And don’t forget the consequences of any user’s intervention (overloading the hard drive, personal software installation, etc.), which always turn into a need for a fresh new installation. No need to keep enumerating things that normally happen; you probably know all of them.

Common Base Image Life Cycle

The bottom line is that a good, automated system to deploy your full operating system images will significantly (and I do mean significantly) improve your daily tasks: it turns the awkward job of following the installation steps for maybe 2 or 3 hours into 30 minutes of completely unattended provisioning. Here’s where Windows Deployment Services comes […]
Did you get the feeling that your WSUS was not downloading all the drivers that your clients needed? Well, let me tell you: if you have that feeling, you are probably right. WSUS does not automatically recognize or download all the drivers needed for all devices. Why is this happening? Because by default WSUS only receives and distributes drivers that are digitally signed by Microsoft (meaning that the driver was fully and properly tested by Microsoft). I’ve recently had several problems with machines that are part of my domain, like the newer IBM ThinkPad T60 and T61 models with Vista installations. Some of their drivers were missing and I had to use IBM’s official site to download them because WSUS did not recognize any updates on those machines. But you actually don’t have to worry: within a few steps you can configure your WSUS to import all the drivers that your clients require. The only thing that must be clear to you first is the model of each device whose driver you need to update (you can easily find all the details by accessing the manufacturer’s official site, like the IBM Lenovo downloads and support site). Here are the steps:

1 – Open your WSUS console, access “Action” and select “Import Updates”. The Microsoft Update Catalog site will appear.
2 – Insert the model of the device whose driver you need to update. For example: […]
Now that we have covered the first steps of the deployment in the previous WSUS posts (Part I and Part II), we are going to take a quick look at handling the tool itself. Once you get to know the WSUS interface, you’ll see that everything is pretty much intuitive. You have to know that when tools like WSUS are involved, the patching process that you defined (testing the updates, defining how and when you’ll apply those updates, the period of time involved, etc.) is the crucial factor in getting WSUS to work as you planned. In this case, the process is even more important than the technology.

Let’s take a final look at the group policies. We already mentioned that it’s a common best practice to implement different layers of GPOs, but which are the ones that you actually have to enable for each OU? This is an example of a GPO applied to an OU with all the testing computers. We decided that on those testing computers the updates will download and install automatically at a certain hour of the day. But what happens if a computer is not available at that time? Then you must use the option “Reschedule Automatic Updates scheduled installations”: when you enable it, you can set the updates to install on those computers at the moment they become available again (you actually have to set only the minutes that […]
Recently I found out that there was no way to implement different password policies on domains running on Windows Server 2003. It didn’t sound right to me: why can’t I keep different password complexity, for example, in different OUs for different users? You can actually link separate OUs to different policies with different values for the password options, but they’ll be ignored by the Default Domain Policy. It seems that there’s a way to accomplish this (not an easy way, but anyhow) when running domains with Windows Server 2008 and, of course, at the highest domain functional level. The tools involved: GPMC (included with Windows Server 2008) and ADSI Edit. Here’s the solution:

http://www.windowsecurity.com/articles/Configuring-Granular-Password-Settings-Windows-Server-2008-Part-1.html
http://www.windowsecurity.com/articles/Configuring-Granular-Password-Settings-Windows-Server-2008-Part2.html

Cheers!