Securing Client Image Selections
RIS provides several security features that let you control which users have access to which RIS servers in your network and which images on each server. For example, as I discussed in "Understanding Remote Installation Services," RIS lets you configure whether a RIS server will serve images to clients that haven't been authorized against AD. (By default, clients must authenticate during the Client Installation Wizard's setup process.)
Another security measure you can configure relates to RIS answer files (i.e., ristndrd.sif) that Win2K creates and uses by default for all non-RIPrep RIS images. You can set ACLs on individual answer files within each image folder. These settings will determine whether a user operating from the Client Installation Wizard will be able to use a particular image. To secure images in this manner, set the ACLs on each answer file by right-clicking the file, selecting Properties, and editing the file's ACL. Remove the Everyone group access control entry (ACE), and add Read permissions for each group or user that can access the image. You can find the answer files associated with each image in the \i386\templates subfolder of each image folder. You can access these folders from the RIS server or over the network through a Uniform Naming Convention (UNC) pathname that points to the RemInst share on the RIS server.
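An added example (not from the original article): a PowerShell audit that finds answer files in `\i386\templates` folders that still carry an Allow entry for Everyone, and lists who can read each file. It assumes a management host with PowerShell and read access to the share; `\\RIS01\RemInst` is a placeholder path and `Get-AnswerFileAclReport` is a hypothetical helper name.

```powershell
# Added example: audit answer-file ACLs under a RIS server's RemInst share.
param(
    # Placeholder UNC path (assumption); replace RIS01 with your RIS server.
    [string]$RemInstRoot = '\\RIS01\RemInst'
)

$EveryoneSid = 'S-1-1-0'   # well-known SID for Everyone, independent of OS language
$SidType     = [System.Security.Principal.SecurityIdentifier]
$ReadData    = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Get-AnswerFileAclReport {
    param([Parameter(Mandatory)][string]$Root)

    # Answer files live in the \i386\templates subfolder of each image folder.
    Get-ChildItem -Path $Root -Recurse -Filter '*.sif' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.DirectoryName -match '\\i386\\templates$' } |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName

            # Compare by SID so a renamed or localized "Everyone" is still caught.
            # Inherited entries are included: an ACE inherited from the image
            # folder exposes the image just as an explicit one does.
            $everyoneRules = @($acl.GetAccessRules($true, $true, $SidType) |
                Where-Object {
                    $_.IdentityReference.Value -eq $EveryoneSid -and
                    $_.AccessControlType -eq 'Allow'
                })

            # Principals with an Allow entry that includes read access.
            $readers = @($acl.Access |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    ([int]$_.FileSystemRights -band $ReadData)
                } |
                ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique)

            [pscustomobject]@{
                AnswerFile        = $_.FullName
                EveryoneAllowed   = ($everyoneRules.Count -gt 0)
                EveryoneInherited = [bool]($everyoneRules | Where-Object IsInherited)
                Readers           = $readers -join '; '
            }
        }
}

# Files still open to Everyone sort to the top of the report.
Get-AnswerFileAclReport -Root $RemInstRoot |
    Sort-Object EveryoneAllowed -Descending |
    Format-Table -AutoSize -Wrap
```

When `EveryoneInherited` is true, removing the entry on the file alone is not enough; inheritance from the parent folder has to be broken or the parent entry removed.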
Tricking RIS into Deploying Servers
One of the most frustrating and limiting aspects of Win2K's RIS technology is that it supports only the deployment of Win2K Professional images. Although Microsoft originally promised to support deployment of Win2K Server products, the company reneged on this promise. This lack of support is unfortunate because many network administrators want to use RIS to deploy servers.
However, you can easily trick RIS into imaging and deploying Win2K Server, Win2K Advanced Server, and Win2K Datacenter Server to remote systems. To fool RIS into deploying a Win2K Server machine (or another server-family product), copy the \i386 folder of the product's installation CD-ROM to a hard disk. (At this point, a good practice is to perform an integrated installation of the most recent Win2K service pack to the distribution folder. For the technique to perform this installation, see "Understanding Remote Installation Services.") Next, edit the txtsetup.sif file, which is in the \i386 folder in the hard disk copy of the installation files. To edit the file, use a text editor, and search for the keyword ProductType, which will bring you to a line that reads
ProductType = x
as Figure 5 shows. Change the value to 0; this value tells the OS that this installation is Win2K Pro. Next, create a new RIS image based on this customized hard disk-based distribution folder. After you name the new image folder and give it a descriptive name, edit the txtsetup.sif file in your hard disk-based distribution folder and change the ProductType value back to the original value. At this point, your new server image is ready for your RIS clients.
Microsoft hasn't documented this trick very well (the company mentions it only once in the article "How to Create a Remote Installation Share for Windows 2000 Server" at http://support.microsoft.com/support/kb/articles/q214/7/94.asp), and the company doesn't officially support this procedure. Therefore, don't expect Microsoft Product Support Services (PSS) to help with Win2K Server machines that you create using this method.
Room for Improvement
RIS doesn't sport the most sophisticated set of management tools; it doesn't even provide its own MMC snap-in. In addition, although RIS's deployment and customization features are fairly robust, the online manuals that accompany Win2K Server don't document these features' capabilities well. Therefore, how to take advantage of what RIS has to offer isn't always clear. However, using the techniques in this article, you can improve RIS's usefulness in your network.