March 23, 2000 08:37 AM

Remotely Deploy Windows 2000

Windows IT Pro
InstantDoc ID #8433

Pre-staging and Assigning Permissions
Two final steps are necessary before you use RIS to build a client PC. First, you must give users the appropriate permissions within AD to modify their computer account. By default, only members of the Domain Admins group can add a computer to AD. Instead of making all users members of this group, you can give them limited rights to modify the computer account. However, this setup requires you to pre-stage users' systems in AD and give the users permissions to modify their computers' accounts.

Pre-staging client systems is a quick process. Open the AD Users and Computers console, navigate to your domain, and choose the container in which your computer accounts reside. (By default, Win2K puts computer accounts into the Computers container.) First, add a new computer account by right-clicking the container, clicking New, Computer, and adding the computer account. Next, go into the account's Properties by right-clicking the account and selecting Properties, and select the This is a managed computer option. In the text box below this option, input the computer's universally unique identifier (UUID), which is a unique 128-bit value. According to Microsoft, this number should be on the computer's case. If you can't find the UUID on the case, Microsoft suggests looking in the BIOS. If all else fails, Microsoft recommends using Network Monitor or another packet sniffer to uncover your computer's UUID in client/server communications.
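
When you fall back to a packet capture, the UUID travels in the client's DHCP request. The following added example (not code from the article or from Microsoft) extracts it from one captured DHCP payload in PowerShell. It assumes the PXE client sends the UUID in DHCP option 97 as defined in RFC 4578, which the article does not specify; the function name and the sample packet are constructed for illustration.

```powershell
# Added example: pull the PXE client UUID (DHCP option 97, RFC 4578) out of
# one captured DHCP payload so it can be entered in the pre-staged account.
function Get-PxeClientUuid {
    param([byte[]]$Dhcp)   # UDP payload of a DHCPDISCOVER or DHCPREQUEST

    # Fixed BOOTP header is 236 bytes, then the magic cookie 63 82 53 63.
    if ($Dhcp.Length -lt 240) { throw 'Too short for a DHCP message' }
    $cookie = ($Dhcp[236..239] | ForEach-Object { $_.ToString('X2') }) -join ''
    if ($cookie -ne '63825363') { throw 'DHCP magic cookie not found' }

    $i = 240
    while ($i -lt $Dhcp.Length) {
        $code = $Dhcp[$i]
        if ($code -eq 255) { break }            # End option
        if ($code -eq 0)   { $i++; continue }   # Pad option carries no length
        if ($i + 1 -ge $Dhcp.Length) { throw 'Truncated option header' }
        $len = $Dhcp[$i + 1]
        if ($i + 2 + $len -gt $Dhcp.Length) { throw 'Truncated option body' }

        # Option 97 = one type byte (0 means UUID) followed by 16 UUID bytes.
        if ($code -eq 97 -and $len -eq 17 -and $Dhcp[$i + 2] -eq 0) {
            [byte[]]$raw = $Dhcp[($i + 3)..($i + 18)]
            return [pscustomobject]@{
                # Bytes exactly as they appear in the capture.
                WireHex = ($raw | ForEach-Object { $_.ToString('X2') }) -join ''
                # .NET reads the first three fields as little-endian.
                Guid    = (New-Object System.Guid (,$raw)).ToString('B').ToUpper()
            }
        }
        $i += 2 + $len
    }
    return $null   # no option 97: the client sent no machine identifier
}

# Constructed sample: empty BOOTP header, cookie, option 53 (DISCOVER),
# option 97 with a made-up UUID, End option.
[byte[]]$uuid = 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,
                0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF
[byte[]]$sample = (New-Object byte[] 236) + 0x63,0x82,0x53,0x63 +
                  53,1,1 + 97,17,0 + $uuid + 255
Get-PxeClientUuid -Dhcp $sample
```

The two output forms differ only in the byte order of the first three fields; check them against the value on the case or in the BIOS before entering one.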

After you create the computer account, you must give users permission to modify the account when they run the Client Installation Wizard. To give users permission, go into the new account's Security properties by right-clicking the account, selecting Properties, and selecting Security. Next, add the user (or a group that contains the user), and give the user Read, Write, Change Password, and Reset Password permissions. After you complete this process, you're ready to run the Client Installation Wizard.

The Client Installation Wizard
After the client PC boots from the network, the Client Installation Wizard starts. This wizard is responsible for authenticating the user in AD, presenting the available OS images, and starting the installation process. After the user selects the image to install, the wizard will start the installation process. A basic Win2K Pro build takes between 15 and 30 minutes to complete, depending on your network connection.

To simplify the setup process, you can customize the screens that the wizard displays. The most useful screen to modify is the welcome screen, welcome.osc, which the wizard displays when it starts. Welcome.osc is a text file in a format similar to HTML. If you replace the default text with new text, the file will work fine. Welcome.osc is in \\riserver\rishare\OSChooser, where riserver is the name of your RIS server and rishare is the name of the RIS folder share on the server.

This process uses basic RIS features to install Win2K Pro. But RIS offers many advanced features that can also simplify remote OS installation.

Creating New Custom OS Images
After you have experience using RIS to build a Win2K Pro machine, you can begin making custom OS images. The riprep.exe utility takes a snapshot of a customized Win2K Pro installation and copies that image to the RIS server so that you can install the custom OS image to client computers.

To run riprep.exe, you must first use a RIS CD-ROM-based image to build a computer. You can also run riprep.exe after you install Win2K Pro from the CD-ROM, although Microsoft doesn't recommend this method. After you install Win2K Pro, customize the image by installing your business applications and configuring the system to run in your environment. After you complete this setup and configuration, run riprep.exe from \\riserver\rishare\Admin\riprep.exe, where riserver is the name of your RIS server and rishare is the name of the RIS folder share on the server. Then specify the server on which you want to store the new image. By default, Win2K stores riprep.exe on the RIS server on which you're running the utility, but you can specify any RIS server on your network. Next, specify the folder name that will hold the RIS files. Riprep.exe also asks you to input a friendly display name and descriptive Help text for the new image. Finally, riprep.exe asks you to verify the information that you provided. If everything looks correct, choose Next to begin the copy process. After this process completes, the new image will be available for users to install.

To reduce the number of redundant files stored on the server, Microsoft uses a technology called Server Intelligent Storage (SIS). This feature checks the RIS directory tree for duplicate files. When SIS finds a duplicate, it copies the duplicate file to the SIS store and leaves a pointer in place of the file.

Restricting Users
You can use the images that riprep.exe creates on systems with different hardware, but the hardware abstraction layer (HAL) must be the same. For example, you can't use Advanced Configuration and Power Interface (ACPI) to install a desktop image on a laptop. Therefore, restricting desktop users' access to images makes sense. To restrict users' access, you can set ACLs for the unattended setup installation file (i.e., .sif) that riprep.exe created. A riprep.exe image usually has only one .sif file, whereas a CD-ROM-based OS image might have multiple .sif files. By default, the .sif files assign everyone permissions. If you remove the Everyone group and explicitly give permission to an individual user or group, you can control what image choices the Client Installation Wizard presents. This restriction is one of the reasons that clients must log on to continue with the wizard.
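
One way to confirm that the restriction is in place, as an added example (not code from the article or from Microsoft): a PowerShell audit that lists every .sif file under the RIS share that Everyone or another broad built-in group can still read. The share path reuses the article's riserver and rishare placeholders, and checking Authenticated Users and BUILTIN\Users as well as Everyone is an assumption that goes beyond the article. PowerShell postdates Win2K, so run it from a current administrative workstation.

```powershell
# Added example: report .sif answer files that broad groups can still read.
# $ImageRoot uses the article's placeholder names; replace them with your own.
$ImageRoot = '\\riserver\rishare'

# Well-known SIDs, so the check does not depend on the OS display language.
# Everyone is the group the article names; the other two are an assumption.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$readMask = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Get-SifExposure {
    param([string]$Root)

    Get-ChildItem -Path $Root -Recurse -Filter '*.sif' -File | ForEach-Object {
        $file = $_
        $acl  = Get-Acl -LiteralPath $file.FullName
        # Request SIDs instead of names: explicit and inherited entries alike.
        $rules = $acl.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -eq 'Allow' -and
                $broadSids.ContainsKey($sid) -and
                (([int]$rule.FileSystemRights -band $readMask) -ne 0)) {
                [pscustomobject]@{
                    File      = $file.FullName
                    Principal = $broadSids[$sid]
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited   # true: fix the parent folder
                }
            }
        }
    }
}

# An empty result means no .sif file under the root is readable by these groups.
Get-SifExposure -Root $ImageRoot | Format-Table -AutoSize -Wrap
```

An entry marked Inherited comes from a parent folder's ACL, so removing the group on the .sif file alone will not clear it.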

Another reason for authentication is to determine what installation options the user has. The wizard offers four options:

  • Automatic Setup—This option uses the computer naming conventions and computer account location that you specified in the RIS server configuration and jumps directly to the list of OS image choices. If you've authorized the user to see only one OS choice, the wizard won't display the menu of OS image choices. Instead, the user will log on, and the wizard will ask the user only to confirm that the OS image RIS is installing is the correct one.
  • Custom Setup—This option lets the user define the computer name and account location before the wizard presents the OS image options. Then the wizard displays the OS image choices in the same manner as in the Automatic Setup option.
  • Restart a previous setup attempt—This option lets users restart a failed installation. The wizard won't prompt the user for computer names or locations.
  • Maintenance and Troubleshooting—This option displays a list of installed tools that users can use in the preboot environment.

To control the display of these choices, you can set a group policy for the RIS Choice Options. To modify RIS settings in the default domain policy, open AD, right-click your domain, select Properties, and select the Group Policy tab. The tab will display a group policy called Default Domain Policy. Highlight this policy, and click Edit. The left pane of the resulting window will display a Windows Settings folder. In this folder, select Remote Installation Services and double-click Choice Options. This action opens the RIS Choice Options screen.

For each option, you can specify to allow or deny a policy or specify that you don't care about a policy. If you set an option to Allow, the Client Installation Wizard will display it. If you set an option to Deny, the wizard won't display that option. And if you set an option to Don't Care, the wizard uses the group policy from the parent container to determine which options to display.

In my environment, I left the default domain group policy set to Don't Care. For my RIS clients, I created a second Group Policy Object (GPO), set the Apply Group Policy permissions for the security group that contains the clients, and set the Deny flag on every option except Automatic Setup. When clients in my environment log on to the Client Installation Wizard, they see only the Automatic Setup option, and the wizard continues straight to the OS image menu.

Is RIS Right for Your Environment?
Why would you want to use RIS in your infrastructure? From the initial build of a Win2K workstation to disaster recovery after a user deletes a crucial file, RIS can install Win2K Pro in a fast and efficient manner. When you combine RIS with Win2K's other Change and Configuration Management (CCM) components, such as IntelliMirror and the Windows Installer Service (WIS), you have a powerful solution for simplifying desktop management.

However, RIS has some drawbacks. First, RIS lets you install only Win2K Pro. Microsoft has announced that the company will add support for other OSs in the future. Other remote OS installation products (e.g., ON Technology's ON Command CCM) use PXE technology to install most Windows OSs, as well as provide preboot troubleshooting. Another limitation of RIS is its inability to handle multiple partitions. Disk imaging products have matured substantially in the past few years, and competing products have been able to work with multiple partitions for a while. Despite these shortcomings, RIS is still a good tool for deploying Microsoft's newest OS.

Comments
  • Felipe Ferreira
    Jun 28, 2001

    Very good article,
    but you should advise about
    the ACPI, non-ACPI (HAL).
    I am having major problems with that.
    Also talking about the readiness analyzer would be good.
    But the concepts about PXE are great!!
