Beruflich Dokumente
Kultur Dokumente
Guide
Microsoft Corporation
Published: March 2009
Author: Trina Gorman
Abstract
This document contains detailed information that explains how to configure
Windows Server® 2008 to deploy operating system images to computers.
Copyright information
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the companies, organizations, products, domain
names, e-mail addresses, logos, people, places, and events depicted in examples herein are
fictitious. No association with any real company, organization, product, domain name, e-mail
address, logo, person, place, or event is intended or should be inferred. Complying with all
applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Active Directory, Microsoft, Windows, Windows Server, and Windows Vista are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Copyright information......................................................................................................................2
Contents..........................................................................................................................................3
Configuring AD DS Integration......................................................................................................18
In This Topic...............................................................................................................................18
Supported Environments...........................................................................................................18
Configuring Static Domain Controllers and Global Catalog Servers..........................................19
Configuring DHCP........................................................................................................................24
In This Topic...............................................................................................................................24
Configuring DHCP Options........................................................................................................24
Enabling DHCP Authorization....................................................................................................24
Authorizing a Server..................................................................................................................25
Automating Setup.........................................................................................................................63
In This Topic...............................................................................................................................63
Creating Unattend Files.............................................................................................................63
Automating the User Interface Screens of the Windows Deployment Services Client...............64
Unattend File Settings............................................................................................................65
Automating the Remaining Setup Phases.................................................................................66
Creating Images............................................................................................................................89
In This Topic...............................................................................................................................89
Image Types..............................................................................................................................90
Boot Images..............................................................................................................................90
Creating Custom Boot Images...............................................................................................90
Versions of Windows PE........................................................................................................91
Discover Images........................................................................................................................91
Creating Custom Discover Images.........................................................................................92
Capture Images.........................................................................................................................93
Comparison of ImageX and Image Capture Wizard...............................................................93
Creating Custom Capture Images..........................................................................................94
Converting RIPREP Images......................................................................................................94
Default Conversion.................................................................................................................95
In-Place Conversion...............................................................................................................95
Filtering Images............................................................................................................................97
Automatic Filtering by Windows Deployment Services..............................................................97
Filtering Images Manually..........................................................................................................97
Servicing Images..........................................................................................................................98
In This Topic...............................................................................................................................98
Types of Servicing.....................................................................................................................98
Servicing an Image Offline.........................................................................................................98
Reducing the Size of Images.....................................................................................................99
Troubleshooting..........................................................................................................................166
Common Problems.....................................................................................................................173
Performing PXE Boots on Client Computers...........................................................................174
I am unable to perform PXE boots on client computers....................................................174
When I perform a PXE boot and select a boot image, I see a command prompt..............175
The client computer fails to get an IP address when I try to PXE boot..............................175
The client computer obtains an IP address but then fails to download a NBP...................176
I don't see the hard drive of the client computer on the disk configuration page of Setup.176
My computer loads the boot image, but it cannot access an install image........................176
I created an unattend file, but when installation completes, my client computer is not joined
to the domain.................................................................................................................176
Install images do not appear on the image selection page...............................................176
Troubleshooting x64-Based Client Computers........................................................................177
My x64-based client computer does not have any x64-based images on the boot image
selection page...............................................................................................................177
My x64-based client computer is detected as x64, but it fails to boot to the default image.
......................................................................................................................................177
Performing Management Operations.......................................................................................177
I can't approve a pending computer..................................................................................177
I approved a pending computer and then deleted the computer account that was created in
AD DS during the process. Now the server will not answer my client computer............177
I received the error: "0x2: File not found" when trying to manage a remote Windows
Deployment Services server..........................................................................................178
Creating Custom Install Images...............................................................................................178
When using Image Capture Wizard to create a custom image, the volume that contains my
image is not selectable..................................................................................................178
The finish button is not enabled on the final page of the image capture wizard................179
Multicasting..............................................................................................................................180
My multicast transmissions are running very slowly..........................................................180
After enabling multicasting, there is excessive traffic on the network................................180
Required Permissions.................................................................................................................186
In This Topic.............................................................................................................................186
General Permissions...............................................................................................................186
Permissions for Common Management Tasks.........................................................................187
Permissions for Client Installations..........................................................................................190
Permissions for Server Properties...........................................................................................192
Windows Deployment Services Deployment
Guide
This guide contains detailed information about how to manage and deploy operating systems by
using Microsoft® Windows® Deployment Services. To download the Windows Deployment
Services documentation (including a getting started guide, deployment guide, and WDSUTIL
command-line syntax), see http://go.microsoft.com/fwlink/?LinkId=89381. For information about
what is new in each version of Windows Deployment Services, see Windows Deployment
Services: What's New (http://go.microsoft.com/fwlink/?LinkId=140114).
In This Guide
• Configuring Your Deployment
• Optimizing Your Deployment
• Performing Unattended Installations
• Working with Images
• How to Perform Common Tasks
• Troubleshooting
Note the following information about this documentation:
• This guide applies only to the Windows Deployment Services server role for Windows
Server 2008. It does not apply to the Windows Deployment Services update (which is
included in the Windows AIK and Windows Server 2003 SP2). For more information about the
Windows Deployment Services update, see http://go.microsoft.com/fwlink/?LinkId=81031.
• This guide focuses primarily on the functionality of the complete installation of Windows
Deployment Services (Deployment Server role service). For information about configuring
and using the Transport Server role service, see Using Transport Server.
• For information about installing and configuring this role, see Windows Deployment
Services Getting Started Guide.
• To provide feedback on this documentation, e-mail wdsdoc@microsoft.com.
In This Topic
• Benefits of Windows Deployment Services
• Management Tools
• Common Usage Scenarios
12
• Reduces the complexity of deployments and the costs associated with inefficient manual
installation processes.
• Enables you to perform network-based installation of Windows operating systems,
including Windows Vista and Windows Server 2008.
• Deploys Windows images to computers without operating systems.
• Supports mixed environments that include Windows Vista, Windows Server 2008,
Microsoft Windows XP, and Microsoft Windows Server 2003.
• Provides an end-to-end solution for the deployment of Windows operating systems to
client computers and servers.
• Uses standard Windows Server 2008 setup technologies, including Windows PE, .wim
files, and image-based setup.
Management Tools
• Windows Deployment Services MMC snap-in. A console that provides an easy way to
manage images, computers, and common server settings. You can perform almost all tasks
from the MMC snap-in (you cannot prestage client computers, but you can use it to set the
Auto-Add policy and approve or reject pending computers). Note that the snap-in is not
available when you are using the Transport Server role service.
• WDSUTIL command-line tool. A tool that enables you to manage the full functionality of
the server. WDSUTIL also enables you to script common tasks; simple batch files can run the
required commands because no command requires an interactive user session.
13
computers). For almost three days, Monica was unavailable to work on anything else. Then she
would spend almost as much time installing the applications on each computer.
Monica is the only IT professional at Fabrikam, which means that she also must help teach users
about the new operating system. Therefore, it is important that she minimizes the amount of time
she spends on deployment. To accomplish this, Monica chooses to use Windows Deployment
Services because she can:
• Save time by running several installations simultaneously.
• Use a custom install image with preinstalled applications.
• Create an image by using the Windows Deployment Services Image Capture Wizard.
To begin, Monica does the following:
1. Upgrades her server to Windows Server 2008.
2. Installs the Windows Deployment Services server role.
3. Adds the Boot.wim from the Windows Server 2008 media (which contains a Windows PE
image, Setup.exe, and supporting files).
4. Adds the Install.wim from the Windows Vista media to the Windows Deployment Services
server by using the MMC snap-in.
5. Uses the MMC snap-in to create a capture image from the boot image she added in step
3. This image contains Windows PE and a wizard that will capture her custom image into a
.wim file.
All users at Fabrikam have the same desktop hardware, which was purchased from a single
vendor. To deploy on each of these computers a standardized image that contains the operating
system and preinstalled applications, Monica does the following:
1. Boots a reference computer from the network and installs the Install.wim onto it, which
contains the standard version of Windows Vista.
2. Installs Microsoft Office, the company's towel-design application, and the latest drivers
from the manufacturer’s site.
3. Uses Sysprep to generalize the operating system.
4. Reboots the computer into the capture image.
5. Uses the Image Capture Wizard to recapture the operating system and upload it directly
to the Windows Deployment Service server.
Now, Monica is ready to install the new operating systems. She does not need to migrate any
user data, because all of the employees store their user data on a server (rather than on their
hard disks). She reboots a client computer and then presses F12 to perform a network boot. This
boots her into the Boot.wim file, which guides her through the installation process. She selects
the disk partition and image she wants, and then the installation begins. While waiting for the
image to be applied to the first computer, Monica boots another computer and starts the same
process on that one.
14
Scenario Two: The Medium-Sized Business
Northwind Traders is a shipping firm with three offices: a central office in Tooth City, and branch
offices in the towns of Brushville and Flosston. Ron Gable is one of six IT staff members at
Northwind Traders. His responsibility is maintaining the 250 client computers used by the
company's employees. These are mostly desktop computers, but the sales force uses laptops for
customer presentations. There are 200 computers in the central office in Tooth City, and 25 each
in the Brushville and Flosston offices. Each site has an internal network running at 100 MB per
second (MBps), and the branch sites are connected to the Tooth City office by a T1 line. Ron has
three servers at the Tooth City office and one in each of the branch offices, which are
administered remotely.
Ron’s supervisor has tasked him with deploying Windows Vista to the whole company. Previously,
this would have involved many expensive trips to Brushville and Flosston, and it would have
taken Ron several weeks to complete. He wants to use Windows Deployment Services to deploy
Windows Vista remotely; however, company policy dictates that there can be only one DHCP
server on the corporate network, and this server is located at the Tooth City office. Remotely
deploying images to the 50 computers at the branch offices would cause immense congestion on
the connection.
Ron chooses to use Windows Deployment Services because with unattended setup, he can:
• Deploy Windows Vista to computers at the branch sites without being physically present
there.
• Use his existing replication solution to deliver images to the branch site servers.
• Use the PXE boot referral system to minimize network traffic between the branch sites
and the central office.
Ron configures the Windows Deployment Services server in the central office to pass on any
network boot requests from the branch offices to the local servers, which will supply the boot
programs and subsequent images. This minimizes the traffic on the line between the offices.
Ron has two standard operating system configurations — one for the desktop computers and one
for laptops that contains the sales presentations and drivers for projectors. Therefore, he builds
two images: one with the desktop configuration, and one with the laptop configuration (with no
applications). He stores all the user data on one of the servers, so he can deploy Windows Vista
without preserving any existing data on the client computers.
Ron uses Windows System Image Manager (Windows SIM) to author two image unattend files —
one for the desktop computers and one for the laptops. These files automate the installation, so
Ron does not need to be present at each computer during the installation. They also
automatically install Microsoft Office and the line-of-business application that the company uses
for package tracking. He uses the Windows Deployment Services management tools to associate
them with the images.
Next, Ron uses Active Directory® Domain Services (AD DS) to offer all computers a boot
program. The computer boots without requiring the users to press F12, and it assigns the correct
images to all of the desktops and laptops. He has configured each computer so when it is
restarted, it will boot from the network automatically and deploy the appropriate image. After the
image is applied to each computer, the computer is automatically joined to the corporate domain
15
and restarted. This time, it is served a different boot program that requires pressing F12 (so that it
boots to the hard disk drive and finishes the installation process). This prevents a boot loop, in
which the computer would continue booting into Setup. When the installation is completed, the
computer is ready for the user to log on.
16
To preserve the state and data on the previous computers, Shu uses the User State Migration
Tool (USMT) to save all of the data and user configurations to a shared folder on the primary
Windows Deployment Services server. Then he sets up each computer to boot from its local
Windows Deployment Services server and to start automated setup by using the unattend files.
The computers in the U.S. office will automatically join the multicast transmission, while the
computers in the other offices will deploy using unicasting. When the installation is completed,
Shu runs a task with USMT to migrate the user data to each computer.
When the lease on a server expires and the server is replaced, Shu can use Windows
Deployment Services to deploy his Windows Server 2008 image in the same way that he
performed the RIS deployment.
17
Configuring Your Deployment
• Configuring AD DS Integration
• Creating a Localized Setup Experience
• Configuring DHCP
• Managing Network Boot Programs
• Managing the Boot Menu
• Prestaging Client Computers
Configuring AD DS Integration
Windows Deployment Services uses Active Directory Domain Services (AD DS) for a variety of
reasons. AD DS is its data store, and it contains all of the necessary helper routines. You can
prestage a device in AD DS, which means to link a physical computer to a computer account
object. By doing this, you can configure properties on the computer account object to control the
installation. For example, you can configure the network boot program and the unattend file that
the client should receive, as well as the server from which the client should download the boot
files.You can also link physical booting computers to computer account objects in AD DS. For
more information, see Prestaging Client Computers.
In This Topic
• Supported Environments
• Configuring Static Domain Controllers and Global Catalog Servers
Supported Environments
Windows Deployment Services supports AD DS environments that contain
Windows Server 2000, Windows Server 2003, Windows Server 2008, or environments with any
combination of these three operating systems. You will not gain any more functionality or features
in Windows Deployment Services features by switching to a higher forest functional level.
Windows Deployment Services works well in both single-domain and multidomain environments.
Windows Deployment Services also works in multiforest environments, but in such cases the
following caveats apply:
• A trust relationship must be established between the forest that contains the Windows
Deployment Services server and other forests in that environment.
• The server must be configured to answer all client requests. The server cannot answer
only known clients in this configuration. This is because the AD DS search algorithm that is
used by Windows Deployment Services will only be able to locate prestaged computer
objects in the same AD DS forest as the Windows Deployment Services server. This also
18
means that all computer account objects that are created by Windows Deployment Services
will be created in the forest that contains the Windows Deployment Services server.
In This Topic
• Localizing the Boot Menu
• Localizing Setup
• Installing Language Packs
19
reengineering is a new firmware-independent data store that contains boot configuration data
(BCD), which influences the boot process. For more information about BCD, see
http://go.microsoft.com/fwlink/?LinkId=110353.
You can configure the BCD store to display localized text in the boot menu by using a
combination of BCD store settings and true-type fonts. However, note the following two
limitations:
• The language that is configured in the BCD store will apply to all clients of a
particular architectural type. There is no way to configure language settings at a more
detailed level or to enable users to select the correct language.
• Image names are displayed exactly as they appear in the metadata of the Windows
image (.wim) file. Therefore, if you want the image names to be localized, you must change
the names manually.
To customize the BCD store, see How to Modify the BCD Store Using Bcdedit.
Localizing Setup
You can configure Windows Deployment Services to support a localized installation experience to
the same extent that you can configure Windows Vista Setup. For example, you can change the
display language, the input settings, and the keyboard layout. To enable this functionality, you
must edit the boot image to include the necessary localized setup files. The keyboard layouts and
input device drivers are included in Microsoft Windows Preinstallation Environment (Windows PE)
by default (with the exception of Input Method Editor devices).
The language of the user interface of the Windows Deployment Services client is controlled by
the language settings that are specified on the language-neutral page of Setup (an optional page
that is not shown by default). The data that is displayed on this page is provided by the
multilingual user interface (MUI) application programming interface (API). The data is populated
based in the UI languages section of the Lang.ini file (in the boot image's \Sources folder).
Selecting a language on this page loads the proper resources so that all text will be displayed in
the selected language.
The keyboard layout selection menu is also derived from the chosen language. You can configure
both the language and keyboard layout options in the Windows Deployment Services client
unattend file. For more information, see Automating Setup. Some information shown on the
image selection page, such as image name and description, will not be shown in localized strings.
This is because the data displayed on this page is taken directly from the .wim metadata, which
can hold only a single string in a single language.
20
4. Copy the setup MUI resource files and their associated folder to the \Sources
directory of the mounted boot image. For example, to add the German setup resource
files to your English boot image, copy the \Sources\de-de directory and all of its contents
to your mounted boot image at C:\Mount\Sources. At the end of this process, you should
have two sets of setup resource files: English at \Sources\en-us, and German at
\Sources\de-de.
5. If you are enabling a language that requires Asian fonts, perform the following
additional steps. In all other scenarios, go to Step 6:
a. Install the Windows Automated Installation Kit (AIK) on either a reference
computer or the Windows Deployment Services server.
b. Use the Copype.cmd script to create a Windows PE distribution share.
c. At the root of the C:\ drive, create a folder named Temp.
d. In C:\Temp, create two subfolders: WindowsPE1 and WindowsPE2.
e. Mount (read/write) the boot image to C:\Temp\WindowsPE1.
f. Copy the Boot.wim image from the Windows Vista DVD to C:\Temp.
g. Mount (read only) the second image in Boot.wim into C:\Temp\WindowsPE2.
h. Copy the entire \Sources folder from the mounted image at
C:\Temp\WindowsPE2 into C:\Temp\WindowsPE1.
i. Unmount the image mounted to C:\Temp\WindowsPE1, and then commit the
changes.
j. Add the modified image to your Windows Deployment Services server.
6. To enable the language-neutral page, adjust the Lang.ini file in the mounted boot
image to specify that additional setup resource files are available. The following is a
sample Lang.ini file after editing:
Contents of C:\mount\Sources\lang.ini
[Available UI Languages]
en-US = 3
de-DE = 3
[Fallback Languages]
en-US = en-us
7. Using ImageX, unmount the image and then commit the changes.
8. Import the image. To do this, right-click the disabled boot image by using the MMC
snap-in, and then click Replace Image.
21
view the client installation screens in one language and keyboard combination. It also allows you
to install an image that will have a completely different language and keyboard combination.
Windows Vista is language neutral, meaning that core system binaries and UI elements that
contain strings (content that would need to be localized) are stored separately. The localized
elements are known as multilingual user interface (MUI) files. All of the language-specific binaries
for a given language are bundled together in a single package known as a language pack. For
more information, see Installing Language Interface Packs (http://go.microsoft.com/fwlink/?
LinkId=111017)
Note also that Windows Vista enables you to add or remove language packs to change
languages in a current image (although licensing restrictions may apply, depending on the version
of the operating system that you are using). You can do this either online or offline. With this
functionality, you can maintain a single image with associated language packs — something that
was not possible with previous Windows operating systems, in which you needed to maintain a
separate image for each language.
Methods
There are three language pack deployment models that work well in enterprise environments.
Method 1: Install the necessary language packs into the offline image.
In this method, you use Package Manager to inject language packs into your base image. For
more information, see Install a Language Pack to an Offline Image at
http://go.microsoft.com/fwlink/?LinkId=120685.
• Pros: Install times are faster than with the other two methods because the language pack
is already in the image.
• Cons: The image size increases. Also, many applications are locked into a single
language. Therefore, you may not be able to take full advantage of this scenario, because
even though you could change the underlying operating system language, the languages in
the applications would not change to match the operating system language.
Method 2: Store language packs outside the image, and during installation, have Setup
install both the image and the language pack.
You can implement this method by using Windows Deployment Services. A control on the image
selection page enables you to select the language packs that are installed in the image and those
that reside outside the image (but are still associated with the image). Expect the following
behaviors:
• If the selected image is from an earlier version of Windows, the language selection
control on the image selection page will be disabled. This is because these images do not
support installing language packs.
• If the selected image is Windows Vista but there are no language packs available on the
server, the drop-down list will display those languages that are currently installed in the image
as defined in the image’s metadata. The selection will default to the default language that is
defined in the image’s metadata.
22
• If the selected image is Windows Vista and there are language packs available on the
server, the drop-down list will display all externally available language packs as well as those
that are already installed in the image. The selection will default to the default language that
is defined in the image’s metadata.
The language pack that is selected will be the default language for the first boot of the install
image, and it controls the boot environment language, UI language, and default settings for
system locale and keyboard layout (if these are not defined in the unattend settings).
• Pros: There are fewer images to maintain
• Cons: Install times are longer because external language packs must be copied and
installed.
Method 3: Deploy language packs online (to a running operating system) after the
installation.
Though this method of deployment falls out of the scope of the Windows Deployment Services
solution, it is included here to cover all scenarios. To use this method, you could run scripts at first
logon or deploy the language packs to the client by using management software such as Group
Policy or Systems Management Server (SMS).
• Pros: This method does not require a change to the setup method that you are currently
using.
• Cons: The user’s first experience with Windows Vista is not necessarily in the expected
language. For example, the boot and the initial logon might be shown in the language of the
operating system because the language pack has not been applied yet. Also, only certain
versions of Windows support language pack installation and removal.
23
Configuring DHCP
In This Topic
• Configuring DHCP Options
• Enabling DHCP Authorization
• Authorizing a Server
Note
There are some scenarios (particularly those that require running a DHCP server) that do
not support adding custom DHCP option 60 on the same physical computer as the
Windows Deployment Services server. In these circumstances, it is possible to configure
the server to bind to UDP Port 67 in nonexclusive mode by passing the
SO_REUSEADDR option. For more information, see Using SO_REUSEADDR and
SO_EXCLUSIVEADDRUSE (http://go.microsoft.com/fwlink/?LinkId=82387).
If DHCP is installed on a server that is located in a different subnet, you will need to do one of the
following: configure your IP Helper tables (recommended) or add DHCP options 66 and 67. For
more information about these settings, see Managing Network Boot Programs.
Authorizing a Server
You can authorize a Windows Deployment Services server using the Advanced tab of the
server’s properties. However, you must be a domain administrator in the root domain of the forest
or be an enterprise administrator. Alternatively, you may delegate permissions by using the
following procedure.
25
The environment that the Windows Deployment Services server is in influences the authorization
behavior:
• NT4 domain. If the PXE server is part of an NT4 domain, no authorization is performed
and the PXE server will service requests. This mode is supported only if the PXE server is
running with a custom non-Microsoft PXE provider. Windows Deployment Services requires
AD DS; therefore, it cannot operate if joined only to an NT4 domain.
• Windows Server 2000 or later domain. If the PXE server is part of a
Windows Server 2000 or later domain (meaning that AD DS is present), it queries AD DS to
determine its authorization state.
• Workgroup. If the PXE server is part of a workgroup, it can service client requests as
long as other DHCP servers on the same subnet are not part of a domain. If a DHCP server
that is part of a domain comes online, the PXE server will stop servicing requests.
• Windows Small Business Server 2003.If the PXE server is part of a Small Business
Server 2003 domain, it must be the only DHCP server on the network. If another DHCP
server exists or comes online, the PXE server stops servicing requests.
In This Topic
• Configuring the NBP
• List of NBPs
• Directing a Client to the Appropriate NBP
• Updating the IP Helper Tables
• Using DHCP Options 60, 66, and 67
• Implementing PXE Referrals
• When to Implement PXE Referrals
• Requirements
• Referral Examples
• Enabling Architecture Detection
• Avoiding a Boot Loop
26
Note
For information about avoiding a boot loop, see Automating the PXE Boot.
List of NBPs
The following table lists the available NBPs in Windows Deployment Services.
PXEboot.com (Default) Requires the user to press the F12 x86-based and BIOS
key for a PXE boot to continue. x64-based
PXEboot.n12 Does not require pressing F12 and x86-based and BIOS
immediately begins a PXE boot. x64-based
AbortPXE.com Boots the computer by using the next boot x86-based and BIOS
item in the BIOS without waiting for a time- x64-based
out.
Hdlscom1.com and Causes computers that do not support x86-based and BIOS
Hdlscom2.com firmware console redirection to display x64-based
"Press space or F12 for network boot," using
console redirection to serial port 1 or 2.
Users can proceed with the boot process by
pressing either key, or they can exit the boot
process by not pressing either key.
Hdlscom1.n12 and Causes computers that support firmware x86-based and BIOS
Hdlscom2.n12 console redirection will not display the x64-based
prompt "Press space or F12 for network
boot" and the computer will not wait for user
input.
Bootmgfw.efi The EFI equivalent for Bootmgr.exe. In EFI, x64-based and EFI
the choice of whether or not to perform a Itanium-based
27
NBP Description Architecture Firmware
28
• All DHCP broadcasts by client computers on User Data Protocol (UDP) port 67 should be
forwarded directly to both the DHCP server and the Windows Deployment Services PXE
server.
• All traffic on UDP port 4011 from the client computers to the Windows Deployment
Services PXE server should be routed appropriately (these requests direct traffic, not
broadcasts, to the server).
29
Implementing PXE Referrals
A PXE referral (also known as a network boot referral) occurs when a client is directed to
download an NBP from a different server than the one it was in communication with through
DHCP (as part of the process to discover the network boot server name and NBP). This referral
may be initiated by either a network boot server or a DHCP server.
The following areas are covered in this section:
• When to Implement PXE Referrals
• Requirements
• Referral Scope
Requirements
PXE boot referrals that don't involve using DHCP options 66 and 67 require that the referred
client to be prestaged. Additionally, the netbootMachineFilePath attribute of that computer
account must be populated with (at a minimum) the server name that the client should use. In
environments that contain both Remote Installation Services (RIS) and Windows Deployment
Services servers, only the Windows Deployment Services servers should act as referral servers.
30
This enables the Windows Deployment Services server to control the referral process, correctly
referring clients to new Windows Deployment Services servers and maintaining backward
compatibility for RIS servers.
Note
Having a RIS server act as a referral server for a back-end Windows Deployment
Services server will work only if prestaged computers have both the referral server name
and the NBP name defined in the netbootMachineFilePath attribute. Failing to populate
the NBP name will cause the RIS server to populate the value automatically with
Startrom.com (which will not exist on the backend Windows Deployment Services server
if the server is in Native mode on Windows Server 2003, or if you are running Windows
Server 2008).
Referral Examples
Referrals are classified based on the number of jumps the client must make before it downloads
and executes an NBP. The following table contains three examples of referrals. Each of these
examples supports the referral of x86-based or x64 BIOS-based clients, but does not support the
referral of Itanium-based and x64 EFI-based clients
Example Details
First order referral ComputerA sends a DHCP broadcast packet and receives an IP address
from PXE server lease from a DHCP server and a response from PXE Server1. ComputerA
contacts PXE Server1 directly on port 4011. PXE Server1 refers the client
to download \boot\wdsnbp.com from Server2. The client computer
downloads Wdsnbp.com from Server2.
Requirements:
• The NBP that the client computer is directed to download from the
TFTP server (Server2 in this example) must be Wdsnbp.com.
• The network boot server performing the referral (PXE Server1 in
this example) must be running Windows Deployment Services.
First order referral ComputerA sends a DHCP broadcast packet and receives an IP address
using DHCP options lease from a DHCP server. The lease also contains values for DHCP
options 66 and 67, referring the client to download the file \boot\
x86\wdsnbp.com from Server1. The client computer downloads
Wdsnbp.com from Server1.
Requirement:
• The NBP that the client computer is directed to download from the
TFTP server (Server1 in this example) must be Wdsnbp.com.
Second order referral ComputerA sends a DHCP broadcast packet and receives an IP address
using both DHCP lease from a DHCP server. The lease also contains values for DHCP
options and PXE options 66 and 67, referring the client to download the file \boot\
31
Example Details
In This Topic
• Configuring the Boot Menu
• Specifying Boot Images for Prestaged Clients
• Considerations for x64-Based Clients
33
• There is no support for alternate keyboards, other than what the BIOS supports.
• There is limited support for localization, other than what the BIOS supports.
• There is limited support for accessibility.
In This Topic
• Creating Computer Account Objects in AD DS
• Benefits
• Enabling the Auto-Add Policy
• Purging the Auto-Add Database
34
You can use Windows Deployment Services to link physical computers to computer account
objects in Active Directory Domain Servers (AD DS). This is called prestaging the client.
Prestaged clients are also called known computers. This allows you to then configure properties
on the computer account to control the installation for the client. For example, you can configure
the network boot program and the unattend file that the client should receive, as well as the
server from which the client should download the network boot program. You can create a
computer account object and associate it with a physical computer using the following methods:
• Using WDSUTIL. You can prestage client computers before they have attempted a
network boot, by running WDSUTIL /Add-Device /Device:<name> /ID:<ID>. You cannot
prestage computers by using the Windows Deployment Services MMC snap-in, but you can
set the Auto-Add policy and approve or reject pending computers.
• Using the Active Directory Users and Computers snap-in. You can prestage client
computers before they have attempted a network boot using AD DS. For instructions, see the
section "To prestage a client computer" in How to Manage Client Computers.
• Enabling the Auto-Add policy. If you enable this policy, when you approve the
installation for an unknown client, the installation will proceed and a computer account will be
created in AD DS for the client. For more information, see Enabling the Auto-Add Policy
• Using Windows Deployment Services as part of the image installation. By default,
all operating system installations using Windows Deployment Services result in a client
computer that is joined to a domain. You can disable this functionality using the Client tab of
the server’s properties page.
Benefits
Prestaging clients provides three main benefits:
• An additional layer of security. You can configure Windows Deployment Services to
answer only prestaged clients, therefore ensuring that clients that are not prestaged will not
be able to boot from the network.
• Additional flexibility. Prestaging clients increases flexibility by enabling you to control
the following:
• The computer account name and location within AD DS.
• Which Pre-Boot Execution Environment (PXE) server should service the client.
• Which network boot program (NBP) the client should receive.
• Other advanced options — for example, what boot image a client will receive or what
Windows Deployment Services client unattend file the client should use.
• The ability for multiple PXE servers to service the same network segment. You can
do this by restricting the server to answer only a particular set of clients. Note that the
prestaged client must be in the same forest as the Windows Deployment Services server
(trusted forests do not work).
35
Enabling the Auto-Add Policy
When the Auto-Add policy is enabled, administrative approval is required before unknown clients
(clients that are not prestaged) can install an image. To enable this policy, run WDSUTIL /Set-
Server /AutoAddPolicy /Policy:AdminApproval. You can also enable it using the PXE
Response settings tab of the server’s properties page.
If you enable this policy, when an unknown computer attempts to boot against the server, the
computer will appear in the Pending Devices node of the MMC snap-in. The computer will
remain in this pending queue until you approve or reject it, the time-out is reached, or the user
cancels the attempt. If you approve the computer, the computer will continue booting from the
network, and a computer account object will be created in AD DS to represent the physical
computer. If you reject the computer, the network boot will abort, the computer will boot from the
next item in the boot order, and a computer account will not be created. If you do not enable this
policy, Windows Deployment Services will not create a computer account for unknown clients. It
will, however, still answer clients according to the settings on the server.
The Auto-Add policy applies only when the Windows Deployment Services server is set to answer
all clients, and Windows Deployment Services does not find a prestaged computer account for a
booting computer. In all other cases, this policy will not be in effect. Also note that this policy does
not pertain to computers that use Extensible Firmware Interface (EFI).
Note
If you are creating computer accounts against a non-English domain controller and you
are using the default user property, you must set the Auto-Add settings to use a different
account that does not contain extended characters. If the account contains a non-
standard character (any character outside [A-Z, a-z, 0-9, \, -, and so on]), such as
German's "Domänen-Admins", then Auto-Add will fail. To change this value, see the help
at the command prompt for WDSUTIL /set-server /AutoAddSettings.
36
two steps. First, you must delete the computer from AD DS. Second, you must delete the
computer's record in the Auto-Add database. Failing to purge the database will cause the client to
be stuck in Wdsnbp.com and not proceed with booting from the network. This occurs because the
record in the Auto-Add database shows the computer as approved, but a prestaged computer in
AD DS will never be found (because the computer was deleted). In this situation, the server will
hold the client at Wdsnbp.com until a prestaged computer appears in AD DS.
In This Topic
• Benefits
• Creating a Custom Solution
• Custom Solution Example
Benefits
Using the Windows Deployment Services platform as part of a custom deployment solution
provides the following benefits:
37
• Increased interoperability. Common barriers for new deployment solutions include the
need for new hardware and the need for changes to network infrastructure to support
advanced networking configurations (for example, having two Pre-Boot Execution
Environment (PXE) servers on the same network segment). Windows Deployment Services
has built-in extensibility points that help you avoid these potential conflicts. You do not need
to have a separate physical server for each deployment solution because of the unified PXE
server architecture. Also, you do not need to store images in multiple locations or in multiple
formats because the management approach (which uses the Windows imaging format)
provides a central repository for images.
• A scalable PXE server infrastructure. The PXE server that is included in Windows
Deployment Services enables you to implement custom logic that dictates which clients are
answered. The PXE server handles advanced networking configurations by giving you control
over which interfaces the server binds to. This control extends to the IP address and MAC
address layers. The PXE server can handle the throughput generated by more than 5,000
client PXE requests per second.
• Image storage and management. Windows Deployment Services stores images in a
central location, and the management tools enable you to perform all common tasks, such as
adding and removing images and configuring server settings.
• Enumeration of images. Many network installation scenarios face a common problem:
getting a list of available install images from a central distribution point and returning that list
to the client. Windows Deployment Services does just this. It shows an authenticated client
computer a list of available images that are stored on a server or in a remote storage location,
which is referenced by using Distributed File System (DFS).
• Network boot support. Offering support for booting from the network becomes more
complex when different variations of Windows PE need to be supported (for example,
different languages, different hosted applications, and different architecture versions).
Windows Deployment Services accomplishes this by using the image storage structure and
management tools provided in Windows PE.
38
develop custom PXE solutions while taking advantage of the core PXE server networking code
base. The PXE server logic in Windows Deployment Services has two main features:
• A default provider that you can change. The provider installed by default with Windows
Deployment Services is BINLSVC, which is implemented in the DLL, Binlsvc.dll. You can
remove this PXE provider from the server and replace it with a custom-written provider.
• Support for multiple providers on a single server. Rather than having two PXE
listeners on the network (each with its own application logic), you can have multiple providers.
This means that you can have only one PXE listener on a network that has two or more sets
of application logic.
With this PXE server implementation, you can perform either of the following tasks:
• Create a PXE plug-in for a stand-alone PXE server (for example, a server that is not
joined to or communicating with an Active Directory Domain Services (AD DS) domain). The
plug-in might use a .txt file, an .xml file, or a SQL database as its data store.
• Enable a second, registered provider to offer functionality without disrupting or
reconfiguring Windows Deployment Services. One of the most powerful implementations
available is writing a filter provider, which is an additional PXE provider that resides above
BINLSVC (or any other PXE provider) in the ordered provider list. This filter provider acts as a
gate before the next provider in the list, enabling the next provider to service selected clients
by passing some requests and filtering others.
39
4. The application uses the Windows Deployment Services client library to retrieve a list of
available images stored on a Windows Deployment Services server and displays the list of
choices to the client (by using the custom UI).
5. The application deploys the image that the user selects, and it also copies the unattend
file that was acquired previously.
6. The application sends progress and status messages to the server by using the
functionality provided by the Windows Deployment Services client library.
40
a. Create a custom Winpeshl.ini file, and then copy it to the \Windows\System32 folder
of the mounted image.
b. Create a custom script (for example, domainOU.vbs) by using the sample code in the
section following this procedure. Copy this script to the mounted image's \Sources folder.
3. Unmount the image, and then commit the changes.
4. Add the image back to your Windows Deployment Services server.
5. Create an image unattend file similar to the sample file (Sample Image Unattend File).
6. Associate the unattend file with an install image.
7. Boot a client into the updated boot image.
8. Select the install image associated the unattend file.
The script starts running when Windows PE boots. It shows a basic UI which enables the user to
enter the computer name and the computer OU. The script performs the install and then replaces
all occurrences of %COMPUTERNAME% with the value specified in the message box, as well as
replacing all occurrences of %OU% with the value specified in the message box. Remember that
the OU must be entered in a distinguished name form — for example,
OU=MyOU,DC=Domain,DC=com.
'----------------------------------------------------------------------
unattendFile = "C:\Windows\Panther\unattend.xml"
'----------------------------------------------------------------------
dim answer
answer = MsgBox("Is this correct?" & vbCrLf & vbCrLF & "Name: " & computerName &
vbCrLF & "OU: " & OU, vbYesNo, "Computer Account Details")
loop
41
Set fso = CreateObject("Scripting.FileSystemObject")
else
strContents = unattendFileObject.ReadAll
unattendFileObject.Close
unattendFileObject.Write(strContents)
unattendFileObject.Close
End If
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="specialize">
versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Identification>
<UnsecureJoin>false</UnsecureJoin>
<MachineObjectOU>%OU%</MachineObjectOU>
<Credentials>
<Domain>MyDomain</Domain>
<Username>MyUserName</Username>
42
<Password>MyPassword</Password>
</Credentials>
<JoinDomain>%MACHINEDOMAIN%</JoinDomain>
</Identification>
</component>
versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ComputerName>%COMPUTERNAME%</ComputerName>
</component>
</settings>
</unattend>
"%SYSTEMROOT%\system32\cscript.exe","%SYSTEMDRIVE%\sources\domainOU.vbs"
In This Topic
• Managing a Server Remotely
• Avoiding IP Address Conflicts
• Testing by Using Virtual Computers
• Versions of the Management Tools to Use with RIS and Windows Deployment Services
Note
When performing Pre-Boot Execution Environment (PXE) referrals in an environment
that includes Windows Deployment Services and RIS, the Windows Deployment
Services server must answer PXE requests and perform referrals. If a RIS server
attempts to refer a client computer to a Windows Deployment Services server that is
running in Mixed mode or Native mode, the client computer will receive an incorrect
network boot program, which may cause the client to fail to boot.
43
Managing a Server Remotely
In addition to running Windows Deployment Services locally, you can also manage Windows
Deployment Services remotely using the following methods.
Method Explanation
Managing from To do this, you must specify which server you want to manage. You can do
another Windows this in either of the following ways:
Deployment • Using the Windows Deployment Services MMC snap-in. First
Services server you must add the server to the console. To do this, right-click the
Servers node and then click Add Server. Next, type the name of the
server you want to add, or select it in the list. The server will be added
to the left pane in the console, and you can perform any task by
selecting it just as you would select the local server.
• Using WDSUTIL. To specify a remote server to run a WDSUTIL
command, append /Server:<name> to the command. For example:
WDSUTIL /Add-Image /ImageFile:C:\images\capture.wim
/Server:MY-WDS-02 /ImageType:Boot
Managing from a To do this, you can install Remote Server Administration Tools, which will
remote server that install WDSUTIL and the Windows Deployment Services MMC snap-in on
is running Windows the server. To install Remote Server Administration Tools, open Server
Server 2008 (but Manager, right-click the Features node, click Add Features, and then click
not Windows Remote Server Administration Tools. Next clickRole Administration
Deployment Tools, and then click Windows Deployment Services Tools.
Services)
Using PsExec You can also manage the server by using PsExec. For example: psexec
\\<servername> \wdsutil /get-device /id:<GUID>
For information about using PsExec, see http://go.microsoft.com/fwlink/?
LinkId=110605.
The Windows Deployment Services management tools enable you to manage a remote server.
Note, however, that there are some restrictions regarding which versions of the tools will work on
which server versions. The following table lists the seven possible configurations and the versions
of the tools that you should use with each environment. Essentially, you should use the latest
available version of each tool. For example, see the sixth row in the table: if you have servers
45
running the 2003 and 2008 versions of Windows Deployment Services, you should use RISETUP
(II), RIPREP (II), WDSUTIL (II), and WDSMMC (II)
Note
You cannot manage a Windows Deployment Services server running Windows
Server 2008 from a Windows Deployment Services server running Windows
Server 2003.
Servers Servers running Servers running Tools that you should use
running Windows Windows
RIS on Deployment Deployment
Windows Services on Services on
Server 200 Windows Windows
3 Server 2003 Server 2008
X • RISETUP (I)
• RIPREP (I)
X • WDSUTIL (II)
• WDSMMC (II).
X X • RISETUP (II)
• RIPREP (II)
• WDSUTIL (I)
• WDSMMC (I)
X X • RISETUP (I)
• RIPREP (I)
• WDSUTIL (II)
• WDSMMC (II)
X X • RISETUP (II)
• RIPREP (II)
• WDSUTIL (II)
• WDSMMC (II)
X X X • RISETUP (II)
• RIPREP (II)
• WDSUTIL (II)
46
Servers Servers running Servers running Tools that you should use
running Windows Windows
RIS on Deployment Deployment
Windows Services on Services on
Server 200 Windows Windows
3 Server 2003 Server 2008
• WDSMMC (II)
In This Topic
• Best Practices for Avoiding Performance and Scalability Problems
• Configuring the Server for Performance and Scalability
• Performance and Scalability Expectations
• Unicasting
• Multicasting
For information about analyzing blockages during an installation, see Troubleshooting
Performance Problems.
47
• Ensure that the disk that contains the RemoteInstall folder has enough throughput
to meet the client demand. On small-scale solutions, this may mean getting a Serial
Advanced Technology Attachment (SATA) drive that spins at 7,200 RPM or faster. On mid-
scale solutions, this may mean getting multiple drives and configuring them using Redundant
Array of Independent Drives (RAID) configuration. On large-scale solutions, this may mean
investing in a hardware RAID array. The disk volume that contains RemoteInstall should be
separate from the system volume.
• Ensure that there is sufficient memory on the server to handle the demands. This
may mean upgrading a server from 32-bit (x86) to 64-bit (x64). (for details about how to
evaluate whether this solution is worthwhile for you, see Performance and Scalability
Expectations).
• Ensure that there is enough processor bandwidth on the server to handle the
demands. If the server has a lot of processes or services that are running, you may need to
distribute the processes and services or upgrade the server’s processor.
48
Performance and Scalability Expectations
This section outlines the approximate amounts of time that elapsed during the image apply and
TFTP download phases.
• Unicasting
• Multicasting
Unicasting
The following table outlines the hardware configurations of the servers that were used during
these scalability tests.
Note
Network configuration for the high-end server involved connecting the server’s GB
network adapter to a GB switch, which was connected to 100-MB switches that
supported a GB back-plane configuration.
Time elapsed during the image apply phase
This table shows the approximate time (in minutes) from start to finish that it took for all of the
clients to apply an install image.
1 25 25 25
10 61 55 25
25 125 117 25
50 235 220 35
49
Number of clients Low-end Mid-range High-end
75 355 330 45
1 70 55 40
10 210 145 75
Multicasting
Microsoft performed tests to compare the installation times of multicast and unicast transmissions
using the same hardware, software, and image set. The following table outlines the configurations
of the servers and clients that were used during these tests. The boot and install images were
taken from an x86-based version of Windows Server 2008. The size of the boot image was
approximately 128 MB, and the size of the install image was approximately 1.32 GB. Note that
the out-of-box experience (OOBE) and logon were automated by using an unattend file.
50
Network interface card Hardware configuration Operating system
Multicast Installation
Time when the first client started the 3:04 3:55 8:18
multicast transfer
Time when the last client finished the 6:06 7:54 12:30
multicast transfer
Total amount of time until the last client 19:47 22:40 27:40
reached the desktop
Unicast Installation
51
SMB 25 clients SMB 100 clients SMB 300 clients
Time when the first client started image 3:14 4:38 8:29
transfer using unicast/SMB
Time when the last client started image 13:36 38:15 1:47:58
transfer using unicast/SMB
Total amount of time until the last client 20:59 45:37 1:55:15
reached the desktop
52
In This Topic
• Comparison of Deployment Server and Transport Server
• Configuring Transport Server
• Using a Transport Server to Boot from the Network
• Using a Transport Server for Multicast
• How to create a namespace with Transport Server
• How to join a client computer to a namespace using Wdsmcast.exe
• How to perform common tasks
Server requirements Requires AD DS, Dynamic Host Does not require other servers
Configuration Protocol (DHCP), and in the environment.
Dynamic Name Services (DNS) in the
environment.
PXE Supports PXE boot with the default A PXE provider is not installed
PXE provider. so you must create a custom
PXE provider.
Image server Includes the Windows Deployment Does not include the Windows
Services image server. Deployment Services image
server.
Management tools Is managed using either the Windows Is managed only by the
Deployment Services MMC snap-in or WDSUTIL command-line tool.
the WDSUTIL command-line tool.
53
The server architectures are illustrated in the following diagram. The blue parts are installed with
Transport Server and the Deployment Server. The grey parts are installed with the Deployment
Server only. The yellow parts are not installed with either, but can be written using guidelines in
the Windows SDK.
54
Multicast\Profiles. Specify Custom if you want to customize the settings yourself by editing
the registry. You should not modify the other profiles that are provided. You should use the
custom profile even if you only want to change one setting. To set the profile, run
WDSUTIL /Set-TransportServer [/Server:<name>] /Profile:{10Mbps|100Mbps|1Gbps|
Custom} at an elevated command prompt.
• Set the UDP port range. To do this, run WDSUTIL /Set-TransportServer
[/Server:<name>] /StartPort:x /EndPort:y at an elevated command prompt.
55
• A content provider. You can use the Windows Deployment Services content provider
(named WDS) that is included when you install Transport Server. Or you can create your own
content provider by using the tools in the Windows Server 2008 SDK.
• Data to transmit. You can transmit any data that your content provider knows how to find
(for example operating system images, data files, or an MP3 archive). The Windows
Deployment Services content provider knows how to find any file within a folder.
• Familiarity with WDSUTIL. The only way to manage Transport Server is through the
WDSUTIL command-line tool.
• A way to boot clients. This is because Transport Server does not include a PXE
provider (such as BINLSVC).
• Routers. The routers in your environment must support multicasting. In particular, your
network infrastructure needs to support the Internet Group Management Protocol (IGMP) to
properly forward multicast traffic. Without the IGMP, multicast packets are treated as
broadcast packets, which can lead to network flooding.
To create a namespace
Like with Deployment Server, you can create Scheduled-Cast and Auto-Cast namespaces. For
more information about each parameter, see Options.
• To create a Scheduled-Cast namespace
Syntax: WDSUTIL /New-Namespace [/Server:<server name>] /Namespace:<namespace
name> /FriendlyName:<friendly name> [/Description:<description>]
/ContentProvider:<name> /ConfigString:<config string> /NamespaceType:ScheduledCast
[/Time:<YYYY/MM/DD:hh:mm>] [/Clients:<number of clients>]
For example: WDSUTIL /New-Namespace /Server:MyWDSServer
/FriendlyName:"Custom Scheduled Namespace" /Namespace:"Custom Scheduled
1" /ContentProvider:WDS /ConfigString:D:\Images /NamespaceType:ScheduledCast
/Time:"2006/11/20:17:00" /Clients:20
• To create an Auto-Cast namespace
Syntax: WDSUTIL /New-Namespace [/Server:<server>] /Namespace:<namespace name>
/FriendlyName:<friendly name> [/Description:<description>] /ContentProvider:<name>
/ConfigString:<config string> /NamespaceType:AutoCast
For example:
WDSUTIL /New-Namespace /FriendlyName:"Custom AutoCast Namespace"
/Namespace:"Custom Auto 1" /ContentProvider:WDS /ConfigString:D:\Images
/NamespaceType:AutoCast
56
• Use Wdsmcast.exe, which is included in the Windows Automated Installation Kit (AIK).
This is a command-line utility you can use to connect to any namespace or multicast
transmission that uses the Windows Deployment Services content provider. For more
information about this, see the following procedure. You can download the Windows AIK at
http://go.microsoft.com/fwlink/?LinkID=54863.
• Use a custom deployment client. You can do this by using the APIs of the Windows
Deployment Services transport client. You will need to create a custom client if you are using
a custom content provider. For instructions on how to do this, see the Windows Server 2008
SDK.
Option Description
/Server:<server name> The name of the Windows Deployment Services server. This can be
either the NetBIOS name or the fully qualified domain name (FQDN).
If the server name is not specified, the name of the local server will
be used.
/Namespace:<namespace The name of the namespace. This value should match the name
name> given when creating the namespace on the server. This is not the
"friendly" name, and it must be unique.
Note
When using this option with Deployment Server, the syntax is
57
Option Description
as follows:
/Namespace:WDS:<ImageGroup>/<ImageName>/<Index>.
For example: WDS:ImageGroup1/install.wim/1
Note
To view all namespaces that currently exist on the server, run
WDSUTIL /get-allnamespaces.
/Username:<domain and The domain name and user name to connect to the server. These
user name> can be either in the format Domain\User or the format
User@Domain.
[/Password:<password>] The password for the user. If this is not specified, you will be
prompted to enter it.
/SourceFile:<file path> Path to the name of the file to be transferred, relative to the directory
specified in the /ConfigString path of the namespace. For example, if
you specified WDSUTIL /New-Namespace
/ConfigString:C:\RemoteInstall\Images, specify
/SourceFile:ImageGroup\install.wim.
/DestinationFile:<file The complete file path and name for the destination file.
path>
58
WDSUTIL /Remove-Namespace /Server:MyWDSServer /Namespace:"Custom Auto
1" /Force
• To stop a client installation completely
Syntax: WDSUTIL /Disconnect-Client /ClientID:<id> /Force
Important
You should use this option with caution because the installation will fail and the
computer could be left in an unusable state.
• To discontinue the download for a client but continue to transfer the image through
another method (such as SMB copy). The client will fall back to another method of transfer
only if the client implementation supports this behavior. Although the Windows Deployment
Services client will fall back to SMB transfer, note that Wdsmcast.exe does not support any
fallback mechanism.
Syntax: WDSUTIL /Disconnect-Client /ClientID:<id>
• To view the client <id> for each namespace
Syntax: WDSUTIL /Get-Namespace /Namespace:<name> /show:clients
• To view all clients connected to all namespaces on the server
Syntax: WDSUTIL /Get-AllNamespaces
Options
The options in the following table apply to the sections "Creating a namespace with Transport
Server" and "Using common commands" earlier in this chapter.
Option Description
/Server:<server The name of the Windows Deployment Services server. This can be either
name> the NetBIOS name or the FQDN. If the server name is not specified, the
name of the local server will be used.
/ The name of the namespace. This value should match the name given
Namespace:<Name when creating the namespace on the server. Note that this is not the
space name> "friendly" name, and it must be unique.
Note
When using this option with Deployment Server, the syntax is as
follows:
/Namespace:WDS:<ImageGroup>/<ImageName>/<Index>. For
example: WDS:ImageGroup1/install.wim/1
Note
To view all namespaces that currently exist on the server, run
WDSUTIL /get-allnamespaces.
/ The friendly name of the namespace. Note that this name does not need to
FriendlyName:<frie be unique.
59
Option Description
ndly name>
/ The name of the content provider that supplies data to the multicast server.
ContentProvider:<n If you are using the Windows Deployment Services content provider,
ame> specify WDS.
/ The configuration string for the content provider. If you are using the
ConfigString:<confi Windows Deployment Services content provider (WDS), specify the path to
g string> the folder where content is stored (for example, D:\Photos\Landscapes).
This path can be anywhere on the server.
/ The time on the server when the namespace will start (note that you can
Time:<YYYY/MM/D set this option only for Scheduled-Cast transmissions).
D:hh:mm>
/Clients:<Num of The number of clients to wait for before the namespace will start (note that
Clients> you can set this option only for Scheduled-Cast transmissions).
/Force An option that deletes the transmission, even if there are current client
installations. If you do not specify /Force, the transmission will be in the
Delete Pending state, meaning that the transmission will be removed after
clients' downloads are completed.
60
Automating the PXE Boot
In This Topic
• Automating the PXE Boot
• Automating the Selection of the Boot Image
Note
Because there is only one NBP for EFI computers, you must configure this setting within
the EFI shell.
61
(always booting from the network and never booting from the hard disk drive). The following are
best practices that you can use to avoid a boot loop:
• Always configure the hard disk drive as a higher priority than the network. To
enable a computer that already has an operating system installed to boot automatically from
the network (for example, when reprovisioning a computer), disable any active partitions
before rebooting the computer to initiate the PXE boot.
• For prestaged computers that are configured to boot from the network before
booting from the hard disk drive, toggle the BootProgram value between *.N12 and
*.COM to control the automatic PXE boot behavior. For example, set it to
boot\x86\pxeboot.n12 when you want to boot the computer from the network, and set it to
boot\x86\abortpxe.com when you want to boot from the hard disk drive. For instructions on
how to do this, see How to Manage Client Computers.
• For nonprestaged computers that are configured to boot from the network before
booting from the hard disk drive, set the server default NBP to *.COM and configure
the AllowN12ForNewClients option. This will prevent a boot loop if both of the following are
true: the booting client will perform an operating system installation by using Windows
Deployment Services, and the client computer is configured to join a domain, which is the
default.
Example Scenario
Consider the following situation. Computer A has been configured with the following boot order:
CD-ROM, Network, then Hard disk.
On the Windows Deployment Services server, the default NBP setting for x86-based computers is
boot\x86\pxeboot.n12, which is an NBP that does not require pressing F12 to boot from the
network. The following sequence of events will result in a boot loop:
1. The computer is turned on.
2. Assuming there is not a bootable CD, the computer boots from the network, downloads
Windows PE from the Windows Deployment Services server, and proceeds through the user
interface of the Windows Deployment Services client.
3. The image installation to the hard disk drive begins.
4. After the image is applied, the computer reboots.
The boot order sequence still specifies the network as a higher priority than the hard disk drive.
And, the NBP received by the client is still *.N12, which causes the computer to continue the
process of booting from the network. As a result, the image that was just applied to the hard disk
drive will never be booted.
Automating Setup
In This Topic
• Creating Unattend Files
• Automating the User Interface Screens of the Windows Deployment Services client
• Automating the Remaining Phases of Setup
63
must configure the command-line unattend precedence appropriately. For precedence
information, see Advanced Unattended Installation Scenarios. For an example file, see Sample
Unattend Files. In addition, Windows Deployment Services supports implicit unattend searching
and can be used in conjunction with AutoUnattend.xml. For more information about implicit
search paths, see Methods for Running Windows Setup at http://go.microsoft.com/fwlink/?
LinkId=120686.
64
contains the Windows Vista or Windows Server 2008 image that you want to associate
the unattend file with, and then click Properties.
4. On the Client tab, select Enable unattended installation, browse to the appropriate
unattend file, and then click Open.
5. Click OK to close the Properties page.
Note
The commands for this task are: To associate a client unattend file by
architecture run WDSUTIL /Set-Server /WDSUnattend /Policy:enabled
/File:<filepath> /Architecture:<arch>. To associate a client unattend file per
computer, run WDSUTIL /Set-Device /Device:<computername> /ID:<GUID or
MAC address> /WDSClientUnattend:<relative path>
page WindowsDeployme
ntServices
66
following location:
\RemoteInstall\Images\<imagegroup>\<imagename>\Unattend\ImageUnattend.xml.
• Sysprep.inf. For images prior to Windows Vista, author Sysprep.inf by using Setup
Manager and then save these files to the $OEM$ structure of the image (for example,
D:\RemoteInstall\Images\Windows XP\winxpsp2\$OEM$\$1\sysprep\sysprep.inf). Now when
you deploy the image, Setup will automatically locate and use the Sysprep.inf file.
In This Topic
• Modifying Your Unattend Files
• Choosing a Permissions Method
67
• For Windows Vista or Windows Server 2008 images, this file exists within the image itself
as \System32\WDSUnattendTemplate.xml. Therefore, after the image is applied, the template
file will be located offline on the disk.
• For Windows XP and Windows Server 2003 images, this file exists in the
\RemoteInstall\Templates\Sysprep.inf folder on the server when the server is first initialized.
After the image is applied, Windows Deployment Services will copy the template Sysprep.inf
into the offline image and then edit it as appropriate. This file is copied from the server into
the offline image as C:\Sysprep\Sysprep.inf.
This method involves resetting the computer This method is secure in the sense that it
account to a known, shared computer requires credentials (user name, domain, and
password and enabling the computer to join a password) before you can reset the account
domain without credentials. For Windows Vista and perform the domain join. However, in
and Windows Server 2008 images, this shared practice this method is actually less secure
computer password is a dynamically generated, because the credentials reside in the
strong password that is set by Windows ImageUnattend.xml file in plain text.
Deployment Services. The password is inserted • Advantages: This method uses a
into the ImageUnattend.xml file as the simplified permissions model because a
<MachinePassword> setting. For images from single account is used throughout the
an earlier version of Windows, this shared enterprise to perform all domain join
computer password is the computer name. operations.
• Advantages: This method does not • Disadvantages: Credentials are stored
require placing unattend credentials in plain in plain text in the image unattend file,
text in the unattend file. which is located on a shared folder on the
• Disadvantages: It is possible for a Windows Deployment Services server.
malicious user to join the domain between To implement a secure join, do the following to
the time the computer account was reset the unattend file:
(in Windows PE) and when the actual
1. Set UnsecureJoin = FALSE.
domain join occurs (on first boot of the
2. Specify the credentials for performing
applied image). This particular attack is
the domain join, and the domain that you
effectively mitigated with Windows Vista
want to join the computer to.
and Windows Server 2008 images because
the password is dynamically generated. 3. Ensure that the Microsoft-Windows-
Shell-Setup component exists for the
To implement an unsecure join, set
specialize phase.
UnsecureJoin = TRUE and ensure that the
Microsoft-Windows-Shell-Setup component 4. Set the <ComputerName> value to
68
Unsecure join Secure join
Setting Description
ImageName Specifies the value to be set as the image name within the image
69
Setting Description
ImageDescription Specifies the value to be set as the description within the image metadata.
This will be the image name as displayed in the Windows Deployment
Services management tools and the user interface of the Windows
Deployment Services client.
DestinationFile Specifies the full path and name of the .wim file to which the image is to be
captured.
SystemRoot The name of the system root folder. If this setting is not specified,
\Windows, \Winnt, and \i386 will be tried. The Image Capture Wizard must
locate the system root to extract the data needed to form the metadata (for
example, the version of the operating system and installed languages) that
is added to the .wim during the capture.
Overwrite=Yes|No| (Default=No)
Append Designates whether the file specified in DestinationFile should be
overwritten if a file with that name already exists in the specified location.
• Yes. Specifies to overwrite the existing file.
• No. The process will cause an error if a file with the same name
already exists in the specified location.
• Append. If a .wim file with the same name already exists, the
capture should be appended as a new image within the existing .wim
file. This setting often produces a much faster capture because when
files from the current capture operation already reside in the .wim file
(for example, if file resources in another image already exist in the .wim
file), the files are not copied into the .wim file again. The image name
specified must be unique within the .wim file; otherwise, you will receive
an error.
[ExclusionList]
Defines the files and folders to be excluded from the capture. By default, this section is populated
with the following items: $ntfs.log, hiberfil.sys, pagefile.sys, System Volume Information,
RECYCLER, winpepge.sys, and %SYSTEMROOT%\CSC. Note that the %SYSTEMROOT%
variable is replaced by the value specified in SystemRoot in the [Capture] section.
[WDS]
Contains all of the Windows Deployment Services-specific unattend settings.
70
Setting Description
Username The user name to use when connecting to the specified Windows
Deployment Services server. This name can take either of the
following forms: domain\username or username@domain.com.
Note
We recommend that you enter credentials in the wizard
user interface (UI). Credentials specified in
WDSCapture.inf are stored in plain text within the capture
image, and there is no way to secure these credentials.
DeleteLocalWIMOnSuccess= Specifies whether the local capture image (where the capture
Yes|No image was saved) will be deleted at the end of the process,
assuming that the image is successfully uploaded to the Windows
Deployment Services server. You should be careful when using
this option with the Overwrite=append option because the entire
image will be deleted (not just the new .wim that was appended to
the existing image).
In This Topic
• Passing Unattend Files to Setup by Using the Command Line
• Using Implicit Unattend Files
• Embedding an Unattend File in an Image
• Understanding Unattend File Precedence
71
• Setting Command-Line Precedence for Unattend Files
• Using Variables to Obtain Information from the Client
72
Embedding an Unattend File in an Image
In general, it is a best practice to store unattend files outside of the images with which they are
associated. The main reason for this is flexibility; it is easier to modify an image that is on a file
share on the Windows Deployment Services server than it is to mark an image offline, export the
image, mount it, modify the unattend file, and then reimport the image. However, there are some
cases where you may want to include the unattend file in a boot or install image. The following is
an example of a scenario in which you may want to do this.
There are two types of computers in your organization — laptops and desktops. Your company
policy states that all laptops should be configured with two partitions to support BitLocker Drive
Encryption, and desktops should have a single partition and do not need BitLocker support. You
create a custom boot image that is configured to run a simple script. The first action in the script
is to use Windows Management Instrumentation (WMI) calls to determine whether a particular
booted client computer is a laptop or a desktop.
• If the computer is a laptop, the script calls Setup.exe by using the /wds option and then
passes an Unattend.xml file for laptop use (one that creates two hard disk partitions).
• If the computer is a desktop, the script calls Setup.exe by using the /wds option and then
explicitly passes an Unattend.xml file for desktop use (one that creates only a single
partition).
AWindows Deployment Services client unattend The order of precedence for this file is as
file that is defined always overrides an implicit follows:
unattend file. The order of precedence for this 1. Explicitly assigned image unattend files
file is as follows: (Windows Vista images only)
1. Unattend files that are passed explicitly 2. Image unattend files in the $OEM$
from the command line (for example, structure
setup.exe /wds /unattend:<unattend
3. Template unattend files (used as part of
file>)
a domain join)
2. Unattend files that are defined on the
4. Client unattend files that have been
server
carried over into additional phases of
3. An implicit unattend file unattend processing
(AutoUnattend.xml)
73
Setting Command-Line Precedence for Image
Unattend Files
There are installation scenarios in which you may want to use the same Unattend.xml file for
automating the Windows Deployment Services client and subsequent phases of Setup when
performing a custom deployment solution. Note that command-line precedence does not apply to
Windows Deployment Services client unattend files that are obtained from the Windows
Deployment Services server. By setting the command-line precedence value, you can specify
whether another unattend file (either an implicit unattend file such as AutoUnattend.xml, or an
unattend file passed by using the /Unattend option) will be used instead of the image unattend
file when installing a client computer. To override an existing image unattend file associated with
an image, first enable unattend installations by running the command wdsutil /set-server
/wdsunattend /Policy:{Enabled | Disabled}. Next, run one of the following:
• To allow an unattend file on the client computer to override the unattend file sent from the
server, run WDSUTIL /Set-Server /WDSUnattend /CommandLinePrecedence:Yes.
• To force the unattend file from the server to be used, run WDSUTIL /Set-server
/WDSUnattend /CommandLinePrecedence:No.
The following is an example scenario:
There are two types of computers in your organization — laptops and desktops. Your company
policy states that all laptops should be configured with two partitions and should contain the
proper Bluetooth drivers and software. It also states that desktops should have a single partition
and do not need Bluetooth support. Because the majority of the computers in your organization
are desktops, you create a Windows Deployment Services client unattend file that creates a
single disk partition. Then you create a Windows Vista image with an image unattend file that
does not install the Bluetooth drivers and software. Next, you create a single Unattend.xml file
that performs all of the custom actions needed for laptop installations. Finally, you create a
custom boot image that is configured to run a script. The first action in the script is to use WMI
calls to determine whether a booted client computer is a laptop or a desktop.
• If the computer is a laptop, the script calls Setup.exe by using the /wds option and then
explicitly passes the custom Unattend.xml file for laptop use. To ensure that this single
unattend is used throughout the process, you set the command-line precedence value of the
server appropriately. This action causes the unattend file that is passed to the Windows
Deployment Services client through the command line to override the existing image unattend
file that is associated with the image on the Windows Deployment Services server.
• If the computer is a desktop, the script invokes the client normally, enabling the typical
installation to continue (the client will obtain both the Windows Deployment Services client
unattend file and, later, the image unattend file from the Windows Deployment Services
server).
74
Using Variables to Obtain Information from the
Client
The Windows Deployment Services client can obtain several pieces of information during an
installation that you can use as part of your custom deployment scenario. The client will insert the
proper variable valuess into your unattend file automatically as long as your file is formatted
correctly. The variables that the client can use for this purpose are:
• %USERDOMAIN%. The name of the user's domain, which was specified either by
credentials or in the Windows Deployment Services client unattend file.
• %USERNAME%. The user's name, which was specified either by credentials or in the
Windows Deployment Services client unattend file.
• %USERPASSWORD%. The user's password, which was specified either by credentials
or in the Windows Deployment Services client unattend file. Using this variable may pose a
security risk and is not recommended. The password value will be written to the unattend file
in plain text.
• %MACHINEDOMAIN%. The domain containing the computer account that represents the
physical client computer.
• %MACHINENAME%. The computer name of the computer account that represents the
physical client computer.
• %TIMEZONE%. The time zone of the Windows Deployment Services server.
• %ORGNAME%. The organization name of the Windows Deployment Services server.
To see an example file that uses these variables, see Sample Unattend Files.
In This Topic
• Windows Deployment Services Client Unattend Files
• Example 1: Standard installation
• Example 2: Install a language pack
• Image Unattend Files for Windows Vista and Windows Server 2008
• Example 1: Unsecure domain join
• Example 2: Secure domain join
• Example 3: Using variables
• Image Unattend Files for Older Operating Systems
• Example 1: Domain join
• Example 2: Using variables
• Example 3: Run a script
75
• Combined Image and Client Unattend File
• Image Capture Wizard Unattend File
Note
To download the Windows Deployment Services documentation (including a getting
started guide, deployment guide, and WDSUTIL command-line syntax), see
http://go.microsoft.com/fwlink/?LinkId=89381.
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="windowsPE">
<WindowsDeploymentServices>
<Login>
<WillShowUI>OnError</WillShowUI>
<Credentials>
<Username>username</Username>
<Domain>Fabrikam.com</Domain>
<Password>my_password</Password>
</Credentials>
</Login>
<ImageSelection>
<WillShowUI>OnError</WillShowUI>
<InstallImage>
<ImageGroup>ImageGroup1</ImageGroup>
76
<Filename>Install.wim</Filename>
</InstallImage>
<InstallTo>
<DiskID>0</DiskID>
<PartitionID>1</PartitionID>
</InstallTo>
</ImageSelection>
</WindowsDeploymentServices>
<DiskConfiguration>
<WillShowUI>OnError</WillShowUI>
<Disk>
<DiskID>0</DiskID>
<WillWipeDisk>false</WillWipeDisk>
<ModifyPartitions>
<ModifyPartition>
<Order>1</Order>
<PartitionID>1</PartitionID>
<Letter>C</Letter>
<Label>TestOS</Label>
<Format>NTFS</Format>
<Active>true</Active>
<Extend>false</Extend>
</ModifyPartition>
</ModifyPartitions>
</Disk>
</DiskConfiguration>
</component>
<component name="Microsoft-Windows-International-Core-WinPE"
publicKeyToken="31bf3856ad364e35"
<SetupUILanguage>
<WillShowUI>OnError</WillShowUI>
<UILanguage>en-US</UILanguage>
</SetupUILanguage>
<UILanguage>en-US</UILanguage>
77
</component>
</settings>
</unattend>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="windowsPE">
<WindowsDeploymentServices>
<Login>
<WillShowUI>OnError</WillShowUI>
<Credentials>
<Username>Administrator</Username>
<Domain>Fabrikam.com</Domain>
<Password>Password1</Password>
</Credentials>
</Login>
<ImageSelection>
<WillShowUI>OnError</WillShowUI>
<InstallImage>
<ImageGroup>ImageGroup1</ImageGroup>
</InstallImage>
<InstallTo>
<DiskID>0</DiskID>
<PartitionID>1</PartitionID>
</InstallTo>
</ImageSelection>
78
</WindowsDeploymentServices>
<DiskConfiguration>
<WillShowUI>OnError</WillShowUI>
<Disk>
<DiskID>0</DiskID>
<WillWipeDisk>false</WillWipeDisk>
<ModifyPartitions>
<ModifyPartition>
<Order>1</Order>
<PartitionID>1</PartitionID>
<Letter>C</Letter>
<Label>Vista</Label>
<Format>NTFS</Format>
<Active>true</Active>
<Extend>false</Extend>
</ModifyPartition>
</ModifyPartitions>
</Disk>
</DiskConfiguration>
</component>
<component name="Microsoft-Windows-International-Core-WinPE"
publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
processorArchitecture="x86">
<SetupUILanguage>
<WillShowUI>OnError</WillShowUI>
<UILanguage>en-US</UILanguage>
</SetupUILanguage>
<UILanguage>de-de</UILanguage>
<SystemLocale>de-de</SystemLocale>
<UserLocale>de-de</UserLocale>
</component>
</settings>
</unattend>
79
Image Unattend Files for Windows Vista and
Windows Server 2008
Example 1: Unsecure domain join
This file sets the password for the computer to a dynamically generated and shared password,
and joins the computer to a domain without credentials. The password will be inserted into this
unattend file as the <MachinePassword> value in the <Identification> section. The attributes that
define this domain join method are <UnsecureJoin>true</UnsecureJoin> and the Microsoft-
Windows-Shell-Setup component. For more information about this method, see the “Ensuring
Security” section of Automating the Domain Join.
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="specialize">
language="neutral" versionScope="nonSxS"
xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Identification>
<UnsecureJoin>true</UnsecureJoin>
</Identification>
</component>
language="neutral" versionScope="nonSxS"
xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ProductKey>XXXX-XXXX-XXXX-XXXX-XXXX</ProductKey>
</component>
</settings>
</unattend>
80
Example 2: Secure domain join
This example uses the credentials specified in this file (user name, domain, and password) to
perform the domain join. The attributes that define this domain join method are
<UnsecureJoin>false</UnsecureJoin>, <Credentials>, and the Microsoft-Windows-Shell-Setup
component. During installation, Windows Deployment Services will retrieve the name of the
prestaged account from Active Directory Domain Services (AD DS) and replace the
%MACHINENAME% string with the actual computer name. For more information about this
method, see the “Ensuring Security” section of Automating the Domain Join.
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="specialize">
language="neutral" versionScope="nonSxS"
xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Identification>
<UnsecureJoin>false</UnsecureJoin>
<Credentials>
<Domain>Fabrikam.com</Domain>
<Password>Password1</Password>
<Username>MyUserName</Username>
</Identification>
</component>
language="neutral" versionScope="nonSxS"
xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ComputerName>%MACHINENAME%</ComputerName>
</component>
</settings>
</unattend>
81
variables using the proper values. For more information, see "Using Variables to Obtain
Information From the Client" in Advanced Unattended Installation Scenarios.
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="specialize">
language="neutral" versionScope="nonSxS"
xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Identification>
<Credentials>
<Domain>%USERDOMAIN%</Domain>
<Password>%USERPASSWORD%</Password>
<Username>%USERNAME%</Username>
</Credentials>
<JoinDomain>%MACHINEDOMAIN%</JoinDomain>
</Identification>
</component>
language="neutral" versionScope="nonSxS"
xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ComputerName>%MACHINENAME%</ComputerName>
</component>
</settings>
<settings pass="oobeSystem">
versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<UserAccounts>
<DomainAccounts>
<DomainAccountList wcm:action="add">
<Domain>%USERDOMAIN%</Domain>
82
<DomainAccount wcm:action="add">
<Group>Administrators</Group>
<Name>%USERNAME%</Name>
</DomainAccount>
</DomainAccountList>
</DomainAccounts>
</UserAccounts>
<RegisteredOrganization>%ORGNAME%</RegisteredOrganization>
</component>
</settings>
</unattend>
DoOldStyleDomainJoin=Yes
[Networking]
[UserData]
OrgName = "%ORGNAME%"
ComputerName = %MACHINENAME%
ProductKey= "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
[GuiUnattended]
TimeZone = %TIMEZONE%
83
[Networking]
[Identification]
JoinDomain = %MACHINEDOMAIN%
DoOldStyleDomainJoin = Yes
[GuiUnattended]
AutoLogon = Yes
AdminPassword = Password1!
OEMSkipRegional = 1
OemSkipWelcome = 1
TimeZone = %TIMEZONE%
[Identification]
JoinDomain = %MACHINEDOMAIN%
DoOldStyleDomainJoin = Yes
<settings pass="windowsPE">
84
<component name="Microsoft-Windows-Setup" publicKeyToken="31bf3856ad364e35"
language="neutral" versionScope="nonSxS" processorArchitecture="x86">
<WindowsDeploymentServices>
<Login>
<WillShowUI>OnError</WillShowUI>
<Credentials>
<Username>Administrator</Username>
<Domain>Fabrikam.com</Domain>
<Password>Password1</Password>
</Credentials>
</Login>
<ImageSelection>
<InstallImage>
<ImageName>Install Image</ImageName>
<ImageGroup>defaultx86</ImageGroup>
<Filename>install.wim</Filename>
</InstallImage>
<WillShowUI>OnError</WillShowUI>
<InstallTo>
<DiskID>0</DiskID>
<PartitionID>1</PartitionID>
</InstallTo>
</ImageSelection>
</WindowsDeploymentServices>
<DiskConfiguration>
<WillShowUI>OnError</WillShowUI>
<Disk>
<DiskID>0</DiskID>
<WillWipeDisk>false</WillWipeDisk>
<ModifyPartitions>
<ModifyPartition>
<Order>1</Order>
<PartitionID>1</PartitionID>
<Letter>C</Letter>
<Label>Vista</Label>
85
<Format>NTFS</Format>
<Active>true</Active>
<Extend>false</Extend>
</ModifyPartition>
</ModifyPartitions>
</Disk>
</DiskConfiguration>
</component>
<component name="Microsoft-Windows-International-Core-WinPE"
publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
processorArchitecture="x86">
<SetupUILanguage>
<WillShowUI>OnError</WillShowUI>
<UILanguage>en-US</UILanguage>
</SetupUILanguage>
<UILanguage>en-US</UILanguage>
</component>
</settings>
<settings pass="specialize">
<component name="Microsoft-Windows-UnattendedJoin"
publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
processorArchitecture="x86">
<Identification>
<UnsecureJoin>true</UnsecureJoin>
</Identification>
</component>
<ComputerName>computer1</ComputerName>
</component>
<component name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions"
publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
processorArchitecture="x86">
<SecurityLayer>2</SecurityLayer>
<UserAuthentication>2</UserAuthentication>
</component>
86
<component name="Microsoft-Windows-TerminalServices-LocalSessionManager"
publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
processorArchitecture="x86">
<fDenyTSConnections>false</fDenyTSConnections>
</component>
</settings>
<settings pass="oobeSystem">
<OOBE>
<HideEULAPage>true</HideEULAPage>
<NetworkLocation>Work</NetworkLocation>
<ProtectYourPC>1</ProtectYourPC>
<SkipMachineOOBE>true</SkipMachineOOBE>
<SkipUserOOBE>true</SkipUserOOBE>
</OOBE>
<Display>
<ColorDepth>32</ColorDepth>
<DPI>96</DPI>
<HorizontalResolution>1024</HorizontalResolution>
<RefreshRate>60</RefreshRate>
<VerticalResolution>768</VerticalResolution>
</Display>
<UserAccounts>
<LocalAccounts>
<LocalAccount>
<Password>
<Value>Password1</Value>
<PlainText>true</PlainText>
</Password>
<DisplayName>John Smith</DisplayName>
<Group>Administrators;Power Users</Group>
<Name>John</Name>
</LocalAccount>
87
</LocalAccounts>
<DomainAccounts>
<DomainAccountList>
<DomainAccount>
<Name>Administrator</Name>
<Group>Administrators;Power Users</Group>
</DomainAccount>
<Domain>Fabrikam.com</Domain>
</DomainAccountList>
</DomainAccounts>
</UserAccounts>
</component>
</settings>
</unattend>
[Capture]
Unattended=Yes
VolumeToCapture=C:
SystemRoot=windows
ImageName="WindowsVista"
DestinationFile=C:\Capture.wim
Overwrite=Yes
[ExclusionList]
88
$ntfs.log
hiberfil.sys
pagefile.sys
RECYCLER
winpepge.sys
%SYSTEMROOT%\CSC
[WDS]
UploadToWDSServer=Yes
WDSServerName=WDSServer
WDSImageGroup="ImageGroup1"
Username=Username
Domain=Domain
Password=Password1
DeleteLocalWimOnSuccess=No
Creating Images
This topic contains information about the images that you use with Windows Deployment
Services.
In This Topic
• Image Types
• Boot Images
• Discover Images
• Capture Images
• Converting RIPREP Images
89
Note
To download the Windows Deployment Services documentation (including a getting
started guide, deployment guide, and WDSUTIL command-line syntax), see
http://go.microsoft.com/fwlink/?LinkId=89381.
Image Types
Windows Deployment Services uses two basic image types, both of which use the Windows
Image (.wim) file format:
• Install image: The operating system image that you deploy to the client computer.
• Boot image: The Microsoft Windows Preinstallation Environment (Windows PE) image
that you boot a client into before you install the install image. To install an operating system,
you first boot the computer into the boot image, and then you select the install image to
install. You can also create two additional types of boot images:
• Capture image: A type of boot image that you boot a client computer into to capture
the operating system as a .wim file. You must first create a capture image when you are
creating custom install images.
• Discover image: A type of boot image that you can use to install an operating
system on a computer that is not Pre-Boot Execution Environment (PXE) enabled. When
you boot a computer into a discover image, the Windows Deployment Services client will
locate a valid Windows Deployment Services server, and then you can choose the install
image you want to install.
Boot Images
These images contain Windows PE and the Windows Deployment Services client, which is
Windows Vista Setup.exe with some additional functionality needed for network deployments. In
most cases, you should use the standard boot image that is included on the Windows
Server 2008 media (located at \Sources\boot.wim) without modification. Do not use the Boot.wim
from the Windows Vista media unless your version of Windows Vista has SP1 integrated into the
DVD. If you use the Boot.wim from the version of Windows Vista that does not contain SP1,
multicasting will not work correctly.
90
2. Mount the boot image that is RAMDISK-bootable in the Boot.wim file (Boot.wim contains
two Windows PE images, and the bootable image is the second image).
3. Copy all of the Setup.exe files from the \Sources folder in the mounted image to the
\Sources folder in the custom boot image.
In addition, you must ensure that the Windows Deployment Services client is started by
Windows PE. To ensure that this occurs, create an entry in the WinPESHL.ini file to start
Setup.exe in Windows Deployment Services mode. For more information, see “When Setup Is
Started in Windows Deployment Services Mode” in How the Windows Deployment Services
Client Works (http://go.microsoft.com/fwlink/?LinkID=147067). For more information about editing
WinPESHL.ini, see Include a Custom Script in a Windows PE Image
(http://go.microsoft.com/fwlink/?LinkId=120692). For information about managing and modifying
the boot menu, see Managing the Boot Menu.
Versions of Windows PE
When creating custom boot images, the version of Windows PE that you use must match or be
newer than the install image. For example, you can use Windows PE 2.1 to deploy install images
of all versions of Windows (including Windows Vista with SP1, Windows Server 2008, and all
earlier versions of Windows). You cannot, however, use Windows PE 2.0 to deploy
Windows Vista with SP1 or Windows Server 2008.
If you are deploying Windows Server 2003 and your boot image does not contain the Windows
Deployment Services client (for example, if you are booting a Windows PE 2005 boot image into
the command prompt instead of into the user interface screens of the Windows Deployment
Services client), we recommend that you use the latest version of Windows PE. You can use
Windows PE 2004, Windows PE 2005, Windows PE 2.0, or Windows PE 2.1, although the
following caveats apply:
• If you are applying a .wim image of Windows Server 2003 using ImageX, you can use
either the x86 or x64 version of Windows PE.
• In the past, if you were running Winnt32.exe for Setup.exe, you could only use x64
versions of Windows PE, but that has changed. For details, see Knowledge Base article
931761 (http://go.microsoft.com/fwlink/?LinkID=110354).
• If you are using Windows PE 2.0, you might run into the issue documented at
http://go.microsoft.com/fwlink/?LinkID=110354. In this scenario, run the command
Bootsect.exe /nt52 c: to set up the correct NTFS file system boot sector.
Discover Images
Discover images are generally used in scenarios where the client cannot perform a PXE boot.
These images enable a computer to locate a Windows Deployment Services server and use it to
install an image. To create a discover image, right-click a boot image in the MMC snap-in, and
then click Create discover boot image. In most cases, you should use the Boot.wim file included
on the Windows Server 2008 DVD to create your image. For instructions, see the Windows
91
Deployment Services Getting Started Guide.When you create a discover images, you configure
one of the following:
• Static discovery. Static discovery is when you specify the server that the computer
should use. Static discovery works well in data center environments or branch offices where
DHCP may not be available. One major disadvantage of static discovery is that it introduces a
single point of failure. For example, if the server that is specified is unavailable, the Windows
Deployment Services client will not work, and there is no way to have the client try a different
server. Another flaw is that static discovery does not allow for load balancing, because all
clients using a particular boot image would use the specified server. You can specify the
server when you create the discover image.
• Dynamic discovery. If you do not specify the server to use when you create a discover
image, the Windows Deployment Services client will emulate a PXE request from within
Windows PE. Based on the responses to that PXE request, the client can locate a valid
server and continue the installation process.
or
[LaunchApps]
See the following table for more information about these options.
4. Capture the modified image into a new .wim file.
5. Update the image metadata to reflect any changes to the image name or description.
There are two command-line options for Setup.exe that control the discovery behavior of the
Windows Deployment Services client. These options are described in the following table.
92
Option Description
/WDSDiscover (Default) Specifies that the Windows Deployment Services client should
be in discover mode. If you do not specify /WDSServer with this option,
Windows Deployment Services will search for a server. For example, to
start the Windows Deployment Services client in this dynamic discover
mode, run the command \sources\setup.exe /wds /WDSDiscover.
/ Specifies the name of the Windows Deployment Services server that the
WDSServer:<Server client should connect to. Note that <ServerName> can be an IP address,
Name> a NetBIOS name, or a fully qualified domain name (FQDN). You must also
specify /WDSDiscover. For example, to start the Windows Deployment
Services client in this static discover mode, run the command
\sources\setup.exe /wds /WDSDiscover /WDSServer:MyWDSServer.
Capture Images
Capture images are boot images that contain Windows PE and the Windows Deployment
Services Image Capture Wizard. When you boot a computer (that has been prepared with
Sysprep) into a capture image, the wizard creates an install image of the computer and saves it
as a .wim file. Then you can upload the image to the Windows Deployment Services server or
copy them to bootable media (CD, DVD, USB drive, and so on). You create capture images from
existing boot images — most commonly, the Boot.wim file from the installation media. For
instructions on creating these images, see the Windows Deployment Services Getting Started
Guide. For information about automating the wizard, see Automating the Image Capture Wizard.
Regardless of which tool you use (capture images or ImageX), the high-level process for
capturing images remains essentially the same:
1. Install Windows on a reference computer.
2. Perform customizations and install software.
3. Run the correct version of Sysprep for the reference computer's operating system.
4. Reboot into Windows PE.
5. Capture the offline Sysprep image into .wim format.
6. Upload the image to the Windows Deployment Services server’s image store.
93
Functionality Image Capture ImageX
Wizard
%SYSTEMROOT%\system32\wdscapture.exe
94
Default Conversion
To convert your files, right-click the RIPREP image you want to convert in the Legacy Images
node, and then click Convert to WIM. The default conversion process copies the updated version
of a file to another location. There were two main factors that influenced this design decision:
• The original image remains unmodified, in case the conversion process fails or you want
to continue to use the original RIPREP image after the conversion process is run.
• In RIS, you could associate multiple unattended setup installation files (.sif) with a
particular image. If an image is so configured, a conversion process that is run for one .sif file
would alter the backing files used by the other .sif file.
The conversion process requires at least twice as much free disk space as the size of the image.
This space is needed for a copy of the RIPREP image placed in the %TEMP% folder and the
.wim file that was created by using the contents of the converted image in the %TEMP% folder.
Note that the data in the %TEMP% folder can be removed only after the new image has been
captured.
In-Place Conversion
You can force an in-place conversion of a RIPREP image, which will save time and the amount of
disk space that you use during the conversion process. You can do this by using the /InPlace
option with the WDSUTIL /Convert-RiprepImage command. It is common for multiple variations
of a single RIPREP image (differing only by HAL type) to exist on a server. You can save time
during the conversion process by using the /Overwrite:Append option of the WDSUTIL
/Convert-RiprepImage command to take advantage of single-instancing technology within the
.wim format. For instructions, see the "Install Images" section in How to Manage Images.
The append operation is much faster than a traditional capture because it does not need to
compress and insert files that already exist in the .wim file. Files that are identical between
images and that already exist within the .wim file will simply have their reference count
incremented to indicate that the single file belongs to multiple images within the .wim file. The
general conversion process entails first converting the first RIPREP image in the set by creating a
new .wim file, and then converting the remaining RIPREP images (for the other HAL types) by
appending them to the .wim file you created previously.
95
Although Windows Deployment Services provides full functionality for applying images for
Windows Vista, note the following limitations when deploying the images of earlier Windows
operating systems:
• Sysprep must be applied to the first primary partition: Earlier operating system
images that have been prepared with Sysprep must be applied to the first primary partition
(for example, C:\). Applying these images to other partitions is not supported.
• The HAL must match: Earlier operating system images are hardware abstraction layer
(HAL)-specific, meaning that they can be applied only to computers that have a matching
HAL type. Therefore, Windows Deployment Services detects the local computer's HAL type
and filters out images that are earlier than Windows Vista and that are not of that same HAL
type. For example, if there are two images on the Windows Deployment Services server that
the client has permissions to (one ACPI and the other APIC) and the client computer is ACPI,
only the ACPI image will be available. This is true in both attended and unattended
installation scenarios. Note that the HAL type of an image is stored in the .wim image
metadata: <HAL>acpiapic</HAL>
• External language packs do not apply: When you are applying these images, the
concept of external language packs does not apply. The language selection drop-down list on
the image selection page will not let you select an additional language. Additionally, if you
specify a language, locale, and keyboard layout in the Windows Deployment Services client
user interface (or if you using an unattend file) the settings you specified will not be used in
the image that gets applied. This is because Windows Deployment Services does not support
modifications to offline images older than Windows Vista that would be necessary for this
functionality.
• You cannot apply a driver to an offline image (by using the F6 key or load driver
functionality) . The API set you use to perform offline driver injection is supported only for
Windows Vista images.
• The Boot.ini file must exist in the image: Rather than Setup generating a Boot.ini file
when deploying an operating system earlier than Windows Vista, Boot.ini must already exist
in the image. This is currently the default behavior of most image-based deployments,
including those involving ImageX.
96
Filtering Images
You can restrict which install images are shown to users. These restrictions can be policy-based
or enforced by the computer.
97
Servicing Images
In This Topic
• Types of Servicing
• Servicing an Image Offline
• Reducing the Size of Images
Types of Servicing
Servicing images means updating an image that is currently available to users — for example,
adding an update to your existing image. There are two types of image servicing:
• Offline. In the context of updating images, the term "offline" refers to updating or applying
changes to an operating system image that is not currently running. For example, you might
update a .wim file with security updates by using ImageX, while it sits in a folder structure or
another partition.
• Online. In the context of updating images, the term "online" refers to updating or applying
changes to an operating system that the computer is booted into. For example, installing an
update by using Windows Update is an online operation.
Windows Vista supports offline servicing of images that have been prepared with Sysprep,
whereas earlier versions of Windows do not. You can service an image offline with Package
Manager or on a running Windows operating system with OCSetup, Package Manager, or the
Windows Update Standalone Installer. Package Manager works only with operating system
packages (hotfixes, updates, drivers, service packs, and language packs). All of these are
command-line tools can install and uninstall packages. Service packs and other updates that are
delivered as .msu files must be installed online on a running Windows installation with the
Windows Update Standalone Installer. For more information, see Servicing an Image
(http://go.microsoft.com/fwlink/?LinkId=122507).
98
3. Service the image. In this step, you update the image using the tools in the Windows
AIK. For example, you can mount the image to a folder by using ImageX, and then add the
files and folders to the image. You can also load the registry hive to add, delete, or modify
registry keys. If the image is a boot image, you can use PEimg.exe to add drivers to the
image. After all your changes are complete, use ImageX to commit the changes to the .wim.
For more information, see the following topics:
• Phase 5: Image Maintenance (http://go.microsoft.com/fwlink/?LinkId=120703)
• Package Manager Technical Reference (http://go.microsoft.com/fwlink/?
LinkId=120704)
• Add Device Drivers to an Offline Windows Image (http://go.microsoft.com/fwlink/?
LinkId=120705)
• Install a Language Pack to an Offline Image (http://go.microsoft.com/fwlink/?
LinkID=120685)
4. Replace the current image with the updated version. In this step, you add the
updated image back to the Windows Deployment Services server. If the previous image is still
in use, you have two options:
• Wait for existing installations to complete, delete the old copy, and then replace it with
the new. To do this, right-click the image and click Replace. We recommend this method
because any associated external data such as language packs, unattend files, or $OEM$
folder contents will remain associated with the image.
• Add the updated image as a new, separate image. You must also copy or associate
any external data such as language packs, unattend files, or $OEM$ folder contents.
Sometimes it may be more efficient to redeploy and recapture an image to add applications,
rather than servicing the image offline.
99
Storing and Replicating Images Using DFS
This section outlines the tools and topology configurations associated with the Distributed File
System (DFS) role service in the File Services server role of Windows Server 2008. You may
have to update your Active Directory Domain Services (AD DS) schema to use DFS to manage
multiple Windows Deployment Services servers. Any issues pertaining to AD DS, updates to an
AD DS schema, and AD DS maintenance and best practices are outside the scope of this
document. For more information about DFS, see:
• Distributed File Systems Step-By-Step Guide (http://go.microsoft.com/fwlink/?
LinkId=111021)
• Distributed File System (http://go.microsoft.com/fwlink/?LinkId=108012)
Note
You cannot redirect the boot directory (that is, \\<server>\reminst\boot) using DFS. If you
do, Windows Deployment Services will not start.
100
6. Add images to the Windows Deployment Services server.
7. Verify that the content appears when you connect to
\\MyServerOrDomain\MyNamespace\ImageGroup.
8. Repeat this procedure for additional image groups.
Replicating Images
DFS Replication is a server technology that you can use to replicate images between Windows
Deployment Services servers. DFS Replication can decrease the total cost of ownership by
making it possible for you to manage images from a single server in the environment. Changes
can then be propagated to other servers without requiring interaction. A best practice is to create
a single, master Windows Deployment Services server that clients do not connect to. Make all
modifications to images on this server by using the Windows Deployment Services management
tools and the image maintenance tools included in the Windows AIK. Next, replicate changes
from this server to other servers in the topology. To prevent replication conflicts, avoid modifying
or servicing the same image from multiple servers at the same time.
For more information, see Distributed File System Replication: Frequently Asked Questions
(http://go.microsoft.com/fwlink/?LinkId=111023).
Option Explanation
/BcdRefreshPolicy Causes the server to regenerate BCD stores in the \Tmp folder for all boot
images.
/RefreshPeriod Determines how often the boot images are regenerated. This value is
required so that any changes that you make to your boot images on the
master server are reflected in the boot menus that clients receive from
remote servers. If you do not make changes to boot images very often, it is
okay to have a larger value. If you make changes to boot images often or if
you want changes to propagate quickly, set this to a lower value. However,
101
Option Explanation
be careful when setting a low value. BCD generation causes CPU and disk
overhead on the Windows Deployment Services server. Configuring a small
value can cause performance problems on the server. A good default value is
30 minutes.
How to Manage Images • View information about images and image groups
• Create images
• Add, copy, export, remove, update images from the
image store
• Set attributes and associate unattend files for install
images.
• Convert RIPREP images
• Add and remove image groups
• Set attributes of an image group
How to Modify the BCD Store • To view the contents of the BCD store
102
Category Example tasks
Note
To download the Windows Deployment Services documentation (including a getting
started guide, deployment guide, and WDSUTIL command-line syntax), see
http://go.microsoft.com/fwlink/?LinkId=89381.
Note
Help for WDSUTIL is available by typing WDSUTIL /? at a command prompt or online at
http://go.microsoft.com/fwlink/?LinkId=112194.
Type Procedure
103
Type Procedure
Client Boot • To choose which boot images are displayed on x64-based computers
Settings • To choose the default network boot program for each architecture
• To choose the default network boot program that does not require F12
for each architecture
• To choose the default boot image for each architecture
Unattend File • To choose a default unattend file for the Windows Deployment Services
client
• To specify whether an unattend file on the client computer overrides the
default unattend file
General Tasks
To configure Windows Deployment Services
104
Using the MMC Using WDSUTIL
Deployment Services snap-in, right-click where <path> is the path where you would
the server and then click Configure like the RemoteInstall folder to be located.
Server.
4. Follow the instructions in the wizard.
1. Right-click the server, and then click All 1. Click Start, right-click Command
Tasks. Prompt, and click Run as administrator.
2. Click Stop Server or Start Server. 2. Run WDSUTIL /Start-Server or
WDSUTIL /Stop-Server.
105
Using the MMC Using WDSUTIL
106
Note
If this remote procedure call (RPC) port is changed from the default value, you must add
a firewall exception for the new RPC port.
• To bind to all interfaces other than those on the list, run WDSUTIL
/Set-Server /BindPolicy /Policy:Exclude.
107
Using the MMC Using WDSUTIL
1. Right-click the server, and then click 1. Click Start, right-click Command
Properties. Prompt, and click Run as administrator.
2. On the Network Settings tab under 2. Run WDSUTIL /Set-Server
Network Profile, select the option that [/Server:<name>] /Transport /Profile:
specifies the network speed of your {10Mbps|100Mbps|1Gbps|Custom}.
organization.
Select Custom if you want to customize the settings yourself by editing the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\Multi
cast\Profiles\Custom
Important
You should not modify the other profiles that are provided. Instead, you should create a
custom profile even if you want to change only one setting.
108
DHCP
To configure Windows Deployment Services to run on the same
computer as Microsoft DHCP
1. Right-click the server, and then click 1. Click Start, right-click Command
Properties. Prompt, and click Run as administrator.
2. On the DHCP tab, select Do not listen 2. Run WDSUTIL /Set-Server
on port 67 and Configure DHCP Option /UseDHCPPorts:No /DHCPOption60:Yes.
#60 Tag to PXEClient.
1. Right-click the server, and then click 1. Click Start, right-click Command
Properties. Prompt, and click Run as administrator.
2. On the DHCP tab, select Do not listen 2. Run WDSUTIL /Set-Server
on port 67. /UseDHCPPorts:No.
3. Use your DHCP server tools to set the 3. Use your DHCP server tools to set the
option 60 tag to PXEClient. option 60 tag to PXEClient.
109
Using the MMC Using WDSUTIL
1. Ensure that you are a domain administrator 1. Ensure that you are a domain
in the root domain of the forest or an enterprise administrator in the root domain of the
administrator. For information about delegating forest or an enterprise administrator. For
permissions, see “Authorizing a Server” in the information about delegating permissions,
Configuring DHCP topic. see “Authorizing a Server” in the
2. Right-click the server, and then click Configuring DHCP topic.
Properties. 2. Click Start, right-click Command
3. On the Advanced tab, select Authorize Prompt, and click Run as administrator.
the Windows Deployment Server in DHCP. 3. Run WDSUTIL /Set-Server
/Authorize:Yes.
The preceding procedure creates an entry for DHCP authorization under the CN-NetServices,
CN=Services, CN=Configuration, DC=Domain, DC=com object in AD DS.
Client Requests
To configure the server to answer clients
110
Using the MMC Using WDSUTIL
1. Right-click the server, and then click 1. Click Start, right-click Command
Properties. Prompt, and click Run as
2. On the PXE Response Settings tab, do administrator.
one of the following: 2. Do one of the following:
• To respond to all client PXE requests, • To respond to all clients’ PXE
select Respond to all (known and requests, run WDSUTIL /Set-
unknown) client computers. Server /AnswerClients:All.
select Do not respond to any client • To not answer any clients’ PXE
computer. Note that this option will only requests, run WDSUTIL /Set-
work if Windows Deployment Services and Server /AnswerClients:None.
DHCP are running on different servers.
This is because although Windows
Deployment Services will not respond,
DHCP will. You can try to work around this
issue by disabling DHCP Option 60 on the
DHCP tab.
111
Using the MMC Using WDSUTIL
1. Right-click the server, and then click 1. Click Start, right-click Command
Properties. Prompt, and click Run as administrator.
2. On the PXE Response Settings tab, 2. Run WDSUTIL /Set-Server
set the PXE Response delay in the control. /ResponseDelay:X, where X is the amount of
time (in seconds) you want the server to
wait before responding to clients.
1. Right-click the server, and then click 1. Click Start, right-click Command
Properties. Prompt, and click Run as administrator.
2. On the Boot tab, insert the path to the 2. Run WDSUTIL /Set-Server
boot file you want to use for each /BootProgram:<path> /Architecture:{x86|
architecture. For a list of network boot x64|ia64},
where <path> is relative to the
programs, see Managing Network Boot RemoteInstall folder.
Programs.
113
To choose the default network boot program that does not
require F12 for each architecture
1. Right-click the server, and then click Properties. 1. Click Start, right-click
2. On the Boot tab, insert the path to the boot image you Command Prompt, and
want to use for each architecture. In most cases, you should click Run as
use the standard boot image that is included on the administrator.
Windows Server 2008 media (located at \Sources\boot.wim) 2. Run WDSUTIL /Set-
without modification. Do not use the Boot.wim from the Server
Windows Vista media unless your version of Windows Vista /BootImage:<path>
has SP1 integrated into the DVD. /Architecture:{x86|x64|
ia64}, where <path> is
relative to the
RemoteInstall folder.
114
Using the MMC Using WDSUTIL
1. Right-click the server, and then click 1. Click Start, right-click Command
Properties. Prompt, and click Run as administrator.
2. On the Advanced tab, click Let 2. Run WDSUTIL /Set-Server
Windows Deployment Services use only /PreferredDC:<name>,where <name> is a
the specified servers, and then enter the NetBIOS name or fully qualified domain
domain controller name. name (FQDN).
1. Right-click the server, and then click 1. Click Start, right-click Command
Properties. Prompt, and click Run as administrator.
2. On the Advanced tab, click Let 2. Run WDSUTIL /Set-Server
Windows Deployment Services use only /PreferredGC:<name>,
where <name> is a
the specified servers and then enter the NetBIOS name or FQDN.
Domain controller name.
115
In the preceding procedure:
• DCFirst sets
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\
WDSPXE\Providers\BINLSVC\ADSearchOrder to 1
• GCOnly sets it to 0.
Note
The GUID string should be specified without brackets or dashes
(as seen during a PXE boot).
116
Using the MMC Using WDSUTIL
1. Right-click the server, and then click 1. Click Start, right-click Command
Properties. Prompt, and click Run as administrator.
2. On the Directory Services tab, enter 2. Run WDSUTIL /Set-Server
the naming policy string in the indicated /NewMachineNamingPolicy:<Policy> where
field (see below for details). <policy> is the naming policy string (see
below for details).
117
Using the MMC Using WDSUTIL
1. Right-click the 1. Click Start, right-click Command Prompt, and click Run
server, and then click as administrator.
Properties. 2. Do one of the following:
2. On the Directory • To create new accounts in the default computer OU in
Services tab, click the domain the Windows Deployment Services server is in,
Default Directory run WDSUTIL /Set-Server /NewMachineOU
Service location or /Type:ServerDomain.
specify the domain and
• To create new accounts in the default computer OU in
organizational unit (OU)
the domain the specified user account is in, run WDSUTIL
/Set-Server /NewMachineOU /Type:UserDomain.
1. Right-click the server, and then click 1. Click Start, right-click Command
Properties. Prompt, and click Run as administrator.
2. On the Client tab, clear the Do not 2. To join new computers to the domain,
create account in Active Directory after run WDSUTIL /Set-Server
running the WDS Client check box to join /NewMachineDomainJoin:Yes.
computers to the domain.
118
Unattend File
To choose a default unattend file for the Windows Deployment
Services client
1. Right-click the server, and then click 1. Click Start, right-click Command
Properties. Prompt, and click Run as administrator.
2. On the Client tab, select the Enable 2. To turn on unattended installation and
client unattend check box and then specify the unattend file, run WDSUTIL /Set-
choose an unattend file for the relevant Server /WDSUnattend /Policy:Enabled
architecture. /File:<path> /Architecture:{x86|x64|
ia64}.
• To force the unattend file sent from the server to be used for the
Windows Deployment Services client, run WDSUTIL /Set-server
/WDSUnattend /CommandLinePrecedence:No.
119
How to Manage Client Computers
This topic contains procedures for the tasks that are listed and described in the following table.
Help for WDSUTIL is available by typing WDSUTIL /? at a command prompt or online at
http://go.microsoft.com/fwlink/?LinkId=112194.
Type Procedure
Specify • To change the rate at which pending computers will poll the server
Settings for • To change the number of times pending computers will poll the server
Pending
• To change the message displayed to pending computers
Computers
• To set a default network boot server for pending computers
• To set a default network boot program for pending computers
• To set a default unattend file for pending computers
• To set a default boot image for pending computers
• To set domain join options for pending computers
Approve and • To view the table of computers that are pending approval
Reject • To approve a pending computer by using the default settings
Pending
• To approve all pending computers by using the default settings
Computers
• To approve a pending computer, but change a setting
• To approve all pending computers, but change a setting
• To reject a pending computer
120
Prestage Computers
To prestage a client computer
Using the Active Directory Users and Computers snap-in Using WDSUTIL
1. On the server running Active Directory Users 1. Click Start, right-click Command
and Computers, open the Active Directory Users Prompt, and click Run as
and Computers MMC snap-in (click Start, click administrator.
Run, type dsa.msc, and then click OK). 2. Run WDSUTIL /Add-Device
121
The command in the preceding procedure creates a computer account object in Active Directory
Domain Services (AD DS) for the specified computer, with the netbootGUID attribute set to the
specified ID.
The preceding procedure appends the specified path to the referral server as part of the
netbootMachineFilePath attribute on the computer.
122
Using the MMC Using WDSUTIL
123
The preceding procedure sets the JoinDomain variable in the netbootMirrorDataFile AD DS
attribute on the client’s computer account object to 1. It also grants the specified user rights on
the computer object.
Note
To specify that the client is in a domain other than the local one,
specify /Domain:<domain> with either of these commands.
Note
To search the entire AD DS forest, specify /Forest:Yes with
either of these commands.
The preceding procedure displays the requested information from the folder.
1. Right-click the server, and then click Properties. 1. Click Start, right-click
2. On the PXE Response settings tab, click Command Prompt, and click
Respond to all (known and unknown) client Run as administrator.
computers. 2. Run WDSUTIL /Set-Server
124
The preceding procedure sets
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers
\BINLSVC\AutoApprove\Policy to 1.
125
The preceding procedure deletes the contents of the approved or rejected table in the Auto-Add
database.
126
This procedure sets
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers
\BINLSVC\AutoApprove\PollMessage to the specified message.
127
The preceding procedure sets
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers
\BINLSVC\AutoApprove\<architecture>\WdsUnattendFilePath to the specified path.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Provid
ers\BINLSVC\AutoApprove\<architecture>\JoinRights to 0 if Join Only and 1 if Full
•
128
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Provid
ers\BINLSVC\AutoApprove\<architecture>\JoinDomain to 1.
The preceding procedure displays the Auto-Add devices table from the Binlsvcdb.mdb file.
The preceding procedure approves the computer. For more information, see Prestaging Client
Computers.
The preceding procedure approves the computers. For more information, see Prestaging Client
Computers.
129
To approve a pending computer, but change a setting
1. Select the 1. Click Start, right-click Command Prompt, and click Run as
Pending Devices administrator.
node. 2. Run WDSUTIL /Approve-AutoAddDevices /RequestID:<ID> with
2. Select the the ID obtained from the Auto-Add database
computer you want In addition, you can append this command with the following options:
to approve.
• To change the name, specify /MachineName:<name>
3. On the Action
• To change the organizational unit (OU) where the account will
menu, click Name
be created, specify /OU:<name of OU>.
and Approve.
• To change the user account for the domain join, specify
4. In the dialog
/User:<name> where the name is domain\user or user@domain.
box, type the name
• To enable the user to join this computer to the domain only
you want to give
once, specify /JoinRights:JoinOnly.
the computer.
• To enable the user to join this computer to the domain at any
time, specify /JoinRights:Full.
• To join this computer to the domain, specify /JoinDomain:Yes.
• To direct the computer to install from a different Windows
Deployment Services server, specify /ReferralServer:<server
name>.
The preceding procedure approves the computer, with the configured settings. For more
information, see Prestaging Client Computers.
130
Using the MMC Using WDSUTIL
In addition, you can append this command with the following options:
• To change the OU where the accounts will be created, specify
/OU:<name of OU>.
The preceding procedure approves the computers with the configured settings. For more
information, see Prestaging Client Computers.
1. Select the 1. Click Start, right-click Command Prompt, and click Run as
Pending Devices administrator.
node. 2. Do one of the following:
2. Right-click the • To reject a single computer, run WDSUTIL /Reject-
computer, and then AutoAddDevices /RequestID:<ID> with the ID obtained from the
click Reject or Auto-Add database.
Reject All.
• To reject all computers, run WDSUTIL /Reject-
AutoAddDevices /RequestID:All.
The preceding procedure sets the Status field for the computer to 2 (rejected) in the table of
pending computers, and it sends the Abortpxe.com file to the computer.
131
How to Manage Images
This topic contains procedures for the tasks that are listed and described in the following table.
Note
Help for WDSUTIL is available by typing WDSUTIL /? at a command prompt or online at
http://go.microsoft.com/fwlink/?LinkId=112194.
Type Procedure
General Tasks • To export an image from the server to a stand-alone .wim file
• To replace an image on the server with an updated version
• To remove an image
General Tasks
To export an image from the server to a stand-alone .wim file
132
Using the MMC Using WDSUTIL
1. Right-click a boot 1. Click Start, right-click Command Prompt, and click Run as
or install image, and administrator.
then click Export 2. Do one of the following:
Image.
• For a boot image, run WDSUTIL /Verbose /Progress
2. In the dialog box, /Export-Image /Image:<name> /ImageType:Boot
choose a file name to /Architecture:{x86|x64|ia64} /DestinationImage
export the image to. /Filepath:<path and file name>.
133
Using the MMC Using WDSUTIL
1. Right-click a boot 1. Click Start, right-click Command Prompt, and click Run as
or install image, and administrator.
then click Replace 2. Do one of the following:
Image.
• To replace a boot image, run WDSUTIL /Verbose /Progress
2. Browse to the /Replace-Image /Image:<name> /ImageType:Boot
updated version. /Architecture:{x86|x64|ia64} /ReplacementImage
3. Click through the /ImageFile:<path>.
rest of the wizard. • To replace an install image, run WDSUTIL /Verbose
/Progress /Replace-Image /Image:<name> /ImageType:Install
/ImageGroup:<image group name> /ReplacementImage
/ImageFile:<path>.
The preceding procedure adds the new image to the image store and removes the old one.
To remove an image
The preceding procedure deletes the .wim image file from the image store.
Note
If you specify /SourceImage, data folders associated with the original image (for example,
folders that contains unattend files or language packs) will be kept intact and will be
associated with the replacement image.
Boot Images
To add a boot image to the server
134
Using the MMC Using WDSUTIL
1. Right-click the Boot Images node, and then click Add 1. Click Start, right-click
Boot Image. Command Prompt, and
2. Enter the path to the boot image or browse to the image click Run as
file, and then click Next. In most cases, you should use the administrator.
standard boot image that is included on the Windows 2. Run WDSUTIL
Server 2008 media (located at \Sources\boot.wim) without /Verbose /Progress
modification. Do not use the Boot.wim from the /Add-Image
Windows Vista media unless your version of Windows Vista /ImageFile:<path>
has SP1 integrated into the DVD. /ImageType:Boot, where
3. Enter an image name and description, and then click the path is a full path to
Next. the image file.
4. Review the choices, and then click Next.
1. Right-click a boot 1. Click Start, right-click Command Prompt, and click Run as
image, and then click administrator.
Disable to take the 2. Do one of the following:
image offline.
• To take the image offline, run WDSUTIL /Set-Image
2. Right-click the /Image:<name> /ImageType:Boot /Architecture:<arch>
image, and then click /Enabled:No.
Properties.
• To change the name and description, run WDSUTIL /Set-
3. Enter the name Image /Image:<name> /ImageType:Boot
and description. /Architecture:<arch> /Name:<name>
/Description:<description>.
The preceding procedure displays the file name, image name, description, architecture, image
type, size, creation and modify dates, default languages, operating system version, service pack
level, and online and offline status of the image.
Install Images
To add an install image
1. Right-click the 1. Click Start, right-click Command Prompt, and click Run as
image group, and then administrator.
click Add Install 2. To create an image group, run WDSUTIL /Add-ImageGroup
Image. /ImageGroup:<image group name>.
2. Select an image 3. Run WDSUTIL /Verbose /Progress /Add-Image
group. /ImageFile:<path to .wim file> /ImageType:Install.
3. Select the file to If more than one image group exists on the server, append
add. /ImageGroup:<image group name> to specify which group the
4. Proceed through image should be added to.
the rest of the wizard. To skip the integrity check before adding the image, append
/SkipVerify.
The preceding procedure runs an integrity check on the specified image file, creates a metadata-
only .wim file in the image group folder, and adds the resources in the image file to the
Resource .wim (res.rwm) file for the image group.
137
Using the MMC Using WDSUTIL
The preceding procedure changes image metadata or file access control lists (ACLs) on the
image file to store the attributes. If you specify an unattend file, this procedure also copies it into
the image store. Note that taking an image offline makes the file hidden.
1. Right-click the 1. Click Start, right-click Command Prompt, and click Run as
image. administrator.
2. Click Properties. 2. Run WDSUTIL /Get-Image /Image:<name>
/ImageType:Install /ImageGroup:<image group name>.
The preceding procedure displays the file name, image name, description, architecture, image
type, image group, size, HAL type, creation and modification time, languages, operating system
version, ACLs, unattend file (if assigned), and the online or offline status of the image.
138
Using the MMC Using WDSUTIL
1. Click the 1. Click Start, right-click Command Prompt, and click Run as
Legacy Images administrator.
node. 2. Run WDSUTIL /Verbose /Progress /Convert-RiPrepImage
2. Right-click the /FilePath:<path to RIPREP image sif file> /DestinationImage
RIPREP image /FilePath:<path and name of .wim image>. In addition, you can
you want to specify the following:
convert, and then • To give the new .wim image a name in the metadata,
click Convert to append /Name:<name>.
WIM.
• To give the new .wim image a description in the metadata,
3. Enter the append /Description:<description>.
name, description,
• To convert the original RIPREP image, rather than a copy,
path, and file
append /InPlace.
name, and then
• To determine behavior when the image file specified in
click Next.
/DestinationImage already exists, append /Overwrite:{Yes|No|
Append}. Yes will overwrite the .wim file, No will cause an error,
and Append will append the new image to the existing .wim file.
The preceding procedure creates a copy of the metadata .wim file that corresponds to the
selected image, and it sets the image name and file name (and description, if specified) to the
values you specify.
Image Groups
To remove an image group
139
Using the MMC Using WDSUTIL
1. Right-click image 1. Click Start, right-click Command Prompt, and click Run
group. as administrator.
2. Click Delete. 2. Run WDSUTIL /Remove-ImageGroup /ImageGroup:<image
group name>.
This procedure deletes the image group folder and all of its contents from the image store. For
install images, if an associated data folder exists (the folder that contains unattend files or
language packs), it will be removed as well.
The preceding procedure creates a folder in the image store with the specified name.
Note
Changing the name renames the image group folder in the image store, and changing
the security sets ACLs on the folder and its contents.
140
To display information about all images in an image group
1. Select an image group. 1. Click Start, right-click Command Prompt, and click
2. View the images in the Run as administrator.
right pane. 2. Run WDSUTIL /Get-ImageGroup /ImageGroup:<image
group name>. To display the full image metadata on each
image in the group, append /Detailed.
In This Topic
• When to Implement Multicasting
• Prerequisites for Creating a Multicast Transmission
• Known Issues in Creating a Multicast Transmission
• Transmission Types
• To create a multicast transmission with Deployment Server
• To manage transmissions
• To manage clients in a transmission
• To configure the UDP port range for multicast
• To configure how the server will obtain IP addresses for multicast transmissions
Note
Help for WDSUTIL is available by typing WDSUTIL /? at a command prompt or
online at http://go.microsoft.com/fwlink/?LinkId=112194.
For information about using Transport Server to create a namespace, see Using Transport
Server.
141
Consider implementing multicasting if your Multicasting might not optimize your installations
organization: if your organization:
• Has network routers that support • Has network routers that do not support
multicasting. multicasting.
• Is a large company that requires many • Does not have bandwidth overload
concurrent client installations. problems.
• Wants to use network bandwidth • Deploys images to only a small number
efficiently. This is because with this feature, of client computers simultaneously.
images are sent over the network only • Has disk space limitations on the client
once, and you can specify limitations (for computers. (This is because the image is
example, to only use 10 percent of your downloaded to client computers instead of
bandwidth). being installed from a server.)
• Has enough disk space on client
computers for the image to be downloaded.
• Meets the requirements listed in the
following section.
Transmission Types
There are two types of multicast transmissions. Note that content is transferred over the network
only if clients request data. If no clients are connected (that is, the transmission is idle), data will
not be sent over the network.
• Auto-Cast. This option indicates that as soon as an applicable client requests an install
image, a multicast transmission of the selected image begins. Then, as other clients request
the same image, they too are joined to the transmission that is already started.
• Scheduled-Cast. This option sets the start criteria for the transmission based on the
number of clients that are requesting an image and/or a specific day and time. If you do not
select either of these check boxes, the transmission will not start until you manually start it.
Note that in addition to these criteria, you can start a transmission manually at any time by
right-clicking it and then clicking Start.
143
Consider using Auto-Cast if: Consider using Scheduled-Cast if:
• You work for a large • You work for a smaller organization or an organization
corporation or an where network traffic is an issue during the day. This way,
organization with high you can set installations to occur during nonpeak hours or
bandwidth that can handle at night.
installations at any time. • To reduce the total time of the transmission. Because
• You do not want you can set multiple clients to start at the same time, the
customers to have to wait time will be reduced because Windows Deployment
for the installation to begin. Services will not have to resend a part of the image to
clients that started after the first client.
• You do not want the transmission to start until you
manually start it (to do this, clear both check boxes when
you create the transmission).
Do one of the 1. Click Start, right-click Command Prompt, and click Run as
following: administrator.
• Right-click the 2. Do one of the following:
Multicast a. To create an Auto-Cast transmission
Transmission
Syntax: WDSUTIL /New-MulticastTransmission /Image:<image
node, and then
name> /FriendlyName:<friendly name> /ImageType:Install
click Create
/ImageGroup:<Image group name> /TransmissionType:AutoCast
Multicast
b. To create a Scheduled-Cast transmission
Transmission.
Syntax: WDSUTIL /New-MulticastTransmission /Image:<image
• Right-click an
name> /FriendlyName:<friendly name> /ImageType:Install
image, and then
/ImageGroup:<Image group name>
click Create
/TransmissionType:ScheduledCast [/Time:<yyyy/mm/dd:hh:mm>]
Multicast
[/Clients:<no of clients>]
Transmission.
To manage transmissions
144
Using the MMC Using WDSUTIL
145
Using the MMC Using WDSUTIL
146
range is also used by the TFTP provider, you will need as many available ports as you have
concurrent clients accessing the server.
1. Right-click the server, and then click 1. Click Start, right-click Command
Properties. Prompt, and click Run as administrator.
2. On the Network Settings tab, specify 2. Run WDSUTIL /Set-Server
the UDP port range. [/Server:<name>] /Transport /StartPort:x
changes will take effect. To do this, right- 3. You must restart the service before the
click the server in the MMC snap-in, click changes will take effect. To do this, run
All Tasks, and then click Restart. wdsutil /stop-server and then run wdsutil
/start-server.
147
Using the MMC Using WDSUTIL
1. Right-click the server, and then click 1. Click Start, right-click Command
Properties. Prompt, and click Run as administrator.
2. On the Network Settings tab under 2. Do one of the following:
Multicast IP Address, select one of the • To use MADCAP to obtain the IP
following: address for each namespace, run
• Obtain IP address from DHCP. WDSUTIL /Set-Server [/Server:<name>]
You can select this option only if your /Transport /ObtainIPFrom:DHCP.
DHCP server supports it. The IP • To configure a preset range of IP
address for each namespace will be addresses, run WDSUTIL /Set-Server
obtained by using MADCAP (RFC [/Server:<name>] /Transport
2730, Multicast). /ObtainIPv4From:Range /Start:x.x.x.x
• Use IP address from the /End:y.y.y.y.
following range. You will need to enter 3. You must restart the service before the
a range. changes will take effect. To do this, run
3. You must restart the service before the WDSUTIL /stop-server and then run WDSUTIL
changes will take effect. To do this, right- /start-server.
click the server in the MMC snap-in, click
All Tasks, and then click Restart.
In This Topic
• Stop Transmissions Slower than 1 MB per Second
• Display Performance Information About Clients
148
MulticastTransmission /Show-clients. Note that there may be as many master clients as the
server has network adapters.
' -------------Times are in milliseconds
sleepTime = 5000 ' Minimum time to wait between each query to the server
timeThreshold = 60000 ' Minimum time to wait before kicking the master client out of a
slow session
displayAllSessions = true ' Display all sessions on the server, not just the slow sessions
printStatusDots = true ' Print a dot every time we contact the server. Useful to show
that the script is doing something
WdsTptDisconnectUnknown = 0
WdsTptDisconnectFallback = 1
WdsTptDisconnectAbort = 2
main()
sub main
hostname = "localhost"
149
else
hostname = WScript.Arguments.Item(0)
end if
end if
if printStatusDots then
end if
' Loop forever. User must control C out of the script to stop execution.
Do while true
if printStatusDots then
Wscript.StdOut.Write(".")
end if
loopAndKick()
wscript.sleep(sleepTime)
150
loop
end sub
sub loopAndKick
for i = 1 to CLng(NamespaceCollection.count)
Set ns = NamespaceCollection.Item(i)
for j = 1 to CLng(ContentCollection.count)
for k = 1 to CLng(SessionCollection.count)
tRate = CLng(session.TransferRate)
if displayAllSessions then
end if
151
' If the session ID already exists in the dictionary, but no
clients are connected, remove the entry from the dictionary
if ( (CLng(ClientCollection.count) = 0) AND
sessionDictionary.Exists( CLng(session.ID)) ) then
sessionDictionary.Remove(CLng(session.ID))
' If we've gone too slow for too long, kick the current
master client
Server.DisconnectClient session.MasterClientId,
WdsTptDisconnectFallback
timeSlow = 0
end if
end if
sessionDictionary.Remove(CLng(session.ID))
152
' If the session is still too slow, add it back to the
dictionary with the new time value
else
end if
else
sessionDictionary.Add CLng(session.ID), 0
end if
end if
next
next
next
end sub
if WScript.Arguments.Count = 0 then
153
Set Server = Manager.GetWdsTransportServer("localhost")
else
end if
for i = 1 to CLng(NamespaceCollection.count)
Set ns = NamespaceCollection.Item(i)
wscript.echo " Namespace ID: " + CStr(ns.id) + ", Name: " + ns.name
for j = 1 to CLng(ContentCollection.count)
for k = 1 to CLng(SessionCollection.count)
tRate = CLng(session.TransferRate)
154
wscript.echo " Session ID: " + CStr(session.id) + ",
NIC Name: " + session.NetworkInterfaceName &_
for l = 1 to Cint(ClientCollection.count)
if Clng(session.MasterClientId) = Clng(client.id)
then
else
end if
next
next
next
next
Server: wds-server.fabrikam.com
155
Namespace ID: 2471217811, Name: WDS:Vista/x86.wim/1
Session ID: 3353296855, NIC Name: Broadcom NetXtreme Gigabit Ethernet #2, tRate: 0
kB/sec, clients: 0
Session ID: 3353296854, NIC Name: Broadcom NetXtreme Gigabit Ethernet #2, tRate:
883 kB/sec, clients: 1
Note
Note that when you modify the BCD store, you must force it to be recreated in order for
your changes to take effect. To do this, either restart the WDSServer service (run wdsutil
/stop-server and then run wdsutil /start-server) or run Sc control wdsserver 129.
In This Topic
• To View the Contents of the BCD Store
• To Configure the Default Selection Time-out Value
• To Configure a Localized Boot Manager Experience
• To Configure the TFTP Block Size
• To Configure the TFTP Window Size
• To Configure Windows Debugger Options
• To Turn On Emergency Management Services Settings
156
Example: C:\boot>bcdedit.exe /enum all /store c:\remoteinstall\tmp\X86.{05FF3388-7D71-
46A1-AE8A704480979281}.bcd
--------------------
identifier {bootmgr}
inherit {dbgsettings}
timeout 30
--------------------------------
identifier {40fe5c41-285e-412b-b4cd-0ce498e470a2}
device boot
path OSChooser\i386\startrom.n12
pxesoftreboot Yes
Debugger Settings
-----------------
identifier {dbgsettings}
debugtype Serial
debugport 1
baudrate 115200
Device options
--------------
157
identifier {68d9e51c-a129-4ee1-9725-2ab00a957daf}
ramdisksdidevice boot
ramdisksdipath \Boot\Boot.SDI
--------------------
identifier {bootmgr}
inherit {dbgsettings}
timeout 30
--------------------------------
identifier {40fe5c41-285e-412b-b4cd-0ce498e470a2}
device boot
path OSChooser\i386\startrom.n12
pxesoftreboot Yes
158
Debugger Settings
-----------------
identifier {dbgsettings}
debugtype Serial
debugport 1
baudrate 115200
Device options
--------------
identifier {68d9e51c-a129-4ee1-9725-2ab00a957daf}
ramdisksdidevice boot
ramdisksdipath \Boot\Boot.SDI
--------------------
159
identifier {bootmgr}
inherit {dbgsettings}
timeout 30
--------------------------------
identifier {40fe5c41-285e-412b-b4cd-0ce498e470a2}
device boot
path OSChooser\i386\startrom.n12
pxesoftreboot Yes
Debugger Settings
-----------------
identifier {dbgsettings}
debugtype Serial
debugport 1
baudrate 115200
Device options
--------------
identifier {68d9e51c-a129-4ee1-9725-2ab00a957daf}
ramdisksdidevice boot
ramdisksdipath \Boot\Boot.SDI
2. Set the appropriate TFTP block size value by running the following command:
Syntax: bcdedit /store <full path and file name of store> /set {<GUID identifier>}
ramdisktftpblocksize <block size>
Example: C:\>bcdedit /store c:\RemoteInstall\boot\x86\default.bcd /set {68d9e51c-a129-
4ee1-9725-2ab00a957daf} ramdisktftpblocksize 4096
Note
We recommend that you go up in multiples (4096, 8192, 16384, and so on) and that
you not set a value higher than 16384.
3. Force regeneration of the BCD store in the \Tmp folder by sending a control signal to the
WDSServer service, using the following command:
C:\>sc control wdsserver 129
160
To Configure the TFTP Window Size
The default TFTP window size is 8. You can configure this value by setting the appropriate value
in the default BCD store for the client architecture, using the following steps:
1. At the command prompt, determine the GUID identifier of the boot manager application
by running the following command:
Syntax: bcdedit /enum all /store <full path and file name of store>
2. Set the appropriate TFTP window size by running the following command:
Syntax: bcdedit /store <full path and file name of store> {<GUID>} ramdisktftpwindowsize
<windowsize>
Example: C:\>bcdedit /store c:\RemoteInstall\boot\x86\default.bcd {68d9e51c-a129-
4ee1-9725-2ab00a957daf} ramdisktftpwindowsize 9
3. Force regeneration of the BCD store in the \Tmp folder by sending a control signal to the
WDSServer service by running the following command:
C:\>sc control wdsserver 129
Option Description
--------------------
identifier {bootmgr}
inherit {dbgsettings}
timeout 30
161
Real-mode Application (10400009)
--------------------------------
identifier {40fe5c41-285e-412b-b4cd-0ce498e470a2}
device boot
path OSChooser\i386\startrom.n12
pxesoftreboot Yes
Debugger Settings
-----------------
identifier {dbgsettings}
debugtype Serial
debugport 1
baudrate 115200
Device options
--------------
identifier {68d9e51c-a129-4ee1-9725-2ab00a957daf}
ramdisksdidevice boot
ramdisksdipath \Boot\Boot.SDI
162
Windows Boot Loader
-------------------
identifier {06689f95-f69c-4937-8ded-09a966a6a319}
device ramdisk=[boot]\Boot\x86\Images\boot.wim,{68d9e51c-
a129-4ee1-9725-2ab00a957da
f}
osdevice ramdisk=[boot]\Boot\x86\Images\boot.wim,{68d9e51c-
a129-4ee1-9725-2ab00a957da
f}
systemroot \WINDOWS
detecthal Yes
winpe Yes
163
performing system-recovery tasks. This method is typically used for high-end servers in a data
center.
There are generally two types of devices that support remote administration: those whose BIOS
and Extensible Firmware Interface (EFI) support UI redirection, and those whose BIOS does not
support UI redirection. The first class of computers is generally EFI-based, typically Itanium-
based servers. The second class of computers have had the video card removed (or the
computer did not come with one), and the goal is to redirect output by using a COM port.
Support for remote administration is enabled by default for Itanium-based computers that are
using configuration settings specified in the default BCD store that was created for Itanium-based
clients. These EMS settings are enabled and set to use the BIOS default settings (as opposed to
COM port redirection). Each per-image BCD store that is generated for Itanium-based clients is
set to inherit these settings from the default BCD configuration.
Support for remote administration is not enabled by default for x86-based or x64-based
computers that do not support BIOS redirection. To enable this support, you must do the
following:
• Adjust the default NBP to one that supports remote administration (for example,
hdlscom1.com, hdlscom1.n12, hdlscom2.com, or hdlscom2.n12). For more information about
boot programs and their use, see the "Network Boot Program" section in Managing Network
Boot Programs.
• Signal the loader to support remote administration. You can do this by using
BCDedit.exe to set the appropriate EMS options in the default BCD store used for that
architecture. You must enable EMS settings and, optionally, you can specify the default port
and baud rate.
To turn on EMS settings for a particular operating system entry (for OSLoader)
1. Determine the GUID of the operating system entry by running the following
command:
Syntax: BCDEDIT /store <full path and file name of per-image BCD store> /enum all
Example:
C:\>bcdedit /store c:\RemoteInstall\Boot\x86\Images\boot.wim.bcd /enum all
-------------------
identifier {06689f95-f69c-4937-8ded-09a966a6a319}
device ramdisk=[boot]\Boot\x86\Images\boot.wim,{68d9e51c-
a129-4ee1-9725-2ab00a957da
f}
osdevice ramdisk=[boot]\Boot\x86\Images\boot.wim,{68d9e51c-
164
a129-4ee1-9725-2ab00a957da
f}
systemroot \WINDOWS
detecthal Yes
winpe Yes
2. Create the EMS settings option in the Default.bcd store by running the following
command:
Syntax: bcdedit /store <full path and file name of per-image BCD store> /create
{emssettings} /d <description>
Example: C:\>bcdedit /store c:\RemoteInstall\Boot\x86\default.bcd /create
{emssettings} /d "EMS Settings”
3. Set the baud rate by running the following command:
Syntax: bcdedit /store <full path and file name of per-image BCD store> /set
{emssettings} baudrate <value>
Example: C:\>bcdedit /store c:\RemoteInstall\Boot\x86\default.bcd /set
{emssettings} baudrate 115200
4. Set the output port type by running the following command:
Syntax: bcdedit /store <full path and file name of per-image BCD store> /set
{emssettings} debugtype <value>
Example:C:\>bcdedit /store c:\RemoteInstall\Boot\x86\default.bcd /set
{emssettings} debugtype Serial
5. Set the output port number (this should match the output port of the configured
network boot program (NBP)) by running the following command:
Syntax: bcdedit /store <full path and file name of per-image BCD store> /set
{emssettings} debugport <value>
Example: C:\>bcdedit /store c:\RemoteInstall\Boot\x86\default.bcd /set
{emssettings} debugport 1
6. Determine the GUID of the operating system entry by running the following
command:
Syntax: bcdedit /store <full path and file name of per-image BCD store> /enum all
Example:
C:\>bcdedit /store c:\RemoteInstall\Boot\x86\Images\boot.wim.bcd /enum all
-------------------
identifier {06689f95-f69c-4937-8ded-09a966a6a319}
device ramdisk=[boot]\Boot\x86\Images\boot.wim,{68d9e51c-
a129-4ee1-9725-2ab00a957da
165
f}
osdevice ramdisk=[boot]\Boot\x86\Images\boot.wim,{68d9e51c-
a129-4ee1-9725-2ab00a957da
f}
systemroot \WINDOWS
detecthal Yes
winpe Yes
7. Enable EMS settings in the per-image BCD by running the following command:
Syntax: bcdedit /store <full path and file name of the per-image BCD store> /set <GUID
identifier> ems <value>
Example:C:\>bcdedit /store c:\RemoteInstall\Boot\x86\default.bcd /set {06689f95-
f69c-4937-8ded-09a966a6a319} ems on
8. Enable inheritance of EMS settings from Default.bcd values as configured above, by
running the following command:
Syntax: bcdedit /store <full path and file name of per-image BCD store> /set <GUID
identifier> inherit {emssettings}
Example: C:\>bcdedit /store c:\RemoteInstall\Boot\x86\default.bcd /set {06689f95-
f69c-4937-8ded-09a966a6a319} inherit {emssettings}
9. Force regeneration of the BCD store in the \Tmp folder by sending a control signal to
the server service, using the following command:
C:\>sc control wdsserver 129
Troubleshooting
• Troubleshooting Performance Problems
• Common Problems
• Logging and Tracing
• Network Ports Used
• Required Permissions
166
In This Topic
• Analyzing Blockages in Each Phase of Installation
• PXE Boot Phase
• TFTP Download Phase
• Image Apply Phase
• Using Performance Monitoring
Note
167
Diagnosing TFTP Download Performance Problems
The simplest way to diagnose long download times (observed from the client computer as a
progress bar below an IP address) is to look at the average response time between the client and
the server it is downloading from. To do this, in Windows PE, open the Command Prompt window,
type ping <server’s IP address>, and then note the average latency measured. The output will
look similar to the following, where the average latency is less than 1 millisecond (which is good):
C:\Windows\system32>ping 10.197.160.93
High round-trip time values indicate latency on the network, which is an indicator that TFTP
download performance will be poor. To improve this performance, consider doing one or more of
the following:
• Use a Windows Deployment Services server that is closer to each client.
• Remove stress and load from the network segment.
• If the client connects to the server after multiple network hops, use the output from the
tracert command to identify the latent segment, and consider rerouting TFTP traffic to avoid
the hop.
You can also diagnose TFTP download performance problems by examining a network trace of
the download activity. Generally, the best practice is to obtain this trace from the client and server
simultaneously to assess exactly where the blockage is occurring (server, client, or network). To
do this, add a client and a third computer to a hub, start network traces from the server and the
third computer, and then boot the client computer from the network.
168
• Use the tools in the Windows Automated Installation Kit (AIK) to create a custom boot
image that contains the Windows Setup binary files and Microsoft Windows Preinstallation
Environment (Windows PE). For instructions, see Creating Images. Ensure this image has
been prepared by using PEIMG.exe /prep. For more information, see PEImg Command-Line
Options (http://go.microsoft.com/fwlink/?LinkId=120707).
• Ensure that the Windows image (.wim) file that contains the boot image does not contain
extra space. A best practice is to use the ImageX /export command to export your boot
image to a "clean" .wim file before adding the image to the Windows Deployment Services
server. For more information, see ImageX Command-Line Options
(http://go.microsoft.com/fwlink/?LinkId=120708).
• Ensure that the .wim file that contains the boot image is using the maximum compression
format, LZX. To do this, run Imagex /info ImageFile <ImageNumber|ImageName>. For
more information, see ImageX Command-Line Options (http://go.microsoft.com/fwlink/?
LinkId=120708).
• In situations where a server is overburdened, use PXE boot referrals to direct booting
clients to different PXE servers for TFTP downloads. For more information, see Managing
Network Boot Programs.
• Alter your physical network topology by doing one or more of the following:
• Add a PXE server closer to the client computer.
• Move the client computer closer to the PXE server.
• Repair the existing network infrastructure (in the case of high-packet loss).
• Upgrade to better cabling (Cat 5e is recommended).
• Check the condition of the switches between the client computer and the PXE server
to ensure that packets are not being dropped.
169
• Do performance problems occur only at certain times of the day? This may indicate
a scalability problem that is probably caused by an overused network or an overburdened
server.
• Do performance problems occur only for clients on a particular subnet or network
location? If so, determine whether there is a network issue on that segment.
• Do performance problems occur only for clients that access a particular server? If
so, check the server’s performance statistics as well as the network segment that connects
the clients to the server to see whether the server is overused.
Performance problems that occur across a larger group of computers generally indicate either a
concurrency problem (scalability) or a blockage in the network or server. To investigate, measure
the amount of time it takes to download a file (of approximately the same size as the install
image) from the server to the client, in Windows PE. Or try to download the install image after it
has been placed in a shared folder on the server. If the time it takes to download a large file
exceeds the expectations, you should analyze the switch utilization and observe other network
metrics to identify the network conditions that are impacting download times.
If you suspect that the server is the blockage, use the steps in the Using Performance Monitoring
section later in this chapter to identify the root cause of the blockage.
170
• Problems with the physical network connection between the client computer and the
network topology
• Problems with the switching equipment
• A bad disk controller interface on the client computer
• A bad network adapter on the client computer
• Insufficient RAM on the client computer (512 MB of RAM is the minimum requirement for
Windows Vista)
• Poorly performing system drivers
171
• Processor (% Processor Time). You can tell from the % Processor Time counter whether
there is enough processing power on the server to meet the demands being placed on it. If
you see that processor utilization is high, use this counter for each individual process to
determine the cause of the degraded performance. If the Windows Deployment Services
server is configured to work with File Replication Service (FRS), and the Distributed File
System Replication (DFSR) service is consuming a significant portion of processor time, you
should consider increasing the boot configuration data (BCD) refresh interval to reduce the
number of changes that FRS has to propagate between servers. If the server has multiple
server roles, you may want to configure the roles so that they are better distributed across
multiple servers.
A strong correlation between network utilization and disk reads (and disk throughput)
indicates that the network card may be the cause of a reduction in image deployment times.
In this case, if you are not concerned with disk throughput, consider upgrading the network
infrastructure to support GB Ethernet, or refactoring the Windows Deployment Services
server infrastructure so that it is spread across multiple servers.
• WDS Multicast Server (all counters). The following list describes all of counters for
multicasting.
• Active Clients. This counter shows the clients that are currently connected to a
multicast session.
• Active Contents. Contents refers to the data that is being transmitted. When a client
connects to a namespace, a “content” is created. The content is then removed if clients
are not active in the content for 5 minutes or longer. You can have multiple contents for a
single namespace if there are multiple network cards on the server.
• Active Namespaces. This counter is essentially equivalent to a multicast
transmission. A namespace is the underlying object that gets created when you create a
multicast transmission.
• Incoming Packets/Second (in Bytes). This counter shows the sum of all incoming
data packets (per second) from all multicast sessions.
• Outgoing Packets/Second (in Bytes): This counter shows the sum of all outgoing data
packets (per second) from all multicast sessions.
• Total Data Packets. This counter shows the total number of data packets sent by the
multicast server.
• Total Master Client Switches. This counter shows the total number of times that the
master client has been changed in a transmission. Note that the master client is the
slowest client in a transmission — that is, the client that is not capable of installing any
faster, whereas the other clients may be able to install at a faster rate.
• Total NACK Packets. A NACK packet is a negative acknowledgement. This counter
shows the total number of NACK packets received from client computers.
• Total Repair Packets. This counter shows the total number of repair packets sent by
the server. Note that the server sends repair packets in response to NACK packets. If the
number in this counter is high, relative to the Total Data Packets counter, this indicates
172
that packet loss is occurring between the clients and the server. Ideally, the ratio of total
data packets to total repair packets should be greater than 100:1.
• Total Slowdown Request. Clients send slowdown requests when the server is
sending data faster than the client can handle it. This is usually caused by slow disk
performance on the clients, or by other resource pressure (such as insufficient memory,
high CPU utilization, and so on).
• WDS TFTP Server (all counters). The following list describes the two counters for TFTP.
• Active Requests. This counter shows the number of active TFTP transfers on the
server.
• Transfer Rate/Second (in Bytes). This counter shows the total amount of data that the
TFTP server is sending out per second.
• WDS Server (all counters). The following list describes the counters for the Windows
Deployment Services server.
• Active Requests. This counter shows the number of currently active requests on the
Windows Deployment Services server, including remote procedure calls (RPCs) to the
server and multicast requests.
• Processed/Second. This counter shows the number of requests processed in the last
second.
• Requests/Second. This counter shows the number of requests received in the last
second.
For more information about Reliability and Performance Monitor, see
http://go.microsoft.com/fwlink/?LinkID=110854.
For information about how to view these counters, see the following Microsoft TechNet articles:
• Add Counters Dialog Box (http://go.microsoft.com/fwlink/?LinkId=105531)
• Creating Data Collector Sets (http://go.microsoft.com/fwlink/?LinkID=55157)
Common Problems
This chapter highlights some common issues that you may encounter when using Windows
Deployment Services including the following:
Type Issues
173
Type Issues
page of Setup.
• My computer loads the boot image, but it cannot access an install image.
• I created an unattend file, but when installation completes, my client
computer is not joined to the domain.
• Install images do not appear on the image selection page.
Troubleshooti • My x64-based client computer does not have any x64-based images on the
ng x64-Based boot image selection page.
Client • My x64-based client computer is detected as x64, but it fails to boot to the
Computers default image.
Creating • When using the Image Capture Wizard to create a custom image, the
Custom volume that contains my image is not selectable.
Images • The finish button is not enabled on the final page of the image capture
wizard.
174
• The answer policy is not configured correctly. For example, the server is not configured to
answer clients, or it is configured to answer only known clients and the client is not prestaged.
To fix this, reconfigure the policy. For example, run WDSUTIL /set-server
/answerRequests:all. For instructions, How to Manage Client Computers.
• The computer is marked as approved in the Auto-Add database, but a computer account
representing the computer does not exist in Active Directory Domain Services (AD DS). To fix
this, purge the database using the steps in Prestaging Client Computers topic.
• The computer is marked as rejected in the Auto-Add database. After a computer has
been marked as rejected, the computer will not be able to PXE boot. You can clear the entry
in the Auto-Add database by deleting all pending computer records (by running WDSUTIL
/delete-AutoAddDevices /DeviceType:RejectedDevices) or enabling the record to be
purged automatically (according to the default cleanup interval). For instructions, see the
Auto-Add Database section of How to Manage Client Computers.
• Client boot requests are not getting routed correctly to the Windows Deployment Services
server. To ensure that the IP Helper router is updated and that the Dynamic Host Control
Protocol (DHCP) option configuration has been completed correctly, see "Methods of
Directing a Client to the Appropriate NBP" in Managing Network Boot Programs.
• The client has been prestaged and a network boot program (NBP) has been defined;
however, the NBP does not exist on the server. Examine the output from WDSUTIL /get-
device /Device:<device name> to determine the name and path of the NBP. Then check
that location on the Windows Deployment Services server to ensure that the file exists. If it
does not exist, run WDSUTIL /Set-device to direct the client to a different NBP.
• DHCP and Windows Deployment Services are running on the same physical computer,
but the settings associated with this configuration have not been defined. To configure this,
see the DHCP section of How to Manage Your Server. For more information, see Configuring
DHCP.
When I perform a PXE boot and select a boot image, I see a command
prompt.
If you do not see the UI from Setup.exe when you boot into a boot image, the boot image
probably does not contain the Windows Deployment Services client (which is basically Setup.exe
and supporting files for Windows Deployment Services). One common cause of this is if you
created an image of Windows PE by using the Windows AIK instead of using the Boot.wim file
from the Windows Vista or Windows Server 2008 DVDs. To fix this, upload the Boot.wim file
located in the Sources directory of Windows Server 2008 DVD. This image contains the Windows
Deployment Services client and Windows PE.
The client computer fails to get an IP address when I try to PXE boot.
The most common causes of this problem are:
• There is a problem with the network.
• There is a problem with DHCP.
175
To resolve these issues, check Event Viewer for events and errors, and then refer to the DHCP
Infrastructure troubleshooting documentation (http://go.microsoft.com/fwlink/?LinkId=108014) for
steps you can use to resolve the problem. If you are using a non-Microsoft DHCP server, contact
the manufacturer for troubleshooting information.
I don't see the hard drive of the client computer on the disk configuration
page of Setup.
The most common cause of this problem is that the client computer does not have the correct
storage driver from the hardware manufacturer. To fix this, do one of the following:
• Add the driver to the image by using the tools in the Windows AIK.
• Click Add Driver on the disk configuration page, and then specify the driver.
My computer loads the boot image, but it cannot access an install image.
The boot image may not contain the correct network driver for the client computer. To resolve this,
on the client computer, press SHIFT+F10 to open a command prompt and run IPConfig. If an IP
address and subnet mask are not reported in the output, this indicates that networking has not
been started and it is likely that a network driver is not present. To fix this, add the driver from the
hardware manufacturer to the image by using the tools in the Windows AIK.
176
images are located at \\<WDSServer>\RemoteInstall\Images\<Image Group>. For more
information, see Required Permissions.
• The architecture of the client computer (x86, Itanium, x64) does not match the
architecture type of the install image. A client booting into an x86-based boot image will only
be able to view x86-based install images on the image selection page.
• You may have an incompatible hardware abstraction layer (HAL) type. To deploy an
image to this computer, you will need an image that has the correct HAL type — that is, an
image that was captured from a computer that has the same HAL type as this computer.
I approved a pending computer and then deleted the computer account that
was created in AD DS during the process. Now the server will not
answer my client computer.
Deleting a prestaged computer that was added to AD DS by using the approval process for
pending computer involves two steps:
177
• Remove the computer account from AD DS.
• Remove the record in the Auto-Add database.
Failing to remove the record in the database will cause the client to remain in Wdsnbp.com, and it
will not proceed with booting from the network. This occurs because the record in the Auto-Add
database shows the computer as approved, but a prestaged computer in AD DS will not be found
(because the computer was deleted).
This scenario is identical to a case where there is AD DS replication latency. For example, the
server will not permit the client to proceed past Wdsnbp.com until a prestaged computer appears
in AD DS.
For more information, see Prestaging Client Computers.
I received the error: "0x2: File not found" when trying to manage a remote
Windows Deployment Services server.
You may have received this error if you are trying to manage a Windows Deployment Services
server running Windows Server 2008 from a Windows Deployment Services server running
Windows Server 2003.This scenario is not supported. You can only manage Windows
Deployment Services servers running Windows Server 2008 from a Windows Deployment
Services server running Windows Server 2008. For more information, see Managing a Complex
Environment.
To inject drivers into a boot image, and use the boot image to create a capture image:
1. Add a boot image to your server.
2. Mark the image as offline (disabled).
3. Mount the image by using ImageX and Mountrw (included in the Windows AIK).
4. Insert all of the drivers that use PEIMG.exe into the boot image.
5. Mark the image as online (enabled).
178
6. Create the capture image using this boot image.
• Cause 2: The volume does not contain an image that was prepared using Sysprep.
To determine whether the offline image has been prepared using Sysprep:
1. Run regedit to load the offline system hive.
2. In HKEY_LOCAL_MACHINE\System, create a new key called Test.
3. Import the offline system hive from C:\windows\system32\config\system
(assuming the offline operating system is located on C:\) into the empty Test key.
4. Examine the two registry keys in the imported system hive that are checked by
the wizard:
• Ensure that HKEY_LOCAL_MACHINE\System\Setup\CloneTag exists
• Ensure that
HKEY_LOCAL_MACHINE\System\Setup\SystemSetupInProgress is set to 1.
If either of the registry keys are not set correctly, there are two likely causes:
• The Generalize check box was not selected when Sysprepwas run.
• After Sysprep completed, the computer was specialized before the Image Capture
Wizard was started. This can happen if you installed Windows Vista, ran Sysprep,
rebooted the computer, and then failed to signal the PXE boot in time so that the
computer starts to boot and the specialization process runs. You realized your mistake,
restarted the computer, and signaled the PXE boot. Then you booted into Windows PE
and start the image capture wizard. In this scenario, the wizard will not show the volume
because the offline image is no longer generalized.
To resolve either of these, boot into the image, run Sysprep again, and then perform the
capture process again.
The finish button is not enabled on the final page of the image capture
wizard.
This occurs when a name and location for the .wim file is not specified. You must specify this
information even if you are uploading the resulting image to a Windows Deployment Services
server. The Image Capture Wizard creates a local copy of the image first, to ensure that transient
networking conditions will not interfere with the image capture process.
179
You can specify a location for the .wim file that is on the same volume that is being captured (this
will not interfere with the capture process). By default, this local image is not deleted at the
conclusion of the image capture process. To delete the file, specify the appropriate unattended
installation setting. For more information, see Automating the Image Capture Wizard.
Multicasting
My multicast transmissions are running very slowly.
One typical cause of this issue occurs in environments that contain computers with different
hardware configurations and architectures. In this case, some clients can run multicast
transmissions faster than others. Because each transmission can be run only as fast as the
slowest client, the entire transmission will be slow if there is one slow client. To resolve this issue,
first determine the client that is holding back the transmission (this is called the master client). To
do this, view the output of the following command: WDSUTIL /Get-
AllMulticastTransmissions /Show:Clients. Next, disconnect the master client using
WDSUTIL /disconnect-client /ID:<ID>, where ID is the client ID (which you can get using the
/get-transmission option).
Disconnecting the master client will force it to run the transmission by using the Server Message
Block (SMB) protocol, and the other clients' multicast performance should speed up. If they do not
speed up, there is a problem with the client's hardware (for example, a slow hard drive) or a
network problem. Also, see Example Multicast Scripts for an example script that will automatically
disconnect slow master clients.
180
Other than displaying a message that indicates whether the operation succeeded or failed,
WDSUTIL shows minimal screen output (by default). However you can specify two additional
options to enable more output. You can specify/Verbose to show detailed information about a
task, and you can specify /Progress to use ellipses to indicate that a long-running process (for
example, adding an image) is running and is not stalled. Even when you use these options, you
can redirect the WDSUTIL output to a file. In the sample WDSUTIL command-lines in this section,
these options are used wherever they provide useful information.
Note
You should close the Windows Deployment Services MMC snap-in when you run a
WDSUTIL command. If the snap-in is open, the trace logs may not contain messages for
some actions.
Caution
Incorrectly editing the registry might severely damage your system. Before making
changes to the registry, you should back up any valued data.
181
Component Obtain and review this output:
Name: EnableFileTracing
Value:1
b. Set the following registry key to enable tracing in the management
console:
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\WDSMMC
Name: EnableFileTracing
Value:1
Then you can obtain the trace logs at %windir%\tracing\wdsmgmt.log and
%windir%\tracing\wdsmmc.log.
• WDSUTIL /get-server /show:all /detailed
• Windows Application log in Event Viewer
• Windows System log in Event Viewer
Note
Although the Windows Deployment Services MMC snap-in and
WDSUTIL share the same API layer, in some cases the MMC adds
additional processing and functionality. In instances where an error
occurs, it is often worthwhile to attempt to reproduce the failure
using WDSUTIL to determine if the error is localized to the MMC or
if it is a general management API failure. Often, WDSUTIL will
provide more detailed error output without enabling tracing. Where
applicable, use the /detailed, /verbose, and /progress options for
extra information.
Windows Logging in the Windows Deployment Services client serves two purposes. First,
Deployment it allows you to determine if a particular client failed during installation, and it
Services client provides details regarding the failure. Second, it allows you to collect
information regarding client installations including how many clients installed a
particular image, and the success rate for client installs. You can view the logs
in the Application event log in Event Viewer. Because a time stamp is logged
with each event, you can use this information to determine how long particular
phases of the client installation process took to complete. This information is
especially useful when diagnosing performance problems or doing performance
benchmarking. There are four logging levels:
• NONE: No logging (default)
• ERRORS: Errors only
• WARNINGS: Warnings and errors
• INFO: The highest level of logging, which includes errors, warnings,
and informational events
To turn on client logging, run WDSUTIL /Set-Server /WDSClientLogging
182
Component Obtain and review this output:
183
Component Obtain and review this output:
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\WDSCapture
Name: EnableFileTracing
Value:1
d. Open a second instance of the Image Capture Wizard.
e. Reproduce the failure using the wizard that you just opened. Do not
close the original wizard or the computer will restart.
Note
Note: you can use Alt+Tab to move between windows.
f. Obtain the trace log from X:\Windows\Tracing\WDSCapture.log.
PXE boot • Enable tracing in the server and management components and obtain
components the trace logs (as outlined previously).
• Obtain a network trace that shows the failed boot attempt. It is a best
practice to obtain this trace from the client and server simultaneously to
accurately assess whether the failure is occurring at the sending server or
the receiving client. The process is:
a. Place a client and a third computer (laptop or desktop) on a hub.
b. Start network traces from the server and third computer.
c. Boot the client from the network.
Note
If you are using Network Monitor to obtain the traces, ensure
that the buffer size is at least 20 MB. If you configure a bufferf
size too small for the capture, then packets will be lost (not
appear) in the capture output.
Protocols
Windows Deployment Services uses the following protocols for installing images:
• Dynamic Host Configuration Protocol (DHCP)
• Pre-Boot Execution Environment (PXE)
• Trivial File Transfer Protocol (TFTP)
• Remote procedure call (RPC)
• Server Message Block (SMB)
• Multicasting
184
Ports
The following table outlines the User Data Protocol (UDP) and Transmission Control Protocol
(TCP) network ports that are used during image deployment. You can modify the values that have
an asterisk (*) by using the instructions in How to Manage Your Server.
UDP TCP
• 4011 • 137–139*
The following steps explain the UDP and TCP ports that are used during image
deployment:
1. The client performs a PXE boot.
2. PXE uses DHCP ports and TFTP to download the binary files. For UDP and DHCP,
you need to enable ports 67, 69, and 4011. In addition, TFTP endpoints are used; by
default, these endpoints range from 64001 through 65000. For instructions on modifying
these ranges, see How to Manage Your Server.You can also use the Network Address
Translation (NAT) with the Routing and Remote Access network service to control these
ports.
3. In accordance with RFC 1783 (http://go.microsoft.com/fwlink/?LinkId=81027), the
client chooses random UDP ports to establish the session with the server. You should
use an application exception for TFTP if you have the Windows firewall enabled on the
Windows Deployment Services server.
4. The client downloads Windows PE and boots to the Windows Deployment Services
client. This download also uses the same TFTP ports as mentioned previously.
5. The Windows Deployment Services client communicates with the Windows
Deployment Services server to authenticate and obtain the list of available images. This
conversation occurs over RPC because RPC has built-in authentication (it is one of the
few completely available protocols in Windows PE). You need to allow the port for the
Endpoint Mapper (TCP 135) and the port for the RPC listener for the Windows
Deployment Services server (which is TCP 5040 by default).
6. The Windows Deployment Services client installs the selected image. Image transfer
occurs through SMB. You need all the file-sharing and printer-sharing ports — for
example, TCP 137 through 139 — for installing the image.
Note
185
In addition, if DHCP authorization is required on the server, you need DHCP
client port 68 to be open on the server. Note that DHCP authorization is not
required by default; but you can turn it on manually.
Required Permissions
This chapter outlines the following permissions and, where appropriate, how to grant them.
In This Topic
• General Permissions
• Permissions for Common Management Tasks
• Permissions for Client Installations
• Permissions for Server Properties
Caution
To modify the registry settings that are described in this guide, use only the Windows
Deployment Services management tools—you should not directly edit these settings
and attributes.
General Permissions
To fully administer a Windows Deployment Services server, you need the following permissions:
• Local administrator of the Windows Deployment Services server. This gives you the
following rights:
• File permissions and permissions to the RemoteInstall folder (the management tools
interact with the image store using UNC paths).
• Registry hive permissions. Many settings for the Windows Deployment Services
server are stored in HKEY_LOCAL_MACHINE\System, and you need appropriate
permissions to these locations to change them.
• Domain administrator of the domain that contains the Windows Deployment
Services server. This gives you permissions on the Service Control Point (SCP) in Active
Directory Domain Services (AD DS) for the Windows Deployment Services server. Some
configuration settings for the server are stored here.
• Enterprise administrator (optional). This gives you Dynamic Host Configuration
Protocol (DHCP) authorization permissions. If DHCP authorization is enabled, the Windows
Deployment Services server must be authorized in AD DS before it will be allowed to answer
incoming client PXE requests. DHCP authorization is stored in the Configuration container
in AD DS.
186
It is often useful to delegate the management of a Windows Deployment Services server to an
account other than the domain administrator or enterprise administrator (and grant these general
permissions to the delegated account). The delegated administrator account should be a local
and domain administrator as specified above.
Disable an image Permission to read and write attributes for the associated image file.
Disabling an image means hiding the Windows image (.wim) file associated
with the image.
Set properties on Read and write permissions to the .wim metadata file that represents the
an image image. This file is located within the image group at:
C:RemoteInstall\Images\ImageGroup.
Approve a Read and write permissions for the folder that contains the database file
pending computer Binlsvcdb.mdb in the RemoteInstall share (for example,
C:RemoteInstall\MGMT). The actual account of an approved pending
computer is created by using the server’s authentication token, not the token
of the administrator who is performing the approval. Therefore, in AD DS, you
must grant rights to the Windows Deployment Services server’s account
(WDSSERVER$) to create computer account objects for the containers and
OUs where the approved pending computers will be created.
To grant permissions to approve a pending computer
1. Open Active Directory Users and Computers.
2. Right-click the OU where you are creating prestaged computer
accounts, and then select Delegate Control.
3. On the first screen of the wizard, click Next.
4. Change the object type to include computers.
5. Add the computer object of the Windows Deployment Services
server, and then click Next.
6. Select Create a Custom task to delegate.
7. Select Only the following objects in the folder. Then select the
Computer Objects check box, select Create selected objects in this
folder, and click Next.
8. In the Permissions box, select the Write all Properties check box,
and click Finish.
Prestage a The user account must have permissions to join the domain. The JoinRights
computer to join a registry setting determines the set of security privileges, and the User registry
domain setting determines which users have the right to join the domain. To change
the per server (per architecture) defaults, you need read and write
permissions to these registry keys.
• The JoinRights setting is located at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDS
Server\Providers\WDSPXE\Providers\BINLSVC\AutoApprove\<arch>
Name: JoinRights
Type: DWORD
Value: 0 = JoinOnly.; 1 = Full.
A user that has Join only rights cannot join the domain without
administrator assistance (an administrator with proper permissions on the
188
Task Permissions Needed
computer account object must reset the computer account before the
client installation and domain join).A user that has Full rights can reset
the account and join the domain without administrator assistance.
• The User setting is stored at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDS
Server\Providers\WDSPXE\Providers\BINLSVC\AutoApprove\<arch>
Name: User
Type: REG_SZ
Value: Name of group or user. For this setting, there are two
administration models that you can use.
• (recommended) You can associate a primary user to the account
at the time the computer is approved. When the computer is
approved, the computer account will grant the primary user 1) read
and write permissions on all properties on the computer object
(JoinRights = JoinOnly or JoinRights = Full), and 2) reset and
change password rights on the computer object (JoinRights = Full).
• You can specify server defaults for the user and JoinRights that
apply to all approved clients of a given architecture. The default
values grant domain administrators the Full join right. If you do not
assign a primary user to the computer account at the time of
approval, these default values will take effect.
Note
If you are creating computer accounts against a non-English
domain controller and you are using the default user
property, you must set the Auto-Add settings to use a
different account that does not contain extended characters.
If the account contains a non-standard character (any
character outside [A-Z, a-z, 0-9, \, -, and so on]), such as
German's "Domänen-Admins", then Auto-Add will fail. To
change this value, see the help at the command prompt for
WDSUTIL /set-server /AutoAddSettings.
Create a discover • Read and write permission to the %TEMP% directory and destination
or capture image location
• Read permissions on the original boot image
transmission Server\Providers\Multicast
• Read permissions to RemoteInstall\Images\ImageGroup.
PXE boot a client No permissions are required to PXE boot a client, and no mechanism
computer exists to secure the process of booting from the network. If security is
the primary concern for you, we recommend that you use physical
media (for example, that contains a discover image) to boot each
computer.
Select a boot image No permissions are required to select a boot image and no
mechanism exists to secure entries that are displayed in the list. The
first authentication mechanism occurs using the Windows Deployment
Services client running within Windows PE.
Select an install image The credentials provided in the user interface of the Windows
Deployment Services client must be those of a domain account. After
a client has been authenticated to the Windows Deployment Services
server, the authenticated user must be able to read the install .wim file
and Res.rwm file from the RemoteInstall folder. By default,
authenticated users have permissions to do so.
Join a domain The JoinRights registry setting determines the set of security
privileges, and the User registry setting control which users have the
right to join the domain. For more information about these settings,
see the Prestaged a computer to join a domain section in the
previous table.
If the computer is prestaged, then the user performing the installation
(or the credentials in the Unattend file for the domain join) needs the
appropriate JoinDomain rights. If the computer is not prestaged
190
Task Permissions Needed
Disabling access to the By default, users can gain access to a command prompt during
command prompt during Windows Deployment Services installations by:
installations • Pressing Shift+F10 when Setup is running in Windows PE.
• Pressing Shift+F10 when the Image Capture Wizard is
running in Windows PE.
• Holding down the CTRL key when Microsoft Windows
Preinstallation Environment (Windows PE) is booting.
• Pressing Shift+F10 when the Out of Box Experience (OOBE)
is running (OOBE is the wizard that usually runs after Setup).
Important
A Command Prompt window that is opened during OOBE
will be running in the system context. If this window is not
closed at the conclusion of Setup, the user may have
access to it and therefore, system rights, even though the
user is not a local administrator on the client computer.
You can disable this functionality by adding a DisableCmdRequest.tag
to the image.
To disable access for boot images
1. In the Windows Deployment Services MMC snap-in, right-click
the desired boot image and select Disable.
2. Mount the image for read and write access using ImageX
which is provided in the Windows Automated Installation Kit (AIK).
For more information about ImageX, see the ImageX Technical
Reference (http://go.microsoft.com/fwlink/?LinkID=120693).
3. Create the file %windir
%\Setup\Scripts\DisableCmdRequest.tag in the mounted image.
4. Commit the changes and unmount the image.
191
Task Permissions Needed
PXE • PXE response policy. The PXE response policy (for example, responding
Response only to known clients, or responding to all clients) is stored on the server’s SCP.
Settings Configuring these settings requires read and write permissions to the SCP
object.
To grant permissions to the SCP object
a. Open Active Directory Users and Computers.
b. Click View, and then click Advanced Features (if it is not already
enabled).
c. Right click the computer account for you Windows Deployment
Services server, and click Properties.
d. On the Remote Install tab, select Advanced Settings…
e. Select the Security tab, and click Add…
f. Select the user, and then select Full Control on this object.
• PXE response delay. Configuring this setting requires read and write
192
Tab Settings that Require Permissions
Directory • New client naming policy. This setting is stored in the SCP object on the
Services server. The property is called: netbootNewMachineNamingPolicy
• Client account location. This setting is stored in the SCP object on the
server. The property is called: netbootNewMachineOU
193
Tab Settings that Require Permissions
DHCP • Do not listen on Port 67. This option is controlled by the following registry
key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WDSSERVE
R\Providers\WDSPXE
Name: UseDhcpPorts
Type: DWORD
Value: 0 disabled; 1 enabled
• Configure DHCP option 60 to "PXEClient".This requires that the user is
able to configure the Microsoft DHCP server running on the local computer.
194