Automating Deployment with Remote Installation Service


For those who have worked with Windows 2000 networks, Remote Installation Service (RIS) is a familiar Windows component used for creating and deploying on-demand desktop images. Though the desktop deployment features are still included, Windows Server 2003 now extends the functionality of RIS to include the ability to create on-demand server images for all versions of Windows 2000 and 32-bit versions of the Windows Server 2003 operating system.

RIS Is Not Included

RIS is not included in the Windows Server 2003, Web Edition operating system.


The primary benefits of using RIS for building Windows Server 2003 servers include the following:

  • Rapid deployment of multiple servers. If an enterprise needs to deploy multiple servers that have similar hardware and software specifications, RIS can accelerate the deployment process that used to involve a manual install of one server at a time.

  • Rapid recovery of mission-critical servers. If a server is lost due to disaster, a RIS image of that lost server can be used to quickly build a replacement.

  • Standardization of servers. For a company that manages many servers, having standard RIS server images in line with company policies and specifications takes the guesswork out of server configurations deployed across the enterprise.

System Requirements for RIS

To take advantage of RIS, there are certain hardware and software system requirements that must be met. The following list describes the hardware requirements for building a RIS server:

  • The server hardware must meet minimum requirements for the product version of the Windows Server 2003 family that is being imaged. For example, if you are installing Windows Server 2003, Enterprise Edition, your computer must meet the minimum requirements for this product.

  • A minimum of 4GB of disk space is required for the RIS server folder tree. Because RIS images take up a great deal of space, it is recommended to dedicate an entire partition to the RIS folder tree.

  • A 10 or 100Mb/sec Windows-compatible network adapter that supports TCP/IP (100Mb/sec recommended) is required. A RIS server cannot be a multihomed computer; that is, it can contain only one network adapter.

For the machine that will serve as the template, in other words, the machine from which an image will be taken, there are a couple of hardware requirements as well:

  • As with the RIS server, this computer must meet the minimum requirements for the operating system that is to be installed.

  • A Pre-Boot eXecution Environment (PXE) DHCP-based boot ROM version 1.00 or greater is required.

To Obtain a List of Network Adapters that RIS Supports...

run the Rbfg.exe utility that is installed with Remote Installation Service. This file can be found in \\server-name\reminst\admin\i386\rbfg.exe.


The networking environment in which you install a RIS server must meet a few requirements as well. These requirements are listed here:

  • There must be a DHCP server in the environment to assign addresses to machines being imaged. DHCP is also used to identify which RIS servers are available on the network.

  • A DNS server is necessary in order to locate the directory service that will authenticate the client machines.

  • Active Directory is required to set security parameters around the RIS process. Specifically, AD will restrict or control which RIS servers will respond to specific client requests for operating systems.

Finally, some additional considerations that are more software-based are needed when planning to use RIS. These include the following:

  • RIS cannot be installed on the same partition as the system volume or boot volume.

  • The volume on which RIS is installed must be formatted with NTFS.

  • RIS does not support Encrypting File System (EFS).

  • A Distributed File System (DFS) share cannot be used as a target for a RIS image. RIS can be installed, though, on a server running DFS.

Although this seems to be a rather long list of prerequisites for using RIS, most Windows Server 2003 environments will already have all of the elements mentioned previously. As such, most companies would be able to add this service to their infrastructure quite easily with a single additional server that has a good-sized data partition.

Creating a Remote Installation Preparation Wizard (RIPrep) Image

There are two types of operating system images that can be used with RIS. The first type is a flat image, which is similar to using a CD install, only the installation files are located on a RIS server. The benefit of using a flat image type is that RIS supports flat images for all Windows 2000, XP, and Windows Server 2003 editions, including 64-bit editions.

RIPrep Images Cannot Be Used for 64-Bit Versions of Windows Server 2003

RIPrep images cannot be used for 64-bit versions of Windows Server 2003 and cannot be used to create images of Windows 2000 if Internet Information Server (IIS) is installed.


The second type of RIS image is a Remote Installation Preparation Wizard (RIPrep) image. The RIPrep image type enables you to add application installations and other customizations to the image. RIPrep also uses the Plug and Play feature; therefore computers targeted with these images do not have to be exactly the same, though they do need to share the same Hardware Abstraction Layer (HAL). Because of this flexibility to customize the image, the RIPrep image has the most practical utility for most companies.

The remainder of this section details the process by which a RIPrep image is created. To create a RIPrep image of a Windows Server 2003 installation, perform the following steps:

  1. Install Windows Server 2003 on a computer that you will use to create the installation image. The operating system can be installed using either Remote Installation Services (RIS) or the product CD. Using RIS to do the install is the recommended practice.

  2. Install any additional applications and modify the local configuration settings of the source Windows Server 2003 computer.

  3. From the Run line, type the Universal Naming Convention (UNC) path of the RIPrep utility on the RIS server, for example: \\Servername\RIS\reminst\Riprep.exe, and then click OK.

  4. Click Next at the Remote Installation Preparation Wizard welcome screen.

  5. Type the name of the server to which the image will be copied, and then click Next. By default, this is the RIS server you typed in step 3.

  6. Type the name of the folder to which the image will be copied, and then click Next.

  7. Type the friendly description and the Help text, and then click Next. This information is displayed by the Client Installation Wizard when RIS clients request network services.

  8. Click Next two more times to initiate the replication of the source machine image to the RIS server.

Multiple Profiles on the Source Machine

At this point, a screen might appear indicating multiple profiles on the source machine, or services that are still running that should be stopped. See Figure 11.4 for an example of this screen. It is recommended to stop these services before proceeding.

Figure 11.4. Running the RIPrep utility.



Installer Must Be An Administrator

To run the RIPrep utility, the installer must be an administrator on the source machine and have permission to write to the RIS server data folder.

When the replication process completes, the source server will shut down.

When the source server starts up again, it will run a mini-setup.


RISETUP Utility

The RISETUP utility must be run in the security context of an Enterprise Administrator to authorize a RIS server in Active Directory.


Securing Server Images

RIS in Windows Server 2003 provides functionality for securing the imaging process of servers and desktops. RIS has an authorization feature that will prevent unauthorized RIS servers from making images available on an Active Directory network.

RIS can be used to specify which RIS servers can accept and process requests, and which RIS servers can only service clients on the network. Before a RIS server can accept requests, it must be authorized to run in Active Directory. To authorize a RIS server in Active Directory, run RISETUP Check.

RIS also offers the capability to individually secure particular images. Using this feature allows flexibility on who is able to install the various images from the RIS server. For example, to limit access to install a Windows Server 2003 image from a RIS server to the Domain Admins group, the Authenticated Users group should be removed from the permissions on that particular image.
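One way to check the image permissions described above, as an added PowerShell example that is not from the book. It assumes each image's permissions are set on its answer (.sif) files, and that $ImageRoot, a placeholder parameter, points at the images folder on your RIS server. It goes slightly beyond the text by also flagging the Everyone group.

```powershell
# Added example: list RIS image answer files that broad groups can read.
param(
    # Placeholder (assumption): path to the images folder on your RIS server.
    [Parameter(Mandatory = $true)]
    [string]$ImageRoot
)

# Well-known SIDs, used instead of names so the check works on localized systems.
$broadSids = @{
    'S-1-5-11' = 'Authenticated Users'
    'S-1-1-0'  = 'Everyone'
}
$readBit = [System.Security.AccessControl.FileSystemRights]::ReadData

# Assumption: the permissions that gate an image are those on its .sif files.
Get-ChildItem -Path $ImageRoot -Recurse -Filter *.sif | ForEach-Object {
    $file = $_
    foreach ($ace in (Get-Acl -Path $file.FullName).Access) {
        # Only Allow entries grant access; Deny entries are not findings.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # account cannot be resolved; not one of the broad groups
        }
        if ($broadSids.ContainsKey($sid) -and
            (($ace.FileSystemRights -band $readBit) -ne 0)) {
            # One output object per finding; pipe to Format-Table or Export-Csv.
            New-Object PSObject -Property @{
                Image     = $file.FullName
                Group     = $broadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

Any server image that appears in the output is still installable by the listed group; an entry marked as inherited has to be corrected on the parent folder or by disabling inheritance on the file.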

Making the Most of the RIS Deployment Tool

RIS is a valuable deployment tool for companies that use it correctly. To gain the efficiency, security, and disaster recovery benefits of using RIS, consider the following best practices in designing and maintaining an enterprise RIS solution:

  • Use the security features of RIS. Take advantage of both authorizing RIS servers in Active Directory and restricting access to RIPrep images. The PXE architecture on which RIS relies is inherently insecure. Without the RIS safeguards in place, there is little stopping a malicious user with a PXE-enabled network card from pulling images from a RIS server on the network. This is especially important with server images. Likewise, an intruder could set up a rogue RIS server that can interfere with a company's deployment plans.

  • Install RIS servers appropriate to your network topology. For a small company located in a single subnet, a single RIS server can serve all PXE-related deployment needs. For distributed companies with sites connected over slow links, it makes sense to include RIS servers at the remote sites. Do not use RIS to deploy images over slow links.

  • Install RIS on a physical disk separate from the disk that houses the operating system. Giving RIS its own physical hard drive will ensure optimal performance.

  • Choose to create RIPrep images over RISetup flat images if capturing application installation and customizations in the image is desired. RIPrep can accommodate some differences in the hardware because it utilizes Plug and Play. Using RISetup with a scripted install can enable you to install to hardware that has different HALs.

  • If your servers do not use PXE-enabled network cards, create boot disks using the rbfg.exe utility. The boot disks can be customized to access your RIS server images.



Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
EAN: 2147483647
Year: 2003
Pages: 325
