RIS Server Configuration Design Tasks

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

When designing your RIS server configuration, your primary tasks are to define the following:

  • Network deployment configuration and the supporting Active Directory infrastructure.

  • RIS server properties and other RIS configuration parameters.

  • RIS security configuration.

For a job aid to record your design decisions for your RIS server configuration, see "Designing the RIS Server Configuration" (ACIRIS_09.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Designing the RIS Server Configuration" on the Web at https://www.microsoft.com/reskit).

Note

  • Although your Group Policy settings are part of your RIS server configuration, it is unnecessary to design them here because you should have already made those design decisions in "Designing the RIS Deployment Mode" earlier in this chapter, and recorded them in job aid "Designing for the RIS Deployment Mode" (ACIRIS_08.doc).

Designing the RIS Network Deployment Configuration

RIS servers are dependent on your network configuration: the way you deploy and manage your RIS servers on the network determines how they perform. Depending on how you place and configure your RIS servers, one operating system image can support multiple Active Directory sites, domains, and organizational units, or you can provide multiple customized images that you distribute to clients from strategically placed RIS servers.

Because each RIS server can only handle a limited number of simultaneous client installations, you might consider load balancing client service requests by using a RIS referral server. Figure 4.6 shows a basic RIS configuration unit that illustrates the relationship between PXE-enabled remote boot clients, a RIS referral server, and RIS install servers on the network that provide service to clients.

Figure 4.6   RIS Server Network Deployment

In Figure 4.6, a PXE-enabled remote boot client requests the remote installation of an operating system. The request is passed to the RIS referral server, which is configured with the Do not respond to unknown clients option, so that only prestaged clients are acknowledged by the RIS referral server. The RIS referral server checks Active Directory to verify whether the client has a prestaged computer account and whether it is configured to receive service from a specific RIS install server. If it finds a prestaged computer account and a designated RIS install server, the RIS referral server passes the request to the appropriate RIS install server (RIS Install Server 3 in Figure 4.6). The client then downloads the Client Installation Wizard (CIW) and begins the installation process.

RIS Install Servers 1, 2, and 3 are install servers that only provide operating system installations and do not respond to initial client requests for service. Conversely, the referral server does not provide image support, but does answer initial client service requests.

Figure 4.6 shows how RIS referral and install server configurations can work in an enterprise setting. In this configuration, you can apply tight control to which clients can access which RIS servers. This enables you to load-balance client service requests to ensure that no RIS server is overloaded. You have this capability because you can specify which RIS server services which clients when you prestage client computer accounts in Active Directory. When you do this, be sure not to configure more than 75 clients per RIS server if you expect heavy service request traffic from clients. Alternatively, you can implement a simpler solution by configuring all RIS servers to respond and provide service to all RIS clients; however, this forgoes the additional security gained by using prestaged RIS clients.

To design a RIS server network deployment that includes configuration units such as the one depicted in Figure 4.6, begin by deciding the following:

  • The number of RIS servers you require (including both RIS image and RIS referral servers).

  • Where you will place RIS servers.

  • How you will distribute RIS server images to clients.

Defining the number of RIS servers

The number of RIS servers you need is largely dependent upon how many RIS clients you need to support. You might need multiple RIS servers to support the clients in a large organization or only one RIS server if you are deploying Windows XP Professional on a small LAN or network segment.

The number of RIS servers you will need is also affected by the demand for new, upgrade, or custom operating system installations. As a result, you will need to determine your needs prior to deploying a standard desktop configuration of Windows XP Professional or other operating systems to your clients. Once you determine your needs, you can calculate how many RIS servers to deploy. You can base your estimate on the following metric for best-case scenarios: one RIS server can send multiple operating system images over the network to up to 75 clients simultaneously.

The speed of your network and the hardware you use on your RIS server to support image distribution can also have a bearing on how many RIS servers you need. If you have slower network connections or RIS server hardware with marginal capabilities, you will need more RIS servers to handle client service requests to avoid network traffic bottlenecks during periods when RIS servers are active. If you follow the hardware recommendations specified in "Evaluating RIS Server Hardware Requirements" earlier in this chapter, you will be able to maintain support for the maximum number of clients per RIS server.

For load balancing and security reasons, consider using prestaged clients with a RIS referral and install server configuration. If you decide in favor of this configuration, then you must also determine the number of RIS referral servers you need to use. A RIS install server should be in close proximity to the clients it services, but a RIS referral server can pass client service requests to RIS install servers that are located across routers and domains. This is possible as long as the routers are enabled to pass DHCP traffic and there is a trust relationship between domains. As a general guideline for calculating how many RIS referral servers you will need, you can use a metric of one RIS referral server for every three RIS install servers.

For this part of your RIS server configuration design process, use the "RIS Network Deployment Configuration" section in job aid "Designing the RIS Server Configuration" (ACIRIS_09.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Designing the RIS Server Configuration" on the Web at https://www.microsoft.com/reskit) to record the total number of clients you need to support and the total number of RIS servers you need to provide image services. Also include the total number of RIS referral servers that you will need.

Defining RIS server placement

The primary issues concerning RIS server placement involve where you physically locate the server and where you place it in your Active Directory infrastructure. For more information about designing your Active Directory infrastructure, see "Designing the Active Directory Infrastructure" later in this chapter.

As a general guideline, place RIS servers in close physical proximity to the client computers they service rather than making connections across a WAN link. However, it might be necessary for your clients to locate a RIS server across a router or domain. When this is the case, the router must be configured to pass DHCP packet traffic and there must also be a trust relationship between domains. When considering RIS server placement in your network, you might also consult your DHCP scopes to analyze your domain structure.

In large organizations, do not place your RIS server on a DHCP server. This avoids potential failures in DHCP service if the RIS server becomes overloaded with client service requests. For more information about RIS server placement on the network, see "Assessing RIS Server Placement" earlier in this chapter.

Other placement issues are associated with the type of network connection you use to integrate RIS servers into your environment. Slow connections to RIS servers can hinder the speed of your entire network during periods when RIS is active. Inappropriate RIS server hardware that cannot support network demands can do the same thing. As a practical example, if your organization has branch offices, it is best to place a RIS server in each branch rather than attempting to have clients connect to a RIS server across a slow WAN connection.
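A sizing and placement check that applies the guidelines from "Defining the number of RIS servers" and this section together: 75 simultaneous clients per install server, one referral server per three install servers, install servers placed locally rather than across a WAN link, and referrals across routers or domains only where the routers forward DHCP traffic and a trust exists. This is an added Python example, not a Deployment Kit job aid or tool; the site names, client counts and domain names it uses are constructed.

```python
"""Sizing and placement check for a RIS server design.

Added example for this page, not a Deployment Kit tool. It applies the metrics
given in the text: 75 simultaneous clients per install server, one referral
server per three install servers, install servers local to their clients, and
referrals across routers only with DHCP forwarding and a domain trust.
All site data below is constructed."""
import math
from dataclasses import dataclass, field
from typing import Dict, List

MAX_CLIENTS_PER_INSTALL_SERVER = 75   # best-case metric from the text
INSTALL_SERVERS_PER_REFERRAL = 3      # general guideline from the text


@dataclass(frozen=True)
class Site:
    name: str
    clients: int                   # RIS clients that may request service at this site
    domain: str
    routers_forward_dhcp: bool     # routers between this site and the referral server pass DHCP
    trusts_referral_domain: bool   # a trust exists with the referral server's domain


@dataclass
class SitePlan:
    site: str
    install_servers: int
    reachable_by_central_referral: bool
    notes: List[str] = field(default_factory=list)


def plan_site(site: Site, referral_domain: str) -> SitePlan:
    """Size one site. Install servers are always placed locally, never across a WAN link."""
    n = math.ceil(site.clients / MAX_CLIENTS_PER_INSTALL_SERVER) if site.clients > 0 else 0
    plan = SitePlan(site.name, n, reachable_by_central_referral=True)
    if n == 0:
        plan.notes.append("no RIS clients; no install server needed")
        return plan
    # A referral server can pass requests across routers only if they forward DHCP traffic.
    if not site.routers_forward_dhcp:
        plan.reachable_by_central_referral = False
        plan.notes.append("routers must be configured to pass DHCP traffic")
    # Crossing a domain boundary additionally requires a trust relationship.
    if site.domain != referral_domain and not site.trusts_referral_domain:
        plan.reachable_by_central_referral = False
        plan.notes.append(f"a trust between {site.domain} and {referral_domain} is required")
    return plan


def plan_deployment(sites: List[Site], referral_domain: str) -> Dict[str, object]:
    """Totals for the job aid: install servers, referral servers, and sites a central
    referral server cannot reach as configured."""
    plans = [plan_site(s, referral_domain) for s in sites]
    total_install = sum(p.install_servers for p in plans)
    referral = math.ceil(total_install / INSTALL_SERVERS_PER_REFERRAL) if total_install else 0
    blocked = [p.site for p in plans if p.install_servers and not p.reachable_by_central_referral]
    return {
        "sites": plans,
        "install_servers": total_install,
        "referral_servers": referral,
        "sites_needing_fixes": blocked,
    }


# Constructed sample sites; the referral server sits in the HQ domain.
EXAMPLE_SITES = [
    Site("HQ", 400, "hq.example", routers_forward_dhcp=True, trusts_referral_domain=True),
    Site("Branch-East", 40, "hq.example", routers_forward_dhcp=False, trusts_referral_domain=True),
    Site("Lab", 120, "lab.example", routers_forward_dhcp=True, trusts_referral_domain=False),
    Site("Warehouse", 0, "hq.example", routers_forward_dhcp=True, trusts_referral_domain=True),
]

if __name__ == "__main__":
    result = plan_deployment(EXAMPLE_SITES, "hq.example")
    for p in result["sites"]:
        print(f"{p.site}: {p.install_servers} install server(s); {'; '.join(p.notes) or 'ok'}")
    print(f"total install servers: {result['install_servers']}, "
          f"referral servers: {result['referral_servers']}, "
          f"fix before relying on central referral: {result['sites_needing_fixes']}")
```

The small branch office still gets its own install server even though it has far fewer than 75 clients, which is the placement rule above; the planner only flags the two conditions (DHCP forwarding and a trust) that decide whether a central referral server can hand those sites' clients to their local install server.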

For this part of your RIS server configuration design process, use the "RIS Network Deployment Configuration" section of job aid "Designing the RIS Server Configuration" (ACIRIS_09.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Designing the RIS Server Configuration" on the Web at https://www.microsoft.com/reskit) to record the following:

  • The network location or site name.

  • The names of RIS install servers that provide service to specific clients.

  • Whether you need to enable DHCP on routers for cross-domain client service requests.

  • Whether you need to establish cross-domain trusts.

  • The names of your RIS referral servers and the Active Directory domains/subnets which they support.

Defining the distribution of RIS server images

Depending on the size of your network and the number of clients you have, you might need to create a scheme for managing the distribution of multiple operating system images from different RIS servers to ensure quick installations across the network. You can do this by using multiple RIS servers that provide custom operating system installations to specific clients. To provide specific operating system images to clients from designated RIS servers, you will need to do the following:

  • Create the operating system images you want on each RIS server using Risetup.exe or Riprep.exe.

  • Create unique answer files and associate them with specific operating system images on each RIS server.

  • Set security permissions on the answer files to configure which users or user groups can access the images.

You can also create unique versions of the CIW process with custom .osc files on each RIS server to manage how you identify and distribute images associated with each RIS server. By distributing operating system images from different RIS servers in this manner, you can mitigate network traffic and accelerate the installation process for designated RIS clients.

For this part of your RIS server configuration design process, use the "RIS Network Deployment Configuration" section of job aid "Designing the RIS Server Configuration" (ACIRIS_09.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Designing the RIS Server Configuration" on the Web at https://www.microsoft.com/reskit) to record whether you intend to use multiple RIS servers to handle the distribution of a single operating system or multiple operating systems. If you choose multiple operating systems, record the operating system image names, the RIS servers that will host them, and whether you want to use a corresponding custom CIW process on each RIS server.

For more information about creating operating system images, see "Designing the RIS Installation Type" earlier in this chapter. For more information about customizing the CIW process, see "CIW Design Tasks" earlier in this chapter.

Designing RIS Server Properties

How you configure your RIS server properties has an impact on RIS server performance and function. The properties you can set on a RIS server are located in the RIS server Properties dialog box. You can access this dialog box by using the Active Directory extension on your RIS server. To open the dialog box, right-click the RIS server computer account object in Active Directory and select Properties to access the Remote Install tab. From here you have access to RIS server properties, which include the following options:

  • Client support. Consists of options that allow you to determine which clients the RIS server responds to.

  • Computer naming format. Consists of various options that determine how computer account objects will be named.

  • Computer account location. Consists of options that determine where the computer account objects will be placed in Active Directory.

To determine the most appropriate settings to use for RIS server properties in your organization, use Table 4.4 as a guide.

Table 4.4   RIS Server Property Settings

Client support options. Use these when you need to configure the way RIS servers respond to clients requesting installation service. For more information about client support options, see "Designing RIS Server Security" later in this document.

  • Respond to client computers requesting service. Use when you want a RIS server to acknowledge all clients requesting service, including prestaged and non-prestaged clients, to whom the server makes its operating system images available. Use when maximum security is unnecessary or when you are setting up a RIS referral server.

  • Do not respond to unknown client computers. Use when you want a RIS server to acknowledge only clients with prestaged computer accounts in Active Directory, to whom the server makes its operating system images available. Use when you want to maximize the security applied to RIS clients so that unauthorized clients cannot receive an operating system installation.

Client computer naming format options. Use these when you configure the Automatic Setup option in Group Policy, so that you can apply the computer naming format to non-prestaged clients and to Custom Setup clients that do not provide input for computer name and Active Directory location.

  • User name. Use when you want to name the client computer requesting RIS service based on the user name of the operating system installer. This is the default setting.

  • NP plus MAC address. Use when you want to name the client computer requesting RIS service based on the media access control (MAC) address of the client network adapter.

  • Custom naming scheme. Use when you want to name the client computer requesting RIS service based on a custom naming format that you specify.

  • Other name variations. Use when you want to name the client computer requesting RIS service based on name variations such as first name, last name, initial, and so on.

Client account location options. Use these when you want to define the default Active Directory container for all client computer accounts prior to installation.

  • Default directory service location. Use when you want to specify that the client computer account object is created in the Computers container by default when the client joins the domain. Use when you want the client computer to become a member of the same domain as the RIS server handling the client installation process.

  • Same location as that of the user setting up the client computer. Use when you want to specify that the client computer account object is created within the same Active Directory container as the user account of the user setting up the computer, for example, in the Users container.

  • The following directory service location. Use when you want to predetermine where client computer account objects are created in Active Directory. Use when you want to configure an account location for all client computers installed from a RIS server.

Tip

  • If a prestaged client exists in a forest separate from the RIS forest and RIS is configured to not respond to unknown clients, this client will not be answered by RIS. You can fix this by configuring RIS to answer unknown clients and specifying the directory service location in the correct forest where computer accounts are created. Do this using the New Clients tab of the Remote Install dialog box on the RIS server.

For this part of your RIS server configuration design process, use the "RIS Server Properties" section of job aid "Designing the RIS Server Configuration" (ACIRIS_09.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Designing the RIS Server Configuration" on the Web at https://www.microsoft.com/reskit) to record the configuration settings you choose from Table 4.4.

Defining Other RIS Server Configuration Parameters

The Remote Install tab also provides you with access to other dialog boxes that allow you to do the following:

  • Associate new answer files with existing images.

  • Set security permissions on answer files.

  • Add new Risetup images to the RIS server.

  • Remove tools or view properties of tools provided by third parties.

  • Set security permissions on the RIS server computer account object in Active Directory.

From the Remote Install tab, you can also browse Active Directory to do such things as display the UUIDs of all your RIS clients along with the RIS servers designated to service them.

Defining answer file associations

By clicking the Advanced Settings button in RIS server Properties, you can define answer file associations on your RIS server. For example, from the Images tab, you can associate answer files with existing operating system images. This allows you to provide custom operating system installations based on answer files that you create and tailor for specific user needs. After you associate the answer file with an image, you can set permissions on the answer file to enable specific users to access the image associated with it.

Note

  • In Advanced Settings in RIS server Properties, setting permissions on an item under Descriptions on the Images tab sets permissions on answer files associated with images rather than on the images themselves.

You should already have recorded the design decisions that specify which answer files you associate with RIS installation images and the user groups that you permit or deny access to these files. These tasks are part of designing the RIS deployment mode and the CIW process.

Choosing additional Risetup images to host on RIS servers

From the Images tab of RIS server Properties, you can add new Risetup images to your RIS server based on an operating system CD that you provide. If you click the Add button on the Images tab, a dialog box displays with an option that starts the Risetup Wizard. The design decisions about which Risetup images you intend to host on your RIS server(s), made in "Riprep Image Design Tasks" earlier in this chapter, were recorded using job aid "Defining Risetup Images" (ACIRIS_07.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Defining Risetup Images" on the Web at https://www.microsoft.com/reskit).

Choosing to remove tools

From the Tools tab, you can remove tools or view the properties of system maintenance and troubleshooting tools provided by third parties. You cannot add tools to your RIS server from the Tools dialog box. Only independent software vendors (ISVs) or original equipment manufacturers (OEMs) can provide system maintenance and troubleshooting tools to administrators, technical support staff, and users of client computers. ISVs and OEMs use a custom setup program to add their tools to the \RemoteInstall directory on a RIS server.

Your RIS server configuration design might involve removing certain tools from your RIS server so that they are not available to clients. However, note that you can achieve the same objective by using Group Policy settings for specific user groups rather than by deleting the tool entirely. You cannot retrieve a tool once you delete it, except by the OEM reinstalling it. Record which tools you want to delete in the "Other RIS Server Configuration Parameters" section of job aid "Designing the RIS Server Configuration" (ACIRIS_09.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Designing the RIS Server Configuration" on the Web at https://www.microsoft.com/reskit).

Choosing to delegate RIS administrative tasks

If you decide to delegate administration of your RIS server, you can set permissions on your RIS server computer account in Active Directory from the Security tab of RIS server Properties. The decision to delegate RIS administrative tasks is addressed in the discussion about assessing delegation of RIS administrative tasks in "Planning Security for RIS Administrative Tasks" earlier in this chapter. If you recorded your decision in job aid "Planning RIS Server Security" (ACIRIS_05.doc) earlier, record that information now in the "RIS Administrative Task Security" section of the job aid. See "Planning RIS Server Security" (ACIRIS_05.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Planning RIS Server Security" on the Web at https://www.microsoft.com/reskit).

Designing RIS Server Security

Most RIS server security issues are addressed in "Planning RIS Server Security" (ACIRIS_05.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Planning RIS Server Security" on the Web at https://www.microsoft.com/reskit). The security design issue details that must now be completed include choosing how to do the following:

  • Provide secure responses from your RIS server to clients, with load balancing.

  • Provide security for non-prestaged RIS clients.

  • Optimize network security for RIS services.

  • Provide authorization for your RIS servers.

Designing secure RIS server responses and load balancing

To control how a RIS server responds to remote boot-enabled clients that request service, set Client support options on the RIS server Properties dialog box. Available settings consist of the following:

  • Respond to client computers requesting service. The RIS server responds to all clients requesting service. This is the least secure setting because the RIS server does not distinguish between authorized and unauthorized clients.

  • Do not respond to unknown client computers. The RIS server only responds to clients that have a prestaged computer account object in Active Directory. This is the most secure setting for your network because it enables you to limit access to only authorized clients that are prestaged in Active Directory.

If you configure a RIS server with the Respond to client computers requesting service option, you designate that server to handle all client requests for RIS services. In this configuration, you have less security with respect to unknown and possibly unauthorized clients accessing the RIS server. However, you can enhance security by configuring the RIS server to respond only to prestaged clients, using the Do not respond to unknown client computers option.

In addition, if you prestage all computer accounts and use the RIS referral and install server configuration described in "Designing the RIS Network Deployment Configuration," you can provide load balancing for client service requests by:

  • Dedicating RIS servers as referral servers that acknowledge all initial prestaged client service requests and then provide referrals to the appropriate RIS install servers.

  • Using specific RIS install servers to handle service requests from designated clients.

Figure 4.7 illustrates how a referral server responds to non-prestaged and prestaged RIS clients.

Figure 4.7   Securing Client Request Responses and Achieving Load Balancing With RIS Servers

In Figure 4.7, only Server B is configured as a referral server because it is the only one that can respond to initial client requests for RIS services. It is also configured to only respond to prestaged or "known" clients. Because Client 1 and Client 3 are prestaged and configured to obtain service from a specific RIS server, they receive replies from Server B that refer them to either Server A or Server C.

In Figure 4.7, Servers A and C cannot reply to initial client service requests, but only provide operating system installation services to Client 1 and Client 3 through referrals from Server B. Client 2 is not recognized by Server B because it is not prestaged and therefore cannot receive service from any RIS server.

If you configure Server B without the Do not respond to unknown client computers option, then Server B itself replies to service requests from Client 2 and offers itself as the remote boot server. Server B functions this way because it is configured to respond to all clients requesting service (Respond = Yes in Figure 4.7).
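The decision sequence described for Figures 4.6 and 4.7 (an install-only server ignores the initial request; a referral server configured with Do not respond to unknown client computers answers only clients with a prestaged computer account and refers them to their designated install server; a referral server that answers all clients offers itself to an unknown client), modelled as an added Python example. This is not code from the Deployment Kit; the server names, client UUIDs and prestaged accounts are constructed, the first eligible server in list order is taken as the responder, and the assumption that Server B also hosts images is marked in the code.

```python
"""Model of how the RIS servers in Figures 4.6 and 4.7 answer a remote boot request.

Added example for this page, not code from the Deployment Kit. Server names,
client UUIDs and the prestaged accounts below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RisServer:
    name: str
    answers_initial_requests: bool  # True for a referral server, False for an install-only server
    respond_to_unknown: bool        # False = "Do not respond to unknown client computers"
    hosts_images: bool              # install servers hold images; a pure referral server may not


@dataclass(frozen=True)
class PrestagedAccount:
    """A prestaged computer account object in Active Directory (constructed)."""
    computer_name: str
    designated_server: Optional[str]  # RIS install server named on the account, if any


# Active Directory lookup keyed by client UUID, the identifier RIS displays for its clients.
Directory = Dict[str, PrestagedAccount]


def answer_request(client_uuid: str, servers: List[RisServer],
                   directory: Directory) -> Tuple[Optional[str], Optional[str], List[str]]:
    """Simulate one remote boot request as a broadcast seen by every server.

    Returns (server that replied, server that performs the installation, trace).
    The first eligible server in list order wins; on a real segment several
    responders would race, which is why the text dedicates one referral server.
    """
    trace = [f"client {client_uuid}: broadcasts a remote boot request"]
    account = directory.get(client_uuid)  # None means the client is "unknown"
    by_name = {s.name: s for s in servers}

    for s in servers:
        if not s.answers_initial_requests:
            trace.append(f"{s.name}: install-only server, ignores the initial request")
            continue

        if account is None:
            if not s.respond_to_unknown:
                trace.append(f"{s.name}: client not prestaged, no reply")
                continue
            # "Respond to client computers requesting service": the server offers itself.
            trace.append(f"{s.name}: unknown clients allowed, offers itself")
            return s.name, s.name, trace

        target = account.designated_server
        if target in by_name and by_name[target].hosts_images:
            trace.append(f"{s.name}: {account.computer_name} is prestaged, refers it to {target}")
            return s.name, target, trace
        if s.hosts_images:
            trace.append(f"{s.name}: {account.computer_name} has no usable designated server, "
                         "services it itself")
            return s.name, s.name, trace
        trace.append(f"{s.name}: {account.computer_name} is prestaged but no install server is available")

    trace.append("no RIS server replied; the client is not installed")
    return None, None, trace


def figure_4_7(server_b_respond_to_unknown: bool = False) -> Dict[str, Optional[str]]:
    """Replay the Figure 4.7 scenario; returns which server installs each client."""
    servers = [
        RisServer("ServerA", answers_initial_requests=False, respond_to_unknown=False, hosts_images=True),
        # Server B is the referral server. Assumption: it also hosts images, because the text
        # says it offers itself to Client 2 when it is allowed to answer unknown clients.
        RisServer("ServerB", answers_initial_requests=True,
                  respond_to_unknown=server_b_respond_to_unknown, hosts_images=True),
        RisServer("ServerC", answers_initial_requests=False, respond_to_unknown=False, hosts_images=True),
    ]
    # Constructed UUIDs; Client 2 has no prestaged account.
    directory: Directory = {
        "uuid-client-1": PrestagedAccount("CLIENT1", designated_server="ServerA"),
        "uuid-client-3": PrestagedAccount("CLIENT3", designated_server="ServerC"),
    }
    clients = {"Client1": "uuid-client-1", "Client2": "uuid-client-2", "Client3": "uuid-client-3"}
    return {label: answer_request(uuid, servers, directory)[1] for label, uuid in clients.items()}


if __name__ == "__main__":
    for allow_unknown in (False, True):
        print(f"Server B responds to unknown clients = {allow_unknown}: {figure_4_7(allow_unknown)}")
```

With the option set, Client 2 gets no reply from any server, and Clients 1 and 3 are handed to Servers A and C respectively; clearing it makes Server B the installing server for Client 2. The trace returned by answer_request is the per-server view of the same exchange, which is what you would want to compare against when checking that an install-only server never answers on its own.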

If you have not already done so, use the "RIS Server Properties" and "RIS Network Deployment Configuration" sections of job aid "Designing the RIS Server Configuration" (ACIRIS_09.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Designing the RIS Server Configuration" on the Web at https://www.microsoft.com/reskit) to record the Client support options you choose and whether you want to use the RIS referral and install server configuration.

Designing security for non-prestaged RIS clients

To improve the security of non-prestaged RIS clients, you can control which valid users can create computer accounts in Active Directory during installation. You do this by using the Active Directory Delegation feature to preassign the right to join computers to the domain. This automatically provides the user with the Create/Delete Computer Objects permission. You can also do this by explicitly adding the Create Computer Objects and Delete Computer Objects permissions to the user within the Computers container of the appropriate domain or organizational unit in Active Directory.

By pre-assigning prestaged client computers with the right to join a domain, you enable users to turn on their systems, connect to a RIS server, log on with their domain accounts, and perform an unassisted installation of an operating system image — all without compromising the security of your network.

For this part of your RIS server security design process, use the "RIS Server Security" section of job aid "Designing the RIS Server Configuration" (ACIRIS_09.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Designing the RIS Server Configuration" on the Web at https://www.microsoft.com/reskit) to indicate whether you want to secure non-prestaged RIS clients by giving them the right to join a domain using the Active Directory Delegation feature.

Designing an optimal security configuration with prestaged clients

You can optimize RIS server security by using prestaged clients. After you prestage computer accounts in Active Directory, configure your RIS server to only respond to these prestaged clients. To further enhance security, you can configure your users with read, write, and reset or change password permissions on the prestaged computer account objects.

For this part of your RIS server security design process, use the "RIS Server Security" section of job aid "Designing the RIS Server Configuration" (ACIRIS_09.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Designing the RIS Server Configuration" on the Web at https://www.microsoft.com/reskit) to record your decision to enhance the security of prestaged clients by setting user permissions on the prestaged computer accounts. Also indicate the user groups you want to receive these permissions.

Designing the RIS server authorization method

To ensure that your RIS clients are serviced by known RIS servers on the network, you must authorize each RIS server. This ensures that the RIS server is recognized in Active Directory.

The easiest way to authorize RIS on a computer running Windows Server 2003 is to use the Verify Server feature on the Remote Install tab of the RIS server Properties dialog box. You can also type the following command at the command line:

Risetup /Check

If you intend to delegate this task to specific personnel, they must be part of the Enterprise Admins security group or another group that you configure with this permission in order to access and configure a RIS server.

Alternatively, you can authorize a RIS server to Active Directory by using the Authorize function in the Manage Authorized Servers dialog box in the Windows Server 2003, Windows XP, or Windows 2000 DHCP snap-in.

To use the DHCP snap-in to authorize the RIS server, it is unnecessary to install the DHCP service. You can use this snap-in if the Administrative Tools package is installed on a computer running Windows XP Professional or Windows Server 2003, from which you can authorize the RIS server. You can install this package by running the adminpak.msi installer — located in the System32 directory of a computer running Windows Server 2003 — on the computer running Windows XP Professional.

You should not attempt to install Windows Server 2003 DHCP on a RIS server just to obtain the snap-in. To service RIS clients, any combined Windows Server 2003 DHCP/RIS server must have a fully functional DHCP service with defined and active scopes. This is because the Windows Server 2003 DHCP service on a combined server is aware that RIS is also present. If a client requests DHCP and remote boot services in its DHCP discovery broadcast, DHCP issues a single reply containing the specific details on DHCP and remote booting for that server. If the Windows Server 2003 DHCP service is not answering clients properly, the server does not generate a remote boot reply to clients requesting service.

For this part of your RIS server security design process use the "RIS Server Security" section of job aid "Designing the RIS Server Configuration" (ACIRIS_09.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Designing the RIS Server Configuration" on the Web at https://www.microsoft.com/reskit) to record the following information:

  • The names of RIS server authorization personnel, who are either included in the Enterprise Admins group or in a separate RIS authorizers group that has appropriate permissions.

  • The RIS server authorization location.

  • The RIS server authorization method.

  • Whether you need to install the Administrative Tools package on a computer running Windows XP Professional.

If you have multiple RIS servers, you might simplify things by using a common location and authorization method for each one. For example, you can choose to authorize all RIS servers from a remote administration session by using the Verify button in RIS server Properties.