Designing the Active Directory Infrastructure
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The successful implementation of RIS in your environment requires you to carefully analyze your Active Directory architectural design. The logical structure of Active Directory is separate and distinct from the physical network structure. You use physical structures to configure and manage network traffic. You use the logical structure of Active Directory to organize your network resources.
The core units of logical structure in Active Directory are forests, trees, domains, and organizational units. Forests consist of multiple trees, which in turn consist of multiple domains that share a contiguous namespace. For any given domain, Active Directory provides organizational units, which are containers that you can use to organize users, computers, and resources into logical administrative groups. This can assist you when defining your RIS server location in Active Directory.
The core units of physical structure associated with Active Directory are sites, which consist of one or more Internet Protocol (IP) subnets connected by a high-speed link. Sites map the physical structure of a network; domains map the logical structure of your organization. Active Directory allows multiple domains in a single site and multiple sites in a single domain.
For further information about Active Directory planning and deployment, see "Designing the Active Directory Logical Structure" in Designing and Deploying Directory and Security Services of this kit.
Choosing the Active Directory Location for RIS Servers
Where you place your RIS servers in Active Directory depends in part on how many clients you need to provide with RIS services. The Active Directory location you choose might also depend on your existing infrastructure. If you have a domain containing subnets that each have 75 clients or fewer, you might create an infrastructure with organizational units for each subnet, each serviced by a single RIS install server. Otherwise, for domains with 75 clients or fewer, you can use a single RIS install server to provide service to domain clients. Also, to simplify administrative organization, you can choose to create a logical grouping of your RIS servers by placing them all in the same organizational unit.
If it is not possible to locate your clients in close physical proximity to your RIS server, you might locate a RIS server at a particular site and allow RIS clients to connect to it remotely to receive remote installation services. If RIS servers and clients are at different Active Directory sites on separate IP subnets in a common domain, you must connect them with high-speed links, such as a fiber optic backbone. This ensures adequate installation times and minimal traffic congestion during periods when RIS is active.
For this part of your Active Directory infrastructure design process, use the "RIS Network Deployment Configuration" section of job aid "Designing the RIS Server Configuration" (ACIRIS_09.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Designing the RIS Server Configuration" on the Web at http://www.microsoft.com/reskit) to record the Active Directory location of each RIS server.
Designing Active Directory Support
To design the Active Directory configuration that supports RIS, you need to define the following:
Any new Active Directory security groups you want to provide for RIS administrators.
The details of prestaging RIS clients in Active Directory.
Defining new Active Directory security groups
If you decided to delegate RIS administrative tasks in job aid "Planning RIS Server Security" (ACIRIS_05.doc), you need to create a new group in Active Directory for RIS administrators. For more information about delegation issues, see "Planning Security for RIS Administrative Tasks" earlier in this chapter. If you want to designate more than one group, with each handling different tasks, you need to create multiple security groups. After you create the groups, you need to set the appropriate permissions so that each group can perform its assigned tasks.
For this part of your Active Directory design, use the "Designing Active Directory Support" section of job aid "Designing the RIS Server Configuration" (ACIRIS_09.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Designing the RIS Server Configuration" on the Web at http://www.microsoft.com/reskit) to finalize your decision to create Active Directory security groups for RIS administrators or add administrative personnel to the Enterprise Admins group. If you decide to create new groups, record the names of the groups and the personnel you want to add to them.
Defining prestaging details
You can prestage client computer accounts either manually using the Active Directory snap-in or with the prestaging script (available from the Remote Installation Scripts link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources). If you have a small number of clients, it might be sufficient to use the snap-in. If you use the snap-in, however, you can only configure the computer name, UUID, and the RIS server you choose to support the client. You cannot specify which startup file is designated for each client, as you might want to do when configuring some clients with automated installations and others with interactive installations. However, you can designate the startup file by using the prestaging script.
While the primary use of the prestaging script is to automate the prestaging process, you can also use it to automate the configuration of startup boot files for client use. Automating this process helps reduce administrative efforts in a large environment. However, for the prestaging script to work properly, you must run it from within the domain where you want to prestage clients, and the computer from where you run it must have ADSI installed.
The prestaging script uses an Excel spreadsheet created by the BIOS information script as input data, as described in "Evaluating the RIS Client Prestaging Process" earlier in this chapter. You run the BIOS information script to automate the process of obtaining the UUIDs of existing client computers on your network for prestaging these computer accounts in Active Directory.
If you have an OEM spreadsheet with the UUIDs of new client computers, you can add this information to the second column of the Excel spreadsheet generated by the BIOS information script. The OEM UUIDs that you add to the spreadsheet must each be a 32-bit hexadecimal number in raw byte order format as follows:
When you prestage manually using the Active Directory snap-in, you can use either the raw byte or pretty print format. Pretty print format includes curly braces and spaces, as follows:
When you add OEM UUIDs to the spreadsheet, you must also add other information, including the new computer account name, location, domain\user, description, and startup boot file path. See the prestaging script for more information. The startup boot file path is the path to the RIS server location where the boot files are located, for example:
In the spreadsheet, you can specify which startup file you want for each client by using either the Startrom.n12 or Startrom.com boot file. However, the prestaging script also provides options that allow you to set all clients to either boot file, to accommodate groups of clients that you configure with interactive or automated installations. When you choose to use these options, you must specify the appropriate action command, the RIS server name, the image name, and the path to a fully-configured input spreadsheet file. In this case, the script does not read data from the cells in the Startup File Path column of the spreadsheet, but applies the value you enter at the command line to each client computer account listed in the spreadsheet. The values are automate, which configures the client with Startrom.n12, and interactive, which configures the client with Startrom.com.
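The following Python example is added here and is not the prestaging script or any other code from this kit. It converts between the pretty-print UUID form the snap-in displays and the 32-hex-digit raw byte order form the spreadsheet column must hold, rejects malformed values before they are prestaged, and applies the automate/interactive override described above to a set of constructed sample rows. Assumptions: raw byte order follows the Windows in-memory GUID layout (first three fields little-endian, so only those three are byte-reversed), and the row column names, computer names, and boot file paths are hypothetical.

```python
import re

# Constructed sample rows (not from the page); names and paths are hypothetical.
SAMPLE_ROWS = [
    {"name": "LAB-PC01", "uuid": "2A9F3F8B4D1C5F4EA6B7C8D9E0F1A2B3",
     "startup_file_path": r"\\RIS01\RemInst\Startrom.n12"},
    {"name": "LAB-PC02", "uuid": "{0D9C1B2A-3E4F-5A6B-7C8D-9E0F1A2B3C4D}",
     "startup_file_path": r"\\RIS01\RemInst\Startrom.com"},
]
H = r"[0-9A-Fa-f]"
RAW_RE = re.compile(r"^%s{32}$" % H)
PRETTY_RE = re.compile(r"^\{?(%s{8})-(%s{4})-(%s{4})-(%s{4})-(%s{12})\}?$" % ((H,) * 5))
STARTUP_FILE = {"automate": "Startrom.n12", "interactive": "Startrom.com"}

def _swap(group):
    """Reverse the byte order of a hex group: "8B3F9F2A" -> "2A9F3F8B"."""
    return "".join(group[i:i + 2] for i in range(len(group) - 2, -1, -2))

def pretty_to_raw(pretty):
    """{8-4-4-4-12} pretty print -> 32 hex digits in raw byte order.
    Assumption: raw byte order is the Windows in-memory GUID layout, whose
    first three fields are little-endian, so only those three are reversed."""
    m = PRETTY_RE.match(pretty.strip())
    if not m:
        raise ValueError("not a pretty-print UUID: %r" % pretty)
    d1, d2, d3, d4, d5 = m.groups()
    return (_swap(d1) + _swap(d2) + _swap(d3) + d4 + d5).upper()

def raw_to_pretty(raw):
    """Inverse conversion, for checking a raw value against what the snap-in shows."""
    if not RAW_RE.match(raw):
        raise ValueError("not a raw byte order UUID: %r" % raw)
    r = raw.upper()
    return "{%s-%s-%s-%s-%s}" % (_swap(r[:8]), _swap(r[8:12]), _swap(r[12:16]),
                                 r[16:20], r[20:])

def normalize_uuid(value):
    """Accept either format and return raw byte order, the form the spreadsheet
    column must hold; anything else is rejected rather than prestaged."""
    value = value.strip()
    return value.upper() if RAW_RE.match(value) else pretty_to_raw(value)

def build_prestage_list(rows, action=None):
    """Return (name, raw_uuid, startup_file) per row. With action set to
    "automate" or "interactive" the Startup File Path column is ignored and
    every client gets the matching boot file, as the script's options do."""
    if action is not None and action not in STARTUP_FILE:
        raise ValueError("action must be 'automate' or 'interactive'")
    return [(r["name"], normalize_uuid(r["uuid"]),
             STARTUP_FILE[action] if action else r["startup_file_path"]) for r in rows]
```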
The prestaging script contains usage instructions that explain how to run the script and the commands or input arguments you must provide. The script also provides header information that explains the details of the Excel spreadsheet file format. Whether you prestage by script or manually, you still must acquire the UUIDs for your client computers. For more information about methods to acquire the UUIDs for client computers, see "Evaluating the RIS Client Prestaging Process" earlier in this chapter.
For this part of your Active Directory design, use the "Designing Active Directory Support" section of job aid "Designing the RIS Server Configuration" (ACIRIS_09.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Designing the RIS Server Configuration" on the Web at http://www.microsoft.com/reskit) to record your decision to prestage client computers in Active Directory either manually or using the prestaging script. If you decide to prestage, also record the name of the input Excel file that the script requires and the personnel who will create and configure this file. You can also specify the method you will use to obtain UUIDs.