Prestaging Client Computers

Applies To: Windows Server 2008, Windows Server 2008 R2

In This Topic

  • Creating Computer Account Objects in AD DS

  • Benefits of Prestaging Client Computers

  • Enabling the Auto-Add Policy

  • Purging the Auto-Add Database

Creating Computer Account Objects in AD DS

You can use Windows Deployment Services to link physical computers to computer account objects in Active Directory Domain Services (AD DS). Computer accounts are created when you:

  • Create an account before you have attempted a network boot. You can do this using the Active Directory Users and Computers snap-in or WDSUTIL. For instructions, see the "Prestage Computers" section in How to Manage Client Computers.

  • Enable the Auto-Add policy. If you enable this policy, when you approve the installation for an unknown client, the installation will proceed and a computer account will be created in AD DS for the client. For more information, see Enabling the Auto-Add Policy later in this topic.

  • Install an operating system. By default, all operating system installations using Windows Deployment Services result in a client computer that is joined to a domain. You can disable this functionality using the Client tab of the server’s properties.

Once a computer is linked to a computer account object in AD DS (using any of these methods), the computer is considered “prestaged” or “known.” You can then configure properties on the computer account to control the client’s installation (these properties can be set only by using WDSUTIL, not the MMC snap-in). For example, you can configure the unattend file that the client should receive and the server that the computer should contact for a network boot. For instructions, see the "Prestage Computers" section in How to Manage Client Computers.

Benefits of Prestaging Client Computers

Prestaging clients provides three main benefits:

  • An additional layer of security. You can configure Windows Deployment Services to answer only prestaged clients, which ensures that clients that are not prestaged cannot boot from the network.

  • Additional flexibility. Prestaging clients increases flexibility by enabling you to control the following. For instructions on performing these tasks, see the “Prestage Computers” section of How to Manage Client Computers.

    • The computer account name and location within AD DS.

    • Which server the client should network boot from.

    • Which network boot program the client should receive.

    • Other advanced options — for example, what boot image a client will receive or what Windows Deployment Services client unattend file the client should use.

  • The ability for multiple Windows Deployment Services servers to service the same network segment. You can do this by restricting the server to answer only a particular set of clients. Note that the prestaged client must be in the same forest as the Windows Deployment Services server (trusted forests do not work).

Enabling the Auto-Add Policy

When the Auto-Add policy is enabled, administrative approval is required before unknown clients (clients that are not prestaged) can install an image. To enable this policy, do one of the following:

  • Right-click the server in the MMC snap-in, and then click Properties. On the PXE Response settings tab, click Respond to all (known and unknown) client computers, and then select the check box For unknown clients, notify administrator and respond after approval.

  • Run WDSUTIL /Set-Server /AutoAddPolicy /Policy:AdminApproval.

Note

For instructions about performing common tasks related to the Auto-Add policy, see How to Manage Client Computers (https://go.microsoft.com/fwlink/?LinkID=115265).

If you enable this policy, when an unknown computer attempts to boot against the server, the computer will appear in the Pending Devices node of the MMC snap-in. The computer will remain in this pending queue until you approve or reject it, the time-out is reached, or the user cancels the attempt. If you approve the computer, the computer will continue booting from the network, and a computer account object will be created in AD DS to represent the physical computer. If you reject the computer, the network boot will abort, the computer will boot from the next item in the boot order, and a computer account will not be created. If you do not enable this policy, Windows Deployment Services will not create a computer account for unknown clients. It will, however, still answer clients according to the settings on the server.

The Auto-Add policy applies only when the Windows Deployment Services server is set to answer all clients, and Windows Deployment Services does not find a prestaged computer account for a booting computer. In all other cases, this policy will not be in effect. Also note that this policy does not pertain to computers that use Extensible Firmware Interface (EFI) if your server is running Windows Server 2008 (Windows Server 2008 R2 supports the Auto-Add policy for EFI-based computers).

Note

If you are creating computer accounts against a non-English domain controller and you are using the default user property, you must configure the Auto-Add settings to use a different account whose name does not contain extended characters. If the account name contains a non-standard character (any character outside [A-Z, a-z, 0-9, -, and so on]), such as the German "Domänen-Admins", Auto-Add will fail. To change this value, see the command-line help for WDSUTIL /Set-Server /AutoAddSettings.

Purging the Auto-Add Database

All computers in the pending queue are represented as an entry in the Auto-Add database. This temporary storage location serves three purposes:

  • To provide the management utilities with a list of all pending computers on a server.

  • To serve as an audit trail by recording what computers have been approved or rejected.

  • To reduce the size of AD DS and keep old computer account objects out of the AD DS.

Each record is considered unapproved, rejected, or approved. By default, Windows Deployment Services purges unapproved and rejected computers from the database every 24 hours and purges approved computers every 30 days.

To delete an approved computer (one that was added to AD DS by using the approval process), you must perform two steps. First, you must delete the computer from AD DS. Second, you must delete the computer's record in the Auto-Add database (using WDSUTIL /Delete-AutoAddDevices /DeviceType:ApprovedDevices) or else the client will not be able to boot from the network. This occurs because the record in the Auto-Add database shows the computer as approved, but a prestaged computer in AD DS will never be found (because the computer was deleted).
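The two-step removal described above, as an added PowerShell example (not part of this topic or of the WDS product). It assumes an elevated session on a Windows Server 2008 R2 WDS server with the ActiveDirectory module installed; the computer name is supplied by the caller.

```powershell
# Added example: remove a computer that the Auto-Add approval process added, in the
# order the topic requires, so that its Auto-Add record cannot block a later network boot.
# Assumes: elevated session on the WDS server, ActiveDirectory module present (2008 R2).
param(
    [Parameter(Mandatory = $true)]
    [string]$ComputerName   # constructed sample value when run by hand: PC-LAB-042
)
Import-Module ActiveDirectory

# Step 1: delete the computer account object from AD DS.
# A filter lookup is used so that a missing account is reported instead of terminating.
$account = Get-ADComputer -Filter { Name -eq $ComputerName }
if ($null -eq $account) {
    Write-Warning "No AD DS computer account named '$ComputerName' was found; only the Auto-Add records will be cleared."
} else {
    Remove-ADComputer -Identity $account -Confirm:$false
    Write-Host "Deleted AD DS computer account '$ComputerName'."
}

# Step 2: clear the approved records in the Auto-Add database. Without this step the
# database still marks the computer as approved while AD DS no longer holds a prestaged
# object for it, and the client's network boot fails (the failure mode the topic describes).
# Note: this command removes every approved record, not only this computer's.
& WDSUTIL /Delete-AutoAddDevices /DeviceType:ApprovedDevices
if ($LASTEXITCODE -ne 0) {
    throw "WDSUTIL /Delete-AutoAddDevices failed with exit code $LASTEXITCODE"
}
Write-Host "Approved records cleared from the Auto-Add database."
```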

To delete rejected devices, run WDSUTIL /Delete-AutoAddDevices /DeviceType:RejectedDevices.

To delete all (approved, pending, rejected) computers from the Auto-Add database

  1. Run WDSUTIL /stop-server to stop all services.

  2. Create a Temporary folder in the \RemoteInstall\Mgmt folder.

  3. Move all existing files in the Mgmt folder to the Temporary folder.

  4. Run WDSUTIL /start-server to start all services.
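The four steps above as one PowerShell script, added here as an example and not taken from this topic or from the WDS product. It assumes an elevated session on the WDS server itself, WDSUTIL on the PATH, and the RemoteInstall folder at D:\RemoteInstall (the path is an assumption and is exposed as a parameter); it keeps the moved files, so the audit trail of approvals and rejections survives the purge.

```powershell
# Added example: purge the Auto-Add database by following the topic's four steps.
# Assumes: elevated session on the WDS server, WDSUTIL on PATH, RemoteInstall at D:\RemoteInstall.
param(
    [string]$RemoteInstall = 'D:\RemoteInstall'   # assumed location of the RemoteInstall folder
)

$mgmt = Join-Path $RemoteInstall 'Mgmt'
if (-not (Test-Path $mgmt)) {
    throw "Mgmt folder not found at '$mgmt'; check the RemoteInstall path."
}

# Holding folder inside Mgmt. The topic names it "Temporary"; the time stamp is added here
# so that repeated purges never overwrite the files kept from an earlier purge.
$temp = Join-Path $mgmt ('Temporary-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

# Step 1: stop all WDS services so the database files are not in use while they are moved.
& WDSUTIL /Stop-Server
if ($LASTEXITCODE -ne 0) {
    throw "WDSUTIL /Stop-Server failed with exit code $LASTEXITCODE"
}

try {
    # Step 2: create the holding folder in \RemoteInstall\Mgmt.
    New-Item -ItemType Directory -Path $temp | Out-Null

    # Step 3: move every existing file out of Mgmt into the holding folder.
    # PSIsContainer is used instead of Get-ChildItem -File so this also runs on
    # the PowerShell 2.0 that ships with Windows Server 2008 R2.
    Get-ChildItem -Path $mgmt |
        Where-Object { -not $_.PSIsContainer } |
        Move-Item -Destination $temp
}
finally {
    # Step 4: start all services again, even if a move failed, so the server is not left down.
    & WDSUTIL /Start-Server
    if ($LASTEXITCODE -ne 0) {
        Write-Error "WDSUTIL /Start-Server failed with exit code $LASTEXITCODE"
    }
}

Write-Host "Auto-Add database files moved to '$temp'; WDS restarted with an empty pending queue."
```

Keep the holding folder until you are sure the previous approvals and rejections no longer need to be audited; deleting it discards that record.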