Configuring RIS Servers

With RIS, you can designate which RIS servers accept and process client requests, and which RIS servers respond only to known clients on the network.

After you have successfully installed RIS and authorized it in Active Directory, configure your RIS settings. These settings are required to service clients on your network. From within the Active Directory Users and Computers snap-in, use the RIS Administrative Tools to do the following:

  • Reset and create computer account objects.

  • Browse Active Directory.

  • Search for computer accounts by name, globally unique identifiers (GUIDs), and dedicated servers.

  • Configure the server.

These settings allow clients to locally install Windows 2000 Professional from RIS servers. RIS does not provide a mechanism for replicating operating system images from one RIS server to another, such as from RIS server 2 to RIS server 3 in Figure 24.2. However, you can use third-party replication tools for operating system image replication. Make sure that the replication mechanism supports the file maintenance attributes, extended attributes, and security settings of the source images.

Restricting Client Installation Options by Using Group Policy

Group Policy applies to sites, domains, and organizational units. It is important that you understand the effects of Group Policy in your organization before setting specific policies for your users or computers. You can determine which choices the Client Installation Wizard displays to a particular user or user group by using the Group Policy snap-in. For more information about Group Policy, see "Group Policy" in this book.

To restrict the Client Installation Wizard options for users of RIS in your organization, set the desired Group Policy settings for the RIS servers on your network by using the following procedure.

To set RIS policy to restrict the installation options for a particular user or security group

  1. Locate the Active Directory container where you want to set the RIS policy settings. By default, the RIS policy settings are applied in the Default Domain Policy object, which is located at the root of your domain.

  2. Right-click your domain root name, click Properties, and then click the Group Policy tab.

  3. In the Group Policy Object Links window, select your Default Domain Policy object, and then click Edit.

  4. Click User Configuration, double-click Windows Settings, and then click Remote Installation Services.

  5. Double-click Choice Options in the right pane.

  6. On the Policy tab, set the Automatic Setup, Custom Setup, Restart Setup, and Tools settings. Set the policy for the options available to users in the Client Installation Wizard from the following choices:

    • Allow    Users who are affected by this policy are allowed to access that installation option in the Client Installation Wizard.

    • Don't Care    Users receive the policy settings of the parent container. For example, if the administrator for the entire domain sets a RIS-specific policy, and the administrator of this container chooses the Don't Care option, the policy that is set on the domain is applied to all users who are affected by that policy.

    • Deny    Users who are affected by this policy are not allowed to access that installation option in the Client Installation Wizard.

For more information about the Client Installation Wizard, see "Using Client Installation Wizard to Install Clients" later in this chapter.

Defining a Computer Naming Policy

The computer naming policy that is used during operating system installation provides the computer with a unique name. The computer name identifies the client on the network, similar to the NetBIOS name used in Microsoft® Windows NT® version 4.0. If you have an existing computer naming policy, you can set this format prior to users turning on their computer and requesting an operating system installation.

You can determine the computer naming format and the Active Directory container in which client accounts are created. In a large organization where multiple RIS servers are available, it is beneficial to define a computer naming policy that is used to prestage clients and to define which RIS servers a client can access.

To define computer naming policy

  1. Start the Active Directory Users and Computers snap-in.

  2. Right-click the RIS server.

  3. Click Properties, and then click the Remote Install tab.

  4. Click Advanced Settings.

  5. Click New Clients.

  6. Define computer naming and where the computer account object is created for new clients.

The New Clients page of the Advanced Settings property sheet allows you to control the name that the client is assigned when a user selects the Automatic Setup option within the Client Installation Wizard and where the computer account object is created in Active Directory. The naming format defaults to the user name of the account entered in the Client Installation Wizard with an incremental number (#) appended. You can customize this format. Table 24.1 lists the RIS computer naming options.

Table 24.1 RIS Computer Naming Options

Naming Option          Property
%first                 User's first name
%last                  User's last name
%Username (Default)    User's logon name
%MAC                   Media access control (MAC) address of the network adapter
%#                     Incremental number
%nField                Number of characters to be used in the indicated field

Note

You cannot use all Active Directory object attributes to create a naming format for use with the RIS automatic computer naming feature.

For example, if you create a name with the following format:

%5Username%3#

Where Username = JoeUser, %nField = %5, and %# = %3.

This yields the name: JoeUs123

For %5Username, RIS uses the first five characters of "JoeUser", which produces the "JoeUs" portion of the name. The "123" is determined by scanning Active Directory for existing computer account objects: %3# specifies a three-digit incremental number, and in this case RIS had to count up to 123 before finding an unused number, hence "JoeUs123". By changing the digit count in "%3#", you can restrict or broaden the search from 0-9 to 0-999999999. It is best to keep your incremental number to as few digits as possible. The default is 2 if no digit count is given.
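As an added example (not part of the original chapter), the following Python models how a naming format built from the tokens in Table 24.1 is expanded for one new client; the Active Directory search for existing computer account objects is replaced by a constructed set of account names, and the user's field values are a constructed sample.

```python
import re

# Constructed sample standing in for the RIS server's search of existing
# computer account objects in Active Directory (assumption: a plain set of names).
EXISTING_ACCOUNTS = {"JoeUs%03d" % n for n in range(123)}   # JoeUs000..JoeUs122 taken

# Field values supplied for the user who logged on in the Client Installation Wizard
# (constructed sample; field names follow Table 24.1).
SAMPLE_USER = {"first": "Joe", "last": "User", "username": "JoeUser", "mac": "00AA0057B223"}

# One naming token: optional width n, then the field name or # (case-insensitive).
_TOKEN = re.compile(r"%(\d*)(first|last|username|mac|#)", re.IGNORECASE)


def expand_naming_format(fmt, user, existing, default_digits=2):
    """Expand an RIS naming format such as %5Username%3# for one new client.

    %nField keeps the first n characters of the field; %n# is an incremental
    number of n digits (default width 2), chosen as the lowest value that does
    not collide with an existing computer account name.
    """
    def build(counter):
        def sub(m):
            width, field = m.group(1), m.group(2).lower()
            if field == "#":
                return "%0*d" % (int(width) if width else default_digits, counter)
            value = user[field]
            return value[:int(width)] if width else value
        return _TOKEN.sub(sub, fmt)

    # Digit width of the counter decides the search range: 0 .. 10**n - 1.
    widths = [int(w) if w else default_digits
              for w, f in _TOKEN.findall(fmt) if f == "#"]
    if not widths:
        return build(0)            # no %# in the format: nothing to search for
    for counter in range(10 ** widths[0]):
        candidate = build(counter)
        if candidate not in existing:
            return candidate
    raise RuntimeError("no free incremental number with %d digit(s)" % widths[0])
```

With the constructed set above, "%5Username%3#" yields "JoeUs123", matching the chapter's example; a one-digit counter that is already exhausted raises instead of producing a duplicate name.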

Using the New Client page, you can also control the organizational unit in which the computer account objects are created. The default is the default account creation location as set in Active Directory. The following are your options:

Default directory service location    This creates the computer account object for the client in an Active Directory location where all computer accounts are created by default during the domain join operation. The default Active Directory location is set to the Computers container in Active Directory. The client becomes a member of the same domain as the RIS server installing the client.

Same location as the user setting up the computer    This creates the computer account object in the same Active Directory container as the user who is setting up the computer. For example, if you log on in the Client Installation Wizard and your user account currently resides in the Users Active Directory container, the client computer account object is created in the Users container in Active Directory.

A specific directory service location    This creates the computer account object in a specific Active Directory container that you predetermine. It is assumed that most administrators will select this option to specify a container for all remote installation client computer account objects.

Client Response Options

The RIS settings on the Properties page control how the RIS server responds to remote boot–enabled clients requesting service. You can set the RIS server to Respond to client computers requesting service, or to respond only to known clients. When the RIS server is set to Do not respond to unknown client computers, it responds only to clients with a prestaged computer account object in Active Directory. This setting allows you to limit access to authorized clients that are prestaged in Active Directory, thereby increasing the security on your network. The Do not respond to unknown client computers setting also provides support for multiple third-party remote boot or installation servers on one physical network. For example, if your company already uses another vendor's remote boot or installation server, you cannot control which vendor's server answers the client's request. By setting the Do not respond to unknown client computers option in conjunction with prestaging clients, you make sure that only those prestaged clients are serviced by authorized RIS servers.

Note

If a user sets up the client, the user needs to have the appropriate rights to create the computer account in the domain or organizational unit chosen. For more information about granting computer account creation permissions to users, see Windows 2000 Server Help.

Pre-staging Clients in Active Directory Using GUID

You can also use the computer's GUID for pre-staging clients and making sure that each computer is uniquely identified. This unique ID is stored with the computer account object that is created when pre-staging the client. In most cases you can find the GUID for clients that are PC98 or Net PC–compliant in the system BIOS of the computer or on the outside of the computer case.

GUID Format

Valid characters for the client GUID are restricted to the hexadecimal characters 0-9 and A-F (uppercase or lowercase). You can enter the GUID in either "pretty print" or "raw byte order" format. However, combining the two formats causes RIS to not recognize the client.

Pretty Print

Pretty print format is as follows:

{dddddddd-dddd-dddd-dddd-dddddddddddd}

where d is a hexadecimal character. For example, {921FB974-ED42-11BE-BACD-00AA0057B223}. The dashes are optional and spaces are ignored.

Raw Byte Order

You can also enter GUIDs in raw byte order, such as the byte order you get from a packet sniffer. In this case, do not include the curly braces or dashes, and enter only the 32 hexadecimal characters. The following GUIDs have exactly the same value:

  • Pretty print:
    {12345678-1234-1234-1234-1234567890AB}

  • Raw byte order:
    785634123412341212341234567890AB

Notice that the bytes of the first three parts of the pretty print GUID appear in reverse order in the raw byte format, while the last two parts are unchanged. This is how the computer stores the information internally and how it is sent on the network.

If you are having trouble with a prestaged client not being answered by a RIS server, make sure the GUID entered is either in pretty print format or raw byte order.
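As an added example, not part of the original chapter, the following Python normalizes a client GUID entered in either format to pretty print so that two entries can be compared. It treats braces or dashes as the mark of pretty print, a bare 32-digit string as raw byte order, and rejects anything with the wrong number of digits rather than silently producing a GUID that no RIS server would match.

```python
import re
import uuid

_HEX_ONLY = re.compile(r"^[0-9A-F]{32}$")


def normalize_ris_guid(text):
    """Return the canonical pretty-print form of a client GUID entered either
    in pretty print ({dddddddd-dddd-dddd-dddd-dddddddddddd}, dashes optional,
    spaces ignored) or in raw byte order (32 bare hex digits).

    Braces or dashes mark the entry as pretty print; a bare 32-digit string is
    taken as raw byte order, in which the first three fields are byte-swapped.
    Anything else is rejected rather than turned into a wrong GUID.
    """
    s = text.replace(" ", "").upper()
    pretty = s.startswith("{") and s.endswith("}")
    body = s[1:-1] if pretty else s
    if "-" in body:
        pretty = True
        parts = body.split("-")
        if [len(p) for p in parts] != [8, 4, 4, 4, 12]:
            raise ValueError("malformed pretty-print GUID: %r" % text)
        body = "".join(parts)
    if not _HEX_ONLY.match(body):
        raise ValueError("GUID needs exactly 32 hexadecimal digits: %r" % text)
    if pretty:
        return "{%s-%s-%s-%s-%s}" % (body[:8], body[8:12], body[12:16],
                                     body[16:20], body[20:])
    # Raw byte order: bytes_le undoes the little-endian swap of the first three fields.
    return "{%s}" % str(uuid.UUID(bytes_le=bytes.fromhex(body))).upper()


def ris_guids_match(a, b):
    """True when two entries, in either format, identify the same client."""
    return normalize_ris_guid(a) == normalize_ris_guid(b)
```

Wrapping a raw-byte-order string in braces, the mixed form the text warns about, normalizes to a different GUID and therefore does not match the pretty-print entry for the same client.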

Clients Installing Operating System Images

Clients can also be granted permission to create their own computer account (non-prestaged) and install an image. This allows users to turn on their system, connect to the RIS server, log on with their domain account, and install an operating system image without assistance. To do this, the user needs the following permissions on the organizational unit that you have specified to hold the newly created computer account:

  • Read permissions

  • Create computer objects

Users can also install an operating system image on their prestaged client if they have been granted the ability to read and write all properties on the specific computer object (not the container) that was created when the client was prestaged. The user also requires the ability to reset and change password rights on the computer object. (An administrator might need to reset the user account.)