Several years ago when Windows 98 was king, I found myself having to deploy way more Windows 98 machines than I care to think about. Symantec’s Ghost made the job much better than installing Windows 98 by hand on multiple machines, as long as all of the new workstations had identical hardware.
My deployment technique worked great until Microsoft released Windows 2000. Like Windows 98, Windows 2000 required each computer to have a unique computer name. The problem was that the computer name was linked to a security identification number, which must also be unique. If you duplicate a machine that’s running Windows 2000 (or Windows XP or Windows 2003), you also duplicate the machine’s SID. Although you can rename the machine, renaming the machine does not change the machine’s SID. Since having machines with duplicate SIDs on a network causes problems, I put my copy of Ghost away and stopped using it.
Now let’s fast forward a few years to the year 2004. Deploying desktop operating systems is still an issue for most companies and although the current desktop operating system is Windows XP instead of Windows 2000, SID duplication is still an issue. Fortunately, Windows Server 2003 can assist with workstation deployment by doing some things that Ghost can’t do.
Windows 2003’s Remote Installation Service (RIS) allows you to create an image of a machine that’s running Windows 2000, XP, or 2003, and then deploy that image to other computers. The cool thing about it is that RIS even takes care of making sure that each new computer receives a unique SID. You can build the image file by using a utility that’s built into Windows Server 2003, called RIPREP.
RIPREP is installed only after RIS has been installed and configured. For the purposes of this article, I am assuming that you already have RIS up and running on a Windows 2003 Server box. If that isn’t the case and you need some help setting up RIS, then check out my TechRepublic article "Using Windows Server 2003’s Remote Installation Services".
Getting the basic configuration
With that said, the first thing that you will want to do is to set up a workstation that uses your “approved corporate configuration” with either Windows 2000 or Windows XP, whichever your company uses. You should also install all of the most current service packs and hot fixes and the applications typically used by employees of your company. You should also make the PC a member of the appropriate domain.
Once you’re satisfied that your computer is configured perfectly, log in as a domain administrator and then open the Network Neighborhood. Double click on your RIS server to reveal the shares that it contains. There should be a share named REMINST. If this share doesn’t exist then it means that RIS hasn’t been completely installed. If this is the case then you will have to go back to your RIS Server and run the Remote Installation Service Setup program found on the server’s Administrative Tools menu.
Once you open the REMINST folder, double click on the Admin folder followed by the i386 folder. Now, double click on the RIPREP.EXE file to launch the Remote Installation Preparation Wizard. Click Next to bypass the wizard’s Welcome screen and you will see a screen that asks for the name of the RIS server that you want to install the image file onto.
Since you are accessing the server through a network share, the server name should be filled in for you. Click Next and you will be asked for the name of the folder to install the image into. Since this is the first image file that you’ve created, a folder doesn’t exist yet. Just call the folder whatever you want, click Next, and the folder will be automatically created on the server using the name that you have specified. Just remember that because of the way that RIS works you can’t use spaces or symbols in the folder name.
After entering the folder name, you will be asked to enter a friendly description for the installation image. The friendly description should just be a readable name such as “Windows XP”. This screen also allows you to enter some help text. You can use the help text box to enter a much longer description. I recommend entering detailed information in regards to what applications, service packs, and hot fixes are included in the image. It’s also a good idea to make note of the image’s creation date.
Click Next and you will see a report of any system incompatibilities that might exist. Hopefully you won’t have any problems, but there are a few common things that simply aren’t supported by RIPREP. For example, RIPREP only supports the imaging of a single hard drive partition (the C: partition). Another common issue is that RIPREP will only image a single user profile. This shouldn’t be a big deal though if the machine that you are imaging has never actually been used by an end user, or if your network is configured to use roaming profiles.
Click Next and you will see a message explaining that in order to avoid errors a bunch of services must be stopped while the machine is imaged. Click Next and the necessary services will be stopped. You might also be asked to manually close applications or stop system level processes. You can do this through the Task Manager. Finally, you will see a summary of the options that you have chosen. If after reviewing this summary everything looks good, click Next and the imaging process will begin. When the imaging process completes, the workstation will be shut down and rebooted. This allows all of the services that had been previously stopped to restart.
After the workstation reboots, something really strange happens. Windows Setup runs as if you are installing Windows XP for the first time. The reason is that RIPREP removes the machine’s SIDs and any user specific information prior to creating the image file. After the machine reboots, Setup recreates these settings.
The good news is that running through Setup doesn’t take nearly as long as it did to initially install Windows because Setup doesn’t make any attempts to detect the system’s hardware. You do however have to answer a few questions for Setup. To get through Setup, you must accept the end user license agreement, select your language, and enter the product key. Setup will then copy a few files and reboot the machine. Although running through Setup is annoying, the entire process only takes about two minutes.
After the system reboots, you will notice a glitch in RIPREP. The system is no longer a member of a domain. Instead, it has been reconfigured to be a member of a workgroup that has the same name as the domain that the machine previously belonged to. To reconnect the machine to its domain, right click on My Computer and select the Properties command from the resulting shortcut menu. When you do, you will see the System Properties sheet. Select the Computer Name tab and then click the Change button to reveal the Computer Name Changes dialog box. Select the Domain radio button and enter the name of the domain that the system should belong to. You will then be prompted to enter the credentials for a user with permission to join machines to the domain. Finally, you will see a message welcoming you to the domain and you will be asked to reboot the system again.
Deploying the Image
Now that I have talked about how to image a computer, let’s talk about how to deploy that image to new systems. A new system gets the attention of a RIS server through the Preboot Execution Environment (PXE) protocol. PXE is normally implemented at the hardware level. Many network cards have PXE built in and some computers even support PXE at the BIOS level.
What do you do if your workstations don’t natively support PXE? Well, you could buy new, PXE compliant network cards, but there is an easier technique. Windows Server 2003 allows you to create a RIS boot disk. This boot disk emulates a PXE boot. Best of all, you don’t have to create a separate disk for each machine. You can create one disk and use it for all of your OS deployments.
To create the RIS boot disk, go to your RIS Server and navigate to the \RemoteInstall\Admin\i386 folder. Once there, run RBFG.EXE. Creating the RIS boot disk is as simple as clicking the utility’s Create Disk button. However, before doing so, I recommend clicking the Adapter List button. The RIS boot disk only supports a couple dozen different network adapters, so it’s a good idea to make sure that your workstation’s network adapter is supported.
Once you finish creating the RIS boot disk, boot one of your new workstations from the disk. The boot process will quickly detect your network adapter and will then take a second to acquire an IP address from a DHCP server. You must then press the [F12] key to continue the boot. The boot process will abort if you don’t press [F12] fast enough.
At this point, you will see the Client Installation Wizard appear. Press [Enter] to bypass the wizard’s Welcome screen. The next screen that you will see prompts you to enter your username and password for the domain. The domain name is filled in for you by default, although it can be changed. Press [Enter] and you will be given a choice of which operating system you want to install from the RIS Server. The bottom of the screen contains a full description of each operating system.
Select the operating system that you have just created the image for and press [Enter]. You will now see a warning message indicating that the machine’s hard drive must be repartitioned and reformatted. As soon as you commit to the installation, the formatting will begin and there is no turning back. This isn’t a big deal for a new machine, but if you are reinstalling an operating system on an existing machine then you will want to go back and make sure that there is nothing important on the hard drive. Press [Enter] and you will see the GUID and the computer name that will be applied to the new system. If everything looks good, press [Enter] and the formatting begins.
Reinstalling The Operating System
OK, RIS images are great for installing operating systems and applications onto new workstations, but what about reinstalling an operating system? Imagine that one of your users approached you and told you that their operating system was badly damaged and needed to be reinstalled from scratch. Assuming that you trusted the user’s judgment (no laughing please) you would have a couple of choices. You could take some time out and reload the system yourself, you could loan the user some CDs and let them reload the system, or you could loan the user a RIS boot disk and let them restore one of your image files.
In a situation like this, letting the user restore a RIS image is probably the best bet. Unfortunately, it won’t work without a little prep work on your part. As a part of setting up the machine, RIS must delete the machine’s old computer account and create a new computer account. By default, the user won’t have permission to do this. I recommend creating a group called Setup that will give members the rights to install a RIS image. You can then add a user to this group whenever they need to perform a reinstallation and remove the user from the group when the installation is complete.
To create such a group, log into a domain controller with domain Administrator credentials. Next, open Active Directory Users and Computers, right click on the Users folder and select the New | Group commands from the shortcut menu. You will now see a dialog box asking what the name of the new group should be. Enter Setup as the group name. This will create a new Global Group.
At this point, select the Advanced Features command from the console’s View menu. Now right click on the Computers container and select the Properties command from the resulting shortcut menu to reveal the container’s properties sheet. Select the Security tab, click the Add button, type Setup, and click OK. The Setup group is now added to the list of group or user names. With the Setup group selected, click the Advanced button. This will reveal the Advanced Security Settings for Computers dialog box.
Click Add, enter Setup in the space provided and click OK. You will now see a dialog box asking what permissions should be assigned to Setup. Select the Allow check box for Create Computer Objects and click OK. Now, click Add again, enter the Setup group, and click OK. You will once again see the list of available permissions. Locate the Apply Onto drop down list and select the Computer Objects option. In the permissions section, select the Allow check boxes that correspond to these options: Write All Properties, Change Password, Reset Password Permissions. Now select the check box at the bottom of the dialog box labeled Apply these permissions to objects and/or containers within this container only. Click OK three times and you’re done. All you have to do now is to add users to the group.
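As an added example (not part of the original article), the following Python check takes the SDDL string of the Computers container's ACL and reports whether the Setup group holds exactly the four grants configured above and nothing more. The SID, the two sample SDDL strings, the function name and the assumed SDDL form of each grant are constructed for illustration; the GUIDs are the standard Active Directory identifiers for the computer class and the Reset Password and Change Password rights.

```python
import re

# Standard Active Directory GUIDs (schema class and extended rights).
COMPUTER = "bf967a86-0de6-11d0-a285-00aa003049e2"         # computer object class
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"   # Reset Password
CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"  # Change Password

# Assumed SDDL form of the article's grants: (right, object GUID, inherited object GUID).
EXPECTED = {
    ("CC", COMPUTER, ""),                # Create Computer Objects on the container
    ("WP", "", COMPUTER),                # Write All Properties on computer objects
    ("CR", RESET_PASSWORD, COMPUTER),
    ("CR", CHANGE_PASSWORD, COMPUTER),
}

def audit_delegation(sddl, sid):
    """Return (missing, unexpected) allow grants held by sid in the DACL."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # drop owner/group and any SACL
    found, unexpected = set(), []
    for body in re.findall(r"\(([^()]*)\)", dacl):
        fields = body.split(";")
        if len(fields) < 6 or fields[5] != sid:
            continue
        ace_type, _flags, rights, obj, inherited = fields[:5]
        if ace_type not in ("A", "OA"):               # only allow ACEs grant access
            continue
        # SDDL packs rights as two-letter codes ("CCDC"); a hex mask is flagged too.
        for right in re.findall("..", rights):
            grant = (right, obj.lower(), inherited.lower())
            if grant in EXPECTED:
                found.add(grant)
            else:
                unexpected.append(grant)
    return sorted(EXPECTED - found), unexpected

# Constructed sample data: a made-up SID for the Setup group and two made-up DACLs.
SETUP = "S-1-5-21-1111111111-2222222222-3333333333-1105"
AS_DESCRIBED = (
    "O:DAG:DAD:(A;;GA;;;DA)"
    f"(OA;CI;CC;{COMPUTER};;{SETUP})"
    f"(OA;CIIONP;WP;;{COMPUTER};{SETUP})"
    f"(OA;CIIONP;CR;{RESET_PASSWORD};{COMPUTER};{SETUP})"
    f"(OA;CIIONP;CR;{CHANGE_PASSWORD};{COMPUTER};{SETUP})"
)
# Drifted: Write All Properties is gone and the group has Full Control (GA) instead.
DRIFTED = AS_DESCRIBED.replace(f"(OA;CIIONP;WP;;{COMPUTER};{SETUP})", "") + f"(A;CI;GA;;;{SETUP})"
if __name__ == "__main__":
    for name, sddl in (("as described", AS_DESCRIBED), ("drifted", DRIFTED)):
        print(name, audit_delegation(sddl, SETUP))
```

Anything returned in the second list is a permission the Setup group was never meant to have on the Computers container.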
A Final Thought
In a production environment, you will probably have more than one hard drive image. For example, one standard workstation image might have Microsoft Office, while an image created for people in the IT department might also have Visual Studio. You don’t want a user to install an image that wasn’t intended for them. To prevent this from happening, you can use NTFS permissions on the file server to control which groups have read permissions to which images. If a user is preparing to install an image, the user will not even be given the choice of installing images that they do not have read access to. They will never even know that other images exist.