Microsoft Windows 2000 Professional can be deployed within your organization in many different ways. This article will discuss the crhme of the crop, Sysprep. Sysprep is not an all in one deployment utility. Rather, it is a complement to many of the popular disk cloning utilities, such as Symantec's Norton Ghost. Sysprep allows you to customize your -golden- image to be used in your enterprise, and then clone it to all of your workstations.
This paper is not intended to be a guide to the best practices of configuring Windows 2000 Professional. This paper will cover how best to utilize Sysprep and a third party cloning utility to allow you to deploy a standard image throughout your organization. This image will be configured to reduce the amount of input by deployment personnel to a bare minimum. In fact, the image detailed in the following scenario requires only the machine name to be successfully deployed. By cloning your base image, you can minimize your departments support costs by eliminating workstation -deltas- (one machine configured differently than others) and the possibility of human error during the setup process.
Sysprep is a utility that will allow you to duplicate a fully configured Windows 2000 installation to a large number of machines. This utility automatically regenerates the SID on each duplicated system. Sysprep can also be used to duplicate stand alone and member servers. At this time, Sysprep cannot be used to clone Domain Controllers. You can however create a base server image, and then run DC Promo on each server to reduce deployment time for a large number of similar servers. Microsoft has written a very informative Whitepaper on the subject called Automating Windows 2000 Deployments with Sysprep located here.
The version of Sysprep that comes on the Windows 2000
CD has been updated to V 1.1. You
can download the new version here.
This new version eliminates the mass storage controller dependency of the
original version. Previously you
would need to create a separate image for each system that had a different mass
storage controller. Sysprep is
still dependent on the Hardware Abstraction Layer, and you will need a separate
image for each variation of HAL's within your enterprise.
When used in conjunction with Plug and Play, you can deploy Windows 2000
Professional throughout an entire organization with one single image.
The following is a brief overview of the Sysprep process:
- Install and configure Windows 2000 Professional.
- Install and configure applications.
- Run sysprep.exe and shutdown computer. (note: sysprep.exe uses options configured in sysprep.inf)
- Clone image to network share utilizing third party disk copying software.
- Deploy image to target workstation.
- On restart, machine with duplicated image parses sysprep.inf and runs minisetup.
- After minisetup completes, restart machine, SID is automatically regenerated.
The following is a list of requirements and goals that we will accomplish with this Sysprep image:
- Reduce the amount of user/administrative input during setup of the machine.
- Give each imaged machine a unique name consistent with our organizations naming convention.
- Set the administrative password with setup. (In my current organization our tech support personnel are not given the local administrative password. This eliminates the only common account in use in our organization. We will set the same option here.)
- Allow dynamic updating of hardware drivers.
- Allow additional applications to be installed after setup.
- Allow additional files to be copied to the workstation after setup.
For the purposes of this discussion, we will be deploying Windows 2000 Professional to our company named Trake Inc. Our main file server's name is DC1, containing our distribution share DIST$. We have created our Sysprep directory on our distribution share under the Windows 2000 directory. We will also need to create a directory named POSTPROC to handle some of our workarounds that we will incorporate into our sysprep image.
The Sysprep directory will contain the following:
I386 directory - contains $OEM$ directory and cmdlines.txt
Sysprep.inf is the configuration file that is applied to your cloned image for use with Minisetup. In keeping with our -minimal input- theme, I will highlight the main options needed to appropriately answer the most common setup questions:
ExtendOemPartition=1 (automatically extends system partition to size of disk)
OemSkipEula=Yes (End user license agreement acceptance)
InstallFilesPath = "c:\sysprep\i386"
OemPnPDriversPath=\\dc1\dist$\windows2000\postproc\drivers (location of additional drivers)
timezone=015 (current time zone, refer here for complete listing of timezones)
OEMSkipWelcome=1 (Skip welcome screen)
OEMSkipRegional=1 (Skip Regional options screen - default US English)
DomainAdmin="trake\w2kadmin" (Domain\username of account with permission to add computer account to domain)
DomainAdminPassword=123456 (Password of above account, please make your password stronger)
JoinDomain="trake" (Domain to join)
The most notable option we have enabled here is the OemPnPDriversPath. By redirecting the drivers location to a network share, we have the ability to update Plug and Play drivers for future hardware purchases, without recreating the original image.
We are agreeing to the License and welcome screens by default.
The $OEM$ directory contains a file named cmdlines.txt, which allows you to specify additional commands to run at the conclusion of minisetup. The standard method of utilizing this file is to script your additional commands here. After minisetup runs, the commands will be processed and applied to the machine. This would allow you specify the installation of extra applications and the like. However, if one of those applications becomes outdated, you will need to recreate your image just to remove the line that specifies the out of date application. This is where we will create another one of our own workarounds.
We will have cmdlines.txt invoke a batch file in the same local directory, which invokes another batch file on our network share to allow dynamic updating of these commands, again with no updating of the original image.
Here are the contents of cmdlines.txt:
The contents of cmdlines.bat:
net use m: \\dc1\dist$ 123456 /USER:trake\w2kadmin /PERSISTENT:NO
And finally the contents of postproc.bat:
regedit /s logonopt.reg
regedit /s legal.reg
copy logoff.exe c:\winnt /y
copy con2prt.exe c:\winnt /y
copy printers.bat c:\winnt /y
Your configuration of postproc.bat may differ. Here is what the sample postproc.bat does:
- call adminpw.bat - This batch file contains the standard NET USER command to reset the admin password. This prevents us from having to specify it during setup, and allows us to change the local admin password on newly imaged machines if the original is ever compromised. This is useful if your organization has a policy of changing the local password every 6 months or so.
- regedit /s logonopt.reg - Registry hack to blank out the Username field, and prepopulate the Domain field in the Ctrl+Alt+Del dialog box after your target machine restarts.
- regedit /s legal.reg - Registry hack to create the LegalNoticeCaption and LegalNoticeText option. It may be a good idea to be able to change your Legal Notice on your workstations with the vast number of companies involved in mergers these days.
- copy logoff.exe c:\winnt /y - A Resource Kit utility that allows you to remotely logoff a user from the workstation. My company does not currently utilize this utility, but it is there if we ever need it.
- copy con2prt.exe c:\winnt /y - A utility that allows you to script the installation of network printers.
- copy printers.bat c:\winnt /y - The actual batch file for the network printer utility. Our users simply select Start | Run | printers and all the network printers are mapped.
This is just a sampling of the many different configurations you can apply to your image dynamically. You can also add unattended installations of applications to your image to keep up with the ever changing world of software upgrades.
Using Sysprep in the real world
Now that we now how it works, let's make it work. We are assuming that you have created your master Windows 2000 image, configured all of your applications, and are ready to stamp this image as the Master. We also assume that you possess a third party imaging utility and have it configured per the manufacturers instructions for use in a networked environment.
- Copy the Sysprep directory from the network share to the C: drive of the workstation.
- Reset the local Administrator password to blank (not the word blank, just nothing)
- Remove the workstation from the domain and put it into a workgroup.
- After restarting, log in as the local Administrator with the black password.
- Remove all of your domain specific profiles from C:\Documents and Settings (we don't need to deploy extra profiles do we?).
- Select Start | Run | C:\sysprep\sysprep.exe -pnp (This will invoke a full plug and play scan during deployment to the new workstations to pick up any different hardware than what was used for this image).
- The workstation will shut down (It probably won't. There is a hotfix for this bug, but I haven't ever gotten around to applying it. If you get the chance, go for it. Otherwise, just wait 20 seconds after the screen goes blank and then turn the machine off).
- Insert your network boot disk to connect to the imaging share and use a third party utility to copy the image to the network.
That's it. You can use your third party imaging utility to copy this image to your workstations for deployment.
In our example, the only information that will be needed will be the workstation name. I have experimented with the approved ways of automating the naming of the workstations but never found a scenario that was able to take advantage of it. If your organization is willing to accept the default machine names given by Windows 2000 setup (cryptic at best), you will have a fully automated installation with absolutely no input by support personnel.
You will notice when you are prompted for the machine name that you are also prompted for the local Administrator password. Remember, we set the local Administrator password with postproc.bat, and any password you put in at this stage, will get overwritten with our after-setup processing. This is by design.
You can also reduce the size of your image stored on the network by deleting pagefile.sys, and hiberfil.sys (if applicable).
By utilizing Sysprep and a third party disk cloning utility, you can deploy Windows 2000 Professional to your network with the same exact configurations every time. With the introduction of Plug and Play to the Windows 2000 platform and depending on the variation of hardware in your workstations, you may be able to perform a full scale deployment to your organization with one single image.
You can also use this repeatability to your advantage with workstation support. In my neck of the woods, we troubleshoot for 10 minutes, then we blast down the master image to the workstation again. Returning the users workstation to a known, supported, working state. With the availability of free software for download from the Internet, and how that free software always seems to destroy something on an NT based workstation, this is a must for large scale shops. Otherwise the majority of your IT Departments time is spent troubleshooting problems caused by unsupported software.
Please take the time to read through the Microsoft Whitepapers regarding Sysprep and Automated Deployments. With a little planning, you can reduce the costs associated with supporting an Enterprise network tremendously.