Recently, we completed our series of articles that examined different methods of handling Windows XP deployments. We focused primarily on solutions that offered an increased degree of automation, centralized management, and auditing and reporting functionality. The need for technology that can install client operating systems on multiple computers is common, and products that address these needs come in handy in environments of practically any size.
Equivalent functionality for installing server operating systems is also needed, although the customer base, which consists primarily of larger enterprises, is smaller. While such capability is available as part of Remote Installation Services, that solution was designed with desktop rollouts in mind and lacks the centralized management, efficiency, and scalability features, all of which are critical when dealing with servers. Microsoft addresses these challenges in the form of Automated Deployment Services, which is the topic of this article.
Automated Deployment Services (ADS) is a free add-on to Windows 2003 Server Enterprise Edition. Intended mainly for corporate clients with hundreds or thousands of devices hosted in data centers, ADS streamlines and automates deployment and maintenance of recent server operating systems (covering 32-bit versions of Windows 2000 Standard and Advanced Server as well as Windows 2003 Standard, Web, and Enterprise Editions). It distinguishes itself from similar solutions, such as Remote Installation Services, through a variety of significant functionality, scalability, manageability, and security enhancements, such as:
- A centralized deployment methodology designed to minimize the time necessary to install and fully configure a new Windows server system. The initial investment in time and resources necessary to set up ADS is easily justified in larger environments with few variations in the way systems are set up, which makes it well suited for blade servers.
- Leveraging Preboot Execution Environment (PXE) combined with Windows Preinstallation Environment (Windows PE) 2005 or its new ADS-specific alternative (Deployment Agent) for remote server installation on bare-metal hardware and virtual floppy operations (such as BIOS upgrades or RAID configurations).
- Remote operating system management and automation capabilities based on a variety of administrative tools, from Microsoft Management Console snap-ins and command-line utilities to Windows Management Instrumentation-based scripts and programs.
- Efficient management through set-based operations targeting groups of devices, which can be referenced as a single entity.
- A set of innovative proprietary imaging tools, with built-in compression, defragmentation, encryption, simplified edits, and image library management.
- Bandwidth savings through multicasting support and bandwidth throttling.
- A complete audit of administrative tasks (facilitated by centralized operations and logging) with records stored in a SQL Server database.
From an architectural point of view, ADS forms an agent-based, centralized infrastructure. Its central piece is the Controller Service system, which serves as the functional and communication hub for all operations. This includes interacting with the two types of agents running on managed devices (Deployment and Administration), providing the entry point for creating and scheduling administrative tasks (the management tools require a connection to the Controller Service), maintaining a SQL Server-based database of all devices within its management scope (identified by the MAC addresses of their network adapters or by their SMBIOS GUID), and coordinating two supplementary services responsible for carrying out its requests:
Network Boot Service
Network Boot Service (NBS) consists of three subcomponents, PXE Service, TFTP Service, and Deployment Agent Builder Service. It functions like an enhanced version of the Remote Installation Services server. It also relies on Microsoft DHCP Server for some of its features.
NBS's main purpose is facilitating remote operations on PXE-enabled (version 0.99c or later) devices without relying on their operating system. DHCP-initiated sessions established at boot time on such devices serve as the means for exchanging the information necessary for operating system installation and Virtual-Floppy-based activities. This includes the network address of the system where the PXE Service resides (provided by the server) and the PnP identifiers of hardware components on the target device (provided by the client).
Depending on the instructions from its administrator, NBS might initiate operating system installation by downloading (using the TFTP Service) either a copy of Windows Preinstallation Environment 2005 (which is not included with ADS but sold separately; for more information on this subject, refer to our earlier article in this series) or the ADS Deployment Agent created dynamically by the Deployment Agent Builder Service together with the required drivers (based on the device records stored in the SQL Server database), and then rebooting the device. Another action NBS can trigger is a system boot from a Virtual Floppy image (created with the ADS DskImage utility and downloaded via the TFTP Service), which accommodates BIOS and firmware upgrades, RAID configuration, or similar operations that in the past required direct access to the hardware to perform a floppy-based boot.
Image Distribution Service
Image Distribution Service (IDS) manages the storage of operating system images and their distribution to managed devices. ADS provides its own set of imaging tools (such as Imgdeploy, Imgmount, and Adsimage) that generally follow the same principle as other programs in this category. They capture the content of a drive containing an operating system installation on a reference computer into a file (after Sysprep components have been added to it, the ADS Administration Agent has been installed, registered with the Controller Service, and verified to operate properly, and the capture has been triggered from the Controller Service). The image can then be copied to another device, resulting in a new, fully functional installation.
The tools, however, also feature a number of functionality, efficiency, and security improvements. In particular:
- Imgdeploy offers built-in compression and encryption, as well as automatic defragmentation of files contained within the image during its copy to a target system.
- Imgmount enables mounting of existing images, thus eliminating the need to maintain the reference computer. It also allows direct modification of the file system on the resulting volume and storing of the changes in a new version of the image.
- Adsimage sports both command-line and Microsoft Management Console interfaces, allowing the review and management of images (including their deletion or property updates).
Image deployment is easily managed (a single image can be delivered in a single operation to up to 128 devices), efficient (it supports unicasting and multicasting, as well as bandwidth throttling), and secure (via Secure Sockets Layer connections).
As mentioned earlier, the Controller Service also communicates with the ADS Deployment and Administration Agents residing on managed devices, which handle remote deployment and administration, respectively. More specifically, the former (which, in essence, is a memory-resident, cut-down version of Windows 2003 Server) is loaded into the memory of PXE-capable devices, partitions the hard drives, and initiates the full operating system image load, or performs the virtual floppy-based functions described earlier (such as BIOS upgrade or RAID configuration). It can also facilitate the remote capture of images. The primary purpose of the latter, which is added to every image and loads as one of the services running within operating system boundaries, is to assist with post-deployment maintenance tasks.
Remote administration covers not only Windows server rollouts or hardware configuration and maintenance, but also running sequenced tasks against managed devices. Their processing can take place locally on the controller system, or it can be launched directly on target systems. Such tasks might include executing local or network-based Windows applications or scripts. If required, scripts can be downloaded prior to their invocation. Task sequences (referred to as jobs) are stored in XML-formatted files and created using ADS Sequence Editor, a graphical utility included with the ADS Controller Service. Any XML authoring program can also be used to create them.
A number of predefined templates (stored in Program Files\Microsoft ADS\Samples\Sequences) simplify the implementation of jobs handling typical deployment and administration procedures. An administrative interface is available in graphical (ADS Microsoft Management Console snap-in) and command-line formats.
The interfaces include utilities such as ADSDevice (managing device records) or ADSArchive (archiving completed task sequences), in addition to the previously described Adsimage, DskImage, Imgdeploy, and Imgmount. Furthermore, ADS makes its functionality available via Windows Management Instrumentation, facilitating the development of custom code using both scripting and programming languages. Administration can be performed, with graphical or command-line utilities, remotely from any system running Windows 2000 Professional, Server, or Advanced Server, Windows XP Professional SP1, as well as the Standard or Enterprise Edition of Windows 2003 Server.
As with RIS, Microsoft DHCP Server is required on subnets where devices deployed and managed by the Controller Service are located. The devices should also be in the same broadcast domain as the Network Boot Service and share a multicast domain with the Image Distribution Service. The ADSDHCPConfig utility (included in the set of ADS administrative tools) helps assign ADS-specific settings on the DHCP server, including option 60, which is intended for the PXE-enabled boot process. For the purpose of storing configuration data and task logs for managed devices, you will need access to either Microsoft SQL Server Desktop Engine 2000 (which is included with the installation files) or SQL Server 2000 (the database is created automatically during ADS setup).
Despite bandwidth-saving optimizations (e.g., throttling and support for multicasting), the network must be reliable and relatively fast (at least 10 Mbps). Bear in mind that image copying does not handle connectivity interruptions gracefully. The Controller Service hardware should have sufficient processing power to deal with the heavy load caused by imaging activities (primarily compression and encryption) and plentiful disk space, especially if you anticipate a large number of images.
Ensure that your servers' BIOS options are set to attempt booting from the network first; otherwise you'll need to rely on someone pressing the F12 key at the console during installation.
The current version of Automated Deployment Services (1.1) is available from the download section of the Microsoft Web site. The download consists of a single file, ADS_VSMT_1.1.exe, which, when executed, creates a folder structure that can be used for the setup. Launching ADSSetup.exe displays the Windows 2003 Automated Deployment Services Setup Welcome page, from which you can proceed with the steps necessary to complete the installation.
If no instance of SQL Server is available to host the database storing records of managed devices, first select "Install Microsoft SQL Server Desktop Engine SP4". Once this is done, choose the "Install Automated Deployment Services" entry, which triggers the Automated Deployment Services Setup Wizard. The wizard-driven process is fairly straightforward and provides the ability to perform a full or custom installation, or to install the administrative tools only. It prompts for the location of the SQL Server database (as indicated earlier) and the path to the Windows setup files (the content of the Windows 2003 Server CD). You can also have it automatically configure the Network Boot Service and the DHCP service, which adds option 60 for PXE clients.
If you are a licensed user of Windows PE 2005, you can also create the Windows Preinstallation Environment repository that the Network Boot Service will subsequently use (in lieu of the Deployment Agent) during image rollouts and Virtual Floppy operations. This can also be done with command-line utilities after setup completes.
To verify whether the installation was successful, launch the ADS Management console from the Microsoft ADS group in the All Programs menu and check the State column of the three entries in its Services node. The installation process also installs the ADS Administration Agent. Be sure to review the settings on the Service tab of the Controller Service Properties dialog box and confirm they are configured as required (e.g., the default template for controlled devices, whether the MAC address or the SMBIOS GUID will be used as the identifier, and whether newly discovered PXE systems will be automatically added to the console or ignored).
Loading the Administration Agent on existing devices (such as a reference system where images are captured) tends to be a bit cumbersome, since it requires executing the setup program (ADSAgentSetup.msi or ADSSetup.exe) on each of them.
During setup, be sure to specify the path to the PKI certificate (used for encrypting communication) that is generated on the ADS Controller during its installation (residing, by default, in the Program Files\Microsoft ADS\Certificate folder). If the Windows Firewall is enabled on Windows Server 2003 SP1 systems, you must also explicitly allow traffic on UDP port 8198.
Fortunately, these steps are not required on systems deployed via Image Distribution Service, where the agent is automatically included, and the proper ports are opened as part of the default configuration.
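The two manual prerequisites discussed above (DHCP option 60 for PXE clients, and the firewall exception for the Administration Agent on SP1 systems) can also be applied with the built-in netsh tool instead of the ADSDHCPConfig utility and the Firewall control panel. This is an added example, not code from the article or from ADS; it assumes the DHCP server is named DHCPSRV (placeholder) and that it is run from a command prompt on the device that will host the agent.

```batch
@echo off
rem Added example (not part of the article or of ADS): prepare the DHCP server
rem and the Windows Server 2003 SP1 firewall for ADS-managed devices.
rem Assumption: DHCP runs on a server named DHCPSRV (placeholder name).

rem --- DHCP option 60 for PXE clients ---
rem Option 60 (vendor class identifier) is not predefined on every DHCP
rem server, so define it before assigning a value. The value "PXEClient"
rem tells the PXE firmware that boot (NBS) answers arrive alongside the
rem DHCP lease on this subnet, which is what ADSDHCPConfig sets up.
netsh dhcp server \\DHCPSRV add optiondef 60 PXEClient STRING 0 comment="PXE support"
netsh dhcp server \\DHCPSRV set optionvalue 60 STRING PXEClient

rem Verification: the server-level options should now list option 60.
netsh dhcp server \\DHCPSRV show optionvalue

rem --- Windows Firewall exception for the ADS Administration Agent ---
rem Scope the exception to the local subnet, not ALL, so that only hosts
rem in the Controller's broadcast domain can reach the agent port.
rem (Use scope=CUSTOM with the Controller's address if it lives elsewhere.)
netsh firewall add portopening protocol=UDP port=8198 name="ADS Administration Agent" mode=ENABLE scope=SUBNET

rem Verification: the new exception should appear in the open-port list.
netsh firewall show portopening
```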
Deploying an operating system image requires registering the target devices with the Controller Service system (e.g., from the ADS MMC console or with the Adsdevice command-line utility, using their MAC addresses or SMBIOS GUIDs); assigning them a job that encompasses the necessary tasks (which can be based on the da-deploy-image-wg.xml template and covers such actions as booting into the ADS Deployment Agent, disk partitioning, image download, and rebooting from the hard drive); and powering them on. Customization of the process (assigning to every installation instance unique values such as the product key, the local administrator's password, or the machine name) is handled by defining them on the User Variables tab of each device's Properties dialog box in the ADS Management console.
Additional steps may be required when implementing Automated Deployment Services on servers from some hardware vendors. For more information on this subject, refer to the Automated Deployment Services Original Equipment Manufacturers page on the Microsoft Web site or contact the vendor directly.