
3/23/2010

Presented by Rhonda J. Layfield


Copyright 2010

• IT industry 25+ years
• Contributes articles to Windows IT Pro magazine
• Setup and Deployment MVP
• Desktop Deployment Product Specialist (DDPS)
• Co-author of Windows Server 2003 R2 and Windows Server 2008 books
• NEW Microsoft Deployment book
• Deployment class – Vegas next week

• Microsoft Assessment and Planning Tool (MAP)
• Manually creating and deploying images
• Windows Automated Installation Kit 2.0
• Volume Activation and Key Management Service (KMS)
• Microsoft Deployment Toolkit 2010
  - Deploy a bare metal Windows 7 client
  - Migrate an XP client to Windows 7
  - Advanced features
• Windows Deployment Services (WDS)
  - Installation
  - Setup
  - Common issues
• Application Compatibility Toolkit (ACT)

• Deployment process
• Image formats
  - WIM
  - VHD
• Windows Automated Installation Kit (WAIK) 2.0
  - Windows Pre-Installation Environment (WinPE) 3.0
  - Windows System Image Manager (WSIM)
  - User State Migration Tool (USMT) 4.0
  - Deployment Image Servicing and Management (DISM)
• Volume Activation 2.0

Microsoft Assessment and Planning Tool (MAP):
• Agentless
• Finding your clients
  - This is called discovery
• Getting information from your clients
  - Inventory

Platforms MAP itself runs on:
• Windows 7
• Windows Vista
• Windows XP Pro SP2 or later
• Windows Server 2008 R2
• Windows Server 2008
• Windows Server 2003 R2
• Windows Server 2003 SP1 or later
• Runs on either x86 or x64
  - Itanium processors are not supported

• Discovery methods
  - Active Directory Domain Services (AD DS)
  - Windows networking protocols
  - Import names of your computers from a file
  - IP address ranges
  - Manually enter a computer name

• AD DS discovery: an LDAP query to a DC asking for information that is
  - Domain based
  - Container based
  - OU based
• Some clients may not show up
  - Computers that have not been logged on to the AD domain in over 90 days will not be inventoried
• Supports up to 120,000 computer objects per domain
• The user account that performs the LDAP query must be a member of the "Domain Users" group

• Windows networking protocols
  - Machines that are connected to workgroups or NT 4.0 domains
  - Queries are sent to the Browser service
  - Must be run on each subnet
• Text file
  - Each computer name should be on a new line
  - No delimiters
  - Supports up to 120,000 computer names to inventory
    NetBIOS names
    Fully Qualified Domain Names (FQDN)
  - Only one file at a time can be imported

• Hardware and device driver planning: MAP reports readiness for
  - Windows 7
  - Windows Vista
  - Windows Server 2008
  - Windows Server 2008 R2
  - Microsoft Office 2007
  - Microsoft Application Virtualization
  - Microsoft SQL Server 2008
  - Forefront Client Security and Network Access Protection

Inventory methods:
• Windows Management Instrumentation (WMI)
  - Collects hardware, software and device information
• Remote Registry Service
  - Finds the roles that are installed on a server
• VMware Web Service
  - Inventories hosts running VMware ESX

[Diagram: deployment process – (1) Windows 7 reference machine, (2) imaging tool (MDT, ImageX or WDS Capture), (3) deployment server, (4) targets]

• WIMs
  - Contain a single volume (C:, D: or E:)
  - Multiple images may be stored in a single .wim file
    Single instancing: no redundant file storage
  - Service the image offline: apply patches quickly and easily
• VHDs
  - Brand new with Windows 7
  - Contain an entire hard drive (multiple volumes)
  - Microsoft Deployment Toolkit (MDT) 2010 does not support .vhd
  - Windows Deployment Services does support .vhd

Tool                                       What it does for you
Deployment Tools Command Prompt            cmd that is aware of the path that contains the WAIK tools
CopyPE                                     Creates a WinPE working environment
Deployment Image Servicing and             Mounts, unmounts and manages images; adds and removes
Management (DISM)                          packages and drivers to/from an image
ImageX                                     Captures and applies images
OSCDIMG                                    Creates an .ISO out of the contents of a folder
Windows System Image Manager (WSIM)        Creates answer files (setup scripts) in .xml format
User State Migration Tool 4.0 (USMT 4.0)   Migrates user profiles, IE favorites and documents
Volume Activation Management Tool 1.2      Centrally manages volume activation

Manually creating an image:
• Install an OS
  - XP SP3
  - Vista SP1 or later
  - Windows 7
  - Windows Server 2003 R2 (all SPs)
  - Windows Server 2008 (all SPs)
  - Windows Server 2008 R2
• Configure settings
• Sysprep (/generalize switch)
• Capture an image using ImageX
• But you can't get an image of an OS that is up and running…

• So you'll need to boot the reference machine into another OS
• That's where the Windows Pre-Installation Environment (WinPE) comes in
  - WinPE 3.0, that is

• Scaled-down version of the Windows 7 kernel
  - You can think of it as W-7 Jr.
• Boots into and runs from RAM
  - X: drive by default
• Not appropriate for production, day-to-day use
  - Reboots every 72 hours
• Command line interface only
• Can be converted to a bootable .ISO and placed on:
  - CD, DVD, USB flash drive, external hard drive
• Where can you find a WinPE?
  - Boot.wim (from the sources folder on a DVD)

Tools available inside WinPE:
  WPEUtil shutdown         Regedit.exe
  WPEUtil reboot           Netsh
  WPEUtil enablefirewall   DiskPart

When you need WinPE:
• You want to create an image
• You want to apply an image
• You want to troubleshoot an issue with the OS offline
  - Root kit detectors

• Create the WinPE structure
  - copype x86 C:\WinPE
  - The C:\WinPE folder cannot already exist; if it does you'll get an error:
    Destination directory exists: C:\WinPE
  - Other architectures:
    copype amd64 C:\WinPE
    copype ia64 C:\WinPE
• Copy winpe.wim to C:\WinPE\ISO\sources\boot.wim
• Convert to an .ISO
  - oscdimg -n -h -betfsboot.com C:\WinPE\ISO C:\WinPE\winpe.iso

WinPE 3.0:
• XML scripting support is built in
• Additional packages are not inside WinPE
• No more "Prepping"; now you will "Profile"

VHDs:
• You can put one on your system, add a .wim to it… and tell bcdedit to boot that OS
• Mounting a .VHD in Win7 is called "attaching"
• Un-mounting a .VHD is called "detaching"
• Diskpart is the basic tool of choice to work with .vhds
• Of course, W-7 & 2008 use them for backups now

Creating a bootable VHD:
• Open an elevated command prompt
• diskpart
  - create vdisk file=c:\W7Ultimate.vhd maximum=25000 type=fixed
  - select vdisk file=c:\W7Ultimate.vhd
  - attach vdisk
  - list disk (find your new disk number)
  - select disk #
  - create partition primary
  - select partition 1
• Still in diskpart
  - active
  - format fs=ntfs quick
  - assign
  - detail partition (get the drive letter)
  - exit
• mkdir f:\windows
• imagex /apply c:\wims\install.wim 4 f:\
• Edit the Boot Configuration Database to boot from the new .vhd
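The VHD procedure above, scripted end to end, as an added example that is not part of the presentation. It feeds the slide's diskpart steps to diskpart from a script file, applies the image with ImageX, and then does the "edit the BCD" step with bcdedit's native-boot VHD syntax. The VHD path, image index 4, the V: drive letter and the WAIK path are assumptions; run it from an elevated PowerShell prompt on Windows 7.

```powershell
# Added example (not from the presentation): create a fixed VHD, apply a WIM
# image into it and add a native-boot BCD entry. Paths, the image index (4),
# the V: drive letter and the ImageX location are assumptions. Run elevated.
$Vhd    = 'C:\W7Ultimate.vhd'
$Wim    = 'C:\wims\install.wim'
$Index  = 4        # image index inside install.wim (check with DISM /Get-WimInfo)
$SizeMB = 25000
$ImageX = 'C:\Program Files\Windows AIK\Tools\x86\imagex.exe'   # amd64 on a 64-bit host

if (Test-Path $Vhd) { throw "$Vhd already exists; refusing to overwrite it" }

# diskpart reads its commands from a script file (/s); these are the slide's steps.
$ScriptFile = Join-Path $env:TEMP 'create-vhd.txt'
@"
create vdisk file=$Vhd maximum=$SizeMB type=fixed
select vdisk file=$Vhd
attach vdisk
create partition primary
select partition 1
active
format fs=ntfs quick label=W7VHD
assign letter=V
exit
"@ | Set-Content -Path $ScriptFile -Encoding ASCII
& diskpart.exe /s $ScriptFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# Apply the chosen image index into the freshly formatted volume.
& $ImageX /apply $Wim $Index 'V:\'
if ($LASTEXITCODE -ne 0) { throw "imagex /apply failed with exit code $LASTEXITCODE" }

# Copy the current boot entry and point the copy at the VHD file. bcdedit prints
# "The entry was successfully copied to {GUID}." so the new identifier is parsed
# out of that line.
$CopyOutput = (& bcdedit.exe /copy '{current}' /d 'Windows 7 (VHD)') -join ' '
if ($CopyOutput -notmatch '\{[0-9a-f-]+\}') { throw "bcdedit /copy failed: $CopyOutput" }
$NewId  = $Matches[0]
$VhdRel = $Vhd.Substring(2)          # "\W7Ultimate.vhd": bcdedit wants [drive]\path
& bcdedit.exe /set $NewId device   "vhd=[C:]$VhdRel"
& bcdedit.exe /set $NewId osdevice "vhd=[C:]$VhdRel"
& bcdedit.exe /set $NewId detecthal on

# Detach the VHD so the file can be copied or serviced offline with DISM.
"select vdisk file=$Vhd`ndetach vdisk`nexit" | Set-Content -Path $ScriptFile -Encoding ASCII
& diskpart.exe /s $ScriptFile | Out-Null
Remove-Item $ScriptFile
```

The script refuses to overwrite an existing VHD and stops at the first failing tool, so a half-built VHD never ends up in the boot menu.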


DISM:
• Allows you to service images offline
  - Both .wim and .vhd
  - Supports Vista SP1 and later images
• Enable / disable / configure Windows features
• Add and configure updates (MSUs)
• Gives you more functionality with consistent syntax
• Replaced 3 tools
  - Package Manager (Pkgmgr.exe)
  - International Settings Configuration Tool (Intlcfg.exe)
  - Windows PE command-line tool (PEimg.exe)
• No capture or apply feature

• Elevated command prompt
• Without image context
  - Dism /?
  - No image specified: you're looking at the image that is currently running, called the HOST
• With image context
  - Dism /online /?
  - Don't try this on WinPE

Image context: DISM /? vs. DISM /online /?

• DISM has an awesome help file
  - Pipe it to a text file
  - Edit the text file and save it
• For example, to mount an image:
  - Dism /Mount-Wim > C:\MW.txt
  - Notepad C:\MW.txt
  - Edit the command
  - Paste it into a new doc
  - Run it from the command prompt
• The WinPE we created earlier needs ImageX added

• Mount WinPE.wim
  - Dism /Mount-Wim /WimFile:winpe.wim /Index:1 /MountDir:C:\WinPE\Mount
• Add ImageX to WinPE.wim
  - Copy C:\Program Files\WAIK\Tools\amd64 (or x86, ia64)\imagex.exe into C:\WinPE\Mount\Windows
• Un-mount WinPE.wim, keeping the changes
  - Dism /Unmount-Wim /MountDir:C:\WinPE\Mount /Commit
• Or un-mount it, throwing the changes away
  - Dism /Unmount-Wim /MountDir:C:\WinPE\Mount /Discard
• Build the ISO
  - oscdimg -n -h -betfsboot.com C:\WinPE\ISO C:\WinPE\Boot.iso
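The whole WinPE build (copype, mount, add imagex.exe, unmount, oscdimg) as one script, added here as an example that is not part of the presentation. It mounts the boot.wim that oscdimg will actually boot rather than the winpe.wim copy, so there is no second copy step to forget, and it discards the mount if the copy of imagex.exe fails. The architecture, the WAIK install path and the working folder are assumptions.

```powershell
# Added example (not from the presentation): build a bootable WinPE 3.0 ISO
# with ImageX inside it. Architecture, WAIK path and working folder are
# assumptions; copype.cmd, dism.exe and oscdimg.exe come from the WAIK.
$Arch    = 'x86'
$WaikDir = 'C:\Program Files\Windows AIK\Tools'
$WinPE   = 'C:\WinPE'
$Mount   = Join-Path $WinPE 'Mount'
$BootWim = Join-Path $WinPE 'ISO\sources\boot.wim'

# copype refuses to run if the target folder exists (the slide's error message).
if (Test-Path $WinPE) { throw "copype requires that $WinPE does not exist" }

& "$WaikDir\PETools\copype.cmd" $Arch $WinPE
if ($LASTEXITCODE -ne 0) { throw "copype failed with exit code $LASTEXITCODE" }

# winpe.wim is the image copype gives you; the ISO boots ISO\sources\boot.wim.
New-Item -ItemType Directory -Path (Split-Path $BootWim) -Force | Out-Null
Copy-Item (Join-Path $WinPE 'winpe.wim') $BootWim -Force
New-Item -ItemType Directory -Path $Mount -Force | Out-Null

& dism.exe /Mount-Wim /WimFile:"$BootWim" /Index:1 /MountDir:"$Mount"
if ($LASTEXITCODE -ne 0) { throw "DISM /Mount-Wim failed with exit code $LASTEXITCODE" }

# Only commit if the change actually landed; otherwise leave the image untouched.
try {
    Copy-Item "$WaikDir\$Arch\imagex.exe" "$Mount\Windows\imagex.exe" -ErrorAction Stop
    $UnmountMode = '/Commit'
} catch {
    Write-Warning "Could not add imagex.exe ($_); discarding the mount"
    $UnmountMode = '/Discard'
}
& dism.exe /Unmount-Wim /MountDir:"$Mount" $UnmountMode
if ($LASTEXITCODE -ne 0) {
    throw "DISM /Unmount-Wim $UnmountMode failed; check DISM /Get-MountedWimInfo and run DISM /Cleanup-Wim"
}
if ($UnmountMode -eq '/Discard') { throw 'WinPE was not modified; fix the ImageX path and rerun' }

# copype places etfsboot.com in the working folder, which is why the slide's
# oscdimg line uses the bare "-betfsboot.com"; here the path is made explicit.
& "$WaikDir\$Arch\oscdimg.exe" -n -h "-b$WinPE\etfsboot.com" "$WinPE\ISO" "$WinPE\WinPE.iso"
if ($LASTEXITCODE -ne 0) { throw "oscdimg failed with exit code $LASTEXITCODE" }
"Built $WinPE\WinPE.iso"
```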

Capturing an image:
• It's time to create the image from the C: volume
• Within WinPE type:
  - imagex /capture c: c:\name.wim "description"
• Across the network
  - I have a server named WDS and a shared folder "Images"
  - Open a command prompt
  - net use W: \\WDS\Images
  - imagex /capture c: w:\name.wim "description"
  - imagex /capture c: w:\Win7Ult.wim "Windows 7 Ultimate"

Files and folders ImageX excludes by default:
• Windows\CSC (offline files)
• RECYCLER
• System Volume Information
• pagefile.sys
• hiberfil.sys
• $ntfs.log

• Compress your image: fast (default), none or maximum
  - imagex /capture /compress <fast|none|maximum> c: c:\mkt.wim "Mkt Apps"
  - A Win7 image not compressed = 3.65 GB (35 mins)
  - A Win7 image with fast compression = 2.32 GB (45 mins)
  - A Win7 image with max compression = 2.24 GB (90+ mins)

Applying an image:
• Boot the target machine into WinPE
• Copy the image to the new C: partition
  - imagex /apply c:\imagename.wim 1 c:
• Apply the image from a mapped drive (W:)
  - imagex /apply w:\imagename.wim 1 c:
• Must apply the image to the same partition it was created from

• What happens if you're not the one who created the image?
• How do you know what is in it?
  - Drivers
  - Packages
  - Applications
• Getting information on .wims

• In the past we had ImageX
  - imagex /info <path to image file>
  - For example: imagex /info c:\wims\install.wim
• NOW we can use DISM
  - Dism /Get-WimInfo /WimFile:<path to image file>
  - Another example: Dism /Get-WimInfo /WimFile:c:\wims\install.wim
• Document, document, document!

• What you can do to a mounted image
  - Dism /Image:c:\mount\win7 /?
• Add all drivers from a folder:
  - Dism /Image:C:\winpe\mount /Add-Driver /Driver:C:\drivers\
• Add all drivers from a top-level folder and all folders below:
  - Dism /Image:C:\winpe\mount /Add-Driver /Driver:C:\drivers /Recurse
• Add a specific driver:
  - Dism /Image:C:\winpe\mount /Add-Driver /Driver:C:\drivers\mydriver.inf
• Get a listing of drivers:
  - Dism /Image:C:\winpe\mount /Get-Drivers
  - Dism /Image:C:\winpe\mount /Get-Drivers /Format:Table
• Get driver information:
  - Dism /Image:C:\winpe\mount /Get-DriverInfo /Driver:C:\test\drivers\usb\usb.inf
• Remove a driver:
  - Dism /Image:C:\winpe\mount /Remove-Driver /Driver:oem1.inf
• Remove multiple drivers:
  - Dism /Image:C:\winpe\mount /Remove-Driver /Driver:oem1.inf /Driver:oem2.inf

Driver injection walk-through:
• Mount install.wim
  - Dism /Mount-Wim /WimFile:C:\wims\install.wim /Index:5 /MountDir:C:\Mount
• Add drivers from C:\Drivers
  - Dism /Image:C:\Mount /Add-Driver /Driver:C:\Drivers
• List your drivers
  - Dism /Image:C:\Mount /Get-Drivers
• List your drivers in table format
  - Dism /Image:C:\Mount /Get-Drivers /Format:Table
• Un-mount install.wim
  - Dism /Unmount-Wim /MountDir:C:\Mount /Commit

• Check the status of your .wim
• Get mounted .wim information
  - Dism /Get-MountedWimInfo
  - OK – good
  - Needs remount:
    Dism /Remount-Wim /MountDir:<target_mount_directory>
  - If that doesn't work you'll need to clean up the wim:
    Dism /Cleanup-Wim
    Then remount
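The driver walk-through and the mount-status check above, combined into one script; this is an added example, not code from the presentation. It clears a stale mount left by an interrupted run before mounting (the situation DISM /Get-MountedWimInfo and /Cleanup-Wim exist for), adds a driver folder recursively, lists what was injected, and commits only when every step succeeded. Paths and the image index are assumptions; unsigned drivers are deliberately left to fail rather than forced in with /ForceUnsigned.

```powershell
# Added example (not from the presentation): inject a folder of drivers into
# one index of install.wim and leave no orphaned mount behind. The WIM path,
# image index, mount folder and driver folder are assumptions. Run elevated.
$Wim     = 'C:\wims\install.wim'
$Index   = 5
$Mount   = 'C:\Mount'
$Drivers = 'C:\Drivers'

function Invoke-Dism {
    # Runs dism.exe with the given arguments and turns a non-zero exit into an error.
    param([string[]]$DismArgs)
    & dism.exe @DismArgs
    if ($LASTEXITCODE -ne 0) { throw "DISM $($DismArgs[0]) failed (exit code $LASTEXITCODE)" }
}

# A mount left over from an earlier, interrupted run blocks a new mount at the
# same folder. Discard it; if DISM can no longer talk to it, clean up the mount table.
$MountInfo = (& dism.exe /Get-MountedWimInfo) -join "`n"
if ($MountInfo -match [regex]::Escape($Mount)) {
    Write-Warning "$Mount is still in use by a previous mount; discarding it"
    & dism.exe /Unmount-Wim /MountDir:"$Mount" /Discard
    if ($LASTEXITCODE -ne 0) { Invoke-Dism @('/Cleanup-Wim') }
}

New-Item -ItemType Directory -Path $Mount -Force | Out-Null
Invoke-Dism @('/Mount-Wim', "/WimFile:$Wim", "/Index:$Index", "/MountDir:$Mount")

try {
    # /Recurse walks every subfolder of $Drivers, the same as the slide's
    # "top level folder and all folders below" command.
    Invoke-Dism @("/Image:$Mount", '/Add-Driver', "/Driver:$Drivers", '/Recurse')

    # Injected third-party drivers are published as oemN.inf; show just those rows.
    $Table = & dism.exe "/Image:$Mount" /Get-Drivers /Format:Table
    $Table | Where-Object { $_ -match '^oem\d+\.inf' } | ForEach-Object { "injected: $_" }

    Invoke-Dism @('/Unmount-Wim', "/MountDir:$Mount", '/Commit')
} catch {
    # Never commit a half-serviced image: throw the changes away and re-raise.
    Write-Warning "Servicing failed: $_"
    & dism.exe /Unmount-Wim /MountDir:"$Mount" /Discard
    throw
}
```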

Answer files:
• No more setup monkey… next, next, next
• Answer files help to create consistent installations
• Remember unattend.txt and winnt.sif from Windows XP?
  - W-7's autounattend.xml = XP's unattend.txt/winnt.sif
• Remember Setup Manager from Windows XP?
  - W-7's Windows System Image Manager (aka Windows SIM or WSIM) = XP's Setup Manager
• Add third-party drivers and applications via the answer file

Creating an answer file in WSIM:
• Open an image file (install.wim)
  - OR
• Open an existing catalog file
• Choose to create a new answer file
• Choose the components to configure
• Configure the components
• Validate the answer file
• Fix any issues until there are no error messages
• Save the answer file

[Screenshot: WSIM layout – Distribution Share pane, Answer File pane, Properties pane, Windows Image pane, Messages pane]

• Open the Windows System Image Manager (Windows SIM)
  - Click the Start button -> All Programs -> Microsoft Windows AIK -> Windows System Image Manager
• Open the install.wim file you copied from the Windows 7 product DVD
  - In the bottom left corner right-click "Select a Windows image or catalog file" and choose Select Windows Image… (or from the File menu)
  - Browse to the folder where you copied the install.wim to
  - OR
  - Open a catalog file directly from the Windows 7 DVD's \Sources folder

[Screenshot: WSIM asks whether to create a catalog file] This is expected; click Yes to create a catalog.

• A catalog is a binary file that contains all the component settings in a Windows image file (.wim) which can be customized in an answer file
• Create the catalog for the OS you are creating the answer file for
  - You wouldn't want to attempt to configure BitLocker for Win7 Business
• The catalog will have a .clg extension and is created in the same directory as the .wim you opened
• Catalog files are typically 5 MB in size

[Screenshot: catalog opened in WSIM]

Windows 7 installations are performed in stages… These stages are called configuration passes. There are 7, but not all passes must be run.

[Screenshots: settings applied in the Windows PE configuration pass (1)]

2 reboots

[Screenshots: settings that can be applied in either the Specialize configuration pass (4) or the oobeSystem configuration pass (7)]

• There are three passwords that may be put in an answer file:
  - Microsoft-Windows-Shell-Setup | AutoLogon | Password
  - Microsoft-Windows-Shell-Setup | UserAccounts | AdministratorPassword
  - Microsoft-Windows-Shell-Setup | UserAccounts | LocalAccounts | LocalAccount
• Passwords are hidden by default
  - Tools menu -> Hide Sensitive Data

• Validating the answer file compares the setting values you have input to a list of valid entries for the image
• If a setting you have input does not match one of the valid entries for the image, an error message will be displayed in the bottom right corner under Messages

[Screenshot: Messages pane at the bottom of WSIM]

• Double-click the component location to go directly to the setting with the error; correct until you see:
[Screenshot: validation result in the Messages pane]

[Screenshot: Windows Setup error dialog]
  Windows could not parse or process the unattend answer file for pass [specialize]. The settings specified in the answer file cannot be applied. The error was detected while processing settings for component [Microsoft-Windows-Shell-Setup].

[Diagram: migration flow – (1) upgrade applications on the XP SP2/SP3 client, (2) run ScanState and store the state locally or across the network on the deployment server, (3) install Windows 7, (4) install applications, (5) run LoadState]

USMT 4.0 supported operating systems:

OS Supported                           ScanState   LoadState
Windows XP Professional                X
Windows XP Professional x64 Edition    X
32-bit versions of Windows Vista       X           X
64-bit versions of Windows Vista       X           X
32-bit versions of Windows 7           X           X
64-bit versions of Windows 7           X           X

• Can: migrate a 32-bit OS to a 64-bit OS
• Cannot: migrate a 64-bit OS to a 32-bit OS
• Can: migrate from XP SP2 / SP3
• Not supported on:
  - Any of the Windows Server OSs
  - Starter editions of Windows XP, Windows Vista or Windows 7

• USMT must be run in Administrator mode
  - Right-click a command prompt and choose "Run as Administrator"
  - OR
  - If you don't log on with an administrator account then the only user profile that will be migrated is the one you logged on as

USMT migration XML files:
• MigUser.xml
• MigApp.xml
• MigDocs.xml

• MigUser.xml
  - Rules to migrate user profiles and data
  - Describes a "core" migration
  - Folders that will be migrated:
    My Documents, My Video, My Music, My Pictures, Desktop files, Start menu, Quick Launch settings, Favorites

• All Users profile
  - Windows XP
  - Public profile in Vista or Windows 7
  - Shared Documents, Shared Video, Shared Music, Shared desktop files, Shared Pictures, Shared Start menu, Shared Favorites

• File types migrated by MigUser.xml:
  .accdb .ch3 .csv .dif .doc* .dot* .dqy .iqy .mcw .mdb* .mpp .one* .oqy .or6 .pot* .ppa .pps* .ppt* .pre .pst .pub .qdf .qel .qph .qsd .rqy .rtf .scd .sh3 .slk .txt .vl* .vsd .wk* .wpd .wps .wq1 .wri .xl* .xla .xlb .xls*

Settings migrated:
• Accessibility settings
• Address book
• Command-prompt settings
• *Desktop wallpaper
• EFS files
• Favorites
• Folder options
• Fonts
• Users, groups and group memberships
• *Windows Internet Explorer settings
• Microsoft Open Database Connectivity (ODBC) settings
• Mouse and keyboard settings
• Network drive mapping
• *Network printer mapping
• *Offline files
• *Phone and modem options
• RAS connection and phone book (.pbk) files
• *Regional settings
• Remote Access
• *Taskbar settings
• Windows Mail
  - Microsoft Outlook Express Mail (.dbx) files are migrated from Windows XP
• *Windows Media Player
• Windows Rights Management
* Settings not available for offline migration

• MigUser.xml
  - The following does not migrate with MigUser.xml: files outside the user profile that don't match any file extensions listed in MigUser.xml

Applications whose settings USMT 4.0 migrates:
• Adobe Acrobat Reader 9
• AOL Instant Messenger 6.8
• Apple iTunes 7, 8
• Apple QuickTime Player 7
• Apple Safari 3.1.2
• Google Chrome beta
• Google Picasa 3
• Google Talk beta
• IBM Lotus 1-2-3 9.8
• IBM Lotus Notes 8
• IBM Lotus Organizer 9.8
• IBM Lotus WordPro 9.8
• Intuit Quicken 2009
• Money Plus Business 2008
• Money Plus Home 2008
• Microsoft Office Access 2003, 2007
• Microsoft Office Excel 2003, 2007
• Microsoft Office FrontPage 2003, 2007
• Microsoft Office OneNote 2003, 2007
• Microsoft Office Outlook 2003, 2007
• Microsoft Office PowerPoint 2003, 2007
• Microsoft Office Publisher 2003, 2007
• Microsoft Office Word 2003, 2007
• Microsoft Outlook Express (mailbox file)
• Microsoft Project 2003, 2007
• Microsoft Office Visio 2003, 2007
• Microsoft Works 9
• Mozilla Firefox 3
• Opera Software Opera 9.5
• RealPlayer Basic 11
• Sage Peachtree 2009
• Skype 3.8
• Windows Live Mail 12, 14
• Windows Live Messenger 8.5, 14
• Windows Live MovieMaker 14
• Windows Live Photo Gallery 12, 14
• Windows Live Writer 12, 14
• Windows Mail (Vista only)
• Yahoo Messenger 9
• Zune 3

• Cannot migrate from/to a different version of an application
  - Except for Microsoft Office: USMT can migrate from an earlier version to a later one
  - Microsoft Project settings are not migrated from Office 2003 to Office 2007

What is not migrated:
• Mapped network drives
• Local printers
• Hardware-related settings
• Drivers
• Passwords
• Application binary files
• Synchronization files
• DLL files
• Executable files
• Permissions for shared folders
• Languages must match
• Customized icons for shortcuts
• Taskbar settings (migrating from XP)

• Internet Connection Firewall check box and settings are migrated
• Internet Connection Sharing setting is not migrated
  - Could make the network less secure if migrated to the destination computer
• The firewall advanced-configuration settings are not migrated because of increased security risks
• The Network Connections user interface does not refresh properly until you log off or press F5

• Data residing on USB hard disks will be migrated
• Data residing on USB flash drives (UFD) will not be included when you specify the /localonly option

• Running ScanState
  - Command prompt
  - scanstate C:\<path to store data>
  - scanstate C:\USMT
  - scanstate C:\USMT /auto
  - scanstate C:\USMT /auto /hardlink /nocompress
• Running LoadState
  - loadstate C:\<path to store data>
  - loadstate C:\USMT
  - loadstate C:\USMT /auto
  - loadstate C:\USMT /auto /hardlink /nocompress

Migration store types:
• Uncompressed (UNC)
  - Mirror image of the folder hierarchy being migrated
  - Settings are stored in a catalog file that also describes how to restore files on the destination computer
• Compressed
  - A single image file that contains all files being migrated and a catalog file
  - You can encrypt and protect this file with a password
• Hard-link
  - A map that defines how a collection of bits on the hard disk are to be migrated. These files remain fully intact
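The ScanState/LoadState pair above, run against a compressed store on the deployment server with the encryption the "Compressed" store type offers, as an added example that is not part of the presentation. A migration store holds every user's documents and profile, so when it leaves the machine it is worth protecting: the script generates a random key per migration, restricts the key file to administrators, and uses /encrypt on the way out and /decrypt on the way back in. Server name, share, USMT path and architecture are assumptions; the key file has to be carried to the Windows 7 target for the Load phase.

```powershell
# Added example (not from the presentation): ScanState with an encrypted,
# compressed store on a file server, and the matching LoadState. USMT 4.0
# path, server and share names are assumptions. Run elevated (USMT needs it).
param([ValidateSet('Scan', 'Load')][string]$Phase = 'Scan')

$UsmtDir = 'C:\USMT\x86'                         # amd64 on a 64-bit client
$Store   = "\\WDS\USMT\$env:COMPUTERNAME"        # one store folder per machine
$KeyFile = 'C:\USMT\store.key'
$LogDir  = 'C:\USMT\Logs'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

if ($Phase -eq 'Scan') {
    # One random key per migration. LoadState needs the same key later, so the
    # file is kept but readable only by SYSTEM and Administrators.
    $Bytes = New-Object byte[] 32
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($Bytes)
    Set-Content -Path $KeyFile -Value ([Convert]::ToBase64String($Bytes)) -Encoding ASCII
    & icacls.exe $KeyFile /inheritance:r /grant:r 'SYSTEM:F' 'Administrators:F' | Out-Null

    # /encrypt needs a compressed store, so the slide's /hardlink /nocompress
    # variant is not combined with it. /o overwrites an older store, /c keeps
    # going past non-fatal errors, /l and /v give a log to review afterwards.
    $UsmtArgs = @($Store, "/i:$UsmtDir\MigApp.xml", "/i:$UsmtDir\MigDocs.xml",
                  '/o', '/c', '/encrypt', "/keyfile:$KeyFile", "/l:$LogDir\scan.log", '/v:5')
    & "$UsmtDir\scanstate.exe" @UsmtArgs
} else {
    if (-not (Test-Path $KeyFile)) { throw "Key file $KeyFile missing; copy it from the source machine first" }
    $UsmtArgs = @($Store, "/i:$UsmtDir\MigApp.xml", "/i:$UsmtDir\MigDocs.xml",
                  '/c', '/decrypt', "/keyfile:$KeyFile", "/l:$LogDir\load.log", '/v:5')
    & "$UsmtDir\loadstate.exe" @UsmtArgs
}

if ($LASTEXITCODE -ne 0) {
    throw "$Phase phase failed with USMT return code $LASTEXITCODE; see the log in $LogDir"
}
"$Phase phase finished; store at $Store"
```

Run it as `.\migrate.ps1 -Phase Scan` on the XP machine and `.\migrate.ps1 -Phase Load` on the freshly deployed Windows 7 machine after the applications are installed.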

Volume Activation:
• Guarantees you are running a genuine Windows OS
• Activation ensures the Windows Genuine Advantage (WGA) ActiveX control is valid
• OSs that require activation
  - Vista
  - Server 2008
  - Windows 7
  - Server 2008 R2
• Online validation experience unchanged

• Multiple Activation Key (MAK)
  - One key, multiple activations
  - Each client connects to Microsoft to activate
  - 30-day initial activation period
  - Can be reset 3 times
    slmgr -rearm
• Key Management Service (KMS)
  - Requires a KMS server
  - KMS server activates with Microsoft directly
  - Volume license clients activate with the internal KMS server

[Diagram: the KMS server in Deployment.Com activates with the Microsoft activation server; clients activate with the KMS server]

• Service License Manager (SLMGR)
  - \System32 folder (Vista and later OSs)
• Volume license software does NOT prompt for a license key
  - The license key is built into the software
• Turn KMS on
  - slmgr -ipk INPUTKEY
  - slmgr -ipk 11111-22222-33333-44444-55555
• The same KMS key can be used 6 times
  - Build 6 different KMS servers using the same key
• KMS servers can be re-activated 9 times
  - Re-build a KMS server

• KMS server MUST activate with Microsoft
  - Activate online: slmgr -ato
  - Activate via the phone: slui 4

• Single domain
  - 1 SRV record created in DNS
• 1 KMS servicing multiple domains
  - Default behavior: the SRV record is published in the domain the KMS server is a member of
  - Manually create SRV records in DNS
  - OR
  - HKLM\Software\Microsoft\Windows NT\CurrentVersion\SL
    New multi-string value named DnsDomainPublishList
    Add each DNS domain suffix on its own line (Deployment.Com)

[Diagram: one KMS server publishing SRV records in both Deployment.Com and Bigfirm.Com]

• Volume media: 30-day initial grace period
  - If activation does not occur AND activation has not been reset, activation is attempted every 2 hours
• Once activated
  - Activation is good for 6 months
  - Renews activation every 7 days

• Directly connect clients to a specific KMS server
  - slmgr -skms kms_FQDN
  - Example: slmgr -skms kms_WDS.Deploy.Com
  - OR slmgr -skms kms_10.10.10.5
• The default port is TCP 1688; to change it type:
  - slmgr -skms kms_10.10.10.5:2050

KMS discovery:
• Performed by DNS queries
  - KMS server registers SRV records in DNS (vlmcs)
  - Client queries DNS asking for all vlmcs SRV records
  - A random list is sent
  - Client chooses one of the KMS servers
  - Connection is successful: client caches this KMS server for future activation attempts
  - Connection fails: client chooses another KMS server until it finds one
• Weight and priority now COUNT! W7 / 2008 R2 clients only

Does the DNS server have to be Microsoft DNS?
• No
  - But it can be (recommended)
• Requirements: support for SRV records (RFC 2782) and for dynamic updates (RFC 2136)
  - BIND 8.x & 9.x

KMS improvements:
• Performance
  - Modified hardware tolerance values to reduce the number of reactivations
  - Count virtual systems towards the KMS activation threshold
  - Improved KMS discovery through the DNS suffix list
• Reliability
  - Improved notifications, clarified error messages and troubleshooting instructions
  - Multiple improvements in WMI for SLSVC
• Compatibility
  - Updated tools to support Windows 7
  - Single KMS for multiple operating systems

Monitoring KMS:
• System Center Configuration Manager 2007
• System Center Operations Manager 2007
  - Alerts for major conditions: initialization issues, DNS SRV record registration failures
  - Reports client activations
  - Monitors license conditions and asset intelligence
  - Uses WMI to capture data
  - Health of the KMS service
• Event logs on KMS and clients
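A client-side check that ties the discovery slide and the monitoring slide together, added here as an example that is not part of the presentation: it reads the activation state from the same SoftwareLicensing WMI classes the management tools use, reports whether the KMS host came from DNS discovery or was pinned with slmgr -skms, confirms the host answers on TCP 1688 (or the configured port), and pulls the last KMS request/response events from the client's Application log. The domain name in the nslookup hint is an assumption.

```powershell
# Added example (not from the presentation): report a KMS client's activation
# state, which KMS host it uses and whether that host is reachable. Uses the
# SoftwareLicensingService / SoftwareLicensingProduct WMI classes present on
# Vista and later. The DNS domain in the final hint is an assumption.
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'   # application ID of Windows itself
$StatusNames  = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'Initial grace period'
                   3 = 'Additional grace period'; 4 = 'Non-genuine grace period'
                   5 = 'Notification'; 6 = 'Extended grace period' }

$Product = Get-WmiObject SoftwareLicensingProduct |
    Where-Object { $_.ApplicationId -eq $WindowsAppId -and $_.PartialProductKey } |
    Select-Object -First 1
$Service = Get-WmiObject SoftwareLicensingService

"{0}: {1}" -f $Product.Name, $StatusNames[[int]$Product.LicenseStatus]
if ($Product.LicenseStatus -ne 1) {
    # GracePeriodRemaining is in minutes; the slide's 30-day / 6-month figures are days.
    "Grace period remaining: {0} days" -f [math]::Round($Product.GracePeriodRemaining / 1440, 1)
}

# A host pinned with slmgr -skms wins over DNS discovery, so report which one is in play.
$KmsHost = $Service.KeyManagementServiceMachine
$KmsPort = $Service.KeyManagementServicePort
if ($KmsHost) {
    "KMS host pinned with slmgr -skms: $KmsHost"
} else {
    $KmsHost = $Service.DiscoveredKeyManagementServiceMachineName
    $KmsPort = $Service.DiscoveredKeyManagementServiceMachinePort
    "KMS host found through DNS discovery: $KmsHost"
}
if (-not $KmsPort) { $KmsPort = 1688 }   # the slide's default port

if ($KmsHost) {
    $Client = New-Object System.Net.Sockets.TcpClient
    try     { $Client.Connect($KmsHost, $KmsPort); "TCP $KmsPort on $KmsHost is reachable" }
    catch   { Write-Warning "Cannot reach $KmsHost on TCP ${KmsPort}: $($_.Exception.Message)" }
    finally { $Client.Close() }
} else {
    Write-Warning 'No KMS host known yet; check the SRV record with: nslookup -type=srv _vlmcs._tcp.deployment.com'
}

# Client-side activation events: 12288 = request sent to KMS, 12289 = response received.
Get-EventLog -LogName Application -Source 'Microsoft-Windows-Security-SPP' -Newest 50 -ErrorAction SilentlyContinue |
    Where-Object { (12288, 12289) -contains $_.EventID } |
    Select-Object -First 5 |
    Format-Table TimeGenerated, EventID, Message -AutoSize
```

A client stuck in "Notification" with a reachable host usually means the KMS host has not yet reached its activation threshold, whereas an unreachable host points at DNS, firewall (TCP 1688) or a stale -skms entry.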

• Can be installed on:
  - XP SP2
  - Server 2003 SP1
  - Vista
  - Windows 7
  - Server 2008
  - Server 2008 R2

[Diagram: MDT process – (1) Windows 7 DVD imported into the MDT deployment server, (2) reference image built with MDT WinPE and stored, (3) custom MDT WinPE downloads the image, (4) XP SP2/SP3 targets]

MDT deployment scenarios:
• Bare metal
  - New machines
• Refresh
  - Keeping the old hardware; refreshing the OS on the existing machine
• Replace
  - Replacing existing hardware with new, maintaining the user's settings and data
• Upgrade
  - Unless you're upgrading from Vista there is no upgrade path

[Diagram: bare metal – (1) Windows 7 reference machine, (2) imaging tool (MDT, ImageX or WDS Capture), (3) deployment server, (4) targets]

[Diagram: refresh / replace – (1) upgrade applications on the XP SP2/SP3 machine, (2) store user data and settings on the deployment server, (3) install Windows 7, (4) install applications, (5) restore user settings and data]

MDT deployment image, bare metal:
• Pro: no network connectivity needed
• Con: no version control

MDT 2010 requirements:
• Operating system must be:
  - Vista SP1
  - Windows 7
  - Server 2003 SP2
  - Server 2008
  - Server 2008 R2
• Windows Automated Installation Kit (WAIK) 2.0
• Required software is included in the WAIK
  - .NET Framework 2.0
  - MSXML 6.0
  - MMC 3.0 if Server 2003

• New default installation of W7
  - 2 partitions
    (hidden): Bootmgr and friends
    C:\Windows
• All commands are PowerShell
• New .vhd image format
  - NOT supported in MDT 2010
  - .wims only

MDT workflow:
• Create a deployment share
• Import OSs
• Add applications
• Add drivers
• Add patches
• Create a task sequence
• Update the deployment share
• Deploy

• The deployment share is the shared folder on the deployment server where target machines connect to perform the deployment
• You must create it
  - The old MDT created it for you, but it put it on the C: drive
  - Now you decide where to create it

[Diagram: MDT deployment server hosting the deployment share]

Supported OSs:
• XP SP3
• Vista SP1 or later
• Windows 7
• Windows Server 2003 R2
• Windows Server 2008 & R2

Drivers:
• 3rd-party drivers

Packages:
• OS patches
• Language packs

Task sequence:
• A list of tasks to be run in order to complete the deployment
• The order in which the tasks will be run
• Run task sequences in two different ways
  - Standard Client TS
    LiteTouchPE_x86.iso
    Within XP

TASK SEQUENCE TEMPLATE NAME   DESCRIPTION
Sysprep and Capture TS        Syspreps and reboots into WinPE, then runs ImageX to capture an image of the machine.
Standard Client TS            Deploys a desktop operating system, applications, drivers and patches.
Standard Client Replace TS    Backs up the target machine before deploying an image, including gathering user state information.
Custom Task Sequence TS       Task sequence you create that deploys applications, drivers and packages to a machine that already contains an operating system.
Lite Touch OEM TS             Used by OEMs to deploy OS images to target machines en masse.
Standard Server TS            Basic server task sequence that will deploy a server operating system, applications, drivers and patches to a target server (including roles like DNS, AD and DHCP).
Post OS Installation TS       Performs installation tasks after the operating system is deployed to a target machine.

Deploying:
• Boot the MDT WinPE
  - CD
  - DVD
  - External hard drive
  - UFD (USB flash device)
• Run the Deployment Wizard

Customizing the Deployment Wizard:
• Choose which pages are displayed during the deployment
• Suppress the pages you do not want anyone to change or see, like:
  - Product key
  - Administrator's password

• Properties of your deployment share
  - Rules tab
  - F:\DeploymentShare\Control\CustomSettings.ini

[Settings]
Priority=Default

[Default]
DeployRoot=\\DeploySrv\DeploymentShare$
SkipBDDWelcome=YES

[Settings]
Priority=Default

[Default]
_SMSTSORGNAME=DeploymentDr
OSInstall=Y
SkipTaskSequence=YES
TaskSequenceID=W7X64
SkipComputerName=YES
ComputerName=%SerialNumber%
SkipUserData=YES
SkipLocaleSelection=YES
KeyboardLocale=en-US
UserLocale=en-US
UILanguage=en-US
SkipTimeZone=YES
TimeZoneName=Eastern Standard Time
SkipApplications=YES
SkipCapture=YES
SkipAppsOnUpgrade=YES
SkipAdminPassword=YES
AdminPassword=Swordfish1
SkipProductKey=YES
ProductKey=11111-22222-33333-44444-55555
SkipBitLocker=YES
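The rules file above carries AdminPassword and ProductKey in clear text, and the answer-file slide earlier noted that WSIM can "Hide Sensitive Data"; that hiding is base64 encoding, not encryption, so any account that can read the share can recover both. The following audit script, added here as an example that is not part of the presentation, walks a deployment share and reports where such values sit and who can read them. It serves both the answer-file password slide and this CustomSettings.ini slide. The share path and the list of MDT property names it looks for are assumptions.

```powershell
# Added example (not from the presentation): find credentials and product keys
# stored in the clear in an MDT deployment share. Checks Control\*.ini for the
# password / key properties, unattend.xml files for passwords (PlainText=true
# or merely base64-hidden), and the ACL on the Control folder. The share path
# and the property names are assumptions.
function Find-DeploymentSecrets {
    param([string]$Root = 'F:\DeploymentShare')
    $Findings = @()
    $IniKeys  = 'AdminPassword', 'UserPassword', 'DomainAdminPassword', 'ProductKey', 'OverrideProductKey'
    $Control  = Join-Path $Root 'Control'

    # 1. CustomSettings.ini / Bootstrap.ini: sensitive properties that have a value
    Get-ChildItem -Path $Control -Filter *.ini -ErrorAction SilentlyContinue | ForEach-Object {
        $File = $_.FullName; $LineNo = 0
        foreach ($Line in Get-Content $File) {
            $LineNo++
            if ($Line -match '^\s*([A-Za-z_]+)\s*=\s*\S' -and $IniKeys -contains $Matches[1]) {
                $Findings += New-Object PSObject -Property @{
                    File = $File; Where = "line $LineNo"; Setting = $Matches[1]
                    Issue = 'clear-text value in MDT rules' }
            }
        }
    }

    # 2. unattend.xml / autounattend.xml anywhere under the share
    Get-ChildItem -Path $Root -Recurse -Include unattend.xml, autounattend.xml -ErrorAction SilentlyContinue | ForEach-Object {
        $File = $_.FullName
        [xml]$Xml = [System.IO.File]::ReadAllText($File)
        $Nsm = New-Object System.Xml.XmlNamespaceManager $Xml.NameTable
        $Nsm.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')
        # The three password locations named on the answer-file slide.
        $Query = '//u:AdministratorPassword | //u:LocalAccount/u:Password | //u:AutoLogon/u:Password'
        foreach ($Node in $Xml.SelectNodes($Query, $Nsm)) {
            $Plain = $Node.SelectSingleNode('u:PlainText', $Nsm)
            $Issue = if ($Plain -ne $null -and $Plain.InnerText -eq 'true') {
                'password stored with PlainText=true'
            } else {
                'password hidden by WSIM (base64 only, not encrypted)'
            }
            $Findings += New-Object PSObject -Property @{
                File = $File; Where = $Node.ParentNode.LocalName; Setting = $Node.LocalName; Issue = $Issue }
        }
        foreach ($Key in $Xml.SelectNodes('//u:ProductKey/u:Key | //u:ProductKey[not(*)]', $Nsm)) {
            $Findings += New-Object PSObject -Property @{
                File = $File; Where = $Key.ParentNode.LocalName; Setting = 'ProductKey'; Issue = 'product key in answer file' }
        }
    }

    # 3. Broad read access on Control\ is what turns the findings above into an exposure.
    if (Test-Path $Control) {
        $Broad = (Get-Acl $Control).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -match 'Everyone|Authenticated Users|Domain Users|\\Users$'
        }
        foreach ($Ace in $Broad) {
            $Findings += New-Object PSObject -Property @{
                File = $Control; Where = 'ACL'; Setting = $Ace.IdentityReference.Value
                Issue = "broad access: $($Ace.FileSystemRights)" }
        }
    }
    $Findings
}

Find-DeploymentSecrets -Root 'F:\DeploymentShare' | Format-Table File, Where, Setting, Issue -AutoSize
```

Run it against the share after every "Update Deployment Share"; the usual fixes are to give the deployment account only the rights it needs on the share, and to keep the administrator password out of the rules by letting the wizard page stay visible or by using a dedicated deployment-time password that is rotated after the task sequence finishes.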

Selection profiles:
• Selection profiles allow you to group MDT components
• The grouped MDT components can be used for different reasons
• The MDT components you group will determine what you can do with the selection profile:
  - Group drivers and packages to inject into the MDT-generated WinPEs
  - Group drivers to inject into an OS task sequence
  - Control which MDT components are included in "media"
  - Group MDT components to replicate (and keep in sync) to other deployment shares
  - Pick and choose which TS and applications appear in the Deployment Workbench

• Right-click Selection Profiles
• Choose New Selection Profile
• Choose your components

Media:
• Media allows you to create a fully deployable image complete with OS, applications, drivers, packages and task sequences that can be deployed with NO NETWORK CONNECTIVITY
• Create media
  - First you'll need a selection profile containing the MDT components needed for deployment to a client (include everything)
  - Within the Deployment Workbench right-click Media
  - Choose New Media
  - Give it a name, choose your selection profile
  - Update media (right-click MEDIA001 and choose Update Media Content)
  - Copy the files to an external hard drive or UFD, or burn the .ISO to DVD

Linked deployment shares (LDS):
• An LDS allows you to copy a subset (or all, if you choose) of components to another machine
  - Even Windows 7 can host an LDS
  - MDT 2010 does not need to be installed on the machine
• To create an LDS
  - First create a selection profile containing all the MDT components you would like replicated
  - From within the Deployment Workbench right-click the Linked Deployment Shares node and choose New Linked Deployment Share
  - Type in the UNC path to where you want the new LDS
    \\ComputerName\Shared\FolderName

  - Choose your selection profile
  - Select one of the options:
    Merge the selected contents into the target deployment share
    OR
    Replace the contents of the target deployment share folders with those selected
  - Right-click LINKED001 and choose Replicate Content
• The contents you selected in your selection profile will be copied to the new LDS via Robocopy
• I would change the replication technology to DFS-R

[Diagram: PXE boot – (1) the bare-metal client broadcasts a discover, (2) DHCP and WDS respond and WDS consults AD/DNS, (3) the client acknowledges and boots from WDS]

Installing WDS:
• Installing WDS on a 2003 SP1 server
  - Install RIS
  - Install the patch from the WAIK: windows_deployment_services_update.exe
• Installing WDS on a 2003 SP2 server
  - Control Panel / Add/Remove Programs / Windows Components / WDS
• Installing WDS on a 2008 (& R2) server
  - Server Manager
  - Add Roles
  - Select Windows Deployment Services from the list of roles

Configuring WDS:
• WDS snap-in
• Right-click Servers, Add Server (defaults to the local server)
• Right-click your server and choose Configure Server

• Store your images on a drive other than where the OS resides

[Screenshots: WDS configuration wizard pages]
Boot images:
• The most current will always be best
• The Windows 7 boot.wim can deploy
  - Vista SP1
  - Windows Server 2003 R2
  - Windows 7
  - Server 2008 & R2
• Accidentally use a Vista or Vista SP1 boot.wim?
  - A Vista boot.wim cannot deploy W7 or 2K8 R2
  - Failure on the offline servicing pass even if it's not configured to install patches

Install images:
• Both .wim and .vhd are supported
• Adding a .wim
  - Right-click Install Images, Add Install Image
  - Image groups: single instancing occurs
• Adding a .vhd
  - Elevated command prompt
  - WDSUTIL /Add-Image /ImageFile:\\Server\Share\Win7.vhd /Server:WDSServer /ImageType:Install /ImageGroup:Windows7 /Filename:"Windows7.vhd"

Driver packages:
• Dynamic Driver Provisioning (DDP)
• Add drivers to a driver group
• Driver groups can be filtered to make the packages in the group available to a specific group of clients
  - No filters? All packages are available to all clients with matching hardware
• You define
  - Clients have access to all packages in a group
  - OR only packages that match the hardware (Plug and Play hardware)
• Filters
  - Based on the hardware of the client (manufacturer or BIOS)
  - Based on an attribute of the install image selected for the client (version or edition of the image)

Adding drivers to a boot image:
• Right-click the boot image
• Choose Add Driver Packages to Image

 The PXE protocol is an extension of DHCP
 Created by Intel as a standard, with a set of pre-boot services stored in the boot firmware
 The goal:
 Perform a network boot
 Find and download a network boot program (NBP) from a network boot server

[Screenshots: 1) Choose your OS Image]

 PXE / DHCP discovery is broadcast traffic, so it stays on the local subnet unless a relay forwards it
 DHCP – UDP port 67 (WDS also listens here for PXE requests unless DHCP is on the same server)
 PXE – UDP port 4011 (used by the WDS PXE service when it shares a server with DHCP)

 Mis-configured switch or router
 Where will the client go?
 Known clients can be configured to connect to a specific WDS server
 Or
 You could create a list of WDS servers to be presented to the client so they can manually choose which WDS server they connect to:
 Registry entry
 Restart the WDS service

 What happens when there is more than one WDS server
 But you don't want to set in stone which WDS server the client attaches to
 You want to be able to pick and choose your WDS server
 Registry setting changed on the WDS server:
HKLM\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers\BINLSVC
AllowServerSelection = 1
 Restart the WDS service:
net stop WDSServer & net start WDSServer

 3 Scenarios
1. WDS and DHCP on the same subnet, on different servers
 The client finds WDS by broadcasting
2. WDS and DHCP on different subnets
 The client must find WDS through options 66 and 67 set in DHCP (or an IP helper on the router)
3. WDS & DHCP on the same server
 The client finds WDS through option 60 in DHCP

[Diagram: WDS and DHCP on different servers: the bare-metal client broadcasts Discover; DHCP answers with an IP and WDS answers as the PXE server; the client then sends Request and receives Acknowledge]
[Diagram: WDS and DHCP on the same server: the bare-metal client broadcasts Discover; the combined DHCP/WDS server answers with an IP and the PXE referral in one Acknowledge]

 IP helpers (DHCP relay) configured properly on your switches and routers are more reliable than DHCP options
 Older PXE ROMs have issues with DHCP options 60, 66 and 67
 Options 66 & 67 are referred to as a Network Boot Referral (NBR)
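The PXE-over-DHCP exchange above (option 60 "PXEClient", the referral in options 66/67, and the three server-placement scenarios) as an added worked example. This is illustration code written for this page, not WDS's or Intel's code: it encodes the options a PXE ROM adds to its DHCPDISCOVER and sorts a server's reply into the slide's three cases. The addresses, the boot file name and the three sample offers are constructed; the outcome labels ('nbr-tftp', 'pxe-service-4011', 'await-proxydhcp') are this example's own names; only the option field is parsed, not the siaddr/file header fields a ProxyDHCP offer can also carry.

```python
"""DHCP options that carry a PXE boot referral, and what the client does with them.

Added example, not code from the deck. Handles the option field only; the
fixed siaddr/file header fields a ProxyDHCP offer may also use are left out.
"""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_VENDOR_CLASS = 53, 54, 60
OPT_TFTP_SERVER, OPT_BOOTFILE, OPT_CLIENT_ARCH = 66, 67, 93
DHCPDISCOVER, DHCPOFFER = 1, 2
PXE_SERVICE_PORT = 4011                   # WDS PXE listener when it shares a server with DHCP


def encode_options(options):
    """Serialise (code, value) pairs as DHCP TLVs after the magic cookie."""
    out = bytearray(DHCP_MAGIC)
    for code, value in options:
        if not 0 < len(value) < 256:
            raise ValueError("option %d has bad length %d" % (code, len(value)))
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob):
    """Parse TLVs into {code: value}; rejects a missing cookie or a truncated option."""
    if not blob.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(DHCP_MAGIC)
    while i < len(blob) and blob[i] != OPT_END:
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def pxe_discover_options(client_arch=0):
    """Options a PXE ROM adds to DHCPDISCOVER: type, vendor class, architecture (0 = x86 BIOS)."""
    return encode_options([
        (OPT_MSG_TYPE, bytes([DHCPDISCOVER])),
        (OPT_VENDOR_CLASS, b"PXEClient"),
        (OPT_CLIENT_ARCH, struct.pack("!H", client_arch)),
    ])


def classify_offer(blob):
    """Map a DHCPOFFER's options onto the slide's three scenarios.

    Returns (next_step, server, bootfile):
      'nbr-tftp'          options 66/67 present (WDS on another subnet): go straight to TFTP
      'pxe-service-4011'  option 60 says PXEClient but carries no referral (DHCP and WDS on
                          one server): ask the PXE service on UDP 4011 for the boot program
      'await-proxydhcp'   plain DHCP offer (WDS is a separate server on the same subnet):
                          WDS answers the same broadcast itself with a ProxyDHCP offer
    """
    opts = decode_options(blob)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        raise ValueError("not a DHCPOFFER")
    server = ""
    if OPT_SERVER_ID in opts and len(opts[OPT_SERVER_ID]) == 4:
        server = str(ipaddress.IPv4Address(opts[OPT_SERVER_ID]))
    tftp = opts.get(OPT_TFTP_SERVER, b"").decode("ascii", "replace")
    bootfile = opts.get(OPT_BOOTFILE, b"").decode("ascii", "replace")
    if tftp and bootfile:
        return ("nbr-tftp", tftp, bootfile)
    if opts.get(OPT_VENDOR_CLASS, b"").startswith(b"PXEClient"):
        return ("pxe-service-4011", server, "")
    return ("await-proxydhcp", server, "")


# Constructed sample replies, one per scenario (addresses and file name are made up).
OFFER_NBR = encode_options([
    (OPT_MSG_TYPE, bytes([DHCPOFFER])), (OPT_SERVER_ID, bytes([10, 0, 0, 5])),
    (OPT_TFTP_SERVER, b"10.0.1.20"), (OPT_BOOTFILE, rb"boot\x64\wdsnbp.com"),
])
OFFER_SAME_SERVER = encode_options([
    (OPT_MSG_TYPE, bytes([DHCPOFFER])), (OPT_SERVER_ID, bytes([10, 0, 0, 5])),
    (OPT_VENDOR_CLASS, b"PXEClient"),
])
OFFER_PLAIN = encode_options([
    (OPT_MSG_TYPE, bytes([DHCPOFFER])), (OPT_SERVER_ID, bytes([10, 0, 0, 5])),
])

if __name__ == "__main__":
    for name, offer in [("nbr", OFFER_NBR), ("same-server", OFFER_SAME_SERVER), ("plain", OFFER_PLAIN)]:
        print(name, classify_offer(offer))
```

The 'await-proxydhcp' case is also the one where any host on the subnet that answers a PXEClient broadcast gets to name the boot program, which is why pre-staging known clients and controlling server selection matter as much as they do on the following slides.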


 Unicast: Server1 sends packet 1 to client1, then to client2, then to client3 (one copy per client)
 Broadcast: Server1 sends packet 1 to all clients
 Multicast: Server1 sends packet 1 once to the clients that joined (client1, client5, client9, client22)

 Multiple Stream Transfer
 Multiple streams of traffic (fast, medium, slow)
 Optimised rates based on client connection
 Client Auto Removal
 Slower clients can be dropped to unicast or removed entirely (only in standard multicast)
 Boot Image Multicast
 Windows PE boot images can use multicast (clients with EFI)

[Diagram sequence: a multicast transmission on the WDS server: the first client joins the transmission; the server waits for other clients to join; additional clients join the stream at different transfer speeds (fastest, medium, slowest); more clients join; the last (slowest) clients complete; all clients complete and the transmission ends]

 2 ways to start creating a multicast transmission from within the WDS snap-in
 Right-click Multicast Transmissions and choose Create Multicast Transmission
 OR
 Drill down to your install image, right-click the image and choose Create Multicast Transmission

 You will need 2 unattend scripts
 WinPE phase
 Language of installation
 Keyboard layout
 Credentials for the image store
 Which image to install
 Disk configuration (partitioning)
 Where to install the image
 The rest of the installation (specialize and OOBE passes)
 Computer name
 User account
 Time zone

 WinPE script
 Store the script in the RemoteInstall\WDSClientUnattend folder
 WDS snap-in -> right-click server -> Properties -> Client tab
 Enable unattended installation
 Browse to the WinPE script
 This sets the script for all computers of that architecture

 A switch that doesn't support IGMP (snooping) floods multicast to every port, like broadcast
 The slowest computer on the switch then dictates the speed of all broadcast traffic
 Client computers that are in a sleep power state
 Windows reduces the speed of the network connection to 10 Mbps to save power
 So a client attempting to multicast an image on the same switch as a sleeping client causes severe performance problems for multicast
 The fix
 Switching hardware that supports IGMP (snooping)

 Default permissions
 Local administrator on the WDS server
 Full Control of the RemoteInstall folder
 Full Control permissions on HKEY_LOCAL_MACHINE\System
 Domain administrator (domain where the WDS server resides)
 Full Control permissions on the Service Control Point (SCP) in AD DS for the WDS server

 WDS depends on AD DS for the PXE provider to create computer accounts and service control points (SCPs) in AD
 The SCP is a child object under a WDS server's computer account object, used to store configuration data
 Identifies the server as a WDS server
 Finding the SCP - DEMO
 ADSIEdit -> find your server's computer object -> expand your server -> CN=NameOfMyServer-Remote-Installation-Services -> Properties

 Enterprise administrator
 Dynamic Host Configuration Protocol (DHCP) authorization permissions
 Admin approval
 The computer account is created using the server's authentication token (not the token of the admin performing the approval)
 WDSSERVER$ must have "Create Computer objects" on the containers / OUs where the approved pending computers will be created

 Admin approval of pending computers
 R/W to F:\RemoteInstall\MGMT
 contains Binlsvcdb.mdb
 Active Directory Users and Computers
 Create a custom task to delegate on the OU where the computer account will be created -> Write all properties on Computer objects

 ADUC
 Right-click the container or OU and go to Properties
 Click the Advanced button, add a user or group, then click the Edit button
 Under Apply to: This object and all descendant objects
 Allow "Create Computer objects", OK (3x)
 BUT now that user can create computer objects and join machines to the domain
 What if you only want someone to be able to join a machine to the domain?

 The JoinRights registry setting determines the set of security privileges
 Located at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers\BINLSVC\AutoApprove\<arch>
Name: JoinRights
Type: DWORD
Value: 0 = JoinOnly; 1 = Full

 The User registry setting determines which users have the right to join the domain
 User setting located at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers\BINLSVC\AutoApprove\<arch>
Name: User
Type: REG_SZ
Value: group or user

 Creating computer accounts against a non-English domain controller using the default User property
 Set the Auto-Add settings to use an account that does not contain extended characters
 Acceptable characters: A-Z, a-z, 0-9, \, -, and so on
 For example, if the German "Domänen-Admins" is used the Auto-Add will fail
 WDSUTIL /Set-Server /AutoAddSettings /Architecture:x86 /User:Deploy\Administrator

TASK                                 PERMISSION
Prestage a computer                  ADUC -> create a custom task to delegate on the OU where you are putting the computer account -> Write all properties on Computer objects
Add/remove image or image group      FC on F:\RemoteInstall\Images\<ImageGroup>
Disable an image                     R/W for the image (on image properties in WDS)
Add boot image                       R/W F:\RemoteInstall\Boot; R/W F:\RemoteInstall\Admin (if upgrading from a 2K3 server)
Remove boot image                    R/W F:\RemoteInstall\Boot
Manage properties on an OS image     R/W on the image's Res.rwm file, found in F:\RemoteInstall\Images\<ImageGroup>
Convert a RIPREP image               R on the original RIPREP image; R/W on %TEMP% and the destination folder
Create discover / capture image      R on the original boot image; R/W on %TEMP% and the destination folder
Create a multicast transmission      FC on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\Multicast; R on F:\RemoteInstall\Images\<ImageGroup>

 Server 2008 increased the TFTP block size from 512 bytes to 1,456 bytes to speed things up
 If your network can only carry a TFTP block size of less than 1,456 bytes this breaks WDS
 Resolution:
 Install hotfix 975710
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP
 Create a new REG_DWORD
 Name: MaximumBlockSize
 Value range: 512–1456
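The block-size negotiation the larger WDS block rides on, as an added worked example written for this page (not WDS's own TFTP code). TFTP block sizes above 512 are agreed with the RFC 2348 "blksize" option: the client asks for a size in its read request and the server may answer with any size at or below it. The example builds and parses such a request and applies a server-side cap that behaves like the MaximumBlockSize value (512 to 1456) on the slide; how WDS applies that value internally is not described on the page, so the cap logic here is this example's own. The file name in the sample request is constructed.

```python
"""TFTP read request with the RFC 2348 blksize option and a server-side cap.

Added example, not from the deck. The cap mirrors the MaximumBlockSize range on
the slide; a real WDS server's internal handling is not reproduced here.
"""
import struct

OP_RRQ, OP_ERROR, OP_OACK = 1, 5, 6
DEFAULT_BLKSIZE = 512          # what a client gets when it sends no blksize option at all
WDS_2008_BLKSIZE = 1456        # block size Server 2008 moved to (per the slide)
MIN_CAP, MAX_CAP = 512, 1456   # MaximumBlockSize value range from the slide


def build_rrq(filename, blksize=None, mode="octet"):
    """RRQ = opcode, filename NUL, mode NUL, then optional 'blksize' NUL value NUL."""
    pkt = struct.pack("!H", OP_RRQ) + filename.encode("ascii") + b"\0" + mode.encode("ascii") + b"\0"
    if blksize is not None:
        pkt += b"blksize\0" + str(blksize).encode("ascii") + b"\0"
    return pkt


def parse_rrq(packet):
    """Return (filename, mode, options) or raise ValueError on a malformed request."""
    if len(packet) < 4 or struct.unpack("!H", packet[:2])[0] != OP_RRQ:
        raise ValueError("not an RRQ")
    if not packet.endswith(b"\0"):
        raise ValueError("unterminated field")
    fields = packet[2:-1].split(b"\0")
    if len(fields) < 2 or not fields[0]:
        raise ValueError("missing filename or mode")
    filename = fields[0].decode("ascii", "replace")
    mode = fields[1].decode("ascii", "replace").lower()
    rest = fields[2:]
    if len(rest) % 2:
        raise ValueError("dangling option name")
    options = {k.decode("ascii", "replace").lower(): v.decode("ascii", "replace")
               for k, v in zip(rest[0::2], rest[1::2])}
    return filename, mode, options


def cap_blksize(requested, max_block_size=WDS_2008_BLKSIZE):
    """RFC 2348: the server may answer with any size <= the request; also clamp to the cap."""
    if not 8 <= requested <= 65464:
        raise ValueError("blksize %d outside the RFC 2348 range" % requested)
    if not MIN_CAP <= max_block_size <= MAX_CAP:
        raise ValueError("MaximumBlockSize must be %d-%d" % (MIN_CAP, MAX_CAP))
    return min(requested, max_block_size)


def build_oack(options):
    """OACK = opcode 6 followed by the accepted option name/value pairs, NUL-terminated."""
    pkt = struct.pack("!H", OP_OACK)
    for name, value in options.items():
        pkt += name.encode("ascii") + b"\0" + str(value).encode("ascii") + b"\0"
    return pkt


def serve_rrq(packet, max_block_size=WDS_2008_BLKSIZE):
    """Server side: the block size to use and the OACK to send (None when no option was asked for)."""
    _, mode, options = parse_rrq(packet)
    if mode != "octet":
        raise ValueError("boot files are transferred in octet mode")
    if "blksize" not in options:
        return DEFAULT_BLKSIZE, None
    size = cap_blksize(int(options["blksize"]), max_block_size)
    return size, build_oack({"blksize": size})


if __name__ == "__main__":
    request = build_rrq(r"boot\x64\wdsnbp.com", 1456)   # constructed sample request
    print(serve_rrq(request))                           # server at the 2008 default
    print(serve_rrq(request, max_block_size=512))       # server capped for a path that cannot carry 1456
```

A server that honours the cap answers the same request with a smaller OACK value instead of sending 1456-byte blocks the path cannot carry, which is the failure the hotfix and registry value on the slide address.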

 Renaming a machine
 Moving a machine from one domain to another
 You'll need to uninitialize & reinitialize the WDS server
 From a command prompt on the WDS server:
wdsutil /uninitialize-server
wdsutil /initialize-server /reminst:E:\RemoteInstall

 WDSCapture WinPE
 Add boot.wim from a 2K8 Server .iso
 Right-click the boot.wim and choose "Create capture image..."
 Add the new .wim file that you just created
 Sysprep the reference machine first
 -reseal (XP / 2003 sysprep)
 /generalize (Vista and later sysprep)
[Screenshot: common issue, "No volume to capture?"]

 Ensure there are no duplicate machine accounts pre-staged for the same machine
 Pre-staged using the MAC address, then the NIC is swapped into another machine
 Dual admins
 1st admin creates a computer object in ADUC
 2nd admin pre-stages a computer object with the NIC (MAC) or GUID
 The first one found is used
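The duplicate pre-staging problem above as an added worked example written for this page (not WDS code). A client can be pre-staged by its GUID (shown with dashes on the PXE boot screen and without them on the earlier slide) or by MAC address, entered as twenty zeros followed by the twelve MAC digits. The example normalises both forms to the dashless string an administrator types, reports identifiers that more than one object claims, and returns the first match the way WDS does. The byte order AD stores in the netbootGUID attribute is not reproduced, and the pre-staged objects below are constructed (the one GUID is the value from the slide).

```python
"""Normalise WDS pre-stage identifiers (GUID or padded MAC) and find collisions.

Added example, not from the deck. Works on the typed, dashless string; the
octet-string form AD keeps in netbootGUID is not modelled.
"""
import re

HEX32 = re.compile(r"[0-9A-F]{32}")
MAC_PAD = "0" * 20                      # a MAC is pre-staged as twenty zeros + twelve MAC digits


def normalize_prestage_id(value):
    """Return the 32-hex-digit form of a GUID or a padded MAC; raise on anything else."""
    s = re.sub(r"[{}\-:.\s]", "", value).upper()
    if len(s) == 12:                    # bare MAC address: pad the way the pre-stage dialog expects
        s = MAC_PAD + s
    if not HEX32.fullmatch(s):
        raise ValueError("not a GUID or MAC address: %r" % value)
    return s


def is_mac_based(identifier):
    """True when the object was pre-staged by MAC rather than by the client's GUID."""
    return normalize_prestage_id(identifier).startswith(MAC_PAD)


def find_prestage_conflicts(computers):
    """computers: iterable of (object_name, identifier).

    Returns {identifier: [names]} for every identifier used by more than one object,
    i.e. the duplicate pre-staging the slide warns about (dual admins, a NIC swapped
    into another machine). The first name in each list is the one WDS will use.
    """
    by_id = {}
    for name, ident in computers:
        by_id.setdefault(normalize_prestage_id(ident), []).append(name)
    return {ident: names for ident, names in by_id.items() if len(names) > 1}


def first_match(computers, identifier):
    """Mirror WDS behaviour: the first object found with this identifier is the one used."""
    wanted = normalize_prestage_id(identifier)
    for name, ident in computers:
        if normalize_prestage_id(ident) == wanted:
            return name
    return None


# Constructed pre-staged objects: the GUID from the slide, and a MAC two admins both used.
PRESTAGED = [
    ("LAB-PC01", "564D49219C768546A956C310ED7D2BF6"),
    ("LAB-PC02", "00000000-0000-0000-0000-001122AABBCC"),
    ("LAB-PC02-OLD", "00-11-22-AA-BB-CC"),            # same NIC, pre-staged again under another name
    ("LAB-PC03", "{564D4921-9C76-8546-A956-C310ED7D2BF7}"),
]

if __name__ == "__main__":
    for ident, names in find_prestage_conflicts(PRESTAGED).items():
        print("conflict on %s: %s (WDS will use %s)" % (ident, names, names[0]))
```

Run this over an export of the pre-staged objects before a NIC swap or a second admin's batch of pre-staging, and the collision surfaces before a client boots into the wrong account.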


 Using an older boot.wim
 Architectures and WinPE
 Copype – WinPE
 Creating your own

 Multicast traffic running really slow
 Which version of IGMP is being used? v3 or v2?
 Multiple WDS servers' multicast traffic
 Overlapping multicast IP address ranges
 WDS snap-in -> Properties of Server -> Multicast tab -> change the IP addresses

 Unattend .xml scripts (2)
 XP & 2K3 vs Vista and later
 Unattend.xml does not process settings
 Not named properly
 Not stored in the correct folder

 From the client
 Client receives an IP address
 Discovers a Network Boot Server (NBS)
 Downloads the Network Boot Program (NBP) from the NBS (over TFTP) and executes it
 From the server
 Server's IP address
 Name of an NBP the client may request


MDT & WDS Together
[Diagram: the MDT deployment server builds an MDT WinPE image from the W7 DVD; the WDS server stores the image and the targets download it after an F12 PXE boot]
 MDT can use WDS's F12 (PXE) boot
 MDT can use WDS's multicast feature

 WDS
 Installation
 Configuration
 Known clients vs unknown clients
 PXE booting
 Multiple WDS server selection
 Common issues
 Multicasting
 Automating
 Integrating WDS and MDT
 PXE boot
 Multicast

 Questions or Comments
 Rhonda@DeploymentDr.com
 Please fill out your evaluations!
 WWW.DeploymentDr.Com
 RhondaLayfield@Twitter.com
