Windows Deployment Services: How to configure Legacy or Mixed Mode or Native Mode for legacy image and Windows 7

December 1, 2009

Windows Deployment Services (WDS) running on Windows 2008 provides many of the same features and functions of RIS, Automated Deployment Services, and Windows Server 2003 SP2 combined. Two distinct features of Windows 2008 Windows Deployment Services are that both server and desktop operating systems can be deployed and that images can be deployed using multicast communications. With the release of Windows 7 AIK, MDT 2010, ACT and MAP, Microsoft's deployment services and automation tools are more robust and powerful than their predecessor, RIS.

However, you may be in a situation where you don't want to get rid of your RIS images but still want the benefits of WDS. For this case, there are three different modes of WDS within Windows Server 2003: Legacy, Mixed, and Native. In a mixed mode environment you can use both legacy images and Windows 7 WIM images. If RIS had previously been deployed with existing images, the upgrade took the existing RIS (RIPREP and RISETUP) images and placed them in the Legacy Image folder within the WDS MMC snap-in, and upon the initial launch of the WDS console the administrators were prompted to choose whether the WDS system would run in Legacy or Mixed mode. After a few more simple configurations, existing RIS images would work successfully in the environment. The entire upgrade process can be done on the existing RIS server, or you can re-home RIS onto a new server. In this article, I will show how to run WDS and AIK on Windows Server 2003. I will also show how to upgrade a Windows Server 2003 SP2 RIS server to Windows Server 2008. WDS, AIK and MDT are free to obtain from the Microsoft download centre.

Prerequisite: 

Windows Server 2003 SP1

.NET Framework 2.0

MSXML6

Windows Server 2003 Service Pack 2 or Windows Deployment Services for Windows Server 2003

Windows Server 2008 SP2 (for scenario#2)

Warning: Back up DHCP, the RIS images and the RIS answer files first to make sure you are safe.

Scenario#1: Running WDS on Windows Server 2003 SP1 


You can use Windows Vista AIK to install WDS on Windows Server 2003 SP1. Alternatively, you can install Windows Server 2003 Service Pack 2 on the RIS server, which will automatically install WDS.

Open WDS for the first time using Administrative tools>WDS or WDS legacy. You have the option to choose WDS mixed mode or legacy. Do NOT open WDS legacy, because your intention here is to use mixed mode, so choose Windows Deployment Services.

Once you have finished installing WDS on Windows Server 2003 SP1, follow my previous posting, “How to deploy custom windows 7 using windows deployment services (WDS) 2008”. In that posting I have written in detail how to install and configure WDS, capture a custom Windows 7 image and deploy it. It would be redundant to write it again.

Scenario#2: Upgrading RIS server/WDS mixed mode server from Windows server 2003 to Windows server 2008 

A direct upgrade from a Windows Server 2003 RIS server or WDS legacy/mixed mode to Windows Server 2008 is NOT supported. If you have a working RIS/WDS mixed mode environment with images that need to be maintained, these images can be manually imported into a Windows 2008 WDS server using a capture image and the detailed process below.

1. Deploy the legacy images to a master PC using the legacy RIS server or mixed mode WDS server.

2. Prepare the newly deployed master PC using the Sysprep utility and, as required, the Setup Manager utility to prepare the system for imaging.

3. Boot the master PC that will be captured, using PXE boot.

4. Select the capture image when the list of available images is presented.

5. Follow the capture imaging prompts to create the new custom install image.

6. Repeat step 1 to step 5 to capture all images.

Organise the captured images on the WDS server by setting up an image group and linking the WDS unattended answer file.

Using WDSUTIL Command  

To determine which operating mode the server is currently in, run the command 

WDSUTIL /get-server /show:config 

To change the server mode from Legacy to Mixed, run the command

WDSUTIL /Initialize-Server /RemInst:E:\reminst (consider e:\reminst is the location of RIS folder)

To change the server mode from Mixed to Native, run the command

WDSUTIL /SET-Server /ForceNative

To convert a RIPREP image to .wim format by using WDSUTIL, run the command

WDSUTIL /convert-riprepimage /filepath:<path to RIPREP image .sif file> /destinationimage /filepath:<path and name of .wim image> 

You can use the following options with the above command:

To give the new .wim image a name in the metadata, use /Name:<name>.

To give the new .wim image a description in the metadata, use /Description:<description>.

To convert the original RIPREP image, rather than a copy, use /InPlace.

To determine behavior when the image file specified in /DestinationImage already exists, use /Overwrite:{Yes|No|Append}. Yes will overwrite the .wim file, No will cause an error, and Append will append the new image to the existing .wim file.

To add a WIM file to the server, type the following, where <filepath> is the full path to the new .wim file

WDSUTIL /add-image /imagefile:<filepath> /imagetype:install
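
The conversion and import commands above, combined into one batch file that walks a RIS image tree and stops importing an image whose conversion failed. This is an added example, not from the original post; the image path E:\reminst\Setup\English\Images, the output folder E:\ConvertedWim and the layout of riprep.sif under each image's i386\Templates folder are assumptions to adjust for your server.

```bat
@echo off
rem Added example, not from the original post. Both paths are assumptions.
setlocal EnableDelayedExpansion
set "RIS_IMAGES=E:\reminst\Setup\English\Images"
set "WIM_OUT=E:\ConvertedWim"
set FAILED=0

rem Show the current operating mode before touching any image.
WDSUTIL /Get-Server /Show:Config
if errorlevel 1 (
    echo WDSUTIL could not query the local WDS server. Stopping.
    exit /b 1
)
if not exist "%WIM_OUT%" mkdir "%WIM_OUT%"

rem Find every RIPREP answer file below the RIS image folder.
for /F "delims=" %%F in ('dir /S /B "%RIS_IMAGES%\riprep.sif" 2^>nul') do (
    rem Assumed layout: riprep.sif sits in the image's i386\Templates folder,
    rem so the image folder is two levels above the folder holding the file.
    for %%D in ("%%~dpF..\..") do for %%N in ("%%~fD") do set "NAME=%%~nxN"
    echo Converting !NAME! from %%F
    rem No /InPlace: the original RIPREP image is left untouched.
    rem /Overwrite:No makes WDSUTIL fail rather than replace an existing .wim.
    WDSUTIL /Convert-RiPrepImage /FilePath:"%%F" /DestinationImage /FilePath:"%WIM_OUT%\!NAME!.wim" /Name:"!NAME!" /Overwrite:No
    if errorlevel 1 (
        echo   Conversion failed for !NAME!
        set FAILED=1
    ) else (
        WDSUTIL /Add-Image /ImageFile:"%WIM_OUT%\!NAME!.wim" /ImageType:Install
        if errorlevel 1 (
            echo   Import failed for !NAME!
            set FAILED=1
        )
    )
)
exit /b %FAILED%
```

If the server has more than one image group, add /ImageGroup:<name> to the /Add-Image line.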

Once you have converted WDS to Native mode, you are ready to upgrade Windows Server 2003 to Windows Server 2008. Make sure you have compatible hardware (processor, RAM and disk space) to install Windows Server 2008. Follow the screenshots to upgrade Windows.



How to: auto enrolment in MS certificate server

September 16, 2009

Start menu>run>mmc.exe>ok

File>Add/Remove Snap in>Add>Certificate Authority

Right click on certificate templates>Manage

Right click Computer>Duplicate Template>Type “Machine Cert” on Name

Right click on Machine Cert>Properties

Click on Security Tab>Add domain group>Select added domain group>Check Read and Auto Enrol

All done.


How to install and configure Microsoft Windows SharePoint Services 3.0

September 10, 2009

Microsoft SharePoint Server is an integrated suite for content management and document flow for a business/organisation. It is a simple way of doing better document management. There are a few easy steps to install and configure SharePoint Server.

Step1 Prepare Server

Step2 Download SharePoint Server 3.0

Step3 Install SharePoint Server 3.0


Step4 (optional) Add a CNAME record in your DNS server if you want to browse as FQDN

Step5 (optional) Add WEB listener in ISA server

Step6 Start menu>Administrative tool>SharePoint Central Administration and customise to your needs, such as

Internal email address, SMTP and Proxy setup, Department, Documents, Web layout, Announcement, Add users

Now users are ready to browse or upload their contents. You have to administer, optimize and tune the SharePoint server regularly to fulfil your needs.


How to migrate Windows 2003 Active Directory to Windows 2008 Active Directory: Step by Step guide

August 25, 2009

Microsoft’s new baby in their server family is Windows Server 2008. The Windows Server® 2008 operating system eases the work of IT administrators and enterprise IT planners and designers. Windows 2008 Active Directory got improved roles, AD domain services, federation services, AD rights management services, compliances and BPA. It’s time to shift to Windows 2008 Active Directory. In this article, I will show how to migrate from Windows 2003 AD to Windows 2008 AD.

On the Windows Server 2003 DC, insert the Windows Server 2008 DVD, then open a command prompt and change directory to d:\sources\adprep. Here D:\ is my DVD-ROM drive; in your case use the appropriate drive. Note: you need to log on to the Windows 2003 domain controller as enterprise admin to run these commands.

Now run the following command:

adprep /forestprep

After forestprep finishes, run:

adprep /domainprep

adprep /rodcprep (Optional)

Install Windows 2008 Server and promote it as an additional domain controller in the Windows 2003 forest.

This is a trial version of Windows 2008, so I did not find it necessary to enter a CD key for this article. If you have a proper CD key, you can enter it here.

Windows 2008 will ask you to reset the password the first time. Note: password complexity is enabled by default.

Now you have completed installing the Windows 2008 machine. Log on as an administrator and add the Active Directory role on the Windows 2008 server.

Enter your existing domain name and provide domain admin credentials to add this server to the domain.

A restore password is required in case you need to restore AD.

Now restart the Windows 2008 server. It takes a few minutes to replicate all AD containers, AD objects and DNS records. I would prefer to wait for hours and check that all the records are available in the Windows 2008 Active Directory, or you can force replication of all records if necessary.

Now transfer all the FSMO roles from the Windows 2003 AD domain controller to the Windows 2008 AD domain controller. Log on to the Windows 2003 domain controller as enterprise admin, open a command prompt and type the following:

ntdsutil

roles

connections

connect to server WIN2008SERVERNAME

q

Transfer domain naming master

Transfer PDC

Transfer Schema Master

Transfer RID master

Transfer infrastructure master
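
A check to run after the transfers above and before demoting the old domain controller, as an added example that is not part of the original post. It assumes netdom and dcdiag are available (Windows Support Tools on Server 2003) and reuses WIN2008SERVERNAME as the placeholder for the new DC.

```bat
@echo off
rem Added example, not from the original post.
rem Assumes netdom and dcdiag are installed (Windows Support Tools on Server 2003).
setlocal
set "NEWDC=WIN2008SERVERNAME"
set COUNT=0

rem netdom prints one line per role with the name of its holder.
netdom query fsmo
if errorlevel 1 (
    echo Could not query the FSMO role holders.
    exit /b 1
)

rem Count the lines naming the new DC. This simple match assumes the server
rem name does not also appear inside the domain name or another DC's name.
for /F %%C in ('netdom query fsmo ^| find /I /C "%NEWDC%"') do set COUNT=%%C

if not "%COUNT%"=="5" (
    echo %NEWDC% holds %COUNT% of the 5 FSMO roles. Do not demote the old DC yet.
    exit /b 1
)

rem Let dcdiag confirm that the role holders are known and reachable.
dcdiag /s:%NEWDC% /test:KnowsOfRoleHolders
echo All five FSMO roles are reported on %NEWDC%.
```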

Now you are ready to demote the Windows 2003 domain controller. Log on to the Windows 2003 domain controller as domain admin. Open AD Sites and Services from Administrative Tools, expand Default-First-Site-Name, expand the Windows 2003 domain controller, right click on NTDS Settings and go to Properties. Uncheck Global Catalog and click OK.

Open Run from the Start menu and type dcpromo.

LEAVE THE ABOVE BOX UNCHECKED; this will enable the Windows 2003 domain controller to transfer all of the AD database to the Windows 2008 domain controller.

Click Next, provide the password and follow the next prompts, then wait until the demotion completes. Restart…. That’s all.


How to configure Microsoft Radius Server (IAS) for Macintosh OSX 10.5, Windows 7 and windows XP Pro client

August 17, 2009

Internet Authentication Service (IAS) is the Remote Authentication Dial-in User Service (RADIUS) server in the Windows Server 2003 family. As a RADIUS server, IAS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. As a RADIUS proxy, IAS forwards authentication and accounting messages to other RADIUS servers. A RADIUS client (typically an access server such as a dial-up server, VPN server, or wireless access point) sends user credentials and connection parameter information in the form of a RADIUS message to a RADIUS server. Microsoft RADIUS supports Windows 7, Windows XP SP2 and Mac OSX clients. This article provides an overview of Microsoft RADIUS and PEAP security and describes how RADIUS security is implemented and deployed in IT infrastructure.

Prerequisite : Microsoft Active Directory, DNS, DHCP and Certificate Server, Cisco 1200 series wireless AP, MAC OSX 10.5, Windows XP Pro/Windows 7.

AAA Infrastructure:

Authentication: Microsoft Active Directory, Authorization: Microsoft Radius (IAS), Accounting: Microsoft Radius (IAS)

Security Measures: PEAP and Shared Secret

Encryption: MSCHAPv2 

Configure IAS

Make sure all prerequisites mentioned above are ready and working. Install Windows Server and make it a member of the Microsoft Active Directory domain.

Install a machine certificate, i.e. a computer certificate, on this server.

Click on Add/Remove Snap-in.

Click Add.

Select Certificates, click Add.

Check the Computer account radio button, click Next.

Select Local computer, click Finish.

Right click on Personal, click on Request Certificate and follow the screenshots.

Click Next, then click OK.

Install IAS as follows.

Go to Add/Remove Windows Components, select Internet Authentication Service, click OK.

Open the IAS console from Administrative Tools, right click on IAS as above, click register service in Active Directory.

Add a RADIUS client, enter the Cisco access point name and the IP of the Cisco access point, click Next.

Select RADIUS Standard, provide the shared secret and confirm it, click Finish. The shared secret must be the same as the one you entered on the Cisco wireless access point.

Create a wireless access group in Windows Active Directory and add the desired members to that group.

Go to Administrative Tools on the IAS server, open the IAS console and add a wireless access policy in the RADIUS server.

Right click on the wireless access policy and create a new access policy.

Select as above.

Check Wireless and click Next.

Add the wireless access group from Active Directory by clicking the Add button.

Select PEAP, click on Configure.

Click OK.

Click Finish.

Now go to the properties of the newly created access policy, click Edit Profile, click the Authentication tab and check the EAP methods as follows.

Check the encryption and authentication method. Use MSCHAP v2. Encryption 128 bits.

Configure Wireless access point as shown in the link

http://araihan.wordpress.com/2009/08/02/how-to-configure-cisco-1242-ap-to-get-authentication-from-ms-ias/

Now the infrastructure is ready to authenticate iMac OSX 10.5, Windows 7 and XP via wireless.

Log on to an XP machine using the credentials of a user who is a member of the wireless access group. Go to Run, type mmc and press OK. Follow the steps mentioned above for installing the machine certificate, but this time install a user certificate, i.e. check user account instead of computer account.

Once the user certificate is installed, right click on it, click All Tasks, click Export and follow the screenshots.

Save the certificate on a USB stick.

Configure Mac OSX 10.5

Now open the iMac/MacBook Pro. Go to Utilities, open Keychain, select login, drag the certificate from the USB stick and drop it in the login keychain, then click OK.

Type the password used while exporting the certificate.

Go to System Preferences, open Network, select AirPort, click on Advanced, click on +.

Click on Show All, select the desired Mac wireless SSID and follow the screenshots.

Type the AD user name and password of a user who is a member of the wireless access group, select the certificate and click Add.

Now authenticated as above. All done.

It is not necessary to bind Mac OSX 10.5 to AD to get wireless authentication via RADIUS. PEAP and a certificate will do. Now you can add the user home drive and printers from the print server.

On a Windows XP or Windows 7 machine, log on using the domain credentials of a user who is a member of the wireless access group, and install the user certificate and machine/computer certificate as mentioned above. Turn on wireless, select the SSID and click on Connect; in a few seconds it will be connected.


Move RIS from old server to new

August 14, 2009

Scenario: Consider that the present infrastructure has AD, DNS, DHCP and RIS. DHCP and RIS are installed on an old server. You have bought a new server, and RIS and DHCP need to move to it. This is how you can accomplish your objective. Consider that ServerA will be decommissioned as RIS and ServerB will be commissioned as RIS.

Step1 Backup DHCP

Step2 Copy all RIS images from ServerA (\\ServerA\REMINST\Setup\English\Images) to separate storage

You can use XCOPY Source destination /Y /X /O /E /H /K /C from a command prompt.

Step3 Stop DHCP and RIS services in ServerA

Step4 Install the new server, i.e. ServerB, and patch it up

Step5 Install DHCP on ServerB, restore DHCP from backup and start the DHCP service

Step6 Install RIS from Add/Remove Windows Components and run RIS setup

Step7 Delete *.pnf files from the \\ServerB\REMINST\Setup\Images folder

Step8 Copy all previous images using the XCOPY command to the new server, i.e. the \\ServerB\REMINST\Setup\Images folder

Step9 Restart the RIS service or reboot the new RIS server

You are ready to go.


Setting up NTFS permission in file server/home drive for different active directory group/users

August 3, 2009

Download XCACLS from the Microsoft web site.

Extract XCACLS into the c:\windows folder of your server.

Create a test.cmd file in the c:\Windows folder of your server and type the following in test.cmd:

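@echo off
rem Run from the folder that holds the home folders (D:\Home); each folder is named after its user.
rem Replace the ACL on each home folder, giving Domain Admins Full control.
For /D %%A in (*) do echo y| cacls "D:\Home\%%A" /T /C /G "Domain Admins":F
rem /E edits the existing ACL instead of replacing it: add Change for the Staff group.
For /D %%A in (*) do echo y| cacls "D:\Home\%%A" /T /E /C /G Staff:C
rem Add Change for the user whose account name matches the folder name.
For /D %%A in (*) do echo y| cacls "D:\Home\%%A" /T /E /C /G %%A:C
@echo on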

Here Domain Admins gets full rights, the Staff group gets Change rights and each individual user gets Change rights. Now, from a command prompt, go to the specific folder where you want to apply the permissions.

Type test.cmd

Don’t interrupt it; it will apply permissions to all folders of the home drive. You can modify it for your needs.

