Real Men don't click
Automated Server Setup
by Edwin Thaler <thaler@ee.ethz.ch>

To set up a Windows 2000 environment you need at least one central server to host all the new Windows 2000 services. This server acts as a Root Domain Controller for the Active Directory Service, a Domain Name Server, a DHCP Server, a Remote Installation Server, a License Server and many more.

The goal of our approach is to set up the server in a reproducible way without clicking. We started from scratch by setting up charon, which was going to be the central server of our environment. We found that the best way to approach this bootstrapping problem is to boot the server from the "Windows 2000 Server" CD and have a floppy disk with a file named WINNT.SIF in drive A:. The WINNT.SIF contains all the answers to the questions the Windows 2000 installation would ask.

Booting from CD and performing an unattended installation

  • Before you start with the installation, it is wise to wipe all partitioning information off your disks: boot a Windows 9X floppy and delete all partitions with fdisk. For good measure you can run fdisk /mbr to clean away any foreign boot sectors.
  • In the BIOS setup, choose to boot from CD-Rom first (disable boot from floppy).
  • Create a file named WINNT.SIF, which contains all settings of the new server. The layout and the parameters of this answer file are described in http://www.microsoft.com/technet/win2000/win2ksrv/technote/unattend.asp

    There is also a MS-Word document Microsoft Windows 2000 Guide to Unattended Setup (Unattend.doc) on the W2k Server CD in \SUPPORT\TOOLS\DEPLOY.CAB

    DEPLOY.CAB contains a tool named "Setup Manager" (setupmgr.exe) which makes it easy to create the first raw answer file. But you need a running W2k system to use this tool! Later on, changes can be made with your favorite text editor.

  • Depending on your hardware, an unattended installation takes about 1 hour.

Hints on WINNT.SIF

  • If you want to use the Remote Installation Service on the root domain controller and you have only one disk, then set
    [Data]
     AutoPartition=0
    

    and create a second partition for the Remote Installation Service (RIS) at the beginning of the installation. ("RIS" requires its own partition!)

  • Our server (named charon) has an ASUS P2B-DS motherboard, which is not fully ACPI compliant. Therefore we select a "MPS Multiprocessor PC" without ACPI functions.
    [Unattended]
    ; Asus P2B-DS does not work as "ACPI Multiprocessor PC"
       OemPreinstall=Yes
       ComputerType = "MPS Multiprocessor PC","RETAIL"
    
  • Setup network and computer/domain names:
    [UserData]
       FullName="ISG Delek"
       OrgName=ETHZ
       ComputerName=charon
    
    [Identification]
       JoinDomain=hades
    
    [NetProtocols]
       MS_TCPIP=params.MS_TCPIP
    
    [params.MS_TCPIP]
       DNS=No
       UseDomainNameDevolution=Yes
       DNSSuffixSearchOrder=hades, ee.ethz.ch, ethz.ch
       EnableLMHosts=Yes
       AdapterSections=params.MS_TCPIP.Adapter1
    
    [params.MS_TCPIP.Adapter1]
       SpecificTo=Adapter1
       DHCP=No
       IPAddress=129.132.116.2
       SubnetMask=255.255.255.0
       DNSServerSearchOrder=129.132.116.2
       DefaultGateway=129.132.116.1
       WINS=No
       NetBIOSOptions=1
    
  • We use the "AutoLogon" feature to customize the server after the initial Windows 2000 installation. Warning: WINNT.SIF contains the clear-text password of the administrator account!
    [GuiUnattended]
       AdminPassword=xyz
       AutoLogon=Yes
       AutoLogonCount=1
       OEMSkipRegional=1
       TimeZone=110
       OemSkipWelcome=1
    

    For final customization we make the server run a batch file hosted on a remotely accessible computer (this could be a Windows computer - we prefer Unix with Samba).

    [GuiRunOnce]
       "\\winpack.ee.ethz.ch.\pack\configure\charon\runonce.bat"
    
  • Select all required components for RIS, DHCP, DNS, Terminal Server,...
    [Networking]
       InstallDefaultComponents=No
    
    [NetOptionalComponents]
       DHCPServer=1
       DNS=1
    
    [Components]
       reminst=On
       TSClient=On
       TSEnable=On
       LicenseServer=On
    

Network decisions

As we wanted a simple robust environment which fits our needs, we took the following decisions:

  • We use the "Active Directory Service", but only in its simplest layout: just one root domain organized in "Organisational Units" (one site, no trees, no forest or any other kind of shrubbery (Ni!)).
  • "RIS" ("Remote Installation Service") requires an "AD-integrated" DNS server. But this DNS server is only responsible for the W2k clients. As domain we use our own unregistered top level domain named hades.
  • At the moment we use one switched subnet with an 8-bit host part for all W2k clients. This allows more than 250 clients.

Customisation with the '[GuiRunOnce]' Script

After the basic W2k installation, the administrator is automatically logged in and the script mentioned in the '[GuiRunOnce]' section of WINNT.SIF is executed.

Tasks of the '[GuiRunOnce]' script: (long lines are broken and indented for better readability!)

  • Add registry entries: enpltepa.reg enables plain text passwords (required for Samba)
    Start /wait regedit /s
      \\winpack.ee.ethz.ch.\pack\configure\charon\enpltepa.reg
    
  • Install additional software packages (very important in our environment is the scripting language Perl - most of the administration scripts are written in perl).
    rem Support Tools
    Start /wait msiexec /qb /i
       \\winpack.ee.ethz.ch.\...\support\tools\2000rkst.msi
    rem Resource Kit
    Start /wait msiexec /qb /i
       \\winpack.ee.ethz.ch.\...\reskit2000Srv\w2000rk.msi
    rem Multi language Kit
    Start /wait \\winpack.ee.ethz.ch.\...\multlang\muisetup.exe
       /i 040c 0410 0407 /d 0409 /s
    rem Perl from www.activestate.com
    Start /wait msiexec /qb /i \\winpack.ee.ethz.ch.\...\perl-5.6.0-ds.msi
       TARGETDIR="C:\" PERL_PATH="Yes"
    
  • Set the NTP time server:
    Start /wait net time /setsntp:time.ethz.ch
    
  • Change the drive letter of the CD-Rom to 'R:' and fix references to the previous drive letter in the registry (two small Perl scripts which you can find in the download section).
    C:\Perl\bin\Perl
       \\winpack.ee.ethz.ch.\pack\configure\charon\cdromtor.pl
    C:\Perl\bin\Perl
       \\winpack.ee.ethz.ch.\pack\configure\charon\fixspath.pl
    
  • Activate the "Domain Controller" (and also DNS) with an answer file:
    Start /wait dcpromo
       /answer:\\winpack.ee.ethz.ch.\pack\configure\charon\dcinst.txt
    

    The answer file dcinst.txt contains only the [DCInstall] section

    [DCInstall]
     ReplicaOrNewDomain=Domain
     TreeOrChild=Tree
     CreateOrJoin=Create
     DomainNetBiosName=w2k-hades
     NewDomainDNSNAME=hades
     DNSOnNetwork=No
    

    After this step, a popup will appear asking whether you really want to create a new top-level domain named "hades". Press 'Yes'. Do not reboot after dcpromo; runonce isn't finished yet. (Does anyone know how to get rid of this last dialog?)

  • We want to see the real world all the same, so we add "real" DNS Servers as forwarders for our private W2K server:
    "C:\Program Files\Support Tools\dnscmd"
       . /ResetForwarders 129.132.250.220 129.132.98.12
    
  • Apply Service Pack 1 (with reboot):
    Start /wait
       \\winpack.ee.ethz.ch.\...\i386\update\update.exe -n -q -z
    

    If you use an installation CD with Service Pack 1 applied, you can omit the last step.

The new server is now set up and ready for further customization. You can bring the server back to this state in a reproducible way without too much work. Now it's time for experiments.

Final Customisation ('handmade')

Not all customization can be done by scripts (or we haven't found the way to do it). The following steps must be done by hand for every server you set up.

  • Install additional drivers (the video drivers for Matrox Graphic Adapters are not on the Windows 2000 CD).
  • Final DNS customization (packed in a batch file):
    rem add reverse zone
    "C:\Program Files\Support Tools\dnscmd"
       . /ZoneAdd 116.132.129.in-addr.arpa. /DsPrimary
    rem enable dynamic secure updates
    "C:\Program Files\Support Tools\dnscmd"
       . /Config 116.132.129.in-addr.arpa. /AllowUpdate 2
    rem add PTR record for charon
    "C:\Program Files\Support Tools\dnscmd"
       . /RecordAdd 116.132.129.in-addr.arpa. 2 PTR charon.hades.
    
  • Format additional partitions and upgrade to "Dynamic Disks" if you want to use disk mirroring (charon has two equivalent, mirrored 18 GByte SCSI disks). You find "Disk Management" under "My Computer" -> "Manage". Add mirrors for the partitions of the first disk.
  • Switch the "Domain Controller" mode from mixed to native (we do not want to support old Windows NT systems):

    Active Directory Domains and Trusts -> Properties -> General -> Change Mode

  • Activate license server for Terminal Server:

    Terminal Server Licensing -> Activate Server

    (Yes, you will tell Microsoft that you have a license server running...) Buy and install "Terminal Server Access Licenses".

Appendix: Creating a bootable Windows 2000 CD-Rom with Service Pack applied

With Windows 2000 it is possible to apply a Service Pack to a copy of the i386 tree of the original Windows 2000 CD and then burn a new installation CD-Rom.

Thanks to Pierre Sangouard: it's even possible to add OEM drivers and programs to the modified installation CD.

  • Copy the content of the original Windows 2000 (Professional or Server) CD to a disk of a PC running Windows 2000.
  • Download the newest Service Pack and extract its contents (w2ksp2.exe -x). Apply the Service Pack to the copied distribution in d:\w2k-server-sp2\w2ssel_en:
    cd w2k-sp2
    i386\Update\Update.exe -s:d:\w2k-server-sp2\w2ssel_en
    
  • Move the files to a UNIX system (we burn CDs on Solaris workstations using cdrecord).
  • How to add OEM-drivers:

    Two things are required:

    1. Create a directory structure like this (in w2ssel_en):
      $OEM$\ 
        $1\ 
           Drivers\ 
             Video\ 
               Matrox\ 
                 G4XX\ 
                   (all Matrox driver files)
           MyData\ 
             .....
      i386\ 
        ......
      

      Important: $OEM$ is in the top-level directory of the CD-Rom files (same level as i386, not beneath i386)! All directories and files in $OEM$\$1 are copied to the system-drive during the installation.

    2. A WINNT.SIF-file is required and must contain the following lines in the [Unattended] section:
      [Unattended]
       OemPreinstall=Yes
       DriverSigningPolicy=Ignore
       OemPnPDriversPath="Drivers\Video\Matrox\G4XX"
      

      OemPnPDriversPath may contain a list of paths, separated by ';'. WINNT.SIF may be copied to a floppy (as described earlier) or placed directly in the i386 directory of the CD-Rom files!

  • Extract the boot file from the original Windows 2000 CD (on UNIX/Solaris) with readcd. The boot file is the same on the W2k Professional and Server CD. The boot file starts at block 20 (found with Jörg Schilling's hdump tool).
    readcd dev=4,0 f=boot.bin sectors=20-20
    

    Copy boot.bin to the directory with the W2k-files (w2ssel_en).

  • Create a CD-Rom image with mkisofs and burn it with cdrecord: (long lines are broken for better readability!)
    mkisofs -o w2k-isg.iso -N -d -l -no-iso-translate
            -relaxed-filenames -V W2P_ISG
                -boot-load-seg 0x7c0 -b boot.bin -c boot.cat
                -no-emul-boot w2ssel_en
    
    cdrecord -v -eject dev=4,0  w2k-isg.iso
    
2001-05-15  et  Initial Version
2001-05-31  to  Wording and Spelling update
2001-06-05  et  Description of 'enpltepa.reg' added
2001-07-05  et  How to add OEM drivers
Edwin Thaler  //  2007-03-23  //  Copyright 2001, ETH Zurich