Real Men don't click
Automated Server Setup 2003
by Manuel Oetiker <moetiker@ee.ethz.ch>

To set up a Windows 2003 environment you need at least one central server to host all the new Windows 2003 services. This server acts as a Root Domain Controller for the Active Directory Service, a Domain Name Server, a DHCP Server, a Remote Installation Server, a License Server and more.

The goal of our approach is to set up the server in a reproducible way without clicking. We started from scratch by setting up charun, which was going to be the central server of our environment. We found that the best way to approach this bootstrapping problem is to boot the server from the "Windows 2003 Server" CD and have a floppy disk with a file named WINNT.SIF in drive A:. The WINNT.SIF contains all the answers to the questions the Windows 2003 installation would ask.

Booting from CD and performing an unattended installation

  • Before you start with the installation, it is wise to wipe all partitioning information off your disks: boot a Windows 9X floppy and delete all partitions with fdisk. For good measure you can start fdisk -mbr to clean away any foreign boot-sectors.
  • In the BIOS-Setup, choose to boot from CD-Rom first (disable boot from floppy).
  • There is an MS-Word document Microsoft Windows 2003 Guide to Unattended Setup (Unattend.doc) on the W2k3 Server CD in \SUPPORT\TOOLS\DEPLOY.CAB.

    DEPLOY.CAB contains a tool named "Setup Manager" (setupmgr.exe) which makes it easy to create the first raw answer file. But you need a running W2k3 system to use this tool! Later on, changes can be made with your favorite text editor.

  • Depending on your hardware, an unattended installation takes about 1 hour.

Hints on WINNT.SIF

  • If you want to use the Remote Installation Service on the root domain controller and you have only one disk, then set
    [Data]
      AutoPartition="0"
      MsDosInitiated="0"
      UnattendedInstall="Yes"
    

    and make a second partition for the Remote Installation Service (RIS) at the beginning of the installation. ("RIS" requires its own partition!)

  • [Unattended]
      UnattendMode=FullUnattended
      AutoActivate = Yes
      DriverSigningPolicy = ignore
      OemSkipEula=Yes
      OemPreinstall=Yes
      OemPnPDriversPath="drivers\net;drivers\intelinf;drivers\sound;drivers\video"
      TargetPath=\WINNT
    
  • Setup network and computer/domain names:
    [UserData]
      ProductKey=XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
      FullName="ISG.EE D-ITET"
      OrgName="ETH Zurich"
      ComputerName=charun
    
    [Identification]
       JoinDomain=hades.local
    
    [NetAdapters]
       Adapter1=params.Adapter1
    
    [params.Adapter1]
       INFID=*
    
    [NetClients]
       MS_MSClient=params.MS_MSClient
    
    [NetServices]
       MS_SERVER=params.MS_SERVER
    
    [NetProtocols]
       MS_TCPIP=params.MS_TCPIP
    
    [params.MS_TCPIP]
       DNS=No
       UseDomainNameDevolution=Yes
       DNSSuffixSearchOrder=hades.local, ee.ethz.ch, ethz.ch
       EnableLMHosts=Yes
       AdapterSections=params.MS_TCPIP.Adapter1
    
    [params.MS_TCPIP.Adapter1]
       SpecificTo=Adapter1
       DHCP=No
       IPAddress=129.132.158.2
       SubnetMask=255.255.254.0
       DefaultGateway=129.132.158.1
       DNSServerSearchOrder=129.132.158.2,129.132.250.2
       WINS=No
       NetBIOSOptions=2
       DNSDomain=hades.local
    
  • We use the "AutoLogon" feature to customize the server after the initial Windows 2003 installation. Warning: WINNT.SIF contains the clear-text password of the administrator account! Encrypted admin passwords do not work with AutoLogon.
    [GuiUnattended]
       AdminPassword=xyz
       EncryptedAdminPassword=NO
       AutoLogon=Yes
       AutoLogonCount=1
       OEMSkipRegional=1
       TimeZone=110
       OemSkipWelcome=1
    

    For final customization we make the server run a batch file hosted on a remotely accessible computer (this could be a Windows computer; we prefer Unix with Samba). The Samba share has to be added to the local intranet zone with netz.reg, otherwise the batch file will not start automatically without a warning pop-up.

    [GuiRunOnce]
       Command0="reg /s \\winpack.ee.ethz.ch\pack\configure\charun\netz.reg"
       Command1=\\winpack.ee.ethz.ch\pack\configure\charun\runonce-w2k3.bat
    
  • netz.reg:
     Windows Registry Editor Version 5.00
     
     [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\isgtc]
     "file"=dword:00000001
     
     [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\winpack]
     "file"=dword:00000001
    
  • Select all required components for RIS, DHCP, DNS, Terminal Server,...
    [Networking]
       InstallDefaultComponents=No
    
    [NetOptionalComponents]
       DHCPServer=1
       DNS=1
    
    [Components]
       reminst=On
       TerminalServer=On
       LicenseServer=On
       hypertrm=On
    
    [TerminalServices]
       AllowConnections=10
       PermissionsSetting=0
       LicensingMode = PerUser
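
As an added check (not part of the original page), a small Python linter for the WINNT.SIF pitfalls listed above: it parses the INI-style sections and flags the RIS partition setting, the clear-text password that AutoLogon requires, driver paths without OemPreinstall=Yes, and DriverSigningPolicy=ignore. The sample answer file is constructed to trip every check.

```python
"""Lint a WINNT.SIF answer file for the pitfalls noted above (added example)."""
import configparser
from typing import List

# Constructed sample that trips every check; not a real ETH answer file.
SAMPLE_SIF = r"""
[Data]
AutoPartition="1"
[Unattended]
DriverSigningPolicy = ignore
OemPreinstall=No
OemPnPDriversPath="drivers\net;drivers\video"
[GuiUnattended]
AdminPassword=xyz
EncryptedAdminPassword=NO
AutoLogon=Yes
[Components]
reminst=On
"""


def _get(cfg, section, key):
    """Return a value with the double quotes Setup Manager emits stripped."""
    if cfg.has_option(section, key):
        return cfg.get(section, key).strip().strip('"')
    return ""


def lint_winnt_sif(text: str) -> List[str]:
    """Return one finding per problem; an empty list means the file passes."""
    # INI-style file; split on '=' only so 'C:\...' values survive intact.
    cfg = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cfg.read_string(text)
    findings = []
    # RIS needs its own partition, so Setup must not auto-partition the whole disk.
    if _get(cfg, "Components", "reminst").lower() == "on" and _get(cfg, "Data", "AutoPartition") != "0":
        findings.append('reminst=On but [Data] AutoPartition is not "0"')
    # AutoLogon only works with a clear-text AdminPassword: treat the file as a secret.
    if _get(cfg, "GuiUnattended", "AutoLogon").lower() == "yes":
        if _get(cfg, "GuiUnattended", "EncryptedAdminPassword").upper() != "NO":
            findings.append("AutoLogon=Yes needs EncryptedAdminPassword=NO")
        elif _get(cfg, "GuiUnattended", "AdminPassword"):
            findings.append("clear-text AdminPassword present: restrict access to this file")
    # $OEM$ driver paths are only used when OemPreinstall=Yes; entries are ';'-separated.
    paths = [p for p in _get(cfg, "Unattended", "OemPnPDriversPath").split(";") if p]
    if paths and _get(cfg, "Unattended", "OemPreinstall").lower() != "yes":
        findings.append("OemPnPDriversPath set but OemPreinstall is not Yes")
    if _get(cfg, "Unattended", "DriverSigningPolicy").lower() == "ignore":
        findings.append("DriverSigningPolicy=ignore: unsigned drivers install silently")
    return findings
```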
    

Network decisions

As we wanted a simple robust environment which fits our needs, we took the following decisions:

  • We use the "Active Directory Service", but only in its simplest layout: just one root domain organized in "Organisational Units" (one site, no trees, no forest or any other kind of shrubbery (Ni!)).
  • "RIS" ("Remote Installation Service") requires an "AD-integrated" DNS server. But this DNS server is only responsible for the WinXP clients. As domain we use our own unregistered top level domain named hades.local.
  • At the moment we use one switched /23 subnet for all WinXP clients. This allows more than 500 clients.

Customisation with the '[GuiRunOnce]' Script

After the basic W2k3 installation, the administrator is automatically logged in and the script mentioned in the '[GuiRunOnce]' section of WINNT.SIF is executed.

Tasks of the '[GuiRunOnce]' script: (long lines are broken and indented for better readability!)

  • Install additional software packages (very important in our environment is the scripting language Perl - most of the administration scripts are written in perl).
    rem Support Tools
    Start /wait msiexec /qb /i
       \\winpack.ee.ethz.ch.\...\SUPPORT\TOOLS\SUPTOOLS.MSI
    Start /wait msiexec /qb /i
       \\winpack.ee.ethz.ch.\...\gpmc-1.0.2\gpmc.msi
    Start /wait msiexec /qb /i
       \\winpack.ee.ethz.ch.\...\adminpak-3790\adminpak.msi
    rem Resource Kit
    Start /wait msiexec /qb /i
       \\winpack.ee.ethz.ch.\...\reskit2003Srv\rktools.msi
    rem Perl from www.activestate.com
    Start /wait msiexec /qb /i \\winpack.ee.ethz.ch.\...\perl-5.8.6-mo.msi
       TARGETDIR="C:\" PERL_PATH="Yes"
    
  • Set the NTP time server (swisstime.ethz.ch):
    Start /wait w32tm /config /syncfromflags:manual /manualpeerlist:swisstime.ethz.ch
    Start /wait w32tm /config /update
    
  • Change the drive letter of the CD-Rom to 'R:' and fix references to the previous drive letter in the registry (two small Perl scripts which you can find in the download section).
    C:\Perl\bin\Perl
       \\winpack.ee.ethz.ch.\pack\configure\charun\cdromtor.pl
    C:\Perl\bin\Perl
       \\winpack.ee.ethz.ch.\pack\configure\charun\fixspath.pl
    
  • Activate the "Domain Controller" (and also DNS) with an answer file:
    Start /wait dcpromo
       /answer:\\winpack.ee.ethz.ch.\pack\configure\charun\dcinst.txt
    

    The answer file dcinst.txt contains only the [DCInstall] section:

    [DCInstall]
     ReplicaOrNewDomain=Domain
     TreeOrChild=Tree
     CreateOrJoin=Create
     DomainNetBiosName=w2k3-hades
     NewDomainDNSNAME=hades.local
     DNSOnNetwork=No
    

    After this section, a pop-up asks whether you really want to create a new top-level domain named "hades". Press 'Yes'. Do not reboot after dcpromo; runonce isn't finished yet. (Does anyone know how to get rid of this last dialog?)

  • We want to see the real world all the same, so we add "real" DNS Servers as forwarders for our private W2K3 server:
    "C:\Program Files\Support Tools\dnscmd"
       . /ResetForwarders  129.132.98.12 129.132.250.2
    
  • To automate the generation of the ris image you can use
    risetup /add /check  /auto risetup-winxp-sp2.inf
    

    The answer file risetup-winxp-sp2.inf contains:

    [Version]
    Signature = "$Windows NT$"
    
    [Risetup]
    
    RootDir = "d:\RemoteInstall"
    Source ="\\winpack\pack\src-cd\wxp-sp2"
    
    Directory = "winxp-sp2"
    Description = "Windows XP Prof SP2"
    HelpText = "For English-speaking users."
    Screens = "backup"
    Architecture = "x86"
    Language = "English"
    

The new server is now set up and ready for further customization. You can bring the server back into this state in a reproducible way without too much work. Now it's time for experiments.

Final Customisation ('handmade')

Not all customization can be done by scripts (or we haven't found the way to do it). The following steps must be done by hand for every server you set up.

  • Final DNS customization (packed in a batch file):
    rem add reverse zone
    "C:\Program Files\Support Tools\dnscmd"
       . /ZoneAdd 158.132.129.in-addr.arpa. /DsPrimary
    rem enable dynamic secure updates
    "C:\Program Files\Support Tools\dnscmd"
       . /Config 158.132.129.in-addr.arpa. /AllowUpdate 2
    rem add PTR record for charon
    "C:\Program Files\Support Tools\dnscmd"
       . /RecordAdd 158.132.129.in-addr.arpa. 2 PTR charon.hades.local.
    
  • Format additional partitions and upgrade to "Dynamic Disks" if you want to use disk mirroring (charon has two equivalent, mirrored 18 GByte SCSI disks). You find "Disk Management" under "My Computer" -> "Manage". Add mirrors for the partitions of the first disk.
  • Activate license server for Terminal Server:

    Terminal Server Licensing -> Activate Server

    (Yes, you will tell Microsoft that you have a license server running...) Buy and install "Terminal Server Access Licenses".
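
The batch file above creates a single reverse zone, but the /23 client subnet mentioned under "Network decisions" spans two /24 in-addr.arpa zones. This added Python helper (not from the original page) computes the reverse zones for a prefix and emits the dnscmd lines used above (AD-integrated zone, secure dynamic updates only, PTR records), refusing a PTR whose address lies outside the prefix. The host list is a constructed input.

```python
"""Generate the dnscmd reverse-zone commands for a subnet (added example)."""
import ipaddress
from typing import Dict, List

# Path used in the batch file above; the trailing "." addresses the local DNS server.
DNSCMD = r'"C:\Program Files\Support Tools\dnscmd" .'


def reverse_zones(cidr: str) -> List[str]:
    """Classful /24 in-addr.arpa zones that cover an IPv4 prefix of /24 or shorter."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen > 24:
        raise ValueError("only IPv4 prefixes of /24 or shorter are handled here")
    zones = []
    for sub in net.subnets(new_prefix=24):
        a, b, c, _ = str(sub.network_address).split(".")
        zones.append(f"{c}.{b}.{a}.in-addr.arpa.")
    return zones


def ptr_record(ip: str) -> tuple:
    """Split an address into its /24 reverse zone and the PTR label inside it."""
    a, b, c, d = ip.split(".")
    return f"{c}.{b}.{a}.in-addr.arpa.", d


def dnscmd_reverse_setup(cidr: str, hosts: Dict[str, str]) -> List[str]:
    """Commands: create each zone AD-integrated, allow secure updates only, add PTRs."""
    net = ipaddress.ip_network(cidr, strict=False)
    cmds = []
    for zone in reverse_zones(cidr):
        cmds.append(f"{DNSCMD} /ZoneAdd {zone} /DsPrimary")
        # /AllowUpdate 2 = dynamic updates from authenticated (secure) clients only.
        cmds.append(f"{DNSCMD} /Config {zone} /AllowUpdate 2")
    for ip, fqdn in hosts.items():
        if ipaddress.ip_address(ip) not in net:
            raise ValueError(f"{ip} is outside {net}; its PTR belongs in another zone")
        zone, label = ptr_record(ip)
        cmds.append(f"{DNSCMD} /RecordAdd {zone} {label} PTR {fqdn.rstrip('.')}.")
    return cmds


if __name__ == "__main__":
    # Constructed input: the /23 client subnet and the domain controller's address.
    for line in dnscmd_reverse_setup("129.132.158.0/23", {"129.132.158.2": "charon.hades.local"}):
        print(line)
```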

Appendix: Creating a bootable Windows 2003 CD-Rom with Service Pack applied

With Windows 2003 it is possible to apply a Service Pack to a copy of the i386 tree of the original Windows 2003 CD and then burn a new installation CD-Rom.

Thanks to Pierre Sangouard: it's even possible to add OEM drivers and programs to the modified installation CD.

  • Copy the content of the original Windows 2003 CD to a disk of a PC running Windows 2003.
  • WindowsServer2003-KB889101-SP1-x86-EN.exe /integrate:
    \\winpack.ee.ethz.ch.\pack\...\w2k3-server-sp1\nrmsvol_en
    
  • Move the files to a UNIX system (we burn CDs on Solaris workstations using cdrecord).
  • How to add OEM drivers:

    Two things are required:

    1. Create a directory structure like this (in w2ssel_en):
      $OEM$\ 
        $1\ 
           Drivers\ 
             Video\ 
               Matrox\ 
                 G4XX\ 
                   (all Matrox driver files)
           MyData\ 
             .....
      i386\ 
        ......
      

      Important: $OEM$ is in the top-level directory of the CD-Rom files (same level as i386, not beneath i386)! All directories and files in $OEM$\$1 are copied to the system-drive during the installation.

    2. A WINNT.SIF-file is required and must contain the following lines in the [Unattended] section:
      [Unattended]
       OemPreinstall=Yes
       DriverSigningPolicy=Ignore
       OemPnPDriversPath="Drivers\Video\Matrox\G4XX"
      

      OemPnPDriversPath may contain a list of paths, separated by ';'. WINNT.SIF may be copied to a floppy (as described earlier) or placed directly in the i386 directory of the CD-Rom files!

  • Extract the boot file from the original Windows 2000 CD (on UNIX/Solaris) with readcd. The boot file is the same on the W2k Professional and Server CD. The boot file starts on block 20 (found with Jörg Schilling's hdump tool).
    readcd dev=4,0 f=boot.bin sectors=20-20
    

    Copy boot.bin to the directory with the W2k files (w2ssel_en).

  • Create a CD-Rom image with mkisofs and burn it with cdrecord: (long lines are broken for better readability!)
    mkisofs -o w2k3-isg.iso -N -d -l -no-iso-translate
            -relaxed-filenames -V W2P_ISG
                -boot-load-seg 0x7c0 -b boot.bin -c boot.cat
                -no-emul-boot nrmsvol_en
    
    cdrecord -v -eject dev=4,0  w2k3-isg.iso
    
2005-04-11  mo  Initial Version
2005-06-07  ac  netz.reg
Manuel Oetiker  //  2007-03-23  //  Copyright 2001, ETH Zurich