Help me develop a process for OS deployment

[MrChad]

I work for a small software consulting company (~50 people). We don't have a dedicated IT staff, but almost everyone in the company is technically inclined, and over the years we've managed to set up and maintain the PCs and servers in our three offices. Each office has a W2K3 domain controller (the domains talk to one another), and every employee is issued a laptop (although not all laptops are joined to the domain).

Going forward, we'd like a more uniform OS deployment process. All our laptops are Dells, but different models and hardware revisions. When we get new laptops from Dell, I'd like to have a streamlined process for getting a clean OS install on the machine, joining the machine to the domain and installing all the latest drivers from Dell. I'd also like to install a basic set of applications out of the box. How should I approach this? Any step-by-step guides?

I know that I'll need a basic drive imaging program like TrueImage or Ghost (any recommendations)? I've also started reading up on Sysprep. I apologize for the basic questions, but my background leans more towards software development rather than IT administration. I thought I'd appeal to the experts on this forum.

Thanks for your help!

 

[Seeruk]

Download nlite
Use it to build a DVD that includes all the common apps and drivers, The install is completely silent, no prompts, no cdkeys required, nothing left to configure.... just choose a partition and GO

Then, if there is one laptop that is fairly common (at our place probably 50% are one model and the rest are a mix) install to one and make an image for faster deployment to those with the common model, use the DVD for the rest. In fact the DVD is up for download to users so they can do it themselves with zero Brainpower required if they can burn a DVD

If it really is a huge mess of different hardware and no two models the same, its still a good solution, but you could also look at the remote deployment tools from MS.

The important thing is to revise the build every 6 months or so to include extra security packs and software versions.

 

[imported_Questar]

Altiris Deployment Solution handles the OS and the applications.

 

[ForumMaster]

what Seeruk said: download nlite and do it through that.

 

[ND40oz]

Setup a base image. That means a clean install of XP, configured the way you want it, install the programs you need (office, nero, adobe, ect.) and then configure a default user account. Join it to the domain, add the accounts in to the administrators and power users groups that you want in them and unjoin it from the domain (change back to workgroup). Copy the drivers you need to for all your systems to a folder at the root of c:. Create an unattended install answer file using the Setup Manger tool. (you will need to configure the sysprep.inf file to tell it the location of your driver paths and make any other tweaks you may want) Sysprep the system.

At this point do not allow the system to boot up. Boot to your favorite imaging program (altiris, norton, ect.) I use the ultimate boot cd and then use the 32 bit version of rdeploy (altiris) because it's much faster then running in dos using the 16 bit version. Upload your image to a network share or portable hard drive.

On your new hardware, boot up with your same imaging program and dump the image down. Using rdeploy32 and a usb2 hard drive, you should be able to image a system with a 2 gb image in less then 2 minutes. Allow the system to boot, run through setup (it should use the sysprep.inf answer file, so there should be little input on your part) and then give it to the user.

Once you have a good image, you should be able to deploy a system with your custom image in less then 10 minutes. Don't forget to sysprep a "factory" image before you do a -mini -reseal, so that you can always dump down your factory image and do any updates you may need to do.

More info can be found here.

This is just a quick run through, it is an indepth process and you'll probably need to mess around with your image some before it's the way you want it.

 

[dclive]

Install RIS on your 2003 Server box.
Using RISetup (Start, run, risetup) the wizard will guide you thru copying your XPSP2 CDROM to your server's RIS directory. Modify the RIS folder with an $OEM$ folder with the appropriate drivers, and modify the ristndrd.sif file with the appropriate paths to those drivers. This will take care of the basic OS deployment plus any customized drivers you may have (you'd put them in $OEM$). (To deploy a machine, boot from its' NIC and you'd then be able to select that XP image.)

Using Windows 2003's Group Policy Management Console (grab the latest from MS), set up a GPO to hit all of your PCs. Tell it to deploy your software, and copy the software from your source CDs to a place on the 2003 Server box. Note that this assumes your software is .MSIs - all MS stuff is, and many, many other vendors are as well.) When done, just the act of a new PC booting up and being in your domain and in the right OU will cause all the software to automatically install with no user interaction. Installing new software is effortless.

There are lots and lots of ways to do this, but that's what I prefer. Another path is to eliminate GPOs and instead use RIPREP - first use RIS to build a PC, then put all the software you want onto it, then use RIPREP to blast it back up to the RIS server, and from then on, any machine can PXE boot and get that 'image'.

I see GPOs for software deployment as vastly easier than RIPREP, though, and customizing GPOs/standard RIS with new drivers and software is trivial.

 

[Brazen]

DO NOT USE IMAGES!!!!!!! I can find you information on setting up automated installs and pushing out applications through Active Directory, but do not fall into the imaging nightmare. It's a quick easy solution, but it's dirty. dirty dirty dirty. Start out on the right foot. Use automated OS installs and push your apps out through Group Policy, or even login scripts or something, anything, but don't fall into disk imaging.

Read this.

edit: dclive has good comments above. Personally, I use automated CD installs rather than RIS, but only because of network congestion. If your network can handle it, RIS is just as good as automated CD installs. In fact, it's pretty much the same thing. except one method burns a CD and the other burns bandwidth.

edit: Appdeploy has a list of software applications and how to automate their installs or how to find where they hide the msi. If I can't get an msi, I can usually still use Group Policy by using the Windows Installer Wrapper Wizard to create an msi that starts the automated installation. The site also has articles on tips and such for automating deployments, and http://unattended.sourceforge.net also has a helpful article on command line switches supported by the common installation programs.

 

[Brazen]

Here ya go. This site is the best for how to create automated CDs. Most of the info applies directly to using RIS also, you just put the files and settings in your RIS installation location instead of burning to a cd.

 

[dclive]

I like RIS because it's supported by Microsoft, which, for a company, may be a big deal. It also means there's no confusion over whether you have the latest CD or not...and techs never ask if they can borrow said CD.

AppDeploy has *wonderful* articles and links to MSIs and other great ways to find and create MSIs from vendor-supplied media. It's a really, raelly good site. I like MSFN.ORG as well - great, great stuff.

 

[nweaver]

Originally posted by: Brazen
DO NOT USE IMAGES!!!!!!! I can find you information on setting up automated installs and pushing out applications through Active Directory, but do not fall into the imaging nightmare. It's a quick easy solution, but it's dirty. dirty dirty dirty. Start out on the right foot. Use automated OS installs and push your apps out through Group Policy, or even login scripts or something, anything, but don't fall into disk imaging.

Read this.

edit: dclive has good comments above. Personally, I use automated CD installs rather than RIS, but only because of network congestion. If your network can handle it, RIS is just as good as automated CD installs. In fact, it's pretty much the same thing. except one method burns a CD and the other burns bandwidth.

edit: Appdeploy has a list of software applications and how to automate their installs or how to find where they hide the msi. If I can't get an msi, I can usually still use Group Policy by using the Windows Installer Wrapper Wizard to create an msi that starts the automated installation. The site also has articles on tips and such for automating deployments, and http://unattended.sourceforge.net also has a helpful article on command line switches supported by the common installation programs.

I'm going to beg to differ. I manage a 600+ machine test lab, and we use Altiris Deployment Solution, and it''s so much easier and faster. We change images on machines at the rate of 250ish a week, and 250 CD installs, and updates, and software would be a nightmare, not to mention 3rd party software. I can roll 5 H/W configs, 2 OS's 600 Machines is about 3 hours tops, and most of that is sitting and waiting on the machines to image, run a few scripts (built in functionality right in DS) and install a few RIP packages. I think you would be hard pressed to RIS 600 machines, get all the updates for windows/office/other S/W, install 3rd party software, and make global changes (such as remove from domain, change dns, etc) on 600 machines in under 6 hours with RIS, and that would be working your butt off, not sitting and forum posting while occasonaly glancing at the status on the console.

It will also do bare bones deployment on dell servers, including BIOS and F/W updates (from DOS land), RAID/DRAC/BIOS configuration, and then deploy the image.

Not to say imaging isn't a small feat, it's a handfull, but if you have lots of boxes, it's worth doing right.

 

[Brazen]

5 HW configs with 2 OSes... That means you have a minimum of 10 images to maintain. That doesn't include different software applications that only certain departments use. What happens when you have a software update that applies to every install? You have to re-image 10+ different installations. With RIS+Group Policy, you add the update to the GPO and you're done.

Re-reading your post, I just noticed you change images at 250ish A WEEK!! That's exactly why imaging is such a nightmare! With Group Policy you take whatever changed, and as I said, add it to the GPO and every single computer in the domain, current and future, gets the change. Say you need to add one application to all your installs.... instead of having to make 250 new images, you just add it to ONE place in Group Policy. Deploying configurations through Group Policy may have a bit more learning curve (I didn't think so, but there must be some reason people start out with imaging), but believe me it will save you countless hours in long-term management.

And BTW, if you choose to use automated CDs for this, it's the same, your apps and settings are still pushed out with Group Policy, you just use the same CD no matter what changes, no matter what the hardware config. You only need different CDs for the different OSes.

We have 450 workstations, and I'm still using the same 6 CDs I burned when SP2 came out for XP. And even then, I didn't need to, but I wanted to save the bandwidth. I could have just as easily used our internal Windows Update Server or a GPO to apply SP2 and continue using the same CDs I burned 2 1/2 years ago. In fact, I do still have Windows 2000 cds from years ago for when we do a reinstall on an old machine. I haven't had to do ANY extra work to keep packages updated for it though. It just gets put in the appropriate GPO and it's brought up to our current settings and software packages, this goes for common software packages and software for whatever department/person that machine belongs too.

So instead of making a change 250 times, I make it 1 time and spend the rest of my day posting on AT why Group Policy takes care of all the work.

 

[GeekDrew]

Originally posted by: Brazen
5 HW configs with 2 OSes... That means you have a minimum of 10 images to maintain. That doesn't include different software applications that only certain departments use. What happens when you have a software update that applies to every install? You have to re-image 10+ different installations. With RIS+Group Policy, you add the update to the GPO and you're done.

Re-reading your post, I just noticed you change images at 250ish A WEEK!! That's exactly why imaging is such a nightmare! With Group Policy you take whatever changed, and as I said, add it to the GPO and every single computer in the domain, current and future, gets the change. Say you need to add one application to all your installs.... instead of having to make 250 new images, you just add it to ONE place in Group Policy. Deploying configurations through Group Policy may have a bit more learning curve (I didn't think so, but there must be some reason people start out with imaging), but believe me it will save you countless hours in long-term management.

And BTW, if you choose to use automated CDs for this, it's the same, your apps and settings are still pushed out with Group Policy, you just use the same CD no matter what changes, no matter what the hardware config. You only need different CDs for the different OSes.

We have 450 workstations, and I'm still using the same 6 CDs I burned when SP2 came out for XP. And even then, I didn't need to, but I wanted to save the bandwidth. I could have just as easily used our internal Windows Update Server or a GPO to apply SP2 and continue using the same CDs I burned 2 1/2 years ago. In fact, I do still have Windows 2000 cds from years ago for when we do a reinstall on an old machine. I haven't had to do ANY extra work to keep packages updated for it though. It just gets put in the appropriate GPO and it's brought up to our current settings and software packages, this goes for common software packages and software for whatever department/person that machine belongs too.

So instead of making a change 250 times, I make it 1 time and spend the rest of my day posting on AT why Group Policy takes care of all the work.

I suppose I could have misread him, but I read his post such that he deploys images 250 times per week, not updates.... but I guses that's kindof ambiguous, at least to me.

How long does RIS take to complete its work on one station? Back when I was evaluating using RIS & GPO over ZenImaging for one enterprise, ZenImaging won *hangs down* because of speed. I could issue a reimage command from any admin console, the target PC would immediately reboot and begin imaging, and would be back online (using the new image) in less than 15 minutes. IIRC, RIS was taking upwards of an hour, particularly after we starting throwing in software packages.

 

[Brazen]

Well, I don't throw in software packages to the RIS images (as I've said, group policy for that), but RIS will take longer because it actually goes through the installation routine (the Microsoft designed for the OS to be installed). That is why is works great on any hardware config, because it produces a installation just as if you installed it by hand from a stock XP cd.

I can't tetify much to the speed of RIS though, as I use CDs instead which are going to be much faster, but It's about 20 minutes for the CD to run through, and then about 30 minutes for Group Policy to install software (maybe that is what you meant by throwing software in, although you can also add software to RIS images, which is as bad as any other imaging scheme). To me though, it could take all day, and it wouldn't affect me any. It's all automatic so I can be doing something else anyway.

 

[GeekDrew]

Originally posted by: Brazen
Well, I don't throw in software packages to the RIS images (as I've said, group policy for that), but RIS will take longer because it actually goes through the installation routine (the Microsoft designed for the OS to be installed). That is why is works great on any hardware config, because it produces a installation just as if you installed it by hand from a stock XP cd.

I can't tetify much to the speed of RIS though, as I use CDs instead which are going to be much faster, but It's about 20 minutes for the CD to run through, and then about 30 minutes for Group Policy to install software (maybe that is what you meant by throwing software in, although you can also add software to RIS images, which is as bad as any other imaging scheme). To me though, it could take all day, and it wouldn't affect me any. It's all automatic so I can be doing something else anyway.

It's been a couple of years since I played with it, but I think that I tried both ways -- no software in the RIS image, and the including it in.... I can't remember what I concluded of that, though... I was just pissed off at having wasted so much time.

Well, imaging is all automatic too, as far as deployment goes. You don't have to update images for every small change, you can use a combination of GPO/($your_favorite_distribution_utility_here) with imaging. I maintained an image for each major computer model that we had (we were lucky that we were able to keep the number of models we supported fairly low), and put all of the common software in the image (such as MS Office, development libraries, etc), and then any special software that needed to go to the machines was sent out via ZenApps (which I preferred to GPO, but that's an entirely different argument).

I had to update the images infrequently, because they would automatically be brought up-to-date after the imaging was complete, and the only times I really updated them were when we moved between office versions, or change OS service packs (because I didn't feel like supporting SP2 rolling out via ZenApps). I think I had the best combination of speed and efficiency... there is no "right way" to do this, it all depends on what your particular installation needs.

 

[dclive]

Originally posted by: GeekDrew

Originally posted by: Brazen

How long does RIS take to complete its work on one station? Back when I was evaluating ...
...
image) in less than 15 minutes. IIRC, RIS was taking upwards of an hour, particularly after we starting throwing in software packages.

Agreed. RIS is slow, but it's not as if a tech sits at a PC while it images - he does other things while he images 10 machines or so at once, for example. It's also dead-standard in Win2003, dirt cheap (free), and dead-simple. It's well-known, so anyone can support it with a little studying. In our environment, those things are important. Proprietary (unless it's MS...heh) is a no-no.

 

[GeekDrew]

Originally posted by: dclive
Agreed. RIS is slow, but it's not as if a tech sits at a PC while it images - he does other things while he images 10 machines or so at once, for example. It's also dead-standard in Win2003, dirt cheap (free), and dead-simple. It's well-known, so anyone can support it with a little studying. In our environment, those things are important. Proprietary (unless it's MS...heh) is a no-no.

Oh, I wouldn't question that RIS is best for your environment -- just don't say that it is for everyone's.

 

[dclive]

I don't think anyone can say what they have is best for _everyone_, but for a basic, small environment it works very well. It's also the "Microsoft way", which is easily supportable and easily supported with $250 calls to MS.

 

[tyanni]

Brazen -

Using Landesk in our environment, I've got ONE image which works on our Latitude D600/D610 Laptops and Optiplex GX620/280/260 Desktops. So imaging is not necessarily a bad thing - you just have to spend the time to get the image created correctly.

 

[dclive]

Tyanni -

You're lucky, you have a homogeneous environment.

For those with different disk controllers or, worse, HALs, it becomes quite a bit more difficult to use standard imaging methods.

 

[ND40oz]

Eh, we give the option of choosing one of the 4 hals when the image boots up. We have one XP Pro image that we use accross 10,000 PCs, from P3s all the way to Pentium Ds. If I have to deploy software to a portion or all of those PCs, that's what SMS is for...

As long as you build your image properly, have your driver pathes setup properly in the sysprep.inf file and know what your doing when it comes to choosing the HAL before the box starts running through the minisetup, you'll have no problem using an image.

 

[spikespiegal]

I noticed nobody asked Mr. Chad what type of license he has for Windows in the first place.

Taking an XP image for instance and installing it on the 50 different machines is *illegal* in Microsoft's eyes *unless* you have a open license version of XP in the first place.

 

[Brazen]

The general consensus with people who support imaging seems to be that it is ok because you still use it with Group Policy. But then why use imaging at all? If you are putting some software in Group Policy why not put it ALL in group policy? The only advantage I can see is that it is faster than RIS installs, but as it was said it's not like a tech has to sit at the computer the whole time and you are having to maintain/keep-track-of software and settings in two seperate locations (the images and group policies). With RIS or automated CDs you can pretty much set up the install automation and forget about it, and you don't have problems with hardware changes like you do with imaging.

It just seems to me that you are wasting your time maintaining images, especially if you are already using and familiar with deploying and maintaining software with group policy.

You also have the option of seemlessly using RIS or sneakernetting a CD install if something like PXE or network congestion crops up as a problem.

 

[GeekDrew]

Originally posted by: Brazen
The only advantage I can see is that it is faster than RIS installs, but as it was said it's not like a tech has to sit at the computer the whole time

That's a huge advantage to me. I'm sure that the implementation that I've chiefly been is different than yours by far, but I find it hard to justify that much time offline. The labs I'm referring to are in constant use, and downtime is never good, so workstation speed is of the essence, whereas if it takes a little while longer to make sure that it's done properly from an administrative standpoint, that's ok -- because it doesn't directly affect the end user.

I'm not against RIS in the least bit; I think that it would be ideal in some situations... primarily not those where end user uptime is a remote consideration.

 

[nweaver]

Can you grab groups of computers, drag them to a job with a set of tasks (reimage, run this reg patch, install this software rip) and then walk away? Now that I have everything set up, it's about literally 4 minutes to image from 1-600 machines.

Not to mention, it's a test lab, where we don't always join a domain, or we create a domain and join hundreds of machines to the domain.

speed is the other issue, kicking off 600 machines, I can do it 1 time, specifiing "do X computers every Y minutes" and walk away, and then multicast imaging goes like mad. Can you RIS 600 machines (that's a hell of alot of CD swapping) in 3 hours?

Altiris also throws in management. I have the ability to throw scripts at the machine, no need to do startup/shutdown scripts and wait for someone to log off. I can deploy prebuilt software images, I have remote control functionality, etc.

It also helps that when we do a test, SOP is to download the base image, apply customer S/W, slurp it, back up, then deploy it out with changes (DNS, Domain, etc). Altiris also fixes the computer names, keeps a database of settings (static IP versus dynamic, etc)

as far as licensing goes, we have an MSDN sub for each test lead, so it's legal

 

[Seeruk]

Jeesus H Christ NWeaver, thats a meaty old lab you got there You must work for a software company that actually does test sh1t!!! I was beginning to think they didn't exist any more

A few posts above have highlighted MrChad hasnt provided everything really needed to make a proper recommendation. What licensing, what hardware, what builds, etc, and what he already has in place in terms of domain servers and policies.

More info would yield more accurate responses