Windows Insider

Installation With RIS

In the last of his two-part series on Windows 2000 Server installations, Bill tackles the complexities of Remote Installation Services.

In last month’s column, I covered how to do server installations using unattended setup scripts. It’s possible to simplify the installation process even further using the Remote Installation Services (RIS) feature in Windows 2000. With RIS, you can simply boot a server with no operating system and come back in an hour or so to a machine with a fully installed operating system.

RIS uses the base installation files from the Setup CD to create a file-based “image.” This file-based image has an advantage over sector-based images such as those created by Symantec Ghost and PowerQuest Drive Image because it can accommodate differences in hardware. If you prefer using sector-based images, the latest versions of Ghost and PowerQuest include RIS integration.

In the past, it wasn’t possible to use RIS to install Win2K servers without resorting to a hack of the setup file. Service Pack 3 removed this limitation so that now you can use RIS to install Win2K Server, Win2K Advanced Server and Windows XP. See Knowledge Base articles Q308508, “Unable to Create Windows 2000 Server Image on RIS Server,” and Q304314, “How to Deploy Windows XP Images from Windows 2000 RIS Servers.”

I’m a big fan of RIS but, for some reason, it hasn’t really caught on in a big way. This is partly due to the requirement of having Active Directory, but it’s also because RIS has quite a few moving parts that can be complex to get set up and running. Here are the elements you’ll need to configure RIS.

RIS Server
A RIS server must be a Win2K member server in an AD domain. The domain can be in Mixed or Native mode. The server must have at least two partitions because the RIS image files can’t be placed in the system partition. The RIS partition must be formatted with NTFS and have a minimum of 1GB free space to hold the images files.

Install the Remote Installation Services via Control Panel | Windows Components. This requires a restart. Following the restart, run Risetup to create a file-based image on the server.

RIS Image
The Risetup utility can copy the setup files either directly from the Setup CD or from a folder that’s been slipstreamed with the latest service pack. Do not attempt to slipstream a service pack into an existing RIS image—you will render the image unusable. Instead, create a second image using slipstreamed files.

The initial RIS image created from the installation files is called a “flat” image. A utility called Riprep can be used to layer files from an existing machine onto the flat image. This Riprep image permits you to clone servers onto similar hardware. The Riprep utility can be accessed on a RIS server via a share called Reminst with the UNC path \\<server>\Reminst\ Admin\I386\Riprep.

The original version of Riprep refuses to run on a Win2K server, but a new version is available via links in Knowledge Base article Q313069, “Update for the Riprep Tool.” This new version will image Windows XP, Win2K Server, and Win2K Advanced Server. Microsoft states in the article that it doesn’t support imaging Win2K servers, although the updated Riprep seems to work fine as long as you aren’t running IIS or DHCP. Riprep requires that the RIS server have the proper flat image for the operating system you’re imaging.

Other Riprep limitations include the inability to image encrypted files and a bug in the Winlogon Registry entry that can be fixed using steps in Knowledge Base article Q248257, “Program Installation Problems on Sysprep or Riprep Installed Systems.”

The Setup Script
A RIS image includes a setup script in the form of a Setup Information File (SIF). The default SIF is called Ristndrd.sif. If you create a layered image using Riprep, a new SIF is built that includes instructions for handling the additional files. The SIF file resides in \RemoteInstall\Setup\<language>\ Images\<imagename>\i386\Templates.

The SIF created by Riprep needs very little modification. The only thing you need to do is add the 25-character Product ID. Here’s an example:

[UserData]
FullName = "%USERFIRSTNAME% %USERLASTNAME%"
OrgName = "%ORGNAME%"
ComputerName = %MACHINENAME%
ProductID = "BBBBB-BBBBB-BBBBB-BBBBB-BBBBB"

You can use the SIF to manage the installation of special drivers and handle application setup using entries in the SIF file. You can use Setup Manager to create multiple SIFs for the same image. Each SIF is listed separately in OS Chooser. Assign separate NTFS permissions to the SIF files to control which of them appear in the OS Chooser.

If the server where you install the image has a different mass storage device than the server imaged with Riprep, you’ll run into installation problems. Microsoft’s white paper, “Sysprep Update: Image Maintenance: Reducing the Number of Master Images Required,” (go to http://www.microsoft.com/windows2000/downloads/
servicepacks/sp2/deploytools.asp
and click on the link "NewSysprep documentation") has tips for hacking unattended setup entries but, frankly, it’s easier just to use separate images for each server with a different mass storage device.

Common Store
As you might imagine, putting several file-based images on a RIS server can consume a lot of disk real estate. A special service called the Single Instance Storage (SIS) Groveler paws through the images looking for identical files, as determined by matching file names, hashes and byte comparisons. SIS Groveler then moves the files to a folder called SIS Common Store. In their place it leaves a reparse point a special NTFS structure that points at another NTFS record. You can spot a reparse point from a command prompt by doing a DIR. The file type will be flagged as “junction.”

The SIS Groveler analyzes CPU utilization to determine the best time to snatch CPU cycles so it can do its work. The initial analysis takes a few hours, so don’t expect to see any activity right after you install RIS. You can force SIS to work in the foreground using the GROVCTRL utility. The syntax is grov ctrl /f. Expand the GROVCTRL utility from the I386 folder on the Setup CD.

Configuration
RIS doesn’t use a Microsoft Management Console (MMC). Instead, a RIS server is configured using the Active Directory Users and Computers console. Open the Properties window for the RIS server, select the Remote Install tab, then click Advanced Settings (see Figure 1).

RIS server properties
Figure 1. RIS server properties showing the Advanced Settings window.

The OS Images tab lists the names of the images you’ve installed. Set NTFS permissions on the SIF file so that only members of your deployment group have access. This prevents the accidental or deliberate download of the image.

The Automatic Computer Naming field lets you choose how RIS will name your computers. You can specify a standard prefix followed by an incremental number, such as W2K-S%n or whatever fits your naming structure.

The Client Account Location field specifies the OU where the associated Computer object will be created. This is useful if the OU administrator doesn’t have access rights to the default Computers container.

You can override the automatic naming and Organizational Unit location features using a Custom screen in the Client Installation Wizard described in the next section (see Figure 2 for an example). The Custom screen isn’t displayed by default. Enable it by using the Custom Setup option of the Remote Installation Services Group Policy.

RIS Client Installation Wizard
Figure 2. The custom setup screen in the RIS Client Installation Wizard. (Click image to view larger version.)

Once you’ve configured the RIS server, stop and start the BINLSVC service using the NET command as follows:

net stop binlsvc then net start binlsvc

The Client Side
Now that you have a RIS image, the next step is to configure a client to use the image for an installation. Computers that meet the PC97 standard have an embedded Ethernet controller with a Pre-boot eXecution Environment (PXE) boot ROM that contains bootstrap code designed to find a RIS server with a suitable boot image. PXE is a diskless boot protocol developed jointly by Microsoft and 3COM.

The PXE boot ROM also contains a Globally Unique Identifier (GUID) that tags the machine as a “managed PC.” A GUID is a 128-bit number (16 octets represented in hex, represented by 32 numerals in the user interface) generated using an algorithm that guarantees its uniqueness. AD stores a computer’s GUID as an attribute of the Computer object when the operating system is installed using RIS.

If a machine has a network adapter that meets the PXE requirements but doesn’t have a PXE boot ROM, use the Rbfg (Remote Boot Floppy Generator) utility in \RemoteInstall\Admin\i386. The Rbfg utility places bootstrap information on a floppy along with a file called Risdisk that will boot a PC and initiate a PXE session.

The Adapters button in the Rbfg utility lists the supported adapters. This is purely informational. You don’t need to select a particular adapter. If you have a PCI network adapter that isn’t listed, it may work with PXE if it has a supported Ethernet controller. It’s best to experiment.

The Rbfg utility creates a GUID for a machine using the network adapter’s MAC address padded with leading zeros. If you use the same adapter to do RIS installations on multiple machines, you will get a “duplicate GUID” error. Use the ADSI Editor in the Support Tools to change the RemoteBoot-GUID attribute of the original machine to match the MAC address of its current network adapter.

Negotiation
When the machine boots using PXE, the boot ROM gets an IP address using DHCP. It then plays the digital equivalent of, “Button, button, who’s got the button?” by sending out a modified DHCP Discover packet with its GUID in the payload. The Binary Information Negotiation Layer (BINL) service on a RIS server listens for these special DHCP Discover packets and responds with a DHCP Offer packet that includes a copy of the client’s GUID, but no IP address. In effect, this packet tells the PXE client, “I’m a RIS server that’s heard your broadcast, and I have an image for you to download.”

The PXE client replies with a DHCP Request packet sent directly to the BINL service on UDP port 4011. The BINL service responds with a DHCP Ack packet that contains the name and path of the boot image, Startrom.com.

This dual-headed DHCP process can cause problems when you configure RIS for the first time. In a routed network, an IP helper field in the router contains the IP address of a DHCP server. When the router receives a DHCP Discover packet, it forwards the packet to the DHCP server and then acts as an intermediary between the server and the DHCP client.

If the RIS server is also a DHCP server, this configuration works just fine. The server returns a single DHCP Offer packet with the client’s GUID in the payload and the client handles the rest. If the DHCP server and RIS server are on different machines in the same broadcast segment as the PXE client, the process also proceeds without problems.

If, however, the RIS server and the DHCP server are on different machines that don’t reside in the same broadcast segment as the PXE client, both servers must be included in the IP helper field at the router, and you must verify that both servers get the DHCP Discover packet from the router.

If you have more than one RIS server, don’t install RIS on a DHCP server. A PXE client that gets a standard DHCP Offer that contains its GUID won’t listen for responses from any other RIS servers.

Because BINL is actually a modified DHCP service, it must be authorized in AD. To do this, open the DHCP console, right-click the DHCP icon at the top of the tree, select Manage Authorized Servers, then click Authorize and type the name of the server you want to authorize. If the console can contact the server and get its fully qualified DNS name and IP address, it will place a DHCPClass object in AD that authorizes the server.

Client Installation Wizard
Armed with the name of the RIS server and the path to the boot image, the PXE client now uses Trivial File Transfer Protocol (TFTP) to download Startrom.com and execute it. Startrom.com uses TFTP to get two more files: Ntldr, the Win2K secondary bootstrap loader, and Winnt.sif, the Win2K setup script. It then prompts you to press F12 to begin the Client Installation Wizard (CIW).

If you don’t want to be bothered with pressing F12, replace the standard Startrom.com in \RemoteInstall\ OSChooser\I386 with another file in the same folder called Startrom.n12. Just rename Startrom.com to Startrom.std and Startrom.n12 to Startrom.com.

Windows .NET has additional Startrom images that permit using RIS to install the operating system on a headless server (a machine with no keyboard, mouse or video adapter).

The presence of TFTP on a RIS server introduces a potential security vulnerability. The TFTP service doesn’t authenticate connections, so you can pull a copy of any file in the \Remote Install folder. Don’t put any sensitive files in RIS images, and set Read permissions only for authorized administrators. Also, TFTP permits inbound traffic, making it possible to use a TFTP PUT command to place a hacked version of Startrom.com on the server that could scramble the Master Boot Record, Partition Boot Sector or the BIOS on a PXE client. Set NFTS permissions to block Write or Change.

When you press F12, Startrom downloads the first of a series of HTML files from the RIS server. These HTML files make up the Client Installation Wizard, or CIW. The files have an .osc (OS Chooser) extension and are stored in \RemoteInstall\OS Chooser\.

These OSC files perform a variety of duties. For example, Login.osc obtains the credentials that Startrom uses to authenticate to the BINL service. This authentication uses standard NTLM Challenge-Response, not Kerberos. You must provide credentials with sufficient permission to create a Computer object in the target OU.

OSC files use a subset of HTML 2.0 tags with additions that Microsoft calls OSC Markup Language (OSCML). You can use a text editor to modify the existing OSC files to add instructions to existing screens or to build screens of your own. See the Microsoft white paper, “Technical Guide to Remote Installation Services,” for a complete list of the OSCML variables.

The Choice.osc screen in the CIW lists the images stored at the RIS server using information in the SIF file. When you select an image, the CIW loads the associated SIF file and begins downloading the setup files.

Sit Back and Relax
From this point on, the server chugs away to install the operating system, then downloads any layered files from the Riprep image. You shouldn’t need to intervene except to log on when the installation has finished. RIS will make the entire boot drive into a single partition. You can modify this behavior with entries in the SIF file.

Using a combination of the unattended setups covered last month and the RIS setups covered this month, you should be able to deploy a fleet of servers and still have time to play all the cool electronic games you got for Christmas or even prepare for the Windows .NET certification exams.

comments powered by Disqus

Reader Comments:

Wed, May 16, 2007 kauthar UAE

hello
how can i make the RIS work with Ghost not using bootbale disk or cd

Fri, Mar 9, 2007 Greg Anonymous

I've just noted the issue Simon says - and would love a solution.

Wed, Apr 19, 2006 Anonymous Anonymous

helpful!

Tue, Feb 14, 2006 Joseph Laracuenta New York, NY

I have edited the .sif file and inserted the Windows 2000 Pro Serial Number, however, each time I download the image, the RIS asks me for the serial number even though it is already in the file. Can you shred light on this problem. I would prefer to have the ris process automated and not have to insert the serial number on each and very installation.

Wed, Feb 8, 2006 Anonymous Anonymous

great

Fri, Jan 27, 2006 biju kochi

excellent material , really helpful

Mon, Jan 9, 2006 Anonymous Anonymous

Thu, Nov 24, 2005 Anonymous Anonymous

You can create a network boot disc for MOST NICs using a supplied tool when you install RIS onto your server. The bootdisc will allow a PXE compliant, but not enabled, NIC to boot from the network, IE pull an IP from DHCP, locate the RIS server, and begin the install.

I am currently working at creating multiple images, for various groups of user classes for my company.

RIS is a time consuming endevour, but is well worth it once it's in place and functional.

Useing ghost images and other 3rd party imaging tools is a risky undertaking unless you know that every machine is IDENTICAL, and for me, woking with various dell laptop platforms, ghost is completely useless.

Thu, Nov 24, 2005 Anonymous Anonymous

When using RIS, the hardware limitation applies to images created from a fully installed machine.

Using the other method and creating your image from an install CD reduces the worry about exact hardware.

Just about all the problems with RIS can be overcome with a little initiative. This article is GREAT, it's condensed a 60 page white paper into USEFULL information.

Thu, Oct 20, 2005 Anish india

Wounderfull Article !!

Fri, Oct 14, 2005 Andi Anonymous

Great article!
But I have still a problem with RIS in our company.
Running riprep.exe results in an UNC error. Invald handle.
That means riprep copys all files in the RIS-RemoteInstallation directory, but creating a new directory doesn't work. For example riprep isn't able to create the "Windows" directory, so it creates a "Windows" file, and wants to copy the files in the "Windows" file, which logically doesn't work.
Has anyone a solution?
The funny is, all worked some days ago, no changes have been made.

Mon, Aug 8, 2005 WoLi London

well written and knowledgeable.
Unfortunately I had to go the hard way before finding this article, and find out about the need to add an "ip helper-address" for the RIS server additional to DHCP&AD controllers in an routed environment. Did MS mention this in any place??

Fri, Apr 22, 2005 Anonymous Anonymous

This column answered several questions I had although it didn't mention anything about prestaging computers in AD which really complements RIS.

Fri, Jan 14, 2005 Simon Anonymous

One thing to watch out for is if your taking an image to put it on to different hardware (say a WinXP image with all yoru corporate apps and you have lots of different PCs) you need to take the image from the PC type with the smallest hard drive. It's often useful to have a small drive with you specifically for this purpose.

When you push the image out to other PCs as long as the hard drive is bigger than your original one it'll work, and also make use of all the extra space... but try it the other way around and the process fails..

Sat, Jan 8, 2005 Anonymous Anonymous

great

Sun, Dec 19, 2004 Yousaf Pakistan

can I install RIS image on client but with the existing parition I mean if I dont want to erase my existing parition with RIS installation on Clients

Wed, Dec 15, 2004 Manejer Virgin Islands

RIS works great, if you should need to roll out Service packs then use SUS or slipscreen the original RIS image. It's been the ultimate time killer for me and especially since we have 6 different types of PC's.

Thu, Aug 26, 2004 Al Anonymous

Saved me loads of time.

Thu, May 20, 2004 Michael TN

Excellent! Where are the previous ones?

Wed, May 19, 2004 Benoit Boucher Montreal, Canada

Very good hint, specialy with BINL and IP Helper when servers and workstations are on different subnet.

Thank's

Tue, May 11, 2004 Jo Anonymous

This is a very good overview of RIS - I recommend it for anyone needing to "sell" RIS to management. We used RIS very successfully for our XP deployment and are getting ready to use it for Server 2K3.

Tue, May 4, 2004 Anonymous Anonymous

when i start my ris installation with pxe boot, i can press f12 and authenticate username and password but then it comes with blue screen error sayin " a duplicate ip address has already been assigned" this tends 2 happen if there is more than 1 pc being imaged

Thu, Apr 1, 2004 Anonymous Anonymous

asdasd

Wed, Mar 10, 2004 Anonymous Anonymous

Nice Work!!!

Mon, Feb 23, 2004 Mark Oregon

To speak to John's comment: That limition is only true with RIPREP images where you want to "hand configure" a server or workstation and then "image" the results. A flat RIS installation is fully unattended and is the equivelent of running an install from CD with all the GUI questions answered. A flat RIS install can be customized with REG scripts Perl Scripts or batch files and using this method you can create a variety of server configurations that are hardware independant.

Tue, Jan 20, 2004 Joaci Anonymous

Is it possible to use Ris with network cards without PXE protocol and PXE boot ROM ?

Fri, Nov 7, 2003 Claus Abraham Denmark

Nice article. But what about the problems with servicepacks. It concerns w2k pro and XP pro. When we make a complete installation including all service packs it cannot be uploaded to the RIS server. That can be very annoying and totally destroy the meaning behind RIS. Maybe you could come up with som great solution about these matters.

Thanx

Mon, Sep 1, 2003 Andy London

RIS work great in all sizes of business, what SAN or NAS has to do with it is anyones guess !!!

Wed, May 7, 2003 Anonymous Anonymous

Is it possible to use RIS in one domain while the DHCP server is in a separate domain???

Mon, Apr 14, 2003 Anonymous Anonymous

Cool article

Tue, Apr 8, 2003 bill Anonymous

How to run more then 1 RIS server off 1 dhcp?
Your article stated I need IP helpers.
Should I also look into editing the OSC files to give me a choice of servers to connect, or is the connect all done even before the login.osc?

Fri, Apr 4, 2003 John Anonymous

Ris has its limitations. When creating an image you need to use the smallest hard drive that will be in a system on the network. HALs differ greatly and are over come by using ghost. And you will have issues as service packs are released.

Thu, Mar 27, 2003 J. earth

In a large scale environment connected to a SAN or NAS such a ours, the RIS is useless... sorry.

Wed, Mar 5, 2003 GW Anonymous

I'm new to this site. Where can I find the 1st of Bill's two part series?

Sun, Feb 23, 2003 Anonymous Anonymous

excellent

Wed, Feb 5, 2003 Scott NM

RIS works great and saves our organization a ton of time. To answer Craig's question, RIS only works with a PXE boot or a disk made with the Rbfg (Remote Boot Floppy Generator) utility in \RemoteInstall\Admin\i386. It won't work with other network boot disks

Wed, Feb 5, 2003 Anonymous Anonymous

What a concept!

Mon, Feb 3, 2003 Tim Pratt Coron, CA

Excellent! I use RIS and have not had any problems, but this answered several questions and provided me with some ideas to try to enhance it further.

Fri, Jan 31, 2003 Anonymous Anonymous

You hear about the client side of remote instalation. It was nice to hear about it from the server side, with screen shots.

Thu, Jan 30, 2003 David Baldwin Akron, OH

This article was amazing! While it talks about RIS from mostly server installation perspective, it also takes all of the information we spent a year sifting and waiting for and puts it together in one space. I couldn't think of one thing that we had to do that wasn't mentioned in this article. The only warning I had that he didn't cover was that the GUID is stored in a re-parsed format in AD and even in the Computer Account properties shows up in this reverse-like format. It can make it hard to trouleshoot if your RIS server only answers to known client like ours has to. Good job! Thanks. DB.

Mon, Jan 27, 2003 Craig Hamilton NZ

If your network card doesn't have a PXE boot-rom, but you can load network drivers using Bart's boot disk as described in your last month column, can you do a RIS boot using this disc?

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Comment:
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.