The best ZTI plan


I was wondering which technique of ZTI (Zero Touch Installation) each one of you is using. I mean from A to Z, from taking the PC out of the box to the user entering his account and password.

The thing that I wanted to do is get a simpler method than the one we are using for now. This is my method: putting the PCs on the shelf, connecting VGA, mouse, keyboard and network cable. Creating Ghost sessions for the number of PCs to ghost. Booting from a Ghost CD (8.2). After that, installation of Windows through Ghost, and after that sysprep with integration into the domain. When the PC is done, it's ready for delivery to the client. With the installation, the SMS 2003 client is installed. When this is all done, I'm putting on all the necessary software with SMS 2003.

I just know that there is a simplified version of mine but can someone show me the way. Could be more than one method.



First of all, get rid of ghost. Every noob administrator out there uses ghost to deploy windows. Any administrator worth their paycheck will do a scripted (unattend.txt/winnt.sif) installation. Unattended installations get rid of HAL and SID issues that are inherent in ghosted (image) based installations. In addition, unattended installations are much easier to keep updated (hotfixes slipstreamed, adobe reader updated, etc).

My installations go as follows: Unpack PC; Configure CMOS; Insert floppy disk (yes - my PC's must have a $4 floppy drive) with customized winnt.sif; boot from build CDROM.

- Wait 50 minutes - (get lunch, have a smoke, or do like I'm doing now and read msfn)

When I get back the PC is ready for the user. I help them log in and restore any data the first time. Setup custom printers and network drives unique to them. Then, in a week - I yank their admin rights, 70% of the time, they never even realize it.

That's it.


First of all, get rid of ghost. Every noob administrator out there uses ghost to deploy windows. Any administrator worth their paycheck will do a scripted (unattend.txt/winnt.sif) installation.

Wow. I don't think you know what you're saying. TONS, and I mean TONS of HUGE enterprises routinely use ghost (or other imaging method) for deploying most PCs - it's more or less the de facto standard out there. Were you working in the field, you'd know people are far too overworked to use only scripted installs. Every admin ALSO uses scripted installs - to generate the basic images, that is. No one in this field has time to wait after windows and apps installing slowly (easily takes an hour), when ghosting the average business machine takes about 3 minutes on the average PC.

HAL is hardly ever an issue, and it can be replaced if necessary (but most people just create one image per batch of similar PCs, so it's irrelevant). SID is a TOTAL non-issue, just use sysprep like everybody else (or newsid or whatever if you prefer).

In addition, unattended installations are much easier to keep updated (hotfixes slipstreamed, adobe reader updated, etc).

Hardly! It's every bit as easy making updated images every once in a while. And most places don't use either method as primary patch management/deployment. Updates and apps are most often pushed via SMS, WSUS or such (process checking updates at logon, etc).

Imaging can be done at a client's desk while he goes for some java if necessary - it'll be up and running by the time he's back. Reinstalling would require taking his PC away (and him either not having one which is totally unacceptable, or issuing them a temp one meanwhile - paperwork to fill and administrative stuff like updating asset database, stuff to move around, all kinds of wires to plug/unplug in tight spaces behind desks, etc etc), to then spend an hour to reinstall it (to end up with essentially the same end result), to have to swap it back again - more time wasted, more disturbing the person who's trying to do their job (You mind closing outlook and everything else you're busy with? We've got to swap your PC again!) or even staying late to do it... If you've got a bunch to do, then you can just multicast the thing (hundreds of PCs at a time if you want).

No need for those $15 obsolete floppy drives in every single machine either (none of our new machines have any, and we don't want 'em either)

Every noob administrator out there blindly uses unattended installs [that take forever and often are highly unpractical] only to deploy windows, without considering other alternatives used everyday by ~95% of the industry.

I've never seen a place like that where the average user will be given local admin rights either, which is totally unnecessary (more like problematic)

Kingskawn: That's what pretty much everybody else out there does too, unless they work in some tiny shop and are so underworked that they have tons of time to waste. Well, there's also a fair amount of places using RIS, but that's also imaging based. And about Vista? Yep. Deployment or even manual/"normal installing" is imaging-based too. Imaging is widely used, is proven and just works. There's a place for unattended installs, but it's not for massive or quick deployments for sure.


I don't know, I agree with Nois3. Disk Imaging to deploy on multiple platforms is not the best path. True there are ways around it, some scripting or possibly another third-party application/extension, but unattended is free and much more universal in the end.

I use PXE to boot RIS which handles the XP setup routine which connects to the domain which runs GPO's to deploy and configure applications. The users have roaming profiles and folder redirection, so no data is saved on a client.

With RIS\Unattended you can sit down at a client and reload the sucker in about 20-30 minutes with nothing more than booting from PXE. And this is with custom naming too, since RIS handles that, and much better than any other auto-naming solution I've used. And with RIS and Unattended you don't have to invest anything other than time if you already have a 2000 or 2003 server.

As you mention the HAL issue can either be fixed or you can make various versions for each group of computers that is slightly different. That will eventually result in chaos with all the different versions. With Unattended you can bypass most of that and only have to deal with one image. Of course this depends on how crafty you are.

Sysprep is a direct branch of Unattended too, and as you note it's necessary to run to deal with the SID issue of images.

I do agree that applications need to be handled via some central point, like GPO or SMS. I typically deploy a very baseline system and use GPO's to handle the rest. I'm in the works of converting all my regtweaks into GPO's so I can eliminate most custom material from the install source.

Edited by InTheWayBoy

I hated disk imaging before... static and not so generic when dealing with loads of different machines, especially when it comes to HAL things... of course, Vista will remedy that for us! Anyway, to answer ur question:

ZTI comes from the BDD concept, however, running RIS/GHOST does NOT qualify for ZTI, those are included with the LT (light touch) concept I think, and don't shout @ me, this is MS! :)

I use the following things:

1. I build my WinXP SP2 / Win2003 SP1 images using BDD 2.5 which results in a .wim image which I then can use in any way... more or less a sysprepped image. Of course those are HAL dependent.

2. Once here, I have a WinPE 2.0 image which I have built into a .msi module which I can deploy through my distribution mechanism, which is NOT SMS but a "home built thingy". I install the .msi on the desired client(s), the module will replace boot loader files and place the WinPE .wim file on the hard drive of the client, reboot the machine, run WMI scripts that determine the HAL of the machine, parse it into an image file name, fetch it from a UNC path and then apply that image using imagex.exe

3. Nice part for me is that I can do it from my admin console, which does not require me to walk over to the machines and press F12.

4. Downside, this can only be done on already installed and manageable machines, bare metal installation still has to be done using RIS/WDS which is also the case when it comes to the MS concept using SMS 2003.

Looking forward to BDD 2007 / WinPE 2.0 / WDS and Vista...


Thanks to you guys for the quick responses :thumbup but I've got some clarification to do.

I've got around 200 servers (all Win2003). These servers are from several enterprises. But all are part of a big VPN. So there are enterprises who've got 34MB lines and others who've got 2MB lines.

My goal in the future (with WinXP clients, no Vista yet) is to install WinXP on 10 or 100 clients after production time (at night).

So I'm looking for a good and reliable system to do this. I'm using the ghost solution for about 40% of the method used today. I can't say that it doesn't work but when I read things on msfn I can see that there is another simpler world beyond ghost :D

Every single enterprise has its policies about the use of a PC and I'm dealing with a WinXP OS that has to be in Dutch for one, French for another and German for another in the future. The general WinXP must be English for most of them.

I hope you see clear now in the thing I'm now :whistle:


Then, my question is: Do you have to be able to remotely launch the actual reinstall of the clients or is it more important to be able to deploy the installation method? For example, is it oki to have the end users boot their machines and then press F12?

If u must be able to deploy machines without being physically at the machine, then I guess ZTI/SMS 2003 with OSD! If this is not a criteria, then the easiest way to do it is to write a little .vbs which will do it for you (outlined below):

1. The script will have to execute the sysocmgr.exe which can be used to install or to uninstall native Win2003 components, for example the RIS component in Win2003. U specify the sysocmgr.exe to point to a .inf file which contains the component to install, for example:

[Components]
reminst = On

2. Once u have done this, the machine will have the RIS component installed. Now it is time to configure the server components, which is easiest done via running rissetup.exe /u <answer file> if I remember correctly. At this time, the script can also do several other configuration parameters to be used within the RIS deployment.

3. I also suggest that u will only install and configure the RIS component, each image to be added, is a simple copy sequence which is preferable through .msi rather than .vbs.

The nice part of this approach is that since it is a native Windows component, u don't have to download and transfer whole image(s) each time a client needs to be reinstalled, rather, just send the "small" .vbs script over the WAN and the script can access its own source file local to the machine and begin the installation from there..... saves bandwidth! And no licenses to Symantec for each ghost, just utilize the things that u have already paid for with the Win2003 license....

For the language question of the OS, could u not use MUI's? have one base OS installed on all clients (English) and apply the correct MUI for that language to the specific criteria? such as domain, OU, naming convention or something else? this would work out for Office as well..

Maybe?


Then, my question is: Do you have to be able to remotely launch the actual reinstall of the clients or is it more important to be able to deploy the installation method? For example, is it oki to have the end users boot their machines and then press F12?

If u must be able to deploy machines without being physically at the machine, then I guess ZTI/SMS 2003 with OSD! If this is not a criteria, then the easiest way to do it is to write a little .vbs which will do it for you (outlined below):

To answer your question, we consider the client being a total noob (almost a zombie) that can't do anything. Yes it exists :P So we have to do everything for them. Meaning also that we must not be (or not much) in front of the pc.


To answer your question, we consider the client being a total noob (almost a zombie) that can't do anything. Yes it exists :P So we have to do everything for them. Meaning also that we must not be (or not much) in front of the pc.

I already like ur end users more and more.... they remind me of mine! ;)

My guess is that u have to develop something that corresponds to a home built SMS 2003 OSD kind of thing like we have done, or buy MS 2003 OSD and SMS with all the bells and whistles!!! U might go bankrupt while ur at it but it works smoothly... F12 does not meet the requirement, as u need to manually press F12. However, SMS 2003 with OSD does not meet this requirement either until the first time the PC has obtained a SMS agent... then it can be managed and reinstalled remotely! Ghost, dunno much about it but I don't think u can do it unattended unless wrapped in tons of .vbs and an intermediate boot OS such as WinPE or BartPE! And if u r already into building that, then u don't need to worry about SMS, but then ur on ur way to building a simple OSD! :}


Crahak,

You're right about the number of administrators using image based deployment. The reason isn't because it's better, it's because it's easy. And yes, I know what I'm talking about. I've managed the deployment of literally tens of thousands of PC's. I've been administrating computers since 1990 for a Fortune 100 company. I know corporate deployment.

I've used ghost for deployment in the past. I don't hate the product, I hate the way it's used by inexperienced admins. And I've seen many many bad admins in charge of major operations. Always the same "fanboy" attitude towards Ghost. They never listen to my arguments and reasoning not to use it. They don't want to hear it. They don't want to learn how to script.

The ONLY way to properly use Ghost for deployment is to image the reference disk immediately after the text mode portion of setup, before the hardware detection begins. Indeed, this is the only way Microsoft will "officially" support ghosted PC's. (reference)

And don't insult me saying HALS and SIDS aren't an issue, they are very much at issue. Sysprep-like tools only reset SIDS they are programmed to know about. Many programs use SIDS and GUIDS. If these programs are pre-installed in the ghosted image, there will be problems. Usually weird, hard to qualify problems that people don't trace back to the ghosted installation. In addition, most people don't realize that shortcuts (.lnk) created on a ghosted PC will try to contact the original ghosted PC. (reference) And yes, this is an issue in XP, and not just for broken links. It results in unnecessary network traffic and slow-to-launch shortcuts.

But I've argued these points ad nauseam here in these forums. I try to tell aspiring admins about the hazards of using ghost. Always someone comes and argues the point. Frankly, I'm tired of the idiocy I see in most windows administrators.


It sounds like you need to implement a mix of RIS and DFS. RIS will handle the installs and deployment of the OS, and DFS will ensure that all of your servers have the same images. I've actually never done this so I can't give any pointers. I know with DFS you can regulate when it syncs files, so you could configure it to only do that after-hours like you want. And your zombie clients would just need to know how to hit the F12 key. They will need to login, but you could make a generic account that only has permissions to run RIS.

The ZTI is a myth in my opinion...unless you are willing to shell out tons of money for a proprietary system. I think you'll have better long term success with what I am suggesting. And don't forget, RIS can handle the servers too!


The ZTI is a myth in my opinion...unless you are willing to shell out tons of money for a proprietary system. I think you'll have better long term success with what I am suggesting. And don't forget, RIS can handle the servers too!

Agree, unless u do ur own version of it.... just a question, the RIS and DFS solutions, does that work out well with SIS (Single Instance Storage)? I have never tried it and maybe u can shed some light on it?


See, that's the one thing that worries me. I know it's possible, I believe I've seen whitepapers/tutorials on the net about it. But if anything would complicate it, SIS would be it. As I mentioned I have never done it myself, so I can't personally comment on it. I'll try and dig up some info on it later.


I personally also vote for scripted RIS / WDS deployments, rather than disk imaging. As a previous poster said, imaging is definitely not better, but it is easier up front. But what happens if you need to add an application to your image? Or it starts failing to work on a new hardware platform? Or you find an error or security issue with it down the road? You have to basically start all over again when using most imaging software.

RIS (now WDS with Vista - yay!) and ADS make client and server deployment easier and more configurable in the long run, but they are definitely harder to learn and get set up properly the first time for most new users - it is worth it though. Besides, those of us with ZTI RIS installs (yes, it is possible, and quite good when done) will have an easier time getting Vista deployed, as most RIS scripting works just fine in Vista, either flat or WIM files via ximage :).

For the language question of the OS, could u not use MUI's? have one base OS installed on all clients (English) and apply the correct MUI for that language to the specific criteria? such as domain, OU, naming convention or something else? this would work out for Office as well..

Br4tt3 (and everyone else), note that Vista and Longhorn are language-neutral. Meaning that even English is technically a MUI, making this a moot point in the near future. All code is language neutral, meaning a true 1-image solution for all languages. Just specify the language in the answer file, and voilà! - a localized version of Vista in any available language from a single flat-file or WIM image... :)


Everyone seems to think I said imaging is a better way to install or something. What I said is basically: imaging is good enough (and no, we've NEVER had HAL/SID issues - not even once). But mainly, life's too short to wait after unattended installs that easily take over an hour (vs like 3 minutes with ghosting) -- unless you have the luxury of endless spare time. It's not easier by any means. It's just much *FASTER* - that's all.
