Thursday, March 24, 2011

Getting Windows Deployment Services running

There are some good resources out there for Windows Deployment Services (WDS), such as the following: (obligatory manual reference)
Dan Stolts blog
Tom and Jason include some nitty-gritty details on their blog (obligatory google reference)

Basically, I'm trying to set up the following:

WDS service on a non-DHCP server in an AD environment, with DHCP running on the AD domain controllers only.
I should note that the WDS server is 2008 R2 Standard, and the AD DCs are 2008 R2 and 2003.

DHCP scope option settings:
66 - <ip of WDS server>
67 - boot\x86\

I'm also setting this up so that unknown devices need admin approval in AD (pending device approval in WDS), and the problem I've run into is the following:

An error occurred while trying to create the machine account for the following  device:

 Name: install01
 OU: CN=Computers,DC=<company_name>,DC=local
 MAC Address: 00000000000000000000BC305B9C1C03
 GUID: 44454C4C560010348039B8C04F435031

 Error Information: 0x5
-----------end snip-----------

This also shows up in the Application log with task category BINLSVC and event ID 524 (a google search for "microsoft wds error 524" has details).

The solution to this is on the following TechNet page, and is quoted below:

Per Microsoft's TechNet page:

Ensure that the server has the necessary permissions

To perform this procedure, you must either be a member of the local Domain Admins group or have been delegated the appropriate authority.
To grant permissions:
  1. In Active Directory Users and Computers, locate the organizational unit that you are creating machine accounts in. The organizational unit is specified in the server properties for the Windows Deployment Services server.
  2. To view the organizational unit information, open the Windows Deployment Services MMC snap-in, right-click the server name, click Properties, and then click the Directory Services tab.
  3. Right-click the organizational unit, and then click Delegate Control to grant the Windows Deployment Services server Full permission to create and edit accounts.
Note: The computer that caused this issue is specified in the event message string. To view this information, open Event Viewer, expand Custom Views, expand Server Roles, click Windows Deployment Services, and then locate BINLSVC event 524 or 525.

In my case, I opened AD Users and Computers, selected the OU where I wanted the installed systems to show up, right-clicked and selected "Delegate Control", then had to do the following:

  1. Change "Object Types..." to Computers.
  2. Enter the beginning of the WDS server's computer name and click "Check Names".
  3. Verify the computer name and click Next.
  4. Select "Create a custom task to delegate" and click Next.
  5. Select "Only the following objects in the folder:".
  6. Check the "Computer objects" box.
  7. Check "Create selected objects in this folder".
  8. Leave "Delete selected objects in this folder" UNchecked.
  9. Click Next.
  10. Check "Full Control" and click Next.
  11. Click Finish.

At this point, you'll be able to name devices in the "Pending Devices" tab of the WDS role when you approve them, without that annoying error.
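The same delegation can be scripted rather than clicked through, which also makes it easy to re-audit later. This is an added example, not code from the original post or from Microsoft; it assumes the RSAT ActiveDirectory module, a placeholder WDS server account name (WDS01) and a placeholder OU path, and it grants only what the wizard steps above grant: create rights for computer objects in the OU plus full control over the computer objects beneath it, with no delete right on the OU.

```powershell
# Added example: delegate WDS machine-account creation to the WDS server's
# own computer account. Server name and OU below are placeholders, not
# values from the original post.
Import-Module ActiveDirectory

$WdsServerName = 'WDS01'                                         # assumed WDS server name
$TargetOu      = 'OU=Deployed Workstations,DC=example,DC=local'  # assumed OU (the one on the WDS Directory Services tab)

# Well-known schemaIDGUID of the "computer" class; restricts the ACEs to computer objects.
$ComputerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# Resolve the WDS server's computer account (the WDS01$ principal) to a SID.
$wdsAccount = Get-ADComputer -Identity $WdsServerName
$wdsSid     = [System.Security.Principal.SecurityIdentifier]$wdsAccount.SID

$acl = Get-Acl -Path "AD:\$TargetOu"

# ACE 1: "Create selected objects in this folder", Computer objects only.
# Scoped to this OU (inheritance None) and to the computer class, so the
# account cannot create users, groups or anything else here.
$createComputers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $wdsSid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ComputerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)

# ACE 2: "Full Control" over computer objects beneath the OU, so WDS can
# name and edit the accounts it creates. Applies to descendant computer
# objects only; there is deliberately no DeleteChild on the OU itself,
# matching the wizard step that leaves "Delete selected objects" unchecked.
$fullOnComputers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $wdsSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $ComputerClassGuid
)

$acl.AddAccessRule($createComputers)
$acl.AddAccessRule($fullOnComputers)
Set-Acl -Path "AD:\$TargetOu" -AclObject $acl

# Read back only the ACEs held by the WDS account, so the grant can be
# reviewed now and re-checked later without wading through the whole OU ACL.
(Get-Acl -Path "AD:\$TargetOu").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$WdsServerName`$" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

Run it as an account that already has the right to modify the OU's permissions; the read-back at the end should list exactly the two ACEs and nothing broader.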

The beauty of this is that once you have the server set up and the OSes configured for an install, you can literally just plug the computer in at its location, PXE boot it, install the OS and pull in the user data in one fell swoop. Also, you can use this system to manage server images as well as desktop images. While there are other ways of installing systems, especially in a VM environment (templates, ghost images, etc.), the advantage this holds is that you can install both virtual and physical systems from this one server, and be sure that you have the same config on all your systems. See Chapter 3 of "The Practice of Systems and Network Administration, 2nd Edition" for more wise counsel related to systems configuration and automated installation.
