
WDS Authentication for Boot Images

4 replies to this topic

#1
mrbeatnik


    Newbie

  • Member
  • 33 posts
  • Joined 06-April 09
Hi again all...

I know this may not be the exact forum for this... it's a WDS question.
I'd appreciate if it could be moved to the correct forum if wrong.


We used to use RIS.
- When we PXE to RIS, we would get a screen to authenticate the user.
- Depending on the user, different screens would appear (Maintenance & Troubleshooting etc).

WDS seems to be very different in this respect.
- The BOOT IMAGES have no authentication.


We would like to PXE to WDS, and only show certain BOOT IMAGES depending on the user.
We may have ~10 active boot images for development work, but only one production boot image that everyone else should use. Unfortunately everyone sees all boot images and may select the incorrect one.


Does anyone know why the (initial) authentication was removed?
I preferred the RIS method to authenticate first, and then have various choices.

Any ideas?
Thanks.



#2
Tripredacus


    K-Mart-ian Legend

  • Super Moderator
  • 9,837 posts
  • Joined 28-April 06
  • OS:Server 2012

Donator

I am thinking that your best option would be to pre-qualify the clients into WDS/Active Directory. Then create a deployment exception (rule) that makes those said computers use a different boot rom than the default.

wdsutil.exe /set-device /Device:SERVER01 /BootProgram:Boot\x86\pxeboot.n12

See:

http://blogs.artinso...05/16/1442.aspx

So, create a rule for your pre-qualified clients to receive the x86 boot file, and only use 1 x86 Boot Image. Then set your default boot image to x64, and only use 1 x64 boot image. The x64 could be used by developers and should be able to deploy x86 images. However, if you have more clients than developers, you may want to pre-qualify the dev computers instead. If you are running any asset management environments (such as Altiris Notification Server) you could probably script it to pre-qualify them automatically, presuming you can set up the appropriate container. Otherwise you'd have to enter this information manually.

If this seems confusing, let me know exactly how your WDS is laid out. I, for example, have 2 Boot Images and 7 Install Images.

You have an additional option as well, if there is only 1 client "system image", aka a captured and sysprepped image, you could pre-qualify your client machines to boot into a standard WinPE, and then script it appropriately to deploy the image. That way the client would not have any option to do a selection.

As far as "no authentication" goes, this is incorrect. Although, this does depend on where you are getting these boot images from. A standard Win PE does not, this is correct, but the boot.wim from a Vista disc does.

Let me know your thoughts about this.
MSFN RULES | GimageX HTA for PE 3-5 | lol probloms

#3
mrbeatnik

Working in an educational environment, we don't want students to be able to PXE and start an image.
We have various scripts after mini setup to install certain items over the network depending on lab (machine name).

Authentication is required to stop students from doing this to a computer and perhaps interrupting classes etc.
Authentication at the very beginning of a sequence makes sense... we can lock down the WIMs which will ask for authentication later on through the sequence... it would be much better (IMO) if auth was asked for at the beginning...

It's not a huge problem, just a little untidy IMO.
Wasn't sure if there is something I was missing when comparing to RIS, which does do what I want. Shame they simply removed the initial auth.

#4
Tripredacus


OK, this would be what I recommend. By default your PXE option should not be available. Since you are in a school, you should already have inventory information for your system, which (I would hope) includes the hardware (MAC) address. For all of your domain computers, this information should be included into Active Directory. Your default boot option in WDS should be: Boot\x86\abortpxe.com.

Then, when you know you have to re-image a certain machine, you put in your exception (in my previous post) to use one of the other options for PXE.

Just make sure that if you ever replace a system, a motherboard or upgrade/replace a NIC that you update the hardware address in Active Directory.
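The lock-down described in posts #2 and #4 (abortpxe.com as the server default, a per-device exception only while a machine is being re-imaged) can be switched on and off for a whole lab at once. This is an added example, not code from the thread; the CSV file, its Name column, the -Mode parameter and the Invoke-WdsUtil helper are assumptions, and the lab machines are assumed to be prestaged already.

```powershell
# Added example: toggle the per-device PXE exception for one lab at a time.
# Assumptions: run elevated on the WDS server; lab machines are already
# prestaged in Active Directory; lab.csv (hypothetical) has a "Name" column.
param(
    [Parameter(Mandatory)][ValidateSet('Open', 'Close')][string]$Mode,
    [string]$CsvPath = '.\lab.csv'          # hypothetical inventory export
)

$Locked  = 'Boot\x86\abortpxe.com'          # default from post #4: PXE aborts
$Allowed = 'Boot\x86\pxeboot.n12'           # exception from post #2

function Invoke-WdsUtil {
    param([string[]]$Arguments)
    # wdsutil reports failure through its exit code; surface it as an error.
    $output = & wdsutil.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "wdsutil $($Arguments -join ' ') failed: $output"
    }
}

# Server-wide default for x86 clients: anything without an exception aborts PXE.
Invoke-WdsUtil @('/Set-Server', "/BootProgram:$Locked", '/Architecture:x86')

$program = if ($Mode -eq 'Open') { $Allowed } else { $Locked }
$failed = @()
foreach ($row in Import-Csv -Path $CsvPath) {
    # Reject anything that is not a plain NetBIOS-style host name before it
    # reaches the command line.
    if ($row.Name -notmatch '^[A-Za-z0-9-]{1,15}$') {
        Write-Warning "Skipping invalid device name '$($row.Name)'"
        continue
    }
    try {
        Invoke-WdsUtil @('/Set-Device', "/Device:$($row.Name)", "/BootProgram:$program")
        Write-Output "$($row.Name): boot program set to $program"
    } catch {
        $failed += $row.Name
        Write-Warning $_.Exception.Message
    }
}

# A machine left open can be re-imaged by anyone at the keyboard; fail loudly.
if ($failed.Count -gt 0) {
    throw "Boot program not updated for: $($failed -join ', ')"
}
```

Run it with -Mode Open before a lab is imaged and -Mode Close afterwards, so the exception exists only for the imaging window.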

#5
mrbeatnik

Currently we only have pxe as optional boot (i.e. hit F12).
When booting to RIS you are asked to auth, and can then start an image immediately without any special work.

We have over 4000 machines.
Labs are imaged at a time by technicians when required... it's extra work to add exceptions as and when they need it. Instead a technician can just go PXE, authenticate and the rest of the work goes automatically.

WDS will let me authenticate a bit further through the boot.wim (when I am about to select image) and that would have to do. More than likely I can script it (AutoIT etc) to begin with to ask for user/pass and authenticate to the WDS share - this should hopefully hold when I need to select an image.

Again, it's no big deal really - just wanted to make sure I wasn't missing something before I go and write something that should already be working...


Thanks for all the info Tripredacus!



