Deploy / OS Training Series (part 1): Environmental Preparations
(Last updated on July 3, 2020)
Specops Deploy has been designed from the ground up to utilize and integrate with your existing Windows environment. This offers customers unique advantages such as fast implementation and native scalability. Most importantly, your Specops Deploy environment will be as stable and reliable as your Windows environment.
The Training Series will provide you with all the knowledge you need to get your Specops Deploy environment running smoothly. The content of the series will be split into 3 parts:
Welcome to part 1. Let's get started with a quick overview.
Specops Deploy extends the Windows platform with new functionality and integrates with the components it already provides.
Specops Deploy relies on the following technology:
- Active Directory (AD)
- Group Policy
- Windows Assessment and Deployment Kit (ADK)
- Microsoft Deployment Toolkit (MDT)
- Windows Deployment Services (WDS)
Specops also needs core networking services, such as:
- Domain Name System (DNS)
- Dynamic Host Configuration Protocol (DHCP)
- Preboot Execution Environment (PXE)
- Distributed File System (DFS)
No additional hardware investment is required.
For information on the requirements, see the product page and expand the Requirements tab.
Organizational Unit Structure
An organizational unit (OU) is a container within an AD domain which can hold users, groups, and computers. It is the smallest unit to which an administrator can assign Group Policy settings or account permissions. It is important to create an OU structure which allows you to efficiently apply the Group Policy settings your organization requires.
You should plan ahead to ensure that the structure will be easily adaptable to future needs. This typically means being restrictive when creating OUs. It is a lot easier to expand an OU structure than it is to move OUs and objects.
TIP: Always create a separate root OU for your organization. The OU should be created directly beneath your domain partition and used to hold any additional OUs. This setup will allow you to separate the built-in components from your own creations, and assign organization-wide Group Policy settings, without affecting sensitive objects like your Domain Controllers.
Active Directory Security
The AD security model allows fine-grained access control to any AD object and its attributes.
If you are working in a large organization, with IT administrators in several locations, you may want to create separate OUs for each location, and delegate control to local administrators. Local administrators will have full control over the part of AD relevant to them, while the rest is kept safe from unwanted access.
All Specops products are subject to AD security. The Setup Assistant can assign the appropriate permissions to service accounts and security groups, if the account used during installation has permissions to do so.
TIP: When using the Administration Tools, the security context of the user account you are logged in with will be used to perform actions against AD. Make sure that your account has sufficient permissions to manipulate the objects in question, such as GPOs, Computer and User objects.
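The following script is an added example, not part of the Specops documentation, that puts the two previous sections into practice: it creates a root OU directly beneath the domain partition, one OU per location beneath it, and then delegates full control of a single location OU to that location's admin group. The domain name, the OU names and the group name Stockholm-Admins are assumed for illustration; the group must already exist.

```powershell
# Added example (not Specops code). Assumed: domain contoso.com, root OU "Contoso",
# security group "Stockholm-Admins" already exists. Run as a user with rights to
# create OUs and modify ACLs (the Administration Tools use your own security context).
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName            # e.g. DC=contoso,DC=com
$rootDN   = "OU=Contoso,$domainDN"

# Create an OU only if it does not already exist; protect it from accidental deletion.
function Initialize-OU {
    param([string]$Name, [string]$Path)
    $dn = "OU=$Name,$Path"
    if (-not (Get-ADOrganizationalUnit -Identity $dn -ErrorAction SilentlyContinue)) {
        New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

# Root OU beneath the domain partition, keeping built-in containers (Domain Controllers,
# Users, Computers) separate from everything the organization creates.
Initialize-OU -Name 'Contoso' -Path $domainDN | Out-Null

# One OU per location, each with a Computers sub-OU to hold Specops Deploy targets.
foreach ($location in 'Stockholm', 'London') {
    $locationDN = Initialize-OU -Name $location -Path $rootDN
    Initialize-OU -Name 'Computers' -Path $locationDN | Out-Null
}

# Delegation: Stockholm-Admins get full control (GA) of the Stockholm OU and all objects
# beneath it (/I:T), and no rights anywhere else in the directory.
$netbios = $domain.NetBIOSName
dsacls "OU=Stockholm,$rootDN" /I:T /G "${netbios}\Stockholm-Admins:GA"

# Verify: show the explicit (non-inherited) ACEs on the Stockholm OU.
function Get-ExplicitOuAce {
    param([string]$OuDN)
    (Get-Acl -Path "AD:\$OuDN").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
}
Get-ExplicitOuAce -OuDN "OU=Stockholm,$rootDN" | Format-Table -AutoSize
```

The delegation is scoped to the location OU on purpose: the built-in containers, the Domain Controllers OU and the other locations sit outside the inheritance path, so a compromised or over-eager local administrator account cannot reach them.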
Specops Deploy uses Windows components which are site-aware. Your AD Sites will need to be configured properly to help avoid unnecessary traffic across WAN links.
Sites are defined by IP address subnets, and should reflect parts of your network that are well connected in terms of bandwidth. For instance, defining sites for your Stockholm LAN and your London LAN will keep most AD traffic local, only going across sites when it is specifically required.
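As an added example (not from the Specops documentation), the script below defines the two sites used in the paragraph above, maps subnets to them, and then reports the two things that most often break site awareness: subnets that are defined but not assigned to any site, and the site the current machine actually resolves to. The site names and the subnet ranges are assumed for illustration.

```powershell
# Added example (not Specops code). Assumed: sites Stockholm and London with the
# subnets below; adjust to your own address plan.
Import-Module ActiveDirectory

$sitePlan = @{
    'Stockholm' = @('10.10.0.0/16')
    'London'    = @('10.20.0.0/16')
}

foreach ($siteName in $sitePlan.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
        New-ADReplicationSite -Name $siteName
    }
    foreach ($cidr in $sitePlan[$siteName]) {
        # Subnet objects are named by their CIDR prefix; each one points at exactly one site.
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $siteName
        }
    }
}

# A subnet with no site (or a client address covered by no subnet at all) makes the client
# pick any domain controller or Deployment Server, which is the cross-WAN traffic to avoid.
function Get-UnassignedSubnet {
    Get-ADReplicationSubnet -Filter * |
        Where-Object { -not $_.Site } |
        Select-Object Name, Location
}

# The site this computer is placed in by the locator; run it on a client that downloads
# from the wrong Deployment Server to see whether its subnet is mapped correctly.
function Get-CurrentSite {
    [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
}

Get-UnassignedSubnet | Format-Table -AutoSize
Get-CurrentSite
```

Re-run Get-UnassignedSubnet after every network change; a newly added VLAN that nobody mapped to a site is the usual reason a remote office suddenly pulls images over the WAN.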
Specops Deploy requires properly configured core network components, such as DNS and DHCP services. Since AD is a resilient technology, it will continue to work even if the core services are not correctly configured. Thus, you may not notice a problem until using a product like Specops Deploy.
DNS is essential for a working AD as the service records point clients to the right domain controllers.
While it is possible to rely on the standard DNS service for your AD, it is recommended to use the built-in Microsoft DNS service. Using an AD integrated DNS system has the following benefits:
- Replication of zone data across all domain controllers for redundancy and easy client access.
- Secure dynamic updates to DNS records from any server.
- AD integrated security controls (ACLs) on zone data.
- Zone data automatically replicated to new domain controllers. This makes it easier to scale your DNS environment with your AD, providing a natural way for each site to hold a local copy of the zone.
Specops Deploy uses DNS for name resolution of the client computers. For instance, right-clicking a computer object in the Users and Computers console to trigger a re-installation requires a DNS query to determine where to send the gpupdate or reboot command.
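The following script is an added example, not part of the Specops documentation, that checks the three DNS properties the preceding paragraphs depend on: that the domain controller locator (SRV) records resolve and point at hosts that have addresses, that the AD zone is AD-integrated and accepts only secure dynamic updates, and that client computer names resolve the way the right-click actions in the Users and Computers console need them to. The computer names ws-0050 and ws-0051 are assumed for illustration; the zone check needs the DNS Server RSAT tools and a Microsoft DNS server.

```powershell
# Added example (not Specops code). Assumed: run from a domain-joined admin workstation
# with the ActiveDirectory and DnsServer modules; client names are placeholders.
Import-Module ActiveDirectory
Import-Module DnsServer

$domain    = (Get-ADDomain).DNSRoot                                  # e.g. contoso.com
$dnsServer = (Get-ADDomainController -Discover).HostName | Select-Object -First 1

# 1. Locator records: this is how clients find a DC for logon, Group Policy and gpupdate.
function Test-DcLocatorRecords {
    param([string]$Domain)
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
    foreach ($rec in $srv) {
        $a = Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' }
        [pscustomobject]@{
            DomainController = $rec.NameTarget
            Port             = $rec.Port
            ResolvesToIP     = [bool]$a
            IPAddress        = ($a.IPAddress) -join ','
        }
    }
}

# 2. Zone configuration: AD-integrated + Secure updates = replicated, ACL-protected zone data.
function Test-AdZoneConfig {
    param([string]$Domain, [string]$Server)
    $zone = Get-DnsServerZone -Name $Domain -ComputerName $Server
    [pscustomobject]@{
        Zone          = $zone.ZoneName
        AdIntegrated  = $zone.IsDsIntegrated
        DynamicUpdate = $zone.DynamicUpdate          # expected: Secure
        Ok            = ($zone.IsDsIntegrated -and $zone.DynamicUpdate -eq 'Secure')
    }
}

# 3. The lookup Specops Deploy performs before sending gpupdate/reboot to a computer.
function Test-ClientResolution {
    param([string[]]$ComputerName, [string]$Domain)
    foreach ($c in $ComputerName) {
        $r = Resolve-DnsName -Name "$c.$Domain" -Type A -ErrorAction SilentlyContinue
        [pscustomobject]@{ Computer = $c; Resolves = [bool]$r }
    }
}

Test-DcLocatorRecords -Domain $domain | Format-Table -AutoSize
Test-AdZoneConfig -Domain $domain -Server $dnsServer | Format-List
Test-ClientResolution -ComputerName 'ws-0050', 'ws-0051' -Domain $domain | Format-Table -AutoSize
```

A zone that reports DynamicUpdate as NonsecureAndSecure is worth fixing before going further: it lets any host on the network register or overwrite a computer's A record, which is exactly the record Specops Deploy trusts when it decides where to send a re-installation command.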
Specops Deploy requires DHCP in order to PXE boot clients for bare-metal installations. You may have to reconfigure your network to assist your clients in finding the PXE server:
- If the Deployment Server is able to receive the initial DHCP:DISCOVER broadcast, do not configure the scope options.
- If a switch or router blocks the broadcast, forward the requests to your DHCP and/or PXE server. Reconfiguring your network equipment (IP Helper) is more reliable than using scope options.
Ensure that your clients can use TFTP (udp/4011) to download the required boot files from the Deployment Server.
TIP: If your clients need static IP addresses, you can still use DHCP if you configure your scopes with reservations. Specific IP addresses from the scope will be reserved for specific MAC addresses. This will give you better control over where your IP addresses belong.
Single Server Considerations
While it is not best practice to install all network and AD services on a single server, you may not have a choice with smaller remote sites. To keep the system working, you will need to configure your services to handle possible conflicts:
- If your Deployment Server is on the same machine as your DHCP server, WDS needs to be configured to not listen on port 67.
- Set scope option 60 to "PXEClient".
On a Specops Deploy Deployment Server, these settings are available in the WDS management tool.
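As an added example (not from the Specops documentation), the script below applies the single-server settings from the list above with wdsutil and the DhcpServer cmdlets, and adds the kind of DHCP reservation the earlier TIP describes. It detects whether DHCP and WDS are installed on the same machine before touching anything. The scope 10.10.0.0 and the MAC/IP/hostname of the reservation are assumed for illustration. One port detail worth keeping in mind when you open firewalls: DHCP itself uses udp/67 and udp/68, WDS answers PXE requests on udp/4011 once it stops listening on 67, and the boot files are fetched by TFTP on udp/69.

```powershell
# Added example (not Specops code). Run on the Deployment Server as an administrator.
# Assumed: IPv4 scope 10.10.0.0, reservation values below are placeholders.
Import-Module DhcpServer

$scopeId = '10.10.0.0'
$dhcpIsLocal = (Get-WindowsFeature -Name DHCP).Installed
$wdsIsLocal  = (Get-WindowsFeature -Name WDS-Deployment).Installed

if ($dhcpIsLocal -and $wdsIsLocal) {
    # Single-server case: DHCP keeps udp/67; WDS moves its PXE listener to udp/4011
    # and advertises itself to PXE clients through DHCP option 60.
    wdsutil /Set-Server /UseDhcpPorts:No /DhcpOption60:Yes

    # Option 60 (vendor class identifier) is not predefined on a Windows DHCP server:
    # define it once, then set its value on the scope.
    if (-not (Get-DhcpServerv4OptionDefinition -OptionId 60 -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4OptionDefinition -OptionId 60 -Name 'PXEClient' -Type String `
            -Description 'Tells PXE clients that this DHCP server also hosts WDS'
    }
    Set-DhcpServerv4OptionValue -ScopeId $scopeId -OptionId 60 -Value 'PXEClient'
}
else {
    # Separate servers: leave option 60 unset and let WDS own udp/67 on its own host.
    # If a router blocks the DISCOVER broadcast, add an IP helper on that router instead.
    Write-Host 'DHCP and WDS are on different hosts; no scope option changes made.'
}

# Reservation: a client that needs a fixed address still gets it from DHCP, tied to its MAC,
# so the address stays under central control and PXE keeps working.
function Add-PxeReservation {
    param([string]$ScopeId, [string]$IPAddress, [string]$Mac, [string]$Name)
    if (-not (Get-DhcpServerv4Reservation -ScopeId $ScopeId -ClientId $Mac -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress $IPAddress -ClientId $Mac -Name $Name
    }
    Get-DhcpServerv4Reservation -ScopeId $ScopeId -ClientId $Mac
}
Add-PxeReservation -ScopeId $scopeId -IPAddress '10.10.0.50' -Mac '00-15-5D-01-02-03' -Name 'ws-0050'

# Verify what the scope now hands out to PXE clients.
Get-DhcpServerv4OptionValue -ScopeId $scopeId | Where-Object { $_.OptionId -eq 60 }
```

If the DISCOVER broadcast does reach the Deployment Server on its own (no router in between), leave the scope options alone as the text above says; option 60 is only for the co-located case, and setting it when WDS lives elsewhere sends clients to a PXE service that does not exist on the DHCP host.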
Specops Deploy uses PXE booting to initiate Windows installations when you want to replace the contents of the hard drive. It is useful for bare-metal installations on new hardware, or when changing owners on old hardware. Computers installed with Specops Deploy should be configured to PXE boot as the first boot option in BIOS.
When a computer PXE boots, it broadcasts a discovery packet on the local network segment to request an IP address from a DHCP server, and a PXE server to handle the network boot. If the broadcast is received by the appropriate servers, they will reply with offers of assistance.
The client will select an available DHCP server to request an IP address. Once the IP address is in place, the client will request to start the PXE boot process from the PXE server. The client will be directed to download the appropriate network bootstrap program, and any other files needed to complete the process.
| From | To | Message | Meaning |
|---|---|---|---|
| PXE Client | Broadcast | DHCP: DISCOVER | I need to PXE boot. Are there any DHCP servers out there? |
| DHCP Server | Broadcast | DHCP: OFFER | Yes! I'm here! You can use this IP address if you want to... |
| PXE Server | Broadcast | DHCP: OFFER | Did someone need to PXE boot? I'm ready to help... |
| PXE Client | Broadcast | DHCP: REQUEST | OK, I'll start using that IP address. Please reserve it for me. |
| DHCP Server | PXE Client | DHCP: ACK | Sure thing, please enjoy it. |
| PXE Client | PXE Server | DHCP: REQUEST | You said you would help me PXE boot? |
| PXE Server | PXE Client | DHCP: ACK | Sure, you should run this Network Bootstrap Program... |
| PXE Client | PXE Server | TFTP: READ | OK, give me that bootstrapper. |
| PXE Server | PXE Client | TFTP: DATA | Here you go... |
| PXE Client | PXE Server | DHCP: REQUEST | The NBP says I need another boot file... |
| PXE Server | PXE Client | DHCP: ACK | Yeah, you should fetch this N12 boot file. |
| PXE Client | PXE Server | TFTP: READ | OK, give it to me. |
DFS consists of two components:
DFS Namespaces (DFS-N):
- Makes file shares on one or more file servers available under a common name
- Ties to your domain, creating paths like \\your.domain.org\dfs\software
- Refers client requests to the closest available source when they request files
DFS Replication (DFS-R):
- Replicates the contents of namespaces between different file servers
- Manages and optimizes bandwidth usage for replication
Client computers requesting a file from the namespaces will be directed to the closest available replica, preventing unnecessary file transfers across sites.
Specops Deploy automatically configures DFS-R for the Deployment Servers. You should configure your DFS environment for your software installation files to reduce download and installation time.
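The following script is an added example, not part of Specops Deploy's own DFS-R setup, that builds the DFS layout this section recommends for software installation files: a domain-based namespace using the \\your.domain.org\dfs path form from the list above, a software folder with one target per site so that clients are referred to the replica in their own site, and a DFS-R group that keeps the two targets in sync. The file server names FS-STO and FS-LON, their share names and the local path D:\Software are assumed for illustration; both servers need the DFS Namespaces and DFS Replication roles installed.

```powershell
# Added example (not Specops code). Assumed: domain your.domain.org, file servers
# FS-STO (Stockholm) and FS-LON (London), each sharing "dfs" (namespace root) and
# "Software" (D:\Software). Run as a domain admin with the DFSN and DFSR modules.
Import-Module DFSN
Import-Module DFSR

$namespace = '\\your.domain.org\dfs'
$folder    = "$namespace\software"
$servers   = @(
    @{ Name = 'FS-STO'; RootShare = '\\FS-STO\dfs'; Share = '\\FS-STO\Software'; Local = 'D:\Software' },
    @{ Name = 'FS-LON'; RootShare = '\\FS-LON\dfs'; Share = '\\FS-LON\Software'; Local = 'D:\Software' }
)

# DFS-N: domain-based namespace root with a root target on each server.
if (-not (Get-DfsnRoot -Path $namespace -ErrorAction SilentlyContinue)) {
    New-DfsnRoot -Path $namespace -TargetPath $servers[0].RootShare -Type DomainV2 | Out-Null
}
New-DfsnRootTarget -Path $namespace -TargetPath $servers[1].RootShare -ErrorAction SilentlyContinue | Out-Null

# DFS-N: the "software" folder with a folder target per site. Referrals are site-aware,
# so a Stockholm client is sent to FS-STO and only falls back to FS-LON if that fails.
if (-not (Get-DfsnFolder -Path $folder -ErrorAction SilentlyContinue)) {
    New-DfsnFolder -Path $folder -TargetPath $servers[0].Share | Out-Null
}
New-DfsnFolderTarget -Path $folder -TargetPath $servers[1].Share -ErrorAction SilentlyContinue | Out-Null

# DFS-R: replicate D:\Software between the servers; FS-STO seeds the initial content.
$group = 'Software'
if (-not (Get-DfsReplicationGroup -GroupName $group -ErrorAction SilentlyContinue)) {
    New-DfsReplicationGroup -GroupName $group | Out-Null
    New-DfsReplicatedFolder -GroupName $group -FolderName 'Software' | Out-Null
    Add-DfsrMember -GroupName $group -ComputerName ($servers | ForEach-Object { $_.Name }) | Out-Null
    # Add-DfsrConnection creates the connection in both directions unless -CreateOneWay is given.
    Add-DfsrConnection -GroupName $group -SourceComputerName 'FS-STO' -DestinationComputerName 'FS-LON' | Out-Null
    Set-DfsrMembership -GroupName $group -FolderName 'Software' -ComputerName 'FS-STO' `
        -ContentPath 'D:\Software' -PrimaryMember $true -Force | Out-Null
    Set-DfsrMembership -GroupName $group -FolderName 'Software' -ComputerName 'FS-LON' `
        -ContentPath 'D:\Software' -Force | Out-Null
}

# Verify: the targets a client can be referred to for the software folder and their state.
function Get-SoftwareFolderTarget {
    Get-DfsnFolderTarget -Path $folder | Select-Object TargetPath, State, ReferralPriorityClass
}
Get-SoftwareFolderTarget | Format-Table -AutoSize
```

Point your Specops Deploy software installation sources at \\your.domain.org\dfs\software rather than at a server-specific share; that way a remote site keeps installing from its local replica even when the link to head office is down, and adding a third site is a matter of one more folder target and one more DFS-R member.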