Deploy / OS Training Series (part 1): Environmental Preparations

(Last updated on August 2, 2018)

Specops Deploy has been designed from the ground up to utilize and integrate with your existing Windows environment. This offers customers unique advantages such as fast implementation and native scalability. Most importantly, your Specops Deploy environment will be as stable and reliable as your Windows environment.

The Training Series will provide you with all the knowledge you need to get your Specops Deploy environment running smoothly. The content of the series will be split into 3 parts:

Welcome to part 1. Let’s get started with a quick overview.

Overview

Specops Deploy extends and integrates new functionality in the Windows platform.

Specops Deploy relies on the following technology:

  • Active Directory (AD)
  • Group Policy
  • Windows Assessment and Deployment Kit (ADK)
  • Microsoft Deployment Toolkit (MDT)
  • Windows Deployment Services (WDS)

Specops also needs core networking services, such as:

  • Domain Name System (DNS)
  • Dynamic Host Configuration Protocol (DHCP)
  • Preboot Execution Environment (PXE)
  • Distributed File System (DFS)

No additional hardware investments are required.

For information on the requirements, click here, and expand the Requirements tab.

Organizational Unit Structure

An organizational unit (OU) is a container within an AD domain which can hold users, groups, and computers. It is the smallest unit to which an administrator can assign Group Policy settings or account permissions. It is important to create an OU structure which allows you to efficiently apply the Group Policy settings your organization requires.

You should plan ahead to ensure that the structure will be easily adaptable to future needs. This typically means being restrictive when creating OUs. It is a lot easier to expand an OU structure than it is to move OUs and objects.

TIP: Always create a separate root OU for your organization. The OU should be created directly beneath your domain partition and used to hold any additional OUs. This setup will allow you to separate the built-in components from your own creations, and assign organization-wide Group Policy settings without affecting sensitive objects like your Domain Controllers.

Active Directory Security

The AD security model allows fine-grained access control to any AD object and its attributes.

If you are working in a large organization, with IT administrators in several locations, you may want to create separate OUs for each location, and delegate control to local administrators. Local administrators will have full control over the part of AD relevant to them, while the rest is kept safe from unwanted access.

All Specops products are subject to AD security. The Setup Assistant can assign the appropriate permissions to service accounts and security groups, if the account used during installation has permissions to do so.

TIP: When using the Administration Tools, the security context of the user account you are logged in with will be used to perform actions against AD. Make sure that your account has sufficient permissions to manipulate the objects in question, such as GPOs, Computer and User objects.

Site Assignment

Specops Deploy uses Windows components which are site aware. Your AD Sites will need to be configured properly to help avoid unnecessary traffic across WAN links.

Sites are defined by IP-address subnets, and should reflect parts of your network that are well connected in terms of bandwidth. For instance, defining sites for your Stockholm LAN and your London LAN will keep most AD traffic local, only going across sites when it is specifically required.

Network Services

Specops Deploy requires properly configured core network components, such as DNS and DHCP services. Since AD is a resilient technology, it will continue to work even if the core services are not correctly configured. Thus, you may not notice a problem until using a product like Specops Deploy.

DNS

DNS is essential for a working AD as the service records point clients to the right domain controllers.

While it is possible to rely on the standard DNS service for your AD, it is recommended to use the built-in Microsoft DNS service. Using an AD integrated DNS system has the following benefits:

  • Replication of zone data across all domain controllers for redundancy and easy client access.
  • Secure dynamic updates to DNS records from any server.
  • AD integrated security controls (ACLs) for zone data.
  • Zone data automatically replicated to new domain controllers. This makes it easier to scale your DNS environment with your AD, providing a natural way for each site to hold a local copy of the zone.

Specops Deploy uses DNS for name resolution of the client computers. For instance, right-clicking a computer object in the Users and Computers console to trigger a re-installation requires a DNS query to determine where to send the gpupdate or reboot command.

DHCP

Specops Deploy requires DHCP to PXE boot for bare metal installations. You may have to reconfigure your network to assist your clients in finding the PXE server:

  • If the Deployment Server is able to receive the initial DHCP:DISCOVER broadcast, do not configure the scope options.
  • If a switch or router blocks the broadcast, forward the requests to your DHCP and/or PXE server. Reconfiguring your network equipment (IP Helper) is more reliable than using scope options.

Ensure that your clients can use TFTP (udp/4011) to download the required boot files from the Deployment Server.

TIP: If your clients need static IP-addresses, you can still use DHCP if you configure your scopes with reservations. Specific IP-addresses from the scope will be reserved for specific MAC-addresses. This will give you better control over where your IP-addresses belong.

Single Server Considerations

While it is not best practice to install all network and AD services on a single server, you may not have a choice with smaller remote sites. To keep the system working, you will need to configure your service to handle possible conflicts:

  • If your Deployment Server is on the same machine as your DHCP server, WDS needs to be configured to not listen to port 67.
  • Set scope option 60 to “PXEClient”.

On a Specops Deploy Deployment Server, these settings are available in the WDS management tool.

PXE Booting

Specops Deploy uses PXE booting to initiate Windows installations when you want to replace the contents of the hard drive. It is useful for bare metal installations on new hardware, or when changing owners on old hardware. Computers installed with Specops Deploy should be configured to PXE boot as the first boot option in BIOS.

When a computer PXE boots, it broadcasts a discovery packet on the local network segment to request an IP-address from a DHCP server, and a PXE server to handle the network boot. If the broadcast is received by the appropriate servers, they will reply with offers of assistance.

The client will select an available DHCP server to request an IP-address. Once the IP-address is in place, the client will request to start the PXE boot process from the PXE server. The client will be directed to download the appropriate network bootstrap program, and any other files needed to complete the process.

| From | To | Protocol | Purpose |
| --- | --- | --- | --- |
| PXE Client | Broadcast | DHCP: DISCOVER | I need to PXE boot, are there any DHCP servers out there? |
| DHCP Server | Broadcast | DHCP: OFFER | Yes! I’m here! You can use this IP address if you want to… |
| PXE Server | Broadcast | DHCP: OFFER | Did someone need to PXE boot? I’m ready to help… |
| PXE Client | Broadcast | DHCP: REQUEST | Ok, I’ll start using that IP-address. Please reserve it for me. |
| DHCP Server | PXE Client | DHCP: ACK | Sure thing, please enjoy it. |
| PXE Client | PXE Server | DHCP: REQUEST | You said you would help me PXE boot? |
| PXE Server | PXE Client | DHCP: ACK | Sure, you should run this Network Bootstrap Program… |
| PXE Client | PXE Server | TFTP: READ | Ok, give me that Bootstrapper |
| PXE Server | PXE Client | TFTP: DATA | Here you go… |
| PXE Client | PXE Server | DHCP: REQUEST | The NBP says I need another boot file… |
| PXE Server | PXE Client | DHCP: ACK | Yeah, you should fetch this N12 boot file |
| PXE Client | PXE Server | TFTP: READ | Ok, give it to me. |
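
When a client fails to PXE boot, decoding the DHCP messages from a packet capture shows which step of the exchange above is missing and which server handed out the boot file. The following Python parser is an added example, not part of the original article or of Specops Deploy; the packets, IP addresses, MAC address and boot file path are constructed sample values.

```python
import socket
import struct

BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")  # fixed 236-byte BOOTP header
MAGIC = b"\x63\x82\x53\x63"                           # DHCP magic cookie
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(packet: bytes) -> dict:
    """Decode the DHCP fields that matter when tracing a PXE boot."""
    if packet[BOOTP.size:BOOTP.size + 4] != MAGIC:
        raise ValueError("not a DHCP message")
    yiaddr, siaddr, bootfile = (BOOTP.unpack_from(packet)[k] for k in (8, 9, 13))
    options, i = {}, BOOTP.size + 4
    while i < len(packet) and packet[i] != 255:       # 255 = end of options
        if packet[i] == 0:                            # 0 = pad byte, no length
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")
        options[packet[i]] = packet[i + 2:i + 2 + packet[i + 1]]
        i += 2 + packet[i + 1]
    vendor = options.get(60, b"").decode("ascii", "replace")
    return {
        "type": TYPES.get((options.get(53) or b"\0")[0], "UNKNOWN"),
        "offered_ip": socket.inet_ntoa(yiaddr),
        "next_server": socket.inet_ntoa(siaddr),
        "boot_file": bootfile.split(b"\0", 1)[0].decode("ascii", "replace"),
        "pxe": vendor.startswith("PXEClient"),        # option 60 marks PXE traffic
    }

def build(msg_type, yiaddr="0.0.0.0", siaddr="0.0.0.0", boot_file=b"", vendor=b""):
    """Build a constructed sample message (demo data, not a capture)."""
    header = BOOTP.pack(1 if msg_type in (1, 3) else 2, 1, 6, 0, 0x1234ABCD, 0, 0x8000,
                        bytes(4), socket.inet_aton(yiaddr), socket.inet_aton(siaddr),
                        bytes(4), bytes.fromhex("001122334455"), b"", boot_file)
    options = bytes([53, 1, msg_type])
    if vendor:
        options += bytes([60, len(vendor)]) + vendor
    return header + MAGIC + options + b"\xff"

# Constructed exchange: client DISCOVER, DHCP server OFFER, PXE server ACK with the NBP.
SAMPLE = [
    build(1, vendor=b"PXEClient:Arch:00000:UNDI:002001"),
    build(2, yiaddr="10.0.0.50"),
    build(5, siaddr="10.0.0.10", boot_file=rb"boot\x64\wdsnbp.com", vendor=b"PXEClient"),
]

for message in map(parse_dhcp, SAMPLE):               # one line per step
    print(message)
```

In a real trace, compare `next_server` and `boot_file` in the PXE server's ACK against the Deployment Server you expect to answer for that subnet.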

DFS

DFS consists of two components:

DFS-Namespaces (DFS-N):

  • Makes file shares on one or more file servers available under a common name
  • Ties to your domain, creating paths like \\your.domain.org\dfs\software
  • Refers client requests to the closest available source when they request files

DFS-Replication (DFS-R):

  • Replicates the contents of namespaces between different file servers
  • Manages and optimizes bandwidth usage for replication

Client computers requesting a file from the namespaces will be directed to the closest available replica, preventing unnecessary file transfers across sites.

Specops Deploy automatically configures DFS-R to the Deployment Servers. You should configure your DFS environment for your software installation files to reduce download and installation time.

That’s all for today. Stay tuned for part 2 of the Training Series. In the meantime, you can find Specops Deploy / OS documentation here.

Happy Deployment!

Written by

Johan Soderstrom

Product Specialist, Specops Software
