PXE boot, GUIDs, and MAC addresses in Specops Deploy and WDS

(Last updated on February 15, 2019)

In this blog post, I will describe the core functionality of the PXE boot used by Specops Deploy. I will address prestaging, and how the MAC address or UUID works when finding objects in AD.

Pre-boot eXecution Environment (PXE) boot

PXE is a protocol that allows computers (PXE clients) to load an operating system from a remote server (PXE server). PXE can also be used to load Windows Preinstallation Environment (WinPE), from which a full operating system can be installed. Specops Deploy uses PXE booting to initiate Windows installations, replacing the contents of the hard drive. Computers installed with Specops Deploy should be configured to PXE boot as the first boot option in BIOS.

When a computer initiates a PXE boot, it sends a network broadcast containing its Universally Unique Identifier (UUID) and its Media Access Control (MAC) address, together with a request for a PXE server. This will typically reach as far as a broadcast can go, i.e. the local subnet. The entire PXE protocol is similar to how DHCP works when retrieving IP addresses – and DHCP actually needs to work for PXE to work as well.

In Specops Deploy, Windows Deployment Services (WDS) is installed as part of the Specops Deployment Server. WDS is in essence a PXE server, so it handles all communication sent from the computer that is PXE booting. What happens on the WDS server when a PXE client sends out a broadcast? An Active Directory (AD) search is performed, checking the NetBootGUID attribute of computer objects against the UUID and MAC address that were sent. If a match is found, the WDS server knows that the computer that is booting is the same computer as the one in AD. Depending on the configuration, WDS can then offer a Windows PE boot image for download over Trivial File Transfer Protocol (TFTP). The computer will load the Windows PE image into memory, and boot. The Windows PE image contains bootstrap information that will contact the Specops Deployment Server, and start the actual installation.

The act of mapping a UUID or MAC address to the NetBootGUID is called prestaging. This is what happens when a new computer is added, or targeted for reinstallation, from the Specops Deploy/OS Admin tool.

UUID, GUID or MAC address

There is a lot of confusion regarding how UUID, Globally Unique Identifier (GUID), and MAC addresses are being used in PXE, and WDS/Deploy. Let’s start with a summary, and explanation of the three:

  • UUID is a 128-bit value used to define IDs that are unique in a variety of implementations, such as code objects and hardware parts. The UUID is displayed in a (somewhat) readable form for humans – always divided into 8-4-4-4-12 of hexadecimal characters. An example would look like: bfd61fa5-9689-4d53-84fa-60e2ecb7b859. This is the UUID that is displayed during a PXE boot.
  • GUID is Microsoft’s implementation of UUID – thus, UUID or GUID can in practice be used interchangeably. This is one of the main areas of confusion since the value is called UUID in some areas, for example in the PXE protocol, and GUID in other areas, such as the NetBootGUID attribute. At the end of the day, they represent the same thing when it comes to WDS.
  • MAC address is the 48-bit ID of the Network Interface Controller (NIC) used on the network to identify the physical network card. For obvious reasons, they are supposed to be unique. But network cards can be moved between computers or replaced, and there can be multiple network cards in a single computer, so they are not optimal as IDs for computers. The only real value they add is that they are easier to enter. The friendly name of the MAC address is written using hexadecimal characters, and uses either colons (00:15:5D:0A:6B:00) or hyphens (00-15-5D-0A-6B-00).

The NetBootGUID can only contain a single value. It is not possible to register both a MAC address and GUID, or multiple MAC addresses (if the computer has multiple NICs).

Prestaging with MAC address

The MAC address consists of 48 bits, so it does not fill the full AD NetBootGUID value, which requires 128 bits. In Specops Deploy, this is handled by zero-padding the MAC address. A MAC address entered as 00:15:5D:0A:6B:00 will be converted into a UUID with a friendly name, such as 00000000-0000-0000-0000-00155D0A6B00, and stored in the NetBootGUID value. The same conversion is performed when the WDS server searches AD for computers that match the UUID and MAC address during PXE boot.

Specops Deploy/OS will install a PXE Filter on all WDS servers acting as Deployment Servers. The PXE Filter hooks into the WDS server, and executes before the WDS server runs the PXE server protocol. The PXE Filter searches AD for computers with either the UUID or MAC address. If the Filter detects that the MAC is used, it will simply switch the NetBootGUID value from the MAC address to the UUID. When the WDS server searches AD (a few milliseconds later) it will find the UUID and not the MAC address. The reason for this feature is the longevity of UUIDs, compared with the shorter life span of MAC addresses.

Prestaging with UUID

When prestaging with UUID, there is a hidden problem that the Specops Deploy PXE Filter manages automatically, but native WDS and SCCM do not. When a PC is booted, the UUID displayed on the screen can look like 4C4C4544-0057-3810-8036-B7C04F5A344A, but when you run the command (get-wmiobject Win32_ComputerSystemProduct).UUID in PowerShell, you get 44454C4C-5700-1038-8036-B7C04F5A344A. They look similar, but next to each other the difference is obvious:

4C4C4544-0057-3810-8036-B7C04F5A344A (Big Endian version seen during PXE boot)
44454C4C-5700-1038-8036-B7C04F5A344A (Little Endian version seen from within Windows)

Normally, if the Big Endian version (sometimes also called the Network Byte Order version) is added to the NetBootGUID attribute during prestage, the computer will not be detected during PXE boot. But the Specops PXE Filter searches for both Endian versions of the UUID. If it finds that the Big Endian version is stored in AD, it replaces it with the Little Endian version. When WDS searches for the computer (a few milliseconds later), everything looks like it should, regardless of how the UUID was entered – all due to the magic of the Specops PXE Filter.
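The MAC zero-padding and the Big/Little Endian conversion described in the two prestaging sections above can be reproduced in a few lines, which is useful when auditing which form a prestaged computer object actually holds. This is an added example, not Specops or WDS code; the function names are hypothetical and it works only on the friendly string forms shown in this post.

```python
import re
import uuid

# Six hex pairs joined by one consistent separator (":" or "-").
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])[0-9A-Fa-f]{2}(?:\1[0-9A-Fa-f]{2}){4}$")


def mac_to_netbootguid(mac):
    """Zero-pad a 48-bit MAC address into the 128-bit friendly form."""
    if not MAC_RE.match(mac):
        raise ValueError("not a MAC address: %r" % mac)
    return "00000000-0000-0000-0000-" + re.sub(r"[:-]", "", mac).upper()


def swap_endianness(friendly):
    """Convert between the PXE-screen form and the in-Windows form.

    Only the first three groups (8-4-4) are byte-reversed; the last two
    groups are left alone. Applying the function twice returns the input.
    """
    shown = uuid.UUID(friendly)  # raises ValueError on malformed input
    return str(uuid.UUID(bytes_le=shown.bytes)).upper()


def classify_stored_value(stored, pxe_uuid, mac):
    """Say which form of a client's identity a stored value holds.

    stored   -- friendly value read from a computer object (assumed input)
    pxe_uuid -- UUID exactly as displayed on the PXE boot screen
    mac      -- MAC address of the booting NIC
    """
    stored = str(uuid.UUID(stored)).upper()
    big = str(uuid.UUID(pxe_uuid)).upper()
    if stored == swap_endianness(big):
        return "uuid-little-endian"   # the form seen from within Windows
    if stored == big:
        return "uuid-big-endian"      # the form seen during PXE boot
    if stored == mac_to_netbootguid(mac):
        return "mac-zero-padded"
    return None                       # belongs to some other computer
```
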

Summary

Regardless of the format used during prestaging, UUID (Big or Little Endian), or MAC address, the Specops PXE Filter will make sure that the correct Little Endian version is found in the NetBootGUID attribute. This feature is so awesome, that even if you were running a WDS shop only, you might want to install the Specops Deployment Server PXE Filter.

Written by

Thorbjörn Sjövold

Head of Research, Specops Software
