Booting a PXE Client

It is likely that any hardware that can support Windows 7 will have a PXE-capable network adapter. If not, you can create a discover image in the WDS console by right-clicking on a suitable boot image and selecting Create Discover Image. You would boot up the computer using this discover image. However, you will probably not need to do this.

You may have noticed in the past when you power up a computer that there is a prompt to press a key to boot the machine up on the network. Using this prompt is how you start the PXE client. If this prompt does not appear, you can go into the BIOS and enable it to appear. The exact instructions and the key to press are hardware specific, so you should consult your hardware vendor, their support site, or their supplied documentation.

Pressing that key will bring you to a screen similar to the one shown in the figure below. What you are seeing is the machine requesting the DHCP-supplied IP configuration and a PXE server configuration. You can also see the MAC address of the network adapter and the GUID of the machine that you are working on. This information may be useful later, as you will soon see.

[Figure: The client requesting IP configuration]

This process may time out. Some of the possible causes of this include the following:

  • There is no DHCP server with a configured DHCP scope for the network that the machine is on.
  • DHCP is not functioning correctly.
  • The WDS server is not configured.
  • WDS is not functioning correctly. Check the IP Helper.
  • An enterprise administrator has not authorized the WDS server in the DHCP console.
  • The PXE response settings are not configured.
  • A segmented network is not configured to forward the DHCP traffic as required.

Configuring PXE Response

You were asked how you wanted to configure the PXE response during the initial configuration of WDS. Here are the possible settings:

Do Not Respond To Any Client Computers: The WDS server will not respond to any requests by PXE clients. Your WDS server may be configured this way during the initial configuration of the service. You will need to change this setting before you test the WDS server or before you put it into production.

Respond Only To Known Client Computers: This means that only machines that have Active Directory computer objects with a configured GUID or MAC address will be serviced by WDS. This is how you might configure WDS in a secure environment.

Respond To All Client Computers (Known And Unknown): You might choose this configuration when you are using WDS in an open environment that is subject to frequent hardware change. This option could be further controlled by requiring an administrator to authorize each connection by an unknown computer.
There is a related suboption for Respond To All Client Computers (Known And Unknown) that lets you require administrative approval for any PXE client request.

You can control all these settings in the WDS console. Right-click on the server in question, select Properties, and navigate to the PXE Response tab.

Let's assume that you want to restrict access to your WDS server to just a few machines. The Respond Only To Known Client Computers setting will allow you to do this. WDS will only respond to PXE clients that have an associated computer object in Active Directory. This computer object must have the netbootGUID attribute configured with either the MAC address or the GUID of the computer that is being worked with. This is the downside of this complete-control approach. Any new machine that you wish to prepare using WDS will require you to manually create a computer object and to populate the netbootGUID attribute with the MAC address or GUID of the machine. This process is referred to as prestaging the machine. Any previously existing machines that were prepared using something other than WDS will require you to populate the netbootGUID.

You have two ways that you can edit this computer object attribute. The first is to use the Active Directory Users and Computers console. Enable the Advanced Features option in the View menu and navigate to where the computer object is located. Right-click on the computer object, select Properties, and go into the Attribute Editor. You can double-click the netbootGUID attribute to edit it.

Alternatively, you can use scripting (such as Visual Basic or PowerShell) to edit this attribute. This approach will be useful if you need to prestage a lot of machines. Microsoft shares some Visual Basic scripts for manipulating and accessing the netbootGUID attribute here: http://support.microsoft.com/kb/302467.

So what do you enter in the netbootGUID attribute? You saw the MAC address and GUID of a machine when you started a network boot (in the earlier figure). You can enter either of these in this attribute to associate the computer object with the machine. Doing so allows this machine to access the PXE server (on the WDS server) when Respond Only To Known Client Computers is enabled. Let's see how this works.

The machine in the figure above has a MAC address of 00 15 5D 0C A5 80. The GUID is 5C68915C-715D-4247-AFD9-E8F6EA878A35. The GUID is 32 characters if you strip away the hyphens. WDS also expects to find a 32-character string in the netbootGUID attribute. That means you can enter 5C68915C715D4247AFD9E8F6EA878A35 to associate this computer object with the machine. Alternatively, you can enter the MAC address of the network adapter.

The MAC address is only 12 characters (without the hyphens) so it won't be usable without some help. You can pad out the netbootGUID attribute if using the MAC address by adding twenty 0 characters on the left. This pads the MAC address up to 32 characters. For example, you would enter 00000000000000000000001DD8B71C05 for this machine.
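
The two encodings described above, as an added PowerShell example (not from the original text): it turns a MAC address or GUID into the 32-character netbootGUID string and flags malformed or duplicate entries in a prestage list before anything is entered in Active Directory. The function name, computer names and list are hypothetical; the identifiers are the ones quoted in the text.

```powershell
# Added example: build the 32-character netbootGUID string described in the text.
function ConvertTo-NetbootGuidString {
    param([Parameter(Mandatory)][string]$Identifier)

    # Drop the separators that PXE screens and inventory tools print.
    $hex = ($Identifier -replace '[\s:\-\.{}]', '').ToUpperInvariant()

    if ($hex -notmatch '^[0-9A-F]+$') {
        throw "Not hexadecimal: '$Identifier'"
    }
    switch ($hex.Length) {
        12 { return $hex.PadLeft(32, '0') }   # MAC: twenty zeros on the left
        32 { return $hex }                    # GUID: hyphens stripped
        default { throw "Expected 12 (MAC) or 32 (GUID) hex digits, got $($hex.Length): '$Identifier'" }
    }
}

# Constructed prestage list: computer names are hypothetical.
$prestage = @(
    [pscustomobject]@{ Name = 'PC-001'; Id = '5C68915C-715D-4247-AFD9-E8F6EA878A35' }
    [pscustomobject]@{ Name = 'PC-002'; Id = '00 15 5D 0C A5 80' }
    [pscustomobject]@{ Name = 'PC-003'; Id = '00-1D-D8-B7-1C-05' }
    [pscustomobject]@{ Name = 'PC-004'; Id = '00:15:5D:0C:A5:80' }   # same adapter as PC-002
    [pscustomobject]@{ Name = 'PC-005'; Id = '00-15-5D-0C-A5' }      # truncated MAC
)

# One identifier must map to one computer name, so track what has been seen.
$seen = @{}
$results = foreach ($row in $prestage) {
    try {
        $value = ConvertTo-NetbootGuidString $row.Id
        $status = if ($seen.ContainsKey($value)) {
            "DUPLICATE of $($seen[$value])"
        } else {
            $seen[$value] = $row.Name
            'OK'
        }
    } catch {
        $value = ''
        $status = "INVALID: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Name = $row.Name; NetbootGuid = $value; Status = $status }
}
$results | Format-Table -AutoSize
```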

Multiple Network Adapters and PXE:
Some machines may have multiple network adapters, and this fact may cause some confusion when you are trying to boot up the machine on the network. You need to ensure that the primary network card for PXE boots is the one that is connected to the PXE-enabled network. This is also the network adapter that you need to associate with the computer object in Active Directory if you are prestaging the machine.

In the result, you can see that the MAC address has been entered. You'll notice that it is displayed in a format similar to the GUID you observed. This machine will now be able to access the PXE services of this WDS server.

You can choose to configure PXE Response with the option Respond To All Client Computers (Known And Unknown) when the prestaging process becomes too much to manage. For example, you may have an environment where hardware is constantly changed or your organization is replacing a lot of hardware for the Windows 7 deployment project. You will not need to prestage computer objects if you choose this option. Note that the netbootGUID attribute will be populated by WDS.

The netbootGUID attribute associates a machine with a computer account in Active Directory. Because it is associating a computer name with that machine, you can rebuild a machine using WDS and the machine will retain the computer name from the associated computer account.

At this point you should be able to power up your test machine that you want to boot up with the PXE client. You will have to be quick. By default you will have a few seconds to respond to a prompt that asks you to press F12 to continue the PXE boot, referred to as a network service boot. The PXE boot will be aborted if you fail to respond to this prompt quickly enough.

There is a middle ground between manually prestaging computer objects and providing unlimited access to PXE services. You can enable the Respond To All Client Computers (Known And Unknown) option and combine that with the Require Administrator Approval For Unknown Computers option. Any machine that has a previously unknown MAC address or GUID will not be rejected as would happen with the Respond Only To Known Client Computers option. Instead, the process would work as follows:

  1. A user will acquire a new machine and boot it up.
  2. The user will initiate a network boot.
  3. WDS will check to see if the machine has a computer account with a matching netbootGUID attribute.
  4. If it does, then the PXE boot will continue as normal. If the machine does not have an associated computer account, then the network service boot will be halted until an administrator approves it.
  5. The user is prompted to press F12 and then to call support with the IP address of the WDS server and a request ID.
  6. An administrator uses this information to approve or reject the PXE boot request.
  7. If approved, the PXE boot will continue as normal. WDS will later populate the computer account's netbootGUID attribute.

The figure below shows the screen that informs users that their PXE or network service boot must be approved by an administrator. Users are given two pieces of information that the administrator will need in order to approve the session. The first is a request ID. This uniquely identifies the connection request and allows the administrator to deal with many simultaneous requests. The second is the contacting server IP address, which identifies the WDS server that the administrator will have to either log into or manage remotely.

[Figure: The Network Service Boot must be approved]

Configuring Contact Details for Administrators:
If you configure WDS to require administrative approval for any connecting PXE client, you must consider how the end users can initiate a help desk call. Your organization might have shared the phone number or email address via a website or a global address list. But how exactly do users access those if they are trying to install an operating system on their computer? A useful solution to this chicken-and-egg problem is to configure the WDS server to display the administrator contact details on the PXE client. You can do this by running the WDSUtil command on the WDS server:
WDSUtil /set-server /AutoAddPolicy /message:"To contact your network administrator please dial 9999"
This will display the contact message to the end user when the WDS server requires administrative approval for the client.

With that information, the administrator can launch the WDS console and browse into Pending Devices. The figure below shows a machine that is waiting for administrator approval or rejection. You can right-click on a pending device to perform an action. There are three choices.

Approve: The network service boot request will be approved and the PXE boot will continue as normal.

Name And Approve: The network service boot request will be approved. However, the administrator will provide the name of the computer account as well. This can be a new (unique) computer object name, or the administrator can select a previously created computer object. The administrator also has the opportunity to pick a specific OU location for the new computer object.

Reject: The network service boot request will be rejected, preventing the machine from downloading the PXE client and being able to access the WDS services. A message briefly appears on the monitor of the machine before it attempts to boot up with alternative boot devices that are configured in the BIOS.
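
The approval workflow above can also be driven from the command line with WDSUtil. This is an added example, not from the original text; the request ID 12 and the computer name PC-006 are constructed placeholders.

```powershell
# Run in an elevated PowerShell session on the WDS server.
# Added example: request ID 12 and computer name PC-006 are placeholders.

# Answer all PXE clients, but hold unknown ones for administrator approval.
wdsutil /Set-Server /AnswerClients:All
wdsutil /Set-Server /AutoAddPolicy /Policy:AdminApproval

# Stricter alternative: answer prestaged (known) clients only.
# wdsutil /Set-Server /AnswerClients:Known

# List the requests waiting in Pending Devices.
wdsutil /Get-AutoAddDevices /DeviceType:PendingDevices

# Approve: use the request ID that the user read from the PXE screen.
wdsutil /Approve-AutoAddDevices /RequestId:12

# Name And Approve: also supply the computer account name.
# wdsutil /Approve-AutoAddDevices /RequestId:12 /MachineName:PC-006

# Reject: the rejection is recorded until the retention period expires.
# wdsutil /Reject-AutoAddDevices /RequestId:12

# Confirm the resulting PXE response and Auto-Add policy settings.
wdsutil /Get-Server /Show:Config
```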

If you are working in an isolated lab, you will probably want to set the PXE response policy to Respond To All Client Computers (Known And Unknown) without any further controls.

Network Service Boot Rejections Are Remembered
WDS records the rejection of network service boots in an Auto-Add Devices database. This means that all future requests to boot up using PXE will be ignored by this WDS server. The DHCP request on the machine will time out if no alternative WDS server is available. Eventually the following error will appear: "ProxyDHCP: No reply to request on port 4011."

You can use the WDSUTIL command to manage any records of rejected network service boot requests. You can view all rejected devices by running this command:

Wdsutil /Get-AutoAddDevices /DeviceType:RejectedDevices

The following will delete all rejection records on the current WDS server:

Wdsutil /Delete-AutoAddDevices /DeviceType:RejectedDevices

Note that you can substitute PendingDevices or ApprovedDevices for the RejectedDevices. No way is available for deleting individual rejections.

Luckily, you probably won't have to do that very often. By running the following command, you will see (under Auto-Add Policy) that, by default, device approvals are retained for 30 days and others (including rejections) are retained for 1 day:

Wdsutil /Get-Server /Show:Config

You can alter the other approvals (or rejections) retention by running this command:

WDSUTIL /Set-Server /AutoAddPolicy /RetentionPeriod /Others:<time in days>

Selecting a Boot Image

At this point the client machine's connection request to the PXE (WDS) server has been approved. A PXE client is downloaded to the client machine. The PXE client will allow you to select a boot image from the WDS server. You can see in the figure below that the previously created setup and capture images are available to be selected using the keyboard. If there is only one boot image, this screen will not appear and the single boot image will be downloaded automatically.

[Figure: Selecting a Boot Image]

Use the cursor keys to navigate between boot images in this screen. Normally you will press Enter to select the image. If you experience trouble with the boot image, you can press F8 to select a boot mode such as Safe Mode, Safe Mode With Networking, and so on.

Once you've selected a boot image, the boot image will be downloaded and it will start up. Plug and Play will figure out which of the included drivers need to be started. The boot image will get an IP address and then start interacting with the user.

The first screen asks the user who is sitting at the PC to enter the Locale and Keyboard Or Input Method. These entries should match the regionalization of the keyboard being used. A logon box will appear. This is where users will authenticate themselves using their Active Directory credentials. WDS will use this information to determine whether it should authorize the users.

A list of available installation images is presented to the user once they have been authorized.

From this point on, the user experience is very similar to installing Windows 7 using a DVD. A big difference is that Windows 7 is being installed over the network. In fact, the installation runs in what is known as Windows Deployment Services mode.

Customizing the PXE Boot Process

You may have noticed that you had to make a few clicks during the PXE bootup process. And you also had to be very quick to hit that F12 key or the network service boot would fail. This can be quite annoying, especially if you are building several machines at once and can't watch each and every monitor.

The good news is that you can customize how the PXE client works. You can make some changes by accessing the properties of your WDS server in the WDS console and browsing to the Boot tab.

You can customize the PXE Boot Policy for known and unknown clients. Here are the possible settings:

  • Require The User To Press The F12 Key To Continue The Boot (default setting)
  • Always Continue The PXE Boot
  • Continue The PXE Boot Unless The User Presses The ESC Key

The default option requires you to press the F12 key almost immediately after the prompt appears. That can be quite frustrating after several near misses. The other options make the process a little less annoying.

You can select what the default boot image will be when the menu appears, assuming that there is more than one boot image. You can select different boot images for the 32-bit, 64-bit, and Itanium architectures. The boot image will appear (if there is more than one boot image) and a countdown clock of half a minute will start to tick. You only need to interact with this menu if a nondefault boot image is required. That means you can completely automate the PXE bootup process once the initial network boot is started during the power-on self-test (POST) of the machine.

Now you have the knowledge and the means to deploy the Microsoft-provided Windows 7 installation images over the network using WDS. That's a big improvement over installing an operating system using a DVD. But now it is time to look at how you can create and deploy a customized Windows 7 installation image.
