Subject: Unattended Install of Windows 2000
Date: Mon, 24 Feb 2003 08:34:53 +0100
Content-Location: http://www.uh.edu/windows2000/docs/Unattended_Install.html
Unattended Install of Windows 2000
Karl Bernard, University of Houston, Information Technology, Security and Disaster Recovery
Overview
Unattended installations provide a very stable and surprisingly quick way to deploy Windows 2000 Professional and most line-of-business applications. With a little work and planning, an unattended installation can be used to deploy anywhere from five or ten computers to hundreds of computers.
Unattended installation of Windows 2000 is quite similar to that of NT 4. When getting ready for an installation of Windows 2000, it is helpful to read as much as possible of the documentation about Windows 2000 installations and the different tools and methodologies supported by Microsoft. Attending as many as possible of the trainings and TechNet briefings that Microsoft presents throughout the year is also very helpful.
Unattended installation of Windows 2000 from a CD-ROM
The easiest way to run an unattended installation of Windows 2000 is to boot from the Windows 2000 CD-ROM and use a WINNT.SIF file on a floppy as the answer file.
To install Windows 2000 using a bootable CD
(Paraphrased from Chapter 25 of the Windows 2000 Server Resource Kit)
- Create a Winnt.sif file on a floppy similar to the example below.
  - Be sure to include the extra [Data] section. This section is NOT in a standard unattend.txt.
  - Most of the other parameters are as outlined later in the section about the unattend.txt file.
- Set the system BIOS to boot from CD-ROM.
- Boot the system from the Windows 2000 CD.
- When the blue text-mode screen with "Windows 2000 Setup" is displayed, place the floppy disk containing the Winnt.sif file into the floppy disk drive.
- After the computer reads from the floppy disk drive, remove the floppy disk. Setup will now run from the CD as specified by the Winnt.sif file.
Note: The bootable CD-ROM method requires that all necessary files be on the CD-ROM. Uniqueness Database Files (UDFs) cannot be used with this method.
Winnt.sif
(must be located on a floppy)
[Unattended]
UnattendMode=FullUnattended
OemSkipEula=Yes
OemPreinstall=Yes
TargetPath=\WINNT
FileSystem=ConvertNTFS
Repartition=Yes
ExtendOemPartition=1
; The [Data] section is needed in Winnt.sif and is not in a standard unattend.txt.
[Data]
UnattendedInstall=Yes
MSDosInitiated=No
AutoPartition=1
[GuiUnattended]
; YourPassword is a placeholder for the local Administrator password.
AdminPassword=YourPassword
OEMSkipRegional=1
TimeZone=20
OemSkipWelcome=1
[UserData]
FullName="Information Technology - TSS"
OrgName="University of Houston"
ComputerName=TheTest
ProductID="XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
[Display]
BitsPerPel=16
Xresolution=800
YResolution=600
Vrefresh=72
[Identification]
JoinWorkgroup = UH_IT
[Networking]
InstallDefaultComponents=Yes
Network-Based Unattended installation of Windows 2000
The Network Boot Disk
The easiest way to distribute an unattended installation of NT 4.0 or Windows 2000 is via the network, and the easiest protocol to set up is NetBEUI. Although TCP/IP is an option, NetBEUI is by far the easiest to set up and configure. It is also a bit faster.
Also important for an unattended installation is automating as many of the preparation tasks as possible: deleting existing partitions, creating a new partition, rebooting the machine, formatting the new partition, and finally starting the network-based installation. The installation itself is started using winnt.exe with the following switches:
WINNT.EXE /S:Z: /T:C /U:Z:\$oem$\setup\unattend.TXT /UDF:%1,Z:\$oem$\setup\unattend.UDF
- /S:sourcepath (Installation Source): Specifies the source location of the Windows 2000 files. The location must be a full path of the form x:\[path].
- /T:tempdrive (Temp Drive): Directs Setup to place temporary files on the specified drive and to install Win2K on that drive.
- /U:answer file (Answer File): Performs an unattended Setup using an answer file, and specifies the path to the answer file.
- /UDF:id[,UDB_file] (Uniqueness Database File): Indicates an identifier (id) that Setup uses to specify how a Uniqueness Database (UDB) file modifies an answer file. The /udf parameter overrides values in the answer file, and the identifier determines which values in the UDB file are used.
- %1: This is a variable in the batch file that is equal to a parameter specified at the command line, in this case the Unique Identifier for the machine being installed.
The Answer File (unattend.txt)
The first step in creating an unattended install is installing the Win2K resource kit (conveniently supplied on the Win2K CD!) on an available NT 4/Win2000 machine and then using Setup Manager to create an initial answer file (unattend.txt), a Unique Database File (UDF, also called UDB), and the distribution share itself. MS suggests naming the distribution share "i386". The next step is to modify the answer file: the default answer file will not create a totally unattended, silent installation with the product ID supplied by the install, the machine joined to the NT 4 domain, etc. Perhaps the best guide for modifying the answer file is "Microsoft Windows 2000: Guide to Unattended Setup". This 139-page document lists the proper sections and associated parameters to accomplish a fully unattended installation. The following example of an answer file is similar to what is used at the Central Site student lab:
Unattend.txt
[Unattended]
UnattendMode=FullUnattended
OemSkipEula=Yes
OemPreinstall=Yes
TargetPath=\WINNT
FileSystem=ConvertNTFS
ExtendOemPartition=1
[GuiUnattended]
; MyPassWord is a placeholder for the local Administrator password.
AdminPassword=MyPassWord
OEMSkipRegional=1
TimeZone=20
OemSkipWelcome=1
[UserData]
FullName="Information Technology - TSS"
OrgName="University of Houston"
; Overridden per machine by the UDF entry selected with /UDF.
ComputerName=*
ProductID = XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
[Display]
BitsPerPel=16
Xresolution=800
YResolution=600
Vrefresh=72
[OEM_Ads]
Logo = mylogo.bmp
[Identification]
; Joins an NT 4 domain without a UserID and password in this file.
DoOldStyleDomainJoin = YES
JoinDomain = UH_IT
[Networking]
InstallDefaultComponents=Yes
Explanation of selected parameters
The parameters in the [Unattended] section provide answers to the questions that the user is prompted for during a "hand" install. The more parameters that are specified in the answer file, the more unattended and specific the installation. When planning for a fully automated installation, there are certain minimum requirements in the answer file. The primary parameters needed to accomplish this are UnattendMode=FullUnattended, OemSkipEula=Yes, and OemPreinstall=Yes. These are the main settings needed to ensure that the installation doesn't halt and wait for user input. Other important answers that need to be supplied are the parameters under [UserData], specifically the FullName=your name here and OrgName=your organization fields, as well as ProductID=XXXX.... If omitted, these will also cause the installation to halt, requesting user input.
Perhaps the most elusive, and yet most important, parameter (when installing in a non-Active Directory/NT4 legacy domain) is DoOldStyleDomainJoin=Yes in the [Identification] section. It is an undocumented switch that allows the machine to join an NT 4 domain in an unattended fashion, without supplying a UserID and password within the answer file. It was found on Microsoft.public.win2000.setup_deployment (which can be easily subscribed to from anywhere using the msnews.Microsoft.com NNTP server) using www.deja.com/usenet.
The Unique Database File (UDF)
Another parameter that is necessary for a completely unattended install is the computer name, represented in the answer file by ComputerName=MyComputer. As in NT 4 unattended installations, this parameter can be supplied in a separate file called the Unique Database File (or UDF). The parameter can be set according to "Unique IDs" in the UDF, so that the unattended install is more flexible when installing machines with different user data and other unique factors.
Unattend.udf
[UniqueIds]
pc1=UserData
pc2=UserData
pc3=UserData
pc4=UserData
pc5=UserData
[pc1:UserData]
ComputerName=csitewin2k01
[pc2:UserData]
ComputerName=csitewin2k02
[pc3:UserData]
ComputerName=csitewin2k03
[pc4:UserData]
ComputerName=csitewin2k04
[pc5:UserData]
ComputerName=csitewin2k05
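The /UDF override described above and the minimum parameters listed under "Explanation of selected parameters" can be checked before a deployment. The following Python script is an added example, not part of the original document: it merges the UDF entry for one unique ID over the answer file and reports any required answer that is still missing, plus an AdminPassword value left in the file. The function names are hypothetical, the sample text is constructed from the listings above, and the merge rule is a simplified model of Setup's behaviour.

```python
import re

# Constructed sample input, modelled on the page's Unattend.txt and Unattend.udf.
ANSWER = """\
[Unattended]
UnattendMode=FullUnattended
OemSkipEula=Yes
OemPreinstall=Yes
[GuiUnattended]
AdminPassword=MyPassWord
[UserData]
FullName="Information Technology - TSS"
OrgName="University of Houston"
ProductID=XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
"""
UDF = """\
[UniqueIds]
pc1=UserData
pc2=UserData
[pc1:UserData]
ComputerName=csitewin2k01
[pc2:UserData]
ComputerName=csitewin2k02
"""

# Answers the page lists as needed for Setup not to halt and wait for input.
REQUIRED = {"unattended": ["unattendmode", "oemskipeula", "oempreinstall"],
            "userdata": ["fullname", "orgname", "productid", "computername"]}

def parse_ini(text):
    """Parse answer-file text into {section: {key: value}}, names lower-cased."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = data.setdefault(header.group(1).strip().lower(), {})
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            section[key.strip().lower()] = value.strip().strip('"')
    return data

def effective(answer_text, udf_text, uid):
    """Merge the UDF entries for uid over the answer file (simplified model)."""
    merged = parse_ini(answer_text)
    udf = parse_ini(udf_text)
    sections = udf.get("uniqueids", {}).get(uid.lower())
    if sections is None:
        raise KeyError(f"{uid} is not listed in [UniqueIds]")
    for name in (s.strip().lower() for s in sections.split(",")):
        # Assumption: an [id:Section] block is preferred over a shared [Section].
        override = udf.get(f"{uid.lower()}:{name}", udf.get(name, {}))
        merged.setdefault(name, {}).update(override)
    return merged

def audit(cfg):
    """Return findings: unanswered required keys and a stored admin password."""
    findings = [f"missing [{s}] {k}" for s, keys in REQUIRED.items()
                for k in keys if not cfg.get(s, {}).get(k)]
    if cfg.get("guiunattended", {}).get("adminpassword"):
        findings.append("AdminPassword stored in the answer file")
    return findings

if __name__ == "__main__":
    print("pc1:", audit(effective(ANSWER, UDF, "pc1")))
```

The AdminPassword finding is reported because the answer file sits on the distribution share, where every account with read rights to the share can open it.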
Preparing and Installing Applications during an Unattended Installation
The next step in an unattended installation is determining the easiest way to automate or script the installation of each application. Some common methods that usually work, depending on the application, are:
- Some applications, which use the "InstallShield" installer, can be easily scripted as follows:
  - Copy all files required for the installation onto a network share, preferably on the same machine as your Windows 2000 distribution share.
  - Install the application on a reference machine by starting the installation from the command line with \\server\share\directory\SETUP.EXE -R.
  - After installation completes, search for a file named "SETUP.ISS", which will normally be found in the c:\winnt directory.
  - Copy "SETUP.ISS" into the share\directory with the installation files.
  - When setting up the software on the new machine, start the setup in a batch file with \\server\share\directory\SETUP.EXE -S.
- Applications that are "natively" installed with the Microsoft Installer Service usually have a vendor-documented way to be customized and installed silently or in an automated fashion. Two prime examples of this are Microsoft Office 2000 and McAfee VirusScan 4.5.
  - Microsoft Office 2000 is customized using the Custom Install Wizard, which is a free utility that can be downloaded from the Office 2000 "Toolbox" at: http://www.microsoft.com/office/ork/2000/appndx/toolbox.htm. The Office Resource Kit (ORK) has full instructions about the process. The resultant command line to install Office 2000 that we use at the Central-Site Lab is \\server\share\setup.exe /wait TRANSFORMS=\\server\share\MyCustom.MST /qb-.
  - McAfee (Network Associates) VirusScan 4.5 is also a Microsoft Installer (MSI) package and is customized using the Installation Designer (contact Zachary Thierry at UH Software Licensing about how to obtain a copy). Once customized, the installation is started from the command line using: \\server\share\setup /qb /i.
- Some software that requires a great deal of configuration and does not have a documented method for automating the install will need to be installed using some sort of "snapshot" method. The two primary methods for this in Windows 2000 are Sysdiff.exe (from Microsoft, ships with the Windows 2000 CD) and WinInstall LE (from Veritas, also ships with the Windows 2000 CD). Both of these methodologies follow the same basic format:
  - Take a beginning "snapshot" on a basic machine, preferably with no other software installed.
  - Install the software and configure it as needed and desired.
  - Perform any necessary reboots. (It is always good to reboot the machine at least once or twice before finishing the process.)
  - Take an afterwards snapshot (called a "diff" by sysdiff) and then save the resulting file(s) to the server for use in the unattended installation.
  - Note: Sysdiff will result in a single .img file and WinInstall will result in a .msi file (Microsoft Installer File) and a number of directories.
  - Sysdiff images are applied using sysdiff /apply. Reference: http://www.microsoft.com/windows2000/library/resources/reskit/tools/hotfixes/sysdiff-o.asp
  - WinInstall images are installed using the Microsoft Installer, msiexec.exe, and various command line switches: http://msdn.microsoft.com/library/psdk/msi/app_73eb.htm
Unattended Security Configuration of Windows 2000
The primary method for easily deploying consistent security on Windows 2000 machines is through the use of the Security Configuration and Analysis MMC (Microsoft Management Console) snap-in. A full explanation of the tool's use and considerations is in: MS Security Configuration Tool Set (available on-line at: http://www.microsoft.com/TechNet/win2000/win2ksrv/technote/securcon.asp).
Hard-Disk Imaged installations of Windows 2000
Until very recently, Microsoft did not support the use of hard-disk imaging for deployment of Windows products. Carrying forward with the introduction of the Sysprep utility and subsequent support for disk imaging of NT 4, Microsoft supports hard-disk imaging of Windows 2000 Professional, provided that the latest Sysprep (V1.1) utility has been used to prepare the hard drive for imaging. Imaging itself is done by using any 3rd-party product that can do sector-by-sector copying or is compatible with file-by-file imaging of NTFS 5. Examples of this kind of software are ImageCast3 by Innovative Software, Norton's Ghost and DriveImage by PowerQuest. Microsoft has a good white paper that details the process at: http://www.microsoft.com/windows2000/library/planning/incremental/sysprep11.asp
NOTE: On the University of Houston Campus, TCP/IP Multicasting is currently discouraged since the campus network hardware is not multicast "aware". Normally, use what vendors usually refer to as "standalone" installation. Contact UH Network personnel at x3-1111 if you have questions about using multicasting in your building/department.
Unattended Versus Hard-Disk Imaged installations of Windows 2000
Unattended installations and Hard-Disk Imaged installations both have much to recommend them. Unattended installations are especially good for departments and groups with some expertise on a tight budget, because there is no added software expense to use this methodology. It is fully supported and documented by Microsoft and can be set up so that there are no "touches" to the machine, other than perhaps rebooting the machine and setting the BIOS to boot from the Hard Drive. However, this comes at the cost of several personnel-hours in setting up and testing the automated installation of the OS and the associated applications.
Hard Disk imaging can be much faster than an unattended installation, resulting in fully installed and configured machines in probably less than half of the time required for an unattended installation. If your networking segment supports IP multicasting, this time can be reduced to perhaps one-fourth or less of the time for an unattended installation. The downside to imaging is principally cost. UH does have a volume license for ImageCast 3 (call x3-1145 or check out http://uh.edu/software with inquiries), but each department still must make that purchase to use the software. However, given the savings in personnel-hours, the cost may be quite worthwhile.
Appendices
Appendix A: Network Boot Floppy Basics
- Boot to DOS 6.22 floppy with networking. The DOS boot floppy was originally created using NT4 Server client manager. Out of the box, this wants to do a full network setup of DOS before it gets started on NT. The Autoexec was modified to NOT do the full DOS setup and instead behave as described in the next step. DOS drivers for the PCI card (3Com 3c905b) were downloaded and set up per a 3Com KB article (http://knowledgebase.3com.com/kb/publisher.eng?sid=29.0xf6f48&page=4&user=94822838641241&id=3KBWEB:1.0.741814.1475731) from their site; they have a number of excellent KB articles about networking with their NICs.
- Autoexec.bat runs. The version of Autoexec that is used in the C-site install was based strongly on a TechNet article titled Windows NT 4.0 Automated Installation Framework (MSIF) (http://www.microsoft.com/TechNet/winnt/winntas/technote/implemntintegra/manntnet/ntautoin.asp), by Matthew D. Storer, Microsoft Consulting Services, Great Lakes.
Autoexec.bat does the following steps:
- Query user about the type of machine (C-Site installs are for ISA & PCI Dells) or boot to DOS.
- Query user for the machine's "Unique Identifier", which corresponds to its entry in the UDF.
- Run DEBUG.exe with "piped" commands to wipe the hard drive out. The MSIF used debug text taken from MSDN.
- Run FDISK.exe with undocumented switches (Primary Partition: "FDISK /PRI:512 1") to create a single 512 Meg partition that will be expanded at the time of the NTFS conversion (by using "ExtendOEMPartition = 1, nowait" in the answer file) to a maximum partition size of 8.6 Gig.
- Disable the Plug-n-Play (PnP) on ISA-based machines using a utility included on 3Com's etherdisk for the Etherlink III card.
- Reboot using the DOS REBOOT.exe command that came with the MSIF information. It can also be found on the web, on TechNet, and MSDN has an article on how to create it using DEBUG.exe.
- Note: The stages of the process and the variables entered at the beginning are tracked in files written to the floppy that are in turn read when the floppy boots. This allows the second reboot to proceed without entering any more information.
- Quick format the partitions using OFORMAT.EXE, an OEM tool provided on OEM NT4 CDs at E:\SUPPORT\OPK\SAMPLES. The disk sectors are not verified, but this should not be a problem for a functional, newer computer. A piped "echo y" prevents the setup from prompting for an answer. The actual command format used is: "echo y|OFORMAT /q".
- Start networking with a pre-supplied password. Although this puts the password on the floppy, the user never actually sees it. Disks are picked up immediately after installations and the installation user only has read rights anyway.
- Set the time of the local machine to that of the server using "NET TIME \\SERVER /SET /YES". Synching the time with a properly synched server is important for the batches to run in proper sequence, since the time sync service is installed so early in the process. If the target computer is not synched, the setup jobs frequently end up being scheduled for the next day because the clock "jumps ahead" of them.
- Call the specific setup batch based on the machine type (they have different answer files): Setup %computername% (in this batch, "computername" is the UDF entry).
- The specified setup batch runs WINNT.exe and uses the proper switches for an OEM install with an answer file and a UDF. Since the computer names are all very similar and the IP addresses are incremental, I created the UDF using a short QBASIC program.
- WINNT.exe runs and copies all the files specified by NT setup and the OEM parameters to the hard drive.
- Note: Setup networking uses NetBEUI networking since it is lightweight, fast and easy to set up. Only about 350 Meg is actually transferred by NetBEUI. All of the applications and most significant setup takes place after the NT OEM unattended install and runs over TCP/IP.
- Machine reboots (disconnecting from the network) and runs the setup locally, using the copied files. The machine won't be back on the network until the networking part of the GUI setup.
Appendix B: Basic Steps for Using the Security Configuration and Analysis Tool
- Start with a base install, preferably using the unattended installation discussed here.
- Then run the tool by running MMC.EXE either at the command prompt or from Start-Run.
- From the Console menu item, click Add/Remove Snap-In.
- In the Add/Remove Snap-In window, click Add.
- In the Add Standalone Snap-In window, select Security Configuration and Analysis.
- Click Add, and then click Close (in the Add Standalone Snap-In window).
- In the Add/Remove Snap-In window, click OK.
- At this point the MMC should have the Security Configuration and Analysis snap-in visible in the left pane.
- Right-click on the Security Configuration and Analysis icon and then left-click on Open Database. When the Open Database file window appears, type in a name for the security analysis database you are about to create.
- After hitting Enter or clicking Open, the Import Template file window will appear. Select a security template that appears appropriate for your situation: basicws (Basic Workstation), securews (Secure Workstation), or hisecws (High Security Workstation). After hitting Enter or clicking Open, you will be returned to the MMC.
- Right-click on the Security Configuration and Analysis icon and then left-click on Analyze Computer Now.
- After analyzing the workstation, you can then open the different categories and proceed to configure them as you deem necessary. Details about the different sections and about how to configure security begin on page 16 of the MS Security Configuration Tool Set White Paper. Note that the symbols to be aware of are:
  - Green Check Sign: the reference machine matches the template.
  - Red X Sign: the reference machine does not match the template.
  - No symbol: the template has no setting for this aspect.
- Any of the template items can be modified and then your new, customized template can be exported to be applied using Secedit.exe. Actual command sequence:
  echo y|secedit /configure /db %windir%\temp\secedit.sdb /cfg X:\PolicyPath\csitews.inf /overwrite /verbose
Reading list and links:
- General reference: Windows 2000 Server Resource Kit
- The best place to start for unattended installations: "Microsoft Windows 2000: Guide to Unattended Setup" (found on the Windows 2000 CD in the Support folder)
- Locating hard to find, possibly undocumented, information: www.deja.com/usenet
- The Office Resource Kit (ORK): http://www.microsoft.com/office/ork/2000/
- Sysdiff information: http://www.microsoft.com/windows2000/library/resources/reskit/tools/hotfixes/sysdiff-o.asp
- MSIEXEC.EXE command line switches (used in conjunction with installing WinInstall LE images): http://msdn.microsoft.com/library/psdk/msi/app_73eb.htm
- MS Security Configuration Tool Set, guidelines for its use, available on-line at: http://www.microsoft.com/TechNet/win2000/win2ksrv/technote/securcon.asp
- MS's white paper about using Sysprep: http://www.microsoft.com/windows2000/library/planning/incremental/sysprep11.asp
- Creating the MSIF boot floppy:
  - Windows NT 4.0 Automated Installation Framework: http://www.microsoft.com/TechNet/winnt/winntas/technote/implemntintegra/manntnet/ntautoin.asp
  - Download the required files: http://www.microsoft.com/technet/download/indexfiles/Winntas/msif.exe/t_top