This document is a bit dated, I wrote it back in November 2012 (with some small updates later on).
Lab environment
I started out in a lab environment and moved over to production environment when everything was working as expected. My testing environment was (is) VMware Workstation.
I have to say that all the guides I found on the Internet were a bit confusing, but I finally got it working the way it should. I’ll try to recap my steps, and hopefully it won’t be as confusing for others trying to build a similar environment.
I basically followed these steps:
· Installed Windows Server 2008 R2 Datacenter in a Virtual Machine.
· Configured the Virtual Machine:
o Network as host-only with a static IP-address.
o Added a second virtual hard drive. It’s best practice to have the deployment share on a different drive/partition.
· Installed the necessary software:
o .NET Framework 3.5 from Server Manager, Features
o Windows Automated Installation Kit (AIK) v. 3.0 (Update: please use Windows ADK)
o Microsoft Deployment Toolkit (MDT) 2012 Update 1
· Installed necessary Server Roles for WDS:
o Active Directory Domain Services Server Role
o DNS Server Role (configuration documentation not included for lab environment)
o DHCP Server Role (configuration documentation not included for lab environment)
· Copied a plain Windows 7 Enterprise 64-bit image to the server
· Copied our production .wim-image to the server (also Windows 7 Enterprise 64-bit)
MDT
Now the server was ready for configuring the most important part, Microsoft Deployment Toolkit (MDT) 2012 Update 1. As I said before, many guides are available on the Internet but they can be confusing. One guide that helped me was:
http://www.vkernel.ro/blog/deploying-windows-7-with-wds-and-mdt-2010-part1
Thanks to the author for this one. Kept me going without giving up 
Anyways, I’ll try to recap my steps:
· Created a new Deployment share, D:\DeploymentShare$ in my case.
o Disabled every step in options (wizard panes)
· You’ll end up with a very basic vanilla Deployment Share. This has to be heavily customized for your own environment.
· Add Operating System(s) either from Source (DVD) or from an image file (.wim). There are a couple of questions to answer during the OS import, but they can be googled if not self-explanatory.
Fig 1. Adding Operating Systems in MDT 2012
· Above is a screenshot with two Operating Systems added. This is enough for my deployment. I used an old domain-image, which I installed in a virtual machine. I updated all programs and added some new ones. I then sysprep’ed the virual machine and made an image with ImageX. (Took a snapshot before this so it’s easy to revert). You can use other techniques to sysprep and capture (MDT’s own Task Sequence for example), but I used imageX because I’ve done it before. You now have your “Golden Image”, which can be deployed straight away or modified by adding Applications or injecting drivers etc.
· Much of the important settings are available when you right click the deployment share and choose properties. Fig 2. shows a screenshot of the default rules for the deployment share. Much can (and should) be changed. I’m not going through every setting here as you can find help online, for example:
http://scriptimus.wordpress.com/2011/05/06/mdt-2010-skipping-deployment-wizard-pages/
Fig 2. Default Rules for the Deployment Share.
Screenshots are better than text, so here are my rules after modifications. Almost all dialogs are bypassed, except machine name and domain. I also configured logging, as it’s nice to know if something went wrong (SLShare=\\WDS\Logs)
Fig 3. CustomSettings.ini (Rules)
WDS
Time to move along to the wds-part. I’ve already installed the wds server role so now it’s time to configure it.
· Start wds, right-click your server and choose configure server.
· The instructions will tell you to add the default images (Install.wim and Boot.wim) that are included in the Windows 7 installation DVD (in the \Sources folder). This is where it gets a bit confusing (at least for me). DO NOT add the install image, JUST the boot image. This way, you just boot from the wds-server, and can point the installation to use an install image from your mdt share.
· Go back to MDT and choose properties on your Deployment Share. Go to the Rules tab. Click Edit Bootstrap.ini, down in the right corner. Edit the file according to your environment. Here’s a screenshot of my customized file:
Fig 4. Bootstrap.ini
· Every time you change a setting in Rules or Bootstrap.ini in MDT, you’ll have to UPDATE THE DEPLOYMENT SHARE (right click deployment share). This wasn’t that well documented.
Also, if you make changes to the Boot Image configuration (Bootstrap.ini), you will HAVE TO REPLACE the Lite Touch Windows PE (x64) boot image in WDS (right-click the current boot image and choose replace) after you have updated the deployment share. Otherwise wds will boot with the old boot image. Choose the file from your Deplyment Share\Boot\ LiteTouchPE_x86.wim.
Fig 5. WDS
Back to MDT – Task Sequences
Anyways, back to MDT. Now it’s time to make some Task Sequences which basically tells MDT what to do before, during and after Deployment. This is where the magic happens.
Fig 6. MDT, Task Sequences.
· Right click Task Sequences, choose New Task Sequence
· Give it an ID, Name and optionally a comment
· Choose Standard Client Task Sequence (I won’t look into the other options in this document, though I will probably test them further on)
· Choose your desired Image (Operating System)
· Fill in the other information to suit your needs
· Do not specify an Administrator Password at this time
· Right click or double-click to configure your newly created Task Sequence
Have a look at all the default options from your newly created Task Sequence. Modify and test-deploy to look at different options. Google and learn. I won’t go into details of all of the options as it would take forever. Information is available online, just use it.
I haven’t modified that much as my current image has most of the important settings already. I had a look at the partitioning (Preinstall/Format and Partition Disk) and changed the volume label. 100% disk use was good for me, so I didn’t change that. It’s easy to change it later according to your needs.
I have a custom script that configures MDT to allow the graphics driver auto detect method to set the screen resolution. Thanks to Johan Arwidmark for this script. Won’t paste the code here as it’s a bit too long…
(Source: http://www.deploymentresearch.com/Blog/tabid/62/EntryId/70/Going-Production-Deploy-Windows-8-using-MDT-2012-Update-1.aspx )
I also have a custom script that renames and disables the local Administrator account. It runs last in the “State Restore” process of the deployment. It’s added via Add/General/Run Command Line and moved to the correct place in the sequence. It runs a command line “cscript.exe “%SCRIPTROOT%\DisableAdmin.vbs” which basically runs a custom script from the default “Scripts” dir. Included in this script is the following information:
strComputername = “.”
Set objUser = GetObject(“WinNT://” & strComputername& “/Administrator”)
objUser.SetPassword “thePasswordFromCustomSettings.ini”
objUser.AccountDisabled = True
objUser.SetInfo
Set objWMIService = GetObject(“winmgmts:\\” & strComputerName & “\root\cimv2”)
Set colAccounts = objWMIService.ExecQuery (“Select * From Win32_UserAccount Where LocalAccount = True And Name = ‘Administrator'”)
For Each objAccount in colAccounts
objAccount.Rename “OldLocalAdm”
Next
(Source: http://social.technet.microsoft.com/Forums/en-US/itprovistadeployment/thread/87b61d5e-7085-465d-a2f0-5b5d131c6670#933ec6db-87ff-4b55-8f85-b190880f8e17 )
Deployment
Now it’s time to test the deployment process. You should already have configured wds with a boot image so that the clients can boot from it. You should also have specified the correct settings in Bootstrap.ini so that the Deployment Share (images) can be found from wds.
· Make an “empty” virtual machine
· Configure it to pxe-boot
· Start it
· Press F12 to boot from the network
· Your WDS-server is found
· Start Deployment and follow on-screen instructions
Fig 7. Actual Deployment process/progress
Production environment
The setup is obliviously different in the production environment. The wds-server is on our internal network, but has access to the public network (AD) via NAT. I’ll start with a picture of the whole setup to give you an idea of the configuration.
Fig 8. Production Setup
Basically what we have here is a linux computer that is used to NAT/IP masquerade the traffic to the internal network. On the internal part we have a different linux dhcp-server that gives out leases to all of our internal clients. Three different subnets are configured, but the .17.x is used for our wds-server. The linux dhcp server will have to be configured to understand to boot from the windows wds-server. More on that later on.
The steps for installation are basically the same as for the lab environment, except for the dhcp-server and (no) AD. Here’s a list:
· Installed Windows Server 2008 R2 Datacenter (in a Virtual Machine on a VMware ESXi 3.5 server)
· Configured the server:
o Network with static IP-address.
o Added a second (virtual) hard drive. It’s best practice to have the deployment share on a different drive/partition.
· Joined the server named “wds” to the production domain
· Installed the necessary software:
o .NET Framework 3.5 from Server Manager, Features
o Windows Automated Installation Kit (AIK) v. 3.0
o Microsoft Deployment Toolkit (MDT) 2012 Update 1
· Installed necessary Server Roles for WDS:
o WDS Server Role
o DNS Server Role (not actually used, more on the configuration later on)
o Didn’t install DHCP Server Role, as I’m using the existing linux dhcp server (more on the configuration in next chapter)
· Copied a plain Windows 7 Enterprise 64-bit image to the server
· Copied our production .wim-image to the server (also Windows 7 Enterprise 64-bit)
The steps for MDT are exactly the same as in the Lab environment. Same goes for WDS, except that I configured the server to boot from the production share. Some small changes in CustomSettings.ini (Rules) are made, for example domain and username/password.
Linux DHCP
As I said before, I decided to use our existing linux dhcp-server for pxe-booting. For this to work, I added the following to /etc/dhcp3/dhcpd.conf :
subnet 192.168.17.0 netmask 255.255.255.0 {
range 192.168.17.10 192.168.17.250;
option domain-name-servers 130.232.213.x;
# option domain-name-servers 192.168.16.200;
option routers 192.168.17.254;
next-server 192.168.16.200;
option tftp-server-name “192.168.16.200”;
option bootfile-name “boot\\x86\\wdsnbp.com00”;
and restarted the dhcp-server, /etc/init.d/dhcp3-server restart.
(Source: http://tspycher.com/2011/03/booting-into-wds-windows-deployment-service-from-linux-dhcpd/)
Now the test client booted nicely. Here’s a screenshot:
Fig 9. PXE-booting from wds.
All wasn’t that good though. My Deployment Share wasn’t accessible due to dns errors. I got “A connection to the deployment share (\\WDS\DeploymentShare) could not be made”.
I pressed F8 to get into console mode and to do some error checking. I could ping my wds server via IP-address so the problem was dns. A quick configuration check on the linux dhcp server revealed the problem, my dhcpd.conf had the dns option:
domain-name-servers 130.232.x.x; (external).
I changed this to our own internal dns server (192.168.16.200).This dns server was also configured with forwarders to our external network (130.232.x.x.) so name resolution works for both internal and external hosts. Good idea in theory, not in practice. Here’s a screenshot of DNS on the wds server.
Fig 10. Windows DNS Manager on wds-server
WindowsPE still can’t access \\wds via short name. Somehow I get the external dns-suffixes even though I have configured the hosts to use the internal dns server (and suffixes) in dhcp.conf.
Also, option domain-search “intra.abo.fi”, “xxx.fi”, “xxx.fi”; in dhcpd.conf gives me errors and I have no idea why 
root@iloinen:/etc# /etc/init.d/dhcp3-server restart
dhcpd self-test failed. Please fix the config file.
The error was:
WARNING: Host declarations are global. They are not limited to the scope you declared them in.
Well I tried declaring them globally also… still no luck.
/etc/dhcp3/dhcpd-iloinen.conf line 167: unknown option dhcp.domain-search
option domain-search “intra.abo.fi”
Configuration file errors encountered — exiting
I finally gave up with dns names and used IP addresses instead. It’s not the prettiest solution, but at least it’s working. Clients are now contacting \\192.168.16.200\DeploymentShare instead of \\WDS\DeploymentShare. Success, finally
Note to self: If a computer exists in AD, it won’t join the domain during deployment. From logs:
NetSetup.LOG:
12/14/2012 09:34:46:923 NetpModifyComputerObjectInDs: Computer Object already exists in OU:
There is probably an easy workaround for this, but for me the easiest way was to remove the computer from AD before deployment.
My image is now finally deployed to a (physical) test computer. Success! Further enhancements/tweaks can of course be done, and I’m writing about a few of them now. Total time for deployment (12GB compressed image) was about 30minutes over 1Gbit LAN.
Adding Applications
One thing you probably want to do is add different applications to your image after/during deployment. It’s quite easy (at least for basic applications), and the thing you need are the switches for silent install and so on. I tried adding Adobe Acrobat Reader 11 to my deployment, and the installation went fine during installation. I followed a guide from:
http://www.itninja.com/question/hi-i-have-to-install-acrobat-reader-x1-silently-i-am-not-given-adberdr11000-en-us-exe-file-instead-i-am-given-setup-msi-ini-files-i-want-to-run-a-customization-wizard-to-create-an-mst-file-i-don-t-know-how-to-do-it-please-help
and as the forum post says, the “AdbeRdr11000_en_US.exe /sPB /rs” also worked for me. I guess the installation of different programs is about the same, so I won’t try any other at the moment. Time will tell what I need.
Adding Drivers
One more thing you probably want to customize is different drivers. You can add/inject out-of-box drivers from different vendors. This is very useful, as you can have different setups for workstations and laptops and so on. Update: I suggest that you have a look at selection profiles (or similar) before you mess around with other driver options:
http://www.deployvista.com/Default.aspx?tabid=78&EntryID=132
Our regular workstations (Osborne Core 2’s, a bit on the older side) works fine without (almost) any additional drivers, but I’ll add the missing ones with a trick learned from a video.
Video: http://channel9.msdn.com/Events/TechDays/Tekniset-Esitystallenteet/TechNet-2011-Windows-7-k-ytt-notto-osa-2
Laptops (Lenovo)
Our Department uses Lenovo Thinkpad laptops, which uses various drivers. I will test to inject a couple of these. Lenovo have made an (excellent) administrator tools which will help you with the drivers. Instead of injecting (and downloading) a driver one by one, you can use programs that will do all of this automatically. Well, semi-automatically anyways. They’re called ThinkVantage Update Retriever and ThinInstaller. Google “thinkvantage update retriever mdt” and you will find a word document with instructions.
Here are my steps:
· Downloaded Lenovo Update Retriever 5.00 and installed it on the wds/mdt server
· Downloaded Lenovo ThinInstaller 1.2 and installed it on the wds/mdt server
· Did not completely follow the instructions in the document for setup instructions.
o It was suggested to add drivers to Out-of-Box Drivers section. If you/I did this, drivers were added to the boot image which made it grow to a huge size. I only need LAN (and possibly HDD-drivers) for the boot image. In my case, I didn’t need either because WinPE found my HDD and LAN card without additional Out-of-Box Drivers.
· Skipped to Working with ThinInstaller-step of the guide
· Followed guide, and added a step (after restart-step in Postinstall section) in my task sequence for copying ThinInstaller files from server to c:\thin on the clients.
· Next step is to create a command after the previous step that actually runs the ThinInstaller and installs all the necessary software and drivers on the client.
The command used here is:
C:\Thin\ThinInstaller.exe /CM -search A -action INSTALL -noicon -includerebootpackages 1,3,4 –noreboot
· Run a test-Deployment on our Departments Lenovo T500
· Various results, didn’t work that great actually. Too many details to go through here.
· Ended up with plan B, which was installing Lenovo’s System Update via MDT’s “Applications”. Again, not the prettiest solution but at least you have the option of installing this software and it doesn’t take that long to install missing drivers/software afterwards.
Our main installation scenario is workstations anyway, so I’ll put my energy on other fields of the deployment process.
Workstations (Osborne)
Nothing special about this, same procedure as with laptops except different Task Sequence without the Lenovo-stuff.
· Installed our production image
· Installed missing drivers via Windows Update after deployment completed
· Copied the drivers that were installed via Windows Update (using the trick from the video described earlier)
o From: Clients C:\Windows\system32\DriverStore\FileRepository\
o To: mdt-server
o Drivers with newer date than 28.11.2012 (dates after my image making/sysprepping)
· Injected the drivers into MDT
· Drivers will be used in next deployment. Tadaa 🙂
· Update: now using selection profiles instead
Now that all of the “new computer” installations are working the way I want, I decided to go ahead and try refresh and replace installations. This is handy if you get a new computer and want to save the data from your old computer for example.
Refresh installation
I decided to try a refresh installation so I would know what it does. I didn’t do this on physical hardware, just in my lab environment.
“Basically you need to launch the deployment wizard from the OS you’re about to replace.
There are a variety of ways to do this but I usually browse to my deployment point on the network and run the BDD_Autorun.wsf within the scripts folder (an example is \\<server>\distribution$\Scripts\BDD_Autorun.wsf).
It will give you the option to either Refresh or Upgrade this computer, choose refresh, finish the wizard stuff and you should be good to go.”
Source: http://social.technet.microsoft.com/forums/en-US/itprovistadeployment/thread/57629548-ad95-4da6-a85c-ec3d9fe0e33a/
I ran BDD_Autorun.wsf and sat back to watch the magic. The result was a “refreshed” computer, just the way I left it before the refresh including all my documents and all extra folders I had created.
Replace installation
I decided to try out the replace installation as well. This is more likely to come in handy when new computers arrive at the Department and we want to save all the data from the old one.
Here’s some information copy/pasted from Andrew Barnes’s scripting and deployment Blog.
An existing computer on the network is being replaced with a new computer. The user state migration data is transferred from the existing computer to share then back to the new computer. Within MDT this means running 2 task sequences, Replace Client Task Sequence then a task based on the Standard Client Task Sequence template. The Replace Task Sequence will only back up your data and wipe the disk in preparation for disposal/reuse.
- Task Sequence deployment from within Operating System or Bare Metal
- Task Sequence run on Source machine captures user state
- New machine begins using PXE boot or boot image media
- User state must be stored on a share or state migration point
- User state and compatible applications re-applied on new machine
Source: http://scriptimus.wordpress.com/2011/06/28/mdt2010-deployment-scenarios/
Pic source: http://blogs.technet.com/b/chrad/archive/2012/07/26/learning-mdt-2012-s-user-driven-installation-udi.aspx
· I created a new Standard Client Replace Task Sequence on the wds server.
· I run BDD_Autorun.wsf (from \\wds-server\DeploymentShare$) from the computer that would be replaced, which launches the Windows Deployment Wizard.
· I chose my newly created Standard Client Replace Task Sequence from the list of Task Sequences.
· Didn’t work and ended up with errors. Solution was to do some modifications to CustomSettings.ini:
DeploymentType=REPLACE
UserDataLocation=AUTO
UDShare=\\10.0.0.1\MigData
UDDir=%ComputerName%
Using this modification, the User Data got stored in MigData on the wds-server.
Note: I could also have used the method described later, which is removing stuff from Customsettings.ini…
Source: http://social.technet.microsoft.com/Forums/en-US/mdt/thread/9b9d32c3-4805-4264-95a3-51e90b24bfb7
· I now ran a Standard Client Task Sequence to do a new installation and to restore the user data from MigData. Result: Standard Client Task Sequence did NOT restore the user data.
· Had to some more reading about the subject, starting with: http://deployment.xtremeconsulting.com/2009/11/20/understanding-usmt-with-mdt-2010/
“The Client Deployment Wizard will ask if you want to restore user state and where the user state is stored. The Restore User State step in the task sequence would then use USMT to restore the user state to the computer being deployed”.
This was not true in my case, the Wizard didn’t ask me anything. Time to check why.
· Even more reading in:
http://allcomputers.us/windows_7/designing-a-lite-touch-deployment-%28part-2%29—deploying-images-to-target-computers.aspx
· Easiest solution for me was to remove all the automatic stuff I had added in Customsettings.ini. I changed (commented out) the following so I could manually answer the questions:
;SkipBDDWelcome=YES
;SkipDeploymentType=YES
;DeploymentType=NEWCOMPUTER
:UserDataLocation=AUTO
;UDShare=\\10.0.0.1\MigData
;UDDir=%ComputerName%
;SkipUserData=Yes
· I ran the replace task sequence from the source computer again. I now had the option to tell mdt where to save the backup and whether I wanted to restore the user data into the new installation. I saved the files to the wds-server.
· Created a new virtual machine and deployed Windows via a Standard Client Task Sequence. Manually answered questions in the wizard. I now had the option to restore the user data.
· Success
· (I later noticed that SkipUserData & SkipDeploymentType were the correct options to solve my little mystery. I don’t mind answering a couple of questions and I don’t have the need for UDShare and UDDir etc automatically defined).
Source: http://allcomputers.us/windows_7/designing-a-lite-touch-deployment-%28part-3%29—customizing-target-deployments.aspx )
There’s also an UPGRADE installation/deployment option, but I won’t test it because we do not have the need for it. You can’t upgrade from WinXP to Win7/8 so in our case it’s no use.
Windows 8 Deployment
I tried deploying a plain and a production image of Windows 8 also. It’s just about the same procedure as with Windows 7, but you have to uninstall WAIK and install the new Windows Assessment and Deployment Kit (Windows ADK) for Windows 8 for proper deployment.
Also, update your deployment share and copy over the new boot image to the wds server (ADK uses a new version of Windows PE).
Other than that, everything seems to be working including Task Sequences and so on.
Note:
Tried (successful) Win 8-deployment (4.3.2013) and here are a couple of other problems:
http://support.microsoft.com/kb/977512
http://msitpros.com/?p=1290
with these problems fixed everything seemed to be working just fine. (Actually uninstalled DNS completely as I didn’t need it)
Note 2:
I’ve now (5.3.2013) moved over to better driver management with selection profiles.
Good article about this:
http://www.deployvista.com/Default.aspx?tabid=78&EntryID=132
Note 3:
Learn how to deploy with UEFI in my post Converting a windows 8 BIOS Installation to UEFI
That’s it for this document. It’s been fun and I’ve learned a lot
Sources:
Mentioned in the text.
A random blog from a sysadmin 
