Installation Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit

(1)

For more information about Specops Deploy and other Specops products, visit www.specopssoft.com

Installation Guide

(2)

2

Copyright and Trademarks

Specops Deploy™ is a trademark owned by Specops Software. All other trademarks used in this document belong to their respective owners.

(3)

3

About Specops Deploy / OS

Specops Deploy automates the installation of operating systems, software, and applications in your Microsoft Active Directory environment. Specops Deploy extends the functionality of Group Policy and can be used to target any number of user and computer objects within Active

Directory. You can use Specops Deploy to save user state during installation, manage user local settings, capture operating system image, and remotely manage and monitor multisite deployments.

Specops Deploy is a complete deployment management solution. Specops Deploy is a component of the Specops Desktop Management suite. You can learn more about Specops Deploy and other Specops products at www.specopssoft.com.

(5)

5

Key components

Specops Deploy / OS consists of the following components and does not require any additional servers or resources in your environment.

Image Server: Maintains operating system images and drivers used in each Deployment Group and replicates them to the associated Deployment Servers.

The Microsoft Deployment Toolkit (MDT), and the Windows Assessment and Deployment Kit (ADK) will be installed on this server. This will be the Hub for Distributed File System Replication (DFS-R) to replicate the images.

Administration Tools: Used to configure the central aspect of the solution and enable the creation of new Deployment Servers.

Deployment Server(s): Replies to client requests for PXE booting and Client Side Extension.

The Deployment Server(s) will be the DFS-R target for the Image Server. The Windows Deployment Services role will be installed onto this server.

Specops Log Viewer: Provides searchable log files, in various formats, in real-time.

Note: The Specops Log Viewer is an optional component.

(6)

6

Requirements

Your organization’s environment must meet the following system requirements:

Item Requirement

Image Server  Windows Server 2008 or later

 Microsoft Deployment Toolkit (MDT):

o 2012 Update 1 to deploy Windows XP to Windows 8 OR

o 2013 to deploy Windows 7 to Windows 8.1

Note: MDT 2013 on the Image Server requires Windows Server 2008 or later on the Deployment Server.

 Windows Assessment and Deployment Kit (Deployment Tools, USMT, and Win PE):

o 8.0 to deploy Windows XP to Windows 8 OR

o 8.1 to deploy Windows 7 to Windows 8.1.

 PowerShell 2.0 or later

Note: For Specops Deploy 5.0 MR1, you will need PowerShell 3.0 or later.

Administration Tools  Windows Server 2003 or later

 Client OS Windows XP or later

 .Net Framework 3.51 SP1 or later

 MMC 3.0 with Active Directory and Users and Computers snap-in

 Group Policy Management Console (GPMC)

Deployment Server(s)  Windows Server 2003 R2 (requires manual configuration) or Windows Server 2008 or later

 .NET Framework 3.51 SP1 installed on Windows Server

2003/2008 OR .NET Framework 4.0 installed on Windows Server 2012

 DHCP environment

Note: Option 66 and 67 must be defined in the DHCP scope. Option 66 tells the computer which deployment server to use. Option 67 tells the computer what boot file should be used.

Specops Log Viewer  .Net Framework 4.0 or later

(7)

7

Installing Specops Deploy / OS

During installation, Specops Deploy will launch the Setup Assistant. The Setup Assistant contains installation information for all products from the Specops Deploy suite including Specops Deploy / OS, Specops Deploy / App, and Specops Deploy / Endpoint Protection. You will only need to complete the installation steps for the product you plan on installing.

The Setup Assistant will help you install the following components for Specops Deploy / OS:

 Image Server

 Administration Tools

 Specops Log Viewer

Before you begin verify that the account being used to run the Setup Assistant has permissions to create Child Objects in Active Directory.

1. Download the Setup Assistant.

2. Save and Run the Setup Assistant locally to a machine where you administer Group Policy Note: By default the file is extracted to C:\temp\SpecopsDeploy_Setup_[VersionNumber]

3. Double click Specopssoft.SetupAssistant.exe to launch the Setup Assistant.

4. To begin, click Start Installation in the Specops Setup Assistant dialog box.

(8)

8

Installing the Image Server

The Image Server maintains operating system images and drivers and ensures that the Deployment Servers are updated automatically when changes are made in the central repository.

Install the Image Server

1. In the main menu, select Image Server Setup.

2. Verify that you have fulfilled the prerequisites. If you do not meet the pre-requisites you may need to do the following:

a. Verify that you are running a valid operating system.

b. Select the operating systems you want to support.

Note: The operating system you can deploy is determined by the version of MDT you have installed. To have continued support for all operating systems in your organization, despite MDT restrictions, you will need install two Image Servers with a different version of MDT on each.

c. Click Download… to download the Microsoft Deployment Toolkit (MDT). The version of MDT you download is dependent on the operating system you want to support.

d. Click Download to download the required version of the Windows Assessment and Deployment Kit (ADK).

e. Verify that PowerShell is installed and enabled. PowerShell version 2.0 is pre- installed with Windows 7 and Windows Server 2008 R2 or later. For all other operating systems, you will need to download PowerShell from Microsoft.

3. Click Select… to identify the management level where the Active Directory permissions are created. This is also used to track license usage.

4. Click Select User….

5. Enter the Username and Password of the user account that will join your work stations to the domain, and click OK.

Note:

 All operations performed by the Specops Image Server component will be performed in the context of the service account selected here.

 If you are also installing Specops / Deploy App, we do not recommend using the same service account.

 The account should be configured with the minimum permissions necessary to complete the required tasks.

Permission Permission type

Change Password Object

Reset Password Object

(9)

9

Allowed to authenticate Object

Validated write to service principal name Object Validated write to DNS host name Object

Read public information Property

Read personal information Property Read account restrictions Property Write account restrictions Property Read DNS host name attributes Property

6. Click Select… to select the disk drive where Specops Deploy / OS will store data.

7. If necessary, click Update MDT….

8. Click Install.

(10)

10

(11)

11

Installing the Administration Tools

Installing the Administration Tools will install the Specops Deploy / OS admin tool and the GPMC snap-in. You can use the Specops Deploy / OS admin tool to configure the solution and enable the creation of new Deployment Servers. You can use the GPMC snap-in to create operating system deployment settings in Group Policy Objects.

The Administration Tools should be installed on the computer that you want to administer the product from.

Install the Administration Tools

1. In the main menu, select Administration tools.

2. If you want Specops Deploy / OS to register the Specops Active Directory Users and Computers (ADUC) Menu Extension, click Add menu ext.

Note: This will allow Specops to add the Specops Display Specifiers in the configuration partition of your Active Directory forest allowing you to administer the product directly from the right-click menu of Active Directory objects. In order to add the menu extension to Active Directory the user running of the Setup Assistant must be an Enterprise Administrator.

4. In the Installation succeeded dialog box, click OK.

(12)

12

Installing the Specops Log Viewer

The Specops Log Viewer is a stand-alone text file reader. The Log Viewer should be installed on any machine where the Specops Deploy / OS admin tool is installed.

Install the Specops Log Viewer

1. In the main menu, select Specops Log Viewer.

(13)

13

Post-installation configuration

You will need to complete the following configuration settings once you have installed Specops Deploy / OS:

1. Add new license key 2. Assign permissions

3. Create a Deployment Server 4. Add an operating system image

5. Deploy the Specops Deploy Client-Side Extension using Group Policy Software Installation (GPSI)

6. Complete the Default Policy

7. Create a “Capture” organizational unit and policy

8. Add operating system deployment settings to a Group Policy Object

(14)

14

Add new license key

Enter your new license key in the Specops Deploy / OS admin tool.

a. Open the Specops Deploy / OS admin tool.

b. In the Add License dialog box, click Import License…

c. Browse to the location of the TXT file and click Open.

(15)

15

Assign permissions

Verify that your account is assigned the appropriate permissions. To obtain administrative permissions on the image server you will need to belong to one of the following local groups on the image server:

 Specops Deploy OS Admins

 Administrators

(16)

16

Create a Deployment Server

You will need to create a Deployment Server which the clients will connect to during operating system installations. You can create a Deployment Server using the Specops Deploy / OS admin tool.

1. Open the Specops Deploy / OS admin tool.

2. In the navigation pane, expand Servers, and click Install new Deployment Servers.

3. Enter the name of the server you want to configure as a Deployment Server, or click the browse button to find the server in Active Directory, and click Next.

Note: If the Image Server and Deployment Server are installed in the parent domain, and a GPO is configured in the sub domain, you will need to configure the deployment server explicitly in the GPO.

4. Click Next. The Specops Deploy / OS admin tool will verify that the target server meets requirements.

5. Click Finish when the installation is complete.

(17)

17

Add an operating system image

You will need at least one operating system image to use during client installations. You will need to add your first operating system image from an original source. This should be the original Microsoft Volume License DVD.

Note: It is important to load the DVD / ISO that has been most recently added to the Microsoft download site. If you are importing an image from an ISO, you will need to mount the ISO and browse to the drive it is mounted to.

2. In the navigation pane, expand Images and Packages, and click Import Operating System from Original Source.

3. Enter or browse to the location of the device or the folder containing the operating system, and click Next.

4. Select the operating system you want to import, and click Next.

5. Enter an image name and description.

Note: If you are using MAK-licensing you should also add the license key to the image data.

6. Click Next to import the selected image to the Specops Deploy / OS deployment repository.

Note: To make the operating system image available on the Deployment Servers, you will need to publish the deployment repository.

(18)

18

Deploy the Specops Deploy Client-Side Extension using Group Policy Software Installation

You can automatically configure an existing Group Policy Object with Software Installation settings to deploy the Client in your domain. The Client Side Extension is a required component for all Deploy Products. You can deploy the Client-Side Extension from the Setup Assistant in the Specops Deploy / App menu.

1. Launch the Setup Assistant and click Start Installation from the Specops Deploy / App menu.

2. Click Deploy Specops Deploy Client Side Extension.

3. To select the Group Policy Object that will be used to deploy the client, click Select GPO. You will be given the following options:

Option Step

Create New GPO 1. Click Create New GPO.

2. Enter a new Group Policy Object name.

3. Select the location you want to link the Group Policy object to.

4. Click OK.

Select an existing GPO 1. Select an existing GPO from the list.

2. Select a link for the chosen GPO, and click OK.

4. To install the Client on all computers in your organization you can:

Option Step

Create a network share on the local computer and copy the Client-side extension package to the new network share

1. Click Create Share.

2. Select a local path to create the share for, and click OK.

3. Click Select share.

4. Verify that the network path to the network share you created is correct, and click OK.

Select an existing network share and manually copy the msi-package to the existing network share

1. Click Select Share

2. Browse to the location of the msi-package, and click OK.

Note: It is recommended that you use a Distributed File Share (DFS). If DFS is used with load balancing verify that the setup files are copied to all servers before proceeding.

(19)

19 5. To create the packages for x86 and x64 deployments in the selected GPO, click Add

Settings.

Note: For future deployment, it is best practice to include the Deploy Client in your captured image. This will allow Application Deployment to proceed during the build process as opposed to a subsequent reboot that will allow the client to install via Group Policy Software Installation.

(20)

20

Complete the Default Policy

The Default Deployment Policy applies to computers that are not affected by any Group Policy Object with Specops Deploy / OS settings. A computer with a default policy can be deployed to any organizational unit in the “Scope of Management” without Group Policy deployment

settings.

2. In the navigation pane, expand Policies.

3. Click Edit Policy.

4. Configure the following settings:

Installation settings

Setting name Description

Allow user to initiate reinstall (F12)

Allows end users to initiate an operating system reinstall by pressing F12 at system startup.

Save local user data on user initiated reinstall

Saves local user data when a user initiates a reinstall of a computer.

Enable real time logging Enables real time logging to produce a detailed log from the computer being reinstalled. The log can be accessed by right- clicking a computer in the Deployment navigation pane.

Generate Strong Random Password

Generates a strong random password each time a computer is reinstalled. The computer will have to be administrated through Domain Admin accounts.

Local Admin Password Enter the local administration password that will be configured for all computer that are installed through this policy.

Repeat Password Re-type the Local Admin Password.

Encrypt Password Encrypts the Local Admin Password. The Password will be stored in a configuration file on all deployment servers.

Lock screen during installation Locks the Windows desktop during the final stages of the installation when the computer is logged on as a local administrator.

Operating System Settings

Force x86 image on all systems Forces the installation of the 32-bit OS image on all computers.

Image for x86 systems The operating system image to be used on systems which are 32-bit capable, or all systems if the Force x86 image on all systems setting is used.

(21)

21 Image for x64 systems The operating system image to be used on systems which are

64-bit capable.

Organization name Enter the organization name that should be configured for computers installed with this policy.

Usage of WSUS Specify if Windows Update Services should be used, either from Microsoft or a Windows Server Update Server services infrastructure within an enterprise.

WSUS Server URL The UR; to the internal WSUS server.

Note: This setting is only available if the Internal WSUS Server type has been enabled.

Language Packs Specifies the language packages that should be included in the installation.

Environment Settings

Windows UI Language Specifies which UI language Windows should use.

Regional Settings Language Specifies which language code to use for regional formatting settings.

Time Zone Specifies the time zone the computer should be configured to use.

Keyboard Languages Specifies the keyboard languages that should be installed and the order of preference between keyboard languages.

Custom MDT Properties

Specify or customize properties used by the MDT during installation.

5. Click OK.

(22)

22

Create a “Capture” organizational unit and policy

To complete a successful capture, it is recommended that a “Capture” organizational unit be created. This organizational unit should block other Group Policy Objects in the domain so that they cannot interfere with the capture process. You should also create a Group Policy Object within the “Capture” organizational unit that enables the following connections through the Windows Firewall.

 Remote Registry service

 Remote Procedure Call (RPC)

 Windows Management Instrumentation (WMI)

 Internet Control Message Protocol (ICMP), also known as Ping

Client computers should be added to the organizational unit to ensure a clean image after capture. It is important to use a virtual machine, as opposed to a physical machine, when completing the below steps.

1. In the GPMC, right-click your domain node, and click New Organizational Unit.

2. In the text field, enter a name for the organizational unit (eg.

“Specops_Deploy_Capture_Settings”).

3. Click OK.

4. Right-click on the organizational unit, and click Block Inheritance.

5. Right-click on the organizational unit, and click Create a GPO in this domain and Link it here.

6. In the text field, enter a name for the GPO, and click OK.

7. Right-click on the newly created GPO, and click Edit.

8. You will need to edit the GPO with the following settings:

Setting Step

Enable Remote Registry 1. In the Group Policy Management Editor expand Computer Configuration, Policies, Windows Settings, Security Settings, and click System Services.

2. In the Service Name tab, right-click Remote Registry and select Properties.

3. Enable Define this policy setting.

4. Enable Automatic.

5. Click OK.

Enable RPC 1. In the Group Policy Management Editor expand Computer Configuration, Policies, Windows Settings, Security Settings, Windows Firewall with Advanced Security.

(23)

23 2. Right click Inbound Rules and select New Rule…

3. Enable Predefined.

4. From the drop-down menu, select Remote Service Management, and click Next.

5. Verify that all the rules are enabled, and click Next.

6. Verify that Allow the Connection is enabled and click Finish.

Enable WMI 1. In the Group Policy Management Editor expand Computer Configuration, Policies, Windows Settings, Security Settings, Windows Firewall with Advanced Security.

2. Right click on Inbound Rules and select New Rule…

3. Enable Predefined.

4. From the drop-down menu, select Windows Management Instrumentation, and click Next.

5. Verify that all the rules are enabled, and click Next.

6. Verify that Allow the Connection is enabled and click Finish.

Allow ICMP (Ping) exceptions 1. In the Group Policy Management Editor expand Computer Configuration, Policies,

Administrative Templates, Control Panel, Network, Network Connections, Windows Firewall, and click Domain Profile.

2. In the Settings tab, right-click Windows Firewall:

Allow ICMP exception and select Edit.

3. Select the Enabled checkbox, and click OK.

(24)

24

Add operating system deployment settings to a Group Policy Object

The operating system image and settings that apply to a computer during installation are

determine by the Group Policy Object in Active Directory. You will need to create a Group Policy Object with Specops Deploy / OS settings.

The GPMC snap-in, installed with the Administration Tools, allows you to create and manage Specops Password Policy settings from the Group Policy Management Console. The settings are stored as a part of the Group Policy Object allowing you to control how and where the policy applies.

1. In the GPMC, expand your domain node, and locate the GPO node.

2. Right-click on the GPO node, and select New.

3. Enter a name for the Group Policy Object, and click OK.

4. Right click on the new GPO node, and select Edit.

5. In the Group Policy Management Editor expand Computer Configuration, Policies, Software Settings, and click Specops Deploy / OS.

6. Click Edit Policy….

7. Select the Operating System tab.

8. Find your OS image from the appropriate drop-down box, and click Save.

9. Link the GPO to the appropriate OU.

(25)

25

Support

Congratulations! You have successfully installed and configured Specops Deploy / OS. For more information, you can find the Administration Guide at:

www.specopssoft.com/documentation/specops-deploy-documentation/specops-deploy- administration-guide.

If you are unable to resolve a product related issue, contact Specops Support for assistance.

Online

We recommend submitting your case directly on our website at: www.specopssoft.com/support.

Telephone International +46 8 465 012 50

Monday - Friday: 09:00 - 17:00 CET North America

+1-877-SPECOPS (773-2677) Monday - Friday: 09:00 - 17:00 EST

Installation Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit