
ALTIRIS Deployment Solution 6.8 PXE Overview


Notice

Altiris® AAA Document

© 2006 Altiris, Inc. All rights reserved. Document Date: October 3, 2006

Altiris, Inc. is a pioneer of IT lifecycle management software that allows organizations to easily manage desktops, notebooks, thin clients, handhelds, industry-standard servers, and heterogenous software including Windows, Linux, and UNIX. Altiris automates and simplifies IT projects throughout the life of an asset to reduce the cost and complexity of management. Altiris client and mobile, server, and asset management solutions natively integrate through a common Web-based console and repository. For more information, visit www.altiris.com.

The content of this document represents the current view of Altiris as of the date of publication. Because Altiris responds continually to changing markets and conditions, this document should not be interpreted as a commitment on the part of Altiris. Altiris cannot guarantee the accuracy of any information presented after the date of publication.

Altiris, Inc. 588 West 400 South Lindon, UT 84042 Phone: (801) 226-8500 Fax: (801) 226-8506

Bootworks U.S. Patent No. 5,764,593.

Altiris and Deployment Solution for Servers are registered trademarks of Altiris, Inc. in the United States.

Microsoft, Windows, and the Windows logo are trademarks, or registered trademarks, of Microsoft Corporation in the United States and/or other countries.

Other brands and names are the property of their respective owners.


Chapter 1

Setting Up PXE Server

What is PXE?

Preboot Execution Environment (PXE) is an open industry standard which enables computers to boot remotely using a network card.

PXE uses standard network protocols to establish a communication channel between a computer and a PXE server during the boot process. Using this channel, a PXE server sends an execution environment to the computer so that work can be performed in a pre-boot state.

In Deployment Solution, this pre-boot state is called the automation environment, and DOS, Linux, and WinPE are currently supported as pre-boot operating systems. An overview of the automation boot methods and environments is contained in a separate document, Deployment Solution: Automation Preboot Environments.

An advanced, tightly integrated PXE environment is provided with Deployment Solution. Deployment Solution leverages PXE to provide the following advantages:

• When a managed device needs to boot into automation, Deployment Solution restarts the computer and notifies the PXE server. PXE server then boots the computer into the automation environment indicated in the Deployment Solution job automatically.

• PXE can perform an initial deployment of a new system by checking to see if a computer exists in Deployment Solution.

• All PXE configuration is done using the PXE Configuration Utility from the Deployment Solution console, enabling you to remotely configure all PXE servers in your network.

Why Use PXE?

PXE is used in Deployment Solution to perform two tasks:

• Boot managed computers into the automation environment
• Perform initial deployment of new managed computers

How you implement PXE is partially dependent on what you plan to do with it. Many organizations use PXE only on a subnet in a receiving department to deploy corporate images and initial configuration of new computers. After this computer is assigned to a user, PXE is not used in the normal production environment.

This limits the extent of the PXE environment, but prevents you from accessing the automation environment to capture images and perform other automation-only tasks. Other companies which often use automation select PXE because it leaves no footprint on the managed computer, and has several other advantages such as image

Regardless of how broadly you implement PXE, Deployment Solution provides tools and services to simplify management of PXE in your environment. This section contains the following topics providing an overview of PXE in Deployment Solution:

• PXE Services and Architecture
• How PXE Works

PXE Services and Architecture

PXE services use a tiered-architecture which enables you to provide global settings and boot options shared across all PXE servers, then override configuration and expand boot options on a local level.

Boot options and PXE settings can be applied to a shared configuration. This shared configuration is inherited by all PXE servers in your environment. Each PXE server still has its own specific configuration, so you can override settings and add additional boot options as needed.

New services have been provided to replicate settings and data automatically, making it unnecessary for you to individually configure each PXE server.

The following table contains an overview of the PXE services:

The PXE Manager service interacts with Deployment Server, PXE Helper service, and the PXE config utility to perform centralized PXE management:

Service / Description

PXE Manager
• Provides all boot options and configuration settings for each PXE server in your environment.
• Interfaces with the PXE Config Utility to replicate data and apply PXE configuration.
• Manages all communication between your Deployment Server and your PXE servers.
The PXE Manager Service is installed on your Deployment Server regardless of whether or not you have also installed a PXE server.

PXE Config Helper
• Interfaces with PXE Manager to receive data and configuration.
• Configures, starts, and stops the additional PXE services on the PXE server.

PXE Server
• Provides the PXE listener and proxy DHCP to respond to PXE requests and send the location of bootstrap files.

MTFTP
• Sends bootstrap files to managed computers using

On each individual PXE server, the PXE Server service and the MTFTP service are installed to perform the work of a PXE server. These services are configured, started and stopped by the PXE Config Helper service. Clients connect directly to these services during the PXE boot process:

How PXE Works

Before a computer can boot over a network, it needs two things: an IP address to communicate, and the location of a PXE server to contact for boot instructions. The following sections outline the PXE boot process:


Part 1: DHCP Request and PXE Discovery

Request and Receive an IP Address

Initially, the boot agent directs the execution of normal DHCP operations by broadcasting a DHCPDISCOVER packet (255.255.255.255) to port 67 on its local physical subnet to discover a DHCP server.

Any available DHCP servers respond with a broadcast DHCPOFFER packet indicating their server IP.

When the client has chosen a target DHCP server, it broadcasts a DHCPREQUEST packet that includes its MAC address and the IP address of the selected DHCP server. The DHCPREQUEST also contains option 60 to identify the client as a PXE client.

PXE Option 60

DHCP allows clients to receive options from the DHCP server indicating various services that are available on the network. A number of standard and custom options are available that can convey a vast amount of information to DHCP clients. Option 60 deals specifically with PXE related services. Both PXE clients and servers use option 60 to convey specific information about the PXE services they need or are providing.

Contacting the PXE Server

All DHCP servers examine the DHCPREQUEST packet. If the request is intended for a different server, the IP address they offered is reclaimed. The DHCP server providing the accepted offer supplies a DHCPACK packet to the client to acknowledge the client’s receipt of its IP.

During this process, the Altiris PXE server monitors the wire for DHCPREQUEST packets with an option 60 (PXE client). When a packet is recognized, the client's MAC address is used to find any pending automation work in Deployment Server. If no automation work is required, the PXE server does not respond to the client and it boots normally.

If there is work to do, the PXE server responds with its address using a DHCPACK with option 60.

At this point, the client has received a DHCPACK containing an IP address, and a DHCPACK with option 60 containing a PXE server. If the PXE server is located on the same server as DHCP, both are contained in the same DHCPACK packet.
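The option 60 exchange described in Part 1 can be observed on the wire. The following is an added example, not part of the Altiris document or product: a Python parser for DHCP payloads that extracts the message type, client MAC and option 60, and flags replies carrying option 60 from servers outside an expected list. The `PXEClient` vendor class string comes from the PXE specification rather than this page; the MAC address, IP addresses and the trusted-server set are constructed sample values.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie after the 236-byte BOOTP header
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def parse_dhcp(payload):
    """Parse a UDP port 67/68 payload into the fields the PXE handshake relies on."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen = struct.unpack_from("!BBB", payload, 0)
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                            # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break                                      # truncated before the length byte
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:
            break                                      # truncated value: keep what parsed so far
        opts[payload[i]] = value
        i += 2 + length
    server = opts.get(54, b"")                         # option 54 = server identifier
    return {
        "op": op,                                      # 1 = from client, 2 = from server
        "mac": ":".join(f"{b:02x}" for b in payload[28:28 + min(hlen, 16)]),
        "type": TYPES.get((opts.get(53) or b"\x00")[0], "UNKNOWN"),
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
        "server_id": socket.inet_ntoa(server) if len(server) == 4 else None,
    }

def classify(msg, trusted_pxe_servers):
    """Label a parsed message; replies carrying option 60 must come from a known server."""
    if not msg["vendor_class"].startswith("PXEClient"):
        return "not-pxe"
    if msg["op"] == 1:
        return "pxe-client " + msg["type"]
    if msg["server_id"] in trusted_pxe_servers:
        return "pxe-reply trusted"
    return "pxe-reply UNTRUSTED"

def build(op, mac, options):
    """Construct a minimal DHCP payload for the samples below (constructed data)."""
    header = struct.pack("!BBBB", op, 1, 6, 0) + bytes(24) + mac + bytes(10 + 192)
    return header + MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in options) + b"\xff"

# Constructed sample traffic: one PXE client request and three server replies.
MAC = bytes.fromhex("001122334455")
TRUSTED = {"192.0.2.10"}                               # assumed address of the real PXE server
REQUEST = build(1, MAC, [(53, b"\x03"), (60, b"PXEClient:Arch:00000:UNDI:002001")])
ACK_KNOWN = build(2, MAC, [(53, b"\x05"), (54, socket.inet_aton("192.0.2.10")), (60, b"PXEClient")])
ACK_UNKNOWN = build(2, MAC, [(53, b"\x05"), (54, socket.inet_aton("192.0.2.66")), (60, b"PXEClient")])
ACK_PLAIN = build(2, MAC, [(53, b"\x05"), (54, socket.inet_aton("192.0.2.1"))])

def triage(payloads, trusted=TRUSTED):
    """Return one verdict per captured payload."""
    return [classify(parse_dhcp(p), trusted) for p in payloads]

if __name__ == "__main__":
    for verdict in triage([REQUEST, ACK_KNOWN, ACK_UNKNOWN, ACK_PLAIN]):
        print(verdict)
```

When DHCP and PXE run on the same server, that server's address belongs in the trusted set, because its DHCPACK carries option 60 as well.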

Part 2: PXE Bootstrap

Now the client is ready to contact the PXE server for boot files. After this request, clients are provided a boot menu containing all of the boot options the PXE server can provide. Most of the time, the correct boot option has already been selected by Deployment Server, so this is transparent to the client.

After the selection is made, the client requests the necessary boot files using MTFTP. This consists of a .0 and a .1 file.


The .1 file is an image of a boot disk floppy with modifications to the autoexec.bat and additional files which ultimately provide the automation environment on the managed computer.

The following diagrams contain a basic outline of this process:

PXE Planning and Installation

This section contains an overview of the PXE deployment process, in the following sections:


Enabling PXE on Managed Computers

Each computer you plan to manage using PXE must have PXE boot enabled (sometimes called network or NIC) and set to the correct sequence in the BIOS. It is also a good idea to apply the latest BIOS updates, especially if your network card is integrated on the motherboard.

Deployment Solution also supports Wake on Lan to power on managed computers remotely. If this is enabled, a Wake on Lan signal is sent to the managed computer if the device is powered off (disconnected from Deployment Server) when a job is scheduled to start.

Installing and Configuring DHCP

DHCP is an integral part of the PXE process, and must be installed and configured in order to use PXE. A DHCP server is not provided with Deployment Solution; you must obtain, install, and configure this component separately.

After DHCP is set up and your PXE servers are installed, you need to configure how your PXE servers interact with the DHCP server. This is done using the PXE Configuration Utility.

How Many PXE Servers Do I Need?

Number of Client Connections

PXE servers do not typically require a lot of resources. By using multicast, a single PXE server can deploy a DOS boot image to up to 100 computers at a time, and not consume any more resources than it would deploying a single image. If you are using WinPE or Linux however, multicast boot is not available.

Usually a single PXE server in a specific location is enough if you either use multicast to deploy images or spread out your image capturing jobs to be in line with the capabilities of your server. Additional PXE servers can easily be added if necessary.

Network Speed

Since the majority of the resources on a PXE server are used transferring files over the wire, the faster the network, the more work a single PXE server can do. A single PXE server on a gigabit network can capture and deploy several times as many images over a period of time as even multiple servers on a slower network.

Physical Layout of your Network

Your PXE configuration might be set up according to the physical layout of your network. If you have three offices in different locations, it might make sense to install a PXE server at each location to reduce traffic and resolve routing issues (see PXE Request Routing).


PXE Request Routing

PXE clients use broadcast packets to find DHCP and PXE services on a network, and multicast packets (MTFTP) to transfer files. These packet types can present challenges when planning a PXE deployment because most default router configurations do not forward broadcast and multicast traffic.

Because of this, either your routers need to be configured to forward these broadcast and multicast packets to the correct server (or servers), or you need to install a PXE server on each subnet.

Routers generally forward broadcast traffic to specific computers. The source subnet experiences the broadcast, but any forwarded broadcast traffic targets specific computers.

Enabling a router to support DHCP is common. If both PXE and DHCP services are located on the same computer, and DHCP packet forwarding is enabled, you shouldn’t have any problem transferring broadcast packets.

If these services are located on different computers, additional configuration might be required.

If you are going to forward packets, make sure your router configuration allows DHCP traffic to access the proper ports and IP addresses for both DHCP and PXE servers. Once the broadcast issues are resolved, the routing of multicast traffic must be considered. Multicasting leverages significant efficiencies in transferring files but also introduces challenges similar to broadcast packet forwarding. Like the broadcasting solution, routers can be configured to support multicast traffic between PXE Clients and PXE Servers.

Please consult the documentation provided by your router vendor for additional information on packet forwarding.

Installing PXE Servers

After you have determined the PXE needs of your network, you must determine where to install these PXE servers.

A PXE server can be installed on your Deployment Server, on your DHCP server, on another server in your network (such as a file server), or as a standalone server. You can also use a combination of these (for example, a PXE server on your Deployment Server and your DHCP server).

The actual installation process is straightforward. You can install a PXE server at the same time as you install Deployment Solution, or you can install one later by running the installation program and selecting the add additional components option.

After these servers are installed and running, they are configured using the PXE Configuration Utility. See the following section.

Configuring PXE Settings

All PXE configuration is done using the PXE Configuration Utility. The PXE config utility is used to create and modify two things:

• Global and local configuration settings. These settings include timeout values,

• Boot options. Each boot option corresponds to a specific configuration which includes an operating system, network and other drivers, utilities, mapped drives, and so on.

This section contains a brief overview of selected PXE configuration and boot options. For complete details, see the help for the PXE Configuration Utility.

PXE Settings

Shared vs. Local

Deployment Solution provides a PXE settings hierarchy enabling you to provide shared and local PXE configuration values. All PXE servers inherit the shared values unless they are overridden on the local server.

Session Timeout

The PXE Configuration Utility connects to the PXE Manager service on Deployment Server. To make sure your changes are not overwritten by another instance of the PXE Configuration Utility, only one instance of PXE config is allowed to connect to PXE Manager at any given time.

If you attempt to launch PXE Configuration when another instance is running, you receive an error. To prevent you from being completely locked out for extended periods (for example, an instance is inadvertently left open on another computer), a timeout has been added which terminates a connection after 30 minutes of inactivity after someone else attempts to connect.

This timeout only applies if someone else is attempting to launch PXE Configuration. If no other connections are attempted, the timeout is never enabled and your session remains active.

DHCP Server Options

For most circumstances, you want option 1. If you have DHCP installed on your Deployment Server but it is not active, Deployment Server might still attempt to communicate with that instance. This is changed by selecting option 3. If you are using a 3rd party DHCP server which automatically sends the client 60 message, select option 2.

Boot Integrity Services

PXE is potentially vulnerable to hackers, especially in security-conscious business and government settings not willing to risk network boot ups unless safeguards are in place. For example, it is important to ensure that the boot image comes from a trusted source and has not been tampered with in transit. You can also designate and enforce which boot images can be installed on selected groups of platforms. Boot Integrity Services (BIS) addresses these security needs.


Deployment Server supports the BIS technology. However, the BIS support from Altiris is only applicable when the computers being managed also support BIS. Even if BIS is configured from the Deployment Server console, BIS will not work unless the physical computer supports it. At the present time, there are very few computers that support BIS.

Boot Options

Boot options are the boot configurations provided to a client by a PXE server. Each boot option has a corresponding automation operating system, network drivers, and other settings.

Shared vs. Local

Deployment Solution provides a PXE boot option hierarchy enabling you to provide shared and local PXE boot options. Shared boot configurations are available on all PXE servers, while local boot options are available on a specific PXE server.

PXE Redirection

Lets you redirect a global PXE menu option to a local PXE menu option. Redirection settings are not available globally; they are always specific to an individual PXE server. This is due to the role redirection plays in your PXE environment.

Consider the following example:

You manage computers in three locations: Two offices in Ontario, and one office in Alberta. To limit transfer between each site, each office has a local PXE server, and a file server with a mirror of the deployment share. This enables clients at each location to contact the local PXE server to boot, then use the local deployment mirror to access the network tools and to store images.

You need to create a job to capture an image of each managed computer on Friday evening, once a month. To create this job, you add an imaging task, select a PXE boot option, then set the schedule. Simple, right?

Hold on. If you select the same PXE boot option for each office, you are going to have problems. The Alberta office uses a mirror of the deployment share on alb1\eXpress, and stores captured images on alb1\images. The two Ontario offices use the ont1 and ont2 servers respectively.

You could go ahead and create three global configurations and three different jobs, but that is confusing and could potentially cause problems if the wrong selection is made. If you took this route, on each PXE server, two of the three global configurations could potentially cause problems (they are mapped to drives in remote offices). Since you enjoy avoiding problems, what you really need is a way to select a single global configuration for a job, then update it based on the location of the PXE server. This is exactly what redirection does. You create a global configuration named, for example, “Imaging Environment”. Then, on each PXE server, you create a local configuration for each office with the correct server mappings.
