Difference between revisions of "Client Setup"

From FOG Project
(Firewall Exceptions)
m (Image Capture)
 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
== Absolute Basics ==
 
== Absolute Basics ==
When using FOG all clients should be setup to have PXE boot as the [[Booting into FOG and Uploading your first Image#Set_client_to_PXE_boot_in_BIOS|first boot device]]. This allows imaging tasks to be deployed without visiting the client computer, while only slowing down the boot process by a few seconds.<br>
+
When using FOG all clients should be setup to have PXE boot as the [[Booting into FOG and Capturing your first Image#Set_client_to_PXE_boot_in_BIOS|first boot device]]. This allows imaging tasks to be deployed without visiting the client computer, while only slowing down the boot process by a few seconds.<br>
If you are following this guide straight through, it is a good idea to test an upload on a spare computer rather than testing it on your master image after doing all the steps below, just in case of complications.
+
If you are following this guide straight through, it is a good idea to test a capture on a spare computer rather than testing it on your master image after doing all the steps below, just in case of complications.
  
 
=== Deciding on an Image Strategy ===
 
=== Deciding on an Image Strategy ===
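Review bot: the link target in the first changed line moves from "Booting into FOG and Uploading your first Image" to "Booting into FOG and Capturing your first Image" while keeping the same #Set_client_to_PXE_boot_in_BIOS anchor. Confirm the target page was renamed in the same change set (or that a redirect exists), otherwise this becomes a broken link. The unchanged wording "should be setup" in the same sentence could also be corrected to "set up" while the line is being touched.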
Line 68: Line 68:
 
==== DBAN ====  
 
==== DBAN ====  
 
[http://www.dban.org/ DBAN] is another tool you could use to wipe a drive. It is available as a bootable ISO (or put on a USB drive if you wish[http://www.pendrivelinux.com/]) and can wipe many drives at the same time. It supports all types of wipes. Either Zero, Random, 7 Pass, or even 35 Pass.
 
[http://www.dban.org/ DBAN] is another tool you could use to wipe a drive. It is available as a bootable ISO (or put on a USB drive if you wish[http://www.pendrivelinux.com/]) and can wipe many drives at the same time. It supports all types of wipes. Either Zero, Random, 7 Pass, or even 35 Pass.
 +
 +
Here is an article on DBAN: [[DBAN (Darik's Boot and Nuke)]]
  
 
== Single Image Machines ==
 
== Single Image Machines ==
Line 180: Line 182:
  
 
Windows 7: Add NetDOM*
 
Windows 7: Add NetDOM*
*As of FOG 0.28 this is no longer riquired.<br/>
+
*As of FOG 0.28 this is no longer required.<br/>
 
Both: Download Sysprep - don't use included version
 
Both: Download Sysprep - don't use included version
  
Line 255: Line 257:
 
Here we setup a custom grub wallpaper: it is an XPM image, 640x480, 14 colors.
 
Here we setup a custom grub wallpaper: it is an XPM image, 640x480, 14 colors.
  
=== Image Upload ===
+
=== Image Capture ===
  
The image upload need to be setted as:
+
The image capture needs to be set as:
  
 
* Single disk, multiple partitions
 
* Single disk, multiple partitions
 
* OStype Linux
 
* OStype Linux
  
The option Single disk, multiple partition will manage to upload/deploy all the partition of the disk.
+
The option Single disk, multiple partition will manage to capture/deploy all the partition of the disk.
 
The OStype setted to Linux will copy a 32256 bytes MBR.
 
The OStype setted to Linux will copy a 32256 bytes MBR.
  
 
  NOTE: setting a Windows 7 OStype, will clone a 512 bytes MBR: at the boot the system will show the string GRUB and then will hang!
 
  NOTE: setting a Windows 7 OStype, will clone a 512 bytes MBR: at the boot the system will show the string GRUB and then will hang!
  
With this configuration, after the image upload, in the directory '''/images''' of the fog server there should be a directory with the name selected for the image containing:
+
With this configuration, after the image capture, in the directory '''/images''' of the fog server there should be a directory with the name selected for the image containing:
  
 
* d1.mbr (the MBR: should be 32256 bytes)
 
* d1.mbr (the MBR: should be 32256 bytes)
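Review bot: the upload-to-capture rewording in this hunk leaves the neighbouring grammar errors in place. The unchanged context line still reads "The OStype setted to Linux will copy a 32256 bytes MBR", and the changed line keeps "all the partition of the disk". Since the first changed sentence was already corrected to "needs to be set as", fix these in the same edit ("set to Linux", "a 32256-byte MBR", "all the partitions") so the section is consistent.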

Latest revision as of 03:18, 8 July 2016

Absolute Basics

When using FOG, all clients should be set up to have PXE boot as the first boot device. This allows imaging tasks to be deployed without visiting the client computer, while only slowing down the boot process by a few seconds.
If you are following this guide straight through, it is a good idea to test a capture on a spare computer rather than testing it on your master image after doing all the steps below, just in case of complications.

Deciding on an Image Strategy

FOG's strength is the flexibility to adapt to the needs of your environment. As an example, let's say you have 20 of one computer model and 20 of another. You need to support both groups of machines and wish to use FOG to host images for both.

There are two ways to do this.

  • Create an image for a specific computer (useful if you have 10 or more of the same model computer)
  • Create a hardware independent image (useful if you have many different models of computers in your environment)

Example: Your environment has 20 Dell Optiplex 760 Machines. Your environment also has 20 Lenovo ThinkCentre M91p Machines.

Since FOG allows you to group your hosts and apply the same image to all hosts in that group, it might be better for you to create a standard Dell image and a separate Lenovo image. However, if you have 5+ machines with different models, it might be time to create a Master Image that covers the hardware for ALL your machines. These are known as Hardware Independent Images or Master Images. They are also known as Golden Images. Regardless of the name used, they all mean the same thing: an image that works on any machine/hardware.

Common Steps for Any OS Installation

Always Start with a Clean Hard Drive

Even if your drive is brand new from the factory, it is recommended to wipe the drive before you install an OS on it. This is considered a best practice, for the reasons below.

Reasons for Wiping a Hard Drive

Brand New Hard Drives

Even if the drive is brand new from the factory in an unopened box, you should wipe it. In 2007 an incident was reported where 1800 brand new hard drives were shipped from the manufacturer with a virus already on the drive. While the likelihood of hard drives being infected from the manufacturer is extremely small, wiping a drive with a single pass only takes a few minutes and can save you much heartache in the future. It is also a good way to test the drive to make sure it's not a bad drive from the factory. Most hard drives that have a factory defect will die within the first few months of use. If the drive fails during the wipe, you normally can return it to the store in a timely manner and get a new one.

Used Drives

Deleting partitions or doing a soft format isn't enough. Some viruses and malware components can survive a full disk format. They place themselves in unused disk areas (e.g. counting backwards from the last logical block of the drive geometry). Even though they cannot execute themselves until specifically called, a re-infection could allow them to access previously saved information, such as keylogger data or other personal information.

Wiping a Drive

Wiping a hard drive can take a long time depending on the size of the drive! On average a 160 GB SATA hard drive can take an hour to wipe. Writing a single pass of data (random or not) is sufficient to remove all traces of a program or malware. In fact, the Gutmann method has been called useless by the creator of the method [1] as his paper was misinterpreted. Thirty-five passes are not needed on modern drives.

Windows 7

Open a Command Line as Administrator.

Type: format /p:1 <Drive Letter>

Replace <Drive Letter> with E:\ or whichever drive you wish to format. This will zero-out all bits on a disk.

UNIX/Linux

Open a Shell prompt as root or a user with sudo rights on Ubuntu/Debian based machines

Simple Wipe

Fedora: dd if=/dev/zero of=/dev/sdX

Ubuntu/Debian Based: dd if=/dev/zero of=/dev/sdX

Replace sdX with the drive letter you wish to wipe. This will zero-out all bits on the disk.
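A zero wipe only helps if it reached the end of the drive, including the last blocks mentioned under Used Drives. The following is an added example, not part of the original wiki page, that compares the whole target against /dev/zero after the dd run; the function names are hypothetical, and GNU cmp and blockdev are assumed to be available.

```shell
#!/bin/sh
# Added example: confirm that "dd if=/dev/zero of=/dev/sdX" covered every
# byte of the target, including the final sectors of the device.
# Function names are hypothetical; not part of FOG.

# Print the size in bytes of a block device or a regular file.
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Return 0 only if every byte of the target is 0x00.
# Return 1 and report where the first non-zero byte is otherwise.
# Return 2 if the size cannot be determined or is zero.
verify_zeroed() {
    target=$1
    size=$(target_size "$target") || return 2
    [ -n "$size" ] && [ "$size" -gt 0 ] || return 2

    # cmp -n limits the comparison to the target's size; /dev/zero
    # supplies an endless stream of zero bytes to compare against.
    if diff_msg=$(cmp -n "$size" "$target" /dev/zero 2>&1); then
        echo "OK: $target ($size bytes) is fully zeroed"
        return 0
    fi
    echo "NOT WIPED: $diff_msg"
    return 1
}

# Usage (as root, after the wipe has finished): ./verify_wipe.sh /dev/sdX
if [ "$#" -gt 0 ]; then
    verify_zeroed "$1"
fi
```

A non-zero result after a completed wipe means the wipe stopped early or the drive returned different data than was written, which is also a sign of a failing drive.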

Random Wipe

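Fedora: dd if=/dev/urandom of=/dev/sdX

Ubuntu/Debian Based: dd if=/dev/urandom of=/dev/sdX

Replace sdX with the drive letter you wish to wipe. This will overwrite all bits on the disk with random data. /dev/urandom is used because /dev/random can block while waiting for entropy on older kernels, which makes a full-disk wipe impractically slow.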

FOG

FOG has a built-in utility that can do this as well. Be sure to use Normal Wipe as Fast Wipe only zeros out the first few sectors of a disk (Master Boot Record and Partition Table). A Full Wipe is not necessary to remove data from a disk. It is reserved for the most extreme cases.

DBAN

DBAN is another tool you could use to wipe a drive. It is available as a bootable ISO (or put on a USB drive if you wish[2]) and can wipe many drives at the same time. It supports all types of wipes: Zero, Random, 7 Pass, or even 35 Pass.

Here is an article on DBAN: DBAN (Darik's Boot and Nuke)

Single Image Machines

Install Windows

  • Set the BIOS to your preferred SATA mode. Legacy and AHCI work very well. Intel (fake) RAID has caused problems.
  • After wiping your hard drive, install Windows as normal on the machine you wish to make the image for.
    • During installation, select Custom(Advanced) to open the disk partitioner and delete any existing partitions.
    • Click Next to continue with Unallocated space. Do not manually create partitions unless absolutely necessary. Doing so may break FOG's ability to manage Windows.

Install Updates

Be sure to perform all updates. Windows often requires multiple reboots and visits to update.microsoft.com until everything reports as up-to-date. Note that Windows may attempt to push additional software through the update channel such as Windows Live and Silverlight. Decide what you want on your platform before accepting additional software. It is recommended you at least explore the custom updates section as many times there are updated drivers for your hardware.

Install Software

Any software that is constantly updated, such as Adobe products (Reader/Flash), Java, or anything that has the possibility of being out-of-date, should be installed using other means AFTER the image is made. This will save space as well as keep security risk to a minimum. Exceptions should be made for large applications or time-consuming software such as Microsoft Office Suite.

  • Install any software that is necessary for client management. For example, install the FOG Service. Don't forget to place your customized version of hostnamechange.dll in the FOG programs folder.
  • Install other enterprise tools you need such as SCCM or Altiris services.

Setup a Default Profile

In order to have the same settings for all new profiles on the machine, such as desktop shortcuts, you should set up a default profile. Note: The default profile is different from the All Users profile. All Users is only for profiles already created. Any new profile will be generated by using the default profile.

Windows XP

  1. Create a new profile
  2. Set up the profile as you wish - Shortcuts/Desktop Image
  3. Log out of this profile and log in to the administrator profile.
  4. Copy the profile: Right-click My Computer > Properties > Advanced > User Profiles. Select the profile you edited and choose to Copy it to the Default Profile folder under Documents and Settings.
  5. Ensure permissions are correct: Under Permitted to use, click Change, click Everyone, and then click OK.

You may wish to see MS KB 168475 and MS KB 959753 for details.

Windows 7

This is handled by Sysprep. You can use the <CopyProfile>true</CopyProfile> setting in your unattend.xml file.


Remove Unnecessary Software/Files

It is recommended you remove any software that is not used. You can use a cleaner program such as CCleaner to remove unnecessary files. Other things you can do to reduce the image size are:

  • shrinking/turning off system restore.
  • removing hotfix uninstaller folders

Firewall Exceptions

  • Run these in an administrative Command Prompt (cmd) on the host to allow communication between the FOG Client Service installed on the host and the FOG server.
  • Past setups suggested disabling the firewall, which is less secure.
    netsh advfirewall firewall add rule name="Fog Client" dir=in action=allow program="C:\Program Files\FOG\FOGService.exe"
    netsh advfirewall firewall add rule name="Fog Service" dir=in action=allow program="C:\Program Files\FOG\FOGServiceConfig.exe"
    netsh advfirewall firewall add rule name="Fog Tray" dir=in action=allow program="C:\Program Files\FOG\FOGTray.exe"

Before Running Sysprep

Make a Pre-Sysprep Image

It is recommended that you make a system image using FOG BEFORE YOU SYSPREP! Sysprep makes a lot of changes and takes a long time. It is useful to make an image of the drive the way it is now in case something happens during the sysprep process. It is also nice to have a pre-sysprep image available when it comes time to update the system's image. You can deploy the pre-sysprep image to the computer and then update Windows or install new software etc. without having to redo this entire process!

Before Running Sysprep

Other steps to consider are:

  • Run Chkdsk /f /p prior to imaging
  • Defrag the drive
  • Make sure 2 GB of disk space is free or the NTFSresize will fail
  • Make sure the FOG service is installed and properly configured
  • Update your hostnamechange.dll file
  • For *Windows 7 ONLY*: FOG Prep
    • (Both of the above are available from your FOG server: FOG_Server_IP_or_Hostname/fog/client/)
  • pasted from notes: (Some of these are best handled at the enterprise-level (Group Policy) rather than maintaining them on the image.)
Enable Admin account
Set admin PW
Disable UAC
Disable Sidebar objects?
My Computer, IE, Recycle Bin, Documents on Desktop
Change Home page
Delete Start Menu Items
Run Media Player
Disable System Restore
Disable Hibernation - delete hiberfil.sys
Disable Virtual Memory - delete pagefile.sys
Firewall: Allow Fog Client Exceptions
Disable Windows Defender
Disable automatic updates
Security Center - Warnings
Disable Windows Welcome Screen
Don't show this message - IT Information Bar
Power Options
HAL Drivers set correctly within Device Manager (Advanced Configuration and Power Interface (ACPI))
Show "Run" and "Printers" in Start menu
Windows Updates up-to-date
Enable Remote Desktop
Enable Remote Assistance
Show Hidden Files Disable Hidden Files
Remove/Delete other Windows Accounts
Delete Recent Items
Empty Recycle Bin
Copy Creation Profile to Default profile
Defrag
Disk Clean up
Chkdsk OS partition
bcdedit /set {bootmgr} device boot
bcdedit /set {default} device boot
bcdedit /set {default} osdevice boot
  • Set up "creation" profile exactly how user profiles will be.
  • Select option to copy profile to Default profile during Sysprep
  • Rather than enabling Admin account as described above, disable built-in Administrator account - create custom named Administrator account and Set password


Windows 7: Add NetDOM*

  • As of FOG 0.28 this is no longer required.

Both: Download Sysprep - don't use included version

Run Sysprep

Windows XP

<content needed>

Windows 7

<content needed>

Dual boot Images

This part covers the installation of the master PC to be cloned, in the following working environment:

  • FOG 0.32 - http://www.fogproject.org/
  • The installation of the server has been accomplished using the official wiki instructions
  • The installation will be performed on Dell Optiplex 960
  • The desired system is a dual boot
    • Windows 7
    • Ubuntu (12.04 alpha at the moment, final installation will be done on Ubuntu 12.04 LTS)

PC configuration

The needed partitions are:

  1. Windows 7 (about 100M)
  2. Windows 7 (the whole system)
  3. linux swap
  4. linux home

The disk is partitioned in 4 primary partitions, the installation sequence is:

  • Windows installation (Windows 7 will set up 2 partitions)
  • Manual disk resizing/partitioning to add a swap and the Linux partition (formatted as ext3)
  • Ubuntu installation

NOTE: FOG uses partimage, so the selected partition type must be compatible with partimage.

Windows Seven

No particular modifications (i.e. see the relevant part on installing a standalone Windows 7)

Linux Ubuntu

The installation is a standard Linux installation, but the default grub is not supported (see also http://www.ehu.es/es/web/instalaciones/fogehu/-/wiki/main/conocimiento#Despliegue_de_im%C3%A1genes_con_Ubuntu_11.04), so we downgrade to grub-legacy:

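apt-get install -y grub
# Install the customised GRUB Legacy menu (contents shown below)
cp NEWmenu.lst /boot/grub/menu.lst
# Copy the wallpaper under the name that splashimage in menu.lst refers to
cp ${DATA_DIR}/wallpaper-asid-640x480.xpm.gz /boot/grub/wallpaper.xpm.gz
grub-install /dev/sda

where NEWmenu.lst is: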

timeout 10

# Pretty colours
color cyan/blue white/blue

#splashimage
splashimage=(hd0,3)/boot/grub/wallpaper.xpm.gz                              

title GNU/Linux Ubuntu
root (hd0,3) 
kernel /boot/vmlinuz-3.2.0-14-generic-pae root=/dev/sda4 ro quiet splash
initrd /boot/initrd.img-3.2.0-14-generic-pae

title Windows 7
rootnoverify (hd0,0)
chainloader (hd0,0)+1

quiet
savedefault
boot

The partition naming and kernel filenames are specific to this particular installation: you need to check them against your own. Here we set up a custom grub wallpaper: it is an XPM image, 640x480, 14 colors.

Image Capture

The image capture needs to be set as:

  • Single disk, multiple partitions
  • OStype Linux

The option Single disk, multiple partitions will capture/deploy all the partitions of the disk. Setting the OStype to Linux will copy a 32256-byte MBR.

NOTE: setting a Windows 7 OStype will clone a 512-byte MBR: at boot the system will show the string GRUB and then hang!

With this configuration, after the image capture, in the directory /images of the FOG server there should be a directory with the name selected for the image containing:

  • d1.mbr (the MBR: should be 32256 bytes)
  • d1p1.img
  • d1p2.img
  • d1p4.img

There is one file per partition, with the exception of the swap partition.
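The captured files can be checked on the FOG server before the image is deployed. The following is an added example, not part of the original wiki page or of FOG itself: it checks that d1.mbr has the 32256-byte size given above (63 sectors of 512 bytes) rather than the 512 bytes that lead to the GRUB hang, and that each expected partition image exists. The function name is hypothetical, and the boot-signature check assumes d1.mbr starts with the disk's first sector.

```shell
#!/bin/sh
# Added example: sanity-check a captured dual-boot image directory.
# check_fog_image is a hypothetical helper, not a FOG command.

# Size from the page: OStype Linux captures 32256 bytes (63 x 512).
# A 512-byte d1.mbr means only the first sector was captured.
EXPECTED_MBR_BYTES=32256

# Usage: check_fog_image <image dir> <partition numbers...>
# Returns 0 if d1.mbr and every listed d1pN.img look sane, 1 otherwise.
check_fog_image() {
    dir=$1
    shift
    mbr="$dir/d1.mbr"

    [ -f "$mbr" ] || { echo "FAIL: $mbr is missing"; return 1; }

    size=$(wc -c < "$mbr" | tr -d ' ')
    if [ "$size" -ne "$EXPECTED_MBR_BYTES" ]; then
        echo "FAIL: d1.mbr is $size bytes, expected $EXPECTED_MBR_BYTES"
        [ "$size" -eq 512 ] && echo "      (was the OStype set to Windows 7?)"
        return 1
    fi

    # Assumption: d1.mbr begins with sector 0, so the standard boot
    # signature 0x55 0xAA sits at byte offset 510.
    sig=$(dd if="$mbr" bs=1 skip=510 count=2 2>/dev/null \
          | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ] || { echo "FAIL: no boot signature in d1.mbr"; return 1; }

    # One image file per partition; swap is not captured.
    for part in "$@"; do
        img="$dir/d1p$part.img"
        [ -s "$img" ] || { echo "FAIL: $img is missing or empty"; return 1; }
    done

    echo "OK: $dir looks complete"
    return 0
}

# Example for the layout on this page (partition 3 is swap):
#   ./check_image.sh /images/<image name> 1 2 4
if [ "$#" -gt 0 ]; then
    check_fog_image "$@"
fi
```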

Hardware-Independent Images

Making a Hardware Independent Image is very similar to making a Single Machine Image, with a few very important differences.

Understanding HAL

HAL (Hardware Abstraction Layer) is very similar to the Kernel in *nix systems.

Windows XP and HAL

Not using the correct HAL will lead to a BSOD on your computers or give you a huge performance hit. Luckily, you can tell Windows XP (via sysprep) to update the HAL on the fly.

Windows XP typically uses one of 3 HAL types.

  • Advanced Configuration and Power Interface (ACPI)
  • ACPI Uniprocessor PC
  • ACPI Multiprocessor

Updating HAL with Sysprep.inf

You can update the HAL dynamically by adding this to your Sysprep.inf under the [unattended] section:

UpdateUPHAL = "ACPIAPIC_UP,%WINDIR%\Inf\Hal.inf"
UpdateUPHAL = "ACPIPIC_UP,%WINDIR%\Inf\Hal.inf"
UpdateUPHAL = "MPS_UP,%WINDIR%\Inf\Hal.inf"

As a general rule, it is best to create your image on a machine (or virtual machine) with a single processor (ACPI Uniprocessor PC). Using a multi-core processor might yield unexpected results even when using the UpdateUPHAL lines in the sysprep.inf file.


Windows Vista,7 and Beyond

As of Windows Vista you don't need to worry about HALs, thanks to the /generalize switch. When you use this switch with sysprep, Windows will automatically take care of updating the HAL during the sysprep process!

Install Wipe / Install / Setup

At this point you should complete the steps below. For help with these steps, refer to the Single Image Directions above.

  • Wipe The Hard Drive
  • Install Windows
  • Install Large Software Packages
  • Install other Enterprise software (such as FOG Client)
  • Install Windows Updates
  • Setup Default Profile
  • Remove Unnecessary Software/Files

Changing the IDE Controller to Standard

Windows XP only. If using Windows 7, you can skip this step. To help make the image more compatible with other hardware, you should change the IDE controller to the standard driver included with Windows XP. To do this:

  • Open Computer Management (right-click My Computer, select Manage)
  • Locate the IDE ATA/ATAPI Controllers
  • Expand
  • Right Click on the IDE Controller
  • Select Update Driver
  • If asked to search online select No, not this time.
  • Select install from a list or specific location (advanced)
  • Select Don't Search, I will choose the driver to install
  • Make sure "Show Compatible Hardware" is checked
  • Select the Standard Dual Channel PCI IDE CONTROLLER
  • Next
  • Finish
  • Reboot

This will allow Windows to boot on the target machines, then the new hardware wizard will take over and detect the correct controller card for that machine.

Loading Drivers

Mass Storage Drivers

To make a truly hardware independent image it is recommended you load all the mass storage drivers in your image. To include every mass storage driver needed for any machine you could use driver packs.

Other Drivers

You should also include all other drivers for all your other machines. These drivers should include VGA Drivers, Network Drivers, Sound Drivers and any other drivers you might need for those systems.

Before You Sysprep

Make a Pre-Sysprep Image

It is recommended that you make a system image using FOG BEFORE YOU SYSPREP! Sysprep makes a lot of changes and takes a long time. It is useful to make an image of the drive the way it is now in case something happens during the sysprep process. It is also nice to have a pre-sysprep image available when it comes time to update the system's image. You can deploy the pre-sysprep image to the computer and then update Windows or install new software etc. without having to redo this entire process!

Run Sysprep

Windows XP Sysprep Guides

Vernalex Sysprep Guides offer some great advice on this subject. You should pay particular attention to the mass storage devices part of the guide, as this is crucial to making the image work with your hardware. It is recommended to build the mass storage section before running sysprep.

You should also read Microsoft KB Article 302577 on sysprep.

Windows XP

Run Sysprep.exe and tick mini-setup and detect plug and play hardware. Click Reseal.

Windows 7

<content needed>

Take a Post-Sysprep Image

TEST THIS IMAGE before use in a production environment. Your first try might not work; you might be missing drivers that you will have to add. This is why it is recommended to make a Pre-Sysprep Image. It might take a few tries before all the drivers needed are loaded. When all is done right, it's worth the time, as you will have an image that works on ANY HARDWARE!

If the image works fine on one type of computer, try others to make sure it's truly hardware independent. If it works well, this is the image you should use when deploying to your target machines.