ALTIRIS® Deployment Solution™ 6.8 PXE Overview

Notice

Altiris® AAA Document © 2006 Altiris, Inc. All rights reserved. Document Date: October 3, 2006

Altiris, Inc. is a pioneer of IT lifecycle management software that allows organizations to easily manage desktops, notebooks, thin clients, handhelds, industry-standard servers, and heterogeneous software including Windows, Linux, and UNIX. Altiris automates and simplifies IT projects throughout the life of an asset to reduce the cost and complexity of management. Altiris client and mobile, server, and asset management solutions natively integrate through a common Web-based console and repository. For more information, visit www.altiris.com.

The content of this document represents the current view of Altiris as of the date of publication. Because Altiris responds continually to changing markets and conditions, this document should not be interpreted as a commitment on the part of Altiris. Altiris cannot guarantee the accuracy of any information presented after the date of publication.

Altiris, Inc.
588 West 400 South
Lindon, UT 84042
Phone: (801) 226-8500
Fax: (801) 226-8506

Bootworks U.S. Patent No. 5,764,593. Altiris and Deployment Solution for Servers are registered trademarks of Altiris, Inc. in the United States. Microsoft, Windows, and the Windows logo are trademarks, or registered trademarks, of Microsoft Corporation in the United States and/or other countries. Other brands and names are the property of their respective owners.

Information in this document is subject to change without notice. For the latest documentation, visit www.altiris.com.

Chapter 1: Setting Up PXE Server

What is PXE?

Preboot Execution Environment (PXE) is an open industry standard which enables computers to boot remotely using a network card. PXE uses standard network protocols to establish a communication channel between a computer and a PXE server during the boot process.
Using this channel, a PXE server sends an execution environment to the computer so that work can be performed in a pre-boot state. In Deployment Solution, this pre-boot state is called the automation environment, and DOS, Linux, and WinPE are currently supported as pre-boot operating systems. An overview of the automation boot methods and environments is contained in a separate document, Deployment Solution: Automation Preboot Environments.

An advanced, tightly integrated PXE environment is provided with Deployment Solution. Deployment Solution leverages PXE to provide the following advantages:

- When a managed device needs to boot into automation, Deployment Solution restarts the computer and notifies the PXE server. The PXE server then boots the computer into the automation environment indicated in the Deployment Solution job automatically.
- PXE can perform an initial deployment of a new system by checking to see whether a computer exists in Deployment Solution.
- All PXE configuration is done using the PXE Configuration Utility from the Deployment Solution console, enabling you to remotely configure all PXE servers in your network.

Why Use PXE?

PXE is used in Deployment Solution to perform two tasks:

- Boot managed computers into the automation environment
- Perform initial deployment of new managed computers

How you implement PXE is partially dependent on what you plan to do with it. Many organizations use PXE only on a subnet in a receiving department to deploy corporate images and initial configuration of new computers. After such a computer is assigned to a user, PXE is not used in the normal production environment. This limits the extent of the PXE environment, but prevents you from accessing the automation environment to capture images and perform other automation-only tasks.
Other companies which often use automation select PXE because it leaves no footprint on the managed computer, and has several other advantages such as image multicasting and tight Deployment Solution integration.

Altiris Deployment Solution 6.8 3

Regardless of how broadly you implement PXE, Deployment Solution provides tools and services to simplify management of PXE in your environment. This section contains the following topics providing an overview of PXE in Deployment Solution:

- PXE Services and Architecture
- How PXE Works

PXE Services and Architecture

PXE services use a tiered architecture which enables you to provide global settings and boot options shared across all PXE servers, then override configuration and expand boot options on a local level. Boot options and PXE settings can be applied to a shared configuration. This shared configuration is inherited by all PXE servers in your environment. Each PXE server still has its own specific configuration, so you can override settings and add additional boot options as needed. New services have been provided to replicate settings and data automatically, making it unnecessary for you to individually configure each PXE server.

The following table contains an overview of the PXE services:

Service: PXE Manager
- Provides all boot options and configuration settings for each PXE server in your environment.
- Interfaces with the PXE Config Utility to replicate data and apply PXE configuration.
- Manages all communication between your Deployment Server and your PXE servers. The PXE Manager service is installed on your Deployment Server regardless of whether or not you have also installed a PXE server.

Service: PXE Config Helper
- Interfaces with PXE Manager to receive data and configuration.
- Configures, starts, and stops the additional PXE services on the PXE server.

Service: PXE Server
- Provides the PXE listener and proxy DHCP to respond to PXE requests and send the location of bootstrap files.

Service: MTFTP
- Sends bootstrap files to managed computers using TFTP.

The PXE Manager service interacts with Deployment Server, the PXE Config Helper service, and the PXE Config Utility to perform centralized PXE management:

On each individual PXE server, the PXE Server service and the MTFTP service are installed to perform the work of a PXE server. These services are configured, started and stopped by the PXE Config Helper service. Clients connect directly to these services during the PXE boot process:

How PXE Works

Before a computer can boot over a network, it needs two things: an IP address to communicate, and the location of a PXE server to contact for boot instructions. The following sections outline the PXE boot process:

- Part 1: DHCP Request and PXE Discovery
- Part 2: PXE Bootstrap

Part 1: DHCP Request and PXE Discovery

Request and Receive an IP Address

Initially, the boot agent directs the execution of normal DHCP operations by broadcasting a DHCPDISCOVER packet (255.255.255.255) to port 67 on its local physical subnet to discover a DHCP server. Any available DHCP servers respond with a broadcast DHCPOFFER packet indicating their server IP. When the client has chosen a target DHCP server, it broadcasts a DHCPREQUEST packet that includes its MAC address and the IP address of the selected DHCP server. The DHCPREQUEST also contains option 60 to identify the client as a PXE client.

PXE Option 60

DHCP allows clients to receive options from the DHCP server indicating various services that are available on the network. A number of standard and custom options are available that can convey a vast amount of information to DHCP clients. Option 60 deals specifically with PXE-related services. Both PXE clients and servers use option 60 to convey specific information about the PXE services they need or are providing.

Contacting the PXE Server

All DHCP servers examine the DHCPREQUEST packet.
If the request is intended for a different server, the IP address that server offered is reclaimed. The DHCP server providing the accepted offer supplies a DHCPACK packet to the client to acknowledge the client's receipt of its IP.

During this process, the Altiris PXE server monitors the wire for DHCPREQUEST packets carrying option 60 (PXE client). When such a packet is recognized, the client's MAC address is used to find any pending automation work in Deployment Server. If no automation work is required, the PXE server does not respond to the client and it boots normally. If there is work to do, the PXE server responds with its address using a DHCPACK with option 60.

At this point, the client has received a DHCPACK containing an IP address, and a DHCPACK with option 60 containing a PXE server. If the PXE server is located on the same server as DHCP, both are contained in the same DHCPACK packet.

Part 2: PXE Bootstrap

Now the client is ready to contact the PXE server for boot files. After this request, clients are provided a boot menu containing all of the boot options the PXE server can provide. Most of the time, the correct boot option has already been selected by Deployment Server, so this is transparent to the client. After the selection is made, the client requests the necessary boot files using MTFTP. These consist of a .0 and a .1 file. The .0 file functions as a bootstrap loader. It creates a RAM disk and manipulates the BIOS interrupt vectors, interrupt structures and hardware information tables to make the RAM disk function exactly like a typical floppy disk. This file then copies the .1 file byte by byte into the newly created RAM disk. The .1 file is an image of a boot floppy disk with modifications to the autoexec.bat and additional files which ultimately provide the automation environment on the managed computer.
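The exchange described in Part 1 and the hand-off to Part 2, worked through as an added Python example (not Altiris code): it serializes and parses RFC 2131 DHCP messages with the standard library only, recognizes the option 60 "PXEClient" marker on both the client's DHCPREQUEST and the PXE server's DHCPACK, and merges the two acknowledgements (or the single combined one, when DHCP and PXE run on the same host) into what the client knows before it fetches the .0 bootstrap file. The transaction ID, MAC address, IP addresses and the bootstrap file name are constructed sample values.

```python
"""Serialize/parse DHCP messages and pick out the option 60 PXE exchange.
Added example, not Altiris code; XID, MAC, addresses and file name are constructed."""
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # RFC 2131 fixed header, 236 bytes
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_PAD, OPT_END = 0, 255
OPT_REQUESTED_IP, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_VENDOR_CLASS = 50, 53, 54, 60


def build_dhcp(op, xid, chaddr, options, yiaddr="0.0.0.0", siaddr="0.0.0.0", bootfile=b""):
    """Fixed header + magic cookie + TLV options + END marker."""
    zero = ipaddress.ip_address("0.0.0.0").packed
    header = struct.pack(
        HEADER_FMT,
        op, 1, 6, 0, xid, 0, 0x8000,          # htype=Ethernet, hlen=6, hops, xid, secs, broadcast flag
        zero,                                  # ciaddr
        ipaddress.ip_address(yiaddr).packed,   # yiaddr: address leased to the client
        ipaddress.ip_address(siaddr).packed,   # siaddr: next server, where the .0 file is fetched from
        zero,                                  # giaddr (relay agent)
        chaddr.ljust(16, b"\x00"), b"", bootfile,
    )
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_dhcp(data):
    """Return header fields plus an {option code: raw bytes} dict; reject truncated input."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: too short or missing magic cookie")
    f = struct.unpack(HEADER_FMT, data[:236])
    msg = {
        "op": f[0], "xid": f[4],
        "chaddr": f[11][: f[2]].hex(":"),
        "yiaddr": str(ipaddress.ip_address(f[8])),
        "siaddr": str(ipaddress.ip_address(f[9])),
        "file": f[13].split(b"\x00", 1)[0].decode("ascii", "replace"),
        "options": {},
    }
    i = 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option at offset %d" % i)
        length = data[i + 1]
        msg["options"][data[i]] = data[i + 2 : i + 2 + length]
        i += 2 + length
    return msg


def classify(msg):
    """Direction of the message and whether it carries the PXE option 60 marker."""
    is_pxe = msg["options"].get(OPT_VENDOR_CLASS, b"").startswith(b"PXEClient")
    if msg["op"] == BOOTREQUEST:
        return "pxe-client-request" if is_pxe else "dhcp-client-request"
    if msg["op"] == BOOTREPLY:
        return "pxe-server-reply" if is_pxe else "dhcp-server-reply"
    return "unknown"


def summarize_boot(packets):
    """Merge what a PXE client learns from its replies: a plain DHCPACK supplies the lease,
    a DHCPACK with option 60 supplies the PXE server and bootstrap file. When DHCP and PXE
    share a host, the single DHCPACK carries both, so the PXE branch also records the lease."""
    summary = {"client_mac": None, "leased_ip": None, "pxe_server": None, "bootstrap": None}
    for raw in packets:
        msg = parse_dhcp(raw)
        role = classify(msg)
        if role == "pxe-client-request":
            summary["client_mac"] = msg["chaddr"]
        elif role == "dhcp-server-reply" and msg["yiaddr"] != "0.0.0.0":
            summary["leased_ip"] = msg["yiaddr"]
        elif role == "pxe-server-reply":
            summary["pxe_server"] = msg["siaddr"]
            summary["bootstrap"] = msg["file"]
            if msg["yiaddr"] != "0.0.0.0":
                summary["leased_ip"] = msg["yiaddr"]
    return summary


# Constructed sample exchange: one PXE client, one DHCP server, one PXE server.
XID = 0x3903F326
MAC = bytes.fromhex("001122334455")
SAMPLE_REQUEST = build_dhcp(BOOTREQUEST, XID, MAC, [
    (OPT_MESSAGE_TYPE, b"\x03"),                                   # DHCPREQUEST
    (OPT_REQUESTED_IP, ipaddress.ip_address("10.0.0.101").packed),
    (OPT_SERVER_ID, ipaddress.ip_address("10.0.0.1").packed),      # the chosen DHCP server
    (OPT_VENDOR_CLASS, b"PXEClient:Arch:00000:UNDI:002001"),       # "I am a PXE client"
])
SAMPLE_DHCP_ACK = build_dhcp(BOOTREPLY, XID, MAC, [
    (OPT_MESSAGE_TYPE, b"\x05"),                                   # DHCPACK carrying the lease
    (OPT_SERVER_ID, ipaddress.ip_address("10.0.0.1").packed),
], yiaddr="10.0.0.101")
SAMPLE_PXE_ACK = build_dhcp(BOOTREPLY, XID, MAC, [
    (OPT_MESSAGE_TYPE, b"\x05"),                                   # DHCPACK from the PXE server
    (OPT_VENDOR_CLASS, b"PXEClient"),                              # option 60 names the PXE service
], siaddr="10.0.0.20", bootfile=b"bstrap.0")

if __name__ == "__main__":
    for raw in (SAMPLE_REQUEST, SAMPLE_DHCP_ACK, SAMPLE_PXE_ACK):
        print(classify(parse_dhcp(raw)))
    print(summarize_boot([SAMPLE_REQUEST, SAMPLE_DHCP_ACK, SAMPLE_PXE_ACK]))
```

Run on captured UDP 67/68 payloads, the same parser gives a defender an inventory of which hosts answer PXE requests with option 60 on a subnet, which is the check to run when only the expected PXE servers should be offering bootstrap files.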
The following diagrams contain a basic outline of this process:

PXE Planning and Installation

This section contains an overview of the PXE deployment process, in the following sections:

- Enabling PXE on Managed Computers
- Installing and Configuring DHCP
- How Many PXE Servers Do I Need?
- Installing PXE Servers

Enabling PXE on Managed Computers

Each computer you plan to manage using PXE must have PXE boot enabled (sometimes called network or NIC boot) and set to the correct sequence in the BIOS. It is also a good idea to apply the latest BIOS updates, especially if your network card is integrated on the motherboard.

Deployment Solution also supports Wake on LAN to power on managed computers remotely. If this is enabled, a Wake on LAN signal is sent to the managed computer if the device is powered off (disconnected from Deployment Server) when a job is scheduled to start.

Installing and Configuring DHCP

DHCP is an integral part of the PXE process, and must be installed and configured in order to use PXE. A DHCP server is not provided with Deployment Solution; you must obtain, install, and configure this component separately. After DHCP is set up and your PXE servers are installed, you need to configure how your PXE servers interact with the DHCP server. This is done using the PXE Configuration Utility.

How Many PXE Servers Do I Need?

Number of Client Connections

PXE servers do not typically require a lot of resources. By using multicast, a single PXE server can deploy a DOS boot image to up to 100 computers at a time, and not consume any more resources than it would deploying a single image. If you are using WinPE or Linux, however, multicast boot is not available. Usually a single PXE server in a specific location is enough if you either use multicast to deploy images or spread out your image capturing jobs to be in line with the capabilities of your server. Additional PXE servers can easily be added if necessary.
Network Speed

Since the majority of the resources on a PXE server are used transferring files over the wire, the faster the network, the more work a single PXE server can do. A single PXE server on a gigabit network can capture and deploy several times as many images over a period of time as even multiple servers on a slower network.

Physical Layout of Your Network

Your PXE configuration might be set up according to the physical layout of your network. If you have three offices in different locations, it might make sense to install a PXE server at each location to reduce traffic and resolve routing issues (see PXE Request Routing). In these configurations, the deployment share can be mirrored to a local server, and images are usually taken from and restored to local file servers. See “PXE Redirection” on page 11 for an example of this type of configuration.

PXE Request Routing

PXE clients use broadcast packets to find DHCP and PXE services on a network, and multicast packets (MTFTP) to transfer files. These packet types can present challenges when planning a PXE deployment because most default router configurations do not forward broadcast and multicast traffic. Because of this, either your routers need to be configured to forward these broadcast and multicast packets to the correct server (or servers), or you need to install a PXE server on each subnet.

Routers generally forward broadcast traffic to specific computers: the source subnet experiences the broadcast, but any forwarded broadcast traffic targets specific computers. Enabling a router to support DHCP is common. If both PXE and DHCP services are located on the same computer, and DHCP packet forwarding is enabled, you shouldn’t have any problem transferring broadcast packets. If these services are located on different computers, additional configuration might be required.
If you are going to forward packets, make sure your router configuration allows DHCP traffic to access the proper ports and IP addresses for both DHCP and PXE servers.

Once the broadcast issues are resolved, the routing of multicast traffic must be considered. Multicasting leverages significant efficiencies in transferring files but also introduces challenges similar to broadcast packet forwarding. Like the broadcasting solution, routers can be configured to support multicast traffic between PXE clients and PXE servers. Please consult the documentation provided by your router vendor for additional information on packet forwarding.

Installing PXE Servers

After you have determined the PXE needs of your network, you must determine where to install these PXE servers. A PXE server can be installed on your Deployment Server, on your DHCP server, on another server in your network (such as a file server), or as a standalone server. You can also use a combination of these (for example, a PXE server on your Deployment Server and one on your DHCP server).

The actual installation process is straightforward. You can install a PXE server at the same time as you install Deployment Solution, or you can install one later by running the installation program and selecting the option to add additional components. After these servers are installed and running, they are configured using the PXE Configuration Utility. See the following section.

Configuring PXE Settings

All PXE configuration is done using the PXE Configuration Utility. The PXE Config Utility is used to create and modify two things:

- Global and local configuration settings. These settings include timeout values, replication and logging options, and so on.
- Boot options. Each boot option corresponds to a specific configuration which includes an operating system, network and other drivers, utilities, mapped drives, and so on.
This section contains a brief overview of selected PXE configuration and boot options. For complete details, see the help for the PXE Configuration Utility.

PXE Settings

Shared vs. Local

Deployment Solution provides a PXE settings hierarchy enabling you to provide shared and local PXE configuration values. All PXE servers inherit the shared values unless they are overridden on the local server.

Session Timeout

The PXE Configuration Utility connects to the PXE Manager service on Deployment Server. To make sure your changes are not overwritten by another instance of the PXE Configuration Utility, only one instance of PXE Config is allowed to connect to PXE Manager at any given time. If you attempt to launch PXE Configuration when another instance is running, you receive an error. To prevent you from being completely locked out for extended periods (for example, when an instance is inadvertently left open on another computer), a timeout has been added which terminates a connection after 30 minutes of inactivity once someone else attempts to connect. This timeout only applies if someone else is attempting to launch PXE Configuration. If no other connections are attempted, the timeout is never enabled and your session remains active.

DHCP Server Options

For most circumstances, you want option 1. If you have DHCP installed on your Deployment Server but it is not active, Deployment Server might still attempt to communicate with that instance. This is changed by selecting option 3. If you are using a third-party DHCP server which automatically sends the client 60 message, select option 2.

Boot Integrity Services

PXE is potentially vulnerable to hackers, especially in security-conscious business and government settings not willing to risk network boot-ups unless safeguards are in place. For example, it is important to ensure that the boot image comes from a trusted source and has not been tampered with in transit.
You can also designate and enforce which boot images can be installed on selected groups of platforms. Boot Integrity Services (BIS) addresses these security needs. BIS enhances the network boot environment by providing mechanisms to validate the source and integrity of programs and data downloaded over the network prior to the time an operating system is installed. Using BIS firmware built into the client computer, BIS can validate (before executing a boot image) that the image came from a trusted source and was not tampered with en route.

Deployment Server supports the BIS technology. However, the BIS support from Altiris is only applicable when the computers being managed also support BIS. Even if BIS is configured from the Deployment Server console, BIS will not work unless the physical computer supports it. At the present time, there are very few computers that support BIS.

Boot Options

Boot options are the boot configurations provided to a client by a PXE server. Each boot option has a corresponding automation operating system, network drivers, and other settings.

Shared vs. Local

Deployment Solution provides a PXE boot option hierarchy enabling you to provide shared and local PXE boot options. Shared boot configurations are available on all PXE servers, while local boot options are available on a specific PXE server.

PXE Redirection

Redirection lets you redirect a global PXE menu option to a local PXE menu option. Redirection settings are not available globally; they are always specific to an individual PXE server. This is due to the role redirection plays in your PXE environment. Consider the following example:

You manage computers in three locations: two offices in Ontario, and one office in Alberta. To limit transfer between each site, each office has a local PXE server, and a file server with a mirror of the deployment share.
This enables clients at each location to contact the local PXE server to boot, then use the local deployment mirror to access the network tools and to store images. You need to create a job to capture an image of each managed computer on Friday evening, once a month. To create this job, you add an imaging task, select a PXE boot option, then set the schedule. Simple, right?

Hold on. If you select the same PXE boot option for each office, you are going to have problems. The Alberta office uses a mirror of the deployment share on alb1\eXpress, and stores captured images on alb1\images. The two Ontario offices use the ont1 and ont2 servers respectively. You could go ahead and create three global configurations and three different jobs, but that is confusing and could potentially cause problems if the wrong selection is made. If you took this route, on each PXE server, two of the three global configurations could potentially cause problems (they are mapped to drives in remote offices).

Since you enjoy avoiding problems, what you really need is a way to select a single global configuration for a job, then update it based on the location of the PXE server. This is exactly what redirection does. You create a global configuration named, for example, “Imaging Environment”. Then, on each PXE server, you create a local configuration for each office with the correct server mappings. The “Imaging Environment” global option is then redirected to the local option, and the process is simplified. Now the imaging job can be applied to all computers at once, simplifying the process and reducing the chance of errors.
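The shared/local settings hierarchy described under PXE Settings and the per-server redirection rule from the example above, as an added Python model (not Altiris code, and not how the PXE Manager service stores its data): every server inherits the shared settings and shared boot options, a server's local settings override them, and a redirect, which exists only on an individual server, rewrites the shared "Imaging Environment" option to that server's own local option, so one job can select one option and still map each site to its own mirror. The alb1, ont1 and ont2 servers and the eXpress share name come from the example; the PXE server names, the "express" host for the shared option and the logging settings are constructed.

```python
"""Model of shared/local PXE settings, boot options and per-server redirection.
Added illustration, not Altiris code; server names, settings and paths are constructed."""
from dataclasses import dataclass, field


@dataclass
class BootOption:
    name: str
    automation_os: str        # DOS, Linux or WinPE
    deployment_share: str     # mirror of the deployment share mapped in automation
    image_store: str          # where captured images are written


@dataclass
class PxeServer:
    name: str
    local_settings: dict = field(default_factory=dict)   # overrides of the shared settings
    local_options: dict = field(default_factory=dict)    # option name -> BootOption
    redirects: dict = field(default_factory=dict)        # shared option name -> local option name


class PxeManager:
    """Holds the shared configuration that every PXE server inherits."""

    def __init__(self, shared_settings, shared_options):
        self.shared_settings = dict(shared_settings)
        self.shared_options = {o.name: o for o in shared_options}

    def effective_settings(self, server):
        """Shared values, with any local override winning."""
        merged = dict(self.shared_settings)
        merged.update(server.local_settings)
        return merged

    def add_redirect(self, server, shared_name, local_name):
        """Redirection is per server: a shared option maps to one of that server's local options."""
        if shared_name not in self.shared_options:
            raise LookupError("%r is not a shared boot option" % shared_name)
        if local_name not in server.local_options:
            raise LookupError("%s has no local option %r" % (server.name, local_name))
        server.redirects[shared_name] = local_name

    def resolve(self, server, option_name):
        """The option a client of `server` actually boots when a job selects `option_name`."""
        if option_name in server.redirects:
            return server.local_options[server.redirects[option_name]]
        if option_name in server.local_options:
            return server.local_options[option_name]
        if option_name in self.shared_options:
            return self.shared_options[option_name]
        raise LookupError("%r is not available on %s" % (option_name, server.name))


def build_example():
    """Three offices: one shared imaging option, one local option per site, redirected."""
    manager = PxeManager(
        shared_settings={"logging": "errors", "replication": "automatic"},   # constructed
        shared_options=[BootOption("Imaging Environment", "DOS",
                                   r"\\express\eXpress", r"\\express\images")],
    )
    sites = {}
    for server_name, file_server in (("alb-pxe", "alb1"), ("ont1-pxe", "ont1"), ("ont2-pxe", "ont2")):
        server = PxeServer(server_name)
        local = BootOption("Imaging - " + file_server, "DOS",
                           r"\\%s\eXpress" % file_server, r"\\%s\images" % file_server)
        server.local_options[local.name] = local
        manager.add_redirect(server, "Imaging Environment", local.name)
        sites[server_name] = server
    sites["ont2-pxe"].local_settings["logging"] = "verbose"   # one site overrides a shared setting
    return manager, sites


if __name__ == "__main__":
    manager, sites = build_example()
    for server in sites.values():
        option = manager.resolve(server, "Imaging Environment")
        print(server.name, "->", option.name, option.deployment_share, option.image_store,
              manager.effective_settings(server))
```

A server with no redirect for "Imaging Environment" falls through to the shared option and its mappings, which is exactly the situation the example warns about: a job run there would map drives in a remote office.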