Wednesday 12 August 2009

SETTING UP A GHOST SERVER USING PXE AND AN ACTIVE DIRECTORY PDC

I had set up a Ghost server in a workgroup before, but I had never tried to do it within a domain, let alone using the domain controller itself (the PDC) as the Ghost server.
I have been experimenting with VMware for the last week and finally resolved a couple of issues I ran into; hopefully this guide will shed some light on those points for other users.

So you have installed Windows Server 2003 SP2 Enterprise Edition and you are ready to create your "MyDomain" domain with dcpromo: piece of cake, just don't forget to assign a static IP address to "MyServer" first (if you forget, dcpromo will eventually complain that it is missing).
In my case I assigned the address 192.168.0.1, but it is entirely up to you.

Second: install the DNS server role. When you promote the server to a domain controller you are prompted to set it up as a DNS server as well, so it needs very little extra configuration.

Third: install the DHCP server role and create a new scope (for example 192.168.0.10 to 192.168.0.100).

If you are a system administrator you will know this already; otherwise, here is the first issue I ran into:

I set up the scope correctly



but the clients were not getting an IP address. After quite a lot of troubleshooting I realised that a DHCP server must be authorised in Active Directory before it will hand out leases, even when it runs on the domain controller itself.

Right-click the server in the DHCP console and select Authorize.




Very important: don't forget to set the following scope options. Options 066 and 067 are what the PXE ROM uses to find the TFTP server and the network boot program, so a typo here means the client never gets past DHCP:

006 DNS Servers: 192.168.0.1
013 Boot File Size: 0x28 (40 blocks of 512 bytes; the console labels this option "Boot File Size")
066 Boot Server Host Name: 192.168.0.1
067 Bootfile Name: pxelinux.0
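The same scope, authorisation and options set from the command line, as an added example that is not part of the original post: it drives netsh, which ships with Windows Server 2003, from PowerShell (assumed to be installed on the DC; the commands are identical from cmd.exe). The DNS name MyServer.MyDomain.local is an assumption, as is the 24-bit mask; run it as a domain administrator.

```powershell
# Added example (not from the original post): builds the DHCP scope described
# above with netsh. Assumes the server is MyServer in MyDomain (the DNS name
# MyServer.MyDomain.local is an assumption) and that PowerShell is installed.
$Server  = '192.168.0.1'
$Subnet  = '192.168.0.0'
$Mask    = '255.255.255.0'      # assumed mask for the 192.168.0.x lab network
$RangeLo = '192.168.0.10'
$RangeHi = '192.168.0.100'

# 1. Authorise the DHCP server in Active Directory. Without this the service
#    runs but never answers a DISCOVER, even when it lives on the DC itself.
netsh dhcp add server MyServer.MyDomain.local $Server

# 2. Create the scope and its address range.
netsh dhcp server $Server add scope $Subnet $Mask "Ghost clients" "PXE boot scope"
netsh dhcp server $Server scope $Subnet add iprange $RangeLo $RangeHi

# 3. Scope options from the post: 006 DNS, 013 Boot File Size (0x28 = 40
#    blocks of 512 bytes), 066 TFTP server, 067 network boot program.
netsh dhcp server $Server scope $Subnet set optionvalue 006 IPADDRESS $Server
netsh dhcp server $Server scope $Subnet set optionvalue 013 WORD 40
netsh dhcp server $Server scope $Subnet set optionvalue 066 STRING $Server
netsh dhcp server $Server scope $Subnet set optionvalue 067 STRING pxelinux.0

# 4. Activate the scope (state 1 = active) and print what the clients will get.
netsh dhcp server $Server scope $Subnet set state 1
netsh dhcp server $Server scope $Subnet show optionvalue
```

If the last command shows the four options but clients still get no address, check the DHCP console for the red "not authorised" arrow: step 1 is the one that is easy to skip.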



We now need a user account that the boot disk will authenticate with: for this purpose I created a user "TSBOOTDISK" with password "Tsghost12", member only of the group "Domain Users".
The next step is to create a share where we can store the Ghost executable and, obviously, the images, and to grant Full Control on it to the user TSBOOTDISK.


We can create more than one share to keep the backups separate from the original images; the procedure is the same. If you do split them, give TSBOOTDISK read-only access to the share holding the master images and write access only to the backup share: Full Control also lets the account change permissions, and its password will sit in clear text on the boot floppy, which the TFTP server hands to anyone on the segment without authentication.

Now it is time to set up the TFTP server that will deliver the boot image over PXE: I use the freeware Tftpd32, but you are free to use any TFTP server.

Here are my settings (screenshot):

In our directory C:\TFTP-Root we need the following files:
floppy.img (create it with WinImage from Bart's network boot disk)
pxelinux.0 (the PXE boot loader from the Syslinux package)
memdisk (the Syslinux module that boots a floppy image from memory)
a pxelinux.cfg folder containing the default configuration file
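An added example, not part of the original post, of what goes in pxelinux.cfg\default and a check that the TFTP root is complete before the first client boots. It assumes PowerShell on the server and the C:\TFTP-Root path from the post; pxelinux.0 and memdisk come from the Syslinux distribution and floppy.img from WinImage, so the script only verifies that they are present.

```powershell
# Added example (not from the original post): writes pxelinux.cfg\default,
# which chains memdisk to floppy.img, and checks the TFTP root for the files
# the PXE ROM will request. Paths follow the post; the config is my own.
$Root = 'C:\TFTP-Root'
$Cfg  = Join-Path $Root 'pxelinux.cfg'
New-Item -ItemType Directory -Path $Cfg -Force | Out-Null

# pxelinux falls back to pxelinux.cfg\default when no MAC- or IP-specific
# config exists. TIMEOUT is in tenths of a second, so clients boot the ghost
# label after 3 s unless someone types "local" at the boot: prompt.
@'
DEFAULT ghost
PROMPT 1
TIMEOUT 30

LABEL ghost
  KERNEL memdisk
  APPEND initrd=floppy.img

LABEL local
  LOCALBOOT 0
'@ | Set-Content -Path (Join-Path $Cfg 'default') -Encoding Ascii

# Every name here is requested verbatim over TFTP; a missing or misnamed file
# shows up on the client as a TFTP open timeout rather than a clear error.
$Required = 'pxelinux.0', 'memdisk', 'floppy.img', 'pxelinux.cfg\default'
$Missing  = @($Required | Where-Object { -not (Test-Path (Join-Path $Root $_)) })
if ($Missing.Count -gt 0) {
    Write-Warning ("Missing from ${Root}: " + ($Missing -join ', '))
} else {
    Write-Host "TFTP root complete: $($Required -join ', ')"
}
```

Keep the TFTP root to exactly these files: the server answers any read request without authentication, so nothing else (and certainly no other credential-bearing image) should live in that directory.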

You can find the whole directory HERE

A bit of configuration is required to create floppy.img and tailor it to our virtual network.
First we need to add the DOS driver for the VM's network adapter: you can find it on Bart's website; the model is AMD PCNet Family Ethernet Adapter, NDIS v2.0.1 MAC Driver v3.12 (link here).

So open floppy.img with WinImage and add the file pcntnd.cab to the lib\ndis directory.

Second, we need to modify the autoexec.net file in the etc folder so that it maps the network share automatically: I add the following lines

net use Z: \\MyServer\SVR_Share
Z:\

In the etc\PROFILE add a test.pro file containing the following:

set P_PROT=mstcp
set P_IP=0.0.0.0
set P_SUBNET=0.0.0.0
set P_GWAY=0.0.0.0
set P_WINS=0.0.0.0
set P_DNS=0.0.0.0
set P_DHCP=1
set P_PKT=1
set P_USER=TSBOOTDISK
set P_MNAME=PC-102192
set P_WRKGRP=workgroup
set P_DOMAIN=MyDomain
set P_TIMEOUT=0
set P_NICMODE=2
set P_TCPWIN=1
set P_IDWIN=1
set W_PASSWD=Tsghost12

I noticed that the Bart disk has some trouble running Ghost: when the process starts it usually freezes immediately.
I found instead that the Universal TCP/IP Network Bootdisk works very well: it obviously needs a bit of configuration too, or you can download the whole TFTP-Root directory with the universal disk from HERE


We should now be ready, so let's give it a go:


As we can see we were logged on as TSBOOTDISK, so why are we prompted for a password? Worse, even if we type the correct password "Tsghost12" we get ERROR 5: Access has been denied.

The NET VIEW command returns

ERROR 6118: The list of servers for this workgroup is not currently available

I literally tried everything to resolve this, from changing the password for TSBOOTDISK to modifying the test profile, but nothing seemed to work.
Until I found on the net that a couple of Domain Security Policies needed to be disabled. The root cause is that the DOS LanMan redirector on the boot floppy cannot sign SMB traffic and only produces LM/NTLM responses, while a Windows Server 2003 domain controller requires signed SMB sessions by default, so the DC rejects the session no matter which password you type:

Domain member: Digitally encrypt or sign secure channel data (always) - Disabled
Microsoft network client: Digitally sign communications (always) - Disabled
Microsoft network server: Digitally sign communications (always) - Disabled
Network security: LAN Manager authentication level - Send LM & NTLM responses

But I was still prompted for a password and still got access denied.
After several more attempts I finally succeeded by disabling the following policies:

Domain member: Digitally encrypt or sign secure channel data (always) Disabled
Domain member: Digitally encrypt secure channel data (when possible) Disabled
Domain member: Digitally sign secure channel data (when possible) Disabled

Microsoft network client: Digitally sign communications (always) Disabled
Microsoft network client: Digitally sign communications (if server agrees) Disabled

Microsoft network server: Digitally sign communications (always) Disabled
Microsoft network server: Digitally sign communications (if client agrees) Disabled

Network security: LAN Manager authentication level - Send LM & NTLM responses



Do the same in the Domain Controller Security Policy (the Default Domain Controllers Policy), then run gpupdate /force on the server: the share lives on the domain controller, so that is the policy the DOS client actually runs into.

Be aware of what these switches do. Changed in the Domain Security Policy they apply to every member of the domain, not just to the Ghost server: every machine will now accept unsigned SMB sessions, which is what makes SMB relay attacks possible, and will send LM responses, which are cheap to crack from a packet capture. Keep this to a lab or an isolated imaging network, or put the Ghost server in its own OU with a GPO that relaxes only these settings there, and restore the defaults as soon as imaging is done. The "Domain member" entries govern the Netlogon secure channel between a member computer and the DC, something a DOS client never establishes, so it is worth re-enabling those first and confirming Ghost still works.
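A check I would run on the domain controller after editing the policies and after putting them back, as an added example that is not part of the original post: it reads the registry values behind each policy listed above, so you see what actually took effect rather than what the editor shows. It assumes PowerShell on the server; the policy-to-registry mapping is the documented one, and the 2003 default of 2 for LmCompatibilityLevel is what the script treats as the baseline.

```powershell
# Added example (not from the original post): reports the effective value of
# each security policy from the post by reading the registry value it sets.
# Run on the machine hosting the share (the DC) after "gpupdate /force".
$NL = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$WS = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$SV = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$LSA = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Hardened = the smallest value that still counts as the secure setting.
# For the signing/sealing switches that is 1 (Enabled); for the LAN Manager
# level it is 2 (Send NTLM response only, the Server 2003 default); the post
# lowers it to 0 (Send LM & NTLM).
$Checks = @(
  @{ Key=$NL;  Name='RequireSignOrSeal';        Hardened=1; Policy='Domain member: encrypt or sign secure channel (always)' },
  @{ Key=$NL;  Name='SealSecureChannel';        Hardened=1; Policy='Domain member: encrypt secure channel (when possible)' },
  @{ Key=$NL;  Name='SignSecureChannel';        Hardened=1; Policy='Domain member: sign secure channel (when possible)' },
  @{ Key=$WS;  Name='RequireSecuritySignature'; Hardened=1; Policy='Network client: sign communications (always)' },
  @{ Key=$WS;  Name='EnableSecuritySignature';  Hardened=1; Policy='Network client: sign communications (if server agrees)' },
  @{ Key=$SV;  Name='RequireSecuritySignature'; Hardened=1; Policy='Network server: sign communications (always)' },
  @{ Key=$SV;  Name='EnableSecuritySignature';  Hardened=1; Policy='Network server: sign communications (if client agrees)' },
  @{ Key=$LSA; Name='LmCompatibilityLevel';     Hardened=2; Policy='LAN Manager authentication level' }
)

foreach ($c in $Checks) {
    $item  = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    $value = $(if ($item) { $item.($c.Name) } else { '(not set)' })
    # A DWORD comes back as [int]; anything else (missing) is reported as relaxed
    # because the DOS client only works when these are 0, so "not set" is
    # worth a second look rather than silent acceptance.
    $state = $(if (($value -is [int]) -and ($value -ge $c.Hardened)) { 'hardened' } else { 'RELAXED' })
    '{0,-8} {1,-24} = {2,-9} {3}' -f $state, $c.Name, $value, $c.Policy
}
```

Every line should read RELAXED while imaging is in progress and hardened once you have reverted the policies; a mix usually means gpupdate has not run yet on that machine or the setting was changed in the wrong policy object.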



And finally we are able to access the share and start GHOST.exe

HERE you can download this guide in Word format

2 comments:

Unknown said...

Great explanation. Unfortunately I'm still getting the "Access denied" message... :-(

darconio said...

Sorry to hear that mate!
Did you change all the policies listed, and have you also done the same for the Domain Controller Security Policy?