The art of desktop deployment
Scripted install or imaging?
Blog Each week brings a new topic to discuss here on the Reg Desktop Management Blog, and this week's is Windows Deployment Services (WDS) vs Ghost-Like Applications (GLAs).
Now, unless you already have a fairly good idea what ghost is, that topic would probably be fairly meaningless to you. The topics I discuss in my blog posts are based on challenges I have to overcome as part of a network upgrade I am performing. The challenge that triggered this set of articles is install and configure (to “deploy”) a computer in another physical location from with a new operating system, and a pre-configured copy of the corporate bundle of applications. The methods of doing so are many and varied; some of which are not simple.
I’ll be honest and up front about this, I haven’t touched this topic in about ten years. I have used Symantec Ghost for ages, but when Windows 2000 came out I took the time to learn Microsoft’s Remote Imaging Services (RIS). I remember only frustration and defeat - a few weeks of working at it, and I admit that I retreated back to the comfort of Ghost. It was a product with which I was familiar, it was easy to use, and I had little reason to ever look at alternative. A massive network upgrade is however a great reason to do research on just about everything, and so I am setting about to discover the best possibly way to remotely image my desktop PCs.
The big question for me, initially, was “so what’s out there?” I have lived a decade of desktop imaging seclusion, and it was time to poke my head out of the cave. The first place to look was at the tools Microsoft offers, if for no other reason than that it is part of the Microsoft servers I already run. It is not exactly “free,” but it is part of software I will already be paying for regardless. I was pleased to discover that the state of Microsoft desktop imaging has evolved in the past decade. Microsoft now has two different offerings; RIS has been upgraded to WDS, and they have System Center Configuration Manager (SCCM) for good measure.
I won’t go into SCCM in any further detail except to say that it is both a feature-rich desktop management application of which desktop imaging is only a fraction of its functionality, and that it is completely outside of my price range. (Similarly, Symantec’s Altiris and most other offerings competing in the “full blown desktop management solution” range are simply not financially feasible.)
Exploring Windows deployment services, I discovered that it now offers two modes: scripted installation and imaging. Scripted installation has not changed much since RIS, and is essentially exactly what it sounds like. WDS in scripted install mode deploys a minimal boot environment to the target computer, and runs a Windows install along pre-defined lines using a script you created. It then relies on either post-install scripts to install applications, or having applications deployed via group policy objects in active directory.
In theory, scripted installs are superior to imaging, because it offers much greater flexibility in configuring the operating system and any scripting-friendly applications. This flexibility comes at a price though: it is significantly more complex than straight imaging, can take far more time to execute, and (depending on the application’s level of “scripting-friendliness”) may require user input from individuals on site.
An open source alternative to WDS imaging mode exists in the form of a Linux distribution called WINNER (Windows Is Not Necessary for Everyone's RIS). Imaging mode is very similar in concept to what is most often referred to as “ghosting”. In the bad old days, if you had two computers that were hardware-identical in every way, you could image a bit-for-bit copy of one computer’s hard drive onto the other. Think of it as copying and pasting an entire operating system; applications, configurations and all. The catch was that the hard drives had to be identical, because it was quite literally a bit-for-bit transfer.
As time marched on the technology evolved, and limitations were successively removed. You could eventually image to drives of different sizes, from one partition to another or even image files instead of partitions. Eventually, GLAs became “operating system aware”. They offered the ability to modify the hardware access layer (HAL) of Windows. This had the benefit of allowing you to (sometimes) image from one PC to a PC with completely different hardware, and by extension driver requirements.
Modern GLAs have refined this art into a science, and it is now commonplace to take an image of an operating system and ghost it either onto a computer with completely different hardware, or even into a virtual machine. It needs to be noted that software makers tend to dislike GLAs. Their complaint is that it copies the CD keys and license information of all your installed products along with everything else. An unscrupulous administrator could use GLAs to duplicate one set of installed and activated/validate applications across many computers.
As a response to this, many companies have invested significant time and money into making their applications capable of detecting ghosting, and subsequently disabling themselves. These technologies can have unintentional side effects, such as disabling the application if the computer’s name is changed, or a hardware component is replaced. As imaging becomes more commonplace, the practice has become more controversial, but it remains commonplace enough to be a consideration that requires a great deal of testing before using imaging in a production environment.
The more polite application developers allow installation methods friendly to imaging; you can install their applications without entering your license information. These applications will instead prompt you for this information the first time you run the program, allowing you to deploy their applications to multiple computers while still remaining license compliant.
Most developers who have put this much thought into their application will distribute their applications in such a way that they not only will ask for license information on first run rather than install, but will also have a “silent install” method that lends itself well to the “scripted install” method of desktop imaging.
Windows itself is quite possibly the greatest example of such software. With any of a large number of GLAs, you can easily image any Windows operating system provided you sysprep it first. (Sysprep removes all Microsoft license information from the computer.) While imaging XP still largely requires that the image be restored to a computer that is hardware-identical, on Windows Vista or newer (NT6), sysprep can do marvelous things.
On NT6, sysprep makes the copy of windows you are imaging “generic,” allowing you to deploy your image to a much broader collection of hardware. With Windows XP, the rule of thumb was that the southbridge of the source and destination computers had to be the same, as did the interface for the hard drive the OS was installed on. With NT6, so long as the source and destination hardware are x64 compatible, you are good to go.
When comparing either scripted installs or imaging, it should be noted that as is typically the case, Microsoft’s offerings only really recognize or play with Microsoft’s software. It is possible to trick WDS into deploying Linux images; however it is often messy, and rarely easy. At the moment, I know of no way to convince WDS to run scripted Linux installs, something almost every Linux distribution has put a great deal of time into perfecting. (Look up kickstart for RHEL if you are looking to script a Linux install. Other distributions have their variants.)
Acknowledging the Microsoft-centric limitations of WDS, it is then worth looking at the absolute plethora of GLAs that exist. The top commercial (payware) offerings are the canonical Norton/Symantec Ghost, Acronis True Image, Terabyte’s Boot IT NG, Future Systems’ Casper, and Paragon’s Hard Disk Manager Suite. Each of these applications can handle imaging not only of Windows, but of Linux as well. The fierce competition amongst these applications has driven the list of features up such that comparing them is a research project of itself.
Perhaps more excitingly, and certainly of interest to any company on a tight budget, there exist several stable and credible open source alternatives. The first on this list is Clonezilla. Clonezilla isn’t so much an imaging application as a collection of them packaged together in an easy to use distribution. (Clonezilla relies on a GLA called Partimage, itself available in live cd format.) Clonezilla offers just about everything you could want in an imaging application: the ability to image operating systems of many stripes, massively multicast images to your target computers, and even comes with an open-source version of sysprep to ensure your Windows images are deployed with unique SIDs.
Another very notable GLA that I have had the opportunity to explore was LRS (Linbox Rescue Server). LRS was feature-packed, and while a little cumbersome to use I would go so far as to say that it compares well with Ghost Enterprise Server, and expands upon its basic imaging capabilities by offering system backup, file backup, inventory, and both VNC and Webmin integration. Eventually however I settled on PING (Ping Is Not Ghost) as my favourite of the open source GLAs. PING does everything I want a GLA to do, and it has a sister project WINNER that is a RIS/WDS competitor. Amongst all the open source imaging applications I tried, both FOG (“free, open-source ghost”) and g4u (“ghosting for unix”) are also deserving of honourable mentions. The open source GLAs naturally handle Linux imaging as well as Windows.
Looking at the list of applications mentioned above both as payware and as open source, it should go without saying that the market for imaging applications is fiercely competitive. Finding an imaging program to take an image of your computer, and either restore it to that same computer or a completely different computer is no longer a problem. The challenge lies in finding one that will do so across computers with completely different hardware. The program must ensure that unique identifiers (such as the Windows SID,) are changed and it must be able to image multiple systems at a time using PXE.
Having taken the time to research all of the options available to me, I feel that the most mature representative of payware desktop deployment software is the canonical Syamtec Ghost. PING claims to be the best of breed for the open source alternatives, and since I found nothing to dispute this claim it will serve as my representative example of open source imaging software. Both of these will of course have to compete for my affections against Microsoft’s WDS. Both WDS and PING (via its sister distro WINNER) support scripted install in addition to imaging as methods of desktop deployment.
In my next article I will discuss the implementation of these applications in a real world environment, how they stack up against each other, and my expectations for ease of use. ®
Sponsored: Global DDoS threat landscape report