PXE boot menu with System Center Configuration Manager

This article looks at extending the capabilities of System Center Configuration Manager (a product for managing IT infrastructure) when user PCs boot over the network using PXE. We build a boot menu based on PXELinux that keeps the System Center functionality and adds anti-virus scanning, diagnostic and recovery images. At the end of the article, we touch on how System Center 2012 Configuration Manager works together with Windows Deployment Services (WDS) when booting via PXE.

We perform all actions in a test environment that already has System Center 2012 Configuration Manager SP1, a domain controller, and a number of test machines. It is assumed that SCCM is already deploying over the network using PXE.

Introduction

The test environment consists of several virtual machines. All machines run Microsoft Windows Server 2008 R2 (x64) as the guest OS, with an E1000 network adapter and an LSI Logic SAS SCSI controller.

Name (Roles)                                  IP address / DNS name                   Function
SCCM (System Center Configuration Manager)    192.168.57.102 / sccm2012.test.local    Installed System Center Configuration Manager 2012 SP1
DC (AD, DHCP, DNS)                            192.168.57.10 / dc1.test.local          The role of the domain controller, DHCP server and DNS server
TEST (Test machine)                           192.168.57.103 / test.test.local        For testing
G.W. (Gateway)                                192.168.57.1                            Routing between networks. Gateway role

1. Add PXELinux to SCCM

We perform these actions on the machine where System Center Configuration Manager is installed.

  • First, determine the directory from which WDS serves files for download. To do this, look in the registry for the value of the RootFolder parameter under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WDSServer\Providers\WDSTFTP
    The default value is C:\RemoteInstall
    The files served for download from the SCCM deployment point are located in the directories smsboot\x86 and smsboot\x64, depending on the architecture.
    First, set up the directory for the 32-bit architecture, by default c:\Remoteinstall\smsboot\x86
  • Download the archive with the latest syslinux. Copy the following files from syslinux-5.01.zip to c:\Remoteinstall\smsboot\x86:
    memdisk, chain.c32, ldlinux.c32, libcom32.c32, libutil.c32, pxechn.c32, vesamenu.c32, pxelinux.0
    The additional files are needed to avoid an error.
  • In c:\Remoteinstall\smsboot\x86, rename pxelinux.0 to pxelinux.com
    In the folder c:\remoteinstall\smsboot\x86, make a copy of abortpxe.com and rename it to abortpxe.0
    If the file is not renamed to the .0 extension, then, for example, the instruction

    Kernel abortpxe.com

    will fail with the following error: Booting kernel failed: Bad file number
    For PXELINUX, the extension of the file to load should be set according to the table

    none or other	Linux kernel image
     .0		PXE bootstrap program (NBP) [PXELINUX only]
     .bin		"CD boot sector" [ISOLINUX only]
     .bs		Boot sector [SYSLINUX only]
     .bss		Boot sector, DOS superblock will be patched in [SYSLINUX only]
     .c32		COM32 image (32-bit COMBOOT)
     .cbt		COMBOOT image (not runnable from DOS)
     .com		COMBOOT image (runnable from DOS)
     .img		Disk image [ISOLINUX only]
    

    Source: http://www.syslinux.org/wiki/index.php/SYSLINUX#KERNEL_file (KERNEL file section)

  • To avoid pressing the F12 key several times when loading SCCM through the menu, rename pxeboot.com to pxeboot.com.f12 and copy pxeboot.n12 to pxeboot.com
    If this is not done, the request to press F12 appears every time the item is selected.
    Note: Do not forget to rename these files in the x64 folder as well. When x86\wdsnbp.com is loaded from the x86 folder, the loader determines the processor architecture, and the next file is loaded from the folder for that architecture. Thus, for x64, the next file will be x64\pxeboot.com, not x86\pxeboot.com
  • Download or create background.png with a resolution of 640x480 and copy it to the same folder. Create a folder named ISO, where we will place the ISO images. Create a folder named pxelinux.cfg for the configs.
  • In the pxelinux.cfg folder, create a file named default, in a non-Unicode encoding, with the following content

    # use the graphical menu
    DEFAULT vesamenu.c32
    PROMPT 0
    timeout 80
    TOTALTIMEOUT 9000
    
    MENU TITLE PXE Boot Menu (x86)
    MENU INCLUDE pxelinux.cfg/graphics.conf
    MENU AUTOBOOT Starting Local System in 8 seconds
    
    # Boot local HDD (default)
    LABEL bootlocal
    menu label Boot Local
    menu default
    localboot 0x80
    # if it doesn't work 
    #kernel chain.c32
    #append hd0
    
    # Menu entry protected by the password Qwerty, MD5 algorithm
    label av
    menu label Antivirus and tools
    menu PASSWD $1$15opgKTx$dP/IaLNiCbfECiC2KPkDC0
    kernel vesamenu.c32
    append pxelinux.cfg/av.conf
    
    label sccm
    menu label Start to SCCM
    COM32 pxechn.c32
    APPEND sccm2012.test.local::smsboot\x86\wdsnbp.com -W
    
    label pxe64
    menu label Start to x64 pxelinux
    COM32 pxechn.c32
    APPEND sccm2012.test.local::smsboot\x64\pxelinux.com
    
    LABEL Abort
    MENU LABEL Exit
    KERNEL abortpxe.0

    In the pxelinux.cfg folder, create a file named graphics.conf with the following content

    MENU MARGIN 10
    MENU ROWS 16
    MENU TABMSGROW 21
    MENU TIMEOUTROW 26
    MENU COLOR BORDER 30;44 #00000000 #00000000 none
    MENU COLOR SCROLLBAR 30;44 #00000000 #00000000 none
    MENU COLOR TITLE 0 #ffffffff #00000000 none
    MENU COLOR SEL 30;47 #40000000 #20ffffff
    MENU BACKGROUND background.png
    NOESCAPE 0
    ALLOWOPTIONS 0

    In the pxelinux.cfg folder, create a file named av.conf with the following content

    DEFAULT vesamenu.c32
    PROMPT 0
    MENU TITLE Antivirus and tools
    MENU INCLUDE pxelinux.cfg/graphics.conf
    
    label main menu
    menu label return to main menu
    kernel vesamenu.c32
    append pxelinux.cfg/default
    
    label drweb
    menu label DrWeb
    kernel memdisk
    append iso raw initrd=iso\drweb.iso
    
    label eset
    menu label Eset
    kernel memdisk
    append iso raw initrd=iso\eset_sysrescue.iso
    
    label kav
    menu label KAV Rescue CD
    KERNEL kav/rescue
    APPEND initrd=kav/rescue.igz root=live rootfstype=auto vga=791 init=/init kav_lang=ru udev liveimg doscsi nomodeset quiet splash
    
    # Load the ISO by its full path; it can be loaded from another TFTP server
    label winpe
    menu label WinPE  from another TFTP
    kernel sccm2012.test.local::smsboot\x86\memdisk
    append iso raw initrd=sccm2012.test.local::smsboot\x86\iso\WinPE_RaSla.iso
    
    label clonezilla
    menu label Clonezilla
    kernel memdisk
    append iso raw initrd=iso\clonezilla.iso
    
  • As a result, the c:\remoteinstall\smsboot\x86 directory contains the following structure

    c:\remoteinstall\smsboot\x86\
        chain.c32
        ldlinux.c32
        libcom32.c32
        libutil.c32
        pxechn.c32
        vesamenu.c32
        pxelinux.com
        background.png
        abortpxe.0
        wdsnbp.com
        bootmgfw.efi
        wdsmgfw.efi
        bootmgr.exe
        pxeboot.n12
        pxeboot.com
        abortpxe.com

    c:\remoteinstall\smsboot\x86\pxelinux.cfg\
        default
        av.conf
        graphics.conf

    c:\remoteinstall\smsboot\x86\ISO\
        *.iso

  • For the x64 architecture, we similarly copy and create the same structure in the folder c:\remoteinstall\smsboot\x64

Addendum
With the menu PASSWD command, the password can be given either as is (in clear text) or as a hash, with the signature of the hashing algorithm at the beginning of the parameter

Algorithm     Signature
MD5           $1$
SHA-1         $4$
SHA-2-256     $5$
SHA-2-512     $6$

So, for the password Qwerty and the MD5 algorithm:

menu PASSWD $1$15opgKTx$dP/IaLNiCbfECiC2KPkDC0

You can generate the password hash, for example, with the online hash generator at www.insidepro.com/hashes.php?lang=rus, using the MD5(Unix) line.
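
As an added example (not part of the original article), the following Python script audits PXELINUX menu files such as the default and graphics.conf files above: it reports which hashing scheme each MENU PASSWD entry uses and whether the NOESCAPE setting leaves the keyboard escapes enabled. The function names, the WEAK policy set and the abridged sample config are assumptions made for this example.

```python
# Signatures accepted by MENU PASSWD, as listed in the table above.
SCHEMES = {"$1$": "MD5", "$4$": "SHA-1", "$5$": "SHA-2-256", "$6$": "SHA-2-512"}
# Assumption: audit policy of this example, not a syslinux rule.
WEAK = {"cleartext", "MD5", "SHA-1"}

def passwd_scheme(value):
    """Classify a MENU PASSWD argument by its leading signature."""
    for sig, name in SCHEMES.items():
        if value.startswith(sig):
            return name
    return "cleartext"

def audit_menu(text):
    """Parse one menu file; return ({label: scheme or None}, {directive: value})."""
    entries, settings, label = {}, {}, None
    for raw in text.splitlines():
        words = raw.strip().split(None, 2)
        if not words or words[0].startswith("#"):
            continue
        key = words[0].upper()
        if key == "LABEL" and len(words) > 1:
            label = " ".join(words[1:])
            entries[label] = None          # no password seen yet for this entry
        elif key == "MENU" and len(words) == 3 and words[1].upper() == "PASSWD":
            if label is not None:
                entries[label] = passwd_scheme(words[2].strip())
        elif key in ("NOESCAPE", "ALLOWOPTIONS") and len(words) > 1:
            settings[key] = words[1]
    return entries, settings

def findings(entries, settings):
    """Turn the parsed state into human-readable findings."""
    out = [f"{lbl}: password stored as {s}" for lbl, s in entries.items() if s in WEAK]
    if settings.get("NOESCAPE", "0") != "1":
        out.append("NOESCAPE is not 1: Shift/Alt/Caps Lock/Scroll Lock escapes stay enabled")
    return out

# Constructed sample: abridged from the default and graphics.conf files above.
SAMPLE = """\
LABEL bootlocal
menu label Boot Local
localboot 0x80
label av
menu label Antivirus and tools
menu PASSWD $1$15opgKTx$dP/IaLNiCbfECiC2KPkDC0
label sccm
menu label Start to SCCM
NOESCAPE 0
ALLOWOPTIONS 0
"""

if __name__ == "__main__":
    for finding in findings(*audit_menu(SAMPLE)):
        print("FINDING:", finding)
```

The config files are served over TFTP without authentication, so any hash stored in them is readable by every machine that can reach the boot server; that is why the example treats the scheme as something worth auditing.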

2. Set up PXELinux boot

Now we will specify how to load pxelinux.com and get the menu.
Specifying the pxelinux.com bootloader through the WDS functionality does not work in SCCM. Commands of the form

wdsutil /set-server /bootprogram:boot\x86\pxeboot.com /architecture:x86

are not processed. You can verify that boot images are not set by running the command that outputs the WDS server configuration

wdsutil /get-server /show:images

Therefore, in SCCM 2012, you cannot specify your own file for PXE boot to the SMSPXE provider, so we will configure the active scope of the DHCP server instead.
In the options of the active DHCP scope, set the parameters according to the table

DHCP option    Parameter name          Value
066            Boot server hostname    sccm2012.test.local
067            Bootfile name           smsboot\x86\pxelinux.com
006            DNS Servers             192.168.57.10
015            DNS Domain Name         test.local

In option 066 we specify the FQDN of the SCCM server, in option 067 the path to the x86 bootloader pxelinux.com starting from the TFTP root, and in option 006 the IP address of the DNS server. If a short server name is used in option 066, we specify the DNS suffix of the domain in option 015.

Addendum
mvgolubev described the DHCP configuration in more detail here. But on the DC, option 150 (TFTP server IP address) was missing from the DHCP scope settings, and specifying option 150 via netsh did not work.

3. Checking the result

The basic settings are complete and we can start checking. On the test computer, we set network boot in the BIOS and boot into the menu.

Select the item "Start to SCCM". If a task sequence is assigned to the computer, then after a while the "Task Sequence Wizard" window appears, prompting you to enter a password.

Reboot the machine, go back to the menu, select "Antivirus and tools" and enter the password Qwerty.

We select an arbitrary item and observe the ISO image being loaded into memory.

We wait and see the result.

Verification completed.

4. Additional settings and features

Routing setup

If the client, the DHCP server and the server containing the network loader are in the same network segment, no additional configuration is required. However, if the client and the DHCP server or WDS/SCCM server are located on different network segments, it is recommended that you configure your routers to forward broadcast packets from the client to the active DHCP server and the active WDS/SCCM server. In English-language documentation, this process is known as "IP Helper table updates". In this case, after obtaining an IP address, the client contacts the server containing the network loader directly via DHCP packets in order to download the network loader.
For Cisco routers, use the command

ip helper-address {ip address}

where {ip address} is the address of the DHCP server or WDS/SCCM server. This command also forwards the following UDP broadcast packets

Port    Protocol
69      TFTP
53      Domain Name System (DNS)
37      Time service
137     NetBIOS Name Server
138     NetBIOS Datagram Server
67      Bootstrap Protocol (BOOTP)
49      TACACS

The second method, in which the client obtains information about the network loader directly from the DHCP server, is to specify options 60, 66 and 67 on the DHCP server. DHCP option 60 with the value "PXEClient" is applied to all DHCP scopes only if the DHCP server is hosted on the same server as Windows Deployment Services. In this case, the client communicates directly with the Windows Deployment Services server using TFTP on UDP port 4011 instead of using DHCP. Microsoft does not recommend this method because of issues with load balancing and incorrect handling of DHCP options and Windows Deployment Services response options on the client side, and also because using only the two DHCP options 66 and 67 bypasses the parameters set on the network boot server.
You also need to open the following UDP ports on the Windows Deployment Services server:
port 67 (DHCP)
port 69 (TFTP)
port 4011 (PXE)
and port 68 if DHCP authorization is required on the server.

The configuration process and the nuances of redirection between different WDS servers are described in more detail in the following sources:
Network boot program management http://technet.microsoft.com/ru-ru/library/cc732351(v=ws.10).aspx
Server management http://technet.microsoft.com/ru-ru/library/cc770637(v=ws.10).aspx
Microsoft Product Support Services (PSS) support boundaries for network booting Microsoft Windows Preinstallation Environment (Windows PE) 2.0 http://support.microsoft.com/kb/926172/en-us
How to forward UDP broadcast (BOOTP / DHCP) on Cisco http://www.cisco-faq.com/163/forward_udp_broadcas.html
Features of operation and configuration of DHCP on Cisco routers (Part 2) http://habrahabr.ru/post/89997/

Additional options for local boot

In the test environment, the command

localboot 0

produces an error.
It follows from the syslinux documentation that with

localboot 0

booting proceeds from a local disk. A specific value of 0x00 boots from the primary floppy disk, and 0x80 boots from the primary hard disk. After changing the command to

localboot 0x80

the local OS booted.
If you need to boot from a specific disk or partition, or the localboot command does not work, you can use the chain.c32 module. After loading it, use the append command to specify a disk or disk partition. Disk numbering starts from 0 and partition numbering from 1; if partition 0 is specified, the MBR is loaded. When specifying a disk, the partition can be omitted.

KERNEL chain.c32
APPEND hd0 0

or

KERNEL chain.c32
APPEND hd0

Sources: http://www.syslinux.org/wiki/index.php/SYSLINUX#LOCALBOOT_type_.5BISOLINUX.2C_PXELINUX.5D
http://www.gossamer-threads.com/lists/syslinux/users/7127

Order and description of the files loaded via PXE

As mentioned at the beginning of the article, the directory from which WDS serves files for download is given by the value of the RootFolder parameter under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WDSServer\Providers\WDSTFTP
The default value is C:\RemoteInstall
The ReadFilter parameter under the same key lists the directories, relative to that root, in which the TFTP server looks for files to serve. With SCCM 2012 SP1 installed, this setting is

\boot\*
\tmp\*
\SMSBoot\*
\SMSTemp\*
\SMSImages\*

If you change the parameter value to * then all files located in the RemoteInstall directory will be served.

The SCCM 2012 deployment point role is specified in the registry value ProvidersOrder, located under the key HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSPXE
The ProvidersOrder parameter can take the following values

SMSPXE            PXE service point in SCCM
SMS.PXE.Filter    PXE script handler from MDT (Microsoft Deployment Toolkit)
BINLSVC           Standard WDS and RIS engine

With SCCM installed, the ProvidersOrder parameter has the value SMSPXE. By changing the parameter, you can change the order in which providers are loaded.

The RemoteInstall directory contains the following standard files

wdsnbp.com
    A network boot program designed for Windows Deployment Services that performs the following tasks:
    1. Architecture detection.
    2. Maintenance of waiting computers. When the auto-add policy is enabled, this network boot program is sent to waiting computers to suspend network boot and inform the server of the client computer's architecture.
    3. Using network boot links (including using DHCP options 66 and 67).

PXEboot.com
    (Default) Requires the user to press F12 to continue network boot.

PXEboot.n12
    Does not require the user to press the F12 key and starts network booting immediately.

AbortPXE.com
    Boots the computer using the next boot item in the BIOS without waiting.

bootmgr.exe
    Windows Boot Manager (Bootmgr.exe or Bootmgr.efi). Loads the Windows bootloader using firmware from a specific disk partition or over a network connection (in case of network boot).

Bootmgfw.efi
    The EFI version of PXEboot.com and PXEboot.n12 (in EFI, the choice to boot or not to boot PXE is in the EFI shell, not the network boot program). Bootmgfw.efi combines the capabilities of PXEboot.com, PXEboot.n12, abortpxe.com, and bootmgr.exe. It currently only exists for x64 and Itanium architectures.

Default.bcd
    Boot Configuration Data Store (BCD), REGF format, can be loaded into REGEDIT, replaces the Boot.ini text file.

Loading occurs in the following order, as described above:
1. wdsnbp.com is downloaded.
2. Next, pxeboot.com of the appropriate architecture is loaded.
3. PXEBoot.com downloads bootmgr.exe and the BCD boot configuration data store.
4. Bootmgr.exe reads the operating system entries in the BCD boot configuration data and loads the Boot.sdi file and the Windows PE image (boot.wim).
5. Bootmgr.exe starts loading Windows PE by accessing Winload.exe in the Windows PE image.

If the RemoteInstall directory contains the folders

Boot
Images
Mgmt
Templates
Tmp
WdsClientUnattend

their presence means that, before the distribution point role was added in SCCM 2012 (PXE service point in SCCM 2007), some configuration action was performed on the installed Windows Deployment Services (WDS) that automatically created these folders.
For the distribution point role (PXE service point in SCCM 2007), the following folders alone are sufficient

SMSBoot
SMSIMAGES
SMSTemp
Stores

This does not mean that SCCM is installed incorrectly, but it may point to a possible source of errors.
Solutions to various problems with the combination of WDS, SCCM and PXE are discussed in great detail in the article "Troubleshooting the PXE Service Point and WDS in Configuration Manager 2007".

Conclusion

An IT infrastructure managed by System Center Configuration Manager has gained a new tool for field system administrators.

List of links to ISO images
download.f-secure.com/estore/rescue-cd-3.16-52606.iso
git.ipxe.org/releases/wimboot/wimboot-latest.zip
download.geo.drweb.com/pub/drweb/livecd/drweb-livecd-602.iso
rescuedisk.kaspersky-labs.com/rescuedisk/updatable/kav_rescue_10.iso
esetsupport.com/eset_sysrescue.iso
boot.ipxe.org/ipxe.iso
citylan.dl.sourceforge.net/project/clonezilla/clonezilla_live_alternative/20130226-quantal/clonezilla-live-20130226-quantal-i386.iso
ftp.rasla.ru/_Distr_/WinPE/RaSla/WinPE_RaSla.iso
www.kernel.org/pub/linux/utils/boot/syslinux/syslinux-5.01.zip

Thank you for your attention!

Source: habr.com
