Front cover

Deployment Guide Series: Tivoli Provisioning Manager for OS Deployment V5.1

Insider's Guide to TPM for OS Deployment
Learn how to migrate to Vista easily
Best practices for large deployments

Vasfi Gucer, Damir Bacalja, Dominique Bertin, Richard Hine, Scott M Kay, Francesco Latino

ibm.com/redbooks

International Technical Support Organization
May 2007
SG24-7397-00

Note: Before using this information and the product it supports, read the information in "Notices" on page ix.

First Edition (May 2007)

This edition applies to IBM Tivoli Provisioning Manager for OS Deployment V5.1.

Copyright International Business Machines Corporation 2007. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.

Trademarks

The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:

AIX, MVS, Tivoli Enterprise, BladeCenter, NetView, Tivoli Enterprise Console, Candle, PartnerWorld, Tivoli, DB2 Universal Database, Redbooks, VTAM, DB2, Redbooks (logo), xSeries, IBM, ServerGuide, IMS, System x

The following terms are trademarks of other companies:

Oracle, JD Edwards, PeopleSoft, Siebel, and TopLink are registered trademarks of Oracle Corporation and/or its affiliates.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

Adobe, Acrobat, and Portable Document Format (PDF) are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

Java, JDBC, JDK, J2EE, Solaris, Ultra, and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Access, Active Directory, Aero, BitLocker, Internet Explorer, Microsoft, MS-DOS, MSN, Windows Media, Windows NT, Windows Vista, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

i386, Intel, Pentium, Xeon, Intel logo, Intel Inside logo, and Intel Centrino logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.

Preface

Tivoli Provisioning Manager for OS Deployment provisions operating systems (OS) and applications to computers using the PXE (Pre-boot eXecution Environment) industry standard for bare-metal installation. A bare-metal installation eliminates the need for an operating system to be present on a local disk drive. Tivoli Provisioning Manager for OS Deployment is a turn-key solution to the most common provisioning issues and provides an easy to use, turn-key solution for education, small-to-medium businesses (SMB) or larger accounts.

In this easy-to-follow IBM Redbooks publication we cover different image management scenarios with Tivoli Provisioning Manager for OS Deployment, such as Windows XP, Windows 2003, Vista, and Linux deployments. We also discuss how to design and implement a highly-effective image management solution for small, medium, and enterprise accounts, taking into consideration network bandwidth limitations and large OS image sizes.

We also provide some best practices on how to integrate Tivoli Provisioning Manager for OS Deployment with other change management products, CD/DVD-based deployment, image redeployment, and troubleshooting.

Finally, we cover Tivoli Provisioning Manager for OS Deployment sales engagement planning, including a sample statement of work. The primary audience for this section is Tivoli Provisioning Manager for OS Deployment Business Partners and pre-sales Systems Engineers.

This book is a major reference for IT Specialists and IT Architects working in the image management area.

The team that wrote this Redbooks publication

This Redbooks publication was produced by a team of specialists from around the world working at the International Technical Support Organization, Austin Center.

Vasfi Gucer is an IBM Certified Consultant IT Specialist working at the ITSO Austin Center. He worked with IBM Turkey for 10 years and has been with the ITSO since January 1999. He has more than 12 years of experience in systems management, networking hardware, and distributed platform software. He worked on various Tivoli customer projects as a Systems Architect in Turkey and in the United States. Vasfi is also a Certified Tivoli Consultant.

Damir Bacalja is an Advisory IT Specialist from IBM Croatia. He holds a degree in electrical engineering and is also ITIL certified. He has worked with Tivoli products in Framework, Tivoli Configuration Manager, Tivoli Monitoring, Tivoli Enterprise Console, Remote Control, and Tivoli Storage Manager, for almost eight years. He joined IBM as part of IBM Global Services and took part in many Tivoli implementations. Since 2002 he has been part of the IBM Software group as a Tivoli Technical Sales Specialist for the SEA region. He has strong skills in UNIX, Windows, and shell scripting.

Dominique Bertin holds a technology certificate in electric engineering from the University of Creteil, near Paris in France. He began as a Honeywell Bull representative on different mainframe customer sites for seven years, and then started working as a Software Engineer in the National Software Center in the Bull company. After 12 years at Bull, he joined a software services company that was acquired by Candle Corporation five years later. After the IBM acquisition of Candle, he moved to a Tivoli presales position. He is currently assigned to the Tivoli Configuration Manager, Tivoli Provisioning Manager for OS Deployment, and Tivoli Provisioning Manager for Software products within the Tivoli Business Automation segment.

Richard Hine has a bachelor's degree in medical science from the University of Manchester in the UK, and has worked for IBM since 1981. He worked with IBM Mainframes for 11 years doing services and support roles with MVS, IMS and VTAM, taking assignments to teach automation techniques and assembler programming. During this time, he also took a job supporting IBM's first Point of Sale deployment in Europe at Boots of Nottingham in the U.K. He moved to country technical support in 1991 to support IBM network management tools on distributed systems, where he taught at the international education center in La Hulpe and supported field services engagements for the NetView automation family of products, both distributed and mainframe. During this time Richard also did several international services engagements in the Middle East, and wrote an ANO based TCP/IP monitoring application that was used in IBM South Africa. Richard moved to Tivoli in 1996 with the IBM acquisition. He worked in a presales role for the UK on all Framework products, latterly leading the UK Advanced Technology Team. Certified in 2002, Richard has been published in the Managed View and two other IBM Redbooks publications. Currently he works with the Tivoli Performance and Business automation products in a presales capacity for the UK Financial Services Sector.

Scott M Kay is an Advisory Technical Specialist working for the IBM Software group in Australia. His speciality is Tivoli Business Automation tools. He has 15 years of experience in the IT field. In that time Scott has held various roles from operational support, SOE development, to systems management. After joining IBM in 1999 Scott worked in roles all directly related to the Tivoli suite of products in Global Services, Tivoli Professional services, and finally in his current presales role in the Software Group.

Francesco Latino is a Level 2 Customer Support Software Engineer in Tivoli Configuration Manager and Tivoli Provisioning Manager. He holds a Computer Science degree from the Department of Computer Science, University of Bari. His areas of expertise include Tivoli Inventory, Tivoli Software Distribution, Common Inventory Technology, and Tivoli Provisioning Manager for OS Deployment products. He has skills in procedural and object-oriented programming, TCP/IP network protocol, J2EE platform, and electronic commerce.

Thanks to the following people for their contributions to this project:

Arzu Gucer
International Technical Support Organization, Austin Center

Dennis R Goetz, Peter Greulich, Dennis Ligay, Mike Orr, Hakan Thyr
IBM USA

David Clerc, Anne Vandeventer Faltin, Jacques Fontignie, Marc Vuilleumier Stueckelberg, Pierre-Antoine Queloz
IBM Switzerland

Elisabetta Rinaldi
IBM Italy

Mike Gare, Kimberly Mungal
IBM Canada

Sean Safron
IBM USA

KaTrina Love Abram
IBM USA

Become a published author

Join us for a two-to-six week residency program! Help write an IBM Redbooks publication dealing with specific products or solutions, while getting hands-on experience with leading-edge technologies. You will have the opportunity to team with IBM technical professionals, Business Partners, and Clients.

Your efforts will help increase product acceptance and customer satisfaction. As a bonus, you will develop a network of contacts in IBM development labs, and increase your productivity and marketability.

Find out more about the residency program, browse the residency index, and apply online at the following Web site:
ibm.com/redbooks/residencies.html

Comments welcome

Your comments are important to us!

We want our Redbooks publications to be as helpful as possible. Send us your comments about this or other Redbooks publications in one of the following ways:

Use the online Contact us review book form found at:
ibm.com/redbooks

Send your comments in an e-mail to:
[email protected]

Mail your comments to:
IBM Corporation, International Technical Support Organization
Dept. HYTD Mail Station P099
2455 South Road
Poughkeepsie, NY 12601-5400

Part 1 Planning and architecture

In part 1 we introduce the planning and architectural considerations when deploying a Tivoli Provisioning Manager for OS Deployment environment. We cover the actual deployment steps in Part 2.

Chapter 1. Introduction to image management

In this chapter we discuss the concept of the device configuration life cycle and how Tivoli Provisioning Manager for OS Deployment can assist in this management process. This is found in 1.1, "Device configuration life cycle" on page 4.

We look at business needs: the sort of IT changes that are coming and that justify an investment in a technology such as Tivoli Provisioning Manager for OS Deployment. We also look at how this technology reduces costs associated with deployment and redeployment of operating systems. This is found in 1.2, "Business requirements" on page 8.

Finally, several common deployment scenarios involving Tivoli Provisioning Manager for OS Deployment are discussed at a high level, showing how cost savings can be made. This is found in 1.4, "Common OS deployment scenarios" on page 15.

1.1 Device configuration life cycle

Every facet of IT these days seems to have a life cycle management strategy, process, or best practice, for example, asset life cycle management, software life cycle management, user account life cycle management, and storage life cycle management to name but a few. What they all have in common is that through collective experience the tasks normally undertaken throughout the life cycle of the item in question were identified so that they can be managed as individual tasks and as a whole cycle. It is then possible to measure these tasks, the costs involved with them, and the time they take and improve them in terms of efficiency, effectiveness, and cost.

The device configuration life cycle addresses the physical management of computers from the time they are delivered to the time they leave an organization. Device configuration life cycle management can go by different names and have tasks with different terminology, usually dependent upon the vendor you are talking to; however, in essence the main tasks or activities involved are shown in Figure 1-1.

Figure 1-1 Tasks and activities within the device configuration life cycle (figure labels: bare metal OS deployment; backup and restore; software distribution; application and data security configuration; asset and inventory management; software license and usage management; remote control; software maintenance and patch management; reporting for critical decision making)

There are many product suites on the market today that can enable or automate these tasks and a few that claim to do it all. Most organizations, however, already have mature tools and processes in place for many of the tasks in the life cycle and are not about to rip and replace their existing solution unless there is a very good business case to do so. This is where Tivoli Provisioning Manager for OS Deployment offers an excellent opportunity. Tivoli Provisioning Manager for OS Deployment is a stand-alone product that offers significant integration capability, so much so that it has already been integrated with Tivoli Provisioning Manager and Tivoli Provisioning Manager for Software, and is soon to be integrated with IBM Director.

Figure 1-2 Tivoli Provisioning Manager for Operating Systems role in the configuration life cycle (figure labels: the tasks and activities within the device configuration life cycle, with bare metal OS deployment marked as fully automated by Tivoli Provisioning Manager for OS Deployment)

The core capability of Tivoli Provisioning Manager for OS Deployment is the ability to intelligently automate the deployment of operating systems. This capability extends from the many flavors of Microsoft Windows, through SUSE and Red Hat Linux to Sun Solaris. The deployment of an operating system is the one item in the configuration life cycle that every single computer will definitely receive at least once and potentially more often during its working life. This is shown in context of the device configuration life cycle in Figure 1-2.

Once installed, the product offers cost savings in the following areas:

Deployment manpower
Using Tivoli Provisioning Manager for OS Deployment during a deployment should significantly reduce the number of personnel and the level of skill required to deploy the computer workstations. The deployment role becomes more of a box-moving role as opposed to a technical role.

The universal system profile
Through the use of a universal system profile, it is possible to have one image and a collection of driver packages for deployment to a range of hardware. The savings to be made here are in the following areas:

  Image storage space: Because Tivoli Provisioning Manager for OS Deployment can modify an image and add drivers through driver injection on the fly during an image deployment, one image and a collection of driver packages need storage space as opposed to an image for every hardware model. This is true for the master server and every distributed copy in the network.

  Image maintenance: Instead of building a new image every time a new model of hardware or driver is released, all that is required is the packaging of the driver, the establishment of the rules for the deployment of that driver, and testing of the deployment and rules.

  Image replication: Minimal images mean less time and resources are used to move those images around the network to where they are needed.

Ease of redeployment
Once an OS is installed using Tivoli Provisioning Manager for OS Deployment, redeployment is as simple as a few menu clicks in the Web console. Many organizations have a system to automatically reinstall an operating system. Those automatic solutions usually involve the help desk consultant talking the user, or worse, the user's colleague, through the steps required to enter all the information needed to kick off a rebuild and then waiting the hour to hour and a half for the build to complete. In some cases, a rebuild requires a site visit by a technical staff member. The savings that can be made here are harder to quantify but easy to identify. Any time a user is taken away from their core responsibility to help fix a problem is a business cost. In an organization large enough, it is easy for these distractions to add up to lost man-days on a daily basis due to users being involved in helping with a fix.

Tivoli Provisioning Manager for OS Deployment also touches other parts of the device configuration life cycle with functionality that enables the core OS deployment functionality, as can be seen in Figure 1-3.

Figure 1-3 Deployment enabling functionality of Tivoli Provisioning Manager for OS Deployment (figure labels: the tasks and activities within the device configuration life cycle, with software distribution and asset and inventory management marked as deployment enabling functionality alongside bare metal OS deployment)

Deployment enabling functionality

Tivoli Provisioning Manager for OS Deployment's core function is its ability to deploy operating systems. Included in the product are some other capabilities that enable this core function. Following are these capabilities:

Software distribution
The software distribution capability gives Tivoli Provisioning Manager for OS Deployment the ability to inject driver packages into an operating system during deployment and install software after the operating system starts.

Inventory
When Tivoli Provisioning Manager for OS Deployment boots a computer using PXE, it automatically scans the computer and stores this data in its database. Having the results of these scans available allows Tivoli Provisioning Manager for OS Deployment to make decisions based on this data about which drivers to inject during OS deployment and which software to deploy after OS deployment.

Coupled with the enabling capabilities, Tivoli Provisioning Manager for OS Deployment is able to intelligently install a full SOE in an automated manner, completely automating the first task in the device configuration life cycle, bare metal OS deployment.

1.2 Business requirements

High-level business requirements are simple: help me save money to improve my profitability or efficiency. But as you start to drill down into this requirement it starts to become a little less clear cut. Quite often you have to spend money now to make a longer term gain or to avoid spending more money later. And so it is with Microsoft's Vista. Do I migrate now? The promise is so great, easier support, greater security, but then there is the cost of doing it now and the potential for problems.

The remainder of this section discusses the reasons an organization would migrate to Microsoft Vista and the sort of requirements an organization could have of a deployment solution to enable a large scale rollout of
Vista.

1.2.1 Why Vista?

Microsoft Vista is here, and chances are it is coming to your organization sooner than you think. Many organizations are expecting to make a move towards Vista within a year. The larger the organization, the higher the probability that this will occur. This significant commitment in time and expense is driven by a variety of factors that include much needed features introduced in Vista and the realities of waning support for older versions of Windows.

While enhancements in user experience like Vista's Aero Glass interface have monopolized the marketing spotlight, it is enhancements under the covers that are motivating enterprise customers to upgrade. Vista introduces a new developer platform, .NET Framework 3.0, that enables faster development of applications that will have better interfaces, better integration with other applications, and better code in general. .NET Framework is comprised of key components that include the Windows Workflow Foundation (WWF), which makes Vista the first OS to embed a workflow development and runtime environment, and the Windows Communication Foundation (WCF) that dramatically simplifies the way connections between services are defined and managed.

Perhaps the most important innovation driving enterprise adoption of Vista is enhanced security. Vista is the first operating system Microsoft has built from design to release using the Security Development Lifecycle (SDL) under their Trustworthy Computing Initiative. Immediately beneficial security enhancements include User Account Control, which eliminates the need for average users to log in with Administrator privileges and thereby, by default, grant that privilege to every application, virus, or other form of malware they intentionally or inadvertently launch. In addition, Vista introduces a multi-tiered rights management and encryption technology (BitLocker) that protects data on the disk, even if the disk is inside a stolen mobile computer. These are only a few of the security enhancements in Vista that represent the quantum leap in integrated client security that the enterprise has been waiting for.

Beyond the innovations Vista offers as a motivation to upgrade, there is also the fact that older versions of Windows are becoming less supportable. With Windows 2000 already out of mainstream support and losing critical update support in 2010, and the launch of Vista starting the two year countdown to the end of mainstream support for Windows XP, upgrade is inevitable. If your enterprise may be one that falls into this group, starting to plan and test now is your best defense against unmanageable complexity and unpredictable
costs.

1.2.2 A deployment project

It is estimated that a project of 12-18 months is required to develop and test a Vista Standard Operating Environment (SOE) in a corporate environment. The larger the environment the longer and more complex the project. This sort of project would include phases such as the following:

1. A full audit of all applications in use by all users within the organization.
To be able to plan the testing of all the SOE applications it is important to quantify them all, prioritize, and plan with certainty. Being presented with 10 untested applications just before the rollout would unpleasantly impact the project schedule.

2. Testing of all SOE applications for compatibility with Vista.
With the new security enhancements within Vista, it is probable that a percentage of current applications will not work. Some of these will of course be patched by their vendor to make them compatible, but the custom applications written in house or by a contracted company will require an explicit effort applied to make them compatible. This project phase has the potential to be the most time consuming and least satisfying, as old but important applications may not work in Vista and may have to be worked around.

3. The development of a deployment methodology.
When rolling out a change of this magnitude to any organization, a rock solid deployment methodology is crucial. Obviously an automation tool to deliver an image is a part of the methodology, but what sort of image will that tool deploy? There are three commonly used image types to consider:

Thick images are large images that contain the complete operating system, all drivers, and core applications. Simple image creation enabled by simple tools has made thick images the most common form of image; however, it is at the expense of high maintenance costs. Because thick images contain so much target specific configuration, diverse environments need to create and manage many large images to satisfy the needs of their user population. When any small component of an image must be changed (for example a security policy upgrade to the firewall or virus scanner definitions), the entire image must be manually rebuilt. The result is many large images taking up large amounts of maintenance resource and disk space and large amounts of bandwidth during deployment.

Thin images evolved as a reaction to the high total cost of thick images, but because of the limitations of the simple imaging tools, they created as many problems as they solved. Thin images exclude core applications, which must then be deployed using another software distribution system after first boot of the base image. The benefit is fewer, smaller, more generic base images to store and deploy, thus saving disk space and network bandwidth, and subsequent changes to an image or core application result in far less image regeneration. End-to-end deployment is now slower and requires a software distribution system and scripting to complete. Actual bytes deployed will likely be more than in thick images because of duplication of files in the application install and OS install, although the install is spread out over a longer period of time. Note that not having all applications deployed at first boot introduces security risks.

Hybrid images offer the best of thick and thin images without the disadvantages. Advanced hybrid imaging systems separate drivers and applications from OS images and store them in a file-based repository. At deploy-time the correct drivers are automatically selected and injected into the image, the correct updates and core applications are loaded into the image, and the resulting image is deployed to the target, all before first boot. This allows an organization to maintain as few as one universal image that automatically adapts to each target at deploy-time when the minimum number of files possible is deployed over the network. The result is minimal disk space, minimal network bandwidth, and a system that allows modification to driver or application configuration without the need to generate and catalogue a new image. The most advanced hybrid imaging systems go a step further by providing a policy-based configuration capability. This allows the image to be adapted by global policies as well as physical attributes of the target. For example, a policy such as "deploy ThinkVantage Access Connection on Lenovo laptops only" would ensure that redundant software is not deployed on other brands of laptop. The challenge for the enterprise is that very few image management systems on the
market support this advanced form of imaging.

4. The development of a user data migration strategy.
The migration to Vista will not be viewed as a success if your users lose data. Despite this, it does not make sense to migrate all aspects of a user's existing configuration. Over time, most user desktops get cluttered with unused disk shares, defunct network printers, and configuration changes that were motivated by idiosyncrasies in the original operating system environment. Additionally, as application compatibility may require the upgrade or replacement of some applications, some preferences and configuration data may be redundant in the new desktop environment. As a result, blind migration of all existing "personality" may not be the right approach to take. A fresh OS install is an opportunity to clean house, but this takes planning. Determine what data and configuration is important to your users and acceptable under your current security policy, and put the tools and processes in place to migrate them cleanly to the new system. Many settings are predictable (for example the location of the target computer dictates which printers or disk shares should be configured) and the right deployment tool can recreate the correct settings based on current IT and security policy rather than migrate potentially incorrect or out-dated settings from the existing desktop configuration. This is an important philosophical distinction to consider when selecting an image management system. Some are better aligned with the "migrate existing settings regardless if they are correct" philosophy, and others align better with the "recreate clean settings from current IT policy" philosophy.

1.3 Requirements for a tool to assist the deployment effort

Following is a list of criteria that can be used in the assessment of a deployment tool.
1.3.1 Time to value

How long it takes to start getting significant improvements in efficiency in your migration process is key to the overall performance of your image management system. Many systems management products either remain on a shelf or are never implemented to their full potential because of the complexity of their installation and configuration. Consider the following aspects of the system's Time to Value.

1. How long does it take to install the product and start using it in your migration planning process? Will installation take 30 minutes? Or 30 days?
2. Is the system an integrated single-vendor solution that provides fully automated end-to-end deployment of desktops from Wake-on-LAN to BIOS configuration, RAID configuration, disk partitioning, OS/driver/application deployment, offline servicing, user data migration through to user configuration, and first boot? Or does the system leave major aspects of image creation and deployment to manual intervention or other 3rd party tools?
3. Does the system consist of a single-product install providing you with all the functionality you will require in both test and full-scale production deployment (native multicast, USMT integration, native PXE, native configuration database, and so forth)? Or does it consist of multiple components, each carrying additional purchase costs, additional implementation time, additional interface and management training, and additional infrastructure?
4. Does the system scale to tens of thousands of targets after the initial simple installation, or will you have to purchase, install, integrate, and configure additional enterprise product modules?
5. Does the product have a single, simple intuitive interface that spans all product functions, or does it require that you learn multiple different interfaces and jump between them during the planning, testing, and deployment processes?
6. Does the system provide rules-based deployment configuration? For example, does it support the ability to define a rule such as: "If target location is France, set keyboard to French", or "If target is Vista, deploy Acrobat 7.0"? At deploy-time, the system should then assess the target against all such rules and adapt the configuration accordingly. This rules-based capability dramatically reduces the time required to configure the images for large and diverse populations. Without this capability, each target image would have to be manually configured.

Note: This capability is only possible if the system supports advanced hybrid images.
7. Does the system support advanced hybrid images allowing you to start deploying diverse systems after creating a single universal OS image? Or does the product require that you create many specific thick images before you can start testing against a diverse community of targets? Or does the product require that you also implement a software distribution system before you can start deploying applications on top of thin images?

1.3.2 Resource and maintenance efficiency

This selection criterion assesses the image management system's impact on your systems management and infrastructure costs and complexity. It is important to consider how the system consumes your infrastructure, how it impacts your normal operations, and how much systems management workload it generates.

1. Does the system conserve bandwidth by providing multicast as a native feature? With multicast, a single bit stream over your network can update many targets simultaneously. Without multicast, each target needs its own bit stream to pass through your network. The difference in impact on your network infrastructure and your normal operations is orders of magnitude.
2. Does the product support advanced hybrid images that enable a single, compact universal image to do the work of many large, thick images? The disk space required by a thick image-based product will be orders of magnitude greater. Maintaining many thick images also has a significant impact on image maintenance as any minor change to a driver, OS, or application configuration can require the regeneration of dozens of images. Does mitigating these resource inefficiencies mean implementing a thin image strategy requiring an additional investment in a software distribution system to deal with core applications?
3. Are the images stored in a single-instance file-based repository that conserves disk space by storing each OS or application file only once in the deployment repository? Or does the system store many duplicate sector-based images or multiple copies of the same file-based image components, thus wasting storage capacity?
4. Does the system support distributed, automatically synchronized deployment servers that can sit in distributed network segments closer to specific groups of targets? Does the system provide this functionality in the base product without requiring an additional investment in product license and implementation effort? This capability can dramatically reduce the performance impact and capacity required at gateways, routers, and over wide area networks.
1.3.3 Flexibility

As your choice of unified image management system is likely one you will have to live with for years to come, it is important that it is flexible enough to adapt to your changing requirements over time.

1. Will the system provide a single-product experience for all of your heterogeneous targets (for example Windows, Linux, Unix) now and in the future? Or will you require additional image management systems to support deployment and maintenance of your non-Windows targets?
2. Can the system be implemented on a server platform you currently support (Windows, Linux, AIX, Solaris, FreeBSD, Mac OS-X) or does it require that you procure and maintain a nonstandard platform in your systems management environment?
3. Is the product open, providing a native pre-installation environment and image format, and supporting Microsoft WinPE and Microsoft WIM (Windows Imaging) images? Or does the product force you to abandon Microsoft best-practice and rely only on a proprietary pre-installation environment and image format in all situations? In some situations, the native tools and formats may be superior, although, in others the OS vendor does know best.
4. Will the product integrate easily into any systems management ecosystem, seamlessly providing an image management foundation to any vendor's holistic provisioning solution? Or does the product restrict its interfaces in an attempt to force you to build on its foundation with only the same vendor's systems management portfolio?
5. Does the vendor that supplies the product also provide a portfolio of integrated provisioning and systems management products if you are looking for a simple path to increase the sophistication of your automation infrastructure?

1.3.4 Security

Mitigating security risks is a top-3 budget item for most enterprise IT organizations. Introducing new security risks with the image management system results in subsequent cost and effort to provide perimeter defenses around the new exposures. The best way to avoid this collateral cost is to select an image management system that was architected to minimize the security exposures it introduces.

1. Has the system implemented Option-43 of the PXE specification that prevents malicious PXE Server impersonation on your network by forcing explicit identification of the PXE server network address? If not, an intruder that gets access to any server on your network could deploy code that
impersonates a PXE server on your network, giving the intruder the ability to alter your desktop configurations.
2. Does the product disallow a user break of the deployment process at the target keyboard? If not, someone with access to the target during the deployment could gain administrator-level privileges on your network.
3. Does the product support Offline Servicing for Vista? Offline servicing allows security updates and configuration changes to be applied to the target after the OS and core application deployment, but before the first boot. If the product does not support this Microsoft best practice function, the target is exposed to many forms of intrusion and malware between first boot and the application of the security updates.
4. Has the product implemented an encrypted transport protocol that prevents either reading or altering the image bit stream while it is being deployed over your network? Keep in mind, depending on your applications, these bit streams could contain sensitive data or passwords. Many products just support SMB (Server Message Block) or HTTP transport protocols that leave the data exposed to malicious intruders or applications. SMB and HTTP also require the creation of a user on the network and the storage of that user's password on the boot media, an unnecessary security exposure.

1.4 Common OS deployment scenarios

The following three scenarios are typical of those in many corporate sites. The aim of the scenarios is to show how Tivoli Provisioning Manager for OS Deployment can help in times of deployment and also with day-to-day support issues. The scenarios all assume that a corporate SOE was developed. The common theme with all of these scenarios is that the SOE deployment component of the task at hand has become a minor part of the process. It is now a quick, simple step.

1.4.1 Rollout of new desktop hardware and SOE

A multinational organization decides to upgrade their workstation fleet and SOE. They enter into a contract with a large hardware supplier to supply 15,000 desktop PCs of three different specifications and 5,000 laptops of two different specifications. The hardware supplier is contracted to supply the workstations directly to their final destination across three continents into 25 sites.

The organization has spent the previous 12 months developing their Vista SOE, their deployment methodology, and deploying Tivoli Provisioning Manager for OS Deployment. The solution developed uses a universal system profile. The universal system profile allows them to have one image that can be deployed to
every desktop computer and laptop. When the computers first PXE boot and contact Tivoli Provisioning Manager for OS Deployment, an inventory is taken of its components. Using this inventory or Bill of Materials (BOM), rules can be established to select the appropriate drivers to inject and software to install. For example, the drivers for a desktop computer are different than those required by a laptop computer. Based on the model number of the computer and the PCI, Tivoli Provisioning Manager for OS Deployment can inject.

The organization allows a level of user level workstation customization, and although the users are supposed to store all business data in specific business systems and backed up data drives, inevitably there is data stored locally on user workstations. To avoid upsetting the users and to make the workstation upgrade as seamless to the users as possible, the customization and data need to be migrated to their new machine. This is achieved by using the Microsoft User State Migration Tool.

The deployment process for desktop computers flows as follows:
The vendor ships the computers to the site as per the deployment schedule.
The deployment is to take place overnight. At close of business, the user state migration tool is run to back up all appropriate user settings and data.
The new workstation computers that have arrived that day are unboxed and physically moved to the desktops in batches of 30. When 30 workstations are plugged in they are all powered on, network boot is selected and the computer logs into a multicast deployment.
The 4GB image deployment over a 100Mbps LAN to 30 workstations completes in 30 minutes.
The user state migration is completed, moving the user settings back to user workstations.

In this scenario, the bulk of the work was in planning and building of a SOE. When it came time to actually deploy the computers, the work was very simple, consisting mainly of physically moving boxes and plugging them in.

With regard to the laptop computers, they are also shipped directly to the home office of the proposed user. A deployment resource builds them in groups just as with the desktop computers. When the user comes into their home office to swap out their machine, the user state migration is run to move all settings and data.

1.4.2 Rebuild of a previously deployed user workstation

A user contacts the help desk because of issues with their workstation. The workstation is not performing properly, and it seems like there may be an issue with some file corruption. The help desk consultant spends 15 minutes with the
user trying to determine what the problem with the workstation is. It is apparent that there is a problem, but a diagnosis is eluding them. The help desk consultant decides that a workstation rebuild is the best way forward.

Tivoli Provisioning Manager for OS Deployment was rolled out across the enterprise a few months previously. During that rollout a decision was made to install the RbAgent, Tivoli Provisioning Manager for OS Deployment's optional agent, onto every workstation. RbAgent gives the Tivoli Provisioning Manager for OS Deployment administrator, amongst other things, the ability to reboot a computer and to force a PXE boot.

In this support instance, after gaining agreement from the user, the help desk consultant locates the user's computer in the management web console and executes "deploy now" against it. At the user's end, the computer pops up notification that it is being rebooted for a redeployment. The computer promptly reboots and the SOE deployment commences. Due to the fact that the computer is on a production network and it is during working hours, the bandwidth consumed during the deployment is limited to 50% of the 100Mbps available. The 4GB SOE is deployed in approximately 15 minutes.

Instead of having the issue with the computer escalated up through the support organization and using more time up, decisive action was taken and in less than 45 minutes the user was able to once again log in and do productive work.

1.4.3 Upgrade of hardware and subsequent Vista install

An organization that upgraded its desktop workstation fleet last year decided, for a variety of reasons, to move to Microsoft Vista. At the time of deployment last year they believed that 512 MB of RAM per computer would be plenty of memory for the foreseeable future. Unfortunately this was not the case and so now they are going to have to add another 512MB memory module to each machine.

Having deployed Tivoli Provisioning Manager for OS Deployment for their upgrade last year they are well placed to complete this piece of work at their four 100 workstation sites overnight at one site per night using three human resources.

Following is the upgrade process:
As all the workstations are already defined within Tivoli Provisioning Manager for OS Deployment, it is a simple task of binding the new Vista profile and the rollout deployment scheme to all the workstations. This is done.
After each computer is opened and has its RAM upgraded, the computer is rebooted and F12 is pressed to force a network boot.
As the computer is bound to the SOE the computer joins a rolling non-synchronized multicast deployment scheme. This scheme ensures maximum efficiency of concurrent data transfer but without the necessity to synchronize computers.
The deployment is completed overnight as planned.
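Section 1.3.4 above asks how a deployment system guards against PXE server impersonation, and every scenario in 1.4 relies on targets network-booting from the intended server. The following added example (not taken from this guide or from the product) is a network-side check for the same risk: it parses DHCP/BOOTP replies and flags any that carry boot information from a server outside an approved list. The approved address, the boot file name, and the sample messages are constructed.

```python
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_VENDOR_INFO, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_VENDOR_CLASS, OPT_BOOTFILE = 43, 53, 54, 60, 67
REPLY_TYPES = {2: "OFFER", 5: "ACK"}

def parse_dhcp(payload):
    """Parse the BOOTP fixed header and the DHCP options of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    msg = {
        "op": payload[0],
        "siaddr": str(ipaddress.IPv4Address(payload[20:24])),  # next-server field
        "file": payload[108:236].split(b"\x00", 1)[0].decode("ascii", "replace"),
        "options": {},
    }
    i = 240
    while i < len(payload) and payload[i] != 255:  # 255 marks the end of options
        code = payload[i]
        if code == 0:  # pad byte carries no length field
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated DHCP option")
        length = payload[i + 1]
        # A code that appears twice is one long option split across instances.
        msg["options"][code] = msg["options"].get(code, b"") + payload[i + 2:i + 2 + length]
        i += 2 + length
    return msg

def boot_offer(msg):
    """Return the boot-relevant fields of a server reply, or None if it has none."""
    opts = msg["options"]
    msg_type = (opts.get(OPT_MSG_TYPE) or b"\x00")[0]
    if msg["op"] != 2 or msg_type not in REPLY_TYPES:
        return None
    bootfile = opts.get(OPT_BOOTFILE, b"").rstrip(b"\x00").decode("ascii", "replace")
    bootfile = bootfile or msg["file"]  # prefer option 67, fall back to 'file'
    is_pxe = opts.get(OPT_VENDOR_CLASS, b"").startswith(b"PXEClient")
    if not (is_pxe or bootfile):
        return None  # ordinary address lease, nothing to boot from
    sid = opts.get(OPT_SERVER_ID, b"")
    return {
        "type": REPLY_TYPES[msg_type],
        "server_id": str(ipaddress.IPv4Address(sid)) if len(sid) == 4 else "unknown",
        "next_server": msg["siaddr"],
        "bootfile": bootfile,
        "has_option_43": OPT_VENDOR_INFO in opts,
    }

def find_unapproved_boot_servers(payloads, approved):
    """Flag replies that point a network-booting client outside the approved set."""
    findings = []
    for raw in payloads:
        try:
            offer = boot_offer(parse_dhcp(raw))
        except ValueError:
            continue  # not DHCP, or malformed: outside the scope of this check
        if offer is None:
            continue
        hosts = {offer["server_id"], offer["next_server"]} - {"0.0.0.0"}
        unapproved = sorted(hosts - set(approved))
        if unapproved:
            findings.append({**offer, "unapproved": unapproved})
    return findings

def build_reply(server_id, next_server="0.0.0.0", bootfile=b"", pxe=False, msg_type=2):
    """Build a constructed DHCP reply for the samples below (not captured traffic)."""
    hdr = bytearray(236)
    hdr[0] = 2  # BOOTREPLY
    hdr[20:24] = ipaddress.IPv4Address(next_server).packed
    hdr[108:108 + len(bootfile)] = bootfile
    opts = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4])
    opts += ipaddress.IPv4Address(server_id).packed
    if pxe:
        opts += bytes([OPT_VENDOR_CLASS, 9]) + b"PXEClient"
    return bytes(hdr) + DHCP_MAGIC + opts + b"\xff"

# Constructed samples; 10.0.0.5 stands in for the approved deployment server.
APPROVED = {"10.0.0.5"}
SAMPLES = [
    build_reply("10.0.0.1"),  # plain lease, no boot data
    build_reply("10.0.0.5", "10.0.0.5", b"boot/loader.bin", pxe=True),  # approved
    build_reply("10.0.0.66", "10.0.0.66", b"boot/loader.bin", pxe=True),  # unknown host
    build_reply("10.0.0.5", "10.0.0.77", b"boot/loader.bin", msg_type=5),  # odd next-server
    b"not dhcp",
]
```

Calling `find_unapproved_boot_servers(SAMPLES, APPROVED)` returns two findings: the reply from the unlisted responder, and the reply whose next-server field points away from the approved host.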
Chapter 2. Architecture and deployment scenarios

This chapter presents two case studies for the implementation of Tivoli Provisioning Manager for OS Deployment:
A small implementation on a single LAN.
A large enterprise with multiple subnets in the main office, remote sites connected via lower speed communication links, and the sort of security scrutiny that characterizes large organizations today.

Subjects such as server sizing and placement, image replication, driver injection, unicast and multicast, firewalls, and security considerations are discussed. These are the sort of subjects that are not explicitly discussed in the Tivoli Provisioning Manager for OS Deployment user guide, but are of great importance when designing an implementation of a tool in a production environment.

The chapter is broken into the following sections:
Tivoli Provisioning Manager for OS Deployment features
Architecture
2.1 Tivoli Provisioning Manager for OS Deployment features

Following are the major features of Tivoli Provisioning Manager for OS Deployment and a short description of the features. It is these features that make Tivoli Provisioning Manager for OS Deployment such an indispensable tool for use during the life cycle of computer systems.

System cloning
Tivoli Provisioning Manager for OS Deployment incorporates the ability to capture a file-based clone image of a target workstation. Using Tivoli Provisioning Manager for OS Deployment's built-in Pre-boot eXecution Environment (PXE) server to boot the target system, it is possible to take a cloned image of that system from the Tivoli Provisioning Manager for OS Deployment Web console. This image is stored on the Tivoli Provisioning Manager for OS Deployment server and is referred to as a profile.

Driver injection
Tivoli Provisioning Manager for OS Deployment includes the ability to add a driver to an image as the image is being deployed to a computer. This feature leads to the ability to create a universal system profile that in turn reduces the number of images that need to be managed.

Software deployment
Tivoli Provisioning Manager for OS Deployment includes the ability to create software packages that can be deployed along with the OS image.

Universal system profile
The universal system profile is the ability provided by Tivoli Provisioning Manager for OS Deployment to support many different computer models and configurations with one image. This is achieved by the automated addition of various driver and software packages during image deployment.

Microsoft Vista support
Microsoft's latest and greatest operating system is supported by Tivoli Provisioning Manager for OS Deployment in unattended setup and cloning modes.

No touch build capability
Tivoli Provisioning Manager for OS Deployment has features that enable a true no touch build capability. Whether set to boot from the hard disk or the network, Tivoli Provisioning Manager for OS Deployment can be configured to take control of the target system and to deploy a profile.

Unattended setup
Tivoli Provisioning Manager for OS Deployment supports the unattended setup mode of installation. In this feature all of the parameters that need to be provided to the installer during the OS installation are predefined in the Tivoli
Provisioning Manager for OS Deployment server and fed to the installer during the installation. This type of installation is best where a one-off installation is going to be made or where installation to a number of different hardware types requires an investment of time to build a master image and all of the appropriate drivers and/or application packages.

Unicast and multicast image deployment
In Tivoli Provisioning Manager for OS Deployment, profiles, or what is being deployed, are defined separately to how the profile is to be deployed. How the profile is to be deployed is defined in what is known as a deployment scheme. It is in the deployment scheme that you can define the communication method between the server and client. This can be unicast or multicast. Generally, individual workstation and server builds are done using unicast, while builds and batches of workstations use multicast, for the time and network bandwidth savings that it offers.

Adjustable network bandwidth utilization during build
Deployment Schemes also offer the ability to limit the amount of network bandwidth that is used during a deployment. This is very useful when a deployment is being executed over a LAN during the business day. An unlimited deployment has the capability to really slow the network segment down as it could potentially use all available bandwidth; however, if you limited the bandwidth to say 50Mbps on a 100Mbps LAN it could only ever absorb half the available bandwidth.

Highly efficient image storage
By using an MD5 (Message Digest 5) algorithm to individually identify each file being stored in the image repository, it is possible to eliminate the need to store duplicates of any file. What this means is that one Windows XP image may take 3GB of storage space, but two variations of an XP image could take less than 4GB. This efficiency of storage also translates to less image data needing to be replicated between servers in larger implementations.

Build from DVD
In some instances, a workstation that needs to be built may be at the end of a 64Kbps link, or worse. Attempting to install a 4GB image in a case like this is impractical. The data transfer, if all went well, would take more than 7 days. In an instance like this it is possible to cut a DVD of the image and deployment scheme, ship it to the site, then boot from that DVD and deploy the image from the DVD.

Boot from CD/DVD
If the network card, in a particular target system, does not support PXE boot, or if PXE is not allowed on a network, it is possible to build a boot CD or DVD on the Tivoli Provisioning Manager for OS Deployment server, and use it to boot the target computer and connect it to the Tivoli Provisioning Manager for OS Deployment server to have an image deployed.
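The single-instance storage described under "Highly efficient image storage" above, as an added example (not the product's code; the class, its method names, and the sample files are assumptions). It stores each distinct file once by digest and reports how little a second image variation adds, both on disk and in what a replica server still needs. It also compares file content whenever a digest is already held, because MD5 collisions can be constructed and a matching digest alone does not prove that two files are the same.

```python
import hashlib


class CollisionError(Exception):
    """Two different file bodies produced the same digest."""


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class SingleInstanceStore:
    """File-level repository that keeps each distinct file body once."""

    def __init__(self, digest=sha256_hex):
        self.digest = digest
        self.blobs = {}   # digest -> file body
        self.images = {}  # image name -> {path: digest}

    def add_image(self, name, files):
        """Add an image; return how many new bytes had to be stored for it."""
        staged, manifest = {}, {}
        for path, body in files.items():
            key = self.digest(body)
            held = self.blobs.get(key, staged.get(key))
            if held is None:
                staged[key] = body
            elif held != body:
                # Same digest, different content: refuse rather than silently
                # hand out the earlier file in place of this one.
                raise CollisionError(f"{name}:{path} collides on digest {key}")
            manifest[path] = key
        self.blobs.update(staged)  # commit only after every file has been checked
        self.images[name] = manifest
        return sum(len(body) for body in staged.values())

    def stored_bytes(self):
        return sum(len(body) for body in self.blobs.values())

    def logical_bytes(self):
        return sum(len(self.blobs[k]) for m in self.images.values() for k in m.values())

    def restore(self, name):
        return {path: self.blobs[key] for path, key in self.images[name].items()}

    def missing_on(self, replica):
        """Blobs a replica lacks, which is all that replication has to transfer."""
        return {k: v for k, v in self.blobs.items() if k not in replica.blobs}


# Constructed stand-ins for two variations of one OS image (sizes in bytes).
BASE = {
    "windows/system32/kernel.dll": b"K" * 3000,
    "windows/system32/shell.dll": b"S" * 2000,
    "windows/notepad.exe": b"N" * 1000,
}
LAPTOP = {**BASE, "drivers/wlan.sys": b"W" * 500, "backup/notepad.exe": b"N" * 1000}


def demo(digest=md5_hex):
    """Return (first add, second add, stored, logical, bytes a replica still needs)."""
    master, replica = SingleInstanceStore(digest), SingleInstanceStore(digest)
    first = master.add_image("xp-desktop", BASE)
    replica.add_image("xp-desktop", BASE)  # replica was synced after the first image
    second = master.add_image("xp-laptop", LAPTOP)
    to_send = sum(len(body) for body in master.missing_on(replica).values())
    return first, second, master.stored_bytes(), master.logical_bytes(), to_send
```

`demo()` uses MD5 to mirror the text; passing `sha256_hex` gives the same storage figures with a digest for which no practical collisions are known.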
Network sensitive image replication
The replication of workstation and server images around a WAN is a controversial subject. Many organizations like to have full control over all data on their network. Because of this Tivoli Provisioning Manager for OS Deployment comes with the following two methods to replicate data between servers:
  Scheduled, bandwidth controlled replication
  This option allows you to set up a replication schedule between servers and to dictate the maximum bandwidth that can be used by that replication.
  Command line export utilities
  Through the use of command line utilities, it is possible to produce different files containing all changes since a previous checkpoint. These files can then be moved to the slave servers using the corporate software distribution tool or burnt to a DVD and physically moved between servers.

Redeployment
This feature provides the ability to place one or more reference images into a hidden partition on the computer. During the system boot it is possible to do one of the following:
  Boot the system off the current image on the hard drive.
  Do a quick clean of the currently deployed image against the reference image.
  Do a full restore of the reference image.
Using this feature it is possible to effectively have a fresh image deployment every day for the optimum performance of a system.

2.2 Architecture

We start our Tivoli Provisioning Manager for OS Deployment architecture discussion with some design considerations. These are subjects that could be important in understanding how the product works, and how it fits into a larger corporate environment. The subjects covered are by no means a conclusive list.

2.2.1 Design considerations

This section aims to describe various items and product features that you should consider when designing a Tivoli Provisioning Manager for OS Deployment implementation. Many of the items are quite obvious but warrant discussion and further explanation; likewise, others are less obvious and may assist a designer in reaching an appropriate design. While the following list is quite
comprehensive, it should not be considered the definitive list of considerations as every organization has its own set of idiosyncrasies to take into account. Many of the subjects have links through to section two of this book, which contains more detailed step-by-step guides to Tivoli Provisioning Manager for OS Deployment features.

Unattended setup

Unattended setup of a Windows or Linux operating system entails the provision of all the parameters required in the setup of the operating system by the Tivoli Provisioning Manager for OS Deployment. Unattended setup is a more time consuming method of deploying an operating system and cannot be used on the same scale that cloning can. However it is the easiest type of deployment profile to set up. All activities take place on the server via the Web interface. A full description of how to set up an unattended setup deployment profile can be found in Chapter 4, "Installing pre-Vista systems" on page 137.

An advantage of an unattended setup profile is that it is a more generic installation, because the setup program detects the hardware and peripherals present and detects if a driver is available, and then installs it. The important task that the deployer has is to ensure that all the necessary drivers are available.

An unattended setup can be a good way to build an initial system for cloning. It is also very good for building systems in an environment where the hardware has large differences.

Figure 2-1 on page 24 shows the potential inputs to an unattended setup. This instance includes the original files and parameters such as the license key, host name, administrator account details, and the domain to join. It also includes a driver package and a software package.
[Figure 2-1 Unattended setup. Inputs: unattended install parameters, driver packages, software package, operating system installation files. Result = an OS setup in unattended mode]

Cloned image

Cloning is a major feature of Tivoli Provisioning Manager for OS Deployment and in conjunction with deployment schemes gives the product its versatility. Cloning is a fairly simple process, but it does take more set up than an unattended operating system setup. The process to clone a machine is as follows:

1. Start with a reference machine that is representative of the different systems to which you are going to deploy.
2. Clean the machine. By this we mean empty the recycle bin, disconnect network drives and printers, close all applications, and delete all temporary files and caches.
3. Run sysprep. Sysprep is Microsoft's utility for preparing the operating system for duplication. It clears out many of the internal system settings that identify that instance of the operating system. When the workstation is booted for the first time after deployment, Tivoli Provisioning Manager for OS Deployment supplies all the parameters required to complete the mini setup, and gives this instance of the operating system its personality.