So here's a run-down of what we did to get this going in our development environment (using Microsoft DHCP services on Windows Server 2012 R2):
For BIOS-mode PXE boot, we had to confirm that DHCP options 43, 60, 66, and 67 were populating correctly in the DHCP configuration, and that the configuration was being received by clients. Our first problem was here - server-based DHCP options were being overridden by scope-targeted options (as we found out). We:
- installed Wireshark and VirtualBox on a host machine,
- created a test VM in VirtualBox with networking set to Bridged,
- started a packet capture on the host, then,
- booted the VM.
The log file revealed DHCP options 43 and 67 were being received by the client, but not 60 or 66. Once that was sorted, flat BIOS-mode PXE with TFTP was available in the environment. A solid starting point.
Next we looked at iPXE.
Our test NBS/package server (also Server 2012 R2) was missing a few IIS components, so we (very hastily) threw together a script which enabled all the features:
dism /online /norestart /enable-feature /featurename:"NetFx4Extended-ASPNET45"
dism /online /norestart /enable-feature /featurename:"IIS-ASPNET45" /all
dism /online /norestart /enable-feature /featurename:"IIS-NetFxExtensibility" /all
dism /online /norestart /enable-feature /featurename:"IIS-WebServerRole"
dism /online /norestart /enable-feature /featurename:"IIS-ISAPIExtensions"
dism /online /norestart /enable-feature /featurename:"IIS-ISAPIFilter"
dism /online /norestart /enable-feature /featurename:"IIS-ASPNET"
dism /online /norestart /enable-feature /featurename:"IIS-WindowsAuthentication"
dism /online /norestart /enable-feature /featurename:"IIS-ManagementConsole"
dism /online /norestart /enable-feature /featurename:"IIS-IIS6ManagementCompatibility"
dism /online /norestart /enable-feature /featurename:"IIS-Metabase"
dism /online /norestart /enable-feature /featurename:"IIS-ASP"
dism /online /norestart /enable-feature /featurename:"IIS-WMICompatibility"
dism /online /norestart /enable-feature /featurename:"IIS-LegacySnapIn"
dism /online /norestart /enable-feature /featurename:"IIS-LegacyScripts"
On the next Altiris policy refresh, the package server began offering files via both UNC and HTTP, as expected, but no iPXE virtual directory was visible (as per LCode's post above), even after the Deployment Package Server Components - Install policy had executed successfully. We ended up having to pull NBS from the server entirely (Altiris Console --> Settings --> All Settings --> Notification Server --> Site Server Settings --> Site Servers --> [Server] --> Install/remove Services --> Uncheck Network Boot Service --> Next --> OK) and redeploy.
Once NBS had reinstalled - and after a bit of a wait - the iPXE site eventually showed up under Sites in IIS. We fired up our VM and, hey presto, both our original and iPXE boot images were listed - and better still, they were both functional. Once the excitement wore off, we moved on to the next part...
Parallel UEFI- and BIOS-mode PXE booting
Our latest batch of PCs do not support "legacy" (BIOS) PXE boot options, so we've now been forced into pushing forward with UEFI-mode PXE. This is where we came unstuck, but eventually worked it out.
Starting with this fantastic walkthrough (skip to the Server 2012 section), we created and populated the Vendor Classes for...
- PXEClient:Arch:00000
- PXEClient:Arch:00006
- PXEClient:Arch:00007
- PXEClient:Arch:00009
...and created the associated DHCP policies. Two points of note from our tests:
- DHCP Option 43 should only be configured in the policy targeting PXEClient:Arch:00000. Adding Option 43 to the other policies targeting UEFI devices interfered with (read: broke) the client's ability to secure a DHCP lease.
- DHCP Policy processing order matters!!! Our initial DHCP policy sequence was originally configured to detect Arch:00000 first, then pass through Arch:00006, Arch:00007, and Arch:00009 (processing orders 1 through 4) - but for whatever reason, this prevented subsequent Arch:0000x types from securing a lease, so we moved Arch:00000 to the end of the policy list and, in the policy Conditions tab, changed the Vendor Class condition from Equals to Not Equals, then omitted each of the three other PXEClient:Arch:0000x options. (Pics below.) This worked.
Once this was in place, we were able to boot both BIOS- and UEFI-mode devices into PXE and then into WinPE, both via either the usual TFTP, or HTTP via the new iPXE bootstrap image.
Needless to say, we were well chuffed with the result and happy to put the episode behind us.
Addendum: I've since scripted the above operation in PowerShell (for Windows Server 2012 R2), which automates the creation and configuration of relevant DHCP policies, options, associations, parameters, etc. It could do with some commenting and a bit of tidying up but I'm happy to post it if there's any interest.
We've also noticed clients are a little slower to secure IP leases, presumably because our DHCP server is now iterating through a list of possible options whenever a request is made. (It's not a huge difference, but noticeable to those of us who operate from a place of panicked impatience.)
Aside from that, the entire setup works well. Big thanks to everyone who's provided input or advice - hopefully this guide helps others experiencing similar issues. (I might edit this post in coming days to add more screenshots or clarify the wording.)
Cheers
DMcG
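
The option check described in the post (which of options 43, 60, 66 and 67 actually reach the client), as an added example that is not part of the original post or the poster's script. It assumes the DHCP message has been exported from the capture as raw UDP payload bytes; the function names, the sample offer and the boot file name are constructed for illustration.

```python
# Added example (not from the original post); sample bytes below are constructed.
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field (RFC 2131)
BOOTP_HEADER_LEN = 236               # fixed BOOTP header that precedes the cookie
PXE_OPTIONS = {43: "vendor-specific info", 60: "vendor class identifier",
               66: "TFTP server name", 67: "bootfile name"}


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option code: raw bytes} from a DHCP message (the UDP payload)."""
    start = BOOTP_HEADER_LEN + len(MAGIC_COOKIE)
    if len(payload) < start or payload[BOOTP_HEADER_LEN:start] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    options, i = {}, start
    while i < len(payload):
        code = payload[i]
        if code == 255:              # End option
            break
        if code == 0:                # Pad option: a single byte with no length
            i += 1
            continue
        length = payload[i + 1] if i + 1 < len(payload) else -1
        value = payload[i + 2:i + 2 + length]
        if length < 0 or len(value) != length:
            raise ValueError(f"option {code} is truncated")
        # RFC 3396: an option that appears more than once is concatenated
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def missing_pxe_options(payload: bytes) -> list:
    """PXE option codes from the post (43, 60, 66, 67) absent from the message."""
    present = parse_dhcp_options(payload)
    return [code for code in PXE_OPTIONS if code not in present]


def build_sample_offer(options: dict) -> bytes:
    """Constructed test input: a zeroed BOOTP reply header plus the given options."""
    body = b"".join(bytes([c, len(v)]) + v for c, v in options.items())
    return bytes([2]) + bytes(BOOTP_HEADER_LEN - 1) + MAGIC_COOKIE + body + b"\xff"


# Constructed offer reproducing the symptom in the post: 43 and 67 present only.
SAMPLE_OFFER = build_sample_offer({53: b"\x02", 43: b"\x06\x01\x08",
                                   67: b"boot/example.0"})

if __name__ == "__main__":
    for code in missing_pxe_options(SAMPLE_OFFER):
        print(f"option {code} ({PXE_OPTIONS[code]}) missing from the offer")
```

Running the same check against the offer each client class receives (BIOS and UEFI) shows whether a scope-level or policy-level setting is replacing the server-level options before the client sees them.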