Ghost Solution Suite

Some quick info on the setup I'm running:
-GSS 2.5
-Dell PowerEdge SC1430 running Windows Server 2003 R2: host to DHCP, TFTP, PXE, and GhostCast servers (following the SolarWinds TFTP tutorial).
-Cisco Catalyst WS-2980G 80-port switch.
-WinPE-512 (w/ deploy anywhere) images are pulled from the server via PXE.
-This is an isolated setup, completely free of any outside networking influence, completely dedicated to the purpose of ghosting.

The problem:
-The ultimate goal of the setup was to have the ability to multicast to 10 laptops.
-Adding the switch in between the server and client causes a 10030 when connecting (after entering session name), which does not change for UC/MC/DC.

What's been tried:
-Swapping the expensive switch for a dumb switch (no change).
-Reconfiguring switch to default settings (stopped PXE from pulling a DHCP address at boot up).
-Removing the switch and running a patch cable from server to client (100% successful unicast).

I would be quick to blame drivers in WinPE, but it worked in a p2p setup. At this point, I can't figure out if it's a switch configuration or a server configuration that needs to be looked at.

Boot to Windows PE, exit to the command window and do an ipconfig/all command: does this show a valid IP address? If not, it is probably drivers. What are the client machines, and is there an antivirus?

Generally, the most simple thing to do when analysing connectivity is to work into the network by alternately working from each end; start by running a packet capture (using e.g. Wireshark) at the server end to see if you can see the clients querying for sessions, for instance, and so whether GhostCast responds - the session query packets are sent by clients via multicast to a fixed multicast channel number - 224.77.0.0 port 6666, specifically - which listening GhostCast servers join. So, the first thing to determine is whether that query is getting through or not. If it isn't, then that's the cause of the 10030 right there

If the server isn't getting the initial session location query, then check the clients to see that in Windows PE the adapter is up and drivers are loaded - just use ipconfig to see that it's acquired an IP address - and check that the boot-time firewall is off using netsh (which it will be if you used our initial WinPE, but generally isn't if you use a WIM from any other source).

After much hair pulling, a few reinstalls of GSS, 11 boot package attempts, and 2 ethernet cables, the clients will now successfully talk to the server through a switch.

The clients in question are General Dynamics GoBook XR-1's running an on-board Agere PCI-E1310 Gigabit Ethernet adapter.

It turns out the NIC drivers I thought were Vista were actually XP, and the driver install file was unpackaging the true driver setup files into another setup folder. Once this second setup was done, I could down the real driver files and get them loaded into WinPE. After disabling all possible storage and network drivers other than my own, network boot package number 11 was a success.

My thanks for pointing in the direction of ipconfig in WinPE command prompt. It had completely slipped my mind. The controller was not pulling an IP address and kicked back an error whenever I would try to renew.

It's still strange that it was working in a p2p setup, but I wasn't able to duplicate it again for a comparison.

Are there any tips on getting WinPE to load ghost32 any faster? It seems the time saved through multicasting or gigabit unicasting is immediately lost in the 10-15 minutes it takes the laptop to load the ghost menu...

The performance thing is just PXE, unfortunately - the ultra-simple TFTP protocol is designed for simplicity of implementation for boot ROM code rather than performance, and so there's no pipelining of packets - meaning that there's lots of request/response latency in TFTP transfers, and so large boot packages like the Windows PE one just take their time. Of course, a good chunk of that WinPE boot package is all the drivers that need to be included with it so it's not really that large considering the range of hardware it supports.

Probably a majority of folks using GSS2.5 use the management environment which builds the boot environment inside a file on the existing disk, and then can boot into it and back to the existing OS - that comes up more than fast enough to generally get a big performance win overall (because of the better drivers and more memory available when running under WinPE instead of the BIOS drivers used in DOS).

If you have your heart set on using PXE, instead of using GSS2.5 management console or booting from a USB stick, then using a Linux PXE boot environment instead of WinPE is the only real option for cutting the boot package size down enough to make a difference given that TFTP is so darn slow. Of course, that has difficulties sometimes too, since Linux drivers aren't at all binary-compatible, making it in effect impossible for us to add drivers to it easily - so you need to test that it works on your hardware. If it does, though, the ThinStation version of Linux we include with 2.5 is small enough compared to WinPE that it should make a big difference to your boot times.

Incidentally, if you want to see something REALLY tragic, be on an international flight when the in-flight entertainment systems crash and get rebooted. A couple of hundred embedded machines all on the same subnet all trying to boot Windows CE at the same time over PXE ... they get there in the end but it's just as well the flight was 14 hours long.

The nature of these laptops forces me to assume they have no working operating system when it comes time to ghost. They also have a 2-year life cycle before they are replaced, and the transition of 70+ laptops needs to be as seamless (and fast) as possible. I'm also about to begin a Vista migration that has to see 156 laptops ghosted with a quickness.

Booting to USB stick is my preferred method, but unfortunately flash devices are not authorized for use on DoD computer systems. Ever.

Is there no way to cut the number of drivers loaded to, say, 4? I see all these other drivers that are loaded automatically, but I don't need them. I have the luxury of knowing my hardware will be the same so long as the laptop model is the same (currently there are two models).

Booting from CD/DVD was my previous method, but the limited number of external drives available to me were required elsewhere.
I'll try playing around with the management environment, but if I have no idea where to begin in setting that up. Installing the software into the clients' operating system is out of the question for security reasons.

Finding Linux drivers for these specialized laptops won' t happen. Finding Windows drivers is hard enough.

Unless LiveUpdate can be done manually, my version is stuck at whatever came with the install disk. This server is isolated from the main network to gain Internet access (again, for security reasons).

I've had the privilege of seeing an in-flight entertainment system reboot firsthand on my deployment to Afghanistan. I'm not sure if it's a coincidence or not that first class was up and running before the rest of us.
Now the telecom closet in my deployed dormitory... THAT was tragic.

 Ah, the military. I guess if the policy is written to not permit you to use non-Flash USB boot devices you're out of options (the GBW will format an external USB hard disk to be bootable just as well as it does a memory stick, for what it's worth).

> Is there no way to cut the number of drivers loaded to, say, 4?

You can cut it down a fair bit, but a lot of the drivers are preinstalled in PE with their files added to Windows\System32\drivers already, and so to get them out you need to unpack the WIM and then go through the INFs by hand to identify the files to chop out of Windows\System32\drivers. There's quite a bit more of the OS you can cut out too if you don't need it (for instance the WinPE-256 build in the WIM doesn't have WMI or some other parts of the OS).

Unfortunately it's tedious work and it requires a lot of manual testing as you cut things out to make sure you haven't damaged things, so it's a delicate balancing act. The WinPE-256Mb build we include in our WIM has already had some of this done to it to get it able to boot Vista on 256Mb machines from a RAMdrive, but the problem we faced in doing that is that for almost everything we cut out we'd have a customer who would end up complaining about the fact that their process required component X and why wasn't it working. So, our WinPE build tends to include lots of the standard Windows utilities just because we have to strike that balance.

It may be that the best process if you aren't using the management console and really want to squeeze things down a LOT is to work with vLite on a standard WinPE build to cut it down to the bone and then merge in the Ghost components to get a replacement for the standard WIM; no matter what you do there's a lot of tedium involved. Other than the fact there are two versions of WinPE inside the one WIM, the most important thing about the pre-built WIM included with GSS is that the Windows Firewall is completely turned off (whereas in the WAIK versions of PE it's on by default).

> Unless LiveUpdate can be done manually

We've generally always supported users on military and commercial secure networks by having LiveUpdate download our own install package which can be copied to other machines, rather than have LU just apply the updates directly as it does with AV. Normal LiveUpdate uses a digital signature system for the packages it downloads to ensure the download integrity, and for Ghost LiveUpdates we package either the installers or patches inside a single executable which we then digitally sign with the same code-signing keys we use on the main product.

For anyone with GSS installs off the main internet, just install a GSS management server instance on a machine which does have access to the public internet (you don't need to license it) and launch LiveUpdate from the console's Help menu. That will run LU in a context in which it should download the update package to the desktop, so you can save it and transport it elsewhere, and since it's easy to verify the package digital publisher signature that can be used to create a process to verify it's genuine as part of moving it to the secure environment.

[ Incidentally, although this works really well it can sometimes come unstuck on machines with Symantec Endpoint Protection installed - SEP turns out to configure LiveUpdate quite oddly and so on machines with SEP installed, if one of the SEP services trigger the update before it's done manually through the GSS console what happens is that the SEP-triggered LU downloads the GSS update package to an invisible user's desktop, and it doesn't get applied. However, LiveUpdate thinks it has downloaded and run the package so if you manually trigger LU, it tells you everything is up-to-date. ]