Few Q's about AD, XP, SysPrep, and Automatically Creating User Folders

bigdogchris (Fully [H], joined Feb 19, 2008, 18,721 messages)
I've only worked with 7/2008R2 in an Active Directory setting. Sysprepping to clone those machines with default profiles with unattends was very easy, but XP is a different story. I'm now faced with moving several buildings with XP machines to a few Server 2008 R2 boxes, which will all be in one location. There are around 700 machines but this will be a building by building process, maybe 100 at a time over the course of a year or more. Moving these machines to Win 7 is not an option. There are several buildings but they are all in the same town, all connected with fiber. I do not manage the physical network. My plan is to just offer each user their mapped network home drive and possibly redirected folders. I’m just keeping it basic.

How important is it to sysprep these XP machines after I do clean installs? I've heard it's very important but also know a lot of people on AD that just clone machines without sysprepping. I've heard not sysprepping can screw with WSUS, but in the years up to this point the machines on Novell have been cloned without sysprep and WSUS worked fine.

Also, will Sites give me the advantage of forcing groups/buildings of machines to authenticate to a specific DC? Otherwise I only know of Sites to allow you to control the replication between servers over WAN. What other benefits are there to using Sites for each building?

If I'm running a few DC/FS's, how do you guys recommend handling DNS? Each server that needs DNS installed will have it installed per requirement, but as for configuring the workstations DNS settings, should I dedicate one server to DNS or have two, or something different? What do you suggest?

My last question is about folder permission inheritance. In my previous experience, I created a folder inheritance system where when the user was created, their home drive pointed to a folder using \%username%\, and a folder would be automatically created, the user given ownership, and permissions inherited so they could view only that folder and no one else's. It works brilliantly. My problem is that when I use group policy to deploy folder redirections, I couldn’t figure out a way to automatically create folders. I ended up pointing the redirection policy back to their own home folder. It ended up working out OK, but whenever the users look in their network drive they could see the redirected folders. So how would you guys handle a situation like this? Are there any other ways to automatically create user folders? I do not want to use scripting. Everything I’m doing I have accomplished in the GUI.
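For readers who do want to see what the ADUC home-folder setup described above actually does on the file server, here is an added PowerShell example (not from this thread or any poster) that creates one user's home folder, makes the user its owner, and cuts inheritance so the folder is not readable by other users. The share root path D:\Home, the assumption that it is already shared, and that the root itself only grants Domain Users "List folder" on "This folder only" are all assumptions; run it on the file server as an administrator.

```powershell
# Added example: create a per-user home folder and lock it down to that user.
# Assumes the share root (D:\Home, assumed) is already shared and its own ACL
# gives Domain Users only list rights on "This folder only", so the folders we
# create here are the only thing each user can open. Run as an administrator.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [string]$Domain = $env:USERDOMAIN,
    [string]$HomeRoot = 'D:\Home'   # assumed share root
)

$folder = Join-Path $HomeRoot $SamAccountName
if (-not (Test-Path -Path $folder)) {
    New-Item -ItemType Directory -Path $folder | Out-Null
}

$acl = Get-Acl -Path $folder
# Stop inheriting the root's ACL and discard the inherited entries, so no
# read access granted at the root level flows down into this user's folder.
$acl.SetAccessRuleProtection($true, $false)

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# The user gets Modify (read/write/delete, no permission changes) on the
# folder and everything created beneath it.
$userRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$Domain\$SamAccountName", 'Modify', $inherit, $propagate, 'Allow')
# Administrators and SYSTEM keep full control for backup and support.
$adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', $inherit, $propagate, 'Allow')
$systemRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $propagate, 'Allow')

$acl.AddAccessRule($userRule)
$acl.AddAccessRule($adminRule)
$acl.AddAccessRule($systemRule)

# Make the user the owner, as ADUC does when it creates the home folder.
$acl.SetOwner([System.Security.Principal.NTAccount]"$Domain\$SamAccountName")
Set-Acl -Path $folder -AclObject $acl
```

Because the folder is protected from inheritance and no Domain Users entry is added, other users can list the root but cannot open this folder, which is the "see only your own folder" behaviour the post describes.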
 
We just make a ghost image and then deploy that same image unsysprepped. We have no issues with WSUS, DNS, AD, or anything. We use pretty much every MS product that's common and have no issues.

I'm working on a WDS server at work and Windows 7 is easy to deploy. You CAN use WDS with XP though.

I recommend running DNS on your DCs. I would do one DC at least per building that way if your WAN or "LANSPAN" connection fails, you still have DNS and can authenticate, etc. I would host the files of each building on their own FS also due to if your WAN goes down.
 
How important is it to sysprep these XP machines after I do clean installs?
It depends. Are you interested in doing things the correct way or the easy way?
Microsoft best practice says to sysprep. I personally HAVE had issues with non-sysprepped machines joining a domain and determined it was a problem with the GUIDs being duplicated. Granted this was with virtual machines but I had so many problems I promised myself I would sysprep 100% of the time in the future and I have never had a single problem.

I've heard it's very important but also know a lot of people on AD that just clone machines without sysprepping. I've heard not sysprepping can screw with WSUS, but in the years up to this point the machines on Novell have been cloned without sysprep and WSUS worked fine.
Again. The right way, or the easy way.

Also, will Sites give me the advantage of forcing groups/buildings of machines to authenticate to a specific DC? Otherwise I only know of Sites to allow you to control the replication between servers over WAN. What other benefits is there to using Sites for each building?
Yes, sites will allow you to dictate what subnets speak with what DCs. However, unless you plan to specifically restrict subnets from failing over to other DCs on the network, AD is by default a mesh. If a local DC is not responding then the machines WILL go and find another faster one.

If I'm running a few DC/FS's, how do you guys recommend handling DNS? Each server that needs DNS installed will have it installed per requirement, but as for configuring the workstations DNS settings, should I dedicate one server to DNS or have two, or something different? What do you suggest?
I recommend 2 DCs for each building/site. Both DCs should be running DNS and DHCP. DC1 should contain half your scope, DC2 the other half. They should both assign DC1 and DC2 as the primary and secondary DCs.

I do not want to use scripting. Everything I’m doing I have accomplished in the GUI.
:rolleyes:
 
I agree with Cyron. Use sysprep. And, just for clarification, are you talking about cloning domain joined machines? Cloning domain joined machines = bad news.

Also, if you can help it, don't run DHCP on DCs. There are two reasons. First, most people don't bother to go in and set the DHCP credentials to a non-system account. The reason for doing so is here: http://support.microsoft.com/kb/255134

Second, and I tell customers this all the time, is that DCs are pretty much throw-away. If there's a problem on a DC that is preventing it from booting or whatever, you're probably better off just turning it off, seizing any FSMO roles on another DC, performing metadata cleanup, and rebuilding from scratch. That way you don't end up with some funky artifacts or anything weird sitting around. Adding DHCP (or mixing any other roles for that matter) makes this more complicated. Now you have to move DHCP, change scopes around, etc...
 
I don't understand why you need to reimage the PCs.

It works brilliantly. My problem is that when I use group policy to deploy folder redirections, I couldn’t figure out a way to automatically create folders. I ended up pointing the redirection policy back to their own home folder

This doesn't make sense either. Creating the home folder is done in ADUC and totally different from deploying folder redirections via group policy.
 
Also, if you can help it, don't run DHCP on DCs. There are two reasons. First, most people don't bother to go in and set the DHCP credentials to a non-system account. The reason for doing so is here: http://support.microsoft.com/kb/255134
That is why I run DHCP on both DCs. If one fails then you still have half your scope and operations can continue. Unless you have gobs of money to throw at servers, running DHCP on a DC is perfectly acceptable.
What I do for the budget minded at my remote sites is a single beefy server that runs both of my DCs as VMs. Granted there is a chance of the entire server going down hardware wise, but then I have DCs at other sites that can pick up the slack. My DHCP leases are long enough that I have plenty of time to rebuild before the leases time out.

Granted, if I had an unlimited budget I would split out the roles.
 
Fair enough. Most of my customers are large enterprise customers, so they're usually just being cheap when they mix the roles.
 