In the process of migrating from ConfigMgr 2012R2 to Current Branch, I have 2 ConfigMgr servers on the same network. In addition to that, I have a regular WDS server that is used for imaging servers, and a Ubuntu PXE server that netboots various utilities.
But how to choose which server a computer uses to boot? With a normal setup, the computer will just boot from whichever server responds first. This setup avoids that problem.
What makes this hard to do?
UEFI and Secure Boot. I want to use Secure Boot on some machines. But with Secure Boot enabled, you can only load a Microsoft signed bootloader. It also requires disabling the legacy boot mode for network booting.
My previous setup just had a Ubuntu server running DNSMasq and booting PXELINUX. That pxelinux gave a menu with options for WDS and ConfigMgr servers, and other utilities.
It doesn’t work in UEFI mode however, only legacy network boot mode. Supposedly you can boot SYSLINUX over PXE in UEFI mode, but it’s buggy and doesn’t work for me. And SYSLINUX hasn’t had a release in years from what I can see, so it doesn’t look like it’s getting fixed any time soon. On top of that, neither pxelinux nor syslinux is signed by Microsoft. So on a Secure Boot system, it can’t be loaded. Again, there are supposed to be ways around that, like using a Microsoft signed shim and a Canonical signed version of grub to do the loading, but I couldn’t get that working properly either. Even if I could, it might work on physical machines, but VMs require you to choose either the Microsoft Windows or Microsoft 3rd party Secure Boot template - you can’t have both. Which means even if it did work, there’s no way to get Secure Boot to go from the Microsoft 3rd party signed shim to a Microsoft Windows signed WDS bootloader.
That’s fine, I can accept that. But I still need to be able to choose between several WDS/ConfigMgr boot servers, which do use Microsoft signed bootloaders and work with Secure Boot.
This setup does that - BIOS clients can still use the menu and utilities. UEFI clients can only use WDS/ConfigMgr, but get a menu where they can choose which server to use.
In almost every topic I’ve read, DHCP options and IP Helpers come up a lot. Everyone seems to be very confused by them.
DHCP Options are set on your DHCP server. They will not work with both BIOS and UEFI, because you can only point clients at a single boot program. There are ways around this, but it’s complex and hard to configure. IP Helpers are configured on your switch or router, to forward the DHCP broadcast packets beyond their local subnet to remote DHCP/WDS/PXE/ConfigMgr servers.
If your DHCP server, WDS/PXE/ConfigMgr server(s) and clients are all on the same subnet, you don’t need any of that. It will just work.
My network has:
- ad2 (192.168.0.3) - Server 2012R2 AD Domain controllers, running DNS and DHCP as well.
- sccm2012 (192.168.0.10) - ConfigMgr 2012R2 server
- sccmcb (192.168.0.11) - ConfigMgr Current Branch
- wds (192.168.0.12) - Server 2012R2 WDS server
- pxe (192.168.0.4) - Ubuntu 18.04 server
- biosclient - A generation 1 Hyper-V VM using the legacy network adapter, on a Windows 10 machine
- ueficlient - A generation 2 Hyper-V VM with Secure Boot enabled and set to the Microsoft Windows template
Enable PXE on the configuration manager server normally. In the distribution point’s PXE settings, set a PXE server response delay of 15 seconds on both servers.
You may also want to disable the “Press F12 to network boot” prompt. In the RemoteInstall folder, under SMSBoot, do this in both the x64 and x86 folders:
That removes the F12 prompt when booting.
Even if you don’t plan to use WDS and just want 2 configuration manager servers, you still need the WDS server. It’s part of the magic.
Set up WDS like normal. Set the PXE Response Delay to 2 seconds.
You’ll also need to enable the WDS boot menu. This is a hidden (and unsupported) feature of WDS. In regedit, change HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers\BINLSVC\AllowServerSelection to 1 and restart the WDS service.
Ubuntu Server Setup
The Ubuntu server is only needed if you want to boot other utilities like memtest, linux live images, etc. If you are strictly interested in WDS and ConfigMgr and don’t want any of those, you can skip this step.
Anything you configure here will not work on systems using native UEFI booting (but legacy network booting in UEFI mode should still work). I set it up this way to allow secure boot systems to still use the WDS/ConfigMgr servers - they will not load pxelinux since it isn’t signed by Microsoft.
Install Ubuntu 18.04 Server. Set a static IP address for it (the method is different from previous versions, so look up how to do it).
Dnsmasq is installed in Ubuntu 18.04 by default, but doesn’t work properly. To get it running as a full server instead of a DNS client, you need to:
- Edit /etc/systemd/resolved.conf to set
- Remove the symlink /etc/resolv.conf and replace with a resolv.conf containing:

```
nameserver 220.127.116.11
nameserver 18.104.22.168
search your.domain.here
```

Replace the nameservers there with whatever you want to use, preferably your AD DNS servers.
The default install doesn’t have the configuration to run as a service. Create
```
[Unit]
Description = Self-created DNSMasq service unit file
After=sys-subsystem-net-devices-enp4s0.device

[Service]
Type=forking
ExecStartPre=/lib/systemd/systemd-networkd-wait-online -i enp4s0
ExecStart=/usr/sbin/dnsmasq
Restart=on-failure
RestartSec=15

[Install]
WantedBy=sys-subsystem-net-devices-enp4s0.device
```
Replace enp4s0 with the name of your network card, e.g. eth0. Thanks to https://nucco.org/2018/05/ubuntu-18-04-chronicles-creating-a-dnsmasq-service.html for the guide on how to fix that.
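```
# Disable the DNS function; this host only answers PXE requests
port=0
log-dhcp
# Serve boot files from the built-in TFTP server
enable-tftp
tftp-root=/var/lib/tftpboot
# Proxy mode: add PXE information only, the real DHCP server hands out addresses
dhcp-range=192.168.0.1,proxy,255.255.255.0
pxe-prompt="Press F8 for Dnsmasq options", 1
# BIOS clients load lpxelinux from this server's TFTP root
pxe-service=x86PC, "Go to main menu", lpxelinux
# x64 UEFI clients go straight to the WDS server's boot program
pxe-service=x86-64_EFI, "WDS Server for UEFI", boot\x64\wdsmgfw.efi,192.168.0.12
```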
Replace the dhcp-range with your subnet, and 192.168.0.12 with the IP address of your standard WDS server.
This configuration tells Dnsmasq to act only as a PXE proxy server: BIOS clients are told to boot lpxelinux from this server’s tftp directory, and UEFI clients skip that and boot directly from the WDS server.
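How a client ends up on one pxe-service line or the other, as an added example that is not part of the original post: a PXE client announces its firmware type in DHCP options 60 and 93, and the code below parses those from a constructed options field and returns the boot target the configuration above assigns. The function names and sample data are made up for illustration, and it assumes x64 UEFI firmware reports architecture code 7.

```python
import struct

# Basename and server from this page's two pxe-service lines, keyed by the
# DHCP option 93 architecture code (assumed: 0 = BIOS, 7 = x64 UEFI).
BOOT_TARGETS = {
    0: ("BIOS", "lpxelinux", "dnsmasq host"),
    7: ("UEFI x64", r"boot\x64\wdsmgfw.efi", "192.168.0.12"),
}

def parse_options(blob: bytes) -> dict:
    """Parse a DHCP options field (after the magic cookie) into {code: value}."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:            # End option
            break
        if code == 0:              # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} runs past end of data")
        opts[code] = value
        i += 2 + length
    return opts

def classify(blob: bytes):
    """Return (firmware, basename, server), or None when no entry applies."""
    opts = parse_options(blob)
    if not opts.get(60, b"").startswith(b"PXEClient"):
        return None                # not a PXE client: proxy DHCP ignores it
    if len(opts.get(93, b"")) < 2:
        return None
    (arch,) = struct.unpack("!H", opts[93][:2])
    return BOOT_TARGETS.get(arch)

def make_discover(arch: int) -> bytes:
    """Constructed sample options, shaped like a PXE ROM's DHCPDISCOVER."""
    vci = f"PXEClient:Arch:{arch:05d}:UNDI:003016".encode()
    return (bytes([53, 1, 1]) + bytes([60, len(vci)]) + vci
            + bytes([93, 2]) + struct.pack("!H", arch) + bytes([255]))

if __name__ == "__main__":
    for arch in (0, 7):
        print(arch, classify(make_discover(arch)))
```

An architecture code with no matching entry returns None, which mirrors a client that gets no boot offer from this server and falls through to whichever other PXE server answers.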
Create the directory /var/lib/tftpboot. Download syslinux from https://mirrors.edge.kernel.org/pub/linux/utils/boot/syslinux/Testing/6.04/syslinux-6.04-pre1.tar.gz, and extract it. From that folder copy these files:
I also copied the Parted Magic PXE boot files to a folder, and Memtest86+ V5.01. I also found a nice background and saved it as
lpxelinux.0 is used instead of pxelinux.0 because it also supports HTTP loading. You can set up an HTTP server and point to files like LINUX http://192.168.0.12/pmagic/bzImage64 which will load them over HTTP instead of TFTP. I didn’t fully document that here, but it’s much faster.
Create the /var/lib/tftpboot/pxelinux.cfg folder, and a file named default in there with:
```
DEFAULT vesamenu.c32
NOESCAPE 1
MENU TITLE Network Boot Menu
MENU RESOLUTION 1024 768
MENU BACKGROUND background.jpg

LABEL -
  MENU LABEL OS Deployment:
  MENU DISABLE

LABEL wds
  MENU LABEL WDS Server at 192.168.0.12
  MENU INDENT 2
  KERNEL pxechn.c32 192.168.0.12::Boot\x64\wdsnbp.com -W
  TEXT HELP
  Standard WDS server
  ENDTEXT

LABEL configmgr2012
  MENU LABEL ConfigMgr 2012R2 at 192.168.0.10
  MENU INDENT 2
  KERNEL pxechn.c32 192.168.0.10::Boot\x64\wdsnbp.com -W
  TEXT HELP
  Configuration Manager 2012R2
  ENDTEXT

LABEL configmgrcb
  MENU LABEL ConfigMgr Current Branch at 192.168.0.11
  MENU INDENT 2
  KERNEL pxechn.c32 192.168.0.11::Boot\x64\wdsnbp.com -W

LABEL -
  MENU LABEL Diagnostics:
  MENU DISABLE

LABEL pmagic
  MENU LABEL Parted Magic Utilities
  MENU INDENT 2
  LINUX pmagic/bzImage64
  INITRD pmagic/initrd.img,pmagic/fu.img,pmagic/m64.img,pmagic/files.cgz
  APPEND edd=on vga=normal
  TEXT HELP
  Parted Magic (https://partedmagic.com)
  - Disk Partitioning and cloning
  - Erase HDDs, SSDs and NVME drives with proper Secure Erase support
  - Benchmark and stress testing
  - Reset local administrator password for Windows
  ENDTEXT

LABEL memtest
  MENU LABEL MemTest
  MENU INDENT 2
  KERNEL utils\memtest
  TEXT HELP
  Memtest86+ 5.01
  Runs memory diagnostics
  ENDTEXT
```
Edit the IP addresses for your own servers. You can add more network boot items as desired. Most network bootable utilities and OSes come with instructions on how to put them in pxelinux’s menu.
With Ubuntu server:
- Starts network booting
- Dnsmasq on pxe server responds first. Computer boots from that and loads the pxelinux menu
- From the pxelinux menu, user selects which server or utility to run, with the ability to choose any of the 3 windows deployment servers.
This lets you directly choose any server you want. There’s no function key to forget to press in time. And you can choose from any other utilities you add.
Without Ubuntu server:
- Starts network booting
- WDS server responds first, loading its wdsnbp.com boot program.
- WDS boot program gives the option to press F11 to select a boot server.
- If you press F11, it will search for other WDS servers, and list all 3 available servers (itself, plus the two ConfigMgr servers). You can choose any of the servers.
- If you don’t, it boots from the WDS server
UEFI clients:
- Starts network booting
- Dnsmasq responds first. It points to the WDS server’s network boot program. If you skipped the Ubuntu setup, the WDS server would respond first and you’d end up in the same place.
- The WDS boot program gives the option to press F9 to select a boot server. (Yes, it’s F9 on UEFI and F11 on BIOS, no idea why it’s different.)
- If you press F9, it will search for other WDS servers, and list all 3 available servers (itself, plus the two ConfigMgr servers). You can choose any of the servers.
- If you don’t, it boots from the WDS server
This does NOT allow booting any utilities, but works in Secure Boot mode.
The one downside to this is the ConfigMgr servers get listed like 192.168.0.11 [Unknown]. You have to know which IP address corresponds to the server you want. There doesn’t seem to be any way to set their name.