Hi my friends, very very long time no see. I sincerely apologize for my period of absence, however this is partially due to lack of new content to write, which is caused by a period of not working with deployment tools.
In previous blog posts, I’ve set out some default settings to configure MDT with, such as the CustomSettings.ini and Bootstrap.ini, and then there is this script which configures your MDT environment automatically with PowerShell.
This time I thought it would be useful to write about the requirements you need for implementing MDT on (a customers) site:
table 1.1 Server Details:
|Operating System||Windows Server 2012R2|
|Disk 0||50 Gb|
|Disk 1||100 Gb|
If you want to incorporate the MDT database integration, you’ll need a database on a SQL server, with service accounts with the following permissions:
table 1.2 Database Details:
|Database||Microsoft SQL 2005 or higher|
|Database permissions||MDT Database Service Accounts; dbo_owner|
|Database permissions||MDT Administrators; db_datareader, db_datawriter|
If you install Windows Deployment Services to transport your MDT boot image with PXE boot, you’ll need to configure certain scope options in DHCP, take notice that the DHCP option 60 is only needed to be configured when DHCP and WDS run on one and the same server:
table 1.3 DHCP Details:
|66||Boot Server Host Name||
The IP helper address needs to be configured, when your DHCP and WDS server are not on the same subnet. This prevents the boot image from being loaded into and over the memory of the network device, but point’s directly to the WDS server.
table 1.4 Network Details:
|IP Helper Address|
Next up, service accounts, based on least privileges needed to function, and, for setting the OU permissions for the domain join account, there is this very neat little script from MDT guru Johan Arwidmark:
table 1.5 Service Account Details:
|SA-MDT||NTFS: Read & execute, List folder contents, Read Share: Read||Folder: DeploymentShare|
|SA-MDTDomainJoin||Create Computer Objects; Delete Computer Objects; Read All Properties; Write All Properties; Read Permissions; Modify Permissions; Change Password; Reset Password; Validated write to DNS host name; Validated write to service principle name;||Active Directory: Organizational Unit|
|SA-MDTDB||dbo||SQL Server: database user mapping|
You can put accounts in groups and give permissions to groups if more people need the same permissions to work with MDT:
table 1.6 Domain Group Details:
|Group Name||Type||Member of||Members|
|DM-MDT||Domain local - Security||n.a.||GM-MDT|
|GM-MDT||Global - Security||DM-MDT||SA-MDTDB|
|DM-MDT-Admins||Domain local - Security||n.a.||GM-MDT-Admins|
|GM-MDT-Admins||Global - Security||DM-MDT-Admins||Individual Active Directory users|
Lastly again folder permissions based on least privileges, and also the SQL Share for authentication of unknown users during Operating System Deployment – WinPE phase
table 1.7 Folder permission Details:
|Folder||Account / Group||NTFS Permissions||Share Permissions|
|DeploymentShare||SA-MDT||Read & execute, List folder contents, Read||Read|
|SQL Share||Authenticated Users||n.a.||Read|
So next time you’re going to implement MDT, keep in mind some (preferably all) of the mentioned requirements, and hopefully this will make life again much easier.
~Things not working, privileges wrong? Don’t hesitate to let me know!
Thanks for the information..I wanted migrate windows 2008 server to windows 2012 R2 using MDT 2013. Could you please let me know how to do that?
Thank you in advance
Unfortunately, USMT does not work on Windows Server 2003 or 2008 to migrate Terminal servers. what is the best method we can use to migrate user profiles?- Thanks
I need a small help to configure MDT. It will be very helpful for me if you give me answer of my below question.
I want to configure MDT with separate DHCP Server. I tried my best to search from Google and reading different blogs but not succeed .
Would you please provide the exact steps to configure MDT with DHCP on different host.
I’ve been out of this material for some years now, however. If you have MDT running on a different server then the DHCP server you have to do nothing. It’s important that if WDS is running on the same server as DHCP that you supply additional instructions to the DHCP. However, if you have WDS running in your network and it is the only WDS instance that serves PXE booting, then no configuration of your DHCP is necessary.
Good luck! Kind Regards.
I’m curious as to whether MDT is cluster aware? Can I install MDT on a server cluster so it can failover to another node? My deployment share will be hosted on a HA HA clustered file server.
I think you need to have your share HA, either with the solution you state or replicated dfs.
The mdt workbench software itself is not cluster aware, however you can install multiple workbench consoles on different servers as long as you keep your prereq software and mdt version on the same level across all workbench servers.