Googling about WDS shows you that every single IT pro on earth has made a guide to deploy this Windows Server feature. Unfortunately, most of them only cover the basic scenario, which is: WDS and AD installed on the same subnet, without a DHCP server!
I definitely will not cover that case here!!!
One scenario I’ve often seen at customer sites has the following requirements:
- Building an imaging factory based on WDS
- Isolated on its own subnet, with its own DHCP
- Keeping total control over who is deploying and what is deployed
- Keeping production network safe from traffic overload
- Machines should be able to register to the corporate Active Directory
- Be creative…
Well, while there is nothing complex here, most desktop engineers I know do not deal every day with routing and network configuration. So to make everybody more comfortable (including me), I’ve put together this blog post.
Infrastructure
To meet the previous requirements, our WDS server should be implemented this way:
I won’t go into all deployment details here, especially because this blog post focuses on an already up and running WDS server. If you are beginning from scratch, this post by Adnan Hendricks should teach you everything needed to get you started.
The following instructions apply if and only if one of these is true:
- WDS, DHCP and an untrusted AD are on the same server (which still needs the corporate AD to register machines and to apply GPOs).
- WDS and DHCP are on the same server and the corporate AD is on another subnet.
WDS Hardware
The WDS server must have at least two network interfaces. The first one communicates on the corporate network (IP 10.139.36.1) and the second one is dedicated to the private factory LAN (IP 192.168.0.10).
If you already have WDS in place and need to add a secondary NIC, please read the following before proceeding:
Do yourself a favor (and keep your job): you are about to add connectivity to a machine that broadcasts IP addresses over the network. If you don’t want to get fired for running a rogue DHCP server on your company network, then before going any further: launch services.msc, stop the DHCP Server service, and set its startup type to Disabled!
After doing this, you can safely update your hardware.
The NICs should be configured like this:
For the NIC connected to your corporate network, choose automatic configuration by DHCP (not forgetting to ask the network team for a DHCP reservation) or manually configure an IP on the same subnet as your corporate network. You should also set valid corporate DNS and gateway addresses (for the purpose of this guide, this card will have IP 10.139.36.161).
For the NIC connected to your private factory LAN, set up an IP address and a network mask from the same range as your DHCP scope (if you come from an already in place WDS, this is already the case!). If you’ve configured a gateway and DNS on it, remove them to avoid unexpected behavior (for the purpose of this guide, this network card will have IP 192.168.0.10).
Note: an imaging factory also requires a dedicated switch and a KVM, but that story is out of this post’s scope.
WDS Configuration
Now that the network is up and running, we need to force WDS to serve only the private factory LAN. To do this, open a command prompt with admin rights and type in the following commands:
WDSUTIL /Set-Server /BindPolicy /Add /Address:192.168.0.10 /AddressType:IP
WDSUTIL /Set-Server /BindPolicy /Policy:Include
After that, you can safely go back to the services.msc console, set the DHCP Server service back to the “Automatic” startup type and start the service again.
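The hardware and WDS configuration steps above as one PowerShell script, added here as an example and not part of the original post. It assumes the two adapters are aliased “Corporate” and “Factory” (check Get-NetAdapter and adjust) and uses the post’s addresses; it also restricts the DHCP Server service’s own interface bindings, which the WDS bind policy does not cover.

```powershell
# Added example, not from the original post. Assumed interface aliases: "Corporate"
# and "Factory"; addresses are the ones used in the post.
$factoryNic   = 'Factory'
$corporateNic = 'Corporate'
$factoryIp    = '192.168.0.10'

# 1. Stop and disable DHCP Server before touching the second NIC: a DHCP server
#    leasing on the corporate segment is a rogue DHCP server.
Stop-Service DHCPServer
Set-Service  DHCPServer -StartupType Disabled

# 2. Factory NIC: static address in the scope's range, no default gateway, no DNS.
if (-not (Get-NetIPAddress -InterfaceAlias $factoryNic -IPAddress $factoryIp -ErrorAction SilentlyContinue)) {
    New-NetIPAddress -InterfaceAlias $factoryNic -IPAddress $factoryIp -PrefixLength 24
}
Get-NetRoute -InterfaceAlias $factoryNic -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
Set-DnsClientServerAddress -InterfaceAlias $factoryNic -ResetServerAddresses

# 3. WDS: bind only to the factory address (the post's two WDSUTIL commands).
wdsutil /Set-Server /BindPolicy /Add "/Address:$factoryIp" /AddressType:IP
wdsutil /Set-Server /BindPolicy /Policy:Include

# 4. Re-enable DHCP Server, then immediately restrict its own bindings: the WDS
#    bind policy covers WDS only; the DHCP service keeps a separate binding list
#    (the DhcpServer cmdlets need the service running, hence this order).
Set-Service   DHCPServer -StartupType Automatic
Start-Service DHCPServer
Set-DhcpServerv4Binding -InterfaceAlias $corporateNic -BindingState $false
Set-DhcpServerv4Binding -InterfaceAlias $factoryNic   -BindingState $true

# 5. Verify: if anything other than the factory NIC is still bound, stop right here.
$bound = @(Get-DhcpServerv4Binding | Where-Object BindingState)
if ($bound.Count -ne 1 -or $bound[0].InterfaceAlias -ne $factoryNic) {
    Stop-Service DHCPServer
    throw "DHCP Server bound to [$($bound.InterfaceAlias -join ', ')], expected only $factoryNic"
}
```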
DHCP Option Configuration
To allow your clients to reach the corporate network, some DHCP options need to be set up:
- Router: IP address of the router connected to both your subnet and your corporate network
- DNS Server: IP address of your corporate DNS
Enabling network address translation
To enable proper routing between our two networks, we will enable NAT (network address translation). This solution has many advantages over static routing or Internet Connection Sharing:
- It is a no-brainer!
- You don’t need to modify any routing table on the corporate routers around you (in other words, it will work everywhere without requiring admin rights on the routers).
- You keep full control over the DHCP addresses and their options.
To set up NAT, you’ll have to add the RRAS (Routing and Remote Access Service) role to your server.
If you are using a server version prior to 2012, you first have to select “Network Policy and Access Services” in the role list.
On Server 2012 and later, the role was renamed to “Remote Access”.
Depending on your server version, you will or will not be prompted to install various components; all those details can be found here for Server 2008 and there for Server 2012. The only important thing is to keep the following role services checked:
- Remote Access Service (2008) or DirectAccess and VPN (2012)
- Routing
Once the installation is finished, go to the RRAS console. You’ll have to start the service by right-clicking the server node and then clicking Configure and Enable Routing and Remote Access.
A wizard opens; select Network address translation (NAT).
NAT needs to know how your network is set up. In the next panel, you’ll have to define your corporate network as the Public Interface.
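The DHCP option and NAT steps (the two sections above) as one PowerShell script for Server 2012 and later, added here as an example and not part of the original post. It assumes the scope is 192.168.0.0/24, the adapters are aliased “Corporate” and “Factory”, and a placeholder corporate DNS of 10.139.36.5; with NAT on this server, its factory-side address is the router the clients use.

```powershell
# Added example, not from the original post. Assumed: scope 192.168.0.0/24,
# interface aliases "Corporate" and "Factory", placeholder corporate DNS.
$scopeId      = '192.168.0.0'
$factoryIp    = '192.168.0.10'   # the post's factory-side address of this server
$corporateDns = '10.139.36.5'    # placeholder: replace with your corporate DNS server
$corporateNic = 'Corporate'
$factoryNic   = 'Factory'

# DHCP scope options 003 (Router) and 006 (DNS Servers). Once RRAS NAT runs on
# this server, its factory-side address is the router the clients must use.
Set-DhcpServerv4OptionValue -ScopeId $scopeId -Router $factoryIp -DnsServer $corporateDns

# Remote Access role with the Routing role service (plus the RRAS console).
Install-WindowsFeature RemoteAccess, Routing -IncludeManagementTools

# Enable RRAS for LAN routing only, then create the NAT: the corporate NIC is the
# public interface (the wizard's "Public Interface" choice), the factory NIC private.
Install-RemoteAccess -VpnType RoutingOnly
netsh routing ip nat install
netsh routing ip nat add interface "name=$corporateNic" mode=full
netsh routing ip nat add interface "name=$factoryNic" mode=private

# Checks: the options landed on the scope, and both interfaces show up in the NAT.
Get-DhcpServerv4OptionValue -ScopeId $scopeId -OptionId 3, 6
netsh routing ip nat show interface
```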
Your configuration is now done. You can now deploy computers in your private factory LAN that will register to Active Directory, download GPOs and even surf the web if you have set up your corporate proxy in IE.