Prepare for deployment with MDT

Applies to

  • Windows 10

This article will walk you through the steps necessary to prepare your network and server infrastructure to deploy Windows 10 with the Microsoft Deployment Toolkit (MDT). It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the file system and in Active Directory.

Infrastructure

The procedures in this guide use the following names and infrastructure.

Network and servers

For the purposes of this topic, we will use three server computers: DC01, MDT01, and HV01.

  • All servers are running Windows Server 2019.
    • You can use an earlier version of Windows Server with minor modifications to some procedures.
    • Note: Although MDT supports Windows Server 2008 R2, Windows Server 2012 R2 or later is required to perform the procedures in this guide.
  • DC01 is a domain controller, DHCP server, and DNS server for contoso.com, representing the fictitious Contoso Corporation.
  • MDT01 is a domain member server in contoso.com with a data (D:) drive that can store at least 200 GB. MDT01 will host deployment shares and run the Windows Deployment Service. Optionally, MDT01 is also a WSUS server.
    • A second MDT server (MDT02) configured identically to MDT01 is optionally used to build a distributed environment for Windows 10 deployment. This server is located on a different subnet than MDT01 and has a different default gateway.
  • HV01 is a Hyper-V host computer that is used to build a Windows 10 reference image.
    • See Hyper-V requirements below for more information about HV01.

Client computers

Several client computers are referenced in this guide with hostnames of PC0001 to PC0007.

  • PC0001: A computer running Windows 10 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain.
    • Client name: PC0001
    • IP Address: DHCP
  • PC0002: A computer running Windows 7 SP1 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This computer is referenced during the migration scenarios.
    • Client name: PC0002
    • IP Address: DHCP
  • PC0003 - PC0007: These are other client computers similar to PC0001 and PC0002 that are used in this guide and another guide for various scenarios. The device names are incremented for clarity within each scenario. For example, PC0003 and PC0004 are running Windows 7 just like PC0002, but are used for Configuration Manager refresh and replace scenarios, respectively.

Storage requirements

MDT01 and HV01 should have the ability to store up to 200 GB of files on a data drive (D:). If you use a computer with a single system partition (C:), you will need to adjust some procedures in this guide to specify the C: drive instead of the D: drive.

Hyper-V requirements

If you do not have access to a Hyper-V server, you can install Hyper-V on a Windows 10 or Windows 8.1 computer temporarily to use for building reference images. For instructions on how to enable Hyper-V on Windows 10, see the Verify support and install Hyper-V section in the Windows 10 deployment test lab guide. This guide is a proof-of-concept guide that has detailed instructions for installing Hyper-V.

Network requirements

All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.

Domain credentials

The following generic credentials are used in this guide. You should replace these credentials as they appear in each procedure with your credentials.

Active Directory domain name: contoso.com
Domain administrator username: administrator
Domain administrator password: pass@word1

Organizational unit structure

The following OU structure is used in this guide. Instructions are provided below to help you create the required OUs.

Figure 2

Install the Windows ADK

These steps assume that you have the MDT01 member server running and configured as a domain member server.

On MDT01:

Visit the Download and install the Windows ADK page and download the following items to the D:\Downloads\ADK folder on MDT01 (you will need to create this folder):

Tip

You might need to temporarily disable IE Enhanced Security Configuration for administrators in order to download files from the Internet to the server. This setting can be disabled by using Server Manager (Local Server/Properties).

  1. On MDT01, ensure that you are signed in as an administrator in the CONTOSO domain.
    • For the purposes of this guide, we are using a Domain Admin account of administrator with a password of pass@word1. You can use your own administrator username and password as long as you properly adjust all steps in this guide that use these login credentials.
  2. Start the ADK Setup (D:\Downloads\ADK\adksetup.exe), click Next twice to accept the default installation parameters, click Accept to accept the license agreement, and then on the Select the features you want to install page accept the default list of features by clicking Install. This will install deployment tools and the USMT. Verify that the installation completes successfully before moving to the next step.
  3. Start the WinPE Setup (D:\Downloads\ADK\adkwinpesetup.exe), click Next twice to accept the default installation parameters, click Accept to accept the license agreement, and then on the Select the features you want to install page click Install. This will install Windows PE for x86, AMD64, ARM, and ARM64. Verify that the installation completes successfully before moving to the next step.
  4. Extract the WSIM 1903 update (D:\Downloads\ADK\WSIM1903.zip) and then run the UpdateWSIM.bat file.
    • You can confirm that the update is applied by viewing properties of the ImageCat.exe and ImgMgr.exe files at C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\WSIM and verifying that the Details tab displays a File version of 10.0.18362.144 or later.
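
The file version check in step 4 can also be scripted. The following is an added example, not part of the original guide; it assumes the default ADK install path quoted in step 4, and the function name Test-WsimFileVersion is hypothetical.

```powershell
# Added example: confirm the WSIM 1903 update was applied.
# The minimum version and the folder are the ones stated in step 4 of this guide.
$wsimDir = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\WSIM'
$minimum = [version]'10.0.18362.144'

function Test-WsimFileVersion {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]  $Path,
        [Parameter(Mandatory)] [version] $MinimumVersion
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ File = $Path; Version = $null; Status = 'Missing' }
    }
    # Build the version from its numeric parts; the FileVersion string can carry extra text.
    $vi     = (Get-Item -LiteralPath $Path).VersionInfo
    $found  = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $status = if ($found -ge $MinimumVersion) { 'OK' } else { 'Outdated' }
    [pscustomobject]@{ File = $Path; Version = $found; Status = $status }
}

$results = foreach ($name in 'ImageCat.exe', 'ImgMgr.exe') {
    Test-WsimFileVersion -Path (Join-Path $wsimDir $name) -MinimumVersion $minimum
}
$results | Format-Table -AutoSize

if ($results.Status -contains 'Missing' -or $results.Status -contains 'Outdated') {
    Write-Warning 'WSIM update not confirmed; run UpdateWSIM.bat again before continuing.'
}
```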

Install and initialize Windows Deployment Services (WDS)

On MDT01:

  1. Open an elevated Windows PowerShell prompt and enter the following commands:
Install-WindowsFeature -Name WDS -IncludeManagementTools
WDSUTIL /Verbose /Progress /Initialize-Server /Server:MDT01 /RemInst:"D:\RemoteInstall"
WDSUTIL /Set-Server /AnswerClients:All

Optional: Install Windows Server Update Services (WSUS)

If you wish to use MDT as a WSUS server using the Windows Internal Database (WID), use the following command to install this service. Alternatively, change the WSUS server information in this guide to the WSUS server in your environment.

To install WSUS on MDT01, enter the following at an elevated Windows PowerShell prompt:

Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI
cmd /c "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS

To use the WSUS that you have installed on MDT01, you must also configure Group Policy on DC01 and perform the necessary post-installation configuration of WSUS on MDT01.

Install MDT

Note

MDT installation requires the following:

  • The Windows ADK for Windows 10 (installed in the previous procedure)
  • Windows PowerShell (version 5.1 is recommended; type $host to check)
  • Microsoft .NET Framework

On MDT01:

  1. Visit the MDT resource page and click Download MDT.
  2. Save the MicrosoftDeploymentToolkit_x64.msi file to the D:\Downloads\MDT folder on MDT01.
    • Note: As of the publishing date for this guide, the current version of MDT is 8456 (6.3.8456.1000), but a later version will also work.
  3. Install MDT (D:\Downloads\MDT\MicrosoftDeploymentToolkit_x64.msi) with the default settings.

Create the OU structure

Switch to DC01 and perform the following procedures on DC01:

To create the OU structure, you can use the Active Directory Users and Computers console (dsa.msc), or you can use Windows PowerShell.

To use Windows PowerShell, copy the following commands into a text file and save it as C:\Setup\Scripts\ou.ps1. Be sure that you are viewing file extensions and that you save the file with the .ps1 extension.

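# Read the OU names and parent paths from the CSV saved alongside this script
$oulist = Import-Csv -Path C:\Setup\Scripts\oulist.txt
ForEach ($entry in $oulist) {
    $ouname = $entry.ouname
    $oupath = $entry.oupath
    # Create each OU under its parent; parents are listed before their children
    New-ADOrganizationalUnit -Name $ouname -Path $oupath
    Write-Host -ForegroundColor Green "OU $ouname is created in the location $oupath"
}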

Next, copy the following list of OU names and paths into a text file and save it as C:\Setup\Scripts\oulist.txt:

OUName,OUPath
Contoso,"DC=CONTOSO,DC=COM"
Accounts,"OU=Contoso,DC=CONTOSO,DC=COM"
Computers,"OU=Contoso,DC=CONTOSO,DC=COM"
Groups,"OU=Contoso,DC=CONTOSO,DC=COM"
Admins,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
Service Accounts,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
Users,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
Servers,"OU=Computers,OU=Contoso,DC=CONTOSO,DC=COM"
Workstations,"OU=Computers,OU=Contoso,DC=CONTOSO,DC=COM"
Security Groups,"OU=Groups,OU=Contoso,DC=CONTOSO,DC=COM"

Lastly, open an elevated Windows PowerShell prompt on DC01 and run the ou.ps1 script:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
Set-Location C:\Setup\Scripts
.\ou.ps1

This will create an OU structure as shown below.

OU structure

To use the Active Directory Users and Computers console (instead of PowerShell):

On DC01:

  1. Using the Active Directory Users and Computers console (dsa.msc), in the contoso.com domain level, create a top-level OU named Contoso.
  2. In the Contoso OU, create the following OUs:
    1. Accounts
    2. Computers
    3. Groups
  3. In the Contoso / Accounts OU, create the following underlying OUs:
    1. Admins
    2. Service Accounts
    3. Users
  4. In the Contoso / Computers OU, create the following underlying OUs:
    1. Servers
    2. Workstations
  5. In the Contoso / Groups OU, create the following OU:
    1. Security Groups

The final result of either method is shown below. The MDT_BA account will be created next.

Create the MDT service account

When creating a reference image, you need an account for MDT. The MDT build account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01.

To create an MDT build account, open an elevated Windows PowerShell prompt on DC01 and enter the following (copy and paste the entire command, taking care to notice the scroll bar at the bottom). This command will create the MDT_BA user account and set the password to "pass@word1":

New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true

If you have the Active Directory Users and Computers console open, you can refresh the view and see this new account in the Contoso\Accounts\Service Accounts OU as shown in the screenshot above.
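
The command above carries the lab password as a literal, which can also end up in PowerShell command history. The following added example (not part of the original guide) creates the same MDT_BA account with the same settings but prompts for the password, and skips creation if the account already exists; the function name New-MdtBuildAccount is hypothetical.

```powershell
# Added example: create MDT_BA without a password literal in the command line.
# Requires the ActiveDirectory module (available on DC01).
Import-Module ActiveDirectory

function New-MdtBuildAccount {   # hypothetical helper name
    param(
        [string] $Name = 'MDT_BA',
        [string] $Path = 'OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM'
    )
    # -Filter returns nothing (and no error) when the account does not exist.
    $existing = Get-ADUser -Filter "SamAccountName -eq '$Name'"
    if ($existing) {
        Write-Warning "$Name already exists at $($existing.DistinguishedName); nothing created."
        return $existing
    }
    # Prompt so the password is not typed into the command itself.
    $password = Read-Host -Prompt "Password for $Name" -AsSecureString
    New-ADUser -Name $Name -UserPrincipalName $Name -Path $Path `
        -Description 'MDT Build Account' -AccountPassword $password `
        -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true -PassThru
}

$account = New-MdtBuildAccount

# Review the result. MemberOf lists groups other than the primary group (Domain Users),
# so an empty Groups column means the build account has no additional memberships.
Get-ADUser -Identity $account.SamAccountName -Properties PasswordNeverExpires, MemberOf, Description |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, Description,
                  @{ Name = 'Groups'; Expression = { $_.MemberOf -join '; ' } }
```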

Create and share the logs folder

By default, MDT stores the log files locally on the client. In order to capture a reference image, you will need to enable server-side logging and, to do that, you will need to have a folder in which to store the logs. For more information, see Create a Windows 10 reference image.

On MDT01:

  1. Sign in as CONTOSO\administrator.

  2. Create and share the D:\Logs folder by running the following commands in an elevated Windows PowerShell prompt:

    New-Item -Path D:\Logs -ItemType directory
    New-SmbShare -Name Logs$ -Path D:\Logs -ChangeAccess EVERYONE
    icacls D:\Logs /grant '"MDT_BA":(OI)(CI)(M)'
    

See the following example:

Logs folder
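
The commands above set permissions at two layers: the share grants Change to Everyone, and the NTFS ACL grants Modify to MDT_BA. The following added example (not part of the original guide) lists both layers side by side so you can confirm who can reach the logs over the share; the list of broad principals is an assumption to adjust to local policy.

```powershell
# Added example: review share-level and NTFS permissions on the MDT logs folder.
$shareName  = 'Logs$'
$folderPath = 'D:\Logs'
$expected   = 'CONTOSO\MDT_BA'   # build account created earlier in this guide
# Principals that cover almost any user (assumed list; adjust to local policy).
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

# Share layer: what New-SmbShare -ChangeAccess configured.
$shareAcl = Get-SmbShareAccess -Name $shareName |
    Select-Object @{ n = 'Layer';     e = { 'Share' } }, AccountName,
                  @{ n = 'Rights';    e = { [string]$_.AccessRight } },
                  @{ n = 'Type';      e = { [string]$_.AccessControlType } },
                  @{ n = 'Inherited'; e = { $false } }

# NTFS layer: explicit and inherited entries, including the icacls grant for MDT_BA.
$ntfsAcl = (Get-Acl -LiteralPath $folderPath).Access |
    Select-Object @{ n = 'Layer';       e = { 'NTFS' } },
                  @{ n = 'AccountName'; e = { $_.IdentityReference.Value } },
                  @{ n = 'Rights';      e = { [string]$_.FileSystemRights } },
                  @{ n = 'Type';        e = { [string]$_.AccessControlType } },
                  @{ n = 'Inherited';   e = { $_.IsInherited } }

@($shareAcl) + @($ntfsAcl) | Format-Table -AutoSize

# Access over SMB is limited by both layers, so a broad share entry only matters
# when the NTFS ACL also allows a broad principal.
$broadShare = $shareAcl | Where-Object { $_.Type -eq 'Allow' -and $broad -contains $_.AccountName }
$broadNtfs  = $ntfsAcl  | Where-Object { $_.Type -eq 'Allow' -and $broad -contains $_.AccountName }
if ($broadShare -and $broadNtfs) {
    Write-Warning ('Broad principals are allowed at both layers (NTFS: ' +
        (($broadNtfs.AccountName | Sort-Object -Unique) -join ', ') + ').')
}
if (-not ($ntfsAcl | Where-Object { $_.AccountName -eq $expected -and $_.Type -eq 'Allow' })) {
    Write-Warning "$expected has no NTFS allow entry on $folderPath."
}
```

Inherited NTFS entries in the output come from the D: drive root, so review them together with the explicit MDT_BA grant.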

Use CMTrace to read log files (optional)

The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace (CMTrace), which is available as part of the Microsoft System Center 2012 R2 Configuration Manager Toolkit. You should also download this tool.
You can use Notepad (example below):

Figure 8

Alternatively, CMTrace formatting makes the logs much easier to read. See the same log file below, opened in CMTrace:

Figure 9

After installing the ConfigMgrTools.msi file, you can search for cmtrace and pin the tool to your taskbar for easy access.

Next steps

When you have completed all the steps in this section to prepare for deployment, see Create a Windows 10 reference image.

Appendix

Sample files

The following sample files are also available to help automate some MDT deployment tasks. This guide does not use these files, but they are made available here so that you can see how some tasks can be automated with Windows PowerShell.

  • Gather.ps1. This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment.
  • Set-OUPermissions.ps1. This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU.
  • MDTSample.zip. This sample web service shows you how to configure a computer name dynamically using MDT.