{"id":1713,"date":"2016-12-12T09:30:21","date_gmt":"2016-12-12T01:30:21","guid":{"rendered":"http:\/\/www.jhouseconsulting.com\/?p=1713"},"modified":"2023-06-17T17:36:00","modified_gmt":"2023-06-17T09:36:00","slug":"installing-configuring-securing-and-using-mdt-webservices-part-1","status":"publish","type":"post","link":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/2016\/12\/12\/installing-configuring-securing-and-using-mdt-webservices-part-1-1713","title":{"rendered":"Installing, Configuring, Securing and Using MDT Webservices &#8211; Part 1"},"content":{"rendered":"<p>This will be a three&nbsp;part article on installing, configuring, securing and using <a href=\"http:\/\/maikkoster.com\/moving-computers-in-active-directory-during-mdt-deployments-step-by-step\/\" target=\"_blank\">Maik Koster&#8217;s<\/a>&nbsp;<a href=\"http:\/\/mdtcustomizations.codeplex.com\/releases\/view\/26318\" target=\"_blank\">Deployment Webservice<\/a>.<\/p>\n<ul>\n<li>Part 1 &#8211; Installing and Configuring Deployment Webservices<\/li>\n<li><a href=\"http:\/\/www.jhouseconsulting.com\/2016\/12\/22\/installing-configuring-securing-and-using-mdt-webservices-part-2-1728\" target=\"_blank\">Part 2 &#8211; Securing Deployment Webservices<\/a><\/li>\n<li><a href=\"http:\/\/www.jhouseconsulting.com\/2019\/06\/28\/installing-configuring-securing-and-using-mdt-webservices-part-3-1816\" target=\"_blank\">Part 3 &#8211; Using Deployment Webservices<\/a><\/li>\n<\/ul>\n<p>I\u2019m a massive fan of Microsoft Deployment Toolkit (MDT) and use it for all customer deployments that don\u2019t already have a modern and\/or mature deployment model.<\/p>\n<p>The <a href=\"http:\/\/mdtcustomizations.codeplex.com\/releases\/view\/26318\" target=\"_blank\">Deployment Webservice<\/a> is required to complement MDT for two main reasons:<\/p>\n<ol>\n<li>The Active Directory .NET Framework classes are NOT supported in WinPE, which means that WinPE does not support the use of ADSI. 
So when you rebuild a device\/image, you are unable to easily automate moving of the computer object to a build\/staging OU before the Domain Join process. This is important when there is an existing object in Active Directory because you don\u2019t want it to join to an existing object where unwanted Group Policy Objects may apply, which may in turn break the build process, or at least make it unreliable.<\/li>\n<li>The MDT task sequence does not run as a Domain User with permissions to easily achieve this task. Whilst in MDT you can run a script as a different user, I don\u2019t like using those configuration fields, as it means my task sequences end up being hard coded with credentials. I wanted a far more flexible approach so that I could pass it existing variables or derive them directly from the Task Sequence variables.<\/li>\n<\/ol>\n<p><!--more--><\/p>\n<p>In PowerShell terms, [adsi] and [adsisearcher] are built into PowerShell V2 and later.<\/p>\n<ul>\n<li>[adsisearcher] &#8211; is a builtin type accelerator for -&gt; System.DirectoryServices.DirectorySearcher<\/li>\n<li>[adsi] &#8211; is a builtin type accelerator for -&gt; System.DirectoryServices.DirectoryEntry<\/li>\n<\/ul>\n<p>Whilst <a href=\"http:\/\/deploymentresearch.com\/Research\/Post\/508\/Adding-ADSI-Support-for-WinPE-10\" target=\"_blank\">Johan Arwidmark has blogged about adding ADSI support to WinPE<\/a>, it is not supported by Microsoft. As a Consultant I don&#8217;t want to build an unsupported environment for my customers. So I choose to use <a href=\"http:\/\/mdtcustomizations.codeplex.com\/releases\/view\/26318\" target=\"_blank\">Maik Koster&#8217;s Deployment Webservice<\/a> instead.&nbsp;You also have the option of using <a href=\"http:\/\/deploymentresearch.com\/Research\/Post\/562\/Moving-Computers-to-another-OU-during-deployment-Webservice-style\" target=\"_blank\">Johan Arwidmark&#8217;s cut down version<\/a>. 
Or you could write your own!<\/p>\n<p><strong>Update 6th October 2018<\/strong>. I was informed by a commenter that the download of Deployment Webservice was no longer available via the CodePlex site, as this has now been archived. So I&#8217;ve uploaded a copy to my web site and made it available here:&nbsp;<a  data-e-Disable-Page-Transition=\"true\" class=\"download-link\" title=\"\" href=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/download\/1883\/?tmstv=1779081483\" rel=\"nofollow\" id=\"download-link-1883\" data-redirect=\"false\" >\n\tMaik Koster Deployment Webservice v7.3\t(2174 downloads\t)\n<\/a>\n<\/p>\n<p>Extract to the root of the non-system drive of your MDT server. I place them on the same drive as the deployment shares in a folder called &#8220;DeploymentWebservice&#8221;<\/p>\n<p><a href=\"http:\/\/www.jhouseconsulting.com\/?attachment_id=1716\"><img fetchpriority=\"high\" decoding=\"async\" class=\"aligncenter wp-image-1716 size-full\" title=\"Deployment Webservice Folder\" src=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/DeploymentWebserviceFolder.png\" alt=\"Deployment Webservice Folder\" width=\"759\" height=\"464\" srcset=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/DeploymentWebserviceFolder.png 759w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/DeploymentWebserviceFolder-300x183.png 300w\" sizes=\"(max-width: 759px) 100vw, 759px\" \/><\/a><\/p>\n<p>Install IIS on the MDT server&nbsp;by using the following PowerShell script:<\/p>\n<pre class=\"brush: powershell; auto-links: false; title: ; toolbar: false; notranslate\" title=\"\">\r\n$ServicesToInstall = 
@(\r\n&quot;Web-Windows-Auth&quot;,\r\n&quot;Web-ISAPI-Ext&quot;,\r\n&quot;Web-Metabase&quot;,\r\n&quot;Web-WMI&quot;,\r\n&quot;NET-Framework-Features&quot;,\r\n&quot;Web-Asp-Net&quot;,\r\n&quot;Web-Asp-Net45&quot;,\r\n&quot;NET-HTTP-Activation&quot;,\r\n&quot;NET-Non-HTTP-Activ&quot;,\r\n&quot;Web-Static-Content&quot;,\r\n&quot;Web-Default-Doc&quot;,\r\n&quot;Web-Dir-Browsing&quot;,\r\n&quot;Web-Http-Errors&quot;,\r\n&quot;Web-Http-Redirect&quot;,\r\n&quot;Web-App-Dev&quot;,\r\n&quot;Web-Net-Ext&quot;,\r\n&quot;Web-Net-Ext45&quot;,\r\n&quot;Web-ISAPI-Filter&quot;,\r\n&quot;Web-Health&quot;,\r\n&quot;Web-Http-Logging&quot;,\r\n&quot;Web-Log-Libraries&quot;,\r\n&quot;Web-Request-Monitor&quot;,\r\n&quot;Web-HTTP-Tracing&quot;,\r\n&quot;Web-Security&quot;,\r\n&quot;Web-Filtering&quot;,\r\n&quot;Web-Url-Auth&quot;,\r\n&quot;Web-Performance&quot;,\r\n&quot;Web-Stat-Compression&quot;,\r\n&quot;Web-Mgmt-Console&quot;,\r\n&quot;Web-Scripting-Tools&quot;,\r\n&quot;Web-Mgmt-Compat&quot;\r\n)\r\n\r\nInstall-WindowsFeature -Name $ServicesToInstall -IncludeManagementTools\r\n<\/pre>\n<p>Note that this script is the same as <a href=\"http:\/\/deploymentresearch.com\/Research\/Post\/562\/Moving-Computers-to-another-OU-during-deployment-Webservice-style\" target=\"_blank\">Johan<\/a>\u2019s, with the addition of the &#8220;Web-Url-Auth&#8221; (URL Authorization) component. 
This is required to help us secure&nbsp;Webservices.<\/p>\n<p>Configure IIS<\/p>\n<ul>\n<li>Open IIS Manager<\/li>\n<li>Expand the &#8220;Sites&#8221; node<\/li>\n<li>Right click on &#8220;Default Web Site&#8221;<\/li>\n<li>Select &#8220;Add Application\u2026&#8221;<\/li>\n<li>Alias: MDTWS<\/li>\n<li>Physical Path: D:\\DeploymentWebservice<\/li>\n<\/ul>\n<p><a href=\"http:\/\/www.jhouseconsulting.com\/?attachment_id=1717\"><img decoding=\"async\" class=\"aligncenter wp-image-1717 size-full\" title=\"Add MDTWS IIS Application\" src=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Add-MDTWS-IIS-Application.png\" alt=\"Add MDTWS IIS Application\" width=\"519\" height=\"386\" srcset=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Add-MDTWS-IIS-Application.png 519w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Add-MDTWS-IIS-Application-300x223.png 300w\" sizes=\"(max-width: 519px) 100vw, 519px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li>Select OK<\/li>\n<\/ul>\n<p style=\"padding-left: 30px;\">Now we create a new Application Pool for the Webservice. As per Maik\u2019s instructions, it\u2019s necessary to have your webservice running under a different User Account than your Default Websites for the following reasons:<\/p>\n<ol>\n<li style=\"padding-left: 30px;\">To have a clean separation between the webservice and your other Web sites.<\/li>\n<li style=\"padding-left: 30px;\">To securely give it the necessary permission it requires to do its job. By default, the webservice will use the User configured for the application pool of the webservice for authentication. You can also set this in the webservice application settings, which directly corresponds to the Web.config file. However, this is stored in plain text. Not good! 
IIS stores configuration of web sites, applications and pools in the applicationHost.config file located under the \u201cC:\\Windows\\System32\\inetsrv\\config\u201d folder. The password strings are encrypted automatically before they are written to the XML configuration files.<\/li>\n<\/ol>\n<ul>\n<li>Right click on Application Pools<\/li>\n<li>Select &#8220;Add Application Pool&#8230;&#8221;<\/li>\n<li>Name: MDT Webservice<\/li>\n<\/ul>\n<p><a href=\"http:\/\/www.jhouseconsulting.com\/?attachment_id=1718\"><img decoding=\"async\" class=\"aligncenter wp-image-1718 size-full\" title=\"Add MDT Webservice IIS Application Pool\" src=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Add-MDT-Webservice-IIS-Application-Pool.png\" alt=\"Add MDT Webservice IIS Application Pool\" width=\"314\" height=\"286\" srcset=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Add-MDT-Webservice-IIS-Application-Pool.png 314w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Add-MDT-Webservice-IIS-Application-Pool-300x273.png 300w\" sizes=\"(max-width: 314px) 100vw, 314px\" \/><\/a><\/p>\n<ul>\n<li>Select OK<\/li>\n<li>Click on Application Pools<\/li>\n<li>Right click on \u201cMDT Webservice\u201d application pool<\/li>\n<li>Select \u201cAdvanced Settings&#8230;\u201d<\/li>\n<li>Under the Process Model section select the Identity field<\/li>\n<li>Select the \u201c&#8230;\u201d button on the right hand side<\/li>\n<li>Select \u201cCustom account\u201d<\/li>\n<li>Select \u201cSet&#8230;\u201d<\/li>\n<li>Enter the username and password of your MDT Domain Join Account\n<ul>\n<li style=\"padding-left: 30px;\">Set the \u201cUser name\u201d in the format of the UPN or \u201cFQDNDomainName\\Username\u201d<\/li>\n<li style=\"padding-left: 30px;\">DO NOT use the \u201cNetBIOSDomainName\\Username\u201d format, as it may be slow in large\/complex 
environments.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><a href=\"http:\/\/www.jhouseconsulting.com\/?attachment_id=1719\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1719 size-full\" title=\"MDT Webservice IIS Application Pool Credentials\" src=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/MDT-Webservice-IIS-Application-Pool-Credentials.png\" alt=\"MDT Webservice IIS Application Pool Credentials\" width=\"672\" height=\"254\" srcset=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/MDT-Webservice-IIS-Application-Pool-Credentials.png 672w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/MDT-Webservice-IIS-Application-Pool-Credentials-300x113.png 300w\" sizes=\"(max-width: 672px) 100vw, 672px\" \/><\/a><\/p>\n<ul>\n<li>Select OK<\/li>\n<\/ul>\n<p><a href=\"http:\/\/www.jhouseconsulting.com\/?attachment_id=1720\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1720 size-full\" title=\"MDT Webservice IIS Application Pool Advanced Settings\" src=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/MDT-Webservice-IIS-Application-Pool-Advanced-Settings.png\" alt=\"MDT Webservice IIS Application Pool Advanced Settings\" width=\"430\" height=\"178\" srcset=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/MDT-Webservice-IIS-Application-Pool-Advanced-Settings.png 430w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/MDT-Webservice-IIS-Application-Pool-Advanced-Settings-300x124.png 300w\" sizes=\"(max-width: 430px) 100vw, 430px\" \/><\/a><\/p>\n<p style=\"padding-left: 30px;\">Note the new Identity for the application pool<\/p>\n<ul>\n<li>Select OK<\/li>\n<li>Right click on the MDTWS application<\/li>\n<li>Select \u201cManage Application\u201d &gt; \u201cAdvanced Settings&#8230;\u201d<\/li>\n<li>Under the General 
section select the Application Pool field<\/li>\n<li>Select the \u201c&#8230;\u201d button on the right hand side<\/li>\n<li>Select the \u201cMDT Webservice\u201d application pool<\/li>\n<\/ul>\n<p><a href=\"http:\/\/www.jhouseconsulting.com\/?attachment_id=1721\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1721 size-full\" title=\"MDTWS Application setting Application Pool\" src=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/MDTWS-Application-setting-Application-Pool.png\" alt=\"MDTWS Application setting Application Pool\" width=\"329\" height=\"231\" srcset=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/MDTWS-Application-setting-Application-Pool.png 329w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/MDTWS-Application-setting-Application-Pool-300x211.png 300w\" sizes=\"(max-width: 329px) 100vw, 329px\" \/><\/a><\/p>\n<ul>\n<li>Select OK<\/li>\n<\/ul>\n<p><a href=\"http:\/\/www.jhouseconsulting.com\/?attachment_id=1722\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1722 size-full\" title=\"MDTWS Application Advanced Settings\" src=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/MDTWS-Application-Advanced-Settings.png\" alt=\"MDTWS Application Advanced Settings\" width=\"424\" height=\"231\" srcset=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/MDTWS-Application-Advanced-Settings.png 424w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/MDTWS-Application-Advanced-Settings-300x163.png 300w\" sizes=\"(max-width: 424px) 100vw, 424px\" \/><\/a><\/p>\n<ul>\n<li>Note the new Application Pool<\/li>\n<li>Select OK<\/li>\n<\/ul>\n<p>The installation and configuration of the Webservice is now complete. Or is it? 
You see, this is the point where most documentation for configuration of the Webservice finishes, including instructions from Maik and Johan. So when you start testing access you soon realise that by default anyone can access the Webservice and execute the functions. Whoops! Therefore you need to lock down the Webservice. This will be discussed and demonstrated in <a href=\"http:\/\/www.jhouseconsulting.com\/2016\/12\/22\/installing-configuring-securing-and-using-mdt-webservices-part-2-1728\" target=\"_blank\">Part 2<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This will be a three&nbsp;part article on installing, configuring, securing and using Maik Koster&#8217;s&nbsp;Deployment Webservice. Part 1 &#8211; Installing and Configuring Deployment Webservices Part 2 &#8211; Securing Deployment Webservices Part 3 &#8211; Using Deployment Webservices I\u2019m a massive fan of Microsoft Deployment Toolkit (MDT) and use it for all customer deployments that don\u2019t already have &#8230; <a title=\"Installing, Configuring, Securing and Using MDT Webservices &#8211; Part 1\" class=\"read-more\" href=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/2016\/12\/12\/installing-configuring-securing-and-using-mdt-webservices-part-1-1713\" aria-label=\"Read more about Installing, Configuring, Securing and Using MDT Webservices &#8211; Part 1\">Read 
more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[202,388,103,389],"tags":[462,463,455,456,449,453,454,458,457,390,452,459,460,451,450,461],"class_list":["post-1713","post","type-post","status-publish","format-standard","hentry","category-active-directory","category-mdt","category-methodologies","category-osd","tag-adsi","tag-adsisearcher","tag-configure","tag-configuring","tag-deployment-webservice","tag-install","tag-installing","tag-johan-arwidmark","tag-maik-koster","tag-mdt","tag-mdt-webservice","tag-move-computer-object","tag-task-sequence","tag-web-service","tag-webservice","tag-winpe"],"aioseo_notices":[],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/posts\/1713","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/comments?post=1713"}],"version-history":[{"count":5,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/posts\/1713\/revisions"}],"predecessor-version":[{"id":2004,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/posts\/1713\/revisions\/2004"}],"wp:attachment":[{"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/media?parent=1713"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/categories?post=1713"},{"taxonomy":"post_ta
g","embeddable":true,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/tags?post=1713"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}