Why I use FOG over WDS, and my FOG workflow for a school

First off, this is my first post after lurking for years, so a HUGE thank you to Tom Elliott and the rest of the development team for an outstanding product! I am a Windows guy first, and a casual Linux guy second, so could not have gotten everything working without the help I received by searching through the forums. FOG has been a basic necessity for me for around 8 years (since version 0.26), so it is high time I give back. In this post I will share why I use FOG over other imaging platforms, and a basic overview of the FOG workflow (for me anyway).

Why FOG?

I work for a tech school that has about 700 Windows 7/10 PCs under a volume Microsoft license. We have many different classrooms with very diverse software requirements. Some of the classrooms require upwards of 60 applications to be installed. This makes it very difficult or impossible to deploy systems the Microsoft way (WDS, packaging applications and pushing over network). Changes to such programs require updates to the application package. Some people may prefer this over the FOG/image way, which is to set up a computer exactly the way you want it, take a snapshot (image) and deploy that image. I would suspect that entities with only a few software applications to keep up with may actually prefer that method, but for me FOG is the answer.

My workflow

I generally only install Windows once per model of computer, ever. Most of our computers don’t have optical drives any more, so I use RUFUS to copy a Windows ISO to USB flash drive (much faster this way, and less trouble in general). I don’t bother with multi-model images because the time spent slipstreaming network drivers, etc usually takes me more time than installing Windows, especially via USB flash drive on modern computers. Plus, way more time is spent customizing images than installing Windows and drivers, so there’s not much return on time investment for me. Yes, having a single base image is cool, but in practice unless someone has dozens of different computer models to image it isn’t worth the time investment. IMHO anyway.

I build one BASE image for each model computer (install Windows, enter Audit mode with CTRL-SHIFT-F3 (important), install drivers and Windows updates only). Then, while still in Audit mode, I upload a BASE image. If the computer model is a Dell E5430 and the year is 2017, I will name the image E5430.BASE.17. In subsequent years, I won’t typically bother making a new BASE image unless I need new drivers or move to a new OS.

I then build a CORE image, starting with the BASE image for that model (downloading BASE to the computer if necessary using FOG). The CORE image adds Windows updates (assuming I started with an older BASE image), Office suites and basic applications like Notepad++, VLC, etc that I haven’t yet packaged for deployment via GPO. Nothing class-specific yet, just applications that EVERYONE will (or could) use. I use the same naming convention as for the BASE image, so a Dell E5430 core image in 2017 will be named E5430.CORE.17.

If I plan to deploy a core image as-is to anyone (teachers or classrooms without further specialized applications) I will then sysprep the machine to get it out of Audit mode, and after it shuts down I will upload an image named E5430.CORE.17.Prepped. Only Prepped images are deployed to end users. Nobody should ever use a computer that is in Audit mode.

If there is a classroom that needs a custom set of software I will start with a CORE image (downloading CORE to the computer if necessary using FOG), install specialized applications (Autodesk Inventor, Adobe Creative Cloud, etc), then upload a new image with the classroom name, such as E5430.AUTOTECH.17. You could sysprep immediately and only upload E5430.AUTOTECH.17.Prepped, but I like to be able to go back and customize or fix images as needed without having to reinstall all the applications from scratch.

Using FOG groups, I will assign Prepped images to every classroom so that I can reimage an entire classroom with just a few clicks. This makes it dead simple to reimage classrooms during Christmas break and summer.

The following year (usually spring/summer), I will download one of the non-prepped CORE images to a computer of the same model, and update as needed from that point. This way, I should only ever install Windows once on a particular model (unless there is a need to rebuild the BASE image). I do tend to rebuild the CORE image every year to get latest Windows updates and reduce the load on my WSUS server and network, as well as update Office suite, but even this is not absolutely necessary. However, downloading CORE and then reinstalling new software versions is much better than downloading a class-specific image and uninstalling then reinstalling software. Windows doesn’t always behave well when large applications are uninstalled and then reinstalled.

When I order new computers, I print barcode labels containing an asset number (E5430-0001 for example) and stick them on each computer. I then use a barcode scanner to build an Access database containing a list of matched asset numbers and MAC addresses from the computers (most computers have barcoded MAC labels). I use Access instead of Excel because it goes to a new line automatically (no intervention needed to drop to the next row). Copy/pasting this data into a spreadsheet and saving as CSV allows me to import the hosts directly to FOG. I can then add the new hosts to a temporary group and update the image to be used, the OS, AD join info, etc so they are ready to be pushed out without having to go through the FOG host registration process. Just turn on the computer, set the BIOS to boot to PXE if it is not already set up that way, and let the image load! FOG can serve as a simple but powerful computer inventory tool in this way.

Yes, FOG can do it. I just built a new server with 1TB SSD, 32GB memory and 10Gbps fiber network adapter for well under $2,000. It’s a 1U Supermicro barebones system with an i3-based processor running Ubuntu Server 16.10. All my computers are SSD-based finally, and following are the results of my first test download of an image (157GB image across two separate switches with 1GbE port at the client).

Entire image completed in under 15 minutes, never dropped below 9.5GB/min. Top speed was about 10.9GB/min, or 1.5Gbps [edit: up to 19.75GB/min or 2.6Gbps thanks to zstd, see more recent post below). This was only possible over a 1Gbps link due to the compression of the image. I ran this test in the middle of the day while about 400 people were on the network. I didn’t look at the network port utilization but it had to be close to 100%. Client computer is an i5-3570K (3.4Ghz) with 256GB MSATA SSD and 8GB memory. The server’s 10Gbps link isn’t all that necessary for single deployments like this but for deploying to multiple classrooms at once it should allow me to image dozens of computers at once in unicast mode (most of our edge ports are still 100Mbps).

No RAID on the server, I figure if it croaks I can rebuild. One backup of the server and database and backups of my images are enough for me to sleep soundly at night, which I will be able to do more now that I can image this quickly! Anyone else seeing these kind of speeds? I continue to be impressed with FOG.

OK, test results are in, and wow, zstd is fast, at least on my newest i3 systems with a vanilla Win10 installation (haven’t yet tested it with the original 157GB image I posted earlier). So, this isn’t really apples to apples when comparing with my earlier results, but solid comparison between zstd compression levels.

Vanilla Win10 SSD/6th gen i3/32GB ram system:
Image: 9,180MB uncompressed (converted from 8.55GiB as shown in FOG to MB)
zstd -11: 3,390MB compressed, avg upload 3.66GB/min, download time 27 seconds, peak 18.23GB/min
zstd -19: 3,068MB compressed, avg upload 725MB/min, download time 25 seconds, peak 19.75GB/min

So it looks like an speed improvement of about 7% and a space improvement of 9%, tradeoff being 400% increase in upload time. Worth it for some, not for others. Totally worth it for me to save server space and make deployments as quick as possible to reduce user downtime. I suspect these increases will vary depending on client hardware specs.

HOWEVER, I did see an “error 39 read premature end” at the very end of the download process for zstd -19 right before it rebooted. I didn’t notice if there was an error when uploading, but the error did cause FOG to repeat the image process until I killed it. However, Windows 10 booted fine and I don’t see any problems. I re-uploaded the image and compared disk usage and the post-error image is 10MB smaller, so I wouldn’t trust the image. This error may have been a fluke, will probably settle in the zfs -15 range if -19 continues to generate errors.

And for fun…

I know I’m gravedigging an old topic, but since this is all the Google could find for me on this topic I thought I’d post a solution for future reference.

For my setup (FOG 1.3.5), the following allowed me to get my Dell Latitude M4800 and E7470 laptops to exit iPXE and continue booting the hard disk properly without the dreaded flashing cursor:

FOG Configuration -> iPXE Boot Menu -> Exit to Hard Drive Type = GRUB_FIRST_HDD (default is SANBOOT, which was giving me trouble)

Hope this helps someone.

Jon

@Tom-Elliott Lol, my sentiments as well, been pumped all day. Can’t wait to try this over multiple unicasts simultaneously.

I know I’m gravedigging an old topic, but since this is all the Google could find for me on this topic I thought I’d post a solution for future reference.

For my setup (FOG 1.3.5), the following allowed me to get my Dell Latitude M4800 and E7470 laptops to exit iPXE and continue booting the hard disk properly without the dreaded flashing cursor:

FOG Configuration -> iPXE Boot Menu -> Exit to Hard Drive Type = GRUB_FIRST_HDD (default is SANBOOT, which was giving me trouble)

Hope this helps someone.

Jon

Agreed that option 66 is the issue here.

Another way you could set up a test server may be to set up a test subnet and place the server there. Then, you could set up multiple subnets on one switch in your testing lab and simply plug your clients into one port or another to change which subnet it connects to. Option 66/67 can be set separately for each subnet (subnet options override server options in DHCP).

Hmm, I may try this myself. I already have a switch in my office that is programmed with ports for every subnet we have. Quite useful.

@Bob-Henderson My color scheme for network cables has been based on length (5’ = white, 7’ blue, 10’ pink, 14’ yellow, etc). Maintenance disconnects everything every summer, waxes the floors or shampoos the carpets, then hooks everything up again, so the different colors on each row of computers is useful for figuring out which cables go where. Not sure I can do away with that for network cables, but I’ll definitely incorporate your idea for everything else.

Good idea to post laminated signs too.

@Quazz Yes, the target device does appear to be the deciding factor for deployment speed when imaging 1 device. That said, my old FOG box was running 0.32 (didn’t upgrade it due to some customization I had made to it) and was WAY slower than this, even with the same clients. The server was no slouch, even for 5 year old hardware, but the newer versions of FOG (partclone, etc) are making a big different too.

From now on I think the bottleneck (if you can call it that) will be endpoint network bandwidth. We’re pretty much saturating 1Gbps links as this test shows, so going concurrent with 10Gbps link at the server is the next logical step. For me, 10Gbps is overkill since I have mostly 100Mbps endpoints with 1Gbps uplinks, but as I upgrade endpoint switches client speeds will improve a lot. Heck, with 100Mbps endpoints and SSD on the server I am thinking I can saturate 50-100 clients simultaneously at 100Mbps each. Can’t wait to try it.

@Bob-Henderson That’s a really good idea. Gives me ideas for audio/video stuff that gets plugged in wrong every time they wax the floors…

@Bob-Henderson Good point on the Intel nics, that’s what I’m using as well. My new clients are based on H110T chipset, which has both Intel and Realtek nics. I made sure to only enable PXE on the Intel nic and disabled the Realtek nic entirely. Now to keep my users from plugging into the wrong jack and generating more help desk tickets. I’m actually contemplating gluing a punched down RJ45 plug into the Realtek ports, lol.

Thanks! I did try that but since I’m scanning two barcodes per computer I lost my two columns when I did that (everything got flattened into one column with alternating asset numbers (hostnames) and MAC addresses). I contemplated making a barcode consisting of a CRLF that I could scan off a piece of paper as needed but I don’t think that’s possible (or maybe it is).

@Tom-Elliott Lol, my sentiments as well, been pumped all day. Can’t wait to try this over multiple unicasts simultaneously.

@Tom-Elliott Ah, I borked the log then when I uploaded the image and redownloaded after the error to compare image file sizes. No errors the second time since the images matched. If I see that error again I’ll revisit this. Thanks!

@Junkhacker “locate partclone.log” does not find a log file. Thinking a log was not generated, or am I looking for the wrong log file? I tried “locate *.log” but didn’t see anything promising:

/opt/fog/log/fogimagesize.log
/opt/fog/log/fogreplicator.log
/opt/fog/log/fogscheduler.log
/opt/fog/log/fogsnapinhash.log
/opt/fog/log/fogsnapinrep.log
/opt/fog/log/groupmanager.log
/opt/fog/log/multicast.log
/opt/fog/log/pinghost.log
/opt/fog/log/servicemaster.log
/root/fogproject/bin/error_logs/fog_error_1.3.5.log
/root/fogproject/bin/error_logs/foginstall.log
/var/log/alternatives.log
/var/log/auth.log
/var/log/bootstrap.log
/var/log/dpkg.log
/var/log/kern.log
/var/log/php7.1-fpm.log
/var/log/apache2/access.log
/var/log/apache2/error.log
/var/log/apache2/other_vhosts_access.log
/var/log/apt/history.log
/var/log/apt/term.log
/var/log/mysql/error.log
/var/log/unattended-upgrades/unattended-upgrades-shutdown.log