Things you think you thought you knew...

So I always thought I knew how to tie my shoes. Of course I have to double-knot them a lot because they because untied. Little did I know I was doing it wrong! This TED talk from Terry Moore shows where most of us go wrong. If only I knew the rabbit hole was a trick all along I could have been tying my shoes the correct way!

Moving that DataStore, is there still someone attached?

While migrating a Citrix XenApp datastore isn't difficult (see How to move or migrate data store) can can rather quickly be scripted across all your farm servers, one question always remains... did I miss one?

If you try to take your original DB and perform the SQL Management Studio action "Take Offline" and all you get is a progress wheel that, well, never progresses, you may have one or more connections still active.

So how do you check? If you open a new query in SQL Management Studio prior to trying to take the DB offline you type and execute the command "sp_who" - the results of this will show all connections to the SQL Server including the source, user, and database. If your server is dedicated to your SQL infrastructure you can quickly parse this list to see what servers may have been missed.

Alternatives if you have a shared environment could be the query below that will tell you the number of connections active to each DB:

SELECT DB_NAME(dbid) as DBName, COUNT(dbid) as NumberOfConnections, loginame as LoginName, nt_domain as NT_Domain, nt_username as NT_UserName, hostname as HostName FROM sys.sysprocesses WHERE dbid > 0 GROUP BY dbid, hostname, loginame,nt_domain,nt_username order by NumberOfConnections DESC

Finally, you could combine the two options and build a temporary DB to see only the connections open to your data store. 

There are a number of samples on the web for this method, one such is listed below. Just change the DB name 'master' to the DB name of your Citrix XenApp DataStore. 

DECLARE @temp TABLE(spid int , ecid int, status varchar(50),
                     loginname varchar(50),   
                     hostname varchar(50),
blk varchar(50), dbname varchar(50), cmd varchar(50), request_id int) 
INSERT INTO @temp  
EXEC sp_who
SELECT * FROM @temp WHERE dbname = 'master'

The PageFile - Oh My!

The page file should be two times the amount of RAM!

The page file should be one and one-half the size of RAM!

The system should manage the size of RAM!

It is 2014, who needs a page file!

---

You may hear any of the above from colleagues or clients in today's day and age. The long and short of it is that you cannot easily and accurately compute the the needed page file ahead of time in many environments due to different software that is used. Below you will find some references as well as an excerpt from a write up I wrote a couple years ago for sizing virtual memory in a specific environment.

Pushing the Limits of Windows: Virtual Memory (really the be-all guide)

http://blogs.technet.com/b/markrussinovich/archive/2008/11/17/3155406.aspx

How to use the DedicatedDumpFile registry value to overcome space limitations on the system drive when capturing a system memory dump (I used this on the 2012 build to eliminate the tie between dumps and PF)

http://blogs.msdn.com/b/ntdebugging/archive/2010/04/02/how-to-use-the-dedicateddumpfile-registry-value-to-overcome-space-limitations-on-the-system-drive-when-capturing-a-system-memory-dump.aspx

How To Size Page Files on Windows Systems (good reference)

http://mcpmag.com/Articles/2011/07/05/Sizing-Page-Files-on-Windows-Systems.aspx?Page=1

The Pagefile Done Right! (my go-to guide)

http://blogs.citrix.com/2011/12/23/the-pagefile-done-right/

PAGE FILE SIZING

“Perhaps one of the most commonly asked questions related to virtual memory is, how big should I make the paging file? There’s no end of ridiculous advice out on the web and in the newsstand magazines that cover Windows, and even Microsoft has published misleading recommendations.” –Mark Russinovich

The following items hold true in regards to the Windows Page File.

1.       Even systems with large amounts of RAM benefit from the presence of a page file.

2.       The page file space is no longer needed to capture a full system dump as it was on legacy systems. (http://blogs.msdn.com/b/ntdebugging/archive/2010/04/02/how-to-use-the-dedicateddumpfile-registry-value-to-overcome-space-limitations-on-the-system-drive-when-capturing-a-system-memory-dump.aspx)

3.       There is a performance hit to a system whenever the operating system automatically resizes the page file.

4.       Excessive use of the page file will result in poor system performance as the speed of disk is much slower than that of RAM.

5.       Never stripe paging files (you can have more than one) across multiple volumes on the same physical disk. This can lead to performance issues.

6.       Splitting a page file across multiple physical disks will increase performance.

7.       “To optimally size your paging file you should start all the applications you run at the same time, load typical data sets, and then note the commit charge peak (or look at this value after a period of time where you know maximum load was attained). Set the paging file minimum to be that value minus the amount of RAM in your system (if the value is negative, pick a minimum size to permit the kind of crash dump you are configured for). If you want to have some breathing room for potentially large commit demands, set the maximum to double that number.” –Mark Russinovich

Understanding Virtual Memory:
http://technet.microsoft.com/en-us/magazine/ff382717.aspx
(Not for the timid) http://blogs.technet.com/b/markrussinovich/archive/2008/11/17/3155406.aspx

Hidden Devices Causing you the Blues?

When using Citrix PVS (or often when changing hardware on virtual machines) you may often run into instances where you need to remove phantom devices. But how do you know these exist? Device Manager doesn't show them by default. Microsoft outlines how to do this in an old support article.

1. Launch a command prompt with elevated permissions. 
2. At the command prompt, type the following lines, pressing ENTER after each line
   set devmgr_show_nonpresent_devices=1
   cd\%SystemRoot%\System32
   start devmgmt.msc
3. In the Device Manager View Menu, select Show Hidden Devices

Reference: KB241257

File Selection Input Window

Sometimes in my scripting ways I need to solicit a location from a user with for reading or writing data. Below is a simple function I have used when I need a user to select a Comma Separated Values file. It creates a simple dialogue box showing .CSV files in a particular location. It will either return the selected file name or an error. It is a simple starting point that can be expanded upon as needed.

Function Select-FileWindow

{

      param(

      [string]$Title = "Select CSV",

      [string]$Directory = "C:",

      [string]$Filter = "CSV Files (*.csv)|*.csv"

      )

     

      [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null

      $objForm = New-Object System.Windows.Forms.OpenFileDialog

      $objForm.InitialDirectory = $Directory

      $objForm.Filter = $Filter

      $objForm.Title = $Title

      $objForm.ShowHelp = $true

      $Show = $objForm.ShowDialog()

      If ($Show -eq "OK")

      {

            Return $objForm.FileName

      }

      Else

      {

            Write-Error "Operation cancelled by user."

      }

}

Troubleshooting Citrix Clients

Sometimes it can be helpful to have a list of questions to approach a troubleshooting scenario. Citrix client issues are often one of these areas that can benefit because so many items could impact client connectivity it is easy to overlook one. While this list isn't a be-all-end-all, it - plus your favorite search engine - can help you get by most client connectivity issues.

Troubleshooting Questions for Citrix Clients

For every problem

• Which version and build of the client are you using?

• Is it the same problem with the latest version (if not already in use)?

• Did it work at least once? Did you change anything since then?

• Can the issue be reproduced on demand? By one user, 1+ users, all users?

Installation Issues

• What is the error message (send a screen shot)?

• How are you trying to install the client (client database, MSI, silent installation, other)?

• Is the same problem seen when a user with administrator’s rights is tested?

Connectivity

• Do you see the logon box or the background screen of the server, or does the connection fail before this?

• Any errors on the event viewer of the server (send the event viewer files)?

• Is it happening for all applications? All servers? All users? At all times?

• Is the browser configured to allow ActiveX script?

• If connecting with Web Client, what is the browser version?

• Is it the same issue with non-seamless connections? And for seamless connections?

• Do you have the same problem if connecting with the RDP client?

• Can you telnet to the Presentation Server using port 1494?

• Are there any proxy servers or firewalls between the client and the server?

• Are you connecting through Web Interface, MSAM or Advanced Access Control? If so, try connecting directly to the farm using a Custom ICA connection. Refer to the administrator’s guide of the ICA client in use to know how to create an ICA connection.

• Is the problem persistent if you disable the mappings (drives, printers)? You can disable mappings within the Citrix Connection Configuration > Client Settings section.

• Through which protocol does the client connect: TCP/IP, TCP/IP + HTTP, SSL/TLS + HTTPS?

• Is the problem persistent if the connection is made using TCP/IP + HTTP?  

• Which settings are applied for Session Reliability, Data Compression and Speed Screen Latency reduction?

• Is the problem persistent if these features are deactivated?

• How do users authenticate against the farm: Primary Windows Credentials, Pass-through or Pass-through with Smartcard?

• If connecting with the Java client, what is the Java Virtual Machine (JVM) version?

• Did you manually change any settings in the client configuration files?

Disappearing Citrix Policies?

Ever have your Citrix policies disappear for some unknown reason? You may need to update your Citrix policy engine. 

Symptom:

• Your Citrix Policies disappeared – shortly followed by lots of cursing.

Issue:

• During times of high memory consumption the policy engine can truncate Citrix policies thus leaving your environment without them.

Impact:

• Any XenApp 6.5/XenDesktop 5.5/6 Farm. Both AppCenter/Studio IMA and Microsoft Active Directory based policies will be deleted.

Resolution:

• Install http://support.citrix.com/article/CTX140488 on ALL workstations used to manage Citrix policies. This is a Limited Release Hotfix, but given the nature of the issue it resolves, I recommend pre-emptive installation when appropriate. Recovery of lost policies is not part of this release – that requires either a manual backup from before they were lost and subsequent restoration; or in the case of IMA policies a backup of the DB from which one may restore settings.

Office 2013 over VDI

If you plan to deploy Microsoft Office 2013 over VDI keep an eye out for issues with screen flickers or audio pops. These are a side effect of a default Office option for hardware acceleration.

Issue:

• When using XenDesktop/XenApp 7.x with Office 2013 installed, there can be speaker popping, Office application windows can randomly go black, and there can be screen flickers.

Reason:

• Hardware acceleration with Office 2013

Resolution:

• On clients (server or desktop OS) with Office 2013 deployed: disable hardware graphics acceleration. 

This checkbox is available in all (I believe, only checked Outlook, Excel, and Word) the Office applications.

This setting may also be applied via the Office ADMX template in Group Policy.

Reference: KB2768648

Documenting XenApp 6.5 Environments

Frequently I need to document XenApp environments either for build documents or for health check purposes. While I have a small arsenial of scripts I have written to acomplish several aspects of these documentation encounters, I recently came across Carl Webster's documentation script. I have to say I was impressed with the thoroughness of the script. I recommend anyone check this out if you need to quickly document a XenApp 6.5 environment.

Carl Webster's XenApp Documentation

Project VRC Releases App-V Impact WhitePaper

On the 29th Project VRC (Virtual Reality Check) - a leader in reviewing different configurations in the virtualization space, released an Impact and Best Practices paper on Microsoft's App-V product. It is linked below for anyone interested (login required). I can't wait to see what they have to say on a product which I have long been a fan.

Microsoft App-V Impact and Best Practices V1.0

Need Windows Search with PVS?

By default the optimization wizard for imaging XenApp/XenDesktop server and desktop operating systems disables Windows Search features. This is a best practice from Citrix. In some cases users may need this functionality. If you need to turn it on, be sure to utilize the group policy below to adjust the scanned areas and limit the scope of indexing as much as possible.

A reason why you may need to enable search? Disabling Windows Search will disable search features in Outlook 2013.

Keep in mind that the Windows Search feature works with the Indexing Service, which is also disabled.

For details on both of these services and their impact, review the Optimization Guide linked below.

Group Policy for Windows Search

Optimization Guide

Assuming too much I guess...

The Economist had a "great" little blurb the other day regarding burger chain competitions in the 1980s. 

Original source. 

In summary, A&W restaurants tried to challenge McDonald's Quarter Pounder (or as Vincent Vega would say "Royale") with a third pound burger that cost less and had better taste reviews. They failed miserably. Their failure? They assumed the public would know 1/3 of a pound was greater than 1/4 of a pound. Consumers felt ripped off because they were getting "less" with the A&W burger. "Less" because the 3 in one-third is a lower number than the 4 in quarter. Fractions fail. 

I am guessing these are the same folks that continuously trend towards voting down school district tax increases. (Not that I am for tax increases - but I think there needs to be some emphasis on renewed 3rd grade curriculum for folks.) 

Any way you cut it, it is a sad indictment on our society's education level. I just need to remember to have a fifth-pound burger if I ever open a restaurant. 

Renaming a Reverse-Imaged Operating System

Often times after reverse-imaging a PVS-based member-server's *.vhd back to a "physical" disk there might be the desire to change the computer's name or domain membership.

I have seen on a few occassions that the ability to do this is compromised. Usually both the Computer name and the  Member of fields are greyed out when one of the issues outlined below is encountered. Additionally, the device may or may not let your add or remove features via either the GUI or PowerShell's Add-WindowsFeature cmdlet. You may also not be able to run SysPrep due to a "fatal error." In each instance, the host operating system may state that a reboot is pending - even after one has just completed!

Sample where the domain/workgroup affiliation cannot be changed.

Before panicking and rebuilding your image from scratch - run through these items to see if there are errors on any. Any one of these could halt your ability to rename the workstation.

1. Do you have appropriate permissions to modify these settings?
• Are you an administrator on the server? Are policies preventing this action? Try as the local device administrator - if you see the same issues here you most likely can continue.
2. Is the Workstation service running? 
• This service is required to communicate with the domain and if it is not running you will have a bad time.
3. On the device's network interface, is Client for Microsoft Networks in use?
• You will again have issues if there is a problem with this component. If it is not attached to your controller, add it. If it is, try uninstalling it (requires reboot) and reinstalling it once the server is back up.
4. Is the device "stuck" mid-rename? 
• This is a little bit trickier but still in the end fairly straight forward. When at the logon screen, if you use the local machine login characters (.\) does the machine name you see match the one in the Computer name/Domain changes GUI? If you open the CLI and type set (cmd) or $env:computername (PS) does the computername variable match both of these? If any of these are a mismatch, check out the keys in:
  HKLM//System/CurrentControlSet/Control/ComputerName
  If the values in ActiveComputerName and ComputerName do not match, the server thinks there is a pending reboot for a server name change. If a reboot has not set them to be identical, change them to match and reboot again.

Depending on the nature of failure that caused the server to not allow modifications to the Computer name/Domain changes GUI, one of these items should be the culprit. 

Just remember to keep in mind, if this is a XenApp server, if you had run the image prep tool previously, the next time IMA runs it will join the farm and you cannot simply rename a XenApp server that is joined to a farm without properly preparing it. If after you run the image prep tool you disable the IMA service so it does not run, you do not have to worry about this biting you. Just set the service back to automatic and reboot to have your renamed machine join the farm again. 

Finally, depending what you are trying to accomplish and what software is installed, don't forget about security identifiers and the need to properly prepare an image (SysPrep). 

Citrix Receiver Feature Matrix

Do you need to know what is supported for a deployment of Citrix Receiver? Want to do SSO and use Desktop Viewer? Check out the Receiver Feature matrix to make sure what you want to do is supported on the client version you are targeting.

Citrix Receiver Feature Matrix

3-D Graphics Introduction

Do you need an introductory primer on 3-D graphics over server-based computing? Need to know the differences between a vGPU, a dedicated GPU, and GPU pass-through? Check out Bridget Botelho's article on TechTarget which is a great introduction to the world of 3-D-based SBC.

Quick Reference
vGPU: A virtual GPU - it delivers shares of a physical GPU. The same concept as a vCPU.
Software 3-D: Graphics rendered on the CPU via software
GPU Pass-Through: Dedicating an actual hardware GPU to a VDI instance.

First Recommended Hotfixes for XenDesktop/XenApp 7.5 Released

On July 10th the first recommended hotfixes for XenDesktop 7.5 were released. Additionally, on today July 17th, a private hotfix to fix the policy management console was finally released. Hopefully this will go public soon as I have run into the errors outlined in that hotfix on numerous occasions. 

Citrix recommended hotfixes from are in bold. 

Delivery Controllers Hotfixes

DStudio750WX64001 

(Version 7.5.1) (For: Citrix Studio 7.1 and 7.5) (x86 if required: DStudio750WX86001)

1. This fix addresses a memory issue in an underlying component.

Limited Release: Hotfix GPMx220WX64001 

(Computers running the 64-bit version of Windows 7, Windows 8, Windows 8.1, Server 2008 R2, Server 2012, or Server 2012 R2, with the Group Policy Management Console installed)

1. The priority order of GPOs is reversed in the following scenarios:
• After upgrading from Version 1.7 to Version 2.1 of the Citrix Group Policy Management Console.
• After exporting GPOs from Version 1.7 or earlier of the Citrix Group Policy Management Console and importing them into Version 2.1 or later of the Citrix Group Policy Management Console. 
• Note: This fix does not address the issue for GPOs that were modified using Version 2.1 of the Citrix Group Policy Management Console; it will prevent the issue only with GPOs you modify going forward. To fix the reversed priority order of existing GPOs you modified in Version 2.1 of the Citrix Group Policy Management Console, you must manually adjust the priority order of the affected GPOs once you install this fix.
2. When making changes to Citrix policies in Citrix Studio the following error message appears:
• "Changes made to policies outside of this console, such as in PowerShell or management tools from previous versions, resulted in a discrepancy between policies.
• The priorities for policy [PolicyA's name] and policy [PolicyB's name] interfere with each other in the "user" and "computer" components. The priorities must be assigned in the same order for both policies."
• Note:
• This fix prevents any issues occurring with merged policies. If the error message appears before applying the fix, then you must manually adjust the priority order after installing this fix.
• For example, if two merged policies, PolicyA and PolicyB, are swapped and a user setting is added to PolicyB, the issue occurs. To prevent the issue from occurring, run the following commands on Citrix Delivery Controller:
  PS>Add-PSSnapin Citrix.Common.GroupPolicyPS>New-PSDrive Site –PSProvider CitrixGroupPolicy –Root \ -Controller localhostPS>cd Site:\Computer[Note the PolicyA's computer setting priority]PS> cd ..PS>cd Site: \UserPS>Set-ItemProperty PolicyA -Name Priority -Value [PolicyA's computer setting priority]
• You can configure user and computer settings in the same policy and both settings can have the same priority order. Occasionally, the priorities for the settings might be different. 
• For example, PolicyA and PolicyB have the same user and computer settings, but the computer setting priority of PolicyA is higher than PolicyB. In this instance, configure the user setting of PolicyA to be higher than PolicyB.
3. After editing the built-in "Unfiltered" policy, the following error message appears:
• "Changes made to policies outside of this console, such as in PowerShell or management tools from previous versions, resulted in a discrepancy between policies.
• The Enabled Flag for the "user" and "computer" components of the policy Unfiltered must have the same value."
• Note: This fix prevents any issue occurring with unfiltered policies. If the error message appears before applying the fix, you must manually enable the flag of the "Unfiltered" policy by using PowerShell commands (cmdlet) after installing this fix.
• For example, if "Unfiltered" has only computer settings configured and the Enabled flag is clear, run the following commands in Citrix Delivery Controller:
  PS>Add-PSSnapin Citrix.Common.GroupPolicyPS>New-PSDrive Site -PSProvider CitrixGroupPolicy -Root \ -Controller localhostPS>cd Site:\UserPS>cd Site:\User\UnfilteredPS>Set-ItemProperty . -Name Enabled -Value True
4. The following error message appears when opening the Citrix Studio and selecting the policy node:
• "The priority of the "user" and "computer" components of policy <policy name> must have the same value."

Desktop OS x86 & x64 Host Hotfixes

BrokerAgent750WX86001 

(Server or Desktop VDA x86) [x64 if ever needed see server section]

1. This fix addresses a session brokering issue.

XD710ICAWSWX86005 

(Desktop VDA x86) [x64 if ever needed: XD710ICAWSWX64005]

1. COM port redirection can fail after upgrading Version 5.1 of VDI-in-a-Box to Version 5.3.
2. This fix addresses various session brokering issues.

XD710ICAWSWX86004 

(Desktop VDA x86) [x64 if ever needed: XD710ICAWSWX64004]

1. This enhancement provides additional compatibility with Nvidia's GRID API related to GPU pass-through and vGPU use cases.

XD710ICAWSWX86001 

(Desktop VDA x86) [x64 if ever needed: XD710ICAWSWX64001]

1. In Cisco WAAS deployments, the session reliability feature fails to automatically reconnect sessions dropped from VDAs.
   To enable this fix, you must set the following registry key on affected VDAs and then restart those systems:
   HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XTEConfig
   Name: CgpDisableBranchRepeaterSessionReliability
   Type: REG_DWORD
   Data: 1 (enabled); 0 (disabled)

ICAWS750WX86007 

(Desktop VDA x86) [x64 if ever needed: ICAWS750WX64007] 

***Replaces XD710ICAWSWX86002, XD710ICAWSWX86003

1. In sessions on VDAs with Desktop Composition Redirection enabled (default) and Fix #LA5736 (XD710ICAWSWX86003) installed, the mouse pointer might not honor the boundaries of the desktop.
2. (from replaced hotfix) This enhancement provides better performance when running VDAs on hosts with AMD or Intel graphics (for example, physical PC, pass-through GPU, or vGPU).
3. (from replaced hotfix) Mouse pointer movement is not visible in the Lync conversation window if you share your virtual desktop.
4. (from replaced hotfix) After a virtual desktop session reconnects, the VDI log on dialog box does not appear and Lync in the virtual environment is no longer paired with the Lync VDI plug-in.

Server Session Hosts x64 Hotfixes

BrokerAgent750WX64001 

(Server or Desktop VDA x64)

1. This fix addresses a session brokering issue.

XD710ICATSWX64001 

(Server VDA x64)

1. In Cisco WAAS deployments, the session reliability feature fails to automatically reconnect sessions dropped from VDAs.
   To enable this fix, you must set the following registry key on affected VDAs and then restart those systems:
   HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XTEConfig
   Name: CgpDisableBranchRepeaterSessionReliability
   Type: REG_DWORD
   Data: 1 (enabled); 0 (disabled)

XD710ICATSWX64004 

(Server VDA x64)

1. Attempts to open Microsoft Office files in a virtual desktop session might take a longer time to open. Additionally, when a published application is started and then minimized, it can no longer be restored or maximized from the taskbar.

XD710ICATSWX64002 

(Server VDA x64)

1. Certain session time limit policies of Remote Desktop Services might fail to work on Windows Server 2012 VDAs.
2. The Citrix "Server idle timer interval" policy in Citrix Studio does not work for Windows Server 2012 VDAs.

Limited Release: Hotfix XD710ICATSWX64003 

(Server VDA x64)

1. The session graphics of certain applications can fail to update. As a result, the session appears frozen.
2. With the default graphics mode enabled, certain applications can prevent screen updates. As a result, the session can appear unresponsive.

Limited Release: Hotfix XD710ICATSWX64005 

(Server VDA x64)

1. The Citrix Audio Service exits unexpectedly when logging off from the server.

Limited Release: Hotfix ICATS750WX64007 

(Server VDA x64) 

***Replaces: XD710ICATSWX64002

1. The Windows Event Viewer occasionally displays the following error message with Event ID 9026. The error is benign and can safely be ignored.
2. "Error %1 received while obtaining a license for a Citrix XenApp client connection. A grace license has been granted."
3. (from replaced hotfix) Certain session time limit policies of Remote Desktop Services might fail to work on Windows Server 2012 VDAs.
4. (from replaced hotfix) The Citrix "Server idle timer interval" policy in Citrix Studio does not work for Windows Server 2012 VDAs.

 References:

• XenDesktop 7.5 Hotfixes

Citrix PVS Target Device Trust Relationship Failed

Issue

Attempting to log into a Citrix Provisioning Services client device a user or domain administrator receives an error that the "Trust Relationship between this workstation and the primary domain has failed." This error is not seen when logging into the client as the local administrator.

Backstory

This issue is often seen when a "Golden Image" is booted to the HDD sometime after the XenConvert process has completed. It is also seen with server and client class system Target Devices deployed via Provisioning Services, often after upgrades involving Private Image mode or when machine account password management has not been properly configured. The cause is a mismatched machine account password between the device and Microsoft Active Directory.

References

TechNet: Netdom
TechNet: Reference Point: "The trust relationship between this workstation and the primary domain failed."
KB162797
CTX134340
CTX132289

Step-By-Step Guide

For a PVS Target Booting to vDisk

1.      Shut down the target device
2.      In the Provisioning Services, navigate to the device's site collection. It should show down.

3.      Right-click on the target device and in the context menu select Active Directory>Resent Machine Account Password.
4.      In the pop-up window, select the Domain and Organizational Unit of the Target Device.

5.      Finally, select Reset Account.

6.      Assuming this is successful, boot the device and log in with your Active Directory credentials.

For a PVS Target Booting to Hard Disk

Method 1 (Preferred)

1.      Log into the server as the local administrator

2.      Verify NetDom is available on your target device (it may have to be downloaded for a desktop OS)

3.      Verify the computer account is in the desired Active Directory Organizational Unit

4.      Launch cmd.exe as an administrator

5.      Run:

netdom.exe resetpwd /server:<server> /userd:<user> /passwordd:*
<Server> Specifies the domain controller to use to set the computer account password.
<User> Specifies the user account to use to make the secure connection with the domain that you specify in the /server parameter. You must specify the user account in the Domain\User format.
* Specifies the password of the user account that you specify in the /userd parameter. If you specify the value of this parameter as a wildcard character (*), this parameter prompts you for the password.

6.      Reboot

Method 2

1.      Log into the server as the local administrator

2.      Remove the server from the domain using your desired method and reboot

3.      Verify the computer account has been removed from Active Directory

4.      Pre-create the computer account in the desired Active Directory Organizational Unit

5.      Re-join the target device to the domain

6.      Reboot

Method 3 (if the local administrator account is unknown and passwords are cached on the client)

1.      Unplug (or disconnect if a VM) the NIC. This should allow you to log in with cached credentials to a domain account.

Verification of Configuration

It is important that management of computer object passwords is configured properly for Citrix PVS deployments to work properly. This involves configuring the password management in both Active Directory and Provisioning Services.

PVS & Active Directory Settings

1.      In the Citrix PVS Console, navigate to the desired site and Servers node.

2.      Right-Click on each server and select Properties.

3.      In the options tab make sure your server is configured to manage computer accounts. The days between updates is usually left at 7 but may be changed if desired.

4.      Next verify the vDisk in use is managed properly by navigating the vDisk Pool node and right-clicking on the desired disk. Select Properties from the context menu.

5.      On the General tab, verify Enable Active Directory machine account password management is checked (the screen shot is greyed out because this disk is online and cannot be changed).

6.      Now move from PVS to Microsoft's Group Policy Management MMC.

7.      It is important that machine account password changes be disabled for the Organizational Unit that hosts Target Devices and the maximum machine account password age must be set. This value must be greater than the number of days specified above in the PVS console.

Edgesight Unrecoverable, fatal DB error

One error to watch out for on Citrix EdgeSight deployments is the one below.

Error:  An unrecoverable, fatal database error has occurred.  Shutting down the Citrix System Monitoring Agent. 

This error is generally a sign of local FireBird database corruption. This could happen for a variety of reasons: system power failure, hard drive corruption, or improper anti-virus exclusions to name just a few. 

If this error were to experience frequent re-occurrence, be sure to take a look at the EdgeSight logs (SYS_EVENT_TXT) to see if a cause can be found. 

Additionally, keep an eye on the local DB size. If it regularly exceeds the size specified in the management infrastructure I have found corruption is much more likely.

Finally, to fix this error when corruption is the cause (the System Monitoring service will often not restart if corruption is the cause) follow the steps below to clean the local database.

1. Stop the Citrix System Monitoring service on the problem server
2. Rename the FireBird database file for EdgeSight (RSDATR.FDB)
3. Restart the Citrix System Monitoring service.

The service should restart and the FDB database recreate. Yes, you will loose any data that was not previously uploaded to the primary infrastructure database.

Not sure where the FireBird database is? (Common for PVS deployed devices with a re-directed DB.) Check out the DataPath value in this registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\System Monitoring\Agent\Core\4.00

Creating a Microsoft Mandatory or Citrix Template Profile

I have been asked several times lately by colleagues how to create a profile that could be used with Citrix User Profile Manager as a template or a Citrix Mandatory Profile. The process for this basically the same as creating one for use with Microsoft Mandatory Profiles. An outline of the required steps can be found below.


Reference Articles:

• User Profile Best Practices for Citrix XenApp
• Customize the Default Local User Profile
• Creating a Mandatory User Profile
• The Cache Option for Offline Files Must Be Disabled on Roaming User Profile Shares
• The "Set roaming profile path for all users logging onto this computer" Group Policy setting also applies to local user accounts in Windows Server 2008
• Deploy Roaming User Profiles

Goal:
Create a profile that can be utilized for all users of a system to either speed logon or set base configurations void of personalization settings.

Prerequisites:

1. A "like" operating system (Server class 2008 or newer, Windows desktop OS 7 or newer).
   See this article for details.
2. Network storage*
3. Administrative privileges

*Network storage can be avoided by copying the profile locally prior to user access which eliminates the need to have the profile centrally available. 

Step-by-Step:

1. Select a "clean" machine for creating the user profile. This machine should be ready to deploy as if it were going to production, but should should not have been in use. This eliminates as many divergences from the ideal build as possible.
2. Log into the server and create a new local user "ManUser1." (I am utilizing Microsoft Server 2008 R2 in this case.)
3. Add the new user to the local administrators group on the server
4. Log off of the current session and into the server with the new use
5. Customize the user environment as needed
• Alternatively the reference article above for customizing the default profile could be done ahead of time 
6. Log off of this account and back in as your original administrator account
7. Create a network share for central access
• Example: \\MyLab_NAS\MandatoryUser
• Share Permissions: Everyone Full Control
• NTFS Permissions: Follow this TechNet article
• Disable Caching 
8. Copy the entire folder C:\Users\ManUser1 to the new share
9. Rename the folder ManUser1.V2
10. Clean the profile:
1. Delete the AppData Local and AppData Local Low folders
2. Open RegEdit and mount the ntuser.dat hive:
• Search for any instances of "ManUser1" and clear those instances
• Check the various software run and policy locations (Run, Run Once, Policies, etc.) and remove any unwanted software launches / settings
11. Set permissions:
1. Return to RegEdit with the already mounted the ntuser.dat hive:
• Right-click on "ManUser1" and select permissions
• Delete "ManUser1"
• Add Authenticated Users Full Control
• Unmount ntuser.dat from RegEdit
12. In the root of ManUser1.V2, delete files other than NTUser.dat and ntuser.ini (i.e. Log, BLF, etc.)
    *For use with Citrix Profile Manager, skip to the next section
13. Rename ntuser.dat to ntuser.man
14. Specify the profile \\MyLab_NAS\MandatoryUser\ManUser1 in the group policy to set mandatory profiles with Server 2008 RDS (XenApp) or newer. For Windows desktop OS, reference this.
• Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles
• Enable: Use mandatory profiles on RD Session Host server
• Enable: Set path for Remote Desktop Services Roaming User Profile
  *Remember NOT to include .V2 in your path!
15. Not run gpudate /force on any clients targeted by the deployed group policy to have the new mandatory profile applied

Citrix User Profile Manager

There a a couple differences when utilizing Citrix UPM 5.x for managing profiles. Your profile created above can still be used (though there is no need to rename it to *.man nor apply the Microsoft group policy). To check out the steps for configuring UPM to for use, check out the Citrix eDocs page here. It is rather straightforward and you have already taken care of all the prerequisites!

NetScaler VPX on Hyper-V 2012 R2

Unfortunately the current Citrix download for their NetScaler VPX virtual appliance was exported from Hyper-V 2008. This means that the appliance can not natively be imported into Hyper-V 2012 R2 due to a deprecated feature (reference).

I found that I could get around this little hiccup in my lab environment by using VMware Workstation to stand up a Hyper-V 2008 R2 instance. Once the legacy instance is up, import the VPX appliance. You can now copy and paste the VM folders from that appliance directly into your Hyper-V 2012 R2 infrastructure and add the VM that way - without using the export feature on the legacy Hyper-V system.

You could also stand up 2012 original release and use it as an intermediary host - though I did not test this method.