Set acls remotely to a VDI / RDSH Delivery Group 7 Comments

In the same way as the previous blog post, here is some more automation to maintain a VDI/RDSH environment and get back to a controlled and clean environment. This blog is a follow-up to Remotely clean up Virtual Machines drives – XenDesktop, Expand virtual machines hard disk – automation, and XenDesktop XenApp 7.x – vmware / ad / delivery group notes and descriptions sync.

I had to automate an action to place ACLs on the D: drive using PowerShell and icacls. This script uses XenDesktop / XenApp commands to list all the Virtual Machines with a SessionSupport value equal to SingleSession, which means the VDI only in my case.

If you want to check the list of Virtual Machines you targeted you can use this command :

If you want to target a specific XenDesktop Delivery Group, then just adapt the previous line :

Once you know the target, you can execute the following script. Using this script assumes the Virtual Machines are switched on. If you have a suggestion and/or comment, share your thoughts!

Remotely clean up Virtual Machines drives – XenDesktop 10 Comments

Following up on the previous blogs XenDesktop XenApp 7.x – vmware / ad / delivery group notes and descriptions sync and Expand virtual machines hard disk – automation, and continuing with automated tasks, I had to clean up the D: drive of different XenDesktop Delivery Groups. As there was no security restriction on the D: drive, some users used it as a repository for some of their projects... That caused some issues :

- Users complained of losing their working data from one session to another (pooled VDI, new logon = new vm)
- Some disk space notifications were displayed to random users...
- Calls were raised to the helpdesk support team

Besides hiding the D: drive to avoid unnecessary access (i.e. non-system access; check this blog to do so : Citrix XenApp – Hiding system drives part 1/2), an automated task had to be performed to "clean" this D: drive.

The variable $XDDC is the FQDN of a Delivery Controller, and $Exclusion is the list of files and folders you want to exclude from being removed. For example : the directories "logs", "pvsvm", "System Volume Information" and "$RECYCLE.BIN" and the files "dedicateddumpfile.sys", "pagefile.sys" and "vdiskdif.vhdx" will be ignored by the delete process. Most of these files and directories are system protected anyway; it's more to avoid errors during script execution. Once you have a clear list of what you need and want to keep, you can proceed to the next step.

This script will clean everything which is not in the $Exclusion list, so be careful when you run the script. This script assumes all the targeted VMs are switched ON, of course. Leave a comment below if you have an idea how to improve this script!
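One way to make the exclusion-based clean-up previewable before it deletes anything, as an added example that is not the author's script. The function name Clear-DriveExcept and the temp-folder sample tree are hypothetical; in the post's setting the root would be the D: drive of each targeted VM.

```powershell
# Added example (not the author's script). Removes every top-level entry of
# -Root whose name is not in -Exclusion, with -WhatIf support for a dry run.
function Clear-DriveExcept {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        [string[]]$Exclusion = @()
    )
    foreach ($item in Get-ChildItem -LiteralPath $Root -Force) {
        $isLink = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
        if ($Exclusion -contains $item.Name) {
            $action = 'Kept'              # -contains ignores case for strings
        }
        elseif ($isLink) {
            # A junction or symlink left on the drive may point outside it;
            # leave it alone rather than recurse into its target as an admin.
            $action = 'SkippedLink'
        }
        elseif ($PSCmdlet.ShouldProcess($item.FullName, 'Remove')) {
            try {
                Remove-Item -LiteralPath $item.FullName -Recurse -Force -ErrorAction Stop
                $action = 'Removed'
            }
            catch { $action = "Failed: $($_.Exception.Message)" }
        }
        else {
            $action = 'WouldRemove'       # -WhatIf, or a declined -Confirm
        }
        [pscustomobject]@{ Name = $item.Name; Action = $action }
    }
}

# Constructed sample tree standing in for a VM's D: drive.
$root = Join-Path ([IO.Path]::GetTempPath()) ("ddrive-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $root, "$root\logs", "$root\MyProject" | Out-Null
Set-Content -Path "$root\pagefile.sys", "$root\MyProject\report.docx", "$root\notes.txt" -Value 'x'

# Single quotes keep PowerShell from expanding $RECYCLE as a variable.
$Exclusion = 'logs', 'pvsvm', 'System Volume Information', '$RECYCLE.BIN',
             'dedicateddumpfile.sys', 'pagefile.sys', 'vdiskdif.vhdx'

Clear-DriveExcept -Root $root -Exclusion $Exclusion -WhatIf   # preview only
Clear-DriveExcept -Root $root -Exclusion $Exclusion           # actual removal
Remove-Item -LiteralPath $root -Recurse -Force                # drop the demo tree
```

The preview run reports MyProject and notes.txt as WouldRemove and logs and pagefile.sys as Kept; the second run removes the first two.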

Expand virtual machines hard disk – automation 7 Comments

Sometimes, at some customers' sites, with an infrastructure already in place (XenApp with PVS or XenDesktop VDI pooled with PVS), the D: drive is too small. This is the drive where you redirect Windows Event Logs and other logs (UPM for example, and/or other applications and services). This is a drive where the page file is often redirected as well, and where even the memory dump file is generated. The PVS cache can also be on this drive :

Cache on device RAM with overflow on Hard Disk
When RAM is zero, the target device write cache is only written to the local disk. When RAM is not zero, the target device write cache is written to RAM first. When RAM is full, the least recently used block of data is written to the local Write Cache disk to accommodate newer data on RAM. The amount of RAM specified is the non-paged kernel memory that the target device consumes.

Cache on device Hard Disk
The cache on local HD is stored in a file on a secondary local hard drive of the device. It gets created as an invisible file in the root folder of the secondary local HD. The cache file size grows, as needed, but never gets larger than the original vDisk, and often not larger than the free space on the original vDisk. It is slower than RAM cache, but faster than Server cache and works in a HA environment.

The lack of space on this drive will bring some slowness to users' sessions, and this drive needs to be expanded a bit to get back to a normal user experience. To expand these disks, two actions need to be done :

- Expand the Virtual Machine hard disk (in this example, vmware Virtual Machines)
- Expand the disk within the Operating System (Windows)

In addition to the following script, the psexec tool (Microsoft Sysinternals) is used to remotely execute the diskpart commands listed in a text file (diskpart.txt) which is uploaded to the Virtual Machines. Targeted Virtual Machines need to be powered on.

Psexec.exe and Diskpart.txt need to be in the same folder as the PowerShell script; of course you can specify their path as it suits your needs.

This script uses XenDesktop / XenApp commands to list all the Virtual Machines with a SessionSupport value equal to SingleSession, which means the VDI only in my case. If you want to check the list of Virtual Machines…

XenDesktop XenApp 7.x – vmware / ad / delivery group notes and descriptions sync 9 Comments

Several times I had the need to synchronise Virtual Machine notes (vmware) with the Active Directory Computer description. As in big environments different teams manage each of these components, the ability to link an Active Directory computer account to a vm with a XenApp / XenDesktop delivery group has often been seen as useful.

- Delivery group name : Desktop123
- Virtual Machine note (vmware) : Desktop123
- Active Directory account Description : Desktop123

The idea is to simply synchronise the information across the platforms so everyone knows quickly what machine does what. In this particular example that was about XenApp Servers and XenDesktop VDI. You will need a machine where :

- XenDesktop 7.x SDK (PowerShell) is installed
- vmware PowerCli is installed
- RSAT role is deployed as well

Thanks to Rodolphe Herpeux, who simplified the first version of this script I wrote.

Load Balancing TFTP with Netscaler 10.5 30 Comments

Implementing Citrix Provisioning Services (PVS) is very common nowadays when it's about deploying Shared Desktops (XenApp) or Pooled, Private or Personal Desktops (XenDesktop). Even if there is still some debate about using TFTP+PXE vs using BDM (Boot Device Manager), I still observe a large number of deployments made using TFTP+PXE rather than BDM. Both of these solutions have pros and cons (check Wilco's website here), and this is an architectural choice you need to plan ahead of the project.

Using TFTP and PXE brings several SPOFs along the line, and these need to be considered and designed to be as resilient as the high availability requires. TFTP is not redundant by design; using DHCP option 66 (Boot Server Host Name) allows the use of only one IP address, and there is no redundancy behind that. With Citrix Netscaler, Citrix gave us the ability to bring high availability to this SPOF and address this issue.

With previous Netscaler versions (prior to 10.x) that wasn't that easy to set up and required an understanding of Netscaler features like Layer 2 Mode, DSR, etc... And if you didn't understand exactly what you were doing, all the PVS traffic was going through the Netscaler, and believe me, that was a real pain in the ass... I saw that kind of mistake a number of times... With Netscaler 10.1 and then 10.5, things are a lot easier... So I just jumped on the occasion I had at one customer's site to load balance 4 Citrix PVS servers (TFTP + PVS) to deliver this simple and fast how-to.

Information you need to gather :

- IP addresses and names of all PVS servers (with TFTP)
- One IP address for the Virtual Server (VIP)
- One or more Netscaler 10.5 (I made this configuration with 10.5.51.10.nc)

Here is a basic architecture overview of the components we are impacting :

- Netscaler #1 and #2 : This is where the configuration will take place
- PVS Servers #1, #2, #3 and #4 : All the PVS / PXE / TFTP servers we will use in this example
- DHCP Servers #1 and #2 : This is where we will configure option 66 by using the Load Balanced IP Address (VIP)
- VMs : All these Virtual Machines will use PXE to boot and get the Load Balanced TFTP address to launch the ARDBP32.bin file.

Let's go for the Netscaler configuration. First you need to log in; if you're using a multi Netscaler architecture you…

Netscaler 10.5 and Storefront 2.5.2 Configuration 13 Comments

Citrix Netscaler 10.5 has been out for a couple of weeks now, and if you want to read what's new in this release just click on the [link], because there are so many things that I won't list everything here. I will use this blog to refresh the "how to" I already did about Netscaler, and I will go through the basic setup, certificate request, import and Access Gateway configuration to plug in my XenDesktop 7.5 lab.

First, you need to download your Netscaler (download if you're using a VPX appliance). You can find the appliance corresponding to your hypervisor :

- vmware ESX
- Microsoft Hyper-V
- Citrix XenServer
- KVM

You can download it here : [link] - a myCitrix account is required

Once you boot up the appliance, after giving the basic information like IP address, subnet and gateway, you can fire up the GUI through your favorite browser. You need to log on and follow the step by step screenshots :

The basic configuration is done. Now it is time to add a certificate for the Access Gateway : creating a private key, a CSR and finally importing the pem certificate.

Don't forget to change the nsroot password.

Now that the certificate part is done (thanks to Digicert for my lab), you can go ahead to the next step and configure your Storefront server to create a new store ready to connect with the Netscaler Access Gateway.

The Storefront part is easy and quick to do; you can now continue by creating the Access Gateway using the new wizard and following these steps :

Here you go, just a reboot to have the Access Gateway up and running. I had a few issues in the end with Application Firewall with Google Chrome and Safari from a Mac OS X computer; you need to enable the learning mode to check what needs to be changed in the Application Firewall rules and allow connections to your Access Gateway.

You can customize the Netscaler Access Gateway logon page and your Storefront very easily. Eric, one of my CTP friends, did a very short and nice blog about that [link], and there is a very detailed blog written by Feng Huang, Citrite, here [link].

This blog will give you a good overview of what needs to be done to set up an Access Gateway with Storefront. For those who don't have time to test, now you know!

XenApp 6.5 to XenApp 7.5 Migration (Machine) 24 Comments

Citrix will very soon offer a lot of scripts and tools to give the ability to migrate policies from a XenApp 6.5 farm to XenApp 7.5. I'm currently testing all these PowerShell scripts to check them out and maybe use them by including them in our migration process.

What Citrix hasn't given us yet is a tool to move an existing XenApp 6.5 server to a XenApp 7.5 Site. The steps are fairly simple and can be automated :

- Leave XenApp 6.5 Farm
- **Reboot**
- Uninstall XenApp 6.5
- **Reboot**
- Install XenApp 7.5 VDA

This is not what I recommend doing, because removing a piece of software to replace it with another always leaves some dirty little things everywhere... This is the reason I prefer to start from scratch and migrate applications; sometimes it's not possible and we need to go fast, so these few steps are easy to customize and integrate in every deployment system in place.

The first step is to leave the XenApp 6.5 farm :

To complete this farm leave script, you need to reboot the XenApp server.

The second step is to uninstall XenApp 6.5 using this command line :

To complete this step the XenApp server needs to reboot again.

The last step is to deploy the new VDA (XenApp / XenDesktop 7.5) using this command line :

Update 25 April 2014

If you plan to move your XenApp 6.5 servers to XenApp 7.5 you need to clean a bit more than simply XenApp. I had a lot of comments about the Edgesight agent, Citrix Profile Management etc... and my answer is yes, you need to uninstall each of these components to avoid any conflict with the VDA. For example, Edgesight can be uninstalled using the following command line :

This is it! I think Citrix will offer a "graphic" tool at some point, but I needed to have that ready now, so I share it!

Resources :

- XenApp and XenDesktop 7.5 edocs
- XenApp Uninstallation Best Practices

Are we missing something ? 2 Comments

As you might know, I'm the CTO of a super cool company here in France (Activlan), based around Paris, and one side of my job is to watch in my crystal ball to know what our customers will need and how they could use us to remain on top of their productivity with their IT : reducing cost and accelerating processes, giving flexibility and liberty to their users, and keeping the information safe when needed.

What's very cool in my job is that I always exchange so many things with you all during events, when we meet here and there, online and in real life, that it gives me a flavor of what's happening in IT in a lot of countries very different from here in France. Of course I try to give back what I learned from all this shared experience and knowledge, but these last months I've been busy working hard on some other projects.

So, this title brings me back to an old blog : VDI ok, What's next ? published in May 2012, where my conclusion was :

What really matters in the vWorld ? In the end, the data.

I think that was about right in 2012 and, you know, with all the VDI, RDSH, offline and online, hypervisors of all types, applications installed, streamed or isolated, using a phone, a tablet, a thin client or a computer, in the end the only thing that matters remains data.

Software vendors in our segment are pushing their mobile (i.e. MAM and MDM) solutions harder and harder, thinking everyone should buy this software and work with tablets and phones. I think we aren't there just yet...

When someone is hired in a company, the first days are almost all the time a giant waste of time (and money)... No desktop ready, no application access etc...

In big companies, MDM and MAM need to be addressed, but they will never be widely used for the next 2/3 years. What users expect from their company is to have access to their data (core need) through applications accessed via a desktop, or not, but with a consistent environment.

They want to work in an optimal way during their working hours and sometimes be able to access their data from home or a remote location, but taking over people's personal phones is over-rated for now. The MAM MDM hype reminds me of the…

Citrix PVS vs MCS – Despectus 21 Comments

I know this subject has been covered a thousand times here and there, but this is an eternal discussion we have, whatever the forum or the meeting going on, when we speak about Citrix. To remind people not familiar with MCS or PVS, here are the main differences :

- MCS : Machine Creation Service
- PVS : Provisioning Services

All the blogs, articles and white papers are very good and very technical with a lot of details, but too often lack "real life" examples. Of course it is important to know detailed performance measurements of IOPS in read and write, cache mode, disk and storage type etc., but what most of the time everyone is missing is a crucial component : complexity, and the ability of the technical team to handle PVS and/or MCS.

At many of my customers' sites we've implemented PVS architectures on multi-site with DFS-R and SAN / NAS etc. to provision XenApp 6.5 farms lightning fast, and this is every time a success when everything is set up correctly and when everything works as expected. BUT the complexity we leave behind at the customer's site leaves me with the thought that in 70% of the cases, they will call us back to fix an issue they created while trying to handle PVS and surrounding components. 20% won't call us but nothing will change; even the XenApp servers will remain in the same state as when we left.

Of course, writing documentation and how-tos for everything won't solve this issue, because managing XenApp servers provisioned with PVS is complex and needs good organisation and an understanding of the product.

PVS is in version 7.1 (April 2014) and hasn't evolved that much during the last couple of years. Some say PVS will disappear with time to let MCS take over, but I honestly don't know what Citrix's plans are for PVS. But as PVS is an awesome technology, I think Citrix will bring more and more features to MCS, and keeping the simplicity while adding features will be an interesting challenge.

To keep this topic short (that never happens when we speak about this during CTP meetings or forums :) ) I would say that for large enterprises I would continue to use PVS on the current and new deployments, but put in my customer's mind that the overhead of complexity could cost more than an intelligent storage solution (software, hardware) and introduce a few desktops (XenDesktop…

Trend ServerProtect 5.80, XenApp 6.5 / PVS 3 Comments

AntiVirus software is always a pain in the ass when it's about delivering desktops through golden image systems like Citrix Provisioning Services. It's changing, but still, in most of the companies I'm working for there is always the AntiVirus dude who is yelling and requesting to be able to watch and know where the Antivirus software is deployed, if it's up to date and if all the machines are ok.

The last blog I did about an antivirus was about Symantec SEP 11 (here), and Symantec did their job by understanding what a virtual environment was about with version 12. With TrendMicro and ServerProtect, we're not there yet... Even if their product Office Scan seems to fit the needs better, today I had to deal with Trend Micro ServerProtect installed on the PVS golden images.

The problem remains the same : a Trend GUID is created when installing the piece of software on the golden image, but it won't change across multi-machine usage. The Trend GUID is located in the registry : HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\ServerProtect\CurrentVersion\SpntService\NS_GUID with a 75-character string.

What I had to do :

- Create a 75 random character string
- Replace the registry value
- Create a flag so the value won't change at each reboot

So I did, with my crappy PowerShell skills, a very small script (and thanks to Livio @EldejiPoint for the cleanup ^^ ).

So this script will be executed as a startup script for the computer (using GPOs), and by creating a trend.txt file on the fixed drive (d:\) the generated Trend GUID won't change until the file is removed. I hope it will help!
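The three steps listed above as an added PowerShell example; this is not the author's script, which is not reproduced on this page. Assumptions: NS_GUID is a string value under the SpntService key, any 75 characters from A-Z and 0-9 are accepted, and the flag file is d:\trend.txt as in the post. The function names are hypothetical.

```powershell
# Added example (not the author's script). Intended to run as a computer
# startup script, which executes as SYSTEM and can therefore write to HKLM.

function New-RandomString {
    param(
        [int]$Length = 75,
        # Assumption: the accepted character set is not stated in the post.
        [string]$Alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    )
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    $rng.Dispose()
    # The value is an identifier, not a secret, so the small modulo bias
    # from mapping 256 byte values onto 36 characters does not matter here.
    -join ($bytes | ForEach-Object { $Alphabet[$_ % $Alphabet.Length] })
}

function Set-TrendGuidOnce {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$KeyPath   = 'HKLM:\SOFTWARE\TrendMicro\ServerProtect\CurrentVersion\SpntService',
        [string]$ValueName = 'NS_GUID',      # assumed to be a value name under the key
        [string]$FlagFile  = 'D:\trend.txt'  # lives on the persistent drive, not the golden image
    )
    # Flag present: this machine already has its own GUID, keep it across reboots.
    if (Test-Path -LiteralPath $FlagFile) { return $false }
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        throw "Registry key not found: $KeyPath"
    }
    $guid = New-RandomString -Length 75
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Replace Trend GUID')) {
        Set-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value $guid
        # Write the flag only after the registry write succeeded.
        Set-Content -LiteralPath $FlagFile -Value (Get-Date -Format o)
        return $true
    }
    return $false
}

Set-TrendGuidOnce -ErrorAction Stop
```

Running it with -WhatIf shows the registry value that would be replaced without touching it or creating the flag file.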