Remotely clean up Virtual Machines drives – XenDesktop

Following up on the previous blogs "XenDesktop XenApp 7.x – vmware / ad / delivery group notes and descriptions sync" and "Expand virtual machines hard disk – automation", and continuing with automated tasks, I had to clean up the D: drive of different XenDesktop Delivery Groups. As there was no security restriction on the D: drive, some users used it as a repository for some of their projects... That caused some issues:

- Users complained of losing their working data from one session to another (pooled VDI, new logon = new VM)
- Disk space notifications were displayed to random users
- Calls were raised to the helpdesk support team

Besides hiding the D: drive to avoid unnecessary access (i.e. non-system access; check this blog to do so: Citrix XenApp – Hiding system drives part 1/2), an automated task had to be performed to "clean" this D: drive.

The variable $XDDC is the FQDN of a Delivery Controller; $Exclusion is the list of files and folders you want to exclude from removal. For example: the directories "logs", "pvsvm", "System Volume Information" and "$RECYCLE.BIN" and the files "dedicateddumpfile.sys", "pagefile.sys" and "vdiskdif.vhdx" will be ignored by the delete process. Most of these files and directories are system protected anyway; listing them is more about avoiding errors during script execution. Once you have a clear list of what you need and want to keep, you can proceed to the next step.

This script will clean everything which is not in the $Exclusion list, so be careful when you run it. This script assumes all the targeted VMs are switched on, of course. Leave a comment below if you have an idea how to improve this script!
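A sketch of such a clean-up, added here as an example and not the script from the original post: it defaults to a dry run so the delete list can be reviewed before anything is removed. The controller FQDN and Delivery Group name are placeholders, and it assumes the Citrix Broker snap-in is installed and the account can reach each VM's D$ administrative share.

```powershell
# Added example, not the original post's script.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

$XDDC          = 'ddc01.example.local'   # placeholder Delivery Controller FQDN
$DeliveryGroup = 'Pooled-VDI'            # placeholder Delivery Group name
# Single quotes matter: inside double quotes PowerShell would expand $RECYCLE
# as a variable and the entry would silently become ".BIN".
$Exclusion = @('logs', 'pvsvm', 'System Volume Information', '$RECYCLE.BIN',
               'dedicateddumpfile.sys', 'pagefile.sys', 'vdiskdif.vhdx')

function Clear-VmDataDrive {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string[]]$Exclude
    )
    $root = '\\{0}\D$' -f $ComputerName
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "$root is not reachable, skipped"
        return
    }
    # Only top-level entries are compared with the exclusion list.
    # -notcontains is case-insensitive, like NTFS names; -Force includes hidden items.
    $targets = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $Exclude -notcontains $_.Name }
    foreach ($item in $targets) {
        # With -WhatIf, ShouldProcess prints the target and returns $false.
        if ($PSCmdlet.ShouldProcess($item.FullName, 'Remove')) {
            try {
                Remove-Item -LiteralPath $item.FullName -Recurse -Force -ErrorAction Stop
                Write-Output "removed $($item.FullName)"
            } catch {
                Write-Warning "failed $($item.FullName) : $($_.Exception.Message)"
            }
        }
    }
}

# Only powered-on machines of the chosen Delivery Group are targeted.
$vms = Get-BrokerMachine -AdminAddress $XDDC -DesktopGroupName $DeliveryGroup `
                         -PowerState On -MaxRecordCount 5000
foreach ($vm in $vms) {
    # Dry run. Remove -WhatIf only after reviewing the list it prints.
    Clear-VmDataDrive -ComputerName $vm.DNSName -Exclude $Exclusion -WhatIf
}
```

Keeping the run's output (for example with Start-Transcript) gives a record of what was removed from which VM if a user later reports missing data.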

If you're used to checking the IMA service to verify that everything is running fine in your XenDesktop 4 or XenApp environment, you won't find any IMA in XenDesktop 5. This is one of the huge changes Citrix has made in the new XenDesktop; it is a major change because no more IMA means many things in terms of architecture and product functionality.

So, as I just mentioned, there is no IMA in the XenDesktop 5 Controller (DDC), which means there is no IMA data store or local host cache (!!!). No more XML Blob; there is no more Active Directory Configuration Wizard or Farm OU; XenDesktop 5 doesn't need Terminal Services any more; everything is stored in a brand new SQL database and there is no support for Oracle or Access. <-- Wow! These are big changes, right? I will explain more about the impact of these changes on what we're used to, and the consequences.

First things first: when you want to install XenDesktop 5, you have the choice between "Quick Deploy", "Join existing deployment", "Desktop deployment" and "Application deployment". You can also notice the installer is simpler than the one in XenDesktop 4.

- "Quick deploy" is the fastest way to deploy a fully functional XenDesktop installation. All in one box: Citrix License Server, the DDC, and the database.
- "Join existing deployment" adds a XenDesktop Controller to an existing site.
- "Desktop deployment" is the advanced installation for large deployments, to use with Citrix Provisioning Services.

Regarding the installation, on the server side, the XenDesktop Controller supports Windows Server 2008 and 2008 R2 only; Windows 2003 is out. If you want to use the "Quick Deploy" mode, then all components must be on the same box; it also assumes SQL Express is installed on the same machine. Microsoft PowerShell 2.0 is downloaded during the installation, so you will need to install PowerShell 2.0 manually if you don't have internet access.
You can use the same License Server as XenDesktop 4 (11.6.1).

Desktop Controller – System Requirements

- Microsoft Windows Server 2008, Standard or Enterprise Edition, with Service Pack 2
- Microsoft Windows Server 2008 R2, Standard or Enterprise Edition (Service Pack 1 will be supported)
- Microsoft .NET Framework, Version 3.5, with Service Pack 1
- Microsoft Internet Information Services (IIS) and ASP.NET 2.0 (IIS is required only if you are installing the Web Interface, the License Server, or Desktop Director)

Controller – Database Requirements

- Microsoft SQL Server 2008 R2 Microsoft…

Warning: for those who downloaded Alcatraz before the 2nd of December 2010, please update it (same link). An issue around leaking desktop handles affects v0.9.0.31; once you update you should have v0.9.0.32.

Citrix announced on the 29th of November 2010 a new project code-named "Alcatraz", part of the project "San Francisco", which can be combined with project "GoldenGate" (check the end of this blog for the Citrix links about each project).

The idea is simple: how to add a "lock" layer to all the published applications accessed by mobile users, and how to improve "security" if a device is stolen, lost, etc.? Citrix Labs tries to give an answer with this new project, and I think this idea is very well thought out.

Without modifying your existing Citrix architecture (XenApp, WebInterface, CAG, etc.), you can provide another authentication level before launching an application, with a PIN code request (below, a screenshot from my iPhone).

To be clear, this is not a second-factor authentication add-on / product for Access Gateway and Web Interface. This PIN code interface is loaded before the published application, once the user profile is loaded.

It looks neat, but how does it work? First you need to install the Alcatraz msi on the XenApp servers you want to use for your tests. You can download the msi packages here: https://www.citrix.com/English/SS/downloads/details.asp?downloadID=2305766&productID=186 (a MyCitrix account is required). You will find one package for 32-bit OS and another one for 64-bit OS.

All the binaries will be installed in the "C:\Program Files (x86)\Citrix\Alcatraz" folder and you will find the following files:

Then the only change you need to make is to amend or create published applications dedicated to mobile users, using "C:\Program Files\Citrix\Alcatraz\Alcatraz.exe" /a "command line of published application" for the 32-bit XenApp servers, or "C:\Program Files (x86)\Citrix\Alcatraz\Alcatraz.exe" /a "command line of published application" for the 64-bit XenApp servers.
In the registry, the settings are located in HKLM\Software\Citrix\Alcatraz for 32-bit servers and in HKLM\Software\WOW6432Node\Citrix\Alcatraz for 64-bit servers, and all the settings are explained on the project page here: http://community.citrix.com/display/xa/Getting+Started+with+Project+Alcatraz

- ChallengeInterval – This setting is disabled by default (set to 0). This setting will force the user to enter their pass-code after a period of time (in seconds) even if the user is interacting with the published application. (Default: Disabled)
- InactivityTimeout – This is the amount of time (in seconds) that a user has not interacted with their published…

Provisioning XenApp 6 servers is very easy and makes everything very simple, but using third party Citrix products like EdgeSight or Power and Capacity Management can be tricky to get working properly with provisioned services. The last issue I had was with Power and Capacity Management, but before explaining everything, a quick reminder:

Citrix XenApp Power and Capacity Management can help reduce power consumption and manage XenApp server capacity by dynamically scaling up or scaling down the number of online XenApp servers. Consolidating sessions onto fewer online servers improves server utilization, while providing sufficient capacity to handle load while minimizing unnecessary power consumption. As users log on to the system and reduce the idle capacity (how much capacity is available for additional sessions), other servers in the workload are powered up. As users log off and idle capacity increases, idle servers are shut down. This helps optimize capacity for XenApp workloads.

When installing PCM on the PVS master virtual machine to update the vDisk, everything ran smoothly, no problem at all, and the service was set to automatic. The service name is "Citrix XenApp Power and Capacity Management Agent" (PCMAgent) and it has dependencies on "Citrix Independent Management Architecture (IMA)" and "Remote Procedure Call (RPC)". I assumed the service would wait until XenApp was done launching the IMA Service and then the PCM Service would be able to launch. That was an error. I suppose XenAppPrepTool was taking too much time to launch the IMA Service and a timeout occurred for the PCMAgent Service, so the service was in auto but an error showed up in the system event logs:

Solution? I chose the simple way: the first try was to delay the PCMAgent service so that it waits for the IMA Service startup.
To do so, just switch from Automatic to Automatic (Delayed Start) in the service properties / Startup type:

As I use a login script for the XenApp servers (a very good example can be found here: http://jariangibson.com/2010/03/17/using-edgesight-with-provisioned-xenapp-servers/), I just added a line to start the PCMAgent service:

If you want to script the service startup type, you can inject it into the registry using this value:

in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PCMAgent

Then update your vhd image and boot your provisioned XenApp servers; they should appear in the PCM console.

Sources:
http://support.citrix.com/proddocs/topic/xenapp6-w2k8/ps-power-capacity-mgt-wrapper-v1.html
http://jariangibson.com/2010/03/17/using-edgesight-with-provisioned-xenapp-servers/

At one of my customers' sites, we needed to publish mstsc.exe (RDP Client) through XenApp 4.5 on Windows 2008 x64. Users complained about a weird keyboard behaviour. While typing in their session, users stated that when using shift for the first letter, the second letter was upper case as well. I've made a quick video to show you this issue; you can watch it below:

On the Citrix Web Interface, one ICA file is used as a template for ICA file creation: default.ica. I edited this file to check what was in it:

In the WFClient section (below) I found the line KeyboardTimer=50, which means that at the end of the specified time period the keyboard data is sent to the server. I didn't want to modify this value without being able to test it first, so I right-clicked on the published Remote Desktop icon to download the launch.ica file (generated from default.ica with the 50ms value), saved it and then edited it, changing the KeyboardTimer value to 25, then 15, then 10 and finally 5. I had the issue until the last value tested, 5ms.

Now I need to run some more tests to check whether the bandwidth consumed is really higher compared with the 50ms default value. I will update this post with the statistics results (EdgeSight).

Update: 1st July 2010

I've used Citrix EdgeSight to check what's going on while I run some tests on ICA Session Traffic and ICA Session I/O. To run this test I created a script which opens notepad and types a text (about 30/40 lines), so the same text input is used for all the tested values. I made this test with KeyboardTimer=50 (default), KeyboardTimer=25 and KeyboardTimer=5 and here are the results:

I blanked the "non needed" data to avoid confusion and, as you might notice, there is not a huge difference between these different values. I decided to commit the change for WAN users, and I will check deeper statistics with real usage over weeks/months, before/after the change.
I wanted to blog this issue because it is an annoying one, and you might search a long time around the mstsc configuration, registry tips and tuning before finding out this was the KeyboardTimer value in the default.ica file on the Citrix WebInterface. You can also add the line KeyboardTimer=## (your value) to your WFCLIENT.INI file in your…

This is the second part; here is the link to the first part: Citrix XenApp – Hiding system drives part 1/2

If you read the first part, you now know how to apply the Microsoft Windows 2003/2008/R2 GPO to hide the A, B, C and/or D drives. But what happens if you have an E: drive, or O:? You cannot use this GPO anymore; you need to create your own. It is simple to understand how it works, just read what follows.

By default the Hide Drives part in the system.adm file looks like this:

To explain: this policy displays only specified drives on the client computer. The registry key that this policy affects uses a decimal number that corresponds to a 26-bit binary string, with each bit representing a drive letter:

I chose an example where I want to hide the A, B, C, D and E drives:

Then convert to decimal. This binary string converts to 31 in decimal.

Add this line to the [strings] section in the new HideDrives.adm file:

After that, add this entry in the ITEMLIST section above and save the HideDrives.adm file. So the whole ADM file must look like this:

I think you're good with this one; just import this ADM file and activate it following part 1.
Links: Microsoft KB (thx to CTXBlog.fr)

    CLASS USER
    CATEGORY !!HideDrives
        KEYNAME Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
        POLICY !!HideDrives
            PART !!HideDrivesDropdown DROPDOWNLIST NOSORT REQUIRED
                VALUENAME "NoDrives"
                ITEMLIST
                    NAME !!ABOnly        VALUE NUMERIC 3
                    NAME !!COnly         VALUE NUMERIC 4
                    NAME !!DOnly         VALUE NUMERIC 8
                    NAME !!ABConly       VALUE NUMERIC 7
                    NAME !!ABCDOnly      VALUE NUMERIC 15
                    NAME !!HideABCDE     VALUE NUMERIC 31
                    NAME !!ALLDrives     VALUE NUMERIC 67108863 DEFAULT
                    NAME !!RestNoDrives  VALUE NUMERIC 0
                END ITEMLIST
            END PART
        END POLICY
    END CATEGORY ;HideDrives

    [strings]
    Blank=" "
    ABCDOnly="Restrict A, B, C and D drives only"
    ABConly="Restrict A, B and C drives only"
    ABOnly="Restrict A and B drives only"
    ALLDrives="Restrict all drives"
    COnly="Restrict C drive only"
    DOnly="Restrict D drive only"
    HideABCDE="Restrict A, B, C, D and E drives only"
    HideDrives="Hide Drives"
    HideDrivesDropdown="Hide Drives Selection"
    MoveProfile="Move Profiles"
    MoveProfileDropdown="Move User Profile Location"
    MOVEPROFILETOD="Move Profile to D Drive"
    RestNoDrives="Restore Drives"
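The NoDrives values in the ADM file above can be computed for any drive letters, such as the E: or O: case mentioned in the post, instead of converting the binary string by hand. The following is an added example, not part of the original post; the function names are hypothetical, and bit 0 stands for A: up to bit 25 for Z:, so A to E gives the 31 used above.

```powershell
# Added example: encode/decode the 26-bit NoDrives mask (bit 0 = A: ... bit 25 = Z:).
# -shl requires PowerShell 3.0 or later.
function Get-NoDrivesValue {
    param([Parameter(Mandatory = $true)][string]$DriveLetters)
    $mask = 0
    foreach ($c in $DriveLetters.ToUpperInvariant().ToCharArray()) {
        $bit = [int]$c - [int][char]'A'
        if ($bit -lt 0 -or $bit -gt 25) { throw "Not a drive letter: '$c'" }
        $mask = $mask -bor (1 -shl $bit)   # repeated letters are harmless
    }
    return $mask
}

# Reverse direction: useful to audit what an existing NoDrives value really hides.
function ConvertFrom-NoDrivesValue {
    param([Parameter(Mandatory = $true)][int]$Value)
    if ($Value -lt 0 -or $Value -gt 67108863) {
        throw "Outside the 26-bit range: $Value"
    }
    $letters = for ($bit = 0; $bit -lt 26; $bit++) {
        if ($Value -band (1 -shl $bit)) { [char](65 + $bit) }
    }
    return (-join $letters)
}

# Emits the two lines to paste into a custom ADM: one for ITEMLIST, one for [strings].
function New-AdmNoDrivesEntry {
    param(
        [Parameter(Mandatory = $true)][string]$StringName,   # e.g. HideABCDE
        [Parameter(Mandatory = $true)][string]$DriveLetters
    )
    $value = Get-NoDrivesValue -DriveLetters $DriveLetters
    $shown = (ConvertFrom-NoDrivesValue -Value $value).ToCharArray() -join ', '
    'NAME !!{0} VALUE NUMERIC {1}' -f $StringName, $value
    '{0}="Restrict {1} drives only"' -f $StringName, $shown
}

New-AdmNoDrivesEntry -StringName 'HideABCDE' -DriveLetters 'ABCDE'
New-AdmNoDrivesEntry -StringName 'HideEO'    -DriveLetters 'EO'
ConvertFrom-NoDrivesValue -Value 15
```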

Hiding the system drives C, D, the floppy if there is still one, and the CD-ROM seems easy, but many times at customers' sites I have seen administrators unable to complete this simple operation. The reason is, in most cases, that the administrator doesn't really know how to manage GPOs and what the difference is between user and machine GPOs.

First you need to know there is a built-in GPO in Microsoft Windows 2003 / 2008 / R2 with these settings ready to be set. To set it up, you need to create a new GPO or edit an existing one and find the two GPO settings below:

Most of the administrators I spoke with told me they had done that already, but it still didn't work; they rebooted the XenApp servers, the domain controller, everything they could reboot... But they forgot the essential point: the GPOs above are USER GPOs, and this GPO is placed on the XenApp OU in Active Directory, where there is no user at all.

The solution is very simple: you need to activate GPO loopback:

This setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used.

Then, with a gpupdate /force, this hiding drives GPO is working! Finally!

In the second part of this blog I will explain how you can go further and hide drives with letters other than A, B, C or D.

This issue appeared on my Presentation Server 4 HR5 servers, 32-bit only; x64 servers (Windows 2003 & 2008) were fine after deploying Citrix EdgeSight Agent for XenApp 5.2 SP1 (build 5.2.3012.0).

Impacted applications:

- All Java applications using more than 706mb of reserved memory. Command line example: c:\Progra~1\Java\jre1.5.0_07\bin\javaw -Xms8m -Xmx1024m -Dcai.starter.jvm.options="-Xms8m -Xmx1024m" -classpath d:\xxxxxxxxxxxxx
- Visual Studio 2008 Pro SP1 x64 crashes when Citrix EdgeSight 5.2 SP1 is installed, process CL.exe.

Reminder:

- -Xmsn: Specify the initial size, in bytes, of the memory allocation pool. This value must be a multiple of 1024 greater than 1MB. Append the letter k or K to indicate kilobytes, or m or M to indicate megabytes. The default value is 2MB.
- -Xmxn: Specify the maximum size, in bytes, of the memory allocation pool. This value must be a multiple of 1024 greater than 2MB. Append the letter k or K to indicate kilobytes, or m or M to indicate megabytes. The default value is 64MB.

Affected system: Microsoft Windows 2003 R2 SP2 x32 with Citrix Presentation Server 4 HR5

Error message:

Or

Even if the Presentation Servers all have 4Gb of RAM and are freshly rebooted (567mb memory occupation), the Java application doesn't want to start. I first uninstalled Citrix EdgeSight and checked everything was fine; it was fine with the prior version of EdgeSight for XenApp. Someone had the same issue; only one person posted this issue with a Java application on Citrix's forums: http://forums.citrix.com/thread.jspa?threadID=261266&tstart=0

As for Visual Studio 2008 SP1 x64, the process CL.exe seems to be the one to exclude to make it work.
Workaround: to avoid the EdgeSight for XenApp agent "blocking" a process, you need to add the executable program to the following registry key:

Keep in mind that adding files to this registry key excludes them from statistics (information to be confirmed).

Update 30 March 2010: there is no fix yet for this issue. The next version, EdgeSight for XenApp 5.3, should include the fix, but not before Q2 2010...

XenApp 4.5 / 5 unattended installation

Unattended installation is very useful in a large XenApp farm. Of course, if you're deploying one server every two months you might not be interested in this process automation, but it is always interesting to know this kind of tip. The scripts below are examples I use every day in production to install servers; of course they need to be changed and adapted to your own settings, and if you have some ideas to share, I'll take them!

This unattended example assumes you have only one network card enabled, a local XenApp source installation file and IP addresses of type 192.168.3 / 192.168.10 / 192.168.200 / 10.113 / 10.112. This file allows joining an existing farm named CTX_TEST with a datastore hosted on a SQL server. Finally, you need to create one folder per farm inside your XenApp source folder if you are automating a multi-farm setup.

This is the UnattendedTemplate.txt you can find on your XenApp installation media; this file is very simple to fill in and everything is commented and explained. This file example is for the XenApp zone named ZoneA.

I wanted to comment every option below, but I think the existing comments are very clear and you will understand everything. If you have any questions, just ask on the forum.

And if you want to go further, you can create one file per zone and use a script to deploy your XenApp server to the right zone by checking the machine IP address. This script needs the XenApp installation files locally on your server (c:\Citrix\XenApp5).

This unattended installation generates a verbose log file at c:\XENAPPCTX_PROD.log; don't underestimate this part, it can be very useful to troubleshoot your silent installation.

One last thing before you go, don't forget to use a valid MF20.dsn: