### Archive

Archive for the ‘Citrix Provisioning Services’ Category

## How to create a XenApp 6.5 Server 2008 R2 golden image for PVS 6.1

I urge you to read my PVS 6.1 on XenDesktop/Windows 7 guide first. Read it and make sure you understand it. The same concepts and most all procedures apply to Server 2008 R2. So I am not going to get as detailed on PVS technology in this article. This is going to be more XenApp centric. If you don’t have a thorough understanding of PVS, it is easy to become lost so please make sure and read that article and go through those screenshots first.

Citrix has an excellent eDoc primer for understanding the intricacies of XenApp on PVS located here. I recommend skimming this before beginning:

http://support.citrix.com/proddocs/topic/xenapp65-install/ps-image-prep.html

Now on to the steps. This is just my way of doing it. It works well for me. There are a couple of different ways you can achieve the same thing so use what works for you:

1. I am assuming you already have a XenApp 6.5 farm created and at least one dedicated server for the role of the ZDC. All XenApp servers provisioned via XenApp will be member servers of this farm and you do not want them to become a ZDC. Just set the election preference in AppCenter under Zones. In this example, I have a Default Zone and have set one server as the ZDC but it is best practice to have at least a handful of servers that are not provisioned to be set as preferred. Just in case one goes down, you don’t want one of your provisioned servers to become a ZDC:

2. Now go to your XenServer and create a new Server 2008 R2 VM

3. Install XenServer Tools

4. Make a copy of the VM and convert it to a template. This is your “clean” Server 2008 R2 image you can come back to later if you need to. You can spin up new VMs from it.

5. Now go back to the VM you were working on and install things that are needed on all servers like Symantec, Citrix Offline Plugin (if you intend to leverage app streaming), etc. but try to keep it as clean as possible. Remember, you are building just the base right now. Don’t install any applications you plan to publish yet.

6. Add the server to the domain. Make sure the name is the first server in your naming scheme, example: “ServerName-100” where 1 denotes the image number and 00 is the VM number. The next VM that gets spun up using this image will be ServerName-101 and so on.

7. Begin installation of XenApp 6.5 like normal and follow Approach 3 detailed here:

http://support.citrix.com/proddocs/topic/xenapp65-install/ps-image-prep.html

8. If you have multiple NICs in your PVS environment for streaming vs. regular network traffic there’s an extra step you have to perform in the VM. Make sure you go into ICA Listener properties and set it to PVS Adapter #1, the network NIC. Not the PVS streaming NIC which is #0. They may be labeled differently in your environment depending on the NIC order of your VM. Just remember, you want the network NIC to handle ICA, not the streaming NIC.

9. Now install the apps you intend to publish. Just install, don’t try publishing anything yet. If you plan on streaming apps to your XenApp servers via Citrix Offline Plugin or App-V, skip this step.

10. Install the PVS Target and reboot. Do not run Imaging Wizard yet.

11. You can choose to install the EdgeSight agent at this point if you use EdgeSight in your environment. There is an excellent guide from Citrix on how to install EdgeSight in a PVS environment below. Don’t worry, when it detects the PVS Target software is on the system and the image is in private mode being updated, it won’t start the EdgeSight service and start sending your EdgeSight server junk data:

http://support.citrix.com/proddocs/topic/edgesight54/es-agent-install-streamed.html

12. Log back in to the VM and in the XenCenter console, set the PVS boot disk to boot first (BDM). Then go to the PVS Console on the PVS server and create a new Device with the MAC address of this VM’s provisioning/streaming NIC. Call the device ServerName-101 so it’s separate from the ServerName-100 original but call the vDisk 100 so you know where the image came from later (i.e. image 1). Set device to Boot from Hard Disk. Now reboot the VM. You can let Imaging Wizard do this but if you really want to be hands on, you can choose to create and attach an empty vDisk of the same size as the c: drive of the VM now.

13. It should have booted from the BDM boot disk and be connected to the empty vDisk you created. Run Imaging Wizard and push the image across to the PVS Server vDisk (don’t forget to optimize the image). If you did not create a vDisk in the above steps, just create a new disk and run through the Wizard prompts to create it real quick. It will assign the device to this new vDisk. Reboot when you are asked to.

14. Log back in and immediately XenConvert will launch and begin pushing your image over to the newly created vDisk.

15. Now go to the PVS console and set your device to boot from vDisk and reboot your VM. It should now be booting from your vDisk.

16. Log back in and re-run XenApp configuration and unjoin from farm using the prep option. This is done by going to Start > Programs > Administrative Tools > Citrix > XenApp Server Role Manager > and then clicking on the XenApp Server Role Manager app. Click Edit Configuration. Then click Prepare this server for imaging and provisioning. You want to just leave the defaults checked which is to remove it from the farm and join on the next boot. Once it removes it, it will ask you to reboot. Just close and power down the VM, don’t reboot.

17. Go to your PVS server and change the vDisk from private to standard mode. Now spin up a few VMs using the “Streamed VM Setup Wizard” in the PVS console. You’re going to need a template and you’re going to want to set up your write cache. I’ve covered this very well in my PVS 6.1 on XenDesktop/Windows 7 guide so I’m not going to get into the details here. Wait until the VMs are created and powered on.

18. Go to your ZDC and open up AppCenter and run a Discovery. You should see the new member servers. At this point you can begin publishing or streaming apps to them.

TO MAKE CHANGES AND RESEAL THE IMAGE
1. Boot a device into maintenance mode after creating a maintenance version on the vDisk. Or you can choose to power down all your running VMs and put the disk into private mode. Your choice.

3. Re-run XenApp configuration and unjoin from farm using the prep option.

4. Shut it down and promote the image to production if using versioning. Or put the disk back into standard mode if you used the other method.

5. Reboot all your devices so they get the new vDisk.

I hope this guide helps. Please feel free to leave a comment below if you have any questions. I’ll try and help as best as I can.

## Opening Sharepoint documents in a Windows 7 XenDesktop session using XenApp published Office products with content redirection

Wow, long title there! Just like it says, I’m going to cover opening Sharepoint documents in a Windows 7 XenDesktop VDI session using XenApp published Office products with content redirection enabled. Here’s an example scenario:

• Your company uses Sharepoint and the URL is http://sharepoint.domain.com. It is part of the Local Intranet zone in IE.
• Your users are using Windows 7 VDI/XenDesktop VMs with Citrix Receiver Enterprise pulling published apps into the Start menu.
• You have Office 2010 products (Word 2010, Excel 2010, Visio 2010, etc) published via XenApp with content redirection enabled so .docx, .xlsx, .vsd files launched in the VDI session will open using the published Office app.
• Your users want to click on a Word, Excel, Visio, etc. document in a Sharepoint document library and click the Edit button to edit the document instead of just Read Only. They expect the published Office app to launch and allow them to edit the document.

THE PROBLEMS
In this scenario, when the user clicks on let’s say a Visio document in Sharepoint, the published app will launch but the document will not be sucked in. You’ll get a “File not found” error and if you look closely, the URL begins with “\\” as if it’s a UNC path instead of an HTTP path:

If you click OK, Visio will open but no diagram will open.

If you right click, Save As the Visio diagram to your C: drive and attempt to open it locally, it will launch the published Visio instance but will give you the following “File not found” error:

Again, look closely. It says “\\Client\” instead of your VM’s name.

THE FIXES
Well, really it’s 1 fix and 1 workaround for now. Let’s start with the fix first. We’re going to get local files and files residing on network shares launching right using the published app. I’m going to use Visio and a .vsd file again as the example:

1. On the Windows 7 VM, you must enable Native Drive Mapping to be able to launch the .vsd file via published Visio. You can follow the CTX article here to make the registry change:

http://support.citrix.com/article/CTX130378

or you can enforce it via group policy. One thing though, on Windows 7 x64 the path is:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Engine\Configuration\

NativeDriveMapping
Reg Type: REG_SZ


Once the value is set to TRUE, try launching the .vsd file you saved to your hard drive or on a network share. It will launch immediately. Then go to File – Save As in Visio and check out the path bar. It will say “\\Client\C$\Users\xxxx\”. So now your system recognizes the word “Client”.

This is because you’re going through 2 virtualization layers. Citrix has an excellent article detailing how Client drives are passed through multiple sessions here:
http://support.citrix.com/article/CTX127872

http://support.citrix.com/article/CTX124389

Additionally here is a really good CTX article from Citrix that covers Client Drive Mapping troubleshooting that might be helpful to you:
http://support.citrix.com/article/CTX238200

And some info describing differences in Client drive mapping between the different versions of XenApp and Presentation Server here:
http://support.citrix.com/article/CTX127614

2. Now back to Visio diagrams in Sharepoint. First you need to verify content redirection is behaving correctly. In my case, I needed to make sure to change the published app location to include the “%**” switch. By default when you enable content redirection, it will be:

"D:\Program Files (x86)\Microsoft Office\Office14\VISIO.EXE" "%*"

with just one asterisk. You need to add two so it looks like this:

"D:\Program Files (x86)\Microsoft Office\Office14\VISIO.EXE" "%**"

The reason for this is documented in this CTX article:

http://support.citrix.com/article/CTX116887

This was written for Presentation Server 4.5 but it still applies to XenApp 6.5 just fine.

Once you get content redirection squared away on your XenApp server, things will still not work correctly unfortunately when opening docs in Sharepoint in your XenDesktop session. You can try right clicking and editing but you will still get the File not found error. This error has nothing to do with Client Drive Mapping. Being a Sharepoint Architect in a previous role long ago, my gut feeling was this is a WebDAV issue. Remember, Sharepoint uses WebDAV with document libraries though to the casual observer it might appear to be a UNC file share path. My gut was telling me Receiver was not handling WebDav paths correctly and was treating them like regular SMB file share paths. No proof this is the culprit just yet, only a hunch.

Let’s run an experiment. In your Sharepoint document library, click Actions > Open with Windows Explorer:

You’ll notice the path bar says “http://sharepoint.domain.com” when you open it here:

Go ahead and launch the Visio diagram in this document library. When you try and launch it, it will launch published Visio and give you the same File not Found error as before. In some scenarios even an Access Denied error though it never actually was able to find the file. Again, it is looking for “\\sharepoint.domain.com” instead of using WebDAV (or the DavWWWRoot keyword) which should be parsed like the HTTP protocol “http://sharepoint.domain.com”. Sharepoint Content Redirection is never going to work because Citrix Receiver doesn’t know how to get there. One workaround is to tell your users to save locally, edit, then upload. But this is annoying and most users will complain.

I started thinking Mini Redirector (which is Microsoft’s WebDav client and part of the Windows 7 OS) was trying to hand-off the DavWWWRoot keyword in the URL to Receiver and Receiver didn’t know what to do with it. Looking at the URL though it didn’t even seem to be passing it through. It was as if it was passing a straight UNC path. Or maybe it was not talking to owssupp.dll which is required to interact with and edit docs in Sharepoint. Maybe somehow it wasn’t handing off through Receiver properly. Now I was really starting to go down the rabbit hole and before I dug further, I figured I’d give Citrix Support a call and see if they had any input.

I was able to talk to a XenApp support technician and a XenApp Developer who were both very knowledgeable. I explained my WebDav theory and we ran a little experiment. We ran Process Monitor from my Windows 7 workstation and attempted to edit a simple Word document in Sharepoint. The published version of Word launched as expected and failed to find the file. Here is the URL that was passed to the PNAgent when we used the Process Tree display:

You can see that it passed:

\\Client\\\sharepoint.domain.com\link\to\doc\repository\test jason.docx"

Looks a bit odd, doesn’t it? No wonder it can’t find the file.

Then we went to the XenApp server with Word 2010 installed locally, opened Internet Explorer, and navigated to the Sharepoint document library. When I clicked Edit on the Word document this time, this is what was passed to the locally installed Word:

And of course the Word document successfully launched. You can see it passed a nicely formatted HTTP URL:

http://sharepoint.domain.com/link/to/doc/repository/test%20jason.docx"

The XenApp Developer verified this was actually a bug and needed to be fixed. It may or may not be WebDav related, but he confirmed there is definitely a disconnect at the Content Redirection level via Sharepoint as I had suspected. It has been added to their bug queue to get taken care of.

In the meantime, his suggestion is to publish Sharepoint itself on the same server Office 2010 products are installed on (publish IE passing the Sharepoint URL during launch). This is a good workaround but may annoy a few users. I always hate publishing IE because of the stuff you have to do to lock down/harden the browser. People can get confused and start browsing to Youtube or other process intensive websites using this published instance of IE if you don’t completely lock down the allowed URLs. This can cause a severe impact on XenApp performance for all users on the box. If I limit tabs, then people start complaining they can’t open additional tabs and the helpdesk gets flooded with phone calls. So just keep that in mind if you use this workaround.

Another work around I found online is by Anthony Obi:

http://community.obilogic.co.uk/blogs/teamblog/archive/2011/10/25/sharepoint-2010-edit-document-via-citrix-xenapp.aspx

He has an issue where owssupp.dll was not being detected on the client system (because it wasn’t there) and added an extra menu item in his Sharepoint deployment to edit documents as a work around. He modified the new Edit action to launch some Javascript that talks to PNAgent.exe that then talks to the published Office instance and passes the correct URL. This might work as well for you but of course it requires a modification of your Sharepoint environment and end user training.

I will post here as I get updates from Citrix Support on this issue. It’s a fairly unique scenario but definitely not uncommon in the real world as application delivery and desktop virtualization continue to be separated through multiple layers.

## BGInfo for Windows 7 VMs running in Citrix PVS XenDesktop environments

If you’re running a Citrix VDI implementation using Provisioning Services (PVS) and XenDesktop, you need a way for your help desk and even the end user to easily identify the VM and pertinent system info easily. BGInfo is the tried and true way of doing this in a corporate environment. A simple overlay for the wallpaper. In a PVS environment, a lot of the info you would need to grab from a physical desktop are useless since it all goes away after the VM reboots and you’re back to a clean image. A lot of companies use BGInfo to quickly see troubleshooting data without having to use a management tool or agent. With PVS VMs, troubleshooting itself is rarely necessary. You just tell the user to reboot and they’re back to a clean slate. So BGInfo can be leveraged as more of an identification tool for when the user calls in than a troubleshooting tool. Download BGInfo from Microsoft here:

http://technet.microsoft.com/en-us/sysinternals/bb897557.aspx

I did a little custom BGInfo configuration to capture just the important pieces of info for my Windows 7 PVS XenDesktop environment. Of course this might differ for your environment and you might need more fields but this is a good starting point:

1. A Title – lets the user know they are on a Windows 7 VM and not a workstation. Users can get confused when switching back and forth.

2. Host name – for when the help desk asks the user the name of their VM

3. IP addresses – both the streaming NIC and LAN NIC IPs. Not really necessary in a PVS environment obviously, but nice to have it displayed.

4. User Name – good to know what account the user is logging in with

5. Boot Time – very important to know in a PVS environment. You know those calls you get saying a person’s desktop looks completely different from everyone else and after you investigate a bit you figure out they’re on an old version of the image because they haven’t rebooted in forever. Yeah, this will help with that.

6. Write Cache free disk space left – another very important piece of info in a PVS environment. Once the write cache gets filled up, the VM is done and users start calling in. Good to know how much the user has left. Also a good way to gauge if your allocated write cache is truly enough for your environment or if you need to think about growing it.

So here’s how my desktop looks, very simple and clean:

I like to bake BGInfo into my images. I just create a folder called c:\BGInfo and copy Bginfo.exe in there. I’ll get to the other 2 files in a second.

Run Bginfo.exe and you get all the default stuff, delete it all and start clean adding just the stuff you need. Here’s how mine looks:

Don’t forget to set your settings under Position > Multiple Monitor Configuration for people with more than 1 monitor. I like mine to just be on the primary screen:

And under Desktops, you’ll want to change it for pretty much anyone that hits the VM using any method. I set mine to “Update this wallpaper” for all scenarios and prompt if it has an issue setting it (so I can investigate if anyone reports an issue):

Then go to File > Save As and save your configuration file. It will be saved with the .bgi extension.

That’s it for the implementation side. For PVS though, you’re going to have a lot of different NICs and you don’t want a bunch of “0.0.0.0” IPs being displayed. I just wanted my streaming IP and LAN IP displayed. So under Fields click Custom:

and then click New. You will need to create a new field called “IP Addresses” and do a WMI query to pull the IPs of only the active NICs. I used the following query:

SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=TRUE

Which will look like this when you are entering and Evaluating it:

Make sure to name the Identifier when you are saving it:

Then just add the field and hit apply and you should see both IPs appear.

Now the last part is the Write Cache free disk space percentage. I could not find a way to do it from just a simple WMI Query. So I wrote this little .vbs script and stuck it in c:\BGInfo. As you can see, my write cache drive is the Z: so you will need to change the code to whatever drive letter you are using:

```vbscript
' Display Write Cache percentage free (z:)
' Written by Jason Samuel (www.jasonsamuel.com) for use with BGInfo

' Connect to the local WMI service
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")

' Query only the write cache drive; change 'z:' to your drive letter
Set colDisks = objWMIService.ExecQuery _
    ("Select * From Win32_LogicalDisk Where DeviceID = 'z:'")

For Each objDisk in colDisks
    intFreeSpace = objDisk.FreeSpace
    intTotalSpace = objDisk.Size
    pctFreeSpace = intFreeSpace / intTotalSpace
    ' Echo hands the value back to BGInfo as the field's text
    Echo FormatPercent(pctFreeSpace)
Next
```

Then just create a new Field and set the VB Script for it:

Add the field to your config and hit Apply and it should show the percentage free on your desktop. Now just create a group policy to run it every 5 min. Or you can schedule a task to run it every 5 minutes in the VM itself. I like to use these switches:

/accepteula /timer:0 /log:"C:\BGInfo\BGInfo.log"

If you want BGInfo to run just once, it is very easy to do via scheduled task, GPO, login script, registry, or even adding it as a shortcut under Startup. Just Google it, tons of ways out there. But if you want it to run every 5 minutes and refresh the info, the only way to do it is via GPO. If you bake it into a local scheduled task in the image like I mentioned above, it will not work in a provisioned environment. It will attempt to run under the Administrator account of the maintenance image. So if you baked it in as “VM0001\Administrator”, a provisioned VM named VM0054 will not have this account. This will cause the scheduled task to fail. It won’t run under the System account either. The System account won’t run interactively. The task will start but stay running indefinitely and you will get an error like this in the BGInfo log:

An error occured while attempting to set the new desktop settings.
Please ensure the current user has rights to change desktop settings:
This operation requires an interactive window station.

To get around all this, use group policy. By default group policy will run the scheduled task under “%LogonDomain%\%LogonUser%” which is exactly what you want. Here is how my group policy looks:

Notice I have 2 triggers. The first trigger is to run BGInfo at login and update the wallpaper. But when opening a VDI session from a Win 7 host, it may open in Desktop Viewer but not in full screen. When the user goes full screen, the desktop wallpaper will not resize automatically and instead appear as tiled. So to get around this, I have a second trigger that runs BGInfo again 30 seconds into the session and runs every 5 min from then on. Hopefully within that 30 seconds, the user will have gone full screen and BGInfo will get a chance to run at the resolution the user will use throughout their session. One thing to note, I suggest adding a 3rd trigger that runs BGInfo on workstation unlock like this:

This is very useful in VDI when you go from a Desktop to an iPad for example. Upon login, it will immediately update the wallpaper resolution and run indefinitely every 5 minutes. This is a lot of triggers but it covers all your bases. I really wish BGInfo had a “Fit” setting for the wallpaper like Windows 7 has by default. It would avoid this whole resize mess. Right now BGInfo 4.16 only supports Center, Tile, and Stretch for the wallpaper.

Also if you decide to store the Bitmap BGInfo creates in a central place like c:\BGInfo, make sure Users and/or Authenticated Users have Full Control to c:\BGInfo and all child objects and change the location the .bmp is stored to under this folder. Otherwise the background may not change for users that are not admins on the VMs:

Lastly, you might get an error like below, but the wallpaper does in fact update.

An error occured opening the Default Desktop registry key.
Please ensure the current user has rights to change Logon Desktop settings:
Access is denied.

This is because the user is not an admin and does not have rights to change the Logon Desktop settings. Either give permissions to do this or go back into your .bgi and uncheck the “Display an error when user permissions prevent a Logon Desktop from being modified” option that you had set before for troubleshooting purposes under the Desktops settings in BGInfo. Then the popup will stop.

One thing I’ve been trying to do is brand BGInfo with my company logo. But I don’t want a big white box around it like when you use a jpg. I want to use a transparent gif. BGInfo does not support this from all the things I’ve tried so far. For example, here is the Amazon logo as a transparent gif:

Looks great on a white background but I want to use it with the standard Windows 7 wallpaper which has a gradient. It looks pretty awful because BGInfo flattens it somehow when creating the bmp causing there to be a black background around the logo:

But if your company chooses to use a standard wallpaper with no gradient, like a solid white background for example, just edit the background of your logo to match the color of the background and save it as a jpg. Add it to BGInfo and it will look perfect. Here is the Amazon logo (jpg with white background) with BGInfo set to white for the background wallpaper:

Hope this helps. Let me know if you have any questions or suggestions for custom fields to add that might be handy in a PVS XenDesktop environment.

## How to create a Windows 7 or Server 2008 R2 mandatory profile for AppSense

You really just want a clean mandatory profile if you are deploying AppSense on Windows 7 or Server 2008 R2. The vast majority of companies don’t need to customize it. When you get into customization, you’re going to go through a lot of trouble trying to clean up the profile. Save yourself the trouble. The best thing to do is have a clean and slim mandatory profile that can be applied to any server or desktop in your environment and leverage AppSense itself to do everything else.

So to build a clean mandatory profile:

1. Log in to your Windows 7 or Server 2008 R2 box with a local admin account or a domain administrator account, doesn’t matter. I’m going to use Server 2008 R2 for these screenshots.

2. Start > Control Panel > click User Accounts > click Configure advanced user profile properties

3. Click the Default Profile and hit Copy To…

4. Copy the profile anywhere you like, I chose “c:\mandatoryprofile.v2”. Usually you want your mandatory profile on a file server or DFS share where it is easily accessible but I am just leaving it local for this example. I specified v2 since I am creating a profile for Server 2008 R2. I changed the “Permitted to use” to “Everyone” so all users get NTFS rights to use it.

5. Navigate to c:\mandatoryprofile.v2 and go to Folder and search options

6. Uncheck “Hide protected operating system files”

7. Now you will see 5 temp files you do not need in the mandatory profile. Delete them.

8. The ntuser.dat should be around 512 KB on a clean Server 2008 R2 box

9. Now rename ntuser.dat to ntuser.man

10. From here, you would normally setup a domain level group policy and apply it to the OU that has the servers or desktops you want to use the mandatory profile on. Since this is an example, I am going to edit the local group policy instead.

Go to Start > Run > and type gpedit.msc.

Then navigate to:

Local Computer Policy > Computer Configuration > Administrative Templates > System > User Profiles

There will be 3 items we need to change to “Enabled”:

-Delete cached copies of roaming profiles
-Set roaming profile path for all users logging on this computer
-Prevent Roaming Profile changes from propagating to the server

11. For “Set roaming profile path for all users logging on this computer”, you need to put a UNC path to the share that holds your mandatory profile. So since it’s on the local server in this example, I will do:

\\servername\mandatoryprofile

Notice I did not add “.v2” at the end. Windows will automatically look for it as the users log in.

13. Now navigate to:

Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles

There will be 2 items we need to change to “Enabled”:

-Use mandatory profiles on the RD Session Host server
-Set path for Remote Desktop Services Roaming User Profile

14. For “Set path for Remote Desktop Services Roaming User Profile”, you need to put a UNC path to the share that holds your mandatory profile just like the previous setting.

\\servername\mandatoryprofile

Notice again I did not add “.v2” at the end. Windows will automatically look for it as the users log in.

16. Now navigate to the mandatory profile’s desktop and add a text file. So in this example “c:\mandatoryprofile.v2\Desktop”. I’ve created a file called “This is a mandatory profile in action.txt”.

17. Now right click on the mandatoryprofile.v2 folder and share it out. Make sure “Everyone” has access:

18. Now RDP into the server using any account you like. You will get the mandatory profile and you will see the text file we had created earlier on the desktop.

## XenCenter causing a SYN flood on port 3389 in a PVS environment

Had an interesting morning. Our network team discovered my workstation was making around 6000 requests an hour on RDP port 3389 through our internal firewall to an unroutable network reserved in our server subnet. Basically a SYN flood (DOS/Denial of Service attack) was being executed internally from my workstation. I know my machine is clean and the only thing I had open was XenCenter. It had been running for about a week now, that was the last time I rebooted my workstation. So time to put on the detective hat and figure this one out.

While using TCPView to do a live netstat, I discovered that XenCenter by default will always establish a connection via RDP when you click the Console tab. It tests to see if RDP is available on the VM and then ungreys that “Switch to Remote Desktop” option. Even if you are using a console session, XenCenter wants to see if RDP is an available option to you. You know that little flash of the console you usually see after hitting the Console tab? That’s the XenCenter console checking for RDP and “connecting” to the VM transparently to verify RDP is available. Not so transparent and actually annoying but I never thought too much about it.

SYN_SENT on 3389:

Established connection:

Terminating connection:

The problem is in a PVS environment, you usually have your network split between a streaming traffic NIC and a regular traffic NIC. The streaming traffic NIC is supposed to be the first NIC/device. So Device 0. It will look something like this on all your VMs:

Where the first streaming NIC is only routable within the Blade enclosure or server subnet and the secondary NIC routable and used for regular network traffic.

Well the problem is that when you click the Console tab on one of these VMs, XenCenter will send a SYN request to whatever IP is at Device 0. So in our case, an unroutable IP in the server subnet.

Not a problem right? Well it never stops. It continuously sends the SYN requests attempting to connect. Even if you click off the Console tab or go to another VM, it continues to try RDP on that IP. Our firewall separating workstation and server subnets was getting hammered. You can verify because your Console will have the “Switch to Remote Desktop” option greyed out during this whole process.

and TCPView will show all those little red SYN_Sent attempts. After a few days of leaving XenCenter up and clicking from console to console, the amount of traffic hitting your firewall will be tremendous. It will look like a SYN flood attack. If you have an IPS or IDPS (Intrusion Prevention or Intrusion Detection & Prevention System), it might even shut down your port.
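A sketch of how a network team could pick this pattern out of firewall logs, as an added example that is not part of the original post: it counts bare SYNs to port 3389 that never receive a SYN-ACK, per source and clock hour, and separates a retry loop against a few addresses (the XenCenter behaviour described above) from a sweep across many addresses. The log format, IP addresses and both thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

RDP_PORT = 3389

# Constructed log format (an assumption, not a real firewall's syntax):
#   <ISO time> <ACTION> TCP <src>:<sport> -> <dst>:<dport> flags=<S|SA|A|...>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?:ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"flags=(?P<flags>[A-Z]+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.fromisoformat(rec["ts"])
    except ValueError:
        return None
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def rdp_syn_report(lines, per_hour_threshold=100, scan_dst_threshold=20):
    """Flag clients whose unanswered SYNs to 3389 reach the hourly threshold.

    'retry-loop' = many SYNs to a handful of addresses (a tool retrying an
    unreachable NIC); 'scan-like' = SYNs spread over many addresses.
    """
    syns = defaultdict(lambda: defaultdict(int))  # (client, hour) -> server -> count
    answered = set()                              # (client, server) that got a SYN-ACK
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["flags"] == "S" and rec["dport"] == RDP_PORT:
            hour = rec["ts"].replace(minute=0, second=0, microsecond=0)
            syns[(rec["src"], hour)][rec["dst"]] += 1
        elif rec["flags"] == "SA" and rec["sport"] == RDP_PORT:
            # Reply from the RDP server: this client/server pair is reachable.
            answered.add((rec["dst"], rec["src"]))

    findings = []
    for (client, hour), per_server in sorted(syns.items()):
        unanswered = {s: n for s, n in per_server.items()
                      if (client, s) not in answered}
        total = sum(unanswered.values())
        if total < per_hour_threshold:
            continue
        kind = "scan-like" if len(unanswered) >= scan_dst_threshold else "retry-loop"
        findings.append({
            "src": client,
            "hour": hour.isoformat(),
            "syn_count": total,
            "destinations": unanswered,
            "kind": kind,
        })
    return findings


def constructed_sample():
    """Build constructed log lines: one noisy workstation, one healthy jump host."""
    def line(sec, src, sport, dst, dport, flags):
        ts = "2012-11-05T09:%02d:%02d" % divmod(sec, 60)
        return "%s ALLOW TCP %s:%d -> %s:%d flags=%s" % (
            ts, src, sport, dst, dport, flags)

    lines = ["2012-11-05T09:00:00 firewall policy reloaded"]  # unparseable noise
    # Workstation: 150 SYNs in one hour to two addresses that never answer.
    for i in range(150):
        dst = "192.168.50.%d" % (11 + i % 2)
        lines.append(line(i * 20, "10.1.1.50", 50000 + i, dst, RDP_PORT, "S"))
    # Jump host: 120 RDP connections that are all answered with a SYN-ACK.
    for i in range(120):
        lines.append(line(i * 20, "10.1.1.60", 51000 + i, "10.2.0.5", RDP_PORT, "S"))
        lines.append(line(i * 20, "10.2.0.5", RDP_PORT, "10.1.1.60", 51000 + i, "SA"))
    return lines


if __name__ == "__main__":
    for finding in rdp_syn_report(constructed_sample()):
        print(finding)
```

Tune `per_hour_threshold` to your own baseline; the post's workstation was generating around 6000 requests an hour.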

I called Citrix and submitted a ticket with their development team. I got a call back later and there is a workaround. In XenCenter, go to Tools > Options > and click the Console option. Then uncheck “Enable Remote Desktop console scanning”:

When you uncheck this, it will also uncheck “Automatically switch to the Remote Desktop console when it becomes available”. This is fine:

After this you will notice the SYN flood will immediately stop and all your VMs will now have the “Switch to Remote Desktop” option ungreyed from the get go. If you click it, then it will attempt the RDP connection and you will see the SYN_Sent again:

In my opinion, Citrix should fix this by stopping the SYN requests after you click away from the Console tab. This is not an issue that will impact many people but if you are running a PVS environment and you have it set up using Citrix best practices with 2 NICs and the streaming NIC is not accessible from your workstation subnet, you will eventually run into this issue. The longer you keep XenCenter open, the worse it will get.

If I get any updates from Citrix on a fix, I will post here. For now the workaround will work fine. You just won’t have the Remote Desktop automatic console scanning available for your regular environments anymore. Not really a big loss for me but it might be for you depending on your environment.

## Citrix PVS server Vdisk is locked 0xffff8017 error as VMs boot up

Wow it’s been busy as we approach the end of the year. I am going through my Inbox as I can and I really appreciate all the comments and emails from you all. Really makes it worthwhile hearing how these posts are helping out there in the real world.

Here’s a quick fix for today. PVS 6.1 environment with latest updates started showing the following error anytime a VM attempted to boot:

Vdisk is locked. 0xffff8017

The fix is not that painful but you will need to kick off everyone that is still connected and running using that vDisk. So there is an outage involved in this procedure for people that use that image.

1. Tell all your users that are still connected to save their work and log off. This is going to be a complete outage for anyone that uses that particular image.

2. Go to your DDC and put the Desktop Group in maintenance mode. This will prevent the DDC from attempting to start up VMs and potentially lock up the vDisk while you are working on it. Then Force Shutdown on all the VMs. Verify in XenCenter they are all shutdown.

3. RDP to a single PVS server and in the PVS Console, go to the Store and right click on your vDisk. Verify there is no gold lock next to the vDisk. If there is, clear all the locks. Then click “Unassign from Selected Devices(s)…”

4. Make sure all your VMs are checked and click Unassign

5. If you have maintenance versions, I suggest you merge them at this point. You’ll want to use the “Merged Base – Last base + all updates from that base” option so you get a nice single .vhd file to play with.

6. Once you have verified you have a nice little .vhd file you can rename it if you wish. Now copy that .vhd file and the associated .pvp file to all your other PVS stores. Get all your PVS servers in sync and check the replication status. They should all have blue dots:

7. Now go back to your Store view and right click on your vDisk. You should now see an option to Delete. Click it.

8. MAKE SURE you DO NOT check the Delete the associated VHD files check box. Just hit Yes only. All it does is delete it from the PVS database. It will not touch anything in your Store this way. Better safe than sorry. Do this on all your PVS servers.

9. Now right click on “Store” and click “Add or Import Existing vDisk…”

10. Click Search to search your Store for vDisks. Only check that new .vhd you had created in step 5 and 6 above. Then click Add once it stops being greyed out.

11. It will be imported in Private mode every time. Go ahead and switch it to Standard mode. You might also want to check Cache type, Enable Active Directory machine account password management, and KMS on the Microsoft Volume Licensing tab because all that stuff will likely not carry over for you.

12. Now go to your Device Collection. In this example I have 20+ Devices that need this particular vDisk golden image. I’m not going to sit here and click and modify each one. So I will set the vDisk on the first VM only.

13. Now right click that VM you just set and click “Copy Device Properties…”

14. Hit “Clear All”, then check “vDisk Assignment” only, then hit Copy.

15. Now just highlight all your other VMs, right click in the highlighted area, and click Paste. Instantly all your VMs will be assigned that vDisk.

16. Now just boot up a couple of VMs and verify the “Vdisk is locked. 0xffff8017” error is gone. Then disable Maintenance mode on your DDC and you’re back in business. Don’t forget to tell your users to log back in. You can delete all those old .vhd, .avhd, and .pvp files from old versions of your image if you like or archive them somewhere. It will help keep your Store nice and clean.

## XenApp applications won’t launch in a PVS environment with multiple network interfaces

October 8th, 2012

If you click an application icon on your web interface or storefront site, Receiver will popup and say “Starting…” like normal and if you click for More information, it will say “Connection in progress…”. After about a minute, you will get a popup message saying:

Unable to launch your application. Contact your help desk with the following information: Cannot connect to the Citrix XenApp server. There is no Citrix XenApp server configured on the specified address.

Well that’s odd because you know the app is published. You know the server is up. You know it’s talking to the ZDC and permissions are good or you wouldn’t be seeing the app. So what’s the issue?

Well one of the common reasons for this issue is that you have multiple NICs on the XenApp server (multihomed server) so there are 2 IP addresses for the server. This is a very common setup in a Citrix PVS environment when running XenApp. One NIC for regular traffic and the other NIC for streaming traffic. But even a regular XenApp environment can have 2 NICs for a variety of reasons. If that secondary NIC is firewalled, on a different VLAN, private, etc. you are going to have problems. That secondary NIC is not meant for ICA traffic but everyone is trying to connect to it. It will time out every time.

A quick way to confirm this from the client side is to click on the application icon again and while it says Starting…, open up a command prompt. Type “netstat” and you should see a SYN_SENT to the server on port 1494. If this IP address is your secondary IP that is not meant for ICA traffic, it will never get a response.

Now go to your server and open up a command prompt. Type “qfarm”. Does your XenApp server show up in the list twice? With both of its IP addresses? That’s not good and is another confirmation it’s listening on both NICs.

You can also confirm a third way by going into AppCenter, expanding Servers, clicking on your XenApp server, clicking the Information tab in the right hand pane, and seeing if there are two IP addresses in the “IP addresses” section.
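The client-side netstat check above, and the TCPView observation in the XenCenter post earlier on this page, both look for a SYN_SENT that never completes. The following Python example is added here and is not from the original posts: it compares several `netstat -n` snapshots and reports remote endpoints on port 3389 or 1494 that stay in SYN_SENT, noting whether they sit in the streaming subnet. The sample output, the 192.168.50.0/24 streaming subnet and every address in it are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Ports the two posts check: 3389 (XenCenter's RDP probe) and 1494 (ICA launch).
WATCHED_PORTS = {3389: "RDP", 1494: "ICA"}

# Constructed `netstat -n` snapshots from an admin workstation, taken a minute
# apart. 192.168.50.0/24 stands in for the non-routable PVS streaming subnet.
SNAPSHOTS = [
    """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.10.5.23:49712       192.168.50.21:3389     SYN_SENT
  TCP    10.10.5.23:49713       10.20.0.32:3389        SYN_SENT
  TCP    10.10.5.23:49650       10.20.0.5:443          ESTABLISHED
""",
    """
  Proto  Local Address          Foreign Address        State
  TCP    10.10.5.23:49731       192.168.50.21:3389     SYN_SENT
  TCP    10.10.5.23:49713       10.20.0.32:3389        ESTABLISHED
  TCP    10.10.5.23:49740       192.168.50.40:1494     SYN_SENT
""",
    """
  Proto  Local Address          Foreign Address        State
  TCP    10.10.5.23:49755       192.168.50.21:3389     SYN_SENT
  TCP    10.10.5.23:49761       192.168.50.40:1494     SYN_SENT
  TCP    10.10.5.23:49770       10.20.0.9:443          SYN_SENT
""",
]


def split_endpoint(endpoint):
    """Split 'ip:port' or '[v6%zone]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]
    return ipaddress.ip_address(host), int(port)


def tcp_rows(text):
    """Return (local_port, remote_ip, remote_port, state) for each TCP row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue  # banner, column header, UDP or blank line
        try:
            _, local_port = split_endpoint(parts[1])
            remote_ip, remote_port = split_endpoint(parts[2])
        except ValueError:
            continue  # malformed row
        rows.append((local_port, remote_ip, remote_port, parts[3].upper()))
    return rows


def persistent_syn_sent(snapshots, streaming_nets, min_snapshots=2):
    """Report watched endpoints still in SYN_SENT across several snapshots.

    A healthy handshake shows SYN_SENT in at most one snapshot and then moves
    to ESTABLISHED. An endpoint that shows SYN_SENT again and again, each time
    from a new source port, is being retried and never answers.
    """
    nets = [ipaddress.ip_network(n) for n in streaming_nets]
    seen_in = defaultdict(set)       # (ip, port) -> snapshot indexes
    source_ports = defaultdict(set)  # (ip, port) -> distinct local ports
    for idx, text in enumerate(snapshots):
        for lport, rip, rport, state in tcp_rows(text):
            if state == "SYN_SENT" and rport in WATCHED_PORTS:
                seen_in[(rip, rport)].add(idx)
                source_ports[(rip, rport)].add(lport)

    findings = []
    for (rip, rport), idxs in seen_in.items():
        if len(idxs) < min_snapshots:
            continue
        findings.append({
            "remote": f"{rip}:{rport}",
            "service": WATCHED_PORTS[rport],
            "snapshots": len(idxs),
            "attempts": len(source_ports[(rip, rport)]),
            "on_streaming_net": any(rip in net for net in nets),
        })
    return sorted(findings, key=lambda f: f["remote"])


if __name__ == "__main__":
    for f in persistent_syn_sent(SNAPSHOTS, ["192.168.50.0/24"]):
        where = "streaming subnet" if f["on_streaming_net"] else "routable subnet"
        print(f"{f['service']} {f['remote']}: SYN_SENT in {f['snapshots']} "
              f"snapshots from {f['attempts']} source ports ({where})")
```

On a real workstation, replace `SNAPSHOTS` with the saved text of a few `netstat -n` runs and pass your own streaming subnet.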

So to fix this, you will need to set your ICA Listener to listen only on the NIC you want regular network traffic to be on.

If you go to Remote Desktop Session Host Configuration, you can double click on the ICA-TCP connection and click the Network Adapter tab. Unfortunately in some environments, you might get an error message saying:

Remote Desktop Session Host Configuration tool is not able to obtain the properties for this connection. The connection has either been deleted or the internal state of this connection has been corrupted. Please close all property pages, and select refresh from the menu.

So to get around this, go to Administrative Tools > Citrix > Administration Consoles > and click on ICA Listener configuration:

Notice how it’s set to “All network adapters configured with this protocol”. Click Edit and go to the Network Adapter tab. In the drop down, choose just the NIC you want ICA traffic on:

In my case, I want ICA traffic to be on “Citrix PV Ethernet Adapter #1”. So I will choose that and click OK. Now you can go ahead and restart the IMA Service on your XenApp server but you don’t really have to in most cases. Just try launching your app again and it should come right up.


## SEP 12 not working with PVS 6.1 and Windows 7 XenDesktop VMs

We came across an issue getting Symantec Endpoint Protection 12 working with Provisioning Services 6.1. When you install SEP 12 on the Windows 7 VM, it causes the VM to freeze during the install. Sometimes it actually finishes installing, but the VM freezes immediately afterward. In both cases you have to force a reboot. Once the VM is back up, you are not able to login using domain credentials. It will give you a “The trust relationship between this workstation and primary domain failed” error message. So you have to use local admin credentials. Once you are in, some of your apps might be broken. Symantec is sometimes in a half installed state. Running LiveUpdate fails. Your OS is pretty much hosed at this point and you have to start all over.

Through extensive testing, we discovered that SEP 12 was somehow impacting the network stack causing the vDisk to disconnect. SEP and the PVS Target software were vying for control.

We escalated this through Symantec and were finally told there is a compatibility issue between SEP 12 and PVS 6.1 but it is not public knowledge yet. There is an internal ETrack on the issue. SEP 12 has been used with PVS 5.x and provisioned desktops successfully. When Citrix released PVS 6.x, a driver was changed from the previous version and issues have been seen on provisioned desktops if any of the following 3 SEP modules are installed: Advanced Download Protection, SONAR Protection, and IPS. Symantec is working on a code change, but meanwhile you can leave out these modules.

After performing more tests without these 3 modules installed, SEP 12 is installing and running normally without impacting the PVS infrastructure. This is version 12.1.1101 shown below we have tested on. Hopefully a newer version of SEP will be fully compatible with PVS. After the install is done, run a full scan, run the VIE tool (Virtual Image Exception tool), reset your hardware IDs, and you’re ready to spin up VMs in standard/read only vDisk mode.

UPDATE: September 28, 2012
Symantec released an update to fix this as part of their definitions from September 4th onward. It comes to the SEPM automatically as part of the daily update process so everyone should have it at this point. No manual patch or fix is needed. It changes the timing of Symantec. Symantec and the PVS Target will no longer vie for control of the network stack as I understand it. Symantec will start delayed after the PVS Target has fully started. I don’t have any further technical details but I am hoping Symantec will have a KB up soon covering this. We have been testing and everything seems to be working well.

## How to install and configure PVS 6.1 with XenDesktop 5.6

Once a company has a XenDesktop or XenApp environment that is pretty mature, they often turn to Citrix Provisioning Services (PVS) to help scale the environment. There are many reasons to use or not use PVS for your VDI or XenApp environment and that’s a whole other discussion. The purpose of this blog post is to get you familiar with how to implement it. There are not a whole lot of step by step guides out there and PVS can be a real beast to wrap your head around if you are not familiar with it.

Now for the disclaimer. This guide will describe how I do things for my PVS environments. This will probably be different for your environment so make sure you thoroughly understand the reasoning behind each step and how it applies to your environment. What works for me may not work for you.

So let’s get started!

INSTALLATION
You must be logged into the PVS server using a service account with DBO rights or the install will fail. Have your DBA set the service account to SA temporarily for the install. After the install, remove the SA rights and grant only these rights:

• dbcreator; required for creating the database
• securityadmin; required for creating the SQL logins for the stream and soap services
• db_datawriter
• execute permissions on stored procedures

I find this to be the most pain free method of getting PVS installed with no DB errors. Now on to the actual steps:

1. Enable Application Server role (.NET features will be automatically installed)

2. Start Wizard, hit Console installation, run through all of it. Just hit Next, accept all the license agreements, and let it install everything until you get to the path to install part.

3. Choose Path for install (change to D:)

4. Choose Complete install

5. Once done, click Server Installation on wizard home page > Install Server

6. Install SQLncx64 when prompted

7. Change path to D:

8. Choose Complete install

And you’re done! Not very hard at all.

CONFIGURATION
Now we get to the slightly harder part, configuration. This is going to depend a lot on how you have your hardware setup. I want each of my Windows 7 provisioned desktops to have 2 NICs. One NIC is for regular network traffic and the other for streaming traffic. You don’t have to have 2 NICs and separate your traffic like this but I do for production environments. It is really only beneficial for large scale implementations so if you are doing something smaller scale or for a test environment, 1 NIC will suffice. Just keep in mind everything below in my guide is written as if you have 2 NICs:

9. For DHCP, choose service that runs on this computer and choose Microsoft DHCP. So the PVS server will have the DHCP server role running and it will be handing out streaming network IPs to the VMs as they boot. They will get regular network IPs from your regular DHCP servers just like any physical box on the network. More on this later.

10. For PXE boot, choose service that runs on this computer and choose Microsoft DHCP as well.

11. Create farm or join farm depending on what you’re doing.

12. Either choice will ask for database info on the next page

13. Type in your DB info and hit Next

14. Choose a database ***DO NOT USE A PRE-CREATED DB, just type the new DB name in the Database name box and it will create it automatically once you hit Next***. I’ve run into numerous issues in the past attempting to pre-create a database. I’m telling you now, get SA rights temporarily as I mentioned in the first part of this guide if you can. It will make your life easier.

15. My E: drive on my PVS Server is a high performance flash based IO accelerator card in this case. That is where I will put my Store. You will want some very read friendly storage for your Store as this is where you will be putting all your golden images.

17. Keep user account as Network service account

18. Hit Yes when prompted for configuring the database with the account

20. Check the teamed NIC for the “Provisioning” network, not the regular network traffic network. In this case my streaming traffic/provisioning network is only routable within my blade enclosure and my interface has an IP of 192.0.0.1

21. Check the Use the PVS TFTP service option

22. Leave the default for stream servers boot list. It should be the IP of the server itself on the “provisioning” network.

23. Advanced button has some settings, leave default

24. Hit finish on confirmation page. It should look something like this.

25. Go to your NIC for PVS traffic (or teamed NIC) on your PVS server and disable IPv6. Leaving it enabled can lead to issues.

26. If using your server for DHCP as well as I mentioned above, install the DHCP Server role.

27. Select just the PVS network

28. 0.0.0.0 for the DNS servers

29. WINS not required

31. Disable DHCPv6

32. I skipped authorization when taking the screenshots but you should do it now if possible.

33. Confirm and install

Now on to building your Windows 7 base image. This is the base image that will be completely clean, very little customization. This will be the primer for your golden images later.

Building an image is not to be taken lightly. These two articles from Citrix are a good read so you have a solid understanding of what you are going to do.

CTX121028 “Best Practices for Creating a XenDesktop Image” is an older article but still a good read if you are building your image for the first time:

http://support.citrix.com/article/CTX121028

CTX131481 “Recommended Install Order for Preparing Target Device Captured by Provisioning Server to Deploy vDisk” is a bit newer and is also a good resource you should read through before proceeding:

http://support.citrix.com/article/CTX131481

34. So first you need to build a VM out. Just go to XenCenter and run the “New VM” wizard. Choose the Windows 7 (64-bit) template.

35. Give it a name and description

36. Choose the MSDN Windows 7 ISO

37. Choose a host server

38. 2 vCPUs, 4 GB RAM (4096 MB)

39. Choose local storage for the disk. You can add more disks or even increase the size of a disk under Properties.

40. Delete ALL the NICs, you will recreate in the right order in the next step.

41. Click Add and add the PVS bond first, THEN the network bond. So in the example Bond 4+5 first, then Bond 2+3. Note: This is a critical step. Changing the order or adding/removing NICs later is not recommended as it breaks stuff between the XenServer Tools and PVS Target agent in my experience. Get your network setup right the first time and in the right order to avoid issues. Always put the PVS network first, network traffic second.

42. Hit Finish on confirmation page to build the VM

43. Go to the console of the new VM and run through the Windows 7 setup wizard. When it comes time to name the PC, make sure it is not a name that already exists on your network. In this example I will use “Win7MSDNBaseISO” for demo purposes but you should come up with some kind of naming scheme for your environment since you will eventually have several golden images and you don’t want to confuse them. Something like “GOLD-ACCT01” for your Accounting department’s first golden image, etc.

44. Login and install XenServer Tools. Without it your NICs will act wonky. Like sending malformed packets and such which cause an HTTP 400 server error to any website you navigate to. You will need to reboot after the install. Once it’s back up, it will detect the NICs and likely prompt you to reboot again after installing the new hardware so go ahead and do it.

45. Log back in and then run your Windows Updates and/or Microsoft Updates. Don’t install any company related apps yet if at all possible. Make it as generic and clean as possible. Remember, you are building a base image to suck into a vDisk, not a golden image just yet. Whether you have just one golden image for your whole company (not likely in most environments) or several per department, try to keep the base image as lean as possible. You’ll also notice your NICs are now labeled and are looking a lot healthier than before as well. Adapter 0 may say Unidentified network since your provisioning network should ideally be private. NOTE: You can add the machine to the domain, but DO NOT install the VDA agent yet.

46. If you click on the network tab, you will notice both NICs have IPs whereas before the XenServer Tools install it was Unknown.

47. Snapshot your VM. It’s not necessary but I like to as a precaution. From here if I mess up on something or forgot something, it’s easy to revert to my snapshot and fix whatever needs fixing. Beyond this point it becomes tricky.

48. Now install the Provisioning Server Target Device Software from the PVS ISO. Just click the Autorun.exe.

49. Click Target Device Installation

50. Hit Target Device Installation on the 2nd page too and it will launch the wizard. Run through the EULA and hit Next through all the windows until the install is done.

51. Uncheck the Launch Imaging Wizard link and hit Finish.

52. Hit Yes to reboot and mount your PVS boot disk as the VM comes back up or you can just shut down for now if you don’t have one yet.

53. Open up Provisioning Services Boot Device Manager (BDM) on your PVS server and create an ISO if you don’t have one already. It needs to have the IP address of the server on the provisioning network NIC.

54. Options can all be default

55. Use DHCP, switch the Boot Device to Citrix ISO Image Recorder, then hit Burn. Drop the ISO in an ISO Library your XenCenter can see.

56. Here’s where things may differ for you if you used older versions of PVS, before the Imaging Wizard was what it is today. The old way of doing things was pre-creating a device on your PVS server with the same MAC address as the VM’s NIC, pre-creating a vDisk and calculating the necessary size, formatting it, assigning the vDisk to the device, then running BNImage to capture the system and push it into the vDisk. None of this manual work is necessary anymore. The Imaging Wizard works really well and will do everything for you. I actually first took screenshots of everything the manual way just for reference so you know where to look if something breaks. But then I figured that showing that whole process might confuse you so I will show you the Imaging Wizard way only. If you need me to, I can post an addendum to this article showing the manual way. Just leave a comment if you’d like to see it.

So now log back in once the VM is up and start Imaging Wizard. Enter your PVS server farm details.

57. Hit next and let it Create a new vDisk. Just hit Next again.

58. Give the vDisk a name. The vDisk size in the store will automatically be calculated. I left the VHD type to Fixed but you can choose Dynamic. Citrix has started recommending Dynamic as a best practice these days. I like to do 16 MB block size if doing Dynamic personally. It just means it will grow in 16 MB chunks. Again, make sure you select a good naming scheme for your vDisks as it becomes very important to keep them organized.

59. Choose KMS for key management (assuming you are using KMS)

60. Leave the image volume sizes all default

61. Type in a target device name, choose your streaming traffic NIC, and choose a collection:

62. On the confirmation page, click Optimize for Provisioning Services.

63. This will make a ton of registry changes that will optimize your image for PVS using ngen.exe in a cmd prompt window. Just hit OK and wait several minutes as it completes this process.

64. Once it’s done, hit Finish to begin prepping the vDisk on your PVS server’s store. It will immediately allocate the space for the vDisk since you are using Fixed so make sure there is enough room.

65. Once it’s done, it will ask to Reboot. Hit No.

66. Now right click on the VM in XenCenter and change the DVD Drive boot order to first and disable everything else.

67. Change the ISO in the DVD drive to the ISO you burned above.

68. Now go back to your PVS console and verify the device now has the vDisk attached under its properties. You can also choose to list the local hard disk in the boot menu.

69. Now you can reboot your VM. It will boot using your ISO, connect to the PVS server, obtain an IP on the PVS network, and connect the virtual disk you created. The vDisk is still in private mode. You can verify this in the PVS console easily. Just refresh and you will see a green check mark next to the device. It will have an IP and will tell you which PVS server it is connected to.

70. Log back into your VM now. It will automatically kick off the vDisk capture by loading XenConvert to capture the image. It will begin pushing your image to the vDisk you created on your PVS server.

71. Sometimes there may be errors (non-critical) but make sure to read the log and verify there is nothing critical in there. Then hit Finish.

72. You will be logged back into your Windows 7 VM at this point. Go ahead and shut it down.

73. Go to your PVS server and change the Boot From properties on your device to vDisk.

74. Now go to the storage options of your VM and detach the local storage on your XenServer. You don’t need it anymore. Then boot up your VM again. This time you will be booting directly into the vDisk image you had pushed across before on the server.

75. In the system tray menu, you can verify your vDisk is connected. Also in Explorer, you will only see the c: drive which is your vDisk.

76. I HIGHLY recommend you make a backup copy of the .vhd in your Store right now. It is a clean image with no apps and if something happens, this is the image you can revert back to. Think of it as your “Stage 1” vDisk. Make the copy and store it away somewhere safe. Once you do that, since it is still in private mode and if you haven’t done so already earlier, go ahead and add it to the domain. Then reboot when prompted. Don’t forget to add your necessary security groups as local admins before rebooting.

77. Log back in and install any other apps your company may need for the base image. You can begin installing core applications like Adobe Reader, Flash, SEP, SnagIt, NAC agent, etc. Apps that need to reside on every PC on the network. Nothing specific. You should also do your OS customizations at this time if you have any. Then lastly, install the XenDesktop 5.6 VDA agent. Make sure you use AutoSelect.exe to install it and not the .msi on the CD or you will have issues. Your path will be something like this if you left the XenDesktop 5.6 install files somewhere on your DDC:

\\yourDDCservername\Downloads\XD5.6_VDI_Single2\XenDesktop56\AutoSelect.exe

79. Accept the EULA

80. Leave the default Virtual Desktop Agent

81. I usually uncheck Receiver. I like to deploy it later using the Enterprise version I want our users to be using.

82. Leave PVD disabled for now. You can enable personal vDisk later if you need to.

83. Type in the names of the DDCs. You can separate multiple DDCs with spaces. They must be FQDNs. Hit the Check button to verify they can be resolved. Then hit Next when done.

84. Leave the VDA config settings the default and hit next

85. Hit next at the summary page

86. Hit Close and it will restart the VM.

87. When the VM is back to the login prompt, go ahead and shut it down. Then go to the PVS Console and switch the vDisk from private mode to standard (multi-device) mode, which makes it read-only. If you see a lock next to the vDisk, you may need to clear it first.

That’s it, you are now complete with your base image setup.

CREATING A XENSERVER VM TEMPLATE
88. Now you need to create a VM template that PVS will use to spin up new VMs with. You can simply create a copy of the VM you had been working on and convert that copy into a template or you can create one manually. I suggest copying and converting to a template, less chance of screwing something up. If doing it manually though, in XenCenter run the “New VM” wizard. Choose the Windows 7 (64-bit) template.

89. Give it a name and description

90. Boot from network

91. Choose a host server

92. 2 vCPUs, 4 GB RAM (4096 MB)

93. Choose “Create a diskless VM that boots from the network” and hit Next.

94. Delete ALL the NICs, you will recreate in the right order in the next step. Click Add and add the PVS bond first, THEN the network bond. Same as before when you created the original VM. It is critical you get this right and it matches the VM.

95. Uncheck “Start the new VM automatically” and hit Finish.

96. Make sure to change the boot options to DVD drive only and move it to the top since we are using BDM (PVS boot disk). Also make sure to mount the PVS boot disk ISO at this time.

97. Right click the VM and click “Convert to Template…”

98. Hit Convert at the confirmation prompt

99. Now you can verify it is a template (blue box next to it) in XenCenter

PROVISIONING VMS USING THE PVS SERVER AND XENDESKTOP DDC
100. Now it’s time to start provisioning new VMs. In the PVS Console, right click on your site name and click “XenDesktop Setup Wizard…”

101. Hit Next at the Welcome screen

102. Type in the FQDN of only one of your DDCs and hit Next

103. Select the XenServer host you want to run your machines on and then hit Set Template to set the VM template.

104. Type in credentials for your XenServer and hit Log On, you will see all the templates on the host. Choose the VM template you had created in the steps above and hit OK and then Next.

105. Choose your Device Collection and vDisk

106. Now you can create a new Catalog or use an existing catalog. In this example, I am going to use an existing catalog. Select your Admins and hit Next.

107. Choose the number of VMs to create. I will choose 5 in this example. Leave the default of creating new AD computer accounts.

108. Choose the OU you want your new VMs to be put in. You can also choose the naming scheme for the new VMs at this point. You could use something like “VM-ACCT###” for your Accounting VMs for example. Hit Next.

109. You will see the Summary screen. Hit Finish and your VMs will start to be created. The progress bar will show you the progress but you can also go to XenCenter and watch the VMs being created. They will not be powered on by default since you haven’t instructed your DDC to do so yet.

110. Now go to your DDC and open up Desktop Studio. Under Machines, you will see your catalog and it will show there are 5 free machines that have not been assigned.

111. Double click on the catalog and you will see the 5 machines, but only their SIDs, since they have not been powered on yet.

112. Click on Assignments in the left and create a new Desktop Group

116. Choose a Display Name and Desktop Group Name. The Display Name will be shown to the end user in the Web Interface. The Desktop Group name is for within Desktop Studio. Hit Finish.

117. Now go to your Web Interface (or the DDC itself in this example). Login using an account you have assigned one of your VMs to. If it’s the only thing on your WI, the desktop will start booting up immediately.

118. Log into your new VM and you will see the Welcome message. Yes my wallpaper, quicklaunch, visualizations are different from default Win7 because I was playing with some profile customizations when I took these screenshots. Just ignore that.

119. Create a new text document on the desktop. Then log off.

120. You will notice in XenCenter the VM you were on is now being shutdown automatically. Basically getting it ready for the next user with a clean slate.

121. Click the desktop icon again on the WI and it will launch the VM again. It will likely be another VM entirely you will be logging onto, but of course it will look the same. You will notice your text document is gone now. Exactly as expected.

That’s it! You are now up and running with your first provisioned desktops. Now you can create copies of the VHDs and begin customizing your images for different departments. Make sure the disks are in private mode when making your changes. You can also use the versioning feature for little changes to the images like Windows Updates. More on this later.

SETTING UP WRITE CACHE
So Write Cache is that big scary thing that can make or break your PVS implementation. Where you put it makes a world of difference. There are several options available where write cache can be stored. Most people opt for caching on a hidden local drive on the VM i.e. on your XenServer local disks or direct attached storage on the XenServer. It’s cheap and it works well for most implementations. Keep in mind it is not shared when you do this. Citrix has a good article called “How to Add a Persistent Volume to Your Provisioned Virtual Machine in XenServer” located here:

http://support.citrix.com/article/CTX125590

and another excellent blog post here on PVS write cache size considerations:

http://blogs.citrix.com/2011/10/06/pvs-write-cache-sizing-considerations/

So in our example so far, I had created the vDisk to leave the write cache on the PVS server. You can put the vDisk in private mode and skip directly to step 127 if you like. But I want to leave the old vDisk and provisioned desktops intact as an example and create a completely new vDisk and set of provisioned desktops with write cache on the XenServers instead. So we’re going to create a new vDisk from the old vDisk and then attach the new write cache drive to that. This is pretty straightforward, but if you need more screenshots, leave a comment and I’ll take some:

122. Go to your Store, copy the .vhd file, paste it in the same location. Call the new VHD file whatever you like.

123. In the PVS Console, right click Store and click “Add or Import Existing vDisks”. Search the store and add the vDisk you just created.

124. Under properties, make sure to enable “Enable Active Directory machine account password management” and KMS Service, because they will likely not be checked when importing just the .vhd.

125. Make sure the vDisk is in private mode.

126. Go to your device collection and assign the vDisk to a device. You can use the original VM you were using to build out the Windows 7 image. Make sure it is set to boot from vDisk.

127. Go to XenCenter, click the Storage tab on your VM, and hit Add. You can name it something like “Win7MSDNBaseISO-WC”. We will leave the size as 10 GB. That’s a pretty decent size for a Windows 7 box rebooted once a week. Then hit Add.

128. Ensure the new disk was created with position 1. Position 0 should be your c: drive.

129. Now power on the VM, booting from the DVD and with the PVS boot disk in the drive. You will notice that Windows has detected a new drive under Disk Management. Initialize it.

130. Right click the new disk, New Simple Volume, choose the full size of the drive, assign it z:, and format it as NTFS, label the volume “Write Cache”, then hit Finish on the confirmation page to format it.

131. Shut down the VM. Detach the c:, leaving only the 10 GB z:. Copy it. Rename it to a template name, then hit Convert to template.

132. Go to your PVS console, under Store, and switch the vDisk to Standard Image and under Cache type, switch it to “Cache on device hard drive” and hit OK.

133. Go to your Site in the PVS Console and run through the XenDesktop setup wizard again like you did before but using your new template. Also go to your DDC and set up your desktop group, assignments, etc. like before, but create a new desktop group so you know which ones are the new “local write cache” machines.

134. Launch one of your new VMs. You will see the Z: now called “Write Cache”. Also on the XenServer under local storage, you will see 10 GB drives created for all your VMs.
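Steps 129 and 130 can also be done from an elevated PowerShell prompt inside the VM instead of Disk Management. The script below is an added example, not part of the original guide; it assumes the new disk is initialized as MBR and is the only blank disk of roughly 10 GB, and the temp file name `wc-disk.txt` is made up for illustration. It changes nothing unless exactly one such disk is found, so the c: drive or the vDisk cannot be formatted by mistake.

```powershell
# Added example (not from the original guide). Run elevated inside the VM.
# Works with PowerShell 2.0, which ships with Windows 7 / Server 2008 R2.
$expectedBytes = 10GB    # size chosen in step 127
$tolerance     = 64MB    # assumption: WMI reports slightly less than the provisioned size

# Candidate = a disk with no partitions whose size is about 10 GB.
$candidates = @(Get-WmiObject Win32_DiskDrive | Where-Object {
    $_.Partitions -eq 0 -and
    [math]::Abs([double]$_.Size - [double]$expectedBytes) -le $tolerance
})

if ($candidates.Count -ne 1) {
    throw "Expected exactly one blank ~10 GB disk, found $($candidates.Count). Nothing was changed."
}
if (Test-Path 'Z:\') {
    throw "Z: is already in use. Nothing was changed."
}
$index = $candidates[0].Index

# diskpart script: initialize (MBR is an assumption), create one full-size
# volume, format NTFS with the label from step 130, assign Z:.
$script = @"
select disk $index
online disk noerr
attributes disk clear readonly noerr
convert mbr noerr
create partition primary
format fs=ntfs label="Write Cache" quick
assign letter=Z
"@

$path = Join-Path $env:TEMP 'wc-disk.txt'   # hypothetical file name
Set-Content -Path $path -Value $script -Encoding ASCII
diskpart /s $path
if ($LASTEXITCODE -ne 0) {
    throw "diskpart failed with exit code $LASTEXITCODE"
}
Remove-Item $path

# Confirm the result before shutting down for step 131.
Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='Z:'" |
    Select-Object DeviceID, VolumeName, FileSystem, Size
```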