JasonSamuel.com

I urge you to read my PVS 6.1 on XenDesktop/Windows 7 guide first. Read it and make sure you understand it. The same concepts and most all procedures apply to Server 2008 R2. So I am not going to get as detailed on PVS technology in this article. This is going to be more XenApp centric. If you don’t have a thorough understanding of PVS, it is easy to become lost so please make sure and read that article and go through those screenshots first.

Citrix has an excellent eDoc primer for understanding the intricacies of XenApp on PVS located here. I recommend skimming this before beginning:

http://support.citrix.com/proddocs/topic/xenapp65-install/ps-image-prep.html

Now on to the steps. This is just my way of doing it. It works well for me. There are a couple of different ways you can achieve the same thing so use what works for you:

1. I am assuming you already have a XenApp 6.5 farm created and at least one dedicated server for the role of the ZDC. All XenApp servers provisioned via XenApp will be member servers of this farm and you do not want them to become a ZDC. Just set the election preference in AppCenter under Zones. In this example, I have a Default Zone and have set one server as the ZDC but it is best practice to have at least a handful of servers that are not provisioned to be set as preferred. Just in case one goes down, you don’t want one your provisioned servers to become a ZDC:

2. Now go to your XenServer and create a new Server 2008 R2 VM

3. Install XenServer Tools

4. Make a copy of the VM and convert it to a template. This is your “clean” Server 2008 R2 image you can come back to later if you need to. You can spin up new VMs from it.

5. Now go back to the VM you were working on and install things that are needed on all servers like Symantec, Citrix Offline Plugin (if you intend to leverage app streaming), etc. but try to keep it as clean as possible. Remember, you are building just the base right now. Don’t install any applications you plan to publish yet.

6. Add the server to the domain. Make sure the name is the first server in your naming scheme, example: “ServerName-100″ where 1 denotes the image number and 00 is the VM number. The next VM that gets spun up using this image will be ServerName-101 and so on.

7. Begin installation of XenApp 6.5 like normal and follow Approach 3 detailed here:

http://support.citrix.com/proddocs/topic/xenapp65-install/ps-image-prep.html

8. If you have multiple NICs in your PVS environment for streaming vs. regular network traffic there’s an extra step you have to perform in the VM. Make sure you go into ICA Listener properties and set it to PVS Adapter #1, the network NIC. Not the PVS streaming NIC which is #0. They may be labeled differently in your environment depending on the NIC order of your VM. Just remember, you want the network NIC to handle ICA, not the streaming NIC.

9. Now install the apps you intend to publish. Just install, don’t try publishing anything yet. If you plan on streaming apps to your XenApp servers via Citrix Offline Plugin or App-V, skip this step.

10. Install the PVS Target and reboot. Do not run Imaging Wizard yet.

11. You can choose to install the EdgeSight agent at this point if you use EdgeSight in your environment. There is an excellent guide from Citrix on how to install EdgeSight in a PVS environment below. Don’t worry, when it detects the PVS Target software is on the system and the image is in private mode being updated, it won’t start the EdgeSight service and start sending your EdgeSight server junk data:

http://support.citrix.com/proddocs/topic/edgesight54/es-agent-install-streamed.html

12. Log back in to the VM and in the XenCenter console, set the PVS boot disk to boot first (BDM). Then go to the PVS Console on the PVS server and create a new Device with the MAC address of this VM’s provisioning/streaming NIC. Call the device ServerName-101 so it’s separate from the ServerName-100 original but call the vDisk 100 so you know where the image came from later (i.e. image 1). Set device to Boot from Hard Disk. Now reboot the VM. You can let Imaging Wizard do this but if you really want to be hands on, you can choose to create and attach an empty vDisk of the same size as the c: drive of the VM now.

13. It should have booted from the BDM boot disk and be connected to the empty vDisk you created. Run Imaging Wizard and push the image across to the PVS Server vDisk (don’t forget to optimize the image). If you did not create a vDisk in the above steps, just create a new disk and run through the Wizard prompts to create it real quick. It will assign the device to this new vDisk. Reboot when you are asked to.

14. Log back in and immediately XenConvert will launch and begin pushing your image over to the newly created vDisk.

15. Now go to the PVS console and set your device to boot from vDisk and reboot your VM. It should now be booting from your vDisk.

16. Log back in and re-run XenApp configuration and unjoin from farm using the prep option. This is done by going to Start > Programs > Administrative Tools > Citrix > XenApp Server Role Manager > and then clicking on the XenApp Server Role Manager app. Click Edit Configuration. Then click Prepare this server for imaging and provisioning. You want to just leave the defaults checked which is to remove it from the farm and join on the next boot. Once it removes it, it will ask you to reboot. Just close and power down the VM, don’t reboot.

17. Go to your PVS server and change the vdisk from private to standard mode. Now spin up a few VMs using the “Streamed VM Setup Wizard” in the PVS console. You’re going to need a template and you’re going to want to setup your write cache. I’ve covered this very well in my PVS 6.1 on XenDesktop/Windows 7 guide so I’m not going to get into the details here. Wait until the VMs are created and powered on.

18. Go to your ZDC and open up AppCenter and run a Discovery. You should see the new member servers. At this point you can begin publishing or streaming apps to them.

TO MAKE CHANGES AND RESEAL THE IMAGE
1. Boot a device into maintenance mode after creating a maintenance version on the vDisk. Or you can choose to power down all your running VMs and put the disk into private mode. Your choice.

2. Make your changes.

3. Re-run XenApp configuration and unjoin from farm using the prep option.

4. Shut it down and promote the image to production if using versioning. Or put the disk back into standard mode if you used the other method.

5. Reboot all your devices so it gets the new vdisk

I hope this guide helps. Please feel free to leave a comment below if you have any questions. I’ll try and help as best as I can.

Wow, long title there! Just like it says, I’m going to cover opening Sharepoint documents in a Windows 7 XenDesktop VDI session using XenApp published Office products with content redirection enabled. Here’s an example scenario:

• Your company uses Sharepoint and the URL is http:\\sharepoint.domain.com. It is part of the Local Intranet zone in IE.
• Your users are using Windows 7 VDI/XenDesktop VMs with Citrix Receiver Enterprise pulling published apps into the Start menu.
• You have Office 2010 products (Word 2010, Excel 2010, Visio 2010, etc) published via XenApp with content redirection enabled so .docx, .xlsx, .vsd files launched in the VDI session will open using the published Office app.
• Your users want to click on a Word, Excel, Visio, etc. document in a Sharepoint document library and click the Edit button to edit the document instead of just Read Only. They expect the published Office app to launch and allow them to edit the document.

THE PROBLEMS
In this scenario, when the user clicks on let’s say a Visio document in Sharepoint, the published app will launch but the document will not be sucked in. You’ll get a “File not found” error and if you look closely, the URL begins with “\\” as if it’s a UNC path instead of an HTTP path:

If you click OK, Visio will open but no diagram will open.

If you right click, Save As the Visio diagram to your C: drive and attempt to open it locally, it will launch the published Visio instance but will give you the following “File not found” error:

Again, look closely. It says “\\Client\” instead of your VM’s name.

THE FIXES
Well, really it’s 1 fix and 1 workaround for now. Let’s start with the fix first. We’re going to get local files and files residing on network shares launching right using the published app. I’m going to use Visio and a .vsd file again as the example:

1. On the Windows 7 VM, you must enabled Native Drive Mapping to be able to launch the .vsd file via published Visio. You can follow the CTX article here to make the registry change:

http://support.citrix.com/article/CTX130378

or you can enforce it via group policy. One thing though, on Windows 7 x64 the path is:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Engine\Configuration\
Advanced\Modules\ClientDrive

NativeDriveMapping
Reg Type: REG_SZ
Add the Value: True

Once the value is set to TRUE, try launching the .vsd file you saved to your hard drive or on a network share. It will launch immediately. Then go to File – Save As in Visio and checkout the path bar. It will say “\\Client\C$\Users\xxxx\”. So now your system recognizes the word “Client”.

This is because you’re going through 2 virtualization layers. Citrix has an excellent article detailing how Client drives are passed through multiple sessions here:
http://support.citrix.com/article/CTX127872

You can also read more about the NativeDriveMapping key here:
http://support.citrix.com/article/CTX124389

Additionally here is a really good CTX article from Citrix that covers Client Drive Mapping troubleshooting that might be helpful to you:
http://support.citrix.com/article/CTX238200

And some info describing differences in Client drive mapping between the different versions of XenApp and Presentation Server here:
http://support.citrix.com/article/CTX127614

2. Now back to Visio diagrams in Sharepoint. First you need to verify content redirection is behaving correctly. In my case, I needed to make sure to change the published app location to include the “%**” switch. By default when you enable content direction, it will be:

"D:\Program Files (x86)\Microsoft Office\Office14\VISIO.EXE" "%*"

with just one asterisk. You need to add two so it looks like this:

"D:\Program Files (x86)\Microsoft Office\Office14\VISIO.EXE" "%**"

The reason for this is documented in this CTX article:

http://support.citrix.com/article/CTX116887

This was written for Presentation Server 4.5 but it still applies to XenApp 6.5 just fine.

Once you get content redirection squared away on your XenApp server, things will still not work correctly unfortunately when opening docs in Sharepoint in your XenDesktop session. You can try right clicking and editing but you will still get the File not found error. This error has nothing to do with Client Drive Mapping. Being a Sharepoint Architect in a previous role long ago, my gut feeling was this is a WebDAV issue. Remember, Sharepoint uses WebDAV with document libraries though to the casual observer it might appear to be a UNC file share path. My gut was telling me Receiver was not handling WebDav paths correctly and was treating them like regular SMB file share paths. No proof this is the culprit just yet, only a hunch.

Let’s run an experiment. In your Sharepoint document library, click Actions > Open with Windows Explorer:

You’ll notice the path bar says “http://sharepoint.domain.com” when you open it here:

Go ahead and launch the Visio diagram in this document library. When you try and launch it, it will launch published Visio and give you the same File not Found error as before. In some scenarios even an Access Denied error though it never actually was able to find the file. Again, it is looking for “\\sharepoint.domain.com” instead of using WebDAV (or the DavWWWRoot keyword) which should be parsed like the HTTP protocol “http:\\sharepoint.domain.com”. Sharepoint Content Redirection is never going to work because Citrix Receiver doesn’t know how to get there. One work around is to tell your users to save locally, edit, then upload. But this is annoying and most users will complain.

I started thinking Mini Redirector (which is Microsoft’s WebDav client and part of the Windows 7 OS) was trying to hand-off the DavWWWRoot keyword in the URL to Receiver and Receiver didn’t know what to do with it. Looking at the URL though it didn’t even seem to be passing it through. It was as if it was passing a straight UNC path. Or maybe is was not talking to owssupp.dll which is required to interact with and edit docs in Sharepoint. Maybe somehow it wasn’t handing off through Receiver properly. Now I was really starting to go down the rabbit hole and before I dug further, I figured I’d give Citrix Support a call and see if they had any input.

I was able to talk to a XenApp support technician and a XenApp Developer who were both very knowledgeable. I explained my WebDav theory and we ran a little experiment. We ran Process Monitor from my Windows 7 workstation and attempted to edit a simple Word document in Sharepoint. The published version of Word launched as expected and failed to find the file. Here is the URL that was passed to the PNAgent when we used the Process Tree display:

You can see that it passed:

\\Client\\\sharepoint.domain.com\link\to\doc\repository\test jason.docx"

Looks a bit odd, doesn’t it? No wonder it can’t find the file.

Then we went to the XenApp server with Word 2010 installed locally, opened Internet Explorer, and navigated to the Sharepoint document library. When I clicked Edit on the Word document this time, this is what was passed to the locally installed Word:

And of course the Word document successfully launched. You can see it passed a nicely formatted HTTP URL:

http://sharepoint.domain.com/link/to/doc/repository/test%20jason.docx"

The XenApp Developer verified this was actually a bug and needed to be fixed. It may or may not be WebDav related, but he confirmed there is definitely a disconnect at the Content Redirection level via Sharepoint as I had suspected. It has been added to their bug queue to get taken care of.

In the mean time, his suggestion is to publish Sharepoint itself on the same server Office 2010 products are installed on (publish IE passing the Sharepoint URL during launch). This is a good workaround but may annoy a few users. I always hate publishing IE because of the stuff you have to do to lock down/harden the browser. People can get confused and start browsing to Youtube or other process intensive websites using this published instance of IE if you don’t completely lock down the allowed URLs. This can cause a severe impact on XenApp performance for all users on the box. If I limit tabs, then people start complaining they can’t open additional tabs and the helpdesk gets flooded with phone calls. So just keep that in mind if you use this workaround.

Another work around I found online is by Anthony Obi:

http://community.obilogic.co.uk/blogs/teamblog/archive/2011/10/25/sharepoint-2010-edit-document-via-citrix-xenapp.aspx

He has an issue where owssupp.dll was not being detected on the client system (because it wasn’t there) and added an extra menu item in his Sharepoint deployment to edit documents as a work around. He modified the new Edit action to launch some Javascript that talks to PNAgent.exe that then talks to the published Office instance and passes the correct URL. This might work as well for you but of course it requires a modification of your Sharepoint environment and end user training.

I will post here as I get updates from Citrix Support on this issue. It’s a fairly unique scenario but definitely not uncommon in the real world as application delivery and desktop virtualization continue to be separated through multiple layers.

If you click an application icon on your web interface or storefront site, Receiver will popup and say “Starting…” like normal and if you click for More information, it will say “Connection in progress…”. After about a minute, you will get a popup message saying:

Unable to launch your application. Contact your help desk with the following information: Cannot connect to the Citrix XenApp server. There is no Citrix XenApp server configured on the specified address.

Well that’s odd because you know the app is published. You know the sever is up. You know it’s talking to the ZDC and permissions are good or you wouldn’t be seeing the app. So what’s the issue?

Well one of the common reasons for this issue is that your have multiple NICs on the XenApp server (multihomed server) so there are 2 IP addresses for the server. This is a very common setup in a Citrix PVS environment when running XenApp. One NIC for regular traffic and the other NIC for streaming traffic. But even a regular XenApp environment can have 2 NICs for a variety of reasons. If that secondary NIC is firewalled, on a different VLAN, private, etc. you are going to have problems. That secondary NIC is not meant for ICA traffic but everyone is trying to connect to it. It will time out every time.

A quick way to confirm this from the client side is to click on the application icon again and while it says Starting…, open up a command prompt. Type “netstat” and you should see a SYN_SENT to the server on port 1494. If this IP address is your secondary IP that is not meant for ICA traffic, it will never get a response.

Now go to your server and open up a command prompt. Type “qfarm”. Does your XenApp server show up in the list twice? With both of it’s IP addresses? That’s not good and is another confirmation it’s listening on both NICs.

You can also confirm a third way by going into AppCenter, expanding Servers, clicking on your XenApp server, clicking the Information tab in the right hand pane, and seeing if there are two IP addresses in the “IP addresses” section.

So to fix this, you will need to set your ICA Listener to listen only on the NIC you want regular network traffic to be on.

If you go to Remote Desktop Servers Session Host Configuration, you can double click on the ICA-TCP connection and click the Network Adapter tab. Unfortunately in some environments, you might get an error message saying:

Remote Desktop Session Host Configuration tool is not able to obtain the properties for this connection. The connection has either been deleted or the internal state of this connection has been corrupted. Please close all property pages, and select refresh from the menu.

So to get around this, go to Administrative Tools > Citrix > Administration Consoles > and click on ICA Listener configuration:

Notice how it’s set to “All network adapters configured with this protocol”. Click Edit and go the Network Adapter tab. In the drop down, choose just the NIC you want ICA traffic on:

In my case, I want ICA traffic to be on “Citrix PV Ethernet Adapter #1″. So I will choose that and click OK. Now you can go ahead and restart the IMA Service on your XenApp server but you don’t really have to in most cases. Just try launching your app again and it should come right up.

Sometimes when working on a XenApp server and publishing websites through Internet Explorer, you may have a need to temporarily add the website to the Local Intranet or Trusted Sites zone for testing purposes. Usually NTLM passthrough windows authentication won’t work unless the website is part of the Local Intranet zone. Your users will get a popup box asking for their credentials. In multidomain environments, things can get especially hairy sometimes with the way IE detects a Local Intranet website. You can add the site manually in IE after the website has launched but it’s per profile. If you want to add it for all users on the server, group policy is the way to go. Associating a site with a zone can be accomplished through group policy at the domain level easily but sometimes you just want to test things first and it’s quicker to edit the local group policy on the server.

So to do that on Server 2008 R2, go to Start > Run > gpedit.msc

From there you will see Computer Configuration and User Configuration. We want Computer Configuration. Drill down to:

Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page

Double click on Site to Zone Assignment List and click the “Enabled” radio button.

Then click “Show…”

A new box will pop up. For the Value name, you want to type in the name of your website. For the Value, you want to specify a number 1 through 4. These correlate to the zones which are:

1. Intranet zone
2. Trusted Sites zone
3. Internet zone
4. Restricted Sites zone

Hit OK to both windows and you’re done. You can test by launching your published IE website. It should now be associated with the zone you specified. You can verify in IE by pressing Alt to bring up the menu bar, then File > Properties and under Zone it will tell you the zone of the current website. Every user that launches the published IE app on your server will have the website in the zone you specified.

Windows 7, Citrix Receiver 3.0, 3.1, 3.2 etc., and Web Interface 5.4 all work hand in hand with newer XenApp farms. But you might notice if you have older farms in your Web Interface, apps from those farms will not launch when using Windows 7 and Citrix Receiver. You’ll get a message like this when you click on an app icon:

The network connection to your application was interrupted.  Try to access your application later, or contact your help desk.

Really helpful right? Well if you look at your event log on your Windows 7 box, you get something even more cryptic:

The description for Event ID 1 from source ICA Client (Vanadium) 
cannot be found. Either the component that raises this event is not 
installed on your local computer or the installation is corrupted. 
You can install or repair the component on the local computer.

If the event originated on another computer, the display 
information had to be saved with the event.

The following information was included with the event: 

Vanadium: TW Protocol error: Data rejected
Cmd = CMD_TW2_TEXTOUT
The data containing the error is below (1953 bytes)

I get this error with apps hosted on legacy MetaFrame XP and Presentation Server 4.0 farms. The work around is to go to your farm’s console, right click on your farm name, Properties > ICA Settings and uncheck the “Discard redundant graphics operations” setting.

After making this change, the apps will launch just fine. Additionally on some MetaFrame XP apps, I’ve had to go under the actual published application properties and lower the resolution of the app. I doubt Citrix will ever release a fix for this since legacy farms are not supported and reached End of Life years ago. You should get your apps moved over to newer XenApp farms as soon as possible.

Once a company has a XenDesktop or XenApp environment that is pretty mature, they often turn to Citrix Provisioning Services (PVS) to help scale the environment. There are many reasons to use or not use PVS for your VDI or XenApp environment and that’s a whole other discussion. The purpose of this blog post is to get you familiar with how to implement it. There are not a whole lot of step by step guides out there and PVS can be a real beast to wrap your head around if you are not familiar with it.

Now for the disclaimer. This guide will describe how I do things for my PVS environments. This will probably be different for your environment so make sure you thoroughly understand the reasoning behind each step and how it applies to your environment. What works for me may not work for you.

So let’s get started!

INSTALLATION
You must be logged into the PVS server using a service with DBO rights or the install will fail. Have your DBA set the service account to SA temporarily for the install. After install, remove SA rights and just give these rights only:

• dbcreator; required for creating the database
• securityadmin; required for creating the SQL logins for the stream and soap services
• db_datareader
• db_datawriter
• execute permissions on stored procedures

I find this to be the most pain free method of getting PVS installed with no DB errors. Now on to the actual steps:

1. Enable Application Server role (.NET features will be automatically installed)

2. Start Wizard, hit Console installation, run through all of it. Just hit next accept all the license agreements and let it install everything until you get to the path to install part.

3. Choose Path for install (change to D:)

4. Choose Complete install

5. Once done, click Server Installation on wizard home page > Install Server

6. Install SQLncx64 when prompted

7. Change path to D:

8. Choose Complete install

And you’re done! Not very hard at all.

CONFIGURATION
Now we get to the slightly harder part, configuration. This is going to depend a lot on how you have your hardware setup. I want each of my Windows 7 provisioned desktops to have 2 NICs. One NIC is for regular network traffic and the other for streaming traffic. You don’t have to have 2 NICs and separate your traffic like this but I do for production environments. It is really only beneficial for large scale implementations so if you are doing something smaller scale or for a test environment, 1 NIC will suffice. Just keep in mind everything below in my guide is written as if you have 2 NICs:

9. For DHCP, choose service that runs on this computer and choose Microsoft DHCP. So the PVS server will have the DHCP server role running and it will be handing out streaming network IPs to the VMs as they boot. They will get regular network IPs from your regular DHCP servers just like any physical box on the network. More on this later.

10. For PXE boot, choose service that runs on this computer and choose Microsoft DHCP as well.

11. Create farm or join farm depending on what you’re doing.

12. Either choice will will ask for database info on next page

13. Type in your DB info and hit Next

14. Choose a database ***DO NOT USE A PRE-CREATED DB, just type the new DB name in the Database name box and it will create it automatically once you hit Next***. I’ve run into numerous issues in the past attempting to pre-create a database. I’m telling you now, get SA rights temporarily as I mentioned in the first part of this guide if you can. It will make your life easier.

15. My E: drive on my PVS Server is a high performance flash based IO accelerator card in this case. That is where I will put my Store. You will want some very read friendly storage for your Store as this is where you will be putting all your golden images.

16. Type in your license server info.

17. Keep user account as Network service account

18. Hit Yes wen prompted for configuring the database with the account

19. Leave password updates to the default of 7

20. Check the teamed NIC for the “Provisioning” network, not the regular network traffic network. In this case my streaming traffic/provisioning network is only routable within my blade enclosure and my interface has an IP of 192.0.0.1

21. Check the Use the PVS TFTP service option

22. Leave the default for stream servers boot list. It should be the IP of the server itself on the “provisioning” network.

23. Advanced button has some settings, leave default

24. Hit finish on confirmation page. It should look something like this.

25. Go to your NIC for PVS traffic (or teamed NIC) on your PVS server and disable IPv6. Leaving it enabled can lead to issues.

26. If using your server for DHCP as well as I mentioned above, install the DHCP Server role.

27. Select just the PVS network

28. 0.0.0.0 for the DNS servers

29. WINS not required

30. Create your scope

31. Disable DHCPv6

32. I skipped authorization when taking the screenshots but you should do it now if possible.

33. Confirm and install

BUILDING YOUR BASE IMAGE
Now on to building your Windows 7 base image. This is the base image that will be completely clean, very little customization. This will be the primer for your golden images later.

Building an image is not to be taken lightly. These two articles from Citrix are a good read so you have a solid understand of what you are going to do.

CTX121028 “Best Practices for Creating a XenDesktop Image” is an older article but still a good read if you are building your image for the first time:

http://support.citrix.com/article/CTX121028

CTX131481 “Recommended Install Order for Preparing Target Device Captured by Provisioning Server to Deploy vDisk” is a bit newer and is also a good resource you should read through before proceeding:

http://support.citrix.com/article/CTX131481

34. So first you need to build a VM out. Just go to XenCenter and run the “New VM” wizard. Choose the Windows 7 (64-bit) template.

35. Give it a name and description

36. Choose the MSDN Windows 7 ISO

37. Choose a host server

38. 2 vCPUs, 4 GB RAM (4096 MB)

39. Choose local storage for the disk. You can add more disks or even increase the size of a disk under Properties.

40. Delete ALL the NICs, you will recreate in the right order in the next step.

41. Click Add and add the PVS bond first, THEN the network bond. So in the example Bond 4+5 first, then Bond 2+3. Note: This is a critical step. Changing the order or adding/removing NICs later is not recommended as it breaks stuff between the XenServer Tools and PVS Target agent in my experience. Get your network setup right the first time and in the right order to avoid issues. Always put the PVS network first, network traffic second.

42. Hit Finish on confirmation page to build the VM

43. Go to the console of the new VM and run through the Windows 7 setup wizard. When it comes time to name the PC, make sure it is not a name that already exists on your network. In this example I will use “Win7MSDNBaseISO” for demo purposes but you should come up with some kind of naming scheme for your environment since you will eventually have several golden images and you don’t want to confuse them. Something like “GOLD-ACCT01″ for your Accounting departments first golden image, etc.

44. Login and install XenServer Tools. Without it your NICs will act wonky. Like sending malformed packets and such which cause an HTTP 400 server error to any website you navigate to. You will need to reboot after the install. Once it’s back up, it will detect the NICs and likely prompt you to reboot again after installing the new hardware so go ahead and do it.

45. Log back in and then run your Windows Updates and/or Microsoft Updates. Don’t install any company related apps yet if at all possible. Make it as generic and clean as possible. Remember, you are building a base image to suck into a vDisk, not a golden image just yet. Whether you have just one golden image for your whole company (not likely in most environments) or several per department, try to keep the base image as lean as possible. You’ll also notice your NICs are now labeled are looking a lot healthier than before as well. Adapter 0 may say Unidentified network since your provisioning network should ideally be private. **NOTE: You can add the machine to the domain but, DO NOT install the VDA agent yet.

46. If you click on the network tab, you will notice both NICs have IPs whereas before the XenSever tools install it was Unknown.

47. Snapshot your VM. It’s not necessary but I like to as a precaution. From here if I mess up on something or forgot something, it’s easy to revert to my snapshot and fix whatever needs fixing. Beyond this point it becomes tricky.

48. Now install the Provisioning Server Target Device Software from the PVS ISO. Just click the Autorun.exe.

49. Click Target Device Installation

50. Hit Target Device Installation on the 2nd page too and it will launch the wizard. Run through the EULA and hit Next through all the windows until the install is done.

51. Uncheck the Launch Imaging Wizard link and hit Finish.

52. Hit Yes to reboot and mount your PVS boot disk as the VM comes back up or you can just shut down for now if you don’t have one yet.

53. Open up Provisioning Services Boot Device Manager (BDM) on your PVS server and create an ISO if you don’t have one already. It needs to have the IP address of the server on the provisioning network NIC.

54. Options can all be default

55. Use DHCP, swith the Boot Device to Citrix ISO Image Recorder, then hit Burn. Drop the ISO in an ISO Library your XenCenter can see.

56. Here’s where things may differ for you if you have used older versions of PVS before Imaging Wizard is where its at today. The old way of doing things was pre-creating a device on your PVS server with the same MAC address as the VM’s NIC, pre-creating a vDisk and calculating the necessary size, formatting it, assigning the vDisk to the device, then running BNImage to capture the system and push it into the vDisk. None of this manual work is necessary anymore. The Imaging Wizard works really well and will do everything for you. I actually first took screenshots of everything the manual way just for reference so you know where to look if something breaks. But then I figured that showing that whole process might confuse you so I will show you the Imaging Wizard way only. If you need me to, I can post an addendum to this article showing the manual way. Just leave a comment if you’d like to see it.

So now log back in once the VM is up and start Imaging Wizard. Enter your PVS server farm details.

57. Hit next and let it Create a new vDisk. Just hit Next again.

58. Give the vDisk a name. The vDisk size in the store will automatically be calculated. I left the VHD type to Fixed but you can choose Dynamic. Citrix has started recommending Dynamic as a best practice these days. I like to do 16 MB block size if doing Dynamic personally. It just means it will grow in 16 MB chunks. Again, make sure you select a good naming scheme for your vDisks as it becomes very important to keep them organized.

59. Choose KMS for key management (assuming you are using KMS)

60. Leave the image volume sizes all default

61. Type in a target device name, choose your streaming traffic NIC, and choose a collection:

62. On the confirmation page, click Optimize for Provisioning Services.

63. This will make a ton of registry changes that will optimize your image for PVS using ngen.exe in a cmd prompt window. Just hit OK and wait several minutes as it completes this process.

64. Once it’s done, hit Finish to begin prepping the vDisk on your PVS server’s store. It will immediately allocate the space for the vDisk since you are using Fixed so make sure there is enough room.

65. Once it’s done, it will ask to Reboot. Hit No.

66. Now right click on the VM in XenCenter and change the DVD Drive boot order to first and disable everything else.

67. Change the ISO in the DVD drive to the ISO you burned above.

68. Now go back to your PVS console and verify the device now has the vDisk attached under it’s properties. You can also choose to list the local hard disk in the boot menu.

69. Now you can reboot your VM. It will boot using your ISO, connect to the PVS server, obtain an IP on the PVS network, connect the virual disk you created. The vDisk is still in private mode. You can verify this in the PVS console easily. Just refresh and you will see a green check mark next to the device. It will have an IP and will tell you which PVS server it is connected to.

70. Log back into your VM now. It will automatically kick off the vDisk capture by loading XenConvert to capture the image. It will begin pushing your image to the vDisk you created on your PVS server.

71. Sometimes there may be errors (non-critical) but make sure to read the log and verify there is nothing critical in there. Then hit Finish.

72. You will be logged back into your Windows 7 VM at this point. Go ahead and shut it down.

73. Go to your PVS server and change the Boot From properties on your device to vDisk.

74. Now go to the storage options of your VM and detach the local storage on your XenServer. You don’t need it anymore. Then boot up your VM again. This time you will be booting directly into the vDisk image you had pushed across before on the server.

75. In the system tray menu, you can verify your vDisk is connected. Also in Explorer, you will only see the c: drive which is your vDisk.

76. I HIGHLY recommend you make a backup copy of the .vhd in your Store right now. It is a clean image with no apps and if something happens, this is the image you can revert back to. Think of it as your “Stage 1″ vDisk. Make the copy and store it away somewhere safe. Once you do that, since it is still in private mode and if you haven’t done so already earlier, go ahead and add it to the domain. Then reboot when prompted. Don’t forget to add your necessary security groups as local admins before rebooting.

77. Log back in and install and other apps your company may need for the base image. You can begin installing core applications like Adobe Reader, Flash, SEP, SnagIt, NAC agent, etc. Apps that need to reside on every PC on the network. Nothing specific. You should also do your OS customizations at this time if you have any. Then lastly, install the XenDesktop 5.6 VDA agent. Make sure you use AutoSelect.exe to install it and not the .msi on the CD or you will have issues. Your path will be something like this if you left the XenDesktop 5.6 install files somewhere on your DDC:

\\yourDDCservername\Downloads\XD5.6_VDI_Single2\XenDesktop56\AutoSelect.exe

78. Choose Advanced Install

79. Accept the EULA

80. Leave the default Virtual Desktop Agent

81. I usually uncheck Receiver. I like to deploy it later using the Enterprise version I want our users to be using.

82. Leave PVD disabled for now. You can enable personal vDisk later if you need to.

83. Type in the names of the DDCs. You can seperate multiple DDCs with spaces. They must be FQDNs. Hit the Check button to verify they can be resolved. Then hit Next when done.

84. Leave the VDA config settings the default and hit next

85. Hit next at the summary page

86. Hit Close and it will restart the VM.

87. When the VM is back to the login prompt, go ahead and shut it down. Then go to the PVS Console and swtich the vDisk from private to standard mode (multi-device) mode which makes it read-only. If you see a lock next to the vDisk, you may need to clear it first.

That’s it, you are now complete with your base image setup.

CREATING A XENSERVER VM TEMPLATE
88. Now you need to create a VM template that PVS will use to spin up new VMs with. You can simply create a copy of the VM you had been working on and convert that copy into a template or you can create one manually. I suggest copying and converting to a template, less change of screwing something up. If doing it manually though, in XenCenter run the “New VM” wizard. Choose the Windows 7 (64-bit) template.

89. Give it a name and description

90. Boot from network

91. Choose a host server

92. 2 vCPUs, 4 GB RAM (4096 MB)

93. Choose “Create a diskless VM that boots from the network” and hit Next.

94. Delete ALL the NICs, you will recreate in the right order in the next step. Click Add and add the PVS bond first, THEN the network bond. Same as before when you created the original VM. It is critical you get this right and it matches the VM.

95. Uncheck “Start the new VM automatically” and hit Finish.

96. Make sure to change the boot options to DVD drive only and move it to the top since we are using BDM (PVS boot disk). Also make sure to mount the PVS boot disk ISO at this time.

97. Right click the VM and click “Convert to Template…”

98. Hit Convert at the confirmation prompt

99. Now you can verify it is a template (blue box next to it) in XenCenter

PROVISIONING VMS USING THE PVS SERVER AND XENDESKTOP DDC
100. Now it’s time to start provisioning new VMs. In the PVS Console, right click on your site name and click “XenDesktop Setup Wizard…”

101. Hit Next at the Welcome screen

102. Type in the FQDN of only one of your DDCs and hit Next

103. Select the XenServer host you want to run your machines on and then hit Set Template to set the VM template.

104. Type in credentials for your XenServer and hit Log On, you will see all the templates on the host. Choose the VM template you had created in the steps above and hit OK and then Next.

105. Choose your Device Collection and vDisk

106. Now you can create a new Catalog or use an existing catalog. In this example, I am going to use an existing catalog. Select your Admins and hit Next.

107. Choose the number of VMs to create. I will choose 5 in this example. Leave the default of creating new AD computer accounts.

108. Choose the OU you want your new VMs to be put in. You can also choose the naming scheme for the new VMs at this point. You could use something like “VM-ACCT###” for your Accounting VMs for example. Hit Next.

109. You will see the Summary screen. Hit Finish and your VMs will start to be created. The progress bar will show you the progress but you can also go to XenCenter and watch the VMs beign created. They will not be powered on by default since you haven’t instructed your DDC to do so yet.

110. Now go to your DDC and open up Desktop Studio. Under Machines, you will see your catalog and it will show there are 5 free machines that have not been assigned.

111. Double click on the catalog and you will see the 5 machines but their SIDs since they have not been powered on yet.

112. Click on Assignments in the left and create a new Desktop Group

113. Choose your Catalog, add all 5 machines, and hit Next

114. Add your users and hit Next

115. Admins should already be selected so hit Next

116. Choose a Display Name and Desktop Group Name. The Display Name will be shown to the end user in the Web Interface. The Desktop Group name is for within Desktop Studio. Hit Finish.

117. Now go to your Web Interface (or the DDC itself in this example). Login using an account you have assigned one of your VMs to. If it’s the only thing on your WI, the desktop will start booting up immediately.

118. Log into your new VM and create and you will see the Welcome message. Yes my wallpaper, quicklaunch, visualizations are different from default Win7 because I was playing with some profile customizations when I took these screenshots. Just ignore that.

119. Create a new text document on the desktop. Then log off.

120. You will notice in XenCenter the VM you were on is now being shutdown automatically. Basically getting it ready for the next user with a clean slate.

121. Click the desktop icon again on the WI and it will launch the VM again. It will likely be another VM entirely you will be logging onto, but of course it will look the same. You will notice your text document is gone now. Exactly as expected.

That’s it! You are now up and running with your first provisioned desktops. Now you can create copies of the VHDs and begin customizing your images for different departments. Make sure the disks are in private mode when making your changes. You can also use the versioning feature for little changes to the images like Windows Updates. More on this later.

SETTING UP WRITE CACHE
So Write Cache is that big scary thing that can make or break your PVS implementation. Where you put it makes a world of difference. There are several options available where write cache can be stored. Most people opt for caching on a hidden local drive on the VM i.e. on your XenServer local disks or direct attached storage on the XenServer. It’s cheap and it works well for most implementations. Keep in mind it is not shared when you do this. Citrix has a good article called “How to Add a Persistent Volume to Your Provisioned Virtual Machine in XenServer” located here:

http://support.citrix.com/article/CTX125590

and another excellent blog post here on PVS write cache size considerations:

http://blogs.citrix.com/2011/10/06/pvs-write-cache-sizing-considerations/

So in our example so far, I had created the vDisk to leave the write cache on the PVS server. You can put the vDisk in private mode and skip directly to 127 if you like. But I want to leave old vDisk and provisioned desktops intact as an example and create a completely new vDisk and set of provisioned desktops with write cache on the XenServers instead. So we’re going to create a new vDisk from the old vDisk and then attach the new write cache drive to that. This is pretty straight forward but if you need more screenshots, leave a comment and I’ll take some:

122. Go to your Store, copy the .vhd file, paste it in the same location. Call the new VHD file whatever you like.

123. In the PVS Console, right click Store and click “Add or Import Existing vDisks. Search the store and add the vDisk you just created.

124. Under properties, make sure to enable “Enable Active Directory machine account password management” and KMS Service because they will likely not be checked when importing just the vhd.

125. Make sure the vDisk is in private mode

126. Go to your device collection and assign the vdisk to a device. You can use the original VM you were using to build out the Windows 7 image. Make sure it is set to boot from vDisk.

127. Go to XenCenter, click the Storage tab on your VM, and hit Add. You can name it something like “Win7MSDNBaseISO-WC”. We will leave the size as 10 GB. That’s a pretty decent size for a Windows 7 box rebooted once a week. Then hit Add.

128. Ensure the new disk was created with position 1. Position 0 should be your c: drive.

129. Now power on the VM, booting from the DVD and with the PVS boot disk in the drive. You will notice that Windows has detected a new drive under Disk Management. Initialize it.

130. Right click the new disk, New Simple Volume, choose the full size of the drive, assign it z:, and format it as NTFS, label the volume “Write Cache”, then hit Finish on the confirmation page to format it.

131. Shut down the VM. Detach the c:, leaving only the 10 GB z:. Copy it. Rename it to a template name, then hit Convert to template.

132. Go to your PVS console, under Store, and switch the vDisk to Standard Image and under Cache type, switch it to “Cache on device hard drive” and hit OK.

133. Go to your Site in the PVS Console and run through the XenDesktop setup wizard again like you did before but using your new template. Also go to your DDC and setup your desktop group, assignments, etc. like before but create a new desktop group so you know which ones are the new “local write cache” machines.

134. Launch one of your new VMs. You will see the Z: now called “Write Cache”. Also on the XenServer under local storage, you will see 10 GB drives created for all your VMs.

MAINTAINING YOUR VDISKS
Never update XenServer Tools in a vDisk after you have installed the PVS Target. It will destroy it. The PVS Target software talks to the XenServer Tools software and if it changes, the whole thing falls apart. In my experience, even changing hardware settings like the NIC order can cause all sorts of bad behavior. The best thing to do is build a new image and vDisk if you need to update XenServer Tools.

Other than that, you can put your vDisk in private mode and update anything else like normal, including Citrix Receiver. When doing little changes to a VM, take advantage of versioning. Little changes being stuff like Windows Updates, app updates, etc. If installing a giant application like Photoshop or AutoCAD or something, you’ll probably want to merge soon since the reads would be happening all over your disk for something that large.

I hope this post has been helpful to you. As you can see at over 130+ steps, there is a lot to know when deploying PVS with XenDesktop. Deploying with XenApp is mostly the same until you get to the OS and I can cover all that in another post. If you have any questions, comments, or tips please let me know in the comments section below. If I left out something, please let me know too.

If you are using ICA files to connect to a XenApp farm for whatever reason, and you are running Citrix Receiver Enterprise, it will attempt to passthrough credentials by default if you have setup Receiver to allow passthrough authentication using the ADM template. This is bad when you are trying to connect to a different domain because you will get the “The user name or password is incorrect” logon error message every time you launch the ICA file. It is trying to pass the wrong credentials:

You really don’t want to change your ADM file settings because that will break functionality for other things. The best way around this is to add these two lines to your ICA file:

UseLocalUserAndPassword=Off
AutoLogonAllowed=Off

Once you do that, launching the ICA file will work correctly and will show the domain the server is a member of:

When you login to your web interface and launch a new desktop, it might not launch and you might get this error in the application event log on the server:

Source: Citrix Web Interface
Event ID: 30105  
The Citrix servers do not trust the server. This message was reported from
the XML Service at address http://localhost/scripts/wpnbr.dll
[com.citrix.xml.NFuseProtocol.RequestAddress].
  [Unique Log ID: xxxxxxxx]

In previous versions of Presentation Server, the way to set the XML Trust was to go to your Access Management Console and edit the Properties of the each server. There would be an “XML Service” property near the bottom in the left navigation you could click on. Check the “Trust XML requests sent to the XML Service” box and hit OK. For the whole farm, open up the farm Properties and go to Farm-wide > XenApp > General and check the “XML Service DNS address resolution” check box and hit OK.

In previous versions of XenDesktop, you could go to your DDC and open up the Delivery Services console, right click on the farm properties go to Farm-wide > Desktop Delivery Controller > General and check the “XML Service DNS address resolution” and hit OK.

In XenApp 6.0, 6.5, etc. you need to open Delivery Services Console or AppCenter and go to Policies and hit the Computer tab. Edit the Unfiltered policy and find the XML Service near the bottom in the left hand navigation. When you click it, you will see “Trust XML requests”. Hit Add and set it to “Enabled” so the Citrix XML Service will trust requests sent to it and hit OK.

All this is from memory so if I missed something, let me know. I don’t have any consoles in front of me for the different environments at the moment except Desktop Studio or I would post screenshots for you. Let me know if you need them and I’ll take some screenshots this evening when I have a bit more time.

And now for the whole reason for this blog post. In XenDesktop 5.0, 5.5, etc., the Desktop Studio console does not have this option if you look in the Unfiltered policy under HDX Policy. That’s a totally different policy. You have to set the XML Trust via PowerShell now. So to set an XML Trusts policy, open up PowerShell and if you haven’t already, add the Citrix snapin which will give you the ability to use the Citrix cmdlets:

asnp citrix.*

Now enable the XML Trust:

Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

Done, if everything goes well, you should see no confirmation or error messages like this:

Now if you logout of your web interface, log back in, then attempt to launch the desktop, it should come right up and there are no more errors in your application event log.

You might get a request to to publish an Internet Explorer URL/link in XenApp for whatever reason. Web applications that use Java Runtime Environment (JRE)/Java applets do not play nicely with Citrix XenApp. The main problem is the Java cache. It wants to write its cache to:

C:\Program Files\Java\Cache\username\Sun\Java\Deployment\cache

by default during a XenApp session but nothing ever gets populated past the “username” part. The directory underneath will be blank and your web application will never load the Java applet.

I’m not a Java expert and I’m not even going to claim the following is any kind of best practice. But this is what I have done in my environments to make the web apps work using XenApp. If you have a better way of doing it, please do comment in this post.

So a little background, I am using Windows Server 2008 R2 with IE9 with Java (JRE) 6 Update 26 installed because my web app requires that specific version of Java.

1. Go to “C:\WINDOWS\Sun\Java\Deployment” and create a file called “deployment.config” with the following:

deployment.system.config=file\:C\:/WINDOWS/Sun/Java/Deployment/deployment.properties

2. Now create a file called “deployment.properties” in the same folder with your custom properties. What I do is generate a deployment file and then copy it over to this directory. To do this, open up Internet Explorer and go to your web app. Once Java is invoked, you will notice the Java icon in the notification bar in the bottom right.

Right click on it > Open Control Panel > Settings and you will see a path where temporary files are kept.

This is the default Java cache and will look like:

C:\Users\username\AppData\LocalLow\Sun\Java\Deployment\cache

Navigate to:

C:\Users\username\AppData\LocalLow\Sun\Java\Deployment\

and there will be a file called “deployment.properties” that was just generated for you. Just copy it over to the “C:\WINDOWS\Sun\Java\Deployment” folder as is.

Now you need to edit this file and specify the Java cache to be somewhere else. In my case, I want it to go to a folder on my D: drive called JavaCache. So all I add is this line (make sure the slashes are just like this, I know it’s a little odd):

deployment.user.cachedir=D\:\\JavaCache

So now my “deployment.properties” file will look like this:

#deployment.properties
#Mon Nov 28 13:17:40 CST 2011
deployment.javaws.cache.update=true
deployment.version=6.0
deployment.user.cachedir=D\:\\JavaCache
deployment.capture.mime.types=true
deployment.javapi.cache.update=true
deployment.browser.path=C\:\\Program Files (x86)\\Internet Explorer\\iexplore.exe
#Java Web Start jre's
#Mon Nov 28 13:17:40 CST 2011
deployment.javaws.jre.0.registered=true
deployment.javaws.jre.0.platform=1.6
deployment.javaws.jre.0.osname=Windows
deployment.javaws.jre.0.path=C\:\\Program Files (x86)\\Java\\jre6\\bin\\javaw.exe
deployment.javaws.jre.0.product=1.6.0_26
deployment.javaws.jre.0.osarch=x86
deployment.javaws.jre.0.location=http\://java.sun.com/products/autodl/j2se
deployment.javaws.jre.0.enabled=true
deployment.javaws.jre.0.args=

Yours will probably look different than mine depending on which version of JRE you have installed.

3. Make sure to create the location you specified above. It can be a blank folder and will be populated the first time someone invokes Java. So in my case, I created:

D:\JavaCache

4. Now publish IE and the URL like you normally would in the XenApp console. IMPORTANT NOTE: If you are using 32 bit IE and installed 32 bit Java, DO NOT publish 64 bit IE by accident. It will not be able to use the 32 bit Java. You will need to install 64 bit Java if you intend to use 64 bit IE.

Here is an example of how 32 bit IE should be published on Server 2008 R2 in XenApp 6.5:

Command line:
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" "http://www.google.com"

Working directory:
C:\Program Files (x86)\Internet Explorer

5. That’s it, now launch your published IE web app from your desktop via the WI and it should load just fine. Once Java is invoked, verify your Java cache is pointed at the new location. Just look in your notification area for the Java icon, right click on it > Open Control Panel > Settings and you should see “D:\JavaCache”.

One interesting thing to note, older versions of Java pull their deployment configuration from a different location. So if putting everything in:

C:\WINDOWS\Sun\Java\Deployment

does not work for you, try copying them to:

C:\Program Files (x86)\Java\jre6\lib

and everything should work. Just make sure to edit your “deployment.config” accordingly with the new path to “deployment.properties”. An example, I have a web app that requires JRE 6 Update 11 and it pulls the deployment info from the lib folder and completely ignores the one in the Windows folder:

I also want to note that Oracle has pretty good documentation on configuring the deployment configuration file to your liking here:

http://docs.oracle.com/javase/1.5.0/docs/guide/deployment/deployment-guide/properties.html

You can do quite a bit of customization to it. Some of my web apps require certain things to be configured in Java such as suppressing certain warning messages and I have used this article to set those switches. For example setting the Java System Cache:

deployment.system.cachedir=D\:\\JavaSystemCache

or Trusted Certs store:

deployment.user.security.trusted.certs=D\:\\JavaCertStore\\security\\trusted.certs
deployment.system.security.trusted.certs=D\:\\JavaCertStore\\security\\trusted.certs

or getting rid of Java warning prompts:

deployment.security.notinca.warning=false
deployment.security.expired.warning=false
deployment.security.mixcode=HIDE_RUN

or even setting Java heap size memory limits:

deployment.javaws.jre.0.args=-Xmx256m -Xms64m
deployment.javapi.jre.0.args=-Xmx256m -Xms64m

where 0 should be the Java version, but it has worked for me without having to specify it in the past. If you do want to put the version it should be like this:

deployment.javaws.jre.1.6.0.args=-Xmx256m -Xms64m
deployment.javapi.jre.1.6.0.args=-Xmx256m -Xms64m

Again, I’m not a Java expert so there may be an easier way of doing this but this is how I have been able to get my Java web apps to work with XenApp. Let me know of your experiences.

If you ever wanted to force an uninstall of XenApp or Presentation Server, you can do it with just one command. There are many scenarios where you might have to do this. Forcing an uninstall should always be a last resort though. You just navigate to your setup files to where mps.msi is located and run the following. In this example, I have copied the XenApp 6.5 install files to my D: drive:

D:\InstallFiles\XenApp6.5\XenApp Server\w2k8x64

and type the following command:

msiexec /x MPS.msi CTX_MF_FORCE_SUBSYSTEM_UNINSTALL=YES

This will bring up the following prompt:

and then you just run through the uninstaller and reboot when it prompts you.

Now if you don’t have mps.msi on your server and don’t have time to find the media and copy the install files over, here is a nice trick. Open regedit to edit your registry and navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Now find the key with the Display Name of Citrix Presentation Server or XenApp, here is a screenshot from a Presentation Server 4.5 box for example:

Right on the key and copy the key name:

Paste it into Notepad. It will be the full path of the key but just copy the key part only:

Then open up a command prompt and type the following but with the key you saw on your server. Here is mine for example::

msiexec /x {44412985-02EE-4824-9EA5-B2AF6D98924E} CTX_MF_FORCE_SUBSYSTEM_UNINSTALL=YES

Once you hit enter, it will pop up with the uninstall dialog and you can run through it to complete your uninstall:

Just keep in mind that the force uninstall switch only uninstalls XenApp/Presentation Server. It will not uninstall all of the little plugins and other modules that were install when you original setup your Citrix server:

BEFORE:

AFTER: