JasonSamuel.com

Wow, long title there! Just like it says, I’m going to cover opening Sharepoint documents in a Windows 7 XenDesktop VDI session using XenApp published Office products with content redirection enabled. Here’s an example scenario:

• Your company uses Sharepoint and the URL is http:\\sharepoint.domain.com. It is part of the Local Intranet zone in IE.
• Your users are using Windows 7 VDI/XenDesktop VMs with Citrix Receiver Enterprise pulling published apps into the Start menu.
• You have Office 2010 products (Word 2010, Excel 2010, Visio 2010, etc) published via XenApp with content redirection enabled so .docx, .xlsx, .vsd files launched in the VDI session will open using the published Office app.
• Your users want to click on a Word, Excel, Visio, etc. document in a Sharepoint document library and click the Edit button to edit the document instead of just Read Only. They expect the published Office app to launch and allow them to edit the document.

THE PROBLEMS
In this scenario, when the user clicks on let’s say a Visio document in Sharepoint, the published app will launch but the document will not be sucked in. You’ll get a “File not found” error and if you look closely, the URL begins with “\\” as if it’s a UNC path instead of an HTTP path:

If you click OK, Visio will open but no diagram will open.

If you right click, Save As the Visio diagram to your C: drive and attempt to open it locally, it will launch the published Visio instance but will give you the following “File not found” error:

Again, look closely. It says “\\Client\” instead of your VM’s name.

THE FIXES
Well, really it’s 1 fix and 1 workaround for now. Let’s start with the fix first. We’re going to get local files and files residing on network shares launching right using the published app. I’m going to use Visio and a .vsd file again as the example:

1. On the Windows 7 VM, you must enabled Native Drive Mapping to be able to launch the .vsd file via published Visio. You can follow the CTX article here to make the registry change:

http://support.citrix.com/article/CTX130378

or you can enforce it via group policy. One thing though, on Windows 7 x64 the path is:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Engine\Configuration\
Advanced\Modules\ClientDrive

NativeDriveMapping
Reg Type: REG_SZ
Add the Value: True

Once the value is set to TRUE, try launching the .vsd file you saved to your hard drive or on a network share. It will launch immediately. Then go to File – Save As in Visio and checkout the path bar. It will say “\\Client\C$\Users\xxxx\”. So now your system recognizes the word “Client”.

This is because you’re going through 2 virtualization layers. Citrix has an excellent article detailing how Client drives are passed through multiple sessions here:
http://support.citrix.com/article/CTX127872

You can also read more about the NativeDriveMapping key here:
http://support.citrix.com/article/CTX124389

Additionally here is a really good CTX article from Citrix that covers Client Drive Mapping troubleshooting that might be helpful to you:
http://support.citrix.com/article/CTX238200

And some info describing differences in Client drive mapping between the different versions of XenApp and Presentation Server here:
http://support.citrix.com/article/CTX127614

2. Now back to Visio diagrams in Sharepoint. First you need to verify content redirection is behaving correctly. In my case, I needed to make sure to change the published app location to include the “%**” switch. By default when you enable content direction, it will be:

"D:\Program Files (x86)\Microsoft Office\Office14\VISIO.EXE" "%*"

with just one asterisk. You need to add two so it looks like this:

"D:\Program Files (x86)\Microsoft Office\Office14\VISIO.EXE" "%**"

The reason for this is documented in this CTX article:

http://support.citrix.com/article/CTX116887

This was written for Presentation Server 4.5 but it still applies to XenApp 6.5 just fine.

Once you get content redirection squared away on your XenApp server, things will still not work correctly unfortunately when opening docs in Sharepoint in your XenDesktop session. You can try right clicking and editing but you will still get the File not found error. This error has nothing to do with Client Drive Mapping. Being a Sharepoint Architect in a previous role long ago, my gut feeling was this is a WebDAV issue. Remember, Sharepoint uses WebDAV with document libraries though to the casual observer it might appear to be a UNC file share path. My gut was telling me Receiver was not handling WebDav paths correctly and was treating them like regular SMB file share paths. No proof this is the culprit just yet, only a hunch.

Let’s run an experiment. In your Sharepoint document library, click Actions > Open with Windows Explorer:

You’ll notice the path bar says “http://sharepoint.domain.com” when you open it here:

Go ahead and launch the Visio diagram in this document library. When you try and launch it, it will launch published Visio and give you the same File not Found error as before. In some scenarios even an Access Denied error though it never actually was able to find the file. Again, it is looking for “\\sharepoint.domain.com” instead of using WebDAV (or the DavWWWRoot keyword) which should be parsed like the HTTP protocol “http:\\sharepoint.domain.com”. Sharepoint Content Redirection is never going to work because Citrix Receiver doesn’t know how to get there. One work around is to tell your users to save locally, edit, then upload. But this is annoying and most users will complain.

I started thinking Mini Redirector (which is Microsoft’s WebDav client and part of the Windows 7 OS) was trying to hand-off the DavWWWRoot keyword in the URL to Receiver and Receiver didn’t know what to do with it. Looking at the URL though it didn’t even seem to be passing it through. It was as if it was passing a straight UNC path. Or maybe is was not talking to owssupp.dll which is required to interact with and edit docs in Sharepoint. Maybe somehow it wasn’t handing off through Receiver properly. Now I was really starting to go down the rabbit hole and before I dug further, I figured I’d give Citrix Support a call and see if they had any input.

I was able to talk to a XenApp support technician and a XenApp Developer who were both very knowledgeable. I explained my WebDav theory and we ran a little experiment. We ran Process Monitor from my Windows 7 workstation and attempted to edit a simple Word document in Sharepoint. The published version of Word launched as expected and failed to find the file. Here is the URL that was passed to the PNAgent when we used the Process Tree display:

You can see that it passed:

\\Client\\\sharepoint.domain.com\link\to\doc\repository\test jason.docx"

Looks a bit odd, doesn’t it? No wonder it can’t find the file.

Then we went to the XenApp server with Word 2010 installed locally, opened Internet Explorer, and navigated to the Sharepoint document library. When I clicked Edit on the Word document this time, this is what was passed to the locally installed Word:

And of course the Word document successfully launched. You can see it passed a nicely formatted HTTP URL:

http://sharepoint.domain.com/link/to/doc/repository/test%20jason.docx"

The XenApp Developer verified this was actually a bug and needed to be fixed. It may or may not be WebDav related, but he confirmed there is definitely a disconnect at the Content Redirection level via Sharepoint as I had suspected. It has been added to their bug queue to get taken care of.

In the mean time, his suggestion is to publish Sharepoint itself on the same server Office 2010 products are installed on (publish IE passing the Sharepoint URL during launch). This is a good workaround but may annoy a few users. I always hate publishing IE because of the stuff you have to do to lock down/harden the browser. People can get confused and start browsing to Youtube or other process intensive websites using this published instance of IE if you don’t completely lock down the allowed URLs. This can cause a severe impact on XenApp performance for all users on the box. If I limit tabs, then people start complaining they can’t open additional tabs and the helpdesk gets flooded with phone calls. So just keep that in mind if you use this workaround.

Another work around I found online is by Anthony Obi:

http://community.obilogic.co.uk/blogs/teamblog/archive/2011/10/25/sharepoint-2010-edit-document-via-citrix-xenapp.aspx

He has an issue where owssupp.dll was not being detected on the client system (because it wasn’t there) and added an extra menu item in his Sharepoint deployment to edit documents as a work around. He modified the new Edit action to launch some Javascript that talks to PNAgent.exe that then talks to the published Office instance and passes the correct URL. This might work as well for you but of course it requires a modification of your Sharepoint environment and end user training.

I will post here as I get updates from Citrix Support on this issue. It’s a fairly unique scenario but definitely not uncommon in the real world as application delivery and desktop virtualization continue to be separated through multiple layers.

Had an interesting morning. Our network team discovered my workstation was making around 6000 requests an hour on RDP port 3389 through our internal firewall to an unroutable network reserved in our server subnet. Basically a SYN flood (DOS/Denial of Service attack) was being executed internally from my workstation. I know my machine is clean and the only thing I had open was XenCenter. It had been running for about a week now, that was the last time I rebooted my workstation. So time to put on the detective hat and figure this one out.

While using TCPView to do a live netstat, I discovered that XenCenter by default will always establish a connection via RDP when you click the Console tab. It tests to see if RDP is available on the VM and then ungreys that “Switch to Remote Desktop” option. Even if you are using a console session, XenCenter wants to see if RDP is an available option to you. You know that little flash of the console you usually see after hitting the Console tab? That’s the XenCenter console checking for RDP and “connecting” to the VM transparently to verify RDP is available. Not so transparent and actually annoying but I never thought too much about it.

SYN_SENT on 3389:

Established connection:

Terminating connection:

The problem is in a PVS environment, you usually have your network split between a streaming traffic NIC and a regular traffic NIC. The streaming traffic NIC is supposed to be the first NIC/device. So Device 0. It will look something like this on all your VMs:

Where the first streaming NIC is only routable within the Blade enclosure or server subnet and the secondary NIC routable and used for regular network traffic.

Well the problem is that when you click the Console tab on one of these VMs, XenCenter will send a SYN request to what IP is at Device 0. So in our case, an unroutable IP in the server subnet.

Not a problem right? Well it never stops. It continuously sends the SYN requests attempting to connect. Even if you click off the Console tab or go to another VM, it continues to try RDP on that IP. Our firewall separating workstation and server subnets was getting hammered. You can verify because your Console will have the “Switch to Remote Desktop” option greyed out during this whole process.

and TCPView will show all those little red SYN_Sent attempts. After a few days of leaving XenCenter up and clicking from console to console, the amount of traffic hitting your firewall will be tremendous. It will look like a SYN flood attack. If you have an IPS or IDPS (Intrusion Prevention or Intrusion Detection & Prevention System), it might even shut down your port.

I called Citrix and submitted a ticket with their development team. I got a call back later and there is a work around. In XenCenter, go to Tools > Options > and click the Console option. Then uncheck “Enable Remote Desktop console scanning”:

When you uncheck this, it will also uncheck “Automatically switch to the Remote Desktop console when it becomes available”. This is fine:

After this you will notice the SYN flood will immediately stop and all your VMs will now have the “Switch to Remote Desktop” option ungreyed from the get go. If you click it, then it will attempt the RDP connection and you will see the SYN_Sent again:

In my opinion, Citrix should fix this but stopping the SYN requests after you click away from the Console tab. This is not an issue that will impact many people but if you are running a PVS environment and you have it setup using Citrix best practices with 2 NICs and the streaming NIC is not accessible from your workstation subnet, you will eventually run into this issue. The longer you keep XenCenter open, the worse it will get.

If I get any updates from Citrix on a fix, I will post here. For now the work around will work fine. You just won’t have the Remote Desktop automatic console scanning available for your regular environments anymore. Not really a big loss for me but it might be for you depending on your environment.

We came across an issue getting Symantec Endpoint Protection 12 working with Provisioning Services 6.1. When you install SEP 12 on the Windows 7 VM, it causes the VM to freeze during the install. Sometimes it actually finished installing but then immediately after the VM freezes. In both cases you have to force a reboot. Once the VM is back up, you are not able to login using domain credentials. It will give you a “The trust relationship between this workstation and primary domain failed” error message. So you have to use local admin credentials. Once you are in, some of your apps might be broken. Symantec is sometimes in a half installed state. Running LiveUpdate fails. Your OS is pretty much hosed at this point and you have to start all over.

Through extensive testing, we discovered that SEP 12 was somehow impacting the network stack causing the vDisk to disconnect. SEP and the PVS Target software were vying for control.

We escalated this through Symantec and were finally told there is a compatibility issue between SEP 12 and PVS 6.1 but it is not public knowledge yet. There is an internal ETrack on the issue. SEP 12 has been used with PVS 5.x and provisioned desktops successfully. When Citrix released PVS 6.x, a driver was changed from the previous version and issues have been seen on provisioned desktops if any of the following 3 SEP modules are installed: Advanced Download Protection, SONAR Protection, and IPS. Symantec is working on a code change, but meanwhile you can leave out these modules.

After performing more tests without these 3 modules installed, SEP 12 is installing and running normally without impacting the PVS infrastructure. This is version 12.1.1101 shown below we have tested on. Hopefully a newer version of SEP will be fully compatible with PVS. After the install is done, run a full scan, run the VIE tool (Virtual Image Exception tool), reset your hardware IDs, and you’re ready to spin up VMs in standard/read only vDisk mode.

UPDATE: September 28, 2012
Symantec released an update to fix this as part of their definitions from September 4th onward. It comes to the SEPM automatically as part of the daily update process so everyone should have it at this point. No manual patch or fix is needed. It changes the timing of Symantec. Symantec and the PVS Target will no longer vie for control of the network stack as I understand it. Symantec will start delayed after the PVS Target has fully started. I don’t have any further technical details but I am hoping Symantec will have a KB up soon covering this. We have been testing and everything seems to be working well.

Once a company has a XenDesktop or XenApp environment that is pretty mature, they often turn to Citrix Provisioning Services (PVS) to help scale the environment. There are many reasons to use or not use PVS for your VDI or XenApp environment and that’s a whole other discussion. The purpose of this blog post is to get you familiar with how to implement it. There are not a whole lot of step by step guides out there and PVS can be a real beast to wrap your head around if you are not familiar with it.

Now for the disclaimer. This guide will describe how I do things for my PVS environments. This will probably be different for your environment so make sure you thoroughly understand the reasoning behind each step and how it applies to your environment. What works for me may not work for you.

So let’s get started!

INSTALLATION
You must be logged into the PVS server using a service with DBO rights or the install will fail. Have your DBA set the service account to SA temporarily for the install. After install, remove SA rights and just give these rights only:

• dbcreator; required for creating the database
• securityadmin; required for creating the SQL logins for the stream and soap services
• db_datareader
• db_datawriter
• execute permissions on stored procedures

I find this to be the most pain free method of getting PVS installed with no DB errors. Now on to the actual steps:

1. Enable Application Server role (.NET features will be automatically installed)

2. Start Wizard, hit Console installation, run through all of it. Just hit next accept all the license agreements and let it install everything until you get to the path to install part.

3. Choose Path for install (change to D:)

4. Choose Complete install

5. Once done, click Server Installation on wizard home page > Install Server

6. Install SQLncx64 when prompted

7. Change path to D:

8. Choose Complete install

And you’re done! Not very hard at all.

CONFIGURATION
Now we get to the slightly harder part, configuration. This is going to depend a lot on how you have your hardware setup. I want each of my Windows 7 provisioned desktops to have 2 NICs. One NIC is for regular network traffic and the other for streaming traffic. You don’t have to have 2 NICs and separate your traffic like this but I do for production environments. It is really only beneficial for large scale implementations so if you are doing something smaller scale or for a test environment, 1 NIC will suffice. Just keep in mind everything below in my guide is written as if you have 2 NICs:

9. For DHCP, choose service that runs on this computer and choose Microsoft DHCP. So the PVS server will have the DHCP server role running and it will be handing out streaming network IPs to the VMs as they boot. They will get regular network IPs from your regular DHCP servers just like any physical box on the network. More on this later.

10. For PXE boot, choose service that runs on this computer and choose Microsoft DHCP as well.

11. Create farm or join farm depending on what you’re doing.

12. Either choice will will ask for database info on next page

13. Type in your DB info and hit Next

14. Choose a database ***DO NOT USE A PRE-CREATED DB, just type the new DB name in the Database name box and it will create it automatically once you hit Next***. I’ve run into numerous issues in the past attempting to pre-create a database. I’m telling you now, get SA rights temporarily as I mentioned in the first part of this guide if you can. It will make your life easier.

15. My E: drive on my PVS Server is a high performance flash based IO accelerator card in this case. That is where I will put my Store. You will want some very read friendly storage for your Store as this is where you will be putting all your golden images.

16. Type in your license server info.

17. Keep user account as Network service account

18. Hit Yes wen prompted for configuring the database with the account

19. Leave password updates to the default of 7

20. Check the teamed NIC for the “Provisioning” network, not the regular network traffic network. In this case my streaming traffic/provisioning network is only routable within my blade enclosure and my interface has an IP of 192.0.0.1

21. Check the Use the PVS TFTP service option

22. Leave the default for stream servers boot list. It should be the IP of the server itself on the “provisioning” network.

23. Advanced button has some settings, leave default

24. Hit finish on confirmation page. It should look something like this.

25. Go to your NIC for PVS traffic (or teamed NIC) on your PVS server and disable IPv6. Leaving it enabled can lead to issues.

26. If using your server for DHCP as well as I mentioned above, install the DHCP Server role.

27. Select just the PVS network

28. 0.0.0.0 for the DNS servers

29. WINS not required

30. Create your scope

31. Disable DHCPv6

32. I skipped authorization when taking the screenshots but you should do it now if possible.

33. Confirm and install

BUILDING YOUR BASE IMAGE
Now on to building your Windows 7 base image. This is the base image that will be completely clean, very little customization. This will be the primer for your golden images later.

Building an image is not to be taken lightly. These two articles from Citrix are a good read so you have a solid understand of what you are going to do.

CTX121028 “Best Practices for Creating a XenDesktop Image” is an older article but still a good read if you are building your image for the first time:

http://support.citrix.com/article/CTX121028

CTX131481 “Recommended Install Order for Preparing Target Device Captured by Provisioning Server to Deploy vDisk” is a bit newer and is also a good resource you should read through before proceeding:

http://support.citrix.com/article/CTX131481

34. So first you need to build a VM out. Just go to XenCenter and run the “New VM” wizard. Choose the Windows 7 (64-bit) template.

35. Give it a name and description

36. Choose the MSDN Windows 7 ISO

37. Choose a host server

38. 2 vCPUs, 4 GB RAM (4096 MB)

39. Choose local storage for the disk. You can add more disks or even increase the size of a disk under Properties.

40. Delete ALL the NICs, you will recreate in the right order in the next step.

41. Click Add and add the PVS bond first, THEN the network bond. So in the example Bond 4+5 first, then Bond 2+3. Note: This is a critical step. Changing the order or adding/removing NICs later is not recommended as it breaks stuff between the XenServer Tools and PVS Target agent in my experience. Get your network setup right the first time and in the right order to avoid issues. Always put the PVS network first, network traffic second.

42. Hit Finish on confirmation page to build the VM

43. Go to the console of the new VM and run through the Windows 7 setup wizard. When it comes time to name the PC, make sure it is not a name that already exists on your network. In this example I will use “Win7MSDNBaseISO” for demo purposes but you should come up with some kind of naming scheme for your environment since you will eventually have several golden images and you don’t want to confuse them. Something like “GOLD-ACCT01″ for your Accounting departments first golden image, etc.

44. Login and install XenServer Tools. Without it your NICs will act wonky. Like sending malformed packets and such which cause an HTTP 400 server error to any website you navigate to. You will need to reboot after the install. Once it’s back up, it will detect the NICs and likely prompt you to reboot again after installing the new hardware so go ahead and do it.

45. Log back in and then run your Windows Updates and/or Microsoft Updates. Don’t install any company related apps yet if at all possible. Make it as generic and clean as possible. Remember, you are building a base image to suck into a vDisk, not a golden image just yet. Whether you have just one golden image for your whole company (not likely in most environments) or several per department, try to keep the base image as lean as possible. You’ll also notice your NICs are now labeled are looking a lot healthier than before as well. Adapter 0 may say Unidentified network since your provisioning network should ideally be private. **NOTE: You can add the machine to the domain but, DO NOT install the VDA agent yet.

46. If you click on the network tab, you will notice both NICs have IPs whereas before the XenSever tools install it was Unknown.

47. Snapshot your VM. It’s not necessary but I like to as a precaution. From here if I mess up on something or forgot something, it’s easy to revert to my snapshot and fix whatever needs fixing. Beyond this point it becomes tricky.

48. Now install the Provisioning Server Target Device Software from the PVS ISO. Just click the Autorun.exe.

49. Click Target Device Installation

50. Hit Target Device Installation on the 2nd page too and it will launch the wizard. Run through the EULA and hit Next through all the windows until the install is done.

51. Uncheck the Launch Imaging Wizard link and hit Finish.

52. Hit Yes to reboot and mount your PVS boot disk as the VM comes back up or you can just shut down for now if you don’t have one yet.

53. Open up Provisioning Services Boot Device Manager (BDM) on your PVS server and create an ISO if you don’t have one already. It needs to have the IP address of the server on the provisioning network NIC.

54. Options can all be default

55. Use DHCP, swith the Boot Device to Citrix ISO Image Recorder, then hit Burn. Drop the ISO in an ISO Library your XenCenter can see.

56. Here’s where things may differ for you if you have used older versions of PVS before Imaging Wizard is where its at today. The old way of doing things was pre-creating a device on your PVS server with the same MAC address as the VM’s NIC, pre-creating a vDisk and calculating the necessary size, formatting it, assigning the vDisk to the device, then running BNImage to capture the system and push it into the vDisk. None of this manual work is necessary anymore. The Imaging Wizard works really well and will do everything for you. I actually first took screenshots of everything the manual way just for reference so you know where to look if something breaks. But then I figured that showing that whole process might confuse you so I will show you the Imaging Wizard way only. If you need me to, I can post an addendum to this article showing the manual way. Just leave a comment if you’d like to see it.

So now log back in once the VM is up and start Imaging Wizard. Enter your PVS server farm details.

57. Hit next and let it Create a new vDisk. Just hit Next again.

58. Give the vDisk a name. The vDisk size in the store will automatically be calculated. I left the VHD type to Fixed but you can choose Dynamic. Citrix has started recommending Dynamic as a best practice these days. I like to do 16 MB block size if doing Dynamic personally. It just means it will grow in 16 MB chunks. Again, make sure you select a good naming scheme for your vDisks as it becomes very important to keep them organized.

59. Choose KMS for key management (assuming you are using KMS)

60. Leave the image volume sizes all default

61. Type in a target device name, choose your streaming traffic NIC, and choose a collection:

62. On the confirmation page, click Optimize for Provisioning Services.

63. This will make a ton of registry changes that will optimize your image for PVS using ngen.exe in a cmd prompt window. Just hit OK and wait several minutes as it completes this process.

64. Once it’s done, hit Finish to begin prepping the vDisk on your PVS server’s store. It will immediately allocate the space for the vDisk since you are using Fixed so make sure there is enough room.

65. Once it’s done, it will ask to Reboot. Hit No.

66. Now right click on the VM in XenCenter and change the DVD Drive boot order to first and disable everything else.

67. Change the ISO in the DVD drive to the ISO you burned above.

68. Now go back to your PVS console and verify the device now has the vDisk attached under it’s properties. You can also choose to list the local hard disk in the boot menu.

69. Now you can reboot your VM. It will boot using your ISO, connect to the PVS server, obtain an IP on the PVS network, connect the virual disk you created. The vDisk is still in private mode. You can verify this in the PVS console easily. Just refresh and you will see a green check mark next to the device. It will have an IP and will tell you which PVS server it is connected to.

70. Log back into your VM now. It will automatically kick off the vDisk capture by loading XenConvert to capture the image. It will begin pushing your image to the vDisk you created on your PVS server.

71. Sometimes there may be errors (non-critical) but make sure to read the log and verify there is nothing critical in there. Then hit Finish.

72. You will be logged back into your Windows 7 VM at this point. Go ahead and shut it down.

73. Go to your PVS server and change the Boot From properties on your device to vDisk.

74. Now go to the storage options of your VM and detach the local storage on your XenServer. You don’t need it anymore. Then boot up your VM again. This time you will be booting directly into the vDisk image you had pushed across before on the server.

75. In the system tray menu, you can verify your vDisk is connected. Also in Explorer, you will only see the c: drive which is your vDisk.

76. I HIGHLY recommend you make a backup copy of the .vhd in your Store right now. It is a clean image with no apps and if something happens, this is the image you can revert back to. Think of it as your “Stage 1″ vDisk. Make the copy and store it away somewhere safe. Once you do that, since it is still in private mode and if you haven’t done so already earlier, go ahead and add it to the domain. Then reboot when prompted. Don’t forget to add your necessary security groups as local admins before rebooting.

77. Log back in and install and other apps your company may need for the base image. You can begin installing core applications like Adobe Reader, Flash, SEP, SnagIt, NAC agent, etc. Apps that need to reside on every PC on the network. Nothing specific. You should also do your OS customizations at this time if you have any. Then lastly, install the XenDesktop 5.6 VDA agent. Make sure you use AutoSelect.exe to install it and not the .msi on the CD or you will have issues. Your path will be something like this if you left the XenDesktop 5.6 install files somewhere on your DDC:

\\yourDDCservername\Downloads\XD5.6_VDI_Single2\XenDesktop56\AutoSelect.exe

78. Choose Advanced Install

79. Accept the EULA

80. Leave the default Virtual Desktop Agent

81. I usually uncheck Receiver. I like to deploy it later using the Enterprise version I want our users to be using.

82. Leave PVD disabled for now. You can enable personal vDisk later if you need to.

83. Type in the names of the DDCs. You can seperate multiple DDCs with spaces. They must be FQDNs. Hit the Check button to verify they can be resolved. Then hit Next when done.

84. Leave the VDA config settings the default and hit next

85. Hit next at the summary page

86. Hit Close and it will restart the VM.

87. When the VM is back to the login prompt, go ahead and shut it down. Then go to the PVS Console and swtich the vDisk from private to standard mode (multi-device) mode which makes it read-only. If you see a lock next to the vDisk, you may need to clear it first.

That’s it, you are now complete with your base image setup.

CREATING A XENSERVER VM TEMPLATE
88. Now you need to create a VM template that PVS will use to spin up new VMs with. You can simply create a copy of the VM you had been working on and convert that copy into a template or you can create one manually. I suggest copying and converting to a template, less change of screwing something up. If doing it manually though, in XenCenter run the “New VM” wizard. Choose the Windows 7 (64-bit) template.

89. Give it a name and description

90. Boot from network

91. Choose a host server

92. 2 vCPUs, 4 GB RAM (4096 MB)

93. Choose “Create a diskless VM that boots from the network” and hit Next.

94. Delete ALL the NICs, you will recreate in the right order in the next step. Click Add and add the PVS bond first, THEN the network bond. Same as before when you created the original VM. It is critical you get this right and it matches the VM.

95. Uncheck “Start the new VM automatically” and hit Finish.

96. Make sure to change the boot options to DVD drive only and move it to the top since we are using BDM (PVS boot disk). Also make sure to mount the PVS boot disk ISO at this time.

97. Right click the VM and click “Convert to Template…”

98. Hit Convert at the confirmation prompt

99. Now you can verify it is a template (blue box next to it) in XenCenter

PROVISIONING VMS USING THE PVS SERVER AND XENDESKTOP DDC
100. Now it’s time to start provisioning new VMs. In the PVS Console, right click on your site name and click “XenDesktop Setup Wizard…”

101. Hit Next at the Welcome screen

102. Type in the FQDN of only one of your DDCs and hit Next

103. Select the XenServer host you want to run your machines on and then hit Set Template to set the VM template.

104. Type in credentials for your XenServer and hit Log On, you will see all the templates on the host. Choose the VM template you had created in the steps above and hit OK and then Next.

105. Choose your Device Collection and vDisk

106. Now you can create a new Catalog or use an existing catalog. In this example, I am going to use an existing catalog. Select your Admins and hit Next.

107. Choose the number of VMs to create. I will choose 5 in this example. Leave the default of creating new AD computer accounts.

108. Choose the OU you want your new VMs to be put in. You can also choose the naming scheme for the new VMs at this point. You could use something like “VM-ACCT###” for your Accounting VMs for example. Hit Next.

109. You will see the Summary screen. Hit Finish and your VMs will start to be created. The progress bar will show you the progress but you can also go to XenCenter and watch the VMs beign created. They will not be powered on by default since you haven’t instructed your DDC to do so yet.

110. Now go to your DDC and open up Desktop Studio. Under Machines, you will see your catalog and it will show there are 5 free machines that have not been assigned.

111. Double click on the catalog and you will see the 5 machines but their SIDs since they have not been powered on yet.

112. Click on Assignments in the left and create a new Desktop Group

113. Choose your Catalog, add all 5 machines, and hit Next

114. Add your users and hit Next

115. Admins should already be selected so hit Next

116. Choose a Display Name and Desktop Group Name. The Display Name will be shown to the end user in the Web Interface. The Desktop Group name is for within Desktop Studio. Hit Finish.

117. Now go to your Web Interface (or the DDC itself in this example). Login using an account you have assigned one of your VMs to. If it’s the only thing on your WI, the desktop will start booting up immediately.

118. Log into your new VM and create and you will see the Welcome message. Yes my wallpaper, quicklaunch, visualizations are different from default Win7 because I was playing with some profile customizations when I took these screenshots. Just ignore that.

119. Create a new text document on the desktop. Then log off.

120. You will notice in XenCenter the VM you were on is now being shutdown automatically. Basically getting it ready for the next user with a clean slate.

121. Click the desktop icon again on the WI and it will launch the VM again. It will likely be another VM entirely you will be logging onto, but of course it will look the same. You will notice your text document is gone now. Exactly as expected.

That’s it! You are now up and running with your first provisioned desktops. Now you can create copies of the VHDs and begin customizing your images for different departments. Make sure the disks are in private mode when making your changes. You can also use the versioning feature for little changes to the images like Windows Updates. More on this later.

SETTING UP WRITE CACHE
So Write Cache is that big scary thing that can make or break your PVS implementation. Where you put it makes a world of difference. There are several options available where write cache can be stored. Most people opt for caching on a hidden local drive on the VM i.e. on your XenServer local disks or direct attached storage on the XenServer. It’s cheap and it works well for most implementations. Keep in mind it is not shared when you do this. Citrix has a good article called “How to Add a Persistent Volume to Your Provisioned Virtual Machine in XenServer” located here:

http://support.citrix.com/article/CTX125590

and another excellent blog post here on PVS write cache size considerations:

http://blogs.citrix.com/2011/10/06/pvs-write-cache-sizing-considerations/

So in our example so far, I had created the vDisk to leave the write cache on the PVS server. You can put the vDisk in private mode and skip directly to 127 if you like. But I want to leave old vDisk and provisioned desktops intact as an example and create a completely new vDisk and set of provisioned desktops with write cache on the XenServers instead. So we’re going to create a new vDisk from the old vDisk and then attach the new write cache drive to that. This is pretty straight forward but if you need more screenshots, leave a comment and I’ll take some:

122. Go to your Store, copy the .vhd file, paste it in the same location. Call the new VHD file whatever you like.

123. In the PVS Console, right click Store and click “Add or Import Existing vDisks. Search the store and add the vDisk you just created.

124. Under properties, make sure to enable “Enable Active Directory machine account password management” and KMS Service because they will likely not be checked when importing just the vhd.

125. Make sure the vDisk is in private mode

126. Go to your device collection and assign the vdisk to a device. You can use the original VM you were using to build out the Windows 7 image. Make sure it is set to boot from vDisk.

127. Go to XenCenter, click the Storage tab on your VM, and hit Add. You can name it something like “Win7MSDNBaseISO-WC”. We will leave the size as 10 GB. That’s a pretty decent size for a Windows 7 box rebooted once a week. Then hit Add.

128. Ensure the new disk was created with position 1. Position 0 should be your c: drive.

129. Now power on the VM, booting from the DVD and with the PVS boot disk in the drive. You will notice that Windows has detected a new drive under Disk Management. Initialize it.

130. Right click the new disk, New Simple Volume, choose the full size of the drive, assign it z:, and format it as NTFS, label the volume “Write Cache”, then hit Finish on the confirmation page to format it.

131. Shut down the VM. Detach the c:, leaving only the 10 GB z:. Copy it. Rename it to a template name, then hit Convert to template.

132. Go to your PVS console, under Store, and switch the vDisk to Standard Image and under Cache type, switch it to “Cache on device hard drive” and hit OK.

133. Go to your Site in the PVS Console and run through the XenDesktop setup wizard again like you did before but using your new template. Also go to your DDC and setup your desktop group, assignments, etc. like before but create a new desktop group so you know which ones are the new “local write cache” machines.

134. Launch one of your new VMs. You will see the Z: now called “Write Cache”. Also on the XenServer under local storage, you will see 10 GB drives created for all your VMs.

MAINTAINING YOUR VDISKS
Never update XenServer Tools in a vDisk after you have installed the PVS Target. It will destroy it. The PVS Target software talks to the XenServer Tools software and if it changes, the whole thing falls apart. In my experience, even changing hardware settings like the NIC order can cause all sorts of bad behavior. The best thing to do is build a new image and vDisk if you need to update XenServer Tools.

Other than that, you can put your vDisk in private mode and update anything else like normal, including Citrix Receiver. When doing little changes to a VM, take advantage of versioning. Little changes being stuff like Windows Updates, app updates, etc. If installing a giant application like Photoshop or AutoCAD or something, you’ll probably want to merge soon since the reads would be happening all over your disk for something that large.

I hope this post has been helpful to you. As you can see at over 130+ steps, there is a lot to know when deploying PVS with XenDesktop. Deploying with XenApp is mostly the same until you get to the OS and I can cover all that in another post. If you have any questions, comments, or tips please let me know in the comments section below. If I left out something, please let me know too.

When you login to your web interface and launch a new desktop, it might not launch and you might get this error in the application event log on the server:

Source: Citrix Web Interface
Event ID: 30105  
The Citrix servers do not trust the server. This message was reported from
the XML Service at address http://localhost/scripts/wpnbr.dll
[com.citrix.xml.NFuseProtocol.RequestAddress].
  [Unique Log ID: xxxxxxxx]

In previous versions of Presentation Server, the way to set the XML Trust was to go to your Access Management Console and edit the Properties of the each server. There would be an “XML Service” property near the bottom in the left navigation you could click on. Check the “Trust XML requests sent to the XML Service” box and hit OK. For the whole farm, open up the farm Properties and go to Farm-wide > XenApp > General and check the “XML Service DNS address resolution” check box and hit OK.

In previous versions of XenDesktop, you could go to your DDC and open up the Delivery Services console, right click on the farm properties go to Farm-wide > Desktop Delivery Controller > General and check the “XML Service DNS address resolution” and hit OK.

In XenApp 6.0, 6.5, etc. you need to open Delivery Services Console or AppCenter and go to Policies and hit the Computer tab. Edit the Unfiltered policy and find the XML Service near the bottom in the left hand navigation. When you click it, you will see “Trust XML requests”. Hit Add and set it to “Enabled” so the Citrix XML Service will trust requests sent to it and hit OK.

All this is from memory so if I missed something, let me know. I don’t have any consoles in front of me for the different environments at the moment except Desktop Studio or I would post screenshots for you. Let me know if you need them and I’ll take some screenshots this evening when I have a bit more time.

And now for the whole reason for this blog post. In XenDesktop 5.0, 5.5, etc., the Desktop Studio console does not have this option if you look in the Unfiltered policy under HDX Policy. That’s a totally different policy. You have to set the XML Trust via PowerShell now. So to set an XML Trusts policy, open up PowerShell and if you haven’t already, add the Citrix snapin which will give you the ability to use the Citrix cmdlets:

asnp citrix.*

Now enable the XML Trust:

Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

Done, if everything goes well, you should see no confirmation or error messages like this:

Now if you logout of your web interface, log back in, then attempt to launch the desktop, it should come right up and there are no more errors in your application event log.

I was able to attend a Desktop Virtualization seminar by Brian Madden several weeks ago. It was a small group of attendees so it was great to interact at a personal level with him and some of the other speakers and get some questions answered. What I loved the most about this seminar was that a lot of the discussion was vendor agnostic, so I didn’t have a ton of marketing pushed at me. That’s a welcome change because I don’t want to hear sales talk, I want to hear the raw facts from other engineers on what works, what doesn’t, and why.

A lot of what was covered is stuff most everyone working with VDI may already know. I’m not going to transcribe all my notes from the seminar. But some key takeaways that I felt were important were the following:

1. VDI projects and hardware refreshes are driven by different factors than last year this time. April 8, 2014 (End of Support, patches, hotfixes, etc. for Windows XP) is looming and many IT departments are concentrating more on hardware/Windows 7 migrations than they are on VDI projects. Last year many companies were trying to do both since these projects usually go hand in hand. Many companies that are still doing POCs or extending their testing phases are now starting to feel a time crunch. Because of this, many companies are giving priority to the refreshes and letting the VDI projects become a secondary project. That’s not to say VDI is not important, it’s just that many companies need to prioritize resources and personnel and choosing to allocate these at the refreshes. It’s funny because this has been happening all around me and to friends at their companies but I didn’t fully realize how industry wide this shift of priorities was until Brian said it out loud. So the takeaway is, get your refreshes completed first if you don’t have enough resources to handle both. You DO NOT want to get caught in 2014 with any XP machines on your network or something seriously needs to be reevaluated at your company. And it may end up being your job if you don’t drive the initiative to get your refreshes done well ahead of this date.

2. With all the different types of desktop technologies out there now:

DATA CENTER BASED INFRASTRUCTURE
-Remote Desktop Session Host (Terminal Server)
-VDI (Citrix XenDesktop, VMware View, etc)

CLIENT BASED INFRASTRUCTURE
-Client VM – Hypervisor on baremetal client (Citrix XenClient, VMware View Local Mode, Virtual Computer NxTop, MokaFive, Virtual Bridges VERDE, etc)
-Client VM – Hypervisor on existing OS (VMware Workstation, Virtual PC, Fusion, Parallels, XP Mode, etc.)
-OS Streaming
-Traditional desktops

Companies are having a hard time trying to decide what is best for their users. One of the slides shown showed the enumeration of these technologies into the environment and I swear, it was like a pack of Skittles. There are so many directions to go and for many different reasons but you really have to factor everything or you are going to have end up with one of these Skittles environments over time. The biggest take away here is that there is no ONE solution that is the BEST. Your infrastructure might be a few of these. But don’t let it run away from you, plan it well from the get go. Pretty much common sense to anyone working with VDI already.

3. So my co-worker asked how do you plan your VDI environment? How do you know what is best? Brian recommended a couple of products that can help you:

-LakeSide Solutions VMP – pulls stats on your environment and spits out a report that tells you which users are good candidates for VDI vs. Terminal Server vs. staying on a traditional desktop.

http://www.lakesidesoftware.com/systrack_vmp.aspx

-Liquidware Labs – does a lot of the same and comes with 30 day trial

http://liquidwarelabs.com/products/stratuspherefit.asp

Another really good tool he suggested that was good for looking at the app compatibility and testing closer was App-DNA AppTitude. It does automated testing against 68,000 data points. They were acquired by Citrix just a couple of weeks ago:

http://www.app-dna.com/about-apptitude/automated-application-testing/

ChangeBase offers something similar and they were acquired by Quest just a few weeks ago:

http://www.changebase.com/

4. User workspace management. Let’s face it, any large VDI deployment across all the different infrastructure technologies above + across all the different OSes is going to be a nightmare if you don’t have some way of managing the user workspace. Brian talked about the concept of layering hardware, OS, application, and users. Not unfamiliar to anyone that has worked with VDI. He talked about 3rd parties like AppSense, RES, LiquidWare Labs, etc. vs. what’s being offered from Citrix, Microsoft, and VMware. I’m not going to go too much into this because I plan on writing an article about user workspace management and a comparison of the different options soon. But just know that this is a big point that will break or make your VDI project.

These were some of my main takeaways from the seminar without going into too much detail. There was a lot of information covered and I have to thank Brian & TechTarget for putting this on. Doesn’t matter if you’re just in the planning stages of your VDI project or if it’s been running great for years, I guarantee you will learn something new or what’s coming down the pipe in the VDI world at one of these seminars. You can sign up for one in your city here:

http://events.techtarget.com/desktopvirtualization/

By default, Firefox stores it’s profile cache in "C:\Documents and Settings\yourusername\Application Data\Mozilla\Firefox\Profiles". This can be problematic when using roaming profiles with a limited amount of profile storage space due to quotas. As you add extensions, it grows even bigger. This is a big problem in XenApp/XenDesktop/View and other VDI environments using roaming profiles. You’ll soon start getting errors saying you are almost out of profile storage space or that you have exceeded your profile storage space. Something like this (note I just grabbed this screenshot from a Google Image Search, you would normally see a bunch of Mozilla Firefox related files in there eating up the space):

The solution is to move the profile out of the user folder and into another local folder or onto a network drive/home folder, thus reclaiming the profile storage space. For example, I created "c:\FireFoxProfile" to house the profile. Here is what you need to do to begin using this folder:

1. Edit "C:\Documents and Settings\yourusername\Application Data\Mozilla\Firefox\profiles.ini" in Notepad and change:

IsRelative=1

to

IsRelative=0

What this does is allow you to use an explicit path that you specify for the profile.

2. Change the next line from:

Path=Profiles/xxxxxxx.default

to

Path=c:\FireFoxProfile\xxxxxxx.default

3. Save profile.ini and restart Firefox. You will notice that immediately, the new profile folder is populated. Keep in mind when you open Firefox for the first time, it will be like a brand new install and you will lose all of your bookmarks, extensions, customizations, etc. unless you restore them from the old path.

4. You can delete everything in your old profile path once you have Firefox working in the new profile path. This will immediately reclaim your roaming profile storage space.

NOTE: If deploying to the entire corporation, there are other methods to centrally manage Firefox and control the deployment. This solution is good for the one off users though.