Friday, October 28, 2011

A hotfix rollup (build 4.0.3594.2) is available for Forefront Identity Manager 2010 (FIM2010)

Original link: http://support.microsoft.com/?id=2520954

This hotfix rollup package replaces the following hotfix rollup packages:
2502631  2417774  2272389  2028634  978864 

Fixed issues in Workflow Engine

  1. An error message: Cannot enlist in the transaction because a local transaction is in progress on the connection.
  2. The time stamp is the same as the time when the operation fails.

Fixed issues in Sync Engine

  1. Fixes an SQL query construction issue that occurs during an import. This issue affects a DB2 database that uses a non-Unicode character set.
  2. Fixes many "Export not reimported" errors that might occur because of errors in SQL.
  3. An ExpectedRulesEntry (ERE) object is associated to a child synchronisation rule of a Metaverse object. If the ERE object has a Remove action, deprovisioning of the object is also triggered, which causes the deletion of the Metaverse object.
  4. Fixes an access violation when a custom extension calls a COM+ object.
  5. An earlier hotfix introduced a special Extensible Connectivity Management Agent (ECMA) mode to keep unconfirmed exports in escrow instead of awaiting confirmation. An issue with that hotfix causes delta sync to add new items that are not merged with an escrowed export into a pending export. After you install the hotfix that is mentioned in this article, if the ECMAAlwaysExportUnconfirmed registry entry is set to 1, the escrowed and pending changes are merged.
  6. Improves the performance of all Sync Engine operations.
  7. A password reset that uses the ADMAEnforcePasswordPolicy registry setting fails when the user is in the Administrator group but is not an administrator.

Fixed issues in Sets and Query

  1. Fixes an issue that would sometimes cause incorrect Set calculations. This resulted in lots of set corrections. Also revised the Sets Correction job so that it does not change special sets that are maintained by another system maintenance job.
  2. Revised the FIM "Query and Sets" features to treat underscores and percent signs as literals instead of as SQL wildcard characters.

Fixed issues in Certificate Management

  1. Enables the random number generator in the server key generation function.
  2. Improves the performance when enrolling a smartcard that has not previously been used with FIM Certificate Management (CM).

Fixed issues in FIM Management Agent (MA)

  1. Fixes an issue in which the FIM synchronisation service configuration for synchronisation rules and codeless provisioning was not correctly written to the FIM Service database.

Fixed issues in FIM Service

  1. Fixes an issue with SQL Server deadlocks that might occur during periods of high concurrency of requests or approvals.
  2. Fixes an issue in which unexpected data in the FIM Service database could result in the FIM MA causing the Synchronisation service to fail during import, and a stopped-server error occurred.
  3. Fixes an issue when you add or remove a value for a multivalued string attribute. If the request was subject to authorisation such as request reevaluation, the request would fail after approval.
  4. Some ExpectedRuleEntry objects and DetectedRuleEntry objects in FIM 2010 can become "orphaned" over time. When a DetectedRuleEntry object is not referenced in the DetectedRulesList of any object in the system, that object is determined to be orphaned. Similarly, when an ExpectedRuleEntry object is not referenced in the ExpectedRulesList of any object in the system, that object is also determined to be orphaned.

You still need KB979214 if you turned on the AD trashcan: http://davestechnology.blogspot.com/2011/07/w2k8-r2-ad-recycle-bin-and-fim.html

Turned on the Active Directory trash can only to find out the FIM (Forefront Identity Manager) has not stopped synchronising some objects? Well fear not, they are in sync, but to the trash folder!

Below shows an object that is in sync, but to the delete item. There is a hotfix for it that installs on the DC. KB979214 is the patch.

Monday, October 24, 2011

Single or dual CPU in VDI?

This is a really interesting article that shows, in limited testing, that additional CPUs for the client session give better overall performance for the VDI pool. It is nice to see this tested, with the counter-intuitive result that consuming more resources is better overall for the environment.

From these results, I can certainly say, an additional CPU will:

  • boost the streaming/boot up process
  • improve responsiveness and registration of virtual desktops
  • with an increased cost of the CPU hit on the hypervisor

So the takeaway will be:

  • If you are planning to go big with a huge number of VMs lifecycling every day…
  • If you have a large number of working shifts which you may need to provision in advance…
  • If your cycling window needs to be the shortest possible…

…in all those cases, an additional CPU will improve your cycling processes, reducing the registration gap of virtual desktops, with an additional cost of higher peak of host CPU utilisation, improving your infrastructure uptime.

Source: http://blogs.citrix.com/2011/10/23/will-2-vcpu-desktops-improve-your-uptime/

Friday, October 21, 2011

How to Optimise XenDesktop Machines

 

Original link: http://support.citrix.com/article/CTX125874 (Citrix Article)

The TargetOSOptimizer tool reconfigures various Windows functions to optimize the performance of the operating system for virtual desktops. Optimisation of the master VM is typically performed before the desktop catalogue is created.

Procedure

To optimise your master virtual machine, select the option to optimise the desktop when you install the Virtual Desktop Agent. This applies a predetermined set of optimisations specifically recommended for pooled and dedicated machines as part of the Virtual Desktop Agent installation process.

To apply additional optimizations to the master virtual machine at a later date, run the TargetOSOptimizer tool manually.

Optimisations are applied either through changes to the Windows registry or programmatically by disabling specific features. Some optimisations are only applicable to certain versions of Windows or, for physical machines, specific hardware such as particular network adapters.

A backup file named optimisations.reg is stored in the installation folder for the TargetOSOptimizer tool, typically located at C:\Program Files (x86)\Citrix\TargetOSOptimiser. Apply this file to the Windows registry to revert the most recent set of optimisations on the master virtual machine.

Specific Optimisations Performed by the Virtual Desktop Agent Installer

Disable Windows Autoupdate
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000001
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

Disable Offline Files
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache]
"Enabled"=dword:00000000

Disable Disk Defragmentation BootOptimizeFunction
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction]
"Enable"="N"

Disable Background Layout Service
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout]
"EnableAutoLayout"=dword:00000000

Disable System Restore
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001

Disable Last Access Time Stamp
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:00000001

Disable Hibernate
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power]
Various keys and values are set according to the version of Windows detected.

Disable CrashDump
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"CrashDumpEnabled"=dword:00000000
"LogEvent"=dword:00000000
"SendAlert"=dword:00000000

Disable Indexing Service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cisvc]
"Start"=dword:00000004

Reduce Event Log File Size to 64 kB
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application]
"MaxSize"=dword:00010000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security]
"MaxSize"=dword:00010000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System]
"MaxSize"=dword:00010000

Reduce Internet Explorer Temporary File Cache
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CacheLimit"=dword:00000400
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Content]
"CacheLimit"=dword:00000400
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CacheLimit"=dword:00000400
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Content]
"CacheLimit"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit"=dword:00000100
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit"=dword:00000100
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit"=dword:00000100
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit"=dword:00000100

Disable Clear Page File at Shutdown
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000000

Disable Superfetch (Windows 7)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysMain]
"Start"=dword:00000004

Disable Windows Defender (Windows 7)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=hex(2):00

Disable Windows Search (Windows 7)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSearch]
"Start"=dword:00000004

Disable Scheduled Disk Defragmentation (Windows 7)
Programmatic optimisation.

Additional Optimisations Available When Running the Tool Manually

Disable Move to Recycle Bin (Windows XP)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket]
"UseGlobalSettings"=dword:00000001
"NukeOnDelete"=dword:00000001

Disable Move to Recycle Bin (Windows 7)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRecycleFiles"=dword:00000001

Disable Machine Account Password Changes
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000001

Disable UDP Checksum Offload (Only When a Broadcom NIC Is Detected)
Programmatic optimisation.
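
Several of the settings above switch off protection or evidence sources (Windows Defender, Windows Update, crash dumps, a 64 kB Security log, machine account password changes), so it is worth checking which of them a master image actually carries. The following Python script is an added example, not part of the Citrix article or the original post: it parses .reg-style text and reports those settings. The names parse_reg, audit and RISKY, the choice of which settings to flag, and the sample input are all constructed for illustration.

```python
import re

# Settings from the list above that reduce protection or forensic evidence
# (this example's own selection): (key suffix, value name) -> (dword, reason).
RISKY = {
    (r"services\windefend", "start"): (4, "Windows Defender service disabled"),
    (r"services\wuauserv", "start"): (4, "Windows Update service disabled"),
    (r"services\eventlog\security", "maxsize"): (0x10000, "Security log capped at 64 kB"),
    (r"control\crashcontrol", "crashdumpenabled"): (0, "crash dumps disabled"),
    (r"netlogon\parameters", "disablepasswordchange"): (1, "machine account password never rotates"),
}
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg(text):
    """Yield (key, name, int) per dword; rejoins wrapped keys, fixes curly quotes."""
    key, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip().replace("\u201c", '"').replace("\u201d", '"')
        pending = ""
        if line.startswith("[") and not line.endswith("]"):
            pending = line  # key continues on the next line
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = DWORD_RE.match(line)
        if m and key:
            yield key, m.group(1), int(m.group(2), 16)

def audit(text):
    """Return (key, value_name, reason) for every flagged setting found."""
    return [(key, name, reason)
            for key, name, value in parse_reg(text)
            for (sfx, n), (bad, reason) in RISKY.items()
            if key.lower().endswith(sfx) and name.lower() == n and value == bad]

# Constructed sample in .reg notation (not an export from a real machine).
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\
Security]
"MaxSize"=dword:00010000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000001
'''

if __name__ == "__main__":
    for key, name, reason in audit(SAMPLE):
        print(f"{reason}: [{key}] {name}")
```

Files written by regedit's export are UTF-16, so decode them before passing the text to audit.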

Friday, October 14, 2011

Citrix Licence server and Repeaters

According to: support.citrix.com/proddocs/topic/licensing-119/lic-fs-accessing-firewall-c.html

Firewall Considerations

If there is a firewall between your product and the license server, you need to configure port numbers. This configuration process entails:

  • Open up the firewall ports. Open any ports on the firewall that you modified so that traffic can flow. For Windows Server 2008, the license server Version 11.5 or later configures the built-in firewall automatically.

This is not my experience; instead I needed to do so manually. If you use the default port numbers for the Licensing components, you will need to manually create IP/TCP port exceptions for the following:

  • TCP/27000 License server (Citrix apps, XenDesktop etc.)
  • TCP/7279 Vendor daemon (Repeaters)
  • TCP/8082 Console Web (optional).

Wednesday, October 12, 2011

Citrix Branch Repeater VPX setup

Default login and set an IP Address

Login: admin
Password: password

Give it an IP, DNS and Name:

set adapter apa -ip YourIPaddress -netmask 255.255.255.0 -gateway YourRouter
set dns-server YourDNSserver
set hostname YourVPXname

Display details:

show interface
show adapter

Set admin password and create a new Admin:

add user -name UserName -password Password -privilege admin
set user -name admin -password YourPassword -privilege admin

Restart and test:

restart

 

Then go to a web browser at https://YourIPaddress to license via a central license server, going to “System Tools: Manage Licenses”:

  • License Server Location: Remote.
  • Remote License Server Address: Enter the IP address of your license server.
  • Remote License Server Port: The default will work unless you chose a non-standard port for your license server
  • Model: match the selection to the bandwidth limit in your license; that is, “Citrix Branch Repeater V10” refers to a 10 Mbps license.

NOTE: #69520. Description: After adding licenses to a license server that previously had none, any Branch Repeater VPX units will fail to notice the new licenses for 24 hours.

Recommended action: Restarting Branch Repeater VPX will cause the new licenses to be noticed immediately. Stopping the license server for at least 15 minutes and then starting it again will also work.

Tuesday, October 11, 2011

Windows 7 – lost thumbnail view

This has been killing me, but I found the answer, sorry I can’t credit the original poster.

  1. Open Control Panel
  2. Choose Folder Options
  3. Click the Views tab
  4. Uncheck "Always show Icons, never thumbnails"
  5. Uncheck "Display file icon on thumbnails"
  6. Click Reset Folders button.

Thank goodness!

SSH to a Citrix Repeater (Linux or VPX)

You can SSH to it using PuTTY etc., but the user name/password does not work and you get “Access Denied”.

Ahh, the user name is ‘CLI’.

Then it will ask for the real user name, such as:

login as: cli

login: admin

password: ShhhhSecret11

Hey Presto!

Monday, October 10, 2011

XenDesktop pooled versus dedicated machines

Choosing pooled versus dedicated machines depends mainly on the access and control you want to grant the user of the virtual desktop.

Pooled – good for task workers

  1. Pooled machines provide desktops that are allocated to users on a per-session, first-come first-served basis. For pooled-static machines, users are assigned a specific machine from the pool when they first log on to XenDesktop. Users are connected to the same machines for all subsequent sessions. This allows users of pooled-static machines to be associated with specific VMs, which is a licensing requirement for some applications.
  2. Pooled-random machines are arbitrarily assigned to users at each logon and returned to the pool when they log off. Machines returned to the pool are available for other users to connect to.

Pooled desktops are freshly created from the master VM when users log on via the provisioning server.

Any changes that users make to their desktops are stored for the duration of the session, but are discarded when users log off. Of course you can use profile manager to help with this and store the user details.

This solution maintains a single, manually created master VM in the data centre, which dramatically reduces the time and effort required to update and upgrade users' desktops. This allows you to periodically replace this master for patches etc.

Dedicated – good for power users and administrators

  1. Dedicated machines provide desktops that are assigned to individual users. Machines can be assigned manually or automatically assigned to the first user to connect to them. Whenever users request a desktop, they are always connected to the same machine, so you can allow users to personalise their desktops to suit their needs.

Dedicated desktops are pre-created from the master VM via the snap-shot and the first time that users log on, they are assigned this machine. Several users can access the same machine (at different times).

This scheme maintains an automatically created snap-shot of the catalogue master VM. As for changes, the user has to look after the computer, or you re-mint them a new image as needed.

Sources: http://support.citrix.com/proddocs/topic/xendesktop-rho/cds-choose-scheme-type-rho.html

Wednesday, October 05, 2011

Removing Licences from the Citrix Licence server

This is handy if you are using the Desktop Controller that lets you add licences such as the Repeater VPX but does not allow you to delete them. You can see them in the web console but not delete them.

You can manually delete license files that are no longer in use from their Windows directory and restart the service.

The license files are stored in C:\Program Files (x86)\Citrix\Licensing\MyFiles. To remove them:

  1. Stop the Citrix Licensing services
  2. Delete the old license files
  3. Restart the Citrix Licensing services

XenDesktop 5.5 and vSphere 5

Yes, it is (almost) fully supported, including the Virtual Distributed Switch (vDswitch). However, you do need to upgrade the Provisioning Server (PVS) to v6 to support it, as 5.6 fails if vDswitches are used.

If you are using the Machine Creation Service (MCS) then you don't need to do anything. However, if you upgrade VMware Tools, you need to re-install the Citrix Virtual Desktop Agent (VDA).

There is a short whitepaper here: http://support.citrix.com/article/CTX130681

We will be upgrading today.

Additional Information Sources:

http://blogs.citrix.com/author/johnfa

http://blogs.citrix.com/author/richm
