Wednesday, December 18, 2013

You want back the PNA (Program Neighbourhood Agent) with Citrix Receiver 4.1, Citrix StoreFront 2.1 and Citrix XenDesktop 7.1


If you are longing for the 2000s and you want the PNA (Program Neighbourhood Agent) back but the man is making you move to Receiver, never fear: with some time, configuration and tweaks you can be right back in the comfort zone.

This is the standard Citrix Receiver without single sign-on when it opens the StoreFront store.


First you need to install the agent with single sign-on support (/includeSSON and ,SSON, in the command line below).

Just as a note, when installing and removing this the ,USB item had to be last in the list, otherwise errors occurred and the installation failed.

Command line to install Receiver 4.1:

CitrixReceiver.exe /includeSSON ADDLOCAL="ReceiverInside,ICA_Client,SSON,AM,SELFSERVICE,DesktopViewer,Flash,Vd3d,usb" /Store0="sp;"


YOU NEED TO REBOOT, and you need SSONSVR.EXE to be running as seen below.


You need to make the changes to the GPO for the client (the desktop computer) to allow Internet Explorer to pass the logon credentials.


You need to install and configure Authentication with Domain Pass-through on the StoreFront Server.

YOU NEED TO BE USING HTTPS and a valid Cert.


You can see I have the receiver web site disabled, you can use it, but it is not needed for this configuration (in fact it does not support pass-through and this confuses people).


You need to configure the XML Policy on the Delivery Controller. This is the GPO, but it can also be set via PowerShell.


You need your StoreFront server to be in ‘Local Intranet’ or ‘Trusted Sites’.


If your IE policy is locked down, delete these registry settings and then you can check (until the next reboot).

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

Check that “Automatic Logon with current user name and password” is enabled in Local Intranet if that is what you are in (see above).


Check that “Automatic Logon with current user name and password” is enabled in Trusted Sites if that is what you are in (see above).
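A read-only PowerShell check of the client-side prerequisites listed above (SSON process, HTTPS, zone membership, zone logon setting). This is an added example, not part of the original post; the store URL is a placeholder, Windows PowerShell 3.0 or later is assumed, and the registry lookup order is a simplification.

```powershell
# Added example (not from the original post): read-only check of the client-side
# pass-through prerequisites. The default URL is a placeholder for your StoreFront.
param([string]$StoreFrontUrl = 'https://storefront.example.com')

$checks = @()

# 1. The SSON process only appears after the post-install reboot and a fresh logon.
$sson = Get-Process -Name 'ssonsvr' -ErrorAction SilentlyContinue
$checks += [pscustomobject]@{
    Check  = 'ssonsvr.exe running'
    Result = [bool]$sson
    Detail = if ($sson) { "PID $(@($sson)[0].Id)" } else { 'not found' }
}

# 2. Pass-through requires HTTPS to the store.
$uri = [Uri]$StoreFrontUrl
$checks += [pscustomobject]@{
    Check  = 'Store URL uses HTTPS'
    Result = ($uri.Scheme -eq 'https')
    Detail = $uri.Scheme
}

# 3. Which IE security zone does the URL map to? 1 = Local Intranet, 2 = Trusted Sites.
$zone    = [System.Security.Policy.Zone]::CreateFromUrl($StoreFrontUrl).SecurityZone
$zoneNum = [int]$zone
$checks += [pscustomobject]@{
    Check  = 'Zone is Local Intranet or Trusted Sites'
    Result = ($zoneNum -in 1, 2)
    Detail = "$zone ($zoneNum)"
}

# 4. Logon setting (value 1A00) for that zone. Policy hives are read first, then the
#    user and machine defaults (simplified: the Security_HKLM_only policy is ignored).
$suffix = "Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zoneNum"
$paths  = "HKLM:\SOFTWARE\Policies\$suffix", "HKCU:\Software\Policies\$suffix",
          "HKCU:\Software\$suffix", "HKLM:\SOFTWARE\$suffix"
$value = $null; $source = 'not set'
foreach ($p in $paths) {
    $v = (Get-ItemProperty -Path $p -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    if ($null -ne $v) { $value = [int]$v; $source = $p; break }
}
$text = switch ($value) {
    0       { 'Automatic logon with current user name and password' }
    0x10000 { 'Prompt for user name and password' }
    0x20000 { 'Automatic logon only in Intranet zone' }
    0x30000 { 'Anonymous logon' }
    default { 'unknown or not set' }
}
$checks += [pscustomobject]@{
    Check  = 'Zone passes current credentials'
    # 0x20000 only sends credentials when the site is in the Local Intranet zone.
    Result = ($value -eq 0) -or ($value -eq 0x20000 -and $zoneNum -eq 1)
    Detail = "$text [$source]"
}

$checks | Format-Table -AutoSize -Wrap
```

Automatic logon in Trusted Sites applies to every site in that zone, so the zone's site list is worth reviewing alongside this output.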


At this point if you start the receiver you will see the client automatically logs on and gets the desktop(s) as shown below.


If you want to automate further (you need the Self-Service plug-in installed, which it is if you used my command line above), you can force a logon and a refresh in the background, and then see the newly created dummy .EXE files that you can use to create shortcuts in the Start Menu (or the Metro interface; yes, Windows 8.1).

Here are the commands to force this:

"C:\Program Files\Citrix\SelfServicePlugin\SelfService.exe" -logon

"C:\Program Files\Citrix\SelfServicePlugin\SelfService.exe" -poll

dir C:\Users\ColvinDave\AppData\Roaming\Citrix\SelfService


If you want to, you can make shortcuts to the EXE files anywhere in the Start Menu. You can't just copy the .EXE files or you will get the error below.


Good luck and tell them Dave Sent You.

Friday, December 13, 2013

Finding Citrix StoreFront via Email Address


This is old news, and everyone should know this, but I have never found a site using it yet, so maybe someone wasn't paying attention in class, so here is how.


You must install a valid server certificate on the StoreFront before you start. Also the full chain to the root certificate must be valid.

  1. Create a DNS Service Location (SRV) record
  2. In DNS, Right-click your Forward Lookup Zone
  3. Click on Other New Records, Create a Service Location (SRV)
  4. Click in the Service box and enter the host value _citrixreceiver
  5. Click in the Protocol box and enter the value _tcp
  6. In the Host offering this service box, put the fully qualified domain name (FQDN) and port for your StoreFront

You can use nslookup to test this:

  1. Open command prompt, type nslookup
  2. Type “set type=srv”
  3. Type “”
  4. The response should be : SRV service location:

priority = 0
weight = 100
port     = 443
svr hostname =
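The same test in PowerShell, extended to also confirm the certificate requirement stated at the top of this post. This is an added example, not part of the original post; the mail domain is a placeholder and Windows 8 / Server 2012 or later is assumed for Resolve-DnsName.

```powershell
# Added example (not from the original post): verify e-mail based discovery.
# 'example.com' is a placeholder for the domain part of your users' e-mail addresses.
param([string]$MailDomain = 'example.com')

# Service _citrixreceiver, protocol _tcp, as created in the steps above.
$srvName = "_citrixreceiver._tcp.$MailDomain"
$records = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' } |
    Sort-Object -Property Priority, @{ Expression = 'Weight'; Descending = $true }

foreach ($r in $records) {
    $row = [ordered]@{
        Target      = $r.NameTarget
        Port        = $r.Port
        Priority    = $r.Priority
        Weight      = $r.Weight
        Certificate = $null
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($r.NameTarget, [int]$r.Port)
        # No custom validation callback: the default one rejects an untrusted
        # chain, an expired certificate or a name that does not match the target.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($r.NameTarget)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $row.Certificate = "valid: $($cert.Subject), expires $($cert.NotAfter.ToString('yyyy-MM-dd'))"
    }
    catch {
        $row.Certificate = "FAILED: $($_.Exception.GetBaseException().Message)"
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
    [pscustomobject]$row
}
```

Run it from a client network, since the result depends on that machine's DNS view and trusted root store.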

Sunday, November 10, 2013

Linux package management


Really, you need these commands again? What, you have forgotten the obscure command lines to remove a simple package? Well you are bad and you should feel bad.
Personally I always forget these myself, so I thought why not a quick and easy reference for apt-get package management. ‘apt-*’: APT is an acronym for Advanced Package Tool.
Do you like cows?
apt-get moo
Search on my local Linux box connected repositories for something cool
apt-cache search {something cool}
Install an application (from a currently connected repository)
apt-get install {package-name}
List applications that are installed on this box
dpkg-query -l
apt-cache pkgnames | more
Once you know the name of the package that offended you, delete it with
apt-get remove --purge {package-name} (Dave here, note -- is 2 dashes)

If you have upgraded, updated or removed some packages run this to clean up the package cache
apt-get autoclean
If you are running out of space and don't need a cache of local apps, say for example you are connected to the internet, be a bit more ruthless. If you want to see how big it is first (du -sh /var/cache/apt/archives)
apt-get clean
If something is broken use the automatic fix command first
apt-get install -f
If you have not been on this box for a while, run this to update the lists and versions of packages in the attached repositories
apt-get update
If you are feeling like you still miss Windows Update use this command
apt-get upgrade
Maybe you just need some extra details on a package in use on this computer
apt-cache show {package_name}

Great reference for this:

Friday, November 01, 2013

Citrix Universal Print Server/Driver


The Universal Print Server uses the Universal print driver, which is installed with the XenDesktop agents. It is so easy I can't believe everyone isn’t doing it.

The Universal Print Server transfers the print job in a highly optimised and compressed format, minimising network use and improving the user experience.

The Universal Print Server includes the following:

  • The client UPClient which is installed via the XenDesktop agent software
  • The UPServer which is a simple MSI install that accepts connections from the clients to the printers on the print server.

Generally in XenDesktop it is recommended to use the Universal print driver. The Universal print driver is a device-independent driver that supports MOST print devices. This reduces the number of dedicated drivers required.

The Universal Print Server and Universal print driver have the following policies:

Universal printing optimization[sic] defaults. Specifies default settings for the Universal Printer when it is created for a session:

    • Desired image quality specifies the default image compression limit applied to universal printing.
    • Enable heavyweight compression enables or disables reducing bandwidth beyond the compression level set by Desired image quality, without losing image quality.
    • Image and Font Caching settings specify whether or not to cache images and fonts that appear multiple times in the print stream, ensuring each unique image or font is sent to the printer only once.
    • Allow non-administrators to modify these settings specifies whether or not users can change the default print optimisation settings within a session.
    • Universal printing image compression limit. Defines the maximum quality and the minimum compression level available for images printed with the Universal print driver.

Universal printing print quality limit. Specifies the maximum dots per inch (dpi) available for generating printed output in the session.

Tuesday, October 22, 2013

Windows RUNAS Command Restrictions


Understanding RunAs or ‘Run as different User’

With the command “runas /user:domain\user appName”, or with SHIFT-Right-Click “Run as different User” from the context menu, applications can be started with different user logons.


When you do either of these, an authentication occurs and a new Windows process is created with the specified user account. Unless defined, a temporary Windows profile will be loaded. This is not a typical user logon process, so no GPO will be applied.

You can still restrict the RunAs / Run as different User function by removing the access to it.

There are two steps to remove the RunAs and Run as different User:

1. Restrict the access to runas.exe:
- Remove the user permission from C:\Windows\System32\runas.exe

2. The second step is to remove the Run as different User entry from the context menu. Delete the following registry keys
- HKEY_CLASSES_ROOT\exefile\shell\runasuser
- HKEY_CLASSES_ROOT\batfile\shell\runasuser
- HKEY_CLASSES_ROOT\cmdfile\shell\runasuser
- HKEY_CLASSES_ROOT\mscfile\shell\runasuser
- HKEY_CLASSES_ROOT\Msi.Package\shell\runasuser
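
A read-only audit of both steps, useful for confirming the restriction is still in place after patching or image updates. This is an added example, not part of the original post; it changes nothing and assumes it is run from a 64-bit PowerShell session so that System32 is not redirected.

```powershell
# Added example (not from the original post): audit the two RunAs restrictions.

# Step 2: the context-menu keys exactly as listed above.
# HKEY_CLASSES_ROOT has no default PowerShell drive, so use the Registry:: prefix.
$classes = 'exefile', 'batfile', 'cmdfile', 'mscfile', 'Msi.Package'
$menu = foreach ($class in $classes) {
    $key = "HKEY_CLASSES_ROOT\$class\shell\runasuser"
    [pscustomobject]@{
        Key   = $key
        State = if (Test-Path -LiteralPath "Registry::$key") { 'PRESENT' } else { 'removed' }
    }
}

# Step 1: which identities are still allowed to execute runas.exe?
$runas   = Join-Path $env:SystemRoot 'System32\runas.exe'
$execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
$allowed = (Get-Acl -Path $runas).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $execute) -ne 0)
    } |
    Select-Object IdentityReference, FileSystemRights, IsInherited

"Context-menu entries:"
$menu | Format-Table -AutoSize

"Identities with execute permission on ${runas}:"
$allowed | Format-Table -AutoSize
```

Any key reported as PRESENT, or any ordinary user group in the second table, means that step has not been applied or has been reverted on this machine.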


Thanks to for this information

Tuesday, September 03, 2013

Citrix StoreFront v2 password expiry notice


You can enable Receiver for Web site users to change their passwords at any time. Users whose passwords are about to expire are shown a warning when they log on.

The notification period is determined by the Windows Group Policy setting. To set a custom notification period for all users, you edit the configuration file for the authentication service.

  1. On the StoreFront server, use a text editor to open the web.config file for the authentication service, in the C:\inetpub\wwwroot\Citrix\Authentication\ directory.
  2. Locate the following element in the file.
    <explicitBL ... allowUserPasswordChange="Always"
    showPasswordExpiryWarning="Windows" passwordExpiryWarningPeriod="10" ... >

  3. Ensure that the allowUserPasswordChange attribute is set to Always to enable password expiry notifications.

    Change the value of the showPasswordExpiryWarning attribute to Custom to apply a specific password expiry notification period to all users.

    Use the passwordExpiryWarningPeriod attribute to set the password expiry notification period in days.

Receiver for Web site users connecting from the local network whose passwords are due to expire within the specified time period are shown a warning when they log on.

Make sure the configuration changes you make on the primary server are propagated to the other servers.
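
The three attribute changes above as a PowerShell script, an added example that is not part of the original post or of Citrix's own tooling. It only reports differences unless -Apply is given; the 14-day default is an example value, and matching the element by local name is an assumption about the file's namespaces.

```powershell
# Added example (not from the original post): report or apply the custom
# password expiry warning settings in the authentication service web.config.
param(
    [string]$ConfigPath  = 'C:\inetpub\wwwroot\Citrix\Authentication\web.config',
    [int]   $WarningDays = 14,   # example value, choose your own period
    [switch]$Apply               # without this switch nothing is written
)

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true          # keep the file's layout on save
$xml.Load($ConfigPath)

# Match by local name so the query works with or without a default namespace.
$nodes = @($xml.SelectNodes("//*[local-name()='explicitBL']"))
if ($nodes.Count -eq 0) { throw "No explicitBL element found in $ConfigPath" }

$wanted = [ordered]@{
    allowUserPasswordChange     = 'Always'
    showPasswordExpiryWarning   = 'Custom'
    passwordExpiryWarningPeriod = "$WarningDays"
}

$changes = foreach ($node in $nodes) {
    foreach ($name in $wanted.Keys) {
        $current = $node.GetAttribute($name)
        if ($current -ne $wanted[$name]) {
            [pscustomobject]@{ Attribute = $name; Current = $current; Wanted = $wanted[$name] }
            if ($Apply) { $node.SetAttribute($name, $wanted[$name]) }
        }
    }
}

if (-not $changes) {
    'web.config already has the wanted values.'
}
else {
    $changes | Format-Table -AutoSize
    if ($Apply) {
        # Back up the untouched file before overwriting it.
        $backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
        Copy-Item -LiteralPath $ConfigPath -Destination $backup
        $xml.Save($ConfigPath)
        "Saved. Original kept as $backup"
    }
}
```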


This information comes from here:

Wednesday, August 28, 2013

Browser Market Share Changing Over Time


Firstly, I don't run an analytics company, but I found one on the web, and as a part of planning which browsers should be tested for a terminal services project I wanted to know the winners, losers and where IE6 still is.

Below are the last twelve months of browser change. Overall I will be testing on IE10. The others will all be tier 2 for business.


The big winners here are IE10 and losing out are IE8 and IE9. IE7 is still in slow decline, but what scares me is IE6 is static at 6% (Siebel use ActiveX controls). The total of IE releases is around 54%

Chrome with auto update is always the current release about 12% and the others falling away to a total 17%

Firefox is much the same around the 14% mark

Safari, Opera, Sleipnir, Maxthon, Comodo are ALL in the other 18% – here, have one






Saturday, August 24, 2013

Changing the Citrix Provisioning Server TFTP IP/NIC


If it works (it did not for me) there is a control panel applet…

C:\Program Files\Citrix\Provisioning Services\tftpcpl.cpl


And just make the change, easy (if it works)





If that did not work, do it via the registry.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

Find the network card you want to use and copy the ‘ServiceName’ data

Export the key as you need one of the ‘ServiceName’


Change the data for "Adapter" with what you just copied

Restart the "Citrix PVS TFTP Service"

Check you got the right adaptor, if not try again…


To find what port is listening look for UDP:69

netstat -an -p udp | find ":69"


This is it working on a VM guest


You can test this by using the Windows TFTP client


tftp Computer.Name.or.IP GET ardbp32.bin ardbp32.bin


Thanks for the insight:


Monday, August 19, 2013

Citrix Printing, history and tips


Back in the days of old, Windows printer drivers were written in either ‘user mode’ (version 3 drivers) or ‘kernel mode’ (version 2 drivers). Because Windows NT was sooooo…. slow, Microsoft moved the print drivers to the kernel to improve performance. I bet you can guess what colour the screen went on NT4 when a print driver failed? As systems got faster the print drivers were moved out to user mode to protect the system and improve reliability.

From Windows Server 2008 onwards, the operating system blocks the installation of kernel-mode print drivers. In some cases you still can, but if you can avoid it don't use kernel-mode drivers on XenApp servers anymore; best spend some money on a new printer or move to the universal driver.

You can still use user-mode (Version 3) drivers if they are supported on the platform (i.e. 32-bit v 64-bit).

If you are on an old system and you are upgrading, check whether a driver that you have installed is user mode or kernel mode. Do the following:

  1. Click Server Properties on the TS.
  2. Click the Drivers tab.
  3. Look at the Version column for a specific driver. Windows NT 4.0 = kernel-mode driver. Windows 2000, Windows XP and Windows Server 2003 = user-mode driver.

Universal Printer Driver (UPD)

The Citrix Universal Printer Driver or the Universal Print Server can support really old printers if they are still needed, so use this if you can.

In traditional Windows the XPS drivers outperform EMF drivers, but not the Citrix Universal Printer Drivers. Also, the output of print jobs using the EMF UPD will start as soon as the first page has been transferred to the client, which is way better for the end user.



  1. Always render print jobs on the server

  2. Execute print drivers in isolated processes

  3. Point to Print Restrictions (set to localhost)

  4. Restrict Print Drivers From Being Installed on Servers Hosted on Windows Server 2008/R2

  5. Disallow RDP printers from being created via GPO

  6. How to Restrict Print Drivers from Being Installed on XenApp Servers
  7. Use the driver that came with the OS first, if there is none, look for a TS compatible driver, if there are none look for the Windows Cluster compatible and newest driver
  8. When you use 3rd party printer driver do not use any with print monitors (HP Master Monitor, Lexmark MarkVision, or a utility that is loaded in the Notification Area of the user’s Windows Desktop with many economy printers.)


Information for this came from here:

Friday, August 16, 2013

Citrix Receiver for Windows Phone 8



It’s real!

Citrix Receiver for Windows Phone 8 is in the Windows Phone Store today.

When used with the Citrix Mobility Pack, Receiver automatically displays the device keyboard when an editable field has the focus. And, the desktop session scrolls if needed to make the input area visible.

It works with Citrix XenApp 5 and up, XenDesktop 5.6 and up, StoreFront 1.2, 2.0, Web Interface 5.4, Access Gateway 9.3 and 10, as well as Netscaler Gateway 10.1.

Receiver for Windows Phone supports these features in an application session:

  • Pan and zoom gestures

App bar buttons to:

  • Hide or show the menu, where users can return to the Receiver home page or switch between running apps
  • Hide or show the keyboard
  • Send Ctrl+Alt+Delete
  • Toggle between panning/zooming and app scrolling

Gestures for mouse clicks:

  • Single tap for left-click and long press for right-click

Citrix Mobility Pack features:

  • The use of mobile device controls instead of native Windows controls such as combo boxes.
  • Automatic display of the device keyboard when an editable field has the focus. The desktop session scrolls if needed to make the input area visible.

Wednesday, August 14, 2013

XenCenter not showing performance stats?


I have four new XenServers (old v5.6 due to testing, but anyway). One of the four showed performance stats and the other three did not. After looking around, the problem was that all four had different time settings (specifically odd dates that were years out) and of course no NTP setup.

To check this open the server console and use the ‘date’ command.

To fix this do the following:

  1. Manually set the date/time. On the XenServer console use: date -s "14 AUG 2013 08:27:00"
  2. Check to make sure your NTP is running and accessible: ping NTP.server.IP.Address
    1. ‘vi /etc/ntp.conf’
    2. Add NTP servers at the end of the file in the following format:
      server ntp.server.dns.domainname
    3. Restart the NTP service: ‘/etc/init.d/ntpd restart’
  3. Check your server ntpd process: ps -ef | grep ntpd
  4. Make sure that your AD DCs and your XenServers are using the same NTP Server (optional)
  5. Restart XenCenter and BAM!

If your uptime stats are wrong you need to reboot the affected XenServers.


Information came from these sources:

Citrix Web Interface, notes about


There should be nothing new here, this is just a collection of notes I had kept.


First, don't use the Web Interface, use the Storefront v2. But if you are a laggard continue reading.


Web Interface (WI) uses Java and .NET to dynamically generate a list of resources available to users. Most settings are configured via the configuration console and, under the covers, in the file ‘WebInterface.conf’.

The WebInterface.conf file allows you to change many of the Web Interface properties.

  • Location Windows: \InetPub\WWWRoot\Citrix\XenApp\Conf\WebInterface.conf
  • Location NetScaler: /var/wi/tomcat/webapps/Citrix/XenApp/WEB-INF/WebInterface.conf

Changes made directly to the file can be overwritten by configurations made in the Web Interface Management console.


Web Interface Repair

The IIS site and the Web Interface installation can be repaired. It may be necessary to repair or reinstall the site using the Web Interface Repair option.

Always back up any custom scripts and the WebInterface.conf file before repairing.

  • If you reinstall Web Interface, any pre-existing scripts and the WebInterface.conf file will not be replaced

Repair the installation if files were mistakenly deleted, renamed, or corrupted.

  • Repair a Web Interface installation from the Windows control panel

Repair the site to address any configuration issues specific to the site or corruption.

  • If you repair a site, pre-existing scripts and the WebInterface.conf file will be replaced
  • After making a backup of scripts and the configuration file, repair a site using the Site Maintenance > Repair Site task in the Web Interface management console.

NTFS Permissions for Pass-Through Authentication

  • After Windows authentication, IIS impersonates the current user account when accessing files on the web server hard drive. This requires that the users’ domain accounts have at least Read permission on all scripts beneath the web server document root directory.
  • Restricting NTFS permissions on the files beneath WWWRoot to allow access only by administrators or the IIS_IUSRS account will prevent non-administrator users from viewing Web Interface pages. In these cases, users are forbidden or cannot access Web Interface or the applications. To correct this issue, ensure that in addition to the IIS_IUSRS account, all users who will access the Web Interface have NTFS read permissions on all files beneath WWWRoot\Citrix on the web server.

Receiver Detection Redirection Error

Web Interface can detect if a Receiver is not installed or the Receiver on a user device is not current. A download wizard allows users to download and install the latest Receiver.

Under certain circumstances, users may find that the wizard redirects them to instead of downloading a Receiver installer.

For example, the installer file for the Citrix Receiver should be copied to the %ProgramFiles(x86)%\Citrix\Web Interface\5.x.x\Clients directory.

Web Interface should detect the presence of the Receiver installer automatically; however, if the site is still redirecting users to, restart the web server.

If Prohibit User Installs is enabled in the Windows Installer option in the console tree of the Group Policy Management Console, users will not be able to install a plug-in on their user devices.

Internet Explorer 9 is known to exhibit issues when used together with some Citrix products. For example, users commonly report that published applications fail to open from Web Interface in Internet Explorer 9. For additional information, including troubleshooting tips and workarounds, see Citrix article CTX129444.

Tuesday, August 06, 2013

Active Directory and XenDesktop


When you install the Virtual Desktop Agent (VDA) on a VDI computer, you can use Active Directory or the local computer Registry to find Desktop Controllers (DDCs). If you have multiple domains, the VDI computers and the DDCs need to be in a common domain (or in a trusted AD domain).

To use AD, an Organisational Unit (OU) is created that contains the DDCs for the site. You can create the OU during the installation or, if you create the OU manually, run the PowerShell script called Set-ADControllerDiscovery.ps1

XenDesktop creates the following objects:

  • A Controllers security group (all controllers in the site must be in this group)
  • The DDCs must have the 'Access this computer from the network' permission so give the DDCs security group this privilege
  • A container called RegistrationServices is created in the OU for each XenDesktop site. This contains one SCP object for each controller in the site
  • A Service Connection Point (SCP) object contains the information about the XenDesktop site
  • The SCP is created when the Set-ADControllerDiscovery.ps1 script is run. Each time the controller starts, it validates the contents of its SCP and updates them if necessary

Administrators of XenDesktop require permissions to create and delete children on the RegistrationServices container and to set properties on the Controllers security group.  These permissions are granted automatically by running the Set-ADControllerDiscovery.ps1 script as the new administrator.

Information is updated in Active Directory when the following happen:

  • Installing XenDesktop
  • Uninstalling XenDesktop
  • When a DDC starts
  • When a DDC updates the information in its SCP
  • Or when Set-ADControllerDiscovery.ps1 is run

Thursday, August 01, 2013

Troubleshooting XenDesktop 5 Registration


The Desktop State column in the Desktop Controller provides information about the registration state of the desktop machine; values of Not Registered or Pending indicate that registration has not successfully completed.


Let me start with this, IT IS THE FIREWALL ! Client and Server, via the GPO !


Virtual Desktop Firewall

  • Registration fails if the firewall on the Virtual Desktop Machine has not had the appropriate exclusions configured to enable DDC’s communication.
  • Follow CTX116843 to fix this


Ok, if you made it this far it is more complicated. Start through this list:

Domain Name Services (DNS)

  • use ‘ping <>’ from each other to ensure resolution works

Time Synchronisation not Properly Configured

  • Ensure time is within 3 minutes – Set up NTP on the Hypervisor platform and the Domain Controllers if not already done (or the clients if they don't get it from a DC)

XenDesktop VDA Registry Key

  • Verify that the following registry key exists and has correct information:
    (x86) HKEY_Local_Machine\Software\Citrix\VirtualDesktopAgent
    (x64) HKEY_Local_Machine\Software\Wow6432Node\Citrix\VirtualDesktopAgent
    • ‘ListOfDDCs’ REG String
    • ‘NameOfDDC’


Service Principal Names (SPNs)

  • The DDC determines the virtual desktop’s SPN by inspecting the servicePrincipalName attribute of the associated computer account in Active Directory. You can inspect the virtual desktop’s computer account using tools such as AD Users and Computers (attribute editor). If the servicePrincipalName attribute does not include an entry with the computer’s FQDN, edit it manually and check to see if that fixes registration problems.



Domain Membership Problems

  • Remove the machines in question from their domains and re-join them to the domains.

Multiple Network Adapters

  • If the virtual desktops contain multiple network adapters that can be used to communicate with the DDC, this might cause the security negotiation to fail. In that case, try disabling all network adapters except for the one used to communicate with the DDC.

Local Security Policy Settings

  • In the case of some images, overly restrictive security policy settings might prevent the VDA from registering.



Use XDPing, ugly but helpful.



Local Machine::

  NetBIOS Name = OEH7004
  OS Version   = Microsoft Windows NT 6.1.7601 Service Pack 1
  Platform     = X64 Platform

  Computer Domain:
    Role       = Member Workstation
    Membership = Verified, SID:S-1-5-21-2723282484-2951877577-328923344-98806 [OK]


  User Name      = bennetsx
  User Domain    = DEC
  Authentication = Kerberos [OK]
     COLVIN\Domain Users
     NT AUTHORITY\Authenticated Users
     NT AUTHORITY\This Organization
Unable to translate group name from SPID  S-1-18-1
     COLVIN\Allowed RODC Password Replication Group

Local Machine Time::

  UTC   = 1/08/2013 12:32:54 AM
  Local = 1/08/2013 10:32:54 AM (AUS Eastern Standard Time)
  DST   = No
  NtpServer =,0x9

Domain Controller(s) Time::

Date/Time from : 1/08/2013 10:32:54 AM : Time difference (mins): 0 [OK]

Network Interfaces::

  NIC #0 "Local Area Connection":
    Network      = Ethernet, 2Gb/s, Up
    MAC          = DC:9F:E4:DF:14:6C
    DNS suffix   =
    DNS servers  =
    WINS servers =
    Gateways     =
    DHCP server  =
    Address #0   =, Preferred, Origin=Dhcp/OriginDhcp
           Lease = 694799/689961/689961

WCF Endpoints: WorkstationAgent::
C:\Program Files\Citrix\Virtual Desktop Agent\WorkstationAgent.exe
Version Number :

XenDesktop version 5
    Ping Service: /Citrix/VirtualDesktopAgent/ILaunch
      Connect = Tcp to ::1:80 via ::1 ("Loopback Pseudo-Interface 1") [OK]
      Service = Listening [OK]
    Ping Service: /Citrix/VirtualDesktopAgent/IDynamicDataQuery
      Connect = Tcp to ::1:80 via ::1 ("Loopback Pseudo-Interface 1") [OK]
      Service = Listening [OK]
    Ping Service: /Citrix/VirtualDesktopAgent/IConfiguration
      Connect = Tcp to ::1:80 via ::1 ("Loopback Pseudo-Interface 1") [OK]
      Service = Listening [OK]
    Ping Service: /Citrix/VirtualDesktopAgent/ISessionManager
      Connect = Tcp to ::1:80 via ::1 ("Loopback Pseudo-Interface 1") [OK]
      Service = Listening [OK]
Endpoint -> not Tested - net.pipe://localhost/CitrixIStackManagerEndPoint
Endpoint -> not Tested - net.pipe://localhost/Citrix/HDXConnect

Workstation Services::

  Service  : WorkstationAgent ("Citrix Desktop Service")
    Status = Win32OwnProcess, Running [OK]
    Prereq =
      LanmanServer (Win32ShareProcess), Running
      PorticaService (Win32OwnProcess), Running
      LanmanWorkstation (Win32ShareProcess), Running

  Service  : PorticaService ("Citrix ICA Service")
    Status = Win32OwnProcess, Running [OK]
    Prereq =
      picapar (FileSystemDriver), Running
      picakbm (KernelDriver), Running
      picadm (FileSystemDriver), Running
      dhcp (Win32ShareProcess), Running
      picaser (FileSystemDriver), Running
      picadd (KernelDriver), Running
      rpcss (Win32ShareProcess), Running

  Service  : Citrix CGP Server Service ("Citrix CGP Server Service")
    Status = Win32OwnProcess, Running [OK]

  Service  : Citrix Encryption Service ("Citrix Encryption Service")
    Status = Win32OwnProcess, Running [OK]
    Prereq =
      Winmgmt (Win32ShareProcess), Running

  Service  : cpsvc ("Citrix Print Manager Service")
    Status = Win32OwnProcess, Running [OK]
    Prereq =
      Spooler (Win32OwnProcess, InteractiveProcess), Running
      PorticaService (Win32OwnProcess), Running
      RpcSs (Win32ShareProcess), Running

DNS Lookups for Local Machine::

  Host Name  :
  Address #0 = (rDNS: [OK]

Client Details::
   (Session ID) (Status)    (Name)   (Client IP Address):
       1        WFActive   Console

   Estimated Latency:           6
   Estimated Bandwidth:         36.35 Mbps
   Estimated Network Condition: LAN_CONDITIONS
   Session Reliability:         True

Event Log Check::
  No importent XenDesktop events detected in the last hour.

Windows Firewall Settings::

Status : Disabled

Current Profile name : Domain
XenDesktop Farm::

  Farm GUID (GPO)   : Not Set
  Farm GUID (local) : NOT SET
  Farm GUID In Use  : NOT SET
Registry Based Configurations::

Registry based Controller list (ListOfDDCs) : [Configured]
   Controller :
Controllers (manually specified)::

    DNS Lookup(
      Host Name  =
      Address #0 = (rDNS: [OK]
    Ping Service: /Citrix/CdsController/IRegistrar
      Connect = Tcp to via ("Local Area Connection") [OK]
      Service = Listening [OK]

  ListOfDDC is set in the registry to enurmerate DDC list [OK]


    Checking version : You are using the latest version. [OK]
    Unable to translate group name from SPID  S-1-18-1 [WARNING]

Number of messages reported = 2






The information in this comes from here:

Tuesday, July 30, 2013

Citrix Logon Process


Here are the steps in which the client, Web Interface and Citrix services all combine to give you a session:

  1. The user logs on to the Web Interface (WI)
  2. Web Interface speaks to the XML broker, and passes the credentials
  3. The XML broker reaches out to an Active Directory Domain Controller with the credentials to authenticate
  4. If you pass authentication the WI will enumerate the applications and desktops you have. At this point a user can start/select an application to run
  5. A server will respond back to the WI with the ICA file for the app/desktop
  6. The ICA file is passed from WI to the client machine
  7. The client machine opens the ICA file and reaches out directly to the given XenApp/XenDesktop device
  8. The XenApp Server confirms the correct RDS/TS License is available
  9. The standard Windows computer logon starts (RDS or XD session)
  10. XenApp/DDC checks with the Citrix license server to obtain a licence
  11. The Microsoft GPOs are applied
  12. The Citrix policies are applied
  13. The remaining standard Windows logon processes run: FirstRun, Run, Startup etc.
  14. The user is happy…


Much of this detail came from here and here:

Saturday, July 27, 2013

Lost admin password for Citrix Licensing Server?


A default administrator account ‘admin’ is created during installation of the Citrix License Administration Console. You can set the password for this account during installation.

Try to log on with the default ‘admin’ password ‘admin’ to configure your domain users. NOTE: ‘admin’ is not ‘Admin’; they are case sensitive.

If you have lost the licensing server admin password then you can reset the admin password in the licence server configuration file.

  1. Find the ‘server.xml’ file in Citrix Licensing folder
  2. Open an Administrator CMD prompt to edit it.
  3. Find the entry that looks something like this:

<user firstName="System" id="admin" lastName="Administrator" password="--lots-of-characters-encrypting-your-password--" passwordExpired="false" privileges="admin"/>

  4. Delete the text in the password section; in the above example change password="(ERD-32)IUJ676h43wedftQ(lots-of-characters-encrypting-your-password--" to password="Password"
  5. Change passwordExpired to ‘true’
  6. Restart the licensing service, ‘Citrix Licensing Server’
  7. Log on to the licensing console using user name ‘admin’ and the password ‘Password’
  8. Change your password and you are done.


Some of this came from:

Wednesday, July 10, 2013

Aero Glass Remote Desktop Connection (RDS/TS)


To enable Aero Glass in a Remote Desktop session:

A Remote Desktop client, Windows Aero hardware and an Aero driver are required.

The following settings should be selected in the Remote Desktop client:

  1. Colour depth of the remote session must be set to 32-bit
  2. “Desktop composition” must be enabled on the Experience tab


If the remote computer is a Windows Server 2008 R2 machine

  • Desktop Session Host (RDSH) role is required
  • Desktop Experience feature is required
  • Themes service is set to auto start
  • Video settings are 32bit per pixel

(In Server Manager, go to “RD Session Host Configuration” under “Remote Desktop Services” role, right-click on the connection to bring up “RDP-Tcp Properties” Uncheck “Limit Maximum Colour Depth” from “Remote Desktop Session Host Configuration.”)

  • Group Policy is required to enable the settings for RDP

(The policy path is “Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment”)


Would you like to use Aero Flip? Good luck with the key combination; if you find it, let me know. NOTE: Does not work in a Citrix ICA session, only RDP.

Create a shortcut like so:



This information is generally from here:

Tuesday, July 09, 2013

Windows 7 Theme for XenApp 6.5 Desktops


Windows Server 2008 R2 does not have the Windows 7 theme out of the box. To fix this, install the Desktop Experience feature, which lets the users' desktops look like a traditional Windows 7 PC.

The steps are:

  1. Go to Features and click Add Desktop Experience
  2. Enable PowerShell RemoteSigned script execution
  3. Run …\Citrix\App Delivery Setup Tools\New-CtxManagedDesktopGPO.ps1
  4. This will create 3 GPOs that you can edit and apply if they suit (CtxStartMenuTaskbarUser and CtxPersonalizableUser or CtxRestrictedUser)
  5. Check that the ‘themes’ service is running

Edit and update to suit.



Links for this information:

This is a great example of why…

Some more details on automation

Thursday, June 20, 2013

Contact me? Mobile enabled now

While I am embracing my inner Hipster and not rolling with a mobile phone, you may still need to beat down the doors to reach me. Well, fear not: using the power of the Internet I have amassed a range of ways to contact me…

0411 COLVIN – the new mobile number




Skype me ‘dcolvin’

Whitepages – dead trees with names… That's hipster right there.

(l33t speak style hidden email address –>) d c o l v i n at g mail dot com …oh I see you are here already…

Tuesday, June 18, 2013

Ctrl-Alt-Del ® Terminal Server Tools


A bunch of handy Citrix and Terminal Server tools for FREE !


BOMBProf - manage multiple local/roaming profiles

CTXCOMMAP - to map serial ports beyond COM9:

CTXCliOS - to check the type of OS being run from the Client

DEFSET - manage default printer

ENVTSCIP - obtain the current session's client IP address and assign it to an environment variable

GETTSCIP - to obtain the current session's client ip address

GETPUBAPP - to query what specific Published Application is running in the current session

ICSWEEP - clear the Temporary Internet Files Cache and/or the TEMP files folder

LOGONMsg - displays a "message of the day"

PASSCHG - allow the end user to change their domain password

PINGWIZ - ping devices with an IPv4 address

PRTSRVCHG - remapping network printer paths

QRYDEPTAPP - running a specified Published Application based

QRYCLIENTIP - Current session's client ip address

QRYPUBAPP - Check whether the current session is running a specified Published Application

QRYTSCIP - Client ip address. No Citrix Required

REMProf - Delete local user profiles

TSAPPBOOST - Manage the CPU priority of applications

TSAPPINJECT - Launch an application with an assigned CPU priority

TSBADAPP - Manage Application Compatibility Flags

TSBACKDROP - display information about a Terminal Server background

TSHIDE - Run a named program as a hidden window

TSKAAPOP / TSKAAPOW / TSKAASPLAT - Run multiple applications from one command

TSLOADBAL - Load balancing of Terminal Servers in a single Domain.

TSLOADSTTS - Gather performance information

TSLOGOFF - Logoff Sessions from a particular server within a Domain

TSLOGINS - Set the status of remote logins

TSMSG - To message Sessions on any server within a Domain

TSPASSCHG / TSPASSCHG / TSPASSCHG - Allow the end user to change their password

TSREBOOT - Reboot selected or all Servers

TSRUNLOGOFF - Run an application with a logoff script upon exit

TSSELFSERVRESET - Users manage their own sessions from a single location

TSSESSIONNFO - Provide information on Sessions from a particular server

TSSNAPSEND - Take Screen shots of a user's Windows desktop

TSSRVTYPE - list Application Server Mode or Remote Application Mode

TSTASKMAN - show a user the list of processes/ applications running

TSTBARSET - Settings of the Windows Taskbar

TSWHATDOM - Query the domain membership

TSWHEREIS - locate a user within a Domain

XLAUNCH – Launch programs based on 32 bit or 64 bit OS Platforms

Get the tools here:

Tuesday, April 23, 2013

Design guide, Server 2012, Cisco & NetApp


There is a new design guide and deployment guide for Microsoft Windows Server 2012 based on FlexPod (UCS and NetApp).

It covers:

  • Full FCoE, vPC
  • iSCSI for WS 2012 Hyper-V
  • VM-FEX for WS 2012 Hyper-V
  • Single Wire Management for C220 M3 with N2232PP.

Remove Missing Dependencies for SCVMM 2012 RC VHDs


Ran into this issue with SCVMM 2012: I could not delete a VHD from my library because a series of items were dependent on the VHD. I resolved the template issue by entering the following command from PowerShell on the SCVMM server:

Get-SCVMTemplate | where {$_.Name -like "Temporary*"} | Remove-SCVMTemplate

The second issue will be identified by the following error when you attempt to delete the VHD:

The library object (VHDNAME) cannot be removed because following objects are dependent on it:

Virtual Hard Disk deployment configuration

Thanks to Ryan Holt for this and @TheChadVent for the tip.

Thursday, April 18, 2013

ABC Video of Cocky


This is funny….

Watch it NOW !

SCVMM 2012 SP1 and Linux


To automatically configure the Linux OS after SCVMM creates the OS, extra tools are needed. On the VMM management server, open an administrative command prompt.

The programs are found in the c:\Program Files\Microsoft System Center 2012\Virtual Machine Manager\agents\Linux folder.

Copy all the agent installation files from that folder to a new folder on the virtual machine, and then, on the virtual machine on which Linux is running as a guest operating system, open the new folder.

Make the installer executable

chmod +x install

Run either the x86 or x64 installer:

./install scvmmguestagent.


./install scvmmguestagent.



The official Microsoft link is:

Monday, April 15, 2013

Linux, on Hyper-V Server 2012


Supported Linux on Hyper-V 2012, ALL are 64-bit!

CentOS 5.7 and 5.8, CentOS 6.0 – 6.3 (Download and install Linux Integration Services Version 3.4 for Hyper-V.)

Red Hat Enterprise Linux 5.7 and 5.8, Red Hat Enterprise Linux 6.0 – 6.3 (Download and install Linux Integration Services Version 3.4 for Hyper-V.)

SUSE Linux Enterprise Server 11 SP2 (Integration services do not require a separate installation because they are built-in.)

Open SUSE 12.1 (Integration services are built-in.)

Ubuntu 12.04 (Integration services are built-in.)


Don't forget there are Integration Services AND an SCVMM Agent

Checking the OS (Red Hat)

Checking the Red Hat version installed

$ uname -a

Linux 2.4.22-32.ELsmp #1 SMP Mon Apr 15 21:17:59 EDT 2005 i686 i686 i386 GNU/Linux

To get the version in simple terms, check  /etc/redhat-release instead.

$ cat /etc/redhat-release

Red Hat Enterprise Linux AS release 3 (Taroon Update 5)


To turn on DHCP for Red Hat

To configure a DHCP client manually, modify  the /etc/sysconfig/network file to enable networking and the configuration file for each network device in the /etc/sysconfig/network-scripts directory. In this directory, each device should have a configuration file named ifcfg-eth0, where eth0 is the network device name.

The /etc/sysconfig/network file should contain the following line:


The NETWORKING variable must be set to yes if you want networking to start at boot time.

The /etc/sysconfig/network-scripts/ifcfg-eth0 file should contain the following lines:


Other options for the network script include:

  • DHCP_HOSTNAME — Only use this option if the DHCP server requires the client to specify a hostname before receiving an IP address. (The DHCP server daemon in Red Hat Enterprise Linux does not support this feature.)

  • PEERDNS=<answer>, where <answer> is one of the following:

    • yes — Modify /etc/resolv.conf with information from the server. If using DHCP, then yes is the default.

    • no — Do not modify /etc/resolv.conf.

  • SRCADDR=<address>, where <address> is the specified source IP address for outgoing packets.

  • USERCTL=<answer>, where <answer> is one of the following:

    • yes — Non-root users are allowed to control this device.

    • no — Non-root users are not allowed to control this device.

Set-ExecutionPolicy Unrestricted


(I use this all the time, so posted it for my convenience).

Using the Set-ExecutionPolicy Cmdlet

Changing the Windows PowerShell Script Execution Policy

The Set-ExecutionPolicy cmdlet enables you to determine which Windows PowerShell scripts (if any) will be allowed to run on your computer. Windows PowerShell has four different execution policies:

  • Restricted - No scripts can be run. Windows PowerShell can be used only in interactive mode.

  • AllSigned - Only scripts signed by a trusted publisher can be run.

  • RemoteSigned - Downloaded scripts must be signed by a trusted publisher before they can be run.

  • Unrestricted - No restrictions; all Windows PowerShell scripts can be run.

To assign a particular policy simply call Set-ExecutionPolicy followed by the appropriate policy name. For example, this command sets the execution policy to RemoteSigned:
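
The command that sentence refers to, followed by a per-scope check, as an added example (not from the original post). The `-Scope` parameter and the `Bypass` value are not mentioned above; both are standard in Windows PowerShell 2.0 and later.

```powershell
# Set the policy named in the text. Without -Scope this writes the
# LocalMachine setting, so it needs an elevated prompt.
Set-ExecutionPolicy RemoteSigned

# Narrower alternative: applies to this PowerShell process only and is gone
# when the window closes. No elevation needed.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

function Get-LooseExecutionPolicyScope {
    # Returns every scope whose policy lets unsigned downloaded scripts run.
    # Precedence, highest first: MachinePolicy, UserPolicy, Process,
    # CurrentUser, LocalMachine. A loose value lower in the list still matters,
    # because it becomes effective once the scopes above it are Undefined.
    Get-ExecutionPolicy -List | Where-Object {
        'Unrestricted', 'Bypass' -contains [string]$_.ExecutionPolicy
    }
}

# What is actually in force for this session, then anything left wide open.
"Effective policy: $(Get-ExecutionPolicy)"
$loose = @(Get-LooseExecutionPolicyScope)
if ($loose.Count -gt 0) {
    $loose | Format-Table Scope, ExecutionPolicy -AutoSize
} else {
    'No scope is set to Unrestricted or Bypass.'
}
```

If MachinePolicy or UserPolicy shows a value, the setting comes from Group Policy and Set-ExecutionPolicy cannot override it.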

Sunday, April 14, 2013

System Center [sic] App Controller Certificate Import Error


I get this error when using a W2K12 Cluster File Server for a Library Server in SCVMM 2012 SP1…


Export of the library server certificate from the VMM server has failed for library server %clustered library server%. In order to perform this operation, you must be an Administrator in both Virtual Machine Manager and App Controller, and also a local Administrator on the server. (StatusCode: Microsoft.SystemCenter.CloudManager.Providers.ProviderException)


An internal error has occurred trying to contact an agent on the NO_PARAM server: NO_PARAM: NO_PARAM.
Ensure the agent is installed and running. Ensure the WS-Management service is installed and running, then restart the agent. (StatusCode: Microsoft.VirtualManager.Utils.CarmineException)


Here are some steps you can use to manually import the missing certificates.

  1. Open MMC (Start -> Run -> MMC)
  2. Add the certificate snap-in and select Computer account and specify your VMM server
  3. Add the certificate snap-in and select Computer account and specify your App Controller server
  4. Expand the Trusted People\Certificates folder for the App Controller server
  5. Browse to the Trusted People\Certificates folder for the VMM server
  6. Make sure you're looking in the Friendly Name column for the certificates
  7. Find the certificates that start with SCVMM_CERTIFICATE_KEY_CONTAINER and then have the FQDN of the library cluster nodes
    You only need the certificates for the library server - you don't need any of the certificates for the Hyper-V hosts
  8. Copy the certificates to the Trusted People\Certificates folder on the App Controller server

If you previously had success importing certificates, you might find that some of the library certificates are already present. You do not need to recopy these certificates - just the missing certificates for the library servers.

On the VMM server you will see a certificate for each of your host computers - you do NOT need to copy these certificates. 



All I have to say is ‘cool story Bro, tell it again’. Yep, this did not work for me and I ended up creating a new W2K12 Server and presenting the storage that way… But it looks good, heh?


Monday, April 08, 2013

Server 2012 Phone Activation

Hi Server,

Let me choose somewhere other than Afghanistan… That’d be great.


BTW Phone Australia on 13 20 58 Option 3 then option 1…

Thursday, April 04, 2013

SCCM 2012 SP1, SQL 2012 on Server 2012

If, like me, you ‘skimmed’ the pre-reqs for SCCM 2012 SP1 and then can't install due to the database collation (see below), here is how to fix it.


Open up command prompt, from the SQL setup folder where the setup.exe is located and execute the command:

Setup.exe /QUIET 

(all above is one line)


Note your “SQLSYSADMINACCOUNTS=Domain\Administrator” may be different…

Friday, March 22, 2013

Duplicate SIDs on multiple Cluster Nodes


I was working on a two node w2k8 R2 cluster running in VMware ESX 5.1, running SQL 2008 and a bunch of other services, the disks were local and also RDMs out to iSCSI NetApp disks. The system had been running for about three months, but started acting weird… yep just weird.

You could log on with a cached domain credential, but there was no ‘LogonServer’, and when you did you got a temporary profile.


Services that had a domain service account that needed a profile would fail.

A local logon with Administrator would fail with a ‘the Group Policy service failed the logon. Access is denied’.


The issue turned out to be that the first server was cloned to the second server and both had the same SID. This caused account and domain connection issues that looked like file corruption or virus issues and got progressively worse, to the point you could not add/remove programs due to ‘appdata’ issues, and finally the two servers were cut loose and rebuilt.

I have also been told that SQL Server and FIM Portal 2010 have problems with this, so it may be a worthwhile check from time to time across environments… A quick PowerShell would be handy.
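
One way to write that check, as an added example for Windows PowerShell (not code from the original post). It reads the local accounts over WMI, so it needs administrative rights and WMI access on each target; `NODE1` and `NODE2` are placeholder host names.

```powershell
# Added example: report machines that share the same local machine SID.
function Get-MachineSid {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    # Every local account SID is <machine SID>-<RID>. The built-in
    # Administrator always has RID 500, whatever it has been renamed to.
    $admin = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
                 -Filter "LocalAccount=True" -ErrorAction Stop |
             Where-Object { $_.SID -match '^S-1-5-21-.*-500$' } |
             Select-Object -First 1
    if (-not $admin) { throw "No local RID-500 account returned by $ComputerName" }
    $admin.SID -replace '-500$', ''
}

function Find-DuplicateMachineSid {
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)
    $rows = foreach ($c in $ComputerName) {
        try {
            New-Object PSObject -Property @{
                Computer   = $c
                MachineSid = Get-MachineSid -ComputerName $c
            }
        } catch {
            # Unreachable or access-denied hosts are reported, not silently skipped.
            Write-Warning "$c : $($_.Exception.Message)"
        }
    }
    if (-not $rows) { return }

    # A group with more than one member means those machines came from the
    # same image without a new SID being generated.
    $rows | Group-Object MachineSid | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                MachineSid = $_.Name
                Computers  = ($_.Group | ForEach-Object { $_.Computer }) -join ', '
            }
        }
}

# Placeholder names: replace with the cluster nodes or servers to compare.
Find-DuplicateMachineSid -ComputerName 'NODE1', 'NODE2'
```

No output means every host that answered has a distinct machine SID; hosts that could not be queried appear as warnings.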


Article on fixing Windows profiles.

Why SIDs should matter.
