
PVS Battle of the Teams: Who builds it? (PVS Streamed VM Wizard)

Stephen D. Holder



I'm contracting at an organization which has very defined roles. For the purposes of this post I'll try and boil it down and keep it as simple as I can.

There is a Build/VMware team and a Citrix team. The Build/VMware team is responsible for building servers and managing the VMware environment. The Citrix team is responsible for managing Citrix servers.

The issue:

The way the organization currently builds target devices is a manual process. If a requisition requires bulk building (10+ servers), multiple PowerShell scripts are run, but not before the Citrix team submits a ticket to the Build/VMware team to ask which cluster, datastore, etc. the target devices should be built on. The process to build about 40 servers can literally take eight hours. The Citrix team currently manages their target devices by AppCenter / HP Altiris and / or the vSphere web client for powering on / off.

I'm suggesting that the organization's Citrix team leverages PVS's Streamed VM Setup Wizard to create their target devices. In addition, I'm suggesting that the Citrix team manages their VM target devices as well as skeletal administration (shut down, power up, send messages) right from the PVS console.

I presented an in-service with PVS 7.6 and XenServer on how the process technically works. The managers and team members were floored at how easy and effective the stream VM wizard was. Everyone agreed this should have been implemented years ago. The Build/VMware team saw the same presentation and had me take it further and present in their VMware test environment. They also agreed this is the way it should be done. The organization is now at a point where I'm upgrading their PVS environment to 7.6 and they want to be able to use this feature in their production hypervisor -- VMware ESXi.

At this point, it becomes political because, as you know, PVS requires a service account to establish the link between PVS and vCenter. This account must have certain privileges outlined in the PVS Citrix product documentation.

In a nutshell, the Build/VMware team is saying "we don't want to give out a service account because on our side, we will not have a valid audit. Furthermore, servers are being built - building is our job, so we'll handle it."

The Citrix team, on the other hand, is saying "we don't want to give out site admin access to our PVS environment. Furthermore, without this service account we are unable to administer power on/off, reboots, send message, etc. right from the PVS console, so let us handle it."

The whole issue has now reached managerial levels. As a contractor, I don't really care - I'm just trying to provide alternate solutions to how work is being done today.

While managers are hashing out who will have rights to what, I've been working with the VMware architect. He explained to me the Build/VMware team's concern with the service account. Using a general service account will always reference that service account in their VMware Log Insight software (auditing tool). So while Log Insight will report an account creating servers, they won't know who is behind the wheel.

I showed the VMware architect the PVS auditing tool. He was impressed and said if we could get this to somehow port to Syslogger/Windows system event logs, it'd be worth some points, because now even though VMware Log Insight shows a service account, the PVS logs show who performed the action.

My question is: is anyone aware of how to automatically deliver the PVS logs directly to the Windows system event logs, or even directly to VMware Log Insight?

My other question is, has anyone else run into this type of issue? That is, the issue of stepping on others' toes in a larger environment? Sure, in a smaller environment, the Citrix guy is the VMware guy, is the Windows guy and whatever else, but in these larger enterprises, it's not so.

I've been through the security settings in PVS in an attempt to grant the Build/VMware team access to only build target devices, but by logic, someone has to have at least site access, which the Citrix team isn't too keen on giving out, at least right now.

Thoughts, comments, suggestions always welcome.
