Jump to content
Welcome to our new Citrix community!
  • 0

XenMobobile 10.09 LDAP RODC Issue

Alexander Koch1709157616


Hi all,


we are in the process of building a new XenMobile environment.

We just have another interesting problem.

The XenMobile server is talking to an LDAPS load balancer on the NetScaler.
This load balancer points to two RODCs. They are both up over TCP SSL over 636.

The problem is the following, I can see in the firewall logs that the XenMobile server tries to address other DCs, which are not part of the load balancer or the XenMobile server. This has the consequence that he tries several times to contact different DCs and fails, because the firewall only allows him to talk to the RODCs.

You can feel this effect when you create a new provisioning group and add an Active Directory group, the search for the group takes several minutes.

We are asking ourselves why the XenMobile server tries to contact the other DCs, although it should only talk to the RODCs. Like it would query a list somewhere via DNS and then try to execute it... already very strange.


Maybe someone has already gained experience here. I am curious.


Wish you a nice weekend
best regards




Link to comment

1 answer to this question

Recommended Posts

Hi Alex,


XenMobile should 'only' communicate with the LDAP server which is specified under 'Settings->LDAP'. There is room here for both a Primary and also a Secondary server. If you find that XenMobile is communicating directly with 'other' LDAP servers, then it has to be asked "how is it that XenMobile has knowledge of these other LDAP servers?"

Perhaps a previous attempt has been made at adding (and then removing) these 'other servers' (on the LDAP configuration page of XenMobile, not on the NetScaler). If so, perhaps such content has been cached somewhere on the server for some reason. A reboot should reset such caches, if this is the case.

This link is one of the more comprehensive articles around LDAP behaviour in XenMobile: https://docs.citrix.com/en-us/xenmobile/server/advanced-concepts/on-premises-xenmobile-active-directory-interaction.html. If the advice provided so far doesn't help to answer this query, it might be that a support case will need to be raised for some deep-level inspection to take place.

In this scenario, for the lack of any other analysis being done (network traces and log files, for example), I would think it best to start with a simple setup for LDAP, just to begin with, and then 'add back on' the extra layers of complexity. When considering the Load Balancing setup through the NetScaler, it also might be necessary to check over the session persistence carefully. The article at https://support.citrix.com/article/CTX225590 is not quite an 'exact match' for this, though it does cover the concepts quite well.


Best regards,

Link to comment


This topic is now archived and is closed to further replies.

  • Create New...