
Adding a new XenApp server, can't get roaming profiles to work.


Joe Grover

Question

I'm inheriting the management of an existing XenServer/XenApp 7.9 environment. Currently there are about 25 Windows Server 2012 R2 servers deployed. Roaming profiles are enabled and operating (profiles stored on an SSD file server at \\servername\profileshare) and all security/profile settings are configured in Citrix Studio and via GPO applied to the OU where the server computer accounts are located. Everything in this production environment is functioning normally.

 

I'd like to start migrating to Windows Server 2016 for our XenApp servers (or possibly 2019), but when I installed a test 2016 server I can't get roaming profiles to function. This is what I've done:

 

- Created new VM.

- Installed/patched Server 2016 Standard.

- Joined domain, rebooted.

- Shut down server, moved computer account to the OU the existing XenApp servers are in and booted server.

- Installed XenApp (VDA for Windows Server OS, Universal Print Server, rebooting after each).

- Created a test machine catalog and delivery group for this server, giving access to a test login account (a copy of an existing user account).

- Logged into the server with this test user account.

 

Upon logging in/logging out the user profile is still located in C:\Users\testusername. There is also no profile for this user created in the \\servername\profileshare.

 

This is my first time setting up a server from scratch. I've spun up additional servers before, but they were all based on a golden image. I'm attempting to create a new golden image for 2016 servers and am just not sure what it is that I'm missing. I was assuming (probably incorrectly) that this server would pick up all of the settings it needed via the GPO and other settings already defined. Some things work (such as non-admin restrictions, folder redirection) but the profile is not getting created/copied from the profile store.

 

**EDIT** Also, after logging in and leaving the session running for a bit, I received the attached error. It's likely because there was still a profile folder for the test username that wasn't removed. It created a new one named testusername.upm.unmanaged. I logged out and the unmanaged profile disappeared. I deleted the testusername profile folder and logged in and received no error.
 

citrix profile error.PNG

Link to comment

8 answers to this question

Recommended Posts

  • 0

That's correct. For this reason you want to check C:\users during your next golden image update to make sure there are no remaining roaming user profiles left (accidentally) in that folder before you proceed to sealing the image.

 

In addition, this can happen to real users during daily operation if, for whatever reason, their previous logoff did not complete successfully (as in not removing their profile) while load balancing during the next logon happens to send them back to the exact same server.

 

When in doubt, go check manually in C:\users on that server and/or check the UPM detailed log file on that server, since it will tell you exactly what happened.

Link to comment
  • 0

Well, my main issue is that UPM doesn't appear to be occurring at all on this new server. I'm setting this up from scratch so I think there may be something I'm missing.

 

Essentially when I create a new user in our environment and log into Citrix for the first time a new profile is created for them in the profile store based on the default template and that profile is copied over to the server they're logging into.

 

With this new server I'm logging in as a new test user and *no* profile is being created--only a local profile on the new server (which--since it isn't considered a roaming profile--isn't cleaned up upon logoff). I need to find out why the roaming profile isn't being created/copied upon login, or cleaned up at logoff.

 

Link to comment
  • 0

The answer to that you will find by simply following the chain of your profile management and you will automatically stumble upon the reason why.

 

Use the Group Policy Management Console on your domain controllers (or management servers) to inspect your mentioned Citrix servers OU. There you will find at least 1 policy that contains the UPM settings for anyone that logs on to those servers, including which AD group of user accounts is affected and which is not. It could be as simple as, for instance, your new test user not being a member of that group.

 

In case you have 1 large 'lockdown' policy containing all Citrix servers with loopback processing enabled (typical setup) just look inside that group policy under the following section:

 

[Screenshot from the original post; image not preserved]

Link to comment
  • 0

Thanks. It doesn't appear that the GPO is handling the user profiles, then (the only entry I have in the common GPO for Citrix/Profile Management is for Log settings).

 

I do however see the user profile stuff defined in Citrix Studio under Policies, though.

 

- There's a policy for the path to the profiles pointing to \\servername\profileshare. On the Assigned to tab it lists the OU where the servers (including the new server) reside.

- There's a policy listing some folders to explicitly synchronize, folders to explicitly ignore during synchronization, session timeouts, path to the template profile, etc. This is also assigned to the OU.

- Other policies are also defined for various things (desktop resolution, local app access, etc.). All policies are Assigned to the OU.

 

Would it be because the new server has different profile versions than the one specified as the template in the policy?

Link to comment
  • 0

There are no files in that folder.

 

As a test I logged into our production servers and a profile was created in \\servername\profileshare. I logged off and the profile was cleaned up from the server I'd landed on. This would seem to indicate that the user account/permissions are fine but there's something somewhere that is preventing it from doing the same on the 2016 server.

 

Is it because the version of the profiles are different? Part of the policy in Citrix Studio appears to identify which profile to use as a template. Could it be that 2016 is seeing that profile and disregarding it due to it being from a previous version of Windows?

Link to comment
  • 0

Then you should go 1 step back and check all the basics:

 

1. Was/is Universal profile manager actually correctly installed on your new Citrix server as a piece of software part of your Citrix virtual apps/desktops installation at all? Is it in add/remove software?

 

2. Is the version you installed compatible with the policies, since they are defined in Citrix and not as Active Directory policies?

 

3. ...

 

Follow the chain... have a nice weekend!

Link to comment
  • 0

I guess it's "the chain" that I need to know, heh.

 

From what I understand, User Profile Management is installed as part of the VDA, which has been installed. It is not listed in the programs list on either this test 2016 server or our production servers. There is C:\Program Files\Citrix\User Profile Manager in both this server and production servers, and both have file versions of 5.4.0.6104.

 

As for compatibility, I don't know how to determine if it's compatible with the policies. Is there a compatibility matrix somewhere? I do know that the original servers were installed with XenApp 6 and the VDA was updated to 7.9 afterward; this is the first server that's been installed from the ground up with 7.9. The Citrix Studio I'm using is 7.9.

 

**EDIT** It could be that things just needed more time for the policy to pick up. My admin account is working properly (well, mostly properly--I don't have all the apps installed on the 2016 server so some settings obviously don't show up/work) but at least it's copying over my normal profile and removing it when I log off.

 

The test account looks like it tried to do the same thing, but the profile didn't delete. The folder is empty except for NTUSER.DAT, which it says is still in use. The PM log is full of errors indicating this as well.

 

Looking at the log there's this entry when I logged off:

2019-07-12;13:29:17.357;ERROR;DOMAIN;testuser16;3;26296;CRegistryHive::Unload: RegUnloadKey of hive <S-1-5-21-727222229-3077305332-3498067029-30252> failed with: Access is denied.

 

Followed by these entries over and over again.

2019-07-12;13:50:13.496;ERROR;;;;1764;DeleteAnyFile: Deleting the file <C:\Users\testuser16\NTUSER.DAT> failed with: The process cannot access the file because it is being used by another process.
2019-07-12;13:50:14.746;ERROR;;;;1764;DeleteAnyFile: Deleting the file <C:\Users\testuser16\NTUSER.DAT> failed with: The process cannot access the file because it is being used by another process.
2019-07-12;13:50:14.809;ERROR;;;;1764;DeleteAnyFile: Deleting the file <C:\Users\testuser16\NTUSER.DAT.LOG1> failed with: The process cannot access the file because it is being used by another process.
2019-07-12;13:50:16.059;ERROR;;;;1764;DeleteAnyFile: Deleting the file <C:\Users\testuser16\NTUSER.DAT.LOG1> failed with: The process cannot access the file because it is being used by another process.
2019-07-12;13:50:16.121;ERROR;;;;1764;DeleteAnyFile: Deleting the file <C:\Users\testuser16\NTUSER.DAT.LOG2> failed with: The process cannot access the file because it is being used by another process.
2019-07-12;13:50:17.371;ERROR;;;;1764;DeleteAnyFile: Deleting the file <C:\Users\testuser16\NTUSER.DAT.LOG2> failed with: The process cannot access the file because it is being used by another process.
2019-07-12;13:50:17.434;ERROR;;;;1764;DeleteAnyFile: Deleting the file <C:\Users\testuser16\NTUSER.DAT{cb078802-a4bd-11e9-81c5-faab3538718b}.TM.blf> failed with: The process cannot access the file because it is being used by another process.

2019-07-12;13:50:18.684;ERROR;;;;1764;DeleteAnyFile: Deleting the file <C:\Users\testuser16\NTUSER.DAT{cb078802-a4bd-11e9-81c5-faab3538718b}.TM.blf> failed with: The process cannot access the file because it is being used by another process.
2019-07-12;13:50:18.747;ERROR;;;;1764;DeleteAnyFile: Deleting the file <C:\Users\testuser16\NTUSER.DAT{cb078802-a4bd-11e9-81c5-faab3538718b}.TMContainer00000000000000000001.regtrans-ms> failed with: The process cannot access the file because it is being used by another process.
2019-07-12;13:50:19.997;ERROR;;;;1764;DeleteAnyFile: Deleting the file <C:\Users\testuser16\NTUSER.DAT{cb078802-a4bd-11e9-81c5-faab3538718b}.TMContainer00000000000000000001.regtrans-ms> failed with: The process cannot access the file because it is being used by another process.
2019-07-12;13:50:20.059;ERROR;;;;1764;DeleteAnyFile: Deleting the file <C:\Users\testuser16\NTUSER.DAT{cb078802-a4bd-11e9-81c5-faab3538718b}.TMContainer00000000000000000002.regtrans-ms> failed with: The process cannot access the file because it is being used by another process.
2019-07-12;13:50:21.309;ERROR;;;;1764;DeleteAnyFile: Deleting the file <C:\Users\testuser16\NTUSER.DAT{cb078802-a4bd-11e9-81c5-faab3538718b}.TMContainer00000000000000000002.regtrans-ms> failed with: The process cannot access the file because it is being used by another process.
2019-07-12;13:50:21.309;ERROR;;;;1764;DeleteDirectory: Deleting the directory <C:\Users\testuser16> failed with: The directory is not empty.
2019-07-12;13:50:21.309;ERROR;;;;1764;DeleteLocalProfile: Could not delete local profile: <C:\Users\testuser16>: The directory is not empty.

 

Link to comment
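A way to triage a Profile Management log like the one quoted in the last post, as an added example that is not part of the original thread: it collapses the repeated delete retries and ties each undeleted profile back to the hive unload failure for the same user. The field order is inferred from the quoted lines, and the function names and the folder-name-equals-username match are assumptions of this example.

```python
import re
from collections import Counter

# Excerpt of the log lines quoted in the post above, embedded so the example runs offline.
SAMPLE_LOG = r"""2019-07-12;13:29:17.357;ERROR;DOMAIN;testuser16;3;26296;CRegistryHive::Unload: RegUnloadKey of hive <S-1-5-21-727222229-3077305332-3498067029-30252> failed with: Access is denied.
2019-07-12;13:50:13.496;ERROR;;;;1764;DeleteAnyFile: Deleting the file <C:\Users\testuser16\NTUSER.DAT> failed with: The process cannot access the file because it is being used by another process.
2019-07-12;13:50:14.746;ERROR;;;;1764;DeleteAnyFile: Deleting the file <C:\Users\testuser16\NTUSER.DAT> failed with: The process cannot access the file because it is being used by another process.
2019-07-12;13:50:14.809;ERROR;;;;1764;DeleteAnyFile: Deleting the file <C:\Users\testuser16\NTUSER.DAT.LOG1> failed with: The process cannot access the file because it is being used by another process.
2019-07-12;13:50:21.309;ERROR;;;;1764;DeleteDirectory: Deleting the directory <C:\Users\testuser16> failed with: The directory is not empty.
2019-07-12;13:50:21.309;ERROR;;;;1764;DeleteLocalProfile: Could not delete local profile: <C:\Users\testuser16>: The directory is not empty.
"""

# Field order inferred from the quoted lines (an assumption, not Citrix documentation).
FIELDS = ("date", "time", "level", "domain", "user", "session", "thread", "message")
TARGET_RE = re.compile(r"<([^>]*)>")  # the object named in angle brackets


def parse_line(line):
    """Split one log line into named fields; return None for lines that do not fit."""
    parts = line.strip().split(";", 7)  # the message itself may contain ';'
    if len(parts) != 8:
        return None
    rec = dict(zip(FIELDS, parts))
    rec["function"], _, detail = rec["message"].partition(": ")
    match = TARGET_RE.search(detail)
    rec["target"] = match.group(1) if match else ""
    return rec


def summarize(text):
    """Count retries per (function, target) and link stuck profiles to hive unload failures."""
    errors = [r for r in map(parse_line, text.splitlines()) if r and r["level"] == "ERROR"]
    retries = Counter((r["function"], r["target"]) for r in errors)
    # Assumption: the local profile folder is named after the user account.
    hive_fail = {r["user"].lower(): r for r in errors if r["function"] == "CRegistryHive::Unload"}
    stuck = []
    for r in errors:
        if r["function"] == "DeleteLocalProfile":
            cause = hive_fail.get(r["target"].rsplit("\\", 1)[-1].lower())
            stuck.append({"profile": r["target"],
                          "hive": cause["target"] if cause else None,
                          "hive_unload_failed_at": f'{cause["date"]} {cause["time"]}' if cause else None})
    return retries, stuck


if __name__ == "__main__":
    retries, stuck = summarize(SAMPLE_LOG)
    for (func, target), n in retries.most_common():
        print(f"{n:3d}  {func}  {target}")
    print(stuck)
```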
