
Group policy processing with Citrix MCS and Nutanix AHV


Markus Mohr1709163411

Question

Hi Community,

We have a problem combined with Citrix MCS, Nutanix AHV Hypervisor and Group Policy processing.


Some background information about our structure:
We use Citrix MCS and a few of our machines run on Nutanix AHV Hypervisor. Our master is located in a different OU in Active Directory than the machines which are deployed via MCS. Thus the Group Policies that are applied are different on the master and the deployed machines.


I wrote a script that should run at computer startup for deployed machines (not the master). So I linked a GPO with a startup script to the OU where the deployed machines are located.
I noticed that this script doesn't run if I start the machines through Citrix Studio. If I restart this machine manually, the script runs successfully. I already checked permissions etc. The script per se works.
Another problem that I noticed, but which occurs rather sporadically: if I restart the machine through Citrix Studio and run "gpresult /r", I see that the applied policies are the policies that are linked to the OU where the master is located, but actually there should be the GPOs that are linked to the OU where the deployed machines are located. It looks like the machine does not do a "gpupdate" at start.
I already tried the setting "Always Wait for Network" and disabled GPO caching. Nothing works.

 

The central question: Why does the script run if I start the machine manually but not if I start the machine through Citrix Studio? I guess the problem is related to Nutanix AHV Hypervisor. The majority of our machines run on VMware ESX and I think we don't have this problem there. Is the behaviour of Citrix MCS different on AHV and ESX?
 

Link to comment

5 answers to this question


We use full clones when deploying VDI workloads with MCS like this. When you power on from Prism, you won't get a reset, when you power action from Studio, you will get a reset.

 

With vSphere, the default is thin cloning, though why that would make a difference is beyond me

 

I dealt with a similar issue in Azure which uses Full Clone technology when we were building images in one region and replicating to another - there was a delay on when GPO would apply when the machines came up initially. We used BIS-F which bakes in a gpupdate /force as part of the startup process and that resolved the issues.

 

Some things to consider https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.GroupPolicy::SyncWaitTime

 

Not aware of anything we do (nutanix) to impact this - will be a race/timing thing. Throw in BIS-F, problems go away, but it's likely masking the root cause

Link to comment

Hi,

Thank you for your answer. I tried your GPO setting "Specify startup policy processing wait time". This didn't help.

 

I tried the following: a PowerShell script, run by a Windows task, which creates a text file under C:\Temp with the computer name in it. The task is executed on startup.

I created the Task on the Master and deployed the machines.

 

The Windows task tells me that the job is executed at 11:09, but the machine is started at 13:09. Maybe there is an issue with timesync and AHV?

 

Another question: Where did you bake gpupdate into BIS-F? A custom script with "gpupdate /force" located in the folder "C:\Program Files (x86)\Base Image Script Framework (BIS-F)\Framework\SubCall\Personalization\Custom"?

Link to comment
On 7/21/2023 at 9:31 PM, Markus Mohr1709163411 said:

I tried your GPO Setting "Specify startup policy processing wait time"

More just something to consider and make sure it wasn't altered etc

 

On 7/21/2023 at 9:31 PM, Markus Mohr1709163411 said:

Maybe there is an issue with timesync and AHV

Time can be very sensitive - some references below

https://portal.nutanix.com/page/documents/kbs/details?targetId=kA032000000TVVyCAO

https://portal.nutanix.com/page/documents/kbs/details?targetId=kA00e000000bsicCAA

https://www.nutanix.com/au/blog/supporting-frame-on-a-nutanix-ahv-cluster-time-configuration (ignore the Frame bits)

On 7/21/2023 at 9:31 PM, Markus Mohr1709163411 said:

Where did you bake gpupdate into BIS-F

It is natively in the framework, you don't need to do anything

Link to comment

Hi

 

I had something similar years ago when booting Windows 10 devices, the first time I started to deploy physical Windows 10 (GPOs were not being applied on reboot).

I traced this down to Fast Startup being enabled. Disabling it fixed the issue and GPOs applied every time

You can Google the registry key or take a quick look at this link... https://enterprisesecurity.hp.com/s/article/Disabling-Windows-10-Fast-Startup

 

Not saying this is your issue, but worth a try. Set it in the gold image manually rather than via a GPO?

 

Regards

 

Ken Z

Link to comment

I could solve this problem. I started the machine without network and realised that the time is 2 hours before real time, and because the machine had no network the time couldn't be updated.

 

I found the following link and implemented Method 1 in the master.

https://portal.nutanix.com/page/documents/kbs/details?targetId=kA03200000098c9CAA

 

Registry Hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

Registry Key: RealTimeIsUniversal (DWORD)

Value: 1

 

Now it works. Thank you for your support.

Link to comment
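
An added example, not part of the thread or of the linked Nutanix KB: a PowerShell check for the master image or a clone that reports the RealTimeIsUniversal value from the last post, measures the clock offset with w32tm, and lists Group Policy errors logged since boot. The host name `dc01.example.test` and the parameter names are assumptions.

```powershell
# Added example, not from the thread. Run elevated on the master image or a clone.
# $TimeSource is a placeholder; pass a domain controller or NTP host you trust.
param(
    [string]$TimeSource = 'dc01.example.test',   # hypothetical host name
    [int]$MaxSkewSeconds = 300,                   # Kerberos default tolerance (5 minutes)
    [switch]$Fix                                  # without -Fix the script only reports
)

$tzKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'
$name  = 'RealTimeIsUniversal'

# 1. Does Windows treat the virtual hardware clock (RTC) as UTC?
$value = (Get-ItemProperty -Path $tzKey -Name $name -ErrorAction SilentlyContinue).$name
if ($value -eq 1) {
    Write-Output "$name = 1 (RTC read as UTC)"
} elseif ($Fix) {
    New-ItemProperty -Path $tzKey -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output "$name set to 1 in this image"
} else {
    Write-Warning "$name is not 1; Windows reads the RTC as local time"
}

# 2. Measure the offset against the time source without changing the clock.
$sample = & w32tm.exe /stripchart "/computer:$TimeSource" /samples:1 /dataonly 2>&1
$match  = $sample | Select-String -Pattern '([+-]\d+\.\d+)s\s*$' | Select-Object -Last 1
if ($match) {
    $offset = [double]::Parse($match.Matches[0].Groups[1].Value,
                              [cultureinfo]::InvariantCulture)
    if ([math]::Abs($offset) -gt $MaxSkewSeconds) {
        Write-Warning ("Clock offset {0:N0}s exceeds {1}s; Kerberos authentication is likely to fail" -f $offset, $MaxSkewSeconds)
    } else {
        Write-Output ("Clock offset {0:N3}s is within tolerance" -f $offset)
    }
} else {
    Write-Warning "No time sample from $TimeSource (no network or host unreachable)"
}

# 3. Group Policy errors and warnings logged since the last boot.
$boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Level = 2, 3; StartTime = $boot
} -ErrorAction SilentlyContinue |
    Select-Object -First 10 TimeCreated, Id, LevelDisplayName, Message
```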
