Posts posted by Jason Ochs1709152296
-
-
Windows Group Policy. You can even go into Security properties of the GPO and set a deny attribute to "apply group policy" so a select AD User/Group could reboot them.
-
This is a Windows thing. Happens on my VDI and home PC too. Go to Control Panel > Mouse> Pointers (tab) and change the Scheme. I use "Windows Black (system scheme)" but many others work. I unselected the Enable Pointer shadow too. In Pointer options, I also unchecked "hide pointer while typing" too. That still didn't 100% restore the pointer in some cases so I also checked "display pointer trails" and set them to short. Seems an annoying way to work around the issue.
-
Implement
- Take VM Snapshot of SQL servers + Delivery Controllers, (if applicable.)
- Perform a Test Site in Studio to make sure environment is healthy. Then ensure all instances of Citrix Studio are closed.
- Do a SQL Backup/Restore from old server to new server.
- Create/check SQL logons/ database permissions. This is very important as permissions must be the same.
- Set SQL Connection strings on one delivery controller. Citrix has some scripts, but I combined them into one and tweaked it. I used it on 1912. If you're running 2203, might need some adjustment.
Do not open Citrix Studio or Citrix Director until ALL DELIVERY CONTROLLERS have had their connection strings updated.
Test plan:
- Launch Citrix Director and check database links at the bottom of the dashboard
- Open Citrix Studio. Verify Applications and Delivery Groups look normal. Check Database servers (Configuration.)
- In Studio, Perform a Site test under Citrix Studio>Site Configuration. Ensure all 237 tests pass.
PowerShell Script:
#Citrix Database Connection Scripts
#by Jason Ochs 3/22/21
#This script will back up DB connections to services, nullify them, and allow you to set a new database connection string.
#CITRIX may add new services thus adding/removing the database connection strings below, so run command 'Get-Command -Name get-*DBConnection' to get a current list.
asnp Citrix*
## Record existing database connection Strings to CitrixDBConnectionStrings.txt
Write-Host "Backing up existing connection strings to C:\Temp\CitrixDBConnectionStrings.txt. Strings will also be written as variables as well." -ForegroundColor Red
Write-Output "ConfigDBConnection is:" (Get-configDBConnection) | Out-File C:\Temp\CitrixDBConnectionStrings.txt -Append
Write-Output "AppLibDBConnection is:" (Get-AppLibDBConnection) | Out-File C:\Temp\CitrixDBConnectionStrings.txt -Append
Write-Output "OrchDBConnection is:" (Get-OrchDBConnection) | Out-File C:\Temp\CitrixDBConnectionStrings.txt -Append
Write-Output "TrustDBConnection is:" (Get-TrustDBConnection) | Out-File C:\Temp\CitrixDBConnectionStrings.txt -Append
Write-Output "AcctDBConnection is:" (Get-AcctDBConnection) | Out-File C:\Temp\CitrixDBConnectionStrings.txt -Append
Write-Output "AnalyticsDBConnection is:" (Get-AnalyticsDBConnection) | Out-File C:\Temp\CitrixDBConnectionStrings.txt -Append
Write-Output "HypDBConnection is:" (Get-HypDBConnection) | Out-File C:\Temp\CitrixDBConnectionStrings.txt -Append
Write-Output "ProvDBConnection is:" (Get-ProvDBConnection) | Out-File C:\Temp\CitrixDBConnectionStrings.txt -Append
Write-Output "BrokerDBConnection is:" (Get-BrokerDBConnection) | Out-File C:\Temp\CitrixDBConnectionStrings.txt -Append
Write-Output "EnvTestDBConnection is:" (Get-EnvTestDBConnection) | Out-File C:\Temp\CitrixDBConnectionStrings.txt -Append
Write-Output "SfDBConnection is:" (Get-SfDBConnection) | Out-File C:\Temp\CitrixDBConnectionStrings.txt -Append
Write-Output "MonitorDBConnection is:" (Get-MonitorDBConnection) | Out-File C:\Temp\CitrixDBConnectionStrings.txt -Append
Write-Output "MonitorDBConnection is:" (Get-MonitorDBConnection) | Out-File C:\Temp\CitrixDBConnectionStrings.txt -Append
Write-Output "LogDBConnection is:" (Get-LogDBConnection) | Out-File C:\Temp\CitrixDBConnectionStrings.txt -Append
Write-Output "LogDBConnection is:" (Get-LogDBConnection) | Out-File C:\Temp\CitrixDBConnectionStrings.txt -Append
Write-Output "AdminDBConnection is:" (Get-AdminDBConnection) | Out-File C:\Temp\CitrixDBConnectionStrings.txt -Append
# Record each string to its own backup file:
Get-configDBConnection | Out-File C:\Temp\CitrixDB_configDBConnectionOLD.txt
Get-AppLibDBConnection | Out-File C:\Temp\CitrixDB_AppLibDBConnectionOLD.txt
Get-OrchDBConnection | Out-File C:\Temp\CitrixDB_OrchDBConnectionOLD.txt
Get-TrustDBConnection | Out-File C:\Temp\CitrixDB_TrustDBConnectionOLD.txt
Get-AcctDBConnection | Out-File C:\Temp\CitrixDB_AcctDBConnectionOLD.txt
Get-AnalyticsDBConnection | Out-File C:\Temp\CitrixDB_AnalyticsDBConnectionOLD.txt
Get-HypDBConnection | Out-File C:\Temp\CitrixDB_HypDBConnectionOLD.txt
Get-ProvDBConnection | Out-File C:\Temp\CitrixDB_ProvDBConnectionOLD.txt
Get-BrokerDBConnection | Out-File C:\Temp\CitrixDB_BrokerDBConnectionOLD.txt
Get-EnvTestDBConnection | Out-File C:\Temp\CitrixDB_EnvTestDBConnectionOLD.txt
Get-SfDBConnection | Out-File C:\Temp\CitrixDB_SfDBConnectionOLD.txt
Get-MonitorDBConnection | Out-File C:\Temp\CitrixDB_MonitorDBConnectionOLD.txt
Get-LogDBConnection | Out-File C:\Temp\CitrixDB_LogDBConnectionOLD.txt
Get-AdminDBConnection | Out-File C:\Temp\CitrixDB_AdminDBConnectionOLD.txt
Write-Host "Completed writing existing connection strings to C:\Temp\CitrixDBConnectionStrings.txt. Please verify." -ForegroundColor Red
pause
#Checking Service State. All should report "OK."
Get-AcctServiceStatus
Get-AdminServiceStatus
Get-AnalyticsServiceStatus
Get-AppLibServiceStatus
Get-BrokerServiceStatus
Get-ConfigServiceStatus
Get-EnvTestServiceStatus
Get-HypServiceStatus
Get-LogServiceStatus
Get-MonitorServiceStatus
Get-OrchServiceStatus
Get-ProvServiceStatus
Get-SfServiceStatus
Get-TrustServiceStatus
Write-Host "Next, Monitoring and Logging will be disabled. Afterwards, DB connections will be nullified. Proceed only if everything checks out OK and you are ready." -ForegroundColor Red
pause
#Disable Monitoring and Logging
Set-MonitorConfiguration -DataCollectionEnabled $False
Set-LogSite -State Disabled
## Nullifies DB connection strings so we can change them.
Set-AnalyticsDBConnection -DBConnection $null -force # 7.6 and newer
Set-AppLibDBConnection -DBConnection $null -force # 7.8 and newer
Set-OrchDBConnection -DBConnection $null -force # 7.11 and newer
Set-TrustDBConnection -DBConnection $null -force # 7.11 and newer
Set-HypDBConnection -DBConnection $null -force
Set-ProvDBConnection -DBConnection $null -force
Set-BrokerDBConnection -DBConnection $null -force
Set-EnvTestDBConnection -DBConnection $null -force
Set-SfDBConnection -DBConnection $null -force
Set-MonitorDBConnection -DataStore Monitor -DBConnection $null -force
Set-MonitorDBConnection -DBConnection $null -force
Set-LogDBConnection -DataStore Logging -DBConnection $null -force
Set-LogDBConnection -DBConnection $null -force
Set-ConfigDBConnection -DBConnection $null -force
Set-AcctDBConnection -DBConnection $null -force
Set-AdminDBConnection -DBConnection $null -force
Write-Host "DB connections have been nullified. Setting new connection string." -ForegroundColor Red
pause
## Replace <dbserver> with the New SQL server, and instance if present
## Replace <dbname> with the name of your restored Database
## Note: AdminDBConnection should be first
#$ServerName="<SQL AlwaysOn Listener Name>"
$ServerName = Read-Host -Prompt 'Input your SQL AlwaysOn Listener Name. You can specify instance or port. E.G> CTXDBLSNR\CTRX \ CTXDBLSNR,1433'
#$SiteDBName = "<DbName(case sensitive)>"
$SiteDBName = Read-Host -Prompt 'Input your SITE DbName, (case sensitive)'
#$LogDBName = "<LoggingDbName>"
$LogDBName = Read-Host -Prompt 'Input your LOGGING DbName, (case sensitive)'
#$MonitorDBName = "<MonitorDbName>"
$MonitorDBName = Read-Host -Prompt 'Input your MONITORING DbName, (case sensitive)'
$cs="Server=$ServerName;Initial Catalog=$SiteDBName;Integrated Security=True;MultiSubnetFailover=True"
$csLogging= "Server=$ServerName;Initial Catalog=$LogDBName;Integrated Security=True;MultiSubnetFailover=True"
$csMonitoring = "Server=$ServerName;Initial Catalog=$MonitorDBName;Integrated Security=True;MultiSubnetFailover=True"
Set-AdminDBConnection -DBConnection $cs
Set-ConfigDBConnection -DBConnection $cs
Set-AcctDBConnection -DBConnection $cs
Set-AnalyticsDBConnection -DBConnection $cs # 7.6 and newer
Set-HypDBConnection -DBConnection $cs
Set-ProvDBConnection -DBConnection $cs
Set-AppLibDBConnection -DBConnection $cs # 7.8 and newer
Set-OrchDBConnection -DBConnection $cs # 7.11 and newer
Set-TrustDBConnection -DBConnection $cs # 7.11 and newer
Set-BrokerDBConnection -DBConnection $cs
Set-EnvTestDBConnection -DBConnection $cs
Set-SfDBConnection -DBConnection $cs
Set-LogDBConnection -DBConnection $cs
Set-LogDBConnection -DataStore Logging -DBConnection $csLogging
Set-MonitorDBConnection -DBConnection $cs
Set-MonitorDBConnection -DataStore Monitor -DBConnection $csMonitoring
Write-Host "DB connections have been set. Enabling Monitoring and Logging. Afterwards, performing database tests..." -ForegroundColor Red
#Enable Monitoring and Logging
Set-LogSite -State Enabled
Set-MonitorConfiguration -DataCollectionEnabled $true
##Performing connection tests.
Test-AcctDBConnection -DBConnection $cs
Test-AdminDBConnection -DBConnection $cs
Test-AnalyticsDBConnection -DBConnection $cs # 7.6 and newer
Test-AppLibDBConnection -DBConnection $cs # 7.8 and newer
Test-BrokerDBConnection -DBConnection $cs
Test-ConfigDBConnection -DBConnection $cs
Test-EnvTestDBConnection -DBConnection $cs
Test-HypDBConnection -DBConnection $cs
Test-LogDBConnection -DBConnection $cs
Test-LogDBConnection -DataStore Logging -DBConnection $csLogging
Test-MonitorDBConnection -DBConnection $cs
Test-MonitorDBConnection -Datastore Monitor -DBConnection $csMonitoring
Test-OrchDBConnection -DBConnection $cs # 7.11 and newer
Test-ProvDBConnection -DBConnection $cs
Test-SfDBConnection -DBConnection $cs
Test-TrustDBConnection -DBConnection $cs # 7.11 and newer
Write-Host "Testing complete. Setting monitoring retention."
Set-MonitorConfiguration -GroomApplicationInstanceRetentionDays 180
Set-MonitorConfiguration -GroomDeletedRetentionDays 180
Set-MonitorConfiguration -GroomFailuresRetentionDays 180
Set-MonitorConfiguration -GroomLoadIndexesRetentionDays 180
Set-MonitorConfiguration -GroomMachineHotfixLogRetentionDays 180
Set-MonitorConfiguration -GroomMachineMetricDaySummaryDataRetentionDays 180
Set-MonitorConfiguration -GroomNotificationLogRetentionDays 180
Set-MonitorConfiguration -GroomResourceUsageDayDataRetentionDays 180
Set-MonitorConfiguration -GroomSessionsRetentionDays 180
Set-MonitorConfiguration -GroomSummariesRetentionDays 180
Set-MonitorConfiguration -EnableDayLevelGranularityProcessUtilization $True
Set-MonitorConfiguration -EnableHourLevelGranularityProcessUtilization $True
Set-MonitorConfiguration -GroomApplicationErrorsRetentionDays 7
Set-MonitorConfiguration -GroomApplicationFaultsRetentionDays 7
Set-MonitorConfiguration -GroomMachineMetricDataRetentionDays 7
Set-MonitorConfiguration -GroomSessionMetricsDataRetentionDays 7
Write-Host "-- Please reboot the Delivery Controller. --" -ForegroundColor Red
Write-Host "Run script against remaining delivery controllers until all controllers have been updated." -ForegroundColor Red
Write-Host "Do not open Citrix Studio or Citrix Director until ALL DELIVERY CONTROLLERS have had their connection strings updated." -BackgroundColor Yellow -ForegroundColor Black
Write-Host "Test steps after all controllers have been updated:"
Write-Host "1) Launch Citrix Director and check database links at the bottom of the dashboard "
Write-Host "2) Open Citrix Studio. Verify Applications and Delivery Groups look normal. Check Database servers (Configuration.)"
Write-Host "3) In Studio, Perform a Site test under Citrix Studio>Site Configuration. Ensure all 237 tests pass."
pause
- 1
-
Pretty common error.
Check SQL permission.
--Your account for installing/running commands should be a sysadmin.
--All your delivery controllers should be added as dbo to your Citrix databases.
--All your delivery controllers should have "connect" permissions to default system databases (master/model/msdb/tempdb.)
Seeing as it's local, I wouldn't expect to see a FW issue.
-
If you run your app server on a hypervisor, the simplest test would be:
- Take a snapshot of the Citrix App server.
- Uninstall Citrix VDA.
- Test application.
- Re-install app (if it still fails)
Vendors tend to blame Citrix too easily. After your testing is done you can revert to the snapshot to recover your server.
-
Probably the single worst setting you could have is a Citrix Policy "Launching of non-published programs during client connection." This would allow an attacker to modify an .ica file downloaded to their PC on launch. They can change the published resource name to something like Powershell.exe to override what program is launched.
Other than that, you go through Group Policies and turn off items in case they somehow got a desktop. Do some pen testing with whichever browser you publish. Make sure you can't launch apps. Simply typing in the local address in the address bar for Powershell was enough for IE! Lock down explorer too by hiding drives. Maybe prevent access to C if you can. You can create an AD group to undo the policy by setting a deny attribute in the GPO permissions. That way your admins would not be susceptible to the lock down policy.
If you really want to polish it, you could enable AppLocker. This can be configured to only run processes you specify. This is an awesome way to lock it down tight, but it requires some work. I forget the name of it, but it can run in an observation mode. This will report on processes that would have been blocked if AppLocker were enabled in the event log. That will allow you to build up a list and add processes users are OK to run to the list. Once you enable this, you'd have to test future apps out with AppLocker to ensure it doesn't interfere.
Hope this helps.
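The audit-mode workflow from the post above, as an added example (not part of the original post, and not a Citrix or Microsoft script): AppLocker's "Audit only" enforcement mode logs what would have been blocked, and this script triages those hits before any of them become allow rules. The sample records are constructed, and their field names, the path patterns and the interpreter list are assumptions.

```powershell
# Added example: triage AppLocker "Audit only" hits before switching to enforcement.
# On a live session host the input would come from the built-in cmdlet:
#   Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics
# The records below are CONSTRUCTED sample data (not real telemetry). Their field
# names are an assumption modelled on that cmdlet's statistics output.
$sampleAudited = @(
    [pscustomobject]@{ FilePath = '%PROGRAMFILES%\EXAMPLEVENDOR\LEGACYAPP.EXE'
                       FilePublisher = 'O=EXAMPLE VENDOR, C=US\LEGACYAPP\LEGACYAPP.EXE,4.2.0.0'
                       Counter = 412 }
    [pscustomobject]@{ FilePath = '%OSDRIVE%\APPS\INHOUSE\REPORTS.EXE'
                       FilePublisher = $null
                       Counter = 88 }
    [pscustomobject]@{ FilePath = '%SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE'
                       FilePublisher = 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\POWERSHELL.EXE,10.0.0.0'
                       Counter = 57 }
    [pscustomobject]@{ FilePath = '%OSDRIVE%\USERS\JDOE\APPDATA\LOCAL\TEMP\SETUP.EXE'
                       FilePublisher = $null
                       Counter = 3 }
)

function Get-AuditTriage {
    param([Parameter(Mandatory)][object[]]$Records)

    # Locations a standard user can usually write to. A path rule that allows
    # anything here lets users run whatever they drop into the folder.
    # (Illustrative patterns; adjust to the image being locked down.)
    $userWritable = '^%OSDRIVE%\\USERS\\|^%WINDIR%\\TEMP\\|^%OSDRIVE%\\TEMP\\'

    # Shells the post warns about users reaching from a published app.
    # (Illustrative list, not exhaustive.)
    $interpreters = 'POWERSHELL.EXE', 'POWERSHELL_ISE.EXE', 'CMD.EXE'

    foreach ($r in $Records | Sort-Object Counter -Descending) {
        $leaf = ($r.FilePath -split '\\')[-1]

        $action = if ($r.FilePath -match $userWritable) {
            'Investigate: runs from a user-writable path'
        } elseif ($interpreters -contains $leaf) {
            'Restrict: allow for the admin group only'
        } elseif ($r.FilePublisher) {
            'Candidate: publisher rule'
        } else {
            'Candidate: hash rule (unsigned binary)'
        }

        [pscustomobject]@{ Hits = $r.Counter; File = $r.FilePath; Action = $action }
    }
}

Get-AuditTriage -Records $sampleAudited | Format-Table -AutoSize -Wrap

# Once the "Investigate" and "Restrict" rows have been dealt with, the remaining
# audited files can be turned into rules with the built-in cmdlets, for example:
#   Get-AppLockerFileInformation -EventLog -EventType Audited |
#       New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml
```

Anything published later needs another pass in audit mode before it goes to users, since an enforced policy blocks whatever is not on the list.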
-
Can you copy/install the cert manually? Check cert permissions too.
-
Are they partial profiles or the full profile is being left behind? There could be "something" preventing files from being deleted.
-
1) Probably not. EDT is great for higher latency connections. It has done wonders for locations in India connecting to US VDAs. I doubt your users would notice a difference if they are all on the same LAN. Most users in the same building (or same city) did not see a difference enabling EDT.
2) Are the VDIs contained in the same delivery group? If so set up a Citrix policy for just that delivery group. There are other means of singling them out when you create a policy. I assume the IGEL just brokers connections to the VDI. Once you're on the VDI, you could launch apps with EDT from Citrix Workspace running on that desktop.
- 1
-
Can you id the process that is holding it up? RDP to the server as admin. Recreate the issue. As admin view open processes the user still has open in task manager. Kill processes one by one. Certain system processes can't be killed or give an ugly warning. Skip those. Once you kill the right process, it will log off the session for the user. Then open regedit, go to SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI. Edit LogoffCheckSysModules. Add the name of the process that is holding things up. Have the user logon once more and recreate the issue. If it fixes the issue, then you can add that registry value in Group Policy if you wish.
-
Did you check the StoreFront logs? RDP to StoreFront servers. Open Event viewer. Go to Application and Services Logs> Citrix Delivery Services. There are many things that can cause this error. The logs should help isolate it.
-
GUI tweaks can be tricky to figure out. There are many ways of going about doing it. You'll have to figure out which works best. I'll list out a few:
-
Find a theme that works best and set it in Group Policy. For example, I have a legacy app that requires more of a Windows 2000 look than 2019. I have a GPO setting of User Config> Policies> Administrative Templates> Control Panel> Personalization:
- Force a Specific visual style or force Windows Classic = enabled
- Load a specific theme / Path to theme file = C:\Windows\Resources\Ease of Access Themes\basic.theme
- Download a freeware tool called RegFromApp. Open a new process to Control Panel. Find your setting and toggle it. Close Control Panel. It spits out what registry changes were made by the app. Then you can apply it globally via Group Policy for users.
- Sometimes just Googling the setting with "registry" at the end gives results of what .reg key controls the settings.
-
I had something similar happen on server VDAs with 1912. VDAs deregister upon launch. Saw something in the "fixed issues" for the next documentation that could be it. I updated the VDA and that didn't solve it.
The problem ended up being on the Delivery Controller itself. I updated all my ddcs to the latest CU level and that solved the issue. I spent a lot of time focusing on the VDA since that's what deregistered. You said you're at 2209. If you're on-prem consider updating the ddc.
-
Assuming, you're talking the same SF Store? I know there are settings to disconnect the session on logout of SF, but if it's happening to the same store then it's likely not in StoreFront.
Need more info on the F5 set up. Are you using GTM or LTM? What's load balancing settings look like? Multiple members with persistence or round robin?
-
I always got unpredictable results using the VisualFXSetting=2. Essentially VisualFXSetting is the same as setting the radio button to "Adjust for best performance" Visual Effects.
A better way is to set VisualFXSetting=3 to essentially change that radio button to "Custom." Then you can control what you want on or off via reg key for those items. So in your case, you'll want to change:
- VisualFXSetting=3
- Add HKCU\Control Panel\Desktop: DragFullWindows (A string value) = 0
0 = Show window outline while dragging
1 = Show window contents while dragging
Of course setting Visual Effects opens up a Pandora's box. Once you start you feel obligated to set the rest of them to lock in those values to ensure everyone has the same experience. If you google each value, I'm sure you'll find the reg key and values easily enough.
Good luck.
-
Setting the registry value for each user is easy. Create a Group Policy for your servers (or modify an existing one.) Go to User Configuration>Preferences>Windows Settings>Registry. Add a new Registry item. Browse to your Value and set the data. Then repeat for remaining keys.
If you're unsure about which value to set, I suggest a tool called RegFromApp: https://www.nirsoft.net/utils/reg_file_from_application.html. It's kind of like procmon but for registry. It monitors changes to the registry for a specific process. Then it displays what it captured to a window.
-
I have seen this before. A coworker couldn't get any commands working in PowerShell ISE whereas on the same Cloud Connector I had no issue. As it turns out the issue is he was using the 32-bit version of PowerShell ISE; PowerShell ISE (x86).
It makes sense. Using 32-bit Powershell against back end 64-bit services is bound to run into problems. I just wish the error was more descriptive. I was able to reproduce the issue with both 64 and 32 bit versions of PowerShell ISE running side by side.
-
Did you happen to delete the contents of C:\Windows\Temp manually or through some automated means? I had the issue. I had an issue with automating the installation through Puppet so I wiped out C:\Windows\Temp manually as a troubleshooting step. Then I kept seeing in my XenDesktop Installation.log file this:
Failed to find the MediaID file at 'C:\windows\TEMP\Ctx-2E22A811-50C3-4ECF-9A5B-44E3219B58A0\Extract\Image-Full\x64....
The Ctx-2E22A811 folder was deleted, so I copied another ctx folder within C:\Windows\Temp that had the same VDA version and named it Ctx-2E22A811-50C3-4ECF-9A5B-44E3219B58A0. I confirmed the VDA version was the one I wanted by looking at C:\Windows\Temp\Ctx-2E22A811-50C3-4ECF-9A5B-44E3219B58A0\Extract\Image-Full\ProductVersion.txt. Lesson learned, don't wipe out those ctx folders until the installation is done.
-
I just spent a few weeks on this issue. I know this is an old thread, but I'll post what I found here to hopefully help people. First off, Microsoft does not recommend disabling ADAL or WAM to fix this issue. REF: https://docs.microsoft.com/en-us/office365/troubleshoot/administration/disabling-adal-wam-not-recommended. For those of you posting that as a solution, it's incorrect!
The bottom of the above article is a link to https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-device-dsregcmd. I ran this dsregcmd on my older 2012R2 / 2016 boxes and pretty much everything was "NO." However, on my 2019 box AzureADJoined=YES and like the sample output I had tenant details populated with details. What was different was the user state. My user had NO for NGCSET, WORKPLACEJOINED, & WAMDEFAULTSET. So, I focused on the User details and ran some tests with Outlook. After each test, I deleted my profile. In order to see these details, I published Command Prompt to my O365 user. From there I launched the dsregcmd as well as launched Outlook.
- Run published application. DSREGCMD showed No for user details. I ran Outlook and I saw the legacy Outlook sign in which didn't work.
- I RDP'ed to the box as the same user. DSREGCMD showed No for user details. I ran Outlook. Outlook built the profile successfully and I saw my e-mail. I reran the DSREGCMD and this time DSREGCMD showed WAMDEFAULTSET=YES. Same session. The only change was running Outlook!
-
Back to the article about disabling ADAL/WAM not being recommended, I started looking at the troubleshooting steps. Recommendation #6 links to an article that talks about reinstalling an Azure AD WAM plugin. MS was kind enough to include the PowerShell command to look for the package and install it if necessary. So I deleted my profile once more and tested my Command Prompt published application.
- Start Command Prompt
- Run DSREGCMD. Noted user details all were NO.
- Entered PowerShell
- Entered the PowerShell command: if (-not (Get-AppxPackage Microsoft.AAD.BrokerPlugin)) { Add-AppxPackage -Register "$env:windir\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Appxmanifest.xml" -DisableDevelopmentMode -ForceApplicationShutdown } Get-AppxPackage Microsoft.AAD.BrokerPlugin
- Ran DSREGCMD again. This time WAMDEFAULTSET=YES.
- Started Outlook. It built my Outlook profile successfully and then I had my e-mail.
SOLUTION:
Execute the PowerShell command provided by Microsoft to check and install the AD WAM Plugin for each user. This plugin is stored in the user's profile. I created a logon script to run the command and linked to a GPO applied to my 2019 servers. Office activates automatically (unlike my 2012 servers which will popup a signon screen if profile is deleted.) Even Edge started logged in without any authentication. So, don't disable ADAL/WAM. You're just postponing the problem. Eventually you'll need to upgrade your Office build and you'll have to fix this.
- 4
Upgrading OS and Citrix from Windows 2016 to 2022 and Citrix Virtual Desktop and App 7 1912 to 2103
in XenApp 7.x
Posted
You're going to have to upgrade from 1912 to 2203 before you do the OS uplift to W2022 because W2022 isn't supported on 1912. High level steps would be:
1912 to 2203:
W2016 to W2022:
Good luck.