Test Checklist for Citrix XenApp Deployment

While this won’t fit the bill for all your Citrix XenApp deployments I wanted to share what I like to test at the end of a new deployment as I couldn’t find much online when I looked for guidance. I’d very much welcome any suggestions to make this more comprehensive and will add them to a future edits of this post.

For a bit of a background this deployment involved installing new HP Servers and  deploying VMWare ESXi. Hence the test sections relating to those. There was very minimal NetScaler Access Gateway reconfiguration to reference the new StoreFront servers.

System Testing

HPE iLO and Hardware Status

Task ID Task Description Result (Success/Fail) Remedial Action Required / Notes
UAT/HPE/001 From a PC connected to the internal data network login via http://ESX01-ILO.DOMAIN.LOCAL. Confirm login to iLO interface succeeds.
UAT/HPE/002 From a PC connected to the internal data network login via http://ESX02-ILO.DOMAIN.LOCAL. Confirm login to iLO interface succeeds.
UAT/HPE/003 From a PC connected to the internal data network login via http://ESX03-ILO.DOMAIN.LOCAL. Confirm login to iLO interface succeeds.
UAT/HPE/004 From a PC connected to the internal data network login via http://ESX04-ILO.DOMAIN.LOCAL. Confirm login to iLO interface succeeds.
UAT/HPE/005 On ESX01-ILO.DOMAIN.LOCAL confirm System Health displayed as OK and no hardware or configuration issues are shown.
UAT/HPE/006 On ESX04-ILO.DOMAIN.LOCAL confirm System Health displayed as OK and no hardware or configuration issues are shown.
UAT/HPE/007 On ESX03-ILO.DOMAIN.LOCAL confirm System Health displayed as OK and no hardware or configuration issues are shown.
UAT/HPE/008 On ESX04-ILO.DOMAIN.LOCAL confirm System Health displayed as OK and no hardware or configuration issues are shown.
UAT/HPE/009 On ESX01-ILO.DOMAIN.LOCAL launch remote console and confirm connection to the server.
UAT/HPE/010 On ESX02-ILO.DOMAIN.LOCAL launch remote console and confirm connection to the server.
UAT/HPE/011 On ESX03-ILO.DOMAIN.LOCAL launch remote console and confirm connection to the server.
UAT/HPE/012 On ESX04-ILO.DOMAIN.LOCAL launch remote console and confirm connection to the server.

VMWare

Task ID Task Description Result (Success/Fail) Remedial Action Required / Notes
UAT/ESX/001 From a PC connected to the internal network browse to https://esx01.domain.local and confirm successful logon.
UAT/ESX/002 From a PC connected to the internal network browse to https://esx02.domain.local and confirm successful logon.
UAT/ESX/003 From a PC connected to the internal network browse to https://esx03.domain.local and confirm successful logon.
UAT/ESX/004 From a PC connected to the internal network browse to https://esx04.domain.local and confirm successful logon.
UAT/ESX/005 Login to https://vcenter.domain.local and confirm ESX01, ESX02, ESX03 and ESX04 are all being managed by vcenter.
UAT/ESX/006 While connected to https://vcenter.domain.local confirm no alerts which would indicate hardware or configuration issues are shown on cluster “XenAPP”. Success
UAT/ESX/007 While connected to https://vcenter.domain.local confirm virtual machine start up settings are set as expected. Success

NetScaler

The NetScaler tests are focused on newly configured functionality only such as NetScaler Gateway and load balancing virtual servers.

Task ID Task Description Result (Success/Fail) Remedial Action Required / Notes
UAT/NS/001 Login via http://citrix.company.org.uk
UAT/NS/002 Launch published desktop via http://citrix.company.org.uk
Standard Desktop
Staging Desktop
Finance Desktop
IT Desktop
UAT/NS/003 Log off http://citrix.company.org.uk
UAT/NS/004 Disconnecting network on STOREFRONT01 results in requests being directed to STOREFRONT02
UAT/NS/005 Disconnecting network on STOREFRONT02 results in requests being directed to STOREFRONT01
UAT/NS/006 Browser requests sent to http://citrix.company.org.uk are redirected to https://citrix.company.org.uk/Citrix/company/PNAgent/config.xml. This is to allow for redirection of HP Thin Clients which can’t be reconfigured. I would normally test a simple http to https redirection
UAT/NS/007 Login via https://myoffice.company.org.uk  (from an external network)
UAT/NS/008 Launch published desktop via https://myoffice.company.org.uk (from an external network)
Standard Desktop
Staging Desktop
Finance Desktop
IT Desktop
UAT/NS/009 Log off https://myoffice.company.org.uk (from an external network)
UAT/NS/010 Configure an iOS device for https://myoffice.company.org.uk and launch desktop.
UAT/NS/011 Configure Citrix Receiver for Windows for https://myoffice.company.org.uk and launch desktop.
UAT/NS/011 From vSphere web client confirm NetScaler01 and NetScaler02 have been moved over to the new XenApp cluster.

Storefront

Task ID Task Description Result (Success/Fail) Remedial Action Required / Notes
UAT/SF/001 Published desktops and applications enumerated as expected following logon to https://citrix.company.org.uk    
UAT/SF/002 Login to Desktop Appliance site https://citrix.company.org.uk/Citrix/StoreDesktopAppliance    
UAT/SF/003 Desktop is auto launched upon login to https://citrix.company.org.uk/Citrix/StoreDesktopAppliance    
UAT/SF/004 Log off from https://citrix.company.org.uk/Citrix/StoreDesktopAppliance    
UAT/SF/005 Confirm successful launch of Application1    
UAT/SF/006 Confirm successful launch of Application2    
UAT/SF/007 Confirm successful launch of Application3    
UAT/SF/008 Confirm successful launch of Application4    

Desktop Delivery Controllers

Task ID Task Description Result (Success/Fail) Remedial Action Required / Notes
UAT/DDC/001 Run Site configuration test in Citrix Studio and confirm no warnings or failed tests are identified.    
UAT/DDC/002 Run machine catalog test in Citrix Studio against each catalog (Standard Desktop, IT Desktop, Finance Desktop, Staging Desktop, Application delivery) and confirm no warnings or failed tests are identified.    
UAT/DDC/003 Run delivery group test in Citrix Studio against each delivery group (Standard Desktop, IT Desktop, Finance Desktop, Staging Desktop, Published Applications) and confirm no warnings or failed tests are identified.    
UAT/DDC/004 Sessions are distributed across session hosts.    
UAT/DDC/005 Correct license information is displayed for the farm in Citrix Studio (500 XenApp Enterprise concurrent licenses).    
UAT/DDC/006 Disconnecting network on CTXDEL01 results in requests being handled by CTXDEL02.    
UAT/DDC/007 Disconnecting network on CTXDEL01 results in requests being handled by CTXDEL02.    

Citrix License Server

Task ID Task Description Result (Success/Fail) Remedial Action Required / Notes
UAT/LIC/001 XenApp Enterprise Licenses shown in License Administration Console.    
UAT/LIC/002 Users aren’t presented with any license related errors on logon.    
UAT/DC/003 Members of “Domain Admins” can successfully login to the License Administration Console. To be tested against Patrick’s logon.    

Terminal Services Licensing

Task ID Task Description Result (Success/Fail) Remedial Action Required / Notes
UAT/RDS/001 Logon to lic01.domain.local, open RD Licensing manager and confirm Windows Server 2012 are present and license server activated.    
UAT/RDS/002 Logon to lic01.domain.local, open RD Licensing manager and confirm licenses are being issued by the server.    
UAT/RDS/003 Users aren’t presented with any license related errors on logon on to session host servers.    
UAT/RDS/004 Run gpresult on a session host and confirm License servers to use is set to LIC01.    

Citrix Director

Task ID Task Description Result (Success/Fail) Remedial Action Required / Notes
UAT/DIR/001 Members of Domain Admins can login to Citrix director at http://ctxdir01.domain.local/director/  to be tested with Patrick’s account.    
UAT/DIR/002 All session hosts are visible to from Citrix Director.    
UAT/DIR/003 Confirm successful session shadowing.    

Local Host Cache

The Local Host Cache (LHC) feature allows connection brokering operations in a XenApp or XenDesktop Site to continue when site database outage occurs. To simulate an outage the SQL instance sql01\CITRIX will be stopped.

Task ID Task Description Result (Success/Fail) Remedial Action Required / Notes
UAT/LHC/001 Verify a new connection can be made to the farm by launching published desktop.    

Client Testing

This section covers connectivity to the new Citrix XenApp 7.15 site from a variety of clients.

Internet Explorer Browser

Task ID Task Description Result (Success/Fail) Remedial Action Required / Notes
UAT/IE/001 Login to https://citrix.company.org.uk. Confirm successful logon.    
UAT/IE/002 Confirm desktops/applications are listed as expected.    
UAT/IE/003 Launch publish desktop and confirm successful launch.    
UAT/IE/004 Log out from desktop without errors.    
UAT/IE/005 Log out from Storefront without errors.    

IGEL Thin Client

Task ID Task Description Result (Success/Fail) Remedial Action Required / Notes
UAT/IG/001 Login to https://citrix.company.org.uk. Confirm successful logon.    
UAT/IG/002 Confirm desktops/applications are listed as expected.    
UAT/IG/003 Launch publish desktop and confirm successful launch.    
UAT/IG/004 Log out from desktop without errors.    
UAT/IG/005 Log out from Storefront without errors.    

HP Thin Client

Task ID Task Description Result (Success/Fail) Remedial Action Required / Notes
UAT/HP/001 Login to https://citrix.company.org.uk/Citrix/StoreDesktopAppliance. Confirm successful logon.    
UAT/HP/003 Confirm desktop is auto launched as expected.    
UAT/HP/004 Log out from desktop without errors.    
UAT/HP/005 Log out from Storefront without errors.    

User Testing

The client would normally define their testing criteria.

Overall Test Result PASS/FAIL
All tests have been carried out successfully.  
Test Plan results verified with  
Customer Contact Signature  
Date  
Advertisements

XenDesktop: Migrating dedicated catalog to another datastore

If you are looking to move your virtual machines to another datastore chances are you have already come across this Citrix article: How to Migrate Dedicated Catalog to Another Datastore.

Last week I have unsuccessfully attempted to follow it and thought I would clarify a couple of ambiguous points in the guide and it’s indented application.

First of all I need to point out that if you intend to move your base image file this guide isn’t going to do it for you. While you are asked to copy the base image to the new datastore it doesn’t tell you to delete it from the old location. This is because all the delta disks you move will still be referencing the original base image file location. So if you are hoping to decommission  some old storage and need everything to move, Citrix recommend you convert the linked clones to full clones – you can achieve this by a simple storage migration in vSphere. You can then remove them from the catalog and add again as existing. There is an inevitable increased storage requirement which is what you were probably trying to avoid in the first place but it is the safest and most reliable way of doing this.

You could also look at editing the vmdk configuration files of your moved VMs and setting parentFileNameHint to the new file path – I will delve deeper into this in a future post.

If the Citrix guide still fits the bill for you here are the parts that I found slightly unclear. Some of them may seem obvious but as I things weren’t working out for me I was questioning every step.

Step 5:

Copy vmdk to new storage.

VMware PowerCli command:

Copy-DatastoreItem 'vmstore:\vc-servername\source_datastore\ contosow7-baseDisk-datastore-11\*' 'vmstore:\vc-servername\dest_datastore\ contosow7-baseDisk-datastore-11\' -Force

After copy has been completed, base disk will be converted to thick format; diff disk will remain thin-provisioned.

What Citrix want you to do here is to copy all your machine’s deltas and the base image file over to the new datastore. The command above assumes they are all within the same folder (contosow7-baseDisk-datastore-11) but depending on how you have the files organised you might need to copy the base image file separately. You will also likely have your vmx and other configuration files in the same location and these will be copied over at the same time. These won’t be used for anything as when you recreate the machines a new folder will be create for each one. In effect there will a be some doubling up but nothing to worry about as the storage use will be negligible. You can also manually copy the files using the vSphere client and the effect will be the same.

Step 6:

Back up the base and diff disk folder defined in the filename column of the contoso_disk.csv file. Delete the machines to be migrated through the desktop studio console and choose the options to “Remove the accounts from the Catalog but do not remove them from Active Directory”.

You should already have  a copy of all this on your new datastore but you might want to backup within the same datastore to reduce the restore time if required. When you delete the machines from the catalog the diff disks will be deleted but the base image will remain intact anyway.

Step 7:

Create new machines with existing disks. (Import.csv) file is used with the columns shown in the following table.

VMName LastConnectionUser OldDiskPath NewDiskPath
contosow7AAA contoso\user1 [source_datastore] contosow7-baseDisk-datastore-11/contosow7-baseDisk-datastore-217-000005.vmdk [dest_datastore] contosow7-baseDisk-datastore-11/contosow7-baseDisk-datastore-217-000005.vmdk

VMware PowerCli command:
Import-Csv importcsv.csv -UseCulture | %{
$vm = New-VM -Name $_.VMName -VMHost 20.10.102.12 -MemoryMB 2048 -NumCpu 2 -GuestId “windows7_64Guest” -NetworkName “VLAN 123”  -Datastore “Dest_Datastore” -DiskPath $_.NewDiskPath
}

The OldDiskPath isn’t used during the machine creation at all so you don’t need to worry about it too much. The NewDiskPath is the path for the machine’s delta – not the base image file.

Hope this helps to avoid at least some of the confusion.

Did you know?

Well I didn’t. More specifically I didn’t know that Server 2008 behaves quite differently to 2003 when it comes to choosing a source IP address on a server with multiple IP addresses on the same interface.

Previously on Server 2003 the source address would be the primary address on the interface in question. This address would also register in DNS. Server 2008 and higher uses the address which has the most bits in common with the default gateway. This is worked out in binary and I won’t bore you with the details. To make this a little bit easier on us Microsoft have released a hotfix which introduces the SkipAsSource flag. To use it you have to remove the IP addresses and re-add them using the netsh command.

For example:

netsh Int IPv4 Add Address <Interface Name> <IP Address> SkipAsSource=True

To check that the command worked as expected run:

Netsh int ipv4 show ipaddresses level=verbose

You should see something like this:

skipassource

In case you can’t see the Skip as Source setting you still need the install the hotfix above.

You would hope that you’re done at this stage but there are some issues with this hotfix and you will need to install two more:

 

KB2554859: The “skipassource” flag of IP addresses is cleared after you use the GUI to change IP settings of a network adapter in Windows 7 or in Windows Server 2008 R2

KB2551090: IIS Manager does not display IP addresses that are assigned to the network adapter together with the skipassource flag

This does the trick and gives you control over which addresses are registered in DNS and used as source.

References:

https://blogs.technet.microsoft.com/networking/2009/04/24/source-ip-address-selection-on-a-multi-homed-windows-computer/

http://blogs.technet.com/b/rmilne/archive/2012/02/08/fine-grained-control-when-registering-multiple-ips.aspx#pi63079=2

 

 

 

Installing drivers on ESXi 5.5 using esxcli

Today’s post is nothing revolutionary I’m afraid and is more for my own reference than anything else. I couldn’t recommend this VMware article more: http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2137854 . It comes with a video too.

I had to update the network adapter and the raid controller drivers

Before you start:

  1. Check / Enable SSH using vSphere client:
    • Select the host, click the Configuration tab, and click Security Profile in the Software panel.
    • In the Services section, click Properties.
    • Select ESXi Shell and click Options
    • Change the ESXi Shell options (Start/Start and stop with host).
    • OK.
  1. Check full datastore path:
    • Log in as root to the ESXi console through SSH.
    • Run esxcli storage filesystem list
    • Identify the datastore you are going to use for your drivers and record the mount point path ( I am using the ISO datastore so /vmfs/volumes/4e024984-a6c3ca91-a8bf-b499baa912d9 is what I need):

putty1

Install:

  1. Download drivers from VMware.
  2. Extract the contents of the async driver zip file.
  3. Identify the offline-bundle.zip file(s).
  4. Extract the contents of the offline-bundle.zip file(s).
  5. Identify the async-driver.vib file(s).
  6. Log in to the ESXi host using the vSphere Client with administrator privileges, such as root.
  7. Using Datastore Browser, upload the async-driver.vib file(s) to an ESXi host’s datastore.
  8. Enter the host into maintenance mode. (This means either shutting down or migrating all VMs on that host.)
  9. Log in as root to the ESXi console through SSH.
  10. Run this command to install drivers from the VIB file:
    esxcli software vib install –v /path/async-driver.vib
    For example:  esxcli software vib install -v /vmfs/volumes/55a47a7f-11c62c90-711e-d8b190a2deb2/LSI_bootbank_scsi-megaraid-sas_6.606.06.00-
  11. Restart the ESXi host.
  12. To confirm if the VIB is installed successfully, run this command to check the version:
    esxcli software vib list | grep -i vib_name
    For example: vib list | grep -i scsi-megaraid-sas
    putty2
  13. Exit maintenance mode.

Windows 8.1 hangs after changing expired password at logon

Update: This is now fixed in the following updates:


 

I have spent the last few weeks looking at an issue where after a user gets prompted to change their expired password at logon Windows just hangs at either Welcome or Changing your password.

I have googled every possible permutation of the search terms to no avail. Through a lot of testing I have found that disabling the group policy that sets the  default associations configuration file seems to help  but couldn’t for the life of me understand why. So decided to throw in the towel and log a case with Microsoft support and then as it often happens this blog post crops up: http://blogs.technet.com/b/askpfeplat/archive/2016/01/11/does-your-win-8-1-2012-r2-win10-logon-hang-after-a-password-change.aspx .

It really nicely explains what is going and how to get around it. It also turns out it’s not just limited to changing expired passwords either.

In my case I had the Set a default associations configuration file group policy applied (Computer configuration\administrative templates Windows Components\File Explorer\ “Set a default associations configuration file”) with the file sitting in the sysvol share so the best workaround was to move the file to a non DFS share on a different server and updating the group policy.

Another viable option could be disabling the credential manager and clearing cached credentials.

Definitely have a ready through the article as you might be experiencing the same problem if you map your drives to DFS shares.

Here is what happens during the logon process (taken from the above article):

1. When the user logs on, the profile service tries to map network home folder to \\contoso.com\…

2. To do this, we need to have a call created in RDR, and this requires a SMB session setup to dcname.contoso.com

3. The SMB session setup requires a security blob created to authenticate with the target server, which is the DC.

4. To create the security blob, Kerberos will check saved credentials by calling DPAPI.

5. DPAPI cannot decode the saved credential because the master key is not available because the user’s password is reset on DC, so it will need to query the DC for a master key. This requires a named pipe call to \\dcname.contoso.com\IPC$\protected_storage

6. To connect to this named pipe, RDR found it is the same as previous call in#2 (same fqdn DC name \\dcname.contoso.com) so now session setup is queued…

7. The Kerberos thread will hang forever, and the profile service will hang forever until a reboot.

8. After reboot, the user still cannot logon with the same symptom. (note: a different user CAN log on).

Really pleased I can finally tick this one off my list after scratching my head for such a long time. I will be looking out for updates and hopefully a full fix from Microsoft soon.

 

SEP clients offline after migrating to a new server

Just a quick post today. We have migrated our Symantec Endpoint Protection Manager to a new server last week. For the most part the Disaster recovery best practices support article is very useful. However what it doesn’t mention is that unless your new server has the same name your clients will still be trying to connect to the old one. I suppose that’s why it is a DR procedure rather than a migration.

What you need to do is update the clients connection settings. There are a few ways in which you can achieve this again pretty well detailed here and for SEP 12.1 RU2 or newer here.

NPS Migration Steps

I have been involved in a small migration project over the last couple of months and will be sharing my notes. In all fairness most of this comes from Microsoft guides which are pretty good and comprehensive. What I’ll be sharing is a rather condensed version so you might want to read through the original articles before undertaking your own migrations.

First up is the network policy server migration which is very straight forward.

NPS Migration Steps

Preparation

NPS01

Preparing the source server:

  • Gather information for the table above.

Preparing the destination server:

  • Configure new server OU and group membership identical to the source.
  • Install NPS role service.

Exporting settings from the source server (Windows Server 2008)

  • On the source server open elevated command prompt and run:
    netsh nps export filename=”\\share\IT\NPS\file.xml” exportPSK=YES

Importing settings to the destination server:

  • On the destination server open elevated command prompt and run:
    netsh nps import filename=”\\share\IT\NPS \file.xml”

Verifying the NPS migration

Source: https://technet.microsoft.com/en-us/library/dn530780.aspx

  1. Check that NSP is running on the destination server:
    • In elevated command prompt run: sc query ias
    • In the command output, verify that RUNNING is displayed next to STATE.
  2. Verify NPS config has been migrated:
    • netsh nps show config
    • Verify that the destination server is not using default NPS settings. For example, default settings display a single policy under Connection request policy configuration with the name Use Windows authentication for all users.
  3. Verify that NPS console is displaying correct settings
    • Using the NPS console navigate to Policies, RADIUS clients and servers…etc to make sure settings are displayed as expected.
  4. Verify Authentication methods:
    In this case NSP02 uses certificate based EAP methods, the destination server might already be provisioned with a suitable certificate through autoenrollment. You might also be required to manually enroll the destination server with a computer certificate.

    • To view the certificates associated with EAP methods on CAE-WT-DC02, open the NPS console.
    • Open Policies → Network Policies → Wireless Users Services/Wireless Users General.
    • Check the Constraints tab.
    • Click Authentication Methods, and then under EAP Types click Microsoft: Protected EAP (PEAP).
    • Click Edit, verify that the correct certificate is chosen next to Certificate issued or Certificate issued to, and then click OK.
  5. Verify client connections:
    • On the destination servers In the event viewer console tree, open Custom Views\Server Roles\Network Policy and Access Services.
    • In the details pane, verify under Event ID that event number 6272 is displayed.
    • Events 6273 or 6274 indicate that client authentication attempts are unsuccessful.
    • If no events are displayed, client connection requests are unable to reach the destination server, or the server is not logging authentication attempts.

Notes:

Migration file store –  you can of course export the file locally on the source server and then manually copy over.

DNS and IP addresses – Depending on how your radius clients connect to the NPS server for authentication you might want to assing the same IP addresses to the new servers, update your DNS records accordingly or update each radius client separately.