Archive | Windows

Black screen when re-connect to VMware Horizon virtual desktop

27 May

We had an issue after we upgraded our EUC stack, in particular VMware App Volumes from 2.14 to 2.18.1. Quite a few end-users started reporting a black screen when they tried to re-connect to their desktops after the original session launch: re-connecting after a break, after an endpoint screen lock, on the next working day, and so on.

EUC Environment Details:
VMware Horizon 7.11
VMware App Volumes 2.18.1
VMware Dynamic Environment Manager 9.10
VMware Horizon Client 5.x
VMware Workspace One 3.3

Process of elimination

  • If we re-created the writable volumes of the affected end-users, the black screen issue went away. This was the clue that the problem lay with VMware App Volumes – Writable Volumes
  • No errors/failures were observed in the VMware DEM/Horizon logs
  • We upgraded the Horizon Client to the latest 5.x version to rule out any client-related issues
  • We already had the necessary anti-virus exclusions in place, based on VMware's Antivirus Considerations in a VMware Horizon 7 Environment

Resolution
After trying all the usual steps, and to avoid re-creating writable volumes for every affected end-user, we opened a VMware GSS case. It was handled by Karan Ahuja (a very helpful support engineer) and ended up being worked by the engineering team (Art Rothstein, champ of the AV engineering team). Quite a lot of logs, memory dumps and Procmon captures were collected from the problematic VM using various remote gathering techniques. Finally, the fix was determined to be a writable volume snapvol.cfg exclusion. (In our case the problem was caused by smss.exe using a copy of winlogon.exe that lived on the writable volume.) After adding this exclusion for all affected end-users, they stopped seeing black screen issues upon re-connect.

exclude_path=%SystemRoot%\System32\winlogon.exe
Path exclusion in writable volumes snapvol.cfg

In this post I am not outlining the steps for adding the snapvol.cfg exclusion, as my ex-colleague Daniel Bakshi covers it step by step in a VMware blog post. I hope you find this information useful if you run into intermittent black screen issues.

Thanks,
Aresh Sarkari

Create a Memory Dump from a Suspended Virtual Machine – VMware vSAN

10 Nov

If you have a VMware vSAN environment and want to capture a memory dump of a virtual machine for debugging, or need to provide a memory.dmp to VMware GSS or R&D for further analysis, read on!

Use Case – In our scenario we had a few VDI desktops running Windows 10 1607 + Horizon 7.3.1 + App Volumes Writable Volumes 2.13.1 + UEM 9.2.1 that were getting into an unresponsive state. As a last resort we wanted to capture a memory dump to find out what was causing the VM to become unresponsive.

Step by Step Instructions:

Using the vCenter console, select the virtual machine and choose VM – Power – Suspend.

This creates the *.vmss and *.vmem files for debugging. (Note: the *.vmem file is applicable from ESXi 6.0 onwards.)
VM Directory

Make a note of the ESXi host name/IP on which the suspended VM resides.

— SSH to the ESXi host and browse to the VM directory:

# cd /vmfs/volumes/vsanDatastore/od-av-troub-1 (where “od-av-troub-1” is the VM name)


— Now let's open the *.vmem file with the “cat” command to retrieve the Object ID. Make a note of the Object ID.

# cat od-av-trou-1-7622414e.vmem

Object ID

In my scenario the Object ID was already present, so I didn't have to use objtool to find the opened object. However, in some cases you might have to run the following command

Now log in to the same ESXi host with WinSCP and go to the path:
Object ID – /vmfs/device/vsan/2c86055a-573b-d20a-5cdf-ecf4bbea1e48 (my scenario)
or else the “Object opened at” path, and download the file “2c86055a-573b-d20a-5cdf-ecf4bbea1e48”, which is your *.vmem file, to the local or remote location you are using with WinSCP.

Rename the Object ID file to the friendly name shown in the VM directory. I renamed it od-av-trou-1-7622414e.vmem.

For the *.vmss (od-av-trou-1-7622414e.vmss) you can WinSCP directly to the ESXi host, go to the VM directory location and move the file to your local or remote location.

Once you have both files, *.vmem and *.vmss, you can use the VMware vmss2core Fling to convert them into a dump. Make sure you meet its requirements and use the switches appropriate to your environment.

# vmss2core -W8 od-av-trou-1-7622414e.vmss od-av-trou-1-7622414e.vmem

— The above command generates a memory.dmp file which can be used in WinDbg for further analysis. If you are sending the dump file to someone, compress it as a *.zip first.

I hope these steps save you a lot of time during daunting unresponsive-VM issues. A big thanks to Frank EscarosBuechsel for helping with the entire procedure.

Thanks,
Aresh Sarkari

Troubleshooting Horizon TrueSSO aka Horizon Enrollment Server like a Ninja!

10 Oct

If you have deployed the Horizon TrueSSO feature in your environment, the obvious question is how to troubleshoot it when issues occur. Here are some tips and tricks around troubleshooting TrueSSO aka the Enrollment Server feature:

  • If you have two teams, one managing Active Directory/Certificate Services and the other managing the Horizon infrastructure, the following tip is for the Horizon admins. Install the Microsoft RSAT tools on your domain-joined machine or on the Enrollment Servers, and include the AD Certificate Services Tools. This gives you the following snap-ins in read-only mode:
    • Enterprise PKI – lets you check the CDP, CRL and Issuing CA status
    • Certificate Templates – TrueSSO, Enrollment Agent (Computer) templates etc.
  • Make sure to enable trace logging on the Enrollment Servers and on the Horizon Agent (within the master image) during troubleshooting. It provides additional detail on the error message:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM]
      “debugEnabled”=”true”
      “traceEnabled”=”true”
    • How to know whether an end-user logged in via TrueSSO – Interactive_SmartCard_Logon will be visible in the Horizon Agent log (if trace logging is enabled)
    • If TrueSSO is not used and SAML with CLEAR(Text)_PASSWORD is used instead, you will see that in the Horizon Agent log (if trace logging is enabled)
  • If you have two Issuing CAs for high availability and redundancy, make sure you import the TrueSSO template on the other Issuing CA as well: click Certificate Templates > New > Certificate Template to Issue, select “TrueSsoTemplate” from the “Enable Certificate Templates” dialog and press “OK”. If you skip this step, the Horizon Administrator dashboard will complain: The primary and secondary enrollment server is not connected to the certificate servers “XXXXXX”
  • Read and learn to use the VMware Fling es_diag.exe. It provides a lot of information from the Horizon Enrollment Server standpoint and equips you to troubleshoot issues with the certificate servers:
    • /ListConfigs
    • /ListEnvironment
    • /EnrollmentTest
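To switch on the trace/debug logging mentioned above and then tell TrueSSO logons apart from password logons in the agent log, here is a PowerShell script added to this post (it is not VMware's code). The registry key and the two marker strings come from the post; the log folder path and the sample log lines are constructed assumptions.

```powershell
# Added example, not part of the original post or of the Horizon product.
# Enables debug/trace logging via the registry values quoted in the post, then
# classifies Horizon Agent log lines by the logon marker they carry.
$VdmKey = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM'

function Enable-HorizonTraceLogging {
    # Both values are REG_SZ "true" exactly as the post shows; -Force overwrites an existing value.
    if (-not (Test-Path -LiteralPath $VdmKey)) {
        New-Item -Path $VdmKey -Force | Out-Null
    }
    foreach ($name in 'debugEnabled', 'traceEnabled') {
        New-ItemProperty -LiteralPath $VdmKey -Name $name -Value 'true' `
            -PropertyType String -Force | Out-Null
    }
    # Return what is now in the registry so the change can be verified.
    Get-ItemProperty -LiteralPath $VdmKey | Select-Object debugEnabled, traceEnabled
}

function Get-HorizonLogonMethod {
    param([Parameter(Mandatory)] [string[]] $LogLine)
    # The two markers are the ones the post says appear in the agent log with trace enabled.
    foreach ($line in $LogLine) {
        if ($line -match 'Interactive_SmartCard_Logon') {
            [pscustomobject]@{ Method = 'TrueSSO (smart card)'; Line = $line }
        }
        elseif ($line -match 'CLEAR\(Text\)_PASSWORD') {
            [pscustomobject]@{ Method = 'SAML + password (TrueSSO not used)'; Line = $line }
        }
        # Any other line is not a logon record for our purposes and is dropped.
    }
}

# Constructed sample lines (the real agent log format differs; only the markers matter).
$sample = @(
    '2019-10-10T09:01:12 DEBUG logon type: Interactive_SmartCard_Logon user=CORP\alice'
    '2019-10-10T09:05:44 DEBUG logon type: CLEAR(Text)_PASSWORD user=CORP\bob'
    '2019-10-10T09:06:01 INFO  session established'
)

# On a real agent (assumed log folder; adjust to your Horizon version) you would use:
# $lines = Get-Content -Path 'C:\ProgramData\VMware\VDM\logs\debug-*.txt'
Get-HorizonLogonMethod -LogLine $sample | Group-Object -Property Method |
    Select-Object -Property Name, Count
```

Run Enable-HorizonTraceLogging first on the agent or Enrollment Server; the registry change needs a service restart or reboot before new log lines carry the markers.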

My colleague Tarique Chowdhury has posted a few troubleshooting steps in the following post; the section “Testing” gives more detail on what to look for in the logs.


I hope you find this post useful during the Horizon TrueSSO aka Enrollment Server troubleshooting.

Thanks,
Aresh Sarkari

Top 10 lessons during Horizon TrueSSO deployment aka Horizon Enrollment Servers

6 Oct

Recently I got the opportunity to deploy VMware Horizon TrueSSO in our environment. TrueSSO provides users with True single sign-on: after users log in to VMware Identity Manager (Workspace ONE), optionally using RSA SecurID authentication, they are not required to enter Active Directory credentials to use a virtual desktop or hosted application.

Let me share my top 10 lessons learnt from the deployment:

  1. In a production deployment I recommend sizing the Enrollment Server Windows VM the same as a Connection Server (the ES role is not very resource intensive):
    • CPU – 4 vCPU
    • Memory – 10 GB RAM
    • HDD – 80 GB
  2. Make sure the “Group Scope” is set to “Universal” for the Active Directory group to which the Enrollment Server computer account is added
  3. On the newly created TrueSSO template (Smart Card Logon and Client Authentication), make sure that under the Security tab the “Authenticated Users” group has Read permission and the Active Directory group for the Enrollment Server computer accounts has Read and Enroll
  4. If you are deploying more than one Enrollment Server, go into the Horizon ADAM database and add the following value to load balance between the two Enrollment Servers:
    cs-view-certsso-enable-es-loadbalance=true
  5. For large-scale AD deployments it is recommended to add the registry value “ConnectToDomains”=domainname.com under:
    HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service

    ConnectToDomain
  6. On the template used for TrueSSO, make sure you have selected the check box “Do not store certificate and request in the CA database”, and run the following command on the CA server (without quotes):
    “certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS”

    TrueSSO Template Properties
  7. To support smart card logon, the Domain Controller or Kerberos Authentication certificate must meet the following requirements:
    • Template name should be Domain Controller or Kerberos Authentication Certificate
      Kerberos Template Properties
    • DNS Name should be selected under Subject Name
      Subject Name Properties
    • Key Usage extension should be “Digital Signature” and “Key Encipherment”
      Key Usage Extension
  8. Make sure the CA issuing Domain Controller certificates meets the following requirements (use GPOs to deploy the below):
    • Add the Root Certificate to the Enterprise NTAuth store
    • Add the Root Certificate to Trusted Root Certification Authorities
    • Add the Intermediate Certificate to Intermediate Certification Authorities
  9. Use the True SSO Diagnostic Utility Fling to troubleshoot the Enrollment Server, Active Directory PKI settings and the Enterprise CA
  10. On the Domain Controllers, under the registry location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates
    a key with the “Issuing CA Certificate” thumbprint needs to exist on all domain controllers participating in TrueSSO. Ideally, if steps 7 and 8 are done correctly, you should not run into this problem. (In our case we had to open a Microsoft case to get this resolved, as we were receiving KDC errors.)

My colleague Tarique Chowdhury has written three awesome blog posts on the TrueSSO feature; make sure to check them out:

Introduction https://blogs.vmware.com/euc/2016/03/true-sso-single-sign-on-view-identity-manager-authenticate.html

Advanced https://blogs.vmware.com/euc/2017/02/horizon-7-sso-advanced-features.html

Setting up in Lab https://blogs.vmware.com/euc/2016/04/true-sso-setting-up-in-a-lab.html

I hope you find this post useful during your Horizon TrueSSO deployment.

Thanks,
Aresh Sarkari

Vulnerability Scanner for WannaCry and NotPetya – VDI environments

31 Jul

With many enterprises in the middle of dealing with the WannaCry and NotPetya vulnerability: if you are running an enterprise VDI environment, the fix is pretty simple. Just target your master VM or golden master images and run Windows Update. Once you have updated the image, simply Recompose or Push-Image the desktop pools with the latest updates. Your environment is quickly secured! These vulnerabilities reiterate the importance of regular patching in production environments, for your core infrastructure as well as your master images.

WannaCry Patch for All Windows versions https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Vulnerability Scanner

A quick and easy way to scan your environment is using a free EternalBlue vulnerability scanner. – http://omerez.com/eternalblues/


Simply download the scanner and launch it on a Windows 7/8.1/10 VM of your choice.

IP Range:
By default the tool selects the /24 subnet. If you have a bigger subnet, such as a /19, simply enter the start and end of the entire subnet range. In this example it's 192.168.0.0/19, which scans 8190 IP addresses.


I hope you scan your environment ASAP and get rid of the vulnerability ASAP!

Thanks,
Aresh

Missing default Windows ADMX Templates after importing VMware UEM ADMX files

5 Jul

In VMware User Environment Manager 9.0 (UEM), after you have copied the VMware UEM Manager GPO templates (.ADMX and .ADML) to the central store for Group Policy administrative templates on a domain controller, you cannot see the default Windows ADMX templates such as System, Network, Control Panel etc.

Issue
After copying the UEM GPO templates to \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions, you cannot see “System” under Computer Configuration – Policies – Administrative Templates.

What is the Central Store on a domain controller?
It's a location to centrally store the .ADMX and .ADML files in a domain environment. The paths are as follows:

.ADMX – \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions
.ADML – \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions\en-US

MS Reference KB – https://support.microsoft.com/en-in/kb/3087759

Where are the default Group Policy administrative templates stored?
When the central store is not enabled, the .ADMX and .ADML files are stored at the default location on a domain controller. The paths are as follows:

.ADMX – C:\Windows\PolicyDefinitions
.ADML – C:\Windows\PolicyDefinitions\en-US

Solution
If you cannot see the Windows default templates after enabling the central store, you will have to manually copy all the ADMX and ADML files from the Windows default location to the central store on a domain controller.

Copy all the .ADMX/.ADML files from Default to Central Store:

Particulars   Source                               Destination
.ADMX         C:\Windows\PolicyDefinitions         \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions
.ADML         C:\Windows\PolicyDefinitions\en-US   \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions\en-US
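The copy in the table above, as an added PowerShell example (not VMware's or Microsoft's code): it copies only the files missing from the central store, so the UEM templates you already placed there are not overwritten, and then checks that System.admx is present. The domain FQDN is a placeholder, and only en-US ADML files are handled, as in the table.

```powershell
# Added example, not from the original post. Copies the default ADMX/ADML files
# from C:\Windows\PolicyDefinitions to the SYSVOL central store without touching
# files that already exist there (such as the VMware UEM templates).
param(
    [string] $DomainFqdn = 'corp.example.com',   # placeholder; use your domain FQDN
    [switch] $Overwrite                          # set to replace existing files too
)

$source = Join-Path $env:SystemRoot 'PolicyDefinitions'
$store  = "\\$DomainFqdn\SYSVOL\$DomainFqdn\policies\PolicyDefinitions"

function Copy-MissingTemplates {
    param([string] $From, [string] $To, [string] $Filter, [switch] $Force)
    if (-not (Test-Path -LiteralPath $To)) {
        New-Item -ItemType Directory -Path $To | Out-Null
    }
    $copied = @(); $skipped = @()
    foreach ($file in Get-ChildItem -LiteralPath $From -Filter $Filter -File) {
        $dest = Join-Path $To $file.Name
        if ((Test-Path -LiteralPath $dest) -and -not $Force) {
            $skipped += $file.Name      # already in the central store: leave it alone
            continue
        }
        Copy-Item -LiteralPath $file.FullName -Destination $dest -Force
        $copied += $file.Name
    }
    [pscustomobject]@{
        Filter      = $Filter
        Destination = $To
        Copied      = $copied.Count
        Skipped     = $skipped.Count
    }
}

# .ADMX into the root of the store, .ADML into the en-US language folder (as in the table).
Copy-MissingTemplates -From $source -To $store -Filter '*.admx' -Force:$Overwrite
Copy-MissingTemplates -From (Join-Path $source 'en-US') -To (Join-Path $store 'en-US') `
    -Filter '*.adml' -Force:$Overwrite

# Quick check for the template the post says goes missing.
if (Test-Path -LiteralPath (Join-Path $store 'System.admx')) {
    'System.admx is now present in the central store.'
} else {
    Write-Warning 'System.admx is still missing from the central store.'
}
```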

I hope the above steps help you get your default Windows ADMX templates back and complete the remaining VMware UEM 9.0 server configuration.

Thanks,
Aresh

Monitoring Horizon View Connection Server LDAP Replication

29 Feb

If you wish to monitor the LDAP replication traffic between the Horizon View Connection Servers (CS) in your environment, simply run the following command against each replicating CS individually. Note: run the command on a CS, or make sure Windows Remoting is enabled to execute it from a remote machine.
CON1:

repadmin /showrepl con1.example.com:389 /errorsonly

(Screenshot: repadmin output)
If you get the above response, inbound/outbound replication is successful on this CS.

Suppose you have 4 CS in your environment and want to monitor replication across all of them. One could schedule a task to check replication between the CS every 4 hours and send the report to the monitoring team concerned for further action. In my case I am running the command from a remote machine which has SMTP enabled to send emails.


CON1 – CON4:

Type the following in Notepad and save it as a batch file named ‘replication.cmd’:

repadmin /showrepl con1.example.com:389 /errorsonly
repadmin /showrepl con2.example.com:389 /errorsonly
repadmin /showrepl con3.example.com:389 /errorsonly
repadmin /showrepl con4.example.com:389 /errorsonly

How to check outbound partners of a Connection Server
If you want to see the outbound replication partners of a CS, run the following command on each server (by default only inbound is shown):

repadmin /showrepl con1.example.com:389 /repsto


How to check replication status with Cloud Pod Architecture enabled
The only difference when testing CS replication with CPA is the port number; run the following command:

repadmin /showrepl con1.example.com:22389
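As an added example (not the post's own replication.cmd), here is a PowerShell equivalent that runs the /errorsonly check against every Connection Server, optionally on the CPA port 22389 and with the /repsto outbound check, and mails a report only when a server is flagged. The SMTP host, sender and recipient are placeholders, and the error-matching heuristic is my assumption, since the post shows repadmin's healthy output only as a screenshot.

```powershell
# Added example, not the post's replication.cmd: checks LDAP replication on each
# Connection Server with repadmin /showrepl /errorsonly and mails a report if any
# server reports a problem. Requires repadmin.exe (RSAT) on the machine running it.
param(
    [string[]] $ConnectionServer = @('con1.example.com', 'con2.example.com',
                                     'con3.example.com', 'con4.example.com'),
    [int]    $Port = 389,                       # use 22389 for Cloud Pod Architecture
    [string] $SmtpServer = 'smtp.example.com',  # placeholder
    [string] $From = 'horizon-monitor@example.com',
    [string] $To = 'euc-ops@example.com',
    [switch] $IncludeOutbound                   # also run /repsto, as the post describes
)

function Test-CsReplication {
    param([string] $Server, [int] $Port, [switch] $Outbound)
    $target = '{0}:{1}' -f $Server, $Port
    $flag   = if ($Outbound) { '/repsto' } else { '/errorsonly' }
    $output = (& repadmin.exe /showrepl $target $flag 2>&1) -join "`n"
    $rc     = $LASTEXITCODE
    # Assumed heuristic: a non-zero exit code or a failure/error line means the link is unhealthy.
    $bad = ($rc -ne 0) -or ($output -match '(?i)\b(failed|error)\b|0x[0-9a-f]{4,8}')
    [pscustomobject]@{
        Server   = $Server
        Target   = $target
        Check    = $flag
        Healthy  = -not $bad
        ExitCode = $rc
        Output   = $output
    }
}

$results = foreach ($cs in $ConnectionServer) {
    Test-CsReplication -Server $cs -Port $Port
    if ($IncludeOutbound) { Test-CsReplication -Server $cs -Port $Port -Outbound }
}

$failed = @($results | Where-Object { -not $_.Healthy })
$results | Format-Table Server, Check, Healthy, ExitCode -AutoSize

if ($failed.Count -gt 0) {
    # Only the raw repadmin text for unhealthy servers goes into the mail, for human review.
    $body = ($failed | ForEach-Object {
        "== {0} ({1}) rc={2}`n{3}" -f $_.Target, $_.Check, $_.ExitCode, $_.Output
    }) -join "`n`n"
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject ("Horizon CS LDAP replication: {0} check(s) failed" -f $failed.Count) -Body $body
}
```

Schedule the script with Task Scheduler every 4 hours, as the post suggests, passing -Port 22389 for a CPA federation.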


This was a quick way to monitor the LDAP replication between CS!

Thanks,
Aresh

How to activate Windows Server 2008 R2 Enterprise without Internet Connection

25 Jun

Recently I faced a situation in which I had to activate Windows Server 2008 R2 Enterprise on a server that had no internet connection. Back in the days of Windows 2003 there was a Phone Activation option in the wizard; from Windows 2008 onwards that option no longer exists.

Here are the steps to quickly activate Windows Server 2008 onwards over the phone using the following command line parameters:

  • Start –> Run –> Command Prompt, right click and “Run as administrator”
  • Type the following command to retrieve the Installation ID: slmgr.vbs /dti (a pop-up window appears with a long string of digits)
  • Call the Microsoft activation center for your location from the Microsoft Activation Centers link
    • I used the India numbers 1800 11 11 00 or 1800 102 1100
  • Provide the Installation ID to the customer care representative and they will give you a Confirmation Number (a long string of numbers)
  • Type slmgr.vbs /atp <Confirmation Number> (without the angle brackets) at the command prompt and you will receive a pop-up that Windows has been activated successfully
  • To confirm the activation, type the following command: slmgr.vbs /dli

Go to Server Manager and you will see Windows Server 2008 R2 activated.

If you find this post useful, please provide your comment down below

Best Regards,
Aresh

Insight into Windows Remote Desktop Services 2012

5 Nov

I managed to install and test Windows Remote Desktop Services (RDS) 2012 and would like to share my experiences with the community. If you are looking for step-by-step installation, please check the RDS TechNet Lab Guides in this blog. I'm only covering new features, functionality and things I learnt.

RDS Installation

  • With the new Server Manager, installation of Roles & Features has been greatly simplified. Sitting on one server, we could install all the RDS roles such as Connection Broker (CB), Licensing Server, Web Access (WA) and Session Host from one console onto all the servers/VMs in the environment.
  • All the pre-requisites (IIS, .NET) are installed automatically by the Roles & Features wizard.
  • There are two explicit options in the new RDS wizard – “Session Virtualization” and “Virtual Desktop Infrastructure”. See more details below.

Session Virtualization

  • After you have installed all the roles (RDS Licensing, RDS Session Host and RDS Web Access), you can see the complete deployment/server overview of the RDS farm in picture form.
RDS Deployment Overview
  • In just one step you can configure the RD Session Host by clicking “Create a RD Session Collection”. A collection is simply the wizard in which you specify the users, applications, profile and servers participating in hosting the application.
  • There is a very interesting feature in this wizard, “User Profile Disks”, which lets you store the end-user profile and a selection of folders on a centralized file server that can be either clustered or DFS (Distributed File System).
User Profile Disks

Virtual Desktop Infrastructure (VDI)

  • A new addition in RDS 2012 lets you have two types of desktop: “Pooled Desktop 1xMany” and “Dedicated Desktop 1×1”.
  • For pooled desktops, Microsoft uses its own snapshotting technology, much like Citrix MCS (Machine Creation Services). There is no dependency on SCVMM; the RD Connection Broker does everything for you.
  • NOTE: My lab activities stalled because a dedicated Hyper-V server (RD Virtualization Host) is required, which must be part of the same domain as the other RD components (CB, WA & Licensing). I will perform this test later and share my learning with everyone.

My Verdict

RDS 2012 is a superb out-of-the-box product that comes at no extra cost beyond the server infrastructure cost involved in setting up the environment. The much awaited and talked-about integration of “User Profile Disk”, “VDI” and “Single Management Console” has brought the product on par with other market vendors such as Citrix XenApp/XenDesktop, VMware ThinApp/View, Ericom etc. I am not equipped to test the product's over-the-WAN capabilities, though. The flip side that I see today with RDS 2012 is its functionality on non-Windows devices and environments such as iOS, Android, BlackBerry and open source. I doubt Microsoft will make a client like Receiver/View for non-Windows platforms.

Business Case
The perfect business case is application hosting + VDI for a complete Windows platform involving Windows Phone 8, Windows 8 tablets and Windows 8/7 PCs. I would strongly recommend RDS 2012, as it is outstanding at no additional cost.

If you like this post please leave your comments below.

Best Regards,
Aresh Sarkari

Latest Citrix Remote PC feature with XenDesktop 5.6 FP1 – Remote PC vs RDP

4 Oct

With the recent launch of XenDesktop 5.6 Feature Pack (FP) 1, Citrix released a great feature known as Remote PC. The Remote PC feature allows end-users to access their laptops/desktops from any device (tablets, mobile phones or even other remote laptops and desktops) and from anywhere (in the office, at home or on the road). Citrix launched this feature for enterprises that are not yet ready to move to VDI; this solution lets end-users continue using their desktop/laptop devices. The device that will be accessing the office desktop/laptop requires Citrix Receiver to be installed beforehand.

Architecture for Remote PC to work: Citrix RemotePC (XenDesktop 5.6 FP1)

Many of you would ask: what is the difference between Remote PC and traditional RDP?

RDP vs Remote PC:
  • RDP: Works well on the Microsoft platform; however, no standard or official applications are available on other platforms such as iOS, Android and BlackBerry
    Remote PC: You can access your desktop on multiple platforms such as iOS, Android and BlackBerry with a single Citrix Receiver
  • RDP: No standard apps available from Microsoft; only unpopular third-party applications are available in the app stores as alternatives
    Remote PC: Official Citrix Receiver application integration that offers a built-in virtual keyboard and ShareFile
  • RDP: No OS/application shell enhancement is available with the Microsoft RDP solution
    Remote PC: Citrix Mobility Pack enhancements make the Windows OS and applications touch- and type-friendly

Typical Use Case Scenarios:
Use Case 1: The customer has a desktop at their desk, is leaving for a meeting and wants to access the desktop from their tablet.

Solution: Simply install the Virtual Desktop Agent (VDA) on the desktop and the end-user can access it on any device from anywhere.

Benefits:

  • The enterprise doesn't have the CAPEX to invest in a full-blown VDI infrastructure. Simply enable this feature and take advantage of your existing infrastructure and investments.
  • Access to resources from mobile devices such as iPad, iPhone, Windows Phone, Windows 8 RT, Android phones and Android tablets
  • There is no resource sharing, hence no complaints from end-users about performance degradation
  • Whatever access, software and storage the end-user has remains the same when accessing from mobile devices
  • Leverage existing electronic software distribution software to deploy the VDA on desktops/laptops within the enterprise

Video of the RemotePC Installation: