coeurdcom
 asked on

Moving Citrix XenApp server out of SBS Active Directory OU causes problems

We have a Citrix XenApp 5 Server running on Server 2008 in a Small Business Server 2008 domain. When I initially configured the server and installed XenApp, I did not realize that the server had been placed in the SBSComputers OU in Active Directory. Now that it is fully in production I want to move it into its own OU so I can tweak the GPs. However, every time I move the XenApp server out of the OU and do a gpupdate, it causes multiple different issues dealing with connectivity to applications and authentication/logging in. If I move the server back into the SBSComputers OU and perform a gpupdate, all is well again.

I am certain it is GP related, but SBS 2008 has so many GPs applied to it I can't find the one that is causing issues. I have tried enabling loopback processing but this doesn't fix it.

Any ideas?

Thanks,

Derek
CitrixSBS

Last Comment
Irwin W.

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Irwin W.

coeurdcom

ASKER
I think this is my next step, it's just difficult because it's all in production and it is very disruptive to the end users.

What is odd is that when I do a gpresult, it appears all of the previous GPs are being applied, as well as the new one (which is simply disabling the screensaver). Even using the Merge setting on the loopback policy it still drops connections, etc. I will see if I can get the errors posted that I am getting.

Thanks!

Derek
arunexp

If the errors are easily recreatable, you could put only one server in the new OU and work with it. Or put any standby server in the farm, disable user logon to the standby server, move it to the new OU and test.
coeurdcom

ASKER
We only have one server in the farm, it's a really small deployment. I will be working on this tomorrow during some scheduled downtime and will post some of the errors I encounter, and hopefully post what I do to get it fixed!
coeurdcom

ASKER
OK, so I moved all of the GPs that the server was saying it was applying based on the gpresult output into the OU I created for the XenApp server. I moved the XenApp server to this OU, and then connected to it via remote desktop. I opened a command prompt, ran gpupdate /force, and was immediately kicked out. I am unable to connect via RDP, and also can log into the XenApp web interface but cannot open a published application. It gives me the error:

"Cannot connect to the Citrix XenApp server. SSL Error 29: The proxy denied access to <alphanumeric string> port 1494"

So, I am thinking that a firewall GP got activated and kicked me out. Still working on removing the GPs that seem relevant to see if this fixes it.
Irwin W.

Yeah looks that way..

I would suggest that you remove the SBS firewall GPO and try again.

I hope you're not doing this remotely.
coeurdcom

ASKER
OK, I basically fixed it by removing all of the policies from the top of the domain and the XenApp server domain that had firewall policies defined. Even though I had the actual firewall service disabled on the server, it still somehow was blocking traffic. I had to remove the policy and re-enable the firewall then just turn it "Off" using server manager for all zones. This seems to have fixed it.

Thanks all for your input and help.
coeurdcom

ASKER
Thanks!
Irwin W.

Something else you can do is to block policy inheritance on the OU with your Citrix server.
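
One way to check whether the firewall settings on the server come from Group Policy or from its local configuration, which is what the fix in this thread turned on. This is an added example, not something posted by the participants; the registry paths and the MpsSvc service name are the standard Windows locations and do not appear in the thread.

```powershell
# Added diagnostic example; run in an elevated PowerShell session on the XenApp server.
# Assumption: standard Windows Firewall registry locations (not taken from the thread).
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Get-ProfileSettings($root, $source) {
    # One row per profile subkey (DomainProfile, StandardProfile, ...) found under $root.
    # Non-profile subkeys such as FirewallRules are skipped.
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '*Profile' } |
        ForEach-Object {
            $values = Get-ItemProperty -Path $_.PSPath
            New-Object PSObject -Property @{
                Source         = $source
                Profile        = $_.PSChildName
                EnableFirewall = $values.EnableFirewall   # 1 = on, 0 = off, empty = not set
            }
        }
}

# A value delivered by a GPO takes precedence over the local value for that profile,
# so any 'Group Policy' row here is the setting that actually applies.
$rows = @(Get-ProfileSettings $policyRoot 'Group Policy') +
        @(Get-ProfileSettings $localRoot  'Local')
$rows | Sort-Object Profile, Source |
    Format-Table Profile, Source, EnableFirewall -AutoSize

# State and start mode of the Windows Firewall service.
Get-WmiObject Win32_Service -Filter "Name='MpsSvc'" |
    Format-Table Name, State, StartMode -AutoSize

# Per-profile state as the firewall itself reports it
# (returns an error instead if the service is not running).
netsh advfirewall show allprofiles state

# GPOs applied to the computer, to match against the 'Group Policy' rows above.
gpresult /scope computer /r
```

Running it before and after the OU move, each time following a gpupdate, shows which profile rows switch to a Group Policy source.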