Link to home
Start Free TrialLog in
Avatar of coeurdcom

asked on

Moving Citrix XenApp server out of SBS Active Directory OU causes problems

We have a Citrix XenApp 5 Server running on Server 2008 in a Small Business Server 2008 domain. When I initially configured the server and installed XenApp, I did not realize that the server had been placed in the SBSComputers OU in Active Directory. Now that it is fully in production I want to move it into it's own OU so I can tweak the GP's. However, every time I move the XenApp server out of the OU and do a gpupdate, it causes multiple different issues dealing with connectivity to applications and authentication/logging in. If I move the server back into the SBSComputers OU and perform a gpupdate, all is well again.

I am certain it is GP related, but SBS 2008 has so many GP's applied to it I can't find the one that is causing issues. I have tried enabling loopback processing but this doesn't fix it.

Any ideas?


Avatar of Irwin W.
Irwin W.
Flag of Canada image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of coeurdcom


I think this is my next step, it's just difficult because it's all in production and it is very disruptive to the end users.

What is odd is that I when I do a gpresult, it appears all of the previous GP's are being applied, as well as the new one (which is simply disabling the screensaver). Even using the Merge setting on the loopback policy it still drops connections, etc. I will see if I can get the errors posted that I am getting.


if the errors are easily recreatable  u could put only one server to the new ou and work with it. or put any standby server in the farm disable the user logon to the standby server, move it to new ou and test.
We only have one server in the farm, it's a really small deployment. I will be working on this tomorrow during some scheduled downtime and will post some of the errors I encounter, and hopefully post what I do to get it fixed!
OK, so I moved all of the GP's that the server was saying it was applying based on the gpresult output into the OU I created for the XenApp server. I moved the XenApp server to this OU, and then connected to it via remote desktop. I opened a command prompt, ran gpupdate /force, and was immediately kicked out. I am unable to connect via RDP, and also can log into the XenApp web interface but cannot open a published application. It gives me the error:

"Cannot connect to the Citrix XenApp server. SSL Error 29: The proxy denied access to <alphanumeric string> port 1494"

So, I am thinking that a firewall GP got activated and kicked me out. Still working on removing the GP's that seem relevant to see if this fixes it.
Yeah looks that way..

I would suggest that you remove the SBS firewall GPO and try again.

I hope you're not doing this remotely.
OK, I basically fixed it by removing all of the policies from the top of the domain and the XenApp server domain that had firewall policies defined. Even though I had the actual firewall service disabled on the server, it still somehow was blocking traffic. I had to remove the policy and re-enable the firewall then just turn it "Off" using server manager for all zones. This seems to have fixed it.

Thanks all for your input and help.
Something else you can do is to block policy inheritance on the OU with your Citrix server.