Solved

Need help deploying machine catalog in XenDesktop 5.6

Posted on 2013-11-26
Last Modified: 2013-12-06
Environment:
-Citrix XenDesktop 5.6
-Server 2008 R2
-Windows 7 Enterprise

I'm looking for just some general guidance on deploying an image catalog. My catalog more than likely needs to be dedicated since the certificate for web-based software gets installed in the trusted root (I've already tried pooled-static so let's not rehash that one).

Question:
If I deploy 100 or so users in a new deployment to XenDesktop 5.6 with Windows 7 Enterprise VMs, while using a Dedicated machine catalog, will I be able to roll out master image updates without disrupting their individual computing experience? (i.e., personally installed programs, backgrounds, settings, etc.)
0
Question by:Paul Wagner
11 Comments
 
LVL 23

Expert Comment

by:Ayman Bakr
ID: 39680646
If you are talking about MCS, you can't update the dedicated machines by updating the master image. This is only true with pooled machines!!

See this article to understand it better:
http://infrastructureadventures.com/2011/05/18/understanding-citrix-xendesktop-machine-creation-services/
0
 
LVL 14

Expert Comment

by:amichaell
ID: 39680788
Dedicated machines are basically like taking your physical desktops and simply virtualizing them.  They are still individual read/write machines.  There is no master image to update.

I would see if there was a way to use pooled-random, perhaps importing the certificate at logon if necessary, or go with pooled-static using personal vDisks.  At least then you could maintain a golden image.
0
 
LVL 23

Expert Comment

by:Coralon
ID: 39682659
You've got multiple possibilities here.

1st thing I would check is where the certificate *really* gets stored, and I would test moving it to the personal store. If you can get that working, then the cert becomes part of the profile, and you can use whatever you want.

But, as far as dedicated machines, you need to think about your long term management.
If they are truly dedicated, you don't have a good way to safely update them (in a single image update) once they have been brought up.   You have to treat them as individual machines, including all the work to manage them.  

If you use MCS to create the machines, then again, they are still dedicated and have to be managed individually, but they are read/write.  The major downside is that once they have been brought up, they are effectively fixed in place on your storage - you cannot migrate them, because they are linked clones.

But, one strong possibility for you would be to use Personal virtual Disks.  When you combine this with either MCS pooled or PVS pooled, it will likely accomplish what you want.  With the pooled images, you can update them from a single master, etc.  But, the key to the PvD is that it is an extra disk attached to each VM.  That extra disk can store the profile, and any user installed apps directly.  So, you can keep all the individuality, but still update the master disk image in 1 swoop for your catalog.  

Coralon
0
 
LVL 3

Author Comment

by:Paul Wagner
ID: 39693187
@coralon

Sorry for the delay.... Thanksgiving and all.
Great answer!

The certificate for the web app (third party on the internet) is required to be installed in the trusted root instead of personal certs. Will the trusted root be kept in the vDisk?
0
 
LVL 23

Expert Comment

by:Coralon
ID: 39694444
It depends :-)  Since it is a Trusted Root cert, then you can put it in the Trusted Root store under the user account, or the machine account.  Since it is a root cert, then I would feel comfortable putting it in the machine store, since it's used to connect to another cert for the chain of trust.

Go into your MMC, load the certificates snapin, and select the Computer Account. From there, you can put it in your Trusted Root store, and you should be good. You should also check if there was an intermediate certificate to go with it.  (Unless it is a cert from a vendor that is not one of the "normal" trusted root certs.  The major vendors all use intermediate certs these days.)

Coralon
0
 
LVL 3

Author Comment

by:Paul Wagner
ID: 39694499
This vendor (CoStar) requires the cert to be put in the trusted root of the machine.

Is the solution you're describing going to hold in vDisks with pooled-random catalogs?

There is another cert that they have users install but it doesn't show you where it installs. They're VERY vague about this since I think they want to protect each machine license.
0
 
LVL 23

Expert Comment

by:Coralon
ID: 39697351
The cert will remain in the image and be part of the machine.  But, the problem is that all the machines will have that cert installed -- they will all be using the same cert.  I don't know if that is a problem for your configuration.

The user's individual certs will remain in their profile.  You should be able to locate it in the certificate snapin for the user account.

Coralon
0
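
One way to settle where an installer really puts a certificate, the open question in the posts above, as an added example that is not any poster's code: snapshot every certificate store before the install and list what is new afterwards. It uses only the `Cert:` drive, so it runs on the PowerShell 2.0 that ships with Windows 7; the baseline file path is an assumption.

```powershell
# Added example, not from the thread. Run with -Mode Snapshot before the
# vendor's installer and with -Mode Compare after it.
param(
    [ValidateSet('Snapshot', 'Compare')]
    [string]$Mode = 'Compare',
    # Assumed location for the baseline file; any writable path works.
    [string]$Baseline = "$env:TEMP\cert-baseline.csv"
)

function Get-StoreInventory {
    # Enumerate every store in both locations through the Cert: drive.
    foreach ($location in 'CurrentUser', 'LocalMachine') {
        foreach ($store in Get-ChildItem "Cert:\$location") {
            $path = "Cert:\$location\$($store.Name)"
            foreach ($cert in Get-ChildItem $path -ErrorAction SilentlyContinue) {
                New-Object PSObject -Property @{
                    Location      = $location
                    Store         = $store.Name
                    Subject       = $cert.Subject
                    Issuer        = $cert.Issuer
                    Thumbprint    = $cert.Thumbprint
                    HasPrivateKey = $cert.HasPrivateKey
                }
            }
        }
    }
}

$current = @(Get-StoreInventory)
if ($Mode -eq 'Snapshot') {
    $current | Export-Csv -Path $Baseline -NoTypeInformation
    Write-Output "Saved $($current.Count) entries to $Baseline"
    return
}
if (-not (Test-Path $Baseline)) { throw "No baseline at $Baseline; run -Mode Snapshot first." }

# Index the baseline by location, store and thumbprint.
$seen = @{}
foreach ($row in Import-Csv -Path $Baseline) {
    $seen["$($row.Location)|$($row.Store)|$($row.Thumbprint)"] = $true
}

# Anything not in the baseline was added since the snapshot.
$current |
    Where-Object { -not $seen.ContainsKey("$($_.Location)|$($_.Store)|$($_.Thumbprint)") } |
    Select-Object Location, Store, Subject, Issuer, Thumbprint, HasPrivateKey
```

Current-user stores include certificates inherited from the machine stores, so a machine-wide install shows up under both locations, while an entry listed only under CurrentUser lives in the user's profile.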
 
LVL 3

Author Comment

by:Paul Wagner
ID: 39698925
So you're saying to put the cert in the master image that I deploy in the image pool?

Ya, that's a big problem.

Each cert is specific to a user license (but it is installed on the machine).... so if a user wants to log in to the site from another machine, they have to revoke the existing license and then get a new one issued to them.

That is why pooled-random/static seems like such a headache, but I don't want to issue dedicated VMs to 200 people. I might as well just give them all fat clients at that point.

Any ideas?
0
 
LVL 23

Accepted Solution

by:
Coralon earned 500 total points
ID: 39700056
I don't think you'll have a lot of choice, short of a pooled-static, and you said you didn't have any luck with that.  :-\

In my opinion, your only real option at that point is just to create standalone VMs, put the VDA on there, if you want to run the option from the VDI.

For a slight rehash, one possibility, (and it's a long shot), would be to assign your VDI's (again, basically a pooled-static) with either MCS or PVS.. *but*, you would basically set up a login/logout PowerShell script to automatically copy the cert in and out of the machine as they login/logout.  But.. just an idea.. :-)

Beyond that, I'm out of ideas.  :-\

Good luck!

Coralon
0
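
A sketch of the login/logout script idea from the answer above, as an added example that is not Coralon's code and is untested against the vendor's licensing: it adds or removes one certificate in the machine's Trusted Root store through the .NET `X509Store` class, which is available to PowerShell 2.0 on Windows 7. The per-user `.cer` file, the recorded thumbprint and an elevated launch context are all assumptions; an ordinary user logon script runs as the user and will stop at the elevation check.

```powershell
# Added example, not from the thread. Must run elevated: writing to
# LocalMachine\Root requires administrator rights.
param(
    [Parameter(Mandatory = $true)] [ValidateSet('Install', 'Remove')] [string]$Action,
    # Hypothetical per-user export of the certificate (public part, .cer).
    [Parameter(Mandatory = $true)] [string]$CertPath,
    # Thumbprint recorded for this user when the certificate was issued.
    [Parameter(Mandatory = $true)] [string]$ExpectedThumbprint
)

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Not elevated: cannot modify the LocalMachine\Root store.'
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Refuse anything other than the certificate expected for this user, so a
# swapped file cannot add an arbitrary root to the machine.
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint)."
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    if ($Action -eq 'Install') {
        $store.Add($cert)
    }
    else {
        # Remove only the entry with this exact thumbprint.
        $found = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
        foreach ($c in $found) { $store.Remove($c) }
    }
}
finally {
    $store.Close()
}
```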
 
LVL 3

Author Comment

by:Paul Wagner
ID: 39702516
.... hmmmm..... I like the idea but it sounds like I'd be taking the cleanliness of XD and throwing it out the window with PowerShell scripts and all.

There is an option in using key fobs instead of machine certificates but it's $170/person. I think I'll end up having to do that (but it's expensive).

I talked to someone else about vDisk and they think that it DOES keep machine certificates, so I'll set up a test pooled-random catalog to see if it works.

Thanks for the input Coralon. Since your advice has helped in molding my decision, I'll give you the solution points.
0
 
LVL 23

Expert Comment

by:Coralon
ID: 39702647
Glad I could at least steer you in the right direction :-)

Coralon
0
