Solved

Need help deploying machine catalog in XenDesktop 5.6

Posted on 2013-11-26
Last Modified: 2013-12-06
Environment:
-Citrix XenDesktop 5.6
-Server 2008 R2
-Windows 7 Enterprise

I'm looking for just some general guidance on deploying an image catalog. My catalog more than likely needs to be dedicated since the certificate for web-based software gets installed in the trusted root (I've already tried pooled-static so let's not rehash that one).

Question:
If I deploy 100 or so users in a new deployment to XenDesktop 5.6 with Windows 7 Enterprise VMs, while using a Dedicated machine catalog, will I be able to roll out master image updates without disrupting their individual computing experience? (i.e., personally installed programs, backgrounds, settings, etc.)
0
Comment
Question by:Paul Wagner
11 Comments
 
LVL 23

Expert Comment

by:Ayman Bakr
ID: 39680646
If you are talking about MCS, you can't update the dedicated machines by updating the master image. This is only true with pooled machines!!

See this article to understand it better:
http://infrastructureadventures.com/2011/05/18/understanding-citrix-xendesktop-machine-creation-services/
0
 
LVL 14

Expert Comment

by:amichaell
ID: 39680788
Dedicated machines are basically like taking your physical desktops and simply virtualizing them.  They are still individual read/write machines.  There is no master image to update.

I would see if there was a way to use pooled-random perhaps importing the certificate at logon if necessary or go with pooled-static using personal vDisks.  At least then you could maintain a golden image.
0
 
LVL 24

Expert Comment

by:Coralon
ID: 39682659
You've got multiple possibilities here.

1st thing I would check is where the certificate *really* gets stored, and I would test moving it to the personal store. If you can get that working, then the cert becomes part of the profile, and you can use whatever you want.

But, as far as dedicated machines, you need to think about your long term management.
If they are truly dedicated, you don't have a good way to safely update them (in a single image update) once they have been brought up.   You have to treat them as individual machines, including all the work to manage them.  

If you use MCS to create the machines, then again, they are still dedicated and have to be managed individually, but they are read/write.  The major downside is that once they have been brought up, they are effectively fixed in place on your storage - you cannot migrate them, because they are linked clones.

But, one strong possibility for you would be to use Personal virtual Disks.  When you combine this with either MCS pooled or PVS pooled, it will likely accomplish what you want.  With the pooled images, you can update them from a single master, etc.  But, the key to the PvD is that it is an extra disk attached to each VM.  That extra disk can store the profile, and any user installed apps directly.  So, you can keep all the individuality, but still update the master disk image in 1 swoop for your catalog.  

Coralon
0
 
LVL 4

Author Comment

by:Paul Wagner
ID: 39693187
@coralon

Sorry for the delay.... Thanksgiving and all.
Great answer!

The certificate for the web app (third party on the internet) is required to be installed in the trusted root instead of personal certs. Will the trusted root be kept in the vDisk?
0
 
LVL 24

Expert Comment

by:Coralon
ID: 39694444
It depends :-)  Since it is a Trusted Root cert, then you can put it in the Trusted Root store under the user account, or the machine account.  Since it is a root cert, then I would feel comfortable putting it in the machine store, since it's used to connect to another cert for the chain of trust.

Go into your MMC, load the certificates snap-in, and select the Computer Account. From there, you can put it in your Trusted Root store, and you should be good. You should also check if there was an intermediate certificate to go with it.  (Unless it is a cert from a vendor that is not one of the "normal" trusted root certs.  The major vendors all use intermediate certs these days.)

Coralon
0
 
LVL 4

Author Comment

by:Paul Wagner
ID: 39694499
This vendor (CoStar) requires the cert to be put in the trusted root of the machine.

Is the solution you're describing going to hold in vDisks with pooled-random catalogs?

There is another cert that they have users install but it doesn't show you where it installs. They're VERY vague about this since I think they want to protect each machine license.
0
 
LVL 24

Expert Comment

by:Coralon
ID: 39697351
The cert will remain in the image and be part of the machine.  But, the problem is that all the machines will have that cert installed -- they will all be using the same cert.  I don't know if that is a problem for your configuration.

The user's individual certs will remain in their profile.  You should be able to locate it in the certificate snap-in for the user account.

Coralon
0
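
Both open questions above (where the certificate "really" gets stored, and where the second vendor certificate installs when the installer does not say) can be answered by diffing the certificate stores before and after the install. The script below is an added example, not code from the thread or from the vendor; the baseline file path is an assumption.

```powershell
# Added example (not from the thread): find which certificate store an installer writes to.
# Run once BEFORE installing the vendor certificate and once AFTER; the second run
# compares against the saved baseline. Run elevated so all LocalMachine stores are readable.
# $BaselinePath is an assumed location; change it as needed.
param(
    [string]$BaselinePath = "$env:TEMP\cert-baseline.xml"
)

function Get-CertInventory {
    # Enumerate every certificate under both the CurrentUser and LocalMachine locations.
    Get-ChildItem -Path Cert:\CurrentUser, Cert:\LocalMachine -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            # PSParentPath looks like
            # "Microsoft.PowerShell.Security\Certificate::LocalMachine\Root"
            $store = ($_.PSParentPath -split '::')[-1]
            New-Object PSObject -Property @{
                Store         = $store
                Thumbprint    = $_.Thumbprint
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
                # Store + thumbprint identifies one certificate in one store.
                Key           = "$store|$($_.Thumbprint)"
            }
        }
}

if (-not (Test-Path $BaselinePath)) {
    # First run: record what is already present.
    Get-CertInventory | Export-Clixml -Path $BaselinePath
    Write-Output "Baseline saved to $BaselinePath. Install the certificate, then run again."
}
else {
    # Second run: list only the entries that were not in the baseline.
    $before = @(Import-Clixml -Path $BaselinePath | ForEach-Object { $_.Key })
    Get-CertInventory |
        Where-Object { $before -notcontains $_.Key } |
        Select-Object Store, Subject, Issuer, Thumbprint, HasPrivateKey, NotAfter |
        Format-List
}
```

The CurrentUser view also shows certificates inherited from the matching LocalMachine store, so a certificate listed under both `CurrentUser\Root` and `LocalMachine\Root` lives in the machine store (and therefore in the image), while one listed only under `CurrentUser\...` is per-user and travels with the profile.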
 
LVL 4

Author Comment

by:Paul Wagner
ID: 39698925
So you're saying to put the cert in the master image that I deploy in the image pool?

Ya, that's a big problem.

Each cert is specific to a user license (but it is installed on the machine).... so if a user wants to log in to the site from another machine, they have to revoke the existing license and then get a new one issued to them.

That is why pooled-random/static seems like such a headache, but I don't want to issue dedicated VMs to 200 people. I might as well just give them all fat clients at that point.

Any ideas?
0
 
LVL 24

Accepted Solution

by:
Coralon earned 500 total points
ID: 39700056
I don't think you'll have a lot of choice, short of a pooled-static, and you said you didn't have any luck with that.  :-\

In my opinion, your only real option at that point is just to create standalone VMs, put the VDA on there, if you want to run the option from the VDI.

For a slight rehash, one possibility (and it's a long shot) would be to assign your VDIs (again, basically a pooled-static) with either MCS or PVS.. *but*, you would basically set up a login/logout PowerShell script to automatically copy the cert in and out of the machine as they login/logout.  But.. just an idea.. :-)

Beyond that, I'm out of ideas.  :-\

Good luck!

Coralon
0
 
LVL 4

Author Comment

by:Paul Wagner
ID: 39702516
.... hmmmm..... I like the idea but it sounds like I'd be taking the cleanliness of XD and throwing it out the window with powershell scripts and all.

There is an option in using key fobs instead of machine certificates but it's $170/person. I think I'll end up having to do that (but it's expensive).

I talked to someone else about vDisk and they think that it DOES keep machine certificates, so I'll set up a test pooled-random catalog to see if it works.

Thanks for the input Coralon. Since your advice has helped in molding my decision, I'll give you the solution points.
0
 
LVL 24

Expert Comment

by:Coralon
ID: 39702647
Glad I could at least steer you in the right direction :-)

Coralon
0


Question has a verified solution.
