Need help deploying machine catalog in XenDesktop 5.6

-Citrix XenDesktop 5.6
-Server 2008 R2
-Windows 7 Enterprise

I'm looking for just some general guidance on deploying an image catalog. My catalog more than likely needs to be dedicated since the certificate for web-based software gets installed in the trusted root (I've already tried pooled-static so let's not rehash that one).

If I deploy 100 or so users in a new deployment to XenDesktop 5.6 with Windows 7 Enterprise VMs, while using a Dedicated machine catalog, will I be able to roll out master image updates without disrupting their individual computing experience? (i.e., personally installed programs, backgrounds, settings, etc.)
Paul Wagner (Friend To Robots and Rocks) Asked:

Coralon Commented:
I don't think you'll have a lot of choice, short of a pooled-static, and you said you didn't have any luck with that.  :-\

In my opinion, your only real option at that point is just to create standalone VMs, put the VDA on there, if you want to run the option from the VDI.

For a slight rehash, one possibility, (and it's a long shot), would be to assign your VDI's (again, basically a pooled-static) with either MCS or PVS.. *but*, you would basically set up a login/logout powershell script to automatically copy the cert in and out of the machine as they login/logout.  But.. just an idea.. :-)

Beyond that, I'm out of ideas.  :-\

Good luck!

Ayman Bakr (Senior Consultant) Commented:
If you are talking about MCS, you can't update the dedicated machines by updating the master image. This is only true with pooled machines!!

See this article to understand it better:
Dedicated machines are basically like taking your physical desktops and simply virtualizing them.  They are still individual read/write machines.  There is no master image to update.

I would see if there was a way to use pooled-random perhaps importing the certificate at logon if necessary or go with pooled-static using personal vDisks.  At least then you could maintain a golden image.

You've got multiple possibilities here.

1st thing I would check is where the certificate *really* gets stored, and I would test moving it to the personal store. If you can get that working, then the cert becomes part of the profile, and you can use whatever you want.

But, as far as dedicated machines, you need to think about your long term management.
If they are truly dedicated, you don't have a good way to safely update them (in a single image update) once they have been brought up.   You have to treat them as individual machines, including all the work to manage them.  

If you use MCS to create the machines, then again, they are still dedicated and have to be managed individually, but they are read/write.  The major downside is that once they have been brought up, they are effectively fixed in place on your storage - you cannot migrate them, because they are linked clones.

But, one strong possibility for you would be to use Personal virtual Disks.  When you combine this with either MCS pooled or PVS pooled, it will likely accomplish what you want.  With the pooled images, you can update them from a single master, etc.  But, the key to the PvD is that it is an extra disk attached to each VM.  That extra disk can store the profile, and any user installed apps directly.  So, you can keep all the individuality, but still update the master disk image in 1 swoop for your catalog.  
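An added example, not part of the original thread, for the "check where the certificate really gets stored" step: snapshot every certificate store before the vendor's installer runs, then list what is new afterwards and which store it landed in. The function name `Get-CertSnapshot` is hypothetical; the script uses only the built-in `Cert:` drive and assumes it is run on a test VM in the session of the user who performs the install.

```powershell
# Added example (hypothetical helper): find out which store an installer writes to.
function Get-CertSnapshot {
    # Walk CurrentUser and LocalMachine; store nodes are containers, certificates are not.
    Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                # PSParentPath looks like "...Certificate::LocalMachine\Root"
                Store         = $_.PSParentPath -replace '^.*::', ''
                Thumbprint    = $_.Thumbprint
                Subject       = $_.Subject
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
            }
        }
}

$before = Get-CertSnapshot
Read-Host 'Install the vendor certificate now, then press Enter' | Out-Null
$after = Get-CertSnapshot

# Key on store + thumbprint so a certificate copied into a second store is still reported.
$seen = @{}
foreach ($c in $before) { $seen["$($c.Store)|$($c.Thumbprint)"] = $true }

$new = @($after | Where-Object { -not $seen.ContainsKey("$($_.Store)|$($_.Thumbprint)") })

if ($new.Count -eq 0) {
    Write-Output 'No new certificates found in any store.'
} else {
    $new | Select-Object Store, Subject, Thumbprint, HasPrivateKey, NotAfter | Format-List
}
```

Entries reported under `LocalMachine\...` belong to the machine, and entries under `CurrentUser\...` belong to the logged-on user, which is the distinction the image and profile design above depends on.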

Paul Wagner (Friend To Robots and Rocks) Author Commented:

Sorry for the delay.... thanksgiving and all.
Great answer!

The certificate for the web app (third party on the internet) is required to be installed in the trusted root instead of personal certs. Will the trusted root be kept in the vDisk?
It depends :-)  Since it is a Trusted Root cert, then you can put it in the Trusted Root store under the user account, or the machine account.  Since it is a root cert, then I would feel comfortable putting it in the machine store, since it's used to connect to another cert for the chain of trust.

Go into your MMC, load the certificates snap-in, and select the Computer Account. From there, you can put it in your Trusted Root store, and you should be good. You should also check if there was an intermediate certificate to go with it.  (Unless it is a cert from a vendor that is not one of the "normal" trusted root certs.  The major vendors all use intermediate certs these days.)

Paul Wagner (Friend To Robots and Rocks) Author Commented:
This vendor (CoStar) requires the cert to be put in the trusted root of the machine.

Is the solution you're describing going to hold in vDisks with pooled-random catalogs?

There is another cert that they have users install but it doesn't show you where it installs. They're VERY vague about this since I think they want to protect each machine license.
The cert will remain in the image and be part of the machine.  But, the problem is that all the machines will have that cert installed -- they will all be using the same cert.  I don't know if that is a problem for your configuration.

The user's individual certs will remain in their profile.  You should be able to locate it in the certificate snap-in for the user account.

Paul Wagner (Friend To Robots and Rocks) Author Commented:
So you're saying to put the cert in the master image that I deploy in the image pool?

Ya, that's a big problem.

Each cert is specific to a user license (but it is installed on the machine).... so if a user wants to log in to the site from another machine, they have to revoke the existing license and then get a new one issued to them.

That is why pooled-random/static seems like such a headache, but I don't want to issue dedicated VMs to 200 people. I might as well just give them all fat clients at that point.

Any ideas?
Paul Wagner (Friend To Robots and Rocks) Author Commented:
.... hmmmm..... I like the idea but it sounds like I'd be taking the cleanliness of XD and throwing it out the window with powershell scripts and all.

There is an option in using key fobs instead of machine certificates but it's $170/person. I think I'll end up having to do that (but it's expensive).

I talked to someone else about vDisk and they think that it DOES keep machine certificates, so I'll set up a test pooled-random catalog to see if it works.

Thanks for the input Coralon. Since your advice has helped in molding my decision, I'll give you the solution points.
Glad I could at least steer you in the right direction :-)

Question has a verified solution.
