Contenu connexe Similaire à Citrix Group Policy Troubleshooting for XenApp and XenDesktop (20) Plus de David McGeough (16) Citrix Group Policy Troubleshooting for XenApp and XenDesktop1. Citrix Group Policy Troubleshooting for
XenApp and XenDesktop
Rick Berry
Principal Technical Relationship Manager
Citrix Support Webinar Series, November 2014
3. Citrix Group Policy Architecture
Policy Application Terminology
Local Group Policies
• Local GPO containing Computer and User settings
Citrix FarmSite Policies
• Also known as IMA farm policies (XenApp)
• Set via AppCenterDSC (XenApp 6.x) or Studio (XenDesktopXenApp 7.x)
• Stored in the farm datastoredatabase
Active Directory Policies
• Set via Site, Domain or OU GPO’s
• Stored in Active Directory
• Allows combining of Citrix and Microsoft Policies
3 © 2014 Citrix. Confidential.
4. Citrix Group Policy Architecture
Processing and Precedence for RSOP
CDM = Enabled
4 © 2014 Citrix. Confidential.
Processing
Precedence
Setting in RSOP
CDM = Disabled
Active Directory OU GPO
Active Directory Domain GPO
Active Directory Site GPO
Citrix FarmIMA Polices
Local Policies
5. Citrix Group Policy Architecture
Citrix Group Policy Management Console
Citrix GPMC – Our connector into the Microsoft GPMC
Management of Citrix group policies via AppCenterStudio or Microsoft GPMC
Allows Citrix policy modelingcomparison
Can be installed to manage AD GPO’s (with GPMC)
Core binaries are in:
• %PROGRAMFILES% and %PROGRAMFILES(x86)%
• Under CitrixGroup PolicyManagement
5 © 2014 Citrix. Confidential.
6. Citrix Group Policy Architecture
Citrix Group Policy Client Side Extension
Also known as Citrix CSE (CitrixCseClient.dll)
Loaded via Microsoft Winlogon process
Generates policy requests (Computer or User)
Retrieves values to determine policy filter calculation
Forwards policy requests to Citrix Caching Service
Core binaries are in:
• %PROGRAMFILES% and %PROGRAMFILES(x86)%
• Under CitrixGroup PolicyClient-Side Extension
6 © 2014 Citrix. Confidential.
7. Citrix Group Policy Architecture
Citrix Group Policy Caching Service
Citrix Group Policy Engine service (CitrixCseEngine), part of Citrix CSE
Performs the Citrix policy calculation and writes settings to the registry
Caches Group Policy files between calculations
GPO (ADFarm) Local Cache:
• %PROGRAMDATA%CitrixCseCache
Also caches per-computer and per-user data files
7 © 2014 Citrix. Confidential.
8. Citrix Group Policy Architecture
Data Files - Resultant Set of Policy (RSOP)
Per-Computer and Per-User resultant Citrix policy settings end up in RSOP.gpf
These binary files are cached in:
• Per-Computer → %PROGRAMDATA%CitrixCseCache
• Per-User → %PROGRAMDATA%CitrixCseCache<SessionID>
Files are used to create policy registry settings under:
• Per-Computer → HKLMSoftwarePoliciesCitrix
• Per-User → HKLMSoftwarePoliciesCitrix<SessionID>User
8 © 2014 Citrix. Confidential.
9. Citrix Group Policy Architecture
Data Files – Rollback
We needed a way to remove RSOP settings
Mechanism creates a Rollback.gpf file
Contains instructions to remove existing RSOP settings
These binary files are cached in:
• Per-Computer → %PROGRAMDATA%CitrixCseCache
• Per-User → %PROGRAMDATA%CitrixCseCache<SessionID>
9 © 2014 Citrix. Confidential.
10. Citrix Group Policy Architecture
Citrix Policy Filters
Allows granular control of Citrix policies
Filters policy settings based on certain criteria
Different options based on the policy category
Can’t be applied to the default Unfiltered policy
10 © 2014 Citrix. Confidential.
12. Policy Filters
User Policies
Additional filter types
For User Policies
12 © 2014 Citrix. Confidential.
13. Citrix Group Policy Architecture
Unfiltered Policy and Templates
There’s a default Unfiltered policy (contains no settings)
Unfiltered policy settings apply to all objects
Can be disabled if not needed (set to lowest priority)
There are pre-configured policy Templates in place
Templates grouped by end user connectivity (WAN, LAN)
Policies created can be saved as templates
Should be exported to complete the backup process
13 © 2014 Citrix. Confidential.
14. Policy Management
XenApp 6.x - XenDesktop 5.x
Separate
Computer and User
Policy Nodes
14 © 2014 Citrix. Confidential.
16. Citrix Group Policy Architecture
Citrix Policy Update Intervals
For Citrix farm policies setup via AppCenterStudio:
• Citrix policies for Computer and Users (logged in) refresh every 90 minutes
For Citrix Policies set via AD GPO:
• Leverages AD refresh interval (default is 90 minutes plus a random offset of 0-30 minutes)
• AD refresh interval can also be set via AD GPO
For either method:
• Computer Policies update at machine startup
• User Policies will also be updated during a reconnect to an active or disconnected session
• Policies can be updated manually by running: gpupdate /force
16 © 2014 Citrix. Confidential.
17. User Policy Application (Similar for Computer)
17 © 2014 Citrix. Confidential.
WinLogon
Client Side
Extensions
Microsoft
CSE
Citrix CSE
Local
GPO
AD
GPO
Resultant
Policy
RSOP.GPF
Local
server
Registry
Farm or
Studio
GPO
Citrix CSE
HKLMSoftwarePolicesCitrix (Computer)
-or-
HKLMSoftwarePolicesCitrix<SessionID>User
18. Policy Application Details
Load existing
Rollback.gpf
Rollback.gpf
18 © 2014 Citrix. Confidential.
Registry
%PROGRAMDATA%CitrixGroupPolicy (Computer)
-or-
%PROGRAMDATA%CitrixGroupPolicy<SessionID> (User)
Apply
RSOP
RSOP.gpf
Delete
Cached
GPF files
RSOP.gpf
Rollback.gpf
Registry
Cache
new files
RSOP.gpf
Set time in
LastUpdate
Under Events
Registry Area
Rollback.gpf
21. Recommended Practices
Architecture
While supported, using both AD and FarmStudio
Citrix policies may cause confusion when
troubleshooting issues
• Try to use one type or the other depending upon requirements
Using WMI filters on AD GPO’s containing Citrix
policies may cause issues during reconnects (due to
WMIAD timeouts)
• Use WMI filters sparingly
• Possible mitigation: using DisableGPCalculation setting
21 © 2014 Citrix. Confidential.
22. Recommended Practices
Document Policies
For Farm (AppCenterStudio) applied policies:
• Written documentspreadsheet (Scout can provide as well)
For Active Directory applied policies:
• Use the GPMC Save Report option on your AD GPO
For either of the above:
• CtxCseUtil – RSOP reporting tool
• Export using Citrix Group Policy PowerShell module
22 © 2014 Citrix. Confidential.
23. Recommended Practices
What Not To Do!
To prevent Citrix Group Policy consistency issues,
don’t manually manipulateremove any of the Citrix
Group Policy data files on your own
This includes filesfolders or reg entries under:
• %PROGRAMDATA%CitrixGroupPolicy<SessionID>
• %PROGRAMDATA%CitrixGroupPolicy
• HKLMSoftwarePoliciesCitrix<SessionID>
• HKLMSoftwarePoliciesCitrix
Might be needed for certain fixes (LA5051)
23 © 2014 Citrix. Confidential.
25. Troubleshooting Citrix Group Policy
Recommended Approach
Know your BaselineCollect the Details
Determine Versions
Policy Cache
GPF Files
RSOP Registry Settings
Connection Information
Data Collection Tools
25 © 2014 Citrix. Confidential.
26. Troubleshooting Citrix Group Policy
Baseline and Collect Details – The Four W’s
Make sure you can answer the following:
Who is seeing the issue?
What issue are they seeing?
26 © 2014 Citrix. Confidential.
Tokyo
Chicago
Miami
27. Troubleshooting Citrix Group Policy
Baseline and Collect Details – The Four W’s
Make sure you can answer the following:
Who is seeing the issue?
What issue are they seeing?
When are they seeing the issue?
Where are they seeing the issue?
27 © 2014 Citrix. Confidential.
New Session?
Reconnecting?
Smooth Roaming?
All of the Above?
29. Troubleshooting Citrix Group Policy
Determine CSE Version
Look in the component directory
Check CitrixCseEngine.exe
29 © 2014 Citrix. Confidential.
31. Product Versions - Reference
XenApp 6.x and XenDesktop 5.x – Baseline (Updated)
31 © 2014 Citrix. Confidential.
Version Citrix GPMC Citrix CSE
XenApp 6.0 1.0 1.0
XenApp 6.5 &
XenDesktop 5.6
1.5 (1.7) 1.5 (1.7)
32. Product Versions - Reference
XenApp and XenDesktop 7.x – Baseline
32 © 2014 Citrix. Confidential.
Version Citrix GPMC Citrix CSE
7.1 2.1 2.1
7.5 2.2 2.1
7.6 2.4 2.4
33. Policy Cache
Active Directory Policies
33 © 2014 Citrix. Confidential.
The 0 here denotes User policy settings
Seeing {GUID} in the filename = AD GPO
The 1 here denotes a Computer policy
34. Policy Cache
Active Directory Policies We have a match!!
34 © 2014 Citrix. Confidential.
We have a match!!
36. GPF files
36 © 2014 Citrix. Confidential.
SessionID = 2
Per-Computer files
Per-User files
41. Troubleshooting Tools - CtxCseUtil
Citrix RSOP Report Tool
Creates resultant set of policies report containing user settings, computer or both
Can be run locally or remotely against a server or VDA
Converts RSOP.gpf to HTML report
End user has to have logged in at some point
End user doesn’t have to be actively logged in
41 © 2014 Citrix. Confidential.
42. Troubleshooting Tools - CtxCseUtil
Common Errors
Typical error when first run…
42 © 2014 Citrix. Confidential.
Solution: Run WinRm QuickConfig
43. Troubleshooting Tools - CtxCseUtil
CtxCseUtil - Common Errors
Help Message.docx
Possible using Local Administrator Account?
43 © 2014 Citrix. Confidential.
44. Troubleshooting Tools - CtxCseUtil
Resultant Report - CitrixRsopResult.html
Once run, resultant report is: CitrixRsopResult.html
44 © 2014 Citrix. Confidential.
45. Citrix Group Policy PowerShell Module
Citrix.GroupPolicy.Commands.psm1
Module containing cmdlets for Citrix Policies
• Local, Farm or Active Directory
Needs to be imported via PowerShell prompt
Contains cmdlets to:
• Set or Get Citrix policy settings
• Export or Import Citrix policy objects
Policy Details ImportedExported:
• Policy Settings
• Configuration Details
• Filters
45 © 2014 Citrix. Confidential.
46. Citrix Group Policy PowerShell Module
Exporting Farm Policies
GET-COMMAND output
46 © 2014 Citrix. Confidential.
47. Citrix Group Policy PowerShell Module
Exporting Farm Policies
Export the policies
Once completed, these are your files
47 © 2014 Citrix. Confidential.
48. Citrix Group Policy PowerShell Module
Exporting Citrix Policies from Active Directory
Use the same PowerShell Module and cmdlets
Connect to Active Directory GPO via New-PSDrive cmdlet
See CTX140039 for the details
48 © 2014 Citrix. Confidential.
50. FarmStudio Policy Issue
Farm policies stored in a single object
Likely related to corrupt policy
Error seen when accessing policies
Don’t restore datastoredatabase
Contact Citrix Technical Support
Maintain an updated policy export!!
50 © 2014 Citrix. Confidential.
51. WMI Related Issues
Reconnect Issues
If using WMI Filters on AD GPO’s, might see reconnect issues
• Citrix policies not applying for reconnected sessions
• LoginsReconnects taking long time to occur (does the issue resolve itself after some time?)
Enable Microsoft Group Policy logging:
• HKLMSOFTWAREMicrosoftWindows NTCurrentVersionDiagnostics
"GPSvcDebugLevel"=dword:00030002
Log file will be in:
• %WINDIR%debugusermodegpsvc.log
• If you see FilterCheck: Evaluate returned error. hr=0x80041069, AD is timing out on WMI call
Look in Event Viewer as well for WMI errors
51 © 2014 Citrix. Confidential.
52. Takeaways
Architecture and files related to Citrix Group Policy
How Citrix policies apply during user login (computer too)
Recommended practices
Troubleshooting methods and tools
Documenting and backing up your policies is important!!
52 © 2014 Citrix. Confidential.
54. Resources
Citrix Documentation Links
Citrix Product Documentation Site (eDocs)
Manage Citrix Policies (XenDesktopXenApp 7.5)
Working with Citrix Policies (XenApp 6.5)
Policy Settings Reference (XenApp 6.5)
54 © 2014 Citrix. Confidential.
55. Resources
CTX140268 - Citrix policy settings not being displayed properly in newer Citrix
Group Policy Management Console
CTX127611 - How Citrix IMA Policies fit in to Microsoft GPO Processing and
Precedence Model
CTX138537 – HRP02 for Citrix XenApp 6.5 (for DisableGPCalculation setting)
CTX130116 - Case Study: Unable to Apply Citrix Policies because of 0kb gpf Files
CTX134081 - Planning Guide - Citrix XenApp and XenDesktop Policies
55 © 2014 Citrix. Confidential.
56. Resources
Group Policy Tools
CTX140267 - Updated Citrix Group Policy PowerShell Module
CTX138533 - Citrix Policy Reporter - RSOP CtxCseUtil Tool
CTX140039 - How to Import and Export Policies in XenApp 6.x
CTX111961 – CDFControl
CTX130147 – Citrix Scout
MS TechNet – Group Policy Cmdlets for PowerShell
MS TechNet Blog – Enabling Group Policy Logging using RSAT
56 © 2014 Citrix. Confidential.
59. Simplify your journey, let us guide you.
Accelerate your implementation and minimize risk by taking advantage of Citrix
Consulting. You’ll get the expertise of certified Citrix Consulting Architects to
successfully deploy Citrix solutions in any phase of your project.
53% of customers have seen a
return on investment with Citrix
Consulting in 6 months or less.
Visit bit.ly/CTXConsulting to learn more about our proven methodology.
59 © 2014 Citrix. Confidential.
60. Build your Citrix skills in your personal virtual sandbox
Play in your own Virtual Sandbox with Learning Labs from Citrix Education. With
your purchase, you’ll receive your own dedicated server with access to the seven
most popular Learning Labs from Synergy. Featured labs include:
• NetScaler, the Enterprise Security Swiss Army Knife
• Front-Ending and Load Balancing XenDesktop and XenApp with NetScaler
• Enhancing Visibility of Applications with NetScaler Insight Center
http://training.citrix.com/cms/education/promotions/learninglabs/
60 © 2014 Citrix. Confidential.
61. Get access to Synergy 2014 Learn Labs for FREE
Offer: Buy a qualifying Citrix Training Pass and
receive 30 days of free access to the most
popular Learning Labs from Synergy 2014.
61 © 2014 Citrix. Confidential.
Purchase now
62. New Citrix Practice Exams
Accelerate Your Path to Certification
Available on training.citrix.com ($39 each):
CPE-350 – Citrix NetScaler 10 Essentials and
Networking Practice Exam
CPE-300 – Deploying XenDesktop 7 Solutions Practice
Exam
CPE-A22 – Citrix XenApp 6.5 Advanced Administration
Practice Exam
http://training.citrix.com/cms/index.php/promotions/prac
ticeexams/
62 © 2014 Citrix. Confidential.
63. Q4 PROMOTION
63 © 2014 Citrix. Confidential.
Most popular Learning Labs from Synergy ’14
7 lab environments totaling 30+ hours of exercises
30 days of access on a dedicated server
Self-paced online labs with minimal instruction
Free with purchase of a 5-day CTP through 12/31
Learning Labs
$500
64. 64 © 2014 Citrix. Confidential.
WORK BETTER. LIVE BETTER.