Citrix Group Policy Troubleshooting for XenApp and XenDesktop
SYN406
© 2014 Citrix. Confidential.
Tweet about this session with hashtag #syn406 and #citrixsynergy
Citrix Group Policy Architecture
Overview of Citrix Group Policy and Components
Citrix Group Policy Architecture
Policy Application Terminology
Local Group Policies
• Local GPO containing Computer and User settings
Citrix Farm Policies
• Also known as IMA farm policies (XenApp)
• Set via AppCenter/DSC (XenApp 6.x) or Studio (XenDesktop/XenApp 7.5)
• Stored in the farm datastore/database
Active Directory Policies
• Set via Site, Domain or OU GPOs
• Stored in Active Directory
• Allows combining of Citrix and Microsoft Policies
Local Policies
Citrix Farm/IMA Policies
Active Directory Site GPO
Active Directory Domain GPO
Active Directory OU GPO
Citrix Group Policy Architecture
Processing and Precedence for RSOP
Processing
Precedence
RSOP will have
CDM = Enabled
CDM = Disabled
Citrix Group Policy Architecture
Citrix Group Policy Management Console
Citrix GPMC - A connector into the Microsoft GPMC
Management of Citrix group policies via AppCenter/Studio or GPMC
Allows Citrix policy modeling/comparison
Can be installed for standalone use
Core binaries are in:
• %PROGRAMFILES% and %PROGRAMFILES(x86)%
• Under Citrix\Group Policy\Management
Citrix Group Policy Architecture
Citrix Group Policy Client Side Extension
Also known as Citrix CSE (CitrixCseClient.dll)
Loaded via Microsoft Winlogon process
Generates policy requests (Computer/User)
Retrieves values to determine policy filter calculation
Forwards policy requests to Citrix Caching Service
Core binaries are in:
• %PROGRAMFILES% and %PROGRAMFILES(x86)%
• Under Citrix\Group Policy\Client-Side Extension
Citrix Group Policy Architecture
Citrix Group Policy Caching Service
Citrix Group Policy Engine service (CitrixCseEngine), part of Citrix CSE
Performs the Citrix policy calculation and writes settings to the registry
Caches Group Policy files between calculations to avoid excessive network traffic
GPO (AD/Farm) Local Cache:
• %PROGRAMDATA%\CitrixCseCache
Also caches per-computer and per-user data files
Citrix Group Policy Architecture
Data Files - Resultant Set of Policy (RSOP)
Per-Computer and Per-User resultant Citrix policy settings end up in RSOP.gpf
These binary files are cached in:
• Per-Computer → %PROGRAMDATA%\CitrixCseCache
• Per-User → %PROGRAMDATA%\CitrixCseCache\<SessionID>
Files are used to create policy registry settings under:
• Per-Computer → HKLM\Software\Policies\Citrix
• Per-User → HKLM\Software\Policies\Citrix\<SessionID>\User
Citrix Group Policy Architecture
Data Files – Rollback
We needed a way to remove RSOP settings
Mechanism creates a Rollback.gpf file
Contains instructions to remove existing RSOP settings
These binary files are cached in:
• Per-Computer → %PROGRAMDATA%\CitrixCseCache
• Per-User → %PROGRAMDATA%\CitrixCseCache\<SessionID>
Citrix Group Policy Architecture
Citrix Policy Filters
Allows granular control of Citrix policies
Filters policy settings based on certain criteria
Different options based on the policy category
Can’t be applied to the default Unfiltered policy
Policy Filters
Computer Policies
Policy Filters
User Policies
Additional filter types
For User Policies
Citrix Group Policy Architecture
Unfiltered Policy and Templates
There’s a default Unfiltered policy (contains no settings)
Unfiltered policy settings apply to all objects
Can be disabled if not needed (set to lowest priority)
There are pre-configured policy Templates in place
Templates grouped by end user connectivity (WAN, LAN)
Policies created can be saved as templates
Policy Management
XenApp 6.x - XenDesktop 5.x
Separate Computer and User Policy Nodes
Policy Management
XenApp 7.5 – XenDesktop 7.x
Single Policy Node
Citrix Group Policy Architecture
Citrix Policy Update Intervals
For Citrix farm policies set up via AppCenter/Studio:
• Citrix policies for Computer and Users (logged in) refresh every 90 minutes
For Citrix Policies set via AD GPO:
• Leverage AD refresh interval (default is 90 minutes +/- a random offset of 0-30 minutes)
• What is set via AD GPO
For either method:
• Computer Policies update at machine startup
• User Policies will also be updated during a reconnect to an active or disconnected session
• Policies can be updated manually by running: gpupdate /force
User Policy Application (Similar for Computer)
[Diagram] Labels, in order:
• WinLogon
• Client Side Extensions: Microsoft CSE, Citrix CSE
• Policy sources: AD GPO, Local GPO, Farm or Studio GPO
• Citrix CSE
• Resultant Policy: RSOP.GPF
• Local server Registry:
  HKLM\Software\Policies\Citrix (For Server)
  -or-
  HKLM\Software\Policies\Citrix\<SessionID>\User
Policy Application Details
[Diagram] Steps shown, in order:
• Load existing Rollback.gpf
• Apply RSOP
• Delete cached GPF files
• Cache new files
• Set time in LastUpdate under Events registry area
• All Done!
Other labels in the diagram: RSOP.gpf, Rollback.gpf, Registry
File locations shown:
• %PROGRAMDATA%\Citrix\GroupPolicy
• -or- %PROGRAMDATA%\Citrix\GroupPolicy\<SessionID>
Recommended Practices - Tips
Based on Citrix Support cases
Recommended Practices
Architecture
While supported, using both AD and Farm/Studio Citrix policies may cause confusion when troubleshooting issues
• Try to use one type or the other depending upon requirements
Using WMI filters on AD GPOs containing Citrix policies may cause issues during reconnects (due to WMI/AD timeouts)
• Use WMI filters sparingly
• Possible mitigation: using DisableGPCalculation setting
Recommended Practices
Document Policies
For Farm (AppCenter/Studio) applied policies:
• Written document/spreadsheet (Scout can provide as well)
For Active Directory applied policies:
• Use the GPMC Save Report option on your AD GPO
For either of the above:
• CtxCseUtil – RSOP reporting tool
• Export using Citrix Group Policy PowerShell module
Recommended Practices
What Not To Do!
To prevent Citrix Group Policy consistency issues, don’t manually manipulate/remove any of the Citrix Group Policy data files on your own
This includes files/folders or reg entries under:
• %PROGRAMDATA%\Citrix\GroupPolicy\<SessionID>
• %PROGRAMDATA%\Citrix\GroupPolicy
• HKLM\Software\Policies\Citrix\<SessionID>
• HKLM\Software\Policies\Citrix
Might be needed for certain fixes (LA5051)
Troubleshooting Citrix Group Policy
Troubleshooting Citrix Group Policy
Recommended Approach
Know your Baseline/Collect the Details
Determine Versions
Policy Cache
GPF Files
RSOP Registry Settings
Connection Information
Additional Data Points
Troubleshooting Citrix Group Policy
Baseline and Collect Details – The Four W’s
Make sure you can answer the following:
Who is seeing the issue?
What issue are they seeing?
Tokyo
Chicago
Miami
Troubleshooting Citrix Group Policy
Baseline and Collect Details – The Four W’s
Make sure you can answer the following:
Who is seeing the issue?
What issue are they seeing?
When are they seeing the issue?
Where are they seeing the issue?
New Session?
Reconnecting?
Smooth Roaming?
All of the Above?
Troubleshooting Citrix Group Policy
Determine Versions
What version am I at??
Troubleshooting Citrix Group Policy
Determine CSE Version
Look in the component directory
Check CitrixCseEngine.exe
Troubleshooting Citrix Group Policy
Determine GPMC Version
Product Versions - Reference
XenApp – Baseline (Updated)
Version | Citrix GPMC | Citrix CSE
6.0 | 1.0 | 1.0
6.5 | 1.5 (1.7) | 1.5 (1.7)
7.5 | 2.2 | 2.1
Product Versions - Reference
XenDesktop – Baseline (Updated)
Version | Citrix GPMC | Citrix CSE
5.5, 5.6 | 1.5 (1.7) | 1.5 (1.7)
7.1 | 2.1 | 2.1
7.5 | 2.2 | 2.1
Policy Cache
Active Directory Policies
Seeing {GUID} in the filename = AD GPO
The 0 here denotes User policy settings
The 1 here denotes a Computer policy
Policy Cache
Active Directory Policies
We have a match!!
Policy Cache
Farm/Studio Policies
Lack of {GUID} = Farm policies
GPF files
Per-Computer files
Per-User files
SessionID = 2
RSOP Registry Settings
Per-Computer (HKLM\Software\Policies\Citrix)
RSOP Registry Settings
Per-User (HKLM\Software\Policies\Citrix\<SessionID>)
Connection Information
Connection Details
HKLM\Software\Citrix\ICA\Session
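The collection steps above (versions, policy cache, GPF files, RSOP registry settings, connection information) gathered into one read-only PowerShell script. This is an added example, not part of the original deck or a Citrix tool; it assumes the folder and registry locations named on the slides, and the output file name is hypothetical. The 0 KB flag reflects the case named in the CTX130116 title under Resources.

```powershell
# Read-only baseline collection for Citrix Group Policy troubleshooting.
# Nothing here modifies the policy data files or registry keys; it only
# records their current state so later runs can be compared against it.
param(
    # Hypothetical output location; change as needed.
    [string]$OutFile = (Join-Path $env:TEMP 'CitrixPolicyBaseline.txt')
)

$report = New-Object 'System.Collections.Generic.List[string]'
$report.Add("Baseline for $env:COMPUTERNAME taken $(Get-Date -Format s)")

# 1. Determine versions: CitrixCseEngine.exe in the CSE component directory.
$report.Add('--- CSE version ---')
foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if (-not $root) { continue }   # no x86 folder on 32-bit systems
    $exe = Join-Path $root 'Citrix\Group Policy\Client-Side Extension\CitrixCseEngine.exe'
    if (Test-Path -LiteralPath $exe) {
        $ver = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
        $report.Add("$exe  FileVersion=$ver")
    }
}

# 2. Policy cache and GPF files: name, size and last write time.
#    A zero-length .gpf file is flagged because policy cannot be built from it.
$report.Add('--- Policy cache and GPF files ---')
$dataDirs = @(
    (Join-Path $env:ProgramData 'CitrixCseCache'),
    (Join-Path $env:ProgramData 'Citrix\GroupPolicy')
)
foreach ($dir in $dataDirs) {
    if (-not (Test-Path -LiteralPath $dir)) {
        $report.Add("Missing: $dir")
        continue
    }
    Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $flag = ''
            if ($_.Extension -eq '.gpf' -and $_.Length -eq 0) { $flag = '  <-- 0 KB gpf' }
            $report.Add(('{0}  {1} bytes  {2:yyyy-MM-dd HH:mm:ss}{3}' -f
                $_.FullName, $_.Length, $_.LastWriteTime, $flag))
        }
}

# 3. RSOP registry settings and connection information: list every subkey
#    with its value count (per-session keys appear as <SessionID> subkeys).
$report.Add('--- Registry ---')
$regRoots = @(
    'HKLM:\Software\Policies\Citrix',
    'HKLM:\Software\Citrix\ICA\Session'
)
foreach ($key in $regRoots) {
    if (-not (Test-Path -Path $key)) {
        $report.Add("Missing: $key")
        continue
    }
    Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $report.Add(('{0}  values={1}' -f $_.Name, $_.ValueCount))
        }
}

$report | Set-Content -LiteralPath $OutFile -Encoding UTF8
Write-Output "Baseline written to $OutFile"
```

Comparing two such files taken before and after a policy change (for example with Compare-Object) shows which GPF files and registry keys actually moved.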
Troubleshooting Tools - CtxCseUtil
Citrix RSOP Report Tool
Creates resultant set of policies report containing user settings, computer or both
Can be run locally or remotely against a server or VDA
Converts RSOP.gpf to HTML report
End user has to have logged in at some point
End user doesn’t have to be actively logged in
Troubleshooting Tools - CtxCseUtil
Common Errors
Solution: Run WinRm QuickConfig
Typical error when first run…
Troubleshooting Tools - CtxCseUtil
CtxCseUtil - Common Errors
Help Message.docx
Possible using Local Administrator Account?
Troubleshooting Tools - CtxCseUtil
Resultant Report - CitrixRsopResult.html
Once run, resultant report is: CitrixRsopResult.html
Citrix Group Policy PowerShell Module
Citrix.GroupPolicy.Commands.psm1
Module containing cmdlets for Citrix Policies
• Local, Farm or Active Directory
Needs to be imported via PowerShell prompt
Contains cmdlets to:
• Set or Get Citrix policy settings
• Export or Import Citrix policy objects
Policy Details Imported/Exported:
• Policy Settings
• Configuration Details
• Filters
Citrix Group Policy PowerShell Module
Exporting Farm Policies
GET-COMMAND output
Citrix Group Policy PowerShell Module
Exporting Farm Policies
Once completed, these are your files
Export the policies
Citrix Group Policy PowerShell Module
Exporting Citrix Policies from Active Directory
Use the same PowerShell Module and cmdlets
Connect to Active Directory GPO via New-PSDrive cmdlet
See CTX140039 for the details
CDFControl
CDF Tracing Tool
Farm/Studio Policy Issue
Farm policies stored in a single object
Likely related to corrupt policy
Error seen when accessing policies
Don’t restore datastore/database
Contact Citrix Technical Support
Maintain an updated policy export!!
WMI Related Issues
Reconnect Issues
If using WMI Filters on AD GPOs, might see reconnect issues
• Citrix policies not applying for reconnected sessions
• Logins/Reconnects taking long time to occur (does the issue resolve itself after some time?)
Enable Microsoft Group Policy logging:
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics
"GPSvcDebugLevel"=dword:00030002
Log file will be in:
• %WINDIR%\debug\usermode\gpsvc.log
• If you see FilterCheck: Evaluate returned error. hr=0x80041069, AD is timing out on WMI call
Look in Event Viewer as well for WMI errors
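The logging procedure above as a PowerShell script: it sets GPSvcDebugLevel, waits while the slow logon or reconnect is reproduced, searches gpsvc.log for the hr=0x80041069 line, and then turns debug logging off again. This is an added example, not from the original deck; the function names are hypothetical, and the choice of the Microsoft-Windows-WMI-Activity/Operational log for the Event Viewer check is an assumption.

```powershell
# Run from an elevated PowerShell prompt on the affected server or VDA.
$DiagKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$LogDir  = Join-Path $env:WINDIR 'debug\usermode'
$LogFile = Join-Path $LogDir 'gpsvc.log'

function Enable-GpsvcDebugLog {
    # Neither the Diagnostics key nor the usermode folder is guaranteed to exist.
    if (-not (Test-Path -Path $DiagKey)) { New-Item -Path $DiagKey -Force | Out-Null }
    if (-not (Test-Path -LiteralPath $LogDir)) {
        New-Item -Path $LogDir -ItemType Directory | Out-Null
    }
    # "GPSvcDebugLevel"=dword:00030002, the value given on the slide.
    New-ItemProperty -Path $DiagKey -Name 'GPSvcDebugLevel' `
        -PropertyType DWord -Value 0x00030002 -Force | Out-Null
}

function Disable-GpsvcDebugLog {
    # Debug logging is verbose; remove the value once the capture is done.
    Remove-ItemProperty -Path $DiagKey -Name 'GPSvcDebugLevel' -ErrorAction SilentlyContinue
}

function Find-WmiFilterTimeout {
    param(
        [string]$Path = $LogFile,
        [int]$LinesBefore = 5      # context that shows which GPO was being evaluated
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "No log found at $Path"
        return
    }
    # gpsvc.log is written as UTF-16, so the encoding is given explicitly.
    Select-String -LiteralPath $Path -Encoding Unicode -SimpleMatch `
        -Pattern 'hr=0x80041069' -Context $LinesBefore, 0
}

Enable-GpsvcDebugLog
try {
    Read-Host 'Reproduce the slow logon or reconnect, then press Enter' | Out-Null

    $hits = @(Find-WmiFilterTimeout)
    if ($hits.Count -gt 0) {
        Write-Output "$($hits.Count) WMI filter evaluation timeout(s) in $LogFile"
        $hits | ForEach-Object { $_.ToString() }
    } else {
        Write-Output 'No hr=0x80041069 entries found in gpsvc.log.'
    }

    # Event Viewer check: recent error-level WMI events (log name is an assumption).
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-WMI-Activity/Operational'
        Level   = 2
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}
finally {
    Disable-GpsvcDebugLog
}
```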
Takeaways
Architecture and files related to Citrix Group Policy
How Citrix policies apply during user login (computer too)
Recommended practices
Troubleshooting methods and tools
Documenting and backing up your policies is important!!
Resources
Links related to Citrix Group Policy
Resources
Citrix Documentation Links
Citrix Product Documentation Site (eDocs)
Manage Citrix Policies (XenDesktop/XenApp 7.5)
Working with Citrix Policies (XenApp 6.5)
Policy Settings Reference (XenApp 6.5)
Resources
CTX140268 - Citrix policy settings not being displayed properly in newer Citrix Group Policy Management Console
CTX127611 - How Citrix IMA Policies fit in to Microsoft GPO Processing and Precedence Model
CTX138537 – HRP02 for Citrix XenApp 6.5 (for DisableGPCalculation setting)
CTX130116 - Case Study: Unable to Apply Citrix Policies because of 0kb gpf Files
CTX134081 - Planning Guide - Citrix XenApp and XenDesktop Policies
Resources
Group Policy Tools
CTX140267 - Updated Citrix Group Policy PowerShell Module
CTX138533 - Citrix Policy Reporter - RSOP CtxCseUtil Tool
CTX140039 - How to Import and Export Policies in XenApp 6.x
CTX111961 – CDFControl
CTX130147 – Citrix Scout
MS TechNet – Group Policy Cmdlets for PowerShell
MS TechNet Blog – Enabling Group Policy Logging using RSAT
Questions and Wrap-Up
Questions?
Before you leave…
Conference surveys are available online at www.citrixsynergy.com starting
Thursday, May 8 at 9:00 a.m.
• Provide your feedback by 6:00 p.m. that day to be entered to win one of many prizes
Download presentations starting Monday, May 19 from the My Event Planning tool
WORK BETTER. LIVE BETTER.

Cisco cloud computing deploying openstack
 
Se training storage grid webscale technical overview
Se training   storage grid webscale technical overviewSe training   storage grid webscale technical overview
Se training storage grid webscale technical overview
 
Vmware 2015 with vsphereHigh performance application platforms
Vmware 2015 with vsphereHigh performance application platformsVmware 2015 with vsphereHigh performance application platforms
Vmware 2015 with vsphereHigh performance application platforms
 

Dernier

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 

Dernier (20)

E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 

Citrix group policy troubleshooting for xen app and xendesktop

  • 1. Citrix Group Policy Troubleshooting for XenApp and XenDesktop Download this slide http://ouo.io/HbyZQc SYN406
  • 2. © 2014 Citrix. Confidential.2 Tweet about this session with hashtag #syn406 and #citrixsynergy
  • 3. Citrix Group Policy Architecture Overview of Citrix Group Policy and Components
  • 4. Citrix Group Policy Architecture Policy Application Terminology Local Group Policies • Local GPO containing Computer and User settings Citrix Farm Policies • Also known as IMA farm policies (XenApp) • Set via AppCenter\DSC (XenApp 6.x) or Studio (XenDesktop\XenApp 7.5) • Stored in the farm datastore\database Active Directory Policies • Set via Site, Domain or OU GPO’s • Stored in Active Directory • Allows combining of Citrix and Microsoft Policies
  • 5. Local Policies Citrix Farm\IMA Policies Active Directory Site GPO Active Directory Domain GPO Active Directory OU GPO Citrix Group Policy Architecture Processing and Precedence for RSOP Processing Precedence RSOP will have CDM = Enabled CDM = Disabled
  • 6. Citrix Group Policy Architecture Citrix Group Policy Management Console Citrix GPMC - A connector into the Microsoft GPMC Management of Citrix group policies via AppCenter\Studio or GPMC Allows Citrix policy modeling\comparison Can be installed for standalone use Core binaries are in: • %PROGRAMFILES% and %PROGRAMFILES(x86)% • Under Citrix\Group Policy\Management
  • 7. Citrix Group Policy Architecture Citrix Group Policy Client Side Extension Also known as Citrix CSE (CitrixCseClient.dll) Loaded via Microsoft Winlogon process Generates policy requests (Computer\User) Retrieves values to determine policy filter calculation Forwards policy requests to Citrix Caching Service Core binaries are in: • %PROGRAMFILES% and %PROGRAMFILES(x86)% • Under Citrix\Group Policy\Client-Side Extension
  • 8. Citrix Group Policy Architecture Citrix Group Policy Caching Service Citrix Group Policy Engine service (CitrixCseEngine), part of Citrix CSE Performs the Citrix policy calculation and writes settings to the registry Caches Group Policy files between calculations to avoid excessive network traffic GPO (AD\Farm) Local Cache: • %PROGRAMDATA%\CitrixCseCache Also caches per-computer and per-user data files
  • 9. Citrix Group Policy Architecture Data Files - Resultant Set of Policy (RSOP) Per-Computer and Per-User resultant Citrix policy settings end up in RSOP.gpf These binary files are cached in: • Per-Computer → %PROGRAMDATA%\CitrixCseCache • Per-User → %PROGRAMDATA%\CitrixCseCache\<SessionID> Files are used to create policy registry settings under: • Per-Computer → HKLM\Software\Policies\Citrix • Per-User → HKLM\Software\Policies\Citrix\<SessionID>\User
  • 10. Citrix Group Policy Architecture Data Files – Rollback We needed a way to remove RSOP settings Mechanism creates a Rollback.gpf file Contains instructions to remove existing RSOP settings These binary files are cached in: • Per-Computer → %PROGRAMDATA%\CitrixCseCache • Per-User → %PROGRAMDATA%\CitrixCseCache\<SessionID>
  • 11. Citrix Group Policy Architecture Citrix Policy Filters Allows granular control of Citrix policies Filters policy settings based on certain criteria Different options based on the policy category Can’t be applied to the default Unfiltered policy
  • 12. Policy Filters Computer Policies
  • 13. Policy Filters User Policies Additional filter types For User Policies
  • 14. Citrix Group Policy Architecture Unfiltered Policy and Templates There’s a default Unfiltered policy (contains no settings) Unfiltered policy settings apply to all objects Can be disabled if not needed (set to lowest priority) There are pre-configured policy Templates in place Templates grouped by end user connectivity (WAN, LAN) Policies created can be saved as templates
  • 15. Policy Management XenApp 6.x - XenDesktop 5.x Separate Computer and User Policy Nodes
  • 16. Policy Management XenApp 7.5 – XenDesktop 7.x Single Policy Node
  • 17. Citrix Group Policy Architecture Citrix Policy Update Intervals For Citrix farm policies setup via AppCenter\Studio: • Citrix policies for Computer and Users (logged in) refresh every 90 minutes For Citrix Policies set via AD GPO: • Leverage AD refresh interval (default is 90 minutes +- a random offset of 0-30 minutes) • What is set via AD GPO For either method: • Computer Policies update at machine startup • User Policies will also be updated during a reconnect to an active or disconnected session • Policies can be updated manually by running: gpupdate /force
  • 18. User Policy Application (Similar for Computer) WinLogon Client Side Extensions Microsoft CSE Citrix CSE AD GPO Local GPO Resultant Policy RSOP.GPF Local server Registry Farm or Studio GPO Citrix CSE HKLM\Software\Policies\Citrix (For Server) -or- HKLM\Software\Policies\Citrix\<SessionID>\User
  • 19. Policy Application Details Load existing Rollback.gpf Rollback.gpf Registry %PROGRAMDATA%\Citrix\GroupPolicy -or- %PROGRAMDATA%\Citrix\GroupPolicy\<SessionID> Apply RSOP RSOP.gpf Delete Cached GPF files RSOP.gpf Rollback.gpf Registry Cache new files RSOP.gpf Rollback.gpf Set time in LastUpdate Under Events Registry Area All Done! Rollback.gpf
  • 20. Recommended Practices - Tips Based on Citrix Support cases
  • 21. Recommended Practices Architecture While supported, using both AD and Farm\Studio Citrix policies may cause confusion when troubleshooting issues • Try to use one type or the other depending upon requirements Using WMI filters on AD GPO’s containing Citrix policies may cause issues during reconnects (due to WMI\AD timeouts) • Use WMI filters sparingly • Possible mitigation: using DisableGPCalculation setting
  • 22. Recommended Practices Document Policies For Farm (AppCenter\Studio) applied policies: • Written document\spreadsheet (Scout can provide as well) For Active Directory applied policies: • Use the GPMC Save Report option on your AD GPO For either of the above: • CtxCseUtil – RSOP reporting tool • Export using Citrix Group Policy PowerShell module
  • 23. Recommended Practices What Not To Do! To prevent Citrix Group Policy consistency issues, don’t manually manipulate\remove any of the Citrix Group Policy data files on your own This includes files\folders or reg entries under: • %PROGRAMDATA%\Citrix\GroupPolicy\<SessionID> • %PROGRAMDATA%\Citrix\GroupPolicy • HKLM\Software\Policies\Citrix\<SessionID> • HKLM\Software\Policies\Citrix Might be needed for certain fixes (LA5051)
  • 25. Troubleshooting Citrix Group Policy Recommended Approach Know your Baseline Collect the Details Determine Versions Policy Cache GPF Files RSOP Registry Settings Connection Information Additional Data Points
  • 26. Troubleshooting Citrix Group Policy Baseline and Collect Details – The Four W’s Make sure you can answer the following: Who is seeing the issue? What issue are they seeing? Tokyo Chicago Miami
  • 27. Troubleshooting Citrix Group Policy Baseline and Collect Details – The Four W’s Make sure you can answer the following: Who is seeing the issue? What issue are they seeing? When are they seeing the issue? Where are they seeing the issue? New Session? Reconnecting? Smooth Roaming? All of the Above?
  • 28. Troubleshooting Citrix Group Policy Determine Versions What version am I at??
  • 29. Troubleshooting Citrix Group Policy Determine CSE Version Look in the component directory Check CitrixCseEngine.exe
  • 30. Troubleshooting Citrix Group Policy Determine GPMC Version
  • 31. Product Versions - Reference XenApp – Baseline (Updated) Version | Citrix GPMC | Citrix CSE: 6.0 | 1.0 | 1.0; 6.5 | 1.5 (1.7) | 1.5 (1.7); 7.5 | 2.2 | 2.1
  • 32. Product Versions - Reference XenDesktop – Baseline (Updated) Version | Citrix GPMC | Citrix CSE: 5.5, 5.6 | 1.5 (1.7) | 1.5 (1.7); 7.1 | 2.1 | 2.1; 7.5 | 2.2 | 2.1
  • 33. Policy Cache Active Directory Policies Seeing {GUID} in the filename = AD GPO The 0 here denotes User policy settings The 1 here denotes a Computer policy
  • 34. Policy Cache Active Directory Policies We have a match!! We have a match!!
  • 35. Policy Cache Farm\Studio Policies Lack of {GUID} = Farm policies
  • 36. GPF files Per-Computer files Per-User files SessionID = 2
  • 37. RSOP Registry Settings Per-Computer (HKLM\Software\Policies\Citrix)
  • 38. RSOP Registry Settings Per-User (HKLM\Software\Policies\Citrix\<SessionID>)
  • 39. Connection Information
  • 40. Connection Details HKLM\Software\Citrix\ICA\Session
  • 41. Troubleshooting Tools - CtxCseUtil Citrix RSOP Report Tool Creates resultant set of policies report containing user settings, computer or both Can be run locally or remotely against a server or VDA Converts RSOP.gpf to HTML report End user has to have logged in at some point End user doesn’t have to be actively logged in
  • 42. Troubleshooting Tools - CtxCseUtil Common Errors Solution: Run WinRm QuickConfig Typical error when first run…
  • 43. Troubleshooting Tools - CtxCseUtil CtxCseUtil - Common Errors Help Message.docx Possible using Local Administrator Account?
  • 44. Once run, resultant report is: CitrixRsopResult.html Resultant Report - CitrixRsopResult.html Troubleshooting Tools - CtxCseUtil
  • 45. Citrix Group Policy PowerShell Module Citrix.GroupPolicy.Commands.psm1 Module containing cmdlets for Citrix Policies • Local, Farm or Active Directory Needs to be imported via PowerShell prompt Contains cmdlets to: • Set or Get Citrix policy settings • Export or Import Citrix policy objects Policy Details Imported\Exported: • Policy Settings • Configuration Details • Filters
  • 46. Citrix Group Policy PowerShell Module Exporting Farm Policies GET-COMMAND output
  • 47. Citrix Group Policy PowerShell Module Exporting Farm Policies Once completed, these are your files Export the policies
  • 48. Use the same PowerShell Module and cmdlets Connect to Active Directory GPO via New-PSDrive cmdlet See CTX140039 for the details Citrix Group Policy PowerShell Module Exporting Citrix Policies from Active Directory
  • 49. CDFControl CDF Tracing Tool
  • 50. Farm\Studio Policy Issue Farm policies stored in a single object Likely related to corrupt policy Error seen when accessing policies Don’t restore datastore\database Contact Citrix Technical Support Maintain an updated policy export!!
  • 51. WMI Related Issues Reconnect Issues If using WMI Filters on AD GPO’s, might see reconnect issues • Citrix policies not applying for reconnected sessions • Logins\Reconnects taking long time to occur (does the issue resolve itself after some time?) Enable Microsoft Group Policy logging: • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics "GPSvcDebugLevel"=dword:00030002 Log file will be in: • %WINDIR%\debug\usermode\gpsvc.log • If you see FilterCheck: Evaluate returned error. hr=0x80041069, AD is timing out on WMI call Look in Event Viewer as well for WMI errors
  • 52. Takeaways Architecture and files related to Citrix Group Policy How Citrix policies apply during user login (computer too) Recommended practices Troubleshooting methods and tools Documenting and backing up your policies is important!!
  • 53. Resources Links related to Citrix Group Policy
  • 54. Resources Citrix Documentation Links Citrix Product Documentation Site (eDocs) Manage Citrix Policies (XenDesktop\XenApp 7.5) Working with Citrix Policies (XenApp 6.5) Policy Settings Reference (XenApp 6.5)
  • 55. Resources CTX140268 - Citrix policy settings not being displayed properly in newer Citrix Group Policy Management Console CTX127611 - How Citrix IMA Policies fit in to Microsoft GPO Processing and Precedence Model CTX138537 – HRP02 for Citrix XenApp 6.5 (for DisableGPCalculation setting) CTX130116 - Case Study: Unable to Apply Citrix Policies because of 0kb gpf Files CTX134081 - Planning Guide - Citrix XenApp and XenDesktop Policies
  • 56. Resources Group Policy Tools CTX140267 - Updated Citrix Group Policy PowerShell Module CTX138533 - Citrix Policy Reporter - RSOP CtxCseUtil Tool CTX140039 - How to Import and Export Policies in XenApp 6.x CTX111961 – CDFControl CTX130147 – Citrix Scout MS TechNet – Group Policy Cmdlets for PowerShell MS TechNet Blog – Enabling Group Policy Logging using RSAT
  • 58. Questions?
  • 59. Before you leave… Conference surveys are available online at www.citrixsynergy.com starting Thursday, May 8 at 9:00 a.m. • Provide your feedback by 6:00 p.m. that day to be entered to win one of many prizes Download presentations starting Monday, May 19 from the My Event Planning tool
  • 60. WORK BETTER. LIVE BETTER.
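
The Group Policy logging check from slide 51, written out as an added example (not part of the original deck or of any Citrix tool). The registry value, log path and error code are the ones on the slide; the function names, the constructed sample lines and their assumed `GPSVC(pid.tid) time message` layout are illustrative assumptions.

```powershell
# Added example, not from the Citrix deck. Run elevated on the XenApp server or VDA.
# Registry key, value, log path and hr code are taken from slide 51.
$DiagKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$GpsvcLog = Join-Path $env:WINDIR 'debug\usermode\gpsvc.log'

function Set-GpsvcDebugLogging {
    # Hypothetical helper name. Turns Microsoft Group Policy service logging on or off.
    param([Parameter(Mandatory)][bool]$Enabled)

    if ($Enabled) {
        if (-not (Test-Path $DiagKey)) { New-Item -Path $DiagKey -Force | Out-Null }
        # "GPSvcDebugLevel"=dword:00030002
        New-ItemProperty -Path $DiagKey -Name 'GPSvcDebugLevel' `
            -PropertyType DWord -Value 0x00030002 -Force | Out-Null
        # Create the log folder if it is missing so the service has somewhere to write.
        $logDir = Split-Path -Parent $GpsvcLog
        if (-not (Test-Path $logDir)) {
            New-Item -ItemType Directory -Path $logDir -Force | Out-Null
        }
    }
    else {
        # Debug logging is verbose; remove the value once the reconnect issue is captured.
        Remove-ItemProperty -Path $DiagKey -Name 'GPSvcDebugLevel' -ErrorAction SilentlyContinue
    }
}

function Find-WmiFilterError {
    # Hypothetical helper name. Returns one object per FilterCheck error line and
    # flags hr=0x80041069, which the slide reads as AD timing out on the WMI call.
    param([string[]]$Line)

    $pattern = 'FilterCheck: Evaluate returned error\. hr=(0x[0-9a-fA-F]+)'
    for ($i = 0; $i -lt $Line.Count; $i++) {
        if ($Line[$i] -match $pattern) {
            [pscustomobject]@{
                LineNumber = $i + 1
                HResult    = $Matches[1].ToLower()
                IsTimeout  = ($Matches[1] -ieq '0x80041069')
                Text       = $Line[$i].Trim()
            }
        }
    }
}

# Constructed sample lines (not from a real system), used when no gpsvc.log exists yet.
$sample = @(
    'GPSVC(4c8.9a0) 09:14:02:115 ProcessGPOs(User): Starting user Group Policy processing',
    'GPSVC(4c8.9a0) 09:14:32:480 FilterCheck: Evaluate returned error. hr=0x80041069',
    'GPSVC(4c8.9a0) 09:14:32:481 ProcessGPO(User): The GPO does not pass the filter check and so will not be applied',
    'GPSVC(4c8.b14) 09:31:10:007 FilterCheck: Evaluate returned error. hr=0x80041069'
)

# To capture real data: Set-GpsvcDebugLogging -Enabled $true, reproduce the slow
# reconnect, rerun this script, then Set-GpsvcDebugLogging -Enabled $false.
$lines    = if (Test-Path $GpsvcLog) { Get-Content -Path $GpsvcLog } else { $sample }
$hits     = @(Find-WmiFilterError -Line $lines)
$timeouts = @($hits | Where-Object { $_.IsTimeout })

'{0} FilterCheck error(s), {1} with hr=0x80041069' -f $hits.Count, $timeouts.Count
$timeouts | Format-Table LineNumber, HResult, Text -AutoSize
```

Timestamps of the flagged lines can be lined up against the reconnect times users report and against WMI errors in Event Viewer.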

Editor's notes

  1. -Good morning and welcome to “Citrix Group Policy Troubleshooting for XenApp and XenDesktop”, my name is Rick Berry and I’ll be your guide to help clear up the mysterious world of Citrix Group Policies. -A little bit about myself: I’ve been on our Global Escalation team for 8 years and I work on both XenApp and XenDesktop related issues. I specialize in the Citrix Group Policy components and work closely with our Group Policy architects in addition to providing troubleshooting assistance to our global support teams. -When you’re having Group Policy issues, they can create a significant business impact in your environment, plus to complicate matters, you may not even know you’re having Citrix policy issues. So my key objectives for this session are to: Guide you through the Citrix Group Policy components, discuss troubleshooting tools and methods to help resolve your Group Policy issues or even better, prevent them altogether. Also, since the Citrix GP components are shared amongst our XenApp and XenDesktop platforms, the concepts I’ll be discussing today apply to both platforms. -Lastly, we should have time for one or two questions. I’ll be covering a lot of material today, so if you have a question please hold it until this time. I’ll be close by after this session and later in the day over at the Ask the Experts bar in the Citrix booth if you think of something later. Plus this slide deck including my narrative will be available for download after Synergy in addition to the video recording being available on Citrix TV. -So with that in mind, let’s get started
  2. You can tweet about this session using #SYN406
  3. There are multiple components involved with Citrix Group Policy and understanding how they work together is key to better troubleshooting Group Policy issues.
  4. First, I want to establish a baseline for some terminology we’ll be using today on the different locations Citrix policies can be applied. This is key since troubleshooting methods can differ a bit depending on where you apply your Citrix policy settings. First, you can set Citrix policies via the local group policies. -Each server and workstation has a single group policy object and Citrix policies can be set here. Next, we have Citrix Farm policies. -These are also known as IMA policies (usually in XenApp environments) -These are policies that are set via AppCenter or the DSC (for XenApp 6.x) or Studio (for XenDesktop\XenApp 7.5) -These policy settings are stored in the Farm datastore\database. Lastly, we can set Citrix policies via Active Directory Policies. -Set via Site, Domain or OU GPO’s -Stored in Active Directory -This allows for a single GPO object with both Citrix and Microsoft policy settings. Here are the methods for applying Citrix Policy settings. However, for today’s presentation, I’ll be focusing on the Farm\IMA and Active Directory method since these are the most common.
  5. Next, it’s important to understand the processing and precedence order for policies, especially if you are applying policies using different locations. So let’s take a look at this. This is the order that the GPO’s are reviewed for applicable policy settings. Here are the available GPO types where we can place Citrix policy settings, starting at the local policies. This is the processing order, in other words, the order in which we analyze each GPO type for applicable Citrix policy settings. Now the precedence order is opposite of this, meaning that policy settings in the higher GPO will win when there’s a conflict in settings. For example: say you have Client Drive Mapping enabled via a Citrix Policy in AD whereas in the local GPO you have it Prohibited. While processing policy settings, we’ll see both settings, but due to the precedence order, the resultant set of policies will contain the winning setting from the AD GPO.
  6. The first major component I’ll discuss is the Citrix Group Policy Management Console. I’ll refer to this component as the Citrix GPMC from here on out, and it provides Citrix policy visibility within the Microsoft GPMC. It allows you to manage Citrix policies via AppCenter\Studio (for Farm policies) or the Microsoft GPMC (for AD GPO’s). This component also allows you to perform modeling or comparison of policy settings. It can be installed on a device for managing policies, and requires that GPMC is installed. In case you ever need to review version details for these binaries during troubleshooting, the core binaries are located here.
  7. The second major component I’ll go over is the Citrix Group Policy Client Side Extension. I’ll refer to this from here on out as the Citrix CSE; this is separate from the MS CSE, and loaded via this DLL. This component is initialized via the Winlogon process (for both Computer and User). It generates the policy requests. It will also retrieve certain aspects of the Computer or User connection; this is needed to see if any policy filters will be leveraged. This component also forwards policy requests to the caching service. The core binaries for this component are located here.
  8. Next, let’s look at our Caching service. It is handled via the CitrixCseEngine process, which runs as a service, and it’s a part of the Citrix CSE. It handles the policy calculation in addition to writing the resultant settings to the registry. It also caches the Farm\AD GPO objects to optimize the policy application process. For AD\Farm GPO’s, the cache folder is located here. In addition, it caches per-computer and per-user policy files, which we review in detail later in the session.
  9. Now that we’ve gone over the core components and services involved, let’s review what data files Citrix Group Policy uses. First, we have the resultant set of policies file, known as RSOP.gpf, which exists per-computer and per-user. This binary file location is based on whether it’s a per-computer or per-user file. The RSOP.gpf file is parsed into registry settings, which are applied to the proper location. NOTE: the <SESSIONID> you see here is going to be used quite a bit for user policies.
  10. Let’s talk about removing or rolling back Citrix policy settings. We need a way to remove policy settings that aren’t explicitly configured; you may ask why? If a user logs in and gets, say, a printer virtual channel bandwidth setting via Citrix policy, the next user to log in to that same session may not have that setting configured, so we need to be able to “remove” or “undo” this setting. The data file for this mechanism is the Rollback.gpf file. It exists for both per-computer and per-user settings. The Rollback.gpf file contains the instructions needed to remove pre-existing RSOP settings in the registry. The rollback file is cached to the same location as the RSOP.gpf file.
  11. Next, I want to review the Citrix Policy Filters. The Citrix policy filters allow granular control of policy settings. They allow filtering based on certain criteria, for instance workstations coming from a certain IP range, or connections coming through your external NetScaler. The available filters vary based on whether you are dealing with a Computer or User policy. The filters can be used with any policy set with the exception of the “Unfiltered” default policy.
  12. Let’s take a look at the Computer filters for XenApp 6.5 from AppCenter. You can see the filter types listed here. We’ll zoom in a bit on the filter types, and we see that for a Computer policy we have these available filters. When selecting a filter type, you’ll get additional details on the filter in this pane. Zooming in again, we can see the products and versions the filter applies to, plus details of the filter.
  13. Now lets take a look at that same details for User Policies. We see the available filter types here We’ll zoom in a bit to show you the additional filters that are present for User policies.
  14. Let’s review our default policy information along with the built-in templates There’s a default unfiltered policy (per-computer and per-user) The policy settings you add to the Unfiltered policy apply to all related objects (Computer or User) The unfiltered policy can be disabled if needed (if you disable the Unfiltered policy move it to the lowest priority) By default there are pre-configured policy templates in place Templates are group based on user connectivity methods (WAN, etc.) In addition, once you create your own polices, they can be saved as a template, this is a good backup method, but this shouldn’t be your only backup method
  15. Now, as you move from XenApp 6.x and XenDesktop 5.x to newer versions, you going to see some difference when managing Citrix policies. This is the policy node from a XenApp 6.5 environment In this case, you’ll see separate Computer and User policy nodes
  16. Now for newer versions of XenDesktop 7.x and XenApp 7.5, this view is different. Here we see a Studio screen shot of the policy node from XenApp 7.5 We see that there's only a single node for the policy objects. There’s no differentiation between computer and user policies within Studio for these newer versions. We take care of that on the backend when determining the resultant set of policies. The exception to this is when you manage Citrix policies via AD GPO’s, in that case, because you’re using the GPMC to manage policy settings, there will still be separate Computer and User sections.
  17. Here are some details surrounding policy refresh intervals, there are some differences to be aware of For policies setup in Studio\AppCenter The Computer and logged in User policies will refresh every 90 minutes For AD GPO’s The refresh interval is typically every 90 minutes plus or minus a random offset This update interval can also be set via AD GPO at the domain level For either method Computer policies will update at machine startup User policies will refresh during login or reconnection to an active or disconnected session You can also manually update the policies by issuing gpupdate /force (this is helpful when you modify policies and want them to refresh quicker)
  18. Now that we’ve reviewed the components and files involved in Citrix Group Policy, I want to tie this altogether for you by showing you how Citrix Group Policies are applied when a user logs in. NOTE, this process is similar for when a computer starts up. Here we have an end user ready to log in <PAUSE><PAUSE> What, this isn’t your end user, lucky Ok, here’s your happy end user logging in Once the user logs in, the Microsoft Winlogon process starts up Then it loads the available Client Side Extensions This includes not only the Microsoft policy extension, the Citrix one as well From this point I’ll focus on the Citrix CSE Citrix CSE starts to process the policies and the local GPO’s are processed first Then CSE process the Farm policies Then lastly CSE processes the Active Directory policies Now the precedence order is just the opposite of our processing order (so Active Directory policies l take precedence over Farm policies and so on), using this precedence order and any policy filters involved, a resultant set of policies file (RSOP.GPF) is created This file is then used to make the actual policy settings in the registry (the registry location is based on whether we dealing with Computer or User policies) Let’s take a closer look at this final stage of Citrix Group Policy processing, since there’s a lot more going on here and understanding this critical stage can help you significantly when troubleshooting
  19. The Rollback.GPF file is loaded from the cache (keep in mind this is the file containing instructions to remove or undo the existing RSOP settings) We then apply the new RSOP policy settings, this results in the registry being updated We then remove the previous cached GPF files Then we copy the new RSOP.gpf file to the cache and create a new Rollback.gpf file for the existing session which is cached as well The newer Rollback.gpf file will then be used the next time the User logs in (or Computer starts up) Then the LastUpdate value is updated in the registry for the Computer or Session At this point, we’re done
  20. Now, I want to review recommended practices based on issues encountered during Citrix Support cases.
  21. First, we’ll discuss policy architecture. While it’s fully supported to use both Farm and AD policies together, it can lead to confusion during troubleshooting or when something is not working properly. If possible, try to use one method or the other based on your requirements. We’ve seen some issues where the use of WMI filters on AD GPOs (for example, you want to apply the AD GPO to a certain OS) can cause issues during session reconnects. This is due to some issues with the MS APIs used by Terminal Services during a reconnect and AD timing out for WMI calls. Try to use WMI filters sparingly, and if you have to, it may be possible to prevent issues by using a setting we have. I’ll talk a bit more about this later.
  22. <????> I have a question for you, no need to raise your hand: think about whether you’ve got your Citrix policies documented or, even better, backed up in a manner you could easily restore them. <PAUSE> OK, that’s a good amount of you. Documenting policies is important, especially when things go wrong. No worries for those of you that don’t have them documented yet, as I’m going to go over steps you can take to easily accomplish this. We have several methods to document these, based on how you apply your policies. For Farm policies applied via AppCenter or Studio, it’s best to get them written out, say in Excel, etc. Or you can also leverage our Citrix Scout tool to get the settings and filters exported. For policies applied via Active Directory, use the GPMC and select the Save Report option on your GPOs; this will create an HTML report (NOTE: this needs to be done on a device with both the MS GPMC and Citrix GPMC installed). For either method, there are a few other tools that will help with this as well, and I’ll go into more detail on these in a bit. The first is CtxCseUtil, which will generate resultant set of policy reports. We also have a PowerShell module that contains cmdlets to export and import Citrix Group Policies (the export cmdlet is great since this gives you a snapshot of your policies that can be imported later).
  23. There are certain actions that, if taken, can cause group policy consistency issues. These are some of the more difficult issues to troubleshoot, and you may not even know you’re having an issue until it’s too late (you’ll get the dreaded call from security or your boss’s boss’s boss). So here are some things you shouldn’t do. Unless instructed by someone from Citrix Technical Support, don’t manually manipulate any of the Citrix Group Policy files\folders\registry areas. This includes these areas, which relate to the policy cache and resultant registry areas. These areas are tightly linked together, so altering any one area can have negative effects. There is a certain use case where we might ask you to clear these areas out, for instance a specific fix as referenced here for LA5051; in this case, we clearly document the steps needed.
  24. Ok, now that I’ve gone over the architecture and components of Citrix group policy, let’s talk about some recommended practices based on issues we’ve seen while working on support cases.
  25. When troubleshooting Citrix group policy issues, we have a recommended troubleshooting path. These steps will help you isolate the issue, or in case you need to contact Citrix Technical Support for assistance, you’re going to have the information ready to go and help expedite the resolution process. I’ll be covering these steps in greater detail in the upcoming slides.
  26. The best starting point when troubleshooting Citrix group policy issues is to know what the desired policy settings are for the given scenario, so knowing your baseline configuration is key. Then, to isolate the issue further, make sure you can answer what I call the four W’s. Who is seeing the issue: are there specific users in a separate office, or all users? What issue is being seen: are they getting client drives mapped when they shouldn’t be, or vice versa?
  27. When are they seeing the issue? For new sessions, reconnecting, smooth roaming, or maybe all of those? Lastly, where are they seeing the issue? Are they working from home and coming in via your Netscaler? Or are they working in the corporate office?
  28. The next step in the process is to be sure you know what version of components you are dealing with. Now, looking at this screenshot, we only see the core XenApp 7.5 install and the related VDA, but no Group Policy components. So what version am I really at? In this case, the GP components are at the baseline versions that come with the core product. The best method to confirm the versions is to check the individual components. Note that our Citrix Scout tool does collect versions of the Citrix Group Policy components, as I’ve highlighted in this Scout data file for a XenApp 6.5 server.
  29. So let’s take a look at getting the CSE version. You can look in the component directory. As I mentioned earlier, here’s the path to the CSE. You can right-click on the CitrixCseEngine executable, which is the primary CSE binary, and going to the Details tab will show you this is version 2.1.
  30. Now, to determine the GPMC version, we can do the same thing. We go to the components directory as I’ve referenced here, and we can right-click on the main binary. And we get the version here, in this case v2.2.
  31. Now that we’ve reviewed how to get the component version, here’s a reference chart to show the versions for our core XenApp products. This will help you when you have the baseline versions of the components installed. I’ve provided the XenApp version and the GPMC and CSE versions. For 6.0. For 6.5: when there’s a higher version in parentheses, this means this component has a higher available version. You can review these on our support site, and you’d likely be asked to upgrade if you’re having issues. And lastly for 7.5.
  32. Now that we’ve reviewed how to get the component version, here’s a reference chart to show the versions for our core XenDesktop products, again showing the version of XenDesktop, GPMC and CSE. For 5.5, 5.6. For 7.1. And lastly for 7.5.
  33. Next we’d want to check out the locally cached policy objects. First we’ll look at cached objects from AD GPOs. On the server\VDA in question, here’s a look at the GPO cache. As I noted earlier, it’s under the PROGRAMDATA folder. Let’s look closer at the GPF files. In this case, we see a GUID in the file name. When we see a GUID in the file name, this means it’s a cached AD GPO. You can see there are two files with the GUID: the one with a 0 is the cached User policy, and the 1 in the name is the cached Computer policy.
  34. Now that we have the GUID, let’s take a closer look in AD. We look at the local cache again and note the GUID. We can then search in the GPMC (or use PowerShell cmdlets) to find a match. Here we’ve found a GUID match, so this is our AD GPO in the GPMC. We then also know what the GPO display name is. So now we want to compare the time details for the AD GPO. Here we see the creation date. Here is the modified date (meaning the last time a change was made to it); this is the date we’re really interested in. In this case, the dates are a match between the AD GPO and the locally cached version, so our cached version is up to date. If they didn’t match, usually issuing a gpupdate /force will resolve that; if not, there’s likely an issue with the GPO in AD (look in Event Viewer for errors). NOTE: There could be a difference in the modified timestamps of the cache files, since there is a separate one for User and one for Computer. The modified timestamp in the GPMC is the last update and should be reflected in one of the files.
  35. Now, for farm policies created with AppCenter or Studio, the cache files look a little different. We’re looking in the same cache folder. Looking closer, we see these files lack the GUID, which means they are Farm policies. But the User and Computer notations are similar.
  36. Now we should check the Computer and User cache files. Here we see the location of the cached RSOP and Rollback GPF files. The per-computer cache files are located in the root of this folder. Now we can look into the sub-folders. Each folder is named for the SessionID; if you know of a specific user seeing the issue, you can issue a QUSER to get their session and check from there. These sub-folders are for the per-user files (for the given SessionID). These are the files for Session 2. Note that for either computer or user files, you should always have both the rollback and rsop gpf files; if not, this needs to be resolved.
  37. Now, let’s review what’s in the registry for Citrix Group Policies. Here we see the core location for the per-computer settings. The various sets of Computer policies usually are contained in sub-keys; here we see the Graphics and ICA policy settings. Looking at the values, we can see the final resultant policy settings. NOTE: we have references on our e-docs site to match up a registry value to the policy in question.
  38. Now we should review the per-user RSOP settings in the registry, especially if there’s some issue with a policy applying (or not applying). For the per-user registry area, we need to go into the sub-key noted with the SessionID, which we get from QUSER; in this case we go into Session 2. Here I’ve highlighted two sub-keys of interest: the Events key contains a last update time of the policy settings, whereas the Evidence key contains details of the connection itself (things like Client IP, Client Name, etc.). Under the User sub-key we get the various groups of GPOs and their settings.
  39. Now let’s look at connection details and how that relates to Citrix Group Policy. <<QUESTION>> Can anyone tell me why we’d be interested in client connection details in relation to Citrix group policy? <PAUSE> Correct, we’re interested in connection details because we can filter User policies based on certain connection filters, things like Client IP address or Client name. So if the connection info isn’t right, there’s no way we’ll be able to apply the right policies.
  40. Let’s look at the connection details closer. On the XenApp\XenDesktop device the end user is connecting to, we track the connection details under HKLM\Software\Citrix\ICA\Session. Each session has a sub-key noted with the Session ID, which we can get from running Quser on the device; then we can look in the Connection sub-key for details. Here we see the connection’s Client Name and Client Address, which is good to know in case we’re filtering on this. Issues with policies not applying might be related to subnet changes or a rebuild of a client device. On a side note, you can also look up the full client version for the connection here as well.
  41. CTXCseUtil is a Citrix tool that can translate the RSOP.gpf for a user or computer into an HTML report. This can be beneficial when troubleshooting policy issues.
  42. Once we have CTXCseUtil on the Server\VDA, we can get to a cmd prompt on that device and run it (or we can run it against a remote device). Usually, when you run CtxCseUtil the first time on a device, you’ll likely get a general WinRM error. CtxCseUtil needs WinRM configured so it can run. The solution to this is to run WinRM quickConfig on the device.
  43. Here’s another common issue when running CtxCseUtil: this “A specified Logon session” error message. This error usually means that you are trying to get an RSOP report when using AD GPOs and you’ve logged in with a local Administrators account that doesn’t have access to AD. The solution is to log in or run the tool with an account that has AD privileges. NOTE: There are more details on using the tool in the Help Message document located in the same folder as the tool.
  44. Once you run CtxCseUtil, the resultant report will be created in the same folder. The file name is CitrixRsopResult.html. Here’s a screen clip of the report detailing the User policy section. Here’s a shot of the Computer policy section, showing what filters were applied or not. Then lastly, the report will show the setting name, what value was set, and the GPO name the setting comes from.
  45. The next tool we’ll look at is our PowerShell module for Citrix group policies. This powerful tool contains cmdlets for managing all types of Citrix policies. The module is not built-in and needs to be imported; I have a link in the resources section to the module. It contains cmdlets to set\get policy settings and export\import policy objects. The module will import\export policy settings, configuration details and filters used, so this is the preferred method to back up your policies for easy restoral.
  46. So let’s walk through using the PowerShell module to export our Farm policies. Here we have our PowerShell cmd prompt up, and we’re in the directory where we’ve copied the PowerShell module to. Then we issue the Import-Module command. Once loaded, we can use Get-Command on the module to see the available functions. We can also use the Get-Help command on any of these functions for more details. Not only can you import or export policy settings, but you can modify or create them as well. Be sure to have a backup of your existing policies before modifying your policies.
  47. Then we run the command to export the farm policies to a specific folder. Once that completes, you should have these files in the folder specified.
  48. When exporting Citrix policies from Active Directory GPOs, there are a few more steps involved. We use the same Citrix PowerShell module and cmdlets. We create a PowerShell drive to the Active Directory GPO. We have all of the steps in this Citrix Support article. In the article we detail how to export settings and how to import settings from AD GPOs.
  49. Next, at some point you might need or be asked to capture a CDF trace of your policy issue, and our latest CDFControl tool is a great way to expedite this process. <CLICK> Here we see that CDFControl already has a built-in trace category for capturing Citrix Group Policy issues. <CLICK> Zooming in, we can capture all modules, or just the CSE or GPMC. If there’s a need to contact Citrix Technical Support, having a clear snapshot of the issue and details involved will expedite the resolution process.
  50. Now, I’m going to move on to two specific issues we’ve seen from time to time related to Group Policy. The first one relates to a farm\IMA policy issue. Has anyone ever seen this error when accessing your Computer or User policies within AppCenter or Studio? With farm policies (not AD), the policy object is stored within the datastore\database as a single entity or blob. This error can occur when the policy object gets corrupted. One possible use case is when multiple people are accessing Citrix policies and making changes at the same time; this use case has been resolved in newer versions of AppCenter\Studio. This error will be seen when you attempt to access either the Computer or User policies node within AppCenter or Studio. Try not to just jump in and restore the datastore\database for this issue, since you may not know when the corruption occurred. If you do see this error, however, please contact Citrix Technical Support for assistance; we have a set of focused steps to help you resolve this issue. When using Farm type policies, it’s important to maintain a policy export; this can be used for easy restoral in cases like this.
  51. The second issue I want to bring up relates to the use of WMI filters on your AD GPOs that contain Citrix policy settings. If you are using WMI filters on your AD GPOs, it’s possible you may see some issues such as: Citrix policies not correct for reconnected sessions, or reconnects\logins taking an extremely long time to complete (especially if the issue seems to resolve itself after a while). In order to debug this further, it’s best to enable Microsoft Group Policy logging. This can be accomplished using this registry value (I have a resource link to a TechNet article on this). This will create a log file here. Look for this entry related to a FilterCheck API call; if it’s returning this error, you are seeing AD time out on the WMI call. You should also scan the event logs for WMI related errors. If any of these are seen, you should contact Microsoft for further assistance. There are several MS hotfixes out there to help with this issue, but the particular events surrounding this need to be reviewed for your specific environment.
  52. Here are the key items we reviewed during today’s presentation.
  53. This section contains references, articles and links to tools that I’ve discussed during the presentation.
  54. Here are links for Group Policy Documentation
  55. Here are links to Citrix Technical Support articles on Group Policy issues and a planning guide
  56. And lastly here are links to tools related to Citrix Group Policy and Microsoft Group Policy.
  57. I’ve shined the light on Citrix Group Policy architecture to help you isolate and troubleshoot Citrix Group Policy issues in your environment. Plus, we reviewed the key points to help prevent Group Policy issues in your environment as well. Thank you for attending my session and enjoy the rest of Synergy. I’ll be out in the hallway for further questions, and come over and see us at the Ask The Experts bar at the main Citrix Booth in Hall C.
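
The cache and connection review described in notes 33 to 40 can be scripted as read-only checks. This is an added PowerShell example, not part of the original session and not a Citrix tool: the function names and the two folder parameters are hypothetical (the notes do not spell out the cache paths), `Get-GPO` comes from Microsoft's GroupPolicy module and needs an account with AD access, and judging staleness by file last-write time is an assumption.

```powershell
# Added example: read-only checks for the review steps in notes 33-40.
# $CacheRoot and $GpoCacheFolder are placeholders: pass the folders that exist
# on your server/VDA. Nothing here writes to the cache or the registry.

function Test-CitrixGpfPair {
    # The cache root holds the per-computer files; each sub-folder is named
    # for a SessionID and holds that session's per-user files. Every folder
    # should contain both Rsop.gpf and Rollback.gpf.
    param([Parameter(Mandatory)][string]$CacheRoot)

    $folders = @(Get-Item -LiteralPath $CacheRoot) +
               @(Get-ChildItem -LiteralPath $CacheRoot -Directory)
    foreach ($folder in $folders) {
        $names = @(Get-ChildItem -LiteralPath $folder.FullName -File -Filter '*.gpf' |
                   ForEach-Object { $_.Name })
        [pscustomobject]@{
            Folder      = $folder.FullName
            HasRsop     = $names -contains 'Rsop.gpf'       # -contains ignores case
            HasRollback = $names -contains 'Rollback.gpf'
        }
    }
}

function Get-CitrixGpoCacheAge {
    # Cached AD GPOs carry the GPO GUID in the file name (one User file, one
    # Computer file). Look each GUID up in AD and compare modification times.
    param([Parameter(Mandatory)][string]$GpoCacheFolder)

    Import-Module GroupPolicy -ErrorAction Stop
    $guidPattern = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'

    Get-ChildItem -LiteralPath $GpoCacheFolder -File -Filter '*.gpf' |
        Where-Object { $_.Name -match $guidPattern } |
        Group-Object { [regex]::Match($_.Name, $guidPattern).Value.ToLower() } |
        ForEach-Object {
            $group  = $_
            $gpo    = try { Get-GPO -Guid $group.Name -ErrorAction Stop } catch { $null }
            $newest = ($group.Group | Sort-Object LastWriteTime -Descending |
                       Select-Object -First 1).LastWriteTime
            [pscustomobject]@{
                Guid              = $group.Name
                DisplayName       = if ($gpo) { $gpo.DisplayName } else { '<not found in AD>' }
                GpoModified       = if ($gpo) { $gpo.ModificationTime } else { $null }
                NewestCacheWrite  = $newest
                # Assumption: a cache file written before the GPO's last change is stale.
                CacheOlderThanGpo = if ($gpo) {
                    $newest.ToUniversalTime() -lt $gpo.ModificationTime.ToUniversalTime()
                } else { $null }
            }
        }
}

function Get-CitrixSessionConnection {
    # Dumps every value under ...\ICA\Session\<SessionID>\Connection so the
    # client name and address can be compared with the policy filters in use.
    param([int[]]$SessionId)

    $root = 'HKLM:\Software\Citrix\ICA\Session'
    $keys = Get-ChildItem -LiteralPath $root -ErrorAction Stop |
            Where-Object { $_.PSChildName -match '^\d+$' }
    if ($PSBoundParameters.ContainsKey('SessionId')) {
        $keys = $keys | Where-Object { $SessionId -contains [int]$_.PSChildName }
    }
    foreach ($key in $keys) {
        $conn = "$root\$($key.PSChildName)\Connection"
        if (-not (Test-Path -LiteralPath $conn)) { continue }
        (Get-ItemProperty -LiteralPath $conn).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |   # drop provider metadata
            ForEach-Object {
                [pscustomobject]@{
                    SessionId = [int]$key.PSChildName
                    Name      = $_.Name
                    Value     = $_.Value
                }
            }
    }
}

# Usage (folder paths are placeholders):
# Test-CitrixGpfPair -CacheRoot '<RSOP cache folder>' | Where-Object { -not ($_.HasRsop -and $_.HasRollback) }
# Get-CitrixGpoCacheAge -GpoCacheFolder '<GPO cache folder>' | Where-Object CacheOlderThanGpo
# Get-CitrixSessionConnection -SessionId 2
```

A folder missing either file, or a GUID flagged as older than its GPO, is a starting point for `gpupdate /force` and an Event Viewer review, not a reason to edit the cache by hand.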