May 2017 « rakhesh.com

Sad times…

Posted: May 27th, 2017 | Category: Musings | §

My father in law passed away yesterday morning. It wasn’t unexpected. He was unwell and suffering for over 3 long years, so I am glad he’s finally managed to move on. Of course I wish he didn’t have to have the disease (cancer) or suffer in the first place; but given the fact that he was going through pain I can’t even begin to imagine and the humiliation of hospital visits and your body no longer being yours, I am happy he has moved on.

Death is a shitty thing though for the people you leave behind.

His wife has been sad and crying since then. Obviously. She’s going to miss him and whatever us children do it’s not going to replace him or her relationship to him. But more than all that, what saddens me is the constant throng of people and relatives. I guess it’s just me and my introvert nature – I can’t imagine what I’d do if I were in pain such as this and had people around me. I would be able to be myself around them, and I’d just hate having so many people around.

Well actually, I can’t even imagine what sort of pain I’d be in. I don’t get close to people, and even the ones I do get close to haven’t really resulted in any deep inseparable bond sort of thing. (Again, just me I guess. I aim of this “ideal” in relationships and how I am. I dream of an abstract but intense relationship. Reality doesn’t work that way so I don’t know how I would even react to the loss of any loved on).

Sitting here in Kerala, one it’s so boring; and two, I can’t help think that all this “process” is just holding everyone back. Today is day 2 but we are all still stuck in day 1. (By “we” I mean his wife and daughter etc – people with feelings). We are waiting for the son to arrive before the last rites can commence. He is due to arrive today night, so all that stuff will begin tomm morning. And that’s a ritual in itself. First his body will be brought from the cold freezer in the hospital. Then there’s a whole bunch of rituals to be done by son & daughter & other interested parties, after which the body will be cremated. During all this time there’ll be people and relatives – oh so many people! After cremation there’s more rites I think, but I am not sure. Then some 5 days later (or maybe it’s 3 coz I am not sure if they start counting from the day of death which was yesterday) there’s some more rites. Then we have to put his ashes and remains in a river somewhere. Then a few more days later (the whole thing ends in abt 11-12 days) there’s some more rites and rituals. And with that everyone is able to move on… I think.

The thing that strikes me is how we are all just holding on to him. I don’t know why, it feels so unreal to me. Like why do we ‘need’ to do all this to remember someone? A loved on dies, it’s a private thing. Let that person go – the body at least – and then mourn in private or with friends and relatives, and try to just move on. I am not saying forget the person, but just move on. Try to get on with life. Incorporate that person into your life, make him or her a part of you/ your memories/ your base, and then just get on with it. Spending 12 days in rituals (I am speaking of Kerala Hindus by the way, specifically the community of my in-laws, things could vary for others) holding on to the one who is no more, crying, remembering, mourning… it just feels so impractical or negative.

Right now for instance, we had to remove all the furniture from the main room because tomm morning that’s where the body will be kept. His wife burst into tears seeing that. I empathize with her. It is a sad sight – seeing things removed off your house (“their” house, their furniture, their dreams and reality) to place to dead body of your loved one in its place. It’s heart wrenching. And it leaves your last memory of everything in a bad place. Your last memory of your loved one is all this – not just pleasant ones if your time with him.

And now I have a relative trying to socialize with me so I have to abruptly stop this flow of thoughts. Bah!

Never mind he’s left. :)

My wife’s sad that she will have to do last rites tomm as she doesn’t want the last image of her father to be him in this dead state all skinny and lifeless. I get that. When I am dead I wouldn’t want anyone’s memories of me being my lifeless body or this sad state. Yes I would want them to miss me. Every day. Think of me, miss me, terribly miss me in fact – but I would still want them to be able to live life as usual and I would want their memories of me to be the good and bad times we had together, not a corrupted image of me lifeless with nothing more of “me” in it. And I would definitely want them to move past my physical body. That’s not me any more. That’s just what I was. Now I live on inside you, as part of you. Keep me alive that way instead of feeling sad that I am not physically around any more. If I love you I wouldn’t want you to be sad, and definitely not on my accord.

Anyways. Death is a shitty business. And I have to go through the motions for the next 11-12 days. Definitely not looking forward to it.

I didn’t know my father in law much though. He was a good person though and I’d like to think we respected each other. We didn’t speak much. I am an introvert and prefer reading a book or watching a movie instead of interacting with people. He was an introvert too, lost in his books and farming and teaching etc (to be honest I don’t know what else as I wasn’t too close to him). But he was a good person. A person filled with morals and all that good sort of stuff. He cared for his kids and family, wanted the best for them, secure their future, try and do what he could. Most of all I think he was a very simple person. You know he is wasn’t cunning or wily and that whatever he said or did was simple and from his heart. That’s probably *the* quality of his that I admire and remember most. It’s rare to come across people whose actions and words reflect their inner thoughts. Most people (myself included) aren’t simple. He was.

Someone needs to arrange lamps now for tomm’s ceremonies. I guess that’s one good thing of having people around. You can ask someone to help out as everyone’s there to help out. I would rather not having people or rituals, but considering you are stuck with both it’s good to know that both work out for each other. Your role (as family) is mainly to participate in everything – rituals and socializing.

Had to go socializing again now. Someone I have no idea of has come to visit. So go through the usual motions of hi hello and receive condolences etc. And then they sit and stare into the emptiness for a while and you to do the same (except in this case I am bored now and typing this post!). That’s a very funny thing about this business. Everyone just sitting around staring into the emptiness. I know why we do it – it’s to express sadness. Wouldn’t make sense to have a loud conversation or chit chat, so best is to just stare into the ether with a sad look.

I think it’s time to stop blogging. More visitors coming in. More socializing to do. More staring. Sigh.

PVS Steps

Posted: May 25th, 2017 | Tags: mcs, pvs, xendesktop | Category: Citrix | §

I need a central place/ post where I can write down (and keep adding) the steps required for a PVS image. Consider this as a continuation to a previous post. So here goes:

Install the OS.
Install Updates and Device Drivers; including integration tools such as VMware Tools, XenServer Tools, etc.
Install any applications & VDA. (No shutdown or domain join at this point – but you could domain join if needed, just don’t reuse that name later in the catalog)
Install the Target Device software (this is the Provisioning Services target device software).
Launch the imaging wizard. (No need for snapshots as we are capturing to a new vDisk)
1. The wizard will ask for a Target Device name. This can be different from the name of the machine/ VM. This is a PVS representation of the device.
2. Give a vDisk name too.
3. Upon creation this vDisk will be in private mode – which means only 1 machine can boot off it, and the disk is read/write.
Power off the VM.
1. If this VM will be used as the Master Target Device going forward, delete or remove the original hard disk. And go to the device object in PVS and change the “Boot from” to vDisk.
2. Alternatively: If this VM will not be used as the Master Target Device, create a new VM (maybe give it the same name as the Master Target Device in PVS) and put its MAC address to the Master Target Device in PVS. Also change the “Boot from” to vDisk.
3. Note: If the “Boot from” is not changed to vDisk the VM will try to boot from the local disk and fail if it’s not present.
Power on the VM. It will boot from the vDisk now (which is still in private mode). Make any more changes if required. Example domain join and add more applications etc. Whatever changes we make now will be written to the vDisk.
When everything is finalized power off the VM.
Convert the vDisk to standard mode. This means multiple machines can boot off it and the disk is read only (the writes will be made to a write-cache disk).
1. Note: the VM must be powered off to be able to change the disk type. There has to be no connections to the vDisk.
Now create a template based on the hardware specs you want for your VMs. Memory, CPU, etc. This template won’t have any storage. It will network boot.
From PVS console launch the XenDesktop Setup wizard. At one point it will ask for the template & vDisk we created above.
1. Quick note on the disk options.
2. With MCS we had the option of choosing random or static. Within random we had the option of using RAM as a cache. And within static we had the option of (a) using a personal vDisk or (b) a dedicated VM or (c) discarding changes.
3. With PVS our options are again random or static. No sub-options within random (i.e. no RAM cache etc). And within static the only options are (a) personal vDisk or (b) discard changes.
That’s all. New VMs will be created that can stream from the above vDisk. And AD accounts will be created for them.

Pool Machine booting up … :)

Migrating VMkernel port from Standard to Distributed Switch fails

Posted: May 24th, 2017 | Tags: distributed switch, esxcli, esxi, networking, standard switch, vds, vmware | Category: Virtualization | §

I am putting a link to the official VMware documentation on this as I Googled it just to confirm to myself I am not doing anything wrong! What I need to do is migrate the physical NICs and Management/ VM Network VMkernel NIC from a standard switch to a distributed switch. Process is simple and straight-forward, and one that I have done numerous times; yet it fails for me now!

Here’s a copy paste from the documentation:

Navigate to Home > Inventory > Networking.
Right-click the dVswitch.
If the host is already added to the dVswitch, click Manage Hosts, else Click Add Host.
Select the host(s), click Next.
Select the physical adapters ( vmnic) to use for the vmkernel, click Next.
Select the Virtual adapter ( vmk) to migrate and click Destination port group field. For each adapter, select the correct port group from dropdown, Click Next.
Click Next to omit virtual machine networking migration.
Click Finish after reviewing the new vmkernel and Uplink assignment.
The wizard and the job completes moving both the vmk interface and the vmnic to the dVswitch.

Basically add physical NICs to the distributed switch & migrate vmk NICs as part of the process. For good measure I usually migrate only one physical NIC from the standard switch to the distributed switch, and then separately migrate the vmk NICs.

Here’s what happens when I am doing the above now. (Note: now. I never had an issue with this earlier. Am guessing it must be some bug in a newer 5.5 update, or something’s wrong in the underlying network at my firm. I don’t think it’s the networking coz I got my network admins to take a look, and I tested that all NICs on the host have connectivity to the outside world (did this by making each NIC the active one and disabling the others)).

First it’s stuck in progress:

And then vCenter cannot see the host any more:

Oddly I can still ping the host on the vmk NIC IP address. However I can’t SSH into it, so the Management bits are what seem to be down. The host has connectivity to the outside world because it passes the Management network tests from DCUI (which I can connect to via iLO). I restarted the Management agents too, but nope – cannot SSH or get vCenter to see the host. Something in the migration step breaks things. Only solution is to reboot and then vCenter can see the host.

Here’s what I did to workaround anyways.

First I moved one physical NIC to the distributed switch.

Then I created a new management portgroup and VMkernel NIC on that for management traffic. Assigned it a temporary IP.

Next I opened a console to the host. Here’s the current config on the host:

~ # esxcli network ip interface ipv4 get
Name  IPv4 Address  IPv4 Netmask   IPv4 Broadcast  Address Type  DHCP DNS
----  ------------  -------------  --------------  ------------  --------
vmk0  10.xxx.xx.30  255.255.255.0  10.xxx.xx.255   STATIC           false
vmk1  10.xxx.xx.24  255.255.255.0  10.xxx.xx.255   STATIC           false
vmk2  10.xxx.xx.25  255.255.255.0  10.xxx.xx.255   STATIC           false
vmk3  1.1.1.1       255.255.255.0  1.1.1.255       STATIC           false
vmk4  10.xxx.xx.23  255.255.255.0  10.xxx.xx.255   STATIC           false

~ # esxcli network ip interface ipv4 get

Name IPv4 Address IPv4 Netmask IPv4 Broadcast Address Type DHCP DNS

---- ------------ ------------- -------------- ------------ --------

vmk0 10.xxx.xx.30 255.255.255.0 10.xxx.xx.255 STATIC false

vmk1 10.xxx.xx.24 255.255.255.0 10.xxx.xx.255 STATIC false

vmk2 10.xxx.xx.25 255.255.255.0 10.xxx.xx.255 STATIC false

vmk3 1.1.1.1 255.255.255.0 1.1.1.255 STATIC false

vmk4 10.xxx.xx.23 255.255.255.0 10.xxx.xx.255 STATIC false

The interface vmk0 (or its IPv4 address rather) is what I wanted to migrate. The interface vmk4 is what I created temporarily.

~~I now removed the IPv4 address of the existing vmk NIC and assigned that to the new one. Also, confirmed the changes just to be sure.~~ As soon as I did so vCenter picked up the changes. I then tried to move the remaining physical NIC over to the distributed switch, but that failed. Gave an error that the existing connection was forcibly closed by the host. So I rebooted the host. Post-reboot I found that the host now thought it had no IP, even though it was responding to the old IP via the new vmk. So this approach was a no-go (but still leaving it here as a reminder to myself that this does not work).

I now migrated vmk0 from the standard switch to the distributed switch. As before, this will fail – vCenter will lose connectivity to the ESX host. But that’s why I have a console open. As expected the output of esxcli network ip interface list shows me that vmk0 hasn’t moved to the distributed switch:

So now I go ahead and remove the IPv4 address of vmk0 and assign that to vmk4 (the new one). Also confirmed the changes.

~ # esxcli network ip interface ipv4 set -i vmk0 -t none
~ # esxcli network ip interface ipv4 set -i vmk4 -I 10.xxx.xx.30 -N 255.255.255.0 -t static
~ # esxcli network ip interface ipv4 get

~ # esxcli network ip interface ipv4 set -i vmk0 -t none

~ # esxcli network ip interface ipv4 set -i vmk4 -I 10.xxx.xx.30 -N 255.255.255.0 -t static

~ # esxcli network ip interface ipv4 get

Next I rebooted (reboot) the host, and via the CLI I removed vmk0 (for some reason the GUI showed both vmk0 and vmk4 with the same IP I assigned above).

~ # esxcli network ip interface remove --interface-name vmk0

1	~ # esxcli network ip interface remove --interface-name vmk0

Reboot again!

Post-reboot I can go back to the GUI and move the remaining physical NIC over to the distributed switch. :) Yay!

Certificates, Subject Alternative Names, etc.

Posted: May 23rd, 2017 | Tags: certificate authority, certificates, subject alternative names | Category: Infrastructure, Windows | §

I had encountered this in my testlab but never bothered much coz it was just my testlab after all. But now I am dabbling with certificates at work and hit upon the same issue.

The issue is that if I create a certificate for mymachine.fqdn but I visit the machine at just mymachine, then I get an error. So how can I tell the certificate that the shorter name (and any other aliases I may have) are also valid? Turns out you need to use the Subject Alternative Name (SAN) field for that!

You can’t add a SAN field to an existing certificate. Got to create a new one. In my case I had simply requested a domain certificate from my IIS server and that doesn’t give any option to specify the SAN.

Instructions for creating a new certificate with SAN field are here and here. The latter has screenshots, so check that out first. In my case, at the step where I select “Web Server” I wasn’t getting “Web Server” as an option. I was only getting “Computer”. Looking into this, I realized it’s coz of the permissions difference. The “Web Server” template only has Domain Admins and Enterprise Admins in its ACLs, while the “Computer” template had Domain Computers too with “Enrol” rights. The fix is simple – go the Manage Templates and change the ACL of “Web Server” accordingly. (You could also use ADSI Edit and edit the ACL in the Configuration section).

[Aside] NetScaler – CLI Networking

Posted: May 21st, 2017 | Tags: netscaler | Category: Asides, Citrix | §

Just putting these two here as a reference to myself (no idea why coz I am sure I’ll just Google and find them later when I need to :p)

# setting IP
set ns config [-IPAddress <ip_addr> -netmask <netmask>]

# view IP
show ns config

# adding route
add route <network> <netmask> <gateway>[-cost <positive_integer>] [-advertise ( DISABLED | ENABLED )]

# show route
show route [<network> <netmask> [<gateway>]] [<routeType>] [-detail]

# remove route
rm route <network> <netmask> <gateway>

# setting IP

set ns config [-IPAddress <ip_addr> -netmask <netmask>]

# view IP

show ns config

# adding route

add route <network> <netmask> <gateway>[-cost <positive_integer>] [-advertise ( DISABLED | ENABLED )]

# show route

show route [<network> <netmask> [<gateway>]] [<routeType>] [-detail]

# remove route

rm route <network> <netmask> <gateway>

As an aside (to this aside):

The NetScaler config is stored as ns.conf at /nsconfig.
Older versions have a .0, .1, .2, etc suffixed to the filename.
Backups are stored in /var/ns_sys_backup.
More info on backups etc.

[Aside] Useful CA/ Certificates info

Posted: May 18th, 2017 | Tags: CA, certificate authority, certificates | Category: Asides, Infrastructure, Windows | §

Obtaining a certificate on Windows Server without IIS
CA Web Enrollment
Determining the type of CA (standalone or AD integrated)
- Another option is certutil -CAinfo – look for CAType.
Difference between Standalone and Enterprise (AD integrated) CA. In case of Enterprise CA:
- Cert is automatically pushed out to all machines.
- Configuration is stored in AD: CN=Public Key Services,CN=Services,CN=Configuration,DC=mydomain.
- CAs and their certs can be found via AD itself: CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=mydomain.
- Requesting a new cert is easy (IIS for instance has an option to request domain certificate). Plus renewal happens automatically.
- Can define templates, which are stored in AD itself, and can be used to create new certs.
- Can archive the private key in AD?

Notes on Master Image Preparation (PVS & MCS)

Posted: May 17th, 2017 | Tags: master image, mcs, pvs | Category: Citrix | §

Reading some links on creating a Master Image; here’s notes to myself regarding that. These are the links I refer to:

Preparing a Master Target Device for Imaging
Prepare a Master Image
- This one says not to use Sysprep for the master image but my course docs say otherwise … Anyways, no sysprep for MCS seems to be the general advise. So I am going to assume no sysprep for either.

Note these are very rough/ brief. These really are rough notes to myself as I am trying to make organize my mind.

In case of PVS: Master Target Device – this is the VM whose image is used to create a virtual hard disk (vDisk). This vDisk is what PVS uses to stream to its VMs.

Unlike MCS, the Master Target Device does not have to be a VM. PVS works against both VMs and physical machines. It does not care about the compute; all it does is look at the machine and create a vDisk by capturing its contents. You network boot into the machine you want to capture, and PVS creates an image by streaming its contents to the PVS server to create a vDisk.

The Master Target Device or its disk can be removed after vDisk creation.

Here’s my understanding of the order in which to do stuff:

1. Install the OS

2. Install Updates and Device Drivers; including integration tools such as VMware Tools, XenServer Tools, etc.

In case of MCS:

3. Install any applications (optional) & VDA & domain join (optional) & shutdown the machine.

4. Add it to MCS to create a catalog. Recommended that we take a snapshot and point MCS to this snapshot. Else MCS will make its own snapshot (and we can’t change the snapshot name).

In the case of PVS:

3. Install any applications & VDA. (No shutdown!) (No domain join!)

4. Install the Target Device software (this is the Provisioning Services target device software).

5. Launch the imaging wizard. (No need for snapshots either as we are capturing it to a new vDisk).

5a. Note: The Target Device name can be different from the name of the machine/ VM.

6. After the vDisk is created we use a VM (existing or new one) to network boot and use this vDisk. Then we can domain join etc. PVS has a lot more steps. Check out http://www.carlstalhood.com/pvs-master-device-convert-to-vdisk/.

Update: I have a post that goes into more detail with PVS.

Components of the Provisioning Services target device software include an imaging wizard to capture the image, a NIC filter driver used for streaming images from the PVS server to the target devices (remember: the target device software is not used only for capturing the image – i.e. the master target device, but also by the target devices after an OS is loaded), a virtual disk to store the OS and applications (again, used by the target devices). There’s also a system tray utility.

Notes on ADFS Certificates

Posted: May 17th, 2017 | Tags: active directory, ADFS, certificates | Category: Infrastructure | §

Was trying to wrap my head around ADFS and Certificates today morning. Before I close all my links etc I thought I should make a note of them here. Whatever I say below is more or less based on these links (plus my understanding):

There are three types of certificates in ADFS.

The “Service communications” certificate is also referred to as “SSL certification” or “Server Authentication Certificate”. This is the certificate of the ADFS server/ service itself.

If there’s a farm of ADFS servers, each must have the same certificate.
We have the private key too for this certificate and can export it if this needs to be added to other ADFS servers in the farm.
The Subject Name must contain the federation service name.
This is the certificate that end users will encounter when they are redirected to the ADFS page to sign-on, so this must be a public CA issued certificate.

The “Token-signing” certificate is the crucial one.

This is the certificate used by the ADFS server to sign SAML tokens.
We have the private key too this certificate too but it cannot be exported. There’s no option in the GUI to export the private key. What we can do is export the public key/ certificate.
- ADFS servers in a farm can share the private key.
- If the certificate is from a public or enterprise CA, however, then the key can be exported (I think).
The exported public certificate is usually loaded on the service provider (or relying party; basically the service where we can authenticate using our ADFS). They use it to verify our signature.
The ADFS server signs tokens using this certificate (i.e. uses its private key to encrypt the token or a hash of the token – am not sure). The service provider using the ADFS server for authentication can verify the signature via the public certificate (i.e. decrypt the token or its hash using the public key and thus verify that it was signed by the ADFS server). This doesn’t provide any protection against anyone viewing the SAML tokens (as it can be decrypted with the public key) but does provide protection against any tampering (and verifies that the ADFS server has signed it).
This can be a self-signed certificate. Or from enterprise or public CA.
- By default this certificate expires 1 year after the ADFS server was setup. A new certificate will be automatically generated 20 days prior to expiration. This new certificate will be promoted to primary 15 days prior to expiration.
- This auto-renewal can be disabled. PowerShell cmdlet (Get-AdfsProperties).AutoCertificateRollover tells you current setting.
- The lifetime of the certificate can be changed to 10 years to avoid this yearly renewal.
- No need to worry about this on the WAP server.
- There can be multiple such certificates on an ADFS server. By default all certificates in the list are published, but only the primary one is used for signing.

The “Token-decrypting” certificate.

This one’s a bit confusing to me. Mainly coz I haven’t used it in practice I think.
This is the certificate used if a service provider wants to send us encrypted SAML tokens.
- Take note: 1) Sending us. 2) Not signed; encrypted.
As with “Token-signing” we export the public part of this certificate, upload it with the 3rd party, and they can use that to encrypt and send us tokens. Since only we have the private key, no one can decrypt en route.
This can be a self-signed certificate.
- Same renewal rules etc. as the “Token-signing” certificate.
Important thing to remember (as it confused me until I got my head around it): This is not the certificate used by the service provider to send us signed SAML tokens. The certificate for that can be found in the signature tab of that 3rd party’s relaying party trust (see screenshot below).
Another thing to take note of: A different certificate is used if we want to send encrypted info to the 3rd party. This is in the encryption tab of the same screenshot.

So – just to put it all in a table.

Clients accessing ADFS server	Service communications certificate
ADFS server signing data and sending to 3rd party	Token-signing certificate
3rd party encrypting data and sending ADFS server	Token-decrypting certificate
3rd party signing data and sending ADFS server	Certificate in Signature tab of Trust
ADFS server encrypting data and sending to 3rd party	Certificate in Encryption tab of Trust

Update: Linking to a later post of mine on ADFS in general.

Update 2: Modification to the above table, using better terminology.

Clients accessing ADFS server	Service communications certificate
We (Identity Provider STS) signing data and sending to a Relying Party STS	Token-signing certificate
Relying Party STS encrypting data and sending us (Identity Provider STS)	Token-decrypting certificate
[In a trust] Relying Party STS party signing data and sending us (Identity Provider STS)	Certificate in Signature tab of Trust
[In a trust] We (Identity Provider STS) encrypting data and sending to Relying party STS	Certificate in Encryption tab of Trust

[Aside] NetScaler VPX Express limitations etc.

Posted: May 14th, 2017 | Tags: netscaler, vpx | Category: Asides, Citrix | §

Reading about NetScaler VPX as we are looking at implementing VPX Express in our site as part of a POC.

VPX Express is limited to 5 Mbps (as opposed to say 1 Gbps for VPX-1000).
The license is free but you have to keep renewing annually.
The Edition is NetScaler Standard. This and this are two links I found that explain the difference between various editions.
1. tl; dr version: Standard is fine for most uses.
The Gateway part supports 5 concurrent user connections.
You cannot vMotion or XenMotion VPX.
This is an excellent blog post on VPX, MPX, and others. Worth a read.

[Aside] How to Secure an ARM-based Windows Virtual Machine RDP access in Azure

Posted: May 14th, 2017 | Tags: Azure | Category: Asides, Windows | §

Just putting this here as a bookmark to myself for later. A good post. ⇒

Changing Delivery Controller addresses on VDA

Posted: May 13th, 2017 | Tags: delivery controller, vda | Category: Citrix | §

This weekend the NetScaler gateway on one of our offices failed, rendering the office users unable to connect to their resources. I wanted to repoint all those users to the Delivery Controllers of a different office where the NetScaler was working, and ask users to temporarily connect via that.

I had to two two things basically. 1) Change a registry key to repoint the VDA to the other Delivery Controllers. 2) Restart the VDA service (these machines were running 5.6(!!) so it’s called the Workstation Agent).

# Change the registry key
> reg add \\<computer>\HKLM\Software\Citrix\VirtualDesktopAgent /v ListOfDDCs /t REG_SZ /d "dc01 dc02"
Value ListOfDDCs exists, overwrite(Yes/No)? y

# Stop Service
> sc \\<computer> stop WorkstationAgent

# Start Service (wait a bit before doing this)
> sc \\<computer> start WorkstationAgent

# Change the registry key

> reg add \\<computer>\HKLM\Software\Citrix\VirtualDesktopAgent /v ListOfDDCs /t REG_SZ /d "dc01 dc02"

Value ListOfDDCs exists, overwrite(Yes/No)? y

# Stop Service

> sc \\<computer> stop WorkstationAgent

# Start Service (wait a bit before doing this)

> sc \\<computer> start WorkstationAgent

Brief notes on NetScaler and Citrix StoreFront

Posted: May 13th, 2017 | Tags: netscaler, storefront | Category: Citrix | §

I spent the last two days intermittently trying to set up NetScaler and Citrix StoreFront in my home lab. It was a mixed bag partly due to my nature of just jumping into something and figuring it out as I go along :) but compounded by the fact that while there’s a lot of documentation on the Internet they seem to be either outdated or don’t explain the big picture of what we are trying to achieve. (Or maybe I am just slow in picking it up – wouldn’t put that possibility aside!)

Anyways. Here’s a couple of stuff in no particular order.

This PDF is the official documentation on setting up NetScaler with Citrix StoreFront. It’s a good one – lots of screenshots etc. Page 19 onwards seems to be outdated though with the latest version of NetScaler that I have – 11.1 53.11.

When I started this exercise though I was on a much older version of NetScaler – 10.5 56.22. I started setting up the NetScaler as a gateway (e.g. http://ctxstorefront.myfqdn) to my internal StoreFront servers (http://data01.myfqdn and http://data02.myfqdn), and my steps were more or less along the lines of the PDF above which I discovered later. That wasn’t a success though coz when I’d connect to the NetScaler gateway it gave some errors (I forget what now). Digging into this I realized that the wizard also creates a load balanced virtual server on the NetScaler and that was showing as down. Dug into that a bit and found out that the underlying monitor probes to the two StoreFronts were failing. If I separately created services representing my StoreFronts and attach the same monitor (basically, a monitor of type STOREFRONT, with the correct StoreName etc) it fails.

That was good to know coz I learnt a bit about the monitor probes. :) I found the following in my NetScaler logs:

root@ns105# nsconmsg -K /var/nslog/newnslog -d event
...

 2991    15 PPE-0 MonServiceBinding_10.10.1.12:443_(STF-HTTPS)(DATA02-STF): DOWN; Last response: Failure - Probe failed. Fri May 12 08:04:17 2017
 2992     0 PPE-0 'server_svc_cfg_NSSVC_SSL_10.10.1.12:443(DATA02-STF)' DOWN Fri May 12 08:04:17 2017
 2997    29 PPE-0 MonServiceBinding_10.10.1.11:80_(tcp-default)(DATA01-STF-HTTP): UP; Last response: Success - TCP syn+ack received. Fri May 12 08:04:40 2017
 2998     0 PPE-0 'server_svc_cfg_NSSVC_HTTP_10.10.1.11:80(DATA01-STF-HTTP)' UP Fri May 12 08:04:40 2017
 3003    15 PPE-0 MonServiceBinding_10.10.1.11:80_(STF-HTTP)(DATA01-STF-HTTP): DOWN; Last response: Failure - Probe failed. Fri May 12 08:04:59 2017
 3004     0 PPE-0 'server_svc_cfg_NSSVC_HTTP_10.10.1.11:80(DATA01-STF-HTTP)' DOWN Fri May 12 08:04:59 2017
 3005   102 PPE-0 MonServiceBinding_10.10.1.11:80_(STF-HTTP)(DATA01-STF-HTTP): DOWN; Last response: Failure - Probe failed. Fri May 12 08:06:40 2017
 3006    37 PPE-0 MonServiceBinding_10.10.1.11:80_(STF-HTTP)(DATA01-STF-HTTP): DOWN; Last response: Failure - Probe failed. Fri May 12 08:07:13 2017
 3007    44 PPE-0 MonServiceBinding_10.10.1.11:80_(STF-HTTP)(DATA01-STF-HTTP): DOWN; Last response: Failure - Probe failed. Fri May 12 08:07:57 2017

root@ns105# nsconmsg -K /var/nslog/newnslog -d event

...

2991 15 PPE-0 MonServiceBinding_10.10.1.12:443_(STF-HTTPS)(DATA02-STF): DOWN; Last response: Failure - Probe failed. Fri May 12 08:04:17 2017

2992 0 PPE-0 'server_svc_cfg_NSSVC_SSL_10.10.1.12:443(DATA02-STF)' DOWN Fri May 12 08:04:17 2017

2997 29 PPE-0 MonServiceBinding_10.10.1.11:80_(tcp-default)(DATA01-STF-HTTP): UP; Last response: Success - TCP syn+ack received. Fri May 12 08:04:40 2017

2998 0 PPE-0 'server_svc_cfg_NSSVC_HTTP_10.10.1.11:80(DATA01-STF-HTTP)' UP Fri May 12 08:04:40 2017

3003 15 PPE-0 MonServiceBinding_10.10.1.11:80_(STF-HTTP)(DATA01-STF-HTTP): DOWN; Last response: Failure - Probe failed. Fri May 12 08:04:59 2017

3004 0 PPE-0 'server_svc_cfg_NSSVC_HTTP_10.10.1.11:80(DATA01-STF-HTTP)' DOWN Fri May 12 08:04:59 2017

3005 102 PPE-0 MonServiceBinding_10.10.1.11:80_(STF-HTTP)(DATA01-STF-HTTP): DOWN; Last response: Failure - Probe failed. Fri May 12 08:06:40 2017

3006 37 PPE-0 MonServiceBinding_10.10.1.11:80_(STF-HTTP)(DATA01-STF-HTTP): DOWN; Last response: Failure - Probe failed. Fri May 12 08:07:13 2017

3007 44 PPE-0 MonServiceBinding_10.10.1.11:80_(STF-HTTP)(DATA01-STF-HTTP): DOWN; Last response: Failure - Probe failed. Fri May 12 08:07:57 2017

That’s same as what the GUI was telling me but I was additionally able to find what error code was being generated (thanks to this KB article):

root@ns105# tail /var/nslog/nsumond/nsumond.log
Fri May 12 08:20:49 2017: /netscaler/monitors/nssf.pl Script failed. Exit code : 1
Fri May 12 08:20:49 2017: /netscaler/monitors/nssf.pl Exit Reason : (200 OK)
Fri May 12 08:20:54 2017: /netscaler/monitors/nssf.pl Script failed. Exit code : 1
Fri May 12 08:20:54 2017: /netscaler/monitors/nssf.pl Exit Reason : (200 OK)
Fri May 12 08:20:59 2017: /netscaler/monitors/nssf.pl Script failed. Exit code : 1
Fri May 12 08:20:59 2017: /netscaler/monitors/nssf.pl Exit Reason : (200 OK)
Fri May 12 08:21:00 2017: /netscaler/monitors/nssf.pl Script failed. Exit code : 1
Fri May 12 08:21:00 2017: /netscaler/monitors/nssf.pl Exit Reason : (200 OK)
Fri May 12 08:21:00 2017: /netscaler/monitors/nssf.pl Script failed. Exit code : 1
Fri May 12 08:21:00 2017: /netscaler/monitors/nssf.pl Exit Reason : (200 OK)

root@ns105# tail /var/nslog/nsumond/nsumond.log

Fri May 12 08:20:49 2017: /netscaler/monitors/nssf.pl Script failed. Exit code : 1

Fri May 12 08:20:49 2017: /netscaler/monitors/nssf.pl Exit Reason : (200 OK)

Fri May 12 08:20:54 2017: /netscaler/monitors/nssf.pl Script failed. Exit code : 1

Fri May 12 08:20:54 2017: /netscaler/monitors/nssf.pl Exit Reason : (200 OK)

Fri May 12 08:20:59 2017: /netscaler/monitors/nssf.pl Script failed. Exit code : 1

Fri May 12 08:20:59 2017: /netscaler/monitors/nssf.pl Exit Reason : (200 OK)

Fri May 12 08:21:00 2017: /netscaler/monitors/nssf.pl Script failed. Exit code : 1

Fri May 12 08:21:00 2017: /netscaler/monitors/nssf.pl Exit Reason : (200 OK)

Fri May 12 08:21:00 2017: /netscaler/monitors/nssf.pl Script failed. Exit code : 1

Fri May 12 08:21:00 2017: /netscaler/monitors/nssf.pl Exit Reason : (200 OK)

So it runs a Perl script basically. Nice. Went through that script and here’s the relevant section:

#######Discovery#################################
        $url = "$baseurl/Citrix/$store/discovery";
        $request = HTTP::Request->new('GET', $url);
        unless($request){
                $errorcode = "Resources not available to create discovery request";
                goto ERROR;
        }
        $response = $conn->request($request);
        if($response->code( ) != 200){
                $errorcode = $response->status_line;
                goto ERROR;
        }

#######Discovery#################################

$url = "$baseurl/Citrix/$store/discovery";

$request = HTTP::Request->new('GET', $url);

unless($request){

$errorcode = "Resources not available to create discovery request";

goto ERROR;

}

$response = $conn->request($request);

if($response->code( ) != 200){

$errorcode = $response->status_line;

goto ERROR;

}

So it tries to access http(s)://<my delivery controller>/Citrix/<my Store>/discovery and gets a 200 error. Odd that it gets it, because if I try to probe that URL via cURL from NetScaler, I get a 404 error (which is sort of correct; I get a 403 error via IE and that’s the correct one I think):

root@ns105# curl -I http://10.10.1.11:80/Citrix/Store/discovery
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 1919
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
Date: Fri, 12 May 2017 09:14:10 GMT

root@ns105# curl -I http://10.10.1.11:80/Citrix/Store/discovery

HTTP/1.1 404 Not Found

Cache-Control: private

Content-Length: 1919

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/8.5

Date: Fri, 12 May 2017 09:14:10 GMT

Anyhoo, that stumped me for a while until I found forum/ blog post where they said upgrading to a newer version of NetScaler supposedly fixes this. So I went down that route, and yes, it helped.

After upgrading though my UI changed. :)

The new UI is very different. But that’s good I think, coz it forced me think at least on what exactly am I trying to achieve here; and to take a step backward and understand what is going on. So here’s my understanding:

We have StoreFronts. :) That’s the thing you actually connect to.
We can have a group of StoreFronts for High Availability. You can configure each of these independently or you can keep them in sync from the UI itself.
For each StoreFront we need to specify a base URL.
- For a single StoreFront it’s easy – http://data01 or whatever (where data01 is my StoreFront server name in this case).
- But what about when I have a group of StoreFronts? If I am keeping them in sync via the UI itself, the base URL I define on one of them will be pushed out to all. So all my StoreFronts will have a base URL of http://data01 even though they might be called data01, data02, etc. That’s a problem coz all my clients will only connect to the first one as that’s where DNS will point clients to.
To avoid the above situation for multiple StoreFronts we need a common base URL which can be load balanced across all. A regular DNS round-robin situation won’t work coz we also need clients to stick on with whichever StoreFront they connect to, and also some form of monitoring to ignore StoreFronts that are down would be good to. So this is where the NetScaler first comes in!
Create a Virtual Server on the NetScaler that will load balance the various StoreFront services we define on it. Simple stuff – just HTTP or HTTPS services that are load balanced. Add the STOREFRONT type monitor. And a Persistence of type COOKIEINSERT. That’s all. (Oh, and add SSL certs etc if you are using HTTPS).
- I haven’t gone through this link but am putting it here as a reference to my future self – pretty sure I must have missed something when setting up things now. Also, that link goes into some scenarios such as where we do SSL termination at the NetScalers.

What I realized as I thought about this is that this Virtual Server I create above is the main thing. Going by my URLs above, I should have http(s)://ctxstorefront.myqdn load balance among http(s)://data01 and http(s)://data02. Forget about the whole external access stuff for now.

Once I do this and ensure things are working (they do), now I can think about external access. What does the NetScaler need to do there? It doesn’t need to do any load balancing coz that’s already setup; so all it needs to do is provide a VPN gateway sort of service for external clients to connect to! So that means a new Virtual IP on the NetScaler. Create this using the wizard in the “Integrate with Citrix Products” > “XenApp and XenDesktop”. This will basically create a Virtual Server in the NetScaler Gateway section (note: not in the Load Balancing section). As part of configuring, we have to point this Virtual Server to a StoreFront. Here use the Load Balanced StoreFront Virtual Server that we created on the NetScaler above – this is where it all ties in!

I could use the same internal URL for the external access too I guess and use split DNS – not sure, because I do have to specify this on the StoreFronts and I haven’t tried/ thought of any side effects – but in my case I simply decided to go with a different URL for the external access. Specify that for the certificate and Virtual Server etc, add that to DNS, and now I can access the StoreFronts externally too via the NetScaler.

If I were to go to the Virtual Server in the Gateway section there’s no obvious mapping from this one to the internal load balance Virtual Server. But there is. It’s in the policies section. That has a Published Application pointing to the load balanced URL (including the Store name (actually, there’s two policies – one for the Web another for the Receiver, to capture the different names)) so that’s how the traffic flow works. Users hit the gateway, the gateway does the authentication etc and checks its policies, finds one that offers uses the StoreFront published application at such and such URL, and it looks that up (it is with itself) and thus hits the load balanced Virtual Server, and so on …

Finally! I have some idea of how this all ties in together. :)

Scanning for MS17-010

Posted: May 13th, 2017 | Tags: powershell, windows updates, wmi | Category: PowerShell, Windows | §

Was reading about the WannaCrypt attacks. If you have the MS17-010 bulletin patches installed in your estate, you are safe. I wanted to quickly scan our estate to see if the servers are patches with this. Not my job really, but I wanted to do it anyways.

The security bulletin page lists the actual patch numbers for each version of Windows. We only have Server 2008 – 2016 so that’s all I was interested in.

Here’s a list of the Server name, internal version, and the patch they should have.

Server 2008 | 6.0.6002 | KB4012598
Server 2008 R2 | 6.1.7600 | KB4012215 or KB4012212
Server 2012 | 6.2.9200 | KB4012214 or KB4012217
Server 2012 R2 | 6.3.9600 | KB4012213 or KB4012216
Server 2016 | 10.0.14393 | KB4013429

One thing to bear in mind is that it’s possible a server doesn’t have the exact patch installed, but is still not at any risk. That is because since October 2016 Windows patches are cumulative. So if you don’t have the particular March 2017 patch installed, but do have the April 2017 one, you are good to go. The numbers above are from March 2017 – so you will have to update them with patch numbers of subsequent months too to be thorough.

Another thing – I had one server in my entire estate where the patch above was actually installed but turned up as a false positive in my script. Not sure why. I know it isn’t a script issue. For some reason that patch wasn’t being returned as part of the “Win32_QuickFixEngineering” output. Am assuming it wasn’t installed that way on this particular server.

Without further ado, here’s the script I wrote:

Get-ADComputer -SearchBase "OU=Servers,DC=myDomain,DC=com" -Filter * | 
  ?{ Test-Connection $_.Name -Quiet -Count 1 } | 
  %{
    $Computer = $_.Name
    $WinVer = (Get-WmiObject Win32_OperatingSystem -CN $Computer).Version
    
    switch ($WinVer) {
      '6.0.6002' { if ((Get-WmiObject Win32_QuickFixEngineering -CN $Computer -Filter "HotFixID='KB4012598'" | Measure-Object).Count -eq 0) { "$Computer | Server 2008 | Missing KB4012598 "} }
      '6.1.7600' { if ((Get-WmiObject Win32_QuickFixEngineering -CN $Computer -Filter "HotFixID='KB4012215' or HotFixID='KB4012212'" | Measure-Object).Count -eq 0) { "$Computer | Server 2008 R2 | Missing KB4012212 or KB4012215 "} }
      '6.2.9200' { if ((Get-WmiObject Win32_QuickFixEngineering -CN $Computer -Filter "HotFixID='KB4012214' or HotFixID='KB4012217'" | Measure-Object).Count -eq 0) { "$Computer | Server 2012 | Missing KB4012214 or KB4012217 "} }
      '6.3.9600' { if ((Get-WmiObject Win32_QuickFixEngineering -CN $Computer -Filter "HotFixID='KB4012213' or HotFixID='KB4012216'" | Measure-Object).Count -eq 0) { "$Computer | Server 2012 R2 | Missing KB4012213 or KB4012216 "} }
      '10.0.14393' { if ((Get-WmiObject Win32_QuickFixEngineering -CN $Computer -Filter "HotFixID='KB4013429'" | Measure-Object).Count -eq 0) { "$Computer | Server 2016 | Missing KB4013429 "} }
    }
  }

Get-ADComputer -SearchBase "OU=Servers,DC=myDomain,DC=com" -Filter * |

?{ Test-Connection $_.Name -Quiet -Count 1 } |

$Computer = $_.Name

$WinVer = (Get-WmiObject Win32_OperatingSystem -CN $Computer).Version

switch ($WinVer) {

'6.0.6002' { if ((Get-WmiObject Win32_QuickFixEngineering -CN $Computer -Filter "HotFixID='KB4012598'" | Measure-Object).Count -eq 0) { "$Computer | Server 2008 | Missing KB4012598 "} }

'6.1.7600' { if ((Get-WmiObject Win32_QuickFixEngineering -CN $Computer -Filter "HotFixID='KB4012215' or HotFixID='KB4012212'" | Measure-Object).Count -eq 0) { "$Computer | Server 2008 R2 | Missing KB4012212 or KB4012215 "} }

'6.2.9200' { if ((Get-WmiObject Win32_QuickFixEngineering -CN $Computer -Filter "HotFixID='KB4012214' or HotFixID='KB4012217'" | Measure-Object).Count -eq 0) { "$Computer | Server 2012 | Missing KB4012214 or KB4012217 "} }

'6.3.9600' { if ((Get-WmiObject Win32_QuickFixEngineering -CN $Computer -Filter "HotFixID='KB4012213' or HotFixID='KB4012216'" | Measure-Object).Count -eq 0) { "$Computer | Server 2012 R2 | Missing KB4012213 or KB4012216 "} }

'10.0.14393' { if ((Get-WmiObject Win32_QuickFixEngineering -CN $Computer -Filter "HotFixID='KB4013429'" | Measure-Object).Count -eq 0) { "$Computer | Server 2016 | Missing KB4013429 "} }

}

That’s all. Nothing fancy.

PVS Console XenDesktop Setup Wizard crash and timeout

Posted: May 9th, 2017 | Tags: pvs | Category: Citrix | §

If you get the following error when running the “XenDesktop Setup Wizard” from PVS console (and a catalog is created with no machines):

Or you get the following error (and again a catalog is created but no machines):

Or you get neither of these but the PVS Console simply freezes when you click OK/ Next at one of the steps and it throws an error about timeout and being unable to connect to the remote server (sorry no screenshot, forgot to take it when I got the error and now I can’t replicate it) …

The solution is simple! Install the PVS Console on your Delivery Controller server and run the wizard from there. For some reason that seems to do the trick. Thanks to this forum post.

Quickly move DHCP scopes between servers

Posted: May 8th, 2017 | Tags: dhcp, netsh | Category: Windows | §

Wish I had known this earlier. If you want to migrate DHCP servers and have got the two servers setup, run the following on the source server:

netsh dhcp server v4 export c:\dhcpdb all

1	netsh dhcp server v4 export c:\dhcpdb all

And the following on the destination server (the first command is to just connect to the C: drive of the source):

pushd \\sourceDC\c$
netsh dhcp server v4 import \path\to\dhcpdb all

1 2	pushd \\sourceDC\c$ netsh dhcp server v4 import \path\to\dhcpdb all

Amazing!

This only does IPv4 scopes, so replace v4 with v6 for IPv6. And this exports all scopes, so replace “all” with the scopes you want if you want a selected few.

rakhesh.com

Search

Contact

Subscribe via Email

Subscribe via RSS/JSON

Elsewhere

Categories

Recent Posts

Archives