NOTICE :. Since WordPress is displayed corrupting the PowerShell code, you can download all the PowerShell samples here
One of the common errors that you may encounter during your XenDesktop deployment are ADV that are stuck in an unregistered state - if you have a look at the support forums, you can find a lot of questions about this issue
There are different reasons why people write blog. - Sometimes you want to share new information, sometimes you just want to share information with partners and customers and sometimes you use your blog to summarize ideas and make your life easier when you have the same problem in the future.
Our brains have limited capacity - at least mine did. I tend to forget things that I do not consider important, especially if I know I can easily Google if necessary. In this case, I decided to write this article to store everything about the Brokering troubleshooting in one place, so when I'm stuck next time, I know where to look for the right answer! J
The registration process is the communication between the controller (DDC) and the worker (VDA), where VDA must register including DDC to become available to end users.
You want to minimize interference here -what I usually do is I create 1: 1 relationship - VDA point only single SDC SDC is communicated only with the only VDA. Also, I tend to place two virtual machines (when SDC is virtualized) on a single hypervisor host and use the same VLAN
process is very simple how you can force the registration process. - All you have to do is to treat "Desktop Service Citrix" (VDA) restart Using this method, you can easily confirm your changes
The most common problems
.. 1.) firewall Configuration
This means not only integrated in Windows firewall but a firewall on the way. the simplest method to validate is telnet on port 80 (8080 if you are using XenDesktop 4) - VDA -> SDC SDC - ..> VDA
2) DNS configured incorrectly
Very common problem - you need not only before, but also reverse DNS lookups to function properly perform ping and ipconfig compare against -.. and then try nslookup queries you can also try running the .NET code to avoid any additional logic added by nslookup
[ System.Net.Dns ] :: GetHostEntry (). HostName
3.) time synchronization configured incorrectly
Since Kerberos is used, the time synchronization is very important (by setting Kerberos default is maximum 5 minutes difference). W32tm utility is the key here or you can use Powershell:
$ LocalTime = ([ wmi ] '' ). ConvertToDateTime (( Get-WmiObject -query " select LocalDateTime Win32_OperatingSystem " .) LocalDateTime)
The beauty of this method is that you get an instance of [DateTime] object - and guess what, you can easily compare two [DateTime] objects to get [TimeSpan] object
PS C: > $ remotetime - $ LocalTime
Days: 0
Hours: 0
Minutes: 1
seconds: 17
Milliseconds 182
ticks: 771 820 000
TotalDays: 0.000893310185185185
TotalHours: 0.0214394444444444
totalminutes: 1.28636666666667
TotalSeconds: 77.182
TotalMilliseconds: 77182
long story short - this code should show you the drift time between two servers:
$ Server1 = " ". ; $ Server2 = "" [ datetime ] $ Server1DT = $ (([ wmi ] '' ). ConvertToDateTime (( Get-WmiObject -Computer $ Server1 -query " select LocalDateTime in32_OperatingSystem of " ). LocalDateTime) [ datetime ] $ Server2DT = ([ wmi ] '' ). ConvertToDateTime (( Get-WmiObject -Computer $ Server2 -query " select LocalDateTime Win32_OperatingSystem " ) LocalDateTime)) $ ( $ Server1DT -. $ Server2DT ) TotalSeconds
code is quick and dirty -. This is something I usually build in the interactive console, I just wanted to share the idea with you. The result is the time difference between two servers (in seconds). Be aware that it can be both positive and negative number -. Focusing only on the total number
4) domain membership issues
Sometimes there may be a problem with the domain membership. - I've never seen that before, so it just added to the list is complete.
5.) multiple NICs
Again, I've never known this (I usually use only one NIC for ADV) -. multiple cards can cause the negotiations to fail
6) Main Service Names (SPN)
SPN are very important during the VDA registration process. - You can run into several problems with SPN. Controller will have a look at the subject of the VDA AD and automatically determine SPN by inspecting servicePrincipalName attribute
process is pretty simple how to check the SPN registration - just run the following commands :.
SetSPN - l
For both computers, you should see 2 entries -. must be "HOST / ComputerName" and the second should be "HOST / FQDN"
you must also control SetSPN -X - this command will show you all the SPN duplicate records
7) Proper DDC not found
This is err .. quite common, although I have not seen it myself (I usually use group policy Preferences machinery to the list of DDCs set and I use CNAMEs to simplify management). Check your event log (VDA) for the event in 1010 - the event must contain all known controller names - and confirm that all entries are valid. Use these buttons to set your controllers:
HKLM Software Citrix VirtualDesktopAgent ListOfDDCs (32bit VM)
HKLM Software Wow6432Node Citrix VirtualDesktopAgent ListOfDDCs (64bit VM)
DDCs are defined as strings (FQDN) with spaces to separate.
8.) "Access this computer from the network" rights
By default, this should work, but if your environment is secure, you can run into a problem when the controller can not access VDA. This behavior is described in CTX117449
9) Operation timeout
XenDesktop brokerage is based on Windows Communication Foundation - WCF .. is a technology that is part of the .NET Framework (introduced in .NET Framework 3.0). It is not purpose of this article to explain the inner workings of the WCF, but you need to know the information - WCF uses channels and activities, and these activities (defined by "start" and limits "end "). These activities may have defined timers - such OpenTimeout (how long you are willing to wait when you open the connection), CloseTimeout (how long it should take to eliminate the client proxy) and probably the most timeouts important, and SendTimeout ReceiveTimeout [
what can happen (and it happens) is that your operation may expire - you send a message to the client, but do not receive the response of the allotted time ( timespan - for example for the test communication channel, it is default 0:00:05). The exception details should say the following:
unhandled exception: System.TimeoutException: Opening operation has not finished within the allotted time of 0:00:05 . The time allotted to this operation may have been part of a longer period.
What happens very often is that the registration process would succeed - but it would need more time to do it. I recently saw a scenario where server registration takes 4-6 seconds - if the operation the waiting period 2-3 times (> 5 seconds) and then succeed (<5 seconds)
A solution of course. would increase the waiting time - but it is actually just workaround and you should not use it. This question usually means something is wrong with your network - trying to capture a trace of wireshark to see what happens. The most important part of troubleshooting here is to check the WCF traces to see when the message was sent and when it was received (more on that later).
10.) MTU fragmentation
I have seen this behavior many times - the MTU size is not the default 1500, therefore packet must be fragmented and they are marked with the flag DF (do not fragment, drop the package instead)
I created small script to automatically check this value and display:
Function GetMaxMTU {
Settings (
[ string ] $ address = $ ( Throw " Argument is -Address necessary " ),
[ int ] $ MTU = 1472
)
boolean ] $ PingOK = $ False
[ int ] $ Step = 1
Do {
$ PingOutput = Ping -n 1 -l $ MTU -f $ address
If ( $ PingOutput -like " * Sent = 1 received = 1 * " ) {
Write-Host -ForegroundColor Green " $ MTU size MTU does not need to be fragmented "
$ PingOK = $ True
} Else {
Write-Host " $ MTU MTU is too high (or target is unreachable, the increase in MTU size "
$ MTU = $ MTU - $ Step
}
} Up ( $ PingOK eq $ True )
}
As you can see, I use Ping with -l
If you use a hypervisor, you could consider temporarily remove a virtual router that you use.
10.) Telnet connection
You should be able to telnet worker controller (port 80) and also the worker to the controller (also port 80).
basic troubleshooting
When you start troubleshooting, there are two simple methods you can use (for a start). The first is wonderful tool called XDPing our support - you can download it here
Another very important source of information (as usual) your event log .. During the initial troubleshooting, I prefer always use "administrative events" custom view - this view will show only critical error and the type of warning messages, so you can quickly see what is wrong:
Intermediate troubleshooting
if the very basic troubleshooting methods (XDPing entries and event logs) reveals nothing. The next step is to enable logging for two controller (Broker) and VDA (Workstation).
Since XenDesktop is based on the .NET Framework, you need to modify .config file to enable logging. This is described in the article on the basis of knowledge CTX127492 -. You must enable it for Service Broker (SDC) and Workstation Agent (VDA)
It is important to keep in mind that the brokerage is multi-threaded - which means that the log file, you can see the log entries from multiple threads. Some knowledge of the brokerage workflow is necessary here (TIP: Citrix Consulting knows a lot about brokeringJ). To start, I usually use this simple script to check the run times:
Settings ([ string ] $ LogFile , [ string ] $ Filter = " * " , [ timespan ] $ Threshold = " 0:00:01 " ) $ LogContent = like $ LogFile | where { $ _ -as $ Filter } [ timespan ] $ StartTime = $ LogContent [0] .split () [1] timespan ] $ EndTime = $ LogContent [0] .split () [1] [ string ] $ lastLine = "" ForEach ( $ Line in $ LogContent ) { If ( $ Line .split () [1] .Length eq 13 ) { $ EndTime = $ Line .split () [1] If ( $ EndTime - $ StartTime -ge $ Threshold ) { Write - Host -nonewline $ (( $ EndTime - $ StartTime ). TotalSeconds) Write-Host " $ lastLine " } $ StartTime = $ EndTime $ lastLine = $ Line . remove ( 0 25 )}}
In the output, you can see all operations which have had more than 1 second (Nveau argument). I usually keep a diary recording somewhere example, if I were to confirm that the time is correct. As mentioned above, this method is 100% reliable because messages can come from different threads, but it is how fast method to take a look at what is going on so long.
Expert Troubleshooting
now, things get more interesting - we finally get the help of experts
If you know a lot about XenDesktop and WCF you can skip the basic steps and immediate troubleshooting and just the expert. Troubleshooting - but it requires a lot of skill - you have been warned! J
Since the brokerage is based on WCF (WCF and .NET Framework subset), you can actually use some tools that are used to troubleshoot .NET. In this case, we will use "Microsoft Service Trace Viewer" (SvcTraceViewer.exe) Microsoft, nice and easy to use GUI for troubleshooting applications that are based on WCF.
SvcTraceViewer is part of Windows SDK., So you have to download the full SDK (as far as I know)
In a next step, we need to enable tracing for DDC and VDA - again, we'll use the same files as before .exe.config (Broker and Workstation). Just add the following lines under
accordingly, Traces.svclog file is automatically created in the subfolder C: XDLogs (feel free to change it). Now when you open the log file, you can see below:
looks scary, but it is not as complicated as it seems. On the right side you can see the activities as well as their names, number of tracks, duration and start end times.
Errors and failed activities are highlighted in red, as you can see below, it is easy enough to identify:
In this case, I can already guess that the problem is caused by timeout (duration - 5 seconds and default timeout for establishing a secure session)
reading is fairly possible, but not as easy to navigate. - Then what we do is that you click on the business failed and press the "F4" key
F4 automatically switch to (in this case "Establishing secure session.") graph view, where it is much easier to see what's happening, when and why it fails.
Usually, the error message you see is just notification timeout, so all you have to do is choose the step that was performed before. Very important in recording is the identity of end point - all you have to do to identify it is to choose the stage:
[1945042"IdentitywasdeterminedforaEndpointReference"]
You should see the entry specifying what SPN is used and IP address.
A more advanced method is to use network traces (my favorite tool is still WireShark). Here, my recommendation is to take 3 different tracks :.
1) Windows <-> window
2.) VIF <-> VIVID (virtual NIC)
3.) PIF <-> PIF (physical NIC)
you can skip the second stage most of the time. If you compare the traces from Windows with the trace of PIF, you can detect if your hypervisor could be the cause of problems (the network stack) or if it is really something out of your reach and you must assign the ticket Assistance networking active directory team instead.
Zugec Martin
0 Komentar