Tuesday, September 18, 2012

Words that start with "F"

Hmmm.... Tuesday morning.... Or is it late Monday night because it's 2am and I'm still up? The IMA Service on my new reversed PVS image is hosed and the only word I can think of is...? Fix, fix, fix it! I may have said a couple other words that started with "F" too that night/morning.

So.... Fixing the IMA Service. Anyone that has ever touched Citrix has had to deal with it. Usually the IMA Service runs for the most part. A few of the main reasons that it fails are:
  • It's Friday night right before you are ready to go out
  • It's Christmas Day and some Executive needs to access his Published Application
  • It's your anniversary with your Wife
  • You have plans to do anything outside of work
The problem that I see most, is that the LHC or Rade Cache gets corrupted and needs to be recreated. Either that, or the user account you used to create the ODBC connection had its password reset by your lovely SQL team.

There are many ways to resolve issues with the IMA Service not starting. Below are some of the things you can try:

Recreate Cache 

  • Recreate your Local Host Cache and Rade Cache
    1. Stop the IMA Service with ( It shouldn't be started ) "NET STOP IMAService"
    2. Recreate the LHC with "DSMAINT RECREATELHC"
    3. Recreate rade cache with "DSMAINT RECREATERADE"
    4. Start the IMA Service with "NET START IMAService"
      • You can run all the commands at once via:
      • NET STOP IMAService &&  DSMAINT RECREATELHC &&  DSMAINT RECREATERADE &&  NET START IMAService

Check ODBC Connection

  • Run DSMAINT against the MF20.DSN
    1. Run the following command Dependent on OS Type
      • DSMAINT CONFIG /user:contoso\ctx_db_svc /pwd:@w3som3n355 /dsn:"C:\Program Files\Citrix\Independent Management Architecture\MF20.dsn"
      • DSMAINT CONFIG /user:contoso\ctx_db_svc /pwd:@w3som3n355 /dsn:"C:\Program Files (x86)\Citrix\Independent Management Architecture\MF20.dsn"
      • If the "DSMAINT CONFIG" command is successful then you know your ODBC connection is working

Overwrite the IMA Directory

  • Copy over the IMA directory from a known working server to the broken server
    1. The IMA directory is located at:
      • "C:\Program Files\Citrix\Independent Management Architecture"

Check your LHC (Local Host Cache) a.k.a the Large Hadron Collider


  • Verify LHC
    1. Run the following command to verify LHC
      • DSMAINT VERIFYLHC
    • If  the LHC check fails, unlock the IMALHC.MDB
      • To do this, copy over the IMALHC.LDB file from a know working server
      • The IMALHC.LDB file is located in the IMA folder
    • Recreate your LHC
      • DSMAINT RECREATELHC

Clean the Data Store

    1. Run the following command from another server
      • DSCHECK /CLEAN

Clear the IMA Runtime Key

    1. Clear out the folllowing Registry Key:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\RUNTIME\CurrentlyLoadingPlugin
      • Then Recreate your LHC 
      • Run DSMAINT CONFIG
      • Start IMA Service

Check NTFS Permissions

    1. Verify that "Network Service User" has full access to:
      •  “C:\ Program Files\Citrix\Independent Management Architecture

SQL Disk Space

    1. Verify that your SQL Server hasn't ran out of space for your Citrix DB

ICA Listener

    1. Recreate ICA Listener

SQL DB Triggers

    1. Delete the triggers from the KEYTABLE in the DB
      • Right-click the KEYTABLE and select Design Table
      • In the design table window, click the Triggers button
      • From the Trigger properties window in the Name: drop-down box, delete 
        both OnKeyTableDelete(dbo) and OnKeyTableInsertUpdate(dbo) triggers

Print Spooler

    1. Make sure that the Print Spooler Service is running
      1. Make sure the Print Spooler Service is running under the Local System Account
      2. Stop the Print Spooler Service
      3. Start the Print Spooler Service
      4. Start the IMA Service

Check MFCOM

    1. Run through the basic troubleshooting of your MFCOM Service via:
I'm sure there are probally many more resolutions, but the above are ones that I have ran into. If you know of other resolutions, please feel free to contact me @ smith.itpro@gmail.com , and I will add them.

If the above does not get your IMA Service running, check out "Troubleshooting IMA Service Failure To Start" @ http://support.citrix.com/article/CTX105292


Below are some of the errors that pertain to the above fixes:

The Independent Management Architecture service terminated with service-specific error 2147876886
The Independent Management Architecture service terminated with service-specific error 2147876922
The Independent Management Architecture service terminated with service-specific error 2147483649
The Independent Management Architecture service terminated with service-specific error 2147090410

CTX101917 – Error: Error: Windows could not start the Independent Management Architecture on Local Computer .. and refer to service-specific error code 2147483647
CTX105166 – IMA Service Hangs In a Starting State 
CTX103015 – IMA Service Fails on MFPrintss.dll
CTX104200 – Could not start IMA Service in CTX_MF_IMA_StartIMAService
CTX103253 – Error: IMA service failed to start with error 2147483649 and failed to load plug-ins
CTX032712 – Error: IMA Service Error Message -2147483647
CTX101667 – IMA service failed on startup. Service specific error 2147483649
CTX103048 – IMA Service fails to start when a domain or local user is configured for logon
CTX101877 – Error: An error occurred while attempting to start the IMA Service.
CTX735338 – IMA failed to start with error code 2147483649

Tuesday, September 11, 2012

VMWARE - Update VM Video Driver


WHY IS MY VIEWING MY VM's SO SLOW!!!! No worries. This one is a quick, simple fix. Chances are, you just need to install the  "VMware SVGA 3D"  display adapter.


  • First things first, lets open up "Device Management"
    • CMD > devmgmt.msc


  • Find your Display Adapter and click "Update Driver Software..."


  • Click "Browse my computer for driver software"


  • Browse to "C:\Program Files\Common Files\VMware\Drivers\wddm_video\"
    • Then click "Next"


  • Windows will then install the "VMware SVGA 3D" display adapter
    • Click "Close"


  • Reboot to complete the installation of the new display adapter


Bazinga! Your VM will now be visually, a lot faster than it was before. If this doesn't work, I would also recommend upgrading the VMware tools and running Microsoft updates.

Tuesday, September 4, 2012

Citrix - Allow ActiveX Installation


Allowing ActiveX Components installation by basic Citrix users.

This morning I was asked to allow users in our Korean offices to install ActiveX Components, via a published IE8 application. The Citrix Boxes are PVS'd, and trying to figure out a best way to accomplish this, I was stumped. I still don't think this is a very good idea, but with what I am working with, it's the best idea I have come up with so far. The below is in no way shape of form a best practice.

Issue

Allow basic domain users to be able to install ActiveX components from Korean Banking websites. The ActiveX components are changed every hour.

Resolution

First things first, lets segregate the users. I first setup a new Security Group in AD called "CTX_KOREAN_BANKING_IE8" and added my special users to it. I then create a new child OU under my PVS "Provisioned Machines" OU called it "ActiveX" (I probably could have been more creative here, but that's what it ended up being named. I then created a GPO called "Korean ActiveX Install", linked it to the "ActiveX" OU and applied the following settings





  • Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\
    • Download Signed ActiveX Controls Enable
    • Download UnSigned ActiveX Controls Enable
  • Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\
    • Download Signed ActiveX Controls Enable
    • Download UnSigned ActiveX Controls Enable




After finishing up with the GPO I then created the Machine Account in AD via the PVS console for a new VM called XA-DEN-ActiveX-01 and setup my DHCP reservation and assigned my current vDisk to the new machine.

After all that, I logged into my new spun up PVS'd VM and do a "GPRESULT /R" to make sure my new GPO is applied, and test out my new instance of IE published only to the Korean Office and me.

Success!!! But wait, you ask "Why is this a horrible idea?". It's a horrible idea, because now if someone clicks on one of those "Clean my Registry" or "Yes, please install that virus", it will install on the XA VM. Because it's PVS'd, and the only thing published to the VM is "IE", so I can just reboot it to fix it. Also, all other VM's in my environment have virus protection, so having a virus spread shouldn't be an issue.

If there is a better way to do this, by all means please let me know, as this is the best idea I have come up with so far. The bank websites constantly change, and the ActiveX components constantly change. There is no way to do a white list scenario.

Where’s my enabled Users?

Where’s my enabled Users? I’m going through and fine tuning our Proodpoint Spam solution and noticed one of the filters needs to be updated....