Tuesday, January 15, 2013

Microsoft - Gpresult ERROR Access Denied

Running GPRESULT results in "Error: Access Denied"

Today on one of my Citrix Servers I was presented with an error when troubleshooting a GPO. I opened up my command prompt with "Run As Administrator", and received "Error: Access Denied".

So what now? You already are logged into the server with domain admin credentials, and opening command prompt as administrator doesn't work. You could disable UAC and see if that works, but chances are you will have to register the userenv.dll file again, and recompiling the scersop.mof file.

Below are the steps to correct the issue:
  • Register the userenv.dll file
    • regsvr32 /n /I c:\windows\system32\userenv.dll
  •  Change Directory to the wbem folder (required step, don't be lazy)
    • cd c:\windows\system32\wbem
  • Recompile the scersop.mof
    •  mofcomp scersop.mof
  • Optional Repositories you can recompile (Probably don't need to) 
    • mofcomp rsop.mof
    • mofcomp rsop.mfl    

  • Force Group Policy Update
    • gpupdate /force

After that, run "gpresult" (gpresult /R if on server 2008). Issue resolved!

Wednesday, January 9, 2013

Citrix NSVPX - Load Balancing LDAP Authentication

NetScaler - Load Balancing LDAP Authentication

You're setting up a new AGEE on your NetScaler Appliance, and when you go to put in an authentication server, it only allows you to put in one. Why not load balance your ldap requests so that you don't have a single point of failure. 

Things you need, to load balance your ldap requests:
  • 2 load balanced servers
  • 2 load balanced services
  • 1 load balanced vserver
  • 1 authentication policy
  • 1 authentication server

Setting up load balanced servers

  • Highlight "Load Balancing" > Servers
  • Click on "Add" at the bottom of the right pane
  • Create a connection to your first domain controller
    • Server Name: lb_server_demodc100
    • IP:
    • Click "Create"

  • Create a connection to your second domain controller
    • Server Name: lb_server_demodc101
    • IP:
    • Click "Create"
  • You should now see a green circle, and the word "Enabled" next to your ldap services 

Setting up Load Balanced Services
  • Highlight "Load Balancing" > Services
  • Click on "Add" at the bottom of the right pane

  •  Create a TCP LDAP service for your first domain controller
    • Server Name: lb_service_demodc100_ldap
    • Server: lb_server_demodc100
    • Protocol: TCP
    • Port: 389
    • Configure Monitor: tcp
    • Click "Create"

  •  Create a TCP LDAP service for your second domain controller
    • Server Name: lb_service_demodc101_ldap
    • Server: lb_server_demodc101
    • Protocol: TCP
    • Port: 389
    • Configure Monitor: tcp
  • Click "Create"

  • You should now see a green circle, and the word "Enabled" next to your ldap services 

Setting up Load Balanced Virtual Server (VIP)
  • Highlight "Load Balancing" > Virtual Servers

  • Click on "Add" at the bottom of the right pane

  •  Create a virtual server that will point towards your two ldap services
    • Server Name: lb_server_demodomain_ldap
    • Protocol: TCP
    • IP Address:
    • Port: 389
    • Select your two ldap services
      • lb_service_demodc100_ldap
      • lb_service_demodc101_ldap
    • Click "Create"

Setting up an Authentication Policy and Authentication Server
  • Highlight "System" > "Authentication" > "LDAP"

  • Click on "Add" at the bottom of the right pane

  •  Create an authentication policy
    • Name: auth_policy_demodomain
    • Authentication Type: LDAP
    • Server: (We need to create an auth Server)

  •  Click "New" next to the Server field

  •  Create an authentication server
    • Name: auth_server_demodomain
    • Authentication Type: LDAP
    • IP Address: (IP of your load balanced virtual server)
    • Click "Create" 

  •  Select the server you just created
    • auth_server_demodomain
  • Input an advanced Free-Form Expression
    • ns_true
  • Click "Create"

 Applying your LDAP Authentication Policy to a Virtual Server
  • Open your Access Gateway Virtual Server
  • Click on the "Authentication" tab
  • Click "Insert Policy" 
  • Select your ldap authentication policy
    • auth_policy_demodomain
  • Click "OK"



This Access Gateway Virtual Server now has its LDAP request load balanced. What happens is that all requests will hit your AGEE VIP that then applies the ldap policy (auth_policy_demodomain). The ldap policy says look at the ldap authentication server (auth_server_demodomain), that is pointing towards the VIP of your load balanced virtual server (lb_vserver_demodomain_ldap) ( That VIP will load balance the ldap requests to the two domain controllers (lb_server_demodc100 and lb_server_demodc101).

Thursday, January 3, 2013

Citrix PVS - Subnet Affinity

To "Subnet Affinity" and Beyond!

Hmmm.... I'm sure every Citrix Admin at one point has wondered, "What is this so called Subnet Affinity Option I have here?". I am referring to the load balancing algorithm that Citrix Provisioning Services uses on each of your vDisks (If you use it). 

To configure load balancing on a vDisk
  • Right-click on the vDisk in the Console, click "Properties", then select the Load Balancing... menu option.
  • Select to enable load balancing or to assign a single Provisioning Server to provide this vDisk.

The options you have are not necessarily straight forward and may be overwhelming. The Options you have to choose form are:

  • Subnet Affinity
    • None
    • Best Effort
    • Fixed
  • Rebalance Enabled
  • Trigger Percent

Use the load balancing algorithm

  • Provides the option to enable or disable the load balancing algorithm, which selects the server that is least busy to provide this vDisk to target devices. If you decide to pick "Use this server to provide the vDisk", the vDisk will not be load balanced.
Subnet Affinity - None
  • Ignore subnets; Uses least busy server. None is the default setting.
Subnet Affinity - Best Effort
  • Uses the least busiest Server/NIC combination from within the same subnet. If no Server/NIC combination is available within the subnet, PVS selects the least busiest server from outside of the subnet. If more than one server is available within the selected subnet, PVS performs load balancing between those servers.
Subnet Affinity - Fixed
  • Uses the least busy server/NIC combination from within the same subnet. PVS Performs load balancing between servers within that subnet. If no server/NIC combination exists in the same subnet, PVS does not boot target devices assigned to this vDisk.
Rebalance Enabled
  • When enabled, PVS rebalances the number of target devices on each server in the event that the trigger percent is exceeded. 
  • When enabled, Provisioning Services checks the trigger percent on each server every ten minutes.
  • Rebalancing will not occur if there are less than five target devices on each server, or if more than 20% of the target devices are currently booting. A target device that is currently booting will not be moved to a different server.
Trigger Percent
  • The percent of overload that is required to trigger the rebalancing of target devices.
  • Example: If the trigger percent is equal to 25%, rebalancing occurs if this server has 25% more load in comparison to other servers that can provide this vDisk. Values between 5 - 5000.
  • Default Trigger Percent is 25.
So What Now?

You're currently using an HP Blade c7002 Chassis (Apparently mine was manufactured wrong and only has 12 slots), with twelve G8's. Two of them are PVS boxes and 10 of them are VMWARE hosts containing your VM's. Below is a quick diagram of the chassis:  

What we can do now, is specifying a dedicated subnet for Provisioning Services traffic that spans all systems within that chassis. When configuring the Subnet Affinity for Best Effort in such a scenario, all PVS Targets within the chassis will be streamed by one of the two PVS servers. If one server goes down the other takes over. If the Targets perform the initial PVS logon with a server outside of the chassis, they will be redirected automatically to servers within their subnet for the actual streaming I/O. If both servers go down the targets will connect to a server outside the chassis.

Doing so allows using the high performance network connections between the blades (typically 10GBit/s per Blade) for streaming the vDisks and keeping basically all network traffic inside the PVS block.

Where’s my enabled Users?

Where’s my enabled Users? I’m going through and fine tuning our Proodpoint Spam solution and noticed one of the filters needs to be updated....