Understanding the Citrix Group Policy architecture and how to troubleshoot is key to ensuring a stable environment. This session will provide an overview of the Citrix Group Policy architecture and troubleshooting tool and steps that can be leveraged in both XenApp and XenDesktop environments.
What you will learn
- General components and architecture of Citrix Group Policy
- Best practices and disaster recovery for Citrix Group Policy
- Troubleshooting Citrix Group Policy issues
Citrix Group Policy Troubleshooting for XenApp and XenDesktop
Rick Berry, Senior Escalation Engineer
Citrix Synergy, May 2014
SYN406
© 2014 Citrix. Confidential.2
Tweet about this session with hashtag #syn406 and #citrixsynergy
Citrix Group Policy Architecture: Overview of Citrix Group Policy and Components
Citrix Group Policy Architecture: Policy Application Terminology
Local Group Policies
• Local GPO containing Computer and User settings
Citrix Farm Policies
• Also known as IMA farm policies (XenApp)
• Set via AppCenter\DSC (XenApp 6.x) or Studio (XenDesktop\XenApp 7.5)
• Stored in the farm datastore\database
Active Directory Policies
• Set via Site, Domain or OU GPOs
• Stored in Active Directory
• Allows combining of Citrix and Microsoft Policies
Citrix Group Policy Architecture: Processing and Precedence for RSOP
[Diagram. Policy sources, in the order listed: Local Policies, Citrix Farm\IMA Policies, Active Directory Site GPO, Active Directory Domain GPO, Active Directory OU GPO. Arrow labels: Processing, Precedence. Callouts: "RSOP will have", "CDM = Enabled", "CDM = Disabled".]
Citrix Group Policy Architecture: Citrix Group Policy Management Console
Citrix GPMC - A connector into the Microsoft GPMC
Management of Citrix group policies via AppCenter\Studio or GPMC
Allows Citrix policy modeling\comparison
Can be installed for standalone use
Core binaries are in:
• %PROGRAMFILES% and %PROGRAMFILES(x86)%
• Under \Citrix\Group Policy\Management
Citrix Group Policy Architecture: Citrix Group Policy Client Side Extension
Also known as Citrix CSE (CitrixCseClient.dll)
Loaded via Microsoft Winlogon process
Generates policy requests (Computer\User)
Retrieves values to determine policy filter calculation
Forwards policy requests to Citrix Caching Service
Core binaries are in:
• %PROGRAMFILES% and %PROGRAMFILES(x86)%
• Under \Citrix\Group Policy\Client-Side Extension
Citrix Group Policy Architecture: Citrix Group Policy Caching Service
Citrix Group Policy Engine service (CitrixCseEngine), part of Citrix CSE
Performs the Citrix policy calculation and writes settings to the registry
Caches Group Policy files between calculations to avoid excessive network traffic
GPO (AD\Farm) Local Cache:
• %PROGRAMDATA%\CitrixCseCache
Also caches per-computer and per-user data files
Citrix Group Policy Architecture: Data Files - Resultant Set of Policy (RSOP)
Per-Computer and Per-User resultant Citrix policy settings end up in RSOP.gpf
These binary files are cached in:
• Per-Computer → %PROGRAMDATA%\CitrixCseCache
• Per-User → %PROGRAMDATA%\CitrixCseCache\<SessionID>
Files are used to create policy registry settings under:
• Per-Computer → HKLM\Software\Policies\Citrix
• Per-User → HKLM\Software\Policies\Citrix\<SessionID>\User
Citrix Group Policy Architecture: Data Files – Rollback
We needed a way to remove RSOP settings
Mechanism creates a Rollback.gpf file
Contains instructions to remove existing RSOP settings
These binary files are cached in:
• Per-Computer → %PROGRAMDATA%\CitrixCseCache
• Per-User → %PROGRAMDATA%\CitrixCseCache\<SessionID>
Citrix Group Policy Architecture: Citrix Policy Filters
Allows granular control of Citrix policies
Filters policy settings based on certain criteria
Different options based on the policy category
Can’t be applied to the default Unfiltered policy
Policy Filters: Computer Policies
Policy Filters: User Policies
Additional filter types for User Policies
Citrix Group Policy Architecture: Unfiltered Policy and Templates
There’s a default Unfiltered policy (contains no settings)
Unfiltered policy settings apply to all objects
Can be disabled if not needed (set to lowest priority)
There are pre-configured policy Templates in place
Templates grouped by end user connectivity (WAN, LAN)
Policies created can be saved as templates
Policy Management: XenApp 6.x - XenDesktop 5.x
Separate Computer and User Policy Nodes
Policy Management: XenApp 7.5 – XenDesktop 7.x
Single Policy Node
Citrix Group Policy Architecture: Citrix Policy Update Intervals
For Citrix farm policies set up via AppCenter\Studio:
• Citrix policies for Computer and Users (logged in) refresh every 90 minutes
For Citrix Policies set via AD GPO:
• Leverage AD refresh interval (default is 90 minutes +\- a random offset of 0-30 minutes)
• What is set via AD GPO
For either method:
• Computer Policies update at machine startup
• User Policies will also be updated during a reconnect to an active or disconnected session
• Policies can be updated manually by running: gpupdate /force
User Policy Application (Similar for Computer)
[Flow diagram. Labels: WinLogon, Client Side Extensions (Microsoft CSE, Citrix CSE), AD GPO, Local GPO, Farm or Studio GPO, Resultant Policy (RSOP.GPF), Citrix CSE, Local server Registry.]
Registry location: HKLM\Software\Policies\Citrix\ (For Server) -or- HKLM\Software\Policies\Citrix\<SessionID>\User
Policy Application Details
[Flow diagram. Steps as listed:]
• Load existing Rollback.gpf
• Apply RSOP
• Delete Cached GPF files
• Cache new files
• Set time in LastUpdate under Events Registry Area
• All Done!
Files and stores shown beside the steps: Rollback.gpf, RSOP.gpf, Registry
File location: %PROGRAMDATA%\Citrix\GroupPolicy -or- %PROGRAMDATA%\Citrix\GroupPolicy\<SessionID>
Recommended Practices - Tips: Based on Citrix Support cases
Recommended Practices: Architecture
While supported, using both AD and Farm\Studio Citrix policies may cause confusion when troubleshooting issues
• Try to use one type or the other depending upon requirements
Using WMI filters on AD GPOs containing Citrix policies may cause issues during reconnects (due to WMI\AD timeouts)
• Use WMI filters sparingly
• Possible mitigation: using DisableGPCalculation setting
Recommended Practices: Document Policies
For Farm (AppCenter\Studio) applied policies:
• Written document\spreadsheet (Scout can provide as well)
For Active Directory applied policies:
• Use the GPMC Save Report option on your AD GPO
For either of the above:
• CtxCseUtil – RSOP reporting tool
• Export using Citrix Group Policy PowerShell module
Recommended Practices: What Not To Do!
To prevent Citrix Group Policy consistency issues, don’t manually manipulate\remove any of the Citrix Group Policy data files on your own
This includes files\folders or reg entries under:
• %PROGRAMDATA%\Citrix\GroupPolicy\<SessionID>
• %PROGRAMDATA%\Citrix\GroupPolicy
• HKLM\Software\Policies\Citrix\<SessionID>
• HKLM\Software\Policies\Citrix
Might be needed for certain fixes (LA5051)
Troubleshooting Citrix Group Policy
Troubleshooting Citrix Group Policy: Recommended Approach
Know your Baseline\Collect the Details
Determine Versions
Policy Cache
GPF Files
RSOP Registry Settings
Connection Information
Additional Data Points
Troubleshooting Citrix Group Policy: Baseline and Collect Details – The Four W’s
Make sure you can answer the following:
• Who is seeing the issue?
• What issue are they seeing?
• When are they seeing the issue?
• Where are they seeing the issue?
[Slide graphics. Location labels: Tokyo, Chicago, Miami. Session labels: New Session? Reconnecting? Smooth Roaming? All of the Above?]
Troubleshooting Citrix Group Policy: Determine Versions
What version am I at??
Troubleshooting Citrix Group Policy: Determine CSE Version
Look in the component directory
Check CitrixCseEngine.exe
Troubleshooting Citrix Group Policy: Determine GPMC Version
Product Versions - Reference: XenApp – Baseline (Updated)
Version     Citrix GPMC     Citrix CSE
6.0         1.0             1.0
6.5         1.5 (1.7)       1.5 (1.7)
7.5         2.2             2.1
Product Versions - Reference: XenDesktop – Baseline (Updated)
Version     Citrix GPMC     Citrix CSE
5.5, 5.6    1.5 (1.7)       1.5 (1.7)
7.1         2.1             2.1
7.5         2.2             2.1
Policy Cache: Active Directory Policies
Seeing {GUID} in the filename = AD GPO
The 0 here denotes User policy settings
The 1 here denotes a Computer policy
Policy Cache: Active Directory Policies
We have a match!!
Policy Cache: Farm\Studio Policies
Lack of {GUID} = Farm policies
GPF files
Per-Computer files
Per-User files
SessionID = 2
RSOP Registry Settings: Per-Computer (HKLM\Software\Policies\Citrix)
RSOP Registry Settings: Per-User (HKLM\Software\Policies\Citrix\<SessionID>)
Connection Information
Connection Details: HKLM\Software\Citrix\ICA\Session
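The data points from the recommended approach (CSE version, policy cache, GPF files, RSOP registry settings, connection information) can be gathered in one read-only pass. This is an added example, not part of the original slides or a Citrix tool; the function names `Get-RegistryDump` and `Get-CitrixPolicyBaseline` are hypothetical, while the paths and keys are the ones the slides name. The zero-byte GPF flag follows the CTX130116 case study title listed under Resources.

```powershell
# Added example: read-only baseline collector. Changes nothing on the system.
function Get-RegistryDump {
    param([Parameter(Mandatory)][string]$KeyPath)
    if (-not (Test-Path -Path $KeyPath)) { return @() }
    # The key itself plus every subkey, flattened to one row per value.
    $keys = @(Get-Item -Path $KeyPath) +
            @(Get-ChildItem -Path $KeyPath -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $key.Name; Name = $name; Value = $key.GetValue($name) }
        }
    }
}

function Get-CitrixPolicyBaseline {
    # 1. Determine versions: file version of CitrixCseEngine.exe in the component directory.
    $cse = foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if (-not $root) { continue }
        $exe = Join-Path $root 'Citrix\Group Policy\Client-Side Extension\CitrixCseEngine.exe'
        if (Test-Path -LiteralPath $exe) {
            (Get-Item -LiteralPath $exe).VersionInfo | Select-Object FileName, FileVersion
        }
    }

    # 2. Policy cache and GPF files: both locations mentioned in the slides.
    $roots = 'CitrixCseCache', 'Citrix\GroupPolicy' |
        ForEach-Object { Join-Path $env:ProgramData $_ }
    $files = $roots | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object {
        Get-ChildItem -LiteralPath $_ -Recurse -File -Force -ErrorAction SilentlyContinue
    } | Select-Object FullName, Length, LastWriteTime,
        @{ Name = 'ZeroByteGpf'; Expression = { $_.Extension -eq '.gpf' -and $_.Length -eq 0 } }

    # 3. RSOP registry settings (per-computer and per-session) and connection details.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Collected    = Get-Date
        CseEngine    = @($cse)
        CacheFiles   = @($files)
        RsopRegistry = @(Get-RegistryDump -KeyPath 'HKLM:\Software\Policies\Citrix')
        IcaSession   = @(Get-RegistryDump -KeyPath 'HKLM:\Software\Citrix\ICA\Session')
    }
}

# Usage: save a snapshot while the environment is healthy, compare during an incident.
# Get-CitrixPolicyBaseline | ConvertTo-Json -Depth 4 | Set-Content .\citrix-policy-baseline.json
```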
Troubleshooting Tools - CtxCseUtil: Citrix RSOP Report Tool
Creates resultant set of policies report containing user settings, computer or both
Can be run locally or remotely against a server or VDA
Converts RSOP.gpf to HTML report
End user has to have logged in at some point
End user doesn’t have to be actively logged in
Troubleshooting Tools - CtxCseUtil: Common Errors
Typical error when first run…
Solution: Run WinRm QuickConfig
Troubleshooting Tools - CtxCseUtil: Common Errors
Help Message.docx
Possible using Local Administrator Account?
Troubleshooting Tools - CtxCseUtil: Resultant Report - CitrixRsopResult.html
Once run, resultant report is: CitrixRsopResult.html
Citrix Group Policy PowerShell Module: Citrix.GroupPolicy.Commands.psm1
Module containing cmdlets for Citrix Policies
• Local, Farm or Active Directory
Needs to be imported via PowerShell prompt
Contains cmdlets to:
• Set or Get Citrix policy settings
• Export or Import Citrix policy objects
Policy Details Imported\Exported:
• Policy Settings
• Configuration Details
• Filters
Citrix Group Policy PowerShell Module: Exporting Farm Policies
GET-COMMAND output
Citrix Group Policy PowerShell Module: Exporting Farm Policies
Once completed, these are your files
Export the policies
Citrix Group Policy PowerShell Module: Exporting Citrix Policies from Active Directory
Use the same PowerShell Module and cmdlets
Connect to Active Directory GPO via New-PSDrive cmdlet
See CTX140039 for the details
CDFControl: CDF Tracing Tool
Farm\Studio Policy Issue
Farm policies stored in a single object
Likely related to corrupt policy
Error seen when accessing policies
Don’t restore datastore\database
Contact Citrix Technical Support
Maintain an updated policy export!!
WMI Related Issues: Reconnect Issues
If using WMI Filters on AD GPOs, might see reconnect issues
• Citrix policies not applying for reconnected sessions
• Logins\Reconnects taking a long time to occur (does the issue resolve itself after some time?)
Enable Microsoft Group Policy logging:
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics\
  "GPSvcDebugLevel"=dword:00030002
Log file will be in:
• %WINDIR%\debug\usermode\gpsvc.log
• If you see FilterCheck: Evaluate returned error. hr=0x80041069, AD is timing out on WMI call
Look in Event Viewer as well for WMI errors
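The logging steps above as a script: turn Group Policy service debug logging on, reproduce the reconnect, then search gpsvc.log for the WMI timeout code. This is an added example, not code from the original slides; the function names are hypothetical, and the registry value, log path and error string are the ones shown on the slide. It must be run elevated.

```powershell
# Added example. Registry key, value, log path and error code are taken from the slide.
$diagKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$logDir  = Join-Path $env:WINDIR 'debug\usermode'
$logFile = Join-Path $logDir 'gpsvc.log'

function Enable-GpsvcLogging {
    if (-not (Test-Path -Path $diagKey)) { New-Item -Path $diagKey -Force | Out-Null }
    New-ItemProperty -Path $diagKey -Name 'GPSvcDebugLevel' `
        -PropertyType DWord -Value 0x00030002 -Force | Out-Null
    # The log is only written if the usermode folder already exists.
    if (-not (Test-Path -LiteralPath $logDir)) {
        New-Item -Path $logDir -ItemType Directory | Out-Null
    }
}

function Disable-GpsvcLogging {
    # Verbose logging should not stay on after the investigation.
    Remove-ItemProperty -Path $diagKey -Name 'GPSvcDebugLevel' -ErrorAction SilentlyContinue
}

function Find-WmiFilterTimeout {
    param([string]$Path = $logFile)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    # Get-Content detects the log's encoding; match the error code quoted on the slide.
    Get-Content -LiteralPath $Path |
        Select-String -SimpleMatch 'hr=0x80041069' |
        Select-Object LineNumber, Line
}

# Usage:
#   Enable-GpsvcLogging
#   (reproduce the slow or failing reconnect)
#   Find-WmiFilterTimeout | Format-Table -AutoSize -Wrap
#   Disable-GpsvcLogging
```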
Takeaways
Architecture and files related to Citrix Group Policy
How Citrix policies apply during user login (computer too)
Recommended practices
Troubleshooting methods and tools
Documenting and backing up your policies is important!!
Resources: Links related to Citrix Group Policy
Resources: Citrix Documentation Links
Citrix Product Documentation Site (eDocs)
Manage Citrix Policies (XenDesktop\XenApp 7.5)
Working with Citrix Policies (XenApp 6.5)
Policy Settings Reference (XenApp 6.5)
Resources
CTX140268 - Citrix policy settings not being displayed properly in newer Citrix Group Policy Management Console
CTX127611 - How Citrix IMA Policies fit in to Microsoft GPO Processing and Precedence Model
CTX138537 – HRP02 for Citrix XenApp 6.5 (for DisableGPCalculation setting)
CTX130116 - Case Study: Unable to Apply Citrix Policies because of 0kb gpf Files
CTX134081 - Planning Guide - Citrix XenApp and XenDesktop Policies
Resources: Group Policy Tools
CTX140267 - Updated Citrix Group Policy PowerShell Module
CTX138533 - Citrix Policy Reporter - RSOP CtxCseUtil Tool
CTX140039 - How to Import and Export Policies in XenApp 6.x
CTX111961 – CDFControl
CTX130147 – Citrix Scout
MS TechNet – Group Policy Cmdlets for PowerShell
MS TechNet Blog – Enabling Group Policy Logging using RSAT
Questions and Wrap-Up
Questions?
Before you leave…
Conference surveys are available online at www.citrixsynergy.com starting Thursday, May 8 at 9:00 a.m.
• Provide your feedback by 6:00 p.m. that day to be entered to win one of many prizes
Download presentations starting Monday, May 19 from the My Event Planning tool