Thursday, April 24, 2014

Using dr-ip-customizer.exe to bulk customize protected virtual machines in VMware SRM 5.x

I’ve noticed that I’ve received quite a few calls over the past year from clients asking me about how to properly use the dr-ip-customizer.exe executable on an SRM server to export an example CSV file, edit the file and re-import into their SRM environment to customize the IP addresses for the Protected Site and Recovery Site.  I personally don’t work with SRM that much and tend to forget the details so this post will serve as something I can reference to in the future.

First off, the following is a blog post that goes through the steps for the export and import of a CSV file that can be used to customize your SRM protected servers:

http://blogs.vmware.com/vsphere/2011/08/buil-ip-customization-in-srm-5.html

The most common call I get when people use this VMware blog post is that they receive the following error when trying to generate an example.csv file for them to edit:

C:\Program Files\VMware\VMware vCenter Site Recovery Manager\bin>dr-ip-customizer.exe -cfg ..\config\vmware-dr.xml -o c:\example.csv -cmd generate -vc someVC.domain.com

Input argument error: unknown option -c

Usage:

  -h [ --help ]               Display usage info.

  --cfg arg                   Path to application XML configuration file.

  --cmd arg                   Command to execute:

                                apply: Applies the network customization

                                       settings from the input CSV file to the

                                       recovery plans on the SRM servers.

                                generate: Generates a basic CSV file for the

                                          all virtual machines in the recovery

                                          plans on the SRM servers.

                                drop: Removes vm recovery settings from VMs

                                      specified by the input CSV file.

  --csv arg                   Path to the CSV file.  Read as input for the

                              "apply" and "drop" commands.

  -o [ --out ] arg            Output CSV file to use for the "generate"

                              command.  Will overwrite any existing contents.

  --vc arg                    VMware vCenter Server hostname.  Can instead be

                              specified in the application configuration file

                              at "/Config/VCSERVER". For "apply" and "drop"

                              commands, use the same server that was used to

                              generate the input CSV. The VM Ids are different

                              at each site.

  -i [ --ignore-thumbprint ]  Ignore the server thumbprint confirmation prompt.

  -e [ --extra-dns-columns ]  Must be specified if the input CSV file contains

                              extra columns for DNS information.

  -v [ --verbose ]            Enable verbose output.

C:\Program Files\VMware\VMware vCenter Site Recovery Manager\bin>

clip_image002

I’m not exactly why but I think the editor of used in the blog post could have automatically changed the “--“ to ““:

clip_image002[4]

The correct syntax for syntax is actually with two dashes / hyphens:

dr-ip-customizer.exe --cfg ..\config\vmware-dr.xml -o c:\example.csv --cmd generate --vc someVC.domain.com

clip_image002[6]

clip_image002[8]

A sample example.csv file will be generated that looks like this:

clip_image002[4]

What I find with this example.csv file are the following:

1. Still needs quite a bit of manual work (creating lines)

2. It’s too bad this does not export settings you’ve configured from the GUI

With this example spreadsheet, you’ll need to duplicate the row for the Protected and Recovery site vCenter, change the Adapter ID to 1 and then configure your NIC configuration settings as shown below:

clip_image002[10]

Once you’ve completed editing the spreadsheet, proceed to import it with the following command:

dr-ip-customizer.exe --cfg ..\config\vmware-dr.xml --csv c:\example.csv --cmd apply --vc someVC.someDomain.com

Tuesday, April 22, 2014

Launching a Citrix XenDesktop 7.x application through a Netscaler VPX 1000 version 10 throws the error: “Cannot start app AppName”

Problem

You’ve completed configuring your NetScaler VPX appliance to publish a Citrix XenDesktop 7.x environment with StoreFront 2.x and successfully log into the portal:

image

However, you notice that you receive the following error as soon as you launch an application:

Cannot start app “App Name”

image image

Solution

One of the reasons why you would receive this error is if you have mismatching Secure Ticket Authority (STA) between the NetScaler and the StoreFront configuration.  The environment I was troubleshooting had the NetScaler configured with http:// while the StoreFront configured as https://:

image

image

The correct configuration is http:// so change the StoreFront to reflect the URLs corrected the issue.

Monday, April 21, 2014

Launching Citrix XenDesktop 7.x StoreFront Receiver Web website throws the error: “Cannot complete your request.”

Problem

You attempt to access the Citrix XenDesktop 7.x StoreFront Receiver Web website directly but receive the following error:

Cannot complete your request

Log On

image

Solution

One of the reasons why you would receive this error is if you have a mismatch between your Citrix StoreFront’s Base URL and the URL you are accessing the website with your browser:

image

Note that the Base URL configured in the StoreFront is http://zencont01srv/ while the browser URL used to access the website was http://zenstore01.srv.  To correct the problem, change the base URL to match the URL you are using to access the website in the browser.

Thursday, April 17, 2014

Unable to add mailbox database copy to Exchange 2010 mailbox server in another datacenter

Problem

You have an existing DAG cluster at a datacenter and have deployed another mailbox server at another DR datacenter to add to the DAG cluster. The configuration of the new mailbox database is in place and you are able to successfully add the node to the existing DAG. You proceed to create a test mailbox database at your production datacenter, successfully mount it but you receive the following error when you attempt to add a mailbox database copy to the DR mailbox server:

A source-side operation failed. Error An error occurred while performing the seed operation. Error: The NetworkManager has not yet been initialized. Check the event logs to determine the cause. [Database: <database name>, Server: yourServerName.com

image

You may also get the following error if you adding a mailbox database copy again:

A source-side operation failed. Error An error occurred while performing the seed operation. Error: Couldn’t seed the mailbox database copy because it is not suspended. Please suspend the mailbox database copy, and then retry the seed operation. [Database: <database name>, Server: yourServerName.com

image

Solution

While there are various reasons why this error would be thrown (i.e. misconfigured MAPI and replication networks), one of the common reasons I’ve come across is that Active Directory replication hasn’t happened yet between the 2 datacenters since they are in different sites. I’ve found that this issue is fixed when I ask the person calling me to force replication between the DCs in the 2 sites. The following is a screenshot of what the confirmation looks like when a mailbox database copy is successfully added:

image

Remotely reconfiguring WinRM (Windows Remote Management)

I received a call a few weeks ago from a client indicating that the Activity portion of a Citrix XenDesktop virtual desktop was not reporting back with any data from within Desktop Director as shown in the following screenshot:

Failed to retrieve data: Machine unresponsive or reported an error (error code 105). View server event logs for further information.

image

I’ve come across issues like these in the past which are usually related to an issue with WinRM. The first troubleshooting step I usually take is to recreate the WInRM listener but the challenge we have with this environment is that majority of the users use dedicated desktops and it’s quite cumbersome to manually log into all of them, open up the command prompt and execute the following 2 commands to delete and recreate the WinRM listener as described in the KB http://support.citrix.com/article/CTX131197:

winrm delete winrm/config/listener?Address=*+Transport=HTTP

winrm create winrm/config/listener?Address=*+Transport=HTTP

To make the process a less labour intensive, I went ahead and downloaded Windows Sysinternals PsExec v2.1 to remotely execute the commands above. The tool can be found here: http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Once PsExec has been downloaded and extracted to a directory, open up a command prompt, navigate to the directory with PsExec.exe and execute the following:

PsExec.exe <\\virtualMachineName> -u <domain\username> -p <somePassword> -s c:\windows\system32\cmd.exe

The following will be displayed once you’ve successfully connected to the remote desktop:

image

Once connected, proceed with execute the following 2 commands to delete and recreate the WinRM listener:

winrm delete winrm/config/listener?Address=*+Transport=HTTP

winrm create winrm/config/listener?Address=*+Transport=HTTP

image

There have also been some cases where I’ve had to execute the following command to correct the issue so I’ll include it here as well:

winrm set winrm/config/Service @{EnableCompatibilityHttpListener="true"}

image

If the problem was related to the WinRM listener, you should now see statistics displayed in Desktop Director for the VDI:

image

Monday, April 14, 2014

Apple Mac Safari unable to open Exchange Server 2010 Outlook Web App with certificate error

Problem

You’ve received complaints from Mac users that they then attempt to launch Exchange Server 2010’s Outlook Web App, the following prompt is displayed:

The website “webmail.someDomain.bm” requires a client certificate.

This website requires a certificate to validate your identity. Select the certificate to use when you connect to this website, and then click Continue.

com.apple.idms.appid.prd.4e37636a…

image

Solution

While I can’t definitively claim whether the following is the right solution but what solved this issue for my client’s MAC users was to change the EWS to allow Basic Authentication:

image

You will still need to manually delete the certificate on the Mac’s keychain but unlike leaving Basic Authentication off, the certificate will not come back in a few days.

Note that this contradicts the default settings as shown in the following TechNet article:

Default Settings for Exchange Virtual Directories
http://technet.microsoft.com/en-us/library/gg247612.aspx

Tuesday, April 8, 2014

Configuring OpenGL Software Accelerator for Citrix XenApp 6.5

I’ve noticed that a few of my colleagues and clients have asked me about how to improve the performance of applications such as Google Earth on Citrix XenApp 6.5 servers last year which lead me to realize that I never wrote a blog post about it.  Some administrators probably already know that Citrix XenDesktop 5.6 has the Google Optimization pack that allows a user to run Google Earth in DirectX mode with a much faster rendering experience but with Citrix XenApp.  From what I’ve read, the recommended method is to use the OpenGL Software Accelerator because it allows more than 1 user accessing the XenApp server to use the acceleration as compared to DirectX.

I’m not sure what other people’s experience is but I find that without the OpenGL Software Accelerator installed, Google Earth launched in OpenGL mode never worked properly for me.  The globe would also be rendered black on the screen for me:

image

The rendering of the frames would be so slow that it would not be usable for someone with normal patience.

To speed up the rendering performance to a level that is more tolerable, the OpenGL Software Accelerator can be installed and the documentation can be found here:

http://support.citrix.com/proddocs/topic/xendesktop-7/hd-opengl-accelerator.html

image image

You’ll need a valid Citrix login to download the XenApp 6.5 Feature Pack 2 that bundles the OpenGL Software Accelerator:

image image

One you’ve downloaded the XA5_6FP2.zip file, unpack it and you will see the following folders:

image

I’ve been asked several times what’s the difference between the 32bit and 64bit bundled DLL file and I can honestly say I’m not sure as I haven’t come across documentation that clearly outlines the difference.  What I believe is that this if for the version of the software that will be using OpenGL and not the operating system.  The reason why I think this is the case is because the acceleration works if I use the 32bit opengl32.dll but when I try to use the 64bit, Google Earth (a 32bit program) doesn’t even launch (you double click on the icon and nothing happens).

With that out of the way, the following are the differences between the 32bit and 64bit opengl32.dll files:

32-Bit opengl32.dll

image

image image

64-Bit opengl32.dll

image

image image

The installation of the opengl32.dll file is quite simple and there is a bundled install.pdf file located in the OpenGLAccelerator folder:

image

image image

As the document states, you essentially have to replace the opengl32.dll file in the C:\Windows\SysWow64 folder on the XenApp server and because it is a protected file, you will need to take over the ownership of the file in order to either rename, delete or overwrite it.  I personally prefer to rename it by putting a ~ in front of the file in case I ever needed to revert back to the old file.

image

With the file replaced, you should now notice an improvement in the Google Earth rendering speeds.  My personal experience is that the DirectX driver for XenDesktop feels like it performs a tad better than the OpenGL accelerator.

From a bandwidth consumption perspective, the test I’ve done with the network engineer still shows that navigating around Google Earth can get up to around 5Mbps and sometimes while panning around maps such as Paris, I could get it to spike up to 10Mbps.

Monday, April 7, 2014

Unable to modify Owners of a Security Group in Exchange Server 2013’s Exchange admin center

Problem

You’re logged into the Exchange Server 2013 ECP and noticed that a newly created distribution group created with an existing Security group does not have any Owners assigned to it as displayed in Exchange Server 2013’s Exchange admin center:

image

You proceed to open the properties of the group, navigate to the ownership settings:

image

You proceed to add the Administrator account as an owner under the Owners configuration:

image

Proceeding to click the save button throws the following error:

error

You don’t have sufficient permissions. This operation can only be performed by a manager of the group.

image

Solution

To grant an account such as the administrator to edit the ownership of the group, open up Active Directory Users and Computers, navigate to the OU containing the Security Group and open the properties:

image

Navigate to the Managed By tab:

image

Add the account you would like to have permissions to managed this group into the Name field:

image

Going back to the Exchange admin center and hitting the refresh button should now show that the account you just configured is now an owner of the group with editing permissions:

image

Sunday, April 6, 2014

Filtering out Active Directory domains for VMware Horizon View

I was recently asked by a client who’s environment consists of 3 forest trusts to other domains and would like to filter them out from their VMware Horizon View infrastructure. The following screenshot is basically what they see when they log into the VMware Horizon View Administrator console:

image

Clicking on one of the domains configured with a forest trust shows the following:

Trust Relationship: The trust relationship could not be determined.

Status: Domain status error detected. View

image

The reason for the error above is because the View Connection server has problems verifying the domain and in the case of the client I was at, it was because the DNS servers configured for the View Connection servers not having forward lookup zones to these domains. With that clarified, the client wanted the domains removed so in order to do so, we can accomplish this with the vdmadmin command:

Trust Relationships and Domain Filtering
http://pubs.vmware.com/view-50/index.jsp?topic=/com.vmware.view.installation.doc/GUID-48644652-C5C9-4BDC-AE93-75DA2D176995.html

The available switches for this command can be found here:

Configuring Domain Filters Using the N Option
http://pubs.vmware.com/view-50/index.jsp#com.vmware.view.administration.doc/GUID-3E9924EC-1554-43E5-A812-84F9711909A5.html

The vdmadmin.exe executable can be found in the following directory of the View Connection server:

C:\Program Files\VMware\VMware View\Server\tools\bin

image

Begin by launching the command prompt and navigating to the directory:

image

Execute the following command to list all of the domains VMware Horizon View can see:

vdmadmin -N -domains -list -active

image

Use the following command to list the current include and exclude domains:

vdmadmin -N -domains –list

image

To exclude the domain named MSAD, execute the following:

vdmadmin -N -domains -exclude -domain MSAD -add

**Note that you can only use NetBIOS names for the domain and not the FQDN.

Once the exclusion has been added, you should be able to use the vdmadmin -N -domains -list command to display the list showing that the domain is excluded:

image

With the domain MSAD added to the exclude list for the cluster, restart the VMware View Connection Server service and you should now see the domain no longer listed:

image

Executing the following command should no longer show MSAD as a active domain:

vdmadmin -N -domains -list -active

image

If you want to remove the MSAD domain from the exclude list, you can execute the following:

vdmadmin -N -domains -exclude -remove -domain MSAD

image

Also note that as soon as a domain is filtered out, the logon page for VMware Horizon View Administrator will no longer display it in the Domain: drop down menu:

image

image