10 Tips Every XenDesktop Admin Should Know

Citrix Support Secrets

Webinar Series
Mick Glover Sr. Readiness Specialist, Worldwide Support Readiness
January 30, 2014

Presenter Bio: Mick Glover

Over 18 Years of Experience in IT
Joined Citrix in January 2005
Started as Senior member of Frontline team
Spent 3 years working as an Escalation Engineer
Been with the WW Readiness team since 2009
Certifications: CCA, CCEE, CCIA, CCI & MCSE
SME areas: XenDesktop, App Orchestration, UPM
Promotes the XD Tipster Blog Series and @XDtipster twitter feed

At the end of this webinar, you will be able to:
Customize your PoSH working environment
Validate the true state of FMA services and identify possible issues
Generate and apply Schema update scripts against Site DB
Logically group machines using Broker tags
Manage computer a/cs and naming schemes for MCS Catalogs
Explicitly Control access to desktops through PoSH
Configure aspects of XD using built-in Citrix PSProviders
Configure advanced PMGMT features
Create service DB scripts of various types to facilitate XD Deployments
Tip Number 10
Creating a customized XD PoSH $profile

What is a PoSH Profile?

The nuts and Bolts
PoSH script file (.ps1) that runs when PoSH starts up
Can contain Cmdlets, Scripts, functions i.e. any valid PoSH commands

Can be used to set-up and customize your PoSH env

Advantage for XenDesktop administrators?
Let's take a look.

Step 1: Confirm if profile already exists

Test-path $profile
Return value False = No existing profile
Return value True = Existing profile

Step 2: Create PoSH $Profile

New-Item -Type File $profile
-Force parameter can be used to overwrite an existing profile

Step 3: Configure PoSH $Profile

Notepad $profile
Type notepad $profile
Enter commands to customize PoSH env
File > Save > Exit

Step 4: Confirm existence of $Profile

Test-Path $profile
Expected return value = True
Edit at any stage by typing Notepad $profile and pressing Return

New-Item PoSH cmdlet

-Force switch Usage
Allows the cmdlet to create an item that writes over an existing read-only item

Step 5: Confirm $Profile functionality

E.G. Get-BrokerSite

Tip Number 9
Service MGMT (Checking the state of FMA services through PoSH)

Checking the Status of the controller Services

Windows services applet won't paint the full picture
Run Get-<Alias>ServiceStatus for each service
Expected return value = OK

Other Possible Return values include:


Let's take a look

PoSH - Validating Service Status

XD 5.x
Use Get-BrokerServiceStatus (Broker Service)
Use Get-ConfigServiceStatus (Configuration Service)
Use Get-HypServiceStatus (Host Service)
Use Get-AcctServiceStatus (AD Identity Service)
Use Get-ProvServiceStatus (Machine Creation Service)
Use Get-PvsvmServiceStatus (Machine Identity Service)
Use Get-LicServiceStatus (License Service)

PoSH - Validating Service Status

XD 7.x 1 of 2
Use Get-BrokerServiceStatus (Broker Service)
Use Get-ConfigServiceStatus (Configuration Service)
Use Get-HypServiceStatus (Host Service)
Use Get-AcctServiceStatus (AD Identity Service)
Use Get-ProvServiceStatus (Machine Creation Service)
Use Get-LicServiceStatus (License Service)

PoSH - Validating Service Status

XD 7.x 2 of 2
Use Get-EnvTestServiceStatus (Environment Test Service)
Use Get-SfServiceStatus (Storefront Service)
Use Get-MonitorServiceStatus (Monitor Service)
Use Get-LogServiceStatus (Configuration Logging Service)
Use Get-AdminServiceStatus (Delegated Administration Service)

Get-BrokerServiceStatus - Return Values (1 of 2)

The broker is connected to a database that is valid, and the service is running.

The broker does not have a database connection

The database rejected the logon from the Broker Service. This may be caused by bad credentials, or the database not being installed.

The database schema is missing (possibly just the stored procedures in it).

The specified database could not be located with the configured connection string.

The broker is connected to a database that is valid, but it does not have the full functionality required for optimal performance. Upgrading the database is

The broker is connected to a database that is valid, but it does not have the full functionality required so the broker cannot function. Upgrading the database is

Get-BrokerServiceStatus - Return Values (2 of 2)

The broker is too old to use the database. A newer version is required.

The database is too old for the Broker Service. Upgrade the database.

A database schema upgrade is in progress.

Connectivity between the Broker Service and the database has been lost. This may be a transitory network error, but may indicate a loss of connectivity that requires administrator intervention.

Connectivity between the broker and the database has been lost for an extended period of time, or has failed due to a configuration problem. The broker service cannot operate while its connection to the database is

The Service's status cannot be determined

Validating the Status of the controller Services

Write simple .ps1 script for single Controller to make your life easier
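
A script of the kind this slide suggests, as an added example that is not from the original webinar: it runs every service status cmdlet listed above that exists on the Controller (so it covers both 5.x and 7.x) and flags any value other than OK. It assumes the Citrix snap-ins are installed and that each cmdlet returns an object with a ServiceStatus property.

```powershell
# Added example, not from the original slides.
# Assumption: run on a Controller with the Citrix PowerShell snap-ins installed.
Add-PSSnapin Citrix* -ErrorAction SilentlyContinue

# Status cmdlets named on the slides (XD 5.x and 7.x lists combined).
$cmdlets = @(
    'Get-BrokerServiceStatus',  'Get-ConfigServiceStatus',  'Get-HypServiceStatus',
    'Get-AcctServiceStatus',    'Get-ProvServiceStatus',    'Get-PvsvmServiceStatus',
    'Get-LicServiceStatus',     'Get-EnvTestServiceStatus', 'Get-SfServiceStatus',
    'Get-MonitorServiceStatus', 'Get-LogServiceStatus',     'Get-AdminServiceStatus'
)

$results = foreach ($name in $cmdlets) {
    # Cmdlets that do not exist in this XD version are reported, not treated as failures.
    $status = 'NotInstalled'
    if (Get-Command $name -ErrorAction SilentlyContinue) {
        try   { $status = [string](& $name -ErrorAction Stop).ServiceStatus }
        catch { $status = "Error: $($_.Exception.Message)" }
    }
    New-Object PSObject -Property @{ Cmdlet = $name; Status = $status }
}

$results | Select-Object Cmdlet, Status | Format-Table -AutoSize

# Anything other than OK needs attention (see the return values above).
$problems = @($results | Where-Object { $_.Status -ne 'OK' -and $_.Status -ne 'NotInstalled' })
if ($problems.Count -gt 0) {
    $names = ($problems | ForEach-Object { $_.Cmdlet }) -join ', '
    Write-Warning ("{0} service(s) not OK: {1}" -f $problems.Count, $names)
    exit 1
}
```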

Validating the Status of the controller Services

Return value is important

What does DBMissingOptionalFeature mean?

Run Help Get-BrokerServiceStatus -Full to find out
The broker is connected to a database that is valid, but it does not have the full
functionality required for optimal performance. Upgrading the database is
Next Step? See Tip 8

Tip Number 8
Checking & Updating DB Schema versions manually through PoSH

DB Schemas
Each Service has its own DB Schema and set of tables that it communicates
DB Schema version should match the version of the service itself for optimal
Let's take a look and see what the problem is

Step 1: Run Get-BrokerInstalledDbVersion

Check current Broker Service DB schema and available upgrade options

Step 2: Run Get-BrokerController

Check Controller Version

Step 3: Run Get-BrokerDBVersionChangeScript

Create upgrade script

Step 4: Disconnect Controller from DB

Any controller can essentially be turned off (disconnected from the DB) by unconfiguring the services
You could also stop the Broker Service
2012 Citrix | Confidential Do Not Distribute

Step 5: Upgrade the Broker Service Schema

Execute the upgrade_71.sql file on the SQL Server in SQLCMD mode and against the XD DB
Check messages window for
Start the Broker service once again on the Controller prior to Step 7 (Next
Step 7: Check Status of Broker Service again

Expected return value = OK
Remember: Creating simple scripts will make your life easier and can be fun to
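
Steps 1 to 3 as one script, as an added example that is not from the original webinar. The database name and output path are placeholders, and choosing the highest available upgrade version is an assumption about the intended target.

```powershell
# Added example, not from the original slides.
Add-PSSnapin Citrix.Broker.Admin.* -ErrorAction SilentlyContinue

$dbName  = 'XD_SITE_DB'            # placeholder: your site database name
$outFile = '.\broker_upgrade.sql'  # placeholder: where to save the script

# Step 1: installed schema version and the versions it can be upgraded to.
$installed = Get-BrokerInstalledDbVersion
$targets   = @(Get-BrokerInstalledDbVersion -Upgrade)
"Installed Broker schema: $installed"

# Step 2: Controller versions, to compare against the schema version.
Get-BrokerController |
    Select-Object DNSName, ControllerVersion, State |
    Format-Table -AutoSize

if ($targets.Count -eq 0) {
    'No upgrade versions offered; nothing to generate.'
    return
}

# Step 3: generate the change script for the highest available version.
$target = $targets | Sort-Object | Select-Object -Last 1
$change = Get-BrokerDBVersionChangeScript -DatabaseName $dbName -TargetVersion $target
$change.Script | Out-File -FilePath $outFile -Encoding Unicode
"Wrote upgrade script for schema $target to $outFile"
```

Review the generated file before running it in SQLCMD mode as described in Step 5.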

Tip Number 7
Machine Tagging

Machine Tagging
The Nuts and Bolts
Machine tagging first introduced in XD 5.x
Can be used to create a logical grouping of machines within a site
Across Delivery Groups & OUs

This can have advantages when configuring HDX Policies/Access to resources

Let's take a look

Machine Tagging through Citrix Studio

Any machine which is part of a Delivery or Desktop Group can be tagged within
Citrix Studio

Assigning Tags through PoSH

Example - Alternative Option
New-BrokerTag -Name Executive
$desktop = Get-BrokerDesktop -Uid 1
Add-BrokerTag -Name Executive -Desktop $desktop

Assigning Tags through PoSH

Visual Example 2

Confirming Machine UIDs

Viewing Tags through PoSH

Use Select Command
Get-BrokerMachine | select machinename, tags | format-table

HDX Tag Filter

Use Case
HDX Policies can be applied against specific tags

Tip Number 6
Managing the Identity Pool StartCount and NamingScheme Parameters for MCS Catalogs

Identity Pools
Created and managed by the AD Identity Service
Associated with Catalogs

IdentityPoolName & ProvisioningSchemeName matching values

XenDesktop A/C delete/re-use options

MCS Only
Important to understand delete options in relation to machine a/c mgmt
NB: If machine AD a/c is deleted then it can be used again automatically as long as the StartCount value is reset to match
If AD a/c is not deleted then resetting the StartCount will have no impact
StartCount value determines

Changing the NamingScheme


Set-AcctIdentityPool -IdentityPoolName "Windows 7 SP1 x86 - 1GB" -NamingScheme WebinarTest# -StartCount 1
Note: Unless the StartCount value is explicitly set then it will remain as it was prior to the change in NamingScheme

Reverting NamingScheme
StartCount will not change

Tip Number 5
Controlling Access To Resources

XD Site Policies
Entitlement Policies (Pooled/Shared Desktops)

Assignment Policies (Dedicated/Private Desktops)


Access Policy
Get-BrokerAccessPolicyRule (Discussed during Tip# 2)

Let's take a look

Viewing BrokerEntitlementPolicy rule(s)

Training Win7 Delivery Group

By default, no exclusions are set

Setting a BrokerEntitlementPolicy rule

Edit existing rule for relevant Delivery Group

Revert Changes/Remove Exclusions

Use the -RemoveExcludedUsers parameter or empty the array using @()
Set-BrokerEntitlementPolicyRule -Name "Training Win7_1" -RemoveExcludedUsers training\user1 -ExcludedUserFilterEnabled $false
Set-BrokerEntitlementPolicyRule -Name "Training Win7_1" -ExcludedUserFilterEnabled $false -ExcludedUsers @()

Tip Number 4
Exploring Citrix PowerShell Providers

What are PowerShell Providers

The nuts and Bolts
Extensions which allow data structures to be mounted through PoSH
Available PSProviders can be viewed using Get-PSProvider
XenDesktop 5.x & 7.x ship with two PSproviders

Let's take a look.

View all available Providers

Run Get-PSProvider

Specific PS-Drives are created by default for each PSProvider

Use CD command to mount PSDrives

CD XDHYP: <Return>
CD LocalGPO: <Return>
CD Templates: <Return>
CitrixGroupPolicy PSProvider also supports other PSDrives that are not available by default
To view these options run Help New-PSDrive -Full from within the mounted LocalGPO or Templates drive

Example Usage: Enabling Intellicache

LocalStorageCaching related error

Creating HDX Policies through PoSH

Use the CitrixGroupPolicy PSProvider
New-PSDrive Webinar -PSProvider CitrixGroupPolicy -Root \ -Controller

Enable Setting
Example: ReadonlyClipboard
PS Webinar:\user\training\Settings\ica> Set-ItemProperty ReadonlyClipboard -Name State -Value enabled
Running dir under the Ica folder will return the following

Configure Tag filter through Citrix Studio

Allow: Training Tag

Validate Functionality
Through Registry

Tip Number 3
Configuring Extended Disconnect/Logoff settings

Extended Disconnect/Logoff Settings

Extending Functionality
Available for Pooled & Dedicated Desktops/Delivery Groups
Can only be configured through PoSH
Available for Peak & OffPeak hours
Let's take a look

View all disconnect options through PoSH

Get-BrokerDesktopGroup -Name "training win7" | select *peakdis*, *extende* |

Configuring Extended Disconnect Setting

Example: Peak Hours
Set-BrokerDesktopGroup -Name "Training Win7" -PeakExtendedDisconnectAction suspend -PeakExtendedDisconnectTimeout 5

Tip Number 2
Using the Site Access Policy to Restrict Access to

Site Access Policy

Contains two rules per Delivery Group by default
Direct Connections
Connections through Netscaler/AG

Similar to the Entitlement and Assignment site policy rules, Site access policy rules control access to resources
What is the key difference?
Entitlement & Assignment policy rules control user access (included/excluded users)
Access policy rules control the wider conditions

Let's take a look

Example: Restrict access from ClientIP

Return Access Policy rules for a specific Delivery Group
Get-BrokerAccessPolicyRule -DesktopGroupName "Training Win7 - Dedicated"

Edit the direct rule and exclude a specific IP address

Set-BrokerAccessPolicyRule "Training Win7 - Dedicated_Direct"
-ExcludedClientIPFilterEnabled $true -ExcludedClientIPs to restrict
access from the Win7Client machine

Tip Number 1
Manually Joining a Controller to an existing Site

Manually Joining a Controller to an existing Site

Simple three step process

Create Instance Scripts for each service running on DC1 (Controller)

Configure the DB connection string for each


Register each service with the Configuration


Let's take a look

Complete instructions can be found here

Before I Finish

XD Tipster Blog Series

XD Tipster Blogs
Just a selection
