
    Learning the Basics of Citrix Provisioning Services and XenApp 5 for Windows Server 2003 Part 1 of 3

    Building servers manually, one at a time, is a long-standing and honorable tradition in Information Technology (IT) organizations.  And it needs to stop!

    Many issues can arise when servers are built manually.  One of the most dangerous and insidious is that inconsistencies between server builds are bound to happen.  Even with a thoroughly documented manual build process, someone will take a shortcut, a new update will be installed on one server but not the next and, well, some people are just lazy.

    In the Citrix XenApp world, inconsistencies in server builds cause problems that can be very time consuming to resolve.  For example, if shadowing is disabled on a XenApp server when it was supposed to be enabled, the only way to “fix” that server is to uninstall XenApp and install it again, because the shadowing choice is made during installation.  Using Citrix Provisioning Services (PVS) allows XenApp servers to be built consistently from one image and allows additional XenApp servers to be added to a farm with relatively little effort.

    This article will cover the basics of integrating PVS 5.6 SP1 with XenApp 5 for Server 2003 using XenServer 5.6 SP2.

    The techniques covered here apply whether you are using XenServer, VMware ESX/vSphere, Microsoft Hyper-V, or even physical servers.  In the real world, PVS is not a product where you insert the CD, run setup.exe, click through the installer and expect it to work.  Even in a lab environment, installing and configuring PVS is not a trivial task.  There are numerous decisions to make before the first PVS server can be installed.  Among them are:

    • Will DHCP be used?
    • Will PXE be used?
    • Will TFTP be used?
    • Will VLANs be needed?
    • Will the PVS SQL database be created ahead of time?
    • Will an Active Directory (AD) service account be used for PVS?
    • How will all the necessary permissions be handled when using an AD service account?
    • How many physical sites will need PVS servers?
    • How much bandwidth is available between sites?
    • How many PVS servers will be needed?
    • How much and what type of disk storage space will be needed?
    • How will the virtual disks (vDisks) be replicated between the PVS servers?

    And finally, how do we make everything listed above Highly Available?

    Lab Setup

    Domain Controller

    • Windows Server 2008 R2
    • IP address
    • Domain Controller
    • DNS
    • DHCP
    • Windows Server 2008 R2 Domain and Forest Function Levels
    • Citrix License Server 11.9

    SQL Server

    • Windows Server 2008 R2
    • IP address
    • Microsoft SQL Server 2008 R2

    PVS Server

    • Windows Server 2008 R2
    • IP address
    • PVS 5.6 SP1
    • TFTP
    • Windows Firewall Disabled and Stopped

    XenApp 5 Zone Data Collector

    • Windows Server 2003 R2 64-bit
    • IP address
    • XenApp 5 Server 2003 64-bit
    • Dedicated Zone Data Collector
    • XML Broker

    XenApp 5 Master Image

    • Windows Server 2003 R2 64-bit
    • DHCP Reservation for
    • XenApp 5 Server 2003 64-bit

    Preparation Work

    Before getting started on this project, you should realize there is not “one best way” to implement and use PVS.

    Every environment or project may implement and use PVS differently.  For example, XenDesktop can be used with dynamic IP addresses, but XenApp servers need a fixed IP address, which for a PVS-streamed server means a DHCP reservation (as in the lab setup above).  Implementing XenDesktop and/or XenApp along with PVS will affect how DHCP, BOOTP, PXE or even the Boot Device Manager (BDM) is used.  Also, the process that defines how images are created and maintained will differ depending on the IT policies and procedures already in place, or created for the PVS implementation.

    PVS touches many areas of a network infrastructure.  Citrix has published guidelines for configuring switch ports and NICs.  Please see Best Practices for Configuring Provisioning Server on a Network at http://support.citrix.com/article/CTX117374.  The two main points from that document are:

    1. Depending on the type of your switches, ensure that the ports used by PVS servers and clients have the Spanning Tree Protocol (STP) disabled or the switch port is ignored by the STP (this is sometimes referred to as “enabling PortFast” by Cisco).
    2. Hard-code all PVS ports on the NIC and on the switch to have matching speeds and duplex settings.  Do not use auto-negotiate.

    There are at least five other documents you should read before you implement PVS:

    1. Citrix Provisioning Services 5.6 SP1 Installation and Configuration Guide (http://support.citrix.com/article/CTX124791)
    2. Citrix Provisioning Services 5.6 SP1 Administrator’s Guide (http://support.citrix.com/article/CTX124792)
    3. Provisioning Services Components Interaction (http://support.citrix.com/article/CTX127438)
    4. Provisioning Services 5.6 Best Practices (Provisioning Services 5.6 Best Practices PDF)
    5. Citrix Provisioning Services Security Backgrounder (http://support.citrix.com/article/CTX120803)

    Let’s begin.

    You have the option of running Microsoft DHCP on the PVS server or on another computer.  In my lab, I have DHCP installed on the Domain Controller.

    Create a DHCP scope for the servers.  You will need an address pool large enough for the XenApp servers that will receive streamed images (Figure 1).

    Figure 1

    Option 66 (Boot Server Host Name) is the IP address of the PVS Server running TFTP.  Option 67 (Boot File Name) should be set to ardbp32.bin.   Both are shown in Figure 2.

    Figure 2
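    The scope, the two options and the per-server reservations from Figures 1 and 2 can be scripted instead of clicked through.  The following is an added example, not code from the original article or from Citrix: it uses netsh, because the Server 2008 R2 DHCP server used in this lab has no DhcpServer PowerShell module (that arrived with Server 2012).  The DHCP server name, subnet, address range, PVS server address, computer name and MAC address are assumptions.  One caveat a practitioner should keep in mind: options 66/67, PXE and TFTP are all unauthenticated, so anything that can answer DHCP or PXE requests on that VLAN can point a target at a different bootstrap.  That is one reason the VLAN question above matters, and why the Citrix Security Backgrounder listed earlier is worth reading before the first server boots.

```powershell
# Added example (not from the original article). Builds the PVS DHCP scope on a
# Server 2008 R2 DHCP server with netsh. All addresses and names below are assumed.
$DhcpServer = 'DC01'                 # assumed: DHCP runs on the domain controller
$Subnet     = '192.168.10.0'
$Mask       = '255.255.255.0'
$RangeStart = '192.168.10.100'
$RangeEnd   = '192.168.10.199'
$PvsTftp    = '192.168.10.20'        # assumed: PVS server that also runs TFTP
$BootFile   = 'ardbp32.bin'          # PVS bootstrap, as in Figure 2

# netsh returns text; a non-zero $LASTEXITCODE means the command failed.
function Invoke-Netsh([string[]]$NetshArgs) {
    $out = & netsh.exe @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($NetshArgs -join ' ') failed: $out" }
    $out
}
$Server = @('dhcp', 'server', "\\$DhcpServer")

# 1. Scope with an address pool large enough for every streamed XenApp server
Invoke-Netsh ($Server + @('add', 'scope', $Subnet, $Mask, 'PVS-XenApp', 'Streamed XenApp servers'))
Invoke-Netsh ($Server + @('scope', $Subnet, 'add', 'iprange', $RangeStart, $RangeEnd))

# 2. Scope options: 066 = PVS/TFTP server, 067 = bootstrap file name
Invoke-Netsh ($Server + @('scope', $Subnet, 'set', 'optionvalue', '066', 'STRING', $PvsTftp))
Invoke-Netsh ($Server + @('scope', $Subnet, 'set', 'optionvalue', '067', 'STRING', $BootFile))

# 3. One reservation per streamed XenApp server so its address never changes.
#    Key = computer name, value = MAC (hex, no separators) and IP. Assumed values.
$Reservations = @{}
$Reservations['XA01'] = @('001122334455', '192.168.10.101')
foreach ($name in $Reservations.Keys) {
    $mac, $ip = $Reservations[$name]
    Invoke-Netsh ($Server + @('scope', $Subnet, 'add', 'reservedip', $ip, $mac, $name, 'PVS streamed XenApp server', 'BOTH'))
}

# 4. Activate the scope, then read the options back and make sure 67 is the PVS bootstrap
Invoke-Netsh ($Server + @('scope', $Subnet, 'set', 'state', '1'))
$shown = Invoke-Netsh ($Server + @('scope', $Subnet, 'show', 'optionvalue'))
if (($shown -join "`n") -notmatch 'ardbp32\.bin') { throw 'Option 067 is not set to ardbp32.bin' }
$shown
```

    Run it once per scope from an account that is a DHCP administrator on the DHCP server.  The reservation table is where the "XenApp needs a fixed IP address" requirement from the preparation notes is actually enforced; add one entry per streamed server before that server boots for the first time.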

    You will need to create an Organizational Unit (OU) in AD specifically for the PVS servers (Figure 3).  I pre-stage my servers by creating the computer accounts in the appropriate OU.  When a server is joined to the AD domain it is already in the correct OU and receives the correct Group Policies on the first reboot after the domain join completes.

    Figure 3

    Create an OU specifically for the XenApp servers, including the XenApp servers that will be streamed by PVS (Figure 4).

    Figure 4

    Create a Group Policy and link it to the OU containing the PVS Servers (Figure 5).

    Figure 5

    Note:  The following registry value could instead be set by editing the registry during the original build of the PVS server.  The advantage of editing the registry is that the setting is hard coded in the server build and does not depend on a Group Policy.  The disadvantage is that it is a manual step, and a manual step can be skipped when building the server.  Setting the value through a Group Policy Preference automates it: when a future PVS server is joined to the domain and restarted, it receives the registry setting automatically, so the setting is in place before PVS is installed.

    Note:  The same setting also applies to the streamed XenApp servers, because the PVS target device software has its own UDP stack and therefore cannot take advantage of the NIC’s hardware offload features.  The PVS server itself uses the full NDIS TCP/IP stack, so those hardware enhancements are invisible to it.

    The Group Policy will need only one Computer Configuration Preference setting (Figure 6).

    • Action: Update
    • Hive: HKEY_LOCAL_MACHINE
    • Key Path: SYSTEM\CurrentControlSet\Services\TCPIP\Parameters
    • Value name: “DisableTaskOffload”
    • Value type: REG_DWORD
    • Value data: “1”

    Figure 6

    Next, create another Group Policy and link it to the OU for the XenApp servers streamed from PVS (Figure 7).

    Figure 7

    This Group Policy also needs only a single setting (Figure 8).

    Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options | Domain Member: Disable machine account password changes > Enabled

    This matters because a streamed server in standard image mode discards its write cache at every reboot.  If Windows rotated the machine account password on its own, the new password would be lost at the next boot while AD still expected it, and the server would no longer be able to authenticate to the domain.  With this setting enabled the OS leaves the password alone; PVS can manage the machine account passwords itself when the farm’s automatic password support is enabled.

    Figure 8
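    The OUs, the pre-staged computer accounts and the two Group Policies from Figures 3 through 8 can be built with the ActiveDirectory and GroupPolicy modules that ship with Server 2008 R2 RSAT.  The following is an added example, not code from the original article or from Citrix, and it makes one substitution: Set-GPRegistryValue writes a registry policy (registry.pol) rather than the Group Policy Preference item used above, and it sets the “Disable machine account password changes” option through the registry value that security option controls (Netlogon\Parameters\DisablePasswordChange).  The value that reaches each server is the same; what differs is where the setting shows up in the GPMC editor.  OU names, GPO names and computer names are assumptions.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory and
# GroupPolicy modules (Server 2008 R2 RSAT) and an account that can create OUs,
# computer accounts and GPOs. OU, GPO and computer names are assumed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = (Get-ADDomain).DistinguishedName

function New-OuIfMissing([string]$Name, [string]$ParentDN) {
    $dn = "OU=$Name,$ParentDN"
    if (-not [adsi]::Exists("LDAP://$dn")) {
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN | Out-Null
    }
    return $dn
}

# OU for the PVS servers; OU for XenApp with the streamed servers in a child OU,
# so the "no machine password change" policy reaches only the streamed servers.
$PvsOu    = New-OuIfMissing 'PVS Servers'    $DomainDN
$XenAppOu = New-OuIfMissing 'XenApp Servers' $DomainDN
$StreamOu = New-OuIfMissing 'Streamed'       $XenAppOu

# Pre-stage computer accounts so each server is in the right OU, and therefore
# gets the right GPOs, on its first reboot after the domain join. Names assumed.
$PreStage = @{}
$PreStage[$PvsOu]    = @('PVS01')
$PreStage[$XenAppOu] = @('XADC01')          # dedicated Zone Data Collector
$PreStage[$StreamOu] = @('XA01', 'XA02')    # streamed XenApp servers
foreach ($ou in $PreStage.Keys) {
    foreach ($name in $PreStage[$ou]) {
        if (-not (Get-ADComputer -Filter "Name -eq '$name'")) {
            New-ADComputer -Name $name -SamAccountName $name -Path $ou -Enabled $true
        }
    }
}

function New-LinkedGpo([string]$Name, [string]$TargetOu) {
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    # New-GPLink fails if the link already exists, so check the OU's links first
    $linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object { $_.DisplayName -eq $Name }
    if (-not $linked) { New-GPLink -Name $Name -Target $TargetOu -LinkEnabled Yes | Out-Null }
    return $gpo
}

# PVS servers: DisableTaskOffload = 1 (HKLM, REG_DWORD), the value from Figure 6
$pvsGpo = New-LinkedGpo 'PVS Servers - DisableTaskOffload' $PvsOu
Set-GPRegistryValue -Name $pvsGpo.DisplayName `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
    -ValueName 'DisableTaskOffload' -Type DWord -Value 1 | Out-Null

# Streamed XenApp servers: "Domain member: Disable machine account password changes"
# is stored as Netlogon\Parameters\DisablePasswordChange = 1 on the client.
$xaGpo = New-LinkedGpo 'Streamed XenApp - Disable machine password changes' $StreamOu
Set-GPRegistryValue -Name $xaGpo.DisplayName `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
    -ValueName 'DisablePasswordChange' -Type DWord -Value 1 | Out-Null

# Read both values back from the GPOs before any server is joined
Get-GPRegistryValue -Name $pvsGpo.DisplayName -Key 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Get-GPRegistryValue -Name $xaGpo.DisplayName  -Key 'HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
```

    If you want the setting to appear exactly as in Figure 6 (a Group Policy Preference registry item) rather than as a registry policy, create the preference in the GPMC editor as the article shows; the script above still does the OU, pre-staging and linking work.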

    On my SQL Server, I created a database for the XenApp 5 farm data store.  I will let the PVS Configuration Wizard create the PVS Farm database.  If you or your database administrator prefer to create the PVS database before configuring PVS, use the DBScript.exe utility, which is installed with PVS.

    Citrix License Server 11.9 is installed on the Domain Controller with XenApp 5 Platinum licenses installed.  XenApp Platinum edition provides the necessary licenses to use PVS.
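    Once a pre-staged server has been joined and rebooted, it is worth confirming that the two Group Policy settings above actually landed, that the machine account still authenticates, and that the NICs honour the no-auto-negotiate guidance from CTX117374, before the server is turned into a master image.  The following is an added example, not code from the original article or from Citrix; it is meant to be run locally on a PVS server or a streamed XenApp server with PowerShell 2.0 installed.  The speed/duplex check reads the NDIS standard keyword *SpeedDuplex from the network class key; the assumption that a value of 0 means auto-negotiate holds for most drivers but not necessarily all, so treat that part as a hint rather than a verdict.

```powershell
# Added example (not from the original article). Post-join checks for a PVS server
# or a streamed XenApp server. Exits non-zero if any check fails.
function Get-RegDword([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { [int]$item.$Name } else { $null }
}

$failed = @()

# 1. The two registry values pushed by the Group Policies above
$checks = @(
    @{ Name = 'DisableTaskOffload';    Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';    Expect = 1 },
    @{ Name = 'DisablePasswordChange'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Expect = 1 }
)
foreach ($c in $checks) {
    $actual = Get-RegDword $c.Path $c.Name
    if ($actual -eq $c.Expect) { $state = 'OK  ' } else { $state = 'FAIL'; $failed += $c.Name }
    '{0} {1} = {2} (expected {3})' -f $state, $c.Name, $actual, $c.Expect
}

# 2. The machine account password must still be accepted by a domain controller.
#    A streamed server whose OS rotated the password into a write cache that was
#    then discarded at reboot fails here with a broken trust relationship.
if (Test-ComputerSecureChannel) { 'OK   secure channel to the domain' }
else { 'FAIL secure channel to the domain is broken'; $failed += 'SecureChannel' }

# 3. Speed/duplex hard-coded on every NIC (assumption: *SpeedDuplex = 0 is auto-negotiate)
$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
Get-ChildItem $classKey -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    if ($p -and $p.PSObject.Properties['*SpeedDuplex']) {
        $v = [string]$p.'*SpeedDuplex'
        if ($v -eq '0') { "FAIL $($p.DriverDesc) is set to auto-negotiate"; $failed += "AutoNegotiate:$($p.DriverDesc)" }
        else            { "OK   $($p.DriverDesc) *SpeedDuplex = $v" }
    }
}

if ($failed) { Write-Warning ('Checks failed: ' + ($failed -join ', ')); exit 1 }
'All checks passed'
```

    Run the check on the master image before it is converted to a vDisk, and again on the first streamed server; a failure in step 2 on a streamed server usually means the password policy was linked after the server had already rotated its password.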



    About Carl Webster

    Webster is a Sr. Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.


    4 Responses to “Learning the Basics of Citrix Provisioning Services and XenApp 5 for Windows Server 2003 Part 1 of 3”

    1. Christopher Buford Says:

      Thanks for your response Carl. I agree, BDM is not something you would want in a physical environment. My experience is just the opposite, my projects seem to be virtual. I was able to find an article by Nick, in which he was questioning do we still need to segment traffic in PVS, he did make a statement in that blog article, which makes it seem he is an advocate of BDM.

      “And I still find many customers and partners don’t know about our swiss army knife – BDM! Instead of dealing with “fun” PXE traffic and trying desperately to load balance TFTP, simply boot from an ISO with BDM and you’ll eliminate a lot of the networking complexity associated with PVS deployments.”


      Once again, thanks and keep up the great work.


    2. Christopher Buford Says:

      Carl, may I ask, why isn’t BDM used or recommended more often? It is a lot less complex and it works in most all situations. Do you know of any reasons “Not” to use BDM for the bootstrap process? I would like to begin using this as my default deployment, unless reasons prove otherwise.


      • Carl Webster Says:

        Almost all the PVS work I have done involved physical target devices. Using BDM in that scenario would be a royal PITA. At the recent Synergy 2012 in San Francisco, four people from CCS (IIRC) said they preferred BDM as you didn’t have to worry about making stuff like TFTP HA. Just make sure you create a BDM ISO file for each storage repository in XenServer, vSphere or Hyper-V. Unfortunately, that session was not recorded. I cannot find any articles from any of the regular CCS guys (Daniel Feller, Nick Rintalan) who blog about using BDM.

        Hope that helps.



    3. Roger Birong, Jr. Says:

      Ah, glad to see you finally put this up! Really well done. I look forward to the other parts.

