Friday, April 28, 2017

Unable to search for users outside of the domain the Citrix XenDesktop 7.11 Citrix Director server is joined to

Problem

You’ve noticed that your Citrix XenDesktop 7.11 environment with Citrix Director installed:

image

image

… is unable to look up users from another domain that there is a forest trust configured to:

image

imageimage

Navigating into the Sessions tab displays these foreign domain accounts:

image

… and navigating into the Filters menu displays these accounts:

image

Clicking on the listed accounts from the foreign domain opens the properties of the account:

image

However, you receive the following messages:

Cannot retrieve machines.

No details are available.

image

Clicking on the user icon on the top left corner displays the following message:

User details cannot be retrieved from Active Directory.

Cannot find the user. View Director server event logs for further information (Refer Citrix KB article CTX130320).

image

Solution

A default install of Citrix Directory requires additional configuration to allow it to look up accounts in other domains that have forest trusts configured and the following demonstrates the process.

Begin by launching the Internet Information Services (IIS) Manager on the Citrix Director server then navigate to: Sites > Default Web Site > Director and open up the Application Settings configuration:

image

Select the Connector.ActiveDirectory.Domains line item and then click Edit:

image

In the Value field:

image

Append the additional domain that there is a forest trust configured and contains accounts you would like Citrix Director to lookup:

image

Note the additional domain at the end of the string (user);(server),:

image

A restart of IIS is not required so proceed to log back into the Citrix Director console:

image

You should now notice that the problematic accounts from the foreign domain will now display information:

image

image

image

Searching for these accounts will now work as expected:

image

Monday, April 24, 2017

Attempting to install the Citrix XenDesktop 7.11 VDA agent fails with: Installation of MSI File ‘IcaWS_x64.msi’ failed with code ‘InstallPackageOpenFailed’ (1619).”

Problem

You’re attempting to the Citrix XenDesktop 7.11 VDA agent on a Windows 7 desktop but the installation immediately fails with the following error message:

Installation of MSI File ‘IcaWS_x64.msi’ failed with code ‘InstallPackageOpenFailed’ (1619).

image

Clicking on the View Details link displays the following:

Error Id: XDMI:B70F91CB

Exception:

Citrix.MetaInstaller.MetaInstallerException Installation of MSI File 'IcaWS_x64.msi' failed with code 'InstallPackageOpenFailed' (1619).

at Citrix.MetaInstaller.Msi.InstallProduct(InstallationContext context, String msiPath, String parameters)

at Citrix.MetaInstaller.MsiComponent.Install(InstallationContext context)

at Citrix.MetaInstaller.InstallationManager.InstallComponent(IInstallableComponent component, InstallationContext installContext)

image

Reviewing the installation logs has the following information at the end of the log:

16:32:18.9638 $ERR$ : XenDesktopSetup:MSI file C:\Windows\TEMP\Ctx-AD3A7E10-3F36-4A0C-BE5F-B348771B0200\Extract\Image-Full\x64\Virtual Desktop Components\WS\IcaWS_x64.msi not found on media.

16:32:18.9658 : XenDesktopSetup:About to install MSI File 'C:\Windows\TEMP\Ctx-AD3A7E10-3F36-4A0C-BE5F-B348771B0200\Extract\Image-Full\x64\Virtual Desktop Components\WS\IcaWS_x64.msi' using params 'INSTALLDIR="C:\Program Files\Citrix" ARPSYSTEMCOMPONENT="1" MSIFASTINSTALL="1" MSIRMSHUTDOWN="2"' log file is 'C:\Users\tluk\AppData\Local\Temp\Citrix\XenDesktop Installer\MSI Log Files\IcaWS_x641895175363.txt'

16:32:18.9658 : XenDesktopSetup:Starting synchronous process 'msiexec' with args '/i "C:\Windows\TEMP\Ctx-AD3A7E10-3F36-4A0C-BE5F-B348771B0200\Extract\Image-Full\x64\Virtual Desktop Components\WS\IcaWS_x64.msi" /lv "C:\Users\tluk\AppData\Local\Temp\Citrix\XenDesktop Installer\MSI Log Files\IcaWS_x641895175363.txt" /quiet INSTALLDIR="C:\Program Files\Citrix" ARPSYSTEMCOMPONENT="1" MSIFASTINSTALL="1" MSIRMSHUTDOWN="2" CLOUD=False REBOOT=ReallySuppress'

16:32:19.0158 : XenDesktopSetup:Process output: T h i s i n s t a l l a t i o n p a c k a g e c o u l d n o t b e o p e n e d . V e r i f y t h a t t h e p a c k a g e e x i s t s a n d t h a t y o u c a n a c c e s s i t , o r c o n t a c t t h e a p p l i c a t i o n v e n d o r t o v e r i f y t h a t t h i s i s a v a l i d W i n d o w s I n s t a l l e r p a c k a g e .

16:32:19.0168 : XenDesktopSetup:Process output:

16:32:19.0178 : XenDesktopSetup:Process output:

16:32:19.0188 : XenDesktopSetup:Process completed with error code 1619

16:32:19.0188 $ERR$ : XenDesktopSetup:Installation of MSI File 'IcaWS_x64.msi' failed with code 'InstallPackageOpenFailed' (1619).

16:32:19.0198 $ERR$ : XenDesktopSetup:InstallComponent: Failed to install component 'ICA for Workstation Services'. Installation of MSI File 'IcaWS_x64.msi' failed with code 'InstallPackageOpenFailed' (1619).

16:32:19.0198 $ERR$ : XenDesktopSetup:Recording installation failure. Installation of MSI File 'IcaWS_x64.msi' failed with code 'InstallPackageOpenFailed' (1619).

16:32:19.0208 PROC : XenDesktopSetup:InstallComponent: Exit

16:32:19.0208 : XenDesktopSetup:Install tasks for this session have finished.

16:32:19.0208 : XenDesktopSetup:Installation failed

16:32:19.0638 : XenDesktopSetup:InstallationManager returned Failed

image

Solution

This error actually threw me off for quite a few hours because the client called me to troubleshoot the issue over the phone which meant I wasn’t able to run the install myself.  After downloading different versions of the VDA agent, disjoining the template from the domain to eliminate GPO related issues, reviewing Windows hotfixes and patching the Windows 7 desktop to the latest version, what ended up being the issue was that the client used the server version of the the VDA agent:

VDAServerSetup_7.11

image

The installation completed as soon as the client downloaded the correct VDA agent:

VDAWorkstationSetup_7.11

image

image

Friday, April 21, 2017

Attempting to run an Export job with Microsoft Forefront Identity Manager 2010 R2 throws the error: “stopped-extension-dll-exception”

Problem

You’ve noticed that your previously operational Microsoft Forefront Identity Manager 2010 R2 throws the error the following error when you execute an Export job:

stopped-extension-dll-exception

image

Exchange 2010 contacts in the are either no longer updated or created in the source domain. 

You proceed into the connector’s properties under Management Agents:

image

Review and confirm that the service account is correct:

imageimage

Reviewing the event logs show the following errors displayed in the Application logs:

Log Name: Application

Source: FIMSynchronizationService

Event ID: 6803

Level: Error

Task Category: Management Agent Run Profile

image

The management agent "FIM Connector" failed on run profile "Export" because the server encountered errors.

image

Log Name: Application

Source: FIMSynchronizationService

Event ID: 0

Level: Error

Task Category: None

image

The description for Event ID 0 from source FIMSynchronizationService cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

There is an error in Exch2010Extension BeginExportToCd() function.Type: System.Management.Automation.Remoting.PSRemotingTransportException

Message: Connecting to remote server failed with the following error message : The WS-Management service cannot process the request. The system load quota of 1000 requests per 2 seconds has been exceeded. Send future requests at a slower rate or raise the system quota. The next request from this user will not be approved for at least 1316187520 milliseconds. For more information, see the about_Remote_Troubleshooting Help topic.

Stack Trace: at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)

at System.Management.Automation.Runspaces.RunspacePool.Open()

at System.Management.Automation.RemoteRunspace.Open()

at Exch2010Extension.Exch2010ExtensionClass.OpenConnection(String uri, PSCredential credential)

at Exch2010Extension.Exch2010ExtensionClass.BeginExportToCd(String connectTo, String domain, String server, String user, String password)

the message resource is present but the message is not found in the string/message table

You attempt to use the following TechNet article to further troubleshoot by disabling Exchange provisioning confirming that the export now completes and manually executing the included PowerShell cmdlet:

FIM Troubleshooting: stopped-dll-exception: WinRM cannot process the request: Access Denied
https://social.technet.microsoft.com/wiki/contents/articles/15091.fim-troubleshooting-stopped-dll-exception-winrm-cannot-process-the-request-access-denied.aspx

imageimage

.. but you run into the error:

'contoso.com/contoso/Employees/TMRUK/GalContacts/Matthew  Evans' have been modified.
WARNING: The command completed successfully but no settings of
'contoso.com/contoso/Employees/TMRUK/GalContacts/Buu Truong' have been modified.
WARNING: The command completed successfully but no settings of
'contoso.com/contoso/Employees/TMRUK/GalContacts/Gemma Gregson' have been modified.
"DG_TMRUK_Pricing" is a MailForestContact and can't be modified.
    + CategoryInfo          : NotSpecified: (contoso...G_TMRUK_Pricing:ADObjectId) [Set-MailContact], TaskInva
   lidOperationException
    + FullyQualifiedErrorId : 69D6CABF,Microsoft.Exchange.Management.RecipientTasks.SetMailContact

"Terence Luk" is a MailForestContact and can't be modified.
    + CategoryInfo          : NotSpecified: (contoso...cts/Terence Luk:ADObjectId) [Set-MailContact], TaskInva
   lidOperationException
    + FullyQualifiedErrorId : 1DAD038F,Microsoft.Exchange.Management.RecipientTasks.SetMailContact

WARNING: The command completed successfully but no settings of
'contoso.com/contoso/Employees/TMRUK/GalContacts/Anna Ivanova' have been modified.
WARNING: The command completed successfully but no settings of
'contoso.com/contoso/Employees/TMRUK/GalContacts/DG_Operations' have been modified.
"Taro Murakami" is a MailForestContact and can't be modified.
    + CategoryInfo          : NotSpecified: (contoso...s/Taro Murakami:ADObjectId) [Set-MailContact], TaskInva
   lidOperationException
    + FullyQualifiedErrorId : 5FD06EB8,Microsoft.Exchange.Management.RecipientTasks.SetMailContact

"Sara Perdichizzi" is a MailForestContact and can't be modified.
    + CategoryInfo          : NotSpecified: (contoso...ara Perdichizzi:ADObjectId) [Set-MailContact], TaskInva
   lidOperationException
    + FullyQualifiedErrorId : E298C7BF,Microsoft.Exchange.Management.RecipientTasks.SetMailContact

"Giuseppe Ieraci" is a MailForestContact and can't be modified.
    + CategoryInfo          : NotSpecified: (contoso...Giuseppe Ieraci:ADObjectId) [Set-MailContact], TaskInva
   lidOperationException
    + FullyQualifiedErrorId : 28CFBAA8,Microsoft.Exchange.Management.RecipientTasks.SetMailContact

"Ken Tarbet" is a MailForestContact and can't be modified.
    + CategoryInfo          : NotSpecified: (contoso...acts/Ken Tarbet:ADObjectId) [Set-MailContact], TaskInva
   lidOperationException
+ FullyQualifiedErrorId : 2EE5477,Microsoft.Exchange.Management.RecipientTasks.SetMailContact

image

The AD and Exchange contacts also does not get created.

Other TechNet articles such as the following does not correct the issue:

FIM Troubleshooting: stopped-dll-exception troubleshooter document
https://social.technet.microsoft.com/wiki/contents/articles/8759.fim-troubleshooting-stopped-dll-exception-troubleshooter-document.aspx

Solution

After going through numerous TechNet articles and posts without making any progress, I went ahead and tried changing the Exchange 2010 RPS URI to another Exchange 2010 HT/CAS server:

image

… and the export job immediately worked.  This lead me to change my search query, which was when I found the following blog post that resolved the issue:

http://www.vspbreda.nl/nl/exchange/exchange-2010/exchange-2010-load-quota-1000-requests-exceeded/

What I needed to do was simply perform an iisreset on the problematic server to prevent the export job from erroring out:

image

Wednesday, April 19, 2017

Accelerating Exchange 2016 DAG (Database Availability Group) replication with Riverbed SteelHead

I’ve recently had to work with a Riverbed engineer to determine why the traffic between an Exchange server in Bermuda and London was not being accelerated by the Riverbeds between the two sites.  The following Riverbed  configuration guide was what I used in the past for Exchange 2010 environments:

Optimizing Database Availability Group (DAG) Replication for Microsoft Exchange 2010 (Testing Guide)
https://splash.riverbed.com/docs/DOC-1280

Since the the configuration guide above was last modified on December 1, 2012 and I was working with Exchange 2016, I went ahead to try and find a more updated guide but was unable to find one so I went ahead and used the instructions in the older guide.  The following are the results from my tests.

Begin by reviewing the DAG configuration with the following cmdlet:

Get-DatabaseAvailabilityGroup <dagName> | FL *network*

The following is an example of the output from the cmdlet:

Get-DatabaseAvailabilityGroup 16dag | FL *network*

NetworkCompression : InterSubnetOnly

NetworkEncryption : InterSubnetOnly

ManualDagNetworkConfiguration : False

NetworkNames : {}

image

The two configuration settings we’re interested in are:

  • NetworkCompression
  • NetworkEncrytion

More information about these two settings can be found in the following TechNet article:

Managing database availability groups
https://technet.microsoft.com/en-us/library/dd298065(v=exchg.150).aspx

In order to allow the Riverbed to accelerate the traffic, these two configuration settings need to be disabled.  As a test, I disabled NetworkEncryption first with the following cmdlet:

Set-DatabaseAvailabilityGroup 16dag -NetworkEncryption disabled

The following is the output and configuration settings of the DAG after the change:

Set-DatabaseAvailabilityGroup 16dag -NetworkEncryption disabled

Get-DatabaseAvailabilityGroup 16dag | FL *network*

NetworkCompression : InterSubnetOnly

NetworkEncryption : Disabled

ManualDagNetworkConfiguration : False

NetworkNames : {}

image

With NetworkEncryption disabled, the Riverbed was able to provide approximately 16% reduction of data:

imageimage

After performing the above test, I proceeded to disable NetworkCompression:

Set-DatabaseAvailabilityGroup 16dag -NetworkCompression disabled

Get-DatabaseAvailabilityGroup 16dag | FL *network*

NetworkCompression : Disabled

NetworkEncryption : Disabled

ManualDagNetworkConfiguration : False

NetworkNames : {}

image

With both NetworkCompression and NetworkEncryption disabled, the Riverbed was able to provide approximately 61% reduction of data:

imageimage

Thursday, April 13, 2017

Attempting to enable a user for Exchange UM displays the error message: “Extension xxx is already assigned to another user on dial plan UMDialPlan or on an equivalent dial plan.”

Problem

You attempt to reassign an Exchange UM extension that was previously assigned to a user who you have disabled for UM but receive the following error:

error

Extension xxxx is already assigned to another user on dial plan UMDialPlan or on an equivalent dial plan.

image

You try using the Get-UMMailbox cmdlet to list all of the users and review which one currently has the extension assigned:

Get-UMMailbox | Format-Table -Wrap -AutoSize

… but do not see the extension listed in Extensions column:

image

You review the attributes for the user who was previously assigned the extension but do not see any reference of it in the Exchange attributes:

image

The Lync / Skype for Business msRTCSIP-Line attribute is confirmed not to exist for the user either:

image

Solution

One of the possible causes of this issue is if the user who previously had this extension assigned still has the EUM email address with the extension as the value:

image

image

To correct this issue, remove the email address from the previous user.